WS Security with Security profile to gain a token
Marc456
Posted: Tue Nov 22, 2016 8:29 am    Post subject: WS Security with Security profile to gain a token

Newbie

Joined: 11 May 2016
Posts: 8

Hi all,

The following issue has been driving me nuts for several days already. I tried a lot, and I will spare you all those details; however, I can understand that those might be useful later in the discussion if needed.
Bottom line is: I need to connect to an STS server with username and password to gain a token, following the WS-Trust 1.3 protocol.
This is all in IBM Integration Bus v9.

Therefore I created a Security profile in the explorer, restarted the integration server, and created a bar file, on which I connected the http input node with the same security profile. The username and password are given on the basic auth of the browser, when calling the webservice from a browser.

However, in debug I keep getting:
Code:
Number:INTEGER:2725
Text:CHARACTER:Caught configuration exception, logged. Throwing new recoverable exception.


In the trace I get the following:
Code:
UserTrace   BIP3634I: Node 'WS-Trust v1.3 STS' received HTTP data from host '<serverX>' with status code of 415.
The broker has received data via HTTP from a remote server at host '<ServerX>' with an HTTP status code of 415. Status codes beginning with a 2 indicate success; others imply errors in either client or server.
No action required.
Warning     BIP2724W: A configuration exception was caught during security processing of flow ''JoepieDePoepie_MsgFlow'' using security profile ''<SecurityProfile>''.


Ok - when focussing on this, the http 415 request gives me this info:
Unsupported Media Type

But I don't get that: Isn't the broker 'under water' not giving this as a SOAP/XML request to the STS server (with its WS headers)?

Thanks in advance, love to tell you more in detail, which I can do if requested, but for readability reasons I have done it this way.

Cheers!
mqjeff
Posted: Tue Nov 22, 2016 8:52 am    Post subject: Re: WS Security with Security profile to gain a token

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Marc456 wrote:
Code:
Warning     BIP2724W: A configuration exception was caught during security processing of flow ''JoepieDePoepie_MsgFlow'' using security profile ''<SecurityProfile>''.


This says that your Security Profile is misconfigured, or not applied, or etc.

An issue with "unsupported media type" could be that you are sending a message tree with either no parser attached, or the wrong one (JSON for example or BLOB)

But fix your security profile issue first.
_________________
chmod -R ugo-wx /
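
A way to check the 415 independently of the broker (an added example, not part of the thread and not IBM code): it posts a minimal WS-Trust 1.3 Issue request with a UsernameToken to the STS under both SOAP bindings and records the HTTP status for each. The function names are hypothetical, and the minimal request body is an assumption; a given STS may require further elements and answer with a SOAP fault instead.

```python
import urllib.error
import urllib.request
from xml.sax.saxutils import escape

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")
WSA = "http://www.w3.org/2005/08/addressing"
ACTION = WST + "/RST/Issue"
SOAP_NS = {"1.1": "http://schemas.xmlsoap.org/soap/envelope/",
           "1.2": "http://www.w3.org/2003/05/soap-envelope"}

def build_rst(sts_url, user, password, soap="1.2"):
    """Return (headers, body) for a minimal WS-Trust 1.3 Issue request."""
    body = (
        f'<s:Envelope xmlns:s="{SOAP_NS[soap]}" xmlns:a="{WSA}" '
        f'xmlns:o="{WSSE}" xmlns:t="{WST}"><s:Header>'
        f'<a:Action>{ACTION}</a:Action><a:To>{escape(sts_url)}</a:To>'
        f'<o:Security><o:UsernameToken><o:Username>{escape(user)}</o:Username>'
        f'<o:Password Type="{PW_TEXT}">{escape(password)}</o:Password>'
        f'</o:UsernameToken></o:Security></s:Header><s:Body>'
        f'<t:RequestSecurityToken><t:RequestType>{WST}/Issue</t:RequestType>'
        f'</t:RequestSecurityToken></s:Body></s:Envelope>'
    ).encode("utf-8")
    if soap == "1.1":  # SOAP 1.1: text/xml plus a separate SOAPAction header
        headers = {"Content-Type": "text/xml; charset=utf-8",
                   "SOAPAction": f'"{ACTION}"'}
    else:              # SOAP 1.2: the action is a parameter of the media type
        headers = {"Content-Type":
                   f'application/soap+xml; charset=utf-8; action="{ACTION}"'}
    return headers, body

def probe(sts_url, user, password):
    """POST the request under both bindings; return {soap_version: status}."""
    result = {}
    for soap in SOAP_NS:
        headers, body = build_rst(sts_url, user, password, soap)
        req = urllib.request.Request(sts_url, data=body, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                result[soap] = resp.status
        except urllib.error.HTTPError as err:  # 415, 500 (SOAP fault), ...
            result[soap] = err.code
    return result
```

A 415 for one binding and any other status for the other shows which Content-Type the STS accepts. Call `probe` with an https URL only, since the password travels as PasswordText.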
Marc456
Posted: Tue Nov 22, 2016 10:18 am

Newbie

Joined: 11 May 2016
Posts: 8

Thanks mqjeff - Much appreciated you replied so quickly!

I have followed these rules to create a security profile:
http://www.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bp28010_.htm

Based on that information I created a profile in the explorer:


But I also already tried to create one on AIX:
mqsicreateconfigurableservice $Broker -c SecurityProfiles -o MatrixSTS \
-n authentication,mapping,authorization,propagation,authenticationConfig,authorizationConfig,mappingConfig,idToPropagateToTransport,transportPropagationConfig \
-v "WS-Trust v1.3 STS","WS-Trust v1.3 STS","WS-Trust v1.3 STS",TRUE,$STS,$STS,$STS,"STATIC ID",MatrixSTS_Cred

(where $STS is the url)


After each change on this profile, I restarted the (entire) broker to make this profile active (I think it's only a restart of the integration server, but just to be sure).

Is there some kind of 'make this profile active' option?
NOTE -> I did not see this security profile in the drop-down list when creating the bar file. Therefore I just typed it in. The bar is deployed (where it won't deploy when a security profile is used which is not known by the integration server).
fjb_saper
Posted: Tue Nov 22, 2016 11:35 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Your profile doesn't seem to be configured right. In particular the LDAP host as localhost is bad.
_________________
MQ & Broker admin
Marc456
Posted: Tue Nov 22, 2016 11:40 am

Newbie

Joined: 11 May 2016
Posts: 8

fjb_saper wrote:
Your profile doesn't seem to be configured right. In particular the LDAP host as localhost is bad.

Hi fjb_saper!

Those fields are greyed out automatically when selecting WS-Trust fields. When selecting LDAP (in those fields, which are pull-down menus), those LDAP fields underneath can be configured.

OR - Maybe I am wrong, and this is the golden egg
Marc456
Posted: Tue Nov 22, 2016 7:13 pm

Newbie

Joined: 11 May 2016
Posts: 8

Meanwhile I am thinking: is this the right way? Yes, I have seen this methodology on the IBM site (and that it should store the identity in the local environment settings) but I also see the usage of the PEP.
Can someone confirm that setting a security profile on the 'http input node' should give me a token from an STS with WS-Trust?
Is it sending a SOAP request automatically based on the standards?
fjb_saper
Posted: Wed Nov 23, 2016 5:24 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Marc456 wrote:
Meanwhile I am thinking: is this the right way? Yes, I have seen this methodology on the IBM site (and that it should store the identity in the local environment settings) but I also see the usage of the PEP.
Can someone confirm that setting a security profile on the 'http input node' should give me a token from an STS with WS-Trust?
Is it sending a SOAP request automatically based on the standards?

Sounds about right

Looking at your config, you have
  • Authentication
  • Mapping
  • Authorization


Are you sure that those 3 functions have the exact same URL on your STS server? Because it looks like that's what you configured...


_________________
MQ & Broker admin
Marc456
Posted: Thu Nov 24, 2016 3:04 am

Newbie

Joined: 11 May 2016
Posts: 8

fjb_saper wrote:
Marc456 wrote:
Meanwhile I am thinking: is this the right way? Yes, I have seen this methodology on the IBM site (and that it should store the identity in the local environment settings) but I also see the usage of the PEP.
Can someone confirm that setting a security profile on the 'http input node' should give me a token from an STS with WS-Trust?
Is it sending a SOAP request automatically based on the standards?

Sounds about right

Looking at your config, you have
  • Authentication
  • Mapping
  • Authorization


Are you sure that those 3 functions have the exact same URL on your STS server? Because it looks like that's what you configured...


Hi!
Yeah, from what they have told me, it is all that same address (for those 3 configuration items).
Although I officially should use the mapping one, as it is only to map a username and password to a token. The other 2 are (but PLEASE correct me if I am wrong) not needed.
I thought I had read this as well in some IBM manual.

Still stuck though