I have an application running as a WebLogic startup class. When it gets to the point where it has to request a service from my application that is set up with a Kerberos Service Principal, I get a 401 Unauthorized exception (as seen below).
When I run the application through a normal private static void main method using precisely the same JVM arguments and config files (listed below), it works.
I used Wireshark to see what is going on and I can see that it only tries to use the service once and not twice, meaning that WebLogic does not know how to Negotiate authentication. It seems that WebLogic ignores my JVM arguments completely, as there are no signs of Kerberos being used at all in WebLogic even with debug=true added to the JVM arguments and the config files. I also set the logging level to debug and enabled atn and atz in monitoring, but there are no traces of any Kerberos being used.
Here are my arguments (I tested single and double slashes in my path, as well as adding quotes and not):
set JAVA_OPTIONS_KRB5_CREDS="-Djavax.security.auth.useSubjectCredsOnly=false"
set JAVA_OPTIONS_KRB5_CONF="-Djava.security.auth.login.config=C:\Mywork\wl12213\user_projects\domains\KSS\config\login.conf"
set JAVA_OPTIONS_KRB5_INI="-Djava.security.krb5.conf=C:\Mywork\wl12213\user_projects\domains\KSS\config\krb5.conf"
set JAVA_OPTIONS_KRB5_DEBUG="-Dsun.security.krb5.debug=true"
set JAVA_OPTIONS=%JAVA_OPTIONS% %JAVA_OPTIONS_KRB5_CREDS% %JAVA_OPTIONS_KRB5_CONF% %JAVA_OPTIONS_KRB5_INI% %JAVA_OPTIONS_KRB5_DEBUG%
Here is my main class
URL url = new URL("url to service (Using the url the SPN is registered to)");
QName qname = new QName("schema");
Service service = Service.create(url, qname);
keystoreService = service.getPort(new QName("schema", "KeystoreServiceSoap11"), KeystoreService.class);
GetKeystoreRequest request = new GetKeystoreRequest();
request.setKeystoreType(StoreType.IDENTITY_STORE);
request.setMachineName(machineName);
GetKeystoreResponse response = keystoreService.getKeystore(request);
The login.conf file
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required principal="KHULE" useKeyTab="true" keyTab="C:\\Mywork\\wl12213\\user_projects\\domains\\KSS\\config\\weblogic.keytab" storeKey="true" debug=true;
};
The Exception
Caused by: com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:332)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:274)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:232)
at weblogic.wsee.jaxws.transport.http.client.WLSHttpTransportPipe.process(WLSHttpTransportPipe.java:30)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:145)
at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:110)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
at com.sun.xml.ws.client.Stub.process(Stub.java:463)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:191)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:92)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:161)
at com.sun.proxy.$Proxy147.getKeystore(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:147)
at com.sun.proxy.$Proxy148.getKeystore(Unknown Source)
at za.co.discovery.security.camanager.clients.weblogic.KeyStoreFactory.getIdentityStore(KeyStoreFactory.java:66)
Can you please help me?
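One way to test whether the startup class really sees the same Kerberos settings as the stand-alone run, as an added example that is not part of the original post: call `report()` from both contexts and compare the output. The class name `Krb5EnvCheck`, the method `report` and the fallback URL are hypothetical; the property names and the JAAS entry name are the ones shown in the question.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
// Added diagnostic; the class and method names are hypothetical.
public final class Krb5EnvCheck {
    // Property names taken from the JAVA_OPTIONS lines in the question.
    private static final String[] PROPS = {
        "javax.security.auth.useSubjectCredsOnly", "java.security.auth.login.config",
        "java.security.krb5.conf", "sun.security.krb5.debug"
    };
    private static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.initiate";
    public static String report(String serviceUrl) {
        StringBuilder out = new StringBuilder();
        for (String p : PROPS) {
            String v = System.getProperty(p);
            out.append(p).append(" = ").append(v).append('\n');
            // For the two file-valued properties, check that this process can read the file.
            if (v != null && (p.endsWith(".config") || p.endsWith(".conf"))) {
                out.append("  readable: ").append(new File(v).canRead()).append('\n');
            }
        }
        try {
            // The JAAS Configuration this JVM resolves, and the entry named in login.conf.
            Configuration cfg = Configuration.getConfiguration();
            out.append("JAAS configuration class: ").append(cfg.getClass().getName()).append('\n');
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(JAAS_ENTRY);
            if (entries == null) {
                out.append("  no entry named ").append(JAAS_ENTRY).append('\n');
            } else {
                for (AppConfigurationEntry e : entries) {
                    out.append("  ").append(e.getLoginModuleName()).append(' ').append(e.getOptions()).append('\n');
                }
            }
        } catch (SecurityException e) {
            out.append("JAAS configuration could not be loaded: ").append(e).append('\n');
        }
        try {
            // openConnection() only creates the object; no request is sent.
            out.append("HTTP connection class: ").append(new URL(serviceUrl).openConnection().getClass().getName()).append('\n');
        } catch (IOException e) {
            out.append("URL could not be opened: ").append(e).append('\n');
        }
        return out.toString();
    }
    // Stand-alone entry point; the fallback URL is a constructed placeholder.
    public static void main(String[] args) {
        System.out.println(report(args.length > 0 ? args[0] : "http://localhost/"));
    }
}
```

Any line that differs between the two runs (a missing property, an unreadable file, a different JAAS configuration class or a different HTTP connection class) narrows down where the two environments diverge.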