Overview
When customers upgrade their hosted/on-premises (HOPS) instances to Jive 9.1 and above, they may face an error logging in with Kerberos Single Sign-On (SSO). The error message in sbs.log says "GSSException: Unsupported mechanism requested". The users will be asked to log in with usernames and passwords, despite Kerberos being configured.
This article walks you through the solution for this error.
Solution
In Jive HOPS 9.1, we moved from Oracle JDK 8.0 to Amazon Corretto 8.0 JDK. The out-of-the-box configuration of the crypto providers in the Amazon Corretto 8 JDK differs from the one found in Oracle JDK 8.0.
- You need to edit the file:
/usr/local/jive/java/jre/lib/security
- Existing security.provider.X entries need to be deleted or commented out. For example:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.4=sun.security.provider.Sun
- These entries need to be enabled:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
<supportagent>
See tickets #2790743, #2330130, and #2038642
</supportagent>
Testing
The users who were previously not able to log in using Kerberos SSO should now be able to log in successfully, without needing to enter a username and password.
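Before asking users to retest, the edit itself can be checked. The following is an added example, not part of Jive or of the original article: it parses the security.provider.N entries and reports duplicates, numbering gaps, and differences from the list above. The function name audit and the sample texts are constructed for illustration; it assumes the entries live in the JDK's java.security file in that directory.

```python
import re
# Provider order the article says to enable (copied from its list).
EXPECTED = [
    "sun.security.provider.Sun",
    "sun.security.rsa.SunRsaSign",
    "sun.security.ec.SunEC",
    "com.sun.net.ssl.internal.ssl.Provider",
    "com.sun.crypto.provider.SunJCE",
    "sun.security.jgss.SunProvider",
    "com.sun.security.sasl.Provider",
    "org.jcp.xml.dsig.internal.dom.XMLDSigRI",
    "sun.security.smartcardio.SunPCSC",
]
# Active entry only: a line starting with '#' never matches.
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S.*?)\s*$")

def audit(text, expected=EXPECTED):
    """Return a list of problems in java.security-style text (hypothetical helper)."""
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        n = int(m.group(1))
        if n in entries:
            problems.append(f"line {lineno}: security.provider.{n} set twice, last one wins")
        entries[n] = m.group(2)
    # The JDK reads security.provider.1, .2, ... and stops at the first missing number.
    loaded = []
    while len(loaded) + 1 in entries:
        loaded.append(entries[len(loaded) + 1])
    for n in sorted(entries):
        if n > len(loaded):
            problems.append(f"security.provider.{n} follows a numbering gap and is ignored")
    for i, want in enumerate(expected, 1):
        got = loaded[i - 1] if i <= len(loaded) else None
        if got != want:
            problems.append(f"security.provider.{i}: want {want}, found {got}")
    for i in range(len(expected) + 1, len(loaded) + 1):
        problems.append(f"security.provider.{i}: unexpected extra entry {loaded[i - 1]}")
    return problems

# Constructed sample inputs, not taken from a real server.
CORRECTED = "\n".join(f"security.provider.{i}={p}" for i, p in enumerate(EXPECTED, 1))
OLD_LEFT_IN = "security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider\n" + CORRECTED
GAP = CORRECTED.replace("security.provider.6=", "#security.provider.6=")
if __name__ == "__main__":
    for name, text in [("corrected", CORRECTED), ("old entry left in", OLD_LEFT_IN), ("gap", GAP)]:
        print(name, audit(text) or "OK")
```

Pass it the text of the edited file; an empty list means the active entries match the article's list exactly.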