Providing credentials for outbound requests by using IWA
Set up IBM® Integration Bus to consume a remote service that is secured with Integrated Windows Authentication (IWA). Only IBM Integration Bus running on Windows can consume an IWA-secured service.
Before you begin
Your IBM Integration Bus must be running on the Windows operating system. If it is running on a different operating system, an IWA-secured remote service cannot be consumed.
- HTTPRequest
- SOAPRequest
- RESTRequest
A security identity is required for outbound authentication. By default, the identity credentials of the integration node user ID (the serviceUserId parameter that is specified by the mqsicreatebroker command) are sent to the remote service to use for authentication. If you require a specific security identity to be propagated, you must set the appropriate identity credentials in the Properties tree. For more information, see Providing credentials in HTTP requests.
About this task
To consume a remote service that is secured with IWA, run the following command:
mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "PropertyValue"
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- PropertyValue is one of the following values:
IBM Integration Bus selects one value from the list of IWA protocols supported by the server, in the following order: Nego2, Negotiate, NTLM. Multiple values can be given, separated by a semicolon or a space, and these values are not case-sensitive.
mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager
-n preemptiveAuthType -v "PropertyValue"
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- PropertyValue is one of the following values:
HTTP/iib.iibservice. If the service exists at a different SPN, use the following local environment overrides to provide an explicit SPN for the service:
To check the current outbound authentication setting, run the following command:
mqsireportproperties integrationNodeName -e integrationServerName
-o ComIbmSocketConnectionManager -r
The following output is displayed within the connector properties:
- allowedAuthTypes='PropertyValue'
Examples
mqsichangeproperties IBNODE -e default -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "IWA"
mqsichangeproperties IBNODE -e default -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "NTLM;Negotiate"
mqsichangeproperties IBNODE -e default -o ComIbmSocketConnectionManager
-n allowedAuthTypes -v "None"
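The following is an added example, not IBM code: it reads the allowedAuthTypes line from mqsireportproperties output and applies the selection order described above (Nego2, Negotiate, NTLM) to show which protocol would be used against a given server. It assumes that "IWA" means all three protocols and "None" means no outbound IWA, and that selection is the first protocol in that order that is both allowed and offered by the server; the function names and the sample report text are constructed for illustration.

```python
import re

# Selection order stated on this page.
PREFERENCE = ("nego2", "negotiate", "ntlm")

# Assumption: "IWA" stands for all three IWA protocols and "None" for no
# outbound IWA; the page uses both values without defining them.
ALIASES = {"iwa": set(PREFERENCE), "none": set()}


def parse_allowed(value):
    """Split an allowedAuthTypes value on semicolons or spaces, ignoring case."""
    allowed = set()
    for token in re.split(r"[;\s]+", value.strip()):
        key = token.lower()
        if key in ALIASES:
            allowed |= ALIASES[key]
        elif key in PREFERENCE:
            allowed.add(key)
        # Any other value the product may accept is outside this example.
    return allowed


def allowed_from_report(report_text):
    """Extract allowedAuthTypes='...' from mqsireportproperties output."""
    match = re.search(r"allowedAuthTypes='([^']*)'", report_text)
    if match is None:
        raise ValueError("allowedAuthTypes not found in report")
    return parse_allowed(match.group(1))


def select_protocol(allowed, server_offers):
    """Return the first protocol in PREFERENCE that is allowed and offered."""
    offered = {scheme.lower() for scheme in server_offers}
    for proto in PREFERENCE:
        if proto in allowed and proto in offered:
            return proto
    return None


# Constructed sample shaped like the report line shown on this page.
SAMPLE_REPORT = "ComIbmSocketConnectionManager\n  allowedAuthTypes='NTLM;Negotiate'\n"

if __name__ == "__main__":
    allowed = allowed_from_report(SAMPLE_REPORT)
    print(select_protocol(allowed, ["NTLM", "Negotiate"]))
```

Running the check against each integration server's report shows whether a change to allowedAuthTypes leaves NTLM as the only protocol that can be selected for a given service.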