Configure API Gateway policy

This section describes how to configure API Gateway as the Kerberos service using Policy Studio. For more information on working in Policy Studio, see the API Gateway Policy Developer Guide.

Configure a Kerberos service

  1. In the node tree, click Environment Configuration > External Connections > Kerberos Services, and add a new Kerberos service.
  2. Enter a name for the service, such as ServiceGateway Kerberos Service, and select the Kerberos Principal you configured (ServiceGateway).
  3. Click Enter Password, and enter the password for gateway@AXWAY.COM.
  4. On the Advanced tab, set Mechanism to SPNEGO_MECHANISM, and click OK.

For more details on the fields and options in this configuration window, see Configure Kerberos services in the API Gateway Policy Developer Guide.

Configure a Kerberos policy

The following section describes how to configure the Kerberos policy for API Gateway as the Kerberos service.

To start, add a new policy named, for example, Kerberos Service SPNEGO.

Configure the Kerberos authentication

  1. Open the Authentication category in the palette, and drag a Kerberos Service filter onto the policy canvas.
  2. Select the Kerberos service you configured (ServiceGateway Kerberos Service), select SPNEGO Over HTTP, and click OK.
    For more details on the fields and options in this configuration window, see Kerberos service authentication in the API Gateway Policy Developer Filter Reference.
  3. Right-click the Kerberos Service filter on the policy canvas, and select Set as Start.

Configure connection to the back-end service

  1. Configure the authentication mechanism the back-end service requires. The required filters and configuration details depend on the type of authentication. For more details on different authentication methods, see the API Gateway Policy Developer Guide.
  2. Open the Routing category in the filter palette, and drag a Connect to URL filter onto the policy canvas.
  3. Enter the URL that invokes the back-end service, and click Finish.
    For more details on the fields and options in this configuration window, see Connect to URL in the API Gateway Policy Developer Filter Reference.

Build the policy

  1. Click the Add Relative Path icon, create a new relative path /gw-service-to-back-end that links to the Kerberos policy, and click OK.
  2. Connect the filters with success paths.
    Figure: Policy with Kerberos Service, Set Success Message, and Reflect Message filters

The policy has the following flow:

  • API Gateway authenticates the client application, such as a browser, using Kerberos authentication.
  • API Gateway creates the authentication tokens the back-end service requires.
  • API Gateway connects and authenticates to the back-end service.

If API Gateway can map the Kerberos credentials received from the client app to the end-user-specific credentials in the non-Kerberos authentication mechanism, API Gateway can authenticate the actual end user to the back-end service.

Deploy the configuration

To deploy the configuration to API Gateway, click the Deploy icon.

You have now configured and deployed a simple Kerberos policy for SPNEGO authentication.

The most common client application in this scenario is a standard browser. In addition to configuring API Gateway, you must also configure your browser to authenticate to API Gateway. For more details, see Configure your browser to authenticate to API Gateway.
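When testing the deployed policy with a browser, it helps to confirm that the client really sends a SPNEGO token and not an NTLM message or a bare Kerberos token. The following is an added example, not part of the Axway documentation or product: it classifies the value of an Authorization: Negotiate header as captured in a trace of a request to /gw-service-to-back-end. The function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii

# DER-encoded OID contents of the GSS-API mechanisms of interest.
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # client sent an NTLM message, not a Kerberos ticket
    # GSS-API initial token: 0x60 <DER length> 0x06 <OID length> <OID> ...
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    # Skip the DER length: one octet, plus N more in long form (0x80 | N).
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
    if pos + 2 > len(token) or token[pos] != 0x06:
        return "unknown"
    oid = token[pos + 2: pos + 2 + token[pos + 1]]
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")


def build_sample(oid, body=b"\xa0\x03\x30\x01\x00"):
    """Constructed token (no real ticket): GSS-API wrapper around a dummy body."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()


if __name__ == "__main__":
    samples = [  # constructed header values
        build_sample(SPNEGO_OID),
        build_sample(KRB5_OID),
        "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    ]
    for value in samples:
        print(classify_negotiate(value))
```

A result of spnego matches the SPNEGO_MECHANISM setting chosen on the Advanced tab of the Kerberos service; ntlm usually means the browser is not yet configured for Kerberos authentication to the gateway host.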

By default, the connection between the browser and API Gateway acting as the Kerberos service is unsecured. For details on how to change to a secured connection, see Configure browser authentication over SSL/TLS.
