Configure API Gateway to act as the Kerberos client

This section describes how to configure API Gateway to act as a Kerberos client (DemoClient@AXWAY.COM) in Policy Studio. For more information on working in Policy Studio, see the API Gateway Policy Developer Guide.

Configure a Kerberos client

  1. In the node tree, click Environment Configuration > External Connections > Kerberos Clients.
  2. Click Add a Kerberos Client, and enter a name for your client (DemoClient Kerberos Client).
  3. On the Kerberos Endpoint tab, set the following:
    • Load via JAAS Login: Select this option and the Request from KDC option.
    • Kerberos Principal: DemoClient.
    • Enter Password: Enter the password.
    • Enabled: Make sure this option is selected.
  4. On the Advanced tab, set the following:
    • Mechanism: SPNEGO_MECHANISM.
    • Context Settings: Select the following options:
      • Mutual authentication
      • Integrity
      • Confidentiality
      • Anonymity
      • Replay Detection
      • Sequence Checking
    • Synchronize to Avoid Replay Errors at Service: If API Gateway is running on Windows, select this option, and enter the time to pause in milliseconds (for example, 15). If API Gateway is running on UNIX/Linux, deselect this option to improve performance.

For more details on the fields and options in this configuration window, see Configure Kerberos clients in the API Gateway Policy Developer Guide.

Configure a Kerberos profile for the Kerberos client

  1. In the node tree, click Environment Configuration > External Connections > Client Credentials > Kerberos.
  2. Add a Kerberos profile as follows:
    • Profile Name: Authenticate to DemoService.
    • Kerberos Client: DemoClient Kerberos Client.
    • Kerberos Service Principal: DemoService.
    • Send token with first request: Select this option.

For more details on the fields and options in this configuration window, see Configure Kerberos client credential profiles in the API Gateway Policy Developer Guide.

Configure a client-side policy

  1. Add a new policy named, for example, Kerberos Demo Client-Side.
  2. Open the Routing category in the filter palette, and drag a Connect to URL filter onto the policy canvas.
  3. Enter the URL used to invoke the Kerberos service-side policy in the Kerberos service. In this example, DemoClient@AXWAY.COM calls out and back to the same API Gateway instance on http://localhost:8080/service to call DemoService@AXWAY.COM.
  4. On the Authentication tab, choose the Kerberos credential profile configured earlier (Authenticate to DemoService), and click Finish.
    For more details on the fields and options in this configuration window, see Connect to URL in the API Gateway Policy Developer Filter Reference.
  5. Right-click the Connect to URL filter, and select Set as Start.
  6. Click on the Add Relative Path icon to create a new relative path /client that links to this Kerberos client-side policy.

The policy looks like this:

(Figure: Policy with "Connect to URL" filter)

The client-side policy has the following flow:

  • Send a request with a SPNEGO Kerberos token to the Kerberos service on URL http://localhost:8080/service.
  • Pass the response from Kerberos service back to the calling application.

Configure Kerberos system settings

  1. In the node tree, click Environment Configuration > Server Settings > Security > Kerberos, and click Add Kerberos Configuration.
  2. On the krb5.conf tab, change the following settings:

       [libdefaults]
       default_realm = AXWAY.COM

       [realms]
       AXWAY.COM = {
           kdc = dc.axway.com
       }

     Replace the realm settings in the example code with your Kerberos realm, and set the kdc setting to the host name of your Windows Domain Controller.
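An added pre-deployment check, written for this page and not part of API Gateway or Policy Studio: it parses a krb5.conf fragment like the one above and confirms that default_realm names an upper-case realm that has a [realms] block with a kdc entry. The sample configuration is constructed from the values shown on this page.

```python
# Constructed sample: the page's krb5.conf fragment before the realm and kdc are replaced.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = AXWAY.COM

[realms]
AXWAY.COM = {
    kdc = dc.axway.com
}
"""

def parse_krb5_conf(text):
    """Parse krb5.conf sections into {section: {key: value}}; realm blocks nest as dicts."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                      # e.g. libdefaults, realms
            sections.setdefault(section, {})
            realm = None
        elif line.endswith("{"):
            realm = line[:-1].strip(" =")             # "AXWAY.COM = {" -> "AXWAY.COM"
            sections.setdefault(section, {})[realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = sections.setdefault(section, {})
            if realm:
                target = target.setdefault(realm, {})
            target[key] = value
    return sections

def check_krb5_conf(text):
    """Return problems that would stop the JAAS login from reaching the KDC ([] means consistent)."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    problems = []
    if realm != realm.upper():                        # realm names are case-sensitive; AD realms are upper case
        problems.append(f"realm {realm!r} is not upper case")
    block = conf.get("realms", {}).get(realm)
    if block is None:
        problems.append(f"default_realm {realm!r} has no [realms] entry")
    elif not block.get("kdc"):
        problems.append(f"realm {realm!r} has no kdc setting")
    return problems
```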

For more details on the fields and options in this configuration window, see Kerberos configuration in the API Gateway Policy Developer Guide.

Deploy the configuration

To deploy the configuration to API Gateway, click the Deploy icon.

You have now configured and deployed a simple client-side policy for Kerberos authentication using SPNEGO. You still need to configure the Kerberos service-side policy that runs when the above policy calls http://localhost:8080/service. See Configure API Gateway to act as the Kerberos service.
