| Author |
Message
|
| SN_IIB |
 Posted: Wed Oct 08, 2014 11:27 pm Post subject: Implement Basic authentication for Incoming SOAP Requests |
 |
|
Novice
Joined: 20 Jul 2014
Posts: 10
|
Dear Experts,
I would like to implement basic authentication for the incoming soap requests in IIB. I read various product documents and knowledge centre document but could not clearly get how to implement.
Please can you advice or point to step by step guide?
Thank you.
Last edited by SN_IIB on Wed Feb 04, 2015 2:22 am; edited 1 time in total |
|
| Back to top |
|
 |
| Vitor |
| Posted: Thu Oct 09, 2014 7:15 am Post subject: Re: Implement Basic authentication for Incoming SOAP Request |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| SN_IIB wrote: |
| Please can you advice or point to step by step guide? |
The InfoCenter. Seriously. You configure the node to check user id & password, and configure broker to check them against whatever you validate with.
Which part of that documentation didn't you understand? Post specific questions, you'll get specific answers.
Or have a try and post what went wrong. This will guide our responses in this fairly broad subject.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| SN_IIB |
| Posted: Tue Oct 14, 2014 11:25 pm Post subject: |
|
|
Novice
Joined: 20 Jul 2014
Posts: 10
|
Thank you Vitor.
So far what I have done to configure Basis authentication which is simple userid-password based authentication for soap input node:
In IBM Websphere MQ Explorer -> Integration Node -> Broker -> Properites -> Security and Policy -> Policy Set
1. I created the policy
2. In Policy WS Security, I created a USername authentication token.
In policy set binding
1. I created a policy set pointing to the policy I created above.
What I am looking for:
So far, I could not find any option to provide userid and password against which authentication check should be made.
I understand, after configure this userid-password, I need to configure the policy and policy set created above in the soap input node in the message flow.
Please can you validate my config steps and tell me how to configure userid-password. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 15, 2014 5:05 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
You can manually set fields in the Identity tree in Properties.
You can create a security id using mqsisetdbparms that is associated with the security policy by name. At least in v8 and later. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Oct 15, 2014 5:42 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| SN_IIB wrote: |
| So far, I could not find any option to provide userid and password against which authentication check should be made. |
You shouldn't be providing this for a SOAPInput node. The user id & password / SAML token / other identifying credentials are provided by the guy making the call. It's pointless (from a security perspective) to check all incoming requests against credentials that you are supplying - this means every request, irrespective of source, gets a valid user id and password.
So what you need to configure is where in the inbound message broker needs to look for this information; by default it's in the relevant part of the WS-Security header. That will then be checked against whatever security system (LDAP) broker is configured to use.
| SN_IIB wrote: |
| Please can you validate my config steps and tell me how to configure userid-password. |
- Your steps are wrong
- You only configure (set) a user id and password if you're using a SOAPRequest (not SOAPInput) node to call out of broker to a web service. In that use case broker can propagate the user id from an inbound message or (as my most worthy associate correctly points out) obtain them from code or a static id.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| SN_IIB |
| Posted: Wed Oct 15, 2014 10:39 pm Post subject: |
|
|
Novice
Joined: 20 Jul 2014
Posts: 10
|
Thanks again Vitor.
I understand what you suggested is using web service username token inside SOAP Header.
But my requirement is, the incoming request to IIB would have basic authentication details in the HTTP header.
We know that SOAP message [I mean envelope] resides inside a HTTP body.
Do we have a way to verify this basic authentication credentials in the HTTP header for incoming SOAP requests.
Please note that, for outgoing requests, I used a HTTP header node before the SOAP Request node and provided the basic authentication details [that would be verified at target system] in the HTTP header node. Currently I have hard coded them in the http header node in each message flow but I am looking for a way to configure it once at broker level. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Oct 15, 2014 10:54 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY
|
| SN_IIB wrote: |
Thanks again Vitor.
I understand what you suggested is using web service username token inside SOAP Header.
But my requirement is, the incoming request to IIB would have basic authentication details in the HTTP header.
We know that SOAP message [I mean envelope] resides inside a HTTP body.
Do we have a way to verify this basic authentication credentials in the HTTP header for incoming SOAP requests.
Please note that, for outgoing requests, I used a HTTP header node before the SOAP Request node and provided the basic authentication details [that would be verified at target system] in the HTTP header node. Currently I have hard coded them in the http header node in each message flow but I am looking for a way to configure it once at broker level. |
You're on the right track. Use a policy that propagates the credentials. Then in the flow use first a PEP node to check / validate the credentials.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Oct 16, 2014 5:07 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| fjb_saper wrote: |
| You're on the right track. Use a policy that propagates the credentials. Then in the flow use first a PEP node to check / validate the credentials. |
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
|
|
