IBM Support

IV93273: KLIST ERROR READING KEYTAB ENTRIES CONTAINING EXTENDED VERSION DATA.

APAR status

  • Closed as program error.

Error description

  • Error Message, as reported by customer:
    
    java.io.IOException: Login failure for sifsuser@IBM.COM from
    keytab /etc/security/keytabs/sifsuser.keytab
    
    Stack Trace, if applicable:
    
    [KRB_DBG_CFG] Config:Thread-11:   Loaded from native config
    [KRB_DBG_KDC] KdcComm:Thread-11:   >>> KdcAccessibility: reset
    [KRB_DBG_KDC] KdcComm:Thread-11:   >>> KdcAccessibility: reset
    [KRB_DBG_KTAB] KeyTab:Thread-11:   >>> KeyTab: trying to load
    keytab file /etc/security/keytabs/sifsuser.keytab
    [KRB_DBG_KTAB] KeyTab:Thread-11Loading the keytab file ...
    >>> KeyTab: load() entry length: 54
    [KRB_DBG_KTAB] KeyTableInputStream:Thread-11:   >>>
    KeyTabInputStream, readName(): IBM.COM
    [KRB_DBG_KTAB] KeyTableInputStream:Thread-11:   >>>
    KeyTabInputStream, readName(): sifsuser
    [KRB_DBG_KTAB] KeyTab:Thread-11Loading the keytab file ...
    >>> KeyTab:load() entry length: 1
    [KRB_DBG_KTAB] KeyTableInputStream:Thread-11:   >>>
    KeyTabInputStream, readName(^WQd&rXJW
    [KRB_DBG_KTAB] KeyTab:Thread-11:   >>> KeyTab: exception
    Illegal character in realm name; one of: '/', ':', '\0'
    [KRB_DBG_CCHE] Credentials:Thread-11:   >>> Credentials:
    Created
    Credentials with 0 keys. Key types: Exception in thread
    "Thread-11" java.io.IOException: Login failure for
    sifsuser@IBM.COM from keytab
    /etc/security/keytabs/sifsuser.keytab
     at
    org.apache.hadoop.security.UserGroupInformation.loginUserFromKey
    tabAndReturnUGI(UserGroupInformation.java:1146)
     at
    com.ibm.streamsx.hdfs.client.auth.BaseAuthenticationHelper.authe
    nticateWithKerberos(BaseAuthenticationHelper.java:104)
     at
    com.ibm.streamsx.hdfs.client.auth.HDFSAuthenticationHelper.conne
    ct(HDFSAuthenticationHelper.java:59)
     at
    com.ibm.streamsx.hdfs.client.AbstractHdfsClient.connect(Abstract
    HdfsClient.java:35)
     at
    com.ibm.streamsx.hdfs.client.HdfsJavaClient.connect(HdfsJavaClie
    nt.java:10)
     at
    com.ibm.streamsx.hdfs.AbstractHdfsOperator.initialize(AbstractHd
    fsOperator.java:56)
     at
    com.ibm.streamsx.hdfs.HDFS2FileSource.initialize(HDFS2FileSource
    .java:119)
     at
    com.ibm.streams.operator.internal.runtime.api.OperatorAdapter.in
    itialize(OperatorAdapter.java:735)
     at
    com.ibm.streams.operator.internal.jni.JNIBridge.<init>(JNIBridge
    .java:271)
    Caused by: javax.security.auth.login.FailedLoginException: Null
    key
     at
    com.ibm.security.jgss.i18n.I18NException.throwFailedLoginExcepti
    on(I18NException.java:32)
     at
    com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.j
    ava:722)
     at
    com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.j
    ava:154)
     at
    com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModu
    le.java:411)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:95)
     at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
     at java.lang.reflect.Method.invoke(Method.java:508)
     at
    javax.security.auth.login.LoginContext.invoke(LoginContext.java:
    788)
     at
    javax.security.auth.login.LoginContext.access$000(LoginContext.j
    ava:196)
     at
    javax.security.auth.login.LoginContext$5.run(LoginContext.java:7
    21)
     at
    javax.security.auth.login.LoginContext$5.run(LoginContext.java:7
    19)
     at
    java.security.AccessController.doPrivileged(AccessController.jav
    a:686)
     at
    javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginCo
    ntext.java:719)
     at
    javax.security.auth.login.LoginContext.login(LoginContext.java:5
    93)
     at
    org.apache.hadoop.security.UserGroupInformation.loginUserFromKey
    tabAndReturnUGI(UserGroupInformation.java:1135)
     ... 8 more
    
    Other Error Information, as reported by customer:
    
    N/A
    

Local fix

  • N/A
    

Problem summary

  • KeyTabInputStream.readEntry() does not allow for keytab
    entries that contain extended version data.
    
    
    ERROR DESCRIPTION:
    
    The customer is experiencing a "java.io.IOException: Login
    failure for xxxxx@yyy.zzz from keytab
    /etc/security/keytabs/sifsuser.keytab" error.
    

Problem conclusion

  • Updated KeyTabInputStream.readEntry() to allow for keytab entries
    that contain extended version data.
    
    The associated RTC PRs:  124268 (Java 8), 124906 (Java 6 & 7)
    The associated Austin CMVC defect is 117599 (Java 8), 117607
    (Java 6 & 7)
    The associated Austin APAR is IV93273
    
    
    
    JVMs affected : Java 8, 7, & 6
    
    The fix was delivered for: Java 8 SR4 FP5, Java 7 SR10 FP5, Java
    727 SR4 FP5, Java 6 SR16 FP45, Java 626 SR8 FP45
    
    
    
    The affected jars:  ibmjgssprovider.jar
    
    The build level of this jar for Java 8 is "20170214"
    
    The build level of this jar for Java 6 & 7 is "20170301"
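
To check whether a keytab carries the extended version data described above, the following added example (not IBM's code, and not part of the original APAR) walks each entry and always resumes at the declared entry length. The field layout is the MIT krb5 keytab format, version 0x0502, which this page does not spell out; the function names and the SAMPLE keytab (dummy all-zero keys) are constructed for illustration. It also shows that a reader stopping right after the key would take the trailing 32-bit version as the next entry length, consistent with the "entry length: 54" followed by "entry length: 1" in the trace.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # hole left by a deleted entry
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError(f"entry length {size} overruns the file")
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode("utf-8", "replace"))
        _ntype, _ts, vno8, _etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)   # p is now just past the key
        extended = end - p >= 4            # optional 32-bit version follows
        vno32 = struct.unpack_from(">I", data, p)[0] if extended else 0
        principal = "/".join(comps) + "@" + realm.decode("utf-8", "replace")
        entries.append({"principal": principal, "size": size,
                        "kvno": vno32 or vno8, "extended": extended,
                        "key_end": p})
        off = end                          # resume at the declared entry end
    return entries

def length_if_trailer_ignored(data, entry):
    """Next 'entry length' seen by a reader that stops right after the key."""
    return struct.unpack_from(">i", data, entry["key_end"])[0]

def _sample_entry(key, kvno, etype):       # constructed test data, dummy key
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(b"IBM.COM") + s(b"sifsuser")
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key)
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + _sample_entry(bytes(16), 1, 17) + _sample_entry(bytes(32), 1, 18)
```

Entries reported with `extended` set to True are the ones a reader has to allow for; a keytab whose entries all report False has no trailing version field.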
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV93273

  • Reported component name

    TIV JAVA GSS-AP

  • Reported component ID

    TIVSECJGS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-09

  • Closed date

    2017-02-17

  • Last modified date

    2017-03-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA GSS-AP

  • Fixed component ID

    TIVSECJGS

Applicable component levels

  • R100 PSY

       UP

Document Information

Modified date:
03 March 2017