Configure API Gateway policy

This section describes how to configure API Gateway as the Kerberos client using Policy Studio. For more information on working in Policy Studio, see the API Gateway Policy Developer Guide.

Configure a Kerberos client

  1. In the node tree, click Environment Configuration > External Connections > Kerberos Clients.
  2. Click Add a Kerberos Client, and enter a name for your client (such as ClientGateway Kerberos Client).
  3. On the Kerberos Endpoint tab, set the following:
    • Load via JAAS Login: Select this option and the Request from KDC option.
    • Kerberos Principal: Your API Gateway principal (ClientGateway).
    • Enter Password: Enter the password for ClientGateway@AXWAY.COM.
    • Enabled: Make sure this option is selected.
  4. On the Advanced tab, set the following:
    • Mechanism: SPNEGO_MECHANISM.
    • Context Settings: Select the following options:
      • Mutual authentication
      • Integrity
      • Confidentiality
      • Anonymity
      • Replay Detection
      • Sequence Checking
    • Synchronize to Avoid Replay Errors at Service: Deselect this option to improve performance.

For more details on the fields and options in this configuration window, see Configure Kerberos clients in the API Gateway Policy Developer Guide.

Configure a Kerberos profile for the Kerberos client

  1. In the node tree, click Environment Configuration > External Connections > Client Credentials > Kerberos.
  2. Add a Kerberos profile as follows:
    • Profile Name: Authenticate to back-end service.
    • Kerberos Client: Your Kerberos client (ClientGateway Kerberos Client).
    • Kerberos Service Principal: Your back-end service Kerberos service principal.
    • Send token with first request: Select this option.

For more details on the fields and options in this configuration window, see Configure Kerberos client credential profiles in the API Gateway Policy Developer Guide.

Configure a Kerberos policy

The following section describes how to configure the Kerberos policy for API Gateway as the Kerberos client.

To start, add a new policy named, for example, Kerberos Client SPNEGO.

Configure the end user authentication method

In this example, API Gateway authenticates the end user application using HTTP Basic. Depending on your environment, you may want to use a different authentication mechanism. For more details on the authentication filters available in API Gateway, see Authentication filters in the API Gateway Policy Developer Filter Reference.

  1. Open the Authentication category, and drag an HTTP Basic filter onto the policy canvas.
  2. Set Credential Format to User Name, and select Allow client challenge.
  3. Set Repository Name to Local User Store, and click Finish.
    For more details on the fields and options in this configuration window, see HTTP basic authentication in the API Gateway Policy Developer Filter Reference.
  4. Right-click the HTTP Basic filter, and select Set as Start.

API Gateway does not authenticate the end user to the back end. The back-end service only sees API Gateway's Kerberos credentials regardless of how the end user authenticates to API Gateway.

Configure connection to the back-end service

  1. Open the Routing category in the filter palette, and drag a Connect to URL filter onto the policy canvas.
  2. Enter the URL that invokes the back-end service.
  3. On the Authentication tab, choose the Kerberos credential profile configured earlier (Authenticate to back-end service), and click Finish.

If the back-end service requires an SSL/TLS connection, SSL must be configured on the Connect to URL filter. For more details on the fields and options in this configuration window, see Connect to URL in the API Gateway Policy Developer Filter Reference.

Build the policy

  1. Click the Add Relative Path icon to create a new relative path (for example, /gw-client-to-back-end) that links to this Kerberos policy.
  2. Connect the filters with a success path.

The policy looks like this:

The policy has the following flow:

  • Client application authenticates to API Gateway.
  • API Gateway sends a request to the back-end service. The request contains a Kerberos SPNEGO token where the client principal is API Gateway.
  • The back-end service authenticates API Gateway and returns a response to API Gateway.

Configure Kerberos system settings

  1. In the node tree, click Environment Configuration > Server Settings > Security > Kerberos, and click Add Kerberos Configuration.
  2. On the krb5.conf tab, change the following settings:

       [libdefaults]
       default_realm = AXWAY.COM

       [realms]
       AXWAY.COM = {
         kdc = dc.axway.com
       }

     Replace the realm settings in the example code with your Kerberos realm, and set the kdc setting to the host name of your Windows Domain Controller.

For more details on the fields and options in this configuration window, see Kerberos configuration in the API Gateway Policy Developer Guide.
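A mismatch between the realm in krb5.conf and the realm of the client principal (ClientGateway@AXWAY.COM) is a common cause of JAAS login failures. The following added example, which is not part of the Axway documentation or product, parses the krb5.conf fragment above and checks that default_realm matches the principal's realm, that the realm is upper-case, and that a kdc is defined for it; the sample configuration text is constructed from the settings shown on this page.

```python
import re

# Constructed sample mirroring the krb5.conf settings shown above.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = AXWAY.COM

[realms]
  AXWAY.COM = {
    kdc = dc.axway.com
  }
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines, and NAME = { ... } blocks such as the realm entry under [realms]."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("setting outside of any section: %s" % line)
        m = re.match(r"^([\w.\-]+)\s*=\s*\{$", line)
        if m:  # start of a nested block, e.g. "AXWAY.COM = {"
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %s" % line)
        (block if block is not None else section)[key.strip()] = value.strip()
    return sections

def check_client_config(conf, principal):
    """Return a list of problems for the given client principal; an empty
    list means krb5.conf is consistent with that principal's realm."""
    problems = []
    realm = principal.rpartition("@")[2]
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm != realm:
        problems.append("default_realm %r != principal realm %r" % (default_realm, realm))
    if realm != realm.upper():
        problems.append("realm %r is not upper-case; realms are case-sensitive" % realm)
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        problems.append("no kdc defined for realm %r under [realms]" % realm)
    return problems
```

Run check_client_config against the contents of the krb5.conf tab before deploying; any returned string points at a setting that will make the Kerberos client's Request from KDC login fail.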

Deploy the configuration

To deploy the configuration to API Gateway, click the Deploy icon.

You have now configured and deployed a simple Kerberos policy for SPNEGO authentication.

For a list of other use cases covered in this guide, see Kerberos use cases.

Test the configuration

Use a third-party application, such as Postman or similar, to call the Kerberos policy in API Gateway.

The back-end Kerberos service should send a confirmation on a successful authentication.

The Traffic Monitor tab on the API Gateway Manager (https://localhost:8090) is an excellent place to view and troubleshoot the message flows. For more details, see Monitor services in API Gateway Manager in the API Gateway Administrator Guide.