Kerberos configuration

Overview

The Kerberos Configuration screen enables you to configure API Gateway instance-wide Kerberos settings. The most important setting allows you to upload a Kerberos configuration file to the API Gateway, which contains information about the location of the Kerberos Key Distribution Center (KDC), encryption algorithms and keys, and domain realms to use.

You can also configure trace options for the various APIs used by the Kerberos system. For example, these include the Generic Security Services (GSS) and Simple and Protected GSSAPI Negotiation (SPNEGO) APIs.

Linux and Solaris platforms ship with a native implementation of the GSS library, which can be leveraged by the API Gateway. The location of the GSS library can be specified using settings on this screen.

Kerberos configuration file—krb5.conf

The Kerberos configuration file (krb5.conf) is required by the Kerberos system to configure the location of the Kerberos KDC, supported encryption algorithms, and default realms.

The file is required by both Kerberos Clients and Services that are configured for the API Gateway. Kerberos Clients need to know the location of the KDC so that they can obtain a Ticket Granting Ticket (TGT). They also need to know what encryption algorithms to use and to what realm they belong.

A Kerberos Client or Service knows what realm it belongs to in one of two ways: either the realm is appended to the principal name after the @ symbol, or, if the realm is not specified in the principal name, it is assumed to be the default_realm specified in the krb5.conf file.

Kerberos Services do not need to talk to the KDC to request a TGT. However, they still require the information about supported encryption algorithms and default realms contained in the krb5.conf file. Only one default_realm can be specified in this file, but you can specify a number of additional named realms. The default_realm setting is found in the [libdefaults] section of the krb5.conf file and points to a realm in the [realms] section. This setting is not required.
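The following is an added example, not part of the product documentation, that shows what the sections described above look like in a krb5.conf and checks the two relationships the text relies on: that a principal's realm comes from the part after @ (or default_realm otherwise), and that default_realm names an entry in [realms] that has a kdc. The realm name EXAMPLE.COM, the hostnames, and the enctype choices are constructed placeholders; the parser is a small one written for this example (krb5.conf is not plain INI because [realms] nests settings in braces), not the library that the API Gateway itself uses.

```python
"""Added example: parse a krb5.conf and sanity-check its realm settings."""
import re

# Constructed sample krb5.conf. EXAMPLE.COM and the hostnames are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # Encryption algorithms offered for the TGT and service tickets.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com:749
    }
    PARTNER.EXAMPLE = {
        kdc = kdc.partner.example:88
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-dict}}.

    Handles the one level of '{ ... }' nesting used by [realms]; '#' and ';'
    start comments. Deliberately minimal: it covers the structure shown
    above, not the full krb5.conf grammar (e.g. repeated keys overwrite).
    """
    conf = {}
    section = None
    subsection = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            subsection = None
            continue
        if line == "}":
            subsection = None
            continue
        if section is None:
            continue  # setting outside any section: ignore it
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            subsection = section.setdefault(key, {})
            continue
        target = subsection if subsection is not None else section
        target[key] = value
    return conf


def realm_for_principal(principal, conf):
    """Realm is the text after '@'; otherwise fall back to default_realm."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf.get("libdefaults", {}).get("default_realm")


def check_realm_config(conf):
    """Return a list of problems a client or service would hit with this file."""
    problems = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no entry in [realms]")
    for name, entry in realms.items():
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append(f"realm {name} has no kdc setting; clients cannot obtain a TGT")
    return problems


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(realm_for_principal("HTTP/gateway.example.com", parsed))
    print(check_realm_config(parsed) or "krb5.conf realm settings look consistent")
```

Running the check before uploading a krb5.conf catches the two misconfigurations that produce the least helpful errors at runtime: a default_realm with no matching [realms] block, and a realm whose block omits the kdc that Kerberos Clients need to obtain a TGT.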

A default krb5.conf is displayed in the text area, which can be modified where appropriate and then uploaded to the API Gateway's configuration by clicking the OK button. Alternatively, if you already have a krb5.conf file that you want to use, browse to this file using the Load File button. The contents of the file are displayed in the text area, and can subsequently be uploaded by clicking the OK button.

Note

You can also type directly into the text area to modify the krb5.conf contents. Please refer to your Kerberos documentation for more information on the settings that can be configured in the krb5.conf file.

Advanced settings

The check boxes on this screen enable you to configure various tracing options for the underlying Kerberos API. Trace output is always written to the /trace directory of your API Gateway installation.

Kerberos Debug Trace:

Enables extra tracing from the Kerberos API layer.

SPNEGO Debug Trace:

Turns on extra tracing from the SPNEGO API layer.

Extra Debug at Login:

Provides extra tracing information during login to the Kerberos KDC.

Native GSS library

The Generic Security Services API (GSS-API) is an API for accessing security services, including Kerberos. Implementations of the GSS-API ship with the Linux and Solaris platforms and can be leveraged by the API Gateway when it is installed on these platforms. The fields on this tab allow you to configure various aspects of the GSS-API implementation for your target platform.

Note

These are instance-wide settings. If use of the native GSS API is selected, it will be used for all Kerberos operations. All Kerberos Clients and Services must therefore be configured to load their credentials natively.

If the native API is used, the following are not supported:

  • The SPNEGO mechanism.

  • The WS-Trust for SPNEGO standard as it requires the SPNEGO mechanism.

  • The SPNEGO over HTTP standard as it requires the SPNEGO mechanism. (It is possible to use the KERBEROS mechanism with this protocol, but this would be non-standard.)

  • Signing and encrypting using the Kerberos session keys.

Use Native GSS Library:

Select this check box to use the operating system's native GSS implementation. This option only applies to API Gateway installations on the Linux and Solaris platforms.

Native GSS Library Location:

If you have opted to use the native GSS library, enter the location of the GSS library in the field provided, for example, /usr/lib/libgssapi.so. On Linux, the library is called libgssapi.so. On Solaris, this library is called libgss.so.

Note

This setting is only required when this library is in a non-default location.

Native GSS Trace:

Use this option to enable debug tracing for the native GSS library.