GSSException: [..] Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled

Anonymous (unverified), submitted on 2019-12-03 03:02:02

Question:

After setting our domain users to support AES encryption for Kerberos tokens (Windows Server 2008R2), on a web-application server side we get the following exception:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)

Strangely we have Java 6 (1.6.0_27), which means that AES should be supported, according to this document: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

Any ideas what's missing in our web-application or Java, or third parties? We are using Spring security Kerberos extension (with minimal code modifications to fit into our current Spring 2.x version and additional authentication requirements).

Answer 1:

EDIT (2017-05-06): upcoming JDK versions will have this included. Only a config parameter needs to be set, see JDK-8157561.

Follow this link - Java SE Downloads, scroll down and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your specific JDK version and follow the process in this tutorial titled: 5.4.2. Kerberos and Unlimited Strength Policy.

The basic steps are as follows:

  1. locate your JDK's security directory (showing Unix below):

    $ locate 'jre/lib/security' | grep 'lib/security$'
    /usr/java/jdk1.7.0_17/jre/lib/security
    /usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security
    /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/security

  2. Noting the above, we need to add the downloaded JCE .jar files to /usr/java/jdk1.7.0_17/jre/lib/security.

  3. The JCE .zip file includes the following (showing JDK 1.7's JCE):

    $ ls -l UnlimitedJCEPolicy
    total 16
    -rw-rw-r-- 1 root root 2500 May 31  2011 local_policy.jar
    -rw-r--r-- 1 root root 7289 May 31  2011 README.txt
    -rw-rw-r-- 1 root root 2487 May 31  2011 US_export_policy.jar

  4. These are the bundled versions with the JDK (again 1.7):

    $ ls -l /usr/java/jdk1.7.0_17/jre/lib/security/*.jar
    -rw-r--r--. 1 root root 2865 Mar  1  2013 /usr/java/jdk1.7.0_17/jre/lib/security/local_policy.jar
    -rw-r--r--. 1 root root 2397 Mar  1  2013 /usr/java/jdk1.7.0_17/jre/lib/security/US_export_policy.jar

  5. We need to move these out of the way and replace them with the included versions in the JCE .zip file. I typically do the following:

    $ pushd /usr/java/jdk1.7.0_17/jre/lib/security/
    /usr/java/jdk1.7.0_17/jre/lib/security ~

    $ mkdir limited
    $ mv *.jar limited/

    $ cp ~/UnlimitedJCEPolicy/*.jar .
    $ ls -l *.jar
    -rw-r--r-- 1 root root 2500 Jun 25 12:50 local_policy.jar
    -rw-r--r-- 1 root root 2487 Jun 25 12:50 US_export_policy.jar

  6. Restart anything that's making use of JDK (Tomcat, etc.).
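
A way to confirm the steps above took effect, added here as an example and not part of the original answer: a small Java check that reports whether the JVM's policy permits 256-bit AES keys, which the AES256 Kerberos encryption type needs. The class name `JcePolicyCheck` is hypothetical, and the `crypto.policy` property it reads is not named on this page (it is assumed to be the config parameter the 2017 edit refers to).

```java
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example: reports whether this JVM's JCE policy permits AES-256. */
public class JcePolicyCheck {

    /** Maximum AES key size, in bits, allowed by the installed policy files. */
    static int maxAesBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Tries to initialise an AES cipher with a key of the given size. */
    static boolean canInitAes(int bits) {
        try {
            byte[] zeroKey = new byte[bits / 8]; // constructed all-zero key, check only
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(zeroKey, "AES"));
            return true;
        } catch (Exception e) {
            // Limited policy: InvalidKeyException ("Illegal key size")
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Several JDKs may be installed (see step 1); show which one is running.
        System.out.println("java.home     : " + System.getProperty("java.home"));
        System.out.println("java.version  : " + System.getProperty("java.version"));
        // Assumption: null on JDKs that predate the configuration property.
        System.out.println("crypto.policy : " + Security.getProperty("crypto.policy"));

        int max = maxAesBits();
        System.out.println("max AES bits  : "
                + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        System.out.println("AES-128 init  : " + canInitAes(128));

        boolean aes256 = canInitAes(256);
        System.out.println("AES-256 init  : " + aes256);
        if (!aes256) {
            System.err.println("AES-256 is blocked: the limited policy files are "
                    + "still active under the java.home printed above.");
            System.exit(1);
        }
    }
}
```

Run it with the same `java` binary the application server uses; a limited policy reports a maximum of 128 bits and exits with status 1.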


