MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » WS-Security using Username & Password, IIB as Provider

WS-Security using Username & Password, IIB as Provider
Partha.Baidya
PostPosted: Fri Jan 12, 2018 10:31 am    Post subject: WS-Security using Username & Password, IIB as Provider

Voyager

Joined: 05 Nov 2009
Posts: 97

We are trying to configure WS-Security using Username & Password token for a Provide flow hosted in IIB.
What value should we pass in for authentication, propagation, authenticationConfig in mqsicreateconfigurableservice command while using Username tokens based authentication?

Code:
mqsicreateconfigurableservice IB10NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE


In the IIB infocentre there is documentation for LDAP, WS-Trust V1.3 & TFIM but no examples given if we use a basic one like only Username Token.
martinb
PostPosted: Mon Jan 15, 2018 3:49 am    Post subject:

Master

Joined: 09 Nov 2006
Posts: 210
Location: UK

Hi

The question you need to answer first is "how is the username and password going to be validated?"

The "Policy set and bindings" set on the SOAPInput node will require that input requests have a WS-Security header providing username and password.

The "SecurityProfile" set on the SOAPInput node is used to configure what is done with the username and password credentials.

Often an LDAP server is used to authenticate that these credentials are valid - hence you'd set authentication, to "LDAP" and setup the relevant authenticationConfig.

HTH
Partha.Baidya
PostPosted: Mon Jan 15, 2018 8:45 am    Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 97

We will store the user ID & password in a Database and validate from there instead of LDAP.
Request messages will send username and password in wsse Header.
martinb
PostPosted: Mon Jan 15, 2018 1:31 pm    Post subject:

Master

Joined: 09 Nov 2006
Posts: 210
Location: UK

Quote:
We will store the user ID & password in a Database and validate from there instead of LDAP.


From this I take it you're doing your own authentication within the flow logic, ie a compute node.

In this case I would

- Have the SOAP Input node set with Policy set and Bindings to set WSSE username and password
- Have the SOAP Input node set with the "Default Propagation" Security profile. The Default Propagation profile is a predefined profile that requests only identity propagation. (It has authentication = 'NONE', authenticationConfig = '' and propagation = 'TRUE')


This will ensure the input SOAP request has a username token WSSE header, and the username and password will be extracted to the Properties tree fields 'IdentitySourceToken' and 'IdentitySourcePassword', so you can have your Compute node validate them against your DB.
Partha.Baidya
PostPosted: Mon Jan 15, 2018 5:48 pm    Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 97

@martinb
Once I set Default Policy Set, Default Bindings & Default Propagation, I am getting the Username & Password in the Properties tree. But I am not getting Nonce and creation time.
Is there anyway to get Nonce & Creation time too from Properties tree?
My requirement is to calculate password digest from Nonce, Creation Time & DB stored password and compare the result with Request Password digest. I am using java code to create digest.
martinb
PostPosted: Tue Jan 16, 2018 1:24 am    Post subject:

Master

Joined: 09 Nov 2006
Posts: 210
Location: UK

Hi,

The SOAP WSSE UsernameToken Header Nonce and Created fields are not provided in the Properties tree.

You should be able to access these from the SOAP domain message tree in the "Header" folder.
Partha.Baidya
PostPosted: Tue Jan 16, 2018 9:40 am    Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 97

When I am using Default Policy Set, Default Bindings & Default Propagation I am not getting Nonce & Creation Time in the SOAP Header, nor in the Local Environment.

Is there any other way to get Nonce & Creation Time while using Policy Set?
Code:

<Message>
  <Properties>
    <IdentitySourceType>
    <IdentitySourceToken>
    <IdentitySourcePassword>
    <IdentitySourceIssuedBy>:CHARACTER:SOAP_WS_SECURITY
    <IdentityMappedType>:CHARACTER:
    <IdentityMappedToken>:CHARACTER:
    <IdentityMappedPassword>:CHARACTER:
    <IdentityMappedIssuedBy>:CHARACTER:
  <SOAP>
    <Header>
    <Body>
  </SOAP>
<LocalEnvironment>
  <SOAP>
    <Input>
      <Transport>
        <HTTP>
      </Transport>
      <WSS>
        <Identities>
          <usernameAndPassword>
            <username>
            <password>
          </usernameAndPassword>
        </Identities>
      </WSS>
    </Input>
  </SOAP>
martinb
PostPosted: Wed Jan 17, 2018 1:56 am    Post subject:

Master

Joined: 09 Nov 2006
Posts: 210
Location: UK

Hi

Quote:
When I am using Default Policy Set, Default Bindings & Default Propagation I am not getting Nonce & Creation Time in SOAP Header


Sorry, yes of course - if you have the IIB SOAP nodes configured with Policy Set and Bindings, you are telling it to deal with the relevant wsse:Security SOAP header, so it will, and in doing so "remove" it from the message tree propagated from the SOAP Input node.

In your case

Quote:
My requirement is to calculate password digest from Nonce, Creation Time & DB stored password and compare the result with Request Password digest. I am using java code to create digest.



You're needing to have the whole wsse:Security SOAP header, so you need to configure your SOAP Input node to just leave it and propagate it on.

So you would need to not set any Policy Set and Bindings, or Security Profile on the SOAP Input.

This means the SOAP Input will not impose any WS-Security, so messages with or without a WSSE username header will be passed into the message flow.

Your logic which is going to validate the password digest will have to also reject the SOAP input message if the WSSE username header, or any part of it is not present and correct in the SOAP domain message Header.
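The validation martinb describes, written out as an added standalone example (this is not code from the thread, from IIB, or from IBM; in a real flow the same logic would sit in a JavaCompute or Compute node reading the wsse:Security header left in the SOAP domain message tree). The namespace URIs and the PasswordDigest type are the real OASIS WS-Security 1.0 UsernameToken profile constants; the function names, the `lookup_password` hook standing in for the DB lookup, the `seen_nonces` set and the sample request are assumptions made for the example. Because the SOAP Input node no longer enforces anything, the check treats a missing or incomplete header, a stale `Created`, a replayed nonce and a wrong digest as rejections:

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs and the PasswordDigest type from the OASIS WS-Security 1.0
# UsernameToken profile (real constants, not assumptions).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def password_digest(nonce_b64, created, password):
    """PasswordDigest = Base64(SHA-1(nonce || created || password)).

    The nonce is concatenated as its raw decoded bytes; Created and the
    password as UTF-8 text. This is what a conforming client sends."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def parse_created(text):
    """Parse a wsu:Created timestamp (with or without fractional seconds) as UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def build_request(username, password, nonce_bytes, created):
    """Constructed sample request carrying a wsse:UsernameToken (client side)."""
    nonce_b64 = base64.b64encode(nonce_bytes).decode("ascii")
    digest = password_digest(nonce_b64, created, password)
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def validate_username_token(envelope_xml, lookup_password, seen_nonces,
                            now=None, max_skew=timedelta(minutes=5)):
    """Server-side check. Returns (True, username) or (False, reason).

    lookup_password(username) -> stored password or None is the hypothetical
    hook standing in for the DB lookup; seen_nonces is a set used to reject
    replays inside the freshness window."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "unparseable envelope"
    token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return False, "missing wsse:UsernameToken"
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    nonce = token.findtext(f"{{{WSSE_NS}}}Nonce")
    created = token.findtext(f"{{{WSU_NS}}}Created")
    if not username or pw_el is None or not pw_el.text or not nonce or not created:
        return False, "incomplete UsernameToken"
    if pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "password is not a PasswordDigest"
    created_dt = parse_created(created)
    if created_dt is None:
        return False, "bad Created timestamp"
    if abs(now - created_dt) > max_skew:
        return False, "Created outside freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    stored = lookup_password(username)
    # Digest against an empty secret for unknown users so the timing of the
    # check does not reveal whether the account exists.
    expected = password_digest(nonce, created, stored if stored is not None else "")
    if stored is None or not hmac.compare_digest(expected, pw_el.text):
        return False, "digest mismatch"
    seen_nonces.add(nonce)
    return True, username
```

The reason strings are for the flow's own logging; the SOAP fault returned to the caller should be the same for every rejection so that it does not act as a username or timestamp oracle. The nonce set only needs to hold values for as long as `max_skew` allows a `Created` to be accepted, after which old entries can be dropped.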
Partha.Baidya
PostPosted: Wed Jan 17, 2018 8:19 am    Post subject:

Voyager

Joined: 05 Nov 2009
Posts: 97

Hi martinb,

Thanks for your recommendation, now it is very clear how broker handles the security headers, and I am able to use the WSS header accordingly by writing custom java code to calculate the password digest from nonce, creation time & the password stored in DB.

Our requirement has been changed from storing the password in a Database to using an external security provider, Microsoft Active Directory, as LDAP.
I have a doubt whether LDAP will support password digest instead of clear text password.
Could you please let me know if this is possible?
PankajKr
PostPosted: Fri Nov 08, 2019 12:17 am    Post subject: Re: WS-Security using Username & Password, IIB as Provid

Newbie

Joined: 06 Nov 2019
Posts: 4

I have a similar requirement but am unable to achieve it, as I am getting the following error while trying to run the following command:

mqsicreateconfigurableservice ACE_NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE

BIP1042I: Command deprecated, please use policy projects instead.

I am using ACE v11 as the IIB version.

Partha.Baidya wrote:
We are trying to configure WS-Security using Username & Password token for a Provide flow hosted in IIB.
What value should we pass in for authentication, propagation, authenticationConfig in mqsicreateconfigurableservice command while using Username tokens based authentication?

Code:
mqsicreateconfigurableservice IB10NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE


In the IIB infocentre there is documentation for LDAP, WS-Trust V1.3 & TFIM but no examples given if we use a basic one like only Username Token.
abhi_thri
PostPosted: Fri Nov 08, 2019 5:08 am    Post subject: Re: WS-Security using Username & Password, IIB as Provid

Knight

Joined: 17 Jul 2017
Posts: 516
Location: UK

PankajKr wrote:
I have a similar requirement but am unable to achieve it, as I am getting the following error while trying to run the following command:

mqsicreateconfigurableservice ACE_NODE -c SecurityProfiles -o WSSecurityProfile -n authentication,authorization,propagation,authe -v "<value>,<value>,TRUE

BIP1042I: Command deprecated, please use policy projects instead.

I am using ACE v11 as the IIB version.



hi...that is expected as ACE uses policies instead of config services,
https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/bh19400_.htm#bh19400___policies

Quote:
At earlier releases, configurable services allow you to control and update connection properties and other operational properties of message flows and message flow nodes at run time. In IBM App Connect Enterprise Version 11.0, policies perform this administrative role.
PankajKr
PostPosted: Sat Nov 09, 2019 7:11 pm    Post subject:

Newbie

Joined: 06 Nov 2019
Posts: 4

Do we have any supporting documents in order to implement the same in ACE v11.0?
abhi_thri
PostPosted: Mon Nov 11, 2019 1:17 am    Post subject:

Knight

Joined: 17 Jul 2017
Posts: 516
Location: UK

PankajKr wrote:
Do we have any supporting documents in order to implement the same in ACE v11.0?


hi...the infocenter link I listed earlier does contain sub-links to related topics, https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/xi62000_.htm
PankajKr
PostPosted: Thu Nov 14, 2019 6:16 am    Post subject:

Newbie

Joined: 06 Nov 2019
Posts: 4

Thank you Partisan for your comment
abhi_thri wrote:
PankajKr wrote:
Do we have any supporting documents in order to implement the same in ACE v11.0?


hi...the infocenter link I listed earlier does contain sub-links to related topics, https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.etools.mft.doc/xi62000_.htm


I was able to propagate the UserName and Password to my Message Flow, and there I am cross-checking the entry against the credentials stored in DB.

I will mention the steps done so that it's helpful to other users:

ACE version : 11.0.0.5

1) I have created a BAR file of my Integration Service project by following these steps:
Right Click on Integration Service -> New -> Bar File

2) Provide the Container Name (you can leave the Folder Name empty) and provide the .bar file name.

3) Click on Finish; this will open the BAR File window.

4) Select the "Applications, shared libraries, services and REST APIs" radio button, and under Services select your Integration Service project.

5) Click on Build and Save Button.

6) Then click on the Manage tab and you can see the project which you selected in the above steps.

7) Expand Resources, Message Map until you see the SOAP Input node (which is my case) and click on it.

8) This will open the Configure window; scroll down to Security Profile and select 'Default Propagation'.

9) Save the Project and deploy it to your target server.

10) The above steps will propagate the UserName and Password to the Message Properties under Root.Properties.IdentitySourceUserName and Root.Properties.IdentitySourcePassword.

Now you can play around with the provided credentials in order to authenticate the user.