Unable To Validate Client Webservice Request When Upgrading Kerberos Enctypes
(Doc ID 2955984.1)
Last updated on JUNE 20, 2023
Applies to:
Oracle Web Services Manager - Version 12.2.1.4.0 and later
Information in this document applies to any platform.
Symptoms
Unable to validate a client web service request when using the Kerberos enctype aes256-cts-hmac-sha1-96.
What was tried:
Working configuration:
Webservice security policy: wss11_kerberos_token_with_message_protection_basic128_service_policy
Service Keytab created with crypto RC4-HMAC-NT
Kerberos Configuration:
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
This worked successfully.
Updated configuration:
Webservice security policy: wss11_kerberos_token_with_message_protection_service_policy, with the algorithm-suite updated to Basic256
Service Keytab created with crypto AES256-SHA1
Updated AD Service user and client to use AES256-HMAC-SHA1
Kerberos Configuration:
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
This fails with the following error:
oracle.wsm.security.SecurityException : WSM-00008 : Login Exception: {0}.
at oracle.wsm.security.policy.scenario.processor.KerberosTokenProcessor.verify(KerberosTokenProcessor.java:790)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor$1.run(KerberosSecurityScenarioExecutor.java:159)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor$1.run(KerberosSecurityScenarioExecutor.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.auth.subject.doPrivileged(Subject.java:549)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.receive(KerberosSecurityScenarioExecutor.java:156)
Root cause:
Caused By: oracle.security.crypto.asn1.ASN1FormatException: Length is too big: takes 108 bytes
at oracle.security.crypto.asn1.ASN1Header.b(Unknown Source)
at oracle.security.crypto.asn1.ASN1Header.input(Unknown Source)
at oracle.security.crypto.asn1.ASN1Header.<init>(Unknown Source)
at oracle.security.crypto.asn1.ASN1GenericConstructed.input(Unknown Source)
at oracle.security.crypto.asn1.ASN1GenericConstructed.<init>(Unknown Source)
Changes
The enctype was altered from the original setting.
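A consistency check for the enctype change described above, as an added example that is not part of the Oracle note: it reads a keytab in the MIT file format version 0x0502 and reports any mismatch between the key enctypes it holds and the permitted_enctypes setting. The principal HTTP/ws.example.test@EXAMPLE.TEST, the sample keytab with its all-zero key, and the [libdefaults] header are constructed for illustration; the check does not reproduce the WSM-00008 error or establish its cause.

```python
import re
import struct
# Enctype numbers for the names on this page; the [libdefaults] header is an assumption.
ENCTYPES = {"aes256-cts-hmac-sha1-96": 18, "rc4-hmac": 23}
UPDATED_CONF = "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96\n"

def permitted_enctypes(conf_text):
    """Return the enctype numbers listed under permitted_enctypes in krb5.conf text."""
    m = re.search(r"^\s*permitted_enctypes\s*=(.*)$", conf_text, re.M)
    names = m.group(1).replace(",", " ").split() if m else []
    return {ENCTYPES[n] for n in names if n in ENCTYPES}

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def keytab_enctypes(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab in file format version 0x0502")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a size <= 0 marks a deleted entry (hole) to skip
            (ncomp,) = struct.unpack_from(">H", data, pos)
            parts, p = [], pos + 2
            for _ in range(ncomp + 1):  # realm first, then the name components
                text, p = _counted(data, p)
                parts.append(text)
            # 8x skips name type and timestamp; then 8-bit kvno, enctype, key length
            kvno, etype, klen = struct.unpack_from(">8xBHH", data, p)
            if pos + size - (p + 13 + klen) >= 4:  # optional 32-bit kvno wins
                (kvno,) = struct.unpack_from(">I", data, p + 13 + klen)
            entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
        pos += abs(size)
    return entries

def check(conf_text, keytab):
    """List enctypes permitted but missing from the keytab, and keys not permitted."""
    want, have = permitted_enctypes(conf_text), {e for _, _, e in keytab_enctypes(keytab)}
    return ([f"no keytab key for enctype {e}" for e in sorted(want - have)]
            + [f"keytab key enctype {e} is not permitted" for e in sorted(have - want)])

def sample_keytab(etype, keylen):
    """Constructed one-entry keytab (all-zero dummy key) for a hypothetical principal."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"HTTP") + s(b"ws.example.test")
            + struct.pack(">IIBH", 1, 0, 3, etype) + s(bytes(keylen)) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On a real system, pass check() the text of krb5.conf and the bytes of the service keytab; an empty list means every permitted enctype has a key and every key is permitted.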
Cause