| Author |
Message
|
| jayZ |
 Posted: Tue Apr 17, 2012 9:37 am Post subject: Accessing Security Profile w/Compute Node |
 |
|
Acolyte
Joined: 03 Jun 2008
Posts: 71
|
I am writing a message flow that will ultimately use FTPS to deliver files to customers. Because the file output node does not support FTPS, our company has written another message flow that implements a java api to do all of our ftp'ing (FTP, sFTP, FTPS). That flow accepts a message with the FTP credentials and the location of the file to be delivered.
My question is, is it possible to use a security profile administered on the broker to look up that username/password combo, and then pass it into the FTP flow? If so, how? |
|
| Back to top |
|
 |
| zpat |
| Posted: Tue Apr 17, 2012 9:40 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
| You can access a WMB user defined configurable service from Java inside WMB. |
|
| Back to top |
|
|
| jayZ |
| Posted: Tue Apr 17, 2012 9:42 am Post subject: |
|
|
Acolyte
Joined: 03 Jun 2008
Posts: 71
|
Thanks for the quick reply.
Is that using the CMP API? Either way, do you have a link to any of the documentation on how to do that? |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Tue Apr 17, 2012 9:45 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
IBM recommends using Message Broker configurable services to store such information. The Security identity property of the file node or configurable service is used to provide authentication information.
An alternative authentication method is supported using OpenSSH format identity files, sometimes called an SSH key file. Identity files only contain one identity, unlike x509 Key Stores. The identity file can be protected by a pass phrase which is used when decrypting the identity. The mqsisetdbparms command has been extended to take an identity file and optional pass phrase, as an alternative to a password.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| jayZ |
| Posted: Tue Apr 17, 2012 9:50 am Post subject: |
|
|
Acolyte
Joined: 03 Jun 2008
Posts: 71
|
That works, too, provided I can get to that information in the context of a message flow. Ultimately, I'll need to insert that username/password into a message that will be routed to another flow.
We've been using a lookup db; but, I'm trying to create a solution more in line with how the broker does other security lookups. That being said, if I can't extract the username/password at runtime, I can't use it. |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Tue Apr 17, 2012 9:55 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
At our site, we have a web service that serves us passwords. When we call an external provider, we first call the internal web service that returns the then-current password. This web service is locked down to a select few client IP addresses. Passwords are / can be changed every few minutes, like your RSA SecurId dongle.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| jayZ |
| Posted: Tue Apr 17, 2012 9:59 am Post subject: |
|
|
Acolyte
Joined: 03 Jun 2008
Posts: 71
|
That could work, but for other reasons I'd probably just use a lookup database instead.
My choices really are:
1) Broker administered object if I can access the credentials within a message flow.
2) Lookup database |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Tue Apr 17, 2012 10:08 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
A couple of tips:
1. If you elect to use the db, you may like to store your password in the db as encrypted or masked. Probably would not be a good idea to store the password in plain text.
2. If you are designing your SOAPRequests for the future, you will eventually need to support dynamic credentialing. This implies a rewrite if you choose either of your two methods. The point of the web service is to support advanced credential management in real-time.
RSA web site has several good-to-read articles about on-demand credentialing.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| jayZ |
| Posted: Thu Apr 19, 2012 5:43 am Post subject: |
|
|
Acolyte
Joined: 03 Jun 2008
Posts: 71
|
So, back to my original question, can I access broker administered objects from within a message flow? If so, can I get a link to the appropriate documentation/API needed to do it?
Thanks,
JZ |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Apr 19, 2012 5:46 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| jayZ |
| Posted: Thu Apr 19, 2012 5:49 am Post subject: |
|
|
Acolyte
Joined: 03 Jun 2008
Posts: 71
|
Halleluiah!
From one mqjeff to another... Thanks! |
|
| Back to top |
|
|
|
|
