Kerberos Cluster Properties
The following cluster properties are used during Kerberos authentication.
Property | Description |
---|---|
kerberos.referral.limit | Maximum number of referrals used to discover the true realm of the user. Default: 5. Increasing the maximum number of referrals may affect performance. |
kerberos.krb5Config.overwrite | Controls whether the API Gateway overwrites an existing krb5.conf configuration file. Value is a Boolean. Default: true |
kerberos.cache.size | Maximum number of referral tickets retained in the cache. Value is an integer. A value of zero indicates no caching. A value of "-1" indicates an unlimited cache. An unlimited cache is not recommended, as this can impact API Gateway performance; use with caution. The maximum should be large enough to store the entire chain of referral tickets, because the entire chain of referral tickets is stored in the ticket cache. For example, if you intend to store 1000 user credentials in the cache and each referral chain consists of 5 tickets, then the cache size should be greater than 5000. Tickets are automatically purged when they expire, regardless of the cache size. Default: 0 |
kerberos.cache.timeToLive | Controls how long a ticket is stored in the cache. Value is an integer. This is a global setting for the cache, and each individual ticket can also have its own time-to-live value; a ticket is purged from the cache based on the earlier of these two settings. A value of zero indicates no caching. A value of "-1" indicates no time limit. Default: 0 (seconds). In addition to this cluster property, a ticket is also removed from the cache under these conditions: |
krb5.kdc | Sets the "kdc" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the KDC value. |
krb5.realm | Sets the "default_realm" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the realm. |
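The following is an added example, not code from the API Gateway product or its documentation. It takes a set of the cluster properties listed above, checks them against the constraints the table states (Boolean overwrite flag, the meaning of 0 and -1 for the cache settings, and the rule that the cache size must exceed expected credentials multiplied by the referral chain length), and renders the `default_realm` and `kdc` entries that `krb5.realm` and `krb5.kdc` control. The `check_properties` and `render_krb5_conf` function names, the `expected_credentials` and `chain_length` parameters, and the sample values are assumptions made for this example; the rendered layout is the standard MIT krb5.conf layout, not necessarily the exact file the gateway writes.

```python
"""Validate Kerberos cluster properties and render the krb5.conf fragment they imply.

Added example. Property names and the sizing rule come from the documentation
table; function names, parameters and sample values are assumptions.
"""

# Documented defaults for the properties that have one.
DEFAULTS = {
    "kerberos.referral.limit": "5",
    "kerberos.krb5Config.overwrite": "true",
    "kerberos.cache.size": "0",
    "kerberos.cache.timeToLive": "0",
}


def _as_int(props, key):
    """Read a property as an integer, falling back to its documented default."""
    return int(props.get(key, DEFAULTS[key]))


def check_properties(props, expected_credentials=None, chain_length=None):
    """Return a list of warnings for the property set; an empty list means
    every constraint stated in the documentation is satisfied.

    expected_credentials: how many user credentials the cache should hold.
    chain_length: tickets per referral chain (assumed to default to the
    referral limit, since each referral yields one more ticket).
    """
    warnings = []
    merged = {**DEFAULTS, **props}

    referral_limit = _as_int(merged, "kerberos.referral.limit")
    if referral_limit < 1:
        warnings.append("kerberos.referral.limit must be at least 1")

    overwrite = str(merged["kerberos.krb5Config.overwrite"]).lower()
    if overwrite not in ("true", "false"):
        warnings.append("kerberos.krb5Config.overwrite must be true or false")

    cache_size = _as_int(merged, "kerberos.cache.size")
    ttl = _as_int(merged, "kerberos.cache.timeToLive")
    if cache_size < -1:
        warnings.append("kerberos.cache.size must be -1, 0 or a positive integer")
    if ttl < -1:
        warnings.append("kerberos.cache.timeToLive must be -1, 0 or a positive integer")
    if cache_size == -1:
        # Documented as not recommended: an unbounded cache can hurt performance.
        warnings.append("kerberos.cache.size=-1 enables an unlimited cache, which is not recommended")
    # A zero in either setting disables caching, so a non-zero partner is ineffective.
    if cache_size == 0 and ttl != 0:
        warnings.append("caching is disabled because kerberos.cache.size is 0, so kerberos.cache.timeToLive has no effect")
    if ttl == 0 and cache_size != 0:
        warnings.append("caching is disabled because kerberos.cache.timeToLive is 0, so kerberos.cache.size has no effect")

    # Sizing rule from the documentation: size must exceed credentials x chain length.
    if expected_credentials is not None and cache_size > 0:
        per_chain = chain_length if chain_length is not None else referral_limit
        needed = expected_credentials * per_chain
        if cache_size <= needed:
            warnings.append(
                f"kerberos.cache.size={cache_size} is too small: "
                f"{expected_credentials} credentials x {per_chain} tickets per chain = {needed}, "
                f"so the cache size should be greater than {needed}"
            )
    return warnings


def render_krb5_conf(props):
    """Render the default_realm and kdc entries set by krb5.realm and krb5.kdc.

    Both properties must be present; the gateway would otherwise derive them
    from the keytab, which this example does not attempt.
    """
    realm = props["krb5.realm"]
    kdc = props["krb5.kdc"]
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc}\n"
        "    }\n"
    )


if __name__ == "__main__":
    # Constructed sample property set; EXAMPLE.COM and kdc.example.com are placeholders.
    sample = {
        "krb5.realm": "EXAMPLE.COM",
        "krb5.kdc": "kdc.example.com",
        "kerberos.cache.size": "1000",
        "kerberos.cache.timeToLive": "300",
    }
    for w in check_properties(sample, expected_credentials=1000, chain_length=5):
        print("WARNING:", w)
    print(render_krb5_conf(sample))
```

Running the block with the constructed sample reports that a cache of 1000 cannot hold 1000 credentials times 5 tickets per chain, which is exactly the worked example in the table, and prints the krb5.conf fragment with `default_realm = EXAMPLE.COM` and `kdc = kdc.example.com`.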