Kerberos Services


The API Gateway can act as a Kerberos Service. In this case, Kerberos clients must obtain a Kerberos service ticket to authenticate to the Kerberos Service exposed by the API Gateway. Clients must present this ticket to the API Gateway for their requests to be processed (to be successfully authenticated). The Kerberos Service is responsible for consuming these tickets.

You can configure Kerberos Services globally under the External Connections node in the tree view of the Policy Studio. To configure a Kerberos Service, right-click the Kerberos Services node in the tree, and select the Add a Kerberos Service option from the context menu. The following sections describe how to configure the various fields on the Kerberos Service dialog.

Globally configured Kerberos Services are selected by name as part of the Kerberos Service Authentication filter, which is responsible for validating the tickets consumed by the Kerberos Service. Make sure to enter a descriptive name for the service in the Name field of the Kerberos Service dialog. For more information on configuring this filter, see the Kerberos Service Authentication topic.

Having configured the Kerberos Service, it is available for selection when configuring other Kerberos-related filters. Make sure to select the Enabled checkbox at the bottom of the screen, which is selected by default.

Kerberos Endpoint Tab

Complete the following fields on this tab:

Kerberos Principal:

Select the name of the principal to be associated with the API Gateway. Clients wishing to authenticate to the API Gateway must present a service ticket containing a matching principal name to the API Gateway.

Kerberos Principals are configured globally under the External Connections node in the tree view of the Policy Studio. Right-click the Kerberos Principals node, and select the Add a Kerberos Principal option from the context menu.

Alternatively, you can select the Add button under the Kerberos Principal drop-down list to add a new principal. For more information on configuring a principal, see the Kerberos Principals topic.

Secret Key:

Use this section to specify the location of the Kerberos Service's secret key, which is used to decrypt service tickets received from Kerberos clients.


The Kerberos Service's secret key is originally created for a specific Principal on the KDC. A password is required to generate this key, which can be entered directly into the Password field here.


Usually, however, a Keytab file is generated, which contains a mapping between a Principal name and that Principal's secret key. The Keytab file can then be loaded into the API Gateway configuration using the fields provided on this section.

You can load the Principal-to-key mappings into the table by selecting the Load Keytab button, and then browsing to the location of an existing Keytab file. You can add a new Keytab Entry by clicking the Add Principal button. For more information on configuring the Keytab Entry dialog, see the Kerberos Keytab topic.

You can delete a Keytab Entry by selecting the entry in the table, and clicking the Delete Entry button. You can also export the entire contents of the Keytab table by clicking the Export Keytab button.

[Important] Important

The contents of the Keytab table (whether derived from a Keytab file or manually entered using the Keytab Entry dialog) are stored in the clear in the API Gateway's underlying configuration. The Keytab contents can be stored encrypted, if required, by setting a passphrase for the API Gateway configuration data. For more information on how to do this, see the Setting the Encryption Passphrase topic.

When the server starts up it writes the stored Keytab contents out to the /conf/plugin/kerberos/keytabs/ folder of your API Gateway installation. Oracle recommends that you configure directory-based or file-based access control for this directory and its contents.

Load via Native GSS Library:

If you have configured the API Gateway to Use Native GSS Library on the Process-level Kerberos Configuration settings, you must choose to load the Kerberos Service's secret key from the location preferred by the GSS library. The native GSS library expects the Kerberos service's secret key to be in the system's default Keytab file. The location of this Keytab file is specified in the default_keytab_name setting in the krb5.conf file that the native GSS library reads using the KRB5_CONFIG environment variable. This Keytab may contain keys for multiple Kerberos services.

Advanced Tab

Configure the following fields on this tab:


Select the mechanism used to establish a context between this Kerberos service and the Kerberos client. The Kerberos client must use the same mechanism selected here.

Extract Delegated Credentials:

A Kerberos client can set an attribute on the context with the Kerberos service to indicate that they wish to allow the service to act on behalf of the client in subsequent communications. For example, this enables the Kerberos service (the API Gateway) to assume the identity of the client when communicating with a back-end Kerberos service. In this way, the client's credentials are propagated to the back-end service as opposed to the API Gateway's credentials. This is called credential delegation.

In cases where a Kerberos client wishes to delegate its credentials to a Kerberos service, you can configure the service to extract the delegated credentials from the context it establishes with the client. Select the Extract Delegated Credentials checkbox to extract the client's delegated credentials and store them in the gss.delegated.credentials and message attributes.

The extracted delegated credentials can be forwarded on to the back-end Kerberos service (on behalf of the user) using the Kerberos settings on the Kerberos Client Authentication filter or the Connection filter. When configuring the Kerberos Client used on the Kerberos Authentication tab of the Connection filter, make sure to select the option to retrieve the Ticket Granting Ticket(TGT) from the extracted delegated credentials (the Extract from delegated credentials checkbox on the Kerberos Endpoint tab).

For more details on configuring these options, see the following topics: