akil
Posted: Sun Aug 03, 2014 9:30 am Post subject: IIB 9: mqsisetdbparams : custom credentials
 Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai
Hi
In my flows I call third party web services which require an identity to be passed, either as HTTP basic auth or as some elements in the message. I am currently putting these credentials as user defined properties, but I need to obfuscate the passwords or, better still, store them in the broker registry.
Is this the conventional way? Does the broker registry allow storing of arbitrary credentials?
_________________ Regards
Vitor
Posted: Mon Aug 04, 2014 4:33 am Post subject: Re: IIB 9: mqsisetdbparams : custom credentials
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
akil wrote:
Does the broker registry allow storing of arbitrary credentials?
Yes. You need to add the arbitrary id to the broker registry using the mqsisetdbparms command, then create a security profile with mqsicreateconfigurableservice to propagate that id, then associate that profile with your flow.
_________________ Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Mon Aug 04, 2014 4:58 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
It depends somewhat on what you mean by "as some elements in the message".
If it's "entirely random elements in the message, made up by the designer of the service I'm calling, who has no idea that there are well understood standards for securing web services", then you can't use the built-in processes for Propagating Identities.
akil
Posted: Mon Aug 04, 2014 5:07 am Post subject:
 Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai
Hi
Here's an example of the kind of header that I need to send:
Code:
<ns:RequestHeader>
<ns:CustomerId>(mycustomerID)</ns:CustomerId>
<ns:UserId>(myUserID)</ns:UserId>
<ns:Password>(mySecret in clearText)</ns:Password>
<ns:MemberNumber>(my Second Factor)</ns:MemberNumber>
<ns:SecurityCode>(my Second Factor secret)</ns:SecurityCode>
<ns:ProductCode>MCR</ns:ProductCode>
<ns:ProductVersion>1.0</ns:ProductVersion>
<ns:ReportFormat>XML</ns:ReportFormat>
</ns:RequestHeader>
So there are 5 name-value pairs that I need to store somewhere so that when I make a call, I can pick up the appropriate values. While this is part of a SOAP request, it is some sort of custom message; there is no HTTP Basic Auth, SAML or SOAP security...
What are my options?
_________________ Regards
mqjeff
Posted: Mon Aug 04, 2014 5:14 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
It *might* be possible to define a custom Security Policy that matches this.
Suggest you open a PMR for clarification.
Otherwise, there are no user-exposed functions for retrieving values from mqsisetdbparms. So your best bet is to store the passwords using UDPs or a user-defined configurable service in an already obfuscated form.
And fire the person who designed that header.
akil
Posted: Mon Aug 04, 2014 7:27 pm Post subject:
 Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai
Thanks, will stick to UDPs; I'll also open a PMR to see if there's a way out.
But is there any way of obfuscating values of UDPs that is understood by the broker? Like, for example, slappasswd? I'm trying to avoid wiring up something specific, as this pattern (credentials in elements) is used for 6-7 web services..
_________________ Regards
mqjeff
Posted: Tue Aug 05, 2014 5:01 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
akil wrote:
Thanks, will stick to UDPs; I'll also open a PMR to see if there's a way out.
But is there any way of obfuscating values of UDPs that is understood by the broker? Like, for example, slappasswd? I'm trying to avoid wiring up something specific, as this pattern (credentials in elements) is used for 6-7 web services..
There's no way to tell broker "obfuscate this UDP when I store it, and de-obfuscate it when I retrieve it".
The only thing that does that for you is mqsisetdbparms.
Again, fire the designer of these web services and adopt standard WS-Security protocols.
akil
Posted: Tue Aug 05, 2014 8:11 am Post subject:
 Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai
I am calling services published by Equifax, a credit rating agency... Can't refactor or fire... Have to comply...
Thanks for clarifying... Will look for a non-broker solution..
_________________ Regards
Vitor
Posted: Tue Aug 05, 2014 8:49 am Post subject:
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
akil wrote:
I am calling services published by Equifax, a credit rating agency... Can't refactor or fire... Have to comply...
Directly? You're going directly out of IIB to an Equifax URL? Which apparently doesn't support WS-Security? A credit rating agency? Some of whose web services carry personally identifiable and sensitive data?
There's no chance at all you're calling an intermediate service hosted by your organization?
How worried should I be about my credit rating?
Also, and to return to your original point:
akil wrote:
In my flows I call third party web services which require an identity to be passed, either as HTTP basic auth
So why are you not using basic auth, which can be held & obfuscated via mqsisetdbparms?
_________________ Honesty is the best policy.
Insanity is the best defence.
akil
Posted: Tue Aug 05, 2014 8:57 am Post subject:
 Partisan
Joined: 27 May 2014 Posts: 338 Location: Mumbai
1. The call to Equifax is over HTTPS.
2. Yes, the ESB will call out directly, via a proxy server.
3. This specific agency does not provide HTTP basic auth (there is another one which does).
4. The ESB is the intermediate service. All other internal applications will call the web service published by the ESB; the credentials are only with the ESB.
Is something alarming about the above?
_________________ Regards
Vitor
Posted: Tue Aug 05, 2014 9:13 am Post subject:
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
akil wrote:
Is something alarming about the above?
That you're communicating with the Equifax credit rating agency, which by the nature of its function uses sensitive and personal information in its transactions, and the only security appears to be the SSL in the HTTP. No WS-Security, hence no digital signatures, no encryption of payload and nothing else which I'd hope would be defending my SSN.
And before you say "But HTTPS is secure", ask yourself why someone invented WS-Security if that's always true and always sufficient.
Not having a go at you; just wondering if there's any way to stop Equifax holding my data!
_________________ Honesty is the best policy.
Insanity is the best defence.