IBM Integration Bus, Version 10.0.0.3 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Authorization by using SSL Client Certificates

Client authentication data for SSL X509 certificates can be propagated into the local environment and used for authorization.

When you implement a message flow to use SSL authentication, you can check authenticated client certificates for authorization. When a security profile is configured for authorization and set on the input node, the data is passed to a security manager. An integration node security manager receives the relevant parts of the certificate for authorization and sends them to the properties parser. During authentication, data from the identity or security token that is provided replaces the values in the identity fields of the properties tree. This data can be from a Basic-Auth transport header or a WS-Security token, for example. Parameter data in the certificate replaces fields in the properties tree. The following fields are reset with new data:

When you use the SOAPInput, HTTPInput, SCAInput, or TCPIPServerInput nodes, properties tree fields contain the information from the client certificate. Propagation is not enabled automatically, but when it is enabled, the certificate is processed throughout the message flow and propagated to output or request nodes. By populating the local environment, the certificate data becomes available to the rest of the message flow.

A higher level of authentication (such as Basic-Auth or WS-Security) can overwrite the properties tree. Because the properties tree data is then missing, you cannot authorize the client at the input node. However, you can use a SecurityPEP node to locate the authentication (or other certificate) fields in the local environment and do the authorization there. You can locate client certificates by using the local environment path LocalEnvironment.input_node_name.Input.TransportSecurity.ClientAuth.Certificate, where input_node_name is one of SOAP, HTTP, SCA, or TCPIP.
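The following Compute node module is an added example and is not part of the IBM Integration Bus documentation or product code. It shows a flow reading the propagated certificate at the path given above, with input_node_name set to HTTP, rejecting the message when no certificate was propagated, and copying the certificate subtree to a node-independent location for later nodes. The module name and the Variables.ClientCertificate target are hypothetical; no field names below the Certificate folder are assumed.

```esql
-- Added example, not from the IBM documentation. Assumes an HTTPInput node with
-- client certificate propagation enabled upstream of this Compute node.
CREATE COMPUTE MODULE RequireClientCertificate_Compute
  CREATE FUNCTION Main() RETURNS BOOLEAN
  BEGIN
    -- Start from the incoming local environment so everything set upstream is kept.
    SET OutputLocalEnvironment = InputLocalEnvironment;

    -- Path from the documentation, with input_node_name = HTTP.
    DECLARE certRef REFERENCE TO
      InputLocalEnvironment.HTTP.Input.TransportSecurity.ClientAuth.Certificate;

    -- LASTMOVE is FALSE when the DECLARE could not resolve the path,
    -- that is, when no client certificate was propagated.
    IF NOT LASTMOVE(certRef) THEN
      -- BIP2951 is the user-defined message in BIPmsgs; the text is its only insert.
      THROW USER EXCEPTION CATALOG 'BIPmsgs' MESSAGE 2951
        VALUES('Request rejected: no SSL client certificate in LocalEnvironment');
    END IF;

    -- Copy the whole certificate subtree to a hypothetical node-independent location,
    -- so later nodes need not know which input node received the message.
    SET OutputLocalEnvironment.Variables.ClientCertificate = certRef;

    -- Pass the message body through unchanged.
    SET OutputRoot = InputRoot;
    RETURN TRUE;
  END;
END MODULE;
```

Wire this Compute node between the HTTPInput node and the SecurityPEP node; the SecurityPEP node then performs the authorization, while this module only guarantees that a certificate is present and exposes it under one path regardless of the input node type.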

Different nodes access the client certificate in different ways:

bc49120_.htm | Last updated 2015-11-27 00:01:21