WebSphere Message Brokers
File: ap04110_
Writer: Stephanie J Strugnell

Task topic

This build: July 31, 2007 21:34:48

Configuring identity

Input nodes can retrieve identity from the bitstream. For example, an MQ input node retrieves the UserIdentifier from the message descriptor (MQMD) and puts it in the Identity Source Token element of the properties folder. At the same time, it sets the Identity Source Type element to username and the Identity Source Issued By element to MQMD.PutApplName (the put application name).

However, this information is not sufficient to perform authentication. For authentication to occur, a usernameAndPassword type token is required. If no such token is available, the incoming identity has to be trusted as presented, although you can reduce this exposure by applying transport-level security using MQ Extended Security Edition for MQ.

If authentication is required, the username and password information must be provided as part of the incoming message. To enable this, the flow must include a path into the message to locate the security information. You specify this information using the Security tab on the Input nodes:

  1. In Identity Token Type, specify the type of identity token that is in the message. The type can have one of the following values:
    • None
    • Username
    • UsernameAndPassword
    • X.509
    The default is Username.
  2. In Identity Token Location, specify the location in the message where the identity is specified. This is in the form of an ESQL path or XPath expression, and must resolve to a token with the type Username, UsernameAndPassword, or X.509. If you leave this option blank, the identity is retrieved from the MQMD.UserIdentifier transport header.
  3. In Identity Password Location, enter the location in the message where the password is specified. This is in the form of an ESQL path or XPath expression, and must resolve to a string containing a password. This option can be set only if the Identity Token Type is set to usernameAndPassword. If you leave this option blank, the password is not set.
  4. In Identity IssuedBy Location, specify a string or path expression to show where (in the message) information about the issuer of the identity is held. This is in the form of an ESQL path, XPath expression, or literal defining where the identity was defined. If you leave this blank, the MQMD.PutApplName value is used.
  5. Promote the properties to the flow. This ensures that all input nodes share the same information.
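
The resolution rules in steps 1 to 4, modelled in Python as an added example (this is not broker code or IBM's implementation). It covers only the Username and UsernameAndPassword token types; the function name, the sample message, the ElementTree paths standing in for ESQL/XPath locations, and the "./" test for telling a path from a literal are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a message body and the two MQMD fields the page names.
SAMPLE_BODY = ("<Order><Security><User>alice</User><Pass>s3cret-constructed</Pass>"
               "<Issuer>PartnerPortal</Issuer></Security><Item>42</Item></Order>")
SAMPLE_MQMD = {"UserIdentifier": "mqapp01", "PutApplName": "orders.exe"}

def resolve_identity(body_xml, mqmd, token_type="Username", token_location="",
                     password_location="", issued_by_location=""):
    """Hypothetical model of the Security tab rules; returns the identity fields."""
    if token_type not in ("Username", "UsernameAndPassword"):
        raise ValueError("this model covers only the two username token types")
    root = ET.fromstring(body_xml)

    def lookup(path):
        node = root.find(path)
        if node is None or node.text is None:
            raise ValueError(f"location {path!r} does not resolve to a value")
        return node.text.strip()

    # Step 2: a blank token location falls back to MQMD.UserIdentifier.
    token = lookup(token_location) if token_location else mqmd["UserIdentifier"]

    # Step 3: a password location is valid only for UsernameAndPassword;
    # left blank, the password is simply not set.
    password = None
    if password_location:
        if token_type != "UsernameAndPassword":
            raise ValueError("password location requires UsernameAndPassword")
        password = lookup(password_location)

    # Step 4: blank means MQMD.PutApplName; otherwise a path or a literal.
    # Assumption of this model: anything starting with "./" is a path.
    if not issued_by_location:
        issued_by = mqmd["PutApplName"]
    elif issued_by_location.startswith("./"):
        issued_by = lookup(issued_by_location)
    else:
        issued_by = issued_by_location

    return {
        "type": token_type, "token": token,
        "password": password, "issued_by": issued_by,
        # Authentication needs a usernameAndPassword token; a bare username
        # (including the MQMD default) can only be trusted, not verified.
        "can_authenticate": token_type == "UsernameAndPassword" and password is not None,
    }
```

With every location left blank the result carries only the MQMD values and `can_authenticate` is false, which is the trusted-identity case described before the steps.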

Copyright IBM Corporation 1999, 2007. All Rights Reserved.