On Sun, Jun 17, 2012 at 11:23 PM, Hasini Gunasinghe <[email protected]> wrote: > > > On Sun, Jun 17, 2012 at 11:11 PM, Amila Jayasekara <[email protected]> wrote: >> >> On Sun, Jun 17, 2012 at 7:57 PM, Hasini Gunasinghe <[email protected]> >> wrote: >> > Hi, >> > >> > On Sun, Jun 17, 2012 at 2:40 PM, Hasini Gunasinghe <[email protected]> >> > wrote: >> >> >> >> Hi, >> >> >> >> I am trying to use IS as KDC server to obtain a kerberos token to talk >> >> to >> >> a service in ESB which is secured with security scenario 16. >> >> I observe the following error in IS back end and client fails with "The >> >> security token could not be authenticated or authorized (Kerberos login >> >> failed)" >> >> >> >> WARN >> >> >> >> {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils} >> >> - >> >> No server entry found for kerberos principal name >> >> krbtgt/[email protected] >> >> [2012-06-17 14:21:10,694] WARN >> >> {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler} >> >> - >> >> Server not found in Kerberos database (7) >> > >> >> Hi Hasini, >> >> Please find answers inline. >> >> > >> > I was able to overcome the above error by enabling KDC at the first >> > start up >> > of IS. But I am curious to know why it was searching for an entry like: >> > "krbtgt/[email protected]" which we do not specify anywhere. >> >> This is the server Id of the Kerberos TGT. In LDAP servers the >> Kerberos TGT server is also treated as another service principal. >> Therefore this service principal should be there for client to request >> a ticket. >> >> In Kerberos client first sends TGT request. If client is able to get a >> token to access KDC server only then it request for a ticket to access >> another server. Therefore TGT server and other servers are treated in >> a similar fashion. The TGT service principal is added when embedded >> LDAP server is started with KDC server enabled. Also if KDC server >> enabled only we add few kerberos related attributes to user >> principals. At the moment Kerberos related attributes are not added if >> there are already users in the embedded ldap. That is why you had to >> start IS with a fresh schema to get above attributes. > > > Thanks a lot for the clarification.. >> >> >> > >> > Now I am getting the following error at the ESB end: (I have attached >> > the >> > krb5.conf, jaas.conf at ESB end and security policies used at client and >> > server ends). >> > Appreciate any insight on what might be the cause for an error like >> > below: >> >> This could be due to few reasons, >> 1. The signature algorithms used might be different >> 2. Pre-authentication enabled at server side and client not being able >> to process pre-authentication >> (Can u try disabling pre-authentication in embedded-ldap.xml) >> 3. There is a considerable time skew between server and client > > > I think it could be the reason 1 above - because I've already disabled > pre-authentication according to the instructions in previous mail thread and > the client and server are running in the same machine. So it can not be > reason 2 or 3. > > Can you please elaborate more on how 1 can occur? I believe we should set > the algorithms in krb5.conf in client side and server side. I specified the > same algorithms in both the configuration files. > > Is there any other place to mention the algorithms?
If you have specified same algorithms both sides, I am not quite sure about cause for the error. Lets try to debug tommorrow and see what is the exact cause is. Also, is it possible for you to check whether above mentioned exception appears when requesting TGT from KDC server or when requesting the server ticket from KDC ? (You may need to enable kerberos level logs in embedded LDAP server) Thanks AmilaJ > > Thanks, > Hasini. >> >> >> From the log it seems decryption is successful. Therefore I believe >> credentials are correct. Its only the integrity which fails. Therefore >> I believe it could be due to one of above reasons. >> >> Thanks >> AmilaJ >> >> > >> > GSSException: Failure unspecified at GSS-API level (Mechanism level: >> > Integrity check on decrypted field failed (31)) >> > at >> > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741) >> > at >> > >> > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323) >> > at >> > >> > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:475) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:468) >> > at java.security.AccessController.doPrivileged(Native Method) >> > at javax.security.auth.Subject.doAs(Subject.java:337) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor.acceptSecurityContext(KerberosTokenProcessor.java:468) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:296) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249) >> > at org.apache.rampart.RampartEngine.process(RampartEngine.java:161) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) >> > at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) >> > at org.apache.axis2.engine.Phase.invoke(Phase.java:313) >> > at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) >> > at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) >> > at >> > >> > org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259) >> > at >> > >> > org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >> > at java.lang.Thread.run(Thread.java:619) >> > Caused by: KrbException: Integrity check on decrypted field failed (31) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33) >> > at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168) >> > at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268) >> > at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134) >> > at >> > >> > sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79) >> > at >> > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724) >> > ... 