
Latest Java Update (Java version = 1.8.0_351, Java Runtime Version = 8.0.7.20) leads to Kerberos Issues

  • 1.  Latest Java Update (Java version = 1.8.0_351, Java Runtime Version = 8.0.7.20) leads to Kerberos Issues

    Posted Mon December 05, 2022 04:39 AM
    Hi out there,

    Just want to inform you that I had an issue up to now where Kerberos/SPNEGO SSO with our Microsoft AD was not working anymore after installing WebSphere 9.0.5 FP14 (on top of FP13) and Java version = 1.8.0_351, Java Runtime Version = 8.0.7.20 (from Java version = 1.8.0_341, Java Runtime Version = 8.0.7.15).

    Case @ IBM is opened. (5003p00002lPn0oAAC)

    It seems that the java policy files have changed (at least the change/creation date has changed).

    After rolling back JAVA (not WebSphere FP14) Kerberos is now working again.

    The error was (in trace): 
    [05.12.22 07:36:20:839 MEZ] 000001bc SystemErr R javax.security.auth.login.FailedLoginException: Schlüssel kann nicht aus Chiffrierschlüssel HTTP/fqdnofserver.host.com@HOST.COM abgerufen werden

    [05.12.22 07:36:20:870 MEZ] 000001bc ServerCredent E com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServer CWSPN0015E: Unable to create a GSSCredential for: HTTP/fqdnofserver.host.com@HOST.COM
    [05.12.22 07:36:20:870 MEZ] 000001bc ServerCredent < com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServer RETURN
    [05.12.22 07:36:20:870 MEZ] 000001bc ServerCredent E com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServerCreds CWSPN0017E: Unable to create GSSCredentials for any of the hosts specified in the configuration properties.



    So please take care before installing the up-to-date Java Runtime for WebSphere 9.0.5.

    ------------------------------
    Klaus Schmidinger
    IT Guy
    Julius Blum GmbH
    ------------------------------

    #AssetandFacilitiesManagement
    #Maximo


  • 2.  RE: Latest Java Update (Java version = 1.8.0_351, Java Runtime Version = 8.0.7.20) leads to Kerberos Issues
    Best Answer

    Posted Mon December 12, 2022 12:58 AM
    Answer from IBM Support (thanks for the great support!):
    RC4-HMAC has been disabled in that new JDK (because it has been vulnerable for many years), so if you have only RC4 keys in the keytab, you could be experiencing the problem.

    When creating our keytab files from Active Directory, the ktpass command used the RC4-HMAC algorithm. We have similar issues in other applications where, with the current Java release, Kerberos is getting into trouble because of the old algorithm, which should be replaced.


    To verify your keytab:
    java com.ibm.security.krb5.internal.tools.Klist -e -k keytabfile

    Example:
    E:\IBM\WebSphere\AppServer\java\jre\bin>java com.ibm.security.krb5.internal.tools.Klist -e -k E:\IBM\krb\mykeytab.keytab

    In my case the result is:
    [1] Principal: HTTP/hostname.subdomain.domain@ABC.NET
    KVNO: 1
    Verschlüsselungstyp (skey, tkt): RC4 with HMAC, {1}

    ------------------------------
    Klaus Schmidinger
    Teamlead IT4IT
    Julius Blum GmbH
    ------------------------------
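
The check described in the answer above, as an added example that is not part of the original posts and not IBM's tooling: a Python sketch that reads keytab entries directly and lists the principals that have only RC4-HMAC keys (etype 23), so affected keytabs can be found before the Java update. It assumes the standard MIT keytab layout, version 0x0502; the function names, the sample keytab and the `app2` principal are constructed for illustration.

```python
import struct

RC4_HMAC = 23  # Kerberos etype number for rc4-hmac (18 = aes256-cts-hmac-sha1-96)

def parse_keytab(data):  # yields (principal, kvno, etype) per live entry, never the key
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        entry, pos, off = data[pos:pos + size], pos + size, 2
        def counted():                # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", entry, off)
            off += 2 + n
            return entry[off - n:off]
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        kvno, etype = struct.unpack_from(">BH", entry, off + 8)  # after name_type, timestamp
        off += 11
        counted()                     # step over the key material
        if len(entry) - off >= 4:     # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        yield f"{name}@{realm}", kvno, etype

def rc4_only_principals(data):  # principals whose keytab entries are all RC4-HMAC
    etypes = {}
    for principal, _kvno, etype in parse_keytab(data):
        etypes.setdefault(principal, set()).add(etype)
    return sorted(p for p, e in etypes.items() if e == {RC4_HMAC})

def build_entry(principal, kvno, etype, key):  # builds the constructed sample only
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = name.encode().split(b"/")
    body = struct.pack(">H", len(parts)) + cs(realm.encode()) + b"".join(map(cs, parts))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(build_entry(*e) for e in [  # constructed, dummy zero keys
    ("HTTP/hostname.subdomain.domain@ABC.NET", 1, 23, bytes(16)),
    ("HTTP/app2.example.test@ABC.NET", 2, 23, bytes(16)),   # made-up principal
    ("HTTP/app2.example.test@ABC.NET", 2, 18, bytes(32))])

print("RC4-only principals:", rc4_only_principals(SAMPLE))
```

To check a real file, pass `open(path, "rb").read()` to `rc4_only_principals`; a principal that also has an AES entry is not reported.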