Programmatic authentication without using external systems
darioo
Posted: Fri Feb 22, 2013 3:02 am Post subject: Programmatic authentication without using external systems
Novice, Joined: 19 Mar 2009, Posts: 15
This is going to be a lengthy post, so please bear with me.
TL;DR version:
Is there a way to provide a username and password to the Broker so they can be used generically / programmatically?
Long version:
Take a look at this website: http://browserspy.dk/password.php. This is a nice way to test out basic authentication. More specifically, this page: http://browserspy.dk/password-ok.php.
Ok, so if I want to authenticate myself, I have to provide a username and password. Correct username is "test". Correct password is "test". Easy enough when using a browser. Now, I want to do it using WMB. For the record, I'm using version 7.0.0.3.
How do I want to do it? Let's say every 10 minutes. Of course, this is just a test scenario. Imagine that, in real life, I have to hit a web site every 10 minutes so I check if there are any new XML messages or something that need to be processed.
So, the only input node I have is Timeout notification. Right now, one way I've found out to do this:
Code:
Timeout notification node -> Compute node -> Security PEP node -> HTTP request node -> further processing as needed...
Using Compute node, I set this:
Code:
SET Environment.User = 'test';
SET Environment.Password = 'test';
On Security PEP node, I set Identity token type as "Username + Password", identity token location as "$Environment/User", identity password location as "$Environment/Password".
On HTTP request node, I set Web service URL as "http://browserspy.dk/password-ok.php".
I build the BAR file, setting Security Profile Name as "Default propagation".
After deployment, everything works as expected, I am successfully authenticated and get expected results.
Now, my real question is: is there a way to do this without programmatically setting (and therefore hardcoding) username and password in the Compute node? I know that I can use, for example, an MQInput node and then send a message that contains username and password, and afterwards extract them in compute node, but that defeats the purpose. I could also retrieve username and password from a database if they are provided in plain text as a query result, but that too defeats the purpose because username and password are always located outside of Broker.
I was thinking of a mechanism like mqsisetdbparms that encrypts provided password in a file and afterwards extracting it transparently in a compute node.
Constraints: no LDAP. So, no creation of new security profiles. I am not a service provider, I'm a service requester. Also, no policy sets. I'm not doing web services.
It should be just the Broker using (if needed) a Security PEP node and a Compute node. Is this possible?
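As an added illustration (not code from the thread or from WebSphere Message Broker), the following Python shows what the Security PEP node plus HTTP request node do on the wire for Basic authentication, and the indirection the post is asking for: the flow names a logical identity, and a credential store resolves it, so the secret never appears as a literal in the Compute node. The store and `lookup_identity` are hypothetical stand-ins for an mqsisetdbparms-style identity service; the server-side check mirrors what a page like password-ok.php has to do, including rejecting missing or malformed headers.

```python
import base64
import hmac

# Constructed credential store standing in for an identity service of the kind
# mqsisetdbparms maintains. Hypothetical: the flow refers to the logical name
# "browserspy", never to the user name or password themselves.
_IDENTITY_STORE = {"browserspy": ("test", "test")}


def lookup_identity(logical_name):
    """Return (user, password) for a logical resource name; KeyError if unknown."""
    return _IDENTITY_STORE[logical_name]


def basic_auth_header(user, password):
    """Build the Authorization header value that Basic authentication sends:
    'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header_value, expected_user, expected_password):
    """Server-side validation of an Authorization header.
    Returns True only for a well-formed Basic credential that matches;
    False for a missing header, wrong scheme, bad base64, no ':' separator
    or a mismatch. Comparisons are constant-time."""
    if not header_value:
        return False
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    ok_user = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    ok_pass = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return ok_user and ok_pass


def request_with_identity(logical_name, expected_user="test", expected_password="test"):
    """Simulate one polling cycle: resolve the logical identity, build the
    header the HTTP request node would send, and run the server's check."""
    user, password = lookup_identity(logical_name)
    header = basic_auth_header(user, password)
    return check_basic_auth(header, expected_user, expected_password)


if __name__ == "__main__":
    print(basic_auth_header("test", "test"))
    print(request_with_identity("browserspy"))
```

The point of `lookup_identity` is the separation the original post wants: the flow artefact (the BAR file and its ESQL) contains only the logical name, and whoever administers the credential store can rotate the password without redeploying the flow. Base64 in the header is an encoding, not protection, so the exchange itself still relies on TLS.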
marko.pitkanen
Posted: Fri Feb 22, 2013 4:10 am Post subject:
Chevalier, Joined: 23 Jul 2008, Posts: 440, Location: Jamsa, Finland
Hi,
Hopefully I'm wrong, but if I remember it correctly, broker doesn't currently provide for the HTTP nodes the kind of security identity mapping via logical name that it provides for the FileOutput node, EIS adapters or ODBC data sources.
Perhaps you can implement it yourself with external database or service or broker's internal UserDefined configurable service.
--
Marko
darioo
Posted: Fri Feb 22, 2013 4:35 am Post subject:
Novice, Joined: 19 Mar 2009, Posts: 15
Using a UserDefined configurable service is one possibility, but then again, the password would still be visible using MQ explorer or a mqsireportproperties command. And a bit messy since I'd have to use Java to extract everything.
I could have also added "no database" when mentioning constraints. It's best if I stick to "It should be just the Broker" part.
Using a database like this could be a security hazard since it would have to be stored in plain text in the database.
Of course, other options exist, such as having it stored encrypted in database, then fetching it to Broker, then decrypting it using a private key... but this is all pretty messy and I'd avoid it if possible.
That's why I mentioned I like mqsisetdbparms' approach.
fjb_saper
Posted: Fri Feb 22, 2013 4:42 am Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
darioo wrote:
    Using a UserDefined configurable service is one possibility, but then again, the password would still be visible using MQ explorer or a mqsireportproperties command. And a bit messy since I'd have to use Java to extract everything.
    I could have also added "no database" when mentioning constraints. It's best if I stick to "It should be just the Broker" part.
    Using a database like this could be a security hazard since it would have to be stored in plain text in the database.
    Of course, other options exist, such as having it stored encrypted in database, then fetching it to Broker, then decrypting it using a private key... but this is all pretty messy and I'd avoid it if possible.
    That's why I mentioned I like mqsisetdbparms' approach.
You seem to be missing the point.
You need to set up a user identity service (set up with mqsisetdbparms) that you then reference in the security profile.
Think of your setup as a setup for a restful service.
Have fun
--
MQ & Broker admin
Vitor
Posted: Fri Feb 22, 2013 6:13 am Post subject: Re: Programmatic authentication without using external syste
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
darioo wrote:
    Now, my real question is: is there a way to do this without programmatically setting (and therefore hardcoding) username and password in the Compute node?
Not in WMBv7, but in WMBv8.
--
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Fri Feb 22, 2013 6:33 am Post subject: Re: Programmatic authentication without using external syste
Grand Master, Joined: 25 Jun 2008, Posts: 17447
Vitor wrote:
    darioo wrote:
        Now, my real question is: is there a way to do this without programmatically setting (and therefore hardcoding) username and password in the Compute node?
    Not in WMBv7, but in WMBv8.
darioo
Posted: Sat Feb 23, 2013 2:50 am Post subject:
Novice, Joined: 19 Mar 2009, Posts: 15
Clash of the titans
So, the bottom line is: if I have WMB7, I can only do what I want using an external system (LDAP or database)? If that's the case, then great, since I won't go hunting for a solution that doesn't exist. It's a good thing that alternatives do exist.
I'll have to research new features of WMB8 then. This might be a good reason for upgrading.
mqjeff
Posted: Sat Feb 23, 2013 6:35 am Post subject:
Grand Master, Joined: 25 Jun 2008, Posts: 17447
darioo wrote:
    Clash of the titans
    So, the bottom line is: if I have WMB7, I can only do what I want using an external system (LDAP or database)?
It's the only officially supported way, yes.