How to fix unable to check revocation for the certificate when downloading a remote file in Vagrant - vagrant

As part of my Vagrantfile I have
config.vm.box = "hashicorp/bionic64"
config.vm.provision "shell", path: "https://get.docker.com", name: "dockers"
I'm behind a corporate proxy. I appended my corporate certificate to
C:\HashiCorp\Vagrant\embedded\cacert.pem. I also set the environment variables CURL_CA_BUNDLE and SSL_CERT_FILE to C:\HashiCorp\Vagrant\embedded\cacert.pem, which contains the certificate.
But vagrant up still fails with the following message:
schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
INFO interface: Machine: error-exit ["Vagrant::Errors::DownloaderError", "An error occurred while downloading the remote file. The error\nmessage, if any, is reproduced below. Please fix this error and try\nagain.\n\nschannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.\r"]
My guess is that Ruby (being used by Vagrant) cannot find the cert, or the call to get the revocation list is blocked. Any ideas what the exact issue is here and how to fix it?
Update
In debug mode it appears that curl (possibly called from Ruby?) is trying to download the file:
INFO downloader: Downloader starting download:
INFO downloader: -- Source: https://get.docker.com
INFO downloader: -- Destination: C:/Users/John/.vagrant.d/tmp/12288a08-a7ba-3d92-96ff-8bf28e739099-remote-script
INFO subprocess: Starting process: ["C:\\HashiCorp\\Vagrant\\embedded\\bin/curl.EXE", "-q", "--fail", "--location", "--max-redirs", "10", "--verbose", "--user-agent",
"Vagrant/2.2.16 (+https://www.vagrantup.com; ruby2.6.7) ", "--output", "C:/Users/John/.vagrant.d/tmp/12288a08-a7ba-3d92-96ff-8bf28e739099-remote-script", "https://get.docker.com"]
DEBUG subprocess: Selecting on IO
DEBUG subprocess: stderr: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 99.84.174.91:443...
* Connected to get.docker.com (99.84.174.91) port 443 (#0)
* schannel: ALPN, offering http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with get.docker.com port 443
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Have a look at this SO answer.
As mentioned there, disabling the antivirus software till vagrant init was initialized solved the problem.
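The check a practitioner would want, as an added example that is not part of the question, the answer or Vagrant: error 0x80092012 is CRYPT_E_NO_REVOCATION_CHECK, meaning schannel trusted the chain but could not obtain a CRL or OCSP response for it, which is why adding the corporate CA to cacert.pem changed nothing. The PowerShell script below reproduces the failure with Vagrant's own curl, rebuilds the chain with .NET's X509Chain in online revocation mode, lists the CRL/OCSP URLs each chain certificate points at, and tests whether each one is reachable from this machine. Assumed (not stated on the page): the curl path from the debug log, get.docker.com as the target, and that a direct outbound connection to port 443 works, as the "Connected to get.docker.com" line in the log shows.

```powershell
# Added diagnostic script; not part of the original question, the answer, or Vagrant.
# Assumptions: $Curl is the embedded curl path from the debug log and $Target is the
# host Vagrant failed to download from. Run on the Windows box where `vagrant up` fails.
param(
    [string]$Target = 'get.docker.com',
    [string]$Curl   = 'C:\HashiCorp\Vagrant\embedded\bin\curl.exe'
)

# 1. Reproduce with Vagrant's own curl, then repeat with schannel revocation
#    checking turned off. If only the second call succeeds, the chain itself is
#    trusted and the failing step is the CRL/OCSP fetch (CRYPT_E_NO_REVOCATION_CHECK).
"--- curl, default ---"
& $Curl --silent --show-error --output NUL "https://$Target"
"--- curl, --ssl-no-revoke ---"
& $Curl --silent --show-error --ssl-no-revoke --output NUL "https://$Target"

# 2. Fetch the server's leaf certificate. Validation is skipped here on purpose:
#    we want the certificate even when schannel would reject it.
$tcp = New-Object System.Net.Sockets.TcpClient($Target, 443)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($Target)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 3. Build the chain the way schannel does, with online revocation checking, and
#    print every status flag. RevocationStatusUnknown / OfflineRevocation here is
#    the same condition curl reports as 0x80092012.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
"--- X509Chain.Build (online revocation): $($chain.Build($leaf)) ---"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

# 4. List the CRL Distribution Point (2.5.29.31) and Authority Information Access
#    (1.3.6.1.5.5.7.1.1) URLs of every certificate in the chain and try to reach
#    each one. These fetches are what the revocation function needs to complete.
#    A chain issued by the antivirus or proxy CA instead of the public CA means TLS
#    is being intercepted, which is why disabling the antivirus changed the result.
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    "--- $($c.Subject)  (issuer: $($c.Issuer)) ---"
    foreach ($ext in $c.Extensions) {
        if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'https?://[^\s,]+')) {
            $url = $m.Value
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "  {0}  {1}" -f $r.StatusCode, $url
            } catch {
                # Any HTTP status (even 404 for a bare OCSP URL) means the path is open;
                # a timeout, a connection failure, or a proxy-generated 403/407 means
                # the revocation fetch is being blocked.
                $resp = $_.Exception.Response
                if ($resp) { "  {0}  {1}" -f [int]$resp.StatusCode, $url }
                else       { "  FAIL {0}  ({1})" -f $url, $_.Exception.Message }
            }
        }
    }
}

# 5. CryptoAPI downloads CRLs and OCSP responses over WinHTTP, so it honours the
#    Windows proxy configuration rather than the HTTP_PROXY/HTTPS_PROXY variables
#    curl reads. "Direct access (no proxy server)" behind a mandatory proxy means
#    the revocation fetch cannot leave the network even though curl itself can.
"--- WinHTTP proxy ---"
netsh winhttp show proxy
```

Two caveats. First, `--ssl-no-revoke` and turning off the antivirus are diagnostics, not fixes: both remove the revocation check for every TLS connection, so the durable fix is to allow the listed CRL/OCSP URLs through the proxy (or set the WinHTTP proxy so CryptoAPI can reach them); curl 7.70.0 and later also offer `--ssl-revoke-best-effort`, which tolerates an unreachable distribution point but still rejects a certificate the CRL marks as revoked. Second, the `-q` at the start of the logged command line tells curl not to read `.curlrc`, so neither flag can be injected into Vagrant's download that way.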

Related

SSL Error while Connecting to Apple Sandbox for Receipt Validation

3 out of 4 connections fail while trying to validate the receipt using the Apple sandbox URL. Is anyone experiencing the same issue?
https://sandbox.itunes.apple.com/verifyReceipt
Connection 3: encountered error(3:-9816)
2020-04-03 20:30:18.834825+0530 App[6312:266644] Task <AD18FA15-D34F-4428-BD0A-107AAAAAF555>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9816])
the upload task returned an error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9816, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x600000cac660 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://sandbox.itunes.apple.com/verifyReceipt, NSErrorFailingURLStringKey=https://sandbox.itunes.apple.com/verifyReceipt, _kCFStreamErrorDomainKey=3}

DDEV on VMware Ubuntu 18 VM

ddev will not start on a VMware Ubuntu 18 VM; it fails with the following error messages.
Failed to start drupaltraining: ddev-router failed to become ready:
logOutput=nginx: the configuration file /etc/nginx/nginx.conf syntax
is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx config: OK ddev-router healthcheck endpoint not responding
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed to connect to 127.0.0.1 port 80: Connection refused
, err=container /ddev-router unhealthy: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx config: OK ddev-router healthcheck endpoint not responding
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed to connect to 127.0.0.1 port 80: Connection refused
I was able to get it working on a physical Ubuntu 18 box.
Thanks for any help

Java 8 cryptography issue

I have developed a biometric authentication system on java8u144 and an Active Directory password reset using LDAPS on java8u191. When I tried to combine them...
First, biometric encryption popped an error for invalid key size. I updated to JCE Unlimited. Then biometric started working, but the LDAPS connection issues remain for the SSL handshake: PKIX path building failed.
I am not able to fix it.
Please help me out.
I am running out of time.
I am getting the following exception:
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-8084-exec-2, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-8084-exec-2, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2E .......
http-nio-8084-exec-2, called closeSocket()
http-nio-8084-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On java8u144 without JCE the code was working, but biometric needed unlimited strength. I tried java8u144, java8u162, java8u191.
Currently using java8u162.
The above exception is coming only after the JCE upgrade.
Kindly guide how to get the certificate chain for this.
NOTE: LDP.exe is working on the client successfully.
& OpenSSL: unable to verify first certificate

MongoDB shell 4.0.3 Windows cannot connect to MongoDB replica set: SSLHandshakeFailed: QueryContextAttributes for connection info failed

In Windows 10, I'm not able to connect to the MongoDB server, with the following errors:
>mongo "mongodb+srv://xxx-dsvlb.mongodb.net/test" --username xxx --verbose
2018-11-01T11:34:19.273+0700 D - [main] User Assertion: DNSHostNotFound: Failed to look up service "":This operation returned because the timeout period expired. C:\data\mci\6411135b04f345f6d01072b56250cba6\src\src\mongo/util/dns_query_windows-impl.h 254
MongoDB shell version v4.0.3
2018-11-01T11:34:30.535+0700 D - [main] User Assertion: DNSHostNotFound: Failed to look up service "":This operation returned because the timeout period expired. C:\data\mci\6411135b04f345f6d01072b56250cba6\src\src\mongo/util/dns_query_windows-impl.h 254
Enter password:
connecting to: mongodb+srv://xxx-dsvlb.mongodb.net/test
2018-11-01T11:35:16.589+0700 D - [js] User Assertion: DNSHostNotFound: Failed to look up service "":This operation returned because the timeout period expired. C:\data\mci\6411135b04f345f6d01072b56250cba6\src\src\mongo/util/dns_query_windows-impl.h 254
2018-11-01T11:35:16.590+0700 D NETWORK [js] creating new connection to:xxx-shard-00-02-dsvlb.mongodb.net.:27017
2018-11-01T11:35:17.356+0700 D - [js] User Assertion: SSLHandshakeFailed: QueryContextAttributes for connection info failed with-2146893055 C:\data\mci\6411135b04f345f6d01072b56250cba6\src\src\mongo/transport/session_asio.h 240
2018-11-01T11:35:17.357+0700 D NETWORK [js] creating new connection to:xxx-shard-00-01-dsvlb.mongodb.net.:27017
2018-11-01T11:35:18.197+0700 D - [js] User Assertion: SSLHandshakeFailed: QueryContextAttributes for connection info failed with-2146893055 C:\data\mci\6411135b04f345f6d01072b56250cba6\src\src\mongo/transport/session_asio.h 240
2018-11-01T11:35:18.198+0700 D NETWORK [js] creating new connection to:xx-shard-00-00-dsvlb.mongodb.net.:27017
2018-11-01T11:35:19.017+0700 D - [js] User Assertion: SSLHandshakeFailed: QueryContextAttributes for connection info failed with-2146893055 C:\data\mci\6411135b04f345f6d01072b56250cba6\src\src\mongo/transport/session_asio.h 240
2018-11-01T11:35:19.018+0700 D - [js] User Assertion: InternalError: couldn't connect to server lakon-shard-00-00-dsvlb.mongodb.net.:27017, connection attempt failed: SSLHandshakeFailed: QueryContextAttributes for connection info failed with-2146893055 src\mongo\scripting\mozjs\mongo.cpp 756
2018-11-01T11:35:19.021+0700 E QUERY [js] Error: couldn't connect to server lakon-shard-00-00-dsvlb.mongodb.net.:27017, connection attempt failed: SSLHandshakeFailed: QueryContextAttributes for connection info failed with-2146893055 :
connect#src/mongo/shell/mongo.js:257:13
#(connect):1:6
2018-11-01T11:35:19.024+0700 D - [js] User Assertion: Location12513: connect failed src\mongo\shell\shell_utils.cpp 343
2018-11-01T11:35:19.024+0700 I QUERY [js] MozJS GC prologue heap stats - total: 4056565 limit: 0
2018-11-01T11:35:19.027+0700 I QUERY [js] MozJS GC epilogue heap stats - total: 421536 limit: 0
2018-11-01T11:35:19.027+0700 I QUERY [js] MozJS GC prologue heap stats - total: 313504 limit: 0
2018-11-01T11:35:19.028+0700 I QUERY [js] MozJS GC epilogue heap stats - total: 131244 limit: 0
2018-11-01T11:35:19.029+0700 D - [main] User Assertion: Location12513: connect failed src\mongo\scripting\mozjs\proxyscope.cpp 300
exception: connect failed
Using MongoDB shell 3.6.2 on Windows 10, I still cannot connect but with a different error (confusing, isn't it?):
>mongo "mongodb+srv://xxx-dsvlb.mongodb.net/test" --username xxx --password xxx
MongoDB shell version v3.6.2
connecting to: mongodb+srv://xxx-dsvlb.mongodb.net/test
MongoDB server version: 3.6.8
2018-11-01T11:01:52.923+0700 E QUERY [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow#src/mongo/shell/db.js:1608:20
#(auth):6:1
#(auth):1:2
exception: login failed
However, with Ubuntu 16.04 I can connect just fine to the exact same server:
⟫ mongo "mongodb+srv://xxx-dsvlb.mongodb.net/test" --username xxx --password xxx
MongoDB shell version v4.0.3
connecting to: mongodb+srv://xxx-dsvlb.mongodb.net/test
2018-11-01T04:27:02.536+0000 I NETWORK [js] Starting new replica set monitor for lakon-shard-0/xxx-shard-00-02-dsvlb.mongodb.net.:27017,xxx-shard-00-00-dsvlb.mongodb.net.:27017,xxx-shard-00-01-dsvlb.mongodb.net.:27017
2018-11-01T04:27:02.561+0000 I NETWORK [ReplicaSetMonitor-TaskExecutor] Successfully connected to xxx-shard-00-02-dsvlb.mongodb.net.:27017 (1 connections now open to xxx-shard-00-02-dsvlb.mongodb.net.:27017 with a 5 second timeout)
2018-11-01T04:27:02.562+0000 I NETWORK [js] Successfully connected to xxx-shard-00-00-dsvlb.mongodb.net.:27017 (1 connections now open to xxx-shard-00-00-dsvlb.mongodb.net.:27017 with a 5 second timeout)
2018-11-01T04:27:02.563+0000 I NETWORK [js] changing hosts to xxx-shard-0/xxx-shard-00-00-dsvlb.mongodb.net:27017,xxx-shard-00-01-dsvlb.mongodb.net:27017,lakon-shard-00-02-dsvlb.mongodb.net:27017 from xxx-shard-0/xxx-shard-00-00-dsvlb.mongodb.net.:27017,xxx-shard-00-01-dsvlb.mongodb.net.:27017,xxx-shard-00-02-dsvlb.mongodb.net.:27017
2018-11-01T04:27:02.570+0000 I NETWORK [ReplicaSetMonitor-TaskExecutor] Successfully connected to xxx-shard-00-00-dsvlb.mongodb.net:27017 (1 connections now open to xxx-shard-00-00-dsvlb.mongodb.net:27017 with a 5 second timeout)
2018-11-01T04:27:02.573+0000 I NETWORK [js] Successfully connected to xxx-shard-00-02-dsvlb.mongodb.net:27017 (1 connections now open to xxx-shard-00-02-dsvlb.mongodb.net:27017 with a 5 second timeout)
Implicit session: session { "id" : UUID("4a6488c7-7a22-44d4-977e-07eb09ef37f6") }
MongoDB server version: 3.6.8
WARNING: shell and server versions do not match
2018-11-01T04:27:02.588+0000 I NETWORK [ReplicaSetMonitor-TaskExecutor] Successfully connected to xxx-shard-00-01-dsvlb.mongodb.net:27017 (1 connections now open to xxx-shard-00-01-dsvlb.mongodb.net:27017 with a 5 second timeout)
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
MongoDB Enterprise xxx-shard-0:PRIMARY>
A MongoDB Atlas support staff member told me this is due to the network connection on my part, but I'm sure that is not the root issue, because I can connect to the server when using other clients such as Robo 3T on the same Windows 10 computer.
This issue happens ONLY when using the MongoDB shell (both 3.6.2 and 4.0.3) in Windows 10.
It's probably a bug with the MongoDB shell and the Windows 10 implementation?
It's a bit late, but here: I had this problem when my shell's version was 4.0.5; then I installed 4.2.11, and it solved this problem. I tried many things with different connection string syntax and it did not solve the problem, still stuck at the SSLHandshake error, so I guessed that if the versions were the same it might solve the problem (mine 4.0.5 and remote was 4.2.11) and went ahead with the new version installation (though I still think it's not a version problem, but I don't know what is). This problem only happened while I was in the shell; connecting from clients like NoSQLBooster or Spring seemed to work fine. My Robo3T has a problem connecting, but randomly, sometimes once, sometimes after multiple retries.

KrbException connecting to Hadoop cluster with Zookeeper client - UNKNOWN_SERVER

My Zookeeper client is having trouble connecting to the Hadoop cluster.
This works fine from a Linux VM, but I am using a Mac.
I set the -Dsun.security.krb5.debug=true flag on the JVM and get the following output:
Found ticket for solr#DDA.MYCO.COM to go to krbtgt/DDA.MYCO.COM#DDA.MYCO.COM expiring on Sat Apr 29 03:15:04 BST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for solr#DDA.MYCO.COM to go to krbtgt/DDA.MYCO.COM#DDA.MYCO.COM expiring on Sat Apr 29 03:15:04 BST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbKdcReq send: kdc=oc-10-252-132-139.nat-ucfc2z3b.usdv1.mycloud.com UDP:88, timeout=30000, number of retries =3, #bytes=682
>>> KDCCommunication: kdc=oc-10-252-132-139.nat-ucfc2z3b.usdv1.mycloud.com UDP:88, timeout=30000,Attempt =1, #bytes=682
>>> KrbKdcReq send: #bytes read=217
>>> KdcAccessibility: remove oc-10-252-132-139.nat-ucfc2z3b.usdv1.mycloud.com
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
cTime is Thu Dec 24 11:18:15 GMT 2015 1450955895000
sTime is Fri Apr 28 15:15:06 BST 2017 1493388906000
suSec is 925863
error code is 7
error Message is Server not found in Kerberos database
cname is solr#DDA.MYCO.COM
sname is zookeeper/oc-10-252-132-160.nat-ucfc2z3b.usdv1.mycloud.com#DDA.MYCO.COM
msgType is 30
KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
at org.apache.zookeeper.client.ZooKeeperSaslClient$2.run(ZooKeeperSaslClient.java:366)
at org.apache.zookeeper.client.ZooKeeperSaslClient$2.run(ZooKeeperSaslClient.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:362)
at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:348)
at org.apache.zookeeper.client.ZooKeeperSaslClient.sendSaslPacket(ZooKeeperSaslClient.java:420)
at org.apache.zookeeper.client.ZooKeeperSaslClient.initialize(ZooKeeperSaslClient.java:458)
at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1057)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
... 18 more
ERROR 2017-04-28 15:15:07,046 5539 org.apache.zookeeper.client.ZooKeeperSaslClient [main-SendThread(oc-10-252-132-160.nat-ucfc2z3b.usdv1.mycloud.com:2181)]
An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided
(Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)])
occurred when evaluating Zookeeper Quorum Member's received SASL token.
This may be caused by Java's being unable to resolve the Zookeeper Quorum Member's hostname correctly.
You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment.
Zookeeper Client will go to AUTH_FAILED state.
I've tested the Kerberos config as follows:
>kinit -kt /etc/security/keytabs/solr.headless.keytab solr
>klist
Credentials cache: API:3451691D-7D5E-49FD-A27C-135816F33E4D
Principal: solr#DDA.MYCO.COM
Issued Expires Principal
Apr 28 16:58:02 2017 Apr 29 04:58:02 2017 krbtgt/DDA.MYCO.COM#DDA.MYCO.COM
Following the instructions from hortonworks I managed to get the kerberos ticket stored in a file:
>klist -c FILE:/tmp/krb5cc_501
Credentials cache: FILE:/tmp/krb5cc_501
Principal: solr#DDA.MYCO.COM
Issued Expires Principal
Apr 28 17:10:25 2017 Apr 29 05:10:25 2017 krbtgt/DDA.MYCO.COM#DDA.MYCO.COM
Also I tried the JVM option suggested in the stack trace (-Dsun.net.spi.nameservice.provider.1=dns,sun), but this led to a different error along the lines of Client session timed out, which suggests that this JVM param is preventing the client from connecting correctly in the first place.
==EDIT==
Seems that the Mac version of Kerberos is not the latest:
> krb5-config --version
Kerberos 5 release 1.7-prerelease
I just tried brew install krb5 to install a newer version, then adjusted the path to point to the new version.
> krb5-config --version
Kerberos 5 release 1.15.1
This has had no effect whatsoever on the outcome.
NB this works fine from a linux VM on my Mac, using exactly the same jaas.conf, keytab files, and krb5.conf.
krb5.conf:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = DDA.MYCO.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DDA.MYCO.COM = {
admin_server = oc-10-252-132-139.nat-ucfc2z3b.usdv1.mycloud.com
kdc = oc-10-252-132-139.nat-ucfc2z3b.usdv1.mycloud.com
}
Reverse DNS:
I checked that the FQDN hostname I'm connecting to can be found using a reverse DNS lookup:
> host 10.252.132.160
160.132.252.10.in-addr.arpa domain name pointer oc-10-252-132-160.nat-ucfc2z3b.usdv1.mycloud.com.
This is exactly as per the response to the same command from the linux VM.
===WIRESHARK ANALYSIS===
Using Wireshark configured to use the system keytabs allows a bit more detail in the analysis.
Here I have found that a failed call looks like this:
client -> host AS-REQ
host -> client AS-REP
client -> host AS-REQ
host -> client AS-REP
client -> host TGS-REQ <-- this call is detailed below
host -> client KRB error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
The erroneous TGS-REQ call shows the following:
Kerberos
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 1 item
req-body
Padding: 0
kdc-options: 40000000 (forwardable)
realm: DDA.MYCO.COM
sname
name-type: kRB5-NT-UNKNOWN (0)
sname-string: 2 items
SNameString: zookeeper
SNameString: oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
till: 1970-01-01 00:00:00 (UTC)
nonce: 797021964
etype: 3 items
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
Here is the corresponding successful call from the linux box, which is followed by several more exchanges.
Kerberos
tgs-req
pvno: 5
msg-type: krb-tgs-req (12)
padata: 1 item
req-body
Padding: 0
kdc-options: 40000000 (forwardable)
realm: DDA.MYCO.COM
sname
name-type: kRB5-NT-UNKNOWN (0)
sname-string: 2 items
SNameString: zookeeper
SNameString: d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
till: 1970-01-01 00:00:00 (UTC)
nonce: 681936272
etype: 3 items
ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
ENCTYPE: eTYPE-DES3-CBC-SHA1 (16)
ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
So it looks like the client is sending
oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
as the server host, when it should be sending:
d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
So the question is, how do I fix that? Bear in mind this is a Java piece of code.
My /etc/hosts has the following:
10.252.132.160 b3e073.ddapoc.ucfc2z3b.usdv1.mycloud.com
10.252.134.51 d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
10.252.132.139 d7cc18.ddapoc.ucfc2z3b.usdv1.mycloud.com
And my krb5.conf file has:
kdc = d7cc18.ddapoc.ucfc2z3b.usdv1.mycloud.com
kdc = b3e073.ddapoc.ucfc2z3b.usdv1.mycloud.com
kdc = d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
I tried adding -Dsun.net.spi.nameservice.provider.1=file,dns as a JVM param but got the same result.
I fixed this by setting up a local dnsmasq instance to supply the forward and reverse DNS lookups.
So now from the command line, host d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com returns 10.252.134.51
See also here and here.
Looks like some DNS issue.
Could this SO question help you resolve your problem?
Also, here is a Q&A about the problem.
It could also be because of a non-Sun JVM.
