提示

如果您配置了日志持久化,则有可能遇到如下错误。

本文作者:slankka

# 常见Kerberos 错误

错误1

No valid credentials provided(Mechanism level: Failed to find any Kerberos tgt)
1

解决方案,在CAT Server端加入JVM启动参数

-Djavax.security.auth.useSubjectCredsOnly=false
1

参见: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html


错误2

Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))] 
1

详细错误参见 ISSUE #1644 (opens new window)

解决方案,开启kerberos debug级别日志, 如果看到:

unsupported key type found the default TGT: 18
1

解压$JAVA_HOME/jre/lib/security/local_policy.jar 进去如果看到:

// Some countries have import limits on crypto strength. This policy file
// is worldwide importable.

grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128, 
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128, 
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};
1
2
3
4
5
6
7
8
9
10
11
12
13
14

说明该JDK版本 因为某些国家的进口管制限制,默认不支持AES 256的加密解密。需要去Oracle官网下载并替换local_policy.jarUS_export_policy.jar。(这两个文件在$JAVA_HOME/jre/lib/security/)