Authentication on the server with a token
Rgorbun44
Posted: Mon Aug 17, 2020 3:49 am Post subject: Authentication on the server with a token
Newbie
Joined: 17 Aug 2020 Posts: 4
HELLO!
Help me please!
Access to IBM is required not only within our company but also from external users.
We did it like this:
When accessing IBM, we add an authorization token in the HTTP headers, and if the token matches the expected key, IBM processes the request.
Please advise!
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?
We have 400 adapters deployed. Configuring every one of them is not a solution.
Vitor
Posted: Mon Aug 17, 2020 4:52 am Post subject: Re: Authentication on the server with a token
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Rgorbun44 wrote:
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?
Ok, you've posted this in the MQ security section but are using IIB/ACE terms; what "IBM" are you actually using? Give version numbers.
What do you mean by 400 "adapters"? What technology is this?
Rgorbun44 wrote:
When accessing IBM, we add an authorization token in the HTTP headers, and if the token matches the expected key, IBM processes the request.
What do you mean by "authorization token" in this context? X509? Kerberos? Inside of a fortune cookie?
Rgorbun44 wrote:
Is it possible to somehow check for the presence of this token for the entire broker or for the integration server?
No, and you wouldn't want one token that allows access to every single resource. What you're describing is every single consumer of the service (internal and external) being authorized before access is granted. Which is the absolutely normal pattern for an HTTP based service, and is typically done on a service by service basis by WS-Security, API security or one of the other standard patterns.
So you need to explain a lot more clearly what exactly you're trying to do, what software exactly you're trying to do it with and why the standard solutions don't work for you.
Better information, better advice.
_________________
Honesty is the best policy.
Insanity is the best defence.
Rgorbun44
Posted: Mon Aug 17, 2020 5:22 am Post subject: Re: Authentication on the server with a token
Newbie
Joined: 17 Aug 2020 Posts: 4
Vitor wrote: [full reply quoted above]
IBM Integration Toolkit
Version: 10.0.0.7.
There are about 400 applications on our server. Are you suggesting that I write authorization for each HTTPInput node?
I want a single authorization rule to be set on the server when accessing any HTTPInput node.
Vitor
Posted: Mon Aug 17, 2020 5:41 am Post subject: Re: Authentication on the server with a token
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Rgorbun44 wrote:
IBM Integration Toolkit
Version: 10.0.0.7.
There are about 400 applications on our server. Are you suggesting that I write authorization for each HTTPInput node?
No, I'm suggesting you use one of the standard patterns for securing an HTTP service that's supported by the HTTPInput node.
Rgorbun44 wrote:
I want a single authorization rule to be set on the server when accessing any HTTPInput node.
Like I said above, I really don't think having a single authorization controlling 400 applications is a good idea. I bet your internal security and the application owners won't be that happy about it either. I think you want (and need) security at a more granular level, which brings us back to the standard patterns.
What might be a good idea is to consider how you'd manage security if these 400 applications were running in an application server or similar. Where you'd put the security points, how you'd manage tokens, that sort of thing. Then map that security onto IIB. Unless you're doing something really freaky (and it doesn't sound like you are), you shouldn't need any code at all.
Rgorbun44
Posted: Mon Aug 17, 2020 6:01 am Post subject: Re: Authentication on the server with a token
Newbie
Joined: 17 Aug 2020 Posts: 4
Vitor wrote: [full reply quoted above]
Can you describe in more detail how to implement this authorization, or link to the documentation or to what I need to read in order to implement it?
Vitor
Posted: Mon Aug 17, 2020 8:18 am Post subject: Re: Authentication on the server with a token
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Rgorbun44 wrote:
Can you describe in more detail how to implement this authorization, or link to the documentation or to what I need to read in order to implement it?
It's unclear to me which technology you're using as you're talking about HTTPInput nodes and HTTP headers (which implies a REST service) but using tokens (which I associate more with SOAP WS-Security headers) as REST typically uses Basic-Auth.
All of this is covered in the documentation for the HTTPInput node here and also here. Using tokens with WS-Security is covered here.
You can find a good overview of IIB's security control points here. If you have more complex requirements, you can additionally use the SecurityPEP node, though I accept that requires you to add the node to 400 flows and is non-optimal.
Frankly, I think the HTTPInput node will do everything you're asking.
Rgorbun44
Posted: Tue Aug 18, 2020 2:06 am
Newbie
Joined: 17 Aug 2020 Posts: 4
Can I set up authorization on the broker / integration server by token, as a single rule? If a user accesses any application on my server with a token, they are let through; if not, access is denied.
Vitor
Posted: Tue Aug 18, 2020 5:15 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Rgorbun44 wrote:
Can I set up authorization on the broker / integration server by token, as a single rule? If a user accesses any application on my server with a token, they are let through; if not, access is denied.
I'm still not clear what you mean by "token". What's generating this token? What's administering it?
As to your question, the answer is "no" because what you're doing is not typical. As I've said a couple of times, it's much more common to have security at an application level or, if you prefer, very uncommon to have 400 applications with exactly the same access, authorization and authentication requirements.
You could, I imagine, put a single application in front of the other 400 that does this token check of yours and then routes the call on if the check is successful. I would, however, urge you to confirm this requirement with your site's security & audit teams. I have a very hard time believing they're happy with this.
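The "single application in front of the other 400" that Vitor sketches above, written out as an added example (this is not code from the thread, from IIB, or from either poster). It is a plain Python authorization check of the kind such a front-door flow would perform on each request: read the Authorization header, validate the bearer token, and only then name the back-end application the call may be routed to. The application paths, token values and sample requests are all constructed for the example. Tokens are registered per application rather than as one shared key, which is the granularity point the thread keeps coming back to, and comparisons use hmac.compare_digest so a mismatch does not leak timing information.

```python
"""Added example: a front-door bearer-token check for a gateway flow.

Nothing here is IIB API; it is the decision logic such a flow would run before
routing a call on. Registry contents and sample requests are constructed."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set


def _digest(token: str) -> bytes:
    # Store and compare SHA-256 digests so the gateway never keeps raw tokens.
    return hashlib.sha256(token.encode("utf-8")).digest()


# Constructed registry (assumption): which token digests may reach which
# application, keyed by the first path segment. Two clients for /billing.
TOKEN_REGISTRY: Dict[str, Set[bytes]] = {
    "/orders": {_digest("orders-token-1")},
    "/billing": {_digest("billing-token-A"), _digest("billing-token-B")},
}


@dataclass
class Decision:
    allowed: bool
    status: int          # HTTP status the gateway would return
    reason: str
    target: str = ""     # application the call is routed to when allowed


def _extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the bearer token, or None if the header is absent or malformed."""
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bearer" and parts[1].strip():
            return parts[1].strip()
        return None   # present but not a usable Bearer credential
    return None


def authorize(headers: Dict[str, str], path: str) -> Decision:
    """Decide whether a request to `path` carrying `headers` may be routed on."""
    token = _extract_bearer(headers)
    if token is None:
        return Decision(False, 401, "missing or malformed Authorization header")

    # First path segment selects the back-end application (constructed routing rule).
    app = "/" + path.lstrip("/").split("/", 1)[0]
    if app not in TOKEN_REGISTRY:
        return Decision(False, 404, "unknown application")

    presented = _digest(token)
    matched = False
    # Check every registered digest without stopping early, so the time taken
    # does not reveal which entry (if any) matched.
    for allowed in TOKEN_REGISTRY[app]:
        if hmac.compare_digest(presented, allowed):
            matched = True
    if not matched:
        return Decision(False, 403, "token not valid for this application")
    return Decision(True, 200, "ok", target=app)


if __name__ == "__main__":
    # Constructed sample requests showing each outcome.
    samples = [
        ({"Authorization": "Bearer orders-token-1"}, "/orders/123"),
        ({"authorization": "Bearer billing-token-B"}, "/billing"),
        ({"Authorization": "Bearer orders-token-1"}, "/billing"),   # wrong app
        ({}, "/orders"),                                           # no header
        ({"Authorization": "Basic dXNlcjpwYXNz"}, "/orders"),      # wrong scheme
    ]
    for hdrs, p in samples:
        d = authorize(hdrs, p)
        print(f"{p:14} -> {d.status} {d.reason} {d.target}")
```

The point of the per-application table is that the same gateway can hold different tokens (and different clients) for each back end, so the 400 flows behind it do not all share one key even though the check lives in one place; revoking a single client then means removing one digest rather than rotating a key that every consumer has.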