Kerberos is moving away from PeopleSoft as of PeopleTools 8.57. Up to 8.56 Oracle used to deliver the SDK; later on they removed the SDK from the Tools package.
Surprisingly, Oracle does still deliver the source code so that customers can make use of it and use Kerberos as an SSO mechanism.
You can find the source code at the location below:
$PS_HOME/sdk/desktopsso/src/com/peoplesoft/pt/desktopsso/kerberos
KerberosSSOFilter.java ===> Used on the web server for requesting the token.
KerberosSSOValidator.java ===> Used on the app server for validating it.
Kerberos is such a nice and strong SSO solution that I would keep using it, but it does lack a logging feature.
This means that if there is any issue you cannot easily troubleshoot it, because the error message just says:
<BEA-000000> <KerberosSSOFilter: Received invalid token.>
The error is generic, so I thought we could add a few more logging statements to the Java class and recompile it.
Add the lines of code below right after line #142 (the catch (GSSException e) line):
142 catch (GSSException e) {
143 this.verbPrint("Received invalid token.");
144 this.verbPrint(e.getMajorString());
145 this.verbPrint(e.getMinorString());
146 this.verbPrint(e.getMessage());
147 this.verbPrint(e.toString());
148 System.out.println("Major Code: " + String.valueOf(e.getMajor()));
149 System.out.println("Minor Code: " + String.valueOf(e.getMinor()));
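The verbPrint calls above write each GSSException field on its own line. As an added example (my own code, not part of the SDK Oracle delivers), the helper below does the same job in one structured line, names the major status code using the constants on org.ietf.jgss.GSSException (the "Major Code: 11" seen later in PIA_stdout.log is GSSException.FAILURE) and never writes the token bytes themselves, which have no diagnostic value and are an authenticator. It assumes java.util.logging output is captured by the WebLogic domain as stdout is; the sample exception in main() is constructed from the minor string seen in the log, not thrown by a real keytab.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import org.ietf.jgss.GSSException;

/** Added example: one structured log line per rejected Kerberos token. */
public final class GssFailureLogger {
    private static final Logger LOG = Logger.getLogger(GssFailureLogger.class.getName());

    private GssFailureLogger() {}

    /** Symbolic name for a GSS-API major status code (constants from GSSException). */
    public static String majorName(int major) {
        switch (major) {
            case GSSException.BAD_BINDINGS:         return "BAD_BINDINGS";
            case GSSException.BAD_MECH:             return "BAD_MECH";
            case GSSException.BAD_NAME:             return "BAD_NAME";
            case GSSException.BAD_NAMETYPE:         return "BAD_NAMETYPE";
            case GSSException.BAD_STATUS:           return "BAD_STATUS";
            case GSSException.BAD_MIC:              return "BAD_MIC";
            case GSSException.CONTEXT_EXPIRED:      return "CONTEXT_EXPIRED";
            case GSSException.CREDENTIALS_EXPIRED:  return "CREDENTIALS_EXPIRED";
            case GSSException.DEFECTIVE_CREDENTIAL: return "DEFECTIVE_CREDENTIAL";
            case GSSException.DEFECTIVE_TOKEN:      return "DEFECTIVE_TOKEN";
            case GSSException.FAILURE:              return "FAILURE";
            case GSSException.NO_CONTEXT:           return "NO_CONTEXT";
            case GSSException.NO_CRED:              return "NO_CRED";
            case GSSException.UNAUTHORIZED:         return "UNAUTHORIZED";
            case GSSException.UNAVAILABLE:          return "UNAVAILABLE";
            case GSSException.DUPLICATE_TOKEN:      return "DUPLICATE_TOKEN";
            case GSSException.OLD_TOKEN:            return "OLD_TOKEN";
            case GSSException.UNSEQ_TOKEN:          return "UNSEQ_TOKEN";
            case GSSException.GAP_TOKEN:            return "GAP_TOKEN";
            default:                                return "UNKNOWN(" + major + ")";
        }
    }

    /** Builds the single line that replaces the five verbPrint calls. */
    public static String describe(GSSException e) {
        return "KerberosSSOFilter: token rejected"
             + " major=" + e.getMajor() + " (" + majorName(e.getMajor()) + ": " + e.getMajorString() + ")"
             + " minor=" + e.getMinor() + " (" + e.getMinorString() + ")";
    }

    /** Call this from the catch (GSSException e) block; the token itself is deliberately not logged. */
    public static void log(GSSException e) {
        LOG.log(Level.WARNING, describe(e), e);
    }

    public static void main(String[] args) {
        // Constructed sample: the minor string is the one seen in PIA_stdout.log in this post,
        // with major FAILURE (11) and minor -1 as reported by the added System.out lines.
        GSSException sample = new GSSException(GSSException.FAILURE, -1,
            "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP"
            + " - AES256 CTS mode with HMAC SHA1-96");
        System.out.println(describe(sample));
        log(sample);
    }
}
```

Compile it on the same classpath as KerberosSSOFilter.java (org.ietf.jgss ships with the JDK, so no extra jar is needed) and call GssFailureLogger.log(e) from the catch block. The minor string is what the keytab team needs: it names the encryption type the service ticket was issued with, so they can check that the keytab contains a key of that type for the service principal.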
Try compiling it using the JDK (please do not use the JRE, which has no javac):
cd $PS_CFG_HOME/webserv/<domain_name>/bin
. ./setEnv.sh
export CLASSPATH=$CLASSPATH:$PS_CFG_HOME/webserv/<domain_name>/applications/peoplesoft/PORTAL.war/WEB-INF/classes
$JDK_HOME/bin/javac KerberosSSOFilter.java
In case you get the error below while compiling:
KerberosSSOFilter.java:324: error: getHeaderNames() in KerberosSSOFilter.KerberosAuthWrapper cannot implement getHeaderNames() in HttpServletRequest
public Enumeration<?> getHeaderNames() {
^
return type Enumeration<?> is not compatible with Enumeration<String>
go to the reported line number and change the ? type argument to String, as in the example below:
180 @Override
181 public Enumeration<String> getHeaders(final String name) {
182 if (name.equals("KRB_USER")) {
183 final Vector<String> values = new Vector<String>();
184 values.add(this.principalName);
185 return values.elements();
186 }
187 final HttpServletRequest req = (HttpServletRequest)this.getRequest();
188 return req.getHeaders(name);
Now the actual error message will be logged in your PIA_stdout.log along with "Received invalid token":
<BEA-000000> <KerberosSSOFilter: Received invalid token.>
<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level>
<BEA-000000> <KerberosSSOFilter: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96>
<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>
<BEA-000000> <KerberosSSOFilter: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>
<BEA-000000> <Major Code: 11>
<BEA-000000> <Minor Code: -1>
You can pass this error message on to the team responsible for generating the keytab.
This is great. Thanks for sharing this