| Author |
Message
|
| paustin_ours |
 Posted: Fri Oct 07, 2016 9:12 am Post subject: security profile for basic auth |
 |
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
I am looking into setting up basic-auth authentication for my incoming http requests.
i see i can set up security profile in my httpinput node and set up config service and set db parms to create a user ID and password.
does this then authenticate the userID and password i am sending in my http request that i send to the httpinput node? doesnt look like it.
how is the authentication happening, can you please share your thoughts? |
|
| Back to top |
|
 |
| Vitor |
| Posted: Fri Oct 07, 2016 9:48 am Post subject: Re: security profile for basic auth |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| paustin_ours wrote: |
| how is the authentication happening, can you please share your thoughts? |
My thoughts are you should try looking in the product documentation. You would have noticed the section entitled "Authenticating incoming requests with LDAP".
I don't see how it could have been more clearly named for your situation.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Fri Oct 07, 2016 9:57 am Post subject: Re: security profile for basic auth |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
| paustin_ours wrote: |
I am looking into setting up basic-auth authentication for my incoming http requests.
i see i can set up security profile in my httpinput node and set up config service and set db parms to create a user ID and password.
does this then authenticate the userID and password i am sending in my http request that i send to the httpinput node? doesnt look like it.
how is the authentication happening, can you please share your thoughts? |
you have been around long enough to know that trying things first and then coming back with the bits you don't understand is the best course of action.
Have you put a tool like Wireshark into use to come up with the 'doesn't look like it?' point?
What do you see? It would be strange indeed to see the username/password sent in clear over the connection.
All I can say to your problem is that Magic sometimes happens.
It would probably need an IIB dev/designer/architect to explain the details.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| paustin_ours |
| Posted: Fri Oct 07, 2016 12:17 pm Post subject: |
|
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
| Quote: |
| you have been around long enough to know that trying things first and then coming back with the bits you don't understand is the best course of action. |
point taken. Will try a few things and get back to you guys. |
|
| Back to top |
|
|
| paustin_ours |
| Posted: Tue Oct 11, 2016 6:49 pm Post subject: |
|
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
this is what i have
HttpInput node --->compute--> httprequest -->httpreply
i have created a security profile for basic auth using the below commands
| Code: |
mqsicreateconfigurableservice TESTNODE -c SecurityProfiles -o testProfile -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,securityIDName"
mqsisetdbparms TESTNODE -n securityIDName -u test -p test |
this is doing so that i can use this for basic auth.
now there is no option in the http request node to set the profile name to use.
i did see this below link
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bp19260_.htm
| Quote: |
To enable basic authentication, select an appropriate security profile for the output node or the message flow in the BAR file editor. The credentials are picked up from the following Properties tree locations if set:
Properties.IdentityMappedType
Properties.IdentityMappedToken
Properties.IdentityMappedPassword
If the mapped identity fields are not set, the credentials are picked up from the following Properties tree locations:
Properties.IdentitySourceType
Properties.IdentitySourceToken
Properties.IdentitySourcePassword
For basic authentication both a username and password are required, therefore the appropriate Type field must be set to the string usernameAndPassword. For example:
SET OutputRoot.Properties.IdentitySourceType='usernameAndPassword';
SET OutputRoot.Properties.IdentitySourceToken = 'myUser';
SET OutputRoot.Properties.IdentitySourcePassword = 'myPassw0rd';
SET OutputRoot.Properties.IdentitySourceIssuedBy = 'myDomain'; |
where do i set the security profile information in the above? Each of those stanzas have a line for password. Isnt the whole idea of creating a security profile so that i dont have to pass the password in clear text in the esql code?
Also i saw some examples online where there is a cast statement for base64 of the username:password. who puts password in clear text in the code?
anyways, i am kinda stuck in not knowing how to link the security profile to the http request. Please advise. thanks |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 12, 2016 4:40 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| paustin_ours wrote: |
| anyways, i am kinda stuck in not knowing how to link the security profile to the http request. Please advise. thanks |
Still not having much luck with the Knowledge Center search function eh?
The article Invoking message flow security using a security enabled input node is the third hit I get searching for "linking security profile with HTTP Input". This contains a useful diagram and the following text:
| Quote: |
| You can create security profiles by using the mqsicreateconfigurableservice command. You then use the BAR editor to configure the security profile on either an individual node or the whole message flow. |
 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 12, 2016 4:44 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Does that help with the HTTPRequest node which is the question being asked?
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 12, 2016 4:50 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
Does that help with the HTTPRequest node which is the question being asked?
|
Clearly having a lot of trouble with language lately. I saw this:
| paustin_ours wrote: |
I am looking into setting up basic-auth authentication for my incoming http requests.
i see i can set up security profile in my httpinput node and set up config service and set db parms to create a user ID and password.
does this then authenticate the userID and password |
and thought the question was about authenticating the basic auth user id and password on the incoming requests going through the HTTPInput node so that only authenticated basic auth user id and passwords would be propogated to the subsequent HTTPRequest.
English. Trickier than you think.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 12, 2016 4:59 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Vitor wrote: |
| mqjeff wrote: |
Does that help with the HTTPRequest node which is the question being asked?
|
Clearly having a lot of trouble with language lately. |
I blame the coffee.
Isn't basic-auth covered by the default security profile?
_________________
chmod -R ugo-wx / |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Oct 12, 2016 5:27 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mqjeff wrote: |
Isn't basic-auth covered by the default security profile? |
You still have to assign it on the bar file, and paustin_ours did not say that he did assign it there...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 12, 2016 5:38 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| fjb_saper wrote: |
| mqjeff wrote: |
Isn't basic-auth covered by the default security profile? |
You still have to assign it on the bar file, and paustin_ours did not say that he did assign it there... |
You also need to tie in the LDAP if you want to authenticate the credentials. The default profile extracts & propagates them.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| paustin_ours |
| Posted: Wed Oct 12, 2016 6:18 am Post subject: |
|
|
Yatiri
Joined: 19 May 2004
Posts: 667
Location: columbus,oh
|
assigning the profile to the BAR file was it. It worked after i did that. thanks all. I did read that before but i was too egoistic to believe that is all that is needed.
| Quote: |
| You also need to tie in the LDAP if you want to authenticate the credentials. The default profile extracts & propagates them. |
why would i need this if i make the httprequest using the profile[id/password] that i created?
My understansing thus far is this. To Authenticate incoming http requests, I create a security profile and associate it with the httpinput node. I do see i need LDAP to authenticate incoming basic auth ID/password. Will i then need a security profile that retrieves the ID of the incoming message and then uses it for LDAP auth. This security profile is different from the one used above in the sense it wont have a user ID password? I need to read more about this. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 12, 2016 6:24 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| paustin_ours wrote: |
| i was too egoistic to believe that is all that is needed. |
It's hard to see problems with your ego standing in front of you. But having bravely recognized your failing, you can take action and turn back from the path of egoistic blindness, which leads only to a job as management.
| paustin_ours wrote: |
| I need to read more about this. |
And perform more experiments, even if your ego claims they're stupid.
Worse case, your experiment will confirm that the selected method doesn't work....
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
|
|
