This fails at the signature validation. Are you using the exact version [1.5.5] of Apache DS as in the link or 1.5.7?

Thanks & regards,
-Prabath

On Mon, Oct 31, 2011 at 3:22 AM, Amila Suriarachchi <am...@wso2.com> wrote:
> Hi,
>
> I did the following to authenticate a client whose details are stored in
> Apache DS to WSO2 AS using Kerberos.
>
> 1. First I configured the Apache DS KDC server for (1.5.5) as given here[1].
> Then I could log in to Apache DS server using Apache Directory Studio using
> Kerberos. So that should be working fine.
>
> 2. I started configuring the WSO2 AS 4.0.0. First put the attached files to
> the repository/conf. Then use the security scenario 16 in the wizard to
> configure the Kerberos. Here I put SPN as ldap/localh...@example.com and
> password as randall (please see the given ldif file in the Kerberos guide).
> Then it generated the policy but when I looked into it password was not
> there.
>
> 3. Finally started the client part following the sample given here[2]. Full
> client has been attached. I put the repository/lib + xalan 2.7.1 jar to the
> class path.
>
> After running the client it sends the message to the server. This can be
> seen from the tcp mon. But at the server it gives the following exception. I
> put the password and edited the server side policy like this as well.
>
> <rampart:kerberosConfig>
>     <rampart:property name="service.principal.name">ldap/localh...@example.com</rampart:property>
>     <rampart:property name="service.principal.password">randall</rampart:property>
> </rampart:kerberosConfig>
>
> GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
>     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>     at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:475)
>     at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:468)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:337)
>     at org.apache.ws.security.processor.KerberosTokenProcessor.acceptSecurityContext(KerberosTokenProcessor.java:468)
>     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:296)
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>     at org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>     at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:619)
> Caused by: KrbException: Integrity check on decrypted field failed (31)
>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
>     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
>     at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
>     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
>     ... 46 more
> [2011-10-30 17:48:54,993] ERROR {org.apache.ws.security.processor.KerberosTokenProcessor} - Integrity check on decrypted field failed (31)
> KrbException: Integrity check on decrypted field failed (31)
>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>     at org.apache.ws.security.kerberos.KrbTicketDecoder.decryptTicket(KrbTicketDecoder.java:99)
>     at org.apache.ws.security.kerberos.KrbTicketDecoder.parseApReq(KrbTicketDecoder.java:90)
>     at org.apache.ws.security.kerberos.KrbTicketDecoder.parseServiceTicket(KrbTicketDecoder.java:67)
>     at org.apache.ws.security.kerberos.KrbTicketDecoder.getSessionKey(KrbTicketDecoder.java:50)
>     at org.apache.ws.security.processor.KerberosTokenProcessor.getSessionKey(KerberosTokenProcessor.java:493)
>     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:297)
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>     at org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>     at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:619)
> [2011-10-30 17:48:54,995] ERROR {org.apache.axis2.engine.AxisEngine} - An error was discovered processing the <wsse:Security> header (Failed to create the security token)
> org.apache.axis2.AxisFault: An error was discovered processing the <wsse:Security> header (Failed to create the security token)
>     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>     at org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>     at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:619)
> Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header (Failed to create the security token)
>     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341)
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>     ... 32 more
>
> What could be the issue?
>
> thanks,
> Amila.
>
> [1] https://cwiki.apache.org/DIRxSRVx11/543-kerberos-in-apacheds-155.html
> [2] http://cache.facilelogin.com/org.wso2.identity.esb.kerberos.zip
>
> _______________________________________________
> Carbon-dev mailing list
> Carbon-dev@wso2.org
> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev

--
Thanks & Regards,
Prabath

http://blog.facilelogin.com
http://RampartFAQ.com