I want to point to a different krb.conf file dynamically, without restarting the JVM. I have searched through different solutions on Stack Overflow and tried to implement them accordingly. But somehow, even if I update System.setProperty("java.security.krb5.conf", ...) to point to the new krb.conf file, JAAS is not able to understand this and is still using the earlier conf file. Following are the details of my solution with the code:
My Jaas.conf file is as follows:

```
Mutual {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

sp.kerb.sso.KinitExample {
    com.sun.security.auth.module.Krb5LoginModule required
        client=TRUE
        refreshKrb5Config=true
        debug=true;
};
```
I have set refreshKrb5Config=true for obvious reasons, as I want to reload the krb configuration file.
Here is the code I am trying to execute:

```java
package sp.kerb.sso;

import sun.security.krb5.internal.tools.Kinit;

public class KinitExample {
    public static void main(String[] args) {
        String kerberosFileName = "C:\\Windows\\krb5.ini";
        String jaas_config_file_name = "C:\\Users\\User1\\temp\\howrah.jaas.conf";
        System.setProperty("java.security.auth.login.config", jaas_config_file_name); // setting the jaas config file
        System.setProperty("java.security.krb5.conf", kerberosFileName);             // setting the kerberos file
        System.setProperty("java.security.krb5.debug", "true");

        final String administrator = "[email protected]".toUpperCase();
        String cacheFileLoc = "C:\\Users\\User1\\temp\\admin.cache";

        // Performing kinit for the first principal: writes a ticket cache to cacheFileLoc
        Kinit.main(new String[]{"-c", cacheFileLoc, administrator, "Password123"});

        kerberosFileName = "C:\\Users\\User2\\temp\\new.krb.conf"; // Using new KRB configuration file
        System.setProperty("java.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", jaas_config_file_name); // setting the property again
        System.setProperty("java.security.krb5.conf", kerberosFileName);             // setting the property again
        System.out.println(System.getProperty("java.security.krb5.conf"));           // Prints the updated conf file location.

        cacheFileLoc = "C:\\Users\\User2\\temp\\newadmin.cache";
        String newAdmin = "[email protected]".toUpperCase();

        // Performing kinit for the second principal, expected to use the new krb5 file
        Kinit.main(new String[]{"-c", cacheFileLoc, newAdmin, "Password123"});
    }
}
```
The cache for the admin is created, but the cache for the newAdmin is not created, as the respective krb.conf files have distinct realms and JAAS doesn't seem to be able to connect to the realm from new.krb.conf, and hence fails with the infamous 906 error code.
What is it that I am doing wrong? Is what I want to achieve possible? How should I resolve the issue?

Also note that if I totally comment out the admin cache creation logic and start with new.krb.conf (all the code related to newAdmin), it works perfectly fine and creates the cache for the newAdmin.
You should call sun.security.krb5.Config.refresh() in order to reload the configuration from the new file.
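The following is an added example, not code from the question or the answer, showing the refresh step in context. The Kerberos provider parses java.security.krb5.conf once into a cached sun.security.krb5.Config singleton, so changing the system property afterwards is invisible until Config.refresh() discards that cache; and because Kinit.main talks to Config directly rather than through Krb5LoginModule, the refreshKrb5Config=true option in the JAAS entry is never consulted on that path. The file paths and the JAAS entry name sp.kerb.sso.KinitExample are assumptions taken from the question; sun.security.krb5 is an internal API, so on JDK 9 and later this needs --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED at compile and run time. The login is done through LoginContext with a console CallbackHandler so that no password is embedded in the program.

```java
package sp.kerb.sso;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.security.auth.callback.TextCallbackHandler;

import sun.security.krb5.Config;
import sun.security.krb5.KrbException;

/**
 * Added example (not from the original question): switch the Kerberos
 * configuration at runtime and force the provider to re-read it before
 * the next login. Paths and the JAAS entry name are assumptions.
 */
public class KrbConfigSwitchExample {

    /**
     * Point java.security.krb5.conf at a new file and drop the cached
     * Config singleton. Without Config.refresh() the provider keeps the
     * Config it parsed on first use, which is why setting the property
     * alone has no effect. Returns the default realm now in effect so the
     * caller can verify that the switch really happened.
     */
    static String switchKrb5Config(String krb5ConfPath) throws KrbException {
        System.setProperty("java.security.krb5.conf", krb5ConfPath);
        Config.refresh();
        return Config.getInstance().getDefaultRealm();
    }

    /** Log in through the named JAAS entry and return the logged-in context. */
    static LoginContext login(String jaasEntry) throws LoginException {
        // TextCallbackHandler prompts for name and password on the console,
        // so no credential is hard-coded or passed on a command line.
        LoginContext lc = new LoginContext(jaasEntry, new TextCallbackHandler());
        lc.login();
        return lc;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths, mirroring the question
        System.setProperty("java.security.auth.login.config",
                "C:\\Users\\User1\\temp\\howrah.jaas.conf");
        System.setProperty("java.security.krb5.debug", "true");

        // First realm: the default Windows krb5.ini
        String realm1 = switchKrb5Config("C:\\Windows\\krb5.ini");
        System.out.println("default realm now: " + realm1);
        LoginContext first = login("sp.kerb.sso.KinitExample");
        System.out.println("logged in as " + first.getSubject().getPrincipals());
        first.logout();

        // Second realm: a different krb5 file, re-read without restarting the JVM
        String realm2 = switchKrb5Config("C:\\Users\\User2\\temp\\new.krb.conf");
        System.out.println("default realm now: " + realm2);
        if (realm1.equals(realm2)) {
            // A cheap check that the refresh took effect; the two files in the
            // question are expected to name distinct realms.
            System.out.println("warning: default realm did not change, check new.krb.conf");
        }
        LoginContext second = login("sp.kerb.sso.KinitExample");
        System.out.println("logged in as " + second.getSubject().getPrincipals());
        second.logout();
    }
}
```

Unlike the question's Kinit.main calls, a LoginContext login places the TGT in the Subject rather than writing a credential cache file; if the cache file is what is needed, the same switchKrb5Config(...) call simply goes immediately before the second Kinit.main(...) call, which is the point the answer is making.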