Storing password
wmqstankela
Posted: Thu Nov 29, 2018 7:33 am Post subject: Storing password

Voyager

Joined: 29 Feb 2016
Posts: 82

Hi all,

I am using IIB v10 and I have a situation where my flow needs to pass some user and password to a 3rd party service. I am using a JCN for creating the request, but I don't want to set the password in plain text in my code, so I created a user-defined configurable service with username and password values. I managed to read these values from the JCN, but when I log in to the web user interface I see the password as plain text.

Is there any other solution to store masked credentials somewhere that could be read from a Java compute node?
Vitor
Posted: Thu Nov 29, 2018 7:47 am Post subject: Re: Storing password

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25361
Location: Ohio, USA

wmqstankela wrote:
I have a situation where my flow needs to pass some user and password to a 3rd party service.


Where in the request is the user id & password? HTTP header? WS-Security header? Somewhere in the payload body?

Where do you get the credentials from? The incoming request? Is it a static pair, i.e. the flow always uses the same values?

wmqstankela wrote:
I am using a JCN for creating the request


Why? Why not use the HTTPRequest node to do this?

Accepting that you need to form the payload in a Compute node of some kind, the HTTPRequest node can propagate credentials into each of the 3 situations I name above, storing them in the same way IIB stores credentials for its database connections and as secure.
_________________
Honesty is the best policy.
Insanity is the best defence.
wmqstankela
Posted: Thu Nov 29, 2018 7:58 am

Voyager

Joined: 29 Feb 2016
Posts: 82

User and pass are static and I always use the same values. I send it in the payload. Is there a way to store it somewhere in IIB, like a Security identity or some configurable service that can be read from Java, but not stored in plain text?

I know that I can store it in a db, but I wonder if it is possible without a db.
Vitor
Posted: Thu Nov 29, 2018 8:05 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25361
Location: Ohio, USA

wmqstankela wrote:
Is there a way to store it somewhere in IIB, like a Security identity or some configurable service that can be read from Java, but not stored in plain text?


Yes, it's what the HTTPRequest node uses but that's not accessible to user code.

wmqstankela wrote:
I wonder if it is possible without a db.


And if you use a database, you then have to protect the database.

If you're determined to do this with a JCN (and I still don't understand why) then the user configurable service or a database are your best bets.
wmqstankela
Posted: Thu Nov 29, 2018 8:06 am

Voyager

Joined: 29 Feb 2016
Posts: 82

Ok, thanks Vitor!
Vitor
Posted: Thu Nov 29, 2018 8:09 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25361
Location: Ohio, USA

wmqstankela wrote:
Ok, thanks Vitor!


For the record, I think your method is wrong.

I would also doubt that any security review of your solution would be happy with plain text credentials stored in a user service, or in a db without a lot of additional access controls.

But it's your site and your solution. So go in peace with it.


wmqstankela
Posted: Fri Nov 30, 2018 2:15 am

Voyager

Joined: 29 Feb 2016
Posts: 82

It's a little bit complicated...I will not set pass as plain text surely, that's why I am trying to find another way how to store pass so that I can read it from JCN.
Vitor
Posted: Fri Nov 30, 2018 5:05 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25361
Location: Ohio, USA

wmqstankela wrote:
It's a little bit complicated...I will not set pass as plain text surely, that's why I am trying to find another way how to store pass so that I can read it from JCN.


That's what I mean (and what I keep saying); I wouldn't do this in the JCN, I'd use the HTTPRequest node.

But again, you're better placed than me to know what's best for your situation. And what your security people will or will not tolerate by way of risk.
wmqstankela
Posted: Tue Dec 04, 2018 1:56 am

Voyager

Joined: 29 Feb 2016
Posts: 82

Vitor, I have this situation. I'm searching for an LDAP entry, using some Java package. In order to do this, I need a bind user and pass to provide with my search request. That's the reason why I need to store credentials somewhere on IIB and to read them from the JCN.

