We Have Moved
The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway
The documentation on this site will no longer be maintained after v21.02, please update your bookmarks.
Kerberos
Description
This configuration describes the Kerberos configuration file that IAG uses to perform Kerberos Constrained Delegation (KCD): IAG obtains a Kerberos service ticket on behalf of the authenticated user and presents it to a protected application as the means of authentication.
The Kerberos service must contain:
- keytab
- keytab_spn
- realms
- libdefaults
'keytab_spn' and 'keytab' must correspond to the service principal name and the generated key table of the account that IAG authenticates itself as. This account must be permitted to perform delegated authentication to the protected application.
This entry is an object that specifies a single Kerberos service.
Properties
The following tables describe the configuration properties for this component:

Name | Type | Constraints | Description
---|---|---|---
libdefaults | LIBDEFAULTS Object | Required | Advanced additional properties written to the [libdefaults] section of the Kerberos library configuration (see the LIBDEFAULTS Object table below).
keytab | string | Required | The Kerberos key table file which IAG will use to authenticate with the server.
capaths | array[CAPATHS Object] | | Authentication paths for non-hierarchical cross-realm authentication (see the CAPATHS Object table below).
keytab_spn | string | Required | The service principal name of the impersonating user when creating a Kerberos token. The service principal name can be determined by executing the Microsoft utility 'setspn' (that is, setspn -L user, where user is the identity of the IAG account).
realms | array[REALMS Object] | Required | Realm-specific contact information and settings for the Microsoft Windows Server realms used for Kerberos impersonation (see the REALMS Object table below).
LIBDEFAULTS Object
Advanced additional properties to be added to the Kerberos library configuration. These properties correspond to the properties in the [libdefaults] section of krb5.conf.

Name | Type | Constraints | Description
---|---|---|---
properties | array[PROPERTIES Object] | | The entries to write into the [libdefaults] section.

PROPERTIES Object
The properties to be added to the Kerberos libdefaults configuration. Each entry consists of a name and a value.

Name | Type | Constraints | Description
---|---|---|---
name | string | | Name of the entry to be written into the libdefaults section of the Kerberos configuration.
value | string | | Value of the entry to be written into the libdefaults section of the Kerberos configuration.
CAPATHS Object
Authentication paths for non-hierarchical cross-realm authentication. These entries correspond to the [capaths] section of krb5.conf, in which each client realm lists the server realms it can reach and the intermediate realm used to get there.

Name | Type | Constraints | Description
---|---|---|---
client_realm | string | | The client realm for this authentication path.
realms | array[REALMS Object] | | The server and intermediate realms for this capath (see the next table).

REALMS Object
The realms associated with this capath.

Name | Type | Constraints | Description
---|---|---|---
server_realm | string | | The server realm for this capath.
inter_realm | string | | The intermediate realm for this capath.
REALMS Object
Realm-specific contact information and settings associated with the Microsoft Windows Server to use for performing Kerberos impersonation.

Name | Type | Constraints | Description
---|---|---|---
hostname | string | | The hostname for this realm.
kdc | string | | The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included.
properties | array[PROPERTIES Object] | | Additional entries to write into this realm's block of the [realms] section (see the next table).
name | string | | The name of the Kerberos realm being configured.
PROPERTIES Object
Advanced additional properties to be added to the realm configuration. These properties correspond to the properties in the [realms] section of krb5.conf.

Name | Type | Constraints | Description
---|---|---|---
name | string | | Name of the entry to be written into the realms section of the Kerberos configuration.
value | string | | Value of the entry to be written into the realms section of the Kerberos configuration.
Example

```yaml
services:
  kerberos:
    keytab: "@ibm-app-gateway.keytab"
    keytab_spn: HTTP/ibm-app-gateway@IBM.COM
    realms:
      - name: IBM.COM
        kdc: ibm.com
    libdefaults:
      properties:
        - name: default_tgs_enctypes
          value: "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"
        - name: default_tkt_enctypes
          value: "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"
```

The enctype lists in this example include rc4-hmac and the single-DES types. Single-DES enctypes are disabled by default in current MIT Kerberos libraries (the allow_weak_crypto setting) and RC4-HMAC is deprecated, so in a new deployment restrict these lists to AES enctypes unless a legacy KDC requires otherwise.
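The following added example is not IAG code and is not from this page; it shows, in Python, the shape of a complete kerberos service object including the capaths and realm-level properties that the tables above describe but the example omits, checks the rules the Description states (the four required properties, and that keytab_spn names a configured realm), flags weak enctypes in the libdefaults lists, and renders the object into the krb5.conf sections each property corresponds to. The realm names, hostnames and SPN are hypothetical; the rendering is an illustration of the section mapping, not the file IAG itself generates, and the realm hostname property is left out because the page does not say which krb5.conf key it maps to.

```python
"""Check an IAG 'kerberos' service object and map it onto krb5.conf sections.
Illustrative code, not part of IAG."""
from typing import Dict, List

# Constructed sample mirroring the YAML layout on this page. Realm names, hosts
# and SPN are hypothetical. Unlike the page's example it also populates
# 'capaths' and realm-level 'properties'.
IAG_KERBEROS_SERVICE: Dict = {
    "keytab": "@ibm-app-gateway.keytab",
    "keytab_spn": "HTTP/ibm-app-gateway@EXAMPLE.COM",
    "libdefaults": {
        "properties": [
            {"name": "default_tgs_enctypes", "value": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"},
            {"name": "default_tkt_enctypes", "value": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"},
        ]
    },
    "realms": [
        {
            "name": "EXAMPLE.COM",
            "kdc": "dc1.example.com:88",
            "properties": [{"name": "admin_server", "value": "dc1.example.com"}],
        },
        {"name": "CORP.EXAMPLE.COM", "kdc": "dc1.corp.example.com"},
    ],
    # Non-hierarchical path: clients in CORP.EXAMPLE.COM reach EXAMPLE.COM
    # directly ('.' in krb5.conf means no intermediate realm).
    "capaths": [
        {
            "client_realm": "CORP.EXAMPLE.COM",
            "realms": [{"server_realm": "EXAMPLE.COM", "inter_realm": "."}],
        }
    ],
}

# The four properties the Description says the service must contain.
REQUIRED = ("keytab", "keytab_spn", "realms", "libdefaults")

# Single-DES, triple-DES and RC4 enctypes: deprecated or removed in current
# Kerberos implementations and best kept out of an IAG enctype list.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp", "arcfour-hmac-exp",
}


def validate_service(service: Dict) -> List[str]:
    """Return a list of problems; an empty list means the object passes."""
    problems = [f"missing required property: {key}" for key in REQUIRED if key not in service]
    spn = service.get("keytab_spn")
    if spn is not None:
        if "@" not in spn:
            problems.append("keytab_spn must be of the form service/host@REALM")
        else:
            # The SPN's realm must be one IAG knows a KDC for.
            spn_realm = spn.rsplit("@", 1)[1]
            known = {realm["name"] for realm in service.get("realms", [])}
            if spn_realm not in known:
                problems.append(f"keytab_spn realm {spn_realm} is not a configured realm")
    return problems


def find_weak_enctypes(libdefaults_properties: List[Dict]) -> Dict[str, List[str]]:
    """Map each *_enctypes libdefaults property to the weak enctypes it lists."""
    findings: Dict[str, List[str]] = {}
    for prop in libdefaults_properties:
        if not prop["name"].endswith("enctypes"):
            continue
        weak = [e for e in prop["value"].split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings[prop["name"]] = weak
    return findings


def render_krb5_conf(service: Dict) -> str:
    """Render [libdefaults], [realms] and [capaths] from the service object.

    Illustrates which krb5.conf section each IAG property lands in; the file IAG
    itself generates is not documented on the page. The realm 'hostname'
    property is not emitted (its krb5.conf key is not stated on the page).
    """
    lines: List[str] = ["[libdefaults]"]
    for prop in service.get("libdefaults", {}).get("properties", []):
        lines.append(f"    {prop['name']} = {prop['value']}")

    lines += ["", "[realms]"]
    for realm in service.get("realms", []):
        lines.append(f"    {realm['name']} = {{")
        if "kdc" in realm:
            lines.append(f"        kdc = {realm['kdc']}")
        for prop in realm.get("properties", []):
            lines.append(f"        {prop['name']} = {prop['value']}")
        lines.append("    }")

    if service.get("capaths"):
        lines += ["", "[capaths]"]
        for path in service["capaths"]:
            lines.append(f"    {path['client_realm']} = {{")
            for hop in path["realms"]:
                lines.append(f"        {hop['server_realm']} = {hop['inter_realm']}")
            lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_krb5_conf(IAG_KERBEROS_SERVICE))
    print("problems:", validate_service(IAG_KERBEROS_SERVICE))
    print("weak enctypes:", find_weak_enctypes(IAG_KERBEROS_SERVICE["libdefaults"]["properties"]))
```

Running the script prints the rendered sections followed by an empty problem list and no weak-enctype findings; feeding find_weak_enctypes the libdefaults values from the page's example reports rc4-hmac, des-cbc-md5 and des-cbc-crc under both default_tgs_enctypes and default_tkt_enctypes.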