akil
Posted: Mon Jul 28, 2014 4:51 am Post subject: IIB 9: RESTWS Authorization with LDAP, Best Practice?
Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai

Hi
So now, I have a variety of flows deployed on the IIB:
1. I have 7 SOAP requests, using the broker-wide listener (default port)
2. I have 10 XML-HTTP requests, using the broker-wide listener (default port)
3. I have 3 file processing flows (reading from a local system at the moment)
In the topology I have 2 environments (1 TEST & 1 PRD), and for each of these environments I have:
(a) 1 IIB server
(b) 3 service providers (the 20 flows go to these 3 service providers)
(c) These 20 flows are called from 5 different applications.
I've set up OpenLDAP (I don't have Tivoli), and I have created a security profile for LDAP authentication.
For flow sets 1 & 2 above, I am using HTTP Basic Auth (at the moment, can change if needed). For flow set 3 (files), I haven't yet done any security configuration (not sure what's the best way to do this).
In the LDAP, I've created 2 OUs (TEST & PRD for the 2 environments that I have), and I have created 10 identities (2 for each client application that calls the IIB, one to be used for UAT & the other to be used for PRD).
With this setup, I can authenticate clients separately for each environment, and all looks fine. As new clients come, I'll set up a new identity for them and all looks ok.
Now, I need to implement some sort of authorisation: client 1 should be able to invoke 4 of the 20 flows that are deployed, client 2 another 7 flows and so on.
What is the usual way to set up these kinds of authorisation rules?
One option is to set up a database table, that is invoked post the LDAP authentication, and write ESQL to check for authorisation.
Is there any other option, one that uses LDAP to specify the authorisations (instead of a database table)? This will require the LDAP properties of the identity to be available in the flow - not sure if this is available.
Are there any other alternatives?
_________________
Regards
ganesh
Posted: Mon Jul 28, 2014 9:53 am Post subject:
Master
Joined: 18 Jul 2010 Posts: 294

You can set up both authentication and authorization in your security profile.
akil
Posted: Mon Jul 28, 2014 10:13 am Post subject:
Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai

The authorisation of LDAP checks if the user (that's part of the identity) belongs to a specific group, a group that's hardwired as part of the security profile. In this approach multiple security profiles (with different authorizationConfig) need to be created. Can the group names to be checked be a user-defined property instead of being part of the SecurityProfile?
_________________
Regards
ganesh
Posted: Mon Jul 28, 2014 10:44 am Post subject:
Master
Joined: 18 Jul 2010 Posts: 294

Changes to security profile cannot be dynamic.
Why would you want to change a group in runtime?
akil
Posted: Mon Jul 28, 2014 7:41 pm Post subject:
Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai

I have the following scenario:
1. Client 1 is authorised for services 1, 2, 3
2. Client 2 is authorised for services 3, 4
3. Client 3 is authorised for service 5
I can include services 1 & 2 in a profile called group1, I can include 4 in profile2 and 5 in profile3. What do I do for service 3? It needs to be in 2 profiles (groups)...
How do I proceed?
_________________
Regards
fjb_saper
Posted: Tue Jul 29, 2014 4:36 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

Usually done through SAML...
_________________
MQ & Broker admin
mb01mqbrkrs
Posted: Tue Jul 29, 2014 5:07 am Post subject:
Apprentice
Joined: 18 Nov 2011 Posts: 48

fjb_saper wrote:
> Usually done through SAML...
It's just a shame that Broker requires TFIM in order to actually validate it.
mqjeff
Posted: Tue Jul 29, 2014 5:10 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

mb01mqbrkrs wrote:
> fjb_saper wrote:
> > Usually done through SAML...
> It's just a shame that Broker requires TFIM in order to actually validate it.
It's fairly easy to put a standalone webserver in front of IIB that can do all the authentication you want.
zpat
Posted: Tue Jul 29, 2014 5:11 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

You might want to increase the LDAP cache timeout value - to reduce the frequency of calls made to the LDAP server.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
akil
Posted: Tue Jul 29, 2014 8:29 am Post subject:
Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai

So it appears that I can't use the built-in LDAP profile for this; let's just say that I add a compute node to check this, where do I store these rules? Should I store them in LDAP and query them? Or do I set up a database (and the associated user interface etc.), or are there more
I can also enforce port-level security (iptables), and I can deploy flow 3 twice, one for each execution group; my question was aimed at finding an IIB-specific solution...
_________________
Regards
mqjeff
Posted: Tue Jul 29, 2014 8:44 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

I guess I don't know why FJ suggested SAML, but I'm sure he's got more experience in this area than me.
I'd personally create a group in LDAP for each service, and either you're a member of the service group or you aren't.
Then client 1 is a member of 3 groups, client 2 is a member of 2 groups, etc., but each service only checks its own group.
Or I'd offload authorization and authentication to a webserver front-tier, using IBM HTTP Server or Apache, and export Broker config to the appropriate properties file using tooling provided.
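An added example, not code from the thread or from IIB: a stand-alone Python model of the one-group-per-service rule described above, combined with the per-environment TEST/PRD OUs from the original question. The group DN is derived at check time from the service name and environment instead of being hardwired per profile, and it is evaluated against a constructed LDIF snapshot; the base DN dc=example,dc=org, the groupOfUniqueNames layout, and the client/service names are assumptions.

```python
"""Added example (not from the thread or from IIB): a stand-alone model of the
one-LDAP-group-per-service authorization rule, evaluated against a constructed
LDIF snapshot. Base DN, OU, client and service names are assumptions."""
from typing import Dict, Set

# Constructed LDIF snapshot of the TEST OU: one groupOfUniqueNames entry per
# service, listing the client identities allowed to call that service.
# Service 3, shared by client1 and client2, is still a single group.
LDIF = """\
dn: cn=svc1,ou=TEST,dc=example,dc=org
objectClass: groupOfUniqueNames
uniqueMember: uid=client1,ou=TEST,dc=example,dc=org

dn: cn=svc3,ou=TEST,dc=example,dc=org
objectClass: groupOfUniqueNames
uniqueMember: uid=client1,ou=TEST,dc=example,dc=org
uniqueMember: uid=client2,ou=TEST,dc=example,dc=org

dn: cn=svc5,ou=TEST,dc=example,dc=org
objectClass: groupOfUniqueNames
uniqueMember: uid=client3,ou=TEST,dc=example,dc=org
"""


def parse_groups(ldif: str) -> Dict[str, Set[str]]:
    """Map each group DN to the set of its member DNs (compared case-insensitively)."""
    groups: Dict[str, Set[str]] = {}
    for record in ldif.strip().split("\n\n"):
        attrs = [ln.split(": ", 1) for ln in record.splitlines() if ": " in ln]
        dn = next(v for k, v in attrs if k == "dn").lower()
        groups[dn] = {v.lower() for k, v in attrs if k == "uniqueMember"}
    return groups


GROUPS = parse_groups(LDIF)


def is_authorized(groups: Dict[str, Set[str]], client_uid: str,
                  service: str, env: str) -> bool:
    """Per-service check: build the group DN from the service name and the
    environment OU, then test membership. Deny by default: an unknown service
    or an identity from the other environment has no matching group entry."""
    base = f"ou={env},dc=example,dc=org".lower()
    member = f"uid={client_uid},{base}".lower()
    return member in groups.get(f"cn={service},{base}".lower(), set())
```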
fjb_saper
Posted: Tue Jul 29, 2014 10:04 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

I suggested SAML because he asked for other alternatives.
And authentication + authorization confirmed by a 3rd party server is usually done with a SAML service.
Not because of experience but because of state of the art.
_________________
MQ & Broker admin
akil
Posted: Tue Jul 29, 2014 7:28 pm Post subject:
Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai

If I do one group per service, I suppose it means that I create one security profile per service, as the group membership is part of the profile... so with 5 services I would have 5 groups? And 20 with 20? Is it possible to specify the group at runtime to avoid multiple profiles?
I am starting to read up on SAML, but I don't have Tivoli; are there alternatives (open source?) that work with IIB?
_________________
Regards
martinb
Posted: Wed Jul 30, 2014 2:18 am Post subject:
Master
Joined: 09 Nov 2006 Posts: 210 Location: UK

Broker uses WS-Trust v1.3 to communicate with Security Token Servers, so provided both ends have interpreted the specification in the same way, it should be OK.
You've mentioned options for building things to implement your particular use case; you could look at the Security Policy Enforcement Point (PEP) sample. That provides a trivial flow that itself talks WS-Trust v1.3 to demonstrate things in Broker without requiring a TFIM etc.