Secure broker hosted web services using Kerberos

prasadpav
Posted: Wed Sep 25, 2019 8:57 am Post subject: Secure broker hosted web services using Kerberos
Centurion
Joined: 03 Oct 2004 Posts: 142
We have our broker (10.0.0.13) running on Linux and KDC is Windows Active Directory. I want to secure web services (created using HTTPInput nodes) that are hosted by the broker i.e. authenticate the users using Kerberos and also authorise them in the next step. The setup which I've done is not working and I'm at a loss because I'm not seeing any error messages or any useful information for troubleshooting other than the HTTP 500 Internal server error for the requests to the web service which I wanted to secure.
Here's what I've done so far and hope someone could point out where it is going wrong:
1) Changed the execution group to use the embedded http listener and changed the property integratedWindowsAuthentication='Negotiate:Kerberos'
2) Created kerberos keytab file using the following command:
3) Configured BrokerRegistry to set both the kerberos config file and the keytab file
Code:
brokerKerberosConfigFile='/etc/krb5.conf'
brokerKerberosKeytabFile='/var/mqsi/kerberos/conf/dv1mqm_krb5.keytab'
4) Created the following security profile for Authenticating the users calling the broker hosted service
Code:
IWA_LDAP_Authenticate
authentication='LDAP'
authenticationConfig='ldap://samp0001.sample.com:389/OU=Users,OU=UK,DC=sample,DC=com?cn?base'
authorization='NONE'
authorizationConfig=''
idToPropagateToTransport='Message ID'
keyStore='Reserved for future use'
mapping='NONE'
mappingConfig=''
passwordValue='PLAIN'
propagation='FALSE'
rejectBlankpassword='FALSE'
transportPropagationConfig=''
trustStore='Reserved for future use'
5) Deployed the message flow with the Security profile set to "IWA_LDAP_Authenticate"
6) Restarted the broker and then tested it.
Following error information is available from the service trace:
Quote:
2019-09-25 17:08:35.179820 6634 com.ibm.broker.inlinehttp.tomcatthreadpool.TomcatInstanceManager$AdapterClass@2882d306.authenticate Request 'Got socket field'
2019-09-25 17:08:35.180036 6634 { TomcatInstanceManager.authorizeUserGSS , 'fd:317 lastuse:1569427715177 SSL:false NTLM:false Negotiate:true Kerberos Only:true Persistent:true'
2019-09-25 17:08:35.180288 6634 JavaRootLogger: org.apache.coyote.http11.AbstractHttp11Processor.process file:/build/slot3/S1000_P/src/DataFlowEngine/NativeTrace/ImbNativeTrace.cpp line:170 message:3484.BIPmsgs 'MbWXSLogHandler:SEVERE' , 'Error processing request'
2019-09-25 17:08:35.180288 6634 UserTrace BIP3484E: ''Error processing request''
An embedded component has written the 'SEVERE' level diagnostic message included here.
Refer to the appropriate message in the embedded component's documentation.
2019-09-25 17:08:35.180304 6634 JavaRootLogger: org.apache.coyote.http11.AbstractHttp11Processor.process 'MbWXSLogHandler:SEVERE' , 'Error processing request'
2019-09-25 17:08:35.181212 6634 JavaRootLogger: org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process 'MbWXSLogHandler:FINE' , 'Socket: [org.apache.tomcat.util.net.SocketWrapper@3f765607:Socket[addr=/10.36.69.56,port=61896,localport=8070]], Status in: [OPEN_READ], State out: [CLOSED]'
One thing that seems confusing to me, or feels redundant, is the capturing of the LDAP server name in the security profile config when the LDAP server names are already available in the Kerberos config file.
Code:
authenticationConfig='ldap://samp0001.sample.com:389/OU=Users,OU=UK,DC=sample,DC=com?cn?base'
Many thanks in advance for going through this.
rama91
Posted: Thu Sep 26, 2019 10:56 am Post subject:
Novice
Joined: 28 Aug 2019 Posts: 15
prasadpav
Posted: Fri Sep 27, 2019 2:05 am Post subject:
Centurion
Joined: 03 Oct 2004 Posts: 142
Quote:
How are you testing this broker service? Did you set SPN as defined in this link?
Yes, I've configured SPN for the AD user id (z_iibkrb@sample.com) as follows:
Code:
http/dev001.sample.com:9070
http/dev001:9070
Quote:
What is the Service Principal Name set for this user account? I tried generating keytab using RC4-HMAC as suggested in guides. Is the Broker Service running under this user account?
My broker is running on Linux under the local userid dv1mqm. I then configured the broker to use the Kerberos keytab file which has the userid (z_iibkrb@sample.com) and its associated password to connect to the AD for authenticating the clients.
My test setup has this chain:
Code:
postman --> Fiddler 4 --> Broker service
Since I've configured my EG to use "Negotiate: Kerberos", I was hoping that the broker service starts the kerberos protocol handshake. I had wireshark running to see if at all any handshake is happening to request for the client's key. But nothing is happening and it is immediately throwing the error that is captured from my system trace. And the error information is vague and doesn't help nor say what is causing the issue.
Code:
I found the broker documentation incomplete where some of the properties like for BrokerRegistry object - brokerKerberosConfigFile & brokerKerberosKeytabFile are not mentioned.
rama91
Posted: Fri Oct 11, 2019 6:32 am Post subject:
Novice
Joined: 28 Aug 2019 Posts: 15
Prasadpav - Did you manage to get the Kerberos authentication working? I raised a PMR and got a few answers from them. I believe these will be useful to you as well.
Quote:
Should the Service Principal name be registered against the User ID on which the broker service is running?
Quote:
Do we need a security profile to be associated with the Provider flow? I'm not looking to authorise the user against an LDAP group (or) extract the identity and propagate it to downstream nodes.