WS-Security but no LDAP or TFIM
goffinf (Chevalier; joined 05 Nov 2005; 401 posts)
Posted: Wed Mar 07, 2012 4:33 pm    Post subject: WS-Security but no LDAP or TFIM
Broker version: 7 or 8
Having looked through loads of posts here on the subject of WS-Security, I still can't find a definitive answer. So ...
Are there any options other than LDAP or TFIM that I could use to configure a SOAPInput node to authenticate an inbound request containing a WS-Security header (let's keep it simple for now and just say the UsernameToken variety)? For example, could I use a keystore/truststore or a database?
Similarly, can I create a WS-Security header on an outbound request from a SOAPRequest node, without the need for LDAP/TFIM?
There are some reasons why I'm asking. I won't bore you with the details, but it's primarily a matter of support for these two in my company (or rather the lack of it).
I am guessing that I could 'cruft' up some code myself, but I'd like to see how much of the standard functionality provided by the base product I can use before resorting to that, if possible.
Regards
Fraser.
lancelotlinc (Jedi Knight; joined 22 Mar 2010; 4941 posts; Bloomington, IL USA)
Posted: Thu Mar 08, 2012 1:08 pm
The user identity can be taken from the WS-Security header once you have the PS (policy set) defined. Have you defined the PS? If so, please post them so we can see how you have done it.
Code:
# export the broker's policy set and its binding to XML so they can be inspected
mqsireportproperties myBroker -c PolicySets -o myPolicySet -n ws-security -p myPolicySet.xml
mqsireportproperties myBroker -c PolicySetBindings -o myPolicySetBinding -n ws-security -p myPolicySetBinding.xml
ramires (Knight; joined 24 Jun 2001; 523 posts; Portugal - Lisboa)
Posted: Thu Mar 08, 2012 3:57 pm
bielesibub (Apprentice; joined 02 Jul 2008; 40 posts; Hampshire, UK)
Posted: Mon Mar 12, 2012 8:29 am
AFAIK...
Quote:
    Are there any options other than LDAP or TFIM that I could use to configure a SOAPInput node to authenticate an inbound request containing a WS-Security header (let's keep it simple for now and just say the UsernameToken variety)?
Not that I know of, other than adding some 'downstream' checking.
Quote:
    For example, could I use a keystore/truststore or a database?
A keystore/truststore wouldn't work for UsernameToken; for X.509, yes.
You could have a database that contained a list of valid users, and you could check incoming usernames with a Compute node following the SOAPInput. Usernames can be obtained from a message either by applying a policy/binding (the username should appear in Properties) or by using ESQL to drill into the message.
Quote:
    Similarly, can I create a WS-Security header on an outbound request from a SOAPRequest node, without the need for LDAP/TFIM?
Yes, you can do this a couple of ways: add the security header in a Compute node before making the request, or through a security profile.
Good luck...
(It feels like I've been banging my head against a brick wall for the past year trying to get WS-Security (with Kerberos, X.509, SAML) working between .NET and WMB v7.)
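The 'downstream' check and the outbound header creation described in the post above, as an added stand-alone example (this is not code from the thread, and it is not WMB or IBM code): Python that builds a wsse:UsernameToken with a PasswordDigest for an outbound request, and verifies an inbound one against a constructed user table standing in for the database suggested above. The user name, password, the 5-minute freshness window and the handling of a bare wsse:Security element (rather than a full SOAP envelope) are assumptions. It also makes one caveat concrete: a PasswordDigest can only be verified if the receiver can recover the cleartext password, so a table of salted password hashes could only ever validate PasswordText tokens, and those need TLS in front of the SOAPInput node.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# WS-Security 1.0 namespaces and UsernameToken profile identifiers (OASIS, 2004).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_DIGEST, PW_TEXT = UTP + "#PasswordDigest", UTP + "#PasswordText"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed stand-in for the "database of valid users" from the post (assumption).
# PasswordDigest can only be verified when the cleartext password is recoverable,
# so this table holds cleartext; a table of salted hashes could only check PasswordText.
USERS = {"partner1": "s3cret-Pa55"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_header(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Outbound side: a wsse:Security header carrying a PasswordDigest UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PW_DIGEST})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64}).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


def verify_header(xml_text: str, users=USERS, seen_nonces=None, now=None,
                  max_skew: timedelta = timedelta(minutes=5)) -> str:
    """Inbound side: return the authenticated username, or raise ValueError.

    Checks user existence, password type, Created freshness, nonce replay and the digest.
    seen_nonces must persist across calls (a DB table in practice) to stop replays."""
    seen_nonces = seen_nonces if seen_nonces is not None else set()
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None and root.tag == f"{{{WSSE}}}UsernameToken":
        tok = root
    if tok is None:
        raise ValueError("no UsernameToken present")
    username = (tok.findtext("wsse:Username", namespaces=NS) or "").strip()
    pw_el = tok.find("wsse:Password", NS)
    if pw_el is None or username not in users:
        raise ValueError("unknown user or missing password")
    pw_type = pw_el.get("Type", PW_TEXT)  # the profile's default type is PasswordText
    if pw_type == PW_TEXT:
        # Cleartext password: only acceptable when the transport is TLS.
        if not hmac.compare_digest(pw_el.text or "", users[username]):
            raise ValueError("bad password")
        return username
    if pw_type != PW_DIGEST:
        raise ValueError("unsupported password type " + pw_type)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    if not nonce_b64 or not created:
        raise ValueError("PasswordDigest token needs Nonce and Created")
    created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
    if created_dt.tzinfo is None:
        created_dt = created_dt.replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > max_skew:
        raise ValueError("Created outside the freshness window")
    if nonce_b64 in seen_nonces:
        raise ValueError("replayed nonce")
    expected = password_digest(base64.b64decode(nonce_b64), created, users[username])
    if not hmac.compare_digest(expected, pw_el.text or ""):
        raise ValueError("digest mismatch")
    seen_nonces.add(nonce_b64)
    return username


if __name__ == "__main__":
    hdr = build_header("partner1", USERS["partner1"])
    print(hdr)
    print("authenticated as", verify_header(hdr))
```

The freshness window and the nonce cache are the parts a Compute-node check most often leaves out; without them a captured header authenticates for ever, since nothing in a UsernameToken is bound to the request body. Whether the identity is read from Properties (after a policy set/binding) or drilled out of the message with ESQL, the same four checks apply.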
goffinf (Chevalier; joined 05 Nov 2005; 401 posts)
Posted: Mon Mar 12, 2012 9:04 am
Thanks bielesibub, I was coming to the same conclusion, but it's good to hear from someone who has trodden that path already. It's not a problem per se; I just wanted to check whether I needed to venture into the wonderful world of TFIM or not.
Extracting the credentials with a policy set/binding and setting up our own DB *is* a possibility, but my gut instinct tells me that it would be better to get Broker to do as much of the heavy lifting as possible for anything other than the most trivial username/password stuff. Who knows, maybe we'll want to get into [partial] signing and all sorts (although frankly it's pretty hard to get anyone internal to take even basic security measures seriously ... but if it's easy [enough] then it's got to be worth it, IMHO).
Quote:
    A keystore/truststore wouldn't work for UsernameToken; for X.509, yes.
If I *was* using X.509 (which in many cases I probably will; I'm just starting with the UNT profile because it's easier), what would be the best way to do the authentication/authorisation check against a keystore (JCN?)?
lancelotlinc: I was just using the default policy set/binding for now whilst in learning mode.
Regards
Fraser.
bielesibub (Apprentice; joined 02 Jul 2008; 40 posts; Hampshire, UK)
Posted: Mon Mar 12, 2012 9:20 am
Quote:
    If I *was* using X.509 (which in many cases I probably will; I'm just starting with the UNT profile because it's easier), what would be the best way to do the authentication/authorisation check against a keystore (JCN?)?
The simple way is to add the public keys to a truststore; you can set the truststore to be broker-wide or per execution group. You'd need to create and apply a policy set to check your tokens, but beware: the policy set editor is the spawn of the devil!
If you use a truststore at execution group level, then this could possibly be used to granularise (if that's a word) your authorisation.
I used TFIM/TAM here.