Campbell
Posted: Sun Jul 07, 2013 8:20 pm Post subject: Broker Authorization using LDAP
Novice
Joined: 18 Feb 2013 Posts: 11
I have created a service that uses security but I have an issue (actually two issues).
I do security in two parts. The user sends a message to the service using a standard WSS header with user and password. The SOAP Input Node does LDAP authentication to a Windows based security system.
Once the user passes authentication a subflow is called for each different operation. The first node in the subflow is a Security PEP node which does LDAP authorization using RACF.
The whole thing works fine if the user has the same password in the Windows based system and RACF but if they do not it fails (and of course they have different password rules).
This leads me to question 1. Since the phase-two security profile does authorization only, why does it care about the password at all?
I connect to both of the LDAP servers using an LDAP master user (a separate one for each) so it does not need the password to connect to LDAP. I believe it should just be using the master profile to connect and then verifying the user is in the group and not doing anything with the password.
Possibly this is connected to another problem I have already raised a PMR for, where I need to specify the authenticationConfig for a security profile even when it is only doing authorization (authentication=NONE).
This leads me to question two. Have any of you guys created a security profile for an LDAP connection to RACF that does authorization only? If so, did you have to specify an authenticationConfig?
Any help would be greatly appreciated. I am under a lot of pressure to get this project delivered.
smdavies99
Posted: Sun Jul 07, 2013 9:58 pm Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
Having been 'dazzled'/Blinded by RACF in the past, may I suggest that you raise a PMR with IBM for this. If anyone can understand the devil that is RACF, it is them. They will also tell you if this is at all possible. If it isn't then at least you will have the official word from IBM to help your discussion with your PHB's.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
mqjeff
Posted: Mon Jul 08, 2013 8:21 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
You're probably asking the SecurityPEP node to authenticate and authorize, not just authorize.
The flow is receiving a UserName/Password token. This is then being authenticated against the Windows LDAP. This exact same token is then being passed to the RACF LDAP for authorization (which again, is likely doing authentication).
You need to look at either federating the two LDAPs so that RACF authorizations can be accessed from the Windows LDAP or Windows LDAP users can be authenticated against RACF.
Or you need to look at mapping the userids between LDAPs, so that you can authenticate the Windows LDAP user and then fetch the credentials for the corresponding RACF LDAP user, and present that to the SecurityPEP node.
Or you can look at reconfiguring the SecurityPEP node to require a username token instead of a username/password token and configure RACF to provide authorization without authentication.
Campbell
Posted: Mon Jul 08, 2013 3:07 pm Post subject:
Novice
Joined: 18 Feb 2013 Posts: 11
mqjeff wrote:
    You're probably asking the SecurityPEP node to authenticate and authorize, not just authorize.
It looks like that is what it is trying to do but that is not what I am asking it for.
The properties of the security profile it is using look like this:
SecurityProfiles
MySecurityProfileName
authentication='NONE'
authenticationConfig=''
authorization='LDAP'
authorizationConfig='secret stuff i dont post on the internet'
keyStore='keystore.jks'
mapping='NONE'
mappingConfig=''
passwordValue='MASK'
propagation='TRUE'
rejectBlankpassword='TRUE'
transportPropagationConfig=''
trustStore='Reserved for future use'
so you can see that authentication is 'NONE'.
mqjeff wrote:
    The flow is receiving a UserName/Password token. This is then being authenticated against the windows LDAP. This exact same token is then being passed to the RACF LDAP for authorization (which again, is likely doing authentication).
I agree, but I don't think it should be doing authentication since the security profile says not to.
mqjeff wrote:
    You need to look at either federating the two LDAPS so that RACF authorizations can be accessed from the windows LDAP or windows LDAP users can be authenticated against RACF.
    Or you need to look at mapping the userids between LDAPS, so that you can authenticate the windows LDAP user and then fetch the credentials for the corresponding RACF ldap user, and present that to the SecurityPEP node.
I will ask our security expert about this, but even if it is possible I still don't see why it is necessary since I don't understand why it is trying to authenticate the user when authenticate=none.
mqjeff wrote:
    Or you can look at reconfiguring the securityPEP node to require a username token instead of a username/password token and configure RACF to provide authorization without authentication.
I am connecting to RACF using a master user which is authenticated by RACF but, as I understand it, it should then just be checking if the userid that was passed exists in a group.
mqjeff
Posted: Tue Jul 09, 2013 2:29 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Try setting rejectBlankPassword to FALSE and then set the IdentityMappedUser to the IdentitySourceUser and leave the IdentityMappedPassword blank or set it to null.
Or just clear IdentitySourcePassword.
Then call the SecurityPEP node.
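An added example of mqjeff's second suggestion ("just clear IdentitySourcePassword") as it would look in the flow itself; this is illustrative code written for this page, not code from the thread or from IBM. It is a Compute node wired directly in front of the SecurityPEP node: the user id that the SOAP Input node already authenticated against the Windows LDAP is kept, but the password is dropped and the token type is switched to a username-only token, so the second profile (authentication='NONE', authorization='LDAP') has nothing to re-authenticate and only checks group membership through its own master bind. It assumes the standard broker identity fields Properties.IdentitySourceType, Properties.IdentitySourceToken and Properties.IdentitySourcePassword (mqjeff's "IdentitySourceUser" refers to the same token) and the token type value 'username'; rejectBlankpassword on the profile has to be FALSE, as mqjeff says, or the blank password is rejected before authorization runs. Changing the SecurityPEP node's own identity token type to Username, as Campbell did in the end, reaches the same result without a Compute node; the version below adds a fail-closed check for an empty user id, which the node no longer rejects once blank passwords are allowed.

```esql
-- Added example, not from the thread or from IBM.
-- Place this Compute node immediately before the SecurityPEP node in the
-- per-operation subflow. Assumed field names: Properties.IdentitySourceType,
-- Properties.IdentitySourceToken, Properties.IdentitySourcePassword and the
-- token type value 'username'.
CREATE COMPUTE MODULE AuthzOnly_PrepareIdentity
	CREATE FUNCTION Main() RETURNS BOOLEAN
	BEGIN
		-- Copy the whole message, including the Properties folder that carries
		-- the identity fields populated by the SOAP Input node.
		SET OutputRoot = InputRoot;

		DECLARE userId CHARACTER InputRoot.Properties.IdentitySourceToken;

		-- Fail closed: with rejectBlankpassword=FALSE the PEP node no longer
		-- rejects an empty credential, so an empty user id must stop here.
		IF userId IS NULL OR LENGTH(TRIM(userId)) = 0 THEN
			THROW USER EXCEPTION VALUES('No authenticated user id in Properties.IdentitySourceToken');
		END IF;

		-- Present a username-only token: same user, no password. The profile
		-- with authentication='NONE' and authorization='LDAP' then only
		-- verifies group membership using its own (master) bind credentials.
		SET OutputRoot.Properties.IdentitySourceType = 'username';
		SET OutputRoot.Properties.IdentitySourceToken = userId;
		SET OutputRoot.Properties.IdentitySourcePassword = '';

		RETURN TRUE;
	END;
END MODULE;
```

Because the first (authenticating) profile already verified the password, nothing downstream loses assurance by dropping it; what matters is that the authorization step still receives the exact user id that was authenticated, which is why the token is copied rather than rebuilt from the SOAP body.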
Campbell
Posted: Tue Jul 09, 2013 9:34 pm Post subject:
Novice
Joined: 18 Feb 2013 Posts: 11
I have resolved these issues.
I set the rejectBlankPassword to FALSE and changed the settings in the PEP node from CurrentToken (which was actually usernameAndPassword) to Username.
My second issue was caused by my inability to comprehend the written word. I read the manual again and the questions I had about the security profile were all detailed in the manual.
Thanks for your help.