IBM Support

IC98376: INTEGRATED SECURITY ENHANCEMENTS SUPPORT FOR HTTP AND SOAP NODES


APAR status

  • Closed as program error.

Error description

  • This APAR adds inbound and outbound support for Integrated
    Windows Authentication to the SOAP Input and Request and HTTP
    Input and Request nodes when running a broker.
    NTLM, SPNEGO and Kerberos are supported.
    
    For inbound support this APAR adds a new property
    "integratedWindowsAuthentication" to the HTTPConnector and
    HTTPSConnector objects. This property can take the following
    values:
    NTLM - Specify the use of NTLM
    Negotiate - Specify the use of SPNEGO to negotiate either
    Kerberos or NTLM
    Negotiate:Kerberos - Specify the use of Kerberos only, without
    falling back to NTLM
    
    You may also specify a semi-colon delimited list of acceptable
    protocols, for example to allow NTLM or Negotiate on a non-SSL
    connection you can set:
    
    mqsichangeproperties IB9Node -e default -o HTTPConnector -n
    integratedWindowsAuthentication -v "NTLM;Negotiate"
    
    For outbound support a new property "allowedAuthTypes" is added
    to the ComIbmSocketConnectionManager object. This property can
    take the following values:
    
    IWA - Allow the broker to authenticate using any IWA protocol
    NTLM - Allow the broker to authenticate using NTLM
    Negotiate - Allow the broker to authenticate using SPNEGO (NTLM
    or Kerberos)
    Nego2 - Allow the broker to authenticate using SPNEGO-2 (NTLM or
    Kerberos)
    None - Do not authenticate
    All - Allow authentication with any supported protocol
    Basic - Allow Authentication with Basic Auth
    
    When any protocol other than Basic Auth is enabled, the
    HTTPRequest or SOAPRequest nodes will not pre-emptively
    authenticate to the service. Instead they will wait for a 401
    response from the server indicating which authentication
    mechanisms the server supports and will use the highest
    supported protocol. Once connected, this protocol will be used to
    authenticate pre-emptively until the flow is stopped or the
    allowedAuthTypes property is changed. To configure any of the
    protocols to always be used for pre-emptive authentication, this
    APAR also adds the property "preemptiveAuthType" to the
    ComIbmSocketConnectionManager. This property can take any of the
    following values:
    
    Basic - Pre-emptively authenticate using Basic Auth
    NTLM - Pre-emptively authenticate using NTLM
    Negotiate - Pre-emptively authenticate using SPNEGO (NTLM or
    Kerberos)
    Nego2 - Pre-emptively authenticate using SPNEGO2 (NTLM or
    Kerberos)
    
    When using any form of outbound authentication there must be a
    security profile configured on the node or flow which is
    configured for Identity Propagation. The pre-supplied "Default
    Propagation" security profile is sufficient.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of IBM Integration Bus V9.0 on Windows.
    
    
    Platforms affected:
    Windows on x86 platform, Windows on x86-64 platform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    IBM Integration Bus does not support Integrated Windows
    Authentication for web services; in particular, the NTLM,
    SPNEGO and SPNEGO2 protocols are not supported.
    
    There are a number of resource name changes between WebSphere
    Message Broker and IBM Integration Bus Version 9.0. For details
    visit
    http://pic.dhe.ibm.com/infocenter/wmbhelp/v9r0m0/topic/com.ibm.etools.mft.doc/bb23814_.htm
    

Problem conclusion

  • IBM Integration Bus now supports Integrated Windows
    Authentication inbound and outbound for the SOAPInput and
    SOAPRequest and HTTPInput and HTTPRequest nodes. The NTLM,
    SPNEGO and Kerberos protocols are supported.
    
    INBOUND
    ------------
    For inbound support this APAR adds a new property
    "integratedWindowsAuthentication" to the HTTPConnector and
    HTTPSConnector objects. This property can take the following
    values:
    NTLM - Specify the use of NTLM
    Negotiate - Specify the use of SPNEGO to negotiate either
    Kerberos or NTLM
    Negotiate:Kerberos - Specify the use of Kerberos only, without
    falling back to NTLM
    
    You may also specify a semi-colon delimited list of acceptable
    protocols, for example to allow NTLM or Negotiate on a non-SSL
    connection you can set:
    
    mqsichangeproperties IB9Node -e default -o HTTPConnector -n
    integratedWindowsAuthentication -v "NTLM;Negotiate"
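The inbound property described in the Error description and again here governs which Windows mechanisms the HTTPConnector/HTTPSConnector accepts; tightening it from "Negotiate" to "Negotiate:Kerberos" removes the NTLM fallback. The following added example (not code from the APAR or from IBM Integration Bus) classifies the mechanism a client actually used from its Authorization header and audits a set of constructed log lines against a candidate property value, so an administrator can see which clients would stop authenticating before making the change. Mechanism detection is a byte-signature heuristic (NTLM tokens begin with "NTLMSSP\0"; Kerberos GSS tokens carry the krb5 mechanism OID), not a full SPNEGO parse; the log format and the client addresses are assumptions.

```python
# Added example; not code from the APAR or from IBM Integration Bus. It
# classifies the mechanism a client really used in an HTTP Authorization
# header and checks it against the semantics the APAR gives for the inbound
# "integratedWindowsAuthentication" property, so an administrator can see
# which clients would stop authenticating before tightening a connector from
# "Negotiate" to "Negotiate:Kerberos". Mechanism detection is a byte-signature
# heuristic (NTLM tokens start with "NTLMSSP\0"; Kerberos GSS tokens carry the
# krb5 mechanism OID), not a full SPNEGO parse. All log lines are constructed.
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs: Kerberos V5 (1.2.840.113554.1.2.2) and the
# Microsoft variant (1.2.840.48018.1.2.2) that Windows clients also send.
KRB5_MECH_OIDS = (
    bytes.fromhex("06092a864886f712010202"),
    bytes.fromhex("06092a864882f712010202"),
)
VALID_INBOUND_VALUES = {"NTLM", "Negotiate", "Negotiate:Kerberos"}
SCHEMES = {"ntlm": "NTLM", "negotiate": "Negotiate", "basic": "Basic"}


def classify_authorization(header: str):
    """Return (scheme, mechanism) for one Authorization header value.

    scheme is the HTTP auth scheme; mechanism is what the token shows the
    client actually used: 'NTLM', 'Kerberos', 'Basic' or 'unknown'.
    """
    scheme, _, token = header.strip().partition(" ")
    scheme = SCHEMES.get(scheme.lower(), scheme)
    if scheme == "Basic":
        return scheme, "Basic"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return scheme, "unknown"
    if NTLMSSP_SIGNATURE in raw:          # NTLM, bare or carried inside SPNEGO
        return scheme, "NTLM"
    if any(oid in raw for oid in KRB5_MECH_OIDS):
        return scheme, "Kerberos"
    return scheme, "unknown"


def parse_inbound_setting(setting: str):
    """Split the semicolon-delimited property value and reject unknown entries."""
    values = [v.strip() for v in setting.split(";") if v.strip()]
    bad = [v for v in values if v not in VALID_INBOUND_VALUES]
    if bad or not values:
        raise ValueError(f"invalid integratedWindowsAuthentication value(s): {bad}")
    return values


def accepted_by(setting: str, scheme: str, mechanism: str) -> bool:
    """Model of the APAR's documented semantics for each property value."""
    for value in parse_inbound_setting(setting):
        if value == "NTLM" and scheme == "NTLM" and mechanism == "NTLM":
            return True
        if value == "Negotiate" and scheme == "Negotiate" and mechanism in ("NTLM", "Kerberos"):
            return True
        if value == "Negotiate:Kerberos" and scheme == "Negotiate" and mechanism == "Kerberos":
            return True
    return False


def audit(log_lines, setting: str):
    """Count, per mechanism, which logged requests the setting would accept.

    Each constructed log line is "<client>\t<Authorization header value>".
    Schemes the property does not govern (e.g. Basic) are counted as 'not_iwa'.
    """
    counts = {"accepted": 0, "rejected": 0, "not_iwa": 0, "by_mechanism": {}}
    for line in log_lines:
        _client, _, auth = line.partition("\t")
        scheme, mechanism = classify_authorization(auth)
        counts["by_mechanism"][mechanism] = counts["by_mechanism"].get(mechanism, 0) + 1
        if scheme not in ("NTLM", "Negotiate"):
            counts["not_iwa"] += 1
        elif accepted_by(setting, scheme, mechanism):
            counts["accepted"] += 1
        else:
            counts["rejected"] += 1
    return counts


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample: truncated tokens that carry only the identifying prefix.
SAMPLE_LOG = [
    "10.0.0.5\tNegotiate " + _b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"),  # NTLM via Negotiate
    "10.0.0.6\tNegotiate " + _b64(b"\x60\x0b" + KRB5_MECH_OIDS[0]),           # Kerberos via Negotiate
    "10.0.0.7\tNTLM " + _b64(NTLMSSP_SIGNATURE + b"\x03\x00\x00\x00"),       # bare NTLM
    "10.0.0.8\tBasic " + _b64(b"user:pass"),                                 # not governed by IWA
]

if __name__ == "__main__":
    for setting in ("NTLM;Negotiate", "Negotiate:Kerberos"):
        print(setting, audit(SAMPLE_LOG, setting))
```

Run against real connector logs, the "rejected" count under "Negotiate:Kerberos" is the number of clients that still depend on the NTLM fallback; those need a working Kerberos path (correct SPN, domain-joined client) before the property is tightened.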
    
    OUTBOUND
    --------------
    For outbound support a new property "allowedAuthTypes" is added
    to the ComIbmSocketConnectionManager object.
    
    This property can take the following values:
    
    IWA - Allow the broker to authenticate using any IWA protocol
    NTLM - Allow the broker to authenticate using NTLM
    Negotiate - Allow the broker to authenticate using SPNEGO (NTLM
    or Kerberos)
    Nego2 - Allow the broker to authenticate using SPNEGO-2 (NTLM or
    Kerberos)
    None - Do not authenticate
    All - Allow authentication with any supported protocol
    Basic - Allow Authentication with Basic Auth
    
    When any protocol other than Basic Auth is enabled, the
    HTTPRequest or SOAPRequest nodes will not preemptively
    authenticate to the service. Instead they will wait for an HTTP
    401 response from the server indicating which authentication
    mechanisms the server supports and will use the highest
    supported protocol. Once connected, this protocol will be used to
    authenticate preemptively until the flow is stopped or the
    allowedAuthTypes property is changed. To configure any of the
    protocols to always be used for preemptive authentication, this
    APAR also adds the property "preemptiveAuthType" to the
    ComIbmSocketConnectionManager.
    
    This property can take any of the following values:
    
    Basic - Preemptively authenticate using Basic Auth
    NTLM - Preemptively authenticate using NTLM
    Negotiate - Preemptively authenticate using SPNEGO (NTLM or
    Kerberos)
    Nego2 - Preemptively authenticate using SPNEGO2 (NTLM or
    Kerberos)
    
    When using any form of outbound authentication there must be a
    security profile configured on the Node or Flow which is
    configured for Identity Propagation. The pre-supplied "Default
    Propagation" security profile is sufficient.
    
    For more advanced scenarios, the following optional
    configuration properties can also be used with the
    ComIbmSocketConnectionManager object:
    
    allowNtlmNegotiation='TRUE' - set this to 'FALSE' to prevent
    NTLM from being negotiated with the Negotiate and Nego2
    authentication protocols
    negotiateMutualAuth='FALSE' - set this to 'TRUE' if you require
    mutual authentication when the Kerberos protocol is negotiated
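The outbound behaviour above (wait for the 401 unless only Basic is enabled, pick the highest mutually supported scheme, then keep using it pre-emptively until the flow stops, with allowNtlmNegotiation and preemptiveAuthType adjusting the outcome) is easier to reason about as state. The following added example is not code from the APAR or from IBM Integration Bus; it is a model of the documented rules. The ranking among challenged schemes (Nego2, then Negotiate, NTLM, Basic) is an assumption, since the APAR only says "the highest supported protocol", and the 401 challenges are constructed.

```python
# Added example; not code from the APAR or from IBM Integration Bus. It models
# the outbound behaviour the APAR describes for HTTPRequest/SOAPRequest so the
# interaction of allowedAuthTypes, preemptiveAuthType and allowNtlmNegotiation
# can be reasoned about offline. The ranking of challenged schemes (Nego2, then
# Negotiate, NTLM, Basic) is an assumption: the APAR only says "the highest
# supported protocol". The 401 challenges below are constructed.

VALID_ALLOWED = {"IWA", "NTLM", "Negotiate", "Nego2", "None", "All", "Basic"}
CONCRETE = {"NTLM", "Negotiate", "Nego2", "Basic"}
PREFERENCE = ["Nego2", "Negotiate", "NTLM", "Basic"]   # assumed ranking


def expand_allowed(value: str):
    """Turn the semicolon-delimited allowedAuthTypes value into concrete schemes."""
    values = [v.strip() for v in value.split(";") if v.strip()]
    bad = [v for v in values if v not in VALID_ALLOWED]
    if bad or not values:
        raise ValueError(f"invalid allowedAuthTypes value(s): {bad}")
    allowed = set()
    for v in values:
        if v == "All":
            allowed |= CONCRETE
        elif v == "IWA":
            allowed |= {"NTLM", "Negotiate", "Nego2"}
        elif v != "None":
            allowed.add(v)
    return allowed


def parse_challenges(www_authenticate_values):
    """Scheme names offered in a 401's WWW-Authenticate headers, one value each."""
    canonical = {s.lower(): s for s in CONCRETE}
    schemes = []
    for value in www_authenticate_values:
        scheme = value.strip().split(" ", 1)[0].rstrip(",")
        schemes.append(canonical.get(scheme.lower(), scheme))
    return schemes


class OutboundAuthState:
    """State one HTTPRequest/SOAPRequest node keeps for a remote service."""

    def __init__(self, allowed_auth_types, preemptive_auth_type=None,
                 allow_ntlm_negotiation=True):
        self.allowed = expand_allowed(allowed_auth_types)
        self.preemptive = preemptive_auth_type
        self.allow_ntlm_negotiation = allow_ntlm_negotiation
        self.learned = None     # scheme chosen after the first 401

    def initial_request_auth(self):
        """Scheme sent with a request before any challenge, or None to wait for a 401."""
        if self.preemptive:
            return self.preemptive
        if self.allowed == {"Basic"}:     # only Basic enabled: pre-emptive Basic
            return "Basic"
        return self.learned               # set once a 401 has been negotiated

    def on_401(self, www_authenticate_values):
        """Pick the highest-ranked scheme both sides support; None if no overlap."""
        offered = set(parse_challenges(www_authenticate_values)) & self.allowed
        for scheme in PREFERENCE:
            if scheme in offered:
                self.learned = scheme
                return scheme, self.mechanisms(scheme)
        return None

    def mechanisms(self, scheme):
        """GSS mechanisms SPNEGO may settle on; allowNtlmNegotiation='FALSE' removes NTLM."""
        if scheme in ("Negotiate", "Nego2"):
            return {"Kerberos", "NTLM"} if self.allow_ntlm_negotiation else {"Kerberos"}
        return {scheme}

    def stop_flow(self):
        """Stopping the flow (or changing allowedAuthTypes) forgets the negotiated scheme."""
        self.learned = None


if __name__ == "__main__":
    state = OutboundAuthState("Negotiate;NTLM;Basic")
    print(state.initial_request_auth())                  # None: wait for the 401
    print(state.on_401(["Negotiate", "NTLM", 'Basic realm="svc"']))
    print(state.initial_request_auth())                  # Negotiate, now pre-emptive
```

The model makes one consequence visible: with "Basic" included alongside the IWA schemes, a service that only ever challenges with Basic will be sent Basic credentials, so allowedAuthTypes should list only what the target service is expected to offer, and allowNtlmNegotiation='FALSE' is what stops a Negotiate exchange from settling on NTLM.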
    
    Note: When negotiating Kerberos, the broker automatically
    generates a service principal name (SPN) for the service based
    on the host name for the request. For example, if the URL for
    the service is https://iib.iibservice/testservice/service1.svc
    the SPN will be assumed to be 'HTTP/iib.iibservice'. If the
    service exists at a different SPN, use the following local
    environment overrides to provide an explicit SPN for the
    service.
    
    For HTTP:
    SET OutputLocalEnvironment.Destination.HTTP.ServicePrincipalName
    = 'HTTP/iib.iibservice2.com:7800';
    
    For SOAP:
    SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ServicePrincipalName
    = 'HTTP/iib.iibservice2.com:7800';
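The SPN rule in the note above is the usual cause of a Kerberos negotiation that silently falls back to NTLM: the broker asks the KDC for a ticket to HTTP/<host name> with no port, while the service may be registered under a name that includes one. The following added example (not code from the APAR or from IBM Integration Bus) applies the documented derivation to a request URL, compares it with the SPN the service is actually registered under, and emits the corresponding ESQL override from the APAR. The URLs and SPNs are constructed around the APAR's own examples; the case-insensitive comparison reflects how Active Directory matches servicePrincipalName values.

```python
# Added example; not code from the APAR or from IBM Integration Bus. It applies
# the APAR's rule for the SPN the broker assumes ("HTTP/" plus the request's
# host name, port not included) and emits the local-environment override from
# the APAR when the service is registered under a different SPN. The URL and
# SPN values are constructed around the APAR's own examples.
from urllib.parse import urlsplit

OVERRIDE_PATHS = {
    "HTTP": "OutputLocalEnvironment.Destination.HTTP.ServicePrincipalName",
    "SOAP": "OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ServicePrincipalName",
}


def default_spn(url: str) -> str:
    """SPN the broker derives from the request URL: HTTP/<host name>, no port."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return f"HTTP/{host}"


def override_needed(url: str, registered_spn: str) -> bool:
    """True when the service's actual SPN differs from the derived one.

    The comparison ignores case, which is how Active Directory matches
    servicePrincipalName values.
    """
    return default_spn(url).lower() != registered_spn.strip().lower()


def spn_override_esql(registered_spn: str, node_kind: str) -> str:
    """The ESQL SET statement for an HTTPRequest ("HTTP") or SOAPRequest ("SOAP") node."""
    path = OVERRIDE_PATHS[node_kind.upper()]
    literal = registered_spn.replace("'", "''")   # ESQL doubles an embedded quote
    return f"SET {path} = '{literal}';"


def plan_spn(url: str, registered_spn: str, node_kind: str):
    """None when the default SPN already matches, else the override statement."""
    if not override_needed(url, registered_spn):
        return None
    return spn_override_esql(registered_spn, node_kind)


if __name__ == "__main__":
    print(default_spn("https://iib.iibservice/testservice/service1.svc"))
    print(plan_spn("https://iib.iibservice2.com:7800/testservice/service1.svc",
                   "HTTP/iib.iibservice2.com:7800", "SOAP"))
```

Note that the derived SPN uses the HTTP service class even for an https URL, as in the APAR's own example; the registered SPN to compare against is whatever setspn shows for the service account on the target host.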
    
    When using any form of outbound authentication, there must be a
    security profile configured on the node or flow that is
    configured for identity propagation. The supplied Default
    Propagation security profile is sufficient. In addition, if you
    are using an HTTPRequest node, you must set the HTTP version
    property to "1.1" and select "Enable HTTP/1.1 keep-alive" on the
    HTTP Settings tab in the Properties view.
    
    To check what the current outbound authentication is, run the
    following command:
    
    mqsireportproperties brokerName -e ExecutionGroupName -o
    ComIbmSocketConnectionManager -r
    
    The new property, "allowedAuthTypes", is displayed within the
    connector properties. If multiple values are set, they are
    separated by a semicolon.
    
    If no specific credentials are set, the credentials of the
    broker service user ID (the user ID specified on the
    mqsicreatebroker command) are sent to the remote service. If you
    require specific identity credentials to be propagated, you must
    set the appropriate credentials in the Properties tree. For more
    information, see the task topic "Configuring authentication with
    HTTP basic authentication" in the Knowledge Center.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.0       9.0.0.2
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available, information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC98376

  • Reported component name

    INTEGRATION BUS

  • Reported component ID

    5724J0530

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2013-12-17

  • Closed date

    2014-07-03

  • Last modified date

    2014-07-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    INTEGRATION BUS

  • Fixed component ID

    5724J0530

Applicable component levels

  • R900 PSY

       UP


Document Information

Modified date:
03 July 2014