Posted On: Aug 27, 2020

Amazon RDS for Oracle now supports external authentication of database users using Kerberos and Microsoft Active Directory in AWS GovCloud (US) Regions.  

Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT). It uses tickets and symmetric-key cryptography to eliminate the need to transmit passwords over the network. Kerberos has been built into Microsoft Active Directory and is designed to authenticate users to network resources, such as Oracle databases.  

Kerberos and Microsoft Active Directory support in Amazon RDS for Oracle provides single sign-on and centralized authentication for Oracle Database users. Keeping user credentials in one Active Directory gives you a single place to store and manage them for multiple DB instances, instead of maintaining a separate password for each user in each database.

With this feature, your database users can authenticate to Amazon RDS for Oracle with credentials stored either in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) or in your on-premises Microsoft Active Directory, provided a forest trust relationship is established between your on-premises Active Directory and an AWS Managed Microsoft AD. You can use the same Active Directory for different VPCs within the same AWS Region, and you can join Amazon RDS for Oracle instances to Active Directory domains shared from other AWS accounts.

Kerberos authentication with Amazon RDS for Oracle can be used without additional cost or licensing. This feature is supported for versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c of Enterprise Edition, and versions 12.1.0.2, 12.2.0.1, 18c, and 19c of Standard Edition 2.

To use Kerberos authentication with your Amazon RDS for Oracle DB instance, first set up AWS Directory Service for Microsoft Active Directory (Enterprise Edition). You can enable Kerberos authentication when creating a new DB instance in the AWS Management Console by selecting an Active Directory in the Advanced Settings section of the Create DB Instance wizard in the Amazon RDS console. If the directory does not yet exist, create one with the Create a New Directory link. To enable Kerberos authentication on an existing DB instance, use the corresponding options under the Kerberos authentication section of the Modify DB Instance wizard.

To use your existing on-premises Microsoft Active Directory, follow the steps above to set up an AWS Managed Microsoft AD first, then establish a forest trust relationship between your on-premises directory and the AWS Managed Microsoft AD by following the steps shown here.
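The console steps above have a scripted equivalent. The script below is an added example written for this page, not code from AWS or the announcement. It enables the directory membership on an existing DB instance with the AWS CLI (the `--domain` and `--domain-iam-role-name` parameters of `modify-db-instance`), waits until the instance reports the domain as joined, creates an externally authenticated Oracle user, writes the client-side `sqlnet.ora`, and finally checks from the client that the session was authenticated with a Kerberos ticket rather than a password. The instance name `orcl-prod`, directory ID `d-1234567890ab`, IAM role name `rds-directoryservice-kerberos-access-role`, realm `CORP.EXAMPLE.COM`, AD user `alice`, the TNS alias, and the `kerberos` service name in `sqlnet.ora` are all placeholders or assumptions, and the uppercase, double-quoted `"USER@REALM"` form of the Oracle user name follows the convention used in the AWS documentation. The calls that need AWS, a KDC and an Oracle client only run when `RUN_LIVE=1`, so the script can be read and executed offline.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS announcement): enable Kerberos authentication
# on an existing RDS for Oracle instance, create an externally authenticated
# DB user, and verify the Kerberos login path from an Oracle client.
# All identifiers below are placeholders, not real resources.
set -eu

DB_INSTANCE="${DB_INSTANCE:-orcl-prod}"                      # assumed instance id
DIRECTORY_ID="${DIRECTORY_ID:-d-1234567890ab}"               # assumed AWS Managed Microsoft AD id
DOMAIN_ROLE="${DOMAIN_ROLE:-rds-directoryservice-kerberos-access-role}"  # assumed IAM role
REALM="${REALM:-CORP.EXAMPLE.COM}"                           # assumed Kerberos realm
TNS_ALIAS="${TNS_ALIAS:-orclprod}"                           # assumed tnsnames.ora entry

# Oracle matches an externally identified user against the Kerberos principal.
# Build the "USER@REALM" name in upper case and double quotes (the '@' and '.'
# characters are not legal in an unquoted Oracle identifier).
oracle_principal_user() {           # $1 = AD sAMAccountName, $2 = realm
    printf '"%s@%s"' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" \
                     "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# SQL to run as the RDS master user once the instance reports the domain joined.
# No password is set: the user can only log in with a Kerberos ticket.
create_user_sql() {                 # $1 = quoted principal user
    cat <<EOF
CREATE USER $1 IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO $1;
EOF
}

# Client-side sqlnet.ora: enable the Kerberos adapter and point it at the
# krb5.conf and the credential cache that kinit will populate.
sqlnet_ora() {                      # $1 = krb5.conf path, $2 = credential cache path
    cat <<EOF
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.KERBEROS5_CONF=$1
SQLNET.KERBEROS5_CC_NAME=$2
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kerberos
SQLNET.KERBEROS5_CONF_MIT=TRUE
EOF
}

# Scripted equivalent of the "Kerberos authentication" section of the
# Modify DB Instance wizard.
enable_domain_auth() {
    aws rds modify-db-instance \
        --db-instance-identifier "$DB_INSTANCE" \
        --domain "$DIRECTORY_ID" \
        --domain-iam-role-name "$DOMAIN_ROLE" \
        --apply-immediately >/dev/null
}

# Membership status as reported by RDS: joined, pending-join or failed.
domain_join_status() {
    aws rds describe-db-instances --db-instance-identifier "$DB_INSTANCE" \
        --query 'DBInstances[0].DomainMemberships[0].Status' --output text
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    enable_domain_auth
    until [ "$(domain_join_status)" = "joined" ]; do sleep 30; done

    # MASTER_PASSWORD must be supplied in the environment for this one call;
    # it is the only password used anywhere in the flow.
    DB_USER="$(oracle_principal_user alice "$REALM")"
    create_user_sql "$DB_USER" | sqlplus -s "admin/${MASTER_PASSWORD:?}@${TNS_ALIAS}"

    CCACHE="/tmp/krb5cc_alice"
    sqlnet_ora /etc/krb5.conf "$CCACHE" > "${ORACLE_HOME:?}/network/admin/sqlnet.ora"
    KRB5CCNAME="$CCACHE" kinit "alice@${REALM}"

    # No credentials in the connect string: the ticket cache is the credential.
    # A successful Kerberos login reports AUTHENTICATION_METHOD = KERBEROS;
    # PASSWORD here would mean the client fell back to password authentication.
    printf "SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM DUAL;\n" \
        | sqlplus -s "/@${TNS_ALIAS}"
fi
```

The `until` loop matters in practice: `modify-db-instance` returns before the instance has joined the domain, and externally authenticated logins fail until the membership status is `joined`. The final query is the check worth keeping in a runbook, since a misconfigured `sqlnet.ora` silently falls back to password authentication on clients that still have one configured.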

Amazon RDS for Oracle makes it easy to set up, operate, and scale Oracle Database deployments in the cloud. To learn more about Kerberos authentication with Amazon RDS for Oracle, including regional availability information, please visit the documentation.