Configuring the extraction of an identity or security token
You can configure the SecurityPEP node or security enabled input nodes to extract the identity or security token from a message and store it in the properties tree identity fields, enabling it to be processed throughout the message flow and propagated at output or request nodes.
Before you begin
Check that an appropriate security profile exists or create a new security profile. See Creating a security profile.
About this task
- An MQInput node, with the Identity token type security property set to Transport default, retrieves the UserIdentifier element from the message descriptor (MQMD) and puts it into the Identity Source Token element of the Properties folder. At the same time, it sets the Identity Source Type element to username and the Identity Source Issued By element to MQMD.PutApplName (the put application name).
- An HTTPInput node, with the Identity token type security property set to Transport default, retrieves the BasicAuth header from the HTTP request, decodes it, and puts it into the Identity Source Token and Password elements in the Properties folder. At the same time, it sets the Identity Source Type element to username + Password and the Identity Source Issued By element to the HTTP header UserAgent property.
- A SOAPInput node retrieves the appropriate tokens as defined by the configured WS-Security policy sets and bindings or, if they are not set, the token type determined by the transport binding (for example, BasicAuth for HTTP transport). The SOAPInput node then populates the identity source fields in the Properties folder with the retrieved tokens. With a Kerberos policy set and bindings, the token type is a Username containing the Service Principal Name (SPN) from the Kerberos ticket.
- A SecurityPEP node, with the Identity token type property set to Current token, can use the token that has been extracted by an upstream input or SecurityPEP node and stored in the Properties folder.
In some cases, the information extracted from the transport headers is not set or is insufficient to perform authentication or authorization. For example, authentication requires a Username + Password type token; however, with WebSphere® MQ only a username is available, which means that the incoming identity has to be trusted. You can increase security in this case by applying transport-level security with WebSphere MQ Extended Security Edition.
If the transport header cannot provide the required identity credentials, the information must be provided as part of the body of the incoming message. To enable the identity information to be taken from the body of the message, you must specify the location of the information by using either the Security tab on the HTTP, MQ, and SCA input nodes or the Basic tab on the SecurityPEP node, or by configuring the required policy set and bindings WS-Security profile on the SOAP node. A SOAP node with a Kerberos policy set and bindings extracts a Username token containing the Service Principal Name (SPN) of the Kerberos ticket.
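The following is an added illustration (not IBM Integration Bus code) of the transport-default extraction described above: how the MQMD UserIdentifier and the HTTP BasicAuth header map onto the identity fields of the Properties folder, and why the MQ case cannot satisfy a Username + Password authentication check. The IdentityProperties class, the sample MQMD and headers, and the function names are assumptions made for this example.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Properties-folder identity fields the page describes
# (Identity Source Token / Password / Type / Issued By). Illustration only, not IIB's API.
@dataclass
class IdentityProperties:
    source_token: Optional[str] = None
    source_password: Optional[str] = None
    source_type: Optional[str] = None
    source_issued_by: Optional[str] = None

# Constructed sample inputs standing in for an MQMD and an HTTP request's headers.
SAMPLE_MQMD = {"UserIdentifier": "mqapp", "PutApplName": "orders.exe"}
SAMPLE_HTTP_HEADERS = {"Authorization": "Basic YWxpY2U6czNjcmV0",  # "alice:s3cret"
                       "User-Agent": "curl/8.0"}

def extract_mq_identity(mqmd: dict) -> IdentityProperties:
    """MQInput, Identity token type = Transport default: MQMD.UserIdentifier
    becomes the Source Token, type 'username', issued by MQMD.PutApplName."""
    return IdentityProperties(source_token=mqmd.get("UserIdentifier"),
                              source_type="username",
                              source_issued_by=mqmd.get("PutApplName"))

def extract_http_identity(headers: dict) -> IdentityProperties:
    """HTTPInput, Identity token type = Transport default: decode the BasicAuth
    header into Source Token + Password, type 'username + Password', issued by
    the User-Agent header. Fields stay unset if no usable header is present."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return IdentityProperties()  # identity must then come from the message body
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return IdentityProperties()  # malformed header: treat as no credentials
    user, _, password = decoded.partition(":")
    return IdentityProperties(user, password, "username + Password",
                              headers.get("User-Agent"))

def can_authenticate(props: IdentityProperties) -> bool:
    """Authentication needs a 'username + Password' token; a bare username
    (the MQ transport-default case) can only be trusted, not verified."""
    return (props.source_type == "username + Password"
            and bool(props.source_token) and props.source_password is not None)
```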
Procedure
What to do next
- In the IBM Integration Toolkit, right-click the BAR file, then click .
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
- In the Security Profile Name field, select a security profile.
- Save the BAR file.
Alternatively, set the security profile on a node by overriding the node property with the mqsiapplybaroverride command:
mqsiapplybaroverride -b barFileName -k applicationName -m flowName#nodeName.securityProfileName=securityProfileName
For more information, see mqsiapplybaroverride command.