IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Implementing WS-Security

Configure authentication, XML encryption, XML signature, and message expiration by using the Policy Sets and Policy Set Bindings editor.

You use the Policy Sets and Policy Set Bindings editor in the IBM® Integration Explorer to configure the following aspects of WS-Security:

Authentication

The following tokens are supported:
  • Username
  • X.509
  • SAML assertions
  • Kerberos tickets
  • LTPA binary tokens
Configuring authentication with username tokens:
  1. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  2. In the Properties window, select the Security tab, and click Policy Sets.
  3. Create a policy set and add UserName authentication tokens to it; see Policy Sets and Policy Set Bindings editor: Authentication tokens panel.
  4. Further configure any X.509 authentication tokens defined in the associated policy set; see Policy Sets and Policy Set Bindings editor: Authentication and Protection Tokens panel.
  5. Configure a security profile; see Message flow security and security profiles.
  6. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.
Configuring authentication with X.509 tokens:
  1. If you are using the broker's truststore to hold the trusted certificate, you must configure it; see Viewing and setting keystore and truststore runtime properties at broker level or Viewing and setting keystore and truststore runtime properties at integration server level depending on where you want to set keystore and truststore runtime properties.
  2. Create a policy set and add UserName and X.509 authentication tokens to it; see Policy Sets and Policy Set Bindings editor: Authentication tokens panel.
  3. Configure the certificate mode for either broker truststore or an external security provider; see Policy Sets and Policy Set Bindings editor: Authentication and Protection Tokens panel.
  4. If you are using an external security provider, configure a security profile; see Message flow security and security profiles.
  5. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.
Configuring authentication with SAML assertions:
  1. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  2. In the Properties window, select the Security tab, and click Policy Sets.
  3. Create a policy set and add SAML pass-through 1.1 or SAML pass-through 2.0 tokens to it; see Policy Sets and Policy Set Bindings editor: Authentication tokens panel. SAML pass-through does not enforce subject confirmation; the assertion is simply provided as a token to be processed by the external Security Token Server specified in the security profile that is associated with the node.
  4. Configure a security profile. The security profile must be configured to use a WS-Trust v1.3 STS. For more information, see Message flow security and security profiles.
  5. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.
Configuring authentication with Kerberos tickets:
  1. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  2. In the Properties window, select the Security tab, and click Policy Sets.
  3. Create a policy set and add your Kerberos token type as symmetric tokens; see Policy Sets and Policy Set Bindings editor: Message Level Protection panel.
  4. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.
  5. Configure the host's Kerberos keytab file. For more information about Kerberos configuration, see the documentation for your broker's host system. For example, for Windows, see the "Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability", which you can access at http://technet.microsoft.com/en-us/library/.
Configuring authentication with LTPA binary tokens:
  1. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  2. In the Properties window, select the Security tab, and click Policy Sets.
  3. Create a policy set and add LTPA tokens to it; see Policy Sets and Policy Set Bindings editor: Authentication tokens panel. The LTPA binary token is passed through to the external Security Token Server (STS) specified in the security profile that is associated with the node.
  4. Configure a security profile. The security profile must be configured to use a WS-Trust v1.3 STS. For more information, see Message flow security and security profiles.
  5. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.

Confidentiality

Confidentiality is provided by XML encryption, and requires either X.509 tokens or Kerberos tickets.

Configuring XML encryption with X.509 tokens:
  1. If you are using the broker's truststore to hold the trusted certificate, you must configure it; see Viewing and setting keystore and truststore runtime properties at broker level or Viewing and setting keystore and truststore runtime properties at integration server level, depending on where you want to set keystore and truststore runtime properties.
  2. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  3. In the Properties window, select the Security tab, and click Policy Sets.
  4. Create a policy set, enable XML encryption, create encryption tokens, and select the encryption algorithms that you will use; see Policy Sets and Policy Set Bindings editor: Message Level Protection panel.
  5. Define which parts of a message are to be encrypted; see Policy Sets and Policy Set Bindings editor: Message Part Protection panel.
  6. Further configure message part encryption; see Policy Sets and Policy Set Bindings editor: Message Part Policies panel.
  7. Further configure the keystore and truststore; see Policy Sets and Policy Set Bindings editor: Key Information panel.
  8. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.
Configuring XML encryption with Kerberos tickets:
  1. Configure your host for Kerberos, providing a krb.conf configuration file. This step is required on all operating systems, including Windows.
  2. Provide the broker with the Kerberos client credentials for accessing the Kerberos Key Distribution Center (KDC). These credentials (which are required for SOAPRequest nodes) can be provided in the Broker properties tree, or by using the mqsisetdbparms command. The credentials are taken in the following order of priority:
    • The node has a security profile with the propagation property set to True and the Properties tree username and password token is present. If no username and password token exists, an exception is thrown.
    • mqsisetdbparms kerberos::<realm>::<integration server name>
    • mqsisetdbparms kerberos::<realm>
    • mqsisetdbparms kerberos::kerberos
  3. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  4. In the Properties window, select the Security tab, and click Policy Sets.
  5. Create a policy set and add the required Kerberos token type as Symmetric Tokens; see Policy Sets and Policy Set Bindings editor: Message Level Protection panel.

Integrity

Integrity is provided by XML signature, and requires either X.509 tokens or Kerberos tickets.

Configuring XML signature with X.509 tokens:
  1. If you are using the broker's truststore to hold the trusted certificate, you must configure it; see Viewing and setting keystore and truststore runtime properties at broker level or Viewing and setting keystore and truststore runtime properties at integration server level depending on where you want to set keystore and truststore runtime properties.
  2. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  3. In the Properties window, select the Security tab, and click Policy Sets.
  4. Create a policy set, enable XML signature, and create signature tokens; see Policy Sets and Policy Set Bindings editor: Message Level Protection panel.
  5. Define which parts of a message are to be signed; see Policy Sets and Policy Set Bindings editor: Message Part Protection panel.
  6. Further configure message part signature; see Policy Sets and Policy Set Bindings editor: Message Part Policies panel.
  7. Further configure the keystore and truststore; see Policy Sets and Policy Set Bindings editor: Key Information panel.
  8. Associate the policy set with a message flow or node; see Associating policy sets and bindings with message flows and nodes.
Configuring XML signature with Kerberos tickets:
  1. Configure your host for Kerberos, providing a krb.conf configuration file. This step is required on all operating systems, including Windows.
  2. Provide the broker with the Kerberos client credentials for accessing the Kerberos Key Distribution Center (KDC). These credentials (which are required for SOAPRequest nodes) can be provided in the Broker properties tree, or by using the mqsisetdbparms command. The credentials are taken in the following order of priority:
    • The node has a security profile with the propagation property set to True and the Properties tree username and password token is present. If no username and password token exists, an exception is thrown.
    • mqsisetdbparms kerberos::<realm>::<integration server name>
    • mqsisetdbparms kerberos::<realm>
    • mqsisetdbparms kerberos::kerberos
  3. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  4. In the Properties window, select the Security tab, and click Policy Sets.
  5. Create a policy set and add the required Kerberos token type as Symmetric Tokens; see Policy Sets and Policy Set Bindings editor: Message Level Protection panel.
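The credential priority order given in step 2 of both Kerberos procedures above (encryption and signature) is the same, and it is easy to misread when several mqsisetdbparms entries coexist. The following added example (not IBM code) models that selection order as a function: propagated Properties-tree credentials win when propagation is enabled, otherwise the most specific mqsisetdbparms resource name wins. The function name, the dictionary standing in for the registered resource names, and the exception raised when no entry matches at all are assumptions for this illustration; the page only states that an exception is thrown when propagation is enabled but no token is present.

```python
"""Model of the Kerberos client-credential selection order for SOAPRequest nodes.

Added illustration, not part of the IBM Integration Bus documentation.
resolve_kerberos_credential, MissingCredentialError and the `stored` mapping
(which stands in for resource names registered with mqsisetdbparms) are
assumptions made for this example.
"""
from typing import Optional


class MissingCredentialError(Exception):
    """Raised when the documented lookup order yields no usable credential."""


def resolve_kerberos_credential(realm: str, server_name: str,
                                stored: dict[str, tuple[str, str]],
                                propagation: bool = False,
                                props_token: Optional[tuple[str, str]] = None
                                ) -> tuple[str, tuple[str, str]]:
    """Return (source, (user, password)) following the documented priority.

    1. Security profile with propagation=True: the Properties tree username
       and password token must be present, otherwise an exception is thrown.
    2. kerberos::<realm>::<integration server name>
    3. kerberos::<realm>
    4. kerberos::kerberos
    """
    if propagation:
        if props_token is None:
            raise MissingCredentialError(
                "propagation is enabled but no username/password token "
                "is present in the Properties tree")
        return ("properties-tree", props_token)

    # Most specific resource name first, exactly as the documentation lists them.
    candidates = (
        f"kerberos::{realm}::{server_name}",
        f"kerberos::{realm}",
        "kerberos::kerberos",
    )
    for name in candidates:
        if name in stored:
            return (name, stored[name])

    # Assumption: nothing registered at all is treated as an error here.
    raise MissingCredentialError(f"no Kerberos credentials registered for realm {realm}")


if __name__ == "__main__":
    # Constructed sample of what an administrator might have registered.
    registered = {
        "kerberos::EXAMPLE.COM": ("svc-broker", "placeholder-password"),
        "kerberos::kerberos": ("svc-default", "placeholder-password"),
    }
    print(resolve_kerberos_credential("EXAMPLE.COM", "default", registered))
    print(resolve_kerberos_credential("OTHER.COM", "default", registered))
```

When auditing a broker, listing the registered kerberos:: resource names against this order shows which entry actually serves each integration server, and whether a broad kerberos::kerberos fallback is silently being used for a realm that should have its own credential.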

Expiration

ac60160_.htm | Last updated Friday, 21 July 2017