Configure API Gateway to act as the Kerberos service

This section describes how to configure API Gateway to act as a Kerberos service (DemoService@AXWAY.COM) in Policy Studio. For more information on working in Policy Studio, see the API Gateway Policy Developer Guide.

Configure a Kerberos service

  1. In the node tree, click Environment Configuration > External Connections > Kerberos Services.
  2. Click Add a Kerberos Service, and enter a name for your service (DemoService Kerberos Service).
  3. On the Kerberos Endpoint tab, set the following:
    • Kerberos Principal: DemoService@AXWAY.COM
    • Enter Password: Enter the password you configured for the user account in Active Directory.
    • Enabled: Select this option.
  4. On the Advanced tab, set Mechanism to SPNEGO_MECHANISM, and click OK.

For more details on the fields and options in this configuration window, see Configure Kerberos services in the API Gateway Policy Developer Guide.

Configure a service-side policy

  1. Add a new Policy named, for example, Kerberos Demo Service-Side.
  2. Open the Authentication category in the filter palette, and drag a Kerberos Service filter onto the policy canvas.
  3. Set Kerberos Service to the Kerberos service you created (DemoService Kerberos Service), change Kerberos Standard to SPNEGO Over HTTP, and click Finish.
    For more details on the fields and options in this configuration window, see Kerberos service authentication in the API Gateway Policy Developer Filter Reference.
  4. Right-click the Kerberos Service filter, and select Set as Start.
  5. Open the Conversion category in the palette, and drag a Set Message filter onto the policy canvas.
  6. Set Content type as text/xml, copy the following code to Message Body, and click Finish:
    <Response>Kerberos client '${authentication.subject.id} authenticated' successfully.</Response>
  7. Open the Utility category in the palette, and drag a Reflect Message filter onto the policy canvas.
  8. Click Add Relative Path, and create a new relative path /service that links to this Kerberos service-side policy.
  9. Connect the filters with success paths.
    [Figure: Service-side policy with Kerberos Service, Set Message, and Reflect Message filters]

The policy has the following flow:

  • Authenticate the client.
  • Return a response with an HTTP status 200 if the authentication passes.

Deploy the configuration

To deploy the configuration to your Kerberos service, click the Deploy icon.

You have now configured a simple service-side policy for SPNEGO authentication. The Kerberos client invokes this policy on http://localhost:8080/service.

To test that your Kerberos authentication works as expected, see Test the policies.
