IBM Jdk Issue Kerberos: Cannot authenticate keytab with credsType=both in JAAS

StackOverflow https://stackoverflow.com/questions/19707616

  •  02-07-2022
  •  | 
  •  

Question

I have a service to service model in which I have a keytab for Kerberos Authentication.

In this model I have defined a login configuration as the follows:-

import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class GSSIbmLoginConfiguration extends Configuration {

private AppConfigurationEntry configEntry;

public GSSIbmLoginConfiguration(String principal, 
                                String credentialCache, 
                                String keytab, 
                                KerberosCredentialUsage usage) {
    Map<String, String> params = new HashMap<String, String>();

    params.put("credsType", "both");
    params.put("renewable", Boolean.TRUE.toString());
    params.put("principal", principal);

    if (credentialCache != null) {
        params.put("useCcache", credentialCache);
    }

    if (keytab != null) {
        params.put("useKeytab", keytab);
    }

    configEntry = new AppConfigurationEntry(
            "com.ibm.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, params);
}

public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
    return new AppConfigurationEntry[] {
            configEntry
    };
}

This login configuration acts as a substitute for jaas.conf

Now I am trying to LoginContext's login method which is working. I am then obtaining subject from it.

Now using this subject I do a privileged action.

private static final class SubjectAction implements PrivilegedExceptionAction<GSSCredential> {

    private final int credentialType;

    private final int credentialLifetime;

    private SubjectAction(int credType, int lifetime) {
        credentialType = credType;
        credentialLifetime = lifetime;
    }

    public GSSCredential run() throws GSSException {
                    GSSManager gssManager = GSSManager.getInstance()
        return gssManager.createCredential(null, credentialLifetime, KRB5_MECH_ID, GSSCredential.INITIATE_AND_ACCEPT);      
    }
}

This fails. The relevant logs(which I digged out after setting log system properties):-

[JGSS_DBG_CRED]  localhost-startStop-1 Creating mech cred for null, mech 1.2.840.113554.1.2.2, usage initiate and accept
[JGSS_DBG_PROV]  localhost-startStop-1 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  localhost-startStop-1 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.2.840.113554.1.2.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  localhost-startStop-1 Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 7.0
[JGSS_DBG_PROV]  localhost-startStop-1 Loading factory
[JGSS_DBG_PROV]  localhost-startStop-1 Factory class name for provider IBMJGSSProvider version 7.0 is com.ibm.security.jgss.mech.krb5.Krb5MechFactory
[JGSS_DBG_PROV]  localhost-startStop-1 Prior to load
[JGSS_DBG_PROV]  localhost-startStop-1 Done to load
[JGSS_DBG_PROV]  localhost-startStop-1 Loaded factory for provider IBMJGSSProvider version 7.0
[JGSS_DBG_PROV]  localhost-startStop-1 Loaded factory ok
[JGSS_DBG_PROV]  localhost-startStop-1 getFactory: index = 1 found factory caller = com.ibm.security.jgss.GSSCaller@e7d4b6d7
[JGSS_DBG_CRED]  localhost-startStop-1  usage: initiate and subject
[JGSS_DBG_CRED]  localhost-startStop-1 Obtaining creds from Krb5Util.ServiceCreds for default service
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(1)
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for    isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(23)
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(3)
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(17)
[JGSS_DBG_CRED]  localhost-startStop-1 acquiring creds for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM

Now what is really perplexing is this:-

[JGSS_DBG_CRED]  localhost-startStop-1 Creating mech cred for null, mech 1.2.840.113554.1.2.2, usage initiate and accept
and then:
[JGSS_DBG_PROV]  localhost-startStop-1 getFactory: index = 1 found factory caller = com.ibm.security.jgss.GSSCaller@e7d4b6d7
[JGSS_DBG_CRED]  localhost-startStop-1  usage: initiate and subject

The first part is for the createCredential itself. However the second seems to be for some mechanism factory related call(kerberos in this case). Now after this File based cred cache auth is getting initiated.

[KRB_DBG_CCHE] FileCredentialsCache:localhost-startStop-1:   >>>KinitOptions cache name is /export/home/ispqa95/krb5cc_ispqa95
[KRB_DBG_CCHE] FileCredentialsCache:localhost-startStop-1:   >>> FileCredentialsCache default name is: /export/home/ispqa95/krb5cc_ispqa95
[KRB_DBG_CCHE] FileCredentialsCache:localhost-startStop-1:   >>>FileCredentialsCache: read ccache version 0x503
[KRB_DBG_KDC] KrbDataInputStream:localhost-startStop-1:   >>>KrbDataInputStream: Bytes read: 0000: 49 4e 46 41 4b 52 42 2e  49 4e 46 41 44 45 56 2e  INFAKRB.INFADEV.

0010: 43 4f 4d COM

[KRB_DBG_KDC] KrbDataInputStream:localhost-startStop-1:   >>> CCacheInputStream: equiv string: INFAKRB.INFADEV.COM
[KRB_DBG_CCHE] CCacheInputStream:localhost-startStop-1:   >>> readPrincipal: read realm INFAKRB.INFADEV.COM
[KRB_DBG_KDC] KrbDataInputStream:localhost-startStop-1:   >>>KrbDataInputStream: Bytes read: 0000: 6e 61 67 61 72 6c 61                               nagarla

Which means somehow the mechanism factory is getting wrong value.

I tried decompiling IBM jars (ibmjgssprovider.jar) but it seems that class names inside is garbled(replaced by a,b, xy etc).

This ultimately leads to:- java.io.IOException: Primary principals do not match

Being propietary, I am having a hard time figuring out IBM behaviour. OpenJdk dosent help much.

Can someone help. Is it some system property my product is setting that can cause such a behavior?

I am trying to check for all possible system properties at time of execution. Please let me know if something else is needed.

Also can someone point to some IBM JDK Security forum as well? I would like to post this issue there as well.

Was it helpful?

Solution

Ok I figured out how to solve this issue:-

A system property: 

-Djavax.security.auth.useSubjectCredsOnly=true

must be set during startup, otherwise the credential used by IBM is default one(which it tries to fetch from File based credential cache in case of AIX)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top