Menu
I am very much new to the MOngoDB + Java Configuration. I am trying to achive the connection from remote mongodb server from Java application. I want to use GSSAPI mechanism for connection with mongotemplate. Below code has been executing successfully. Below code is from my configuration file.
List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
ServerAddress address = new ServerAddress(host, port);
serverAddresses.add(address);
List<MongoCredential> credentials = new ArrayList<MongoCredential>();
MongoCredential credential = MongoCredential.createGSSAPICredential(userName);
credential.withMechanismProperty("SERVICE_NAME", gssapiServiceName);
credential.withMechanismProperty("CANONICALIZE_HOST_NAME", true);
credentials.add(credential);
return new MongoClient(serverAddresses, credentials);
But when I am trying execute below code I am getting exception
DB db = mongoTemplate.getDb();
Set<String> dbCollections1 = db.getCollectionNames();
Exception:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193) at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427) at sun.security.jgss.GSSCredentialImpl.(GSSCredentialImpl.java:62) at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154) at com.mongodb.DBPort$GSSAPIAuthenticator.getGSSCredential(DBPort.java:622) at com.mongodb.DBPort$GSSAPIAuthenticator.createSaslClient(DBPort.java:593) at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:895) at com.mongodb.DBPort.authenticate(DBPort.java:432) at com.mongodb.DBPort.checkAuth(DBPort.java:443) at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:289) at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:269) at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:84) at com.mongodb.DB.command(DB.java:320) at com.mongodb.DB.command(DB.java:299) at com.mongodb.DB.command(DB.java:388) at com.mongodb.DBApiLayer.getCollectionNames(DBApiLayer.java:152)
939
Million thanks to all who have responded and take a look to my question.
After adding some System Properties and a new conf file, Finally I am able to get connected with MongoDB server. Herewith the updated code -
try {
System.setProperty("java.security.krb5.conf","C:/mongodb/UnixKeytab/krb5.conf");
System.setProperty("java.security.krb5.realm","EXAMPLE.COM");
System.setProperty("java.security.krb5.kdc","example.com");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
System.setProperty("java.security.auth.login.config","C:/mongodb/UnixKeytab/gss-jaas.conf");
List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
ServerAddress address = new ServerAddress(host, port);
serverAddresses.add(address);
List<MongoCredential> credentials = new ArrayList<MongoCredential>();
MongoCredential credential = MongoCredential.createGSSAPICredential(username);
credentials.add(credential);
MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);
DB db = mongoClient1.getDB(database);
} catch (UnknownHostException e) {
e.printStackTrace();
}
My krb5.conf file look like below -
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac
default_keytab_name = <keytab file path>
[realms]
EXAMPLE.COM = {
kdc = example.com
master_kdc = example.com
default_domain = EXAMPLE.COM
}
INTRANET = {
kdc = example.com
master_kdc = example.com
default_domain = example.com
}
My gss-jaas.conf look like below -
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
principal="my-account@MY_REALM"
doNotPrompt=true
keyTab="path-to-my-keytab-file"
debug=true;};
Code I have posted is working for me. Hope this will work for others.
110
Adding some information to this post as its extremely useful already.
If the Sasl/createSaslClient is not run within the Subject:doAs method
that is retrieved from the LoginContext, the credentials will not be picked up from the krb5.conf file. I.e the GSS code looks at the current thread's security manager for the Subject which is registered via the Subject:doAs method, and then uses the credentials from this subject. This Subject should've been obtained via jaas which in turn would read the correct jaas and krb5.conf credentials, but if you do not run the sasl and saslclient methods inside the Subject:doAs method all this doesn't matter.
You can get around it by setting javax.security.auth.useSubjectCredsOnly=false which means if no credentials can be found, some default names in the jaas file will be searched for see LoginConfigImpl.java#92, one is com.sun.security.jgss.initiate.
e.g
com.sun.security.jgss.initiate{
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
useKeyTab=true
keyTab="mykeytab"
principal="service/host@REALM";
};
I faced the same error "Mechanism level: Failed to find any Kerberos tgt". My problem looks different from yours, but it could be useful to other ones with the same error.
In my case it was caused by an error in writing the principal name in one of my configuration files.
I suggest to check the Jaas LoginManager configuration file (provided with java.security.auth.login.config) and policy files for principals. Typical error is the domain name in lowercase: [email protected] instead of [email protected]
In the case you set/refer to the principal programmatically, you can also check the principal name correctness in your code. Regards
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
