GSS-API Java Gurus
Hi!
Could somebody please clearify for me what's happening here:
java.lang.IllegalArgumentException: Authentication time of ticket cannot be null
at javax.security.auth.kerberos.KerberosTicket.init(KerberosTicket.java:279)
at javax.security.auth.kerberos.KerberosTicket.(KerberosTicket.java:222)
at sun.security.jgss.krb5.Krb5InitCredential.(Krb5InitCredential.java:118)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:198)
at sun.security.jgss.krb5.InitSecContextToken.(InitSecContextToken.java:107)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:584)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
Kerberos token seems to be valid it starts with:
60 82 09 01 06 09 2A 86 48 86 F7 12 01 02 02 01
00 6E 82 08......
With gssapi in c this is supposed to work....
Thanx.
This is what I do with the SPNEGO token before I pass it to acceptSecContext():
byte[] spnegoBytes = new BASE64Decoder().decodeBuffer(authHeader);
byte[] gssbytes = new String(spnegoBytes).substring(66).getBytes();
authHeader is the base64 String following "Negotiate " in the token sent by the browser
Using the MS doc abaout SPNEGO I calculated that the Kerberos body starts at byte 66 and runs to the end of the array. This seems to be accepted by acceptSecContext() or at least parsable but now I'm running into issues with encryption type support:
GSSException occurred Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
Similar Messages
-
GSS API failing with java 1.6 but working with java 1.5 in jboss 3.2.6
18:05:08,210 INFO [STDOUT] GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
18:05:08,210 INFO [STDOUT] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
18:05:08,210 INFO [STDOUT] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
18:05:08,213 INFO [STDOUT] at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
18:05:08,214 INFO [STDOUT] at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
18:05:08,214 INFO [STDOUT] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
18:05:08,214 INFO [STDOUT] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
18:05:08,214 INFO [STDOUT] at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.credentialForService(SSOTokenVerifier.java:324)
18:05:08,214 INFO [STDOUT] at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.initialize(SSOTokenVerifier.java:97)
18:05:08,214 INFO [STDOUT] at com.apple.ist.saci.iphonevpn.servlet.SACIIPhoneStartUpServlet.init(SACIIPhoneStartUpServlet.java:26)
18:05:08,214 INFO [STDOUT] at javax.servlet.GenericServlet.init(GenericServlet.java:256)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1029)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:862)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4013)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.StandardContext.start(StandardContext.java:4357)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:823)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
18:05:08,214 INFO [STDOUT] at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:595)
18:05:08,214 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
18:05:08,214 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
18:05:08,214 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
18:05:08,215 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:597)
18:05:08,215 INFO [STDOUT] at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
18:05:08,215 INFO [STDOUT] at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
18:05:08,215 INFO [STDOUT] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
18:05:08,215 INFO [STDOUT] at org.apache.catalina.core.StandardContext.init(StandardContext.java:5441)
18:05:08,215 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
18:05:08,215 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
18:05:08,215 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
18:05:08,215 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:597)
18:05:08,215 INFO [STDOUT] at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
18:05:08,215 INFO [STDOUT] at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
18:05:08,215 INFO [STDOUT] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
18:05:08,215 INFO [STDOUT] at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeployInternal(TomcatDeployer.java:316)
18:05:08,215 INFO [STDOUT] at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeploy(TomcatDeployer.java:76)
18:05:08,215 INFO [STDOUT] at org.jboss.web.AbstractWebDeployer.start(AbstractWebDeployer.java:320)
18:05:08,215 INFO [STDOUT] at org.jboss.web.WebModule.startModule(WebModule.java:62)
18:05:08,215 INFO [STDOUT] at org.jboss.web.WebModule.startService(WebModule.java:40)
18:05:08,215 INFO [STDOUT] at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
18:05:08,215 INFO [STDOUT] at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
18:05:08,215 INFO [STDOUT] at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
18:05:08,215 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
18:05:08,215 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:597)
18:05:08,216 INFO [STDOUT] at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
18:05:08,216 INFO [STDOUT] at org.jboss.mx.server.Invocation.dispatch(Invocation.java:62)
18:05:08,216 INFO [STDOUT] at org.jboss.mx.server.Invocation.dispatch(Invocation.java:54)
18:05:08,216 INFO [STDOUT] at org.jboss.mx.server.Invocation.invoke(Invocation.java:82)
18:05:08,216 INFO [STDOUT] at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:197)
18:05:08,216 INFO [STDOUT] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
18:05:08,216 INFO [STDOUT] at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:884)
18:05:08,216 INFO [STDOUT] at $Proxy20.start(Unknown Source)
18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(UsernamePasswordLoginModule.java:216)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:131)
at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:124)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)It seems you are providing username using a TextCallbackHandler (which is default for GSS-API). This is OK if you are writing a console program and the user can input the name in a command line prompt. If you are writing a server side program, there is no console, you need to write your own CallbackHandler to provide username. -
Change password in Active Directory using the JNDI GSS-API/Kerberos
Hi
I am trying to the JNDI GSS-API to change a user password.
