I find that there is a "DIR cache" feature available in MIT libraries (env variable KRB5CCNAME and kswitch) where the cache context switch can be done. I am also told by someone that this is rarely used, as it's a relatively new feature, and most of the existing Kerberos products/APIs have the notion of treating the cache file as a single default principal.
It's not mentioned anywhere in the Oracle documentation about the "DIR cache" feature, which I doubt is implemented in OCI, looking at the parameters exposed in sqlnet.ora. So my solution now is to maintain one principal service account configured as an external user across all databases and use it in my application.
You can always put keys for multiple principals in a single keytab file, but Java's kinit command only recognizes the FILE format and it always overwrites the whole ccache file.
I am not sure what you want to achieve. If you just want to get initial TGTs for multiple principals and want each to use its own, you can call "kinit -c" to save the TGT to different files, and then in your JAAS login config file, use 'ticketCache=' to assign the files to different principals on their own Krb5LoginModule lines.
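The per-principal approach described in the reply above, written out as an added example (not code from the thread or from Oracle): each principal gets its own FILE ccache via MIT `kinit -c`, and a matching JAAS login entry points its `Krb5LoginModule` at that cache with `ticketCache=`. The realm EXAMPLE.COM, the principals svc_a/svc_b, the keytab paths and the cache directory are assumed values; obtaining the TGTs needs a reachable KDC, so that step only runs when KRB5_DEMO_RUN=1.

```shell
#!/bin/sh
# Added example: one FILE ccache per principal plus one JAAS entry per cache.
# Assumed values: realm EXAMPLE.COM, principals svc_a/svc_b, keytab paths,
# and the cache directory below.
set -eu

CACHE_DIR="${CACHE_DIR:-/var/tmp/krb5}"
JAAS_CONF="${JAAS_CONF:-$CACHE_DIR/login.conf}"

# Map a principal to its private ccache file. A bare path is treated as a
# FILE cache by MIT kinit and by Java's Krb5LoginModule alike. The '/' and
# '@' in principal names are replaced so the name cannot become a path.
cache_path_for() {
    printf '%s/krb5cc_%s\n' "$CACHE_DIR" "$(printf '%s' "$1" | tr '/@' '__')"
}

# Obtain a TGT for one principal from its keytab into its own cache.
# -c, -k and -t are MIT kinit options; Java's kinit would overwrite the
# default cache instead, which is why the MIT tool is used here.
acquire_tgt() {
    principal=$1
    keytab=$2
    kinit -c "$(cache_path_for "$principal")" -k -t "$keytab" "$principal"
    klist -c "$(cache_path_for "$principal")"
}

# Emit one JAAS login entry whose Krb5LoginModule reads the principal's
# cache and never prompts, so two entries can coexist in one config file.
jaas_entry() {
    name=$1
    principal=$2
    cat <<EOF
$name {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        ticketCache="$(cache_path_for "$principal")"
        principal="$principal"
        doNotPrompt=true;
};
EOF
}

# Write a login config with one entry per principal; the application then
# starts with -Djava.security.auth.login.config="$JAAS_CONF" and selects
# the entry name (AppA or AppB) when it builds its LoginContext.
write_jaas_config() {
    mkdir -p "$CACHE_DIR"
    {
        jaas_entry AppA svc_a@EXAMPLE.COM
        jaas_entry AppB svc_b@EXAMPLE.COM
    } > "$JAAS_CONF"
    printf '%s\n' "$JAAS_CONF"
}

# Only the KDC-dependent part is guarded; the helpers above are pure.
if [ "${KRB5_DEMO_RUN:-0}" = 1 ]; then
    mkdir -p "$CACHE_DIR"
    acquire_tgt svc_a@EXAMPLE.COM /etc/krb5/svc_a.keytab   # assumed keytab
    acquire_tgt svc_b@EXAMPLE.COM /etc/krb5/svc_b.keytab   # assumed keytab
    write_jaas_config
fi
```

Each cache file should be owned by the account that runs the application and be readable by nobody else, since anyone who can read it can use that principal's TGT until it expires.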
The application is not written in Java, but in C++ which uses Oracle OCI thick driver and not JAAS like thin driver. With Oracle OCI thick driver within a running process, you can connect to Oracle database with only one Kerberos principal, and switching between principals is not supported.
For example, once you log in to sqlplus /@<TNS-Service> using a Kerberos principal, you cannot connect with another principal within that same sqlplus session. (sqlplus uses Oracle's sqlnet, which is an OCI thick driver.)
I know JAAS does support it because it's thin, but not the OCI thick driver, which loads the Oracle parameters during process boot-up and can never refresh (at least the sqlnet parameters).
I have changed my application to use only one service principal (providing all the required privileges for that principal to use the resources).