Before you can configure a message flow to perform identity propagation, you must check that an appropriate security profile exists, or create a new security profile.
Creating a security profile
Using the command console, run the following command (the three property values in -v correspond, in order, to the three property names in -n):
mqsicreateconfigurableservice broker_name -c SecurityProfiles -o securityProfileName -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,securityIDName"
Alternatively, using the IIB Web User Interface:
- Select IIB Node --> Operational Policy --> Configurable Services.
- Create a new Configurable Service.
- Choose the SecurityProfiles type and set the same three properties.
Then stop and restart the broker so that the new security profile is picked up:
- Stop the broker.
- Start the broker.
An input node extracts security tokens if it is configured with a security profile at deployment time. An output node propagates an identity if it is configured with a security profile that enables propagation at deployment time.
To enable a message flow to perform identity propagation, complete the following steps.
Using the BAR editor, select a security profile that has identity propagation enabled. You can set a security profile on the whole message flow or on individual input and output nodes. If no security profile is set on an input or output node, the node inherits the setting from the message flow.
- In the Application Development view, right-click the BAR file, then click Open with > BAR Editor.
- Click the Manage and Configure tab (in IIB 10, click the Manage tab).
- Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view (in IIB 10, expand the Resources folder to select the flow or node).
- In the Security Profile Name field, select a security profile that has identity propagation enabled.
- Save the BAR file.
Alternatively, you can set a security profile on the flow or the input node by using the mqsiapplybaroverride command, for example:
mqsiapplybaroverride -b barFileName -k applicationName -m flowName#nodeName.securityProfileName=securityProfileName
Providing the identity to propagate
Configure a static user name and password identity by completing the following steps:
- Run the mqsisetdbparms command, where securityIDName is a name to associate with the static user name and password identity, and username and password are the identity credentials that you want to use.
- Create a SecurityProfiles configurable service (as in the mqsicreateconfigurableservice command shown earlier) that sets the following property values:
  - propagation: TRUE
  - idToPropagateToTransport: STATIC ID. This property enables the use of a specific security identity for propagation; the identity itself is named by the transportPropagationConfig parameter.
  - transportPropagationConfig: securityIDName, where securityIDName is the name that you associated with the static user name and password identity in the mqsisetdbparms command. This property enables or disables identity propagation on output and request nodes.
After creating the security profile and overriding the BAR file, I kept getting a 401 - Unauthorised status. After a lot of reading I came across this in the Information Center:
When security is enabled, the HTTPRequest and SOAPRequest nodes wait for a 401 response from the server that indicates which authentication mechanisms the server supports. The nodes then use the highest supported protocol for the connection, selected in the order listed previously. Once connected, that protocol is used to authenticate pre-emptively until the flow is stopped or the allowedAuthTypes property is changed. To configure any of the protocols to be used pre-emptively from the first request, run the following command:
mqsichangeproperties IBNODE -e default -o ComIbmSocketConnectionManager -n preemptiveAuthType -v "Basic"
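To see why the 401 persists in one mode and not the other, here is an added example (my own illustration, not code from this post or from IBM) that models the two client behaviours described above against a local test server. The server, credentials (flowuser / s3cret) and the two functions challenge_auth and preemptive_auth are constructed for the example; challenge_auth mimics a request node that waits for a 401 and only sends Basic credentials if the 401 advertises Basic in WWW-Authenticate, while preemptive_auth sends the Authorization header on the first request, as preemptiveAuthType=Basic does.

```python
"""Added example: challenge-driven vs pre-emptive HTTP Basic authentication.

A server that answers 401 without a WWW-Authenticate header (or with a scheme
the client does not understand) never tells a challenge-driven client which
mechanism to use, so that client keeps receiving 401. A pre-emptive client
sends credentials up front and succeeds against the same server.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed credentials for the local test server (not a real identity).
USERNAME = "flowuser"
PASSWORD = "s3cret"
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()


def make_handler(advertise_scheme: bool):
    """Build a handler; with advertise_scheme=False the 401 carries no challenge."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == EXPECTED_AUTH:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"ok")
                return
            self.send_response(401)
            if advertise_scheme:
                self.send_header("WWW-Authenticate", 'Basic realm="iib"')
            self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


def start_server(advertise_scheme: bool):
    """Start the test server on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(advertise_scheme))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def fetch(url: str, headers: dict):
    """GET url; return (status, response headers) even for 4xx responses."""
    try:
        with urlopen(Request(url, headers=headers)) as resp:
            return resp.status, resp.headers
    except HTTPError as err:
        return err.code, err.headers


def challenge_auth(url: str) -> int:
    """Default node behaviour: send nothing, then answer a Basic challenge if offered."""
    status, hdrs = fetch(url, {})
    if status != 401:
        return status
    if not hdrs.get("WWW-Authenticate", "").lower().startswith("basic"):
        return status  # no usable challenge: the client stays at 401
    status, _ = fetch(url, {"Authorization": EXPECTED_AUTH})
    return status


def preemptive_auth(url: str) -> int:
    """preemptiveAuthType=Basic: credentials go on the very first request."""
    status, _ = fetch(url, {"Authorization": EXPECTED_AUTH})
    return status


def run_scenario(advertise_scheme: bool) -> dict:
    """Run both clients against a server that does or does not advertise Basic."""
    server, url = start_server(advertise_scheme)
    try:
        return {"challenge": challenge_auth(url), "preemptive": preemptive_auth(url)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("server advertises Basic:", run_scenario(True))   # both 200
    print("server sends bare 401:  ", run_scenario(False))  # challenge 401, preemptive 200
```

Run it directly to see the two scenarios. The defensive takeaway is the same as the author's: if the back end does not emit a usable WWW-Authenticate challenge, switching the node to pre-emptive authentication is the fix, and it also means the credentials travel on every request, so the connection to that back end should be TLS.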
I made the change to authenticate pre-emptively and it worked!!!
Content from IBM © Integration Bus Information Center