GSSAPI authentication for remote EJB
npabst May 23, 2012 6:13 AM
Hello everyone,
I am having difficulties configuring GSSAPI to authenticate access to EJB for remote client.
I have configured my remote client to use GSSAPI for authentication, added GSSAPI as an allowed SASL mechanism in standalone.xml
and generated a keytab for the principal remote/fqdn.
The client part seems to work: I am prompted for login and password to obtain a TGT, then I get a TGS for remote/fqdn, but then I get the following error:
Client Side
javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: java.io.IOException: JBREM000202: Abrupt close on Remoting connection 01414655 to /192.168.201.187:4447]
at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at org.jboss.as.quickstarts.ejb.remote.client.JndiAction.performJndiOperation(JndiAction.java:37)
at org.jboss.as.quickstarts.ejb.remote.client.JndiAction.run(JndiAction.java:20)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.jboss.as.quickstarts.ejb.remote.client.RemoteEJBClient.main(RemoteEJBClient.java:51)
Caused by: java.lang.RuntimeException: java.io.IOException: JBREM000202: Abrupt close on Remoting connection 01414655 to /192.168.201.187:4447
at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)
at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)
at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)
... 10 more
Caused by: java.io.IOException: JBREM000202: Abrupt close on Remoting connection 01414655 to /192.168.201.187:4447
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:540)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:511)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)
at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:55)
... 13 more
Server Side
08:36:59,191 TRACE [org.jboss.remoting.remote.server] (Remoting "server4" read-1) Added mechanism GSSAPI
08:36:59,218 TRACE [org.jboss.remoting.remote.connection] (Remoting "server4" read-1) Sent message java.nio.HeapByteBuffer[pos=21 lim=21 cap=8192] (direct)
08:36:59,221 TRACE [org.jboss.remoting.remote.connection] (Remoting "server4" read-1) Flushed channel (direct)
08:36:59,691 TRACE [org.jboss.remoting.remote.server] (Remoting "server4" read-1) Server received authentication request
08:36:59,785 TRACE [org.jboss.remoting.remote.connection] (Remoting "server4" read-1) Connection error detail: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:113) [rt.jar:1.6.0_22]
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(FactoryImpl.java:85) [rt.jar:1.6.0_22]
at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial$1.run(ServerConnectionOpenListener.java:316) [jboss-remoting-3.2.3.GA.jar:3.2.3.GA]
at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial$1.run(ServerConnectionOpenListener.java:313) [jboss-remoting-3.2.3.GA.jar:3.2.3.GA]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_22]
at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:313) [jboss-remoting-3.2.3.GA.jar:3.2.3.GA]
at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:121) [jboss-remoting-3.2.3.GA.jar:3.2.3.GA]
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.3.GA.jar:3.0.3.GA]
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.3.GA.jar:3.0.3.GA]
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.3.GA.jar:3.0.3.GA]
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.3.GA.jar:3.0.3.GA]
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:108) [rt.jar:1.6.0_22]
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:128) [rt.jar:1.6.0_22]
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:189) [rt.jar:1.6.0_22]
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406) [rt.jar:1.6.0_22]
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60) [rt.jar:1.6.0_22]
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:150) [rt.jjar:1.6.0_22]
at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(GssKrb5Server.java:96) [rt.jar:1.6.0_22]
... 12 more
08:36:59,814 ERROR [org.jboss.remoting.remote.connection] (Remoting "server4" read-1) JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)]
From my understanding, "Failed to find any Kerberos Key" means that the server did not find its keytab to validate the client's authentication.
How do I tell the JBoss server where to find its keytab?
Is there any documentation about how to configure the GSSAPI mechanism on JBoss 7?
Any help would be greatly appreciated.
Client Code
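/**
 * Sample remote EJB client: authenticates with Kerberos through the JAAS login
 * configuration entry named "GSSAPI" and runs {@link JndiAction} as the
 * authenticated subject.
 */
public class RemoteEJBClient {

    /**
     * Logs in via the "GSSAPI" JAAS entry, performs the JNDI/EJB work under the
     * resulting subject, and finally logs out so the Kerberos credentials held
     * in the subject are destroyed even if the action fails.
     *
     * @param args forwarded unchanged to {@link JndiAction}
     * @throws Exception a LoginException from login()/logout(), or anything
     *                   thrown by the privileged action, propagates to the JVM
     */
    public static void main(String[] args) throws Exception {
        System.out.println("*** Krb5LoginModule ***");
        // "GSSAPI" must match an entry in the JAAS login configuration; the
        // callback handler answers the Krb5LoginModule's name/password prompts.
        LoginContext loginContext = new LoginContext("GSSAPI", new SampleCallbackHandler());
        loginContext.login();
        try {
            // The subject now carries the TGT, so the GSSAPI SASL client can
            // obtain a service ticket while the action runs.
            Subject.doAs(loginContext.getSubject(), new JndiAction(args));
        } finally {
            // Destroy the Kerberos tickets cached in the subject; the original
            // sample left them alive for the remainder of the process.
            loginContext.logout();
        }
    }
}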
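/**
 * Privileged action that performs the remote JNDI lookup and EJB invocation
 * while the caller's Kerberos credentials are in effect (intended to be run
 * through {@code Subject.doAs}).
 */
public class JndiAction implements java.security.PrivilegedAction<Object> {

    // Defensive copy of the command-line arguments (currently not consulted).
    private final String[] args;

    /**
     * @param origArgs command-line arguments; copied so later modification by
     *                 the caller is not visible to this action
     */
    public JndiAction(String[] origArgs) {
        this.args = origArgs.clone();
    }

    /**
     * Runs the JNDI operation.
     *
     * @return always {@code null}; the action reports through stdout/stderr
     */
    @Override
    public Object run() {
        performJndiOperation(args);
        return null;
    }

    /**
     * Creates the remote naming context with GSSAPI authentication, looks up
     * the calculator bean, invokes it and closes the context. Naming failures
     * are printed to stderr rather than propagated, as in the original sample.
     *
     * @param args currently unused; kept for signature compatibility
     */
    private void performJndiOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable<String, String> jndiProperties = new Hashtable<String, String>();
        // GSSAPI here selects the SASL mechanism offered by the remoting connector.
        jndiProperties.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
        jndiProperties.put(Context.PROVIDER_URL, "remote://192.168.201.187:4447");
        jndiProperties.put("jboss.naming.client.ejb.context", "true");

        DirContext ctx = null;
        try {
            /* Create initial context */
            ctx = new InitialDirContext(jndiProperties);
            // do something useful with ctx
            RemoteCalculator rc = (RemoteCalculator) ctx.lookup("ejb:/jboss-as-ejb-remote-app//CalculatorBean!" + RemoteCalculator.class.getName());
            System.out.println("Obtained a remote stateless calculator for invocation");
            // invoke on the remote calculator
            int a = 204;
            int b = 340;
            System.out.println("Adding " + a + " and " + b + " via the remote stateless calculator deployed on the server");
            int sum = rc.add(a, b);
            System.out.println("Remote calculator returned sum = " + sum);
        } catch (NamingException e) {
            e.printStackTrace();
        } finally {
            // Close the context even when the lookup or the invocation fails;
            // the original only closed it on the success path.
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException e) {
                    e.printStackTrace();
                }
            }
        }
    }
}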
jaas.conf
GSSAPI {
// Client-side Kerberos login: the module obtains the TGT with the name/password
// supplied by the application's callback handler.
// NOTE(review): debug=true makes Krb5LoginModule print principal and ticket
// details to stdout - leave it off outside of troubleshooting.
// NOTE(review): client=true is not among the options documented for the Sun
// Krb5LoginModule (isInitiator is the initiator/acceptor switch); unknown options
// are ignored silently, so confirm it is honored by the JRE in use.
com.sun.security.auth.module.Krb5LoginModule required client=true debug=true;
};
Standalone.xml
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<!-- Only GSSAPI is offered, so every remote client must present a Kerberos ticket
     for the server's service principal (remote/fqdn per the keytab above).
     NOTE(review): nothing in this section points the server at that principal's
     keytab; the server-side GSSException "Failed to find any Kerberos Key" is
     consistent with the acceptor credential being unavailable - confirm how the
     ApplicationRealm (or the server JVM) is expected to obtain it. -->
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm">
<sasl>
<include-mechanisms value="GSSAPI"/>
</sasl>
</connector>
</subsystem>