| Author |
Message
|
| saibaba |
 Posted: Fri Aug 31, 2012 6:08 am Post subject: POlicy sets and bindings |
 |
|
Newbie
Joined: 31 Aug 2012
Posts: 2
|
My Goal is to store username and password in Broker using policy sets and bindings. I am using a Soap requestnode in my message flow.
I follwed all the instructions from online.
The task was unsuccessful: The deployment was unsuccessful. Check error messages above for explanation. |
|
| Back to top |
|
 |
| lancelotlinc |
| Posted: Fri Aug 31, 2012 6:24 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
Based on my experience, I don't recommend doing this.
You don't need to use any policy sets for SOAP nodes, unless you need "BasicAuth", in which case you can elect to use the default policy set.
Standard wsse authentication does not use BasicAuth, so if you use standard wsse style credentials, you don't need any policy set whatsoever.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Aug 31, 2012 6:41 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| lancelotlinc wrote: |
| Based on my experience, I don't recommend doing this. |
Ok, what is your recommendation?
| lancelotlinc wrote: |
| You don't need to use any policy sets for SOAP nodes, unless you need "BasicAuth", in which case you can elect to use the default policy set. |
So where, in your recommendation, does one store WS-Security credentials?
| lancelotlinc wrote: |
| Standard wsse authentication does not use BasicAuth, so if you use standard wsse style credentials, you don't need any policy set whatsoever. |
What do you need then?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Aug 31, 2012 6:44 am Post subject: Re: POlicy sets and bindings |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| saibaba wrote: |
| Check error messages above for explanation. |
But hark, what light through yonder window breaks? It is the east, and the Info Center is the sun! |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Aug 31, 2012 7:06 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| Vitor wrote: |
| lancelotlinc wrote: |
| Based on my experience, I don't recommend doing this. |
Ok, what is your recommendation?
|
Use wsse credentials.
| Vitor wrote: |
| lancelotlinc wrote: |
| You don't need to use any policy sets for SOAP nodes, unless you need "BasicAuth", in which case you can elect to use the default policy set. |
So where, in your recommendation, does one store WS-Security credentials? |
For SOAP Requests (ie. most Web Services) using wsse-style credentials, you put them in the SOAP Header.
| Vitor wrote: |
| lancelotlinc wrote: |
| Standard wsse authentication does not use BasicAuth, so if you use standard wsse style credentials, you don't need any policy set whatsoever. |
What do you need then? |
Use the default policy set if BasicAuth is a requirement, which it usually never is, unless your talking to a .Net Windows only Web Service that was built for Windows-centric computing environment.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Aug 31, 2012 7:12 am Post subject: Re: POlicy sets and bindings |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Aug 31, 2012 7:34 am Post subject: Re: POlicy sets and bindings |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
That doesn't show the error messages above in order to provide an explanation.
But good linkage! |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Aug 31, 2012 7:38 am Post subject: Re: POlicy sets and bindings |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| mqjeff wrote: |
That doesn't show the error messages above in order to provide an explanation.
But good linkage! |
You are correct and thank you. I like that particular InfoCentre page because it enumerates all security possibilities for a Web Service, albeit in the context of the SOAPInput node. To apply that information to the SOAPRequest node, just inverse the concepts.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Aug 31, 2012 8:01 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| lancelotlinc wrote: |
| For SOAP Requests (ie. most Web Services) using wsse-style credentials, you put them in the SOAP Header. |
Well yes Captain Obvious, I do understand that's where they fit in the WS-Security standard for supplying them. That's not where my question was headed. If you use a code snippet like:
| lancelotlinc wrote: |
| Code: |
Set OutputRoot.SOAP.Header.wsse:Security.wsse:UsernameToken.wsse:Username = uid;
Set OutputRoot.SOAP.Header.wsse:Security.wsse:UsernameToken.wsse:Password = pwd; |
|
Then you need to source uid & pid from someplace. The obvious place is from a policy set. Or do you just put them as UDPs where anyone with access can see them in clear text?
