EladA603 Member since 2016 4 posts
EVO IT
Posted: 8 months ago
Last activity: 7 months 3 weeks ago

Service REST rules and Custom/Kerberos Authentication

Hi Pega Community,

I am trying to set up Kerberos authentication for my REST Service rules.

I already have a working Kerberos Authentication Service Rule + properly configured Tomcat/SPNEGO SourceForge/Web.xml for Web/Portal SSO login.

For the REST Services I did a "Save As" for my existing Authentication Service and created a new one of type "Custom" running the same activity, and configured my Service Package to "Custom" authentication and chose my new Authentication Service - "ServiceKerberos".

However, I think I might be missing something in my web.xml configuration. I configured a new servlet called "ServiceKerberos1", which is basically copied from my working (delivered) WebKerberos1 servlet. What I did change/add was these params (taken from the "WebRestService" servlet):

<init-param>
	<param-name>PegaEtierClass</param-name>
	<!--param-value>com.pega.pegarules.services.http.HTTPService</param-value-->
	<param-value>com.pega.pegarules.integration.engine.internal.services.http.HTTPService</param-value>
</init-param>
<init-param>
	<param-name>CharacterEncoding</param-name>
	<param-value>UTF-8</param-value>
</init-param>
<!-- Indicate that R-S-REST never handles static content-->
<init-param>
	<param-name>HasStaticContent</param-name>
	<param-value>false</param-value>
</init-param>

I also obviously added a new Servlet Mapping for my Servlet like so: "/PRServiceKerberos1/*"

My problem is this:

I am trying to invoke my REST service through this URL:

https://mypehahost.com/prweb/PRServiceKerberos1/mypackage/v1/myservice

I am prompted for a User/Pass and after successfully logging in I get an HTTP 500 with this exception in the log:

Caused by: com.pega.pegarules.pub.PRException: Failed to retrieve Rule-Service-HTTP instance myPackage.v1.myService using service package access group APP:APPAdmin

I am sure the user I am logging in as has this Access Group, and when I turn off "Use External Authentication" and revert the Service Package back to "Basic" authentication I can successfully invoke the service.

It's a tough one, anyone have any ideas? Is my approach correct? What am I missing?

Thanks,

Elad.
