Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-21373

(7.4.z) JBJCA-1426 - OAUTH marshaling failure when connecting to Oracle database using Kerberos authentication

    XMLWordPrintable

Details

    • False
    • False
    • Documentation (Ref Guide, User Guide, etc.), Release Notes, Compatibility/Configuration
    • Blocks Testing
    • +
    • Undefined
    • Hide

      Download and unzip oracle-krb.zip and any EAP version.

      1. copy keytab KRBUSR01 to JBOSS_HOME
      2. copy krb5.conf to JBOSS_HOME
      3. copy standalone.xml to JBOSS_HOME/standalone/configuration
      4. download Oracle JDBC driver ojdbc8.jar and copy it to JBOSS_HOME/standalone/deployments
      5. start server
      6. run CLI 
        /subsystem=datasources/data-source=TestDatasource:test-connection-in-pool
      Show
      Download and unzip oracle-krb.zip and any EAP version. copy keytab KRBUSR01 to JBOSS_HOME copy krb5.conf to JBOSS_HOME copy standalone.xml to JBOSS_HOME/standalone/configuration download Oracle JDBC driver ojdbc8.jar and copy it to JBOSS_HOME/standalone/deployments start server run CLI /subsystem=datasources/data-source=TestDatasource:test-connection-in-pool

    Description

      Caused by: java.sql.SQLException: OAUTH marshaling failure
        at oracle.jdbc.driver.T4CTTIoauthenticate.validateO5ServerResponse(T4CTTIoauthenticate.java:1650)
        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTHWithO5Logon(T4CTTIoauthenticate.java:1469)
        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1219)
        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1173)
        at oracle.jdbc.driver.T4CConnection.authenticateUserForLogon(T4CConnection.java:1030)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:646)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1032)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:90)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:681)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:602)
        at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
        ... 238 more

      IronJacamar automatically adds user and password properties to Driver/DataSource connection properties and Oracle JDBC driver (and/or database) seems to be sensitive to the presence of these properties.

      In the case of Kerberos authentication, the user is automatically extracted from Subject and password is set to an empty string. IJ does it on multiple places, I didn't look for the exact place in this case, but one example is BaseWrapperManagedConnectionFactory.java#L1434

      Here is an overview how Oracle Databases and Drivers behave with different combinations of connection properties

      Database version: Oracle 12cR1

      driver/props no properties user password both
      12.2.0.1​ ok ​ ok ​ ok ​ ok
      19.3 ok ​ ok ​ ok ​ ok
      19.10 ok ​ ok ​ ok ​ ok
      21.1 ok ​ ok ​ ok ​ ok

      Database version: Oracle 12cR2

      driver/props no properties user password both
      12.2.0.1​ ok ​ fail ​ ok ​ fail
      19.3 ok ​ fail ​ ok ​ fail
      19.10 ok ​ fail ​ ok ​ fail
      21.1 ok ​ ok ​ ok ​ fail

      Database version: Oracle 19cR3

      driver/props no properties user password both
      12.2.0.1 ​ ok ​ fail ​ ok ​ fail
      19.3 ok ​ fail ​ ok ​ fail
      19.10 ok ​ fail ​ ok ​ fail
      21.1 ok ​ ok ​ ok ​ fail

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22286 [QA](7.4.z) JBJCA-1427 - not possible to bypass GSSCredentials using Datasource.getConnection(username,password)

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22300 [QE](7.3.z) JBJCA-1427 - not possible to bypass GSSCredentials using Datasource.getConnection(username,password)

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22117 (7.3.z) JBJCA-1426 - OAUTH marshaling failure when connecting to Oracle database using Kerberos authentication

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-21313 [GSS](7.4.z) Upgrade Ironjacamar from 1.4.30.Final-redhat-00001 to 1.4.35.Final-redhat-00001

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          relates to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBJCA-1426 Kerberos support: don't copy GSSCredential by default

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              rhn-support-ivassile Ilia Vassilev
              msimka@redhat.com Martin Simka
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: