Unable To Validate Client Webservice Request When Upgrading Kerberos Enctypes (Doc ID 2955984.1)

Last updated on JUNE 20, 2023

Applies to:

Oracle Web Services Manager - Version 12.2.1.4.0 and later
Information in this document applies to any platform.

Symptoms

Unable to validate a client web service request when using the Kerberos enctype aes256-cts-hmac-sha1-96.

What was tried:

........Working configuration........

Webservice security policy: wss11_kerberos_token_with_message_protection_basic128_service_policy

Service Keytab created with crypto RC4-HMAC-NT

Kerberos Configuration:

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

This worked successfully.


........Updated Configuration........

Webservice security policy: wss11_kerberos_token_with_message_protection_service_policy, with the algorithm-suite updated to Basic256

Service Keytab created with crypto AES256-SHA1
Updated AD Service user and client to use AES256-HMAC-SHA1

Kerberos Configuration:
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96

This fails with the following error:

oracle.wsm.security.SecurityException : WSM-00008 : Login Exception: {0}.
at oracle.wsm.security.policy.scenario.processor.KerberosTokenProcessor.verify(KerberosTokenProcessor.java:790)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor$1.run(KerberosSecurityScenarioExecutor.java:159)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor$1.run(KerberosSecurityScenarioExecutor.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.auth.subject.doPrivileged(Subject.java:549)
at oracle.wsm.security.policy.scenario.executor.KerberosSecurityScenarioExecutor.receive(KerberosSecurityScenarioExecutor.java:156)

Root cause:

Caused By: oracle.security.crypto.asn1.ASN1FormatException: Length is too big: takes 108 bytes
at oracle.security.crypto.asn1.ASN1Header.b(Unknown Source)
at oracle.security.crypto.asn1.ASN1Header.input(Unknown Source)
at oracle.security.crypto.asn1.ASN1Header.<init>(Unknown Source)
at oracle.security.crypto.asn1.ASN1GenericConstructed.input(Unknown Source)
at oracle.security.crypto.asn1.ASN1GenericConstructed.<init>(Unknown Source)

Changes

The enctype was changed from the original setting (rc4-hmac) to aes256-cts-hmac-sha1-96.
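
A consistency check for the updated configuration described under Symptoms, added here as an example and not taken from Oracle's note: it reads the enctype of every entry in a version 0x0502 keytab and reports any enctype named in krb5.conf that has no matching key. The principal, realm and zero-filled key built by sample_keytab are constructed, and the note does not say whether such a mismatch is the cause of the error.

```python
import re
import struct

ENCTYPES = {"aes256-cts-hmac-sha1-96": 18, "rc4-hmac": 23}  # IANA enctype numbers
SETTINGS = "default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes"

def conf_enctypes(text):
    """Set of enctype names listed by the three krb5.conf settings."""
    names = set()
    for value in re.findall(rf"^\s*(?:{SETTINGS})\s*=\s*(.+)$", text, re.M):
        names.update(re.split(r"[\s,]+", value.strip()))
    return names

def keytab_enctypes(data):
    """Set of enctype numbers held in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        for _ in range(ncomp + 1):         # realm, then each name component
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
        p += 4 + 4 + 1                     # name type, timestamp, 8-bit kvno
        found.add(struct.unpack_from(">H", data, p)[0])
        pos += size
    return found

def missing_keys(conf_text, keytab_bytes):
    """Configured enctype names that have no key in the keytab."""
    have = keytab_enctypes(keytab_bytes)
    return sorted(n for n in conf_enctypes(conf_text) if ENCTYPES.get(n) not in have)

def sample_keytab(etype, keylen):
    """Constructed single-entry keytab (zero key) for a hypothetical principal."""
    s = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + s(b"EXAMPLE.COM") + s(b"HTTP") + s(b"svc.example.com")
             + struct.pack(">IIB", 1, 0, 1) + struct.pack(">H", etype) + s(bytes(keylen)))
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

# Constructed krb5.conf fragment with the three settings from the updated configuration.
CONF = "".join(f"{k} = aes256-cts-hmac-sha1-96\n" for k in SETTINGS.split("|"))
if __name__ == "__main__":
    print(missing_keys(CONF, sample_keytab(23, 16)), missing_keys(CONF, sample_keytab(18, 32)))
```

An enctype name outside the two in ENCTYPES is reported as missing, so extend the table before using the check on other configurations.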

Cause
