IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Creating a security profile for LDAP

Create a security profile for use with Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS), by using either the mqsicreateconfigurableservice command or an editor in the IBM® Integration Explorer.

Before you start:

Ensure that you have an LDAP server that is LDAP Version 3 compliant, for example:
  • IBM Tivoli® Directory Server
  • Microsoft Active Directory
  • OpenLDAP.

If your LDAP directory does not permit login by unrecognized user IDs, and does not grant search access rights on the subtree, you must also set up a separate authorized login ID that the broker can use for the search. For information on how to do this, see Configuring authorization with LDAP or Authenticating incoming requests with LDAP.

Creating a security profile using mqsicreateconfigurableservice

You can use the mqsicreateconfigurableservice command to create a security profile that uses LDAP for authentication, authorization, or both. The security profile ensures that each message has an authenticated ID and is authorized for the message flow.

  1. Open a command window that is configured for your environment.
  2. Enter the mqsicreateconfigurableservice command on the command line. For example:
    mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP -n authentication,authenticationConfig,authorization,authorizationConfig,propagation,rejectBlankpassword -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\",TRUE,TRUE"

    You must enclose each LDAP URL in escaped double quotation marks (\" at the start and \" at the end) because the URL contains commas, and a bare comma would be read as the separator between the values of the -v parameter of mqsicreateconfigurableservice.

    If an LDAP URL includes an element whose name contains a space, as cn=All Sales does here, the whole set of values after the -v flag must also be enclosed in double quotation marks (").

    For more information about the structure of the command, refer to the mqsicreateconfigurableservice command.

    You can define the security-specific parts of the command in the following way:

    1. Set authentication to LDAP. This ensures that the incoming identity is validated against the directory.
    2. Set the authenticationConfig using the following syntax:
      ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]

      For example:

      ldap://ldap.acme.com:389/ou=sales,o=acme.com
      ldaps://localhost:636/ou=sales,o=acme?cn?base

      The parts of the string are:

      ldap:
      (Required) Fixed protocol string.
      s:
      (Optional) Specifies that SSL/TLS is used (ldaps). The default is not to use SSL.
      server:
      (Required) The host name or IP address of the LDAP server to contact.
      port:
      (Optional) The port to connect to. The default is 389 (non-SSL). LDAP servers with SSL enabled typically listen on port 636.
      baseDN:
      (Required) The base distinguished name (DN) under which all users are found. If users exist in different subtrees, specify a common parent subtree under which a search on the user name resolves to exactly one user entry, and set the sub scope.
      uid_attr:
      (Optional) The attribute to which the incoming user name is mapped, typically uid, cn, or an email address attribute. The default is uid.
      base|sub:
      (Optional) Whether to perform a base or subtree search. With base, authentication is faster because the user DN is constructed directly as uid_attr=username,baseDN and no search is needed. With sub, a subtree search under baseDN must be performed before the DN can be resolved. The default is sub.
    3. (Optional) To have the security manager reject a user name whose password token is empty, set rejectBlankpassword to TRUE. The default is FALSE, which means that the user name is sent to the LDAP server for authentication even when the password token is empty. Leaving the default is a risk: LDAP treats a bind that carries a DN but an empty password as an unauthenticated bind (RFC 4513, section 5.1.2), and a server that permits unauthenticated binds answers it with success without checking any credential, so an empty password would be accepted for any user that exists in the directory. Set rejectBlankpassword to TRUE unless you have confirmed that your directory server rejects such binds.
    4. (Optional) To specify the way that the password is displayed in the properties folder, set passwordValue to one of the following values:
      PLAIN
      The password is displayed in the Properties folder as plain text.
      OBFUSCATE
      The password is displayed in the Properties folder base64-encoded. Base64 is an encoding, not encryption; anyone who can read the folder can recover the password.
      MASK
      The password is displayed in the Properties folder as four asterisks (****).
    5. Set the authorization to LDAP. This ensures that the incoming identity is checked for group membership in LDAP.
    6. Set the authorizationConfig using the following syntax:
      ldap[s]://server[:port]/groupDN[?[member_attr][?[base|sub][?[x-userBaseDN=baseDN,x-uid_attr=uid_attr]]]]

      For example:

      ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress

      The parts of the string are:

      ldap:
      (Required) Fixed protocol string.
      s:
      (Optional) Specifies that SSL/TLS is used (ldaps). The default is not to use SSL.
      server:
      (Required) The host name or IP address of the LDAP server to contact.
      port:
      (Optional) The port to connect to. The default is 389 (non-SSL). LDAP servers with SSL enabled typically listen on port 636.
      groupDN:
      (Required) The fully qualified distinguished name of the group of which users must be members to be granted access.
      member_attr:
      (Optional) The attribute of the group entry that is searched for the user. By default both the member and the uniquemember attributes are checked.
      The following options are needed only when authorization is not preceded by authentication, that is, when no authenticationConfig string is specified. If an authenticationConfig string is specified, these parameters are ignored and the baseDN, uid_attr, and base|sub values of the authentication configuration are used instead:
      base|sub:
      (Optional) Whether to perform a base or subtree search for the user. With base, resolving the user is faster because the user DN is constructed directly as uid_attr=username,baseDN. With sub, a subtree search under baseDN must be performed before the DN can be resolved. The default is sub.
      x-userBaseDN=baseDN:
      (Optional) The base distinguished name under which all users are found. Any comma in the baseDN must be rendered as %2c, because a bare comma ends the extension.
      x-uid_attr=uid_attr:
      (Optional) The attribute to which the incoming user name is mapped, typically uid, cn, or an email address attribute. The default is uid.
    When you submit the command from a batch (.bat) or command (.cmd) file, and an LDAP URL contains "percent hex hex" escaped characters (for example, a comma rendered as %2c or a space as %20), each percent sign must be escaped from the batch interpreter by doubling it (%%). For example:
    mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP_URI_FUN -n authentication,authenticationConfig,authorization,authorizationConfig -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub\",LDAP,\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com?report?base?x-userBaseDN=ou=sales%%2co=acme.com,x-uid_attr=emailaddress\""

    The selected group must be defined on the LDAP server, and all of the required users must be members of the group.

  3. If you need to reconfigure the security profile after it has been created, use the mqsichangeproperties command. You must stop and start the integration server for the change of property value to take effect.
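The following Python module is an added example, not IBM code and not part of this page. It parses the authenticationConfig and authorizationConfig URL syntax described above, derives from the base|sub scope whether the broker can construct the user DN directly or must search, derives the group membership filter from groupDN and member_attr, and renders the mqsicreateconfigurableservice line with the escaped-quote and batch-file (%%) rules from the steps above. The host names, DNs and attribute names come from the page's own examples. It goes beyond the page in one respect: the page does not say how the broker escapes the incoming user name, so the RFC 4515 filter escaping and RFC 4514 DN escaping are my own additions, included because an unescaped user name placed in a filter or DN is an injection point.

```python
"""Parse and validate the LDAP URLs of an IBM Integration Bus security profile
(authenticationConfig / authorizationConfig), show how they locate the user and the
group, and render the mqsicreateconfigurableservice line.  Added example, not IBM code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote

@dataclass
class LdapConfig:
    scheme: str  # "ldap" or "ldaps"
    host: str
    port: int    # 389 for ldap, 636 for ldaps, unless given explicitly
    dn: str      # baseDN (authentication) or groupDN (authorization)
    attr: str    # uid_attr or member_attr; "" means "use the default"
    scope: str   # "base" or "sub"; the default is sub
    ext: Dict[str, str] = field(default_factory=dict)  # x-userBaseDN, x-uid_attr (decoded)

def parse_ldap_config(url: str) -> LdapConfig:
    """Parse ldap[s]://server[:port]/DN[?attr[?base|sub[?x-ext=value,...]]]."""
    scheme, sep, rest = url.partition("://")
    if sep != "://" or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"scheme must be ldap or ldaps: {url!r}")
    hostport, slash, rest = rest.partition("/")
    host, colon, port_text = hostport.partition(":")
    if not slash or not host:
        raise ValueError(f"server and DN are required: {url!r}")
    port = int(port_text) if colon else (636 if scheme == "ldaps" else 389)
    parts = rest.split("?")
    if not parts[0] or len(parts) > 4:
        raise ValueError(f"missing DN or too many '?' components: {url!r}")
    attr = parts[1] if len(parts) > 1 else ""
    scope = parts[2] if len(parts) > 2 and parts[2] else "sub"
    if scope not in ("base", "sub"):
        raise ValueError(f"scope must be base or sub: {url!r}")
    ext: Dict[str, str] = {}
    if len(parts) > 3 and parts[3]:
        for item in parts[3].split(","):  # a DN inside an extension spells commas as %2c
            key, eq, value = item.partition("=")
            if not eq or not key.startswith("x-"):
                raise ValueError(f"bad extension {item!r} in {url!r}")
            ext[key] = unquote(value)
    return LdapConfig(scheme, host, port, parts[0], attr, scope, ext)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed in a constructed DN."""
    out = "".join("\\" + c if c in '\\,+"<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def resolve_user(username: str, authn: Optional[LdapConfig],
                 authz: Optional[LdapConfig] = None) -> Dict[str, str]:
    """base scope: the DN is built as uid_attr=username,baseDN with no search; sub
    scope: a subtree search is needed first.  With no authentication string the
    x-userBaseDN / x-uid_attr extensions of the authorization string apply."""
    if authn is not None:
        base_dn, uid_attr, scope = authn.dn, authn.attr or "uid", authn.scope
    elif authz is not None and "x-userBaseDN" in authz.ext:
        base_dn = authz.ext["x-userBaseDN"]
        uid_attr = authz.ext.get("x-uid_attr", "uid")
        scope = authz.scope
    else:
        raise ValueError("authorization without authentication needs x-userBaseDN")
    if scope == "base":
        return {"mode": "construct", "dn": f"{uid_attr}={escape_dn_value(username)},{base_dn}"}
    return {"mode": "search", "base": base_dn,
            "filter": f"({uid_attr}={escape_filter_value(username)})"}

def group_membership_filter(authz: LdapConfig, user_dn: str) -> str:
    """Filter run against groupDN to confirm membership; without member_attr the
    broker accepts either the member or the uniquemember attribute."""
    dn = escape_filter_value(user_dn)
    return f"({authz.attr}={dn})" if authz.attr else f"(|(member={dn})(uniquemember={dn}))"

def build_command(broker: str, profile: str, authn_url: str, authz_url: str,
                  propagation: bool = False, reject_blank: bool = True,
                  batch_file: bool = False) -> str:
    """Each URL is wrapped in \\" so its commas are not read as -v separators, the
    whole -v value is quoted because of spaces such as 'cn=All Sales', and in a
    .bat/.cmd file every % of a %2c/%20 escape is doubled.  reject_blank defaults
    to TRUE here; the product default is FALSE."""
    for url in (authn_url, authz_url):
        parse_ldap_config(url)  # refuse to emit a profile the broker cannot parse
    value = ",".join(["LDAP", f'\\"{authn_url}\\"', "LDAP", f'\\"{authz_url}\\"',
                      "TRUE" if propagation else "FALSE", "TRUE" if reject_blank else "FALSE"])
    if batch_file:
        value = value.replace("%", "%%")
    return (f"mqsicreateconfigurableservice {broker} -c SecurityProfiles -o {profile} "
            "-n authentication,authenticationConfig,authorization,authorizationConfig,"
            f'propagation,rejectBlankpassword -v "{value}"')
```

Calling resolve_user("jsmith", parse_ldap_config("ldaps://localhost:636/ou=sales,o=acme?cn?base")) returns the constructed DN cn=jsmith,ou=sales,o=acme with no search, while the same user against a sub-scope string returns a search filter instead. build_command with batch_file=True on the authorization URL from the batch example above emits %%2c, and it refuses to emit a line whose URL would not parse.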

Creating a security profile using the IBM Integration Explorer

You can use the IBM Integration Explorer to create a security profile for LDAP.
  1. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  2. In the Properties window, select the Security tab, and click Security Profiles. The Security Profiles window is displayed, containing a list of existing security profiles for the broker on the left, and a pane in which you can configure the profile on the right.
  3. Click Add to create a new profile and add it to the list. You can edit the name of the security profile by highlighting it in the list and pressing F2.
  4. Configure the security profile using the entry fields on the right side of the pane:
    1. Select the type of Authentication required. This can be LDAP, TFIM, or NONE.
    2. If you have selected LDAP for authentication, edit the following fields in the LDAP Parameters section:
      • LDAP Host
      • LDAP baseDN
      • LDAP uid attr
      • LDAP search Scope

      The values that you enter in the LDAP Parameters fields create a configuration string, which is displayed in the Authentication Config field. For information about the valid values for the parameters, see Creating a security profile using mqsicreateconfigurableservice.

    3. Select the type of Mapping required. This can be either TFIM or NONE.
    4. If you have selected TFIM for mapping, type the URL of the TFIM server in the TFIM Configuration field of the TFIM Parameters section.

      The value that you specify in the TFIM Configuration field creates a configuration string, which is displayed in the Mapping Config field.

    5. Select the type of Authorization required. This can be LDAP, TFIM, or NONE.
    6. If you have selected LDAP for authorization, edit the following fields in the LDAP Parameters section:
      • LDAP Host
      • LDAP baseDN
      • LDAP uid attr
      • LDAP search Scope
      • LDAP group baseDN
      • LDAP group member

      The values that you enter in the LDAP Parameters fields create a configuration string, which is displayed in the Authorization Config field. For information about the valid values for the parameters, see Creating a security profile using mqsicreateconfigurableservice.

    7. In the Propagation field, specify whether you require the identity to be propagated. The default is False.
    8. In the Reject Empty Password field, specify whether you want the security manager to reject a user name during authentication if the user name has an empty password token. The default is FALSE, which means that a user name is sent to the LDAP server for authentication even if it has an empty password token. Because LDAP servers that permit unauthenticated binds (RFC 4513, section 5.1.2) accept a DN with an empty password without checking any credential, set this to TRUE unless you have confirmed that your directory rejects such binds.
    9. In the Password Value field, select the way in which the password is displayed in the properties folder. The options are:
      PLAIN
      The password appears in the Properties folder as plain text.
      OBFUSCATE
      The password appears in the Properties folder base64-encoded. Base64 is an encoding, not encryption; anyone who can read the folder can recover the password.
      MASK
      The password appears in the Properties folder as four asterisks (****).
  5. Click Finish to deploy the security profile to the broker.

To delete an existing security profile, select the profile in the list and then click Delete.


ap04141_.htm | Last updated Friday, 21 July 2017