GSSException: [..] Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled


Problem description

After setting our domain users to support AES encryption for Kerberos tokens (Windows Server 2008R2), on a web-application server side we get the following exception:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)

Strangely, we have Java 6 (1.6.0_27), which means that AES should be supported, according to this document: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

Any ideas what's missing in our web application, Java, or third parties? We are using the Spring Security Kerberos extension (with minimal code modifications to fit into our current Spring 2.x version and additional authentication requirements).

Recommended answer

EDIT (2017-05-06): upcoming JDK versions will have this included. Only a config parameter needs to be set, see JDK-8157561.

Follow this link - Java SE Downloads, scroll down and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your specific JDK version and follow the process in this tutorial titled: 5.4.2. Kerberos and Unlimited Strength Policy.

The basic steps are as follows:


  1. locate your JDK's security directory (showing Unix below):

    $ locate 'jre/lib/security' | grep 'lib/security$'
    /usr/java/jdk1.7.0_17/jre/lib/security
    /usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security
    /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/security


  • Given the above, we need to add the downloaded JCE .jar files to /usr/java/jdk1.7.0_17/jre/lib/security

    The JCE .zip file includes the following (showing JDK 1.7's JCE):

    $ ls -l UnlimitedJCEPolicy
    total 16
    -rw-rw-r-- 1 root root 2500 May 31  2011 local_policy.jar
    -rw-r--r-- 1 root root 7289 May 31  2011 README.txt
    -rw-rw-r-- 1 root root 2487 May 31  2011 US_export_policy.jar
    


  • These are the bundled versions with the JDK (again 1.7):

    $ ls -l /usr/java/jdk1.7.0_17/jre/lib/security/*.jar
    -rw-r--r--. 1 root root 2865 Mar  1  2013 /usr/java/jdk1.7.0_17/jre/lib/security/local_policy.jar
    -rw-r--r--. 1 root root 2397 Mar  1  2013 /usr/java/jdk1.7.0_17/jre/lib/security/US_export_policy.jar
    


  • We need to move these out of the way and replace them with the included versions in the JCE .zip file. I typically do the following:

    $ pushd /usr/java/jdk1.7.0_17/jre/lib/security/
    /usr/java/jdk1.7.0_17/jre/lib/security ~
    
    $ mkdir limited
    $ mv *.jar limited/
    
    $ cp ~/UnlimitedJCEPolicy/*.jar .
    $ ls -l *.jar
    -rw-r--r-- 1 root root 2500 Jun 25 12:50 local_policy.jar
    -rw-r--r-- 1 root root 2487 Jun 25 12:50 US_export_policy.jar
    


  • Restart anything that's making use of JDK (Tomcat, etc.).
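To confirm whether a given JVM is the one producing this error, here is an added diagnostic (not part of the answer above, nor of Spring Security Kerberos) that reports the AES key-size cap the installed JCE policy imposes. Kerberos etype 18 (aes256-cts-hmac-sha1-96) needs a 256-bit AES key, and the limited policy caps AES at 128 bits, which is exactly the condition behind the GSSException. The `crypto.policy` security property it prints is the config parameter from JDK-8157561 (JDK 8u151+/9); it is absent, i.e. null, on the Java 6/7 builds discussed in this thread, where the policy jars in jre/lib/security decide.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

public class AesPolicyCheck {
    // aes256-cts-hmac-sha1-96 (Kerberos etype 18) requires a 256-bit AES key.
    static final int AES256_KEY_BITS = 256;

    // Upper bound the JCE jurisdiction policy allows for AES in this JVM.
    // Integer.MAX_VALUE means the unlimited policy is in effect.
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // True only when the JGSS Kerberos mechanism can use the AES256 enctype.
    static boolean aes256KerberosPossible() throws NoSuchAlgorithmException {
        return maxAesKeyBits() >= AES256_KEY_BITS;
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + System.getProperty("java.home"));
        // crypto.policy: "limited"/"unlimited" on JDK 8u151+/9+; null on older JDKs.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key   = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        if (aes256KerberosPossible()) {
            System.out.println("OK: aes256-cts-hmac-sha1-96 can be used by JGSS.");
        } else {
            System.out.println("PROBLEM: AES limited to " + max + " bits. Install the "
                    + "Unlimited Strength policy jars into jre/lib/security, or on "
                    + "JDK 8u151+ set crypto.policy=unlimited in java.security.");
        }
    }
}
```

Run it with the same JDK that runs Tomcat, e.g. `/usr/java/jdk1.7.0_17/bin/java AesPolicyCheck`, both before and after swapping the policy jars, so the change in the reported cap confirms the right JDK was patched.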
