Question Troy Palmer · Mar 30

Web Gateway access with Kerberos

Hello,

Looking for some additional help, maybe someone who has experience with this before, in setting up and configuring the Web Gateway with Kerberos.

Have read through the documentation (at the link below) and it's a good start, but it seems there are some details missing, or that I'm not clear on.

Questions:

  • Is an external enterprise Kerberos server required, or is this set up contained within the local server?
  • Are there step-by-step instructions on what to do and configure to successfully complete this?
  • Are there config changes necessary for Apache?
  • Is there an example of what working CSP.ini and csp.keytab files would look like?

The environment is RHEL8, with 2023.1 HealthShare.

Any help much appreciated, thank you.

InterSystems Doc for Setting up Web Gateway/Kerberos:

https://docs.intersystems.com/irisforhealth20221/csp/docbook/DocBook.UI…

Product version: IRIS 2023.1
$ZV: 2023.1.0HS.1006.0.23639

Comments

DC AI Bot · May 25

For Web Gateway-to-IRIS Kerberos on UNIX/Linux, the Web Gateway acts as the Kerberos client, and you configure it with the target IRIS server’s service principal name plus a key table file. The documentation also refers to a Key Distribution Centre (KDC) as part of Kerberos, which indicates Kerberos relies on that external Kerberos infrastructure rather than being fully self-contained inside the local Web Gateway host. [1]

There is not a full step-by-step procedure in the returned material, but the documented UNIX/Linux configuration steps for the Web Gateway are:

  • Set Service Principal Name to that of the target InterSystems IRIS server the Web Gateway connects to.
  • Enter the full path to the Key Table file in the Key Table field.
  • Set Username to the name of the appropriate key in the key table file.
  • Leave Password empty.
  • The client principal name is that of the Web Gateway host; this is the name used to identify the key in the Kerberos key table, and that principal must be given the necessary privileges in InterSystems IRIS for the Web Gateway service to operate. [1][2]

You also need to choose the Web Gateway Connection Security Level for the server definition:

  • 1 = Kerberos
  • 2 = Kerberos with Packet Integrity
  • 3 = Kerberos with Encryption [3][1]

For the Web Gateway configuration file, the relevant CSP.ini server-profile parameters documented for Kerberos are:

  • Connection_Security_Level
  • Service_Principal_Name
  • Keytable
  • Username
  • Password [3]

A Kerberos-oriented server section therefore needs those fields populated consistently with the rules above; specifically, on UNIX/Linux the password should be empty, Service_Principal_Name should identify the IRIS server, Keytable should point to the keytab file, and Username should be the key name from that keytab. [3][1]

The returned documents do not provide a complete working sample of a Kerberos CSP.ini section or any sample contents for a csp.keytab file. They only document the parameters and how they must be used. [3][1]

The returned documents also do not provide any Apache-specific changes required for Kerberos in your scenario. The only Apache-related material returned is a generic example CSP.conf for routing CSP requests, not Kerberos-specific Apache configuration. [4]

One additional requirement is that the Web Gateway must be able to load the InterSystems Kerberos client library on UNIX/Linux, which is irisconnect.so. It must be installed in a location on the OS PATH or in one of these locations relative to the Web Gateway installation: ., ./bin, ../bin, or ../../bin. If it loads successfully, the Event Log shows:

Web Gateway Initialization The IRISCONNECT library is loaded - Version: 5.3.0.175.0. 

[1]

The documentation also states that if the Web Gateway cannot locate or link to the IRISCONNECT library, it writes a failure message to the Web Gateway Event Log. [1]

Based on the returned documents, the documentation covers Web Gateway-to-IRIS Kerberos authentication, but it does not document browser SSO pass-through from Apache/browser credentials into IRIS via Web Gateway. A related community thread in the results explicitly asks for that and says they could not find documentation for it. [5]

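As an added example for this thread (not code from InterSystems or from the answer above), the following POSIX shell script turns the rules listed in that answer into a pre-flight check: it reads one server profile out of CSP.ini, verifies Connection_Security_Level is 1, 2 or 3, that Service_Principal_Name and Username are set and Password is empty, that the Keytable file exists and is readable only by its owner, and it looks for irisconnect.so in the documented locations (., ./bin, ../bin, ../../bin relative to the Web Gateway install, then PATH). The [SECTION] layout of CSP.ini, the Ip_Address and TCP_Port keys, and every hostname, realm and principal name in the demo are assumptions; the CSP.ini the demo writes is constructed, not a known-working file.

```shell
#!/bin/sh
# Pre-flight check for a Kerberos server profile in the Web Gateway CSP.ini.
# Constructed example for this thread, not InterSystems code. It assumes the
# parameter names documented above (Connection_Security_Level,
# Service_Principal_Name, Keytable, Username, Password) and that each server
# profile is its own [SECTION] in CSP.ini (assumed layout). Hostnames, realm
# and principal names in demo() are made up.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], empty if absent.
ini_get() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s { insec = 1; next }
    /^\[/   { insec = 0 }
    insec && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
  ' "$1"
}

# find_irisconnect GATEWAY_DIR: print the irisconnect.so the Web Gateway could
# load (., ./bin, ../bin, ../../bin relative to the install, then the OS PATH).
find_irisconnect() {
  for d in "$1" "$1/bin" "$1/../bin" "$1/../../bin"; do
    if [ -f "$d/irisconnect.so" ]; then echo "$d/irisconnect.so"; return 0; fi
  done
  oldifs=$IFS; IFS=:
  for d in $PATH; do
    if [ -f "$d/irisconnect.so" ]; then IFS=$oldifs; echo "$d/irisconnect.so"; return 0; fi
  done
  IFS=$oldifs
  return 1
}

# check_kerberos_profile FILE SECTION: apply the rules from the answer to one
# server profile; print one line per rule and return 1 if any rule fails.
check_kerberos_profile() {
  file=$1; section=$2; rc=0
  level=$(ini_get "$file" "$section" Connection_Security_Level)
  spn=$(ini_get "$file" "$section" Service_Principal_Name)
  keytab=$(ini_get "$file" "$section" Keytable)
  user=$(ini_get "$file" "$section" Username)
  pass=$(ini_get "$file" "$section" Password)

  case "$level" in
    1) echo "ok: Connection_Security_Level=1 (Kerberos, authentication only)" ;;
    2) echo "ok: Connection_Security_Level=2 (Kerberos with packet integrity)" ;;
    3) echo "ok: Connection_Security_Level=3 (Kerberos with encryption)" ;;
    *) echo "fail: Connection_Security_Level must be 1, 2 or 3 (got '$level')"; rc=1 ;;
  esac
  if [ -n "$spn" ]; then echo "ok: Service_Principal_Name=$spn"
  else echo "fail: Service_Principal_Name must name the target IRIS server"; rc=1; fi
  if [ -n "$user" ]; then echo "ok: Username=$user"
  else echo "fail: Username must be the key name (Web Gateway principal) in the keytab"; rc=1; fi
  if [ -z "$pass" ]; then echo "ok: Password is empty"
  else echo "fail: Password must be empty on UNIX/Linux (the keytab is the credential)"; rc=1; fi
  if [ -f "$keytab" ]; then
    echo "ok: Keytable=$keytab exists"
    # The keytab holds a long-lived key: group/world access is a credential leak.
    case "$(ls -ld "$keytab" | cut -c5-10)" in
      *[rwx]*) echo "fail: $keytab is group- or world-accessible; restrict it to the gateway user"; rc=1 ;;
      *)       echo "ok: keytab permissions restricted to owner" ;;
    esac
    # Informational only: confirm the principal is in the keytab when klist is available.
    if command -v klist >/dev/null 2>&1; then
      if klist -k "$keytab" 2>/dev/null | grep -qF -- "$user"; then
        echo "ok: klist -k lists $user"
      else
        echo "warn: klist -k does not list $user in $keytab"
      fi
    fi
  else
    echo "fail: Keytable '$keytab' not found"; rc=1
  fi
  return $rc
}

# demo: write a constructed CSP.ini with one Kerberos profile and check it.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/webgateway/bin"
  : > "$tmp/webgateway/bin/irisconnect.so"   # empty stand-in for the real library
  : > "$tmp/webgateway/csp.keytab"; chmod 600 "$tmp/webgateway/csp.keytab"
  cat > "$tmp/webgateway/CSP.ini" <<EOF
[IRISKRB]
Ip_Address=iris01.example.com
TCP_Port=1972
Connection_Security_Level=3
Service_Principal_Name=iris/iris01.example.com@EXAMPLE.COM
Keytable=$tmp/webgateway/csp.keytab
Username=HTTP/webgw01.example.com@EXAMPLE.COM
Password=
EOF
  echo "irisconnect.so: $(find_irisconnect "$tmp/webgateway" || echo NOT FOUND)"
  check_kerberos_profile "$tmp/webgateway/CSP.ini" IRISKRB
  rm -rf "$tmp"
}

demo || true
```

On a real install, source the script and run `check_kerberos_profile /path/to/CSP.ini SERVERNAME` against the server section you configured; the klist step is reported as a warning rather than a failure because the script cannot tell whether the key name in the keytab is meant to match Username literally, which the documentation leaves to the administrator.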
Troy Palmer · May 28

Is it possible to provide an actual working and functional CSP.ini file that is using Kerberos access to the Web Gateway?
