OpenAM / OPENAM-15900

Kerberos fails when used with IBM JDK

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 6.5.2.1, 7.0.0, 6.5.2.2, 5.5.2
    • Fix Version/s: 6.5.3, 7.0.0, 5.5.2
    • Component/s: authentication
    • Environment:
      IBM JDK with IBM JAAS configuration:

      -DamCryptoDescriptor.provider=IBMJCE
      -DamKeyGenDescriptor.provider=IBMJCE
      -Dcom.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule=com.ibm.security.auth.module.Krb5LoginModule
    • Sprint:
      AM Sustaining Sprint 71, AM Sustaining Sprint 72, AM Sustaining Sprint 73
    • Story Points:
      3
    • Needs backport:
      No
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Since OPENAM-13088, the JAAS configuration passed to the Kerberos login module includes the isInitiator option. The IBM Krb5LoginModule does not recognise that option, so Windows Desktop SSO fails with:

      amAuthWindowsDesktopSSO:02/04/2020 12:56:20:432 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[dd67820b-8dd0-47eb-8b6a-739c7fecf929-1652]
      Stack trace:
      javax.security.auth.login.LoginException: Bad JAAS configuration: unrecognized option: isInitiator
              at com.ibm.security.jgss.i18n.I18NException.throwLoginException(Unknown Source)
              at com.ibm.security.auth.module.Krb5LoginModule.d(Unknown Source)
              at com.ibm.security.auth.module.Krb5LoginModule.a(Unknown Source)
              at com.ibm.security.auth.module.Krb5LoginModule.login(Unknown Source)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
              at java.lang.reflect.Method.invoke(Method.java:508)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
      

      How to reproduce the issue

      1. Install AM into WebSphere, or for simplicity into Tomcat running on the IBM JDK
      2. Set the IBM JDK system properties (with a blank keystore.jceks, as in the installation docs):
        -DamCryptoDescriptor.provider=IBMJCE
        -DamKeyGenDescriptor.provider=IBMJCE
        -Dcom.sun.identity.authentication.module.WindowsDesktopSSO.Krb5LoginModule=com.ibm.security.auth.module.Krb5LoginModule

      3. Configure a WSSO module and test it

      Expected behaviour
      WSSO authentication works.

      Current behaviour
      WSSO on the IBM JDK fails with the exception shown above in the amAuthWindowsDesktopSSO debug log.
      If the JDK is changed to OpenJDK (without those IBM settings), it works.
      

      Work around

      Do not use the IBM JDK if possible.

      Code analysis

      WindowsDesktopConfig.java
      ...
      110            hashmap.put("isInitiator", Boolean.toString(isInitiator));
      111            if (kerberosModuleName.equalsIgnoreCase("com.ibm.security.auth.module.Krb5LoginModule")) {
      ....

      Line 110 runs before the module check, so the IBM module is handed an option it does not know. The put at line 110 should be moved into the non-IBM branch (the else of the check at line 111); that should fix this.

      Other: consistency and impact of reconciling isInitiator with the IBM credsType

      The IBM module has its own credsType option (https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jgssDocs/jaas_login_user.html), which AM currently sets to "acceptor". A possible enhancement for the IBM branch is to derive credsType from the isInitiator value and deprecate the hidden switch
      "com.sun.identity.authentication.module.WindowsDesktopSSO.credsType"
      (or default it to null), so that the isInitiator setting is the single source of truth.
      PS: The catch is that isInitiator defaults to true, which may cause problems on migration when the prior value was false / acceptor only.

      Proposed reconciliation for the IBM branch (isInitiator is only emitted for the non-IBM module):

                  if (kerberosModuleName.equalsIgnoreCase("com.ibm.security.auth.module.Krb5LoginModule")) {
                      hashmap.put("useKeytab", keytab);
                      hashmap.put("refreshKrb5Config", "false");
                      // null-safe compare, in case the hidden credsType switch is later defaulted to null
                      if (isInitiator && "acceptor".equals(credsType)) {
                          // isInitiator conflicts with an acceptor-only credsType: promote to "both".
                          hashmap.put("credsType", "both");
                      } else {
                          hashmap.put("credsType", credsType);
                      }
                  } else {
                      hashmap.put("isInitiator", Boolean.toString(isInitiator));
                      hashmap.put("storeKey", "true");
                      hashmap.put("useKeyTab", "true");
                      hashmap.put("keyTab", keytab);
                      hashmap.put("doNotPrompt", "true");
                      hashmap.put("refreshKrb5Config", refreshConf);
                  }
      
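      The following is an added, stand-alone example written for this ticket; it is not OpenAM code. It builds the JAAS option map for whichever Krb5LoginModule WSSO is configured with, keeps isInitiator out of the IBM branch, derives credsType from isInitiator when the hidden switch is unset, and then checks the map against the option names each module accepts, failing the same way the IBM module does. The principal value, the keytab path, and the option-name sets are assumptions for illustration (both modules accept more options than are listed).

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not OpenAM code: per-module JAAS option map for the
 * Kerberos login module used by WindowsDesktopSSO. The IBM module rejects
 * options it does not know ("Bad JAAS configuration: unrecognized option"),
 * so the initiator/acceptor role is carried by credsType there and by
 * isInitiator for the OpenJDK/Oracle module.
 */
public class KrbLoginOptions {

    static final String IBM_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";

    // Option names this example emits per module (assumption; the modules
    // accept further options that are not used here).
    static final Set<String> IBM_OPTIONS = new HashSet<>(Arrays.asList(
            "principal", "useKeytab", "refreshKrb5Config", "credsType"));
    static final Set<String> SUN_OPTIONS = new HashSet<>(Arrays.asList(
            "principal", "isInitiator", "storeKey", "useKeyTab",
            "keyTab", "doNotPrompt", "refreshKrb5Config"));

    static Map<String, String> build(String moduleName, String principal, String keytab,
                                     boolean isInitiator, String credsType, String refreshConf) {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", principal); // assumed to be set elsewhere in AM
        if (IBM_MODULE.equalsIgnoreCase(moduleName)) {
            // IBM module: never emit isInitiator; the role lives in credsType.
            opts.put("useKeytab", keytab);
            opts.put("refreshKrb5Config", "false");
            if (credsType == null) {
                // Hidden credsType switch unset: derive the role from isInitiator.
                // WSSO must still accept the browser's SPNEGO token, so an
                // initiator needs "both", not "initiator".
                credsType = isInitiator ? "both" : "acceptor";
            } else if (isInitiator && "acceptor".equals(credsType)) {
                // isInitiator conflicts with an acceptor-only credsType: promote to both.
                credsType = "both";
            }
            opts.put("credsType", credsType);
        } else {
            // OpenJDK/Oracle Krb5LoginModule: isInitiator is a known option here.
            opts.put("isInitiator", Boolean.toString(isInitiator));
            opts.put("storeKey", "true");
            opts.put("useKeyTab", "true");
            opts.put("keyTab", keytab);
            opts.put("doNotPrompt", "true");
            opts.put("refreshKrb5Config", refreshConf);
        }
        return opts;
    }

    /** Fails like the IBM module when an option the target module does not know slips through. */
    static void validate(String moduleName, Map<String, String> opts) {
        Set<String> known = IBM_MODULE.equalsIgnoreCase(moduleName) ? IBM_OPTIONS : SUN_OPTIONS;
        for (String key : opts.keySet()) {
            if (!known.contains(key)) {
                throw new IllegalArgumentException("Bad JAAS configuration: unrecognized option: " + key);
            }
        }
    }

    public static void main(String[] args) {
        String principal = "HTTP/am.example.com@EXAMPLE.COM"; // constructed value
        String keytab = "/etc/openam/http.keytab";              // constructed value

        // The bug in this ticket: isInitiator put before the module check, so the
        // IBM module sees it and the login fails.
        Map<String, String> buggy = build(IBM_MODULE, principal, keytab, true, "acceptor", "true");
        buggy.put("isInitiator", "true");
        try {
            validate(IBM_MODULE, buggy);
        } catch (IllegalArgumentException e) {
            System.out.println("before fix: " + e.getMessage());
        }

        // After the fix: IBM gets credsType=both and no isInitiator.
        Map<String, String> ibm = build(IBM_MODULE, principal, keytab, true, "acceptor", "true");
        validate(IBM_MODULE, ibm);
        System.out.println("IBM: " + ibm);

        // The non-IBM module keeps isInitiator and never receives credsType.
        String sunModule = "com.sun.security.auth.module.Krb5LoginModule";
        Map<String, String> sun = build(sunModule, principal, keytab, true, null, "true");
        validate(sunModule, sun);
        System.out.println("Sun: " + sun);
    }
}
```

      Run it with any JDK 8 or later (it does not perform a real Kerberos login, so no KDC or keytab is needed). The validate step is the check worth keeping in mind when touching this code path: the IBM module is strict about unknown options, so any option added for the OpenJDK module must stay inside the non-IBM branch.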

            People

            • Assignee: C-Weng C (chee-weng.chea)
            • Reporter: C-Weng C (chee-weng.chea)
            • Votes: 1
            • Watchers: 3
