The Kerberos Configuration screen enables you to configure API Gateway instance-wide Kerberos settings. The most important setting allows you to upload a Kerberos configuration file to the API Gateway, which contains information about the location of the Kerberos Key Distribution Center (KDC), encryption algorithms and keys, and domain realms to use.
You can also configure trace options for the various APIs used by the Kerberos system. For example, these include the Generic Security Services (GSS) and Simple and Protected GSSAPI Negotiation (SPNEGO) APIs.
Linux and Solaris platforms ship with a native implementation of the GSS library, which can be leveraged by the API Gateway. The location of the GSS library can be specified using settings on this screen.
The Kerberos configuration file (krb5.conf) is required by the Kerberos system to configure the location of the Kerberos KDC, supported encryption algorithms, and default realms.
The file is required by both Kerberos Clients and Services that are configured for the API Gateway. Kerberos Clients need to know the location of the KDC so that they can obtain a Ticket Granting Ticket (TGT). They also need to know what encryption algorithms to use and to what realm they belong.
A Kerberos Client or Service knows which realm it belongs to in one of two ways: either the realm is appended to the principal name after the @ symbol, or, if no realm is specified in the principal name, it is assumed to be the default_realm specified in the krb5.conf file.
Kerberos Services do not need to talk to the KDC to request a TGT. However, they still require the information about supported encryption algorithms and default realms contained in the krb5.conf file. There is only one default_realm specified in this file, but you can specify a number of additional named realms. The default_realm setting is found in the [libdefaults] section of the krb5.conf file. It points to a realm in the [realms] section. This setting is not required.
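The following is an added example, not code from the API Gateway product or its documentation: a minimal parser for the krb5.conf constructs described above, with a constructed sample file (realm names, KDC hosts and encryption types are illustrative, not from any real deployment). It shows how default_realm in [libdefaults] points at an entry in [realms], how a principal's realm is resolved (the part after @, otherwise default_realm), and which inconsistencies a client would trip over before it ever contacts a KDC.

```python
"""Added example (not part of the API Gateway documentation): a small
krb5.conf parser that models default_realm, named realms and principal
realm resolution as described on the page."""
import re

# Constructed sample krb5.conf; realm names, hosts and enctypes are
# illustrative and are not taken from any real deployment.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com:749
    }
    PARTNER.NET = {
        kdc = kdc.partner.net
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | [values] | {subkeys}}}.

    Handles the two constructs the page relies on: flat 'key = value' lines
    (as in [libdefaults]) and 'NAME = { ... }' sub-blocks (as in [realms]).
    Repeated keys such as several 'kdc' lines are collected into a list.
    """
    config = {}
    section = None
    block = None  # dict of the current 'NAME = { ... }' sub-block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = config.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % line)
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        if key in target:
            existing = target[key]
            target[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            target[key] = value
    return config


def resolve_realm(principal, config):
    """Realm a principal belongs to: the part after '@' if present,
    otherwise default_realm from [libdefaults]; error if neither exists."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    default = config.get("libdefaults", {}).get("default_realm")
    if not default:
        raise ValueError("no realm in principal and no default_realm configured")
    return default


def kdcs_for_realm(realm, config):
    """List of KDC addresses a client would contact for a TGT in this realm."""
    realm_cfg = config.get("realms", {}).get(realm)
    if realm_cfg is None:
        raise KeyError("realm %s is not defined in [realms]" % realm)
    kdc = realm_cfg.get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


def check_config(config):
    """Problems a client would hit with this file: default_realm that has no
    [realms] entry, or a realm with no kdc line (no way to obtain a TGT)."""
    problems = []
    default = config.get("libdefaults", {}).get("default_realm")
    realms = config.get("realms", {})
    if default and default not in realms:
        problems.append("default_realm %s has no entry in [realms]" % default)
    for name, realm_cfg in realms.items():
        if "kdc" not in realm_cfg:
            problems.append("realm %s has no kdc line; clients cannot obtain a TGT" % name)
    return problems


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(resolve_realm("gateway/api.example.com", cfg))  # falls back to default_realm
    print(resolve_realm("alice@PARTNER.NET", cfg))         # explicit realm wins
    print(kdcs_for_realm("EXAMPLE.COM", cfg))
    print(check_config(cfg))
```

Running check_config on the file before uploading it catches the two mistakes that most often surface only as an opaque login failure: a default_realm that is spelled differently from its [realms] entry, and a realm block with no kdc line. A service principal that carries no @REALM suffix resolves to default_realm, which is why the page notes that services still need this file even though they never request a TGT.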
A default krb5.conf is displayed in the text area, which can be modified where appropriate and then uploaded to the API Gateway's configuration by clicking the OK button.
Alternatively, if you already have a krb5.conf file that you want to use, browse to this file using the Load File button. The contents of the file are displayed in the text area, and can subsequently be uploaded by clicking the OK button.
Note: You can also type directly into the text area to modify the
The check boxes on this screen enable you to configure various tracing options for the underlying Kerberos API. Trace output is always written to the /trace directory of your API Gateway installation.
Kerberos Debug Trace: Enables extra tracing from the Kerberos API layer.
SPNEGO Debug Trace: Turns on extra tracing from the SPNEGO API layer.
Extra Debug at Login: Provides extra tracing information during login to the Kerberos KDC.
The Generic Security Services API (GSS-API) is an API for accessing security services, including Kerberos. Implementations of the GSS-API ship with the Linux and Solaris platforms and can be leveraged by the API Gateway when it is installed on these platforms. The fields on this tab allow you to configure various aspects of the GSS-API implementation for your target platform.
Note: These are instance-wide settings. If use of the native GSS API is selected, it will be used for all Kerberos operations. All Kerberos Clients and Services must therefore be configured to load their credentials natively.
If the native API is used, the following will not be supported:
- The SPNEGO mechanism.
- The WS-Trust for SPNEGO standard, as it requires the SPNEGO mechanism.
- The SPNEGO over HTTP standard, as it requires the SPNEGO mechanism. (It is possible to use the KERBEROS mechanism with this protocol, but this would be non-standard.)
- Signing and encrypting using the Kerberos session keys.
Use Native GSS Library: Check this checkbox to use the operating system's native GSS implementation. This option only applies to API Gateway installations on the Linux and Solaris platforms.
Native GSS Library Location: If you have opted to use the native GSS library, enter the location of the GSS library in the field provided, for example, /usr/lib/libgssapi.so. On Linux, the library is called libgssapi.so. On Solaris, this library is called libgss.so.
Note: This setting is only required when this library is in a non-default location.
Native GSS Trace: Use this option to enable debug tracing for the native GSS library.