ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportAuthentication on the server with a token

Post new topicReply to topic
Authentication on the server with a token View previous topic :: View next topic
Author Message
Rgorbun44
PostPosted: Mon Aug 17, 2020 3:49 am Post subject: Authentication on the server with a token Reply with quote

Newbie

Joined: 17 Aug 2020
Posts: 4

HELLO!
Help me please!
Access to IBM is required not only within our company but also from external users.
We did so -
When accessing IBM in http headers, add authorization token and if the token matches the expected key => IBM processes the request
Suggest!
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?
Placed 400 adapters. Configuring everyone is not a solution.
Back to top
View user's profile Send private message
Vitor
PostPosted: Mon Aug 17, 2020 4:52 am Post subject: Re: Authentication on the server with a token Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26041
Location: Texas, USA

Rgorbun44 wrote:
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?


Ok, you've posted this in the MQ security section but are using IIB/ACE terms; what "IBM" are you actually using? Give version numbers.

What do you mean by 400 "adapters"? What technology is this?

Rgorbun44 wrote:
When accessing IBM in http headers, add authorization token and if the token matches the expected key => IBM processes the request


What do you mean by "authorization token" is this context? X509? Kerberos? Inside of a fortune cookie?


Rgorbun44 wrote:
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?


No, and you wouldn't want one token that allows access to every single resource. What you're describing is every single consumer of the service (internal and external) to be authorized before access is granted. Which is the absolutely normal pattern for an HTTP based service, and is typically done on a service by service basis by WS-Security, API security or one of the other standard patterns.

So you need to explain a lot more clearly what exactly you're trying to do, what software exactly you're trying to do it with and why the standard solutions don't work for you.

Better information, better advice.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Rgorbun44
PostPosted: Mon Aug 17, 2020 5:22 am Post subject: Re: Authentication on the server with a token Reply with quote

Newbie

Joined: 17 Aug 2020
Posts: 4

Vitor wrote:
Rgorbun44 wrote:
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?


Ok, you've posted this in the MQ security section but are using IIB/ACE terms; what "IBM" are you actually using? Give version numbers.

What do you mean by 400 "adapters"? What technology is this?

Rgorbun44 wrote:
When accessing IBM in http headers, add authorization token and if the token matches the expected key => IBM processes the request


What do you mean by "authorization token" is this context? X509? Kerberos? Inside of a fortune cookie?


Rgorbun44 wrote:
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?


No, and you wouldn't want one token that allows access to every single resource. What you're describing is every single consumer of the service (internal and external) to be authorized before access is granted. Which is the absolutely normal pattern for an HTTP based service, and is typically done on a service by service basis by WS-Security, API security or one of the other standard patterns.

So you need to explain a lot more clearly what exactly you're trying to do, what software exactly you're trying to do it with and why the standard solutions don't work for you.

Better information, better advice.

IBM Integration Toolkit
Version: 10.0.0.7.
There are about 400 applications on our server. Are you suggesting that I write authorization for each HTTPInput node?
I want a single authorization rule to be set on the server when accessing any HTTP Input node.
Back to top
View user's profile Send private message
Vitor
PostPosted: Mon Aug 17, 2020 5:41 am Post subject: Re: Authentication on the server with a token Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26041
Location: Texas, USA

Rgorbun44 wrote:
IBM Integration Toolkit
Version: 10.0.0.7.
There are about 400 applications on our server. Are you suggesting that I write authorization for each HTTPInput node?


No, I'm suggesting you use one of the standard patterns for securing an HTTP service that's supported by the HTTPInput node.

Rgorbun44 wrote:
I want a single authorization rule to be set on the server when accessing any HTTP Input node.


Like I said above, I really don't think having a single authorization controlling 400 applications is a good idea. I bet your internal security and the application owners won't be that happy about it either. I think you want (and need) security at a more granular level, which brings us back to the standard patterns.

What might be a good idea is to consider how you'd manage security if these 400 applications were running in an application server or similar. Where you'd put the security points, how you'd manage tokens, that sort of thing. Then map that security onto IIB. Unless you're doing something really freaky (and it doesn't sound like you are), you shouldn't need any code at all.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Rgorbun44
PostPosted: Mon Aug 17, 2020 6:01 am Post subject: Re: Authentication on the server with a token Reply with quote

Newbie

Joined: 17 Aug 2020
Posts: 4

Vitor wrote:
Rgorbun44 wrote:
IBM Integration Toolkit
Version: 10.0.0.7.
There are about 400 applications on our server. Are you suggesting that I write authorization for each HTTPInput node?


No, I'm suggesting you use one of the standard patterns for securing an HTTP service that's supported by the HTTPInput node.

Rgorbun44 wrote:
I want a single authorization rule to be set on the server when accessing any HTTP Input node.


Like I said above, I really don't think having a single authorization controlling 400 applications is a good idea. I bet your internal security and the application owners won't be that happy about it either. I think you want (and need) security at a more granular level, which brings us back to the standard patterns.

What might be a good idea is to consider how you'd manage security if these 400 applications were running in an application server or similar. Where you'd put the security points, how you'd manage tokens, that sort of thing. Then map that security onto IIB. Unless you're doing something really freaky (and it doesn't sound like you are), you shouldn't need any code at all.


Can you describe in more detail how you need to make this authorization or link to the documentation, or where you need to read about in order to implement it?
Back to top
View user's profile Send private message
Vitor
PostPosted: Mon Aug 17, 2020 8:18 am Post subject: Re: Authentication on the server with a token Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26041
Location: Texas, USA

Rgorbun44 wrote:
Can you describe in more detail how you need to make this authorization or link to the documentation, or where you need to read about in order to implement it?


It's unclear to me which technology you're using as you're talking about HTTPInput nodes and HTTP headers (which implies a REST service) but using tokens (which I associate more with SOAP WS-Security headers) as REST typically uses Basic-Auth.

All of this is covered in the documentation for the HTTPInput node here and also here. Using tokens with WS-Security is covered here.

You can find a good overview of IIB's security control points here. If you have more complex requirements, you can additionally use the SecurityPEP node, though I accept that requires you to add the node to 400 flows and is non-optimal.

Frankly, I think the HTTPInput node will do everything you're asking.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Rgorbun44
PostPosted: Tue Aug 18, 2020 2:06 am Post subject: Reply with quote

Newbie

Joined: 17 Aug 2020
Posts: 4

Can I make authorization on the broker / integration server by token. A single rule. If a user accesses any application on my server with a token, then it skips, if not, then access is closed
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Aug 18, 2020 5:15 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26041
Location: Texas, USA

Rgorbun44 wrote:
Can I make authorization on the broker / integration server by token. A single rule. If a user accesses any application on my server with a token, then it skips, if not, then access is closed


I'm still not clear what you mean by "token". What's generating this token? What's administering it?

As to your question, the answer is "no" because what you're doing is not typical. As I've said a couple of times, it's much more common to have security at an application level or, if you prefer, very uncommon to have 400 applications with exactly the same access, authorization and authentication requirements.

You could, I imagine, put a single application in front of the other 400 that does this token check of yours and then routes the call on if the check is successful. I would, however, urge you to confirm this requirement with your site's security & audit teams. I have a very hard time believing they're happy with this.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportAuthentication on the server with a token
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.