wsit / WSIT-1571

IllegalArgumentException authenticating Metro client with Metro webservice @ MS 2008 R2 server (rc4-hmac)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Environment:

      Web service client: GlassFish v3.0.1 on Windows XP
      Web service: GlassFish v3.0.1 on Windows Server 2008 R2

      Description

      Trying web service authentication with Kerberos; the web service is running on GlassFish v3.0.1 on an MS Windows 2008 R2 server. The service account is created, SPNs are set, and keytabs are generated (for both server and client).
      On client side:
      kinit -k -t donatas.keytab donatas
      succeeds (gets ticket).

      With -Dsun.security.krb5.debug=true set, in the client GlassFish log I see that pre-authentication gets requested, then succeeds, then the KDC starts negotiating a service ticket (using RC4-HMAC):

      -----------------------
      Found ticket for donatas@EDS.VMI.LT to go to krbtgt/EDS.VMI.LT@EDS.VMI.LT expiring on Fri Jul 01 03:59:50 EEST 2011|#]
      Service ticket not found in the subject|#]
      >>> Credentials acquireServiceCreds: same realm|#]
      default etypes for default_tgs_enctypes: 23 16 3 1 .

      >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType|#]
      >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType|#]
      >>> KrbKdcReq send: kdc=dc.eds.vmi.lt UDP:88, timeout=30000, number of retries =3, #bytes=1316|#]
      >>> KDCCommunication: kdc=dc.eds.vmi.lt UDP:88, timeout=30000,Attempt =1, #bytes=1316|#]
      >>> KrbKdcReq send: #bytes read=1320|#]
      >>> KrbKdcReq send: #bytes read=1320|#]
      >>> KdcAccessibility: remove dc.eds.vmi.lt|#]
      >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType|#]
      >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000|#]
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType|#]
      Krb5Context setting mySeqNumber to: 588563156|#]
      Krb5Context setting peerSeqNumber to: 0|#]
      Created InitSecContextToken:
      0000: 01 00 6E 82 04 DF 30 82 04 DB A0 03 02 01 05 A1 ..n...0.........
      0010: 03 02 01 0E A2 07 03 05 00 00 00 00 00 A3 82 04 ................
      0020: 06 61 82 04 02 30 82 03 FE A0 03 02 01 05 A1 0C .a...0..........
      0030: 1B 0A 45 44 53 2E 56 4D 49 2E 4C 54 A2 20 30 1E ..EDS.VMI.LT. 0.
      0040: A0 03 02 01 00 A1 17 30 15 1B 04 48 54 54 50 1B .......0...HTTP.
      0050: 0D 64 63 2E 65 64 73 2E 76 6D 69 2E 6C 74 A3 82 .dc.eds.vmi.lt..
      0060: 03 C5 30 82 03 C1 A0 03 02 01 17 A1 03 02 01 04 ..0.............
      ...
      ClassName=com.sun.org.apache.xml.internal.security.algorithms.JCEMapper;MethodName=translateURItoJCEID;|Request for URI http://www.w3.org/2001/04/xmlenc#aes128-cbc|#]

      [#|2011-06-30T17:59:49.615+0300|SEVERE|glassfish3.0.1|com.sun.xml.wss.logging.impl.filter|_ThreadID=23;_ThreadName=Thread-1;|WSS1414: Error extracting symmetric key Missing argument|#]

      [#|2011-06-30T17:59:49.630+0300|SEVERE|glassfish3.0.1|com.sun.xml.wss.provider.wsit|_ThreadID=23;_ThreadName=Thread-1;|WSITPVD0029: Error in Securing Outbound Message.
      com.sun.xml.wss.impl.WssSoapFaultException: java.lang.IllegalArgumentException: Missing argument
      at ...
      Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.IllegalArgumentException: Missing argument
      at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:459)
      at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:93)
      at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:272)
      at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:189)
      at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:150)
      at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureOutboundMessage(WSITClientAuthContext.java:515)
      ... 43 more
      Caused by: java.lang.IllegalArgumentException: Missing argument
      at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
      at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
      at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:432)
      ... 48 more

      #]
      -------------

      Source code for KerberosContext.getSecretKey(KerberosContext.java:91) reveals:

      this.sKey = new SecretKeySpec(this.secretKey, algorithm);

      and for SecretKeySpec.<init>():

      public SecretKeySpec(byte[] paramArrayOfByte, String paramString)
      {
          if ((paramArrayOfByte == null) || (paramString == null))
              throw new IllegalArgumentException("Missing argument");
          ...

      Conclusion: either algorithm or secretKey was passed as null to SecretKeySpec.
      The log file and config files are attached.

      1. client-server.log
        46 kB
        donatasc
      2. krb5.conf
        0.4 kB
        donatasc
      3. login.conf
        0.8 kB
        donatasc
      4. SignatureFilter.diff
        2 kB
        donatasc

        Activity

        kumarjayanti added a comment -

        Hi,

        Thanks again for your help and filing the issues. I was looking at the proposed fix and was confused why this setSecretKey() call would ever be required. I understand it is null and therefore you are seeing the "IllegalArgumentException: Missing argument".

        So we have the KerberosLogin.java where we try to do a KerberosLogin using the JDK supported Kerberos LoginModules, and there the code sets the secretKey as follows:

        ===========
        Set<Object> setPrivCred = loginSubject.getPrivateCredentials();
        Iterator<Object> iter2 = setPrivCred.iterator();
        while (iter2.hasNext()) {
            Object privObject = iter2.next();
            if (privObject instanceof KerberosTicket) {
                KerberosTicket kerbTicket = (KerberosTicket) privObject;
                try {
                    if (kerbTicket.getServer().getName().equals(gssContext.getTargName().toString())) {
                        SecretKey sKey = kerbTicket.getSessionKey();
                        byte[] secret = sKey.getEncoded();
                        krbContext.setSecretKey(secret);
                        break;
                    }
                } catch (GSSException ex) {
                    throw new XWSSecurityException(ex);
                }
            }
        }
        ==========

        So it appears to me that in case of ActiveDirectory somehow the result of KerberosLogin

        1. does not have the KerberosTicket as a private credential in the Subject.

        OR
        2. the following condition check fails: if (kerbTicket.getServer().getName().equals(gssContext.getTargName().toString())) {

        I would be thankful to you if you can tell us which of the two above happens?

        Based on that I will integrate the suggested fix.

        Thanks again.

        donatasc added a comment -

        I did some debugging:

        kerbTicket.getServer().getName() = HTTP/dc.eds.vmi.lt@EDS.VMI.LT
        gssContext.getTargName().toString() = HTTP/dc.eds.vmi.lt

        Which one of them is coming from the wsit-*.xml file?

        donatasc added a comment -

        I replaced "HTTP/dc.eds.vmi.lt" with "HTTP/dc.eds.vmi.lt@EDS.VMI.LT" in the wsit-*.xml file on the client, and got it working (after 2 weeks of trial and error).

        The real problem is that Metro is not reporting in any way that none of the KerberosTickets has kerbTicket.getServer().getName() = gssContext.getTargName().toString().
        There could be at least a WARNING (if not SEVERE) log message saying that the wsit-*.xml file has the wrong service principal name.

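The name mismatch described in the comment above, rebuilt as a stand-alone example; this is added code, not Metro's KerberosLogin, and it stands in for KerberosTicket and GSSName with plain strings. The strict lookup reproduces the null secret key that ends in SecretKeySpec's "Missing argument"; the hardened lookup tolerates the realm suffix and, when nothing matches, logs the WARNING the reporter asks for and fails with a message that names the misconfigured SPN. The match rule, class and method names are assumptions of this example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Metro's code: models KerberosLogin's session-key lookup
// with plain strings standing in for KerberosTicket and GSSName objects.
public class SpnMatchDemo {
    private static final Logger LOG = Logger.getLogger(SpnMatchDemo.class.getName());
    // A ticket reduced to the two fields the lookup uses; values are constructed.
    static final class Ticket {
        final String serverName; final byte[] sessionKey;
        Ticket(String s, byte[] k) { serverName = s; sessionKey = k; }
        @Override public String toString() { return serverName; }
    }
    // Original behaviour: strict equals, so the ticket's "HTTP/host@REALM" never
    // matches the realm-less "HTTP/host" from wsit-*.xml and null comes back silently.
    static byte[] findKeyStrict(List<Ticket> tickets, String targetName) {
        for (Ticket t : tickets) if (t.serverName.equals(targetName)) return t.sessionKey;
        return null;
    }
    // Match rule assumed by this example: a target naming a realm must equal the ticket's
    // server name exactly; a realm-less target is compared with the "@REALM" suffix removed.
    static boolean spnMatches(String ticketServer, String targetName) {
        if (targetName.indexOf('@') >= 0) return ticketServer.equals(targetName);
        int at = ticketServer.indexOf('@');
        return (at < 0 ? ticketServer : ticketServer.substring(0, at)).equals(targetName);
    }
    // Hardened lookup: tolerant match and, when nothing matches, a WARNING naming the
    // configured SPN and the SPNs held (never key bytes), then an immediate failure
    // instead of a null that surfaces later as SecretKeySpec's "Missing argument".
    static byte[] findKeyOrFail(List<Ticket> tickets, String targetName) {
        for (Ticket t : tickets) if (spnMatches(t.serverName, targetName)) return t.sessionKey;
        LOG.warning("No Kerberos ticket for SPN " + targetName + "; subject holds " + tickets);
        throw new IllegalStateException("wsit-*.xml service principal name matches no ticket: " + targetName);
    }

    public static void main(String[] args) {
        List<Ticket> subject = Arrays.asList(
            new Ticket("krbtgt/EDS.VMI.LT@EDS.VMI.LT", new byte[16]),
            new Ticket("HTTP/dc.eds.vmi.lt@EDS.VMI.LT", new byte[16]));
        String target = "HTTP/dc.eds.vmi.lt";   // the SPN as the reporter first configured it
        try {
            new SecretKeySpec(findKeyStrict(subject, target), "AES"); // null key, as in the stack trace
        } catch (IllegalArgumentException e) {
            System.out.println("strict lookup: " + e.getMessage());
        }
        System.out.println("tolerant lookup: " + findKeyOrFail(subject, target).length + "-byte key");
    }
}
```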
        kumarjayanti added a comment -

        Thanks for all the self-debugging. Your comment is valid, I shall add a WARNING log over there.

        kumarjayanti added a comment -

        Added a WARNING as required.


          People

          • Assignee:
            kumarjayanti
            Reporter:
            donatasc