IBM Integration Bus, Version 10.0.0.5 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Providing credentials in HTTP requests

Use a security profile to configure HTTPRequest and SOAPRequest nodes to authenticate with a remote server.

About this task

Basic authentication is a common extension in the HTTP protocol that allows a client to provide identity information to a remote web server in the form of a username and password sent in the HTTP header data. Security profiles in IBM® Integration Bus provide a way for message flow designers to provide these credentials without building the HTTP headers in a Compute node.

If identity propagation is enabled for the selected security profile, the HTTPRequest and SOAPRequest nodes automatically pick up username and password credentials, if present, from the Properties tree. See Configuring a message flow for identity propagation. The predefined security profile Default Propagation has this setting enabled.

If your integration node runs on Windows, you can choose to use additional protocols to pass identity information with the HTTP request, which avoids passing the user name and password in the clear. The identity used is obtained from the Properties tree in the same way as for basic authentication. These protocols include NT LAN Manager (NTLM), Kerberos, and Simple and Protected Negotiation (SPNEGO), collectively known as Integrated Windows Authentication (IWA), and are controlled at the integration server level. For more information, see Providing credentials for outbound requests by using IWA.

To enable basic authentication, select an appropriate security profile for the output node or the message flow in the BAR file editor. The credentials are picked up from the following Properties tree locations if set:

Properties.IdentityMappedType
Properties.IdentityMappedToken
Properties.IdentityMappedPassword

If the mapped identity fields are not set, the credentials are picked up from the following Properties tree locations:

Properties.IdentitySourceType
Properties.IdentitySourceToken
Properties.IdentitySourcePassword

Basic authentication requires both a username and a password, so the appropriate Type field must be set to the string usernameAndPassword. For example:

SET OutputRoot.Properties.IdentitySourceType = 'usernameAndPassword';
SET OutputRoot.Properties.IdentitySourceToken = 'myUser';
SET OutputRoot.Properties.IdentitySourcePassword = 'myPassw0rd';
SET OutputRoot.Properties.IdentitySourceIssuedBy = 'myDomain';

These fields are interpreted by a subsequent HTTPRequest or SOAPRequest node and converted into a basic authentication HTTP header.
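
The following Python sketch is an added example, not IBM code. It models the conversion described above: mapped identity fields are preferred over source fields, the Type field must be usernameAndPassword, and the result is a Basic Authorization header that decodes back to the password without any key. The function names and the rule that an empty Token means "not set" are assumptions.

```python
import base64

# Property names are from the page; the selection and encoding logic is an
# assumed model of the behaviour described, not IBM's implementation.
REQUIRED_TYPE = "usernameAndPassword"


def select_identity(props):
    """Return (token, password), preferring Mapped fields over Source fields."""
    for prefix in ("IdentityMapped", "IdentitySource"):
        token = props.get(prefix + "Token")
        if not token:
            continue  # assumption: an unset or empty Token means "not set"
        if props.get(prefix + "Type") != REQUIRED_TYPE:
            raise ValueError(prefix + "Type must be " + REQUIRED_TYPE)
        password = props.get(prefix + "Password")
        if password is None:
            raise ValueError(prefix + "Password is required")
        if ":" in token:
            # RFC 7617: the user-id cannot contain a colon
            raise ValueError("username must not contain ':'")
        return token, password
    return None  # no credentials in the Properties tree


def basic_auth_header(props):
    """Build the Authorization header value, or None if no identity is set."""
    identity = select_identity(props)
    if identity is None:
        return None
    raw = "{}:{}".format(*identity).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Recover (user, password) from a header value; no key is involved."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


# Constructed sample: the values from the page's ESQL example.
SAMPLE = {
    "IdentitySourceType": "usernameAndPassword",
    "IdentitySourceToken": "myUser",
    "IdentitySourcePassword": "myPassw0rd",
}
```

Calling decode_basic(basic_auth_header(SAMPLE)) returns the original user name and password, which is why a request carrying this header should be sent only over a TLS-protected connection.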

You can also propagate credentials from an input message by setting a security profile that includes propagation on an input node, and then using the input node properties Identity token type, Identity token location and Identity password location. These three properties take an XPath expression that specifies the location in the input message from which to retrieve the appropriate token or password. When configured correctly, these properties place the identity information in the Properties.IdentitySourceType, Properties.IdentitySourceToken and Properties.IdentitySourcePassword fields. HTTPRequest or SOAPRequest nodes then use these values directly, with an appropriate security policy.

You can override the configuration of the security profile by selecting the build option Override configurable property values in the BAR file editor.


bp19260_.htm | Last updated 2016-06-25 08:09:05