When I actually try to change the password using ctx.modifyAttributes(userName, mods), I get the exception:
09:39:38,163 ERROR [STDERR] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'CN=USER,OU=Usuarios,DC=testead,DC=br'
Here's my java code:
public class ChangePasswordLDAPCommand implements Command {
static Logger logger = Logger.getLogger(ChangePasswordLDAPCommand.class.getName());
@SuppressWarnings("unchecked")
public boolean execute(org.apache.commons.chain.Context context) throws ApplicationException {
logger.info("Início - execute");
try {
CoreConfig config = CoreConfig.getInstance();
String userName = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME);
char[] password = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD).toCharArray();
Subject subject = new Subject();
Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
Map<String, String> map = new HashMap<String, String>();
Map<String, String> shared = new HashMap<String, String>();
map.put("com.sun.security.auth.module.Krb5LoginModule","required");
map.put("client","true");
map.put("useTicketCache","true");
map.put("doNotPrompt","true");
map.put("useKeyTab","true");
map.put("useFirstPass","true");
map.put("refreshKrb5Config","true");
logger.info(">>>>> map.toString(): "+map.toString());
shared.put("javax.security.auth.login.name", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
shared.put("javax.security.auth.login.password", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
shared.put("javax.net.debug","SSL,handshake,trustmanager");
shared.put("sun.security.krb5.debug","true");
shared.put("com.sun.jndi.ldap.connect.pool.timeout","30000");
logger.info(">>>>> shared.toString(): "+shared.toString());
krb5LoginModule.initialize(subject, new UserNamePasswordCallbackHandler(userName,password),shared,map);
krb5LoginModule.login();
if(krb5LoginModule.commit()){
//Recupera o usuario a ser alterado
UsuarioTOLDAP usuarioTO = (UsuarioTOLDAP) context.get(CoreConfig.USUARIO_TO_LDAP);
logger.info(">>>>>>>>>>>>>>>>>>>>>> subject.toString(): "+subject.toString());
Subject.doAsPrivileged(subject, new JndiAction(usuarioTO), null);
} catch (LoginException e) {
e.printStackTrace();
} catch (PrivilegedActionException e) {
e.printStackTrace();
logger.info("Fim - execute");
return Command.CONTINUE_PROCESSING;
@SuppressWarnings("unchecked")
public class JndiAction implements java.security.PrivilegedExceptionAction{
private static Logger logger = Logger.getLogger(JndiAction.class.getName());
private UsuarioTOLDAP usuarioTOLDAP = null;
public JndiAction(UsuarioTOLDAP usuarioTO) {
this.usuarioTOLDAP = usuarioTO;
public Object run() {
performJndiOperation(usuarioTOLDAP);
return null;
@SuppressWarnings("unchecked")
private static void performJndiOperation(UsuarioTOLDAP usuarioTOLDAP){
logger.info(">>>>> entrei na JndiOperation");
try {
CoreConfig config = CoreConfig.getInstance();
String distinguishedName = "";
String keystore = "C:/Documents and Settings/user/.keystore";
System.setProperty(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
System.setProperty("com.sun.jndi.ldap.connect.pool.timeout","30000");
System.setProperty("javax.net.debug","all");
System.setProperty("sun.security.krb5.debug","true");
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, CoreConfig.INITIAL_CONTEXT_FACTORY);
env.put(Context.PROVIDER_URL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_URL));
env.put(Context.SECURITY_AUTHENTICATION, CoreConfig.SECURITY_PROTOCOL_GSSAPI);
env.put(Context.SECURITY_PRINCIPAL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
env.put(Context.SECURITY_CREDENTIALS, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
env.put(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
env.put("javax.security.sasl.qop","auth-int");
env.put("javax.security.sasl.strength","high");
env.put("javax.security.sasl.server.authentication","true");
String userName = "CN=USER,"+config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_BASE_DN);
// Cria o contexto inicial de acesso ao LDAP
//DirContext ctx = new InitialDirContext(env);
// Create the initial directory context
LdapContext ctx = new InitialLdapContext(env,null);
//set password is a ldap modfy operation
ModificationItem[] mods = new ModificationItem[1];
//Replace the "unicdodePwd" attribute with a new value
//Password must be both Unicode and a quoted string
String newQuotedPassword = "\"" + usuarioTOLDAP.getNovaSenha() + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
// Perform the update
ctx.modifyAttributes(userName, mods);
ctx.close();
} catch (NamingException e1) {
e1.printStackTrace();
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}Edited by: c0m4nch3 on Jan 21, 2010 12:13 PMRefer to my response for a similar question in http://forums.sun.com/thread.jspa?threadID=5416736
Also the following may be related: http://forums.sun.com/thread.jspa?threadID=5196192
Good luck. -
Changing user password in Active Directory using the JNDI GSS-API/Kerberos5
Hello,
