Kerberos token propagation in SOAPRequest node in IIB
IIBDVLPR97 (Newbie, joined 25 Apr 2016, 3 posts)
Posted: Mon Apr 25, 2016 8:14 am    Post subject: Kerberos token propagation in SOAPRequest node in IIB

Our installation uses Kerberos authentication based on user name, and it works fine on a direct request to an IIB application (the key store is defined and connects successfully). If I need to call one of those applications from within another, using a SOAPRequest node, the Kerberos token does not get propagated, and the result is a "401 - Unauthorized URL ..." error.

I have read all of the documentation provided by the IBM Knowledge Center and the three posts on this site that had similar problems but do not entirely address the same case. I also experimented with various identity source/mapping combinations. What I noticed is that the token is not an available value in the input message, and even though the token is supposed to be generated from the user ID, passing that as the token has no effect. I also tried adding a policy and binding for propagation, but I was not able to determine how any Kerberos token extraction would be defined in those containers. If anyone has had direct experience with this problem, please share the results.
What I have tried:

1) I am not able to see the token in the input message received by the first application. I am not even sure whether I should be able to see the Kerberos token in the input message, but from other postings it seems that for X.509 the token is visible; also, the HTTP log shows that the token was negotiated successfully.

2) The input does show that Kerberos was used to start the application:
   IdentitySourceType:CHARACTER:kerberosTicket
   IdentitySourceToken:CHARACTER: user id
   IdentitySourceIssuedBy: the value is set to the correct URL
   spn:CHARACTER:HTTP/server fully qualified (4 nodes) @xxx.xxx.COM

3) Because of 1, I tried to set the user or the SPN as the token in the IdentitySource and mapping, in combination with various token types (username, usernameAndPassword, kerberosTicket). In the last case I get error 2720, indicating that no ticket is available, or a 401 (not authorized).
   I used the default propagation in both the SOAPInput node and the SOAPRequest node, and even set up a profile just for propagation.

4) I tried setting up the policy/binding but could not find a place that asked anything about Kerberos token propagation (I also added a PEP node to see if the token would become available somehow, but it did not).

5) To complicate things further, the above problem happens when I try to call another application from within one of the remote servers, but when I try the same process on my local machine's IIB integration node I am able to call another module (on my localhost). In this case, in soap.http. ...identity.kerberosTicket I see an additional tag called sid (which I do not see when I call the remote server). I think that is the password of my key store, and I also tried passing that hard-coded to see if it would work (N/L).

6) Probably tried something else I can't remember.

Thank you very much.
mqjeff (Grand Master, joined 25 Jun 2008, 17447 posts)
Posted: Mon Apr 25, 2016 8:38 am
IIBDVLPR97 (Newbie, joined 25 Apr 2016, 3 posts)
Posted: Mon Apr 25, 2016 9:41 am

Thank you for your reply, Grand Master; I had already verified the setup. Please notice that the problem is not accessing a Kerberos-authenticated application directly, but indirectly.

Example: Appl A is a web service application that provides a common function; B is also a web service, and it uses a SOAPRequest node to call Appl A.
I can call Appl A directly (works fine).
I can call Appl B directly (also works fine).
When Appl B tries to call Appl A from within, the result is 401 (unauthorized ...).

Thank you.
mgk (Padawan, joined 31 Jul 2003, 1642 posts)
Posted: Mon Apr 25, 2016 10:25 am

IIB currently (as of 10.0.0.4) does not support Kerberos token propagation, where the same token received at an Input node is propagated out of a Request node. You will need to raise an RFE if you need this feature in a future release.

Kind regards,
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
IIBDVLPR97 (Newbie, joined 25 Apr 2016, 3 posts)
Posted: Mon Apr 25, 2016 1:16 pm

Thank you, mgk. I was suspecting that might be the case, even though nowhere in the documentation is it ever mentioned. So do you have any suggestions on what the alternative is (if any), given the environment I described?

For example, is it feasible to call the KDC and retrieve a new token, and then pass it on in the SOAPRequest?
If that were even feasible, is there a way to accomplish it within the confines of the IIB message structure, and what does it require?

A possible but most labor-intensive solution could of course be to rewrite every service that can be used as a common service as a subflow, which is then invoked wherever needed, but that may not be a "best-practice" approach. Any comment on that?

Thank you.
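The 401 described in this thread is what Appl A returns when the request it receives from Appl B carries no usable token, so the practical check is at the HTTP level between B and A: what the request's Authorization header and the 401's WWW-Authenticate header actually contain. Over HTTP the Kerberos ticket travels in the Authorization header (RFC 4559), not in the SOAP body, so an HTTP trace of the B to A call is where to confirm whether a token was sent at all. The following is an added example, not code from the thread, from IIB or from IBM: a small Python decoder for the token in a Negotiate header. It distinguishes a bare "Negotiate" challenge (no token presented), a SPNEGO NegTokenInit and the mechanisms it offers, a raw Kerberos AP-REQ, a SPNEGO NegTokenResp and its negState, and an NTLM fallback. All sample tokens are constructed inside the block (the AP-REQ body is a placeholder); nothing here talks to a KDC.

```python
# Added example (not IIB code): what does an HTTP 'Negotiate' header actually carry?
# RFC 4559 (HTTP Negotiate), RFC 4178 (SPNEGO), RFC 4121 (Kerberos GSS-API tokens).
import base64

# DER content bytes of the mechanism OIDs seen inside Negotiate tokens:
# SPNEGO 1.3.6.1.5.5.2, KRB5 1.2.840.113554.1.2.2, MS-KRB5 1.2.840.48018.1.2.2, NTLMSSP 1.3.6.1.4.1.311.2.2.10
SPNEGO, KRB5, MS_KRB5, NTLMSSP = (bytes.fromhex(h) for h in (
    "2b0601050502", "2a864886f712010202", "2a864882f712010202", "2b06010401823702020a"))
OID_NAMES = {SPNEGO: "SPNEGO", KRB5: "KRB5", MS_KRB5: "MS-KRB5", NTLMSSP: "NTLMSSP"}
KRB_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def _tlv(buf, pos=0):
    """Read one DER TLV (single-byte tag) at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Yield (tag, value) for the TLVs packed back to back in a SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def classify_token(token):
    """Classify raw GSS-API token bytes (the base64-decoded part of the header)."""
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm"}              # client fell back to NTLM inside Negotiate
    tag, body, _ = _tlv(token)
    if tag == 0xA1:                          # NegTokenResp is not wrapped in InitialContextToken
        result = {"kind": "spnego-resp"}
        for ctag, cval in _children(_tlv(body)[1]):
            if ctag == 0xA0:                 # [0] negState ENUMERATED
                result["neg_state"] = NEG_STATES.get(_tlv(cval)[1][0], "unknown")
        return result
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _tlv(body)
    if tag != 0x06:
        raise ValueError("InitialContextToken without mechanism OID")
    mech, inner = OID_NAMES.get(oid, "oid:" + oid.hex()), body[pos:]
    if mech in ("KRB5", "MS-KRB5"):          # RFC 4121: 2-byte TOK_ID, then the KRB message
        return {"kind": "kerberos", "mech": mech, "tok_id": KRB_TOK_IDS.get(inner[:2], inner[:2].hex())}
    if mech != "SPNEGO":
        return {"kind": "other", "mech": mech}
    tag, nti, _ = _tlv(inner)
    if tag != 0xA0:
        raise ValueError("SPNEGO token is not a NegTokenInit")
    result = {"kind": "spnego-init", "mech_types": [], "mech_token": None}
    for ctag, cval in _children(_tlv(nti)[1]):
        if ctag == 0xA0:                     # [0] mechTypes: SEQUENCE OF OID, preferred first
            result["mech_types"] = [OID_NAMES.get(o, "oid:" + o.hex()) for _, o in _children(_tlv(cval)[1])]
        elif ctag == 0xA2:                   # [2] mechToken: OCTET STRING, optimistic token for mechTypes[0]
            result["mech_token"] = classify_token(_tlv(cval)[1])
    return result

def classify_negotiate(header_value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    if not b64.strip():
        return {"kind": "challenge"}         # bare 'Negotiate' in a 401: no token was presented
    return classify_token(base64.b64decode(b64.strip()))

def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed samples, not captured traffic; the AP-REQ body is a placeholder.
RAW_KRB5 = _der(0x60, _der(0x06, MS_KRB5) + b"\x01\x00" + _der(0x6E, b"\x30\x00"))
SPNEGO_INIT = _der(0x60, _der(0x06, SPNEGO) + _der(0xA0, _der(0x30,
    _der(0xA0, _der(0x30, _der(0x06, MS_KRB5) + _der(0x06, KRB5) + _der(0x06, NTLMSSP)))
    + _der(0xA2, _der(0x04, RAW_KRB5)))))
SPNEGO_REJECT = _der(0xA1, _der(0x30, _der(0xA0, _der(0x0A, b"\x02"))))
SAMPLE_HEADERS = {
    "challenge": "Negotiate",
    "client": "Negotiate " + base64.b64encode(SPNEGO_INIT).decode(),
    "reject": "Negotiate " + base64.b64encode(SPNEGO_REJECT).decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(name, classify_negotiate(hdr))
```

Reading the output against the thread's symptom: a request from B whose Authorization header classifies as "challenge" or is missing altogether means no ticket was ever attached (which is what a Request node that does not propagate the inbound token would produce), while a NegTokenInit whose first mechanism is NTLMSSP or a NegTokenResp with negState "reject" points at a negotiation problem on A's side rather than a missing token.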