How to Invoke the “echo service” secured with Kerberos in WSO2 ESB

13 Dec

This is most useful sample to verify the echo service secured with “kerberos”

First you have to download the WSO2-ESB 4.5.0 and WSO2-IS 4.0.0
In this example IS(Identity Server) act as KDC(key distribution center) so first of all we have to configure the IS

Open the bellow mentioned files and do the required changes

1. $IS_HOME/repository/conf/embedded-ldap.xml

Download Sample embedded-ldap.xml here
under <KDCServer> and  make the property “enable” = true as follows
<Property name=”enabled”>true</Property>

add this property under <KDCServer>
<Property name=”preAuthenticationTimeStampEnabled”>false</Property>

2. $IS_HOME/repository/conf/user-mgt.xml

Download Sample user-mgt.xml here
under <ApacheDSUserStoreManager>
<Property name=”kdcEnabled”>true</Property>

3. $IS_HOME/repository/conf/security/krb5.conf

Download Sample krb5.conf here

default_realm = WSO2.ORG
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
allow_weak_crypto = true

WSO2.ORG = {
kdc =

[domain_realm] = WSO2.ORG = WSO2.ORG

krb4_convert = true
krb4_get_tickets = false

4. $IS_HOME/repository/conf/security/jaas.conf

Download Sample jaas.conf here

Server { required

Client { required

Now IS is configured successfully
Go to $IS_HOME/bin and run the

If IS configured properly, when your stating the IS you can see this log in command line
“[2012-12-13 14:40:32,426] INFO {} – Kerberos service started.”

Now you have to create the Server principle that we mention in “jass.conf”

Login to IS buy using username – “admin” password -“admin” and go to configure->Service Principle and create   It


Register the Server Principle
Service Name : esb/localhost
Description : Test
Password : dinuka
Re Password : dinuka

Next we have to create Client Principle that means “User”

Username : dinuka
Password : dinuka
User Role : admin

Lets move to configure the ESB

First go to $ESB_HOME/repository/conf/security/
and place the same krb5.conf and jaas.conf files in $IS_HOME/repository/conf/security/

Open $IS_HOME/repository/conf/carbon.xml and change the offset 0 to 1 and start the ESB
Download sample carbon.xml here

Go to ESB and secure the “echo” service with kerboros


Service Principle Name : esb/localhost
Service Principle Password : dinuka


We are done with the configuration now we have to invoke the echo service so you can download the Java Client from here

You have to set the project dependencies for above client so point the all jars in $ESB_HOME/repository/components/plugins 

If you change username and password at the configuration time you have to make those changes on the above client also Go to policy.xml in the above client and change the following details according to your setting

<rampart:property name=””>dinuka</rampart:property>
<!– Authenticating user password –>
<rampart:property name=”client.principal.password”>dinuka</rampart:property>
<!– To which service client needs to talk to –>
<rampart:property name=””>esb/localhost@WSO2.ORG</rampart:property>

Finally change the ECHO_SERVICE_EPR  relevant to the your ESB and run the

Results should be

Calling Echo service with parameter – Hello World
Response : <ns:echoStringResponse xmlns:ns=””><return>Hello World</return></ns:echoStringResponse>

1 Comment

Posted by on December 13, 2012 in Enterprise Service Bus, Identity Server, java, wso2


One response to “How to Invoke the “echo service” secured with Kerberos in WSO2 ESB

  1. යසස්

    October 14, 2014 at 4:28 pm

    Can u help me with the following issue, while running the java client?

    [java] Calling Echo service with parameter – Hello World
    [java] Exception in thread “main” java.lang.RuntimeException: Undefined ‘kerberosSTReqFailed’ resource property
    [java] at
    [java] at
    [java] at
    [java] at
    [java] at org.apache.rampart.builder.BindingBuilder.getKerberosTokenBuilder(
    [java] at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(
    [java] at
    [java] at
    [java] at org.apache.rampart.handler.RampartSender.invoke(
    [java] at org.apache.axis2.engine.Phase.invokeHandler(
    [java] at org.apache.axis2.engine.Phase.invoke(
    [java] at org.apache.axis2.engine.AxisEngine.invoke(
    [java] at org.apache.axis2.engine.AxisEngine.send(
    [java] at org.apache.axis2.description.OutInAxisOperationClient.send(
    [java] at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
    [java] at org.apache.axis2.client.OperationClient.execute(
    [java] at org.apache.axis2.client.ServiceClient.sendReceive(
    [java] at org.apache.axis2.client.ServiceClient.sendReceive(
    [java] at
    [java] at org.wso2.identity.esb.kerberos.KerberosClient.main(
    [java] Caused by: java.util.MissingResourceException: Can’t find resource for bundle java.util.PropertyResourceBundle, key kerberosSTReqFailed
    [java] at java.util.ResourceBundle.getObject(
    [java] at java.util.ResourceBundle.getString(
    [java] at
    [java] … 19 more


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: