| Author |
Message
|
| 3junior |
 Posted: Tue May 28, 2013 9:29 am Post subject: Password Encryption (HttpRequest|SOAPRequest) |
 |
|
Novice
Joined: 28 May 2013
Posts: 16
|
Hi All,
I have a requirement to call external web services using HttpRequest|SOAPRequest, which require authentication. I have already created follows that work by adding user name and password to header. What I need is a mechanism out of box (MB 8.0.0.2) that will allow me to encrypt a password and call it within the follow something similar to mqsidbsetparm for jdbc or ldap services. Also another requirement is to modify the password on the fly without having to rebuild bar files.
Hope someone has a solution that doesn't require me to create a custom app to decrypt and encrypt a password.
I have already used the search function and could not find the answer to this question. I seen other threads without solution. |
|
| Back to top |
|
 |
| Vitor |
| Posted: Tue May 28, 2013 9:40 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
I have the following information:
| Quote: |
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password. |
With thanks to the IBMers involved who pointed out you can do this in v8
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| 3junior |
| Posted: Tue May 28, 2013 10:21 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| Vitor wrote: |
I have the following information:
| Quote: |
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password. |
With thanks to the IBMers involved who pointed out you can do this in v8 |
Thanks for the quick reply |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue May 28, 2013 10:22 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| 3junior wrote: |
| Do I have to use security profile for this solution? |
I believe so. Why would you not want to?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| 3junior |
| Posted: Tue May 28, 2013 10:26 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| Vitor wrote: |
| 3junior wrote: |
| Do I have to use security profile for this solution? |
I believe so. Why would you not want to? |
NVM will test now
Thank again |
|
| Back to top |
|
|
| 3junior |
| Posted: Tue May 28, 2013 10:42 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| 3junior wrote: |
| Vitor wrote: |
I have the following information:
| Quote: |
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password. |
With thanks to the IBMers involved who pointed out you can do this in v8 |
Thanks for the quick reply |
Hi Vitor,
Do you know if this information is any where on the IBM website?
Thanks |
|
| Back to top |
|
|
| 3junior |
| Posted: Tue May 28, 2013 12:07 pm Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| 3junior wrote: |
| Vitor wrote: |
I have the following information:
| Quote: |
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password. |
With thanks to the IBMers involved who pointed out you can do this in v8 |
Thanks for the quick reply |
Can you please provide an example on how to incorporate this into http request node? |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed May 29, 2013 3:23 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| 3junior wrote: |
| Can you please provide an example on how to incorporate this into http request node? |
The magic words are "security profile" |
|
| Back to top |
|
|
| 3junior |
| Posted: Wed May 29, 2013 4:46 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| mqjeff wrote: |
| 3junior wrote: |
| Can you please provide an example on how to incorporate this into http request node? |
The magic words are "security profile" |
I have security profile enabled. How do I get the value now in esql to build the header?
SET OutputRoot.Properties.IdentitySourceType='usernameAndPassword';
SET OutputRoot.Properties.IdentitySourceToken = 'myUser';
SET OutputRoot.Properties.IdentitySourcePassword = 'mytest';
Thanks |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed May 29, 2013 4:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| 3junior wrote: |
| mqjeff wrote: |
| 3junior wrote: |
| Can you please provide an example on how to incorporate this into http request node? |
The magic words are "security profile" |
I have security profile enabled. How do I get the value now in esql to build the header? |
You don't GET it from ESQL.
You leave it for the security profile to populate. That's the whole point of the security profile, that it knows the passwords and you don't. |
|
| Back to top |
|
|
| 3junior |
| Posted: Wed May 29, 2013 5:00 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| mqjeff wrote: |
| 3junior wrote: |
| mqjeff wrote: |
| 3junior wrote: |
| Can you please provide an example on how to incorporate this into http request node? |
The magic words are "security profile" |
I have security profile enabled. How do I get the value now in esql to build the header? |
You don't GET it from ESQL.
You leave it for the security profile to populate. That's the whole point of the security profile, that it knows the passwords and you don't. |
Thanks for your quick reply. What if I had to use a custom header for username and password? |
|
| Back to top |
|
|
| 3junior |
| Posted: Wed May 29, 2013 5:10 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
Also for the Identity Token type what value do I select?
Sorry for all the questions this type of setup is new to MB 8.0 and I cannot find documentation on the procedure described
| Quote: |
Vitor wrote:
I have the following information:
Quote:
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password.
With thanks to the IBMers involved who pointed out you can do this in v8
Thanks for the quick reply |
|
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed May 29, 2013 5:11 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| 3junior wrote: |
| Thanks for your quick reply. What if I had to use a custom header for username and password? |
You wouldn't be able to use a security profile.
You can't access the contents of security profiles, nor the contents of data stored by mqsisetdbparms from any broker transformation interface.
These both provide mechanisms to SEPARATE the developer from the REAL credentials, so that the proper ADMINISTRATOR can configure them. |
|
| Back to top |
|
|
| 3junior |
| Posted: Wed May 29, 2013 5:32 am Post subject: |
|
|
Novice
Joined: 28 May 2013
Posts: 16
|
| 3junior wrote: |
Also for the Identity Token type what value do I select?
| Quote: |
Vitor wrote:
I have the following information:
Quote:
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password.
With thanks to the IBMers involved who pointed out you can do this in v8
Thanks for the quick reply |
|
HI MQJeff,
Also for the Identity Token type what value do I select?
Sorry for all the questions this type of setup is new to MB 8.0 and I cannot find documentation on the procedure described |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed May 29, 2013 5:35 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| 3junior wrote: |
| 3junior wrote: |
Also for the Identity Token type what value do I select?
| Quote: |
Vitor wrote:
I have the following information:
Quote:
- Create a configurable service with the following properties:
mqsicreateconfigurableservice <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -n propagation,idToPropagateToTransport,transportPropagationConfig -v TRUE,"STATIC ID",<mySecurityIdentifier>
- Set the desired username/password:
mqsisetdbparms <BROKERNAME> -n <mySecurityIdentifier> -u <username> -p <password>
- Verify the contents of your newly created security profile:
mqsireportproperties <BROKERNAME> -c SecurityProfiles -o <HTTPServiceIdentity> -r
- Deploy a message flow set to use <HTTPServiceIdentity> security profile and watch it send messages using your chosen username and password.
With thanks to the IBMers involved who pointed out you can do this in v8
Thanks for the quick reply |
|
HI MQJeff,
Also for the Identity Token type what value do I select?
Sorry for all the questions this type of setup is new to MB 8.0 and I cannot find documentation on the procedure described |
You are attempting to have Broker administratively add a security token to an outbound message.
This security token needs to be verifiable by the receiver of the outbound message.
So it is the receiver of the outbound message that strictly controls the structure, content, nature, and all other aspects of the security token that you need to construct.
So you need to set the Identity Token type to the value that matches what the receiver of your message wants. |
|
| Back to top |
|
|
|
|
