Before you begin
Your IBM Integration Bus must be running on the Windows operating system. If IBM Integration Bus is running on a different operating system, an IWA-secured remote service cannot be consumed.
Your message flow must include an HTTPRequest node, a SOAPRequest node, or both. If your message flow includes an HTTPRequest node, you must set the HTTP version property to 1.1 and select Enable HTTP/1.1 keep-alive on the HTTP Settings tab in the Properties view of the node.
A security identity is required for outbound authentication. By default, the identity credentials of the integration node user ID (the serviceUserId parameter that is specified by the mqsicreatebroker command) are sent to the remote service for authentication. If you require a specific security identity to be propagated, you must set the appropriate identity credentials in the Properties tree. For more information, see Providing credentials in HTTP requests.
About this task
Use the following commands to set up and manage outbound support for the NTLM, Kerberos, SPNEGO, and SPNEGO-2 protocols, which together are referred to as Integrated Windows Authentication (IWA). By default, IWA is enabled.
To consume a remote service that is secured with IWA, run the following command:
mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager -n allowedAuthTypes -v "PropertyValue"
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- PropertyValue is one of the following values:
  - IWA: Allow the integration node to authenticate by using any IWA protocol.
  - NTLM: Allow the integration node to authenticate by using the NTLM protocol.
  - Negotiate: Allow the integration node to authenticate by using the SPNEGO process to negotiate the use of the NTLM or Kerberos protocols.
  - Nego2: Allow the integration node to authenticate by using the SPNEGO-2 process to negotiate the use of the NTLM or Kerberos protocols.
  - Basic: Allow authentication with Basic Authentication.
  - All: Allow authentication with any supported protocol from this list.
  - None: Do not authenticate.
Multiple values can be given, separated by a semicolon or a space, and these values are not case-sensitive. IBM Integration Bus selects one value from the IWA protocols that the server supports, in the following order of preference: Nego2, Negotiate, NTLM.
When security is enabled, the HTTPRequest and SOAPRequest nodes wait for a 401 response from the server that indicates which authentication mechanisms the server supports. The nodes then use the highest-ranked supported protocol for the connection, selected in the order listed previously. Once connected, the nodes use this protocol to authenticate pre-emptively until the flow is stopped or the allowedAuthTypes property is changed.
To configure any of the protocols to be used pre-emptively, run the following command:
mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager -n preemptiveAuthType -v "PropertyValue"
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- PropertyValue is one of the following values:
  - Basic: Pre-emptively authenticate by using Basic Authentication.
  - NTLM: Pre-emptively authenticate by using the NTLM protocol.
  - Negotiate: Pre-emptively authenticate by using the SPNEGO process to negotiate the use of the NTLM or Kerberos protocols.
  - Nego2: Pre-emptively authenticate by using the SPNEGO-2 process to negotiate the use of the NTLM or Kerberos protocols.
For more advanced scenarios, the following optional configuration properties can also be used with the ComIbmSocketConnectionManager object:
- allowNtlmNegotiation='TRUE': Set to 'FALSE' to prevent NTLM from being negotiated with the SPNEGO and SPNEGO-2 protocols. The default value is 'TRUE'.
- negotiateMutualAuth='FALSE': Set to 'TRUE' if you require mutual authentication when the Kerberos protocol is negotiated. The default value is 'FALSE'.
Note: When IBM Integration Bus authenticates by using Kerberos, the integration node automatically generates a service principal name (SPN) for the service, based on the host name of the request. For example, if the URL for the service is http://iib.iibservice/testservice/service1.svc, the SPN is assumed to be HTTP/iib.iibservice. If the service is registered under a different SPN, use the following local environment overrides to provide an explicit SPN for the service:
- HTTP:
  SET OutputLocalEnvironment.Destination.HTTP.ServicePrincipalName = 'HTTP/iib.iibservice2.com:7800';
- SOAP:
  SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ServicePrincipalName = 'HTTP/iib.iibservice2.com:7800';
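The following is an added example, not IBM's code: it models the selection behaviour described above (allowedAuthTypes parsing, the Nego2, Negotiate, NTLM preference order applied to what the server's 401 advertises) together with the default SPN derivation from the note. It assumes the server's advertised mechanisms are named like the property values, that Basic ranks below the IWA protocols, and that the default SPN carries no port, none of which the page states.

```python
from urllib.parse import urlsplit

# Preference order the page states for choosing among the server's IWA protocols:
# Nego2, then Negotiate, then NTLM. Ranking Basic last is an assumption; the page
# does not say where Basic falls relative to the IWA protocols.
PREFERENCE = ["Nego2", "Negotiate", "NTLM", "Basic"]
ALIASES = {"iwa": ["Nego2", "Negotiate", "NTLM"], "all": list(PREFERENCE)}
CANONICAL = {p.lower(): p for p in PREFERENCE}

def parse_allowed_auth_types(value):
    """Expand an allowedAuthTypes value (';' or space separated, case-insensitive)."""
    allowed = []
    for token in value.replace(";", " ").split():
        t = token.lower()
        if t == "none":
            return []  # None: do not authenticate at all
        if t in ALIASES:
            names = ALIASES[t]
        elif t in CANONICAL:
            names = [CANONICAL[t]]
        else:
            raise ValueError(f"unknown allowedAuthTypes value: {token}")
        for n in names:
            if n not in allowed:
                allowed.append(n)
    return allowed

def select_protocol(allowed_value, server_offers):
    """Highest-ranked protocol that is both allowed and advertised in the server's 401.
    Assumption: server_offers uses the same names as the property values."""
    allowed = parse_allowed_auth_types(allowed_value)
    offered = {o.lower() for o in server_offers}
    for name in PREFERENCE:
        if name in allowed and name.lower() in offered:
            return name
    return None  # nothing usable: the request cannot be authenticated

def default_spn(url):
    """SPN the node derives from the request host name, e.g. HTTP/iib.iibservice.
    Assumption: no port in the default SPN; the page shows only the host name."""
    host = urlsplit(url).hostname
    return f"HTTP/{host}" if host else None

def plan_outbound_auth(url, allowed_value, server_offers, spn_override=None):
    """Protocol the node will use, and the SPN targeted when Kerberos may be negotiated."""
    protocol = select_protocol(allowed_value, server_offers)
    spn = (spn_override or default_spn(url)) if protocol in ("Nego2", "Negotiate") else None
    return {"protocol": protocol, "spn": spn}
```

Pass the ServicePrincipalName local environment override as spn_override to see it take precedence over the derived default.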
To check the current outbound authentication setting, run the following command:
mqsireportproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager -r
The following output is displayed within the connector properties:
- allowedAuthTypes='PropertyValue'
Where PropertyValue is NTLM, Negotiate, Nego2, None, or Basic. If multiple values are set, they are separated by a semicolon.
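As an added example (not part of the IBM documentation), the following checker reads the name='value' lines of the connector properties reported above and flags settings a reviewer would want to look at: Basic or standalone NTLM allowed, NTLM still negotiable under SPNEGO, and Kerberos mutual authentication left off. The sample report text is constructed; only the three property names are taken from this page.

```python
import re

# Constructed sample of the connector properties section printed by
# mqsireportproperties ... -o ComIbmSocketConnectionManager -r (not real output).
SAMPLE_REPORT = """\
ComIbmSocketConnectionManager
  allowedAuthTypes='NTLM;Negotiate;Basic'
  allowNtlmNegotiation='TRUE'
  negotiateMutualAuth='FALSE'
"""

PROP_RE = re.compile(r"^\s*(\w+)='([^']*)'\s*$")

def parse_connector_properties(report):
    """Collect name='value' lines into a dict; any other line is ignored."""
    props = {}
    for line in report.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess_outbound_auth(props):
    """Return (code, message) findings. Defaults mirror the page: IWA allowed,
    allowNtlmNegotiation TRUE, negotiateMutualAuth FALSE."""
    tokens = {t.lower() for t in props.get("allowedAuthTypes", "IWA").replace(";", " ").split()}
    ntlm_negotiable = props.get("allowNtlmNegotiation", "TRUE").upper() != "FALSE"
    mutual = props.get("negotiateMutualAuth", "FALSE").upper() == "TRUE"
    negotiating = tokens & {"negotiate", "nego2", "iwa", "all"}
    findings = []
    if "none" in tokens:
        findings.append(("NO_AUTH", "allowedAuthTypes is None: requests are sent unauthenticated"))
    if tokens & {"basic", "all"}:
        findings.append(("BASIC", "Basic Authentication allowed: credentials are protected only over HTTPS"))
    if tokens & {"ntlm", "iwa", "all"}:
        findings.append(("NTLM_DIRECT", "NTLM allowed as a standalone protocol"))
    if negotiating and ntlm_negotiable:
        findings.append(("NTLM_VIA_SPNEGO", "NTLM can still be negotiated; set allowNtlmNegotiation to FALSE for Kerberos only"))
    if negotiating and not mutual:
        findings.append(("NO_MUTUAL", "Kerberos mutual authentication off; set negotiateMutualAuth to TRUE"))
    return findings

def audit(report=SAMPLE_REPORT):
    """Parse a report and return its findings (empty list means nothing flagged)."""
    return assess_outbound_auth(parse_connector_properties(report))
```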