TL;DR: Kerberos auth for management over HTTP/HTTPS does not work with IBM Java at all.

Description: There are several issues which cause Kerberos auth for management over HTTP/HTTPS not to work with IBM Java. When a Kerberos security-realm is set for http-management and the Management Console is accessed, the following exception is thrown:

ERROR [org.jboss.as.domain.management.security] (HttpManagementService-threads - 2) JBAS015208: Login failed using Keytab for principal 'HTTP/localhost' to handle request for host 'localhost': javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:835) [rt.jar:1.7.0]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:211) [rt.jar:1.7.0]
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:733) [rt.jar:1.7.0]
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:731) [rt.jar:1.7.0]
    at java.security.AccessController.doPrivileged(AccessController.java:314) [vm.jar:1.7.0]
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:730) [rt.jar:1.7.0]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:600) [rt.jar:1.7.0]
    at org.jboss.as.domain.management.security.KeytabService.createSubjectIdentity(KeytabService.java:198) [jboss-as-domain-management-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
    at org.jboss.as.domain.management.security.KeytabIdentityFactoryService.getSubjectIdentity(KeytabIdentityFactoryService.java:132) [jboss-as-domain-management-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
    at org.jboss.as.domain.management.security.SecurityRealmService.getSubjectIdentity(SecurityRealmService.java:239) [jboss-as-domain-management-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
    at org.jboss.as.domain.http.server.security.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:126) [jboss-as-domain-http-interface-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
    at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
    at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
    at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:47) [jboss-as-domain-http-interface-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
    at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
    at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156) [rt.jar:1.7.0]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:626) [rt.jar:1.7.0]
    at java.lang.Thread.run(Thread.java:780) [vm.jar:1.7.0]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final-redhat-1.jar:2.1.1.Final-redhat-1]

It is caused by a mistake in org.jboss.as.domain.management.security.KeytabService on line 67. The value of the field IBMKRB5LoginModule is incorrectly set to "com.sun.security.auth.module.Krb5LoginModule". It has to be "com.ibm.security.auth.module.Krb5LoginModule".

I also see other issues in this class for IBM Java:
1) Line 145: the name of the Kerberos option is "useKeytab", not "useKeyTab".
2) The principal option is missing from this Map. Add options.put("principal", principal); the same as in the non-IBM Java branch.

There may also be more issues for IBM Java (unable to test it now).
Darran Lofthouse <darran.lofthouse> updated the status of jira WFCORE-260 to Coding In Progress
Verification failed in EAP 6.4.0.DR11. IBM JDK 7 works fine. IBM JDK 6 still does not work. It is blocking certification [1] for IBM JDK 6. Accessing the Management Console with IBM JDK 6 fails with:

ERROR [org.jboss.as.domain.management.security] (HttpManagementService-threads - 3) JBAS015208: Login failed using Keytab for principal 'HTTP/localhost' to handle request for host 'localhost': javax.security.auth.login.LoginException: Bad JAAS configuration: noAddress option not compatible with credsType {0}
    at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:29) [ibmjgssprovider.jar:6.0]
    at com.ibm.security.auth.module.Krb5LoginModule.i(Krb5LoginModule.java:23) [ibmjgssprovider.jar:6.0]
    at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:355) [ibmjgssprovider.jar:6.0]
    at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:272) [ibmjgssprovider.jar:6.0]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) [rt.jar:1.6.0]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) [rt.jar:1.6.0]
    at java.lang.reflect.Method.invoke(Method.java:611) [rt.jar:1.6.0]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795) [rt.jar:1.6.0]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209) [rt.jar:1.6.0]
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:732) [rt.jar:1.6.0]
    at java.security.AccessController.doPrivileged(AccessController.java:310) [vm.jar:]
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:729) [rt.jar:1.6.0]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:599) [rt.jar:1.6.0]
    at org.jboss.as.domain.management.security.KeytabService.createSubjectIdentity(KeytabService.java:198) [jboss-as-domain-management-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
    at org.jboss.as.domain.management.security.KeytabIdentityFactoryService.getSubjectIdentity(KeytabIdentityFactoryService.java:142) [jboss-as-domain-management-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
    at org.jboss.as.domain.management.security.SecurityRealmService.getSubjectIdentity(SecurityRealmService.java:240) [jboss-as-domain-management-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
    at org.jboss.as.domain.http.server.security.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:155) [jboss-as-domain-http-interface-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
    at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
    at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
    at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:48) [jboss-as-domain-http-interface-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
    at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
    at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
    at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:908) [rt.jar:1.6.0]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:931) [rt.jar:1.6.0]
    at java.lang.Thread.run(Thread.java:738) [vm.jar:1.6.0]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]

[1] https://mojo.redhat.com/docs/DOC-48621
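The two comments above boil down to a single configuration question: which Krb5LoginModule class and which option names a keytab-backed acceptor login needs on an Oracle/OpenJDK JVM versus an IBM JVM. The following is an added example, not the JBoss KeytabService code, that builds a programmatic JAAS Configuration for both vendors: the Sun branch uses "useKeyTab"/"keyTab", the IBM branch uses "useKeytab" with the keytab location as its value plus the "principal" option the report found missing, and it leaves "noAddress" unset next to "credsType", which the IBM JDK 6 verification run rejected. Vendor detection via the java.vendor system property, the entry name "keytab-acceptor", and the sample principal and keytab path in main are assumptions of this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not the JBoss KeytabService implementation): a JAAS Configuration
 * for a keytab-backed Kerberos acceptor (service) identity that picks the
 * Krb5LoginModule class and option names by JVM vendor.
 */
public final class KeytabAcceptorConfiguration extends Configuration {

    // Module class names as shipped by each vendor.
    static final String SUN_KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    static final String IBM_KRB5_LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";

    // JAAS entry name used by this example (assumption); login() must ask for the same name.
    static final String ENTRY_NAME = "keytab-acceptor";

    private final String principal;
    private final String keytabLocation;
    private final boolean ibmJdk;

    public KeytabAcceptorConfiguration(String principal, String keytabLocation, boolean ibmJdk) {
        this.principal = principal;
        this.keytabLocation = keytabLocation;
        this.ibmJdk = ibmJdk;
    }

    /** Vendor detection (assumption of this example): IBM JDKs report a java.vendor containing "IBM". */
    public static boolean isIbmJdk() {
        return System.getProperty("java.vendor", "").toUpperCase().contains("IBM");
    }

    /** Oracle/OpenJDK module: boolean "useKeyTab" (capital T) plus a separate "keyTab" path. */
    static Map<String, String> sunOptions(String principal, String keytabPath) {
        Map<String, String> o = new HashMap<>();
        o.put("useKeyTab", "true");
        o.put("keyTab", keytabPath);
        o.put("principal", principal);
        o.put("storeKey", "true");      // keep the long-term key in the Subject so tickets can be accepted
        o.put("doNotPrompt", "true");   // a server must never fall back to interactive prompting
        o.put("isInitiator", "false");  // acceptor only: no TGT is requested at login
        return Collections.unmodifiableMap(o);
    }

    /** IBM module: "useKeytab" (lower-case t) carries the keytab location itself. */
    static Map<String, String> ibmOptions(String principal, String keytabLocation) {
        Map<String, String> o = new HashMap<>();
        o.put("useKeytab", keytabLocation); // IBM: the value is the keytab location, not "true"
        o.put("principal", principal);      // the option the report found missing on the IBM branch
        o.put("credsType", "acceptor");     // service side; "noAddress" is deliberately not set with it
        return Collections.unmodifiableMap(o);
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!ENTRY_NAME.equals(name)) {
            return null; // unknown entry: JAAS reports that no LoginModules are configured
        }
        String module = ibmJdk ? IBM_KRB5_LOGIN_MODULE : SUN_KRB5_LOGIN_MODULE;
        Map<String, String> options = ibmJdk ? ibmOptions(principal, keytabLocation)
                                             : sunOptions(principal, keytabLocation);
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED, options)
        };
    }

    /** Logs the service in from its keytab and returns the populated Subject. */
    public static Subject login(String principal, String keytabLocation) throws LoginException {
        Configuration config = new KeytabAcceptorConfiguration(principal, keytabLocation, isIbmJdk());
        LoginContext ctx = new LoginContext(ENTRY_NAME, new Subject(), null, config);
        ctx.login(); // a wrong module class or an incompatible option surfaces here as LoginException
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Constructed defaults; a real deployment supplies its own principal and keytab.
        String principal = args.length > 0 ? args[0] : "HTTP/localhost";
        String keytab = args.length > 1 ? args[1] : "/etc/krb5/http.keytab";
        Subject subject = login(principal, keytab);
        System.out.println("Acceptor principals: " + subject.getPrincipals());
    }
}
```

Running the class on each vendor's JVM with the service's own keytab reproduces the two failure modes from this issue at ctx.login(): the wrong module class name raises "unable to find LoginModule class", and an option the IBM module rejects (such as "noAddress" combined with "credsType" on IBM JDK 6) raises "Bad JAAS configuration". Keeping the vendor-specific option maps in separate methods makes it straightforward to diff them against the vendor documentation when a new JDK level is certified.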
Verified in EAP 6.4.0.DR12.
John Doyle <jdoyle> updated the status of jira EAP6-253 to Closed