Question by JSurapaneni · Oct 08, 2018 at 09:17 AM · 335 Views kerberos

Retrieve the kerberos token from KDC server

Hello,

Can anyone help me with this?

Below is my requirement:

1. User posts a JWT token.

2. Need to validate the JWT token and extract the UPN.

3. Authenticate to the KDC server with the UPN and keytab file and retrieve the Kerberos token.

I am stuck at step 3.

Getting an error from Apigee while calling the Java callout:

Error running java callout java.lang.RuntimeException: javax.security.auth.login.LoginException: No LoginModules configured for customclient


Below is my java callout properties

-----------

<JavaCallout async="false" continueOnError="false" enabled="true" name="JavaCallout-GenerateKerb">
    <DisplayName>JavaCallout-GenerateKerb</DisplayName>
    <Properties>
        <Property name="krb5Conf">krb5.conf</Property>
        <Property name="loginConf">login1.conf</Property>
        <Property name="loginModule">customclient</Property>
        <Property name="serverPrincipal">HTTP/Svc-apigee-kerb</Property>
    </Properties>
    <ClassName>main.java.GenerateKerberos</ClassName>
    <ResourceURL>java://Kerb1.0.jar</ResourceURL>
</JavaCallout>

------------------


This is failing at the below step in the Java code:

String loginModule = (String)properties.get("loginModule");

7 Answers

Answer by Anil Sagar @ Google   · Oct 15, 2018 at 01:43 AM

@JSurapaneni , @Denis Kalitviansky , @Jared Williams ,

You need to change a few settings to make it work.

You need to add the properties below to the message processor. The steps for doing so follow.

java.security.krb5.conf=/opt/krb5.conf

java.security.auth.login.config=/opt/login.conf

Step 1: Edit the file: vi /opt/apigee/customer/application/message-processor.properties

Step 2: Add the lines below at the end of that file:

conf/system.properties+java.security.auth.login.config=/opt/login.conf
conf/system.properties+java.security.krb5.conf=/opt/krb5.conf

Step 3: Restart the Message Processor.

Step 4: Verify: cat /opt/apigee/edge-message-processor/conf/system.properties

It should print the above two properties at the end.

Place krb5.conf and login.conf in the /opt directory and make sure permissions are taken care of.

The above error should go away. Hope it helps.

Jared Williams ♦ · Oct 15, 2018 at 03:11 AM

Thanks @Anil Sagar @ Google! I just tested and can confirm that this does indeed resolve the "No LoginModules configured for..." exception.

Anil Sagar @ Google ♦♦ (in reply to Jared Williams ♦) · Oct 15, 2018 at 03:15 AM

Awesome ! Glad it worked !!

Denis Kalitviansky (in reply to Anil Sagar @ Google ♦♦) · Oct 15, 2018 at 05:01 AM

For me that error did indeed go away, but I have a new one, and everything seems to be configured normally:

{"fault":{"faultstring":"Failed to execute JavaCallout. java.lang.SecurityException: java.io.IOException: Configuration Error:\n\texpected [;], read [end of file]","detail":{"errorcode":"steps.javacallout.ExecutionError"}}}

Can you maybe share your conf files? Or are the GitHub ones working?
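
The two failures reported in this thread can be checked before restarting the Message Processor. This is an added example, not part of any poster's answer or of the Apigee sample: `missing_properties` checks the system.properties content from step 4, and `lint` checks a JAAS login.conf for a missing entry name or a missing `;`, reporting them in wording modelled on the two exceptions above. The sample login.conf, its principal and its keytab path are constructed placeholders, and the linter covers only the basic entry syntax.

```python
import re

# Constructed sample login.conf (not from the thread); principal and keytab are placeholders.
GOOD = """
customclient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/opt/example.keytab"
    principal="svc-example@EXAMPLE.COM";
};
"""
BAD = GOOD.rstrip().rstrip(";")  # same file with the ';' after '}' dropped
REQUIRED = ("java.security.auth.login.config", "java.security.krb5.conf")

def missing_properties(system_properties):
    """JVM properties named in the answer that are absent from system.properties text."""
    keys = {ln.split("=", 1)[0].strip() for ln in system_properties.splitlines()}
    return [k for k in REQUIRED if k not in keys]

def tokenize(text):
    """Split a JAAS config into words, quoted strings and the symbols { } ; =."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # block comments
    text = re.sub(r"(?m)^\s*//.*$", "", text)          # whole-line comments
    return re.findall(r'"[^"]*"|[{};=]|[^\s{};="]+', text)

def lint(text, wanted):
    """Problems that would stop JAAS from using the entry named `wanted`."""
    toks, i, entries, problems = tokenize(text), 0, set(), []
    def expect(sym):
        nonlocal i
        if i < len(toks) and toks[i] == sym:
            i += 1
            return True
        got = toks[i] if i < len(toks) else "end of file"
        problems.append(f"expected [{sym}], read [{got}]")
        return False
    while i < len(toks) and not problems:
        name, i = toks[i], i + 1                     # entry name, e.g. customclient
        expect("{")
        while not problems and i < len(toks) and toks[i] != "}":
            i += 2                                   # module class + control flag
            while i < len(toks) and toks[i] not in (";", "}"):
                i += 3                               # option: key = value
            expect(";")                              # each module line ends with ';'
        if not problems and expect("}") and expect(";"):
            entries.add(name)                        # entry closed with '};'
    if not problems and wanted not in entries:
        problems.append(f"No LoginModules configured for {wanted}")
    return problems
```
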


Answer by Dino-at-Google   · Oct 08, 2018 at 04:39 PM

You are following along with this?

https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/kerberos-credential-mediation

What do you mean when you say the following line is "failing"?

String loginModule = (String)properties.get("loginModule");

I think, with the configuration you are showing, the Java callout cannot "fail" at that line. It will return a string ("customclient"), or null. It won't "fail".

Also you said the failure is "No LoginModules configured for customclient"

That is a different symptom. That error or exception won't be generated by the line of code you cited.

Have you configured the login.conf and krb5.conf? Show them.

Where do you have these files?

Give us more details.


Answer by Denis Kalitviansky · Oct 13, 2018 at 01:29 PM

I also want to raise the question of 'where to put the .conf files and keytab'.

/opt/apigee

/opt/

/opt/apigee/messageprocessor location

not working. Please assist?

Denis Kalitviansky · Oct 13, 2018 at 01:30 PM

@Maruti Chand

Hi, can you please help on the subject?

JSurapaneni · Oct 14, 2018 at 05:19 PM

Tried placing the files under /opt/apigee and /opt/apigee/messageprocessor.

Neither worked.

JSurapaneni · Oct 14, 2018 at 05:21 PM

Placed both the conf and keytab files at different locations and tried:

/opt/apigee

/opt/apigee/messageprocessor

/opt/apigee/messageprocessor/conf


Answer by Anil Sagar @ Google   · Oct 15, 2018 at 03:17 AM

@JSurapaneni , @Jared Williams , @Denis Kalitviansky ,

Here is the sample proxy that successfully worked for me !

helloworldkerbproxy-rev11-2017-11-03.zip (9.5 kB)

Answer by Denis K · Oct 15, 2018 at 04:12 AM

Hi Anil, the documentation says that there can be two modes, e.g. I can validate an incoming Kerberos ticket against the KDC server, and a new ticket will be generated for the backend from my keystore. My question is where I can choose whether my proxy requires Kerberos, or whether my proxy is not protected by Kerberos but my real backend is and I need to authenticate to it as a client.

Thanks

Denis Kalitviansky · Oct 17, 2018 at 08:32 AM

@Anil Sagar @ Google, Hi Anil, any assistance please?


Answer by Denis Kalitviansky · Oct 28, 2018 at 08:58 PM

Dear community, please help with separation of the modes if possible. We want in some cases to just protect our proxy with Kerberos (without also authenticating to the backend with Kerberos), and in some cases to authenticate to a backend Kerberos-protected API while leaving the front-end proxy unprotected.

Denis Kalitviansky · Oct 28, 2018 at 08:58 PM

@Anil Sagar @ Google any source code available for this functionality so we can make it?

Anil Sagar @ Google ♦♦ (in reply to Denis Kalitviansky) · Oct 29, 2018 at 01:40 AM

@Denis Kalitviansky , You can use sample proxy attached above.

Denis Kalitviansky (in reply to Anil Sagar @ Google ♦♦) · Oct 29, 2018 at 01:44 PM

Hi @Anil Sagar @ Google, your proxy is doing both of the two steps: protecting the facade with Kerberos and also talking to the backend with Kerberos... I want to split it... possible? For example, I want to authenticate to BACKEND APIs only with Kerberos, but my Apigee proxy facade is available without Kerb


Answer by Rahul · Oct 29, 2018 at 01:14 PM

@Anil Sagar @ Google

I have followed all the guidelines mentioned in your previous comments. My Kerberos is only generating a ticket when I'm sending a UPN that is the same as the SPN, and it's not working when I send the user email for authenticating. E.g. if the SPN is http/MYLDAP.COM and the UPN is also http/MYLDAP.COM then a ticket is generated; if the UPN is something like http/RAHUL@MYLDAP.COM it won't work.

Could you please help?

Jared Williams ♦ · Dec 10, 2018 at 06:01 PM

Hi @Anil Sagar @ Google @Dino-at-Google. Have either of you run into Rahul's situation before?

Anil Sagar @ Google ♦♦ (in reply to Jared Williams ♦) · Dec 11, 2018 at 08:34 AM

@Jared Williams, ideally, it should work. I haven't come across a similar situation.

Jared Williams ♦ · Dec 16, 2018 at 11:34 PM

Rahul, if you are receiving an exception, could you please paste the exception and full stack trace. Alternatively, can you add message logging to the java callout (or check any logs you may be capturing downstream) and paste those here?

For more information about java callout logging, please check this community post: https://community.apigee.com/questions/20840/acces-to-java-log-messages.html

This cookbook may also be helpful in understanding how you can gain more visibility into, and handle java callout errors: https://docs.apigee.com/api-platform/samples/cookbook/how-handle-java-callout-errors
