739899 – qpid java client fails GSSAPI authentication with javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication

Bug 739899 - qpid java client fails GSSAPI authentication with javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication

Summary: qpid java client fails GSSAPI authentication with javax.security.auth.login.L...

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise MRG
Classification:	Red Hat
Component:	qpid-java
Sub Component:
Version:	2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	messaging-bugs
QA Contact:	MRG Quality Engineering
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-20 11:20 UTC by Frantisek Reznicek
Modified:	2022-11-05 04:17 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Frantisek Reznicek 2011-09-20 11:20:49 UTC

Description of problem:

qpid client fails to authenticate with GSSAPI mechanism and raises javax.security.auth.login.LoginException with following exception stack:

  [root@ibm-x3650-02 java]# java -Djavax.security.auth.useSubjectCredsOnly=false   -Djava.security.auth.login.config=${JAVACLI_EXAMPLE_PATH}/myjas.conf       -Dsun.security.krb5.debug=true  -Dqpid.sasl_mechs="GSSAPI"   -Dqpid.sasl_protocol=qpidd  -Dqpid.sasl_server_name=${TKRB5_FQDN}       -Dlog4j.configuration=${JAVACLI_EXAMPLE_PATH}/log4j.xml    -cp "$CLASSPATH"   org.apache.qpid.example.jmsexample.requestResponse.Server
  log4j:WARN No appenders could be found for logger (org.apache.qpid.jndi.PropertiesFileInitialContextFactory).
  log4j:WARN Please initialize the log4j system properly.
  Config name: /etc/krb5.conf
  >>>KinitOptions cache name is /tmp/krb5cc_0
  >>>DEBUG <CCacheInputStream>  client principal is zlY7rEMKY53LFVJgh
  >>>DEBUG <CCacheInputStream> server principal is krbtgt/EXAMPLE.COM
  >>>DEBUG <CCacheInputStream> key type: 16
  >>>DEBUG <CCacheInputStream> auth time: Tue Sep 20 06:43:28 EDT 2011
  >>>DEBUG <CCacheInputStream> start time: Tue Sep 20 06:43:28 EDT 2011
  >>>DEBUG <CCacheInputStream> end time: Wed Sep 21 06:43:28 EDT 2011
  >>>DEBUG <CCacheInputStream> renew_till time: Wed Dec 31 19:00:00 EST 1969
  >>> CCacheInputStream: readFlags()  INITIAL;
  >>>DEBUG <CCacheInputStream>
  >>>DEBUG <CCacheInputStream>  client principal is zlY7rEMKY53LFVJgh
  >>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/EXAMPLE.COM
  >>>DEBUG <CCacheInputStream> key type: 0
  >>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
  >>>DEBUG <CCacheInputStream> start time: Wed Dec 31 19:00:00 EST 1969
  >>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
  >>>DEBUG <CCacheInputStream> renew_till time: Wed Dec 31 19:00:00 EST 1969
  >>> CCacheInputStream: readFlags()
  java.io.IOException: extra data given to DerValue constructor
          at sun.security.util.DerValue.init(DerValue.java:386)
          at sun.security.util.DerValue.<init>(DerValue.java:294)
          at sun.security.krb5.internal.Ticket.<init>(Ticket.java:91)
          at sun.security.krb5.internal.ccache.CCacheInputStream.readData(CCacheInputStream.java:256)
          at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(CCacheInputStream.java:363)
          at sun.security.krb5.internal.ccache.FileCredentialsCache.load(FileCredentialsCache.java:189)
          at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(FileCredentialsCache.java:84)
          at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(CredentialsCache.java:82)
          at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:302)
          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:606)
          at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:616)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
          at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
          at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
          at sun.security.jgss.GSSUtil.login(GSSUtil.java:264)
          at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:153)
          at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:346)
          at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:344)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343)
          at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145)
          at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:123)
          at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)
          at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
          at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
          at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
          at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:149)
          at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:51)
          at org.apache.qpid.transport.ConnectionStart.dispatch(ConnectionStart.java:104)
          at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:49)
          at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:40)
          at org.apache.qpid.transport.Method.delegate(Method.java:163)
          at org.apache.qpid.transport.Connection.received(Connection.java:368)
          at org.apache.qpid.transport.Connection.received(Connection.java:58)
          at org.apache.qpid.transport.network.Assembler.emit(Assembler.java:95)
          at org.apache.qpid.transport.network.Assembler.assemble(Assembler.java:181)
          at org.apache.qpid.transport.network.Assembler.frame(Assembler.java:129)
          at org.apache.qpid.transport.network.Frame.delegate(Frame.java:133)
          at org.apache.qpid.transport.network.Assembler.received(Assembler.java:100)
          at org.apache.qpid.transport.network.Assembler.received(Assembler.java:42)
          at org.apache.qpid.transport.network.InputHandler.next(InputHandler.java:187)
          at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:103)
          at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:42)
          at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:128)
          at java.lang.Thread.run(Thread.java:636)
  javax.jms.JMSException: Error creating connection: GSS initiate failed
          at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:286)
          at org.apache.qpid.example.jmsexample.requestResponse.Server.runTest(Server.java:69)
          at org.apache.qpid.example.jmsexample.requestResponse.Server.main(Server.java:48)
  Caused by: org.apache.qpid.AMQConnectionFailureException: GSS initiate failed [error code 200: reply success]
          at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:478)
          at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:276)
          ... 2 more
  Caused by: org.apache.qpid.AMQException: Cannot connect to broker: GSS initiate failed [error code 200: reply success]
          at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:211)
          at org.apache.qpid.client.AMQConnection.makeBrokerConnection(AMQConnection.java:623)
          at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:401)
          ... 3 more
  Caused by: org.apache.qpid.transport.ConnectionException: GSS initiate failed
          at org.apache.qpid.transport.ConnectionException.rethrow(ConnectionException.java:67)
          at org.apache.qpid.transport.Connection.connect(Connection.java:267)
          at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:192)
          ... 5 more
  Caused by: org.apache.qpid.transport.ConnectionException: GSS initiate failed
          at org.apache.qpid.transport.Connection.exception(Connection.java:511)
          at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:157)
          at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:51)
          at org.apache.qpid.transport.ConnectionStart.dispatch(ConnectionStart.java:104)
          at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:49)
          at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:40)
          at org.apache.qpid.transport.Method.delegate(Method.java:163)
          at org.apache.qpid.transport.Connection.received(Connection.java:368)
          at org.apache.qpid.transport.Connection.received(Connection.java:58)
          at org.apache.qpid.transport.network.Assembler.emit(Assembler.java:95)
          at org.apache.qpid.transport.network.Assembler.assemble(Assembler.java:181)
          at org.apache.qpid.transport.network.Assembler.frame(Assembler.java:129)
          at org.apache.qpid.transport.network.Frame.delegate(Frame.java:133)
          at org.apache.qpid.transport.network.Assembler.received(Assembler.java:100)
          at org.apache.qpid.transport.network.Assembler.received(Assembler.java:42)
          at org.apache.qpid.transport.network.InputHandler.next(InputHandler.java:187)
          at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:103)
          at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:42)
          at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:128)
          at java.lang.Thread.run(Thread.java:636)
  Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
          at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:149)
          ... 18 more
  Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
          at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:351)
          at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145)
          at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:123)
          at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)
          at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
          at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
          at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
          ... 19 more
  Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
          at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:750)
          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:646)
          at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:616)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
          at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
          at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
          at sun.security.jgss.GSSUtil.login(GSSUtil.java:264)
          at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:153)
          at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:346)
          at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:344)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343)
          ... 26 more
  Server: Caught an Exception: javax.jms.JMSException: Error creating connection: GSS initiate failed


