
SSO on Tomcat on IBM AIX 7.1


martinsticzay (IS-IT--Management), May 25, 2016, CZ
Hello,
I'm trying to solve the problem with Single Sign On on Apache Tomcat running on IBM AIX 7.1. I've already tried OpenText support, but I was told that this problem is probably somewhere in the configuration of Tomcat or AIX.
Funny thing is that the same Tomcat configuration worked properly on the HP-UX operating system.
So, the trace is:
We are trying to set up Single Sign On for OpenText OTDS 10.2.1 from the web client of OpenText TCP 10.2.1 (system by OpenText) and can't even set up a valid path for the Kerberos keytab file.
Structure:
adpra050: Windows AD server as Kerberos server,
wcc71502: AIX 7.1 running Tomcat 6 that has krb5Login configuration and a keytab file. OTDS and application server for TCP 10.2.1 resides on this host.
adpra098: Windows server 2008 for TCP web client.
The aim is that only Tomcat will use the keytab, not the whole AIX system. Right now not even Tomcat can use the keytab file properly. What was working in the HP-UX configuration (instead of AIX) is not working on AIX.
To set up SSO we requested a krb5kt file from the domain admin.
The file was tested by running
kinit -k -t /appl/earchive/otex/RCS_102/krb5kt HTTP/wcc71502.vsskb.cz
which produced a Kerberos ticket and saved it to the user's home.
Files used to configure Kerberos for Tomcat:
/etc/krb5/krb5.conf
in /appl/earchive/otex/RCS_102/ (Catalina_home):
krb5kt
conf/krb5.conf
conf/jaas.conf
bin/setenv.sh to set path to jaas.conf

Despite all efforts to pass the keytab file we always get this error in logs:
rcs.log:
javax.security.auth.login.LoginException: Bad JAAS configuration: bad URL krb5kt Error java.net.MalformedURLException: no protocol: krb5kt

ums.log:
ixos.sec.sso.CheckerContext - Error in method 'buildToken4Invalidate(tokenString)'
ixos.sec.sso.CheckerException: session with id wtCJdTDkZWt84J4lLq3VYSZhB+LGX6DMD68R2+d5 is unknown at ixos.sec.sso.modules.DBSessionPersistence.getSession(DBSessionPersistence.java:360)
at ixos.sec.sso.modules.UMSSessionStore.getSession(UMSSessionStore.java:125)

directory.access.log:
2016-04-28 14:20:34,210 WARN [SMessage Receive Queue Popper 2] otx.OTDSAccess : OTDS.Access - ,2016/04/28 14:20:34 CEST,0,0,Authentication Service,Failure Access,28,Initial authentication failed,Unknown User,,Authentication failure [UNKNOWN]: Unknown User from host 10.144.10.121 with address 10.144.10.121 for resource 8975d99f-78f0-451c-8535-4042d88faed8
The user is never recognized when SSO is attempted (when Login.aspx is opened in the browser).

Any help in how to correctly supply the krb5kt path is appreciated.

Thank you.
Martin.
 
Could you post the configuration entry that points to that path? Does it look like file:///?

Cheers,
Dian
 
Thank you for the answer.
My config files look like this. I used the format "file:unix-style-path" according to some internet tutorials. I'll try three slashes in the near future, as you say.
/conf/krb5.conf
[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = file:/appl/earchive/otex/RCS_102/krb5kt
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
DEV.LOCAL = {
kdc = adpra050.vsskb.cz:88
}

[domain_realm]
vsskb.cz= VSSKB.CZ
.vsskb.cz= VSSKB.CZ

/conf/jaas.conf

com.ibm.security.jgss.krb5.initiate {
com.ibm.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/wnv71506.vsskb.cz"
useKeyTab=true
keyTab="/appl/earchive/otex/RCS_102/krb5kt"
storeKey=true;
};

com.ibm.security.jgss.krb5.accept {
com.ibm.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/wnv71506.vsskb.cz"
useKeyTab=true
keyTab="/appl/earchive/otex/RCS_102/krb5kt"
storeKey=true;
};

/bin/setenv.sh
CATALINA_OPTS="-Dcs.instancename=node001 -XX:MaxPermSize=256M -Xmx2048M $CATALINA_OPTS"
CATALINA_OPTS="-Dorg.apache.commons.logging.Log=com.opentext.ecm.components.logging.wrappers.JCLBootLogger $CATALINA_OPTS"
CATALINA_OPTS="-Djava.security.auth.login.config=file:/appl/earchive/otex/RCS_102/conf/jaas.conf -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all $CATALINA_OPTS"
echo JAAS properties set
 
It was more a question than a suggestion: the "java.net.MalformedURLException: no protocol krb5kt" error means that the system is expecting a URL but can't find the protocol (file:).

That said, protocols and paths when dealing with different OSs are a p*** in the a**, and after all these years I still can't figure out the correct way on the first try.

The error detail (krb5kt) means that it's the final part of the offending URL, and that leaves two suspects:

default_keytab_name = file:/appl/earchive/otex/RCS_102/krb5kt
keyTab="/appl/earchive/otex/RCS_102/krb5kt"

Since it says JAAS configuration, I'd assume the jaas.conf is actually being read, so the second one should be it. That said, that URL looks fine to me and matches some examples I've been through, so the only suggestion I can make is, if possible, to try something like

keyTab="file:/appl/earchive/otex/RCS_102/krb5kt" or keyTab=file:/appl/earchive/otex/RCS_102/krb5kt

At least, that would give you more info about the problem.

Cheers,
Dian
 
I've tried all combinations I could find online (file:/, "file:/", FILE:/, "FILE:/", also with three slashes file:///), but with no change in the error log. It seems like Tomcat doesn't even care about the configuration files, because it produced the same error even when I completely removed the conf files.
 
I'm out of suggestions. Desperate try: change krb5kt to krb5kt1, krb5kt2 in the different configuration files or parameters to be sure which one is complaining.

Cheers,
Dian
 
Thank you very much for your cooperation.
After that, it turned out it wasn't working with any of these files, but only with /etc/krb5/krb5.conf, which had a bad format (now it's FILE:/appl/earchive.... with no quotation marks).
I'm not completely sure why, because all of the internet how-to pages were completely sure about using the jaas and krb config files inside Tomcat.
Anyway, thanks a lot :)
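A checker for the two keytab references this thread ends up debugging (default_keytab_name in krb5.conf and keyTab in jaas.conf), added here as an example; it is not code from the thread, OpenText or IBM. It flags a quoted value, a missing FILE: prefix, a relative path, a jaas.conf keyTab that differs from the krb5.conf one, a non-HTTP/ principal, and a keytab file readable beyond its owner. The sample config strings are constructed from the files posted above, and the function names are assumptions of mine.

```python
import os
import re
import stat
# Constructed samples modelled on the thread's files: KRB5_CONF_OK uses the bare
# FILE:/path form that finally worked; KRB5_CONF_BAD is the quoted, relative form.
KRB5_CONF_OK = "[libdefaults]\ndefault_realm = DEV.LOCAL\ndefault_keytab_name = FILE:/appl/earchive/otex/RCS_102/krb5kt\n"
KRB5_CONF_BAD = '[libdefaults]\ndefault_keytab_name = "file:krb5kt"\n'
JAAS_CONF = ('com.ibm.security.jgss.krb5.accept {\n'
             'com.ibm.security.auth.module.Krb5LoginModule required\n'
             'principal="HTTP/wnv71506.vsskb.cz"\nuseKeyTab=true\n'
             'keyTab="/appl/earchive/otex/RCS_102/krb5kt"\nstoreKey=true;\n};\n')

def check_keytab_ref(value):
    """Validate a default_keytab_name value; returns (path, [problems])."""
    problems = []
    if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
        problems.append("quoted: krb5.conf takes a bare FILE:/path, no quotation marks")
        value = value.strip("\"'")
    m = re.match(r"^([A-Za-z]+):(.*)$", value)
    if not m:
        problems.append("no FILE: prefix: the JAAS loader reports 'no protocol' for a bare name")
        path = value
    else:
        if m.group(1).upper() != "FILE":
            problems.append("keytab type %r is not FILE" % m.group(1))
        path = m.group(2)
    if not path.startswith("/"):
        problems.append("relative path %r resolves against the JVM working directory, not CATALINA_HOME" % path)
    return path, problems

def check_keytab_file(path):
    """The keytab holds the service's long-term key: it must exist and be owner-only."""
    if not os.path.isfile(path):
        return ["keytab %s does not exist" % path]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return ["keytab mode %o is readable beyond the owner" % mode] if mode & 0o077 else []

def audit(krb5_text, jaas_text):
    """Cross-check jaas.conf keyTab/principal entries against krb5.conf."""
    m = re.search(r"^\s*default_keytab_name\s*=\s*(.+?)\s*$", krb5_text, re.M)
    if not m:
        return ["krb5.conf has no default_keytab_name"]
    path, problems = check_keytab_ref(m.group(1))
    for kt in re.findall(r'keyTab\s*=\s*"?([^"\s;]+)"?', jaas_text):
        if kt != path:
            problems.append("jaas.conf keyTab %r differs from krb5.conf keytab %r" % (kt, path))
    for p in re.findall(r'principal\s*=\s*"?([^"\s;]+)"?', jaas_text):
        if not p.startswith("HTTP/"):
            problems.append("principal %r is not an HTTP/ service principal" % p)
    return problems
```

Run audit() on the real file contents and check_keytab_file() on the path it returns; an empty list from both means the references agree and the keytab is not exposed to other local users.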
 