I am trying to the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread [*http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0*|http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0]
but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
*javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0*
*If anyone can help me figure out why it doesn't work, that would be great!*
P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
Here's my java code:
{code}import javax.naming.*;
import javax.security.auth.*;
import java.security.PrivilegedAction;
import java.io.UnsupportedEncodingException;
public void changeSecret((String uid, String oldPassword, String newPassword)
throws NamingException, ACException{
try {
K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
LoginContext lc = new LoginContext("marker", cb);
lc.login();
Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
catch(LoginException e) {
try {
lc.logout();
catch(LoginException e) {
}ChangePasswordAction.java is:import javax.naming.*;
import javax.naming.naming.directory.*;
import java.io.UnsupportedEncodingException;
private class ChangePasswordAction implements PrivilegedAction {
private String uid;
private String quotedOldPassword;
private String quotedNewPassword;
public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
this.uid = uid;
quotedOldPassword = "\"" + oldPassword + "\"";
quotedNewPassword = "\"" + newPassword + "\"";
public Object run() {
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
try {
DirContext ctx = new InitialDirContext(env);
ModificationItem[] mods = new ModificationItem[2];
byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
ctx.modifyAttributes(uid, mods);
ctx.close();
} catch (NamingException e) {
} catch (UnsupportedEncodingException e) {
return null;
}K5CallbackHandler is:import javax.security.auth.callback.*;
final class K5CallbackHandler
implements CallbackHandler {
private final String name;
private final char[] passwd;
public K5CallbackHandler(String nm, String pw) {
name = nm;
if(pw == null) {
passwd = new char[0];
else {
passwd = pw.toCharArray();
public void handle(Callback[] callbacks)
throws java.io.IOException, UnsupportedCallbackException {
for(int i = 0; i < callbacks.length; i++) {
if(callbacks[i] instanceof NameCallback) {
NameCallback cb = (NameCallback) callbacks;
cb.setName(name);
else {
if(callbacks[i] instanceof PasswordCallback) {
PasswordCallback cb = (PasswordCallback) callbacks[i];
cb.setPassword(passwd);
else {
throw new UnsupportedCallbackException(callbacks[i]);
}The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
marker {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE;This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably string key length.
Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding //Specify the quality of protection
//Eg. auth-conf; confidentiality, auth-int; integrity
//confidentiality is required to set a password
env.put("javax.security.sasl.qop","auth-conf");
//require high strength 128 bit crypto
env.put("javax.security.sasl.strength","high"); in your ChangePasswordAction class.
You may also want to enable sasl logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check both RC4-HMAC or AES is used as the Kerbeos cipher suite and that a string key length is being used.
Good luck. -
How to use Kerberos & GSS-API to authenticate in Windows OS
Hi,
I need to use Kerberos and GSS-API authentication for user loing in my JSP/Java application against Active Directory in Windows 2003 Server.
I have goen through one thread which is quite similar to my need, but it's used for Linux host, which u can see below.
http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
Anyone can guide me that how to authenticate user using Kerberos again Active Directory for Windows Environment ?
Thanking you in Advance.
Satyam AMINYou can use Java GSS/Kerberos for authentication using any KDC (Solaris/Linux/Windows) provided you have setup the configuration.
Here are the Java GSS tutorials to get started:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
Seema -
Error: Unable to load the GSS-API Shared Library
Hi all,
I'm trying to install a working copy of SAP on a Debian Etch host. I've tried all versions available here: ftp://ftp.sap.com/pub/sapgui/java/ (710 r[2-6]) The jar installer completes successfully without error, but when I attempt to launch the application, I'm greeted with the same critical error each time. Here's my connection string:
conn=/M/my-server-hostname/S/3610/G/PRD_GENERIC&sncon=true&sncqop=3
Here's my (Sun) java version:
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Server VM (build 10.0-b22, mixed mode)
Here's the full error message:
Error: Unable to load the GSS-API Shared Library
named "sncgss.so"
Fri Nov 21 16:07:25 2008
Release 710
Component SNC (Secure Network Communication), version 5
rc = -1, module sncxxdl_mt.c, line 342
Detail SncPDLInit
System Call dlopen
Is there a software dependency I might be missing? This is my first attempt at installing SAP on a Linux host, so there may be something else even more obvious that I'm not seeing...
