[jboss-jira] [JBoss JIRA] (WFLY-8295) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true

Martin Choma (JIRA) issues at jboss.org
Mon Mar 6 03:46:00 EST 2017


     [ https://issues.jboss.org/browse/WFLY-8295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Choma updated WFLY-8295:
-------------------------------
    Steps to Reproduce: 
* On IBM Java
* Follow https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-ConfigureAuthenticationwithaKerberosBasedIdentityStore
* When adding the kerberos-security-factory, add the obtain-kerberos-ticket = true option
{code}
/subsystem=elytron/kerberos-security-factory=krbSF:add( \
  principal="HTTP/host@REALM", \
  path="/path/to/http.keytab", \
  obtain-kerberos-ticket="true", \
  mechanism-oids=[ \
    1.2.840.113554.1.2.2, \
    1.3.6.1.5.5.2 \
  ] \
)
{code}


  was:
* On IBM Java
* Follow https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#configure_the_elytron_subsystem
* In step 2.4.1.1, when adding the kerberos-security-factory, add the obtain-kerberos-ticket = true option
{code}
/subsystem=elytron/kerberos-security-factory=krbSF:add( \
  principal="HTTP/host@REALM", \
  path="/path/to/http.keytab", \
  obtain-kerberos-ticket="true", \
  mechanism-oids=[ \
    1.2.840.113554.1.2.2, \
    1.3.6.1.5.5.2 \
  ] \
)
{code}




> Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
> ----------------------------------------------------------------------------------------
>
>                 Key: WFLY-8295
>                 URL: https://issues.jboss.org/browse/WFLY-8295
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>            Priority: Critical
>              Labels: ibm-java, kerberos
>
> On IBM Java, when obtain-kerberos-ticket is set to true the user always gets
> {code}
> javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
> {code}
> According to the IBM documentation [1], credsType=initiator and useKeytab are really incompatible.
> This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
> {code}
>     "path" => {
>         "type" => STRING,
>         "description" => "The path of the KeyTab to load to obtain the credential.",
>         "attribute-group" => "file",
>         "expressions-allowed" => true,
>         "required" => true,
>         "nillable" => false,
>         "min-length" => 1L,
>         "max-length" => 2147483647L,
>         "access-type" => "read-write",
>         "storage" => "configuration",
>         "restart-required" => "resource-services"
>     },
> {code}
> And the keytab is always set in the Kerberos login module options
> {code:title=GSSCredentialSecurityFactory.java}
>             if (IS_IBM) {
>                 options.put("noAddress", "true");
>                 options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
>                 options.put("useKeytab", keyTab.toURI().toURL().toString());
>             }
> {code}
> [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jgssDocs/jaas_login_user.html
> I am not setting this to blocker only because I am not sure about the importance of obtain-kerberos-ticket. See my question JBEAP-9292.
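The following is an added illustration, not code from the WildFly project or from the reporter. It rebuilds the IBM branch of the option map quoted above from GSSCredentialSecurityFactory for every combination of isServer and obtainKerberosTicket, and applies a fail-fast check for the constraint the issue cites from the IBM documentation (credsType=initiator cannot be combined with useKeytab). The class name, the validate helper and the keytab path are assumptions made for the example; the file does not need to exist because only its URL form is used.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (hypothetical class, not part of WildFly): shows which
 * isServer/obtainKerberosTicket combinations produce an option map that the
 * IBM Krb5LoginModule rejects as "credsType and keytab values are not compatible".
 */
public class IbmKrb5OptionsCheck {

    /** Mirrors the option map the issue quotes from GSSCredentialSecurityFactory (IS_IBM branch). */
    static Map<String, String> buildIbmOptions(boolean isServer, boolean obtainKerberosTicket, File keyTab)
            throws MalformedURLException {
        Map<String, String> options = new LinkedHashMap<>();
        options.put("noAddress", "true");
        // Only a server that does NOT need to obtain a ticket becomes an acceptor;
        // every other combination is an initiator.
        options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
        // The keytab is always set, because the model makes "path" required.
        options.put("useKeytab", keyTab.toURI().toURL().toString());
        return options;
    }

    /**
     * Hypothetical pre-check: per the IBM documentation cited in the issue,
     * credsType=initiator and useKeytab are incompatible. Detecting this before
     * calling LoginContext turns a runtime LoginException into a configuration-time
     * message that names the offending combination.
     */
    static String validate(Map<String, String> options) {
        if ("initiator".equals(options.get("credsType")) && options.containsKey("useKeytab")) {
            return "incompatible: credsType=initiator together with useKeytab";
        }
        return "ok";
    }

    public static void main(String[] args) throws MalformedURLException {
        // Placeholder path taken from the issue's CLI example; not read here.
        File keyTab = new File("/path/to/http.keytab");
        boolean[] flags = {false, true};
        for (boolean isServer : flags) {
            for (boolean obtain : flags) {
                Map<String, String> opts = buildIbmOptions(isServer, obtain, keyTab);
                System.out.printf("isServer=%-5s obtainKerberosTicket=%-5s credsType=%-9s -> %s%n",
                        isServer, obtain, opts.get("credsType"), validate(opts));
            }
        }
    }
}
```

Running it shows that only isServer=true with obtainKerberosTicket=false yields credsType=acceptor and passes; the server case with obtain-kerberos-ticket=true, which is the configuration from the reproduction steps, ends up as an initiator with useKeytab set, the combination the IBM login module rejects.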



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

