Original URL: http://stackoverflow.com/questions/12956037/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
GSSException: [..] Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled
Asked by Art Licis
After setting our domain users to support AES encryption for Kerberos tokens (Windows Server 2008R2), on a web-application server side we get the following exception:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)
Strangely we have Java 6 (1.6.0_27) , which means that AES should be supported, according to this document: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
Any ideas what's missing in our web-application or Java, or third parties? We are using Spring security Kerberos extension (with minimal code modifications to fit into our current Spring 2.x version and additional authentication requirements).
Answered by Michael-O
EDIT(2017-05-06): upcoming JDK versions will have this included. Only a config parameter needs to be set, see JDK-8157561.
Follow this link - Java SE Downloads, scroll down and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your specific JDK version and follow the process in this tutorial titled: 5.4.2. Kerberos and Unlimited Strength Policy.
The basic steps are as follows:
Locate your JDK's security directory (showing Unix below):
    $ locate 'jre/lib/security' | grep 'lib/security$'
    /usr/java/jdk1.7.0_17/jre/lib/security
    /usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security
    /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/security
Noting the above, we need to add the downloaded JCE .jar files to /usr/java/jdk1.7.0_17/jre/lib/security. The JCE .zip file includes the following (showing JDK 1.7's JCE):
    $ ls -l UnlimitedJCEPolicy
    total 16
    -rw-rw-r-- 1 root root 2500 May 31 2011 local_policy.jar
    -rw-r--r-- 1 root root 7289 May 31 2011 README.txt
    -rw-rw-r-- 1 root root 2487 May 31 2011 US_export_policy.jar
These are the bundled versions with the JDK (again 1.7):
    $ ls -l /usr/java/jdk1.7.0_17/jre/lib/security/*.jar
    -rw-r--r--. 1 root root 2865 Mar 1 2013 /usr/java/jdk1.7.0_17/jre/lib/security/local_policy.jar
    -rw-r--r--. 1 root root 2397 Mar 1 2013 /usr/java/jdk1.7.0_17/jre/lib/security/US_export_policy.jar
We need to move these out of the way and replace them with the included versions in the JCE .zip file. I typically do the following:
    $ pushd /usr/java/jdk1.7.0_17/jre/lib/security/
    /usr/java/jdk1.7.0_17/jre/lib/security ~
    $ mkdir limited
    $ mv *.jar limited/
    $ cp ~/UnlimitedJCEPolicy/*.jar .
    $ ls -l *.jar
    -rw-r--r-- 1 root root 2500 Jun 25 12:50 local_policy.jar
    -rw-r--r-- 1 root root 2487 Jun 25 12:50 US_export_policy.jar
Restart anything that's making use of JDK (Tomcat, etc.).
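
A check to run after the steps above, added here as an example and not part of the original answer: it reports whether the running JVM's JCE policy permits the 256-bit AES keys that the AES256CTS / HMAC SHA1-96 encryption type needs. The class name `JcePolicyCheck` is hypothetical; `crypto.policy` is the security property that newer JDKs use to select the policy, and it reads as null on older ones.

```java
import java.io.File;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {
    // True when the active JCE policy allows 256-bit AES keys.
    static boolean aes256Permitted() throws Exception {
        // 128 under the limited policy, Integer.MAX_VALUE under the unlimited one
        if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
            return false;
        }
        // Policy probe only: initialise a cipher with an all-zero 256-bit key;
        // nothing is encrypted. A limited policy would throw InvalidKeyException here.
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
        return true;
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + home);
        System.out.println("max AES bits  = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        // Older JDKs load the policy from these jars, the files replaced in the steps above.
        String[] jars = {"local_policy.jar", "US_export_policy.jar"};
        for (String jar : jars) {
            File f = new File(home, "lib/security/" + jar);
            if (f.isFile()) {
                System.out.println(f + " (" + f.length() + " bytes)");
            } else {
                System.out.println(f + " (not present)");
            }
        }

        boolean ok = aes256Permitted();
        System.out.println(ok ? "OK: AES-256 is permitted"
                              : "FAIL: limited policy active, AES-256 is blocked");
        // Non-zero exit status lets a deployment script fail fast
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run it with the same `java` binary the application server uses, since each JDK found by `locate` has its own policy files.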