IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Creating a security profile for WS-Trust V1.3 (TFIM V6.2)

You can create a security profile for a WS-Trust V1.3 compliant Security Token Server (STS), for example, Tivoli® Federated Identity Manager (TFIM) V6.2, for any combination of the following security operations: authentication, authorization, and mapping.

You can use either the mqsicreateconfigurableservice command or an editor in the IBM® Integration Explorer to create the security profile:
Parent topic: Creating a security profile

Creating a profile using mqsicreateconfigurableservice

To create a security profile that uses a WS-Trust V1.3 compliant Security Token Server (STS), you can use the mqsicreateconfigurableservice command by setting the configuration parameter to the full URL of the STS. The URL must consist of the transport scheme, host name, port, and path. For TFIM V6.2 WS-Trust V1.3 endpoint, the path is /TrustServerWST13/services/RequestSecurityToken. For example: 
http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
To create a security profile that uses WS-Trust v1.3 for mapping, enter the following command: 
mqsicreateconfigurableservice brokername -c SecurityProfiles 
-o profilename -n mapping,mappingConfig 
-v "WS-Trust v1.3 STS",http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken

To specify that you want the security manager to reject a user name during authentication if the user name has an empty password token, set rejectBlankpassword to TRUE. The default is FALSE, which means that a user name is authenticated against the WS-Trust server even if it has an empty password token.

To specify the way that the password is displayed in the properties folder, set passwordValue to one of the following values:
PLAIN
The password is displayed in the Properties folder as plain text.
OBFUSCATE
The password is displayed in the Properties folder as base64 encoding.
MASK
The password is displayed in the Properties folder as four asterisks (****).
If the URL specifies an address beginning with https://, an SSL secured connection is used for requests to the WS-Trust v1.3 server. For example, to create a security profile that uses an HTTPS connection to WS-Trust v1.3 for mapping, enter the following command:
mqsicreateconfigurableservice brokername -c SecurityProfiles 
-o profilename -n mapping,mappingConfig 
-v "WS-Trust v1.3 STS",https://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
In addition to specifying the security profile URL as an address beginning with https://, you can configure the following advanced parameters, by setting broker environment variables:
MQSI_STS_SSL_PROTOCOL
The version of the SSL protocol to be used. Valid values are:
  • SSL
  • SSLv3
  • TLS
The initial value is SSLv3.
MQSI_STS_SSL_ALLOWED_CIPHERS
A space-separated list of the encryption ciphers that can be used. For a list of all the cipher suites that are supported by IBM Integration Bus, see the Java™ product information for your operating system. For operating systems that use IBM Java, see Appendix A of the IBM JSSE2 Guide: http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html
MQSI_STS_REQUEST_TIMEOUT
The STS request timeout, specified in seconds. The initial value is 100. For information about providing environment variables to the broker, see Setting up a command environment.
MQSI_STS_REQUEST_ONBEHALFOF
If you set this environment variable to enabled, the WS-trust requests include the optional field wst:OnBehalfOf. This field is required when the STS server is secured and needs credentials/authentication tokens before it process the request.

If WS-Trust v1.3 STS is selected for more than one operation (for example, for authentication and mapping), the WS-Trust v1.3 server URL must be identical for all the operations, and is therefore specified only once.

The following example creates a security profile that uses TFIM V6.2 for authentication, mapping, and authorization: 
mqsicreateconfigurableservice MYBROKER -c SecurityProfiles -o MyWSTrustProfile 
-n authentication,mapping,authorization,propagation,mappingConfig 
-v "WS-Trust v1.3 STS","WS-Trust v1.3 STS","WS-Trust v1.3 STS",TRUE,http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken

Creating a profile using the IBM Integration Explorer

You can use the IBM Integration Explorer to create a security profile for using WS-Trust v1.3.
  1. In the IBM Integration Explorer, right-click on the broker with which you want to work, and click Properties.
  2. In the Properties window, select the Security tab, and click Security Profiles. The Security Profiles window is displayed, containing a list of existing security profiles for the broker on the left and, on the right, a pane in which you can configure the profile.
  3. Click Add to create a new profile and add it to the list. You can edit the name of the security profile by highlighting it in the list and pressing F2. The security profile name must not include spaces.
  4. Configure the security profile using the entry fields on the right side of the pane:
    1. Select the security provider that you require for Authentication, Mapping, and Authorization. When you select WS-Trust v1.3 STS for any of these options, the STS URI field in the Security Token Service (STS) Parameters group is enabled.
    2. Type the URL of the WS-Trust v1.3 STS into the STS URL field. The STS URL must contain the following URL parts:
      • Transport scheme (http or https)
      • Host name (a fully qualified domain name)
      • Port
      • Path (for example, for TFIM V6.2: /TrustServerWST13/services/RequestSecurityToken)
      For example: 
      http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
      The URL that you enter forms a configuration string, which is displayed in one or more of the configuration fields (Authentication Config, Mapping Config, and Authorization Config), depending on the security operations that are configured to use WS-Trust v1.3 STS.

      For more information about the valid values for the configuration parameter, see Creating a profile using mqsicreateconfigurableservice.

    3. In the Propagation field, specify whether you require the identity to be propagated. The default is False.
    4. In the Password Value field, select the way in which the password is displayed in the properties folder. The password is optional, and is required only when the token type is Username + Password. The options are:
      PLAIN
      The password is shown in the Properties folder as plain text.
      OBFUSCATE
      The password is shown in the Properties folder as base64 encoding.
      MASK
      The password is shown in the Properties folder as four asterisks (****).
  5. Click Finish to deploy the security profile to the broker.
Related concepts:
Identity
Authentication and validation
Identity mapping
Authorization
Identity and security token propagation
Security profiles
Related tasks:
Configuring the extraction of an identity or security token
Configuring identity authentication and security token validation
Configuring identity mapping
Creating a security profile
Configuring authorization
Configuring a message flow for identity propagation
Setting up message flow security
Related reference:
mqsicreateconfigurableservice command
SecurityPEP node
bp28010_.htm | Last updated Friday, 21 July 2017