Thanks in advance for any help you can provide.
-EricHi,
one solution should be to set the env variable $SNC_LIB to you libseude.so, e.g.
$>setenv SNC_LIB /usr/sap/<sid>/SYS/exe/run/libsecude.o (or wherever the lib resides)
and then restart guilogon.
Also, as fas as I know, SAPGUI has issues with Java 6, so I would rather go with Java 5 or 1.4.2.
Oliver Stabel -
GSS-API/Kerberos v5 Authentication - Example throws strange exception
Hi There,
When II'm trying to run the GSS-API example I get this exception:
java.lang.SecurityException: D:\Program Files\jdk1.2.2\jre\lib\security\HBJAASLogin.config (The system cannot find the file specified)
I know that the exception is thrown because it cannot find the file: HBJAASLogin.config
The strangest thing is that I don't have that file, if I search for it on the NET it isn't found anywhere ?!?
And on the code there's no mention of the file ???
Why does it need the file?
Thank You
Pinhohi,
i am very sorry to disturb you..
already i sent this problem to [email protected]
but i not able to see my mail in users archives.
so i am forwarding this.
i don't know how to forward this to forum
please help me
Thanks and Regards
kumar
-----Original Message-----
From: kumar [mailto:[email protected]]
Sent: Wednesday, April 10, 2002 6:17 PM
To: [email protected]
Subject: Compilation error :: please help me.. it is urgent
hi ,
I downloaded following version of openssl and during compilation, i got the following error.
openssl-engine-0.9.6c.
i got the same result with version openssl-0.9.6 also
Step : Compile OpenSSL
C:\kumar\openssl-engine-0.9.6c.tar\openssl-engine-0.9.6c> ms\mingw32
C:\kumar\openssl-engine-0.9.6c.tar\openssl-engine-0.9.6c>perl Configure Mingw32
Configuring for Mingw32
IsWindows=1
CC =gcc
CFLAG =-DTHREADS -DDSO_WIN32 -DL_ENDIAN -fomit-frame-pointer -O3 -m486
-Wall
EX_LIBS =
BN_ASM =bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
BF_ENC =bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB =true
PERL =perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Configured for Mingw32.
Generating x86 for GNU assember
Bignum
DES
crypt
Blowfish
CAST5
RC4
MD5
SHA1
RIPEMD160
RC5\32
Generating makefile
Generating DLL definition files
Building OpenSSL
mkdir tmp
mkdir out
mkdir outinc
mkdir outinc\openssl
copy .\crypto\cryptlib.h tmp\cryptlib.h
1 file(s) copied.
copy .\crypto\buildinf.h tmp\buildinf.h
1 file(s) copied.
copy .\crypto\md32_common.h tmp\md32_common.h
1 file(s) copied.
copy .\crypto\md4\md4_locl.h tmp\md4_locl.h
1 file(s) copied.
copy .\crypto\md5\md5_locl.h tmp\md5_locl.h
1 file(s) copied.
copy .\crypto\sha\sha_locl.h tmp\sha_locl.h
1 file(s) copied.
copy .\crypto\ripemd\rmd_locl.h tmp\rmd_locl.h
1 file(s) copied.
copy .\crypto\ripemd\rmdconst.h tmp\rmdconst.h
1 file(s) copied.
copy .\crypto\des\des_locl.h tmp\des_locl.h
1 file(s) copied.
copy .\crypto\des\rpc_des.h tmp\rpc_des.h
1 file(s) copied.
copy .\crypto\des\spr.h tmp\spr.h
1 file(s) copied.
copy .\crypto\des\des_ver.h tmp\des_ver.h
1 file(s) copied.
copy .\crypto\rc2\rc2_locl.h tmp\rc2_locl.h
1 file(s) copied.
copy .\crypto\rc4\rc4_locl.h tmp\rc4_locl.h
1 file(s) copied.
copy .\crypto\rc5\rc5_locl.h tmp\rc5_locl.h
1 file(s) copied.
copy .\crypto\idea\idea_lcl.h tmp\idea_lcl.h
1 file(s) copied.
