APAR status
Closed as program error.
Error description
Error Message, as reported by customer: If a SASL/JGSS server/client sets its maximum receive buffer size to 0, which causes the maximum receive buffer size to be less than the computed size of the mechanism token, JGSS should allow it and not throw an exception. IBM's implementation doesn't allow the maximum receive buffer size to be less than the computed size of the mechanism token used by the SASL server/client.

Stack Trace, if applicable:

WARNING: emptying DBPortPool to ldaptest.10gen.cc/54.225.191.151:27017 b/c of error
com.mongodb.MongoException$Network: IOException authenticating the connection
    at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:504)
    at com.mongodb.DBPort.authenticate(DBPort.java:322)
    at com.mongodb.DBPort.checkAuth(DBPort.java:333)
    at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:243)
    at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:216)
    at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:288)
    at com.mongodb.DB.command(DB.java:262)
    at com.mongodb.DB.command(DB.java:244)
    at com.mongodb.DBCollection.getCount(DBCollection.java:985)
    at com.mongodb.DBCollection.getCount(DBCollection.java:956)
    at com.mongodb.DBCollection.getCount(DBCollection.java:931)
    at com.mongodb.DBCollection.count(DBCollection.java:868)
    at JAASLogin$2.run(JAASLogin.java:88)
    at JAASLogin$2.run(JAASLogin.java:84)
    at java.security.AccessController.doPrivileged(AccessController.java:366)
    at javax.security.auth.Subject.doAs(Subject.java:572)
    at JAASLogin.main(JAASLogin.java:83)
Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Input max size 0 less than computed required size 53]
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:309)
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:168)
    at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:493)
    ... 16 more
Caused by: org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Input max size 0 less than computed required size 53
    at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:30)
    at com.ibm.security.jgss.GSSContextImpl.getWrapSizeLimit(GSSContextImpl.java:98)
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:254)
    ... 18 more

Other Error Information, as reported by customer: N/A
Local fix
N/A
Problem summary
JGSS does not need to compare the maximum receive buffer size with the computed size of the mechanism token for SASL/JGSS server/client authentication.

ERROR DESCRIPTION: If a SASL/JGSS server/client sets its maximum receive buffer size to 0, which causes the maximum receive buffer size to be less than the computed size of the mechanism token, JGSS should allow it and not throw an exception. IBM's implementation doesn't allow the maximum receive buffer size to be less than the computed size of the mechanism token used by the SASL server/client.

Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Input max size 0 less than computed required size 53]
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:309)
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:168)
    at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:493)
    ... 16 more
Caused by: org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Input max size 0 less than computed required size 53
    at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:30)
    at com.ibm.security.jgss.GSSContextImpl.getWrapSizeLimit(GSSContextImpl.java:98)
    at com.ibm.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:254)
    ... 18 more
Problem conclusion
Allow the maximum receive buffer size to be less than the computed size of mechanism token used by SASL server/client. The associated Austin CMVC defect is 115455. The associated Hursley CMVC defect is 202255. The associated RTC Problem Report is 64876. The fix was delivered for 150_SR16_FP7, 160_SR16FP1, 626_SR8FP1, 170_SR7FP1, and 727_SR1FP1. The fix will be available in ibmjgssprovider.jar (level 20140507b).
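An added example, not IBM's code and not the fix shipped in ibmjgssprovider.jar: a client-side guard that skips the wrap-size computation when the peer advertises a maximum receive buffer of 0, so an authentication-only handshake cannot fail on it. The token layout is that of the SASL GSSAPI mechanism (RFC 4752); the class and method names, the sample tokens and the 53-octet overhead (borrowed from the error message above) are assumptions for illustration.

```java
import java.util.function.IntUnaryOperator;

public class SaslMaxBufGuard {
    static final int LAYER_NONE = 1; // RFC 4752 bitmask value: no security layer

    // Maximum receive buffer from the unwrapped 4-octet negotiation token:
    // octet 0 is the security-layer bitmask, octets 1..3 the size, big-endian.
    static int peerMaxBuf(byte[] token) {
        if (token.length != 4) throw new IllegalArgumentException("expected 4 octets");
        return ((token[1] & 0xff) << 16) | ((token[2] & 0xff) << 8) | (token[3] & 0xff);
    }

    // Hypothetical stand-in for a wrap-size computation that rejects an input
    // smaller than the per-message token overhead, as the reported message does.
    static int strictWrapSizeLimit(int maxTokenSize) {
        final int overhead = 53; // assumption: value taken from the message on this page
        if (maxTokenSize < overhead)
            throw new IllegalStateException("Input max size " + maxTokenSize
                    + " less than computed required size " + overhead);
        return maxTokenSize - overhead; // simplified; a real mechanism computes this
    }

    // Largest plaintext the client may pass to wrap(); 0 when nothing will be wrapped.
    static int rawSendSize(byte[] token, int chosenLayer, IntUnaryOperator wrapSizeLimit) {
        int maxBuf = peerMaxBuf(token);
        if (chosenLayer == LAYER_NONE || maxBuf == 0)
            return 0; // authentication only: skip the size computation entirely
        return wrapSizeLimit.applyAsInt(maxBuf);
    }

    public static void main(String[] args) {
        byte[] authOnly = {0x01, 0x00, 0x00, 0x00};                // constructed: buffer size 0
        byte[] integrity = {0x02, 0x00, (byte) 0xff, (byte) 0xff}; // constructed: 65535 octets

        try {
            strictWrapSizeLimit(peerMaxBuf(authOnly)); // unguarded call fails as in the trace
        } catch (IllegalStateException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        System.out.println("guarded, no layer:  "
                + rawSendSize(authOnly, LAYER_NONE, SaslMaxBufGuard::strictWrapSizeLimit));
        System.out.println("guarded, integrity: "
                + rawSendSize(integrity, 2, SaslMaxBufGuard::strictWrapSizeLimit));
    }
}
```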
Temporary fix
Comments
APAR Information
APAR number
IV58752
Reported component name
TIV JAVA GSS-AP
Reported component ID
TIVSECJGS
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-04-04
Closed date
2014-05-20
Last modified date
2014-05-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV JAVA GSS-AP
Fixed component ID
TIVSECJGS
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
30 May 2014