0
votes

I have set up a new WSO2 API Manager server (Version 2.6.0) and am trying to configure the server to support Kerberos, but I have a problem understanding the overall process. Our client is an Angular application running on Windows machines (Chrome or IE). In the documentation I found the sentence: The application should request a new access token by calling
curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=kerberos&kerberos_realm=<kerberos realm>&kerberos_token=<kerberos token>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

but where should this "kerberos token" come from, and how can I test it?

  • I have installed and configured the server corresponding to the documentation.
  • I have a service principal in the AD and configured the Identity provider in WSO2 API.
  • I have configured an example API which works with normal OAuth2.
  • I have activated Kerberos on the application (WSO2 API Store).

My expected result would be: the service is called, the user is authenticated and the user info is passed to the backend service, but at the moment I am stuck and cannot find a solution for how to obtain this kerberos token.


1 Answer

2
votes

Define the authorization header as X-APIM-Auth when creating the API. Build the custom handler code below, and copy the resulting jar to the following directory: /repository/components/dropins.

https://github.com/AndreaNim/kerberos-delegation-handler

You can add this custom handler to the API and add the logic below to the /repository/resources/api_templates/velocity_template.xml file.

Configure the SPN of the IIS backend service as the targetSPN property in the handler as below:

<handler class="org.wso2.apim.kerberos.handler.CustomKerberosDelegationHandler">
        <property name="targetSPN" value="<Server Principal Name>"/>
</handler>

Create a directory called “kerberos” inside the /repository/conf/security/ folder and add the following files:

  • krb5.conf
  • login.conf
  • keytab

Sample krb5.conf file:

[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM

Sample login.conf file:

KrbLogin {
 com.sun.security.auth.module.Krb5LoginModule required
 useTicketCache=false
 refreshKrb5Config=true
 doNotPrompt=true
 useKeyTab=true
 debug=true
 storeKey=true
 principal="< principal >"
 keyTab="< keytab_path >";
};

Command to create a keytab:

ktpass /out <keytab> /princ HTTP/<FQDN>@<DOMAIN NAME> /mapuser <User Name of the AD account> /pass <User Password of the Authentication Service AD account> /crypto All /ptype KRB5_NT_PRINCIPAL

Try to get the access token via the password grant type.
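As an added example (not from the question, the answer or the linked handler project): a small Java client that obtains the "kerberos token" the question asks about through the Java GSS-API and prints it base64-encoded, ready for the kerberos_token parameter of the curl call. The krb5.conf path and the SPN HTTP/apim.example.com@EXAMPLE.COM are assumed values; the JAAS configuration is built in code and uses the logged-on user's ticket cache rather than the keytab-based login.conf shown above, which belongs on the gateway.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KerberosTokenClient {
    // Assumed values (not from the question or answer): client krb5.conf path and the gateway's SPN.
    static final String KRB5_CONF = "/etc/krb5.conf";
    static final String TARGET_SPN = "HTTP/apim.example.com@EXAMPLE.COM";
    // JAAS configuration built in code: reuse the TGT from the OS logon or kinit, no keytab and no login.conf.
    static Configuration ticketCacheConfig() {
        Map<String, String> opts = Map.of("useTicketCache", "true", "doNotPrompt", "true");
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    // Log in with the cached TGT, obtain a service ticket for TARGET_SPN and wrap it in an
    // initial SPNEGO token; the base64 string is the kerberos_token value for /oauth2/token.
    static String fetchToken() throws Exception {
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        Configuration.setConfiguration(ticketCacheConfig());
        LoginContext lc = new LoginContext("KrbClient"); // entry name is arbitrary: config above ignores it
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager gss = GSSManager.getInstance();
            GSSName server = gss.createName(TARGET_SPN, GSSName.NT_USER_NAME);
            GSSContext ctx = gss.createContext(server, new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestCredDeleg(true); // only needed if the gateway must delegate the caller to the IIS backend
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return Base64.getEncoder().encodeToString(token);
        });
    }

    public static void main(String[] args) throws Exception {
        System.out.println("kerberos_token=" + fetchToken());
    }
}
```

Run it as the domain user whose ticket cache holds a TGT (after a Windows domain logon or kinit); on Windows, Java can read the LSA ticket cache only when the AllowTgtSessionKey registry setting is enabled.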