Kerberos Authentication Failing In Gateway 11.1

Article ID: 367893

Products

CA API Gateway

Issue/Introduction

After upgrading to Gateway 11.1, our policy that uses Kerberos authentication is failing.

The policy fails when the 'Require Windows Integrated Authentication Credentials' assertion executes, and the following error is returned and written to the gateway logs:

class com.l7tech.kerberos.KerberosGSSAPReqTicket (in unnamed module @0x63a12c68) cannot access class sun.security.jgss.GSSHeader (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @0x63a12c68

Environment

CA API Gateway 11.1

Cause

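Gateway 11.1 now runs on Java 17, which strongly encapsulates JDK-internal packages. As the error shows, the module java.security.jgss does not export the internal package sun.security.jgss to the unnamed module that holds the Gateway's Kerberos classes, so the access is refused.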

Resolution

Update the following file on each gateway node in the cluster:

/opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh

Add the following entry at line 24:

default_java_opts="$default_java_opts --add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED"

Save the changes to the file and then restart the gateway service.

The policy using Kerberos authentication now executes successfully.
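The edit above, scripted so it can be repeated safely on every node, as an added example that is not vendor code: it inserts the entry at line 24 only when no active line already carries the flag, and keeps a backup copy first. The function names and the .bak suffix are assumptions; the path, line number and entry come from this article.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and the .bak suffix are
# assumptions; path, line number and entry are taken from the article.
SSG_DEFS="${SSG_DEFS:-/opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh}"
JGSS_EXPORT='--add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED'
JGSS_LINE="default_java_opts=\"\$default_java_opts $JGSS_EXPORT\""

# Return 0 if an active (non-comment) line already carries the export flag.
has_jgss_export() {
    grep -v '^[[:space:]]*#' "$1" | grep -qF -- "$JGSS_EXPORT"
}

# Insert the entry at line 24 unless it is already present.
# Files shorter than 24 lines get the entry appended at the end.
ensure_jgss_export() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if has_jgss_export "$file"; then
        echo "already present: $file"
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1      # backup before editing
    tmp=$(mktemp) || return 1
    awk -v entry="$JGSS_LINE" -v at=24 '
        NR == at { print entry; done = 1 }
        { print }
        END { if (!done) print entry }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"  # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    # Confirm the flag is now on an active line before reporting success.
    [ "$rc" -eq 0 ] && has_jgss_export "$file"
}
```

Run `ensure_jgss_export "$SSG_DEFS"` as a user who can write the file, then restart the gateway service as described above. Because ALL-UNNAMED exports sun.security.jgss to every class on the classpath, `has_jgss_export` also serves as a quick inventory of which nodes carry the workaround.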

Additional Information

We have defect DE602868 open with our development team, and this situation will be addressed in an upcoming 11.1 CR.