Partha.Baidya (Voyager; Joined: 05 Nov 2009; Posts: 97)
Posted: Fri Jan 12, 2018 10:31 am    Post subject: WS-Security using Username & Password, IIB as Provider
We are trying to configure WS-Security using a Username & Password token for a Provider flow hosted in IIB.
What values should we pass in for authentication, propagation and authenticationConfig in the mqsicreateconfigurableservice command when using Username Token based authentication?
Code:
mqsicreateconfigurableservice IB10NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE
In the IIB infocentre there is documentation for LDAP, WS-Trust V1.3 & TFIM, but no examples are given for a basic case like only a Username Token.
martinb (Master; Joined: 09 Nov 2006; Posts: 210; Location: UK)
Posted: Mon Jan 15, 2018 3:49 am    Post subject:
Hi
The question you need to answer first is "how is the username and password going to be validated?"
The "Policy set and bindings" set on the SOAPInput node will require that input requests have a WS-Security header providing username and password.
The "SecurityProfile" set on the SOAPInput node is used to configure what is done with the username and password credentials.
Often an LDAP server is used to authenticate that these credentials are valid - hence you'd set authentication to "LDAP" and set up the relevant authenticationConfig.
HTH
Partha.Baidya (Voyager; Joined: 05 Nov 2009; Posts: 97)
Posted: Mon Jan 15, 2018 8:45 am    Post subject:
We will store the user ID & password in a Database and validate from there instead of LDAP.
Request messages will send username and password in the wsse Header.
martinb (Master; Joined: 09 Nov 2006; Posts: 210; Location: UK)
Posted: Mon Jan 15, 2018 1:31 pm    Post subject:
Quote:
We will store the user ID & password in a Database and validate from there instead of LDAP.
From this I take it you're doing your own authentication within the flow logic, i.e. a Compute node.
In this case I would
- Have the SOAP Input node set with Policy set and Bindings to set WSSE username and password
- Have the SOAP Input node set with the "Default Propagation" Security profile. The Default Propagation profile is a predefined profile that requests only identity propagation. (It has authentication = 'NONE', authenticationConfig = '' and propagation = 'TRUE')
This will ensure the input SOAP request has a username token WSSE header, and the username and password will be extracted to the Properties tree fields 'IdentitySourceToken' and 'IdentitySourcePassword', so you can have your Compute node validate them against your DB.
Partha.Baidya (Voyager; Joined: 05 Nov 2009; Posts: 97)
Posted: Mon Jan 15, 2018 5:48 pm    Post subject:
@martinb
Once I set Default Policy Set, Default Bindings & Default Propagation, I am getting the Username & Password in the Properties tree. But I am not getting the Nonce and creation time.
Is there any way to get the Nonce & Creation time too from the Properties tree?
My requirement is to calculate the password digest from Nonce, Creation Time & the DB stored password and compare the result with the Request Password digest. I am using Java code to create the digest.
martinb (Master; Joined: 09 Nov 2006; Posts: 210; Location: UK)
Posted: Tue Jan 16, 2018 1:24 am    Post subject:
Hi,
The SOAP WSSE UsernameToken Header Nonce and Created fields are not provided in the Properties tree.
You should be able to access these from the SOAP domain message tree in the "Header" folder.
Partha.Baidya (Voyager; Joined: 05 Nov 2009; Posts: 97)
Posted: Tue Jan 16, 2018 9:40 am    Post subject:
When I am using Default Policy Set, Default Bindings & Default Propagation I am not getting the Nonce & Creation Time in the SOAP Header, not even in the Local Environment.
Is there any other way to get the Nonce & Creation Time while using a Policy Set?
Code:
<Message>
  <Properties>
    <IdentitySourceType>
    <IdentitySourceToken>
    <IdentitySourcePassword>
    <IdentitySourceIssuedBy>:CHARACTER:SOAP_WS_SECURITY
    <IdentityMappedType>:CHARACTER:
    <IdentityMappedToken>:CHARACTER:
    <IdentityMappedPassword>:CHARACTER:
    <IdentityMappedIssuedBy>:CHARACTER:
  <SOAP>
    <Header>
    <Body>
  </SOAP>
  <LocalEnvironment>
    <SOAP>
      <Input>
        <Transport>
          <HTTP>
        </Transport>
        <WSS>
          <Identities>
            <usernameAndPassword>
              <username>
              <password>
            </usernameAndPassword>
          </Identities>
        </WSS>
      </Input>
    </SOAP>
martinb (Master; Joined: 09 Nov 2006; Posts: 210; Location: UK)
Posted: Wed Jan 17, 2018 1:56 am    Post subject:
Hi
Quote:
When I am using Default Policy Set, Default Bindings & Default Propagation I am not getting Nonce & Creation Time in SOAP Header
Sorry, yes of course - if you have the IIB SOAP nodes configured with Policy Set and Bindings, you are telling it to deal with the relevant wsse:Security SOAP header, so it will, and in doing so "remove" it from the message tree propagated from the SOAP Input node.
In your case
Quote:
My requirement is to calculate password digest from Nonce, Creation Time & DB stored password and compare the result with Request Password digest. I am using java code to create digest.
You need to have the whole wsse:Security SOAP header, so you need to configure your SOAP Input node to just leave it and propagate it on.
So you would need to not set any Policy Set and Bindings, or Security Profile, on the SOAP Input.
This means the SOAP Input will not impose any WS-Security, so messages with or without a WSSE username header will be passed into the message flow.
Your logic that validates the password digest will also have to reject the SOAP input message if the WSSE username header, or any part of it, is not present and correct in the SOAP domain message Header.
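The digest check that Partha.Baidya describes and that martinb's reply says must also reject incomplete headers, as an added example that is not from this thread or from IIB (written in Python; the same arithmetic goes in the JavaCompute node reading the SOAP domain Header folder). The UsernameToken Profile defines PasswordDigest = Base64(SHA-1(nonce + created + password)) with the nonce base64-decoded first; the password store and token values below are constructed, and the freshness window and nonce cache are the standard replay controls, not something the thread configures.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

# wsu:Created formats accepted (with or without fractional seconds).
_CREATED_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")

def parse_created(created):
    """Parse a wsu:Created UTC timestamp; None if malformed."""
    for fmt in _CREATED_FORMATS:
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password)),
    where nonce is the raw bytes behind the base64 wsse:Nonce value."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

class UsernameTokenValidator:
    """Checks a PasswordDigest token. `passwords` (username -> password) is a
    constructed stand-in for the DB lookup in the thread; the digest can only
    be recomputed if the original password is available on the server side."""
    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self._passwords = passwords
        self._max_skew = max_skew
        self._seen_nonces = set()  # replay cache; bound/expire it in production

    def validate(self, username, nonce_b64, created, digest, now=None):
        """True only if every part of the token is present and correct."""
        if not (username and nonce_b64 and created and digest):
            return False  # header missing or incomplete: reject, don't skip
        created_at = parse_created(created)
        now_at = parse_created(now) if now else datetime.now(timezone.utc)
        if not created_at or not now_at or abs(now_at - created_at) > self._max_skew:
            return False  # malformed or stale timestamp
        if nonce_b64 in self._seen_nonces:
            return False  # replayed token
        stored = self._passwords.get(username)
        try:
            expected = password_digest(nonce_b64, created, stored or "")
        except ValueError:
            return False  # nonce is not valid base64
        if stored is None or not hmac.compare_digest(expected, digest):
            return False
        self._seen_nonces.add(nonce_b64)
        return True
```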
Partha.Baidya (Voyager; Joined: 05 Nov 2009; Posts: 97)
Posted: Wed Jan 17, 2018 8:19 am    Post subject:
Hi martinb,
Thanks for your recommendation. Now it is very clear how the broker handles the security headers, and we are able to use the WSS header accordingly by writing custom Java code to calculate the password digest from the nonce, creation time & password stored in the DB.
Our requirement has changed from storing the password in a Database to using an external security provider, Microsoft Active Directory as LDAP.
I have a doubt whether LDAP will support a password digest instead of a clear text password.
Could you please let me know if this is possible?
PankajKr (Newbie; Joined: 06 Nov 2019; Posts: 4)
Posted: Fri Nov 08, 2019 12:17 am    Post subject: Re: WS-Security using Username & Password, IIB as Provid
I have a similar requirement but am unable to achieve it, as I am getting the following error when trying to run the following command:
mqsicreateconfigurableservice ACE_NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE
BIP1042I: Command deprecated, please use policy projects instead.
I am using ACE v11 as the IIB version.
Partha.Baidya wrote:
We are trying to configure WS-Security using Username & Password token for a Provide flow hosted in IIB.
What value should we pass in for authentication, propagation, authenticationConfig in mqsicreateconfigurableservice command while using Username tokens based authentication?
Code:
mqsicreateconfigurableservice IB10NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE
In IIB infocentre the is documentation for LDAP, WS-Trust V1.3 & TFIM but no examples given if we use a basic one like only Username Token.
abhi_thri (Knight; Joined: 17 Jul 2017; Posts: 516; Location: UK)
Posted: Fri Nov 08, 2019 5:08 am    Post subject: Re: WS-Security using Username & Password, IIB as Provid
PankajKr wrote:
I have a similar requirement but unable to achieve as I am getting following error while trying to run following command:
mqsicreateconfigurableservice ACE_NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE
BIP1042I: Command deprecated, please use policy projects instead.
I am using ACE v11 as IIB version
Hi... that is expected, as ACE uses policies instead of configurable services:
https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/bh19400_.htm#bh19400___policies
Quote:
At earlier releases, configurable services allow you to control and update connection properties and other operational properties of message flows and message flow nodes at run time. In IBM App Connect Enterprise Version 11.0, policies perform this administrative role.
PankajKr (Newbie; Joined: 06 Nov 2019; Posts: 4)
Posted: Sat Nov 09, 2019 7:11 pm    Post subject:
Do we have any supporting documents for implementing the same in ACE v11.0?
abhi_thri (Knight; Joined: 17 Jul 2017; Posts: 516; Location: UK)
Posted: Mon Nov 11, 2019 1:17 am    Post subject:
PankajKr (Newbie; Joined: 06 Nov 2019; Posts: 4)
Posted: Thu Nov 14, 2019 6:16 am    Post subject:
Thank you Partisan for your comment.
I was able to propagate the UserName and Password to my message flow, and there I am cross-checking the entry with the credentials stored in the DB.
I will mention the steps taken so that they are helpful to other users:
ACE version: 11.0.0.5
1) I created a BAR file of my Integration Service project by following these steps:
Right click on Integration Service -> New -> Bar File
2) Provide the Container Name (the Folder Name can be left empty) and provide the .bar file name.
3) Click on Finish and this will open the BAR File window.
4) Select the "Application, shared libraries, services and REST API" radio button and under Services select your Integration Service project.
5) Click on the Build and Save button.
6) Then click on the Manage tab and you can see the project which you selected in the above steps.
7) Expand Resources and the Message Map until you see the SOAP Input node (in my case) and click on it.
8) This will open the Configure window; scroll down to Security Profile and select 'Default Propagation'.
9) Save the project and deploy it to your target server.
10) The above steps will propagate the UserName and Password to the message Properties under Root.Properties.IdentitySourceUserName and Root.Properties.IdentitySourcePassword.
Now you can play around with the provided credentials in order to authenticate the user.