25 more >> > [2012-06-17 19:46:51,281] ERROR - KerberosTokenProcessor Integrity check >> > on >> > decrypted field failed (31) >> > KrbException: Integrity check on decrypted field failed (31) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125) >> > at >> > >> > sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33) >> > at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168) >> > at >> > >> > org.apache.ws.security.kerberos.KrbTicketDecoder.decryptTicket(KrbTicketDecoder.java:99) >> > at >> > >> > org.apache.ws.security.kerberos.KrbTicketDecoder.parseApReq(KrbTicketDecoder.java:90) >> > at >> > >> > org.apache.ws.security.kerberos.KrbTicketDecoder.parseServiceTicket(KrbTicketDecoder.java:67) >> > at >> > >> > org.apache.ws.security.kerberos.KrbTicketDecoder.getSessionKey(KrbTicketDecoder.java:50) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor.getSessionKey(KerberosTokenProcessor.java:493) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:297) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249) >> > at org.apache.rampart.RampartEngine.process(RampartEngine.java:161) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) >> > at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) >> > at org.apache.axis2.engine.Phase.invoke(Phase.java:313) >> > at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) >> > at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) >> > at >> > >> > org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259) >> > at >> > >> > org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >> > at java.lang.Thread.run(Thread.java:619) >> > [2012-06-17 19:46:51,287] ERROR - AxisEngine An error was discovered >> > processing the <wsse:Security> header (Failed to create the security >> > token) >> > org.apache.axis2.AxisFault: An error was discovered processing the >> > <wsse:Security> header (Failed to create the security token) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) >> > at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) >> > at org.apache.axis2.engine.Phase.invoke(Phase.java:313) >> > at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) >> > at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) >> > at >> > >> > org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259) >> > at >> > >> > org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >> > at java.lang.Thread.run(Thread.java:619) >> > Caused by: org.apache.ws.security.WSSecurityException: An error was >> > discovered processing the <wsse:Security> header (Failed to create the >> > security token) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249) >> > at org.apache.rampart.RampartEngine.process(RampartEngine.java:161) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) >> > ... 11 more >> > [2012-06-17 19:46:51,288] ERROR - ServerWorker Error processing POST >> > request >> > org.apache.axis2.AxisFault: An error was discovered processing the >> > <wsse:Security> header (Failed to create the security token) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) >> > at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340) >> > at org.apache.axis2.engine.Phase.invoke(Phase.java:313) >> > at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262) >> > at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168) >> > at >> > >> > org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:408) >> > at >> > >> > org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:259) >> > at >> > >> > org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:173) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) >> > at >> > >> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) >> > at java.lang.Thread.run(Thread.java:619) >> > Caused by: org.apache.ws.security.WSSecurityException: An error was >> > discovered processing the <wsse:Security> header (Failed to create the >> > security token) >> > at >> > >> > org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292) >> > at >> > >> > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332) >> > at >> > >> > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249) >> > at org.apache.rampart.RampartEngine.process(RampartEngine.java:161) >> > at >> > >> > org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) >> > >> > Thanks, >> > Hasini. >> > >> > >> >> >> >> Appreciate a lot any insights to overcome it. I have attached >> >> embedded-ldap.xml and user-mgt.xml in IS side and krb5.conf, security >> >> policy >> >> in client side for reference. >> >> >> >> Let me also mention some of the suggestions for improvements here which >> >> I >> >> observed when trying to get the above scenario working. >> >> >> >> 1. "krb5.conf" and "jaas.conf" files are shipped with IS. But the >> >> information in krb5.conf doesn't match with default KDC server shipped >> >> with >> >> IS - i.e: realm name and supported algorithms. >> >> I changed the configuration according to the details in the below mail. >> >> I believe it would be useful if we also include the configurations that >> >> match with default KDC server. >> >> >> >> 2. Since above two files are required for sec scenario 16 to work, I >> >> think >> >> it would be useful if