SQL & PL/SQL

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

ORA-01704: string literal too long for CLOB colum

user4295847May 30 2013 — edited Jun 4 2013

Hi,

I'm trying to execute sql script containing a lot of insert into statements.

Insert into table (clob_column) values ("value of 5500 characters");
I get the below error message. Please let me know how do resolve this issue without PL/SQL ?

ORA-01704: string literal too long

843810

Just an update on my original question in case it helps...

If I switch to /crypto AES256-SHA1 in the ktpass command I get Checksum failed errors instead. Has anyone been able to make Java 1.6 Kerberos apps work with a Windows AD/KDC running on Windows Server 2008? If yes, what steps did you follow?

Here are the results:

      KeyTabInputStream, readName(): CONTOSO.LOCAL
      KeyTabInputStream, readName(): HTTP
      KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
      KeyTab: load() entry length: 95; type: 18
Added key: 18version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 23 16 3 1.
0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
0000: 32 A0 E6 1C 0E 2E AE 8F   2B C0 4A 28 29 84 91 3D  2.......+.J()..=
0010: CC C6 49 B1 EF 18 28 DA   22 A9 4D 8B D0 36 47 AE  ..I...(.".M..6G.


default etypes for default_tkt_enctypes: 18 23 16 3 1.
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
      KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
      KrbKdcReq send: #bytes read=205
      KrbKdcReq send: #bytes read=205
      KDCRep: init() encoding tag is 126 req type is 11
     KRBError:
         sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
         suSec is 47253
         error code is 25
         error Message is Additional pre-authentication required
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         eData provided.
         msgType is 30
     Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18
     Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
     Pre-Authentication Data:
         PA-DATA type = 16
     Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
     KrbAsReq salt is CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=251
      KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=251
      KrbKdcReq send: #bytes read=98
      KrbKdcReq send: #bytes read=98
      KDCRep: init() encoding tag is 126 req type is 11
     KRBError:
         sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
         suSec is 203503
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         msgType is 30
      KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=251
     DEBUG: TCPClient reading 1581 bytes
      KrbKdcReq send: #bytes read=1581
      KrbKdcReq send: #bytes read=1581
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 06 2d 30 82 06 29 a0.....
5f a3 6e 04 01 
Checksum failed !
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoToken NegTokenInit : no MIC token included
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at kerberostest.Main.doSubjectCall(Main.java:54)
        at kerberostest.Main.main(Main.java:44)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at kerberostest.Main$1.run(Main.java:58)
        ... 4 more
Caused by: KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        ... 11 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
        at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
        ... 17 more
{code}


Thanks

Mark

843810

hi mark,
I have the same problem in my install, i'm triying an SSO using CAS Spnego and Kerberos, i'm using DES-CBC-MD5 crypto.
this is my exception :
[#|2010-04-16T10:15:14.506+0200|INFO|sun-appserver2.1|net.java.spnego.SpnegoServerAuthModule|_ThreadID=16;_ThreadName=httpSSLWorkerThread-38005-1;|jmac.gss_dialog_failed
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at net.java.spnego.SpnegoServerAuthModule.validateRequest(SpnegoServerAuthModule.java:251)
at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1172)
at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1331)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1213)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:643)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:625)
at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:599)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 34 more

did you find an issue!!
any help will be welcome
thanks

843810

I guess OPENSSOHOST is a CNAME.

You have to use the name of the computer to create the keytab instead of a DNS Record like OPENSSOHOST . Then it will work.

843810

Hi Markdr,

You've received the "Cannot find key of appropriate type to decrypt".

From the exceptions you've pasted into your first message we can see cause: "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96".

Key type of this encryption is 18.

Now in command line type: klist -e -k krb5.keytab
and look for Key types. You should have encryption type 18.

Here's full list of those codes: http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml. Key type is eType. Yours is aes256-cts-hmac-sha1-96

If you don't have it, then use ktpass to generate correct keytab with correct encoding: aes256.

Best regards & good luck,
Kamil

1 - 4

Locked Post

New comments cannot be posted to this locked post.

Locked on Jul 2 2013

Added on May 30 2013

7 comments

55,181 views

SQL & PL/SQL

ORA-01704: string literal too long for CLOB colum

Comments

Post Details