IBM Support

IV27398: JGSS component does not support non-ASCII principal name.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message, as reported by customer:
    =======================================
    
    javax.security.auth.login.FailedLoginException: Login error:
    com.ibm.security.krb5.KrbException, status code: 6
    
    
    Stack Trace, if applicable:
    ===========================
    
    javax.security.auth.login.FailedLoginException: Login error:
    com.ibm.security.krb5.KrbException, status code: 6
     message: Client not found in Kerberos database
     at
    com.ibm.security.jgss.i18n.I18NException.throwFailedLoginExcepti
    on(I18NException.java:23)
     at
    com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.j
    ava:165)
     at
    com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.j
    ava:20)
     at
    com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModu
    le.java:633)
    
    
    Other Error Information, as reported by customer:
    =================================================
    
    DES string-to-key encoding does not support support machine
    specific charset.
    

Local fix

  • Workaround:
    ===========
    
    N.A.
    

Problem summary

  • Abstract Description:
    JGSS component does not support non-ASCII principal name.
    
    Error Message, as reported by customer:
    javax.security.auth.login.FailedLoginException: Login error:
    com.ibm.security.krb5.KrbException, status code: 6
    
    Stack Trace, if applicable:
    javax.security.auth.login.FailedLoginException: Login error:
    com.ibm.security.krb5.KrbException, status code: 6
     message: Client not found in Kerberos database
     at
    com.ibm.security.jgss.i18n.I18NException.throwFailedLoginExcepti
    on(I18NException.java:23)
     at
    com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.j
    ava:165)
     at
    com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.j
    ava:20)
     at
    com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModu
    le.java:633)
    
    
    Other Error Information, as reported by customer:
    DES string-to-key encoding does not support support machine
    specific charset.
    
    
    Workaround:
    N/A
    
    JVM affected:
     ibmjgssprovider.jar.
    Java 5.0, 6.0, and 7.0.
    

Problem conclusion

  • This defect will be fixed in:
    5.0.0 SR16
    6.0.1 SR5
    6.0.0 SR13
    7.0.0 SR4
    
    IBM JGSS Introduces the ibm.security.krb5.msinterop.kstring
    system property. When set to true, UTF-8 is used in encoding the
    principal name. Otherwise, ASCII is used.
    This property need to be true when authenticating non-ASCII
    principal name to KDC.
    
    Another interop issue is string-to-key encoding for DES keys.
    RFC 3961 claims UTF-8 should be used, but Microsoft AD uses
    machine-specific charset, precisely, the code page specified in
    the registry key
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage
    \OEMCP
    To interop, IBM JGSS introduces the
    ibm.security.krb5.msinterop.des.s2kcharset system property to
    specify the charset used when performing string-to-key.
    For example, when authenticating umlauts principal name on
    Microsoft AD, ibm.security.krb5.msinterop.des.s2kcharset should
    be set to one of the following charsets for DES keys:
    'IBM00858', 'IBM437', 'IBM775', 'IBM850', 'IBM852', 'IBM857',
    'IBM861', 'IBM865', 'x-IBM859'
    The result is based on the tests performed on "Windows Server
    2003 Enterprise Edition" and "Windows 2008 R2 Standard". The
    value of
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage
    \OEMCP is 437 on both of the systems.
    
    The defect is recorded as,
    Hursley CMVC defect 194544.
    The fix will be available in,
    Java 5.0 SR16, Java 6.0SR13, Java 6.26SR5, Java 7.0 SR4
    The build dates  20121030
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV27398

  • Reported component name

    TIV JAVA GSS-AP

  • Reported component ID

    TIVSECJGS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-09-04

  • Closed date

    2012-11-02

  • Last modified date

    2013-02-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA GSS-AP

  • Fixed component ID

    TIVSECJGS

Applicable component levels

  • R100 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL44","label":"JGSS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
12 February 2013