Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-24658

(7.4.z) WFLY-17768 - Incorrect allow_weak_crypto value in testsuite krb5.conf file

XMLWordPrintable

      Since Oracle Java SE 8u351, we start to see test failures from AdvancedLdapLoginModuleTestCase and SPNEGOLoginModuleTestCase (both testes were removed in upstream WFLY) in one of our downstream CI machine. i.e.

      javax.security.auth.login.LoginException: no supported default etypes for default_tkt_enctypes
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
      	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.jboss.as.test.integration.security.common.Utils.loginWithKerberos(Utils.java:1187)
      	at org.jboss.as.test.integration.security.common.Utils.makeCallWithKerberosAuthn(Utils.java:631)
      	at org.jboss.as.test.integration.security.loginmodules.negotiation.AdvancedLdapLoginModuleTestCase.testDeployment(AdvancedLdapLoginModuleTestCase.java:292)
      	at org.jboss.as.test.integration.security.loginmodules.negotiation.AdvancedLdapLoginModuleTestCase.test1(AdvancedLdapLoginModuleTestCase.java:218)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
      	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
      	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
      	at org.jboss.arquillian.junit.Arquillian$8$1.invokeMethod(Arquillian.java:325)
      	at org.jboss.arquillian.junit.MethodInvoker$1.invoke(MethodInvoker.java:18)
      	at org.jboss.arquillian.container.test.impl.execution.LocalTestExecuter.execute(LocalTestExecuter.java:57)
      	at sun.reflect.GeneratedMethodAccessor28.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90)
      	at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133)
      	at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105)
      	at org.jboss.arquillian.core.impl.EventImpl.fire(EventImpl.java:62)
      	at org.jboss.arquillian.container.test.impl.execution.ClientTestExecuter.execute(ClientTestExecuter.java:50)
      	at sun.reflect.GeneratedMethodAccessor17.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90)
      	at org.jboss.arquillian.container.test.impl.client.ContainerEventController.createContext(ContainerEventController.java:128)
      	at org.jboss.arquillian.container.test.impl.client.ContainerEventController.createTestContext(ContainerEventController.java:118)
      	at sun.reflect.GeneratedMethodAccessor16.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.test.impl.TestContextHandler.createTestContext(TestContextHandler.java:116)
      	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.test.impl.TestContextHandler.createClassContext(TestContextHandler.java:83)
      	at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.test.impl.TestContextHandler.createSuiteContext(TestContextHandler.java:69)
      	at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133)
      	at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.test(EventTestRunnerAdaptor.java:139)
      	at org.jboss.arquillian.junit.MethodInvoker.invoke(MethodInvoker.java:15)
      	at org.jboss.arquillian.junit.Arquillian$8.evaluate(Arquillian.java:332)
      	at org.jboss.arquillian.junit.Arquillian$4.evaluate(Arquillian.java:204)
      	at org.jboss.arquillian.junit.Arquillian.multiExecute(Arquillian.java:350)
      	at org.jboss.arquillian.junit.Arquillian.access$200(Arquillian.java:54)
      	at org.jboss.arquillian.junit.Arquillian$5.evaluate(Arquillian.java:215)
      	at org.jboss.arquillian.junit.Arquillian$7$1.invoke(Arquillian.java:279)
      	at org.jboss.arquillian.container.test.impl.execution.ClientBeforeAfterLifecycleEventExecuter.execute(ClientBeforeAfterLifecycleEventExecuter.java:88)
      	at org.jboss.arquillian.container.test.impl.execution.ClientBeforeAfterLifecycleEventExecuter.on(ClientBeforeAfterLifecycleEventExecuter.java:66)
      	at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90)
      	at org.jboss.arquillian.container.test.impl.client.ContainerEventController.createContext(ContainerEventController.java:128)
      	at org.jboss.arquillian.container.test.impl.client.ContainerEventController.createBeforeContext(ContainerEventController.java:114)
      	at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.test.impl.TestContextHandler.createTestContext(TestContextHandler.java:116)
      	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.test.impl.TestContextHandler.createClassContext(TestContextHandler.java:83)
      	at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.test.impl.TestContextHandler.createSuiteContext(TestContextHandler.java:69)
      	at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
      	at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
      	at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133)
      	at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105)
      	at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.fireCustomLifecycle(EventTestRunnerAdaptor.java:159)
      	at org.jboss.arquillian.junit.Arquillian$7.evaluate(Arquillian.java:273)
      	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
      	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
      	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
      	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
      	at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
      	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
      	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
      	at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
      	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
      	at org.jboss.arquillian.junit.Arquillian$2.evaluate(Arquillian.java:166)
      	at org.jboss.arquillian.junit.Arquillian.multiExecute(Arquillian.java:350)
      	at org.jboss.arquillian.junit.Arquillian.access$200(Arquillian.java:54)
      	at org.jboss.arquillian.junit.Arquillian$3.evaluate(Arquillian.java:177)
      	at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
      	at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
      	at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:115)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
      	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159)
      	at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
      	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
      	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
      	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
      Caused by: KrbException: no supported default etypes for default_tkt_enctypes
      	at sun.security.krb5.Config.defaultEtype(Config.java:880)
      	at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
      	at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:262)
      	at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:334)
      	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:772)
      	... 137 more
      

      The cause is Deprecate 3DES and RC4 in Kerberos (JDK-8139348). The RN mentions that "Users can set allow_weak_crypto = true in the krb5.conf configuration file  to re-enable" This is actually what we have already configured in https://github.com/wildfly/wildfly/blob/27.0.1.Final/testsuite/shared/src/main/resources/org/jboss/as/test/integration/security/common/krb5.conf#LL8 for our testsuite. But the value is incorrect, it should be allow_weak_crypto = true instead.

      The allow_weak_crypto attribuet is described here https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults

              chaowan@redhat.com Chao Wang
              chaowan@redhat.com Chao Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: