Elad Altstein (EladA603)
EVO IT
CTO
Posted: January 31, 2020
Last activity: February 6, 2020
Closed

Service REST rules and Custom/Kerberos Authentication

Hi Pega Community,

I am trying to set up Kerberos authentication for my REST Service rules.

I already have a working Kerberos Authentication Service Rule + properly configured Tomcat/SPNEGO SourceForge/Web.xml for Web/Portal SSO login.

For the REST Services I did a "Save As" for my existing Authentication Service and created a new one of type "Custom" running the same activity, and configured my Service Package to "Custom" authentication and chose my new Authentication Service - "ServiceKerberos".

However, I think I might be missing something in my web.xml configuration. I configured a new servlet called "ServiceKerberos1", which is basically copied from my working (delivered) WebKerberos1 servlet. What I did change/add was these params (taken from the "WebRestService" servlet):

<init-param>
	<param-name>PegaEtierClass</param-name>
	<!--param-value>com.pega.pegarules.services.http.HTTPService</param-value-->
	<param-value>com.pega.pegarules.integration.engine.internal.services.http.HTTPService</param-value>
</init-param>
<init-param>
	<param-name>CharacterEncoding</param-name>
	<param-value>UTF-8</param-value>
</init-param>
<!-- Indicate that R-S-REST never handles static content-->
<init-param>
	<param-name>HasStaticContent</param-name>
	<param-value>false</param-value>
</init-param>

I also obviously added a new Servlet Mapping for my Servlet like so: "/PRServiceKerberos1/*"

My problem is this:

I am trying to invoke my REST service through this URL:

https://mypehahost.com/prweb/PRServiceKerberos1/mypackage/v1/myservice

I am prompted for a User/Pass and after successfully logging in I get an HTTP 500 with this exception in the log:

Caused by: com.pega.pegarules.pub.PRException: Failed to retrieve Rule-Service-HTTP instance myPackage.v1.myService using service package access group APP:APPAdmin

I am sure the user I am logging in with has this Access Group, and when I turn off "Use External Authentication" and revert the Service Package back to "Basic" authentication I can successfully invoke the service.

It's a tough one, anyone have any ideas? Is my approach correct? What am I missing?

Thanks,

Elad.
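
One way to check a copied servlet definition against the servlet it borrows parameters from, as an added example (not part of the original post and not Pega code): it diffs the init-params of two servlets in a web.xml and lists the candidate's URL mappings. The embedded web.xml is constructed; its servlet-class value is a placeholder, and the function names are chosen for this example.

```python
import xml.etree.ElementTree as ET

HTTP_SVC = "com.pega.pegarules.integration.engine.internal.services.http.HTTPService"
# Constructed web.xml: names, params and URL pattern come from the post; the
# servlet-class is a placeholder and HasStaticContent is left out on purpose.
SAMPLE_WEB_XML = f"""<web-app>
  <servlet>
    <servlet-name>WebRestService</servlet-name>
    <servlet-class>placeholder.ServletClass</servlet-class>
    <init-param><param-name>PegaEtierClass</param-name><param-value>{HTTP_SVC}</param-value></init-param>
    <init-param><param-name>CharacterEncoding</param-name><param-value>UTF-8</param-value></init-param>
    <init-param><param-name>HasStaticContent</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>ServiceKerberos1</servlet-name>
    <servlet-class>placeholder.ServletClass</servlet-class>
    <init-param><param-name>PegaEtierClass</param-name><param-value>{HTTP_SVC}</param-value></init-param>
    <init-param><param-name>CharacterEncoding</param-name><param-value>UTF-8</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>ServiceKerberos1</servlet-name>
    <url-pattern>/PRServiceKerberos1/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore an XML namespace prefix if present

def _text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), None)

def load_servlets(xml_text):
    """Return ({servlet: {param: value}}, {servlet: [url-pattern, ...]})."""
    params, mappings = {}, {}
    for el in ET.fromstring(xml_text):
        name = _text(el, "servlet-name")
        if _local(el.tag) == "servlet":
            params[name] = {_text(p, "param-name"): _text(p, "param-value")
                            for p in el if _local(p.tag) == "init-param"}
        elif _local(el.tag) == "servlet-mapping":
            mappings.setdefault(name, []).extend(
                (c.text or "").strip() for c in el if _local(c.tag) == "url-pattern")
    return params, mappings

def diff_servlet(xml_text, candidate, reference):
    """Compare candidate's init-params with reference's and list its mappings."""
    params, mappings = load_servlets(xml_text)
    cand, ref = params.get(candidate, {}), params.get(reference, {})
    return {"missing": sorted(ref.keys() - cand.keys()),
            "different": sorted(k for k in ref.keys() & cand.keys() if ref[k] != cand[k]),
            "extra": sorted(cand.keys() - ref.keys()),
            "url_patterns": mappings.get(candidate, [])}
```

Run against the real file with `diff_servlet(open("web.xml").read(), "ServiceKerberos1", "WebRestService")`; parameters commented out in the XML are ignored by the parser, so they show up as missing.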
