[jboss-jira] [JBoss JIRA] (ELY-283) Investigate Elytron and gssproxy interoperability
Peter Skopek (JIRA)
issues at jboss.org
Tue Sep 22 07:08:00 EDT 2015
[ https://issues.jboss.org/browse/ELY-283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13111191#comment-13111191 ]
Peter Skopek commented on ELY-283:
----------------------------------
h1. How to setup gssproxy and Elytron: A brain dump
h2. Notes
According to [1], gssproxy uses the libgssapi Interposer Plugin, which utilises a feature of the dynamic linker in the system.
It allows calling your library with the same function before the actual library provided by the system. For more info see [3].
h2. Versions
h3. Java (client and server):
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
h3. gssproxy:
gssproxy-0.4.1-1.fc22.x86_64
- using Apache DS (embedded) as KDC
h2. Configurations
{panel:title=/root/gssproxy.conf}
{noformat}
[gssproxy]
[service/eap]
mechs = krb5
cred_store = keytab:/opt/keytab/serverKeyTab-apache
# cred_store = keytab:/opt/keytab/serverKeyTab
# cred_store = keytab:/root/serverKeyTab
allow_any_uid = yes
trusted = yes
euid = 12956 # UID of the user running the process which accesses gssproxy
krb5_principal = sasl/test_server_1@WILDFLY.ORG
{noformat}{panel}
Start gssproxy under root as follows: /sbin/gssproxy -i -d -c /root/gssproxy.conf
- interactive run
- debug
- using the following configuration
- no need to stop the original /sbin/gssproxy process unless one is using the same euid in both configurations
{panel:title=krb5.conf used by Java Server process (part of source code of Elytron)}
{noformat}
[libdefaults]
default_realm = WILDFLY.ORG
default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
kdc_timeout = 5000
dns_lookup_realm = false
dns_lookup_kdc = false
allow_weak_crypto = yes
forwardable = true
[realms]
WILDFLY.ORG = {
kdc = localhost:6088
}
[login]
krb4_convert = true
krb4_get_tickets = false
{noformat}{panel}
{panel:title=/etc/krb5.conf used by Java Client process}
{noformat}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = WILDFLY.ORG
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WILDFLY.ORG = {
kdc = 127.0.0.1:6088
}
[domain_realm]
.redhat.com = REDHAT.COM
redhat.com = REDHAT.COM
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
{noformat}{panel}
h2. To read:
[1] https://git.fedorahosted.org/cgit/gss-proxy.git/tree/proxy/docs/Behavior
[2] https://fedorahosted.org/gss-proxy/
[3] http://www.drdobbs.com/building-library-interposers-for-fun-and/184404926
h2. Java Server Process (using gssproxy) VM options
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.jgss.lib="/usr/lib64/libgssapi_krb5.so.2.2"
-Dsun.security.jgss.native="true"
-Dsun.security.krb5.debug=true
-Dsun.security.jgss.debug=true
h2. Environment variables for the server process
- GSSPROXY_BEHAVIOR=REMOTE_FIRST
- GSS_USE_PROXY=1
h2. Java Client Process (not using gssproxy) VM options:
-Dsun.security.krb5.debug=true
-Dsun.security.jgss.debug=true
_Note: Just debugging stuff._
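An added example, not code from this comment or from Elytron: a minimal Java acceptor that refuses to start unless the JVM is in the native-JGSS configuration listed above, then establishes a Kerberos context using the default acceptor credential, which in that mode is served from the cred_store keytab by gssproxy rather than read by the JVM. The listening port, the length-prefixed socket token framing and the 64 KiB token limit are assumptions of this example.

```java
import java.io.*;
import java.net.*;
import org.ietf.jgss.*;

// Acceptor smoke test: with the VM options and environment variables above, JGSS
// delegates credential acquisition and token processing to libgssapi_krb5, whose
// gssproxy interposer forwards them to the [service/eap] section of gssproxy.conf.
public final class GssProxyAcceptor {
    static final int PORT = 4444; // assumed listening port, not from the comment

    // Fail fast instead of silently falling back to the pure-Java krb5 provider,
    // which reads the keytab itself and never talks to gssproxy.
    static void requireNativeJgss() {
        if (!Boolean.getBoolean("sun.security.jgss.native"))
            throw new IllegalStateException("-Dsun.security.jgss.native=true is required");
        if (!"false".equals(System.getProperty("javax.security.auth.useSubjectCredsOnly")))
            throw new IllegalStateException("-Djavax.security.auth.useSubjectCredsOnly=false is required");
        if (System.getenv("GSS_USE_PROXY") == null)
            throw new IllegalStateException("GSS_USE_PROXY=1 must be set in the environment");
    }

    // A null name requests the default acceptor credential; in native mode that is the
    // keytab named by cred_store in gssproxy.conf, so the JVM never has to read it.
    static GSSContext acceptorContext(GSSManager mgr) throws GSSException {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism OID
        GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                krb5, GSSCredential.ACCEPT_ONLY);
        return mgr.createContext(cred);
    }

    // Context establishment over a length-prefixed token framing (assumed, not a standard).
    static void accept(Socket s) throws Exception {
        DataInputStream in = new DataInputStream(s.getInputStream());
        DataOutputStream out = new DataOutputStream(s.getOutputStream());
        GSSContext ctx = acceptorContext(GSSManager.getInstance());
        while (!ctx.isEstablished()) {
            int len = in.readInt();
            if (len < 0 || len > 65536) throw new IOException("bad token length " + len);
            byte[] token = new byte[len];
            in.readFully(token);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (reply != null) { out.writeInt(reply.length); out.write(reply); out.flush(); }
        }
        System.out.println("Client " + ctx.getSrcName() + " authenticated to " + ctx.getTargName());
        ctx.dispose();
    }

    public static void main(String[] args) throws Exception {
        requireNativeJgss();
        try (ServerSocket server = new ServerSocket(PORT); Socket client = server.accept()) {
            accept(client);
        }
    }
}
```

With -Dsun.security.jgss.debug=true the JGSS trace shows whether the native provider was loaded, and gssproxy started with -d logs the proxied acquire/accept calls on its side.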
> Investigate Elytron and gssproxy interoperability
> -------------------------------------------------
>
> Key: ELY-283
> URL: https://issues.jboss.org/browse/ELY-283
> Project: WildFly Elytron
> Issue Type: Task
> Components: SASL
> Reporter: Peter Skopek
> Assignee: Peter Skopek
>
> Investigate Elytron and gssproxy interoperability.
> https://fedorahosted.org/gss-proxy/