copy .\crypto\bf\bf_pi.h tmp\bf_pi.h
1 file(s) copied.
copy .\crypto\bf\bf_locl.h tmp\bf_locl.h
1 file(s) copied.
copy .\crypto\cast\cast_s.h tmp\cast_s.h
1 file(s) copied.
copy .\crypto\cast\cast_lcl.h tmp\cast_lcl.h
1 file(s) copied.
copy .\crypto\bn\bn_lcl.h tmp\bn_lcl.h
1 file(s) copied.
copy .\crypto\bn\bn_prime.h tmp\bn_prime.h
1 file(s) copied.
copy .\crypto\bio\bss_file.c tmp\bss_file.c
1 file(s) copied.
copy .\crypto\objects\obj_dat.h tmp\obj_dat.h
1 file(s) copied.
copy .\crypto\conf\conf_def.h tmp\conf_def.h
1 file(s) copied.
copy .\ssl\ssl_locl.h tmp\ssl_locl.h
1 file(s) copied.
copy .\apps\apps.h tmp\apps.h
1 file(s) copied.
copy .\apps\progs.h tmp\progs.h
1 file(s) copied.
copy .\apps\s_apps.h tmp\s_apps.h
1 file(s) copied.
copy .\apps\testdsa.h tmp\testdsa.h
1 file(s) copied.
copy .\apps\testrsa.h tmp\testrsa.h
1 file(s) copied.
copy .\.\e_os.h outinc\openssl\e_os.h
1 file(s) copied.
copy .\.\e_os2.h outinc\openssl\e_os2.h
1 file(s) copied.
copy .\crypto\crypto.h outinc\openssl\crypto.h
1 file(s) copied.
copy .\crypto\tmdiff.h outinc\openssl\tmdiff.h
1 file(s) copied.
copy .\crypto\opensslv.h outinc\openssl\opensslv.h
1 file(s) copied.
copy .\crypto\opensslconf.h outinc\openssl\opensslconf.h
1 file(s) copied.
copy .\crypto\ebcdic.h outinc\openssl\ebcdic.h
1 file(s) copied.
copy .\crypto\symhacks.h outinc\openssl\symhacks.h
1 file(s) copied.
copy .\crypto\md2\md2.h outinc\openssl\md2.h
1 file(s) copied.
copy .\crypto\md4\md4.h outinc\openssl\md4.h
1 file(s) copied.
copy .\crypto\md5\md5.h outinc\openssl\md5.h
1 file(s) copied.
copy .\crypto\sha\sha.h outinc\openssl\sha.h
1 file(s) copied.
copy .\crypto\mdc2\mdc2.h outinc\openssl\mdc2.h
1 file(s) copied.
copy .\crypto\hmac\hmac.h outinc\openssl\hmac.h
1 file(s) copied.
copy .\crypto\ripemd\ripemd.h outinc\openssl\ripemd.h
1 file(s) copied.
copy .\crypto\des\des.h outinc\openssl\des.h
1 file(s) copied.
copy .\crypto\rc2\rc2.h outinc\openssl\rc2.h
1 file(s) copied.
copy .\crypto\rc4\rc4.h outinc\openssl\rc4.h
1 file(s) copied.
copy .\crypto\rc5\rc5.h outinc\openssl\rc5.h
1 file(s) copied.
copy .\crypto\idea\idea.h outinc\openssl\idea.h
1 file(s) copied.
copy .\crypto\bf\blowfish.h outinc\openssl\blowfish.h
1 file(s) copied.
copy .\crypto\cast\cast.h outinc\openssl\cast.h
1 file(s) copied.
copy .\crypto\bn\bn.h outinc\openssl\bn.h
1 file(s) copied.
copy .\crypto\rsa\rsa.h outinc\openssl\rsa.h
1 file(s) copied.
copy .\crypto\dsa\dsa.h outinc\openssl\dsa.h
1 file(s) copied.
copy .\crypto\dso\dso.h outinc\openssl\dso.h
1 file(s) copied.
copy .\crypto\dh\dh.h outinc\openssl\dh.h
1 file(s) copied.
copy .\crypto\buffer\buffer.h outinc\openssl\buffer.h
1 file(s) copied.
copy .\crypto\bio\bio.h outinc\openssl\bio.h
1 file(s) copied.
copy .\crypto\stack\stack.h outinc\openssl\stack.h
1 file(s) copied.
copy .\crypto\stack\safestack.h outinc\openssl\safestack.h
1 file(s) copied.
copy .\crypto\lhash\lhash.h outinc\openssl\lhash.h
1 file(s) copied.
copy .\crypto\rand\rand.h outinc\openssl\rand.h
1 file(s) copied.
copy .\crypto\err\err.h outinc\openssl\err.h
1 file(s) copied.
copy .\crypto\objects\objects.h outinc\openssl\objects.h
1 file(s) copied.
copy .\crypto\objects\obj_mac.h outinc\openssl\obj_mac.h
1 file(s) copied.
copy .\crypto\evp\evp.h outinc\openssl\evp.h
1 file(s) copied.
copy .\crypto\asn1\asn1.h outinc\openssl\asn1.h
1 file(s) copied.
copy .\crypto\asn1\asn1_mac.h outinc\openssl\asn1_mac.h
1 file(s) copied.
copy .\crypto\pem\pem.h outinc\openssl\pem.h
1 file(s) copied.
copy .\crypto\pem\pem2.h outinc\openssl\pem2.h
1 file(s) copied.
copy .\crypto\x509\x509.h outinc\openssl\x509.h
1 file(s) copied.
copy .\crypto\x509\x509_vfy.h outinc\openssl\x509_vfy.h
1 file(s) copied.
copy .\crypto\x509v3\x509v3.h outinc\openssl\x509v3.h
1 file(s) copied.
copy .\crypto\conf\conf.h outinc\openssl\conf.h
1 file(s) copied.
copy .\crypto\conf\conf_api.h outinc\openssl\conf_api.h
1 file(s) copied.
copy .\crypto\txt_db\txt_db.h outinc\openssl\txt_db.h
1 file(s) copied.
copy .\crypto\pkcs7\pkcs7.h outinc\openssl\pkcs7.h
1 file(s) copied.
copy .\crypto\pkcs12\pkcs12.h outinc\openssl\pkcs12.h
1 file(s) copied.
copy .\crypto\comp\comp.h outinc\openssl\comp.h
1 file(s) copied.
copy .\crypto\engine\engine.h outinc\openssl\engine.h
1 file(s) copied.
copy .\ssl\ssl.h outinc\openssl\ssl.h
1 file(s) copied.
copy .\ssl\ssl2.h outinc\openssl\ssl2.h
1 file(s) copied.
copy .\ssl\ssl3.h outinc\openssl\ssl3.h
1 file(s) copied.
copy .\ssl\ssl23.h outinc\openssl\ssl23.h
1 file(s) copied.
copy .\ssl\tls1.h outinc\openssl\tls1.h
1 file(s) copied.
copy .\rsaref\rsaref.h outinc\openssl\rsaref.h
1 file(s) copied.
gcc -o tmp\cryptlib.o -Ioutinc -Itmp -O3 -fomit-frame-pointer -DDSO_WIN32 -c .
\crypto\cryptlib.c
process_begin: CreateProcess((null), gcc -o tmp\cryptlib.o -Ioutinc -Itmp -O3 -f
omit-frame-pointer -DDSO_WIN32 -c .\crypto\cryptlib.c, ...) failed.
make (e=2): The system cannot find the file specified.
make: *** [tmp\cryptlib.o] Error 2
You can ignore the error messages above
1 file(s) copied.
Building the libraries
Building OpenSSL
gcc -o tmp/cryptlib.o -Ioutinc -Itmp -DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointe
r -O3 -m486 -Wall -DBN_ASM -DMD5_ASM -DSHA1_ASM -c ./crypto/cryptlib.c
process_begin: CreateProcess((null), gcc -o tmp/cryptlib.o -Ioutinc -Itmp -DL_EN
DIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall -DBN_ASM -DMD5_ASM -DSHA1_
ASM -c ./crypto/cryptlib.c, ...) failed.
make (e=2): The system cannot find the file specified.
make: *** [tmp/cryptlib.o] Error 2
C:\kumar\openssl-engine-0.9.6c.tar\openssl-engine-0.9.6c>
Note :
As per readme instruction,
i am using following
1. GNU C (Mingw32) :
gcc-2.95.2-msvcrt.exe
make-3.76.1.zip
2. ActivePerl-5.6.1.631-MSWin32-x86.msi
what is the work around? is there any mistake from my side?
please help me.. it is urgent
Thanks and Regards
kumar -
Anybody had any luck connecting to an AD Server via CFLDAP when it only appears to allow authentication using GSS-API?
I'm having almost the same problem.
I'm authenticating users against MS Active Directory: the Kerberos stuff works fine, but when I try to execute the LDAP query I get the following exception:
javax.naming.AuthenticationException: SASL authentication failed [Root exception is java.lang.IllegalAccessError: tried to access class sun.security.krb5.KrbKdcReq from class sun.security.krb5.internal.az]
at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:411)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
This error occurs only for a few users, while for others the code works perfectly.
