Posted: 2 Oct 2018 10:10 EDT Last activity: 20 Oct 2018 4:21 EDT
User Kerberos delegation for Connect-REST
Configuration details: (Pega7.3.1 on Tomcat7.0.59, JDK 1.7.0_161, Linux)
We need to make a Connect-REST service which requires Kerberos authentication (not a service account Kerberos credential but the SSO user's credential). We know we can configure a service account Kerberos keytab, but the requirement is to use the user-specific Kerberos credential.
Is there any way Tomcat can be configured to pick up the user's Kerberos credential dynamically based on the SSO user? In the Connect-REST rule form, it seems there is no place to configure this information.
***Edited by Moderator Marissa to update platform capability tags****
There are a couple of things outstanding with the snippet of code:
#1, the "getDelegatedCredential" method is an available API on the "net.sourceforge.spnego.SpnegoPrincipal" object; for our app, instead, we are getting an "org.apache.catalina.realm.GenericPrincipal" object;
#2, there is no API to get a delegated GSSCredential from the "GenericPrincipal" object. The only API to get a GSSCredential is "getGssCredential"; if we take this GSSCredential and use it for an HTTP connection, the Kerberos token gets destroyed immediately afterwards (i.e. the user's SSO session is invalid immediately);
Finally, even if we get the delegated credential, we have to manually extract the token and set it on the Connect-REST header in order to make a secure connection.
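To illustrate the last step in the post above, here is an added example (not code from the thread's author, Pega or Tomcat) of turning a delegated GSSCredential into the "Authorization: Negotiate <token>" value a Connect-REST call would need. It assumes the caller already holds the delegated credential, for instance via `((GenericPrincipal) request.getUserPrincipal()).getGssCredential()` as described in the post, with Tomcat's SpnegoAuthenticator left to store the delegated credential on the principal. The target SPN string, the class name and the `canInitiate` helper are my own; only the javax GSS-API and the SPNEGO/Kerberos OIDs are standard.

```java
import java.util.Base64;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Builds an outbound SPNEGO header value from a delegated GSSCredential so
 * that the downstream REST call is made as the SSO user, not as the Tomcat
 * service account. Illustration only; not Pega or Tomcat code.
 */
public final class DelegatedNegotiateHeader {

    // Standard mechanism OIDs (RFC 4178 SPNEGO, RFC 1964 Kerberos v5).
    private static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");
    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    private DelegatedNegotiateHeader() {}

    /**
     * True only if the credential can initiate a context, i.e. it carries a
     * forwarded user TGT. A keytab credential obtained for accepting SPNEGO
     * logins is accept-only and cannot be used to call onward as the user.
     */
    public static boolean canInitiate(GSSCredential cred) throws GSSException {
        if (cred == null) {
            return false;
        }
        int usage = cred.getUsage();
        return usage == GSSCredential.INITIATE_ONLY
                || usage == GSSCredential.INITIATE_AND_ACCEPT;
    }

    /**
     * @param delegated  the user's delegated credential (see canInitiate)
     * @param targetService host-based service name of the REST endpoint in
     *                   "HTTP@host.example.internal" form (placeholder; use
     *                   the SPN registered in your KDC for the endpoint)
     * @return the value to place in the HTTP Authorization header
     */
    public static String build(GSSCredential delegated, String targetService)
            throws GSSException {
        if (!canInitiate(delegated)) {
            throw new GSSException(GSSException.NO_CRED);
        }
        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName(targetService,
                GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);

        // Initiate with the *delegated* credential, not the default (service
        // account) one, so the ticket presented downstream belongs to the user.
        GSSContext ctx = manager.createContext(service, SPNEGO_MECH, delegated,
                GSSContext.DEFAULT_LIFETIME);
        try {
            // One outbound leg is enough for a Negotiate header; do not forward
            // the credential any further than this hop.
            ctx.requestMutualAuth(false);
            ctx.requestCredDeleg(false);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            if (token == null) {
                throw new GSSException(GSSException.FAILURE);
            }
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            // Release the per-call context only. The credential itself is left
            // alone so the same delegated credential can serve later calls.
            ctx.dispose();
        }
    }

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The `canInitiate` check is the useful diagnostic here: if the credential taken from the principal is accept-only or null, no delegation reached Tomcat, which points at the KDC side (the service account not trusted for delegation, or the client not forwarding a ticket) rather than at the Connect-REST rule. A fresh `GSSContext` is created and disposed per outbound call while the credential is kept, which avoids tearing down the user's credential after the first request.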