services/kerberos

This configuration describes the Kerberos settings (the equivalent of a krb5.conf file) which IAG uses to perform Kerberos Constrained Delegation (KCD) as a means of authenticating to a protected application: IAG authenticates the user itself, then uses the configured keytab to obtain a Kerberos service ticket for that user to the application.
The Kerberos service must contain:

  • keytab
  • keytab_spn
  • realms
  • libdefaults

keytab_spn and keytab must correspond to the service principal name and the generated key table of the account which IAG authenticates itself as. This account must have permission to perform delegated authentication; in Active Directory that means constrained delegation to the target application's service, with protocol transition ("use any authentication protocol") enabled, because IAG never receives a Kerberos ticket from the user. Treat the keytab as a secret equivalent to that account's password: whoever holds it can obtain tickets as any user to every service the account is allowed to delegate to, so keep the delegation target list as narrow as possible.
This entry is a single object; only one Kerberos service can be configured.

Properties

Name        | Type             | Constraints | Description
keytab      | string           |             | The Kerberos key table file containing the key for keytab_spn, which IAG uses to authenticate itself to the KDC.
keytab_spn  | string           |             | The service principal name IAG uses when requesting delegated tickets, including the realm suffix (see the example below). On Windows, list the SPNs registered to the IAG service account with the Microsoft setspn utility (setspn -L user, where user is the identity of the IAG account); the value here must be one of them.
realms      | Array of realms  |             | Realm definitions; see services/kerberos/realms[].
libdefaults | libdefaults      |             | Kerberos library defaults; see services/kerberos/libdefaults.
capaths     | Array of capaths |             | Cross-realm authentication paths; see services/kerberos/capaths[].
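Before pointing IAG at a keytab it is worth confirming, offline, that the file actually contains keytab_spn and that the key is an AES type. The following Python is an added example (not IAG's own code or tooling): it parses the MIT keytab format (version 0x0502), lists principals and encryption types, and reports findings. The sample keytab is constructed inside the block with a hypothetical SPN, realm and dummy key bytes.

```python
import struct
from dataclasses import dataclass

# Added example, not IAG code: parse an MIT-format keytab (version 0x0502)
# and check that the configured keytab_spn is present with an AES key.

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}
STRONG_ENCTYPES = {17, 18, 19, 20}   # the AES types


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    enctype: int
    kvno: int
    key: bytes


def _counted(raw: bytes) -> bytes:
    # keytab strings are 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a v2 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name type KRB5_NT_PRINCIPAL (1), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:         # 32-bit kvno present after the key
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm, enctype, kvno, key))
    return entries


def check_keytab(data: bytes, keytab_spn: str):
    """Findings a practitioner should fix before configuring IAG."""
    matching = [e for e in parse_keytab(data) if e.principal == keytab_spn]
    if not matching:
        return [f"keytab_spn {keytab_spn} not found in keytab"]
    findings = []
    for e in matching:
        if e.enctype not in STRONG_ENCTYPES:
            name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
            findings.append(f"{name} key (enctype {e.enctype}) present for {keytab_spn}; prefer AES-only keys")
    return findings


# Constructed sample: hypothetical SPN and realm, dummy key bytes.
SAMPLE_SPN = "HTTP/iag.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_SPN, 18, 3, bytes(range(32))),  # aes256-cts-hmac-sha1-96
    (SAMPLE_SPN, 23, 3, bytes(16)),         # rc4-hmac, should be retired
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, ENCTYPE_NAMES.get(e.enctype), "kvno", e.kvno)
    for finding in check_keytab(SAMPLE_KEYTAB, SAMPLE_SPN):
        print("FINDING:", finding)
```

To check a real file, read it in binary mode and pass the bytes together with the exact keytab_spn string from the IAG configuration; a mismatch in case or realm suffix shows up as "not found" here rather than as a delegation failure at runtime.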

services/kerberos/realms[]

Realm-specific contact information and settings for the Microsoft Windows Server domain controllers (KDCs) that IAG uses when performing Kerberos impersonation.

Properties

Name       | Type                | Constraints | Description
name       | string              |             | The name of the Kerberos realm being configured (for an Active Directory domain, the DNS domain name in upper case).
kdc        | string              |             | The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included; if omitted, the Kerberos default port 88 is used.
properties | Array of properties |             | Additional realm entries; see services/kerberos/realms[]/properties[].
hostname   | string              |             | The hostname for this realm.

services/kerberos/realms[]/properties[]

Advanced additional properties to be added to the Realm configuration. These properties correspond to the properties in the [realms] <realm name> section of krb5.conf.

Properties

Name  | Type   | Constraints | Description
name  | string |             | Name of the entry to be written into the realms section of the Kerberos configuration.
value | string |             | Value of the entry to be written into the realms section of the Kerberos configuration.

services/kerberos/libdefaults

Advanced additional properties to be added to the Kerberos library configuration. These properties correspond to the properties in the [libdefaults] section of krb5.conf.

Properties

Name       | Type                | Constraints | Description
properties | Array of properties |             | Entries for the libdefaults section; see services/kerberos/libdefaults/properties[].

services/kerberos/libdefaults/properties[]

The properties to be added to the Kerberos libdefaults configuration. Each entry consists of a name and a value.

Properties

Name  | Type   | Constraints | Description
name  | string |             | Name of the entry to be written into the libdefaults section of the Kerberos configuration.
value | string |             | Value of the entry to be written into the libdefaults section of the Kerberos configuration.

services/kerberos/capaths[]

Authentication paths for non-hierarchical cross-realm trust. These entries correspond to the [capaths] section of krb5.conf, where each client realm lists the intermediate realm to traverse for each server realm.

Properties

Name         | Type            | Constraints | Description
client_realm | string          |             | The client realm for this authentication path.
realms       | Array of realms |             | The server realms reachable from the client realm; see services/kerberos/capaths[]/realms[].

services/kerberos/capaths[]/realms[]

The realms associated with this capath.

Properties

Name         | Type   | Constraints | Description
server_realm | string |             | The server realm for this capath.
inter_realm  | string |             | The intermediate realm on the path from client_realm to server_realm. Use "." when the two realms trust each other directly.

Example

services:
  kerberos:
    keytab: "@ibm-app-gateway.keytab"
    keytab_spn: HTTP/[email protected]
    realms:
      - name: IBM.COM
        kdc: ibm.com
    libdefaults:
      properties:
        - name: default_tgs_enctypes
          value: "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"
        - name: default_tkt_enctypes
          value: "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"
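The enctype lists in the example above include rc4-hmac and the single-DES types des-cbc-md5 and des-cbc-crc. Single-DES support has been removed from MIT Kerberos (since release 1.18) and RC4 is deprecated, so a current krb5 library ignores or rejects those names; unless a legacy domain still requires RC4, restrict both lists to AES types and make sure the IAG service account and its keytab are AES-enabled. The following Python is an added example (not IAG's code): it renders a services/kerberos object of the shape documented on this page into the equivalent krb5.conf text, so the mapping from each property to its section is visible, and lints the enctype lists. The config dict is constructed here to mirror the YAML example, with hypothetical host and realm names; the realm hostname field is not rendered because the page does not say how it maps to krb5.conf.

```python
# Added example, not IAG code: render an IAG services/kerberos object to
# krb5.conf text and lint its encryption-type lists.  Mapping per the page:
#   realms[]                -> [realms] REALM = { kdc = ...; properties }
#   libdefaults.properties  -> [libdefaults] name = value
#   capaths[]               -> [capaths] CLIENT = { SERVER = INTER }
# The realm "hostname" field is deliberately not rendered (its krb5.conf
# equivalent is not defined on the page; assumption).

# Constructed sample mirroring the page's YAML example; host and realm
# names are hypothetical.
PAGE_STYLE_CONFIG = {
    "keytab": "@ibm-app-gateway.keytab",
    "keytab_spn": "HTTP/iag.example.com@EXAMPLE.COM",
    "realms": [
        {"name": "EXAMPLE.COM", "kdc": "dc1.example.com:88",
         "properties": [{"name": "admin_server", "value": "dc1.example.com"}]},
    ],
    "libdefaults": {"properties": [
        # the enctype lists as they appear in the page's example
        {"name": "default_tgs_enctypes",
         "value": "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"},
        {"name": "default_tkt_enctypes",
         "value": "rc4-hmac des-cbc-md5 des-cbc-crc aes256-cts"},
    ]},
    "capaths": [
        {"client_realm": "EXAMPLE.COM",
         "realms": [{"server_realm": "CORP.EXAMPLE.COM", "inter_realm": "."}]},
    ],
}

# What the libdefaults properties should look like on an AES-only domain.
HARDENED_LIBDEFAULTS = [
    {"name": "default_tgs_enctypes", "value": "aes256-cts aes128-cts"},
    {"name": "default_tkt_enctypes", "value": "aes256-cts aes128-cts"},
    {"name": "permitted_enctypes", "value": "aes256-cts aes128-cts"},
]

WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")
ENCTYPE_PROPERTIES = {"default_tgs_enctypes", "default_tkt_enctypes",
                      "permitted_enctypes"}


def weak_enctypes(libdefaults_properties):
    """Return (property, enctype) pairs naming weak, deprecated or removed types."""
    findings = []
    for prop in libdefaults_properties:
        if prop["name"] not in ENCTYPE_PROPERTIES:
            continue
        for enctype in prop["value"].split():
            if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES):
                findings.append((prop["name"], enctype))
    return findings


def render_krb5_conf(cfg):
    """Produce krb5.conf text for the given services/kerberos object."""
    lines = []
    libdefaults = cfg.get("libdefaults", {}).get("properties", [])
    if libdefaults:
        lines.append("[libdefaults]")
        for prop in libdefaults:
            lines.append(f"    {prop['name']} = {prop['value']}")
        lines.append("")
    lines.append("[realms]")
    for realm in cfg["realms"]:
        lines.append(f"    {realm['name']} = {{")
        lines.append(f"        kdc = {realm['kdc']}")
        for prop in realm.get("properties", []):
            lines.append(f"        {prop['name']} = {prop['value']}")
        lines.append("    }")
    capaths = cfg.get("capaths", [])
    if capaths:
        lines.append("")
        lines.append("[capaths]")
        for path in capaths:
            lines.append(f"    {path['client_realm']} = {{")
            for hop in path["realms"]:
                lines.append(f"        {hop['server_realm']} = {hop['inter_realm']}")
            lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_krb5_conf(PAGE_STYLE_CONFIG))
    for prop, enc in weak_enctypes(PAGE_STYLE_CONFIG["libdefaults"]["properties"]):
        print(f"weak enctype {enc} listed in {prop}")
    print("hardened findings:", weak_enctypes(HARDENED_LIBDEFAULTS))
```

The rendered [realms] and [capaths] blocks use the same "REALM = { key = value }" layout krb5 expects, so the output can be compared directly against a working krb5.conf from the same domain when debugging a delegation failure.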