WS-Security - signing a message using X509 cert.

sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Fri Sep 16, 2011 7:05 am
I am trying to deploy a webservice on broker 7.0.0.3 on Windows. The client(s) will need to sign the body of the message using an X.509 cert. I looked at the addressbook sample, and got confused at step 8:
http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.samples.wssecsamp.doc%2Fdoc%2Fsetup_providerbinding.htm
In my case, there could be many webservice clients with different X.509 certs. How can I make sure the broker can read the signed message from all clients (instead of hardcoding the Key Name in initToken)?
I read somewhere in the documentation that to achieve this, I need to set both Key Name and Key Alias to "Any" or leave them blank. Neither of these works.
I am getting this error:
Quote:
    CWWSS6800E: The entry with alias 'Any' of keystore 'F:\cert\testps.jks' cannot be found: entry=null
Can you please guide me here?
Thanks
Guru

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Sep 16, 2011 8:13 am
Hi Guru -
What is the Trust property set to? Either it should be TrustAny or TrustStore. If TrustAny, with no security profile set, all certificates are trusted. With a security profile set, the certificate is passed to the security provider defined by the security profile for it to establish trust.
Lance
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Fri Sep 16, 2011 8:44 am
Thanks Lance.
I have it set to TrustStore.
The security provider in my case will be LDAP. I read that authentication, identity mapping etc. using X.509 with LDAP is not supported.
Do I need to set the security profile in that case? Also, if the only option is to set "TrustAny", and I don't set a security profile, I think it would create a security hole, correct?

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Sep 16, 2011 9:01 am
1. I would first set it to work insecurely as a test, so you have confidence that Broker is doing its part (i.e. TrustAny with no security provider set).
2. Then set it to TrustAny with a defined security provider.
3. mgk, mqjeff would be good resources to ask about LDAP. I suspect it would be supported, or there are plans to support it. I do not know the current status. This is Friday and already past bedtime in Hursley. Wait till Monday and hopefully see a message from mgk.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri Sep 16, 2011 9:08 am
lancelotlinc wrote:
    3. mgk, mqjeff would be good resources to ask about LDAP. I suspect it would be supported, or there are plans to support it. I do not know the current status. This is Friday and already past bedtime in Hursley. Wait till Monday and hopefully see a message from mgk.
It's been too long since I've done meaningful things with LDAP.
It's also only past *bar* time in Hursley, not *bed* time.
But, yes, hopefully mgk will be along at some point.
Key information should not in any way be required for incoming message identification or authorization. It should defer that to either the security provider or to the broker trust store.

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Sep 16, 2011 9:09 am
I found this WMB 6.1 document that says LDAP is supported, but not for X.509 tokens:
http://www-01.ibm.com/support/docview.wss?uid=swg27015336&aid=1
Quote:
    Supported Directory Servers
    LDAP V3 Directory servers like
    Tivoli Server Directory (TDS) V6.1
    OpenLDAP
    Microsoft® Active Directory®
    TFIM V6.1
    Broker doesn't support some of the v3 features like:
    queries with referral in a multi-domain environment
    X.509 tokens for LDAP authentication
You could write your own security service provider to make the X.509 connection. Also, mgk or mqjeff could tell us the current status. There may have been some support added in WMB version 7.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri Sep 16, 2011 9:11 am
lancelotlinc wrote:
    Also, mgk or mqjeff could tell us the current status.
Again, you are only half right.
lancelotlinc wrote:
    There may have been some support added in WMB version 7.
I'm sure if there was, it would be documented in the Info Center.

sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Wed Sep 21, 2011 6:40 am
Hi,
I am still struggling to get this working... From the documentation, it looks like I don't need to have a security provider; the truststore I configure at the execution group level should be used, as I have set the "Trust" field to "Truststore" in the policy binding.
I tried to set "Any", and tried to set it to blank (1 space), for the "Key Name" and "Key Alias". Both of them did not work.
Any help on this is greatly appreciated...
This is what is in the documentation:
http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ab60200_.htm?resultof=%22%4b%65%79%20%6e%61%6d%65%22%20
Quote:
    Key Name: The distinguished name (DN) that uniquely identifies the key in the keystore that is defined in the broker using the mqsichangeproperties command. For example "CN=CommonName, O=Organisation, C=Country". When you require message level protection on the inbound signature token and the key is not known in advance, enter Any or leave blank.
    Key Alias: The key alias of the key in the keystore defined by the broker. When you require message level protection on the inbound signature token and the key is not known in advance, enter Any or leave blank. You define the broker keystores using the mqsisetdbparms and mqsichangeproperties commands.

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Wed Sep 21, 2011 6:57 am
Quote:
    Broker doesn't support some of the v3 features like:
    X.509 tokens for LDAP authentication
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Wed Sep 21, 2011 7:04 am
Correct me if I am wrong, but I think I don't need LDAP here, just the Keystore.
I am just trying to get the Key (or token) looked up against the truststore configured...

sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Wed Sep 21, 2011 7:14 am

lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Wed Sep 21, 2011 7:15 am
Apparently, mgk is the person that needs to answer. "Bar" time again in Hursley. May have to wait till tomorrow...
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER

smdavies99 (Jedi Council; Joined: 10 Feb 2003; Posts: 6076; Location: Somewhere over the Rainbow this side of Never-never land.)
Posted: Wed Sep 21, 2011 9:50 am
lancelotlinc wrote:
    Apparently, mgk is the person that needs to answer. "Bar" time again in Hursley. May have to wait till tomorrow...
If 'mgk' can be in the bar at 3:15pm on a Wednesday afternoon then I must be doing something wrong.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

sguruprasanna (Apprentice; Joined: 29 Jul 2002; Posts: 37)
Posted: Thu Sep 22, 2011 4:08 am

bielesibub (Apprentice; Joined: 02 Jul 2008; Posts: 40; Location: Hampshire, UK)
Posted: Thu Sep 22, 2011 5:37 am
Guru,
It's not just you... we can't get it to work here either. I've tried a number of combinations of 'Any' / 'N/A' / 'JustAcceptTheBloodyToken' but none work.
I am about to raise a request with IBM to give us some technical help. I'm hoping that it's just the 'dodgy' policy panels that are causing the issue.
Cheers,