Oracle® Fusion Middleware
Part 8. External connections

Client credentials enable you to globally configure client authentication settings for the following authentication options:

You can configure settings for client credentials under the External Connections node in the Policy Studio tree, which you can then specify at the filter level (for example, in the Connection and Connect To URL filters).

API key client credential profiles enable you to globally configure authentication settings for API keys as a client. API keys are supplied by client users and applications calling REST APIs to allow the API service provider to track and control how the APIs are used (for example, to meter access and prevent abuse or malicious attack).

To configure API key client credential profiles, you must first configure a provider. The following Amazon Web Services provider configurations are included in an out-of-the-box installation of API Gateway:

A client can authenticate to the API service provider with a user name and password combination using HTTP basic authentication or HTTP digest authentication.

To add a HTTP basic/digest client credential profile, click the HTTP Basic node, and click the Add button on the HTTP Basic/Digest Client Credentials window. Complete the following fields on the Add HTTP Authentication Profile dialog:

Profile Name:

Enter a suitable name for this HTTP authentication profile.

Choose Authentication Type:

Select the Basic or Digest radio button to specify the type of HTTP authentication to use, and enter a user name and password in the Username and Password fields.

Automatically send credentials:

Select this option to automatically send credentials in the request. This is the equivalent of Send token with first request in Kerberos. This option is selected by default.

After you have configured your HTTP client credentials globally, you can select the client credential profile to use for authentication on the Authentication tab of your filter (for example, in the Connection and Connect To URL filters). For more information, see the Connection and Connect to URL topics.

A client can authenticate to a Kerberos service by sending a Kerberos service ticket in the HTTP request to that service.

To add a Kerberos client credential profile, click the Kerberos node, and click the Add button on the Kerberos Client Credentials window. Complete the following fields on the Add Kerberos Profile dialog:

Profile Name:

Enter a suitable name for this Kerberos authentication profile.

Kerberos Client:

Click the browse button to select a Kerberos client. The selected Kerberos client has two roles. First, it must obtain a Kerberos Ticket Granting Ticket (TGT). Second, it uses this TGT to obtain a service ticket for the Kerberos Service Principal selected below.

You can configure Kerberos clients globally under the External Connections node in the Policy Studio tree. These can then be selected in the Kerberos Client field. For more details on configuring Kerberos clients, see the Configure Kerberos clients topic.

Kerberos Service Principal:

Click the browse button to select a Kerberos service principal. The Kerberos client must obtain a ticket from the Kerberos Ticket Granting Server (TGS) for the selected Kerberos service principal. The service principal can be used to uniquely identify the service in the Kerberos realm. The TGS grants a ticket for the selected principal, which the client can then send to the Kerberos service. The principal in the ticket must match the Kerberos service's principal for the client to be successfully authenticated.

You can also configure Kerberos principals globally under the External Connections node in the Policy Studio tree. For more details on configuring Kerberos principals, see the Configure Kerberos principals topic.

Send token with first request:

In some cases, the client might not authenticate (send the Authorization HTTP header) to the Kerberos service on its first request. The Kerberos service should then respond with an HTTP 401 response containing a WWW-Authenticate: Negotiate HTTP header. This header value instructs the client to authenticate to the server by sending up the Authorization header. The client then sends up a second request, this time with the Authorization header, which contains the relevant Kerberos token. Select this option to always send the Authorization HTTP header that contains the Kerberos service ticket on the first request to the Kerberos service. This option is selected by default.

Send body only after establish context:

Select this option to configure the Kerberos client to only send the message body after the context has been fully established (the client has mutually authenticated with the service). This option is not selected by default.

Pass when service returns 200 even if context not established:

In rare cases, a Kerberos service might return a 200 OK response to a Kerberos client's initial request even though the security context has not yet been fully established. This 200 OK response might not contain the WWW-authenticate HTTP header. Select this option to send the request to the Kerberos service even if the context has not been established. It is the responsibility of the Kerberos service to decide whether to process the request depending on the status of the security context. This option is not selected by default.

After you have configured your Kerberos client credentials globally, you can select the client credential profile to use for authentication on the Authentication tab of your filter (for example, in the Connection and Connect To URL filters). For more information, see the Connection and Connect to URL topics.