Tuesday, April 22, 2014

Common pitfalls in Kerberos Authentication Using WSO2 Products

Recently I was going through the article written by Amilj on "Kerberos Authentication Using WSO2 Products" and ran into some issues. Since these are common mistakes, I thought of putting my solutions in this blog post so that it will be useful to anyone who's trying the above article.

Following are the WSO2 products I used
After setting up everything according to the article and running the client, I came across the following issues.

Issue 01 :

     [java] log4j:WARN No appenders could be found for logger (org.apache.axiom.om.util.StAXUtils).
     [java] log4j:WARN Please initialize the log4j system properly.
     [java] Calling Echo service with parameter - Hello World
     [java] org.apache.axis2.AxisFault: Error in building kereberos token
     [java]     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
     [java]     at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
     [java]     at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
     [java]     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
     [java]     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
     [java]     at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
     [java]     at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
     [java]     at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
     [java]     at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
     [java]     at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
     [java]     at org.wso2.identity.esb.kerberos.KerberosClient.run(KerberosClient.java:111)
     [java]     at org.wso2.identity.esb.kerberos.KerberosClient.main(KerberosClient.java:43)
     [java] Caused by: org.apache.rampart.RampartException: Error in building kereberos token
     [java]     at org.apache.rampart.builder.BindingBuilder.getKerberosTokenBuilder(BindingBuilder.java:936)
     [java]     at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:425)
     [java]     at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:86)
     [java]     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
     [java]     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.jav


Observed the above exception on the Java client side.

Solution :

- Checked wso2carbon.log and found some warnings

TID: [0] [IS] [2014-04-22 22:18:31,628]  WARN {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils} -  No server entry found for kerberos principal name pavithra@WSO2.ORG {org.apache.directory.server.kerberos.shared.store.operations.StoreUtils}
TID: [0] [IS] [2014-04-22 22:18:31,629]  WARN {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler} -  Client not found in Kerberos database (6) {org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler}


If you need more details, enable debug logs by adding the following entry in IS_HOME/repository/conf/log4j.properties:

log4j.logger.org.apache.directory.server.kerberos=DEBUG

- But I've created the client principal correctly

- So checked the KDC (i.e. Embedded LDAP in Identity Server) through Apache DS browser to make sure that the client principal name has been added correctly.



- There I observed that "_carbon.super" has been added to the client principal name. So when I added a user named pavithra through users and roles, the client principal name became pavithra_carbon.super@WSO2.ORG

- Change the following property in policy-1.xml in the Java client

Previously it was :



Change it to :



- Now if you run the client again, it should successfully return the response from the secured service

- But I came across another issue :)

Issue 02 :

- When running the Java client, it threw the following exception

org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78)
    at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:622)
    at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:193)
    at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451)
    at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278)
    at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
    at org.wso2.identity.esb.kerberos.KerberosClient.main(KerberosClient.java:91)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: com.ctc.wstx.exc.WstxIOException: Connection has been shutdown: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1692)
    at com.ctc.wstx.sw.BaseStreamWriter.close(BaseStreamWriter.java:288)
    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.close(XMLStreamWriterWrapper.java:46)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.close(MTOMXMLStreamWriter.java:188)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:844)
    at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:74)
    ... 24 more
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1325)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1337)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:44)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
    at org.apache.commons.httpclient.WireLogOutputStream.write(WireLogOutputStream.java:68)
    at org.apache.commons.httpclient.ChunkedOutputStream.flushCacheWithAppend(ChunkedOutputStream.java:121)
    at org.apache.commons.httpclient.ChunkedOutputStream.write(ChunkedOutputStream.java:179)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
    at com.ctc.wstx.sw.BufferingXmlWriter.close(BufferingXmlWriter.java:194)
    at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1690)
    ... 29 more
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1692)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1675)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1601)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:94)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
    at org.apache.commons.httpclient.WireLogOutputStream.write(WireLogOutputStream.java:68)
    at org.apache.commons.httpclient.ChunkedOutputStream.flushCacheWithAppend(ChunkedOutputStream.java:121)
    at org.apache.commons.httpclient.ChunkedOutputStream.write(ChunkedOutputStream.java:179)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:96)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:214)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:311)
    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.flush(XMLStreamWriterWrapper.java:50)
    at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:198)
    at org.apache.axiom.om.impl.dom.NodeImpl.serializeAndConsume(NodeImpl.java:842)
    ... 25 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:57)
    at sun.security.validator.Validator.getInstance(Validator.java:161)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:108)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:204)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
    ... 36 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:55)
    ... 48 more
Could not create service client


Solution :

- Obviously the truststore path was invalid :)
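
An added example, not part of the original post or the WSO2 sample client: a stand-alone check (Java 7 or later) that a truststore path resolves to a keystore holding at least one certificate before the client is run, since a path that does not load leaves JSSE with no trust anchors and produces the error above. The class and method names, the demo paths and the `changeit` password are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

/** Hypothetical pre-flight check for the truststore a JSSE client is about to use. */
public final class TrustStorePreflight {

    /** Returns the number of entries that carry a certificate, or throws with a precise reason. */
    static int countTrustAnchors(String path, char[] password, String type)
            throws IOException, GeneralSecurityException {
        if (path == null || path.isEmpty()) {
            throw new IOException("no truststore path given");
        }
        // Resolve to an absolute path so a wrong working directory is visible in the message.
        Path file = Paths.get(path).toAbsolutePath().normalize();
        if (!Files.isRegularFile(file) || !Files.isReadable(file)) {
            throw new IOException("truststore not found or not readable: " + file);
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);   // corrupt file or wrong password surfaces here
        }
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) != null) {
                anchors++;
            }
        }
        if (anchors == 0) {
            throw new GeneralSecurityException("truststore contains no certificates: " + file);
        }
        return anchors;
    }

    /** Prints one OK/FAIL line per truststore instead of a handshake-time stack trace. */
    static void report(String path, char[] password, String type) {
        try {
            int n = countTrustAnchors(path, password, type);
            System.out.println("OK   " + path + " (" + n + " certificate entries)");
        } catch (IOException | GeneralSecurityException e) {
            System.out.println("FAIL " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        char[] demoPassword = "changeit".toCharArray();   // constructed demo value

        // Constructed case 1: a path that does not exist.
        report("/nonexistent/client-truststore.jks", demoPassword, "JKS");

        // Constructed case 2: a well-formed keystore with no entries at all.
        Path empty = Files.createTempFile("empty-truststore", ".jks");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, demoPassword);
        try (OutputStream out = Files.newOutputStream(empty)) {
            ks.store(out, demoPassword);
        }
        report(empty.toString(), demoPassword, "JKS");
        Files.delete(empty);

        // Real case: the truststore this JVM was started with, if any.
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            String pw = System.getProperty("javax.net.ssl.trustStorePassword");
            String type = System.getProperty("javax.net.ssl.trustStoreType",
                    KeyStore.getDefaultType());
            report(configured, pw == null ? null : pw.toCharArray(), type);
        }
    }
}
```

Pass the client's truststore path and password as `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` to check the real file.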

Now everything looks fine. So I ran the client and again got an error on the ESB side.

Issue 03 :

- Observed the following error on the ESB console.

TID: [0] [ESB] [2014-04-22 14:32:20,151] ERROR {org.apache.ws.security.processor.KerberosTokenProcessor} -  java.lang.IllegalStateException: Cannot get keys at REQ_OK state
    at sun.security.krb5.KrbAsReqBuilder.checkState(KrbAsReqBuilder.java:398)
    at sun.security.krb5.KrbAsReqBuilder.getKeys(KrbAsReqBuilder.java:155)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:724)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.apache.ws.security.processor.KerberosTokenProcessor.authenticate(KerberosTokenProcessor.java:433)
    at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:294)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:308)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:187)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
 {org.apache.ws.security.processor.KerberosTokenProcessor}
javax.security.auth.login.LoginException: java.lang.IllegalStateException: Cannot get keys at REQ_OK state
    at sun.security.krb5.KrbAsReqBuilder.checkState(KrbAsReqBuilder.java:398)
    at sun.security.krb5.KrbAsReqBuilder.getKeys(KrbAsReqBuilder.java:155)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:724)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.apache.ws.security.processor.KerberosTokenProcessor.authenticate(KerberosTokenProcessor.java:433)
    at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:294)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:308)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:187)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)

    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:886)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.apache.ws.security.processor.KerberosTokenProcessor.authenticate(KerberosTokenProcessor.java:433)
    at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:294)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:308)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:187)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
TID: [0] [ESB] [2014-04-22 14:32:20,154] ERROR {org.apache.axis2.engine.AxisEngine} -  An error was discovered processing the header (Kerberos login failed) {org.apache.axis2.engine.AxisEngine}
org.apache.axis2.AxisFault: An error was discovered processing the header (Kerberos login failed)
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the header (Kerberos login failed)
    at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:332)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:308)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:187)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 38 more


Solution :

- According to http://sourceforge.net/p/spnego/discussion/1003769/thread/167a25ec/, change the Java version from 7 to 6.

When Java 6 is used, the client runs without any errors and returns the correct response :)

Hope this will be helpful for anyone who's trying the article "Kerberos Authentication Using WSO2 Products".
 

2 comments:

  1. Hi Pavithra,
    I've encountered the same issue as yours. Find the issue "carbon.super" as it adds after the name. Right now I'm encountering a different issue with the Kerberos client. Already tried with Java 6 but the issue still persists. Appreciate it if you know anything regarding this.

    Issue
    --------

    [java] Calling Echo service with parameter - Hello World
    [java] Exception in thread "main" java.lang.RuntimeException: Undefined 'kerberosSTReqFailed' resource property
    [java] at org.apache.ws.security.WSSecurityException.getMessage(WSSecurityException.java:206)
    [java] at org.apache.ws.security.WSSecurityException.<init>(WSSecurityException.java:120)
    [java] at org.apache.ws.security.message.WSSecKerberosToken.prepare(WSSecKerberosToken.java:206)
    [java] at org.apache.ws.security.message.WSSecKerberosToken.build(WSSecKerberosToken.java:91)
    [java] at org.apache.rampart.builder.BindingBuilder.getKerberosTokenBuilder(BindingBuilder.java:934)
    [java] at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:425)
    [java] at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:86)
    [java] at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
    [java] at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:65)
    [java] at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    [java] at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    [java] at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    [java] at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:426)
    [java] at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430)
    [java] at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
    [java] at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
    [java] at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:554)
    [java] at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:530)
    [java] at org.wso2.identity.esb.kerberos.KerberosClient.run(KerberosClient.java:111)
    [java] at org.wso2.identity.esb.kerberos.KerberosClient.main(KerberosClient.java:43)
    [java] Caused by: java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key kerberosSTReqFailed
    [java] at java.util.ResourceBundle.getObject(ResourceBundle.java:374)
    [java] at java.util.ResourceBundle.getString(ResourceBundle.java:334)
    [java] at org.apache.ws.security.WSSecurityException.getMessage(WSSecurityException.java:203)
    [java] ... 19 more

  2. Hi Pavithra,

    I followed all the steps, but I'm getting a similar exception [1] to the one you have mentioned in the ESB. Even though I run the client with Java 6, the error remains the same. What could I be missing here?

    [1] [2016-02-13 11:02:51,382] ERROR - KerberosTokenProcessor Integrity check on decrypted field failed (31)
    KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:164)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:41)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:135)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:41)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177)
    at org.apache.ws.security.kerberos.KrbTicketDecoder.decryptTicket(KrbTicketDecoder.java:99)
    at org.apache.ws.security.kerberos.KrbTicketDecoder.parseApReq(KrbTicketDecoder.java:90)
    at org.apache.ws.security.kerberos.KrbTicketDecoder.parseServiceTicket(KrbTicketDecoder.java:67)
    at org.apache.ws.security.kerberos.KrbTicketDecoder.getSessionKey(KrbTicketDecoder.java:50)
    at org.apache.ws.security.processor.KerberosTokenProcessor.getSessionKey(KerberosTokenProcessor.java:493)
    at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:297)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:308)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:187)
    ...
    [2016-02-13 11:02:51,385] ERROR - AxisEngine An error was discovered processing the header (Failed to create the security token)
    org.apache.axis2.AxisFault: An error was discovered processing the header (Failed to create the security token)
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146)
    ...
    Caused by: org.apache.ws.security.WSSecurityException: An error was discovered processing the header (Failed to create the security token)
    at org.apache.ws.security.processor.KerberosTokenProcessor.verifyXMLSignature(KerberosTokenProcessor.java:341)
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:308)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:187)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
