Securing API using Kerberos at the Message Level

Author: Chidambaram, Arun Dev

Supported Versions: 10.0 & above

Introduction

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. API Gateway can require clients to include a Kerberos token in the SOAP header of the incoming request by using the "Inbound Authentication - Message" policy action. If a native API is itself protected with Kerberos authentication at the message level, API Gateway can use the "Outbound Authentication - Message" policy action to obtain a Kerberos token and add it to the SOAP header of the outgoing request.

Prerequisite

Step 1: The KDC (Key Distribution Center) server should be configured to issue Kerberos tokens for the client users and for the service principal that API Gateway will use.
Step 2: In API Gateway, configure the KDC server details using the krb.conf file.
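Step 2 refers to the Kerberos configuration file without showing its contents. The following is an added example, not a file from the tutorial or from API Gateway. It assumes the file uses the standard krb5.conf format, takes the realm SAG.VMCHNADFS20W.COM from the user alice@SAG.VMCHNADFS20W.COM used later in this tutorial, and uses kdc.sag.vmchnadfs20w.com as a placeholder KDC host name that you must replace with your own:

```ini
[libdefaults]
    # Realm applied to principals written without one, such as the
    # service principal spartans/arundev.sag.vmchnadfs20w.com
    default_realm = SAG.VMCHNADFS20W.COM
    # Use the KDC listed below instead of DNS SRV lookups
    dns_lookup_kdc = false

[realms]
    SAG.VMCHNADFS20W.COM = {
        # Assumed host name of the KDC; replace with your own
        kdc = kdc.sag.vmchnadfs20w.com
        admin_server = kdc.sag.vmchnadfs20w.com
    }

[domain_realm]
    .sag.vmchnadfs20w.com = SAG.VMCHNADFS20W.COM
    sag.vmchnadfs20w.com = SAG.VMCHNADFS20W.COM
```

The default_realm entry is what lets the service principal in the policy actions below be written without an @REALM suffix. For Use Case 5 the client's ticket must be forwardable; that is a client-side setting (for example `kinit -f` with an MIT client), not something this file on the gateway controls.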


Step 3: Restart API Gateway
Step 4: Create an HTTPS port

NOTE

  • Install the native service package in Integration Server 10.0 or later
  • The API Gateway installation and the Integration Server hosting the native services should be separate installations
  • The native services that are used in this tutorial are given below,
    1. SOAPnativeService.employeeService:EmployeeService (For Usecase 3 and )
    2. SOAPnativeService.employeeService:EmployeeService_Kerberos
  • The API Gateway assets used in this tutorial are given below,
    1. Employee_API_Kerberos_Inb_Msg
    2. Emp_Kerb_Inb_Msg_Identify_App
    3. Employee_API_Kerberos_Out_Msg
    4. Emp_API_Kerb_Out_Incoming_HTTP
    5. Emp_API_Kerberos_Delegation

Use Case 1 - Enforce Kerberos Authentication in the API Gateway

In this use case the native API is not protected with any authentication protocol, and in API Gateway we are going to require clients to include a Kerberos token in the incoming SOAP request. API Gateway validates the incoming Kerberos token (a service ticket issued by the KDC for the configured service principal) and then authenticates the client. The user for whom the client obtained the Kerberos token must be a valid Integration Server user.

Step 1: Create an API in API Gateway with the native API's WSDL

Step 2: Configure "Require HTTP/HTTPS" policy action with the following values,
Protocol                      : HTTP, HTTPS

Step 3: Configure "Inbound Authentication - Message" policy action with the following values,
Token Assertion               : Require Kerberos Token
Service Principal Name Form   : Username
Service Principal Name        : spartans/arundev.sag.vmchnadfs20w.com
Service Principal Password    : P@ssw0rd

Step 4: Using a SOAP client, send the SOAP request to the API Gateway endpoint.
For this demo we have used Designer as the SOAP client: create a consumer Web service descriptor (WSD) from the API Gateway endpoint and run the connector with Kerberos credentials.

Use Case 2 - Enforce Kerberos Authentication in the API Gateway and Identify Application

In this use case the native API is not protected with any authentication protocol, and in API Gateway we are going to authenticate the client and authorize the application. API Gateway validates the incoming Kerberos token (a service ticket issued by the KDC for the configured service principal) and then authenticates the client. The user for whom the client obtained the Kerberos token must be a valid Integration Server user. Once the client is authenticated, API Gateway identifies the application whose identifier matches the authenticated user.

Step 1: Create an API in API Gateway with the native API's WSDL
Step 2: Create an application, associate it with the Gateway API created in Step 1, and use the following values,
Other identifiers             : Username
Values                        : alice@SAG.VMCHNADFS20W.COM

Step 3: Configure "Require HTTP/HTTPS" policy action with the following values,
Protocol                      : HTTP, HTTPS

Step 4: Configure "Identify & Authorize Application" policy action with the following values,
Identification Type           : Kerberos Token

Step 5: Configure "Inbound Authentication - Message" policy action with the following values,
Token Assertion               : Require Kerberos Token
Service Principal Name Form   : Username
Service Principal Name        : spartans/arundev.sag.vmchnadfs20w.com
Service Principal Password    : P@ssw0rd

Step 6: Using a SOAP client, send the SOAP request to the API Gateway endpoint.
For this demo we have used Designer as the SOAP client: create a consumer Web service descriptor (WSD) from the API Gateway endpoint and run the connector with Kerberos credentials.

Use Case 3 - Adding Kerberos Token in the Outbound SOAP Message

The native API is protected with a Require Kerberos Token policy; its WSDL is used to create the API in Step 1. API Gateway fetches a Kerberos token from the KDC using the configured client credentials, adds it to the SOAP header, and sends the SOAP request to the native API.

Step 1: Create an API in API Gateway with the native API's WSDL
Step 2: Configure "Outbound Authentication - Message" policy action with the following values,
Authentication Scheme         : Kerberos
Authenticate Using            : Custom Credentials
Client Principal              : alice
Client Password               : P@ssw0rd
Service Principal             : spartans/arundev.sag.vmchnadfs20w.com
Service Principal Name Form   : Username

Step 3: Using a SOAP client, send the SOAP request to the API Gateway endpoint.
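The SOAP message that Use Case 1 checks on the way in and Use Case 3 produces on the way out has a fixed wire format: the Kerberos token travels in the SOAP header as a WS-Security BinarySecurityToken whose ValueType is GSS_Kerberosv5_AP_REQ, that is, a GSS-API initial context token wrapping a KRB_AP_REQ. The following Python is an added example, not code from this tutorial or from API Gateway. It builds such an envelope and performs the framing checks an inbound policy must do before handing the token to a GSS-API acceptor. The AP-REQ is a constructed stub (a real one needs a service ticket from the KDC), and the namespace prefixes, wsu:Id value and body element are assumptions:

```python
import base64
import xml.etree.ElementTree as ET

# URIs from WS-Security 1.0 and the WS-Security Kerberos Token Profile 1.1.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
KRB_AP_REQ_VALUETYPE = ("http://docs.oasis-open.org/wss/"
                        "oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ")
BASE64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

# GSS-API InitialContextToken framing (RFC 2743 s3.1, RFC 4121 s4.1):
#   0x60 <DER length> <Kerberos V5 mech OID> <TOK_ID 01 00> <KRB_AP_REQ>
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"

# Constructed stub AP-REQ: [APPLICATION 14] SEQUENCE { pvno [0] 5, msg-type [1] 14 }.
# A real one also carries ap-options, the service ticket and the authenticator.
STUB_AP_REQ = bytes.fromhex("6e0c300aa003020105a10302010e")


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_der_length(buf: bytes, pos: int) -> tuple:
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def wrap_gss_initial_token(ap_req: bytes) -> bytes:
    """Wrap a KRB_AP_REQ in the GSS-API framing the token profile requires."""
    inner = KRB5_MECH_OID_DER + TOK_ID_AP_REQ + ap_req
    return b"\x60" + _der_length(len(inner)) + inner


def unwrap_gss_initial_token(gss: bytes) -> bytes:
    """Check the GSS framing and return the embedded KRB_AP_REQ bytes."""
    if not gss or gss[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    length, offset = _read_der_length(gss, 1)
    if offset + length != len(gss):
        raise ValueError("GSS token length does not match payload")
    body = gss[offset:]
    if not body.startswith(KRB5_MECH_OID_DER):
        raise ValueError("mechanism is not Kerberos V5")
    body = body[len(KRB5_MECH_OID_DER):]
    if body[:2] != TOK_ID_AP_REQ:
        raise ValueError("TOK_ID is not KRB_AP_REQ")
    ap_req = body[2:]
    if not ap_req or ap_req[0] != 0x6E:  # [APPLICATION 14] tag of AP-REQ
        raise ValueError("payload is not a KRB_AP_REQ")
    return ap_req


def build_soap_with_kerberos(gss_token: bytes, body_xml: str) -> str:
    """Outbound side (Use Case 3): place the token in a wsse:BinarySecurityToken."""
    token_b64 = base64.b64encode(gss_token).decode("ascii")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" soapenv:mustUnderstand="1">'
        f'<wsse:BinarySecurityToken wsu:Id="KerberosToken" '
        f'ValueType="{KRB_AP_REQ_VALUETYPE}" EncodingType="{BASE64_ENCODING}">'
        f'{token_b64}</wsse:BinarySecurityToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    )


def extract_kerberos_ap_req(envelope_xml: str) -> bytes:
    """Inbound side (Use Case 1): locate the token and vet its type and framing.

    Only framing is checked here. The returned AP-REQ must then go to a GSS-API
    acceptor holding the service principal's key, which verifies the ticket and
    authenticator and yields the client principal (e.g. alice@SAG.VMCHNADFS20W.COM).
    """
    root = ET.fromstring(envelope_xml)
    bst = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken")
    if bst is None:
        raise ValueError("no wsse:BinarySecurityToken in the SOAP header")
    if bst.get("ValueType") != KRB_AP_REQ_VALUETYPE or bst.get("EncodingType") != BASE64_ENCODING:
        raise ValueError("BinarySecurityToken is not a base64 GSS_Kerberosv5_AP_REQ")
    try:
        gss = base64.b64decode((bst.text or "").strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc
    return unwrap_gss_initial_token(gss)


def token_is_acceptable(envelope_xml: str) -> bool:
    """True if the envelope carries a well-framed Kerberos AP-REQ token."""
    try:
        extract_kerberos_ap_req(envelope_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    envelope = build_soap_with_kerberos(wrap_gss_initial_token(STUB_AP_REQ),
                                        "<emp:getEmployee xmlns:emp='urn:example'/>")
    print(envelope)
    print("framing accepted:", token_is_acceptable(envelope))
```

The framing check is the cheap part of validation and rejects anything that is not a base64-encoded, Kerberos V5, AP-REQ token before any cryptography runs. The ticket and authenticator inside the AP-REQ can only be verified with the service principal's key, which is derived from the Service Principal Password configured in the inbound policy; that credential is therefore key material and must be protected as such.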

Use Case 4 - Adding Kerberos Token in the Outbound SOAP Message Using Incoming HTTP Authentication Header

The native API is protected with a Require Kerberos Token policy; its WSDL is used to create the API in Step 1. API Gateway fetches a Kerberos token from the KDC using the username and password from the incoming HTTP Basic Authentication header, adds it to the SOAP header, and sends the SOAP request to the native API.

Step 1: Create an API in API Gateway with the native API's WSDL
Step 2: Configure "Inbound Authentication - Transport" policy action with the following values,
Require HTTP Basic Authentication : Select

Step 3: Configure "Outbound Authentication - Message" policy action with the following values,
Authentication Scheme         : Kerberos
Authenticate Using            : Incoming HTTP basic auth credentials
Service Principal             : spartans/arundev.sag.vmchnadfs20w.com
Service Principal Name Form   : Username

Step 4: Using a SOAP client, send the SOAP request to the API Gateway endpoint with an HTTP Basic Authentication header.

Use Case 5 - Kerberos Delegation

Kerberos delegation is a feature that allows an application to reuse the end user's credentials to access resources hosted on a different server. In this use case we enforce Kerberos authentication on the inbound request, then obtain a delegated Kerberos token, add it to the SOAP header, and send the SOAP request to the native API. The client obtains a delegatable Kerberos token for "alice" and sends it to API Gateway. API Gateway validates that token and, using the delegated credentials of "alice" together with the configured client principal "bob", obtains a Kerberos token for the native API's service principal.

Step 1: Create an API in API Gateway with the native API's WSDL
Step 2: Configure "Require HTTP/HTTPS" policy action with the following values,
Protocol                      : HTTP, HTTPS

Step 3: Configure "Inbound Authentication - Message" policy action with the following values,
Token Assertion               : Require Kerberos Token
Service Principal Name Form   : Username
Service Principal Name        : spartans/arundev.sag.vmchnadfs20w.com
Service Principal Password    : P@ssw0rd

Step 4: Configure "Outbound Authentication - Message" policy action with the following values,
Authentication Scheme         : Kerberos
Authenticate Using            : Delegate incoming credentials
Client Principal              : bob
Client Password               : P@ssw0rd
Service Principal             : spartans/arundev.sag.vmchnadfs20w.com
Service Principal Name Form   : Username

Step 5: Using a SOAP client, send the SOAP request to the API Gateway endpoint.
Note: Designer is not capable of requesting a delegatable Kerberos token, so you need a different SOAP client that fetches a delegatable Kerberos token, adds it to the SOAP header, and sends the SOAP request to API Gateway.