Connection

Contents

Overview

The Connection is responsible for making the connection to the remote Web Service. It relies on connection details that are set by the other filters in the Routing filter group.

Since the Connection filter actually connects out to other services, it is responsible for negotiating the SSL handshake involved in setting up a (mutually) authenticated secure channel.

General Configuration

Enter a name for the filter in the Name field. Click on the tabs to configure the various aspects of the Connection filter.

Trusted Certificates

This section lists all CA certificates that have been imported into the Oracle Certificate Store. Select the certificates that the Enterprise Gateway will consider to be trusted when it attempts to establish a connection to a remote server. The remote server's SSL certificate must be issued by one of the certificates selected (i.e. trusted) on this tab.

Client SSL Authentication

The Enterprise Gateway can be configured to authenticate itself to the remote Web Service. It will do so using the certificate chosen on this tab.

HTTP Authentication

The Enterprise Gateway can use both HTTP basic and HTTP digest authentication to authenticate to the remote server. In both cases the User Name and Password of a user must be specified in the fields provided.

Kerberos Authentication

The settings on this tab allows you to authenticate to a Kerberos Service by sending a Kerberos service ticket in the HTTP request to that service. Note that it is also possible to configure the Enterprise Gateway to authenticate to a Kerberos Service by including the relevant Kerberos tokens inside the XML message itself. Please refer to the Kerberos Client Authentication help page for more information.

Kerberos Client
The role of the Kerberos Client selected here is twofold: first, it must obtain a Kerberos TGT (Ticket Granting Ticket) and second, it uses this TGT to obtain a service ticket for the Kerberos Service Principal selected below. Take a look at the Kerberos Client help page for more information on configuring Kerberos Clients.

Kerberos Clients are configured globally under the "External Connections" node in the tree view of the Policy Studio. They can then be selected in the Kerberos Client dropdown on this tab. It is also possible to add a global Kerberos Client directly from this tab by clicking the Add button. Similarly, existing Kerberos Clients can be edited and deleted by selecting the client in the dropdown and clicking the Edit and Delete buttons, respectively.

Kerberos Service Principal
The Kerberos Client selected from the dropdown above must obtain a ticket from the Kerberos TGS (Ticket Granting Server) for the Kerberos Service Principal selected here. The Service Principal can be used to uniquely identify the Service within the Kerberos realm. The TGS will grant a ticket for the selected Principal, which the client can then send to the Kerberos Service. The Principal in the ticket must match the Kerberos Service's Principal in order for the client to be successfully authenticated.

Kerberos Principals are also configured globally under the "External Connections" node in the tree view of the Policy Studio. Alternatively, it is possible to add a global Kerberos Principal directly by clicking the Add button. Existing Kerberos Principals can be edited and deleted by clicking the Edit and Delete buttons, respectively. For more information on configuring Kerberos Principals please refer to the Kerberos Principals help page.

Send Token with First Request
In some cases, the client may not authenticate (i.e. send the Authorization HTTP header) to the Kerberos Service on its first request. The Kerberos Service should then respond with an HTTP 401 response containing a WWW-Authenticate: Negotiate HTTP header. This header value instructs the client to authenticate to the server by sending up the Authorization header. The client then sends up a second request, this time with the Authorization header, which contains the relevant Kerberos token. Check this option to force the Connection filter to always send the Authorization HTTP header that contains the Kerberos Service ticket on its first request to the Kerberos Service.

Pass when Service Returns 200
In some (rare) cases, a Kerberos Service may return a "200 OK" response to a Kerberos Client's initial request even though the security context has not yet been fully established. This "200 OK" response may not contain the WWW-authenticate HTTP header.

By checking this option, you are instructing the Connection filter to send the request to the Kerberos Service despite the fact that the context has not been established. The onus then falls on the Kerberos Service to decide whether or not to process the request depending on the status of the security context.

Send Body Only After Establish Context
The Kerberos client may be configured to only send the message body after the context has been fully established, i.e. the client has mutually authenticated with the service.

Advanced

This tab allows you to configure certain advanced features of the Connection filter.

The following configuration options are available:

Send via Proxy
Check this option if the Enterprise Gateway must connect to the destination Web Service through an HTTP proxy. In this case, the Enterprise Gateway will include the full URL of the destination Web Service in the request line of the HTTP request. For example, if the destination Web Service resides at http://localhost:8080/services, then the request line would appear as follows: 

POST http://localhost:8080/services HTTP/1.1

If the Enterprise Gateway was not routing through a proxy, the request line would appear as follows: 

POST /services HTTP/1.1

Transparent Proxy (present client's IP address to server)
Enables the use of the Enterprise Gateway as a transparent proxy on Linux systems with the TPROXY kernel option set. When selected, the IP address of the original client connection that caused the circuit to be invoked is used as the local address of the connection to the destination server. For more details and an example, see Configuring a Transparent Proxy.

Ciphers
The Ciphers field allows the administrator to specify the ciphers that the server supports. The server will send this list of supported ciphers to the destination server, which will then select the highest strength common cipher as part of the SSL handshake. The selected cipher will then be used to encrypt the data as it is sent over the secure channel.

HTTP Host Header
An HTTP 1.1 client must send a Host header in all HTTP 1.1 requests. The Host header identifies the hostname and port number of the requested resource as specified in the original URL given by the client.

When routing messages on to target Web Services, the Enterprise Gateway can either forward on the Host as received from the client, or it can specify the address and port number of the destination Web Service in the Host header that it routes onwards.

Select Use Host header specified by client to force the Enterprise Gateway to always forward on the original Host header that it received from the client. Alternatively, to configure the Enterprise Gateway to include the address and port number of the destination Web Service in the Host header, select the Generate new Host header radio button.