Author |
Message
|
arcgang |
Posted: Wed Jun 22, 2011 9:25 am Post subject: WMB 7.0 with Tivoli Directory Server - LDAP |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
Hi,
I am trying to have WS-Security with the SOAP node(s) of WMB. I have set up the Tivoli Directory Server LDAP and have created the security profile (SP). I have also associated the SP and the provider policy binding etc in the bar file. I have followed the steps per the following link :
http://www.ibm.com/developerworks/websphere/library/techarticles/1008_fan/1008_fan.html?ca=drs-
Issue: When I test with the wsse credentials in the soap-header the credentials have no effect. Irrespective of username/pwd, the webservice always returns successful response. I have enabled service trace and am not able to see WMB bind with LDAP as well.
Can anyone throw some light on this? Is there any specific way I can verify that the WMB-LDAP connectivity is in place? |
|
lancelotlinc |
Posted: Wed Jun 22, 2011 9:51 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
You may like to post your config: version/support pak level. Post the flow sequence, I assume your flow starts with SOAPInput? Post a screenshot of the client, so we can see if you are using http or https. More information would help us help you. Also, does the client successfully authenticate the server? Post the WMB key signature from the keystore. |
|
fjb_saper |
Posted: Wed Jun 22, 2011 9:54 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Can you use LDAP from the environment of the broker's service user?
Did you bounce the broker since?
If you can't use LDAP from the broker's service user what makes you think the broker could use it?  _________________ MQ & Broker admin |
|
arcgang |
Posted: Wed Jun 22, 2011 10:41 am Post subject: |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
|
arcgang |
Posted: Wed Jun 22, 2011 10:46 am Post subject: |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
Except for one the image links are not showing up in the post. The Img tags are not working. Kindly click on the links to view the images. |
|
fjb_saper |
Posted: Wed Jun 22, 2011 10:50 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
If the broker is to use LDAP (and run under LDAP) have you verified whether you need to run the mqsichangebroker command with the ldap flags? _________________ MQ & Broker admin |
|
lancelotlinc |
Posted: Wed Jun 22, 2011 10:52 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
|
mqjeff |
Posted: Wed Jun 22, 2011 10:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
lancelotlinc wrote: |
Endpoint URL is HTTP not HTTPS. Therefore, no login is taking place. |
I'm not sure I agree with your police work there.
The login is being handled by passing a WS-Security token in the SOAP content, not by validating the client side certificate. |
|
lancelotlinc |
Posted: Wed Jun 22, 2011 11:02 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
mqjeff wrote: |
lancelotlinc wrote: |
Endpoint URL is HTTP not HTTPS. Therefore, no login is taking place. |
I'm not sure I agree with your police work there.
The login is being handled by passing a WS-Security token in the SOAP content, not by validating the client side certificate. |
You may be correct. I think I would need to tinker with it to check it for sure. |
|
arcgang |
Posted: Wed Jun 22, 2011 11:04 am Post subject: |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
@fjb_saper
No, I have not used the mqsichangebroker command with ldap flags. Is it really necessary?
Do you have a sample depicting the setting of the flags LDAPPrincipal and LDAPCredentials?
Thanks |
|
arcgang |
Posted: Wed Jun 22, 2011 11:09 am Post subject: |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
Btw, I have the checkbox "Allow anonymous connections" checked under TDS - Server Administration->Manager Server connections |
|
mqjeff |
Posted: Wed Jun 22, 2011 11:16 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
arcgang wrote: |
Btw, I have the checkbox "Allow anonymous connections" checked under TDS - Server Administration->Manager Server connections |
So maybe you should disable that and see what happens. |
|
arcgang |
Posted: Wed Jun 22, 2011 1:32 pm Post subject: |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
@mqjeff - Switching it off does not help.
I wonder if there would be bind information written to a log to indicate that the WMB - LDAP connection is established. |
|
mqjeff |
Posted: Wed Jun 22, 2011 1:46 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Certainly there would be information in a Broker service trace, but it might be a bit ... confusing... to try and read that.
I would hope that Tivoli LDAP would make it relatively easy to log authentication requests and determine if they have occurred or what has gone wrong - but I've not used this program. |
|
arcgang |
Posted: Wed Jun 22, 2011 3:35 pm Post subject: |
|
|
Novice
Joined: 02 May 2007 Posts: 16
|
|
|
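A negative test for the symptom reported in this thread (any username/password is accepted) and for the point that the credentials travel as a WS-Security token in the SOAP header, added here as an example that is not part of any post. The two stub endpoints, the `DIRECTORY` credentials and all function names are constructed for illustration; against a real flow, `send` would be a function that POSTs the envelope to the SOAPInput URL.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DIRECTORY = {"alice": "s3cret"}  # constructed stand-in for the LDAP directory

def build_envelope(username, password):
    """SOAP 1.1 request carrying a WS-Security UsernameToken in its header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password").text = password
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")

def _reply(fault):
    inner = ("<s:Fault><faultcode>s:Client</faultcode>"
             "<faultstring>denied</faultstring></s:Fault>") if fault else "<ok/>"
    return f'<s:Envelope xmlns:s="{SOAP}"><s:Body>{inner}</s:Body></s:Envelope>'

def open_endpoint(envelope):
    """Constructed stub that ignores the token: the behaviour reported above."""
    return _reply(False)

def enforcing_endpoint(envelope):
    """Constructed stub that checks the token against DIRECTORY."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    user = tok.findtext(f"{{{WSSE}}}Username")
    pwd = tok.findtext(f"{{{WSSE}}}Password")
    return _reply(DIRECTORY.get(user) != pwd)

def is_fault(response_xml):
    body = ET.fromstring(response_xml).find(f"{{{SOAP}}}Body")
    return body is not None and body.find(f"{{{SOAP}}}Fault") is not None

def auth_is_enforced(send, good, bad_cases):
    """send(envelope_xml) -> response_xml. Returns (ok, list of findings)."""
    findings = []
    if is_fault(send(build_envelope(*good))):
        findings.append("valid credentials were rejected")
    for label, (user, pwd) in bad_cases.items():
        if not is_fault(send(build_envelope(user, pwd))):
            findings.append(f"{label}: request accepted")
    return (not findings, findings)

GOOD = ("alice", "s3cret")
BAD = {"wrong password": ("alice", "wrong"), "unknown user": ("nobody", "x"),
       "empty password": ("alice", "")}
```

Every bad-credential case must come back as a SOAP Fault; a run where all of them are accepted shows that the security profile is not being applied to the flow at all, which is a different problem from a failing LDAP bind.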