Authenticating incoming requests with IWA on Windows
Set up IBM® Integration Bus to use Integrated Windows Authentication (IWA) to secure inbound requests against an integration node on Windows.
Before you begin
Securing an IBM Integration Bus service with IWA modifies the behavior of only the HTTPInput and SOAPInput nodes. For inbound support, IWA requires the HTTP and SOAP nodes to use an embedded (integration server) listener. IWA is not supported by integration node listeners. SOAP nodes use embedded listeners by default, but HTTP nodes use integration node listeners by default. For information on how to switch to an embedded listener, see Switching from an integration node listener to embedded listeners.
If you are using HTTP over SSL (HTTPS), you must set up a public key infrastructure (PKI). For more information, see Setting up a public key infrastructure.
About this task
To enable IWA on an integration node running on Windows, run the following command:
mqsichangeproperties integrationNodeName -e integrationServerName -o ConnectorType -n integratedWindowsAuthentication -v "PropertyValue"
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- ConnectorType is HTTPSConnector for an SSL connection, or HTTPConnector for a non-SSL connection.
- PropertyValue is NTLM, Negotiate, or Negotiate:Kerberos. Multiple values can be given, separated by a semicolon or a space; the values are not case-sensitive. The order in which the values are specified is the order in which they are returned to the client in the HTTP response. To disable IWA, set this property to a blank string.
To check what the current IWA setting is, run the following command:
mqsireportproperties integrationNodeName -e integrationServerName -o ConnectorType -r
The following output is displayed within the connector properties:
- integratedWindowsAuthentication='PropertyValue'
- integratedWindowsAuthentication=''
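The following Python check is an added example, not part of the IBM documentation. It parses the integratedWindowsAuthentication line from mqsireportproperties output and compares it with the value you intended to set, applying the separator, case and ordering rules described above. The function names and the sample report text are constructed for illustration.

```python
import re

# The three values this page lists as valid, keyed by lowercase form
# because the property is not case-sensitive.
ALLOWED = {
    "ntlm": "NTLM",
    "negotiate": "Negotiate",
    "negotiate:kerberos": "Negotiate:Kerberos",
}
_IWA_LINE = re.compile(r"integratedWindowsAuthentication='([^']*)'")

# Constructed sample of the relevant part of mqsireportproperties output.
SAMPLE_REPORT = "HTTPConnector\n  integratedWindowsAuthentication='ntlm Negotiate'\n"


def parse_schemes(value):
    """Split a PropertyValue on semicolons or spaces, keeping the order.

    Returns canonical names; a blank value yields [] (IWA disabled).
    Raises ValueError for anything outside the documented values.
    """
    schemes = []
    for token in re.split(r"[;\s]+", value.strip()):
        if not token:
            continue
        canonical = ALLOWED.get(token.lower())
        if canonical is None:
            raise ValueError(f"unsupported IWA value: {token!r}")
        schemes.append(canonical)
    return schemes


def reported_schemes(report_text):
    """Extract the ordered scheme list from mqsireportproperties output."""
    match = _IWA_LINE.search(report_text)
    if match is None:
        raise LookupError("integratedWindowsAuthentication not in report")
    return parse_schemes(match.group(1))


def check_connector(report_text, intended_value):
    """Return 'ok', 'disabled', 'order-differs' or 'mismatch'."""
    actual = reported_schemes(report_text)
    intended = parse_schemes(intended_value)
    if actual == intended:
        return "ok"
    if not actual:
        return "disabled"
    if sorted(actual) == sorted(intended):
        return "order-differs"  # same schemes, offered in another order
    return "mismatch"
```

Feed it the captured output of the mqsireportproperties command above together with the string you passed to -v; any result other than 'ok' means the connector is not offering what you configured.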
Results
Local environment tree credentials | Properties folder credentials |
---|---|
username (root folder) | IdentitySourceType |
> fullName (consisting of realm\username) | |
> username | IdentitySourceToken |
> realm | IdentitySourceIssuedBy |
> package | |
> spn | |
> sid | |
Examples
mqsichangeproperties IBNODE -e default -o HTTPSConnector -n integratedWindowsAuthentication -v "Negotiate"
mqsichangeproperties IBNODE -e default -o HTTPConnector -n integratedWindowsAuthentication -v "NTLM;Negotiate"
mqsichangeproperties IBNODE -e default -o HTTPConnector -n integratedWindowsAuthentication -v ""