Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

GSSException: [..] Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled

Tags:

java

aes

kerberos

After setting our domain users to support AES encryption for Kerberos tokens (Windows Server 2008R2), on a web-application server side we get the following exception:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)

Strangely we have Java 6 (1.6.0_27) , which means that AES should be supported, according to this document: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

Any ideas what's missing in our web-application or Java, or third parties? We are using Spring security Kerberos extension (with minimal code modifications to fit into our current Spring 2.x version and additional authentication requirements).

like image 555
Art Licis Avatar asked Oct 18 '12 13:10

Art Licis


1 Answers

EDIT (2017-05-06): upcoming JDK versions will have this included. Only a config parameter needs to be set, see JDK-8157561.

Follow this link - Java SE Downloads, scroll down and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your specific JDK version and follow the process in this tutorial titled: 5.4.2. Kerberos and Unlimited Strength Policy.

The basic steps are as follows:

  1. locate your JDK's security directory (showing Unix below):

    $ locate 'jre/lib/security' | grep 'lib/security$'
    /usr/java/jdk1.7.0_17/jre/lib/security
    /usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security
    /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/security
    
  2. Noting the above, we need to add the downloaded JCE .jar files to /usr/java/jdk1.7.0_17/jre/lib/security.

  3. The JCE .zip file includes the following (showing JDK 1.7's JCE):

    $ ls -l UnlimitedJCEPolicy
    total 16
    -rw-rw-r-- 1 root root 2500 May 31  2011 local_policy.jar
    -rw-r--r-- 1 root root 7289 May 31  2011 README.txt
    -rw-rw-r-- 1 root root 2487 May 31  2011 US_export_policy.jar
    
  4. These are the bundled versions with the JDK (again 1.7):

    $ ls -l /usr/java/jdk1.7.0_17/jre/lib/security/*.jar
    -rw-r--r--. 1 root root 2865 Mar  1  2013 /usr/java/jdk1.7.0_17/jre/lib/security/local_policy.jar
    -rw-r--r--. 1 root root 2397 Mar  1  2013 /usr/java/jdk1.7.0_17/jre/lib/security/US_export_policy.jar
    
  5. We need to move these out of the way and replace them with the included versions in the JCE .zip file. I typically do the following:

    $ pushd /usr/java/jdk1.7.0_17/jre/lib/security/
    /usr/java/jdk1.7.0_17/jre/lib/security ~
    
    $ mkdir limited
    $ mv *.jar limited/
    
    $ cp ~/UnlimitedJCEPolicy/*.jar .
    $ ls -l *.jar
    -rw-r--r-- 1 root root 2500 Jun 25 12:50 local_policy.jar
    -rw-r--r-- 1 root root 2487 Jun 25 12:50 US_export_policy.jar
    
  6. Restart anything that's making use of JDK (Tomcat, etc.).

like image 195
Michael-O Avatar answered Sep 30 '22 19:09

Michael-O