I've used a user-defined configurable service, but the password is in plain text. Do you know a better solution for this situation?
fjb_saper
Posted: Tue Dec 04, 2018 5:23 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19816
Location: LI,NY

I thought there was a PEP node that allows you to check LDAP and would retrieve the LDAP access credentials just like IIB retrieves any other credentials it stored...
_________________
MQ & Broker admin
wmqstankela
Posted: Tue Dec 04, 2018 5:43 am

Voyager

Joined: 29 Feb 2016
Posts: 82

Thanks fjb_saper for an answer!

How do you mean that the PEP node will retrieve LDAP access credentials? How to bind with LDAP?
Vitor
Posted: Tue Dec 04, 2018 6:05 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25361
Location: Ohio, USA

wmqstankela wrote:
How do you mean that the PEP node will retrieve LDAP access credentials?


There's a world of difference between what you originally asked:

wmqstankela wrote:
where my flow needs to pass some user and password to a 3rd party service


and this:

wmqstankela wrote:
I'm searching for an LDAP entry


For the first case, you need to use the inbuilt capabilities of the HTTPRequest node. For the second case, you need to use a PEP node as my associate correctly points out.

Note that if your 2 use cases are in some way linked (for example you need to obtain a token/credentials of some kind from LDAP and pass it to this 3rd party service) then you still don't need a JCN; you can get the HTTPRequest node to pass it directly.


wmqstankela wrote:
How to bind with LDAP?


As laid out in the instructions for the PEP node.
Esa
Posted: Wed Dec 05, 2018 4:48 am

Grand Master

Joined: 22 May 2008
Posts: 1378
Location: Finland

Vitor wrote:

There's a world of difference between what you originally asked:


No, there is not. The OP needs a password for some purpose, like opening a keyring file that is not the one owned by the integration node. Or adding a password in a non-SOAP XML file. etc. And wants to know where to store it safely. He doesn't want to put it in plaintext anywhere. So he asks advice, like would it be a good idea to encrypt it and put it in a user defined configurable service. And in that case, where to put the encryption key?

And he was told to put it in LDAP and fetch it with a SecurityPEP node. But I don't think you can do it that way.
fjb_saper
Posted: Wed Dec 05, 2018 5:59 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19816
Location: LI,NY

Esa wrote:
Vitor wrote:

There's a world of difference between what you originally asked:


No, there is not. The OP needs a password for some purpose, like opening a keyring file that is not the one owned by the integration node. Or adding a password in a non-SOAP XML file. etc. And wants to know where to store it safely. He doesn't want to put it in plaintext anywhere. So he asks advice, like would it be a good idea to encrypt it and put it in a user defined configurable service. And in that case, where to put the encryption key?

And he was told to put it in LDAP and fetch it with a SecurityPEP node. But I don't think you can do it that way.

Not quite. The OP said the reason he needed the userid pwd was to access the LDAP, to retrieve whatever he needed to retrieve from there.

We just suggested to use a PEP node to access the LDAP. I hope that the query passed to the PEP node will retrieve what he needs.
Vitor
Posted: Wed Dec 05, 2018 6:09 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25361
Location: Ohio, USA

Esa wrote:
He doesn't want to put it in plaintext anywhere. So he asks advice, like would it be a good idea to encrypt it and put it in a user defined configurable service. And in that case, where to put the encryption key?


And I told him to use the HTTPRequest node, which since v9.0.0.something does exactly what you're describing - adding credentials which are not part of the inbound message tree to the outbound request from a secure, broker maintained store.

Esa wrote:
And he was told to put it in LDAP and fetch it with a SecurityPEP node.


I don't think that's what he was told. That's certainly not what I was agreeing with. I thought he asked (and was answered) how to look something up from LDAP and use that as the credentials for the 3rd party service.

Esa wrote:
But I don't think you can do it that way.


I agree that's not the solution to the first case, but continue to assert that the HTTPRequest node is.