Kerberos
services/kerberos
This configuration describes the Kerberos settings (the equivalent of a krb5.conf file) that IAG uses to perform Kerberos Constrained Delegation (KCD) when authenticating to a protected application on behalf of the user.
The Kerberos service must contain:
- keytab
- keytab_spn
- realms
- libdefaults
keytab_spn and keytab must correspond to the service principal name and the generated key table of the user that IAG authenticates itself as. This user must be permitted to perform delegated authentication: in Active Directory the account is trusted for constrained delegation to the protected application's service principal, typically with protocol transition, because IAG does not hold the user's own Kerberos credentials. Since an account with this trust can obtain service tickets for any user it names, protect the keytab as you would a password and limit the delegation target list to the services IAG actually fronts.
This entry is an object and specifies a single Kerberos service.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
keytab | string | Required | The Kerberos key table (keytab) file which IAG uses to authenticate itself to the KDC. The example below references the file with a leading `@`. |
keytab_spn | string | Required | The service principal name of the impersonating user, used when requesting a Kerberos token. The SPN can be determined with the Microsoft setspn utility (that is, `setspn -L user`, where `user` is the identity of the IAG account). |
realms | Array of realms | Required | Realm definitions; see services/kerberos/realms[]. |
libdefaults | libdefaults | Required | Kerberos library defaults; see services/kerberos/libdefaults. |
capaths | Array of capaths | Optional | Non-hierarchical cross-realm authentication paths; see services/kerberos/capaths[]. |
services/kerberos/realms[]
Realm-specific contact information and settings for the Microsoft Windows Server (the domain controller acting as KDC) that IAG uses to perform Kerberos impersonation.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
name | string | | The name of the Kerberos realm being configured. |
kdc | string | | The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. |
properties | Array of properties | | Additional realm settings; see services/kerberos/realms[]/properties[]. |
hostname | string | | The hostname for this realm. |
services/kerberos/realms[]/properties[]
Advanced additional properties to be added to the realm configuration. These properties correspond to the entries in the [realms] section of krb5.conf, inside the block for the realm named by name.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
name | string | | Name of the entry to be written into the realms section of the Kerberos configuration. |
value | string | | Value of the entry to be written into the realms section of the Kerberos configuration. |
services/kerberos/libdefaults
Advanced additional properties to be added to the Kerberos library configuration. These properties correspond to the properties in the [libdefaults] section of krb5.conf.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
properties | Array of properties | | The libdefaults entries; see services/kerberos/libdefaults/properties[]. |
services/kerberos/libdefaults/properties[]
The properties to be added to the Kerberos libdefaults configuration. Each entry consists of a name and a value.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
name | string | | Name of the entry to be written into the libdefaults section of the Kerberos configuration. |
value | string | | Value of the entry to be written into the libdefaults section of the Kerberos configuration. |
services/kerberos/capaths[]
Authentication paths for non-hierarchical cross-realm authentication. These entries correspond to the [capaths] section of krb5.conf, where each client realm lists, per server realm, the intermediate realm through which a ticket must be obtained.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
client_realm | string | | The client realm for this authentication path. |
realms | Array of realms | | The server and intermediate realms for this path; see services/kerberos/capaths[]/realms[]. |
services/kerberos/capaths[]/realms[]
The realms associated with this capath.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
server_realm | string | | The server realm for this capath. |
inter_realm | string | | The intermediate realm for this capath. |
Example

```yaml
services:
  kerberos:
    keytab: "@ibm-app-gateway.keytab"
    keytab_spn: HTTP/[email protected]
    realms:
      - name: IBM.COM
        kdc: ibm.com
    libdefaults:
      properties:
        - name: default_tgs_enctypes
          value: "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"
        - name: default_tkt_enctypes
          value: "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"
```

Note that the enctype lists in this example include rc4-hmac, des-cbc-md5 and des-cbc-crc. Single DES has been disabled by default in Active Directory since Windows Server 2008 R2, and RC4-HMAC is deprecated by RFC 8429. A new deployment should list only AES types (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96), and the keytab for the IAG account should be generated with matching AES keys so that the KDC never has to fall back to a weaker type.
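The page states that realms[].properties and libdefaults.properties correspond to the [realms] and [libdefaults] sections of krb5.conf, and that capaths entries describe non-hierarchical cross-realm paths. The following is an added example, not IAG's own code: it renders a services/kerberos object into the equivalent krb5.conf (IAG's actual rendering is not documented on this page and is an assumption here), checks that keytab_spn is well formed and names a configured realm, and flags the deprecated encryption types in the enctype lists before producing a hardened copy. The sample configuration is constructed inline; the EXAMPLE.COM realm, host names and capaths entries are made up for illustration.

```python
import copy
from typing import Dict, List

# Encryption types deprecated by RFC 6649 (DES, RC4-HMAC-EXP) and
# RFC 8429 (RC4-HMAC, triple DES). None should appear in a new deployment.
WEAK_ENCTYPES = {
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-cbc-sha1-kd", "des3-hmac-sha1",
}

# Constructed sample modelled on the page's example. Realm, hosts and the
# capaths entry are hypothetical; the enctype lists are the page's own.
SAMPLE_CONFIG = {
    "keytab": "@ibm-app-gateway.keytab",
    "keytab_spn": "HTTP/iag.example.com@EXAMPLE.COM",
    "realms": [{"name": "EXAMPLE.COM", "kdc": "dc01.example.com:88"}],
    "libdefaults": {"properties": [
        {"name": "default_tgs_enctypes",
         "value": "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"},
        {"name": "default_tkt_enctypes",
         "value": "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"},
    ]},
    # "." as inter_realm is krb5.conf's marker for a direct trust path.
    "capaths": [{"client_realm": "EXAMPLE.COM", "realms": [
        {"server_realm": "CORP.EXAMPLE.COM", "inter_realm": "."},
    ]}],
}


def _props(entries: List[Dict[str, str]], indent: str) -> List[str]:
    """Turn an IAG [{name, value}] property list into 'name = value' lines."""
    return [f"{indent}{p['name']} = {p['value']}" for p in entries]


def render_krb5_conf(cfg: Dict) -> str:
    """Render the krb5.conf sections that the IAG object corresponds to.
    The realm-level 'hostname' field has no documented krb5.conf mapping
    on the page, so it is deliberately not emitted."""
    lines = ["[libdefaults]"]
    lines += _props(cfg.get("libdefaults", {}).get("properties", []), "    ")
    lines += ["", "[realms]"]
    for realm in cfg.get("realms", []):
        lines.append(f"    {realm['name']} = {{")
        lines.append(f"        kdc = {realm['kdc']}")
        lines += _props(realm.get("properties", []), "        ")
        lines.append("    }")
    if cfg.get("capaths"):
        lines += ["", "[capaths]"]
        for cp in cfg["capaths"]:
            lines.append(f"    {cp['client_realm']} = {{")
            for r in cp.get("realms", []):
                lines.append(f"        {r['server_realm']} = {r['inter_realm']}")
            lines.append("    }")
    return "\n".join(lines) + "\n"


def weak_enctypes(cfg: Dict) -> List[str]:
    """Deprecated enctypes named in any libdefaults *_enctypes value."""
    found = set()
    for p in cfg.get("libdefaults", {}).get("properties", []):
        if p["name"].endswith("enctypes"):
            found.update(t for t in p["value"].split()
                         if t.lower() in WEAK_ENCTYPES)
    return sorted(found)


def strip_weak_enctypes(cfg: Dict) -> Dict:
    """Return a copy of cfg with deprecated enctypes removed; the keytab
    must then hold AES keys for the remaining types or tickets will fail."""
    out = copy.deepcopy(cfg)
    for p in out.get("libdefaults", {}).get("properties", []):
        if p["name"].endswith("enctypes"):
            p["value"] = " ".join(t for t in p["value"].split()
                                  if t.lower() not in WEAK_ENCTYPES)
    return out


def check_keytab_spn(cfg: Dict) -> List[str]:
    """Sanity checks: service/host@REALM form, upper-case realm, realm configured."""
    problems = []
    spn = cfg.get("keytab_spn", "")
    if "@" not in spn or "/" not in spn.split("@", 1)[0]:
        return ["keytab_spn must look like service/host@REALM"]
    realm = spn.rsplit("@", 1)[1]
    if realm != realm.upper():
        problems.append(f"realm {realm!r} in keytab_spn is not upper case")
    if realm not in {r["name"] for r in cfg.get("realms", [])}:
        problems.append(f"realm {realm!r} has no entry under realms")
    return problems


if __name__ == "__main__":
    print(render_krb5_conf(SAMPLE_CONFIG))
    print("weak enctypes:", weak_enctypes(SAMPLE_CONFIG))
    print("spn problems:", check_keytab_spn(SAMPLE_CONFIG))
    print(render_krb5_conf(strip_weak_enctypes(SAMPLE_CONFIG)))
```

Running the script on the sample prints the weak-type list and then the hardened krb5.conf whose enctype lines contain only aes256-cts. The SPN check is intentionally strict about realm case: Kerberos realm names are case-sensitive, and a lower-case realm in keytab_spn will not match the entry under realms or the principal stored in the keytab.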