IBM Integration Bus, Version 10.0.0.1 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring for identity propagation

To enable a message flow to perform identity propagation, the input nodes must extract the identity and the output node must propagate it.

Before you begin

Before you can configure a message flow to perform identity propagation, you must check that an appropriate security profile exists, or create a new security profile. See Creating a security profile.

About this task

An input node extracts security tokens if it is configured with a security profile at deployment time. An output node propagates an identity if it is configured with a security profile that enables propagation at deployment time.

To enable a message flow to perform identity propagation, complete the following steps.

Procedure

By using the BAR editor, select a security profile that has identity propagation enabled. You can use the Default Propagation profile, which is a predefined profile that requests only identity propagation. You can set a security profile on a message flow or on individual input and output nodes. If no security profile is set for the input and output nodes, the setting is inherited from the setting on the message flow.
  1. In the Application Development view, right-click the BAR file, then click Open with > BAR Editor.
  2. Click the Manage and Configure tab.
  3. Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
  4. In the Security Profile Name field, select a security profile that has identity propagation enabled.
  5. Save the BAR file.
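The inheritance rule in the first step can be checked before deployment by resolving the effective security profile of every node from the BAR file's deployment descriptor. The following audit script is an added example, not IBM-supplied code. It assumes that overrides are recorded as `ConfigurableProperty` elements with a `uri` of the form `flow#securityProfileName` or `flow#node.securityProfileName`; the flow, node and `LdapAuthOnly` profile names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "securityProfileName"

# Constructed descriptor (assumed shape of META-INF/broker.xml inside a BAR file).
# "LdapAuthOnly" is a hypothetical profile without identity propagation.
SAMPLE = """<Broker>
 <CompiledMessageFlow name="OrderFlow">
  <ConfigurableProperty uri="OrderFlow#securityProfileName" override="Default Propagation"/>
  <ConfigurableProperty uri="OrderFlow#HTTP Input.securityProfileName"/>
  <ConfigurableProperty uri="OrderFlow#SOAP Request.securityProfileName" override="LdapAuthOnly"/>
 </CompiledMessageFlow>
 <CompiledMessageFlow name="AuditFlow">
  <ConfigurableProperty uri="AuditFlow#securityProfileName"/>
  <ConfigurableProperty uri="AuditFlow#MQ Input.securityProfileName"/>
 </CompiledMessageFlow>
</Broker>"""


def effective_profiles(broker_xml):
    """Return {flow: {node: (profile, source)}}, source in node/flow/unset."""
    result = {}
    for flow in ET.fromstring(broker_xml).iter("CompiledMessageFlow"):
        flow_profile, nodes = None, {}
        for cp in flow.iter("ConfigurableProperty"):
            # uri is "flow#property" (flow level) or "flow#node.property" (node level)
            target, _, prop = cp.get("uri", "").partition("#")[2].rpartition(".")
            if prop != PROP:
                continue
            value = cp.get("override") or None
            if target:
                nodes[target] = value
            else:
                flow_profile = value
        # A node with no profile of its own inherits the message flow's setting.
        result[flow.get("name")] = {
            node: (own, "node") if own
            else (flow_profile, "flow" if flow_profile else "unset")
            for node, own in nodes.items()
        }
    return result


def not_propagating(broker_xml, propagating):
    """Nodes whose effective profile is not in the propagation-enabled set."""
    return [(f, n, p, s)
            for f, nodes in effective_profiles(broker_xml).items()
            for n, (p, s) in nodes.items() if p not in propagating]
```

Pass the set of profile names that have identity propagation enabled in your environment as `propagating`; any node returned by `not_propagating` either overrides the flow-level profile or has no profile at all.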

What to do next

For a SOAPRequest or SOAPAsyncRequest node, you can define an appropriate policy set and bindings to specify how the propagated identity is placed in the WS-Security header (rather than the underlying transport headers). For more information, see Policy sets.

On SOAPRequest and SOAPAsyncRequest nodes, only Username and SAML tokens can be propagated. However, on the SOAPRequest and SOAPAsyncRequest nodes with a Kerberos policy set and bindings, a Username and password token can be propagated into the node to provide the Kerberos client credentials.

For the SAPRequest node, you can propagate only the user name and password. For the CICSRequest and IMSRequest nodes, you can propagate the user name, or the user name and password.

If the message identity does not contain enough information for identity propagation, you can use any of the following methods to acquire the necessary information:

ap04160_.htm | Last updated 2015-05-28 20:51:38