A security profile defines the security operations that are to be performed in a message flow at SecurityPEP nodes and at security-enabled input and output nodes.
Security profiles are configured by the integration administrator before deploying a message flow, and are accessed by the security manager at run time.
A security profile allows an integration administrator to specify whether identity and security token propagation, authentication, authorization, and mapping are performed on the identity or security tokens associated with messages in the message flow, and if so, which external security provider (also known as a Policy Decision Point or PDP) is used. IBM® Tivoli® Federated Identity Manager (TFIM) V6.1, and WS-Trust v1.3 compliant Security Token Service (including TFIM V6.2), are supported for authentication, authorization, and mapping. Lightweight Directory Access Protocol (LDAP) is supported for authentication and authorization.
Security profiles apply to the SecurityPEP node and to security-enabled input, output, and request nodes, and are configured by the administrator at deployment time in the BAR editor. These nodes have a Security Profile property (in the BAR editor), which can be left blank, set to No Security, or set to a specific security profile name. Set No Security to explicitly turn off security for the message flow node. If you leave the Security Profile property blank, the node inherits the Security Profile property that is set at the message flow level. If you leave the Security Profile property blank at both levels, security is turned off for the message flow node. When this property is set to the name of a specific security profile, that profile determines the message flow security that is configured. If the named security profile does not exist in the run time, the message flow fails to deploy. If the specified external security provider does not support the type of token configured on the node for the security operation, an error is reported and the message flow fails to deploy.
The security profile also specifies whether propagation is required. A pre-configured profile that specifies propagation is provided for use by output and request nodes. This profile is the Default Propagation security profile. This profile can also be used on an input node to extract tokens and put them into the message tree ready for propagation or processing in a SecurityPEP node.
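As an added illustration (not IBM code or configuration), the following Python models the Security Profile resolution described above: a blank node setting inherits the flow-level setting, No Security turns security off, a named profile must exist in the run time, and the profile's provider must support the operations asked of it, otherwise deployment fails. The provider table follows the statements on this page; the profile and provider identifiers are constructed for the example.

```python
"""Security Profile resolution for message flow nodes, modelled from the text
(added illustration, not IBM code): blank inherits the flow-level setting,
"No Security" turns security off, and a named profile must exist and be
supported by its provider, otherwise deployment fails."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

NO_SECURITY = "No Security"

# Operations each external security provider (PDP) supports, per the text: TFIM
# and a WS-Trust v1.3 STS do authentication, authorization and mapping; LDAP
# does authentication and authorization only.
PROVIDER_OPERATIONS: Dict[str, Set[str]] = {
    "TFIM": {"authentication", "authorization", "mapping"},
    "WS-Trust STS": {"authentication", "authorization", "mapping"},
    "LDAP": {"authentication", "authorization"},
}

class DeployError(Exception):
    """Raised when a node's security configuration would fail to deploy."""

@dataclass
class SecurityProfile:
    name: str
    provider: Optional[str] = None  # None for a propagation-only profile
    operations: Set[str] = field(default_factory=set)
    propagation: bool = False

def resolve_profile_name(node_setting: str, flow_setting: str) -> str:
    """Node setting wins; blank inherits the flow level; blank at both means off."""
    return node_setting.strip() or flow_setting.strip() or NO_SECURITY

def effective_profile(node_setting: str, flow_setting: str,
                      registry: Dict[str, SecurityProfile]) -> Optional[SecurityProfile]:
    """Profile the node uses, None when security is off; DeployError for the
    two deploy-time failures the text describes."""
    name = resolve_profile_name(node_setting, flow_setting)
    if name == NO_SECURITY:
        return None
    profile = registry.get(name)
    if profile is None:
        raise DeployError(f"security profile '{name}' does not exist in the run time")
    if profile.provider is not None:
        unsupported = profile.operations - PROVIDER_OPERATIONS.get(profile.provider, set())
        if unsupported:
            raise DeployError(f"{profile.provider} does not support {sorted(unsupported)}")
    return profile
```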
Security profiles contain values for the following properties:
For information on configuring a security profile for LDAP, TFIM, or a WS-Trust v1.3 compliant Security Token Service (STS), see Creating a security profile.