7 Replies Latest reply: Nov 28, 2011 4:29 PM by 687626

Using Sun's kerberos module with IBM JRE  ?

687626 Expert
Is it possible to use Sun's Kerberos Login Module [com.sun.security.auth.module.Krb5LoginModule] within another JRE like IBM's? We are planning to use SSO with the Lotus Notes client as initiator. The Notes client runs IBM Java and has its own version of the Kerberos Login Module, com.ibm.security.auth.module.Krb5LoginModule.

Sun's version has a nice feature of fetching TGTs from the in-memory LSA area, which is not present in IBM's one. So with Sun we can make the SSO process totally transparent to end users, and they are not prompted to re-enter the password at any point in time. A fresh TGT is issued and saved in the Windows in-memory LSA area each time a user unlocks his desktop session by entering his password. Sun's login module can fetch this TGT and perform the Kerberos authentication. The advantage of this approach is that we don't need to maintain any credential caches in the user's file system, and there is no need to refresh the TGTs in the credential cache, as TGTs are automatically refreshed when the user unlocks his desktop session, and at no point do we need to ask the user for a password to refresh the TGT.

With the IBM one we need to have and maintain a credential cache and also need to renew the TGTs before they expire. And to renew TGTs in case they expire we need to prompt the user for a password.

The Java agent running in the Notes client uses a JAAS login. Since JAAS is a pluggable framework, I hoped it would be possible to use Sun's Login Module. But I can see that the classes used by Sun's Kerberos module are in rt.jar and not available as an external pluggable jar. So will this configuration be supported?
  • 1. Re: Using Sun's kerberos module with IBM JRE  ?
    EJP Guru
    It is highly unlikely that this configuration can be made to work. But I would have thought these classes were in JCE.jar, not rt.jar.
  • 2. Re: Using Sun's kerberos module with IBM JRE  ?
    687626 Expert
    Nope, it is in rt.jar. jce.jar doesn't have a package starting with com.*
  • 3. Re: Using Sun's kerberos module with IBM JRE  ?
    Weijun Newbie
    The Krb5LoginModule classes are inside rt.jar. Also, in order to get the ccache from LSA, you need some JNI native code, which is in w2k_lsa_auth.dll in the bin directory.

    I don't think it's easy to merge these classes and the dll into the IBM JRE. If it were me, I would try to find a tool that can fetch ccache info from LSA and save it to a file-based ccache file which is recognized by both Oracle's and IBM's JREs.
  • 4. Re: Using Sun's kerberos module with IBM JRE  ?
    687626 Expert
    Does this dll depend on any other dll?

    I just placed w2k_lsa_auth.dll in the jre/lib/ext directory of Notes and tried to run the agent, which resulted in the below error:

    JavaAgent
    About to Login
    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Incorrect address format.
    javax.security.auth.login.LoginException: java.lang.NullPointerException
         at sun.security.krb5.internal.ccache.aq.<init>(DashoA6275:82)
         at sun.security.krb5.internal.ccache.an.c(DashoA6275:368)
         at sun.security.krb5.internal.ccache.FileCredentialsCache.c(DashoA6275:219)
         at sun.security.krb5.internal.ccache.FileCredentialsCache.c(DashoA6275:104)
         at sun.security.krb5.internal.ccache.al.a(DashoA6275:78)
         at sun.security.krb5.Credentials.acquireTGTFromCache(DashoA6275:308)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:520)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:618)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
         at java.security.AccessController.doPrivileged(AccessController.java:246)
         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
         at JavaAgent.getBase64KerberosTicket(JavaAgent.java:35)
         at JavaAgent.NotesMain(JavaAgent.java:98)
         at lotus.domino.AgentBase.runNotes(Unknown Source)
         at lotus.domino.NotesThread.run(Unknown Source)
  • 5. Re: Using Sun's kerberos module with IBM JRE  ?
    687626 Expert
    OK, this is a known issue with Java 1.4. It got fixed after putting in the 1.5 jars. Next error... looks like the dll is not getting hooked :(
    JavaAgent
    About to Login
    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    Credentials are no longer valid
    Principal is null
    null credentials from Ticket Cache
              [Krb5LoginModule] authentication failed 
    Unable to obtain Princpal Name for authentication 
    javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
         at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:618)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
         at java.security.AccessController.doPrivileged(AccessController.java:246)
         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
         at JavaAgent.getBase64KerberosTicket(JavaAgent.java:35)
         at JavaAgent.NotesMain(JavaAgent.java:98)
         at lotus.domino.AgentBase.runNotes(Unknown Source)
         at lotus.domino.NotesThread.run(Unknown Source)
    Kerberos ticket:
    null
  • 6. Re: Using Sun's kerberos module with IBM JRE  ?
    Weijun Newbie
    The following debug messages are quite strange:

    Acquire TGT from Cache
    Credentials are no longer valid

    Please make sure in the JAAS config file, useTicketCache=true but ticketCache is not specified. Otherwise, the file will be used instead of LSA.
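The configuration Weijun describes (useTicketCache=true with no ticketCache, so Sun's Krb5LoginModule goes through w2k_lsa_auth.dll to the Windows LSA instead of a file), together with the transparent-SSO flow the first post wants, as an added example that is not code from this thread, from Oracle or from IBM. The JAAS entry sits in a comment at the top; the entry name NotesSSO, the config file name lsa.conf and the class LsaTgtCheck are my own choices, and the program assumes the Sun/Oracle JRE on a domain-joined Windows machine where the user has already logged on.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * JAAS configuration, assumed to live in a file named lsa.conf (my name) and
 * selected with -Djava.security.auth.login.config=lsa.conf. The entry name
 * NotesSSO is also my choice.
 *
 *   NotesSSO {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true      // reuse an existing TGT, no AS-REQ with a password
 *           doNotPrompt=true         // fail instead of prompting; SSO has to stay transparent
 *           debug=true;
 *   };
 *
 * Deliberately absent: ticketCache=...  Naming a cache file there makes the
 * Sun module read that file and never consult the Windows LSA cache.
 */
public class LsaTgtCheck {

    /** Logs in through the named JAAS entry; returns the Subject, or null if login fails. */
    public static Subject login(String entry) {
        try {
            LoginContext lc = new LoginContext(entry);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            // With doNotPrompt=true and no usable TGT the module throws here; an expired
            // ticket shows up first in the debug output as "Credentials are no longer valid".
            System.err.println("JAAS login failed: " + e.getMessage());
            return null;
        }
    }

    /** Returns the TGT (service principal krbtgt/REALM@REALM) from the Subject, or null. */
    public static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t;
            }
        }
        return null;
    }

    /** A TGT fetched from LSA is only useful while it is still within its lifetime. */
    public static boolean usable(KerberosTicket t) {
        return t != null && t.isCurrent();
    }

    public static void main(String[] args) {
        Subject subject = login("NotesSSO");
        if (subject == null) {
            System.exit(1);
        }
        KerberosTicket tgt = findTgt(subject);
        if (tgt == null) {
            System.err.println("login succeeded but the Subject holds no TGT");
            System.exit(1);
        }
        System.out.println("client      : " + tgt.getClient().getName());
        System.out.println("service     : " + tgt.getServer().getName());
        System.out.println("expires     : " + tgt.getEndTime());
        System.out.println("session key : etype " + tgt.getSessionKeyType());
        System.out.println("usable now  : " + usable(tgt));
        // Remaining lifetime is the point of the LSA approach: Windows re-issues the TGT
        // when the user unlocks the desktop, so nothing in a file cache has to be renewed.
        long minutesLeft = (tgt.getEndTime().getTime() - new Date().getTime()) / 60000L;
        System.out.println("minutes left: " + minutesLeft);
    }
}
```

Run it as `java -Djava.security.auth.login.config=lsa.conf LsaTgtCheck` under the Sun/Oracle JRE; under the IBM JRE it hits exactly the obstacle the thread describes, because the module's backing classes live in rt.jar and the LSA bridge in w2k_lsa_auth.dll. Two checks worth making before blaming the dll: a stale file-based cache left in the user's home can stop the module from ever reaching the LSA ticket, as reply 7 found, so delete it; and on Windows the LSA exports the TGT's session key to user processes only when the DWORD `allowtgtsessionkey` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters` is set to 1, so confirm that registry value on the client first.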
  • 7. Re: Using Sun's kerberos module with IBM JRE  ?
    687626 Expert
    Thanks. Actually I had a file-based cache in the user home with an expired token. Deleted the cache and now I am able to fetch the TGTs from the in-memory cache. Had to do many hacks, including copying the dll to Notes_Home/jvm/bin and then replacing IBM's security.jar, which has its own version of GSSManager, with a manually merged 'Sun-IBM' security.jar. Replaced IBM's GSS classes with Sun's ones in this merged security.jar.

    Not a clean solution at all, so I have to talk to the SOE guys about whether it can be promoted to prod... but I know it works.

    Thanks for all your replies

    Regards
    Atheek
