Kerberos Configuration

Overview

The Kerberos Configuration dialog allows you to configure process-wide Kerberos settings. The most important setting allows you to upload a Kerberos configuration file to the Enterprise Gateway. This file tells the Kerberos system where the KDC (Key Distribution Center) for each realm is located, which encryption types to use, and how DNS domains map to Kerberos realms. It holds no keys: long-term service keys live in keytabs and session keys are issued by the KDC at run time.

It is also possible to configure trace options for the various APIs used by the Kerberos system, for example, the GSS (Generic Security Services) and SPNEGO (Simple and Protected GSSAPI Negotiation) APIs.

Linux and Solaris platforms ship with a native implementation of the GSS library, which can be leveraged by the Enterprise Gateway. The location of the GSS library can be specified using settings on this dialog.

Kerberos Configuration File - krb5.conf

The Kerberos configuration file, krb5.conf, is read by the Kerberos system to find the location of the KDC for each realm, the permitted encryption types, and the default realm.

The file is required by both Kerberos Clients and Services that are configured for the Enterprise Gateway. Kerberos Clients need to know the location of the KDC so that they can obtain a Ticket Granting Ticket (TGT). They also need to know what encryption algorithms to use and to what realm they belong.

A Kerberos Client or Service determines its realm from its principal name: if the name carries a realm after the "@" symbol, that realm is used; otherwise the principal is assumed to belong to the "default_realm" specified in the krb5.conf file.

Kerberos Services do not need to contact the KDC to obtain a TGT, but they still rely on the encryption types and realm information in krb5.conf. Only one "default_realm" can be specified; any number of additional named realms can be defined alongside it. The "default_realm" setting lives in the [libdefaults] section and must name a realm that is defined in the [realms] section. The setting is optional, but if it is omitted every principal name must carry an explicit realm, since otherwise the Kerberos system has no way to choose a KDC.

A default krb5.conf is displayed in the text area, which can be modified where appropriate and then uploaded to the Enterprise Gateway's configuration by clicking the OK button. Alternatively, if you already have a krb5.conf file that you want to use, browse to this file using the Load File button. The contents of the file will be displayed in the text area and can subsequently be uploaded by clicking the OK button.

Note that it is also possible to type directly into the text area to modify the krb5.conf contents. Please refer to your Kerberos documentation for more information on the settings that can be configured within the krb5.conf file.
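The realm resolution rule and the structure of krb5.conf are easiest to see on a concrete file. The script below is an added illustration for this page and is not Enterprise Gateway code: it parses a constructed krb5.conf (the realm names EXAMPLE.COM, PARTNER.ORG and OLD.EXAMPLE.NET and the KDC host names are assumptions), reports which realm and which KDCs a given principal resolves to, and flags the cross-reference mistakes worth catching before uploading the file, such as a default_realm or a domain_realm target that is not defined under [realms].

```python
"""Parse krb5.conf and resolve a principal's realm and KDCs.

Added illustration for this page, not Enterprise Gateway code. The sample
file, its realm names and its KDC host names are constructed for the example.
"""
import re

# Constructed sample; every realm and host name here is an assumption.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
    }
    PARTNER.ORG = {
        kdc = kdc.partner.org
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    .legacy.example.net = OLD.EXAMPLE.NET
"""

_SECTION = re.compile(r"^\[(\w+)\]$")          # [libdefaults]
_BLOCK = re.compile(r"^([^=\s]+)\s*=\s*\{$")    # EXAMPLE.COM = {
_KV = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")     # kdc = host:88


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}.  A `NAME = { ... }` block becomes a
    nested dict under NAME.  Repeated keys (several `kdc =` lines) accumulate
    in order, which is how a realm's list of KDCs is expressed."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if (m := _SECTION.match(line)):
            section = conf.setdefault(m.group(1), {})
            block = None
        elif section is None:
            raise ValueError("setting outside any [section]: %r" % raw)
        elif line == "}":
            block = None
        elif (m := _BLOCK.match(line)):
            block = m.group(1)
            section.setdefault(block, {})
        elif (m := _KV.match(line)):
            key, value = m.groups()
            target = section[block] if block else section
            target.setdefault(key, []).append(value)
        else:
            raise ValueError("cannot parse line: %r" % raw)
    return conf


def principal_realm(principal, conf):
    """Realm after the last '@' if the name carries one, otherwise the
    [libdefaults] default_realm.  With neither, no KDC can be chosen."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[-1]
    if realm is None:
        raise ValueError("%s has no realm and krb5.conf sets no default_realm" % principal)
    return realm


def kdcs_for_principal(principal, conf):
    """KDC addresses listed for the principal's realm, in configured order."""
    realm = principal_realm(principal, conf)
    realms = conf.get("realms", {})
    if realm not in realms:
        raise LookupError("realm %s is not defined in [realms]" % realm)
    return list(realms[realm].get("kdc", []))


def lint_krb5_conf(conf):
    """Cross-reference checks worth running before uploading: every realm
    named anywhere must exist in [realms], and each realm needs a kdc."""
    problems, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[-1]
    if default and default not in realms:
        problems.append("default_realm %s is not defined in [realms]" % default)
    for name, settings in realms.items():
        if isinstance(settings, dict) and not settings.get("kdc"):
            problems.append("realm %s has no kdc entry" % name)
    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target not in realms:
                problems.append("domain_realm maps %s to undefined realm %s" % (domain, target))
    return problems


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in ("gateway/api.example.com", "alice@PARTNER.ORG"):
        print(p, "->", principal_realm(p, conf), kdcs_for_principal(p, conf))
    for problem in lint_krb5_conf(conf):
        print("WARNING:", problem)
```

The parser deliberately keeps repeated keys as ordered lists rather than overwriting them, because that is how krb5.conf lists several KDCs for one realm; the lint step catches the two mistakes that most often surface only at run time as an unexplained "cannot find KDC" error: a default_realm or a domain_realm mapping that points at a realm with no [realms] entry.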

Advanced Settings

The checkboxes on this screen allow you to configure various tracing options for the underlying Kerberos API. Trace output is always written to the trace directory of your Enterprise Gateway installation. Because these traces record principal names, ticket details and each step of a login, enable them only while diagnosing a problem and restrict access to the trace directory.

Kerberos Debug Trace:
Enables extra tracing from the Kerberos API layer.

SPNEGO Debug Trace:
Turns on extra tracing from the SPNEGO API layer.

Extra Debug at Login:
Provides extra tracing information during login to the Kerberos KDC.

Native GSS Library

The Generic Security Services API (GSS-API) is an API for accessing security services, including Kerberos. Implementations of the GSS-API ship with the Linux and Solaris platforms and can be leveraged by the Enterprise Gateway when it is installed on these platforms. The fields on this tab allow you to configure various aspects of the GSS-API implementation for your target platform.

Note that these are process-wide settings. If use of the native GSS API is selected, it will be used for all Kerberos operations. All Kerberos Clients and Services must therefore be configured to load their credentials natively.

If the native API is used the following will not be supported:

  • The SPNEGO mechanism.
  • The WS-Trust for SPNEGO standard as it requires the SPNEGO mechanism.
  • The SPNEGO over HTTP standard as it requires the SPNEGO mechanism. Note that it is possible to use the KERBEROS mechanism with this protocol, but this would be non-standard.
  • Signing and encrypting using the Kerberos session keys.

Use Native GSS Library:
Check this checkbox to use the operating system's native GSS implementation. This option only applies to Enterprise Gateway installations on the Linux and Solaris platforms.

Native GSS Library Location:
If you have opted to use the native GSS library, enter the location of the GSS library in the field provided, for example, /usr/lib/libgssapi.so. On Linux platforms the library is called libgssapi.so (MIT Kerberos installations name it libgssapi_krb5.so; ldconfig -p lists the GSS libraries the system knows about), while on Solaris it is called libgss.so. This setting is only required when the library is in a non-default location.

Native GSS Trace:
Use this option to enable debug tracing for the native GSS library.
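Before enabling the native library, it is worth confirming that the path you intend to enter really is a loadable GSS-API library. The probe below is an added illustration, not part of the product: it loads a candidate with ctypes and checks for the entry points every GSS-API C library exports (RFC 2744). The candidate paths are assumptions about common Linux and Solaris layouts, not a complete list; the MIT Kerberos library is named libgssapi_krb5.so, which is why it appears beside the libgssapi.so name the dialog cites.

```python
"""Check that a path names a loadable GSS-API library before configuring it.

Added illustration for this page, not Enterprise Gateway code.  The
candidate locations are assumptions about common Linux and Solaris layouts.
"""
import ctypes
import os

# Entry points defined by RFC 2744 that any GSS-API C library exports.
REQUIRED_GSS_SYMBOLS = (
    "gss_acquire_cred", "gss_init_sec_context", "gss_accept_sec_context",
    "gss_wrap", "gss_unwrap", "gss_release_cred",
)

CANDIDATE_PATHS = (
    "/usr/lib64/libgssapi_krb5.so.2",   # MIT Kerberos, 64-bit Linux (assumed)
    "/usr/lib/libgssapi_krb5.so.2",     # MIT Kerberos, 32-bit Linux (assumed)
    "/usr/lib/libgssapi.so",            # name cited on this page (Heimdal)
    "/usr/lib/libgss.so",               # Solaris
)


def probe_gss_library(path):
    """Return the list of required symbols the library at `path` lacks
    (an empty list means it is usable), or None when the file is missing
    or cannot be loaded as a shared library at all."""
    if not os.path.isfile(path):
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:                      # not ELF, wrong architecture, etc.
        return None
    return [name for name in REQUIRED_GSS_SYMBOLS if not hasattr(lib, name)]


def find_gss_library(candidates=CANDIDATE_PATHS):
    """First candidate that loads and exports every required symbol."""
    for path in candidates:
        if probe_gss_library(path) == []:
            return path
    return None


if __name__ == "__main__":
    found = find_gss_library()
    print("native GSS library:", found or "none of the candidates is usable")
```

Run it on the machine hosting the Enterprise Gateway and enter the path it prints in the Native GSS Library Location field; a path that fails this probe will also fail when the gateway tries to load it.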