| lancelotlinc wrote: |
| Standard wsse authentication does not use BasicAuth, so if you use standard wsse style credentials, you don't need any policy set whatsoever. |
So you're saying the OP is way off base in using policy sets because they don't work in this context, and the documentation is flawed?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Aug 31, 2012 8:12 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| Vitor wrote: |
| lancelotlinc wrote: |
| For SOAP Requests (ie. most Web Services) using wsse-style credentials, you put them in the SOAP Header. |
Well yes Captain Obvious, I do understand that's where they fit in the WS-Security standard for supplying them. That's not where my question was headed. If you use a code snippet like:
| lancelotlinc wrote: |
| Code: |
Set OutputRoot.SOAP.Header.wsse:Security.wsse:UsernameToken.wsse:Username = uid;
Set OutputRoot.SOAP.Header.wsse:Security.wsse:UsernameToken.wsse:Password = pwd; |
|
Then you need to source uid & pid from someplace. The obvious place is from a policy set. Or do you just put them as UDPs where anyone with access can see them in clear text? |
| Captain Obvious wrote: |
| Here I come to save the day !!! |
We store the uid in a UDP and the pwd in a cache hashmap.
| Vitor wrote: |
| lancelotlinc wrote: |
| Standard wsse authentication does not use BasicAuth, so if you use standard wsse style credentials, you don't need any policy set whatsoever. |
So you're saying the OP is way off base in using policy sets because they don't work in this context, and the documentation is flawed? |
Not quite. The linked documentation is accurate. Of the third-party cloud-based providers we use in the ESB integration code that I have written in the last two years, one cloud provider needs BasicAuth style and nine cloud providers accept their credentials wsse style. Policy sets are a viable option. Beginner WMB developers will have significant difficulty, especially if they have avoided the necessary training.
WMB Dev I
https://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=WM664
WMB DEV II
https://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=WM674
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Aug 31, 2012 10:51 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| lancelotlinc wrote: |
| We store the uid in a UDP and the pwd in a cache hashmap. |
I suppose I should have guessed you'd write an external Java component rather than use something inbuilt, provided but not written in Java.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Fri Aug 31, 2012 10:54 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| Vitor wrote: |
| lancelotlinc wrote: |
| We store the uid in a UDP and the pwd in a cache hashmap. |
I suppose I should have guessed you'd write an external Java component rather than use something inbuilt, provided but not written in Java. |
The design decision is a good one. The passwords change frequently. All passwords are centralized. While I really like this idea, I cannot take credit for it, since it was not my decision.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon Sep 03, 2012 3:44 am Post subject: Re: POlicy sets and bindings |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| lancelotlinc wrote: |
| mqjeff wrote: |
That doesn't show the error messages above in order to provide an explanation.
But good linkage! |
You are correct and thank you. I like that particular InfoCentre page because it enumerates all security possibilities for a Web Service, albeit in the context of the SOAPInput node. To apply that information to the SOAPRequest node, just inverse the concepts. |
Well moving back to the point, and agreeing that's a good description of the mechanism, if the OP has read all that, attempted to implement it and failed is the only recourse to obtain management buy-in (literally) for 2 training courses? Or to advise management (or more likely the client) that the design is flawed & they need to provide a Java component in which credentials can be stored?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon Sep 03, 2012 3:54 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| lancelotlinc wrote: |
| Use the default policy set if BasicAuth is a requirement, which it usually never is, unless your talking to a .Net Windows only Web Service that was built for Windows-centric computing environment. |
For the record you'll never guess what most of the Web Services I'm interacting with are......
(Clue: I use a lot of basic auth....)
Are the OP's problems (more fully described in the double post here  ) just a badly described policy set? I don't recognize them.
Also is the default good enough for BasicAuth? Have I been wasting my time all these years building my own when I could have been learning Java.....? 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon Sep 03, 2012 5:58 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
It should be sufficient to enable the default policy set and profile, and then populate Identity in order to cause Broker to emit messages with HTTP Basic Authentication attached.
Note that you do have to take the step of actually enabling and applying the default profiles to your flows. This is not done automatically. |
|
| Back to top |
|
|
|
|
