MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Using Security profiles

Post new topic  Reply to topic
Using Security profiles
naio (Voyager)
Posted: Tue Feb 25, 2014 10:51 am
Hi to all of the masters,

I am trying to configure a basic service in WMB 8.0.0.2 with security profile:

MQInput - Compute - MQOutput

To access an Active Directory via LDAP.

I have searched the Infocenter and performed the following steps:

1) I configured an LDAP profile:

Code:
mqsicreateconfigurableservice BK -c SecurityProfiles -o LDAP1 -n authentication,authenticationConfig -v "LDAP,\"ldap://10.1.1.0:389/CN=Users,DC=test,DC=local\""


Just to authenticate. I checked the profile with mqsireportproperties and it is created.

2) Then I configured the flow with the LDAP1 profile and ran a test:


Code:
BIP2728E: Failed to search LDAP for user ''ldap://10.1.1.0:389'' with user name ''anonymous'' for binding. The following explanation was returned: 'javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 0000 ]'
                                       An attempt was made to get the full Distinguished Name of ''ldap://10.1.1.0:389'', using a bind with user name ''anonymous''



So I spoke with the LDAP and AD group and they told me that they do not allow anonymous connections.


3) I created the binding with mqsisetdbparms

Code:
mqsisetdbparms BK8GLOBD01 -n ldap::10.1.1.0 -u "authorizedDN username"



And ran the test again:


Code:
The security profile ''LDAP1'' has specified ''LDAP'' for security processing. A message has entered a node that uses this profile and the provider is being invoked.
                                       No action is required.
2014-02-25 15:00:22.452662        6   UserTrace   BIP2703W: The identity token type ''Username and password'', issued by '''', was not authorized by security provider ''ldap://192.168.6.6:389'' to access message flow ''LDAP_Test_Flow''. (For a 'username' token type, the token is: ''User Administrador''.)



UserTrace   BIP4060I: Data ''Se produjo un Error [FAILURE]
                                       ( ['MQROOT' : 0x7f50d813eaa0]
                                         (0x01000000:Name):SecurityException = (
                                           (0x03000000:NameValue):File     = '/build/slot1/S800_P/src/SecurityProviders/Ldap/ImbLdapSecurityProvider.cpp' (CHARACTER)
                                           (0x03000000:NameValue):Line     = 122 (INTEGER)
                                           (0x03000000:NameValue):Function = 'ImbLdapSecurityProvider::authenticate' (CHARACTER)
                                           (0x03000000:NameValue):Type     = 'MessageFlow' (CHARACTER)
                                           (0x03000000:NameValue):Name     = 'e841ae65-4401-0000-0080-e47159714cb0' (CHARACTER)
                                           (0x03000000:NameValue):Label    = 'LDAP_Test_Flow' (CHARACTER)
                                           (0x03000000:NameValue):Catalog  = 'BIPmsgs' (CHARACTER)
                                           (0x03000000:NameValue):Severity = 2 (INTEGER)
                                           (0x03000000:NameValue):Number   = 2702 (INTEGER)
                                           (0x03000000:NameValue):Text     = 'Error Making Security JNI Call: MbLDAPSecurityProvider_authenticate' (CHARACTER)
                                           (0x01000000:Name     ):Insert   = (
                                             (0x03000000:NameValue):Type = 5 (INTEGER)
                                             (0x03000000:NameValue):Text = 'usernameAndPassword' (CHARACTER)
                                           )
                                           (0x01000000:Name     ):Insert   = (
                                             (0x03000000:NameValue):Type = 5 (INTEGER)
                                             (0x03000000:NameValue):Text = 'User Administrador' (CHARACTER)
                                           )
                                           (0x01000000:Name     ):Insert   = (
                                             (0x03000000:NameValue):Type = 5 (INTEGER)
                                             (0x03000000:NameValue):Text = '' (CHARACTER)
                                           )
                                           (0x01000000:Name     ):Insert   = (
                                             (0x03000000:NameValue):Type = 5 (INTEGER)
                                             (0x03000000:NameValue):Text = 'LDAP' (CHARACTER)
                                           )
                                         )
                                       )



So I thought that the problem was the user name, but when I checked with the LDAP and AD team, they told me that it was OK. I downloaded a free LDAP admin tool and could successfully connect, but with the broker it is impossible.


Is there any way to test the binding connection after the mqsisetdbparms command? (When connecting to a database I use mqsicvp and it worked fine, but I cannot find a way to test the binding to the LDAP.)

I have searched the web, the forum and the Infocenter, but I still cannot get a clue.


Any piece of advice will be greatly appreciated.

Thanks in advance.
ganesh (Master)
Posted: Tue Feb 25, 2014 12:50 pm
Step 3, I hope you set the password too.
naio (Voyager)
Posted: Tue Feb 25, 2014 12:52 pm
Yes, of course.
I tried with -p "password" or leaving it empty and letting the system ask twice for the password.


Thank you for the advice anyway!
mqjeff (Grand Master)
Posted: Tue Feb 25, 2014 1:53 pm
LDAP requires a username/password for the user it is trying to authenticate (not the user that is connecting to the LDAP, the user that the LDAP is trying to authenticate).

MQ does not supply passwords. It only supplies usernames.

Try using an HTTPInput node and send it an HTTP Basic-Auth secured request.
naio (Voyager)
Posted: Wed Feb 26, 2014 5:55 am
mqjeff, thanks for your reply.

I am sending this message:

<?xml version="1.0" encoding="UTF-8"?>
<Envelope>
<Body>
<Username>User Administrador</Username>
<Password>xxxxxx</Password>
<issuedBy></issuedBy>
</Body>
</Envelope>


And I am setting the user and pass from the payload of the message, using the security tab in the MQInput node, not taking it from the MQMD or HTTP header.

I should have written this before.


So to round it up:

1) I created an LDAP profile.
2) I created the binding (I am using a particular user and pass that the LDAP team gave me as an authorized DN).
3) I set the LDAP profile in the message flow and then sent the message with a particular user and pass.


According to the infocenter and documentation it should work.

I have never worked with LDAP + AD + WMB before, that is why I am a bit lost. I am trying to figure it out.


Thank you in advance.
naio (Voyager)
Posted: Thu Mar 06, 2014 6:30 am
Finally I could make it work; the LDAP/AD team changed the DN several times until it worked.

What I could not find is a way to test the connection to the LDAP/AD server from the broker, as we do have a command to do this for the DBs.


Thanks to all for the help!
GeneRK4 (Master)
Posted: Sat Aug 16, 2014 8:32 am
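naio asks twice whether the bind configured with mqsisetdbparms can be tested outside the broker (there is no mqsicvp equivalent for LDAP), and GeneRK4's trace below shows that same bind failing with LDAP error code 49. The script here is an added example, not code from the thread or from IBM: it performs the LDAPv3 simple bind the broker attempts with the configured DN and password (RFC 4511, standard library only) and decodes the server's result code, so the credentials can be checked without deploying a flow. The host, port, DN and password are assumed to be whatever was given to mqsisetdbparms, e.g. check_bind("10.1.1.0", 389, "<bind DN>", "<password>").

```python
"""Minimal LDAPv3 simple bind over a raw socket (standard library only)."""
import socket
# resultCode values that appear in the thread's BIP2721E/BIP2728E traces
RESULT_CODES = {0: "success", 1: "operationsError",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

def _ber(tag, payload):
    """BER TLV: tag, short or long-form length, value."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def bind_request(msg_id, dn, password):
    """Encode BindRequest { version 3, name dn, simple password } (RFC 4511)."""
    body = (_ber(0x02, b"\x03")               # INTEGER version 3
            + _ber(0x04, dn.encode())         # OCTET STRING bind DN
            + _ber(0x80, password.encode()))  # [0] simple authentication
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, body))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                             # long-form length
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    """Decode BindResponse -> (resultCode, name, diagnosticMessage)."""
    _, msg, _ = _read_tlv(buf, 0)             # LDAPMessage SEQUENCE
    _, _, p = _read_tlv(msg, 0)               # messageID
    tag, resp, _ = _read_tlv(msg, p)
    if tag != 0x61:                           # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, p = _read_tlv(resp, 0)           # ENUMERATED resultCode
    _, _, p = _read_tlv(resp, p)              # matchedDN (unused)
    _, diag, _ = _read_tlv(resp, p)           # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return rc, RESULT_CODES.get(rc, str(rc)), diag.decode(errors="replace")

def check_bind(host, port, dn, password, timeout=5):
    """Bind once with the mqsisetdbparms DN/password and return the verdict."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(bind_request(1, dn, password))
        return parse_bind_response(s.recv(4096))
```

A result of 49 (invalidCredentials) is what the broker reports as BIP2721E, and an anonymous bind refused by AD comes back as code 1 with the "successful bind must be completed" text seen in BIP2728E.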
Could you please let me know how you resolved it? I am getting the same problem:

The security profile ''LDAPSP'' has specified ''LDAP'' for security processing. A message has entered a node that uses this profile and the provider is being invoked.
No action is required.
2014-08-16 21:49:27.778162 2596 UserTrace BIP2728E: Failed to search LDAP for user ''ldap://localhost:10389'' with user name ''anonymous'' for binding. The following explanation was returned: 'javax.naming.NoPermissionException: [LDAP: error code 50 - failed on search operation: Anonymous binds have been disabled!]'
An attempt was made to get the full Distinguished Name of ''ldap://localhost:10389'', using a bind with user name ''anonymous''.
Ensure that the user name supplied has permission to look up the given user. If necessary use mqsisetdbparms to specify a different user name and password to bind to the server.
GeneRK4 (Master)
Posted: Sat Aug 16, 2014 10:02 am
I executed

Code:
mqsisetdbparms RadBRK1 -n ldap::localhost -u "uid=admin,ou=system" -p pass

now and still more errors are coming up:

=========================================
2014-08-16 23:29:02.171981 12648 UserTrace BIP2735I: Identity has been passed to the ''LDAP'' security provider as instructed by security profile ''LDAPSP''. The following operations are requested: ''authentication'', '''', ''authorization''.
The security profile ''LDAPSP'' has specified ''LDAP'' for security processing. A message has entered a node that uses this profile and the provider is being invoked.
No action is required.
2014-08-16 23:29:02.308200 12648 UserTrace BIP2721E: Failed to bind to the LDAP server ''ldap://localhost:10389'' with user name ''uid=admin,ou=system''. Possible explanation: 'javax.naming.AuthenticationException: [LDAP: error code 49 - Bind failed: null]'
Ensure that the server address is correct.
Use mqsisetdbparms to check that the user name and password are valid.
If the user name is "anonymous", ensure that the LDAP server accepts anonymous binds.
2014-08-16 23:29:02.311482 12648 UserTrace BIP3145I: Message propagated to failure terminal; node 'SecurityTest.HTTP Input'.
Node 'SecurityTest.HTTP Input' has received an HTTP request message, but an error occurred before the message could be propagated to the output terminal. The message broker is propagating the message to the failure terminal of the node.
Examine the other messages and the message flow to determine why the message is not being received as expected. Correct this situation if possible. Perform any local error recovery processing required.
2014-08-16 23:29:02.311591 12648 SecurityException BIP2702W: The identity token type ''usernameAndPassword'', issued by ''Apache-HttpClient/4.1.1 (java 1.5)'', failed authentication with security provider ''LDAP''. (For a 'username' token type, the token is: ''wmbuser1''.)
The security provider specified failed to authenticate the provided identity token.
Ensure that the provided identity token is valid and that the specified security provider is configured to authenticate the specified identity token. If the security provider is shown as 'Cached', the authentication result is now being returned from the broker security cache. You can use the 'mqsireloadsecurity' command to clear the broker security cache. Check your security provider logs for information about why the identity token could not be authenticated.
=========================================

In LDAP, I have checked that the bind DN (user) is
uid=admin,ou=system
The password is correct, as I have verified.

In the SOAPUI tool, while trying to send authentication headers for a message,
I have given wmbuser1, which is already present in LDAP.

Please let me know what I am missing here.