7 Replies Latest reply on Dec 16, 2014 4:48 AM by simkam

    Using Kerberos for Datasource Authentication

    Markus Unger Newbie

      Hello,

       

      i have the problem that one of our customers is going to use Kerberos as Database authentication method. Now i shall switch our Wildfly from the good old "User/Password" system to use Kerberos against the Database.

      All i found so far was using Kerberos for user authentification on Wildfly side but unfortunately nothing on how to use Kerberos for the Database authentication. In this scenario Wildfly whould be the "Client" which is authenticating against the Database.

      My question now is: Is there a way to do that? If yes, where can i find the documentation about that?

      In the Wildfly Admin Guide (Admin Guide - WildFly 8 - Project Documentation Editor) is a link to the JBoss AS7 : Security Domain Model but nothing about Kerberos.

       

      Any help would be greatly appreciated!

         Markus

        • 1. Re: Using Kerberos for Datasource Authentication
          Jesper Pedersen Master

          Start by using the 8.x branch, and try the following as a starting point

           

           <security-domain name="DatabaseUser" cache-type="default">
            <authentication>
            <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="value"/>  <--- CHANGE
            <module-option name="principal" value="value"/>  <--- CHANGE
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="useTicketCache" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="ticketCache" value="/tmp/krb"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="isInitiator" value="true"/>
            <module-option name="addGSSCredential" value="true"/>
            <module-option name="delegationCredential" value="USE"/>
            </login-module>
            </authentication>
            </security-domain>
          

           

          for the security domain. Your datasource likely needs options too

          • 2. Re: Using Kerberos for Datasource Authentication
            Markus Unger Newbie

            First of all, thank you for your answer.

            It took some time to create a keyTab file because its the customer infrastructure and some problems with a valid SPN and so on.

             

            But now back to the configuration.

            I inserted the lines you wrote for my database connection, but if i start our wildfly, i always get an exception (see some lines below).

            First i thought the keyTab file is wrong, or the principal is wrong or something like that, but if i comment out the "keyTab" line and the "principal" line, i get exactly the same error.

            Then i tried to rename the keyTab file if there would be a file not found error or something but actually im not sure if this option has any influence at all.

             

            Do you have any suggestions?

             

            What do you mean with my datasource likely needs options?

            The connection-url has some special parameters which already worked for a connection with squirrel. Are there more?

             

            Thank you in advance for your response!

               Markus

             

             

            We are using a Wildfly 8.0.0 Final release.

             

            Here is the Exception.

            2014-09-10 16:48:51,452 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-3) Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed

                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)

                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1184)

                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1179)

                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]

                at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1178)

                at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:637)

                at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:283)

                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:310)

                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:124)

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)

                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]

                at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

             

            And if i test the connection (with the admin interface), i get this error message:

            2014-09-10 17:18:02,541 ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (XNIO-1 task-7) IJ000614: Exception during createSubject() PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed

                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.0.20.Final.jar:4.0.20.Final]

                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:130) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]

                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:125) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]

                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]

                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:124) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]

                at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:86) [ironjacamar-core-impl-1.1.3.Final.jar:1.1.3.Final]

                at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:206) [wildfly-connector-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:87) [wildfly-connector-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:591) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:469) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:273) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:268) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:272) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:146) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.domain.http.server.DomainApiHandler.handleRequest(DomainApiHandler.java:169)

                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler$1.run(SubjectDoAsHandler.java:72)

                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler$1.run(SubjectDoAsHandler.java:68)

                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]

                at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]

                at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [wildfly-controller-8.0.0.Final.jar:8.0.0.Final]

                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler.handleRequest(SubjectDoAsHandler.java:68)

                at org.jboss.as.domain.http.server.security.SubjectDoAsHandler.handleRequest(SubjectDoAsHandler.java:63)

                at io.undertow.server.handlers.BlockingHandler.handleRequest(BlockingHandler.java:50)

                at org.jboss.as.domain.http.server.DomainApiCheckHandler.handleRequest(DomainApiCheckHandler.java:77)

                at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52)

                at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168)

                at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687)

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]

                at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

             

            2014-09-10 17:18:02,541 ERROR [org.jboss.as.controller.management-operation] (XNIO-1 task-7) JBAS014613: Operation ("test-connection-in-pool") failed - address: ([

                ("subsystem" => "datasources"),

                ("data-source" => "DSDatabase")

            ]) - failure description: "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid"

            • 3. Re: Using Kerberos for Datasource Authentication
              Jesper Pedersen Master

              Build the WildFly 8.x branch, with IronJacamar 1.1.8-SNAPSHOT, and retry. WildFly 8.0 is too old.

              • 4. Re: Using Kerberos for Datasource Authentication
                Markus Unger Newbie

                Thank you for your really fast answer.

                I think we will wait for the next stable release with IronJacamar >= 1.1.8.

                 

                Greetings

                     Markus

                • 5. Re: Using Kerberos for Datasource Authentication
                  Jesper Pedersen Master

                  Just start with WildFly 8.x then. IJ 1.1.8 will likely be released later this month based on community feedback, then you can use http://www.ironjacamar.org/doc/userguide/1.1/en-US/html/ch03.html#installas

                  • 6. Re: Using Kerberos for Datasource Authentication
                    Yun Ke Newbie

                    I am using wildfly 8.2 and seeing the following errors

                    ==================================================

                    2014-12-12 15:12:43,071 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 1) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: No matching credentials in Subject!

                            at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1166) [ironjacamar-jdbc-1.1.9.Final.jar:1.1.9.Final]

                            at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:222) [ironjacamar-jdbc-1.1.9.Final.jar:1.1.9.Final]

                            at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:1166) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]

                            at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:446) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]

                            at org.jboss.jca.core.connectionmanager.pool.AbstractPool.internalTestConnection(AbstractPool.java:764) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]

                            at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:89) [ironjacamar-core-impl-1.1.9.Final.jar:1.1.9.Final]

                            at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:206) [wildfly-connector-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:87) [wildfly-connector-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:660) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:501) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:298) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:293) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:276) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:150) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:199) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:130) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:150) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:146) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]

                            at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]

                            at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:146) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

                            at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)

                            at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)

                            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]

                            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]

                            at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

                            at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final.jar:2.1.1.Final]

                    • 7. Re: Using Kerberos for Datasource Authentication
                      simkam Newbie

                      Are you sure that authentication was successful?

                      Do you use KerberosLoginModule from Jboss negotiation with property addGSSCredential=true?