Tags: java, kerberos, jaas, java.security

Updating the Kerberos krb.conf file using the "java.security.krb5.conf" System.property() is not working


I want to point to a different krb.conf file, dynamically, without restarting the JVM. I have searched through different solutions on Stack Overflow and tried to implement the solution accordingly. But somehow, even if I update the System.property("java.security.krb5.conf", ...) to point to the new krb.conf file, JAAS is not able to understand this and is still using the earlier conf file. Following are the details of my solution with the code:

My Jaas.conf file is as follows:

    Mutual {
       com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };
    sp.kerb.sso.KinitExample {
       com.sun.security.auth.module.Krb5LoginModule required
       client=TRUE
       refreshKrb5Config=true
       debug=true;
    };

I have set refreshKrb5Config=true for obvious reasons as I want to reload the krb configuration file.

Here is the code I am trying to execute:

    package sp.kerb.sso;

    import sun.security.krb5.internal.tools.Kinit;

    public class KinitExample {

        public static void main(String[] args) {

            String kerberosFileName = "C:\\Windows\\krb5.ini";
            String jaas_config_file_name = "C:\\Users\\User1\\temp\\howrah.jaas.conf";

            System.setProperty("java.security.auth.login.config", jaas_config_file_name); // setting the JAAS config file
            System.setProperty("java.security.krb5.conf", kerberosFileName);              // setting the Kerberos config file
            System.setProperty("java.security.krb5.debug", "true");

            final String administrator = "admin@exampledomain.lab".toUpperCase();
            String cacheFileLoc = "C:\\Users\\User1\\temp\\admin.cache";

            // Performing kinit ...
            Kinit.main(new String[]{"-c", cacheFileLoc, administrator, "Password123"});

            kerberosFileName = "C:\\Users\\User2\\temp\\new.krb.conf"; // using the new KRB configuration file

            System.setProperty("java.security.krb5.debug", "true");
            System.setProperty("java.security.auth.login.config", jaas_config_file_name); // setting the property again

            System.setProperty("java.security.krb5.conf", kerberosFileName); // setting the property again

            System.out.println(System.getProperty("java.security.krb5.conf")); // prints the updated conf file location

            cacheFileLoc = "C:\\Users\\User2\\temp\\newadmin.cache";
            String newAdmin = "administrator@test.lab".toUpperCase();
            Kinit.main(new String[]{"-c", cacheFileLoc, newAdmin, "Password123"});
        }
    }

The cache for the admin is created, but the cache for the newAdmin is not created, as the respective krb.conf files have distinct realms and JAAS doesn't seem to be able to connect to the realm from the new.krb.conf, and hence fails with the infamous 906 error code.

What is it that I am doing wrong? Is what I want to achieve possible? How should I resolve the issue?


Also note that if I completely comment out the admin cache creation logic and start with the new.krb.conf (all the code related to newAdmin), it works perfectly fine and creates the cache for the newAdmin.


Solution

  • You should call sun.security.krb5.Config.refresh(); in order to reload the configuration from the new file.
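Putting the answer together with the question's flow, as an added example that is not part of the original post or of the JDK's own code: the JDK caches the parsed krb5.conf in the Config singleton on first use, so changing the system property alone does nothing until Config.refresh() is called. The file paths, principals, JAAS config and passwords are placeholders; Config.getInstance().getDefaultRealm() is used as an observable check that the new file was really loaded before the second kinit runs.

```java
package sp.kerb.sso;

import sun.security.krb5.Config;
import sun.security.krb5.KrbException;
import sun.security.krb5.internal.tools.Kinit;

public class KinitRefreshExample {

    // Points the JVM at a different krb5 config, forces the cached Config
    // singleton to re-parse it, and returns the default realm it now reports
    // so the caller can confirm the switch before attempting a login.
    static String switchKrb5Config(String krb5ConfPath) throws KrbException {
        System.setProperty("java.security.krb5.conf", krb5ConfPath);
        // Without this call Config keeps the file it parsed on first use.
        Config.refresh();
        String realm = Config.getInstance().getDefaultRealm();
        System.out.println("krb5.conf=" + krb5ConfPath + " default_realm=" + realm);
        return realm;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder JAAS config path (assumption, not from the JDK).
        System.setProperty("java.security.auth.login.config",
                "C:\\Users\\User1\\temp\\howrah.jaas.conf");

        // First realm, from the first placeholder krb5 config file.
        String realm1 = switchKrb5Config("C:\\Windows\\krb5.ini");
        // Note: Kinit.main() calls System.exit on failure, so a bad password
        // or unreachable KDC terminates the JVM here rather than throwing.
        Kinit.main(new String[]{"-c", "C:\\Users\\User1\\temp\\admin.cache",
                "admin@" + realm1, "<password-placeholder>"});

        // Second realm, from a different placeholder krb5 config, same JVM.
        String realm2 = switchKrb5Config("C:\\Users\\User2\\temp\\new.krb.conf");
        if (realm2.equals(realm1)) {
            throw new IllegalStateException("krb5 config was not reloaded");
        }
        Kinit.main(new String[]{"-c", "C:\\Users\\User2\\temp\\newadmin.cache",
                "administrator@" + realm2, "<password-placeholder>"});
    }
}
```

On JDK 9 and later the sun.security.krb5 packages are internal to the java.security.jgss module, so compiling and running this needs the matching --add-exports flags (for example --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED), and these internal classes can change between releases.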