Kerberos Cluster Properties

The following cluster properties are used during Kerberos authentication.

kerberos.referral.limit
Maximum number of referrals to discover the true realm of the user. Increasing the maximum number of referrals may affect performance.
Default: 5

kerberos.krb5Config.overwrite
Controls whether the Layer7 API Gateway overwrites an existing krb5.conf configuration file. Value is a Boolean.
  • true = Overwrites the krb5.conf file when updating the Kerberos configuration.
  • false = No overwrite of the krb5.conf file if the file exists.
Default: true

kerberos.cache.size
Maximum number of referral tickets retained in the cache. Value is an integer. A value of zero indicates no caching. A value of "-1" indicates an unlimited cache.
An unlimited cache is not recommended, as this can impact Layer7 API Gateway performance. Use with caution.
The maximum should be large enough to store an entire chain of referral tickets, because the entire chain is stored in the ticket cache. For example, if you intend to store 1000 user credentials in the cache and each referral chain consists of 5 tickets, then the cache size should be greater than 5000.
Tickets are automatically purged when they expire, regardless of the cache size.
Default: 0
kerberos.cache.timeToLive
Controls how long a Kerberos ticket is stored in the cache. Value is an integer. This is a global setting for the cache; each individual ticket can also have its own time-to-live value. The Gateway purges a ticket from the cache based on the earlier of these two settings. Valid values are 0 to 2147483647 seconds. A value of zero indicates no caching.
Default: 0 (seconds)
If the kerberos.cache.timeToLive property is longer than the time-to-live value for an individual ticket, then the Gateway uses a one-minute buffer. For example, a Kerberos ticket is valid for 10 hours but the cluster property specifies 20 hours. In this scenario, the Gateway removes the ticket from the cache at 9 hours, 59 minutes and then requests a new ticket.
If the kerberos.cache.timeToLive property is shorter than the time-to-live value for an individual ticket, then the ticket is removed at the precise second specified in this cluster property.
In addition to this cluster property, a ticket is also removed from the cache under these conditions:
  • The ticket has expired (its time-to-live setting is shorter than the cluster property).
  • The Kerberos caching properties have been updated.
  • The Gateway is restarted.
  • When a single ticket from the referral chain is purged from the cache, the entire chain is also removed.
The Gateway no longer permits a value of '-1' to indicate an unlimited cache period.
  • If '-1' is added using the REST Management API, the Gateway logs a warning and uses the default value instead ("0").
  • If '-1' is migrated in using the Gateway Migration Utility, the Gateway logs a warning and uses the default value instead ("0").
  • If you upgrade from Gateway version 9.3 or earlier and this cluster property is set to '-1', then the Gateway converts this value to 2147483647 seconds after the upgrade is complete.
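The purge rules and the '-1' handling above interact in ways that are easy to misjudge when sizing a cache. The following Python snippet is an added illustration, not Gateway code: it models the documented rules so the effective purge time for a given cluster TTL and ticket lifetime, and the value the Gateway would adopt for a submitted '-1', can be checked on concrete numbers. The source names ("rest", "migration", "upgrade_pre_9.4") and the treatment of a cluster TTL exactly equal to the ticket lifetime are assumptions made for the example.

```python
"""Model of the documented kerberos.cache.timeToLive purge rules.

Added example, not Gateway code. It reproduces the rules stated in the
property description so that the cluster-wide TTL and each ticket's own
lifetime can be checked against concrete values.
"""

MAX_TTL_SECONDS = 2147483647      # documented upper bound of the property
DEFAULT_TTL_SECONDS = 0           # documented default ("0" = no caching)
BUFFER_SECONDS = 60               # one-minute buffer used when the cluster
                                  # TTL exceeds the ticket lifetime


def normalize_ttl(raw_value, source):
    """Return (effective_seconds, warning_or_None) for a submitted value.

    `source` is an assumed label for the three ingestion paths the
    documentation distinguishes for '-1': "rest" (REST Management API),
    "migration" (Gateway Migration Utility) and "upgrade_pre_9.4"
    (upgrade from a 9.3-or-earlier Gateway).
    """
    value = int(raw_value)
    if value == -1:
        if source == "upgrade_pre_9.4":
            # Upgrade path: '-1' is converted to the maximum permitted value.
            return MAX_TTL_SECONDS, None
        # REST API and Migration Utility: log a warning and use the default.
        return DEFAULT_TTL_SECONDS, "'-1' is no longer permitted; using default 0"
    if not 0 <= value <= MAX_TTL_SECONDS:
        raise ValueError(f"kerberos.cache.timeToLive out of range: {value}")
    return value, None


def cache_purge_after(cluster_ttl, ticket_ttl):
    """Seconds after caching at which the ticket is dropped from the cache.

    Returns None when caching is disabled (cluster TTL of zero).
    - cluster TTL longer than the ticket lifetime: the ticket lifetime minus
      a one-minute buffer, after which a fresh ticket is requested.
    - cluster TTL shorter than the ticket lifetime: the precise cluster TTL.
    - equal values are not covered by the description; treated here as the
      precise cluster TTL (assumption).
    """
    if cluster_ttl == 0:
        return None
    if cluster_ttl > ticket_ttl:
        # Never return a negative time for tickets shorter than the buffer.
        return max(ticket_ttl - BUFFER_SECONDS, 0)
    return cluster_ttl


if __name__ == "__main__":
    # Worked case from the description: 10-hour ticket, 20-hour property.
    print(cache_purge_after(20 * 3600, 10 * 3600))   # 35940 seconds = 9h59m
    print(normalize_ttl("-1", "rest"))
```

Running the module prints the 9-hour-59-minute result from the description (35940 seconds) and shows a REST-submitted '-1' collapsing to the default of 0, which means no caching at all rather than an unlimited cache.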
krb5.kdc
Sets the "kdc" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the KDC value.

krb5.realm
Sets the "default_realm" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the realm.
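To make concrete where krb5.realm and krb5.kdc end up in krb5.conf, and how kerberos.krb5Config.overwrite governs an existing file, here is an added Python example. It is not the Gateway's own configuration writer: it renders the two documented keys into the standard krb5.conf layout ([libdefaults] default_realm and a [realms] entry with kdc) and preserves an existing file when overwrite is false. The realm and KDC host names are constructed placeholders.

```python
"""Render a minimal krb5.conf from the krb5.realm / krb5.kdc properties.

Added example, not Gateway code. Shows the krb5.conf keys the two cluster
properties map to, and mirrors kerberos.krb5Config.overwrite when deciding
whether an existing file is replaced. Values used are constructed.
"""
import os


def render_krb5_conf(realm, kdc):
    """Return krb5.conf text with default_realm and the realm's kdc set."""
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc}\n"
        "    }\n"
    )


def write_krb5_conf(path, realm, kdc, overwrite=True):
    """Write krb5.conf; return True if written, False if left untouched.

    overwrite=False corresponds to kerberos.krb5Config.overwrite=false: an
    existing file is kept as-is. When no file exists the configuration is
    written regardless of the flag.
    """
    if os.path.exists(path) and not overwrite:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_krb5_conf(realm, kdc))
    return True


if __name__ == "__main__":
    # Constructed placeholder values standing in for krb5.realm / krb5.kdc.
    print(render_krb5_conf("EXAMPLE.COM", "kdc.example.com"))
```

With overwrite left at its default of true, a change to either property replaces the whole file, so any hand-edited realm or KDC entries in an existing krb5.conf are lost; setting the property to false keeps the file but also means the Gateway's new values are not applied until the file is removed.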