Kerberos Authentication in OPDK Apigee

Google Cloud Apigee
1

Hi guys, one of our client has a Kerberos secured backend and would like to call it through Apigee.

I have gone through these, post1 post2, and understand that we need to make some config changes in OPDK and use a Javacallout as per this repo.

  1. May I know, what are these changes exactly & how I can do them?
  2. Can I deploy the proxy given in repo, make some changes in Properties, add config files at root and use it to call our Kerberos secured backend?
  3. What kind of token does it give OAuth/JWT?

@Anil Sagar @ Google, I understand that, you did not document your recent implementation. But if you remember any other things, please mention them.

@Dino-at-Google @Timothy Murray (tcs) @timothymurraytcs @Sai Saran Vaidyanathan @AMAR DEVEGOWDA @Anil Sagar

2

@Paul Mibus - ^^

3

I don’t know the answers to all of these questions.

@Mukundha Madhavan may know.

4

  1. you need the necessary keytab files and login.conf,

  2. technically should work, but i haven’t tested this recently, @Anil Sagar @ Google might know the latest on this (for eg, how to access local files might have changed) - this callout uses GSS API, you could actually create your own callout if required

  3. this callout, verifies the incoming kerberos token and generates a new token to talk to the backend. It does not generates Oauth/JWT

Are you trying to do a) kerberos → kerberos or b) OAuth → Kerberos mediation?

If you are trying b)

easiest and recommended approach is to proxy your backend with an IIS and initiate kerberos at the IIS server

client --oauth--> Apigee --mSSL--> IIS --kerberos--> backend

If you want to do this in Apigee, then you need to use kerberos constrained delegation using the GSS API

Thanks,

5

Thanks for the info Gnanasekarann, I think it is kerberos → kerberos.

@Anil Sagar @ Google any other inputs are appreciated.

6

@JSurapaneni , Property files has to be changed in MessageProcessor to reference KDC config files.

I have done it 6 months back successfully but unable to recollect exact details now. Good news is I still have end to end setup on Google Cloud VM’s.

Let me see if i can reconstruct same once again & do a video series or post in near future. Unfortunately, No ETA.

7

I understand this is like an legacy authentication method and many people/accounts would not be interested in but, a 4MV4D video series on this topic would be great @Anil Sagar @ Google :slight_smile:

1 Like
8

Thanks Anil. Actually I have placed the configuration places under opt\apigee folder directly. so do I need to place the files under /opt/apigee/edge-message-processor? or /opt/apigee/edge-message-processor/bin?

9

What is the recommended model for supporting 3rd party plugin to enable Kerberos Constrained Delegation? I see that there is no built-in support for Kerberos and probably need to rely on 3rd party plugin? How do we verify if the plugin is secure, not prone to security vulnerabilities?

,

Does APIGEE provide support in case if the custom kerberos modules to enable constrained delegation does not work? Please let me know.