Kerberos Web Service Callout Fails with WSM-07501 and WSM-00008 When Using An OWSM Policy For The Kerberos Processing: UseKeyTab Set To False (Doc ID 2123108.1)

Last updated on AUGUST 28, 2017

Applies to:

Oracle Web Services Manager - Version 12.2.1.0.0 and later
Information in this document applies to any platform.

Symptoms

ENVIRONMENT
=============
WLS 12.2.1.0.0
Linux x86-64 Red Hat Enterprise 6

A client application that was not built with JDeveloper calls an OSB Proxy Service using oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy.
The OSB Proxy Service is protected with oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy.

The following Kerberos login module configuration is used:

<serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
    <description>Kerberos Login Module</description>
    <property name="principal" value="svc-osb@<domain>"/>
    <property name="renewTGT" value="true"/>
    <property name="debug" value="true"/>
    <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
    <property name="storeKey" value="false"/>
    <property name="doNotPrompt" value="true"/>
    <property name="keyTab" value="/test/svc-osb.keytab"/>
    <property name="useKeyTab" value="true"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <property name="useTicketCache" value="true"/>
    <property name="addAllRoles" value="true"/>
</serviceInstance>
<serviceInstance name="krb.loginmodule" provider="jaas.login.provider">
    <description>OPSS Kerberos Login Module</description>
    <property name="principal" value="svc-osb@<domain>"/>
    <property name="renewTGT" value="true"/>
    <property name="debug" value="true"/>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.krb.JpsKrbLoginModule"/>
    <property name="storeKey" value="false"/>
    <property name="doNotPrompt" value="true"/>
    <property name="keyTab" value="/test/svc-osb.keytab"/>
    <property name="useKeyTab" value="true"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <property name="useTicketCache" value="true"/>
    <property name="addAllRoles" value="true"/>
</serviceInstance>
   
Note that "useKeyTab" is set to "true" throughout.

The corresponding setting in the WSM domain configuration is also true:

> displayWSMConfiguration()
[...]
NAME: "use.key.tab" CATEGORY: "KerberosLoginModule" SOURCE: "default"
Value: true

ISSUE
======

This fails very early on the client side, with the following error:

[WLS-1] [TRACE:16] [] [oracle.jps.authentication] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)']
[userId: oracle] [ecid: 0000LCJEs6o3z0WjLxyGOA1MnMyf000009,0:1:3] [APP: sample-1-ear]
[partition-name: DOMAIN] [tenant-name: GLOBAL] [WEBSERVICE.name: ComputeService] [WEBSERVICE_PORT.name: ComputePort]
[FlowId: 0000LCJEs717U8xaw9Bh6G1MnNcm000008] [oracle.wsm.policy.name: oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy]
[WSM_PolicyVersion: none] [WSM_RemoteAddress: .... ] [WSM_LogType: Request]
[WSM_PolicyName: oracle/wss11_saml_token_with_message_protection_service_policy]
[WSM_ServiceID: sample-1-ear/sample-1.war/ComputeService]
[SRC_CLASS: oracle.security.jps.internal.jaas.module.krb.JpsKrbLoginModule]
[SRC_METHOD: initialize] options: {principal=osb@, renewTGT=true, debug=true,
loginModuleClassName=oracle.security.jps.internal.jaas.module.krb.JpsKrbLoginModule, storeKey=false, doNotPrompt=true, keyTab=/security/domain/osb.keytab,
useKeyTab=true, useTicketCache=true, addAllRoles=true},
runtime options: {keyTab=/security/domain/osb.keytab, principal=osb@,
useKeyTab=false, delegateLoginModuleClassName=com.sun.security.auth.module.Krb5LoginModule, storeKey=false, doNotPrompt=true}

[WLS-1] [ERROR] [WSM-07501] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oracle] [ecid: 0000LCJEs6o3z0WjLxyGOA1MnMyf000009,0:1:3] [APP: sample-1-ear] [partition-name: DOMAIN] [tenant-name: GLOBAL] [WEBSERVICE.name: ComputeService] [WEBSERVICE_PORT.name: ComputePort] [FlowId: 0000LCJEs717U8xaw9Bh6G1MnNcm000008] [oracle.wsm.policy.name: oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy] [WSM_PolicyVersion: none] [WSM_RemoteAddress: 10.10.10.10] [WSM_LogType: Request] [WSM_PolicyName: oracle/wss11_saml_token_with_message_protection_service_policy] [WSM_ServiceID: sample-1-ear/sample-1.war/ComputeService] Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=sample-1-ear, composite=null, modelObj=ComputeService, policy=null, policyVersion=null, assertionName=null.[[
oracle.wsm.common.sdk.WSMException: WSM-00008 : Web service authentication failed. at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.init(KerberosSecurityScenarioExecutor.java:131)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:281)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:309)
[...]
Caused by: oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed.
at oracle.wsm.security.jps.JpsManager.kerbAuthenticate(JpsManager.java:431)
at oracle.wsm.security.policy.scenario.processor.KerberosTokenUtil.getKerbSubject(KerberosTokenUtil.java:358)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.init(KerberosSecurityScenarioExecutor.java:123)
... 91 more
Caused by: javax.security.auth.login.LoginException: Configuration Error - useKeyTab should be set to true to use the keytab /security/domain/osb.keytab at com.sun.security.auth.module.Krb5LoginModule.validateConfiguration(Krb5LoginModule.java:964)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:570)
at oracle.security.jps.internal.jaas.module.krb.JpsKrbLoginModule.login(JpsKrbLoginModule.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at oracle.wsm.security.jps.JpsManager.kerbAuthenticate(JpsManager.java:428)
... 93 more

Even though useKeyTab is set to true in the login module configuration, the runtime options handed to the delegate module (see the TRACE entry above) carry useKeyTab=false together with a keyTab path, and com.sun.security.auth.module.Krb5LoginModule.validateConfiguration() rejects that combination.

Java level debug output:

<.sample.compute.ComputeImpl>
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true
ticketCache is null isInitiator true KeyTab is /security/domain/osb.keytab
refreshKrb5Config is false principal is osb@ tryFirstPass is false useFirstPass is false storePass is false clearPass is false
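The following standalone Java program is an added example; it is not part of this note and not Oracle product code. It feeds an option map to the JDK's own com.sun.security.auth.module.Krb5LoginModule through a programmatic JAAS Configuration and calls login(), so the module's validateConfiguration() rules can be exercised on a workstation without a KDC. A LoginException whose message starts with "Configuration Error" is raised before any keytab or KDC access and means the option set itself is inconsistent, which is the failure shown above; any other LoginException means the options were accepted and the failure is environmental (missing keytab, krb5.conf, KDC). The principal, realm, keytab path and the "krb5-check" entry name are placeholders, and the second option map reproduces the effective options from the debug line "useTicketCache true useKeyTab false doNotPrompt true" rather than any real domain's values.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Pre-flight consistency check for a Krb5LoginModule option set.
 * Added example, not Oracle code: the real JDK module does the validation,
 * this class only builds the JAAS configuration and classifies the outcome.
 */
public class Krb5OptionCheck {

    /** JAAS Configuration with a single REQUIRED Krb5LoginModule entry. */
    static Configuration krb5Configuration(final Map<String, ?> options) {
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /**
     * Returns null when Krb5LoginModule accepts the option set (login may
     * still fail later for environmental reasons), otherwise the
     * "Configuration Error - ..." message produced by validateConfiguration().
     */
    static String configurationError(Map<String, ?> options) {
        try {
            // "krb5-check" is a placeholder entry name; no callback handler is
            // needed because doNotPrompt=true forbids prompting anyway.
            LoginContext lc = new LoginContext("krb5-check", null, null,
                    krb5Configuration(options));
            lc.login();
            return null;                       // accepted and login succeeded
        } catch (LoginException e) {
            String msg = e.getMessage();
            if (msg != null && msg.startsWith("Configuration Error")) {
                return msg;                    // rejected before any KDC access
            }
            return null;                       // accepted; failure is environmental
        }
    }

    public static void main(String[] args) {
        // Option set as configured in the login module: useKeyTab=true.
        // Principal and keytab path are placeholders, not real domain values.
        Map<String, String> configured = new HashMap<>();
        configured.put("principal", "svc-osb@EXAMPLE.COM");
        configured.put("keyTab", "/tmp/placeholder/svc-osb.keytab");
        configured.put("useKeyTab", "true");
        configured.put("useTicketCache", "true");
        configured.put("renewTGT", "true");
        configured.put("storeKey", "false");
        configured.put("doNotPrompt", "true");
        configured.put("debug", "true");       // prints the "Debug is true ..." line

        // Effective ("runtime") option set from the trace: the same map, but
        // useKeyTab overridden to false while keyTab is still set.
        Map<String, String> runtime = new HashMap<>(configured);
        runtime.put("useKeyTab", "false");

        System.out.println("configured options: " + describe(configurationError(configured)));
        System.out.println("runtime options:    " + describe(configurationError(runtime)));
    }

    private static String describe(String error) {
        return error == null
                ? "accepted by Krb5LoginModule.validateConfiguration()"
                : "REJECTED: " + error;
    }
}
```

Compile and run it with a plain JDK (javac Krb5OptionCheck.java && java Krb5OptionCheck). The first map is accepted and then fails only because the placeholder keytab does not exist; the second map is rejected with the same "useKeyTab should be set to true to use the keytab" message seen in the stack trace, which confirms that the symptom is a property-merging problem on the WSM/OPSS side rather than a KDC or keytab problem.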

Cause
