Security profiles are configured by the broker administrator before
deploying a message flow, and are accessed by the security manager
at run time.
A security profile allows a broker
administrator to specify whether identity and security token propagation,
authentication, authorization, and mapping are performed on the identity
or security tokens associated with messages in the message flow, and
if so, which external security provider (also known as a Policy Decision
Point or PDP) is used. IBM® Tivoli® Federated Identity Manager
(TFIM) V6.1, and WS-Trust v1.3 compliant security token servers (including
TFIM V6.2), are supported for authentication, authorization, and mapping.
Lightweight Directory Access Protocol (LDAP) is supported for authentication
and authorization.
Security profiles apply to the SecurityPEP node and to security-enabled
input, output, and request nodes, and are configured by the
administrator at deployment time in the Broker Archive editor. These
nodes have a Security Profile property (in the
Broker Archive editor), which can be left blank, set to No
Security, or set to a specific security profile name. Set No
Security to explicitly turn off security for the node. If
you leave the Security Profile property blank,
the node inherits the Security Profile property
that is set at the message flow level. If you leave the Security
Profile property blank at both levels, security is turned
off for the node. When this property is set to the name of a specific
security profile, that profile determines what message flow security
is configured. If the named security profile does not exist in the
run time, the message flow fails to deploy. If the specified external
security provider does not support the type of token configured on
the node for the security operation, an error is reported and the
message flow fails to deploy.
The security profile also specifies whether propagation
is required. A pre-configured profile that specifies propagation is
provided for use by output and request nodes. This profile is the Default
Propagation security profile. This profile can also
be used on an input node to extract tokens and put them into the message
tree ready for propagation or processing in a SecurityPEP node.
Security profiles contain values for the following properties:
- authentication: Defines the type of authentication that is performed on the source identity. This property applies only to SecurityPEP nodes and input nodes. For more information, see Authentication and validation.
- authenticationConfig: Defines the information that the broker needs to connect to the provider, and the information needed to look up the identity tokens. It is a provider-specific configuration string. This property applies only to SecurityPEP nodes and input nodes.
- mapping: Defines the type of mapping that is performed on the source identity. This property applies only to SecurityPEP nodes and input nodes. For more information, see Identity mapping.
- mappingConfig: Defines how the broker connects to the provider, and contains additional information required to look up the mapping routine. It is a provider-specific configuration string. This property applies only to SecurityPEP nodes and input nodes.
- authorization: Defines the types of authorization checks that are performed on the mapped or source identity. This property applies only to SecurityPEP nodes and input nodes. For more information, see Authorization.
- authorizationConfig: Defines how the broker connects to the provider, and contains additional information that can be used to check access (for example, a group that can be checked for membership). It is a provider-specific configuration string. This property applies only to SecurityPEP nodes and input nodes.
- passwordValue: Defines how passwords are treated when they enter a message flow. If PLAIN is selected, the password appears in the Properties folder in plain text. If OBFUSCATE is selected, the password appears in the Properties folder in base64 encoding. If MASK is selected, the password appears in the Properties folder as four asterisks (****). This property applies only to SecurityPEP nodes and input nodes.
- propagation: Enables or disables identity propagation on output and request nodes. On the security-enabled input nodes, you can select only identity propagation, without specifying any other security operations, to make the extracted incoming identity or security token available for use in the other nodes in the message flow, such as output or request nodes. For more information, see Identity and security token propagation.
- idToPropagateToTransport: Enables the use of a specific security identity for propagation. Set the value to STATIC ID, and set the security identity by using the transportPropagationConfig parameter.
- transportPropagationConfig: Provides the specific security identity to propagate when idToPropagateToTransport is set to STATIC ID. Set the value to the name that you associated with the static user name and password identity when you ran the mqsisetdbparms command. For more information, see Configuring a message flow for identity propagation.
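The following Python is an added example, not code from the product or from this documentation. It models two of the rules described above so that an administrator can check them before deploying a BAR file: how the node-level and flow-level Security Profile properties resolve to an effective profile (blank inherits, No Security or blank-at-both-levels turns security off, an unknown name fails the deployment), and how the passwordValue setting (PLAIN, OBFUSCATE, MASK) changes what appears in the Properties folder. The SecurityProfile class, the DeployError exception, the registry of run-time profiles, the LdapAuthProfile entry and the field names in the Properties folder view are all constructed for the example; only the property names and the Default Propagation profile come from the page.

```python
import base64
from dataclasses import dataclass

# Sentinel values for the node-level and flow-level Security Profile property.
BLANK = None                 # property left blank
NO_SECURITY = "No Security"  # security explicitly turned off for the node


@dataclass(frozen=True)
class SecurityProfile:
    """Hypothetical model of a security profile (not the product's own class).
    Field names follow the properties listed on the page."""
    name: str
    authentication: str = "NONE"
    authorization: str = "NONE"
    mapping: str = "NONE"
    propagation: bool = False
    passwordValue: str = "PLAIN"


class DeployError(Exception):
    """Raised where the documentation says the message flow fails to deploy."""


# Constructed sample run time: the pre-configured Default Propagation profile
# plus one hypothetical LDAP-backed profile created by the administrator.
RUNTIME_PROFILES = {
    "Default Propagation": SecurityProfile("Default Propagation", propagation=True),
    "LdapAuthProfile": SecurityProfile(
        "LdapAuthProfile", authentication="LDAP", authorization="LDAP",
        passwordValue="MASK"),
}


def resolve_profile(node_setting, flow_setting, registry):
    """Return the SecurityProfile that applies to a node, or None if security is off.

    node_setting and flow_setting are each BLANK, NO_SECURITY or a profile name;
    registry maps the profile names that exist in the run time to their profiles.
    A blank node setting inherits the flow-level setting; blank at both levels or
    No Security turns security off; a name missing from the run time fails deploy.
    """
    setting = flow_setting if node_setting is BLANK else node_setting
    if setting is BLANK or setting == NO_SECURITY:
        return None
    if setting not in registry:
        raise DeployError(f"security profile '{setting}' does not exist in the run time")
    return registry[setting]


def render_password(password, password_value):
    """Render a password the way the Properties folder shows it under passwordValue."""
    if password_value == "PLAIN":
        return password
    if password_value == "OBFUSCATE":
        # base64 is an encoding, not encryption: anyone reading the tree can reverse it
        return base64.b64encode(password.encode("utf-8")).decode("ascii")
    if password_value == "MASK":
        return "****"
    raise ValueError(f"unknown passwordValue setting: {password_value!r}")


def properties_folder_view(profile, identity, password):
    """Build the identity-related fields an input node would place in the Properties
    folder (field names are constructed for this example). None means security is
    off for the node, so nothing is extracted."""
    if profile is None:
        return None
    return {
        "sourceIdentity": identity,
        "sourcePassword": render_password(password, profile.passwordValue),
        "propagate": profile.propagation,
    }


if __name__ == "__main__":
    # Walk through the resolution cases described in the documentation.
    cases = [(BLANK, BLANK), (BLANK, "LdapAuthProfile"),
             (NO_SECURITY, "LdapAuthProfile"), ("Default Propagation", BLANK),
             ("NoSuchProfile", BLANK)]
    for node, flow in cases:
        try:
            profile = resolve_profile(node, flow, RUNTIME_PROFILES)
            print(f"node={node!r} flow={flow!r} ->",
                  properties_folder_view(profile, "alice", "s3cret"))
        except DeployError as err:
            print(f"node={node!r} flow={flow!r} -> deploy fails: {err}")
```

The check is worth running because the two silent outcomes look alike at run time: a node whose property is blank at both levels and a node set to No Security both process messages with no authentication, and only the deployment-time failure for a missing profile name is loud. The OBFUSCATE branch also makes the page's point concrete: base64 in the Properties folder is reversible, so MASK is the setting to prefer whenever downstream nodes or trace output might expose the tree.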
For information on configuring a security profile
for LDAP, TFIM, or a WS-Trust v1.3 compliant security token server
(STS), see Creating a security profile.