I've tried using both Sun's JDK (1.4.2_08) and BEA JRockit with the same result.
Thanks in advance
Alberto -
GSS-API How to get the client-to-service ticket
In Kerberos when requesting services, the client sends the following two messages to the TGS: A composed message of the Ticket-Granting Ticket and the ID of the requested serviceand authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
Then upon receiving these messages the TGS sends the followings to the client:
A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
B: Client/server session key encrypted with the client/TGS session key.
Now I'm wondering how to obtain A and B throught the kerberos login in GSS-API . I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in PrivateCredentialsSet for the Subject. A sessionKey can also be obtained form this KerberosTicket ! Which session key is this ? the session key B described above? and Where to get the Client-to-server ticket (A) described above ?
Thanks for any help !
Alex
lc = new LoginContext("login-client", new TextCallbackHandler());
lc.login();
mysubject = lc.getSubject();
java.util.Set principals = lc.getSubject().getPrincipals();
java.util.Iterator iterador = principals.iterator();
if (iterador.hasNext()){
KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
clientName =principal.getName();
PrivilegedAction generateServiceTicket = new ClientAction(clientName,"[email protected]");
Subject.doAs(mysubject, generateServiceTicket);
Set prvCredentials = lc.getSubject().getPrivateCredentials();
for (Iterator i = prvCredentials.iterator(); i.hasNext(); j++) {
KerberosTicket ticket = (KerberosTicket) i.next();
prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
public Object run() {
try{
GSSManager manager = GSSManager.getInstance();
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
GSSName userName = manager.createName(pn,GSSName.NT_USER_NAME);
GSSCredential cred = manager.createCredential(usr,
GSSCredential.DEFAULT_LIFETIME,
krb5Mechanism,
GSSCredential.INITIATE_ONLY);
GSSName peerName = manager.createName(servicename,
GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
GSSContext.DEFAULT_LIFETIME);
setContext.requestInteg(false);
setContext.requestConf(false);
byte[] inputBuf = new byte[0];
byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
}catch(GSSException gsse){
gsse.printStackTrace();
}In Kerberos when requesting services, the client sends the following two messages to the TGS: A composed message of the Ticket-Granting Ticket and the ID of the requested serviceand authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
Then upon receiving these messages the TGS sends the followings to the client:
A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
B: Client/server session key encrypted with the client/TGS session key.
Now I'm wondering how to obtain A and B throught the kerberos login in GSS-API . I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in PrivateCredentialsSet for the Subject. A sessionKey can also be obtained form this KerberosTicket ! Which session key is this ? the session key B described above? and Where to get the Client-to-server ticket (A) described above ?
Thanks for any help !
Alex
lc = new LoginContext("login-client", new TextCallbackHandler());
lc.login();
mysubject = lc.getSubject();
java.util.Set principals = lc.getSubject().getPrincipals();
java.util.Iterator iterador = principals.iterator();
if (iterador.hasNext()){
KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
clientName =principal.getName();
PrivilegedAction generateServiceTicket = new ClientAction(clientName,"[email protected]");
Subject.doAs(mysubject, generateServiceTicket);
Set prvCredentials = lc.getSubject().getPrivateCredentials();
for (Iterator i = prvCredentials.iterator(); i.hasNext(); j++) {
KerberosTicket ticket = (KerberosTicket) i.next();
prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
public Object run() {
try{
GSSManager manager = GSSManager.getInstance();
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
GSSName userName = manager.createName(pn,GSSName.NT_USER_NAME);
GSSCredential cred = manager.createCredential(usr,
GSSCredential.DEFAULT_LIFETIME,
krb5Mechanism,
GSSCredential.INITIATE_ONLY);
GSSName peerName = manager.createName(servicename,
GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
GSSContext.DEFAULT_LIFETIME);
setContext.requestInteg(false);
setContext.requestConf(false);
byte[] inputBuf = new byte[0];
byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
}catch(GSSException gsse){
gsse.printStackTrace();
} -
JAAS and GSS-API Tutorial Question
I am running the JAAS and GSS-API tutorial from http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/BasicClientServer.html. I am running in a Windows 2000 Active Directory environment. It appears to be running correctly, but I have a question. Every time it is run, it asks for the User ID (it supplies a default of my current login name) and then a password. The server also asks for the same information. I am running the client and server on the same machine, so the user ID and password entered for both are identical.
