Sunday, March 31, 2013

Some useful SVN commands...

Here's a growing list of SVN commands useful for me...

$ svn log --limit 10
$ svn info
$ svn status -u
$ svn diff --diff-cmd meld
$ svn diff -r [head | revision# | revision#:revision#] 
$ svn propedit svn:externals .

Wednesday, March 13, 2013

How to view the IP table in Linux?

The following command lists the rules currently loaded in iptables:
sudo /sbin/iptables --list

Friday, March 8, 2013

"An unsupported signature or encryption algorithm was used"

While testing a WS-Trust scenario with WSO2 Identity Server and WSO2 ESB, I encountered the following error at the client side: 
Exception in thread "main" org.apache.axis2.AxisFault: Error in creating an encrypted key
          at org.apache.rampart.handler.RampartSender.invoke(
          at org.apache.axis2.engine.Phase.invokeHandler(
          at org.apache.axis2.engine.Phase.invoke(
          at org.apache.axis2.engine.AxisEngine.invoke(
          at org.apache.axis2.engine.AxisEngine.send(
          at org.apache.axis2.description.OutInAxisOperationClient.send(
          at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
          at org.apache.axis2.client.OperationClient.execute(
          at org.apache.axis2.client.ServiceClient.sendReceive(
          at org.apache.axis2.client.ServiceClient.sendReceive(
          at EchoClient.callEcho(
          at EchoClient.main(
      Caused by: org.apache.rampart.RampartException: Error in creating an encrypted key
          at org.apache.rampart.builder.BindingBuilder.getEncryptedKeyBuilder(
          at org.apache.rampart.builder.SymmetricBindingBuilder.setupEncryptedKey(
          at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(
          at org.apache.rampart.handler.RampartSender.invoke(
          ... 11 more
      Caused by: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm:; nested exception is: 
 Cannot find any provider supporting RSA/ECB/OAEPPadding
          at org.apache.rampart.builder.BindingBuilder.getEncryptedKeyBuilder(
          ... 16 more
      Caused by: Cannot find any provider supporting RSA/ECB/OAEPPadding
          at javax.crypto.Cipher.getInstance(DashoA13*..)
          ... 19 more
I had been trying hard to find the cause of this, but in the end it turned out that a single important jar was missing from the client's classpath.

[1] showed that what was missing was the Bouncy Castle [2] jar, a Java implementation of the cryptographic algorithms, which supplies the RSA/ECB/OAEPPadding transformation named in the innermost exception above. Downloading it from [3] and putting it on the classpath resolved the issue.

[1] Rampart FAQ blog
[2] Bouncy Castle home page
[3] Bouncy Castle downloads
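An added diagnostic for this kind of "Cannot find any provider supporting ..." failure (example code written for this page, not from the original post, from Rampart or from Bouncy Castle): it lists the JCE providers registered in the running JVM, checks whether the transformation named in the stack trace can be instantiated, then tries to load the Bouncy Castle provider through reflection so that the check compiles and runs whether or not the jar is on the classpath. The class name JceProviderCheck and the helper names are mine; org.bouncycastle.jce.provider.BouncyCastleProvider is the provider's real class name.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/**
 * Diagnostic for a missing JCE provider (added example, not Rampart's code).
 * Run it with the same classpath as the failing client to see whether the
 * transformation Rampart asked for is available before sending any request.
 */
public class JceProviderCheck {

    // Transformation from the "Cannot find any provider supporting ..." message.
    static final String TRANSFORMATION = "RSA/ECB/OAEPPadding";

    // Real class name of the Bouncy Castle JCE provider (shipped in bcprov-*.jar).
    static final String BC_PROVIDER_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** True if at least one registered provider can supply the transformation. */
    static boolean isSupported(String transformation) {
        try {
            Cipher.getInstance(transformation);
            return true;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException / NoSuchPaddingException: no provider found
            return false;
        }
    }

    /**
     * Registers Bouncy Castle if its jar is present. Loaded by name so this
     * class does not itself need bcprov at compile time; returns false when
     * the jar is absent, which is exactly the situation behind the error above.
     */
    static boolean registerBouncyCastle() {
        try {
            Class<?> providerClass = Class.forName(BC_PROVIDER_CLASS);
            Provider bc = (Provider) providerClass.getDeclaredConstructor().newInstance();
            if (Security.getProvider(bc.getName()) == null) {
                Security.addProvider(bc);
            }
            return true;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Registered JCE providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + ": " + p.getInfo());
        }
        System.out.println(TRANSFORMATION + " available before: " + isSupported(TRANSFORMATION));
        System.out.println("Bouncy Castle on classpath: " + registerBouncyCastle());
        System.out.println(TRANSFORMATION + " available after:  " + isSupported(TRANSFORMATION));
    }
}
```

If the last line still prints false after Bouncy Castle reports as present, the problem is not the classpath but the provider registration itself (for example a JDK that requires signed providers); if "Bouncy Castle on classpath" prints false, the fix is the one the post describes: put the bcprov jar on the client's classpath.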

Wednesday, March 6, 2013

An Overview of Kerberos...

Kerberos is a protocol that lets users authenticate once and then use many services spread over an internal network. It removes the burden of logging in again each time you need to access a service, which can be a file server, a WS-Trust based STS, and so on.

Three parties are involved in a Kerberos exchange. The first is the client principal, which is usually the actual network user. The second is the KDC (Key Distribution Center), and the third is the service principal, the actual service the user wants to access. We'll take a file server as the example service principal.

The KDC is connected to a user store and holds the credentials of both the client and the service.

Following are the steps taken in a typical Kerberos communication:

(1) When the user first logs in at the terminal, the client sends a request to the KDC asking for a Ticket-Granting-Ticket (TGT). This primary ticket is needed to request tickets for the individual services.

This request is encrypted with the client's password hash, except for one identifier that is sent visibly; usually this identifier is the username.

(2) The KDC then looks up this identifier in its user store and retrieves that user's password.

It then tries to decrypt the message the client sent. If decryption succeeds, the KDC knows the message came from a known user; otherwise it ends the communication.

(3) The KDC then generates a TGT and encrypts it with a key that only the KDC knows, because the TGT is intended to be read by the KDC itself and nobody else. It then sends the TGT to the client.

(4) The client stores this TGT in a memory area called the Kerberos tray.

(5) Now the client wants to access the File Server. To do so, it needs a ticket issued specifically for the File Server.

This is where the TGT comes into play: the client sends a copy of it back to the KDC.

Note that without the TGT, the KDC would have to repeat the whole user validation every time the client needs a service ticket. Because the TGT already contains all the required information, that validation is not needed again (for a pre-defined period, after which the TGT must be renewed).

(6) The KDC prepares a ticket for the File Server, encrypted with the File Server's password hash.

Remember that the File Server's credentials are also stored in the KDC, so this ticket can be read only by the KDC and the File Server.

The KDC then sends this ticket back to the client.

(7) The client stores the ticket in its Kerberos tray and sends a copy of it to the File Server, which tries to decrypt it with its own password. If that succeeds, the client is granted access to the server's resources.
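The seven steps above, simulated end to end as an added example (not from the original post): a client, a KDC with a user store, and a file server exchange the pre-authentication request, the TGT and the service ticket exactly as described, and the KDC rejects both a wrong password and a tampered TGT. The "encryption" here is a toy HMAC-authenticated XOR stream built only from Python's standard library, standing in for the real Kerberos encryption types so that the flow runs offline; the principal names and passwords are constructed for the demo, and all class and function names are mine.

```python
import hashlib, hmac, json, os, time

def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the 'password hash' the text refers to."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest())
        i += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object; only holders of `key` can open it."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    TGT_LIFETIME = 8 * 3600               # after this the TGT must be renewed

    def __init__(self, user_store: dict):
        # The user store holds credentials of clients and services alike.
        self.keys = {name: derive_key(pw) for name, pw in user_store.items()}
        self.kdc_key = os.urandom(32)      # key only the KDC knows (step 3)

    def authenticate(self, username: str, request: bytes) -> bytes:
        """Steps (2)-(3): look up the identifier, verify the encrypted request, issue a TGT."""
        user_key = self.keys.get(username)
        if user_key is None:
            raise PermissionError("unknown principal")
        try:
            req = unseal(user_key, request)   # succeeds only with the right password
        except ValueError:
            raise PermissionError("pre-authentication failed") from None
        if req.get("cname") != username:
            raise PermissionError("identifier mismatch")
        tgt = {"cname": username, "expires": time.time() + self.TGT_LIFETIME}
        return seal(self.kdc_key, tgt)         # readable by the KDC alone

    def service_ticket(self, tgt_blob: bytes, service: str) -> bytes:
        """Steps (5)-(6): accept a copy of the TGT, issue a ticket sealed with the service's key."""
        tgt = unseal(self.kdc_key, tgt_blob)   # ValueError if forged or tampered
        if tgt["expires"] < time.time():
            raise PermissionError("TGT expired; renew it")
        return seal(self.keys[service], {"cname": tgt["cname"], "sname": service})

class Client:
    def __init__(self, username: str, password: str):
        self.username, self.key = username, derive_key(password)
        self.tray = {}                         # step (4): the 'Kerberos tray'

    def login(self, kdc: KDC) -> None:
        """Step (1): identifier in the clear, the rest sealed with the password-derived key."""
        request = seal(self.key, {"cname": self.username, "timestamp": time.time()})
        self.tray["krbtgt"] = kdc.authenticate(self.username, request)

    def get_ticket(self, kdc: KDC, service: str) -> bytes:
        self.tray[service] = kdc.service_ticket(self.tray["krbtgt"], service)
        return self.tray[service]

class FileServer:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(password)

    def access(self, ticket: bytes) -> str:
        """Step (7): the server can open the ticket only if it was sealed with its own key."""
        t = unseal(self.key, ticket)
        if t["sname"] != self.name:
            raise PermissionError("ticket was issued for another service")
        return "access granted to " + t["cname"]

def _rejected(action, exc) -> bool:
    try:
        action()
    except exc:
        return True
    return False

def run_demo():
    store = {"alice": "correct horse", "fileserver": "service-secret"}  # constructed credentials
    kdc, fs = KDC(store), FileServer("fileserver", store["fileserver"])
    alice = Client("alice", "correct horse")
    alice.login(kdc)
    verdict = fs.access(alice.get_ticket(kdc, "fileserver"))
    # Wrong password: the KDC cannot open the request, so no TGT is issued.
    bad_password = _rejected(lambda: Client("alice", "wrong password").login(kdc), PermissionError)
    # One flipped bit in the TGT: the KDC refuses to issue a service ticket for it.
    tgt = alice.tray["krbtgt"]
    forged = _rejected(lambda: kdc.service_ticket(tgt[:-1] + bytes([tgt[-1] ^ 1]), "fileserver"), ValueError)
    return verdict, bad_password, forged
```

Calling run_demo() returns the file server's verdict for the honest client together with two True flags for the rejected wrong password and the rejected tampered TGT. Note that the file server never talks to the KDC during step (7): it trusts the ticket purely because it decrypts under a key only it and the KDC share, which is why the service's credential in the user store must be protected as carefully as the KDC's own key.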

The following is an excellent video that explains Kerberos in simple terms :)