Kerberos Encryption Strength and the JCE Policy Files Extension

If the Kerberos encryption type in use requires a key longer than your JVM's cryptographic policy permits, you might encounter the error message "Unable to connect to server: GSS initiate failed" when trying to use the connector to connect to a Kerberos-enabled cluster. Java runtimes have traditionally shipped with a "limited" jurisdiction policy that caps symmetric key sizes at 128 bits. If your KDC issues tickets with a stronger encryption type (for example, aes256-cts-hmac-sha1-96, which needs a 256-bit AES key), the JVM refuses to use the session key and you see this error.

Diagnosing the Issue

If you encounter the error message "Unable to connect to server: GSS initiate failed", confirm that it is occurring due to encryption strength by enabling Kerberos layer logging in the JVM and then checking if the log output contains the error message "KrbException: Illegal key size".

To enable Kerberos layer logging in an Oracle or OpenJDK (formerly Sun) JVM, choose one:

  • In the Java command you use to start the application, pass in the following argument:
    -Dsun.security.krb5.debug=true

  • Or, add the following line to the source code of your application, before the first GSS-API or JAAS login call (the property is read when the Kerberos classes are loaded):
    System.setProperty("sun.security.krb5.debug", "true");

To enable Kerberos layer logging in an IBM JVM, choose one:

  • In the Java command you use to start the application, pass in the following arguments:
    -Dcom.ibm.security.krb5.Krb5Debug=all
    -Dcom.ibm.security.jgss.debug=all

  • Or, add the following lines to the source code of your application, before the first GSS-API or JAAS login call:
    System.setProperty("com.ibm.security.krb5.Krb5Debug", "all");
    System.setProperty("com.ibm.security.jgss.debug", "all");

Resolving the Issue

After you confirm that the error is occurring due to encryption strength, you can resolve the issue by downloading and installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files extension from your Java vendor. Refer to the instructions from the vendor to install the files to the correct location. Note that Oracle JDK and OpenJDK 8u161 and later, and Java 9 and later, enable the unlimited policy by default through the crypto.policy security property in the java.security file; on those versions the separate download is unnecessary, and you should instead check that crypto.policy has not been set to limited.

Important:

Consult your company’s policy to make sure that you are allowed to enable encryption strengths in your environment that are greater than what the JVM allows by default.

If the issue is not resolved after you install the JCE policy files extension, restart the JVM running the application (the policy files are read once at startup) and try your connection again. If the issue persists after the restart, verify that you installed the files into the runtime the application actually uses: the policy jars are read from the lib/security directory of that runtime, and on a machine with several JDKs or JREs it is easy to patch the wrong one. To identify the runtime, modify your Java source code to print the return value of the following call:

System.getProperty("java.ext.dirs")

On Java 8 and earlier this prints the runtime's lib/ext directory (followed by any platform extension directory); the policy jars belong in the lib/security directory next to it. The property was removed in Java 9, where the call returns null.
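As an added example (not part of the original page or the connector's code), the following Java program combines the diagnosis and the installation check in one place: it turns on Kerberos debug logging, asks the JCE framework for the largest AES key it will permit, which is the cap that surfaces as "Illegal key size", reports the crypto.policy security property, and lists the jurisdiction policy jars in the runtime's lib/security directory. The class name JcePolicyCheck and the Java 8 file layout it assumes are assumptions; the system and security property names and the Cipher.getMaxAllowedKeyLength call are standard JDK APIs.

```java
import javax.crypto.Cipher;
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

// Added example: reports whether this JVM can use AES-256 Kerberos session keys.
// The class name and the file locations below are assumptions based on the
// Java 8 layout; the property and API names are the standard JDK ones.
public class JcePolicyCheck {

    // aes256-cts-hmac-sha1-96 tickets need a 256-bit AES key. The "limited"
    // jurisdiction policy caps AES at 128 bits, which is what produces
    // "KrbException: Illegal key size" during GSS initiation.
    public static boolean aes256Permitted() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Same effect as -Dsun.security.krb5.debug=true; it must be set before the
        // Kerberos classes are loaded, so it goes first.
        System.setProperty("sun.security.krb5.debug", "true");

        String javaHome = System.getProperty("java.home");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + javaHome);
        // Shows <java.home>/lib/ext on Java 8; the property was removed in Java 9 (null).
        System.out.println("java.ext.dirs = " + System.getProperty("java.ext.dirs"));

        // The effective cap imposed by the jurisdiction policy. Under the unlimited
        // policy the JDK returns Integer.MAX_VALUE rather than a bit count.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key   = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));
        System.out.println(aes256Permitted()
                ? "AES-256 Kerberos tickets can be used."
                : "AES-256 Kerberos tickets will fail with 'Illegal key size'.");

        // Java 8u151+ and Java 9+ select the policy through this security property
        // in java.security; older runtimes rely on the jar files checked below.
        String policy = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy = " + (policy == null ? "(not set)" : policy));

        // Java 8 and earlier: the jurisdiction policy jars live under the runtime
        // named by java.home (for a JDK 8 install that is its jre/ subdirectory).
        File securityDir = new File(javaHome, "lib" + File.separator + "security");
        for (String jar : new String[] {"local_policy.jar", "US_export_policy.jar"}) {
            File f = new File(securityDir, jar);
            System.out.println(f + " -> " + (f.isFile() ? f.length() + " bytes" : "missing"));
        }
    }
}
```

Compile and run it with the same java binary the connector application uses (javac JcePolicyCheck.java && java JcePolicyCheck). If aes256Permitted() reports false even though the policy jars are present, compare the printed java.home with the installation you patched; a mismatch means the unlimited files went into a different runtime than the one on the application's path.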