I double checked Kerberos - scenario 16 - having AD as KDC with ESB 4.0 - and it works fine - added a comment to the related JIRA with pointers..

AmilaM is testing with ApacheDS..

Thanks & regards,
-Prabath

On Mon, Oct 31, 2011 at 3:29 PM, Amila Suriarachchi <am...@wso2.com> wrote:
>
> On Sun, Oct 30, 2011 at 9:47 PM, Prabath Siriwardena <prab...@wso2.com> wrote:
>>
>> Also, please check whether you have the following in the policy at the
>> service end [it was in the client side policy you attached]
>>
>> <rampart:property name="kdc.des.aes.factor">4</rampart:property>
>
> I tried adding this at both sides and removing it as well. Could not get it
> working.
>
> thanks,
> Amila.
>
>> Thanks & regards,
>> -Prabath
>>
>> On Mon, Oct 31, 2011 at 7:12 AM, Prabath Siriwardena <prab...@wso2.com> wrote:
>> > This fails at the signature validation.. Are you using the exact
>> > version [1.5.5] of Apache DS as in the link or 1.5.7?
>> >
>> > Thanks & regards,
>> > -Prabath
>> >
>> > On Mon, Oct 31, 2011 at 3:22 AM, Amila Suriarachchi <am...@wso2.com> wrote:
>> >> hi,
>> >>
>> >> I did the following to authenticate a client whose details are stored in
>> >> Apache DS to WSO2 AS using Kerberos.
>> >>
>> >> 1. First I configured the Apache DS KDC server (1.5.5) as given here [1].
>> >> Then I could log in to the Apache DS server using Apache Directory Studio
>> >> using Kerberos. So that should be working fine.
>> >>
>> >> 2. I started configuring the WSO2 AS 4.0.0. First I put the attached files
>> >> into repository/conf. Then I used security scenario 16 in the wizard to
>> >> configure Kerberos. Here I put the SPN as ldap/localh...@example.com and the
>> >> password as randall (please see the given ldif file in the Kerberos guide).
>> >> Then it generated the policy, but when I looked into it the password was not
>> >> there.
>> >>
>> >> 3. Finally I started the client part following the sample given here [2].
>> >> The full client has been attached. I put repository/lib + the xalan 2.7.1 jar
>> >> on the class path.
>> >>
>> >> After running the client it sends the message to the server. This can be
>> >> seen from the TCP mon. But at the server it gives the following exception. I
>> >> put the password in and edited the server side policy like this as well.
>> >>
>> >> <rampart:kerberosConfig>
>> >>     <rampart:property name="service.principal.name">ldap/localh...@example.com</rampart:property>
>> >>     <rampart:property name="service.principal.password">randall</rampart:property>
>> >> </rampart:kerberosConfig>
>> >>
>> >> GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
>> >>     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>> >>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>> >>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:475)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor$1.run(KerberosTokenProcessor.java:468)
>> >>     at java.security.AccessController.doPrivileged(Native Method)
>> >>     at javax.security.auth.Subject.doAs(Subject.java:337)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor.acceptSecurityContext(KerberosTokenProcessor.java:468)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:296)
>> >>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>> >>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>> >>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>> >>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>> >>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>> >>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>> >>     at org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>> >>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>> >>     at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>> >>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>> >>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:619)
>> >> Caused by: KrbException: Integrity check on decrypted field failed (31)
>> >>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
>> >>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
>> >>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>> >>     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
>> >>     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
>> >>     at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
>> >>     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
>> >>     ... 46 more
>> >> [2011-10-30 17:48:54,993] ERROR {org.apache.ws.security.processor.KerberosTokenProcessor} - Integrity check on decrypted field failed (31)
>> >> KrbException: Integrity check on decrypted field failed (31)
>> >>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
>> >>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
>> >>     at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
>> >>     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
>> >>     at org.apache.ws.security.kerberos.KrbTicketDecoder.decryptTicket(KrbTicketDecoder.java:99)
>> >>     at org.apache.ws.security.kerberos.KrbTicketDecoder.parseApReq(KrbTicketDecoder.java:90)
>> >>     at org.apache.ws.security.kerberos.KrbTicketDecoder.parseServiceTicket(KrbTicketDecoder.java:67)
>> >>     at org.apache.ws.security.kerberos.KrbTicketDecoder.getSessionKey(KrbTicketDecoder.java:50)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor.getSessionKey(KerberosTokenProcessor.java:493)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:297)
>> >>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>> >>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>> >>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>> >>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>> >>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>> >>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>> >>     at org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>> >>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>> >>     at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>> >>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>> >>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:619)
>> >> [2011-10-30 17:48:54,995] ERROR {org.apache.axis2.engine.AxisEngine} - An error was discovered processing the <wsse:Security> header (Failed to create the security token)
>> >> org.apache.axis2.AxisFault: An error was discovered processing the <wsse:Security> header (Failed to create the security token)
>> >>     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
>> >>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
>> >>     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
>> >>     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
>> >>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
>> >>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:168)
>> >>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
>> >>     at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
>> >>     at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:206)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
>> >>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.wso2.carbon.bridge.BridgeServlet.service(BridgeServlet.java:155)
>> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
>> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
>> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
>> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
>> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
>> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>> >>     at org.wso2.carbon.server.TomcatServer$1.invoke(TomcatServer.java:241)
>> >>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
>> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
>> >>     at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:396)
>> >>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:356)
>> >>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1534)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>> >>     at java.lang.Thread.run(Thread.java:619)
>> >> Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header (Failed to create the security token)
>> >>     at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341)
>> >>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:292)
>> >>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:120)
>> >>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
>> >>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>> >>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:161)
>> >>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
>> >>     ... 32 more
>> >>
>> >> What could be the issue?
>> >>
>> >> thanks,
>> >> Amila.
>> >>
>> >> [1] https://cwiki.apache.org/DIRxSRVx11/543-kerberos-in-apacheds-155.html
>> >> [2] http://cache.facilelogin.com/org.wso2.identity.esb.kerberos.zip
>> >
>> > --
>> > Thanks & Regards,
>> > Prabath
>> >
>> > http://blog.facilelogin.com
>> > http://RampartFAQ.com
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com

--
Thanks & Regards,
Prabath

http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________
Carbon-dev mailing list
Carbon-dev@wso2.org
http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev