How to fix "Key for the principal <principal user> not available in <keytab file>" in Java 18 Spring Boot

huangapple · go · 127 reads
I am trying to connect to Kafka using a keytab file to log in, but I got the following exceptions and authentication failed:

> Found unsupported keytype (23) for AAA@EXAMPLE.TH
>
> 2023-07-17 09:56:54 Key for the principal AAA@EXAMPLE.TH not available in /etc/example.keytab
>
> 2023-07-17 09:56:54 [Krb5LoginModule] authentication failed
>
> 2023-07-17 09:56:54 Unable to obtain password from user

I double-checked the JAAS file to make sure I put the right path for the keytab file, but it seems it could not find the keytab file at the specified path.

Here are the values in my JAAS file:

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    debug=true
    isInitiator=true
    doNotPrompt=true

    keyTab="/etc/example.keytab"
    principal="AAA@EXAMPLE.TH";
};

And the krb5.conf values:

# includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log 
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    default_realm = EXAMPLE.TH
    kdc_timesync = 1
    ticket_lifetime = 7d
    #renew_lifetime = 15d
[realms]
    EXAMPLE.TH = {
        admin_server = example.th
        kdc = example.th
        default_domain = EXAMPLE.TH
    }

In addition, this is my application.properties file:

## kafka security
spring.kafka.properties.security.protocol=SASL_SSL
spring.kafka.properties.sasl.mechanism=GSSAPI
spring.kafka.properties.sasl.kerberos.service.name=bigfoot
spring.kafka.properties.ssl.truststore.location=./keyuat/godzilla.client.truststore.jks
spring.kafka.properties.ssl.truststore.password=godzilla007

## kafka consumer
spring.kafka.consumer.bootstrap-servers=godzilla01:9092,godzilla02:9092,godzilla03:9092
spring.kafka.consumer.group-id=godzilla_lookup
spring.kafka.consumer.enable-auto-commit=false
spring.kafka.consumer.auto-offset-reset=latest
spring.kafka.topic.name=prod-godz

Could anyone help me fix this exception? I am very new to Kafka and only started working as a Java developer about 10 months ago. So any comments or suggestions are welcome and appreciated, and I can provide more info if needed.

Thanks in advance!

Answer 1

Score: 0

In my case, the issue was the Java version. My keytab encryption type is ArcFour with HMAC/MD5, and the Java 18 that I used for my app is not allowed to read this keytab file. I tried downgrading to Java 11 and connecting to Kafka, and it works fine without any additional values.

So the solution (in the case of using Java version 18 with a keytab whose encryption type is a weak type) is to set the additional value "allow_weak_crypto = true" in krb5.conf. By the way, it also depends on the keytab encryption type; if the algorithm is modern or strong, I don't think it is a problem.
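Since the whole problem hinges on which encryption types the keytab actually holds, here is a small keytab inspector, added as an example and not part of the original question or answer. It parses the MIT keytab format (the 0x0502 format that ktutil and kadmin write, and the one Java's Krb5LoginModule reads), reports the etype of every key, and flags the ones the JDK only accepts when krb5.conf sets allow_weak_crypto = true. The sample keytab is constructed in memory with dummy all-zero keys; the key version numbers and the broker principal kafka/broker.example.th@EXAMPLE.TH are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961/3962/4757/8009). Etype 23 is the
# "unsupported keytype (23)" from the error message in the question.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Etypes the JDK only enables when krb5.conf contains allow_weak_crypto = true.
WEAK_ETYPES = {1, 3, 16, 23}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    etype: int

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"etype-{self.etype}")

    @property
    def weak(self) -> bool:
        return self.etype in WEAK_ETYPES


def _counted_string(buf: bytes, off: int):
    """Read a 16-bit length-prefixed string; return (value, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n].decode("utf-8"), off + 2 + n


def parse_keytab(data: bytes):
    """Parse an MIT version-2 keytab (magic 0x05 0x02) into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # v2: realm not counted
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen             # the key material itself is not needed here
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype))
    return entries


def build_keytab(spec):
    """Construct a keytab from (principal, kvno, etype, key) tuples (sample data only)."""
    def cs(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for principal, kvno, etype, key in spec:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + cs(realm.encode())
        for c in comps:
            body += cs(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", etype) + cs(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def diagnose(entries, principal: str):
    """Return (entries for principal, True if at least one non-weak key is present)."""
    mine = [e for e in entries if e.principal == principal]
    return mine, any(not e.weak for e in mine)


# Constructed sample: the questioner's principal with only an RC4 key (etype 23),
# plus an assumed broker principal with an AES-256 key. Keys are dummy zero bytes.
SAMPLE_KEYTAB = build_keytab([
    ("AAA@EXAMPLE.TH", 3, 23, bytes(16)),
    ("kafka/broker.example.th@EXAMPLE.TH", 5, 18, bytes(32)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "WEAK (needs allow_weak_crypto)" if e.weak else "ok"
        print(f"{e.kvno:>3} {e.principal:<40} {e.etype_name:<28} {flag}")
    _, strong = diagnose(parse_keytab(SAMPLE_KEYTAB), "AAA@EXAMPLE.TH")
    print("AAA@EXAMPLE.TH has a strong key:", strong)
```

On a real file, call parse_keytab(open("/etc/example.keytab", "rb").read()) and compare the output with MIT's klist -ket /etc/example.keytab. If the principal has only an arcfour-hmac (etype 23) key, allow_weak_crypto = true makes Java 18 accept it, but RC4-HMAC is deprecated (RFC 8429); the durable fix is to have the KDC administrator re-key the principal with an AES etype and regenerate the keytab, after which the krb5.conf override can be removed again.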

huangapple
  • Published on 2023-07-17 15:09:55
  • Please keep this link when reposting: https://go.coder-hub.com/76702174.html