IBM Support

IV58752: JGSS NO NEED TO DO COMPARISON BETWEEN MAXIMUM RECEIVE BUFFER SIZE AND COMPUTED SIZE OF MECHANISM TOKEN FOR SASL/JGSS


APAR status

  • Closed as program error.

Error description

  • Error Message, as reported by customer:
    If a SASL/JGSS server/client sets its maximum receive buffer size
    to 0, which causes the maximum receive buffer size to be less
    than the computed size of the mechanism token, JGSS should allow
    it and not throw an exception. IBM's implementation doesn't allow
    the maximum receive buffer size to be less than the computed
    size of the mechanism token used by the SASL server/client.
    
    Stack Trace, if applicable:
    WARNING: emptying DBPortPool to ldaptest.10gen.cc/54.225.191.151:27017 b/c of error
    com.mongodb.MongoException$Network: IOException authenticating the connection
     at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:504)
     at com.mongodb.DBPort.authenticate(DBPort.java:322)
     at com.mongodb.DBPort.checkAuth(DBPort.java:333)
     at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:243)
     at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:216)
     at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:288)
     at com.mongodb.DB.command(DB.java:262)
     at com.mongodb.DB.command(DB.java:244)
     at com.mongodb.DBCollection.getCount(DBCollection.java:985)
     at com.mongodb.DBCollection.getCount(DBCollection.java:956)
     at com.mongodb.DBCollection.getCount(DBCollection.java:931)
     at com.mongodb.DBCollection.count(DBCollection.java:868)
     at JAASLogin$2.run(JAASLogin.java:88)
     at JAASLogin$2.run(JAASLogin.java:84)
     at java.security.AccessController.doPrivileged(AccessController.java:366)
     at javax.security.auth.Subject.doAs(Subject.java:572)
     at JAASLogin.main(JAASLogin.java:83)
    Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
     major string: General failure, unspecified at GSSAPI level
     minor string: Input max size 0 less than computed required size 53]
     at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:309)
     at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:168)
     at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:493)
     ... 16 more
    Caused by: org.ietf.jgss.GSSException, major code: 11, minor code: 0
     major string: General failure, unspecified at GSSAPI level
     minor string: Input max size 0 less than computed required size 53
     at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:30)
     at com.ibm.security.jgss.GSSContextImpl.getWrapSizeLimit(GSSContextImpl.java:98)
     at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:254)
     ... 18 more
    
    
    Other Error Information, as reported by customer:
    N/A
    

Local fix

  • N/A
    

Problem summary

  • JGSS does not need to compare the maximum receive buffer size
    with the computed size of the mechanism token for SASL/JGSS
    server/client authentication.
    
    ERROR DESCRIPTION:
    If a SASL/JGSS server/client sets its maximum receive buffer size
    to 0, which causes the maximum receive buffer size to be less
    than the computed size of the mechanism token, JGSS should allow
    it and not throw an exception. IBM's implementation doesn't allow
    the maximum receive buffer size to be less than the computed
    size of the mechanism token used by the SASL server/client.
    
    Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
     major string: General failure, unspecified at GSSAPI level
     minor string: Input max size 0 less than computed required size 53]
     at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:309)
     at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:168)
     at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:493)
     ... 16 more
    Caused by: org.ietf.jgss.GSSException, major code: 11, minor code: 0
     major string: General failure, unspecified at GSSAPI level
     minor string: Input max size 0 less than computed required size 53
     at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:30)
     at com.ibm.security.jgss.GSSContextImpl.getWrapSizeLimit(GSSContextImpl.java:98)
     at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:254)
     ... 18 more
    

Problem conclusion

  • Allow the maximum receive buffer size to be less than the
    computed size of the mechanism token used by the SASL
    server/client.
    
    The associated Austin CMVC defect is 115455.
    The associated Hursley CMVC defect is 202255.
    The associated RTC Problem Report is 64876.
    
    The fix was delivered for 150_SR16_FP7, 160_SR16FP1, 626_SR8FP1,
     170_SR7FP1, and 727_SR1FP1.
    
    
    The fix will be available in ibmjgssprovider.jar (level
    20140507b).
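
An added illustration, not IBM's code or part of the APAR: in the SASL GSSAPI final handshake (RFC 4752) each side sends a 4-octet payload holding a security-layer bitmask and a 24-bit maximum receive buffer size, and that size is 0 when no security layer is supported, so a wrap-size limit only needs computing once a layer is chosen. The class name, `wrapSizeLimit` (a stand-in for `GSSContext.getWrapSizeLimit`) and the sample payloads are hypothetical; the overhead of 53 is taken from the trace above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration of the RFC 4752 final handshake; not IBM's or MongoDB's code.
public class FinalHandshakeDemo {
    static final int NONE = 1, INTEGRITY = 2, CONFIDENTIALITY = 4; // RFC 4752 layer bits
    static final int TOKEN_OVERHEAD = 53; // "computed required size 53" in the trace above

    // Hypothetical stand-in for GSSContext.getWrapSizeLimit: fails when a token cannot fit.
    static int wrapSizeLimit(int maxTokenSize) {
        if (maxTokenSize < TOKEN_OVERHEAD)
            throw new IllegalStateException("Input max size " + maxTokenSize
                    + " less than computed required size " + TOKEN_OVERHEAD);
        return maxTokenSize - TOKEN_OVERHEAD;
    }

    // Builds the client's reply to the server's unwrapped 4-octet payload.
    static byte[] clientReply(byte[] server, int wanted, int clientMaxBuffer, String authzid) {
        if (server.length != 4) throw new IllegalArgumentException("payload must be 4 octets");
        int offered = server[0] & 0xFF;
        int serverMax = (server[1] & 0xFF) << 16 | (server[2] & 0xFF) << 8 | (server[3] & 0xFF);
        if (offered == NONE && serverMax != 0)
            throw new IllegalStateException("server offers no layer but a non-zero buffer");
        int common = offered & wanted;
        if (common == 0) throw new IllegalStateException("no common security layer");
        int chosen = Integer.highestOneBit(common); // strongest layer both sides accept
        int recvMax = 0; // stays 0 when nothing will be wrapped
        if (chosen != NONE) {
            recvMax = clientMaxBuffer;
            int sendLimit = wrapSizeLimit(serverMax); // the size check belongs only here
            System.out.println("may wrap up to " + sendLimit + " bytes per message");
        }
        byte[] id = authzid.getBytes(StandardCharsets.UTF_8);
        byte[] reply = new byte[4 + id.length];
        reply[0] = (byte) chosen;
        reply[1] = (byte) (recvMax >> 16);
        reply[2] = (byte) (recvMax >> 8);
        reply[3] = (byte) recvMax;
        System.arraycopy(id, 0, reply, 4, id.length);
        return reply;
    }

    public static void main(String[] args) {
        byte[] authOnly = {NONE, 0, 0, 0}; // constructed: no security layer, max buffer 0
        System.out.println(Arrays.toString(clientReply(authOnly, NONE | INTEGRITY, 65536, "")));
        byte[] integrity = {INTEGRITY, 0x00, 0x10, 0x00}; // constructed: integrity, 4096 bytes
        System.out.println(Arrays.toString(clientReply(integrity, NONE | INTEGRITY, 65536, "")));
    }
}
```

Calling `wrapSizeLimit(0)` unconditionally for the first payload would raise the same "Input max size 0 less than computed required size 53" failure shown in the trace.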
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV58752

  • Reported component name

    TIV JAVA GSS-AP

  • Reported component ID

    TIVSECJGS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-04-04

  • Closed date

    2014-05-20

  • Last modified date

    2014-05-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA GSS-AP

  • Fixed component ID

    TIVSECJGS

Applicable component levels

  • R100 PSY

       UP



Document information

More support for: Tivoli Components - Java Security
JGSS

Software version: 100

Reference #: IV58752

Modified date: 30 May 2014