IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Security profiles

A security profile defines the security operations that are to be performed in a message flow at SecurityPEP nodes and security enabled input and output nodes.

Security profiles are configured by the broker administrator before deploying a message flow, and are accessed by the security manager at run time.

A security profile allows a broker administrator to specify whether identity and security token propagation, authentication, authorization, and mapping are performed on the identity or security tokens associated with messages in the message flow, and if so, which external security provider (also known as a Policy Decision Point or PDP) is used. IBM® Tivoli® Federated Identity Manager (TFIM) V6.1, and WS-Trust v1.3 compliant security token servers (including TFIM V6.2), are supported for authentication, authorization, and mapping. Lightweight Directory Access Protocol (LDAP) is supported for authentication and authorization.

Security profiles apply to the SecurityPEP node and to security enabled input, output, and request nodes, and are configured by the administrator at deployment time in the Broker Archive editor. These nodes have a Security Profile property (in the Broker Archive editor), which can be left blank, set to No Security, or set to a specific security profile name. Set No Security to explicitly turn off security for the node. If you leave the Security Profile property blank, the node inherits the Security Profile property that is set at the message flow level. If you leave the Security Profile property blank at both levels, security is turned off for the node. When this property is set to the name of a specific security profile, that profile determines what message flow security is configured. If the named security profile does not exist in the run time, the message flow fails to deploy. If the specified external security provider does not support the type of token configured on the node for the security operation, an error is reported and the message flow fails to deploy.

The security profile also specifies whether propagation is required. A pre-configured profile that specifies propagation is provided for use by output and request nodes. This profile is the Default Propagation security profile. This profile can also be used on an input node to extract tokens and put them into the message tree ready for propagation or processing in a SecurityPEP node.

Security profiles contain values for the following properties:

authentication
Defines the type of authentication that is performed on the source identity. This property applies only to SecurityPEP nodes and input nodes. For more information, see Authentication and validation.
authenticationConfig
Defines the information that the broker needs to connect to the provider, and the information needed to look up the identity tokens. It is a provider-specific configuration string. This property applies only to SecurityPEP nodes and input nodes.
mapping
Defines the type of mapping that is performed on the source identity. This property applies only to SecurityPEP nodes and input nodes. For more information, see Identity mapping.
mappingConfig
Defines how the broker connects to the provider, and contains additional information required to look up the mapping routine. It is a provider-specific configuration string. This property applies only to SecurityPEP nodes and input nodes.
authorization
Defines the types of authorization checks that are performed on the mapped or source identity. This property applies only to SecurityPEP nodes and input nodes. For more information, see Authorization.
authorizationConfig
Defines how the broker connects to the provider, and contains additional information that can be used to check access (for example, a group that can be checked for membership). It is a provider-specific configuration string. This property applies only to SecurityPEP nodes and input nodes.
passwordValue
Defines how passwords are treated when they enter a message flow. If PLAIN is selected, the password appears in the Properties folder in plain text. If OBFUSCATE is selected, the password appears in the Properties folder in base64 encoding. If MASK is selected, the password appears in the Properties folder as four asterisks (****). This property applies only to SecurityPEP nodes and input nodes.
propagation
Enables or disables identity propagation on output and request nodes. On the security enabled input nodes, you can choose to select only identity propagation, without specifying any other security operations, to make the extracted incoming identity or security token available for use in the other nodes in the message flow, such as output or request nodes. For more information, see Identity and security token propagation.
idToPropagateToTransport
Enables the use of a specific security identity for propagation. Set the value to STATIC ID, and set the security identity by using the transportPropagationConfig parameter.
transportPropagationConfig
Provides a specific security identity to propagate when idToPropagateToTransport is set to STATIC ID. Set the value to the name that you associate with the static user name and password identity when you run the mqsisetdbparms command. For more information, see Configuring a message flow for identity propagation.
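The following is an added illustration, not IBM code or the broker's API: a small Python model of the rules described above, namely how a node's effective security profile is resolved from the node-level and flow-level Security Profile properties, the deploy-time checks that reject a missing profile or an unsupported token type, and how the passwordValue setting changes what appears in the Properties folder. Profile names, provider names and token names in the sample data are constructed for the example.

```python
import base64
from typing import Optional

NO_SECURITY = "No Security"  # the explicit "off" setting described on this page


def resolve_profile(node_setting: Optional[str], flow_setting: Optional[str]) -> Optional[str]:
    """Return the effective profile name for a node, or None when security is off.

    A blank node-level property inherits the flow-level property; blank at both
    levels, or an explicit "No Security" at the effective level, turns security off.
    """
    effective = node_setting if node_setting else flow_setting
    if not effective or effective == NO_SECURITY:
        return None
    return effective


def validate_deploy(node_setting, flow_setting, deployed_profiles, node_token, provider_tokens):
    """Mimic the deploy-time checks: the named profile must exist in the run time and
    the profile's external provider must support the node's token type.
    deployed_profiles maps profile name -> {"provider": name}; provider_tokens maps
    provider name -> set of supported token types (both constructed inputs).
    Returns (ok, reason)."""
    name = resolve_profile(node_setting, flow_setting)
    if name is None:
        return True, "security is off for this node"
    if name not in deployed_profiles:
        return False, f"security profile '{name}' does not exist in the run time"
    provider = deployed_profiles[name]["provider"]
    if node_token not in provider_tokens.get(provider, set()):
        return False, f"provider '{provider}' does not support token type '{node_token}'"
    return True, f"using security profile '{name}' with provider '{provider}'"


def render_password(password: str, password_value: str) -> str:
    """How the incoming password appears in the Properties folder for each
    passwordValue setting. OBFUSCATE is plain base64 and is trivially reversible,
    so it hides the value from casual viewing only; MASK removes it entirely."""
    if password_value == "PLAIN":
        return password
    if password_value == "OBFUSCATE":
        return base64.b64encode(password.encode("utf-8")).decode("ascii")
    if password_value == "MASK":
        return "****"
    raise ValueError(f"unknown passwordValue: {password_value}")
```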

For information on configuring a security profile for LDAP, TFIM, or a WS-Trust v1.3 compliant security token server (STS), see Creating a security profile.


ap04070_.htm | Last updated Friday, 21 July 2017