Kerberos Web Service Callout Fails with WSM-07501 and WSM-00008 When Using An OWSM Policy For The Kerberos Processing: UseKeyTab Set To False
(Doc ID 2123108.1)
Last updated on OCTOBER 07, 2022
Applies to:
Oracle Web Services Manager - Version 12.2.1.0.0 and later
Information in this document applies to any platform.
Symptoms
ENVIRONMENT
=============
WLS 12.2.1.0.0
Linux x86-64 Red Hat Enterprise 6
A client application that was not created with JDeveloper calls an OSB Proxy Service using oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy.
The OSB Proxy Service is protected using oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy.
The following Kerberos login module configuration is used:
<serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
    <description>Kerberos Login Module</description>
    <property name="principal" value="svc-osb@<domain>"/>
    <property name="renewTGT" value="true"/>
    <property name="debug" value="true"/>
    <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
    <property name="storeKey" value="false"/>
    <property name="doNotPrompt" value="true"/>
    <property name="keyTab" value="/test/svc-osb.keytab"/>
    <property name="useKeyTab" value="true"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <property name="useTicketCache" value="true"/>
    <property name="addAllRoles" value="true"/>
</serviceInstance>
<serviceInstance name="krb.loginmodule" provider="jaas.login.provider">
    <description>OPSS Kerberos Login Module</description>
    <property name="principal" value="svc-osb@<domain>"/>
    <property name="renewTGT" value="true"/>
    <property name="debug" value="true"/>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.krb.JpsKrbLoginModule"/>
    <property name="storeKey" value="false"/>
    <property name="doNotPrompt" value="true"/>
    <property name="keyTab" value="/test/svc-osb.keytab"/>
    <property name="useKeyTab" value="true"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <property name="useTicketCache" value="true"/>
    <property name="addAllRoles" value="true"/>
</serviceInstance>
Note that "useKeyTab" is set to "true" throughout.
Similar configuration in the WSM Domain Configuration:
> displayWSMConfiguration()
[...]
NAME: "use.key.tab" CATEGORY: "KerberosLoginModule" SOURCE: "default"
Value: true
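A consistency check for the settings listed above, as an added example that is not part of the Oracle document: it compares principal, keyTab and useKeyTab across the Kerberos login module entries and against the use.key.tab value reported by displayWSMConfiguration(). The wrapper element, the EXAMPLE.COM realm, the function names and the deliberately mismatched second entry are assumptions constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two serviceInstance entries above.
# EXAMPLE.COM replaces the redacted <domain>; the second useKeyTab is
# set to "false" on purpose so the audit has something to report.
SAMPLE = """<serviceInstances>
  <serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
    <property name="principal" value="svc-osb@EXAMPLE.COM"/>
    <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
    <property name="keyTab" value="/test/svc-osb.keytab"/>
    <property name="useKeyTab" value="true"/>
  </serviceInstance>
  <serviceInstance name="krb.loginmodule" provider="jaas.login.provider">
    <property name="principal" value="svc-osb@EXAMPLE.COM"/>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.krb.JpsKrbLoginModule"/>
    <property name="keyTab" value="/test/svc-osb.keytab"/>
    <property name="useKeyTab" value="false"/>
  </serviceInstance>
</serviceInstances>"""

CHECKED = ("principal", "keyTab", "useKeyTab")

def local(tag):
    """Strip an XML namespace prefix such as '{uri}serviceInstance'."""
    return tag.rsplit("}", 1)[-1]

def kerberos_modules(xml_text):
    """Map each Kerberos login module instance name to its properties."""
    found = {}
    for inst in ET.fromstring(xml_text).iter():
        if local(inst.tag) != "serviceInstance":
            continue
        props = {p.get("name"): p.get("value")
                 for p in inst if local(p.tag) == "property"}
        if "Krb" in props.get("loginModuleClassName", ""):
            found[inst.get("name")] = props
    return found

def audit(xml_text, wsm_use_key_tab):
    """Return findings; wsm_use_key_tab is the WSM use.key.tab value."""
    mods, findings = kerberos_modules(xml_text), []
    for key in CHECKED:
        values = {name: m.get(key) for name, m in mods.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{key} differs between modules: {values}")
    for name, m in mods.items():
        use = (m.get("useKeyTab") or "false").lower()
        if use == "true" and not m.get("keyTab"):
            findings.append(f"{name}: useKeyTab=true but no keyTab path")
        if use != wsm_use_key_tab.lower():
            findings.append(f"{name}: useKeyTab={use}, WSM use.key.tab={wsm_use_key_tab}")
    return findings
```

Calling `audit(SAMPLE, "true")` reports the mismatch in the constructed sample; a configuration like the one on this page, with useKeyTab set to true throughout, returns no findings.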
ISSUE
======
This fails very early on the client side, with the following error:
Changes
Cause