Complete the following fields on this tab:
Kerberos Principal:
Select the name of the principal that will be associated with the Enterprise Gateway. Clients wishing to authenticate to the Enterprise Gateway must present a service ticket containing a matching principal name to the Enterprise Gateway.
Kerberos Principals are configured globally under the "External Connections" node in the tree view of the Policy Studio. Right-click on the "Kerberos Principals" node and select the Add a Kerberos Principal option from the context menu. Alternatively, you can select the Add button beneath the Kerberos Principal dropdown to add a new principal.
For more information on configuring a principal, please refer to the Kerberos Principals help page.
Secret Key:
Use this section to specify the location of the Kerberos Service's secret key, which will be used to decrypt service tickets received from Kerberos clients.
Password:
The Kerberos Service's secret key is originally created for a specific Principal on the KDC. The key is derived from a password, and that password can be entered directly into the Password field here so that the Enterprise Gateway can generate the same key.
Keytab:
Usually, however, a Keytab file is generated, which contains a mapping between a Principal name and that Principal's secret key. The Keytab file can then be loaded into the Enterprise Gateway configuration using the fields provided in this section.
It is possible to load the Principal-to-key mappings into the table by selecting the Load Keytab button and then browsing to the location of an existing Keytab file. A new Keytab Entry can be added by clicking the Add Principal button. See the Kerberos Keytab Entry help page for more information on configuring the Keytab Entry dialog.
A Keytab Entry can be deleted by selecting the entry in the table and clicking on the Delete Entry button. It is also possible to export the entire contents of the Keytab table by clicking on the Export Keytab button.
It is important to note that the contents of the Keytab table (whether derived from a Keytab file or manually entered using the Keytab Entry dialog) are stored in the clear in the Enterprise Gateway's underlying configuration. The Keytab contents can be stored encrypted, if required, by setting a passphrase for the Enterprise Gateway configuration data. For more information on how to do this, please refer to the Setting the Encryption Passphrase help page.
When the server starts up, it writes the stored Keytab contents out to the /conf/plugin/kerberos/keytabs/ folder of your Enterprise Gateway installation. Oracle recommends that you configure directory- or file-based access control for this directory and its contents.
Load via Native GSS Library:
If you have configured the Enterprise Gateway to Use Native GSS Library on the Process-level Kerberos Configuration settings, you must choose to load the Kerberos Service's secret key from the location preferred by the GSS library. The native GSS library will expect the Kerberos service's secret key to be in the system's default Keytab file. The location of this Keytab file is specified in the "default_keytab_name" setting in the krb5.conf file that the native GSS library reads via the KRB5_CONFIG environment variable. Note that this Keytab may contain keys for multiple Kerberos services.
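The Keytab section above describes a Keytab as a mapping from Principal name to secret key, the note on the Keytab table warns that these keys sit in the clear on disk under the keytabs folder, and the native GSS section notes that a system Keytab may hold keys for several services. The following Python script, added here as an illustration and not part of the Enterprise Gateway product or its documentation, makes all three points concrete: it builds a small Keytab in the MIT file format from constructed entries (the realm EXAMPLE.COM, the principals HTTP/gateway.example.com and host/gateway.example.com, and the key bytes are invented placeholders), parses it back the way `klist -kt` would list it, and checks that the file's permissions grant no group or other access, which is the kind of file-based access control the page recommends for the keytabs directory. The function names (build_keytab, parse_keytab, keytab_mode_is_safe, check_keytab_file) are the example's own.

```python
"""Parse an MIT-format Kerberos keytab and check its file permissions.

Added example for this help page; it is not part of Enterprise Gateway or
its documentation. The realm, principals and key bytes below are
constructed placeholders, not real credentials.
"""
import os
import stat
import struct
import tempfile
import time

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab file format, version 2
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Constructed sample: two services in one keytab (principal, realm, kvno, enctype, key).
SAMPLE_ENTRIES = [
    ("HTTP/gateway.example.com", "EXAMPLE.COM", 3, 18, bytes(range(32))),
    ("host/gateway.example.com", "EXAMPLE.COM", 1, 17, bytes(range(16))),
]


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into keytab bytes."""
    out = bytearray(KEYTAB_VERSION)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))  # v2: realm is not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # NT_PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key             # keyblock, stored in clear
        body += struct.pack(">I", kvno)                                  # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry; key material comes back exactly as stored on disk."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:  # trailing 32-bit vno, written by modern MIT tools
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "timestamp": timestamp,
            "key": key,
        })
    return entries


def keytab_mode_is_safe(mode):
    """True when the mode grants no group or other access (what to require for the keytabs folder)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_keytab_file(path):
    """Stat a keytab on disk and report whether its permissions are restrictive."""
    return keytab_mode_is_safe(os.stat(path).st_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gateway.keytab")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)  # owner-only from creation
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_keytab(SAMPLE_ENTRIES))
        print("permissions ok:", check_keytab_file(path))
        with open(path, "rb") as fh:
            for e in parse_keytab(fh.read()):  # same view as `klist -kt`
                print("%3d %-40s %s key=%s" % (e["kvno"], e["principal"], e["enctype"], e["key"].hex()))
```

Running the script prints each principal with its key version, encryption type and raw key bytes; the fact that the key bytes can be printed straight from the file is the reason the page recommends access control on the keytabs folder (or an encryption passphrase for the configuration) rather than relying on the file format to protect them.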