SOAPInput node and Kerberos |
bielesibub |
Posted: Mon Apr 04, 2011 9:13 am Post subject: SOAPInput node and Kerberos |
 Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
Hi all,
A quick question for the gurus, relating to the following error message from a Kerberos-enabled SOAPInput (we're using v7.0.0.2):
"org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: null"
This error is generated when I send in a request from a C# SOAP client that constructs a SOAP request with a token+signature dynamically.
BTW, I've extracted the Kerberos token and have manually passed it to TFIM using a SecurityPEP node and it authenticates successfully.
I have another client that was created using WCF for another SOAP service and this works fine.
Is there a way that I can debug what is going on behind the scenes (in axis2?) to tell me where the problem really is? I'm assuming that I've overlooked the obvious! I've tried service trace and a visual comparison of the request messages but this doesn't show up anything obvious.
I'd ideally like to use a generic client as I don't want to have multiple clients to test multiple services.
Also, why does the Kerberos token get stripped from the message when it propagates out of the SOAPInput node?
Cheers,
mqjeff |
Posted: Mon Apr 04, 2011 9:31 am Post subject: |
Grand Master
Joined: 25 Jun 2008 Posts: 17447
It sounds like you've missed the configuration necessary to authenticate with the Kerberos server. Not to validate the cert, but to connect to the Kerberos server to validate.
As to why the cert is removed, that's because it's supposed to be removed.
If you want it to be re-added, you will need to ensure that you are using identity propagation.
bielesibub |
Posted: Tue Apr 05, 2011 12:08 pm Post subject: |
 Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
mqjeff, thanks for your speedy reply!
It might seem like a silly question, but what configuration do I need?
Here's what I've done:
Generated keytab file (for service that I am referring to in the following) and deployed these to the broker.
Created a Kerberos token using the Kerberostoken class in C#, with 'servicePrincipalName' + ImpersonationLevel.Impersonation
In respect to the Kerberos token being propagated, I've set the security profile to default propagation and have not seen the token passed. I've also set it up using a security profile configured just to pass the identity and still no token (I don't really care that it's gone to be honest, I've been asked if we can preserve it).
BTW, I'm not discounting the fact that I have missed something totally obvious here!
Cheers
bielesibub |
Posted: Thu Apr 07, 2011 2:47 am Post subject: |
 Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
For anyone that might be slightly interested, the problem appears to have been solved.
The C# code wasn't generating a <derivedkeytoken> element in the request message; this was fixed really simply by setting:
(KerberosAssertion).RequireDerivedKeys = true.
Simples...
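
A structural comparison of a working and a failing request surfaces a missing security-header element faster than reading the two messages side by side. The Python sketch below is an added example, not part of the original posts: it lists the children of each request's wsse:Security header and resolves which token each signature is keyed from. The function names are hypothetical, the two sample messages are constructed, and their shape (the signature referencing the Kerberos token directly when derived keys are off) is an assumption.

```python
import xml.etree.ElementTree as ET  # fine for your own captures; use defusedxml for untrusted XML
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"
NS = ('xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
      'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" '
      'xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" '
      'xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" '
      'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')

def local(el):
    """Tag name without its namespace, so any WS-SecureConversation version matches."""
    return el.tag.rsplit("}", 1)[-1]

def security_profile(soap_xml):
    """List the wsse:Security children and the token type each ds:Signature is keyed from."""
    root = ET.fromstring(soap_xml)
    # An empty placeholder element stands in when the request has no Security header.
    sec = next((e for e in root.iter() if local(e) == "Security"), ET.Element("Security"))
    by_id = {e.get(WSU_ID): local(e) for e in sec.iter() if e.get(WSU_ID)}
    signed_with = []
    for sig in (e for e in sec if local(e) == "Signature"):
        # Only references under ds:KeyInfo name the signing key; ds:SignedInfo ones name signed parts.
        for ref in (r for k in sig if local(k) == "KeyInfo" for r in k.iter() if local(r) == "Reference"):
            target = ref.get("URI", "").lstrip("#")
            signed_with.append(by_id.get(target, "unresolved:" + target))
    return {"children": [local(e) for e in sec], "signed_with": signed_with}

def diff_profiles(working_xml, failing_xml):
    """Structural differences between a request that works and one that fails."""
    w, f = security_profile(working_xml), security_profile(failing_xml)
    out = [f"missing from failing request: {n}" for n in sorted(set(w["children"]) - set(f["children"]))]
    out += [f"only in failing request: {n}" for n in sorted(set(f["children"]) - set(w["children"]))]
    if w["signed_with"] != f["signed_with"]:
        out.append(f"signature keyed from: working={w['signed_with']} failing={f['signed_with']}")
    return out

def sample(key_ref, derived):
    """Constructed request skeleton (token and digest values elided), not captured traffic."""
    dkt = ('<wsc:DerivedKeyToken wsu:Id="dk-1"><wsse:SecurityTokenReference><wsse:Reference '
           'URI="#krb-1"/></wsse:SecurityTokenReference></wsc:DerivedKeyToken>') if derived else ""
    return (f'<s:Envelope {NS}><s:Header><wsse:Security>'
            f'<wsse:BinarySecurityToken wsu:Id="krb-1">AAAA</wsse:BinarySecurityToken>{dkt}'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>'
            f'<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#{key_ref}"/>'
            '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
            '</wsse:Security></s:Header><s:Body wsu:Id="body-1"/></s:Envelope>')

WORKING = sample("dk-1", True)    # assumed shape with RequireDerivedKeys = true
FAILING = sample("krb-1", False)  # assumed shape without derived keys

if __name__ == "__main__":
    print("\n".join(diff_profiles(WORKING, FAILING)))
```

To use it on real traffic, pass the raw XML of a captured working request and a captured failing request to `diff_profiles` in place of the constructed samples.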