WS-Security and Active Directory work with WMB?
liminzhang
Posted: Mon Sep 29, 2014 9:30 am    Post subject: WS-Security and Active Directory work with WMB?
Novice. Joined: 29 Sep 2014. Posts: 11
Hi there,
Did anyone use WMB 7.0.0.6 with WS-Security and Microsoft Active Directory? I searched the forum and it appears that no one encountered this issue before.
The following are the settings I used.
Settings for the security profile
SecurityProfiles
SecurityProfile_1
authentication='LDAP'
authenticationConfig='ldap://dc001:389/OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com?sAMAccountName'
authorization='LDAP'
authorizationConfig='ldap://dc001:389/CN=MyGroup,OU=DISTRIBUTION LISTS,OU=Security Groups,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com'
keyStore='keystore.jks'
mapping='NONE'
mappingConfig=''
passwordValue='PLAIN'
propagation='TRUE'
rejectBlankpassword='FALSE'
trustStore='Reserved for future use'
Settings for AddressBookProviderFlow.cmf
Provider Policy Set:WSS10Default
Provider Policy Set Binding:WSS10Default
Security Profile Name:SecurityProfile_1
The SOAP request
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="http://cds.gdt.com/ContraventionDetailsService/">
<soapenv:Header>
<wsse:Security soapenv:actor="" mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="unt_907818524">MyUid</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MyPassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<NS2:Person xmlns:NS2="http://addressbook.com/" ><NS2:Name>Dave1</NS2:Name><NS2:Address><NS2:City>Carlisle</NS2:City><NS2:Street>Welton</NS2:Street><NS2:Province>Cumbria</NS2:Province><NS2:PostalCode>NE2 3HP</NS2:PostalCode><NS2:PhoneNumber><NS2:Area>1</NS2:Area><NS2:Prefix>2</NS2:Prefix><NS2:Local>3</NS2:Local></NS2:PhoneNumber></NS2:Address></NS2:Person>
</soapenv:Body>
</soapenv:Envelope>
User trace logs.
2014-09-29 09:57:09.397778 5012 UserTrace BIP2735I: Identity has been passed to the ''LDAP'' security provider as instructed by security profile ''SecurityProfile_1''. The following operations are requested: ''authentication'', '''', ''authorization''.
The security profile ''SecurityProfile_1'' has specified ''LDAP'' for security processing. A message has entered a node that uses this profile and the provider is being invoked.
No action is required.
2014-09-29 09:57:09.415883 5012 UserTrace BIP2736I: Preparing to bind to LDAP server ''ldap://dc001:389'', using username ''CN=MyLastName\, MyFirstName,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com'' and the associated password.
The LDAP security provider is authenticating the username (''CN=MyLastName\, MyFirstName,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com'') by performing an LDAP bind; success of this bind will guarantee the authenticity of the password.
No action is required.
2014-09-29 09:57:09.434168 5012 UserTrace BIP2735I: Identity has been passed to the ''LDAP'' security provider as instructed by security profile ''SecurityProfile_1''. The following operations are requested: ''authorization'', 'AddressBookProviderFlow', '{4}'.
The security profile ''SecurityProfile_1'' has specified ''LDAP'' for security processing. A message has entered a node that uses this profile and the provider is being invoked.
No action is required.
2014-09-29 09:57:09.459191 5012 UserTrace BIP2737I: Preparing to look up distinguished name (DN) ''CN=MyLastName\, MyFirstName,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com'' in group ''CN=MyGroup,OU=DISTRIBUTION LISTS,OU=Security Groups,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com'' on LDAP server ''ldap://dc001:389''. Member attributes searched are ''[member, uniquemember]''.
The LDAP security provider is performing an authorization check on the username (''CN=MyLastName\, MyFirstName,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com'') by checking whether it is a member of group ''CN=MyGroup,OU=DISTRIBUTION LISTS,OU=Security Groups,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com''.
No action is required.
2014-09-29 09:57:09.464107 5012 UserTrace BIP2703W: The identity token type ''Username and password'', issued by '''', was not authorized by security provider ''ldap://dc001:389'' to access message flow ''AddressBookProviderFlow''. (For a 'username' token type, the token is: ''MyUid''.)
If access is expected, ensure that the specified security provider has been configured to allow access to the specified message flow. If the security provider is shown as 'Cached', the authorization result is now being returned from the broker security cache. You can use the 'mqsireloadsecurity' command to clear the broker security cache. Check your security provider logs for information about why the identity token could not be authorized.
I double-checked the membership with the following query in a .Net program. The query shows that the membership is in Active Directory.
Membership Query
srch.Filter = @"(&(objectClass=user)(distinguishedName=CN=MyLastName\, MyFirstName,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com)(memberOf=CN=MyGroup,OU=DISTRIBUTION LISTS,OU=Security Groups,OU=MyCompany Users,OU=MyCompany Users and Computers,DC=MyCompany,DC=com))";
I am in local administrator group on my computer and the message flow was deployed on my computer.
Does anyone have a clue? Can Microsoft Active Directory work with WMB at all?
Thanks
L.Z.
Last edited by liminzhang on Thu Oct 02, 2014 1:25 pm; edited 1 time in total
martinb
Posted: Mon Sep 29, 2014 12:38 pm
Master. Joined: 09 Nov 2006. Posts: 210. Location: UK
Yes, I've seen WMB successfully use Active Directory for Authentication and Authorization.
Scanning through, I think you might need to check whether you should be setting the optional "member_attr" in the security profile "authorizationConfig".
The docs state the default is to look for both "member" and "uniquemember" attributes.
I note in your test LDAP query you have "memberOf".
liminzhang
Posted: Mon Sep 29, 2014 1:26 pm
Novice. Joined: 29 Sep 2014. Posts: 11
Hi martinb,
Thanks for the quick reply.
martinb wrote:
    Yes, I've seen WMB successfully use Active Directory for Authentication and Authorization.
Glad to know this :).
martinb wrote:
    Scanning through, I think you might need to check whether you should be setting the optional "member_attr" in the security profile "authorizationConfig".
I set the optional parameter to 'member'. It did not work. The only change is "Member attributes searched are ''[member]''", as shown in the log file.
martinb wrote:
    The docs state the default is to look for both "member" and "uniquemember" attributes.
Yeah, the original log in my previous message shows this: "Member attributes searched are ''[member, uniquemember]''".
martinb wrote:
    I note in your test LDAP query you have "memberOf".
I think memberOf in the query means 'also a member of the following group parameter'. I tested both a group the user belongs to and a group the user does not belong to and confirmed my guess.
I intercepted the traffic between the Active Directory server and WMB with Wireshark. The correct group member attributes were returned. Even though the group member attributes contain the user, the authorization could not pass. I found that the distinguished name (DN) of the user looks like 'myFirstName\, myLastName, ', i.e. it contains '\'. I guess the IBM WMB LDAP security provider did not handle DNs with '\' correctly. Do you remember whether DNs contained '\' in your case?
Thanks
L.Z.
Last edited by liminzhang on Wed Oct 01, 2014 8:09 am; edited 1 time in total
liminzhang
Posted: Tue Sep 30, 2014 8:25 am
Novice. Joined: 29 Sep 2014. Posts: 11
I just tested one user whose distinguished name does not contain any backslash ('\'). It did not work. My guess is wrong.
I started service trace in debug mode and still could not find more useful information.
Does any WMB master know how WMB authorization works after WMB security provider fetches group information?
IBM should open source WMQ :).
martinb
Posted: Tue Sep 30, 2014 3:44 pm
Master. Joined: 09 Nov 2006. Posts: 210. Location: UK
You tested the one thing that I was wondering about, if that escaped comma would be throwing this.
Having authenticated the user the Broker will have the fully qualified DN of the user, and will be looking for an entry with that DN in the group.
If you can see this coming back in the traffic from Active Directory, it is sounding like time to raise this with Broker support via a PMR.
liminzhang
Posted: Wed Oct 01, 2014 8:05 am
Novice. Joined: 29 Sep 2014. Posts: 11
martinb wrote:
    You tested the one thing that I was wondering about, if that escaped comma would be throwing this.
The comma inside the DN may cause the issue. Actually, the reason the user whose DN does not contain an escaped comma was not authorized is that the member attribute inside the group does NOT contain the user. However, the memberOf attribute of that user contains the group. An LDAP query used by a .Net program really confirmed that the user is a member of that group. The WMB service provider should use an LDAP query to check whether a user belongs to a group, which is also more object oriented. However, I could not find a user satisfying the conditions to make a test for now:
- Has a DN without any comma
- Belongs to a group whose member attribute contains the user's DN
One of my co-workers made a good catch. He found this link: http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IC87178. As per this document, the comma inside "CN=FirstName\, LastName" causes authorization failure. We also double-checked the version number of WMB on my computer, which is 7.0.0.4. I made a mistake by assuming the version number of the WMB development kit is the same as that of WMB. Hope applying fix pack 7.0.0.6 will resolve this issue.
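The two failure modes discussed in this thread (the broker looking up the authenticated user's DN in the group's member/uniquemember attribute, and a DN with an escaped comma defeating that lookup) can be reproduced offline. The snippet below is an added illustration, not code from the thread or from IBM; the directory snapshot, DIRECTORY, and the function names are constructed for the example, and naive_is_member is an assumed flawed matcher, not a claim about how WMB actually compared DNs.

```python
import re
# Constructed sample directory snapshot (not real data), shaped like the thread: a user
# whose DN has an escaped comma, a user whose memberOf lists the group although the
# group's member attribute does not, and a plain user the group does list.
GROUP_DN = "CN=MyGroup,OU=Security Groups,DC=MyCompany,DC=com"
USER_ESC = "CN=MyLastName\\, MyFirstName,OU=MyCompany Users,DC=MyCompany,DC=com"
USER_MEMBEROF_ONLY = "CN=jdoe,OU=MyCompany Users,DC=MyCompany,DC=com"
USER_PLAIN = "CN=asmith,OU=MyCompany Users,DC=MyCompany,DC=com"
DIRECTORY = {
    USER_ESC: {"memberOf": [GROUP_DN]},
    USER_MEMBEROF_ONLY: {"memberOf": [GROUP_DN]},
    USER_PLAIN: {"memberOf": [GROUP_DN]},
    GROUP_DN: {"member": [  # attribute types returned in lower case on purpose
        "cn=MyLastName\\, MyFirstName,ou=MyCompany Users,dc=MyCompany,dc=com",
        USER_PLAIN]},
}

def split_rdns(dn):
    """Split at unescaped commas only (RFC 4514), so '\\,' stays inside its value."""
    return re.split(r"(?<!\\),", dn)

def normalize_dn(dn):
    """Canonical form for comparison: types lowercased, whitespace around RDNs trimmed."""
    rdns = [rdn.strip().partition("=") for rdn in split_rdns(dn)]
    return ",".join(f"{t.lower()}={v.strip()}" for t, _, v in rdns)

def group_lists_user(user_dn, group_dn, member_attrs=("member", "uniquemember")):
    """The check the BIP2737I trace describes: the user's DN must appear in the
    group's member or uniquemember attribute, compared as DNs, not as raw strings."""
    want = normalize_dn(user_dn)
    values = [v for a in member_attrs for v in DIRECTORY[group_dn].get(a, [])]
    return any(normalize_dn(v) == want for v in values)

def user_claims_group(user_dn, group_dn):
    """The opposite direction, which the .Net memberOf query tested; it can say yes
    while the group's member attribute still does not list the user."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(g) == want for g in DIRECTORY[user_dn].get("memberOf", []))

def naive_is_member(user_dn, group_dn):
    """Assumed flawed matcher (not WMB's code): splitting on every comma leaves the
    ' MyFirstName' fragment without '=', so an escaped-comma DN can never match."""
    def comps(dn):
        pairs = [p.strip().split("=", 1) for p in dn.split(",")]
        if any(len(p) != 2 for p in pairs):
            return None
        return [(t.lower(), v) for t, v in pairs]
    want = comps(user_dn)
    return want is not None and any(comps(m) == want for m in DIRECTORY[group_dn]["member"])
```

Run group_lists_user and user_claims_group side by side for a user that fails authorization: a yes from only the second one is the memberOf-versus-member discrepancy the thread ran into, and no security profile setting changes it.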
liminzhang
Posted: Fri Oct 03, 2014 2:15 pm
Novice. Joined: 29 Sep 2014. Posts: 11
Update: I got one user satisfying the two conditions in my previous message. I tested with it and the authorization succeeded.