Secure broker hosted web services using Kerberos

prasadpav
Posted: Wed Sep 25, 2019 8:57 am    Post subject: Secure broker hosted web services using Kerberos
We have our broker (10.0.0.13) running on Linux and KDC is Windows Active Directory. I want to secure web services (created using HTTPInput nodes) that are hosted by the broker i.e. authenticate the users using Kerberos and also authorise them in the next step. The setup which I've done is not working and I'm at a loss because I'm not seeing any error messages or any useful information for troubleshooting other than the HTTP 500 Internal server error for the requests to the web service which I wanted to secure.

Here's what I've done so far and hope someone could point out where it is going wrong:

1) Changed the execution group to use the embedded HTTP listener and changed the property "integratedWindowsAuthentication='Negotiate:Kerberos'"
2) Created the Kerberos keytab file using the following command:

Code:
ktutil:  add_entry -password -p z_iibkrb@sample.com -k 1 -e aes256-cts-hmac-sha1-96


3) Configured BrokerRegistry to set both the kerberos config file and the keytab file

Code:
  brokerKerberosConfigFile='/etc/krb5.conf'
  brokerKerberosKeytabFile='/var/mqsi/kerberos/conf/dv1mqm_krb5.keytab'

4) Created the following security profile for authenticating the users calling the broker-hosted service

Code:
  IWA_LDAP_Authenticate
    authentication='LDAP'
    authenticationConfig='ldap://samp0001.sample.com:389/OU=Users,OU=UK,DC=sample,DC=com?cn?base'
    authorization='NONE'
    authorizationConfig=''
    idToPropagateToTransport='Message ID'
    keyStore='Reserved for future use'
    mapping='NONE'
    mappingConfig=''
    passwordValue='PLAIN'
    propagation='FALSE'
    rejectBlankpassword='FALSE'
    transportPropagationConfig=''
    trustStore='Reserved for future use'

5) Deployed the message flow with the Security profile set to "IWA_LDAP_Authenticate"
6) Restarted the broker and then tested it.

The following error information is available from the service trace:

Quote:
2019-09-25 17:08:35.179820 6634 com.ibm.broker.inlinehttp.tomcatthreadpool.TomcatInstanceManager$AdapterClass@2882d306.authenticate Request 'Got socket field'
2019-09-25 17:08:35.180036 6634 { TomcatInstanceManager.authorizeUserGSS , 'fd:317 lastuse:1569427715177 SSL:false NTLM:false Negotiate:true Kerberos Only:true Persistent:true'

2019-09-25 17:08:35.180288 6634 JavaRootLogger: org.apache.coyote.http11.AbstractHttp11Processor.process file:/build/slot3/S1000_P/src/DataFlowEngine/NativeTrace/ImbNativeTrace.cpp line:170 message:3484.BIPmsgs 'MbWXSLogHandler:SEVERE' , 'Error processing request'
2019-09-25 17:08:35.180288 6634 UserTrace BIP3484E: ''Error processing request''
An embedded component has written the 'SEVERE' level diagnostic message included here.
Refer to the appropriate message in the embedded component's documentation.
2019-09-25 17:08:35.180304 6634 JavaRootLogger: org.apache.coyote.http11.AbstractHttp11Processor.process 'MbWXSLogHandler:SEVERE' , 'Error processing request'
2019-09-25 17:08:35.181212 6634 JavaRootLogger: org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process 'MbWXSLogHandler:FINE' , 'Socket: [org.apache.tomcat.util.net.SocketWrapper@3f765607:Socket[addr=/10.36.69.56,port=61896,localport=8070]], Status in: [OPEN_READ], State out: [CLOSED]'


One thing that seems confusing to me, or feels redundant, is the capturing of the LDAP server name in the security profile config when the LDAP server names are already available in the Kerberos config file.

Code:
authenticationConfig='ldap://samp0001.sample.com:389/OU=Users,OU=UK,DC=sample,DC=com?cn?base'


Many thanks in advance for going through this.
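The ktutil command in the first post pins kvno 1 for the account principal, and the SPNs that the acceptor must match live in AD. A check a practitioner would run before going further is to list what the keytab actually contains (principals, kvno, enctype) and compare it with the SPNs registered for the account and with the kvno AD reports for it (msDS-KeyVersionNumber). The parser below is an added example, not code from the thread, from IBM or from MQSeries.net; it reads the MIT keytab format that ktutil writes. The sample keytab is constructed in memory with dummy keys, and the realm name SAMPLE.COM (uppercase, as Kerberos realms usually are) is an assumption.

```python
"""Inspect a v2 MIT-format keytab and check it for the acceptor principals a
service expects.  Added example (not IBM/MQSeries.net code).  The sample
keytab below is constructed in memory: dummy keys, realm SAMPLE.COM assumed."""
import struct
import time
from dataclasses import dataclass

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "http/dev001.sample.com@SAMPLE.COM"
    kvno: int
    enctype: int
    timestamp: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed byte string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Walk every record; a negative record size marks a deleted slot (ktutil delete_entry)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                 # deleted slot: skip abs(size) bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen              # skip the key bytes themselves
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Write (principal, kvno, enctype, key_bytes) records; used here only to build the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_acceptor(entries, expected_spns, expected_kvno=None) -> dict:
    """For each SPN the service should accept, list the (kvno, enctype) entries present.
    The principal comparison is exact: the ticket's sname must match the keytab entry."""
    report = {}
    for spn in expected_spns:
        hits = [e for e in entries
                if e.principal == spn and (expected_kvno is None or e.kvno == expected_kvno)]
        report[spn] = [(e.kvno, e.enctype_name) for e in hits]
    return report


# Constructed sample: the account principal added with ktutil in the thread plus
# one HTTP SPN entry.  Keys are dummies; the realm is an assumption.
SAMPLE_KEYTAB = build_keytab([
    ("z_iibkrb@SAMPLE.COM", 1, 18, b"\x11" * 32),
    ("http/dev001.sample.com@SAMPLE.COM", 3, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print(f"{e.principal:40} kvno={e.kvno} {e.enctype_name}")
    # Compare with the SPNs the thread says were registered in AD, expecting kvno 3.
    print(check_acceptor(ents, ["http/dev001.sample.com@SAMPLE.COM", "http/dev001@SAMPLE.COM"], expected_kvno=3))
```

To run it on a real file, replace SAMPLE_KEYTAB with `open(path, "rb").read()`; an empty list for an expected SPN, or a kvno that differs from what AD reports for the account, is the kind of mismatch that shows up as a failed acceptor with little explanation in the service trace.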
rama91
Posted: Thu Sep 26, 2019 10:56 am

Hi,

I'm facing the exact same issue; not able to authenticate a client user using Kerberos. Please have a look at this thread.
http://www.mqseries.net/phpBB2/viewtopic.php?p=431825#431825


What is the Service Principal Name set for this user account? I tried generating a keytab using RC4-HMAC as suggested in guides. Is the broker service running under this user account?

Code:
ktutil:  add_entry -password -p z_iibkrb@sample.com -k 1 -e aes256-cts-hmac-sha1-96


How are you testing this broker service? Did you set the SPN as defined in this link?

https://www.ibm.com/support/knowledgecenter/en/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bp62015_.htm

prasadpav
Posted: Fri Sep 27, 2019 2:05 am

Quote:
How are you testing this broker service? Did you set the SPN as defined in this link?


Yes, I've configured the SPN for the AD user ID (z_iibkrb@sample.com) as follows:

Code:
http/dev001.sample.com:9070
http/dev001:9070


Quote:
What is the Service Principal Name set for this user account? I tried generating a keytab using RC4-HMAC as suggested in guides. Is the broker service running under this user account?


My broker is running on Linux under the local user ID dv1mqm. I then configured the broker to use the Kerberos keytab file, which has the user ID (z_iibkrb@sample.com) and its associated password, to connect to the AD for authenticating the clients.

My test setup has this chain:

Code:
postman --> Fiddler 4 --> Broker service


Since I've configured my EG to use "Negotiate: Kerberos", I was hoping that the broker service would start the Kerberos protocol handshake. I had Wireshark running to see whether any handshake at all was happening to request the client's key. But nothing is happening and it immediately throws the error captured in my system trace. And the error information is vague and doesn't help nor say what is causing the issue.

I found the broker documentation incomplete: some of the properties, such as brokerKerberosConfigFile and brokerKerberosKeytabFile for the BrokerRegistry object, are not mentioned.
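The trace line 'NTLM:false Negotiate:true Kerberos Only:true' says the listener will accept only a Kerberos mechanism. When a request does carry an Authorization: Negotiate header, the base64 token inside it shows which mechanism the client actually led with, and that is the first thing to read off a Wireshark or Fiddler capture of the Postman request. The decoder below is an added example, not code from the thread, from IBM or from MQSeries.net: it classifies a Negotiate header value as raw NTLMSSP, a SPNEGO NegTokenInit whose first mechType is Kerberos or NTLMSSP, or a bare Kerberos GSS token. The sample header values are constructed with the builder in the block; the Kerberos mechToken inside them is a dummy byte string, not a real AP-REQ.

```python
"""Classify what a client sent in an HTTP 'Authorization: Negotiate' header.
Added example (not IBM/MQSeries.net code).  Sample tokens are constructed;
the Kerberos mechToken is a dummy."""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5, MS_KRB5}


# --- minimal DER helpers; the encode side only builds the samples ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def _tlv(buf: bytes, off: int):
    """Return (tag, body, offset_after) for the DER element at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def _oid_str(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_negotiate(header_value: str) -> dict:
    """Return {"kind": ..., "mechs": [...]} for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):           # NTLM with no SPNEGO wrapper at all
        return {"kind": "raw-ntlm", "mechs": [NTLMSSP]}
    if not raw or raw[0] != 0x60:               # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _tlv(raw, 0)
    _, oid_body, off = _tlv(body, 0)            # thisMech OID
    this_mech = _oid_str(oid_body)
    if this_mech in KERBEROS_MECHS:
        return {"kind": "raw-kerberos", "mechs": [this_mech]}
    if this_mech != SPNEGO:
        return {"kind": "unknown-gss", "mechs": [this_mech]}
    tag, neg, _ = _tlv(body, off)
    if tag != 0xA0:                             # [1] NegTokenResp is not an initial token
        return {"kind": "spnego-response", "mechs": []}
    _, seq, _ = _tlv(neg, 0)                    # NegTokenInit ::= SEQUENCE { ... }
    mechs, o = [], 0
    while o < len(seq):
        ctag, cbody, o = _tlv(seq, o)
        if ctag == 0xA0:                        # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _tlv(cbody, 0)
            m = 0
            while m < len(lst):
                _, ob, m = _tlv(lst, m)
                mechs.append(_oid_str(ob))
    # The first mechType is the one the mechToken belongs to; a Kerberos-only
    # acceptor has nothing to do with a token that leads with NTLMSSP.
    kind = "spnego-kerberos" if mechs and mechs[0] in KERBEROS_MECHS else "spnego-ntlm"
    return {"kind": kind, "mechs": mechs}


def build_spnego_init(mech_oids, mech_token: bytes) -> str:
    """Construct a SPNEGO NegTokenInit as a Negotiate header value (sample input only)."""
    inner = _der(0xA0, _der(0x30, b"".join(_oid(m) for m in mech_oids)))
    inner += _der(0xA2, _der(0x04, mech_token))        # [2] mechToken
    token = _der(0x60, _oid(SPNEGO) + _der(0xA0, _der(0x30, inner)))
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: a client leading with Kerberos, one leading with NTLMSSP
# inside SPNEGO, and one sending bare NTLMSSP under the Negotiate scheme.
SAMPLE_KERBEROS = build_spnego_init([MS_KRB5, KRB5, NTLMSSP], b"\x00dummy-ap-req")
SAMPLE_NTLM = build_spnego_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos", SAMPLE_KERBEROS), ("ntlm", SAMPLE_NTLM), ("raw", SAMPLE_RAW_NTLM)]:
        print(name, classify_negotiate(hdr))
```

Feed it the header value copied from a capture; if the client never sends an Authorization header at all (the request fails on the very first round trip, as the trace above suggests), the problem is on the acceptor side before any token is examined, and the keytab and SPN checks are the place to look instead.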
rama91
Posted: Fri Oct 11, 2019 6:32 am

Prasadpav, did you manage to get the Kerberos authentication working? I raised a PMR and got a few answers from them. I believe these will be useful to you as well.

Quote:
Should the Service Principal Name be registered against the user ID on which the broker service is running?
IBM: No

Quote:
Do we need a security profile to be associated with the provider flow? I'm not looking to authorise the user against an LDAP group or to extract the identity and propagate it to downstream nodes.
IBM: No