MQSeries.net Forum Index :: WebSphere Message Broker Support
WS-Security using Username & Password, IIB as Provider View previous topic :: View next topic
Partha.Baidya
PostPosted: Fri Jan 12, 2018 10:31 am Post subject: WS-Security using Username & Password, IIB as Provider

Voyager

Joined: 05 Nov 2009
Posts: 92

We are trying to configure WS-Security using Username & Password token for a Provider flow hosted in IIB.
What value should we pass in for authentication, propagation, authenticationConfig in mqsicreateconfigurableservice command while using Username tokens based authentication?

Code:
mqsicreateconfigurableservice IB10NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE


In the IIB infocentre there is documentation for LDAP, WS-Trust V1.3 & TFIM, but no examples are given if we use a basic one like only Username Token.
martinb
PostPosted: Mon Jan 15, 2018 3:49 am Post subject:

Disciple

Joined: 09 Nov 2006
Posts: 191
Location: UK

Hi

The question you need to answer first is "how is the username and password going to be validated?"

The "Policy set and bindings" set on the SOAPInput node will require that input requests have a WS-Security header providing username and password.

The "SecurityProfile" set on the SOAPInput node is used to configure what is done with the username and password credentials.

Often an LDAP server is used to authenticate that these credentials are valid, hence you'd set authentication to "LDAP" and set up the relevant authenticationConfig.

HTH
Partha.Baidya
PostPosted: Mon Jan 15, 2018 8:45 am Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 92

We will store the user ID & password in a Database and validate from there instead of LDAP.
Request messages will send the username and password in the wsse header.
martinb
PostPosted: Mon Jan 15, 2018 1:31 pm Post subject:

Disciple

Joined: 09 Nov 2006
Posts: 191
Location: UK

Quote:
We will store the user ID & password in a Database and validate from there instead of LDAP.

From this I take it you're doing your own authentication within the flow logic, i.e. a Compute node.

In this case I would

- Have the SOAP Input node set with Policy set and Bindings to set WSSE username and password
- Have the SOAP Input node set with the "Default Propagation" Security profile. The Default Propagation profile is a predefined profile that requests only identity propagation. (It has authentication = 'NONE', authenticationConfig = '' and propagation = 'TRUE')


This will ensure the input SOAP request has a username token WSSE header, and the username and password will be extracted to the Properties tree fields 'IdentitySourceToken' and 'IdentitySourcePassword', so you can have your Compute node validate them against your DB.
Partha.Baidya
PostPosted: Mon Jan 15, 2018 5:48 pm Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 92

@martinb
Once I set Default Policy Set, Default Bindings & Default Propagation, I am getting the Username & Password in the Properties tree. But I am not getting the Nonce and creation time.
Is there any way to get the Nonce & Creation time too from the Properties tree?
My requirement is to calculate the password digest from Nonce, Creation Time & the DB stored password and compare the result with the request password digest. I am using Java code to create the digest.
martinb
PostPosted: Tue Jan 16, 2018 1:24 am Post subject:

Disciple

Joined: 09 Nov 2006
Posts: 191
Location: UK

Hi,

The SOAP WSSE UsernameToken Header Nonce and Created fields are not provided in the Properties tree.

You should be able to access these from the SOAP domain message tree in the "Header" folder.
Partha.Baidya
PostPosted: Tue Jan 16, 2018 9:40 am Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 92

When I am using Default Policy Set, Default Bindings & Default Propagation I am not getting Nonce & Creation Time in the SOAP Header, and not in the Local Environment either.

Is there any other way to get Nonce & Creation Time while using Policy Set?
Code:

<Message>
  <Properties>
    <IdentitySourceType>
    <IdentitySourceToken>
    <IdentitySourcePassword>
    <IdentitySourceIssuedBy>:CHARACTER:SOAP_WS_SECURITY
    <IdentityMappedType>:CHARACTER:
    <IdentityMappedToken>:CHARACTER:
    <IdentityMappedPassword>:CHARACTER:
    <IdentityMappedIssuedBy>:CHARACTER:
  <SOAP>
    <Header>
    <Body>
  </SOAP>
<LocalEnvironment>
  <SOAP>
    <Input>
      <Transport>
        <HTTP>
      </Transport>
      <WSS>
        <Identities>
          <usernameAndPassword>
            <username>
            <password>
          </usernameAndPassword>
        </Identities>
      </WSS>
    </Input>
  </SOAP>
martinb
PostPosted: Wed Jan 17, 2018 1:56 am Post subject:

Disciple

Joined: 09 Nov 2006
Posts: 191
Location: UK

Hi

Quote:
When I am using Default Policy Set, Default Bindings & Default Propagation I am not getting Nonce & Creation Time in SOAP Header

Sorry, yes of course - if you have the IIB SOAP nodes configured with Policy Set and Bindings, you are telling it to deal with the relevant wsse:Security SOAP header, so it will, and in doing so "remove" it from the message tree propagated from the SOAP Input node.

In your case

Quote:
My requirement is to calculate password digest from Nonce, Creation Time & DB stored password and compare the result with Request Password digest. I am using java code to create digest.

you're needing to have the whole wsse:Security SOAP header, so you need to configure your SOAP Input node to just leave it and propagate it on.

So you would need to not set any Policy Set and Bindings, or Security Profile on the SOAP Input.

This means the SOAP Input will not impose any WS-Security, so messages with or without a WSSE username header will be passed into the message flow.

Your logic which is going to validate the password digest will have to also reject the SOAP input message if the WSSE username header, or any part of it is not present and correct in the SOAP domain message Header.
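An added example, not code from this thread or from IBM: a Python stand-in for the Java digest check martinb describes, run over a constructed SOAP envelope. It goes slightly beyond the posts by also rejecting stale and replayed tokens; the STORED_PASSWORDS table, the helper names and the 5-minute window are assumptions.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed stand-in for the DB lookup the thread describes (assumption).
STORED_PASSWORDS = {"partha": "s3cret-example"}

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def created_now():
    """wsu:Created timestamp for the current UTC second."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_envelope(user, nonce_b64, created, digest):
    """Constructed request carrying a UsernameToken with PasswordDigest."""
    return (f'<s:Envelope xmlns:s="{SOAP[1:-1]}"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}">'
            f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')

def validate_username_token(envelope_xml, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    """True only if every header part is present, fresh, unreplayed and the digest matches."""
    now = now or datetime.now(timezone.utc)
    tok = ET.fromstring(envelope_xml).find(
        f"{SOAP}Header/{WSSE}Security/{WSSE}UsernameToken")
    if tok is None:
        return False                        # no wsse:Security header at all
    parts = {n: tok.findtext(ns + n) for ns, n in
             ((WSSE, "Username"), (WSSE, "Password"),
              (WSSE, "Nonce"), (WSU, "Created"))}
    if not all(parts.values()) or tok.find(WSSE + "Password").get("Type") != DIGEST_TYPE:
        return False                        # partial header, or clear-text password
    created = datetime.fromisoformat(parts["Created"].replace("Z", "+00:00"))
    if abs(now - created) > max_age or parts["Nonce"] in seen_nonces:
        return False                        # stale or replayed token
    stored = STORED_PASSWORDS.get(parts["Username"])
    expected = password_digest(parts["Nonce"], parts["Created"], stored or "")
    if stored is None or not hmac.compare_digest(expected, parts["Password"]):
        return False                        # unknown user or digest mismatch
    seen_nonces.add(parts["Nonce"])
    return True
```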
Partha.Baidya
PostPosted: Wed Jan 17, 2018 8:19 am Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 92

Hi martinb,

Thanks for your recommendation, now it is very clear how broker handles the security headers, and I am able to use the WSS header accordingly by writing custom Java code to calculate the password digest from nonce, creation time & the password stored in the DB.

Our requirement has changed from storing the password in a Database to using an external security provider, Microsoft Active Directory, as LDAP.
I have a doubt whether LDAP will support a password digest instead of a clear text password.
Could you please let me know if this is possible?