On Sun, Jun 17, 2012 at 11:11 PM, Amila Jayasekara <[email protected]> wrote:
> On Sun, Jun 17, 2012 at 7:57 PM, Hasini Gunasinghe <[email protected]> wrote:
> > Hi,
> >
> > On Sun, Jun 17, 2012 at 2:40 PM, Hasini Gunasinghe <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> I am trying to use IS as KDC server to obtain a kerberos token to talk to
> >> a service in ESB which is secured with security scenario 16.
> >> I observe the following error in IS back end and client fails with "The
> >> security token could not be authenticated or authorized (Kerberos login
> >> failed)"
> >>
> >> WARN {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils} -
> >> No server entry found for kerberos principal name krbtgt/[email protected]
> >> [2012-06-17 14:21:10,694] WARN
> >> {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler} -
> >> Server not found in Kerberos database (7)
> >
> Hi Hasini,
>
> Please find answers inline.
>
> > I was able to overcome the above error by enabling KDC at the first start up
> > of IS. But I am curious to know why it was searching for an entry like:
> > "krbtgt/[email protected]" which we do not specify anywhere.
>
> This is the server Id of the Kerberos TGT. In LDAP servers the
> Kerberos TGT server is also treated as another service principal.
> Therefore this service principal should be there for the client to request
> a ticket.
>
> In Kerberos, the client first sends a TGT request. Only if the client is able
> to get a token to access the KDC server does it then request a ticket to
> access another server. Therefore the TGT server and other servers are treated
> in a similar fashion. The TGT service principal is added when the embedded
> LDAP server is started with the KDC server enabled. Also, only if the KDC
> server is enabled do we add a few kerberos related attributes to user
> principals. At the moment Kerberos related attributes are not added if
> there are already users in the embedded ldap. That is why you had to
> start IS with a fresh schema to get the above attributes.

Thanks a lot for the clarification.

> > Now I am getting the following error at the ESB end: (I have attached the
> > krb5.conf, jaas.conf at ESB end and security policies used at client and
> > server ends).
> > Appreciate any insight on what might be the cause for an error like below:
>
> This could be due to a few reasons,
> 1. The signature algorithms used might be different
> 2. Pre-authentication enabled at server side and client not being able
> to process pre-authentication
> (Can you try disabling pre-authentication in embedded-ldap.xml)
> 3. There is a considerable time skew between server and client

I think it could be reason 1 above, because I've already disabled
pre-authentication according to the instructions in the previous mail thread
and the client and server are running on the same machine. So it can not be
reason 2 or 3. Can you please elaborate more on how 1 can occur? I believe we
should set the algorithms in krb5.conf on the client side and server side. I
specified the same algorithms in both the configuration files. Is there any
other place to mention the algorithms?

Thanks,
Hasini.

> From the log it seems decryption is successful. Therefore I believe
> credentials are correct. It's only the integrity which fails. Therefore
> I believe it could be due to one of the above reasons.
>
> Thanks
> AmilaJ
>
> > GSSException: Failure unspecified at GSS-API level (Mechanism level:
> > Integrity check on decrypted field failed (31))
> >     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
> >     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
> >     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:475)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:468)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at javax.security.auth.Subject.doAs(Subject.java:337)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor.acceptSecurityContext(KerberosTokenProcessor.java:468)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:296)
> >     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
> >     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
> >     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
> >     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
> >     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
> >     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
> >     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
> >     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
> >     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259)
> >     at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >     at java.lang.Thread.run(Thread.java:619)
> > Caused by: KrbException: Integrity check on decrypted field failed (31)
> >     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
> >     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
> >     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
> >     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
> >     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
> >     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
> >     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
> >     at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
> >     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
> >     ... 25 more
> > [2012-06-17 19:46:51,281] ERROR - KerberosTokenProcessor Integrity check on
> > decrypted field failed (31)
> > KrbException: Integrity check on decrypted field failed (31)
> >     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
> >     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
> >     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
> >     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
> >     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
> >     at org.apache.ws.security.kerberos.KrbTicketDecoder.decryptTicket(KrbTicketDecoder.java:99)
> >     at org.apache.ws.security.kerberos.KrbTicketDecoder.parseApReq(KrbTicketDecoder.java:90)
> >     at org.apache.ws.security.kerberos.KrbTicketDecoder.parseServiceTicket(KrbTicketDecoder.java:67)
> >     at org.apache.ws.security.kerberos.KrbTicketDecoder.getSessionKey(KrbTicketDecoder.java:50)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor.getSessionKey(KerberosTokenProcessor.java:493)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:297)
> >     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
> >     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
> >     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
> >     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
> >     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
> >     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
> >     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
> >     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
> >     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259)
> >     at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >     at java.lang.Thread.run(Thread.java:619)
> > [2012-06-17 19:46:51,287] ERROR - AxisEngine An error was discovered
> > processing the <wsse:Security> header (Failed to create the security token)
> > org.apache.axis2.AxisFault: An error was discovered processing the
> > <wsse:Security> header (Failed to create the security token)
> >     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
> >     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
> >     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
> >     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
> >     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
> >     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
> >     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259)
> >     at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >     at java.lang.Thread.run(Thread.java:619)
> > Caused by: org.apache.ws.security.WSSecurityException: An error was
> > discovered processing the <wsse:Security> header (Failed to create the
> > security token)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341)
> >     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
> >     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
> >     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
> >     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
> >     ... 11 more
> > [2012-06-17 19:46:51,288] ERROR - ServerWorker Error processing POST
> > request
> > org.apache.axis2.AxisFault: An error was discovered processing the
> > <wsse:Security> header (Failed to create the security token)
> >     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
> >     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
> >     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
> >     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
> >     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
> >     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
> >     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408)
> >     at org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259)
> >     at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> >     at java.lang.Thread.run(Thread.java:619)
> > Caused by: org.apache.ws.security.WSSecurityException: An error was
> > discovered processing the <wsse:Security> header (Failed to create the
> > security token)
> >     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341)
> >     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
> >     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
> >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
> >     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
> >     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
> >
> > Thanks,
> > Hasini.
> >
> >> Appreciate a lot any insights to overcome it. I have attached
> >> embedded-ldap.xml and user-mgt.xml on the IS side and krb5.conf, security
> >> policy on the client side for reference.
> >>
> >> Let me also mention some of the suggestions for improvements here which I
> >> observed when trying to get the above scenario working.
> >>
> >> 1. "krb5.conf" and "jaas.conf" files are shipped with IS. But the
> >> information in krb5.conf doesn't match the default KDC server shipped with
> >> IS - i.e: realm name and supported algorithms.
> >> I changed the configuration according to the details in the below mail.
> >> I believe it would be useful if we also include the configurations that
> >> match the default KDC server.
> >>
> >> 2. Since the above two files are required for sec scenario 16 to work, I
> >> think it would be useful if we make those files install with the security
> >> management feature so that they will also be available in ESB and AS where
> >> this security scenario is available.
> >>
> >> Thanks,
> >> Hasini.
> >>
> >> ---------- Forwarded message ----------
> >> From: Amila Jayasekara <[email protected]>
> >> Date: Fri, May 25, 2012 at 12:48 PM
> >> Subject: Re: [Architecture] How do we map IS users to Kerberos Principals
> >> To: [email protected], [email protected]
> >>
> >> Hi Srinath,
> >>
> >> Please find answers in-line.
> >>
> >> On Fri, May 25, 2012 at 11:29 AM, Srinath Perera <[email protected]> wrote:
> >> > Hi All,
> >> >
> >> > A few questions
> >> >
> >> > Do we map IS users to Kerberos Principals in our Kerberos (KDC)
> >> > integration with IS?
> >>
> >> Yes, for this you need to use the embedded LDAP server. Please enable the
> >> KDC server in the embedded LDAP configuration
> >> ($CARBON_HOME/repository/conf/embedded-ldap.xml)
> >>
> >> E.g :-
> >>
> >> <KDCServer>
> >>     <Property name="name">defaultKDC</Property>
> >>     <Property name="enabled">true</Property>
> >>     ....
> >> </KDCServer>
> >>
> >> The above will start the KDC server. Also, in order to define service
> >> principals using the UI, please set
> >> "<Property name="kdcEnabled">false</Property>" to true in user-mgt.xml.
> >>
> >> If you already have users defined in LDAP they will not get KDC
> >> attributes. Therefore please remove the content in repository/data and
> >> restart the server.
> >>
> >> > How do we map principals to users? (an example will help)
> >>
> >> Once you enable the KDC server, users will automatically be assigned as
> >> user principals. So if you add a user through the management console that
> >> user will be a Kerberos principal. To define service principals please use
> >> the "Kerberos Principals" menu in the IS UI.
> >>
> >> > What is the domain name and host name we use in principals? How can I
> >> > change them?
> >>
> >> The default domain is set to "wso2.org". You can change the domain using
> >> embedded-ldap.xml.
> >>
> >> <DefaultPartition>
> >>     <Property name="id">root</Property>
> >>     <Property name="realm">wso2.org</Property>
> >>     ...
> >> </DefaultPartition>
> >>
> >> The host is set to localhost. You can change it using the embedded-ldap.xml
> >> <KDCServer> configuration,
> >>
> >> <KDCServer>
> >>     ....
> >>     <Property name="host">localhost</Property>
> >>     ....
> >> </KDCServer>
> >>
> >> > Have we tried our KDC with kinit and klist commands? Please point me
> >> > to instructions
> >>
> >> Yes, we have. You need to set up realm information in /etc/krb5.conf. I am
> >> pasting the content of a sample file [1]. Based on the algorithms you
> >> define in krb5.conf you may need to disable pre-authentication. For the
> >> sample in [1] please disable pre-authentication using
> >> embedded-ldap.xml KDCServer/preAuthenticationTimeStampEnabled.
> >>
> >> E.g :-
> >>
> >> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ kinit [email protected]
> >> Password for [email protected]:
> >> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ klist
> >> Ticket cache: FILE:/tmp/krb5cc_1000
> >> Default principal: [email protected]
> >>
> >> Valid starting     Expires            Service principal
> >> 05/25/12 07:12:02  05/25/12 09:36:02  krbtgt/[email protected]
> >>         renew until 05/26/12 07:12:02
> >>
> >> > If I go and change a user in IS, does that change the associated
> >> > Kerberos Principal as well?
> >>
> >> Changing a user in the sense of changing the password of the user? If so,
> >> the change will take effect. Also, client code needs to make sure it is
> >> not using cached credentials from "kinit".
> >>
> >> Thanks
> >> AmilaJ
> >>
> >> [1]
> >>
> >> [libdefaults]
> >>     default_realm = WSO2.ORG
> >>     default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> >>     default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> >>     permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> >>     allow_weak_crypto = true
> >>
> >> [realms]
> >>     WSO2.ORG = {
> >>         kdc = 127.0.0.1:8000
> >>     }
> >>
> >> [domain_realm]
> >>     .wso2.org = WSO2.ORG
> >>     wso2.org = WSO2.ORG
> >>
> >> [login]
> >>     krb4_convert = true
> >>     krb4_get_tickets = false
> >>
> >> > --Srinath
> >> >
> >> > --
> >> > ============================
> >> > Srinath Perera, Ph.D.
> >> > Senior Software Architect, WSO2 Inc.
> >> > Visiting Faculty, University of Moratuwa
> >> > Member, Apache Software Foundation
> >> > Research Scientist, Lanka Software Foundation
> >> > Blog: http://srinathsview.blogspot.com/
> >> > Photos: http://www.flickr.com/photos/hemapani/
> >> > Phone: 0772360902
> >> >
> >> > _______________________________________________
> >> > Architecture mailing list
> >> > [email protected]
> >> > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
> >>
> >> --
> >> Mobile : +94773330538
> >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
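The enctype checks that reason 1 in the thread calls for, as an added example that is not part of the original thread or of WSO2/Rampart code. It lints the [libdefaults] section of a krb5.conf and reads the enctype the JDK was using out of a KrbException trace like the one quoted above; the sample config is constructed to mirror [1] with one key deliberately mis-typed, and the mapping of JDK EType class names to enctype names is an assumption.

```python
# Added example (not WSO2/Rampart code): lint krb5.conf [libdefaults] for enctype mismatches.
import re
# Constructed sample mirroring [1] in the thread, with one key deliberately
# mis-typed (enCtypes) to show that a typo'd key is silently ignored.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = WSO2.ORG
    default_tgs_enCtypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    allow_weak_crypto = true
[realms]
    WSO2.ORG = { kdc = 127.0.0.1:8000 }
"""
# Constructed sample: the decisive frames of the ESB trace quoted in the thread.
SAMPLE_TRACE = ("Caused by: KrbException: Integrity check on decrypted field failed (31)\n"
                "  at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)")
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
KNOWN_KEYS = set(ENCTYPE_KEYS) | {"default_realm", "allow_weak_crypto", "clockskew",
                                  "dns_lookup_kdc", "dns_lookup_realm", "forwardable"}
WEAK = {"des-cbc-md5", "des-cbc-crc", "des-cbc-md4"}
JDK_ETYPES = {"DesCbcMd5EType": "des-cbc-md5", "DesCbcCrcEType": "des-cbc-crc",  # assumed mapping
              "Des3CbcHmacSha1KdEType": "des3-cbc-sha1", "ArcFourHmacEType": "rc4-hmac"}

def parse_libdefaults(text):
    """Return {key: value} from [libdefaults]; keys are kept verbatim (case-sensitive)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = v
    return out

def lint_libdefaults(conf):
    """Findings that can leave client and KDC disagreeing on enctypes."""
    findings = [f"unknown key '{k}' is ignored (keys are case-sensitive, check for a typo)"
                for k in conf if k not in KNOWN_KEYS]
    lists = {k: tuple(conf[k].split()) for k in ENCTYPE_KEYS if k in conf}
    if len(set(lists.values())) > 1:
        findings.append("enctype lists differ across " + ", ".join(lists))
    weak = sorted({e for v in lists.values() for e in v if e in WEAK})
    if weak and conf.get("allow_weak_crypto", "false").lower() != "true":
        findings.append("weak enctypes need allow_weak_crypto = true: " + ", ".join(weak))
    return findings

def enctype_from_trace(trace):
    # Name the enctype the JDK was using when the integrity check failed, or None.
    m = re.search(r"crypto\.(\w+EType)\.decrypt", trace)
    return JDK_ETYPES.get(m.group(1)) if m else None

def check(conf_text, trace):
    conf = parse_libdefaults(conf_text)
    findings, used = lint_libdefaults(conf), enctype_from_trace(trace)
    if used and used not in conf.get("permitted_enctypes", "").split():
        findings.append(f"server used {used}, which the client config does not permit")
    return used, findings
```

Run `check(SAMPLE_KRB5_CONF, SAMPLE_TRACE)` to see the des-cbc-md5 frame paired with the typo'd-key finding; point it at the real client and KDC-side krb5.conf files to compare their lists.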
