IBM Integration Bus makes a single TFIM
WS-Trust call for an input node or SecurityPEP node that is configured
with a WS-Trust V1.3 STS security profile. As a result, a single module
chain must be configured to perform all the required authentication,
mapping, and authorization operations.
When you use a WS-Trust v1.3 STS for authentication, authorization,
or mapping, a request is made to the trust service with the following
parameters, which control the STS processing. If you are using TFIM
V6.2, these parameters are used in the selection of the TFIM module
chain:
RequestType: The type of request issued to the trust service. Valid values are:
- Issue: This value can be specified when mapping is the only operation that is set to WS-Trust V1.3 STS in the security profile. It is not valid if WS-Trust V1.3 STS is specified for authentication or authorization. The namespace qualified value is http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue, which shows in TFIM V6.2 as Issue Oasis URI.
- Validate: This value must be set when the security profile also includes authentication or authorization (in addition to mapping) for the same WS-Trust V1.3 STS provider. The namespace qualified value is http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate, which shows in TFIM V6.2 as Validate Oasis URI.
Issuer: This value is determined by the effective setting of the IssuedBy property on the Basic tab of the SecurityPEP node or the Security tab of the input node.
AppliesTo: This value is determined by the type of node:
- MQInput or SCAInput node with MQ binding: The WebSphere® MQ IRI of the node's input queue; for example: wmq://msg/queue/queue_name@queue_manager_name
- HTTPInput, SOAPInput, or SOAPAsyncResponse node with HTTP binding: The endpoint URL; for example: http://myflow/myInputNodePath
- SecurityPEP node with a default (blank) WS-Trust AppliesTo address: The URN for the message flow that contains the node; for example: urn:/broker_name.execution_group_name.flow_name
- SecurityPEP node with WS-Trust AppliesTo address set on the Advanced tab of the node: The URI value configured in the property. This value is typically the URL of the target service that is used when you invoke a mapping operation to obtain the required token for the following request node; for example: http://remotehost.ibm.com:9080/targetservice
You can also set the AppliesTo service name and AppliesTo port type properties on the Advanced tab of the node. The WS-Trust request includes these optional elements only when they are configured. These values are typically valid QNames; for example: http://myservice.mycom.com:myservicename
When you set these properties in the SecurityPEP node, you must configure them in the TFIM module chain.
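The following is an added example (not IBM's code) that derives the three WS-Trust v1.3 parameters from the table above: the RequestType URI from the operations assigned to the STS provider, and AppliesTo from the node type. The node descriptions are constructed dictionaries; the property keys are assumptions, not IIB or TFIM API names.

```python
# Added example (not IBM's code): derive the WS-Trust v1.3 request parameters
# that IBM Integration Bus sends to TFIM V6.2 for module-chain selection.
# Node dictionaries and their keys are constructed for this example.
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/"

def request_type(operations):
    """Map the operations assigned to the WS-Trust STS provider to the
    RequestType URI. Issue is only valid when mapping is the sole operation;
    Validate is required once authentication or authorization is included."""
    ops = set(operations)
    if not ops <= {"authentication", "mapping", "authorization"}:
        raise ValueError(f"unknown operations: {ops}")
    if ops == {"mapping"}:
        return WST_NS + "Issue"          # Validate would also be accepted here
    return WST_NS + "Validate"

def applies_to(node):
    """Derive AppliesTo from the node type, as the STS profile table describes."""
    kind = node["type"]
    if kind in ("MQInput", "SCAInput"):              # MQ binding: input queue IRI
        return f"wmq://msg/queue/{node['queue']}@{node['queue_manager']}"
    if kind in ("HTTPInput", "SOAPInput", "SOAPAsyncResponse"):
        return node["endpoint_url"]                  # HTTP binding: endpoint URL
    if kind == "SecurityPEP":
        configured = node.get("ws_trust_applies_to", "").strip()
        if configured:                               # Advanced tab value wins
            return configured
        # Blank address: URN of the message flow that contains the node
        return f"urn:/{node['broker']}.{node['execution_group']}.{node['flow']}"
    raise ValueError(f"unsupported node type: {kind}")

def ws_trust_params(node, operations):
    """Return the parameters TFIM V6.2 uses to select the module chain."""
    params = {
        "RequestType": request_type(operations),
        "Issuer": node["issued_by"],                 # effective IssuedBy property
        "AppliesTo": applies_to(node),
    }
    # Optional elements are sent only when configured on the SecurityPEP node.
    for prop in ("applies_to_service_name", "applies_to_port_type"):
        if node.get(prop):
            params[prop] = node[prop]
    return params
```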
This section describes an authorization configuration that you
can use to perform the authorization operation with TFIM V6.2 and
TAM.
In the security profile, set the TFIM V6.2 endpoint for the authorization operation. When you create a module chain to be used by a security-enabled input node or SecurityPEP node, and resolved by AppliesTo information, you must include the TFIM TAMAuthorizationSTSModule to invoke TAM authorization.
The TAMAuthorizationSTSModule requires the following TFIM STS universal user context attributes:
- PrincipalName: The username to be authorized. This username must exist in your TAM user repository.
- ObjectName: The TAM object name of the resource on which an authorization check is to be made. Typically this is derived from the AppliesTo information that is passed by the message flow security manager from the security-enabled input node or SecurityPEP node.
- Action: The TAM action to be authorized; for example, x (eXecute).
The TAM Access Control List (ACL), which determines the authorization
decision, is located in the TAM protected object space using the
path that is set on the ObjectName attribute of
the TFIM STS universal user context input to the TAMAuthorizationSTSModule
module.
The following diagram shows the configuration of IBM Integration Bus, TFIM V6.2, and TAM to enable
authentication, mapping, and authorization of an identity in a message
flow:
The numbers in the preceding diagram correspond to the following
sequence of events:
- A message enters a message flow.
- A WS-Trust request is issued by the broker, with the RequestType, Issuer,
and AppliesTo properties set.
- TFIM selects a module chain to process the WS-Trust request, based
on the RequestType, Issuer,
and AppliesTo properties of the request.
- A module chain can perform authentication if it includes a module in Validate mode that is appropriate to the token type that is being passed in the request from the message flow input message. For example, a Username and Password token can be authenticated using a UsernameTokenSTSModule.
- The module chain must perform some mapping by using an XSLTransformationModule
in mapping mode to manipulate the identity information and to provide
the required context attributes in the TFIM stsuser object for use
by subsequent modules.
- A module chain can perform authorization in TAM by using the TAMAuthorizationSTSModule.
- The TAMAuthorizationSTSModule performs the authorization check by making a request to TAM with these properties:
  - Action = a (where a is the stsuser context Action attribute). For example, x for eXecute could be set using the following code:
        <stsuuser:ContextAttributes>
          <!-- Action -->
          <stsuuser:Attribute name="Action" type="urn:ibm:names:ITFIM:stsmodule:tamazn">
            <stsuuser:Value>x</stsuuser:Value>
          </stsuuser:Attribute>
        </stsuuser:ContextAttributes>
  - Action Group = WebService
  - Protected Object = ProtectedObjectName (where ProtectedObjectName is the stsuser context ObjectName attribute). For example, it could be set using the following code:
        <stsuuser:ContextAttributes>
          <!-- ObjectName -->
          <stsuuser:Attribute name="ObjectName" type="urn:ibm:names:ITFIM:stsmodule:tamazn">
            <stsuuser:Value>ProtectedObjectName</stsuuser:Value>
          </stsuuser:Attribute>
        </stsuuser:ContextAttributes>
    Typically, ProtectedObjectName is set conditionally from the AppliesTo information in the request.
- TAM processes the authorization request by:
  - Finding the Access Control Lists (ACLs) associated with the protected object ProtectedObjectName.
  - Checking whether the ACLs grant action a on action group WebService to the user (the user is named either directly or indirectly, through membership of a named group).
- The WS-Trust reply is returned to the broker. If this action is
the result of a mapping request, the WS-Trust reply contains the mapped
identity token.
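The following is an added example (not IBM's code) that models the last three steps of the sequence: it derives the ObjectName from the flow URN in AppliesTo, emits the stsuser ContextAttributes fragment that the TAMAuthorizationSTSModule reads, and evaluates the TAM ACL decision for action group WebService over a constructed protected object space. The URN-to-object-path convention, the ACL data layout and the use of the tamazn type for PrincipalName are assumptions of this example.

```python
# Added example (not IBM's code): model of the TAMAuthorizationSTSModule input
# and of TAM's ACL decision. Protected object space, ACL layout and the
# AppliesTo-to-ObjectName convention below are constructed for this example.
from xml.sax.saxutils import escape

TAMAZN_TYPE = "urn:ibm:names:ITFIM:stsmodule:tamazn"   # attribute type from the page
ACTION_GROUP = "WebService"

def object_name_from_applies_to(applies_to):
    """Constructed convention: the flow URN urn:/BRK.EG.Flow1 becomes the TAM
    protected object /WebService/BRK/EG/Flow1 (the mapping module sets this)."""
    if not applies_to.startswith("urn:/"):
        raise ValueError("only message-flow URNs are mapped in this example")
    return "/" + ACTION_GROUP + "/" + applies_to[len("urn:/"):].replace(".", "/")

def build_context_attributes(principal, object_name, action="x"):
    """Emit the stsuser ContextAttributes the TAMAuthorizationSTSModule requires.
    Assumption: PrincipalName carries the same tamazn type as Action/ObjectName."""
    attrs = (("PrincipalName", principal), ("ObjectName", object_name), ("Action", action))
    body = "".join(
        f'  <stsuuser:Attribute name="{n}" type="{TAMAZN_TYPE}">'
        f"<stsuuser:Value>{escape(v)}</stsuuser:Value></stsuuser:Attribute>\n"
        for n, v in attrs)
    return "<stsuuser:ContextAttributes>\n" + body + "</stsuuser:ContextAttributes>"

def tam_decision(object_space, groups, user, object_name, action):
    """Find the ACL attached to the protected object (walking up the object
    space, since TAM ACLs are inherited by child objects) and check whether it
    grants `action` in the WebService action group to the user directly or
    through one of the user's groups. Returns True only on an explicit grant."""
    path = object_name
    while path and path not in object_space:
        path = path.rsplit("/", 1)[0]
    acl = object_space.get(path or "/")
    if acl is None:
        return False                      # no ACL anywhere up the path: deny
    subjects = [("user", user)] + [("group", g) for g in groups.get(user, ())]
    return any(action in acl.get(s, {}).get(ACTION_GROUP, "") for s in subjects)

# Constructed sample data: one ACL attached at the execution-group level.
SAMPLE_ACLS = {
    "/WebService/BRK/EG": {("group", "flow-callers"): {ACTION_GROUP: "x"},
                           ("user", "auditor"): {ACTION_GROUP: "r"}},
}
SAMPLE_GROUPS = {"alice": ("flow-callers",)}
```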
For further information about how to configure TFIM and TAM, see IBM Security Systems product documentation.