Retrieve the kerberos token from KDC server
Hello,
can anyone help me on this.
Below is my requirement
1. User posts JWT token.
2. need to validate JWT token and extract UPN
3. authenticate KDC server with UPN and Keytab file and retrieve kereberos token
and I am stuck up at step 3
Getting error from apigee while calling java callout
Error running java callout java.lang.RuntimeException: javax.security.auth.login.LoginException: No LoginModules configured for customclient
Below is my java callout properties
-----------
<JavaCallout async="false" continueOnError="false" enabled="true" name="JavaCallout-GenerateKerb"> <DisplayName>JavaCallout-GenerateKerb</DisplayName> <Properties>
<Property name="krb5Conf">krb5.conf</Property>
<Property name="loginConf">login1.conf</Property>
<Property name="loginModule">customclient</Property>
<Property name="serverPrincipal">HTTP/Svc-apigee-kerb</Property>
</Properties> <ClassName>main.java.GenerateKerberos</ClassName> <ResourceURL>java://Kerb1.0.jar</ResourceURL> </JavaCallout>
------------------
This is failing at the below step in JAva code
String loginModule = (String)properties.get("loginModule");
Answer by Anil Sagar @ Google
·
Oct 15 at 01:43 AM
@JSurapaneni , @Denis Kalitviansky , @Jared Williams ,
You need to change few settings to make it work.
You need to add below properties to message processor, Find out how to do same, below,
java.security.krb5.conf=/opt/krb5.conf
java.security.auth.login.config=/opt/login.conf
Step 1 : Edit vi /opt/apigee/customer/application/message-processor.properties
Step 2 : Add below line to above file at the end
conf/system.properties+java.security.auth.login.config=/opt/login.conf conf/system.properties+java.security.krb5.conf=/opt/krb5.conf
Step 3 : Restart Message Processor
Step 4: Verify cat /opt/apigee/edge-message-processor/conf/system.properties
Prints above two properties at end.
Place krb5.conf & login.conf in /opt directory & make sure permissions are taken care.
Above error should go away. Hope it helps.
Thanks @Anil Sagar @ Google! I just tested and can confirm that this does indeed resolve the "No LoginModules configured for..." exception.
For me that error indeed go away, but I have new one - and it seems all configured normally
{"fault":{"faultstring":"Failed to execute JavaCallout. java.lang.SecurityException: java.io.IOException: Configuration Error:\n\texpected [;], read [end of file]","detail":{"errorcode":"steps.javacallout.ExecutionError"}}}
Can you maybe share your conf files? OR the github ones is that working?
Answer by Dino-at-Google
·
Oct 08 at 04:39 PM
You are following along with this?
What do you mean when you say the following line is "failing"?
String loginModule = (String)properties.get("loginModule");
I think, with the configuration you are showing, the Java callout cannot :fail: at that line. It will return a string ("customclient"), or null. It won't "fail".
Also you said the failure is "No LoginModules configured for customclient"
That is a different symptom. That error or exception won't be generated by the line of code you cited.
Have you configured the login.conf and krb5.conf? Show them.
Where do you have these files?
Give us more details.
We have placed the files under /opt/apigee folder
login.conf
===========
customclient{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab=/opt/apigee/keytabfile.keytab
principal=HTTP/Svc-apigee-kerb
};
===========
krb5.conf
===========
[libdefaults]
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc [realms]
DIR.slb.com = {
kdc = US1190DOM19.dir.slb.com
default_domain = DIR.slb.com
} [domain_realm]
.DIR.slb.com = DIR.slb.com
==============
when we post request from postman to proxy, it is giving the error
JavaCalloutStepDefinition$SecurityWrappedExecution.execute() : Error running java callout
java.lang.RuntimeException: javax.security.auth.login.LoginException: No LoginModules configured for customclient
at main.java.GenerateKerberos.execute(GenerateKerberos.java:63) ~[na:na]
-----
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for customclient
Yes. we are following as per the below link
Double check your java callout properties. Above, you have "login1.conf" but the filename you gave under /opt/apigee was "login.conf" (no 1 at the end).
Hi Javed,
actually I tried with different options, so at that time it was given with login1.conf. but I am referring the correct one only in my java properties. while copying above it might be typo.
I believe the problem is placing these configurations in proper place which I am currently placing /opt/apigee, which is not taking.
Same here, location of the conf & keytab files are probably incorrect...
I also want to raise question on 'where to put the .conf files and keytab'.
/opt/apigee
/opt/
/opt/apigee/messageprocessor location
not working. Please assist?
@Maruti Chand
Hi, can you please help on the subject?
tried placing the files under /opt/apigee and /opt/apigee/messageprocessor.
both didn't worked.
placed both conf and keytab files at different locations and tried
/opt/apigee
/opt/apigee/messageprocessor
/opt/apigee/messageprocessor/conf
Answer by Anil Sagar @ Google
·
Oct 15 at 03:17 AM
@JSurapaneni , @Jared Williams , @Denis Kalitviansky ,
Here is the sample proxy that successfully worked for me !
Hi Anil, in the documentation written that there can be two modes, e.g. I can validate incoming Kerberos ticket against KDC server, and new ticket will be generated to backend from my keystore. My question where I can choose if my proxy requires Kerberos or when my proxy is not protected by Kerberos but my real backend is and I need to authenticate to it as client.
Thanks
@Anil Sagar @ Google, Hi Anil, any assistance please?
Dear community, please help with separation of the modes if possible. We want in some cases to just protect our proxy with Kerberos (without authenticating to backed with kerberos also), and in some cases to authenticate to backend Kerberos protected API while leaving front-end proxy unprotected.
@Anil Sagar @ Google any source code available for this functionality so we can make it?
@Denis Kalitviansky , You can use sample proxy attached above.
Hi @Anil Sagar @ Google, your proxy is doing the two steps both: protect facade with Kerberos and also talk to backend with kerberos... i want to split it... possible? - for example I want to authenticate to BACKEND API's only with kerberos, but my Apigee proxy facade is available without Kerb
@Anil Sagar @ Google
I have followed all guidelines mentioned in your previous comments, my kerberos is only generating ticket when I'm sending UPN same as SPN and it;s not working when i send user email for authenticating. For eg. if SPN is http/MYLDAP.COM and UPN is also http/MYLDAP.COM then ticket is generated , if UPN is something like http/RAHUL@MYLDAP.COM it won't work.
Could you please help
Hi @Anil Sagar @ Google @Dino-at-Google. Have either of you run into Rahul's situation before?
@Jared Williams , Ideally, It should work. I haven't come across similar situation.
