IBM Integration Bus How to propagate SOAP headers to Securit
p939276
Posted: Thu Dec 17, 2015 11:45 pm    Post subject: IBM Integration Bus How to propagate SOAP headers to Securit

Novice

Joined: 17 Dec 2015
Posts: 10

I am working with IBM Integration Bus v10 for an ESB implementation project, and we are now defining the security model.

We have created a security flow and exposed it as a WS-Trust v1.3 STS security profile, and associated it with all business flows together with policy sets and bindings. The security flow is correctly invoked every time a message arrives at a business flow's SOAPInput node.

Now, we would like to have access to some of the SOAP header fields the consumers are sending to the business flows, but within the security flow. We have some custom headers that are important during the authentication process, beyond the username and password in the standard WS-Security header. As it is the product that sends the SOAP message to the security flow before executing the business flow itself, we cannot intercept the message to propagate the headers.

How can we solve this? We have also tried a PEP node in the business flow and played with the issuerBy field, but with no luck.

Thanks in advance.
mqjeff
Posted: Fri Dec 18, 2015 5:56 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Consumers don't send messages.

They consume them.

All of the incoming SOAP headers should be available to a message flow driven off of a SOAPInput node.

You may need to use the node in Gateway mode if you want to process it before the WS-Security policies have acted on it.
_________________
chmod -R ugo-wx /
p939276
Posted: Sat Dec 26, 2015 7:12 am

Novice

Joined: 17 Dec 2015
Posts: 10

Thanks @mqjeff.

Maybe I've explained myself wrong.
Other applications call SOAP services published by our ESB, including WS-Security headers and some other custom SOAP Headers.

Messages are received by a SOAPInput node and, as it has a policy set and a WS-Trust v1.3 security profile configured, it automatically invokes the WS-Trust flow with the already parsed WS-Security header (let's say, username and password).
However, the message that arrives at the WS-Trust flow is not the same one that the SOAP service received, but a WS-Trust RequestSecurityToken message, where the custom SOAP headers sent by the client are no longer available.

The question is how to propagate those custom SOAP headers to the message sent by IIB to the WS-Trust security flow.

Thanks!
smdavies99
Posted: Sat Dec 26, 2015 9:04 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

Perhaps you might like to look at running the first SOAPInput Node in gateway mode.

The headers are there in your message tree; perhaps you are not copying/reformatting them properly. Put some trace nodes (pattern set to ${Root}) in the flow and take a user trace. This may help you get to the bottom of the problem.

Don't forget to obfuscate any IP addresses/names etc. in any output you might put here.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
p939276
Posted: Sat Dec 26, 2015 11:36 am

Novice

Joined: 17 Dec 2015
Posts: 10

Hi @smdavies99,

Thanks for your response.
The security flow that I use as a WS-Trust v1.3 compliant profile is configured in gateway mode.
The business services (the ones that are actually called by the clients) are not, because we'd like to make use of the message validation capabilities, and some of them are actually Integration Services.

I think it's not a real problem, but a missing option when configuring security profiles. IIB lets you indicate which security profile applies to a certain service, but it doesn't give you anything to indicate which information from the original message you would like to propagate to the WS-Trust message.
I hoped the Environment tree would be propagated, but it isn't, even when using a PEP node as the security point instead of a SOAPInput node.

Maybe the question would be: how to intercept the automatic messages sent by IIB to a security profile and add some more information to them from the message context "just-in-time".

Thanks!
fjb_saper
Posted: Sat Dec 26, 2015 9:41 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

As an alternative you could always remove the relevant field from the security part of the header and just add it to the SOAP header, or just copy that field to the standard SOAP header, just not in the security part of it.
It should then be carried over...
Hope that helps some
_________________
MQ & Broker admin
p939276
Posted: Mon Dec 28, 2015 9:19 am

Novice

Joined: 17 Dec 2015
Posts: 10

Thanks @fjb_saper, but it is still not what I want to achieve.

My messages have the WS-Security header (wsse:Security) and a custom header (let's say, tns:myCustomHeader), both inside the SOAP Header tag in the SOAP Envelope.

If a security profile is configured, the WS-Security header is analyzed by my policy set, extracted and sent automatically to the WS-Trust flow specified by my security profile. That flow is where I cannot access the information in the custom header, because IIB doesn't propagate it.

The only solution I can imagine is to store the full message in the Global Cache or something like that with a key identifying the message, send that key somehow to the security flow, and from there query the Global Cache to access the full message.

Can you imagine any other better solution?

Thanks in advance!
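The workaround p939276 outlines above (stash the message under a key, look it up from the security flow), modelled in Python as an added example; it is not code from the thread or from IIB. Assumptions: the stash runs in a node ahead of the point that calls the STS, the UsernameToken with its Nonce and Created reaches the security flow unchanged inside the RequestSecurityToken, and `HeaderCache` is a hypothetical stand-in for the Global Cache.

```python
import hashlib, hmac, time
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
SECRET = b"constructed-demo-secret"  # placeholder; a real key comes from protected config

def correlation_key(xml_text):
    """Per-request key from the UsernameToken, the part both flows are assumed to see."""
    tok = ET.fromstring(xml_text).find(f".//{WSSE}UsernameToken")
    names = (WSSE + "Username", WSSE + "Nonce", WSU + "Created")
    parts = [tok.findtext(n) for n in names] if tok is not None else [None]
    if not all(parts):  # without Nonce/Created two requests by one user would collide
        raise ValueError("need Username, Nonce and Created for a per-request key")
    return hmac.new(SECRET, "\n".join(parts).encode(), hashlib.sha256).hexdigest()

class HeaderCache:
    """Hypothetical stand-in for the Global Cache: short-lived, read-once entries."""
    def __init__(self, ttl=30.0, clock=time.monotonic):
        self._entries, self._ttl, self._clock = {}, ttl, clock
    def put(self, key, blocks):
        live = self._entries.get(key)
        if live and self._clock() < live[0]:
            raise KeyError("key already pending: replayed or duplicated token")
        self._entries[key] = (self._clock() + self._ttl, blocks)
    def take(self, key):
        expires, blocks = self._entries.pop(key, (0.0, None))
        return blocks if self._clock() < expires else None

def stash_headers(envelope_xml, cache):
    """Before the STS call: store every header block except wsse:Security."""
    children = ET.fromstring(envelope_xml).iterfind(SOAP + "Header/*")
    blocks = [ET.tostring(h, encoding="unicode") for h in children if h.tag != WSSE + "Security"]
    cache.put(correlation_key(envelope_xml), blocks)

def headers_for_sts_request(rst_xml, cache):
    """In the security flow: fetch the stashed headers, or None (deny) if absent."""
    return cache.take(correlation_key(rst_xml))

# Constructed sample messages (not captured from a broker).
TOKEN = ('<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s"><wsse:Username>alice</wsse:Username>'
         '<wsse:Nonce>bm9uY2UtMDAx</wsse:Nonce><wsu:Created>2015-12-28T09:19:00Z</wsu:Created>'
         '</wsse:UsernameToken>' % (WSSE[1:-1], WSU[1:-1]))
REQUEST = ('<e:Envelope xmlns:e="%s" xmlns:tns="urn:example:constructed"><e:Header>'
           '<wsse:Security xmlns:wsse="%s">%s</wsse:Security><tns:myCustomHeader>branch-42'
           '</tns:myCustomHeader></e:Header><e:Body/></e:Envelope>' % (SOAP[1:-1], WSSE[1:-1], TOKEN))
RST = ('<e:Envelope xmlns:e="%s" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><e:Header/>'
       '<e:Body><wst:RequestSecurityToken><wst:ValidateTarget>%s</wst:ValidateTarget>'
       '</wst:RequestSecurityToken></e:Body></e:Envelope>' % (SOAP[1:-1], TOKEN))
```

Because the stashed headers feed an authentication decision, entries are single-use and expire quickly, a missing entry is treated as a denial, and the key is an HMAC so cache keys do not expose usernames.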
smdavies99
Posted: Mon Dec 28, 2015 11:23 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

How exactly are you trying to propagate the header?
Have you taken a user trace of the flow when it tries to process a message?
Have you put trace nodes into your flow so that you can look at the complete message tree?
How have you tried to diagnose and rectify the problem?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
p939276
Posted: Mon Dec 28, 2015 1:28 pm

Novice

Joined: 17 Dec 2015
Posts: 10

Hi @smdavies99,

I have put trace nodes to see the complete message. If I don't configure the security profile linked to a WS-Trust v1.3 compliant flow, the message sent by the client contains both the WS-Security SOAP Header and our company custom SOAP Header, both inside the soapenv:Header tag.

When I configure the security profile, the message arriving at my security flow has an empty SOAP Header, and a body including a RequestSecurityToken element, with the details of the issuer, appliesTo and validateTarget (extracted by IIB from the original message's WS-Security header).

The empty header of the security message is what I would like to be populated with all the other SOAP headers in the original message.

I need either an option in IIB when configuring security, which seems not to be implemented yet, or any other workaround to resolve the scenario (access the original message from a security flow).
fjb_saper
Posted: Mon Dec 28, 2015 6:13 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Open a PMR.
_________________
MQ & Broker admin
p939276
Posted: Thu Dec 31, 2015 7:59 am

Novice

Joined: 17 Dec 2015
Posts: 10

Sorry for asking but, what is a PMR? A question directly to IBM?

Thanks in advance.
smdavies99
Posted: Thu Dec 31, 2015 8:10 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

p939276 wrote:
Sorry for asking but, what is a PMR? A question directly to IBM?

Thanks in advance.


Did you not think to query the IBM web site for the letters PMR?

If you did then you would have found this
http://www-01.ibm.com/support/docview.wss?uid=swg21507639

You will need your organisation's IBM ID to submit one.

Give the URL of this thread as part of the details you supply to them.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
p939276
Posted: Thu Dec 31, 2015 8:15 am

Novice

Joined: 17 Dec 2015
Posts: 10

Great, I'll do that.

Thanks everybody for your help, and have a happy new year!