I was under the impression, however, that either GSS-API or JAAS using Kerberos would be able to obtain credentials without asking for the user ID and password, because I am already logged on. Is there something I need to change in the example do this? I am missing something else?
Thank you.
CraigPlease do not reply to this posting. If you have suggestions or questions, please use http://forum.java.sun.com/thread.jsp?forum=60&thread=383862&tstart=0&trange=30 on this same topic.
-
ABAP APIs / Java APIs (MDM Extraction)
Hi All,
If I have to extract data out of MDM Repository without using the MDM Syndication functionality, How can I do that?
I know there is something called ABAP APIs / Java APIs. Can this ABAP/Java APIs be used to extract data out of MDM Repositories?
If yes, where exactly are these ABAP/Java programs written? In MDM server? Or Portal server?
Thanks,You can actually do that with the help of API.
for similar issue follow below threads.
Data syndication using MDM Java API
Retrieve Data using Java API
Hope this help
thx
Deep -
Hanging of Java API (java.io.File/java.nio)
Hi
I am facing the following problem on one of my machine , we have NFS partition mounted on the server and our application is writing on it using JAVA java.io.File/java.nio api. But when NFS is unavailable its hangs and also causes the hanging of our server. Please help me if some one already faced this problem.
NFS file system un-reachable the Java API (java.io.File/java.nio) will stuck and see if there is any solution
Thanks in advance.
KaiserThere do not believe there is any published API for reading rules files (including the Java API, C API and VB APIs).Tim TowApplied OLAP, Inc
-
GSS API library required to set up a Secure Network Connection (SNC)
We are working in a project to connect Microsoft ILM to SAP CUA. The goal is to manage Identities in
SAP CUA by Microsoft ILM.
The requirement is to make use of an encrypted network connection between the two systems.
Due to our investigation it looks like that we need to use a SNC (Secure Network Connection).
To set up a SNC we need a third party GSS API library. Before we can order this GSS API library we need to
test this in a test environment.
Our question if there is a possibility that we can use a trial version of a GSS API library, to set up a test environment?
Is there another way to setup a SNC in a test environment?
We are looking for a GSS API Library?
If you need more information please contact me.Hi AndrZegers ,
This is Supply Network collaboration (SNC) forum and your query looks like more of security.
You can post your query in security forum.
Security
Regards,
Nikhil -
From Where i can get DI-API Java Connector ?
Hi,
Can any one tell me path to install DI-API Java Connector.
Thanks ,Hi,
If you load the DI-API, the JCO will be installed also
Regards
Ad -
Hello,
Je recherche des exemples d'utilisation de l'API Java avec SAP Business One. En effet, les exemples fournis en VB.Net fonctionne correcteement, par contre, je n'arrive pas à effectuer une connexion en Java.
Help me please !
A+Hello Laurent,
here's a bit of source code that should work; I hope it helps!
Sorry, but it would take too long to reply in French
Frank
private ICompany m_cmp;
int rc = 0;
try
// initializing the company object
m_cmp = SBOCOMUtil.newCompany();
m_cmp.setUseTrusted(false);// just as a sample
m_cmp.setLanguage(SBOCOMConstants.BoSuppLangs_ln_English);
m_cmp.setUserName("manager");
m_cmp.setPassword("manager");
m_cmp.setDBUserName("sa");
m_cmp.setDBPassword("");
m_cmp.setCompanyDB("SBODemo_US");
m_cmp.setServer("(local)");
rc = m_cmp.connect();
if(rc == 0)
else
Maybe you are looking for
-
How do I get more than 99 images????
I have iDVD v2.1. I have a Mac OS X 10.2.8. I want to update my iDVD, but how can I do that? I want to have more than 99 images in a slide show, but I think I need to update it. The only update I found for 10.2.8 Macs is the iDVD 3.0.1 update, which
-
Handling Recurring Journal Entries in BPC 7.0NW
Hi all, I'm looking for suggestions on handling the posting of Recurring Journal entries in a Legal Consolidation. I'm new to BPC, and am afraid I don't know the "best" way to do this. Currently, we are assuming that we would "copy" the previous mo
-
Tiler Desktop Environment with support for iconified files and dirs
I like to put a lot of my temporary files and directories I am working with on the desktop as icons so I can easily start them by the click of a button. However in gnome I am always manually tiling my windows. Is there any tiler with icon support? Or
-
how do you save a wifi password so you don't have to put the password in everytime to connect?
-
Hi, while performing currency conversion I am facing the following issue SPRunConversion Version 7.5.106 ERROR FX-300 Timeid=10000005 - Nothing Extract from Fact - CLCFXTRANS Any Suggesions..