Updating the Kerberos krb.conf file using the "java.security.krb5.conf" System property is not working
I want to point to a different krb.conf file dynamically, without restarting the JVM. I have searched through different solutions on Stack Overflow and tried to implement them accordingly. But somehow, even if I update the System property "java.security.krb5.conf" to point to the new krb.conf file, JAAS does not pick this up and is still using the earlier conf file. Following are the details of my solution with the code:

My Jaas.conf file is as follows:

    Mutual {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };
    sp.kerb.sso.KinitExample {
        com.sun.security.auth.module.Krb5LoginModule required
        client=TRUE
        refreshKrb5Config=true
        debug=true;
    };

I have set refreshKrb5Config=true for obvious reasons as I want to reload the krb configuration file.

Here is the code I am trying to execute:

    package sp.kerb.sso;

    import sun.security.krb5.internal.tools.Kinit;

    public class KinitExample {

        public static void main(String[] args) {

            String kerberosFileName = "C:\\Windows\\krb5.ini";
            String jaas_config_file_name = "C:\\Users\\User1\\temp\\howrah.jaas.conf";

            System.setProperty("java.security.auth.login.config", jaas_config_file_name); // setting the JAAS config file
            System.setProperty("java.security.krb5.conf", kerberosFileName);              // setting the Kerberos config file
            System.setProperty("java.security.krb5.debug", "true");

            final String administrator = "[email protected]".toUpperCase();
            String cacheFileLoc = "C:\\Users\\User1\\temp\\admin.cache";

            // Performing kinit against the first realm ...
            Kinit.main(new String[]{"-c", cacheFileLoc, administrator, "Password123"});

            kerberosFileName = "C:\\Users\\User2\\temp\\new.krb.conf"; // using the new KRB configuration file

            System.setProperty("java.security.krb5.debug", "true");
            System.setProperty("java.security.auth.login.config", jaas_config_file_name); // setting the property again

            System.setProperty("java.security.krb5.conf", kerberosFileName); // setting the property again

            System.out.println(System.getProperty("java.security.krb5.conf")); // prints the updated conf file location

            // Performing kinit against the second realm ...
            cacheFileLoc = "C:\\Users\\User2\\temp\\newadmin.cache";
            String newAdmin = "[email protected]".toUpperCase();
            Kinit.main(new String[]{"-c", cacheFileLoc, newAdmin, "Password123"});
        }
    }

The cache for the admin is created, but the cache for the newAdmin is not created, as the respective krb.conf files have distinct realms and JAAS doesn't seem to be able to connect to the realm from new.krb.conf, and hence fails with the infamous 906 error code.

What is it that I am doing wrong? Is what I want to achieve possible? How should I resolve the issue?


Also note that if I comment out the admin cache creation logic entirely and start with new.krb.conf (all the code related to newAdmin), it works perfectly fine and creates the cache for newAdmin.

Shutout answered 13/1, 2021 at 11:22 Comment(4)
"krb.conf files have distinct realms" >> do you have a good reason not to merge these files? I mean, in large multinational corporations I have seen 10+ Kerberos realms (AD domains actually) listed, with cross-realm authentication enabled (implicitly via the "root" domain/realm). Sometimes with a specific realm (MIT Kerberos or FreeIPA) servicing a specific Hadoop cluster, on top of that. – Unexpressed
The reason for different krb.conf files is that our application works as a middle layer to fetch/search the AD objects from the AD domains. We don't know which AD domains to handle beforehand to create a single/static krb.conf file. – Shutout
Two things to try out: 1. raise some JAAS debugging flags, i.e. -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext -- configuration issues are silently ignored, the flags are the only way to detect them // 2. reset the JAAS configuration with e.g. a different file name and see if the Kerberos conf is bounced also. – Unexpressed
And then 3. change dynamically the content of the initial krb5.conf and see what happens. – Unexpressed
You should call sun.security.krb5.Config.refresh(); in order to reload the configuration from the new file.

Dear answered 18/1, 2021 at 8:13 Comment(1)
Oh man, that was a godsend answer! – Apgar
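The reload step named in the answer, shown as an added example that is not code from the question or the answer. It writes two constructed krb5.conf files to the temp directory, points java.security.krb5.conf at the first and then the second, and reads back Config.getInstance().getDefaultRealm() each time, so you can see that the parsed configuration the JVM caches does not follow the property until Config.refresh() is called. Nothing authenticates, so no KDC is needed; the class name, realm names and KDC hostnames are made up for the demonstration. Two facts worth knowing alongside it: refreshKrb5Config=true in the JAAS file only takes effect inside Krb5LoginModule, which the question's code never invokes (Kinit builds the AS request itself without going through JAAS), so an explicit refresh() is what that code path needs; and sun.security.krb5 is an internal package of the java.security.jgss module, so on JDK 9 and later compile and run with --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import sun.security.krb5.Config;
import sun.security.krb5.KrbException;

/**
 * Added example (not from the question or the answer). Shows that changing the
 * java.security.krb5.conf property alone leaves the cached Kerberos configuration
 * unchanged, and that sun.security.krb5.Config.refresh() is what re-reads the file.
 *
 * JDK 9+: --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED
 */
public class Krb5ConfigReload {

    /** Writes a minimal, constructed krb5.conf for one realm and returns its path. */
    static Path writeKrb5Conf(String realm, String kdcHost) throws IOException {
        String conf = String.join(System.lineSeparator(),
                "[libdefaults]",
                "  default_realm = " + realm,
                "",
                "[realms]",
                "  " + realm + " = {",
                "    kdc = " + kdcHost,
                "  }",
                "");
        Path path = Files.createTempFile("krb5-" + realm.toLowerCase(), ".conf");
        Files.write(path, conf.getBytes(StandardCharsets.UTF_8));
        path.toFile().deleteOnExit();
        return path;
    }

    /** Current default realm as seen by the JVM's cached Kerberos configuration. */
    static String cachedDefaultRealm() throws KrbException {
        return Config.getInstance().getDefaultRealm();
    }

    /**
     * Points the JVM at a new krb5.conf and forces the cached configuration to be
     * re-read. Returns the default realm parsed from the new file so the caller can
     * verify the switch took effect before attempting any login.
     */
    static String switchKrb5Conf(Path conf) throws KrbException {
        System.setProperty("java.security.krb5.conf", conf.toString());
        Config.refresh();   // the step the question's code was missing
        return cachedDefaultRealm();
    }

    public static void main(String[] args) throws Exception {
        // Hostnames are placeholders; nothing here contacts a KDC.
        Path first = writeKrb5Conf("ALPHA.EXAMPLE", "kdc.alpha.example.invalid");
        Path second = writeKrb5Conf("BETA.EXAMPLE", "kdc.beta.example.invalid");

        System.setProperty("java.security.krb5.conf", first.toString());
        System.out.println("initial realm           : " + cachedDefaultRealm());

        // Only the property changes here; Config still holds the first file's contents.
        System.setProperty("java.security.krb5.conf", second.toString());
        System.out.println("after setProperty only  : " + cachedDefaultRealm());

        // refresh() re-parses the file named by the property.
        String realm = switchKrb5Conf(second);
        System.out.println("after Config.refresh()  : " + realm);

        if (!"BETA.EXAMPLE".equals(realm)) {
            throw new IllegalStateException("krb5.conf was not reloaded; still " + realm);
        }
    }
}
```

Reading the realm back after the switch is the cheap check to keep: a login that fails because the old realm is still cached surfaces only as a KDC error (the 906 code in the question), whereas comparing getDefaultRealm() against the realm you expect tells you immediately whether the reload happened.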
