MQSeries.net - WebSphere Message Broker (ACE) Support

SOLVED: Question on SecurityProfiles
paranoid221 (Centurion; joined 03 Apr 2006; posts: 101; location: USA)
Posted: Wed Oct 13, 2010 6:59 pm    Post subject: SOLVED: Question on SecurityProfiles
I have just started looking into implementing authN and authZ for web service calls coming into a broker flow built with SOAP nodes. I did go through the infocenter documentation about the config steps, but before I venture any further, I thought I would ask whether this even addresses what I'm trying to achieve. Let's assume the following simple webservice flow:

SOAPInput->Compute->SOAPReply

Clients calling this webservice flow on broker send basicauth credential string in the transport header of the message.
NOTE: There will not be any wsse headers in the message
My intention is to pick up this credential string, base64Decode it to get the user and pass and authenticate and authorize this user against LDAP. I create a security profile on the broker with all the required LDAP settings. The question I have here is:
1) Would creating a security profile serve the purpose?
2) If yes, is the process of getting the basicAuth string and stripping it down to its bare bones to get the user and pass taken care of automatically, provided I give the XPath expression as $Root/HTTPInputHeader/Authorization in the WS-Security settings on the SOAPInput node?
3) If no, what other options do I have without having to code the LDAP lookup myself?
4) Are Policy Sets and Bindings a must when you have to use a security profile, assuming all I want to do is authN and authZ with no requirements on message signing and encryption?
5) If you add the securityprofile on the soap input node, is it mandatory for the input message to carry a wsse header?

Thanks in advance for any insight into this.
_________________
LIFE is a series of complex calculations, somewhere multiplied by ZERO.


Last edited by paranoid221 on Fri Oct 15, 2010 2:16 pm; edited 1 time in total
paranoid221
Posted: Fri Oct 15, 2010 6:07 am
I took a shot at this thing last night and here is how far I got. Created the following simple MsgFlow:

SOAPInput -> Compute -> SoapReply

Created a security profile on the broker named B2E_LDAP with the following:
Authentication: LDAP
Authorization: LDAP
Propagation: FALSE
Password: PLAIN
Mapping: NONE
and added all the LDAP parameters as configured on our B2E LDAP server.

On the deployed BAR file, I added B2E_LDAP for the security profile property.
Ran mqsisetdbparms to register the LDAP server with the login credentials.
Ran a test by passing basicAuth credentials in the transport header. Here is what happened:
1) Broker bind to LDAP server successful
2) UserId in the basicAuth header was authenticated successfully
3) Authorization of the userId is unsuccessful. Service trace shows this:

Code:
ImbLdapSecurityProvider::authorize   $   Failed to perform security operation       MbLDAPSecurityProvider_authorize   r   <com.ibm.broker.plugin.MbSecurityException class:MbLDAPSecurityProvider method:authorize source:BIPv610 key:2703>   Frame : 0 com.ibm.broker.plugin.MbSecurityException: [BIPv610:2703]BIP2703W: The identity (type 'null', token 'MBUSER', issued by '') was not authorized by security provider 'ldap://b2eldap.xxxx.com:389' to access flow 'WS_SEC_POC_FLOW'.

If access is expected, check that the specified security provider has been configured to allow access to the given flow. : User is not in Broker authorization group

    @ : com.ibm.broker.securityProviders.MbLDAPSecurityProvider.throwMbSecurityException(MbLDAPSecurityProvider.java:781)

    @ : com.ibm.broker.securityProviders.MbLDAPSecurityProvider.authorize(MbLDAPSecurityProvider.java:619)


Is there anything I'm missing that would cause the authorization to fail? Please enlighten me if anyone has got this working.
paranoid221
Posted: Fri Oct 15, 2010 7:58 am
The biggest bummer for me is the following:

Code:
If access is expected, check that the specified security provider has been configured to allow access to the given flow. : User is not in Broker authorization group


Why does the id in the transport header of an incoming call have to be in a broker authorization group?
Last edited by paranoid221 on Fri Oct 15, 2010 9:21 am; edited 1 time in total
paranoid221
Posted: Fri Oct 15, 2010 8:58 am
Thought I would provide a little more detail on this.

Ran mqsisetdbparms as follows:

Code:
mqsisetdbparms WMBRK -n ldap:LDAP -u uid=svcwbimb,ou=applications,o=IBM,c=US -p *********


On the security profile:
Code:
LDAP Host: ldap://b2eldap.xxxxx.com:389
LDAP Search Scope: sub
LDAP baseDN: o=IBM,c=us
LDAP group baseDN: cn=WS_AUTH_GRP, ou=groups, o=IBM,c=us
LDAP uid attr = uid
LDAP group member attr = uniquemember


From the service traces I collected, this is what I see:
Code:
 .   MbLDAPSecurityProvider.getUserDNFromBrokerBind   +   uid=MBUSER,ou=applications,o=IBM,c=US


If you notice the above, ou=applications was what was used for the id svcwbimb for the broker to connect to the LDAP server, but I can't understand why that ou is being used for the MBUSER id that comes through in the webservice transport header. Shouldn't the settings on the security profile be used for this id instead?

I'm giving it my everything to get this working. Any helping hand will be much appreciated.
mqjeff (Grand Master; joined 25 Jun 2008; posts: 17447)
Posted: Fri Oct 15, 2010 9:12 am
I don't have a lot to add, unfortunately.

The WS-Security samples may provide some insight here, and perhaps mgk will be along with some clarification.

But you are doing quite well so far on your own.
paranoid221
Posted: Fri Oct 15, 2010 2:15 pm
@mqjeff - thanks for taking the time to add a comment. Yes, I did take a look at that sample but did not find it relevant to what I was trying to achieve.

Finally had success. It boiled down to how the id was configured in LDAP. Everything was right except for the fact that the 'uniquemember' attribute was not set for MBUSER id in LDAP. Worked with our security folks to have that fixed and works like a charm now.
Also, in retrospect, I thought I would take a moment to answer some of the questions I had in my first post:

1) Setting up a security profile will suffice for authN and authZ of a userId in the basicAuth string.
2) Yes. Getting the user and pass from the basicAuth string is inherently handled. You do not have to add an entry into the WS-Security table on the SoapInput node.
3) This doesn't need to be answered :)
4) Policy Sets and Policy Bindings are not required in this case. They are only required when you have a requirement for message signing and encryption and also when your clients include credentials as part of the wsse header in the SOAP message.
5) Security Profile is not required on the SoapInput node at the message flow level. Add the security profile name on the soapInput node after the BAR file is built.

The only thing that didn't look right to me was the error message I got in the service trace:
Code:
"User is not in Broker authorization group"

To me, that is very misleading, causing one to think in the wrong direction. I was baffled and spent an hour questioning "why would the user need to be in a broker authorization group?". I hope it gets corrected in future versions.

But I'll take the honors of being the happiest man at work for today.
mqjeff
Posted: Fri Oct 15, 2010 3:11 pm
I suspect it's a case of a somewhat generic error message for a wider set of situations than expected.

Otherwise,