It is proved that at the moment of above exception other clients (c++, python) are able to authenticate correctly:

  [root@ibm-x3650-02 java]# perftest --mechanism GSSAPI --count 1 -p 32804 --user zlY7rEMKY53LFVJgh --broker ibm-x3650-02. ... .com                                                                                                                 Processing 1 messages from qpid-perftest_sub_ready . done.                                                                         Sending start 1 times to qpid-perftest_pub_start
  Processing 1 messages from qpid-perftest_pub_done . done.
  Processing 1 messages from qpid-perftest_sub_done . done.
  
  Total 2 transfers of 1024 bytes in 0.0427095 seconds.
  
  Publish transfers/sec:
  24.5611
  Average: 24.5611
  
  Subscribe transfers/sec:
  4.92387
  Average: 4.92387
  
  Total transfers/sec:      46.828
  Total Mbytes/sec: 0.0457305
  [root@ibm-x3650-02 java]# echo $?
  0


Version-Release number of selected component (if applicable):
python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-10.el6.x86_64
qpid-cpp-client-0.10-6.el6.x86_64
qpid-cpp-client-devel-0.10-6.el6.x86_64
qpid-cpp-client-devel-docs-0.10-6.el6.noarch
qpid-cpp-server-0.10-6.el6.x86_64
qpid-cpp-server-devel-0.10-6.el6.x86_64
qpid-cpp-server-store-0.10-6.el6.x86_64
qpid-cpp-server-xml-0.10-6.el6.x86_64
qpid-java-client-0.10-9.el6.noarch
qpid-java-common-0.10-9.el6.noarch
qpid-java-example-0.10-9.el6.noarch
qpid-java-jca-0.10-9.el6.noarch
qpid-qmf-0.10-10.el6.x86_64
qpid-qmf-debuginfo-0.10-10.el6.x86_64
qpid-qmf-devel-0.10-10.el6.x86_64
qpid-tools-0.10-5.el6.noarch
ruby-qpid-0.7.946106-2.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. run qpid_ptest_authentication_krb5 test
   or alternatively:
1. set-up kerberos server for single host
2. run qpidd in auth=yes mode
3. launch a java client for instance:
  java -Djavax.security.auth.useSubjectCredsOnly=false  \
       -Djava.security.auth.login.config=${JAVACLI_EXAMPLE_PATH}/myjas.conf \
       -Dsun.security.krb5.debug=true  -Dqpid.sasl_mechs="GSSAPI"   \
       -Dqpid.sasl_protocol=qpidd  -Dqpid.sasl_server_name=$(hostname) \
       -Dlog4j.configuration=${JAVACLI_EXAMPLE_PATH}/log4j.xml \
       -cp "$CLASSPATH"  \
       org.apache.qpid.example.jmsexample.requestResponse.Server
  
myjas.conf:
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};

requestResponse.properties:
java.naming.factory.initial =       org.apache.qpid.jndi.PropertiesFileInitialContextFactory
connectionfactory.qpidConnectionfactory =         amqp://zlY7rEMKY53LFVJgh:@clientid/testpath?brokerlist='tcp://ibm-x3650-02. ... .com:32804'
queue.requestQueue = request



Actual results:
client does not authenticate with GSSAPI.

Expected results:
client should authenticate with GSSAPI.

Additional info:

Comment 2 Frantisek Reznicek 2011-09-20 11:49:31 UTC

The issue is observed also on packages:
  qpid-java-*0.10-6.el*.noarch

Note You need to log in before you can comment on or make changes to this bug.