问题
After setting our domain users to support AES encryption for Kerberos tokens (Windows Server 2008R2), on a web-application server side we get the following exception:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)
Strangely we have Java 6 (1.6.0_27) , which means that AES should be supported, according to this document: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
Any ideas what's missing in our web-application or Java, or third parties? We are using Spring security Kerberos extension (with minimal code modifications to fit into our current Spring 2.x version and additional authentication requirements).
回答1:
EDIT (2017-05-06): upcoming JDK versions will have this included. Only a config parameter needs to be set, see JDK-8157561.
Follow this link - Java SE Downloads, scroll down and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your specific JDK version and follow the process in this tutorial titled: 5.4.2. Kerberos and Unlimited Strength Policy.
The basic steps are as follows:
locate your JDK's security directory (showing Unix below):
$ locate 'jre/lib/security' | grep 'lib/security$' /usr/java/jdk1.7.0_17/jre/lib/security /usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/securityNoting the above, we need to add the downloaded JCE .jar files to
/usr/java/jdk1.7.0_17/jre/lib/security.The JCE .zip file includes the following (showing JDK 1.7's JCE):
$ ls -l UnlimitedJCEPolicy total 16 -rw-rw-r-- 1 root root 2500 May 31 2011 local_policy.jar -rw-r--r-- 1 root root 7289 May 31 2011 README.txt -rw-rw-r-- 1 root root 2487 May 31 2011 US_export_policy.jarThese are the bundled versions with the JDK (again 1.7):
$ ls -l /usr/java/jdk1.7.0_17/jre/lib/security/*.jar -rw-r--r--. 1 root root 2865 Mar 1 2013 /usr/java/jdk1.7.0_17/jre/lib/security/local_policy.jar -rw-r--r--. 1 root root 2397 Mar 1 2013 /usr/java/jdk1.7.0_17/jre/lib/security/US_export_policy.jarWe need to move these out of the way and replace them with the included versions in the JCE .zip file. I typically do the following:
$ pushd /usr/java/jdk1.7.0_17/jre/lib/security/ /usr/java/jdk1.7.0_17/jre/lib/security ~ $ mkdir limited $ mv *.jar limited/ $ cp ~/UnlimitedJCEPolicy/*.jar . $ ls -l *.jar -rw-r--r-- 1 root root 2500 Jun 25 12:50 local_policy.jar -rw-r--r-- 1 root root 2487 Jun 25 12:50 US_export_policy.jarRestart anything that's making use of JDK (Tomcat, etc.).
来源:https://stackoverflow.com/questions/12956037/gssexception-encryption-type-aes256cts-mode-with-hmac-sha1-96-is-not-suppo