AIX JRE 1.8 build 2.9 http client ignores TGT after login

2018-09-11T10:17:09Z | aix java kerberos

Hi,

We are trying an http client on AIX 7. While testing Kerberos authentication, we found it hard to get the same code that works on other platforms (Windows, Linux) to work the same way on AIX.

The krb5.conf and login module have been updated for the IBM JRE. In the Kerberos debug log, the configuration looks as follows:

[JGSS_DBG_CRED]  Thread-5 JAAS config: debug=true
[JGSS_DBG_CRED]  Thread-5 JAAS config: credsType=initiate only (default)

[JGSS_DBG_CRED]  Thread-5 config: useCcache=null
[JGSS_DBG_CRED]  Thread-5 config: useDefaultKeytab=false (default)
[JGSS_DBG_CRED]  Thread-5 config: useKeytab=null

[JGSS_DBG_CRED]  Thread-5 JAAS config: forwardable=false (default)
[JGSS_DBG_CRED]  Thread-5 JAAS config: renewable=false (default)
[JGSS_DBG_CRED]  Thread-5 JAAS config: proxiable=false (default)
[JGSS_DBG_CRED]  Thread-5 JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED]  Thread-5 JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED]  Thread-5 JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED]  Thread-5 JAAS config: interactive login? yes

And we found that the TGT had been acquired and the user login had succeeded. But when the context tries to initiate the service session, no Subject is found.

[JGSS_DBG_CRED]  Thread-5 Kerberos login complete
[JGSS_DBG_CRED]  Thread-5 Login successful
[JGSS_DBG_CRED]  Thread-5 kprincipal : tester@TARGET.COM
[JGSS_DBG_CRED]  Thread-5 tester@TARGET.COM added to Subject
[JGSS_DBG_CRED]  Thread-5 Kerberos ticket added to Subject
[JGSS_DBG_CRED]  Thread-5 added key of type aes256-cts-hmac-sha1-96
[JGSS_DBG_CRED]  Thread-5 added key of type aes128-cts-hmac-sha1-96 
[JGSS_DBG_CRED]  Thread-5 added key of type des3-cbc-sha1
[JGSS_DBG_CRED]  Thread-5 added key of type rc4-hmac
[JGSS_DBG_PROV]  Thread-5 Number of system providers=9
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 3 system providers found/added
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]  Thread-5 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]  Thread-5 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMSPNEGO
[JGSS_DBG_PROV]  Thread-5 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechs: 2 unique mechanism(s) found
[JGSS_DBG_PROV]  Thread-5 [0]: 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 [1]: 1.2.840.113554.1.2.2
[JGSS_DBG_CRED]  Thread-5 MN not found; creating one
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.2.840.113554.1.2.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 8.0
[JGSS_DBG_PROV]  Thread-5 Loading factory
[JGSS_DBG_PROV]  Thread-5 Factory class name for provider IBMJGSSProvider version 8.0 is com.ibm.security.jgss.mech.krb5.Krb5MechFactory
[JGSS_DBG_PROV]  Thread-5 IBMJGSSProvider (version 8.0) loaded
[JGSS_DBG_PROV]  Thread-5 Prior to load
[JGSS_DBG_PROV]  Thread-5 Done to load
[JGSS_DBG_PROV]  Thread-5 Loaded factory for provider IBMJGSSProvider version 8.0
[JGSS_DBG_PROV]  Thread-5 Loaded factory ok
[JGSS_DBG_PROV]  Thread-5 getFactory: index = 1 found factory caller = GSSCaller{UNKNOWN}
[JGSS_DBG_CRED]  Thread-5 Name cannonicalization complete, resulting name string=HTTP/target.service.com@TARGET.COM
[JGSS_DBG_CRED]  Thread-5 MN not found; creating one
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.3.6.1.5.5.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 8.0
[JGSS_DBG_PROV]  Thread-5 Loading factory
[JGSS_DBG_PROV]  Thread-5 Factory class name for provider IBMJGSSProvider version 8.0 is com.ibm.security.jgss.mech.spnego.SPNEGOMechFactory
[JGSS_DBG_PROV]  Thread-5 Prior to load
[JGSS_DBG_PROV]  Thread-5 Number of system providers=9
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 3 system providers found/added
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]  Thread-5 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]  Thread-5 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMSPNEGO
[JGSS_DBG_PROV]  Thread-5 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechs: 2 unique mechanism(s) found
[JGSS_DBG_PROV]  Thread-5 [0]: 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 [1]: 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]  Thread-5 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]  Thread-5 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 getMechs: Mechanism(s) supported by provider IBMSPNEGO
[JGSS_DBG_PROV]  Thread-5 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 getMechs: 2 unique mechanism(s) found
[JGSS_DBG_PROV]  Thread-5 [0]: 1.3.6.1.5.5.2
[JGSS_DBG_PROV]  Thread-5 [1]: 1.2.840.113554.1.2.2
[JGSS_DBG_PROV]  Thread-5 Done to load
[JGSS_DBG_PROV]  Thread-5 Loaded factory for provider IBMJGSSProvider version 8.0
[JGSS_DBG_PROV]  Thread-5 Loaded factory ok
[JGSS_DBG_PROV]  Thread-5 getFactory: index = 0 found factory caller = GSSCaller{UNKNOWN}
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.2.840.113554.1.2.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 8.0
[JGSS_DBG_PROV]  Thread-5 Loading factory
[JGSS_DBG_PROV]  Thread-5 Factory class name for provider IBMJGSSProvider version 8.0 is com.ibm.security.jgss.mech.krb5.Krb5MechFactory
[JGSS_DBG_PROV]  Thread-5 Prior to load
[JGSS_DBG_PROV]  Thread-5 Done to load
[JGSS_DBG_PROV]  Thread-5 Loaded factory for provider IBMJGSSProvider version 8.0
[JGSS_DBG_PROV]  Thread-5 Loaded factory ok
[JGSS_DBG_PROV]  Thread-5 getFactory: index = 1 found factory caller = GSSCaller{UNKNOWN}
[JGSS_DBG_CRED]  Thread-5 Name cannonicalization complete, resulting name string=HTTP/target.service.com@TARGET.COM
[JGSS_DBG_CTX]  Thread-5 Creating context, initiator = yes, input cred = null
[JGSS_DBG_CTX]  Thread-5 Creating default initiator creds
[JGSS_DBG_CRED]  Thread-5 Creating mech cred for null, mech 1.3.6.1.5.5.2, usage initiate only
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.3.6.1.5.5.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 getFactory: index = 0 found factory caller = GSSCaller{UNKNOWN}
[JGSS_DBG_CRED]  Thread-5 Search Subject for SPNEGO INIT cred (<<DEF>>, com.ibm.security.jgss.mech.spnego.SPNEGOCredElement)
[JGSS_DBG_CRED]  Thread-5 No Subject
[JGSS_DBG_CRED]  Thread-5 Cannot get SPNEGOCredElement from Subject
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.2.840.113554.1.2.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  Thread-5 getFactory: index = 1 found factory caller = GSSCaller{UNKNOWN}
[JGSS_DBG_CRED]  Thread-5 Search Subject for Kerberos V5 INIT cred (<<DEF>>, com.ibm.security.jgss.mech.krb5.s)
[JGSS_DBG_CRED]  Thread-5 No Subject
[JGSS_DBG_CRED]  Thread-5 Creating credentials for name null, servName null, usage 1
[JGSS_DBG_CRED]  Thread-5 Trying to get credentials for null
[JGSS_DBG_CRED]  Thread-5 usage: initiator only, check subject, useAllCred : false
[JGSS_DBG_CRED]  Thread-5 Obtaining Subject creds for default principal
[JGSS_DBG_CRED]  Thread-5 SubjectCredFinder: client=null, server=null
[JGSS_DBG_CRED]  Thread-5 Cannot get SPNEGOCredElement for the default Mechanism because of org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: SubjectCredFinder: no JAAS Subject

Does anyone know the reason for this? Is JAAS usage different in the IBM JRE, or have we missed some important configuration?

A modified detailed log is attached as well.

JVM Version:

> java -version
java version "1.8.0_171"
Java(TM) SE Runtime Environment (build 8.0.5.17 - pap3280sr5fp17-20180627_01(SR5 FP17))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc-32-Bit 20180626_390413 (JIT enabled, AOT enabled)
OpenJ9   - 5cdc604
OMR      - a24bc01
IBM      - 21870d6)
JCL - 20180619_01 based on Oracle jdk8u171-b11


Updated on 2018-09-11T10:19:21Z at 2018-09-11T10:19:21Z by LukeX
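A pattern that keeps the authenticated Subject bound to the thread while the SPNEGO context is built, added here as an example and not the poster's code: JGSS looks up initiator credentials from the Subject associated with the current access-control context, which is exactly what `Subject.doAs` establishes, and a context created outside it produces the "SubjectCredFinder: no JAAS Subject" condition. The JAAS entry name, the `KRB_USER`/`KRB_PASS` environment variables and the callback handler are assumptions; the service principal is the one the debug log shows after name canonicalization.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoInitiator {
    // Assumed: the JAAS login entry name used by the krb5 login module configuration.
    static final String JAAS_ENTRY = "KerberosClient";
    // Service principal as reported by the JGSS debug log after canonicalization.
    static final String SPN = "HTTP/target.service.com@TARGET.COM";
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Minimal non-interactive handler; assumed to read credentials from the environment.
    static CallbackHandler envHandler() {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(System.getenv("KRB_USER"));
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(System.getenv("KRB_PASS").toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY, envHandler());
        lc.login();                        // "Kerberos login complete", TGT added to Subject
        Subject subject = lc.getSubject();

        // Sanity check: the TGT must be among the Subject's private credentials.
        if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
            throw new IllegalStateException("login succeeded but no KerberosTicket in Subject");
        }

        // All GSS calls run under the Subject; outside doAs no Subject is bound and
        // credential lookup fails with "no JAAS Subject".
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName server = mgr.createName(SPN, GSSName.NT_USER_NAME);
            GSSContext ctx = mgr.createContext(server, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            ctx.requestCredDeleg(false);   // do not forward the TGT to the HTTP service
            return ctx.initSecContext(new byte[0], 0, 0);
        });

        // The first-leg token is sent in the HTTP Authorization header.
        String authorization = "Negotiate " + Base64.getEncoder().encodeToString(token);
        System.out.println(authorization.substring(0, 24) + "...");
    }
}
```

If the context cannot be created inside `doAs`, the alternative is `-Djavax.security.auth.useSubjectCredsOnly=false`, which lets JGSS perform its own login from the JAAS configuration; keeping the default `true` leaves the application, not the runtime, in control of which credentials are used.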