I double checked Kerberos - scenario 16 - having AD as KDC with ESB
4.0 - and it works fine - added a comment to the related JIRA with
pointers..

AmilaM is testing with ApacheDS..

Thanks & regards,
-Prabath

On Mon, Oct 31, 2011 at 3:29 PM, Amila Suriarachchi <am...@wso2.com> wrote:
>
>
> On Sun, Oct 30, 2011 at 9:47 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>>
>> Also, please check whether you have the following in the policy at the
>> service end [it was in the client-side policy you attached]
>>
>> <rampart:property name="kdc.des.aes.factor">4</rampart:property>
>
> I tried adding this at both sides and removing it as well. Could not get it
> working.
>
> thanks,
> Amila.
>>
>> Thanks & regards,
>> -Prabath
>>
>>
>> On Mon, Oct 31, 2011 at 7:12 AM, Prabath Siriwardena <prab...@wso2.com>
>> wrote:
>> > This fails at the signature validation.. Are you using the exact
>> > version [1.5.5] of Apache DS as in the link or 1.5.7?
>> >
>> > Thanks & regards,
>> > -Prabath
>> >
>> > On Mon, Oct 31, 2011 at 3:22 AM, Amila Suriarachchi <am...@wso2.com>
>> > wrote:
>> >> Hi,
>> >>
>> >> I did the following to authenticate a client whose details are stored
>> >> in Apache DS to WSO2 AS using Kerberos.
>> >>
>> >> 1. First I configured the Apache DS KDC server (1.5.5) as given
>> >> here[1]. Then I could log in to the Apache DS server using Apache
>> >> Directory Studio using Kerberos. So that should be working fine.
>> >>
>> >> 2. I started configuring the WSO2 AS 4.0.0. First put the attached
>> >> files to the repository/conf. Then use the security scenario 16 in the
>> >> wizard to configure Kerberos. Here I put the SPN as
>> >> ldap/localh...@example.com and the password as randall (please see the
>> >> given ldif file in the Kerberos guide). Then it generated the policy,
>> >> but when I looked into it the password was not there.
>> >>
>> >> 3. Finally I started the client part following the sample given
>> >> here[2]. The full client has been attached. I put the repository/lib
>> >> + xalan 2.7.1 jar on the class path.
>> >>
>> >> After running the client it sends the message to the server. This can
>> >> be seen from TCPMon. But at the server it gives the following
>> >> exception. I put the password and edited the server side policy like
>> >> this as well.
>> >>
>> >> <rampart:kerberosConfig>
>> >>   <rampart:property name="service.principal.name">ldap/localh...@example.com</rampart:property>
>> >>   <rampart:property name="service.principal.password">randall</rampart:property>
>> >> </rampart:kerberosConfig>
>> >>
>> >> GSSException: Failure unspecified at GSS-API level (Mechanism level:
>> >> Integrity check on decrypted field failed (31))
>> >>     at
>> >>
>> >> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>> >>     at
>> >>
>> >> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>> >>     at
>> >>
>> >> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:475)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:468)
>> >>     at java.security.AccessController.doPrivileged(Native Method)
>> >>     at javax.security.auth.Subject.doAs(Subject.java:337)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor.acceptSecurityContext(KerberosTokenProcessor.java:468)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:296)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>> >>     at
>> >>
>> >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>> >>     at
>> >>
>> >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>> >>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>> >>     at
>> >>
>> >> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at
>> >>
>> >> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at
>> >>
>> >> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at
>> >>
>> >> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >> org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>> >>     at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>> >>     at
>> >>
>> >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>> >>     at
>> >>
>> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>> >>     at
>> >> org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>> >>     at
>> >>
>> >> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at
>> >>
>> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>> >>     at
>> >>
>> >> org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>> >>     at
>> >>
>> >> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>> >>     at
>> >>
>> >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>> >>     at
>> >>
>> >> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at
>> >>
>> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:619)
>> >> Caused by: KrbException: Integrity check on decrypted field failed (31)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>> >>     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
>> >>     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
>> >>     at
>> >>
>> >> sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
>> >>     at
>> >>
>> >> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
>> >>     ... 46 more
>> >> [2011-10-30 17:48:54,993] ERROR
>> >> {org.apache.ws.security.processor.KerberosTokenProcessor} -  Integrity
>> >> check
>> >> on decrypted field failed (31)
>> >> KrbException: Integrity check on decrypted field failed (31)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
>> >>     at
>> >>
>> >> sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>> >>     at
>> >>
>> >> org.apache.ws.security.kerberos.KrbTicketDecoder.decryptTicket(KrbTicketDecoder.java:99)
>> >>     at
>> >>
>> >> org.apache.ws.security.kerberos.KrbTicketDecoder.parseApReq(KrbTicketDecoder.java:90)
>> >>     at
>> >>
>> >> org.apache.ws.security.kerberos.KrbTicketDecoder.parseServiceTicket(KrbTicketDecoder.java:67)
>> >>     at
>> >>
>> >> org.apache.ws.security.kerberos.KrbTicketDecoder.getSessionKey(KrbTicketDecoder.java:50)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor.getSessionKey(KerberosTokenProcessor.java:493)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:297)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>> >>     at
>> >>
>> >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>> >>     at
>> >>
>> >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>> >>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>> >>     at
>> >>
>> >> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at
>> >>
>> >> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at
>> >>
>> >> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at
>> >>
>> >> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >> org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>> >>     at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>> >>     at
>> >>
>> >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>> >>     at
>> >>
>> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>> >>     at
>> >> org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>> >>     at
>> >>
>> >> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at
>> >>
>> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>> >>     at
>> >>
>> >> org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>> >>     at
>> >>
>> >> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>> >>     at
>> >>
>> >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>> >>     at
>> >>
>> >> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at
>> >>
>> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:619)
>> >> [2011-10-30 17:48:54,995] ERROR {org.apache.axis2.engine.AxisEngine} -
>> >> An
>> >> error was discovered processing the <wsse:Security> header (Failed to
>> >> create
>> >> the security token)
>> >> org.apache.axis2.AxisFault: An error was discovered processing the
>> >> <wsse:Security> header (Failed to create the security token)
>> >>     at
>> >>
>> >> org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
>> >>     at
>> >>
>> >> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at
>> >>
>> >> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at
>> >>
>> >> org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at
>> >>
>> >> org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at
>> >>
>> >> org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >> org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>> >>     at
>> >>
>> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>> >>     at
>> >>
>> >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>> >>     at
>> >>
>> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>> >>     at
>> >> org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>> >>     at
>> >>
>> >> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>> >>     at
>> >>
>> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at
>> >>
>> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>> >>     at
>> >>
>> >> org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>> >>     at
>> >>
>> >> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>> >>     at
>> >>
>> >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>> >>     at
>> >>
>> >> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at
>> >>
>> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:619)
>> >> Caused by: org.apache.ws.security.WSSecurityException: An error was
>> >> discovered processing the <wsse:Security> header (Failed to create the
>> >> security token)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>> >>     at
>> >>
>> >> org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>> >>     at
>> >>
>> >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>> >>     at
>> >>
>> >> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>> >>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>> >>     at
>> >>
>> >> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>> >>     ... 32 more
>> >>
>> >> What could be the issue?
>> >>
>> >> thanks,
>> >> Amila.
>> >>
>> >> [1]
>> >> https://cwiki.apache.org/DIRxSRVx11/543-kerberos-in-apacheds-155.html
>> >> [2] http://cache.facilelogin.com/org.wso2.identity.esb.kerberos.zip
>> >>
>> >> _______________________________________________
>> >> Carbon-dev mailing list
>> >> Carbon-dev@wso2.org
>> >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Thanks & Regards,
>> > Prabath
>> >
>> > http://blog.facilelogin.com
>> > http://RampartFAQ.com
>> >
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com
>
>
>
>



-- 
Thanks & Regards,
Prabath

http://blog.facilelogin.com
http://RampartFAQ.com
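As an added example (not code from this thread, from Apache Rampart or from WSO2), the following Python helper does what a responder does by hand with a trace like the one Amila posted: walk the `Caused by:` chain to the root exception, pull out the numeric Kerberos error code, map it to its RFC 4120 name, and record which JRE encryption-type class and which Kerberos exchange appear in the frames. The code tables, the OpenJDK `sun.security.krb5` class names and the hint text are this example's own assumptions drawn from RFC 4120 and OpenJDK, not conclusions the thread states; the sample log is a constructed, abridged version of the trace above.

```python
"""Triage helper for JGSS / Kerberos failures in Java application logs.

Added example, not code from the thread, from Apache Rampart or from WSO2.
Tables below are assumptions drawn from RFC 4120 section 7.5.9 and the
OpenJDK sun.security.krb5 package; the sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "Class: message" head line, or "Caused by: Class: message" line, of a Java trace.
CAUSE_LINE = re.compile(
    r"^(?:Caused by: )?([A-Za-z_$][\w.$]*(?:Exception|Error|Fault)): (.*)$")
# "    at pkg.Class.method(File.java:NN)" frame line; captures pkg.Class.method.
FRAME_LINE = re.compile(r"^\s+at ([\w.$]+)\(")
# Numeric Kerberos error code the JRE appends to its messages, e.g. "(31)".
CODE_IN_MSG = re.compile(r"\((\d+)\)")

# RFC 4120 section 7.5.9 error codes (subset commonly surfaced by the JRE).
KRB_ERROR_CODES = {
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED",
}
# OpenJDK sun.security.krb5.internal.crypto class -> (enctype name, etype number).
JRE_ETYPE_CLASSES = {
    "DesCbcCrcEType": ("des-cbc-crc", 1), "DesCbcMd5EType": ("des-cbc-md5", 3),
    "ArcFourHmacEType": ("rc4-hmac", 23),
    "Aes128CtsHmacSha1EType": ("aes128-cts-hmac-sha1-96", 17),
    "Aes256CtsHmacSha1EType": ("aes256-cts-hmac-sha1-96", 18),
}
# Which Kerberos exchange a sun.security.krb5 class belongs to.
PHASE_BY_CLASS = {
    "sun.security.krb5.KrbAsReq": "AS exchange (client obtaining a TGT)",
    "sun.security.krb5.KrbTgsReq": "TGS exchange (client obtaining a service ticket)",
    "sun.security.krb5.KrbApReq": "AP-REQ processing (service decrypting the ticket with its own key)",
}
# Defender-side hints: what to compare on the two sides, not a fix.
HINTS = {
    31: ("Decryption used a key that does not match the one the KDC used: compare the "
         "service principal's password/keytab entry, the principal name and realm it was "
         "derived from, and the key version number and enctype on both sides."),
    37: "Clock skew between client, service and KDC exceeds the allowed window.",
    14: "The requested enctype is not enabled on the KDC or in the JRE configuration.",
}


@dataclass
class Triage:
    chain: List[Tuple[str, str]]   # (exception class, message), outermost first
    root_exception: str
    root_message: str
    krb_code: Optional[int]
    krb_code_name: Optional[str]
    etype: Optional[Tuple[str, int]]
    phase: Optional[str]
    hint: Optional[str]


def parse_cause_chain(log_text: str) -> List[Tuple[str, str]]:
    """Return the head exception followed by each 'Caused by:' exception."""
    matches = (CAUSE_LINE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in matches if m]


def extract_krb_code(message: str) -> Optional[int]:
    """Last parenthesised integer in the message, e.g. 31 from '... failed (31)'."""
    codes = CODE_IN_MSG.findall(message)
    return int(codes[-1]) if codes else None


def detect_context(log_text: str):
    """Scan frames for the JRE enctype class and the Kerberos exchange in use."""
    etype, phase = None, None
    for line in log_text.splitlines():
        m = FRAME_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(".")      # pkg ... Class method
        if len(parts) < 2:
            continue
        qualified, simple = ".".join(parts[:-1]), parts[-2]
        etype = etype or JRE_ETYPE_CLASSES.get(simple)
        phase = phase or PHASE_BY_CLASS.get(qualified)
    return etype, phase


def triage(log_text: str) -> Triage:
    chain = parse_cause_chain(log_text)
    if not chain:
        raise ValueError("no Java exception lines found")
    root_exc, root_msg = chain[-1]        # innermost 'Caused by' is the real failure
    code = extract_krb_code(root_msg)
    etype, phase = detect_context(log_text)
    return Triage(chain, root_exc, root_msg, code, KRB_ERROR_CODES.get(code),
                  etype, phase, HINTS.get(code))


# Constructed sample: an abridged version of the trace posted in the thread.
SAMPLE_LOG = """\
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:475)
Caused by: KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
    ... 46 more
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"root cause : {t.root_exception}: {t.root_message}")
    print(f"krb code   : {t.krb_code} ({t.krb_code_name})")
    print(f"enctype    : {t.etype}")
    print(f"phase      : {t.phase}")
    print(f"hint       : {t.hint}")
```

Run against the sample, the helper reports code 31 (KRB_AP_ERR_BAD_INTEGRITY) raised inside AP-REQ processing with a single-DES enctype, which tells the responder the failure is on the service side when it decrypts the ticket, not at the KDC, and points the comparison at the service's key material rather than at the client.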
