Complete the following fields on this tab:
Kerberos Principal:
Select the name of the principal to be associated with the
Enterprise Gateway. Clients wishing to authenticate to the Enterprise Gateway
must present a service ticket issued for this principal: the ticket carries
the matching principal name and is encrypted under that principal's secret key,
so the Enterprise Gateway can only decrypt tickets for a principal whose key it holds.
Kerberos Principals are configured globally under the External
Connections node in the tree view of the Policy Studio. Right-click
the Kerberos Principals node, and select the Add
a Kerberos Principal option from the context menu.
Alternatively, you can select the Add button under
the Kerberos Principal drop-down list to add a new principal.
For more information on configuring a principal, see the
Kerberos Principals topic.
Secret Key:
Use this section to specify the location of the Kerberos Service's
secret key, which is used to decrypt service tickets received from
Kerberos clients.
Password:
The Kerberos Service's secret key is derived from the password that was set for
the Principal on the KDC. If you enter that same password in the Password field,
the Enterprise Gateway derives the key from it; the password must match the one
held by the KDC for the principal, or the derived key will not decrypt service tickets.
Keytab:
Usually, however, a Keytab file is generated, which
contains a mapping between a Principal name and that Principal's secret
key. The Keytab file can then be loaded into the Enterprise Gateway configuration
using the fields provided on this section.
You can load the Principal-to-key mappings into the table by selecting the
Load Keytab button, and then browsing to the location of
an existing Keytab file. You can add a new Keytab Entry by clicking the
Add Principal button. For more information on configuring
the Keytab Entry dialog, see the
Kerberos Keytab Entry topic.
You can delete a Keytab Entry by selecting the entry in the table, and
clicking the Delete Entry button. You can also export
the entire contents of the Keytab table by clicking the Export
Keytab button.
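To make concrete what the Keytab table holds, the following is an added example (not Oracle's code, and not how the Enterprise Gateway itself reads or writes Keytab files) that parses and produces the version-2 MIT keytab format: a two-byte header followed by size-prefixed entries, each mapping a principal name (realm plus components) to a key version number, encryption type and secret key, with negative-size slots marking deleted entries. It also shows the equivalents of the Load Keytab, Export Keytab and Delete Entry actions described above. The principal names, timestamps and key bytes are constructed sample data, not real credentials.

```python
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2

# RFC 3961/3962 encryption type numbers, used only for readable summaries
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str  # components joined with '/', then '@' and the realm
    name_type: int  # 1 = KRB5_NT_PRINCIPAL
    timestamp: int  # when the entry was written (Unix seconds)
    kvno: int       # key version number
    enctype: int
    key: bytes      # the service's long-term secret key


def _counted(buf, off):
    """Read a uint16 length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a version-2 MIT keytab (the Load Keytab step)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)  # negative size = deleted slot
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; takes precedence when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Encode entries into keytab format (the Export Keytab step)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:  # realm comes before the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def delete_entries(data: bytes, principal: str) -> bytes:
    """Delete Entry: negate the slot size (the keytab convention for a free slot)
    and zero the body so the key bytes do not linger; the file length is unchanged."""
    out = bytearray(data)
    off = 2
    while off < len(out):
        (size,) = struct.unpack_from(">i", out, off)
        if size > 0:
            entry = parse_keytab(KEYTAB_MAGIC + bytes(out[off:off + 4 + size]))[0]
            if entry.principal == principal:
                struct.pack_into(">i", out, off, -size)
                out[off + 4:off + 4 + size] = bytes(size)
        off += 4 + abs(size)
    return bytes(out)


def summarize(entries):
    """klist -k style listing that never reveals key material."""
    return [(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype))) for e in entries]


def has_key_for(entries, principal):
    """True if a service ticket for `principal` could be decrypted from these entries."""
    return any(e.principal == principal for e in entries)


# Constructed sample entries with fake keys, not real credentials
SAMPLE = [
    KeytabEntry("HTTP/gateway.example.com@EXAMPLE.COM", 1, 1700000000, 3, 18, bytes(range(32))),
    KeytabEntry("HTTP/gateway.example.com@EXAMPLE.COM", 1, 1700000000, 3, 17, bytes(range(16))),
    KeytabEntry("ldap/other.example.com@EXAMPLE.COM", 1, 1700000000, 300, 18, bytes(range(32, 64))),
]

if __name__ == "__main__":
    for line in summarize(parse_keytab(build_keytab(SAMPLE))):
        print(*line)
```

Two details matter operationally: a keytab commonly carries several entries for the same principal (one per encryption type, and old key versions after a rekey), and deleting an entry only marks the slot free, so the file should be treated as sensitive until it is rewritten or removed.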
Important Note:
The contents of the Keytab table (whether derived from a Keytab file or
manually entered using the Keytab Entry dialog) are stored
in the clear in the Enterprise Gateway's underlying configuration. The Keytab
contents can be stored encrypted, if required, by setting a passphrase for
the Enterprise Gateway configuration data. For more information on how to do this,
see the Setting the Encryption
Passphrase topic.
When the server starts up it writes the stored Keytab contents out to
the /conf/plugin/kerberos/keytabs/ folder of your
Enterprise Gateway installation. Oracle recommends that you configure
directory-based or file-based access control for this directory and
its contents, for example so that only the account under which the
Enterprise Gateway runs can read them.
Load via Native GSS Library:
If you have configured the Enterprise Gateway to Use Native GSS Library
on the Process-level Kerberos Configuration settings, you must load the
Kerberos Service's secret key from the location the GSS library expects,
rather than from the Password or Keytab fields above. The native GSS library
expects the Kerberos service's secret key to be in the system's default Keytab
file. The location of this Keytab file is specified by the
default_keytab_name setting in the krb5.conf file, and the
native GSS library locates krb5.conf through the
KRB5_CONFIG environment variable. Note that this Keytab may
contain keys for multiple Kerberos services, so access control on it
protects more than the Enterprise Gateway's own key.
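The following is an added example, not Oracle's code, that ties together the two operational points above: working out which Keytab file a native MIT-style GSS library will open (KRB5_KTNAME if set, otherwise default_keytab_name in the [libdefaults] section of the krb5.conf named by KRB5_CONFIG, otherwise the built-in default), and then checking that the file and its directory have the access control the Important Note recommends. The krb5.conf parser is deliberately minimal, the KRB5_CONFIG handling is a simplification of MIT's behaviour (MIT merges all listed files), the built-in default path is an assumption, and the krb5.conf and keytab it inspects are constructed in a temporary directory by the demo function.

```python
import os
import stat
import tempfile

# Assumed built-in default used when default_keytab_name is not set;
# the compiled-in value can differ between builds.
BUILTIN_DEFAULT_KEYTAB = "FILE:/etc/krb5.keytab"


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level settings of a krb5.conf.

    Only flat 'key = value' lines directly under a [section] header are kept;
    brace-delimited subsections such as realm blocks are skipped, which is
    enough to find default_keytab_name under [libdefaults].
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, depth = line[1:-1], 0
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def strip_file_prefix(name):
    """Keytab names may carry a type prefix; FILE: and WRFILE: name a path."""
    for prefix in ("FILE:", "WRFILE:"):
        if name.upper().startswith(prefix):
            return name[len(prefix):]
    return name


def resolve_native_keytab(env):
    """Return the keytab path a native GSS library would open for acceptor
    credentials, given a process environment mapping.

    Precedence: KRB5_KTNAME, then default_keytab_name from the krb5.conf
    file(s) listed in KRB5_CONFIG (first file that sets it wins here, a
    simplification of MIT's merge), then the assumed built-in default.
    """
    if env.get("KRB5_KTNAME"):
        return strip_file_prefix(env["KRB5_KTNAME"])
    for conf_path in env.get("KRB5_CONFIG", "/etc/krb5.conf").split(":"):
        if not os.path.isfile(conf_path):
            continue
        with open(conf_path) as fh:
            conf = parse_krb5_conf(fh.read())
        name = conf.get("libdefaults", {}).get("default_keytab_name")
        if name:
            return strip_file_prefix(name)
    return strip_file_prefix(BUILTIN_DEFAULT_KEYTAB)


def keytab_permission_issues(path):
    """List access-control problems with a keytab file and its directory."""
    issues = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab %s does not exist" % path]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("keytab %s is accessible to group or others (mode %o)"
                      % (path, stat.S_IMODE(st.st_mode)))
    dst = os.stat(os.path.dirname(path) or ".")
    if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
        issues.append("directory of %s is world-writable" % path)
    return issues


def demo():
    """Constructed scenario: a private krb5.conf naming a keytab that is first
    left world-readable and then restricted to its owner."""
    with tempfile.TemporaryDirectory() as tmp:
        keytab = os.path.join(tmp, "gateway.keytab")
        with open(keytab, "wb") as fh:
            fh.write(b"\x05\x02")  # empty version-2 keytab, no real keys
        conf = os.path.join(tmp, "krb5.conf")
        with open(conf, "w") as fh:
            fh.write("[libdefaults]\n default_realm = EXAMPLE.COM\n"
                     " default_keytab_name = FILE:%s\n\n[realms]\n"
                     " EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n" % keytab)
        env = {"KRB5_CONFIG": conf}
        resolved = resolve_native_keytab(env)
        os.chmod(keytab, 0o644)
        before = keytab_permission_issues(resolved)
        os.chmod(keytab, 0o600)
        after = keytab_permission_issues(resolved)
        override = resolve_native_keytab(dict(env, KRB5_KTNAME="/etc/gateway.keytab"))
        return {"resolved": resolved == keytab, "issues_before": len(before),
                "issues_after": len(after), "override": override}


if __name__ == "__main__":
    print(demo())
```

Run this under the same environment variables as the Enterprise Gateway process, since KRB5_CONFIG and KRB5_KTNAME are read from that process's environment, not from the shell you happen to be using.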