Products | Versions |
---|---|
Spotfire Server | 12.0 and higher |
When the TIBCO Spotfire Server is upgraded to version 12.0, or newly installed at that version, and the RC4-HMAC encryption type is used in the krb5.conf file and the keytab, the Spotfire Server application fails to start and the following errors appear in server.log:
[*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosCredentialsManager' defined in class path resource [applicationContext-tss-is-common.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.KerberosCredentialsManager]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: Failure acquiring a Kerberos TGT for the service principal
ERROR 2022-09-17T12:22:17,719-0400 [unknown, #B-101, #270] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : SPNEGO NegoTokenTarg : did not have the right token type)
ERROR 2022-09-17T12:22:12,950-0400 [unknown, #B-20, #87] server.security.KerberosAuthenticator: Failure when executing privileged Kerberos authentication action
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)
Caused by: sun.security.krb5.KrbException: Encryption type RC4 with HMAC is not supported/enabled
Caused by: sun.security.krb5.KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:1015) ~[java.security.jgss:?]
This is because Spotfire 12.0 is bundled with Java SE Development Kit 17, in which the des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are deprecated and disabled by default. Therefore, after upgrading to Spotfire 12.0 from an earlier version that worked with the RC4-HMAC encryption type, Spotfire will fail to start. Please refer to the Java 17 release note.
To resolve this, create the keytab with the AES-128 or AES-256 encryption types and configure krb5.conf with the following encryption types:
default_tkt_enctypes = aes128-cts,aes256-cts
default_tgs_enctypes = aes128-cts,aes256-cts
Also make sure AES-128 and AES-256 are enabled on the service account created for the Spotfire Server and Node Manager.
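A pre-upgrade check for the krb5.conf settings discussed above, as an added example that is not part of the original article or of Spotfire. The function names, the alias list (taken from MIT krb5 naming) and the sample file are assumptions made for illustration.

```python
import re

# Names krb5.conf accepts for the two etypes Java 17 disables by default
# (alias list follows MIT krb5 naming; an assumption for other Kerberos stacks).
DISABLED = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4",
            "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"}
SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def audit_krb5_conf(text):
    """Return {setting: {"disabled": [...], "usable": [...]}} for [libdefaults]."""
    report, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in SETTINGS:
            # Lists may be comma- or space-separated; drop empty items (trailing comma).
            etypes = [e.lower() for e in re.split(r"[,\s]+", value) if e]
            report[key] = {  # "usable" only means "not in DISABLED"
                "disabled": [e for e in etypes if e in DISABLED],
                "usable": [e for e in etypes if e not in DISABLED],
            }
    return report

def findings(report):
    """Turn the report into readable lines; FAIL sorts before WARN."""
    out = []
    for key, r in report.items():
        if r["disabled"] and not r["usable"]:
            out.append(f"FAIL {key}: only {r['disabled']}; nothing usable on Java 17")
        elif r["disabled"]:
            out.append(f"WARN {key}: remove {r['disabled']}")
    return sorted(out)

# Constructed sample: a pre-upgrade krb5.conf still pinned to RC4.
SAMPLE = """
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = aes256-cts, rc4-hmac,
"""

if __name__ == "__main__":
    print("\n".join(findings(audit_krb5_conf(SAMPLE))))
```

A FAIL line marks a setting whose list holds only disabled etypes, the condition reported in the log above as "no supported default etypes for default_tkt_enctypes".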
External: Java 17 release note
Doc: Creating Keytab
Doc: Configuring krb5.conf
KB: 000039381 Enabling AES128 and AES256 for the service account