pradheep86 |
Posted: Tue Jan 21, 2014 10:31 pm Post subject: Broker as Kerberos Client |
|
|
Newbie
Joined: 20 Jan 2014 Posts: 2
|
The requirement is to send an XML file from Broker using HTTP to a target web application secured by Integrated Windows Authentication using Kerberos.
Version of Broker used: V8.0
Broker OS: AIX
Target Application OS: Windows Server 2008
The WMB infocenter says that Kerberos-based WS-Security is supported only through SOAP nodes. Using a SOAP Request node in Gateway mode creates a SOAP envelope, which is not desirable as the target application is not expecting a SOAP message.
I believe Broker contacts the KDC to get the token and sends it to the target application for authentication.
Will the SOAP envelope be removed automatically when the message is finally sent to the target web application? I am yet to test this but need some confirmation on the approach.
Is there any other way to implement this functionality if the above will not work? |
|
mgk |
Posted: Wed Jan 22, 2014 4:52 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
If you are using Integrated Windows Authentication (IWA), where the Kerberos ticket is sent as an HTTP header, then you should know that this is not supported in Version 8. In V8 the Kerberos support is not IWA based, but rather it uses the SOAP-based WS-Security. To use IWA you need to use V9 FP1 and open a PMR to request the newly released APAR "IC98376" to get the IWA function, which includes updates to support NTLM as well as Kerberos IWA. However, outbound IWA support is currently only available for Windows, so your Broker would need to be on a Windows box. Therefore, you can raise a requirement for Kerberos-based IWA on AIX in a future release. Alternatives to this include changing the service to use WS-Security rather than IWA or using a JCN to embed an existing IWA HTTP client. For the benefit of other readers, I should point out that the APAR above does include inbound Kerberos IWA for other platforms such as AIX, but unfortunately that does not help you here.
Kind regards, _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
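The "embed an existing IWA HTTP client" alternative mentioned in the post above can be sketched with the JDK's own JGSS classes. This is an added example, not code from the thread or from IBM: the class and method names are hypothetical, it assumes Java 8 or later, a JVM already configured with Kerberos credentials, and a service principal of the form HTTP/host for the target server.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.ietf.jgss.*;

public class SpnegoXmlPost {
    // SPNEGO mechanism OID, the wrapper IWA uses around the Kerberos ticket.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Builds the Authorization header value for the HTTP service on `host`.
    // Assumes the JVM can already obtain Kerberos credentials (krb5 config plus
    // a JAAS login entry or ticket cache, e.g. with
    // -Djavax.security.auth.useSubjectCredsOnly=false so JGSS may acquire them).
    static String negotiateHeader(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                service, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestCredDeleg(false); // never forward the broker's TGT to the web server
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    // Sends the XML body as-is (no SOAP envelope) and returns the HTTP status.
    // The server's reply token is not processed, so server identity rests on TLS:
    // use an https:// URL.
    static int postXml(URL url, byte[] xml) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/xml; charset=UTF-8");
        conn.setRequestProperty("Authorization", negotiateHeader(url.getHost()));
        try (OutputStream out = conn.getOutputStream()) {
            out.write(xml);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        byte[] xml = "<order id=\"1\"/>".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println(postXml(new URL(args[0]), xml));
    }
}
```

A 401 response here usually means the host name in the URL does not match the service principal registered for the web application, or that the server fell back to NTLM, which this client does not speak.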
|
pradheep86 |
Posted: Wed Jan 22, 2014 11:53 pm Post subject: |
|
|
Newbie
Joined: 20 Jan 2014 Posts: 2
|
@MGK, thanks for your reply. Please provide some more details on how to implement the option 'use a JCN to embed an existing IWA http client' you suggested. The other option I have in mind is to implement Basic Authentication, which will have only minimal changes in the target application, if the above option involves more steps. |
|
mgk |
Posted: Thu Jan 23, 2014 2:30 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
If you can change the server then that will be the simplest way. You could configure the server to use WS-Sec with Kerberos (message level security) or Basic Auth over SSL. Either will be simpler than the JCN approach.
Kind regards, _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
|
happyj |
Posted: Fri Feb 21, 2014 1:46 am Post subject: |
|
|
Voyager
Joined: 07 Feb 2005 Posts: 87
|
mgk
Are you able to share anything on future enhancements to Broker V9 in this area?
I would be very interested in being able to call an IWA web service from a unix server - it may even help get an upgrade project!
J |
|
mgk |
Posted: Fri Feb 21, 2014 3:05 am Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
Hello.
I have no further update over the above. If you need outbound IWA support for unix, you will need to raise a requirement, or use a Windows Broker instead. Out of interest, is the service secured with NTLM or Kerberos?
Kind regards, _________________ MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions. |
|