WebSphere Message Brokers
File: ap04150_
Writer: Stephanie J Strugnell

Task topic

This build: July 31, 2007 21:34:51

Configuring authorization

Before you start:

Before you can configure a message flow to perform authorization, you need to check that an appropriate security profile exists, or create a new security profile. See Configuring a security profile.

LDAP:

When LDAP is used for authorization, the broker needs to determine whether the incoming username is a member of the given group. To do this, the broker needs the following information:
  • To resolve the username to an LDAP entry, the broker needs to know the base distinguished name (Base DN) of the accepted login IDs. This is required to enable the broker to differentiate between different entries with the same name.
  • To get an entry list from a group name, the group name must be the distinguished name of the group, not just a common name. An LDAP search is made for the group, and the username is checked by finding an entry matching the distinguished name of the user.
  • If your LDAP directory does not permit anonymous logins, use the mqsisetdbparms command to specify a username and password:
    mqsisetdbparms -n LDAP -u username -p password
    or
    mqsisetdbparms -n <servername> -u username -p password
    where <servername> is your base LDAP server name, for example, ldap.mydomain.com.
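
The membership check described in the list above, modelled in Python as an added example (not IBM's or the broker's code). The directory contents, the DNs, the `uid` naming attribute and the subtree match below the Base DN are assumptions for illustration; DN normalization is simplified and does not handle escaped commas.

```python
# Constructed sample directory (hypothetical DNs); a model of the check, not broker code.
DIRECTORY = {
    "uid=jsmith,ou=people,dc=example,dc=com": {"uid": ["jsmith"]},
    "uid=jsmith,ou=contractors,dc=example,dc=com": {"uid": ["jsmith"]},
    "cn=payments,ou=groups,dc=example,dc=com": {
        "member": ["UID=jsmith, OU=people, DC=example, DC=com"],
    },
}

def norm_dn(dn):
    """Simplified DN normalization: lowercase, trim spaces around each RDN and '='."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def resolve_user(username, base_dn, naming_attr="uid"):
    """Resolve a login ID to exactly one entry DN at or below base_dn."""
    base = norm_dn(base_dn)
    hits = [dn for dn, attrs in DIRECTORY.items()
            if (norm_dn(dn) == base or norm_dn(dn).endswith("," + base))
            and username in attrs.get(naming_attr, [])]
    if len(hits) != 1:
        # Two entries with the same name: the Base DN is too broad to pick one.
        raise LookupError(f"{username!r} matched {len(hits)} entries under {base_dn!r}")
    return hits[0]

def is_authorized(username, base_dn, group_dn):
    """True only if the user's DN is listed in the group entry found by its DN."""
    index = {norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}
    group = index.get(norm_dn(group_dn))
    if group is None:  # e.g. a bare common name such as "payments"
        return False
    user_dn = norm_dn(resolve_user(username, base_dn))
    members = group.get("member", []) + group.get("uniqueMember", [])
    return user_dn in {norm_dn(m) for m in members}
```
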

To enable an existing message flow to perform authorization:

On the Security tab for each input node, select a security profile that has authorization enabled:

[Screen capture of the Security tab on the MQInput Node Properties panel.]

Related concepts
  • Identity
  • Authentication
  • Identity mapping
  • Authorization
  • Identity propagation
  • Security profiles
  • Security exception processing

Related tasks
  • Configuring identity
  • Configuring authentication
  • Configuring identity mapping
  • Configuring a security profile
  • Configuring a message flow for identity propagation
  • Setting up message flow security

Related reference
  • mqsicreateconfigurableservice command
  • mqsideleteconfigurableservice command
  • mqsichangeproperties command
  • mqsireportproperties command
  • MQInput node
  • HTTPInput node
  • HTTPRequest node
  • MQOutput node

Copyright IBM Corporation 1999, 2007. All Rights Reserved.