[
https://issues.jboss.org/browse/ELY-1541?page=com.atlassian.jira.plugin.s...
]
Jan Kalina edited comment on ELY-1541 at 4/6/18 5:54 AM:
---------------------------------------------------------
Ok, I was wrong - we don't need any {{<local-kerberos>}} in elytron client. All you
need to use kerberos as client is to use:
{code}
bin/jboss-cli.sh -c --no-local-auth -Djavax.security.auth.useSubjectCredsOnly=false \
  -Djava.security.krb5.conf=/path/krb5.conf :whoami
{code}
When no credential is provided from CredentialSource, GSSContext will obtain it
automatically and also correctly. Just need to have KRB5CCNAME env variable set for IBM
JDK before:
{code}
export KRB5CCNAME=FILE:/tmp/krb5cc_1000
JAVA_HOME=/opt/ibm-java-x86_64-80 bin/jboss-cli.sh -c --no-local-auth \
  -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/path/krb5.conf \
  :whoami
{code}
If KRB5CCNAME is not defined for IBM, the following error is produced:
{code}
Failed to connect to the controller: Unable to authenticate against controller at
localhost:9990: ELY05029: Unable to create GSSContext: org.ietf.jgss.GSSException, major
code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal default principal
{code}
This means {{LocalKerberosCredentialSource}} should be removed (deprecated) from elytron,
as it is redundant.
was (Author: honza889):
Ok, I was wrong - we don't need any {{<local-kerberos>}} in elytron client. All you
need to use kerberos as client is to use:
{code}
bin/jboss-cli.sh -c --no-local-auth -Djavax.security.auth.useSubjectCredsOnly=false \
  -Djava.security.krb5.conf=/path/krb5.conf :whoami
{code}
When no credential is provided from CredentialSource, GSSContext will obtain it
automatically and also correctly. Just need to have KRB5CCNAME env variable set for IBM
JDK before:
{code}
export KRB5CCNAME=FILE:/tmp/krb5cc_1000
{code}
This means {{LocalKerberosCredentialSource}} should be removed (deprecated) from elytron,
as it is redundant.
local-kerberos CredentialSource does not work with IBM java
-----------------------------------------------------------
Key: ELY-1541
URL: https://issues.jboss.org/browse/ELY-1541
Project: WildFly Elytron
Issue Type: Bug
Components: Credentials
Affects Versions: 1.2.3.Final
Reporter: Jan Kalina
Assignee: Jan Kalina
Labels: ibm-java
When trying to connect as with Oracle JDK, the following error occurs:
{code}
Failed to connect to the controller: Unable to authenticate against controller at
localhost:9990: ELY05053: Callback handler failed for unknown reason:
java.lang.reflect.UndeclaredThrowableException: org.ietf.jgss.GSSException, major code:
11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal default principal
{code}
-This is probably related to missing *useDefaultCcache* JAAS config (false by default):-
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_6.0.0/com.ibm.java....
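
Added example, not part of the JIRA comment or of Elytron: a pre-flight check for the ticket cache that KRB5CCNAME points at, so that a missing, foreign or over-permissive cache is caught before the CLI fails with "Cannot get credential for principal default principal". The helper name check_ccache and its return codes are assumptions, and it only understands FILE: caches.

```shell
# Added example: pre-flight check for the ticket cache named by KRB5CCNAME.
# check_ccache is a hypothetical helper; it only understands FILE: caches.
check_ccache() {
    cc_name="${KRB5CCNAME:-}"
    if [ -z "$cc_name" ]; then
        echo "KRB5CCNAME is not set; IBM JDK cannot find the default principal's credential" >&2
        return 1
    fi
    case "$cc_name" in
        FILE:*) cc_path="${cc_name#FILE:}" ;;
        *) echo "KRB5CCNAME=$cc_name is not a FILE: cache; not checked here" >&2
           return 2 ;;
    esac
    # The cache must exist and contain something (kinit writes it).
    if [ ! -f "$cc_path" ] || [ ! -s "$cc_path" ]; then
        echo "ticket cache $cc_path is missing or empty; run kinit first" >&2
        return 3
    fi
    # A cache owned by someone else is not ours to trust.
    if [ ! -O "$cc_path" ]; then
        echo "ticket cache $cc_path is not owned by the current user" >&2
        return 4
    fi
    # Tickets are bearer credentials: refuse any group/other access bits.
    cc_mode=$(ls -ld -- "$cc_path")
    cc_mode=${cc_mode%% *}
    case "$cc_mode" in
        ????------*) ;;
        *) echo "ticket cache $cc_path has mode $cc_mode; expected no group/other access" >&2
           return 5 ;;
    esac
    return 0
}

# Usage (command line as given in the comment above):
#   check_ccache && JAVA_HOME=/opt/ibm-java-x86_64-80 bin/jboss-cli.sh -c --no-local-auth \
#     -Djavax.security.auth.useSubjectCredsOnly=false \
#     -Djava.security.krb5.conf=/path/krb5.conf :whoami
```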