we make those files install with security >> >> management >> >> feature so that they will also be available in ESB and AS where this >> >> security scenario is available. >> >> >> >> Thanks, >> >> Hasini. >> >> >> >> >> >> ---------- Forwarded message ---------- >> >> From: Amila Jayasekara <[email protected]> >> >> Date: Fri, May 25, 2012 at 12:48 PM >> >> Subject: Re: [Architecture] How to we map IS users to Kerberos >> >> Principals >> >> To: [email protected], [email protected] >> >> >> >> >> >> Hi Srinath, >> >> >> >> Please find answers in-line. >> >> >> >> On Fri, May 25, 2012 at 11:29 AM, Srinath Perera <[email protected]> >> >> wrote: >> >> > Hi All, >> >> > >> >> > Few questions >> >> > >> >> > Do we map IS users to Kerberos Principals in our Kerberos (KDC) >> >> > integration >> >> > with IS? >> >> >> >> Yes, for this you need to use embedded LDAP server. Please enable KDC >> >> server in embedded LDAP configuration >> >> ($CARBON_HOME/repository/conf/embedded-ldap.xml) >> >> >> >> E.g :- >> >> >> >> <KDCServer> >> >> <Property name="name">defaultKDC</Property> >> >> <Property name="enabled">true</Property> >> >> .... >> >> </KDCServer> >> >> >> >> Above will start the KDC server. Also in-order to define service >> >> principals using UI please set "<Property >> >> name="kdcEnabled">false</Property>" to true in user-mgt.xml. >> >> >> >> If you already have users defined in LDAP they will not get KDC >> >> attributes. Therefore please remove content in repository/data and >> >> restart the server. >> >> >> >> > >> >> > How to do we map principals to users? (example will help) >> >> >> >> Once you enable KDC server, users will automatically assigned as user >> >> principals. So if you add a user through management console that user >> >> will be a Kerberos principal. To define service principals please >> >> "Kerberos Principals" menu in IS ui. >> >> >> >> > what is the domain name and host name we use in principals? How can >> >> > I >> >> > change them? >> >> >> >> Default domain is set to "wso2.org". You can change the domain using >> >> embedded-ldap.xml. >> >> >> >> <DefaultPartition> >> >> <Property name="id">root</Property> >> >> <Property name="realm">wso2.org</Property> >> >> ... >> >> </DefaultPartition> >> >> >> >> Host is set to localhost. You can change it using embedded-ldap.xml >> >> <KDCServer> configuration, >> >> >> >> <KDCServer> >> >> .... >> >> <Property name="host">localhost</Property> >> >> .... >> >> </KDCServer> >> >> >> >> >> >> > Have we tried our KDC with kinit and klist commands? Please point me >> >> > to instructions >> >> >> >> Yes, we have. You need setup realm information /etc/krb5.conf. I am >> >> pasting content of a sample file [1]. Based on the algorithms you >> >> define in krb5.conf you may need to disable pre-authentication. For >> >> sample in [1] please disable pre-authentication using >> >> embedded-ldap.xml KDCServer/preAuthenticationTimeStampEnabled. >> >> >> >> E.g :- >> >> >> >> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ kinit >> >> [email protected] >> >> Password for [email protected]: >> >> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ >> >> amila@aj:~/runenv/Run/kerberos/wso2is-3.2.2/repository/conf$ klist >> >> Ticket cache: FILE:/tmp/krb5cc_1000 >> >> Default principal: [email protected] >> >> >> >> Valid starting Expires Service principal >> >> 05/25/12 07:12:02 05/25/12 09:36:02 krbtgt/[email protected] >> >> renew until 05/26/12 07:12:02 >> >> >> >> >> >> > If I go and change a user in IS, does that change the associated >> >> > Kerberos Principal as well? >> >> >> >> Changing user in the sense, changing password of the user ? If so >> >> change will get affected. Also client code needs to make sure it is >> >> not using cached credentials from "kinit". >> >> >> >> Thanks >> >> AmilaJ >> >> >> >> [1] >> >> >> >> [libdefaults] >> >> default_realm = WSO2.ORG >> >> default_tgs_enCtypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 >> >> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 >> >> permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 >> >> allow_weak_crypto = true >> >> >> >> [realms] >> >> WSO2.ORG = { >> >> kdc = 127.0.0.1:8000 >> >> } >> >> >> >> [domain_realm] >> >> .wso2.org = WSO2.ORG >> >> wso2.org = WSO2.ORG >> >> >> >> [login] >> >> krb4_convert = true >> >> krb4_get_tickets = false >> >> >> >> > >> >> > --Srinath >> >> > >> >> > -- >> >> > ============================ >> >> > Srinath Perera, Ph.D. >> >> > Senior Software Architect, WSO2 Inc. >> >> > Visiting Faculty, University of Moratuwa >> >> > Member, Apache Software Foundation >> >> > Research Scientist, Lanka Software Foundation >> >> > Blog: http://srinathsview.blogspot.com/ >> >> > Photos: http://www.flickr.com/photos/hemapani/ >> >> > Phone: 0772360902 >> >> > >> >> > _______________________________________________ >> >> > Architecture mailing list >> >> > [email protected] >> >> > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > >> >> >> >> >> >> >> >> -- >> >> Mobile : +94773330538 >> >> _______________________________________________ >> >> Architecture mailing list >> >> [email protected] >> >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> >> > >> > >> > _______________________________________________ >> > Dev mailing list >> > [email protected] >> > http://wso2.org/cgi-bin/mailman/listinfo/dev >> > >> >> >> >> -- >> Mobile : +94773330538 > > -- Mobile : +94773330538 _______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
