Creating a security profile for WS-Trust V1.3 (TFIM V6.2)

You can create a security profile for a WS-Trust V1.3 compliant Security Token Service (STS), for example, Tivoli® Federated Identity Manager (TFIM) V6.2, for any combination of the following security operations: authentication, authorization, and mapping.

About this task

You can use the mqsicreateconfigurableservice command to create the security profile:

Creating a profile by using mqsicreateconfigurableservice

Creating a profile by using mqsicreateconfigurableservice

About this task

To create a security profile that uses a WS-Trust V1.3 compliant STS, you can use the mqsicreateconfigurableservice command by setting the configuration parameter to the full URL of the STS. The URL must consist of the transport scheme, host name, port, and path. For TFIM V6.2 WS-Trust V1.3 endpoint, the path is /TrustServerWST13/services/RequestSecurityToken. For example:

http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken

Procedure

To create a security profile that uses WS-Trust v1.3 for mapping, enter the following command:

mqsicreateconfigurableservice integrationNodeName -c SecurityProfiles 
-o profilename -n mapping,mappingConfig 
-v "WS-Trust v1.3 STS",http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken

To specify that you want the security manager to reject a user name during authentication if the user name has an empty password token, set rejectBlankpassword to TRUE. The default is FALSE, which means that a user name is authenticated against the WS-Trust server even if it has an empty password token.

To specify the way that the password is displayed in the properties folder, set passwordValue to one of the following values:

PLAIN: The password is displayed in the Properties folder as plain text.
OBFUSCATE: The password is displayed in the Properties folder as base64 encoding.
MASK: The password is displayed in the Properties folder as four asterisks (****).

If the URL specifies an address beginning with https://, an SSL secured connection is used for requests to the WS-Trust v1.3 server. For example, to create a security profile that uses an HTTPS connection to WS-Trust v1.3 for mapping, enter the following command:

mqsicreateconfigurableservice integrationNodeName -c SecurityProfiles 
-o profilename -n mapping,mappingConfig 
-v "WS-Trust v1.3 STS",https://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken

In addition to specifying the security profile URL as an address beginning with https://, you can configure the following advanced parameters, by setting integration node environment variables:

MQSI_STS_SSL_PROTOCOL

The version of the SSL protocol to be used. Valid values are:

SSL
SSLv3
Note: SSLv3 is disabled by default in IBM® Integration Bus Version 10.0, because SSLv3 is no longer considered secure; see Migrating a flow that uses SSLv3 for more information.
TLS

The initial value is TLS.

MQSI_STS_SSL_ALLOWED_CIPHERS

A space-separated list of the encryption ciphers that can be used. For a list of all the cipher suites that are supported by IBM Integration Bus, see the Java™ product information for your operating system. For operating systems that use IBM Java, see Appendix A of the IBM JSSE2 Guide: http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html

MQSI_STS_REQUEST_TIMEOUT

The STS request timeout, specified in seconds. The initial value is 100. For information about providing environment variables to the integration node, see Setting up a command environment.

MQSI_STS_REQUEST_ONBEHALFOF

If you set this environment variable to enabled, the WS-trust requests include the optional field wst:OnBehalfOf. This field is required when the STS server is secured and needs credentials/authentication tokens before it process the request.

If WS-Trust v1.3 STS is selected for more than one operation (for example, for authentication and mapping), the WS-Trust v1.3 server URL must be identical for all the operations, and is therefore specified only once.

The following example creates a security profile that uses TFIM V6.2 for authentication, mapping, and authorization:

mqsicreateconfigurableservice MYBROKER -c SecurityProfiles -o MyWSTrustProfile 
-n authentication,mapping,authorization,propagation,mappingConfig 
-v "WS-Trust v1.3 STS","WS-Trust v1.3 STS","WS-Trust v1.3 STS",TRUE,http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken