Securing your WebSphere Message Broker
David Coles – WebSphere Message Broker Level 3 Service, IBM Hursley – dcoles@uk.ibm.com
Wednesday 4th August 2010
• Welcome to this Technical Introduction to securing your WebSphere Message Broker.
• Some slides in this presentation have at least one corresponding notes slide like this one, which contains further information on the topic being discussed, and/or links to web pages.
• Only this notes slide will be shown during the presentation. To view all other notes slides, please download and view a copy of this presentation.
• The WebSphere Message Broker homepage can be found at http://www.ibm.com/software/integration/wbimessagebroker/
Agenda
• Introduction
• Administration security
  • Message Broker V7 recap
  • Security exits
  • Channel security
• Runtime security
  • Transport security
  • Database security
• Message flow security
  • Security Manager
  • WS-Security
• Demo / Sample
• Summary
Notes: Agenda
• This presentation is divided into several sections. We'll begin by describing what security is and why it is important. We'll then relate this to the different areas of Message Broker.
• Message Broker exposes three important concepts relating to security. We'll introduce administration security, runtime security and message flow security, looking into each concept, explaining how it applies to Message Broker, giving an overview of the functionality and an introduction to its configuration.
• Finally we'll highlight a technology sample that is supplied with Message Broker that really showcases the exciting new functionality available for message flow security.
Introduction - Security Overview
• Security is about preventing unauthorised access
  • The need to know
• Covers multiple aspects of Message Broker configuration and usage
• Computer security generally refers to the 3 A's
  • Authentication
    • Is the user who they say they are
  • Authorization
    • Is the user allowed to perform the given action
  • Accounting
    • Keeping track of who is accessing a resource and when
Introduction - Security Overview
(Diagram labels: Broker, EG, Message Broker Toolkit, Message Broker Explorer)
Notes: Introduction - Security Overview
• Three main areas to Message Broker security
  • Administration security
    • Who is authorized to perform administrative actions on a Broker
  • Runtime security
    • Who is authorized to submit messages to a Broker
  • Message Flow Security
    • End-to-end processing of the message on the behalf of the identity in the message
Administration Security (V6.X Recap)
(Diagram labels: Message Broker Toolkit, Configuration Manager Proxy, Command line, Command line, Configuration Manager, Broker, Third Party Tools, Third Party Tools)
Administration Security (V7)
(Diagram labels: Message Broker Toolkit / MBX, Command line, Command line, Configuration Manager, Broker, Third Party Tools, Third Party Tools, CMP API)
Notes: Administration Security
• Restriction of user access
  • Who is authorized to deploy resources to Brokers
  • Who is authorized to run Broker administrative commands
• Access controlled by WMQ access control model
  • Preventing unauthorized access to deployment messages
• Security exits
• Channel security
Configuration Manager Removal - Benefits
• The Broker environment will be a lot easier to manage
  • One view of the world
  • More information returned to tools
  • Much improved connect and deploy times
• Long-standing niggles have been eliminated. V7 has:
  • One-step broker creation (i.e. no CM association step)
  • No "Deployment already in progress" messages
  • No CM/Broker Synchronization problems
  • Cancel Deployment
  • Performance
• As well as:
  • No service user ID requirement on non-Windows platforms
  • No default execution groups (i.e. to host pub/sub)
Configuration Manager Responsibilities

Responsibility                     | In V7
-----------------------------------|-----------------------------------
Interaction with Tools (CMP apps)  | Broker handles admin connections
Deployment                         | Broker handles BAR file deployment
Manages the pub/sub topology       | Pub/Sub managed using MQ v7 tools
Managing subscriptions             | Pub/Sub managed using MQ v7 tools
Manages the topics hierarchy       | Pub/Sub managed using MQ v7 tools
Enforcing administrative security  | Broker is Policy Enforcement Point
Managing administrative security   | Security managed using MQ
Owner of a domain of brokers       | Domains concept has been removed
• Simplified administrative security in V7 allows 3 levels of authorisation for administrative actions:
  • Reading
  • Writing
  • Executing (i.e. starting and stopping)
• On two object types:
  • Broker
  • Execution Group
• Administrative security is not enabled by default
• Access controlled using MQ queues on the Broker's queue manager
• Guidance provided for migration from CM ACLs
  • Though there is not a one-to-one mapping
Administrative Security - Security Queues
SYSTEM.BROKER.AUTH
SYSTEM.BROKER.AUTH.<egname>
+inq = Read
+put = Write
+set = Execute
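The +inq / +put / +set mapping above is applied on the queue manager with the MQ setmqaut command. The following added Python example (not from the presentation or from IBM) turns a least-privilege grant list into those setmqaut commands for the broker queue and per-execution-group queues, and translates an existing authority list back into the slide's Read/Write/Execute levels for an access review. The setmqaut form used is `setmqaut -m <qmgr> -n <queue> -t queue -g <group> <authorities>`; the queue manager, group and execution group names are constructed sample values.

```python
"""Map WMB V7 administrative levels to MQ authorities on the SYSTEM.BROKER.AUTH queues.

Added example, not from the presentation or from IBM. Queue names and the
+inq=Read / +put=Write / +set=Execute mapping are taken from the slide. The queue
manager, group and execution group names below are constructed.
"""
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Slide's mapping of administrative level -> MQ queue authority (dict order = output order)
LEVEL_TO_AUTHORITY = {"read": "+inq", "write": "+put", "execute": "+set"}
_EG_NAME = re.compile(r"^[A-Za-z0-9_.]+$")  # keep execution group names shell- and MQ-safe


def auth_queue(egname: Optional[str] = None) -> str:
    """Broker-level queue when egname is None, else the execution group's own queue."""
    if egname is None:
        return "SYSTEM.BROKER.AUTH"
    if not _EG_NAME.match(egname):
        raise ValueError(f"unexpected execution group name: {egname!r}")
    return f"SYSTEM.BROKER.AUTH.{egname}"


def authorities_for(levels: Iterable[str]) -> List[str]:
    """Translate Read/Write/Execute levels into de-duplicated MQ authority flags."""
    wanted = {level.strip().lower() for level in levels}
    unknown = wanted - set(LEVEL_TO_AUTHORITY)
    if unknown:
        raise ValueError(f"unknown administrative level(s): {sorted(unknown)}")
    return [flag for level, flag in LEVEL_TO_AUTHORITY.items() if level in wanted]


def setmqaut_command(qmgr: str, group: str, levels: Iterable[str],
                     egname: Optional[str] = None) -> str:
    """One setmqaut invocation granting exactly the requested levels on one queue."""
    parts = ["setmqaut", "-m", qmgr, "-n", auth_queue(egname), "-t", "queue", "-g", group]
    return " ".join(parts + authorities_for(levels))


def grant_plan(qmgr: str, grants: Sequence[Tuple[str, Optional[str], Sequence[str]]]) -> List[str]:
    """grants: (group, egname or None for the broker object, levels). Returns the commands."""
    return [setmqaut_command(qmgr, group, levels, egname) for group, egname, levels in grants]


def levels_from_authorities(authorities: str) -> List[str]:
    """Audit helper: which administrative levels an authority list such as
    '+inq +put +get' implies. Flags outside the slide's mapping (e.g. +get) grant
    no administrative level and are ignored."""
    granted = set(authorities.split())
    return [level for level, flag in LEVEL_TO_AUTHORITY.items() if flag in granted]


if __name__ == "__main__":
    # Constructed sample: operators may read the broker and start/stop one execution group
    for cmd in grant_plan("WMB7QM", [("wmbops", None, ["read"]),
                                     ("wmbops", "default", ["read", "execute"])]):
        print(cmd)
```

Because each command lists exactly the flags the level needs, a review of `dspmqaut` output against `levels_from_authorities` shows immediately when a group holds write or execute on an execution group queue that it was only meant to read.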
Security Exits / Channel security
(Diagram labels: Message Broker Toolkit, Message Broker Explorer)
Notes: Security Exits
• Used to verify that the partner at the other end is genuine
• Use MQ security exits to secure access to the Broker from the WebSphere Message Broker Toolkit, WebSphere Message Broker Explorer or client programs
• You can enable a security exit at each end of the connection between your client session and the Broker:
  • Set up a security exit on the channel at the Broker end. This security exit has no special requirements; you can provide a standard security exit.
  • Set up a security exit in the WebSphere Message Broker Toolkit or WebSphere Message Broker Explorer. Identify the security exit properties when you connect to the broker.
• The security exit is a standard WebSphere MQ security exit, written in Java™.
• See http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap12500_.htm and http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap12510_.htm for more details
Notes: Channel security
• Secure the server conn channel used to connect the WebSphere Message Broker Toolkit, WebSphere Message Broker Explorer or client programs to the Message Broker
• Keystores and truststores specified when you configure the connection
• Passwords prompted for when you initiate the connection
• Same design as used with MQ Explorer to connect to Queue Managers
• See http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap12232_.htm for more details.
Runtime Security
• Who is authorized to submit a message to a message flow
  • Delegated to the transport
  • Can be offloaded to DataPower appliance
• What resources can be accessed by that message flow
  • Transport Security – SSL
  • Database Security
SSL (Secure Sockets Layer)
• Transport layer protocol for data encryption
• Protocol based on SSL Certificate enables encryption of sensitive information during online transactions
• Each SSL Certificate contains unique, authenticated information about the certificate owner
• A Certificate Authority verifies the identity of the certificate owner when it is issued
• Each certificate consists of a public key and a private key
  • Public key is used to encrypt information
  • Private key is used to decipher it
• A certificate owner keeps its private key and the public key is distributed
• An SSL handshake authenticates the server and the client
• An encryption method is established with a unique session key and secure transmission can begin
SSL (Secure Sockets Layer)
• Inbuilt SSL Support in multiple Broker nodes
  • HTTP/SOAP Nodes (HTTPS connections)
  • CICSRequest
  • IMSRequest
  • Also JMS Nodes with compliant provider
• Hierarchical configuration for keystores and truststores
• Java JKS keystore format supported
• Support for Server auth and Client auth
  • Server auth
    • The client trusts the server
    • Server's public cert is in the client's truststore
  • Client auth
    • Builds on server auth and the server also trusts the client
    • Client's public cert is in the server's truststore
Notes: SSL (Secure Sockets Layer)
• Example SSL configuration for the HTTP listener
  • Create a key store to hold the broker's certificates using keytool
  • Configure the broker to use SSL on a particular port
    • Turn on SSL support in message broker, by setting a value for enableSSLConnector
      mqsichangeproperties <broker name> -b httplistener -o HTTPListener -n enableSSLConnector -v true
    • Choose the keystore file to be used, by setting a value for keystoreFile
      mqsichangeproperties <broker name> -b httplistener -o HTTPSConnector -n keystoreFile -v <fully qualified file path to keystore file>
    • Specify the password for the keystore file, by setting a value for keystorePass
      mqsichangeproperties <broker name> -b httplistener -o HTTPSConnector -n keystorePass -v <password for keystore>
    • Specify the port on which WebSphere Message Broker should listen for HTTPS requests
      mqsichangeproperties <broker name> -b httplistener -o HTTPSConnector -n port -v <Port to listen on for https>
  • Configure the message flow to process HTTPS requests
    • Specify Path Suffix for HTTPInput node
    • Select Use HTTPS box on the HTTPInput node
• More details on implementing SSL authentication can be found here: http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap12230_.htm
Database Security - Broker database removal
• At WMB v7 the Broker no longer uses a system database
  • Configuration is now stored exclusively on the filesystem
  • WMB does not ship with a database product
  • User database access unaffected
• Additionally, the Windows registry is no longer used to hold configuration information
• New mqsibackupbroker and mqsirestorebroker commands to backup and restore (for DR)
• Migration will copy any system database and registry configuration to the filesystem
Database security - UserIds
• Database UserID and Password
  • No longer used on mqsicreatebroker – flags ignored
  • Use mqsisetdbparms to control default ODBC and JDBC access control
  • Any v6.x defaults are migrated
• Service UserID and Password
  • No longer used on non-Windows platforms
  • Still required on Windows, but can now specify LocalSystem
  • The userid that starts the broker no longer requires mqm authority
Message Flow Security
• Default security means transport defaults are in effect
  • Broker service identity will be used as proxy id for all messages
• Security manager enables end-to-end security processing
  • Uses identity in the message – security on a per message basis at runtime
    • Identity authentication
    • Identity mapping
    • Identity authorization (policy enforcement)
    • Identity propagation
  • Data format and transport independent
  • Configurable by administrator
    • Using 'security profiles'
  • Able to exploit centralized security provider
    • LDAP for authentication and authorization
    • IBM Tivoli Federated Identity Manager (TFIM) for authentication, authorization and mapping
    • WS-Trust v1.3 compliant security token server (STS)
Security Manager Overview
(Diagram labels: Input Msg, Policy Enforcement Point (MQ, HTTP(S), SOAP, SCA), Security Profile, Message Broker, Security Manager, Security Cache, Authentication, Authorization, Mapping, Security Context Properties tree - Source - Mapped, Policy Decision/Definition Point (PDP): WS-Trust v1.3 STS, LDAP, …TFIM v6.1; token types Username/pwd, X.509, Kerberos, LTPA, SAML, Universal WSSE; Output Msg (MQ, HTTP(S), SOAP, SCA), Security Profile)
Notes: Security Manager overview #1
• The first step in configuring the security manager is to create a security profile. This is done using either
  • Message Broker Explorer
  • mqsicreateconfigurableservice command
  This enables the administrator to define any of three possible security operations and provide the required configuration to define the external security policy decision point that will be invoked
• The next step is to associate the security profile with a node to enforce the security, the Policy Enforcement Point, either an input node or a SecurityPEP node. This is done using the BAR file Editor.
• The flow developer may need to specify the type and location of the security tokens in the message on the Input or SecurityPEP node using XPaths or ESQL expressions, or for SOAP nodes a Policy Set and Binding will define the token types
• At runtime the security manager extracts the identity information from the input message and sets it in a group of Source Identity elements in the Properties folder.
• If authentication was specified in the security profile, the security manager calls the provider to authenticate the identity. A failure results in a SecurityException being thrown.
Notes: Security Manager overview #2
• If identity mapping was specified in the security profile, the security manager calls the provider to map. A failure results in a SecurityException being thrown. Otherwise the 'mapped' identity is set in Mapped Identity elements in the Properties folder.
• If authorization was specified in the security profile, the security manager calls the provider to authorize that the identity has access to this message flow. A failure results in a SecurityException being thrown.
• Note if the Security provider is a Security Token Server then all operations are performed in a single invocation
• The message, including the Properties folder and its source and mapped identity information, is propagated down the flow.
• When the message reaches an output node, a security profile can be used to indicate the identity is to be propagated in the message. The mapped identity is used, or if that is not set, the source identity is used. If no identity is set a SecurityException is thrown.
• To improve performance, authentication, authorization and mapping information from the providers is cached for re-use. The operation of the cache is automatic, but it can be tuned if needed using the mqsichangeproperties and mqsireloadsecurity commands.
• More details on message flow security can be found here: http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap04090_.htm
Creating security profiles using the editor
• Security profiles are configured in MBX
• Right clicking on your broker and selecting 'Properties' will open the Broker properties pane.
• From there select 'Security Profiles' in the 'Security' tab to open the Security Profiles editor.
• You can also load the 'Policy Sets' editor from here.
Creating security profiles using the editor
(Screenshot callouts: Configuration strings built automatically from properties; Create and delete profiles; External PDP configuration properties; Clicking Finish sends the updates to the broker)
Security profiles
• A security profile contains the following settings
  • authentication = {NONE, LDAP, WS-Trust v1.3 STS, …}
  • authenticationConfig = …
  • mapping = {NONE, WS-Trust v1.3 STS, …}
  • mappingConfig = …
  • authorization = {NONE, LDAP, WS-Trust v1.3 STS, …}
  • authorizationConfig = …
  • passwordValue = {PLAIN, MASK, OBFUSCATE}
  • propagation = {TRUE, FALSE}
(Callouts: Policy enforcement on behalf of Configured Policy Decision Point; passwordValue – in properties tree; Propagation – Input node, just extract the tokens; Output/Request nodes, forward the token)
Notes: Security profiles
• A security profile consists of two kinds of information:
  • Policy enforcement (PEP) information. Whether to authenticate, authorize or map an identity along with the provider to use and associated configuration string
  • Propagation information. Whether to propagate the identity with an output message.
• Security profiles may be created, deleted, viewed and edited using a security profile editor, part of the broker toolkit administration perspective. This assists with the building of the sometimes complex configuration strings needed by the providers. Clicking on the Finish button of the editor sends the updates direct to the broker. Security profiles are not deployed in the .bar file.
• Alternatively security profiles may be created, deleted, viewed and edited using the broker mqsicreateconfigurableservice, mqsideleteconfigurableservice, mqsichangeproperties and mqsireportproperties commands, or their CMP API equivalent.
• Further details and information on security profiles and their configuration can be found here: http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/ap04070_.htm
Creating security profiles using commands
• To create a new security profile
  • mqsicreateconfigurableservice <broker> -c SecurityProfiles -o <profile-name> -n <property-name-list> -v <property-value-list>
• To delete a security profile
  • mqsideleteconfigurableservice <broker> -c SecurityProfiles -o <profile-name>
• To change the values in a security profile
  • mqsichangeproperties <broker> -c SecurityProfiles -o <profile-name> -n <property-name-list> -v <property-value-list>
• To report the values in a security profile
  • mqsireportproperties <broker> -c SecurityProfiles -o <profile-name> -r
  • mqsireportproperties <broker> -c SecurityProfiles -o AllReportableEntityNames -r
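The profile created with the commands above drives the runtime sequence described in the Security Manager overview notes. The following added Python example (not code from the presentation or from IBM) models that sequence end to end: it parses the -n/-v property lists into a security profile using the property names and allowed values from the 'Security profiles' slide, runs authenticate, map and authorize against stand-in providers, fills the Source and Mapped identity fields of the Properties folder, applies the output-node rule (mapped identity preferred over source, SecurityException when neither is set) and models the input node's 'Treat security exceptions as normal' property described later on the page. The LDAP and STS stand-ins, their user and group tables, the flow name and all identities are constructed, and authorizing the mapped identity when one exists is an assumption of this model rather than something the slides state.

```python
"""Model of the security manager flow from the notes above. Added example, not
IBM's code: the profile keys and values are the slide's, the runtime order is the
notes', and the providers, tables, flow name and identities are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

PDP = {"NONE", "LDAP", "WS-Trust v1.3 STS"}
DEFAULTS = {"authentication": "NONE", "authenticationConfig": "", "mapping": "NONE",
            "mappingConfig": "", "authorization": "NONE", "authorizationConfig": "",
            "passwordValue": "PLAIN", "propagation": "FALSE"}
ALLOWED = {"authentication": PDP, "authorization": PDP, "mapping": {"NONE", "WS-Trust v1.3 STS"},
           "passwordValue": {"PLAIN", "MASK", "OBFUSCATE"}, "propagation": {"TRUE", "FALSE"}}

class SecurityException(Exception):
    """Authentication, mapping, authorization or propagation failure."""

def parse_profile(name_list: str, value_list: str) -> Dict[str, str]:
    """Build a profile from '-n a,b' / '-v x,y' lists; values are assumed comma-free
    (the LDAP notes on this page write commas inside config strings as %2c)."""
    names = [n.strip() for n in name_list.split(",")]
    values = [v.strip() for v in value_list.split(",")]
    if len(names) != len(values):
        raise ValueError("property name list and value list differ in length")
    profile = dict(DEFAULTS)
    for name, value in zip(names, values):
        if name not in profile:
            raise ValueError(f"unknown security profile property: {name}")
        if name in ALLOWED and value not in ALLOWED[name]:
            raise ValueError(f"{name}={value!r} must be one of {sorted(ALLOWED[name])}")
        profile[name] = value
    return profile

@dataclass
class Identity:  # Type/Token/Password/IssuedBy, held once for 'source' and once for 'mapped'
    type: str = "none"
    token: str = ""
    password: str = ""
    issued_by: str = ""

@dataclass
class Properties:  # the identity part of the Properties folder
    source: Identity = field(default_factory=Identity)
    mapped: Identity = field(default_factory=Identity)

class StandInLdap:  # constructed LDAP PDP: user table plus per-flow group membership
    def __init__(self, users: Dict[str, str], flow_members: Dict[str, set]):
        self.users, self.flow_members = users, flow_members

    def authenticate(self, ident: Identity) -> bool:
        return ident.type == "usernameAndPassword" and self.users.get(ident.token) == ident.password

    def authorize(self, ident: Identity, flow: str) -> bool:
        return ident.token in self.flow_members.get(flow, set())

class StandInSts:  # constructed WS-Trust STS that only maps usernames
    def __init__(self, mapping: Dict[str, str]):
        self.mapping = mapping

    def map(self, ident: Identity) -> Optional[Identity]:
        target = self.mapping.get(ident.token)
        return Identity("username", target, "", "STS") if target else None

class SecurityManager:
    def __init__(self, providers: Dict[str, object]):
        self.providers = providers  # provider name as written in the profile -> PDP object

    def enforce(self, profile: Dict[str, str], props: Properties, flow: str) -> Properties:
        """Authenticate -> map -> authorize as the profile directs; raise on any failure."""
        src = props.source
        if profile["authentication"] != "NONE":
            if not self.providers[profile["authentication"]].authenticate(src):
                raise SecurityException(f"authentication failed for {src.token!r}")
        if profile["mapping"] != "NONE":
            mapped = self.providers[profile["mapping"]].map(src)
            if mapped is None:
                raise SecurityException(f"mapping failed for {src.token!r}")
            props.mapped = mapped
        if profile["authorization"] != "NONE":
            ident = props.mapped if props.mapped.type != "none" else src  # assumption, see lead-in
            if not self.providers[profile["authorization"]].authorize(ident, flow):
                raise SecurityException(f"{ident.token!r} not authorized for {flow}")
        return props

def identity_to_propagate(profile: Dict[str, str], props: Properties) -> Optional[Identity]:
    """Output-node rule: mapped if set, else source; neither set is a SecurityException."""
    if profile["propagation"] != "TRUE":
        return None
    for ident in (props.mapped, props.source):
        if ident.type != "none":
            return ident
    raise SecurityException("no identity to propagate")

def input_node(manager: SecurityManager, profile: Dict[str, str], props: Properties,
               flow: str, treat_exceptions_as_normal: bool = False) -> str:
    """'out' on success; 'failure' when 'Treat security exceptions as normal' is checked,
    otherwise the exception is re-raised and the transport-defined rejection applies."""
    try:
        manager.enforce(profile, props, flow)
        return "out"
    except SecurityException:
        if treat_exceptions_as_normal:
            return "failure"
        raise
```

The flow name is written in the `<broker>.<execution group>.<flow>` form that the TFIM notes later on the page use for chain selection, so the stand-in group table is keyed the same way a real per-flow authorization would be.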
Associating security profiles with flows
PEP Enabled Input node operation summary
(Diagram labels: Input Msg, Policy Enforcement Point, Security Profile A1 --- Map --- A2 ---, Security Manager, Cache, Security Context Properties - Source - Mapped, Authentication, Mapping, Authorization, Message Broker, Policy Decision/Definition Point PDP)
• With a Security Profile associated MQ, HTTP, SCA Input nodes extract tokens,
  • Transport Default, MQ UserID, HTTP BasicAuth
  • Configured Xpath/ESQL locations for username, usernameAndPassword, X.509, SAML
• SOAP nodes with a Security Profile associated extract the WS-Security token according to the Username, SAML or LTPA Policy Set and Bindings set. (Can use Transport Default if no policy)
• Security Manager enforces security operations defined in Security Profile
  • Invoke external PDP or retrieve cached decision
• Security Manager returns decision to input node
  • Success, propagate with Security context
  • Failure
    • Transport defined rejection of input message
    • Optional "Treat Security Exceptions as normal"
Notes: MQ, HTTP, SOAP nodes
• The security manager means that an input node can act as a Policy Enforcement point (PEP).
• The default locations from where to obtain the token, password and issuedBy information are transport dependent and are shown on the slides. To override the default locations, use the node location properties to specify an ESQL path or XPath to the actual location in the message header or body
• The behaviour when handling a SecurityException is transport dependent and is shown on the slides
• Note that the use of an HTTPInput node with username and password from the HTTP Authentication header and a suitable profile is equivalent to "HTTP BasicAuth" functionality
• The SOAP nodes behave in two different ways depending on whether the WS-Security protocol is being used by the message.
PEP Enabled MQ / SCA / HTTP Input node operation
• Security Properties Page allows for configuration of
  • Token type
    • Transport Default (HTTP Basic-Auth, MQ User)
    • Username, Username + Password, SAML Assertion, X.509 Certificate
  • Xpath/ESQL Token location of supported token type, use ‘ ’ to set a literal value
  • Treat security exceptions as normal, causes negative security decision to propagate to failure terminal rather than inbuilt transport rejection
Notes: Node properties
• Security properties are carried on two kinds of node, input nodes and output/request nodes.
• For input nodes, whether runtime security is configured for the node is determined by the Security profile property. If no security profile is specified then security is not configured. Otherwise it is the security profile that says which combination of authentication, authorization and mapping is to be performed with the identity in the message.
• The Identity token type property specifies how the identity appears in the message. It can be one of Username, Username + Password, SAML Assertion, or X.509 Certificate.
• The default location in the message of the token, password and issuer is transport dependent. However the location may be overridden using the Identity token location, Identity password location and Identity issuedBy location properties.
• If a SecurityException is thrown as a result of an authentication, authorization or mapping failure, the default behaviour is that it can not be caught by exception handlers, such as wired Catch terminals. Instead the exception is always returned to the input node, where the behaviour is transport dependent. This can be overridden by the Treat Security exceptions as normal exceptions property, which if checked allows security failures to be handled using the usual exception handlers.
• Note that the Identity fields in the Properties folder are only set if a security profile is present for the input node.
• For output/request nodes, whether the identity is propagated with the outbound message is determined by the security profile given by the Security profile property. A pre-configured profile for use by output/request nodes is shipped with the broker which specifies propagation.
• Note that the Security profile property is 'hidden' but 'configurable', meaning that it can only be set in the broker archive (bar) file at deploy time by an administrator. It is not visible on the node itself. There is also a Security profile property on the message flow itself, which acts as a default for all nodes in the message flow that do not specify a security profile explicitly. When the flow-level property is set a node can still be configured to not have a profile (i.e. not use the flow-default value) by choosing "No Security" on it.
New SecurityPEP node operation summary (MB 7.0.0.1)
(Diagram labels: Policy Enforcement Point, Security Profile A1 --- Map --- A2 ---, Security Manager, Cache, Security Context Properties - Source - Mapped, Authentication, Mapping, Authorization, Message Broker, Policy Decision/Definition Point PDP)
• With a Security Profile associated SecurityPEP node can be configured to use
  • Current tokens in Security Context
  • Extract from Xpath/ESQL location, for username, usernameAndPassword, X.509, SAML, kerberosTicket, LTPA, universalWsse
• Security Manager enforces security operations defined in Security Profile
  • Invoke external PDP or retrieve cached decision
• Security Manager returns decision to SecurityPEP node
  • Success, propagate to out terminal with Security context updated
  • Failure, propagate to failure terminal with wrapped security exception
New SecurityPEP Node
Bas­ic Properties
• Use Current tokens or extract token using design time Xpath/ESQL locations
Advanced Properties
• Allow override for WS-Trust AppliesTo which a Security Token Server uses in policy decisions
• Use at any point in any flow to enforce security policy
Properties folder & Identities
(Diagram labels: Source identity, Mapped identity)
• Type contains
  • none, username, usernameAndPassword, X.509, SAML, kerberosTicket, LTPA, universalWsse
• Token contains
  • String: username
  • Base 64 string: X.509, kerberosTicket, LTPA
  • String serialization: SAML, universalWsse
• Password contains
  • String: password or RACF passticket, which might be plain, masked or obfuscated
• IssuedBy contains
  • String: where the token was created
• Mapped used in preference to Source
Notes: Properties folder & Identities
• An identity is a piece of information which can uniquely identify an individual or object. Within the Broker identity is held in the Properties folder of the broker message tree.
• There are eight fields in the Properties folder, between them defining two identities; 'source' and 'mapped'. For each of these identities, Type, Token, Password and IssuedBy fields are held.
  • The Type field defines the format of the Token
  • The Token field holds the actual token data
    • In the case of a Username + Password token the Password field will additionally contain the associated password. This could equally be a RACF Pass Ticket. The value might be masked or obfuscated
  • The IssuedBy field defines where the Token was created.
• The values in the Properties are writeable, for example from ESQL
LDAP support
• Requires either
  • IBM Tivoli Directory Server
  • OpenLDAP
  • Microsoft Active Directory
• If anonymous login not permitted
  • mqsisetdbparms –n ldap::LDAP –u <username> –p <password>
  • mqsisetdbparms –n ldap::<servername> –u <username> –p <password>
• Supported token types
  • Username
  • Username + Password
• Use of security profile editor recommended
Notes: LDAP support
• Requires either IBM Tivoli Directory Server or OpenLDAP or Microsoft Active Directory.
• If your LDAP server does not permit anonymous login, you need to use the mqsisetdbparms command to set up the username (fully qualified) and password to be used.
• LDAP support is for token types of Username and Username + Password.
• Building LDAP configuration strings is quite complicated. If you are using commands, there are three cases. The syntax is shown for each along with real examples from IBM Blue Pages.
  • Authentication only
    • Syntax: ldap[s]://server[:port]/baseDN[ ? [ uid_attr ] [ ? [ base | sub ] ] ]
    • Example: ldaps://bluepages.ibm.com:999/ou=bluepages.ibm.com?emailaddress
  • Authentication & Authorization
    • Syntax authn: As above
    • Syntax authz: ldap[s]://server[:port]/groupDN [ ? member_attr ]
    • Example authz: ldaps://bluepages.ibm.com:999/cn=HURLAB MQESB-JHRPT,ou=memberlist,ou=ibmgroups,o=ibm.com?uniquemember
  • Authorization only
    • Syntax: ldap[s]://server[:port]/groupDN [ ? [ member_attr ] [ ? [ base | sub ] [ ? [ x-userBaseDN=baseDN,x-uid_attr=uid_attr ] ] ] ]
    • Example: ldaps://bluepages.ibm.com:999/cn=HURLAB MQESB-JHRPT,ou=memberlist,ou=ibmgroups,o=ibm.com???x-userBaseDN=ou=bluepages%2co=ibm.com, x-uid_attr=emailaddress
• Note that any commas within baseDN and uid attribute need to be replaced with "%2c".
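The three configuration-string forms above are easy to get wrong by hand, particularly the rule that commas in baseDN and uid_attr become %2c while commas in the group DN stay literal. The following added Python example (not from the presentation or from IBM) builds each form from its parts and parses a string back into fields, so an authenticationConfig or authorizationConfig value can be checked before it is set with mqsicreateconfigurableservice. The slide's Blue Pages strings are used as test inputs; the ldap.example.test server and its DNs are constructed.

```python
"""Builder and parser for the three LDAP configuration-string forms in the notes
above. Added example, not IBM's code: the syntax and the %2c comma rule are the
slide's; the example.test server and DNs used in the tests are constructed."""
from dataclasses import dataclass
from typing import List, Optional

SCOPES = {"base", "sub"}


def _encode(value: str) -> str:
    """Commas inside baseDN and uid_attr are written as %2c (the slide's rule)."""
    return value.replace(",", "%2c")


def _decode(value: str) -> str:
    return value.replace("%2c", ",").replace("%2C", ",")


def _check_scope(scope: Optional[str]) -> None:
    if scope is not None and scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}, got {scope!r}")


def _join(server: str, port: Optional[int], secure: bool, parts: List[str]) -> str:
    """Assemble scheme://server[:port]/part?part?..., dropping trailing empty parts."""
    while len(parts) > 1 and parts[-1] == "":
        parts.pop()
    host = f"{'ldaps' if secure else 'ldap'}://{server}" + (f":{port}" if port is not None else "")
    return host + "/" + "?".join(parts)


def authn_config(server: str, base_dn: str, uid_attr: Optional[str] = None,
                 scope: Optional[str] = None, port: Optional[int] = None, secure: bool = True) -> str:
    """Authentication: ldap[s]://server[:port]/baseDN[ ? [ uid_attr ] [ ? [ base | sub ] ] ]"""
    _check_scope(scope)
    return _join(server, port, secure, [_encode(base_dn), _encode(uid_attr or ""), scope or ""])


def authz_config(server: str, group_dn: str, member_attr: Optional[str] = None,
                 scope: Optional[str] = None, user_base_dn: Optional[str] = None,
                 uid_attr: Optional[str] = None, port: Optional[int] = None, secure: bool = True) -> str:
    """Authorization: ldap[s]://server[:port]/groupDN [ ? [ member_attr ] [ ? [ base | sub ]
    [ ? [ x-userBaseDN=baseDN,x-uid_attr=uid_attr ] ] ] ]. Commas in groupDN stay literal;
    only the x-userBaseDN and x-uid_attr values (authorization-only case) are %2c-encoded."""
    _check_scope(scope)
    ext = [f"x-userBaseDN={_encode(user_base_dn)}" if user_base_dn else "",
           f"x-uid_attr={_encode(uid_attr)}" if uid_attr else ""]
    return _join(server, port, secure,
                 [group_dn, member_attr or "", scope or "", ",".join(filter(None, ext))])


@dataclass
class LdapConfig:
    secure: bool
    server: str
    port: Optional[int]
    dn: str                      # baseDN (authentication) or groupDN (authorization)
    attr: Optional[str]          # uid_attr or member_attr
    scope: Optional[str]
    user_base_dn: Optional[str]  # authorization-only extension
    uid_attr: Optional[str]


def parse_config(config: str) -> LdapConfig:
    """Split a configuration string back into its fields, decoding %2c, for review."""
    scheme, sep, rest = config.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("configuration string must start with ldap:// or ldaps://")
    hostport, _, path = rest.partition("/")
    server, _, port = hostport.partition(":")
    if not server or not path:
        raise ValueError("server and DN are required")
    fields = path.split("?")
    if len(fields) > 4:
        raise ValueError("too many '?' separators")
    dn, attr, scope, ext = [f.strip() for f in (fields + [""] * 3)[:4]]
    _check_scope(scope or None)
    user_base_dn = uid_attr = None
    for item in filter(None, (s.strip() for s in ext.split(","))):
        name, _, value = item.partition("=")
        if name == "x-userBaseDN":
            user_base_dn = _decode(value)
        elif name == "x-uid_attr":
            uid_attr = _decode(value)
        else:
            raise ValueError(f"unknown extension {name!r}")
    return LdapConfig(scheme == "ldaps", server, int(port) if port else None, _decode(dn),
                      _decode(attr) or None, scope or None, user_base_dn, uid_attr)
```

Running a candidate string through `parse_config` before committing it is a cheap check that the user base DN survived %2c encoding intact and that the search scope is one of the two values the syntax allows; the parser accepts the space after the comma in the slide's authorization-only example, while the builder emits the form without it.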
TFIM support
• TFIM 6.1 required
• Create TFIM custom Trust Service module chains
  • Authenticate, authorize, map as necessary
  • Chain selected by IssuedBy value and message flow name
• Supported token types
  • Username
  • Username + Password
  • X.509 Certificate
• Supported identity mappings
  • Username to Username
  • X.509 Certificate to Username
Notes: TFIM support
• TFIM 6.1 is required.
• It is the responsibility of the user to customize TFIM to perform the required action against the identity. This is performed using Trust Service module chains to authenticate or authorize or map the identity.
• The chain to use is determined by a combination of the source identity issuedBy value and the name of the message flow, expressed as <broker-name>.<exec-grp-name>.<msg-flow-name>.
• TFIM support is for token types of Username, Username + Password and X.509 Certificate.
• As far as identity mapping is concerned, it is possible to map a username to another username, and an X.509 certificate to a username. But it is not possible to map a username to an X.509 certificate (TFIM does not issue X.509 certificates).
• When mapping from an X.509 certificate, TFIM can validate the certificate, but can not be used to verify the identity of the original sender. This would have to be done elsewhere, for example, using WS-Security support for digital signatures using a SOAPInput node.
WS-Trust v1.3 Security Token Server
• Requires any WS-Trust v1.3 compliant provider
  • TFIM 6.2 supported and tested
• Supported operations
  • Identity Authentication or token Validation
  • Identity Mapping or token Issuance/Exchange
  • Authorization
• Supported token types - all
  • Username + Password, SAML, Kerberos, LTPA, RACF PassTicket, X509
  • Universal WSSE .. Any token that can be put in a WSSE header subtree
• Securing the STS connection
  • SSL and/or Basic-Auth
WS-Security
• Message based security
• Fine granularity
  • Parts of the message may be encrypted in different ways with different keys
  • Parts of a message may be (multiply) encrypted and signed
  • On a need to know basis
• WS-Security can be used in insecure transports
• SOAP nodes support WS-Security
  • Configured using policy sets and bindings
WS-Security
• Key areas covered for WS-Security
  • Authentication (Tokens)
  • Message Part Protection
    • XML Signature (Signed)
      • To ensure data integrity
      • Message can be read but not changed without detection
    • XML Encryption (Encrypted)
      • To ensure confidentiality
      • Message can not be read or changed
Notes: PEP Enabled SOAPInput node operation
(Diagram labels, SOAPInput node operation summary: SOAP Msg, Policy Set and Bindings - Username - LTPA pass through - SAML pass through, Security Profile A1 --- Map --- A2 ---, Security Manager, Cache, A1/Map/A2, Message Broker, Policy Decision/Definition Point PDP, Policy Set and Bindings - Kerberos - X.509, JVM Kerberos krb5.ini krb5.keytab, Keystore, Truststore, SOAP Msg)
• Policy Set and Bindings configures the token profile which specifies what security tokens must be present in the SOAP headers
• Security Profile only used when the token is processed by the Security Manager
• Policy set and Bindings define the WS-Security profile token binding
• Security processing is either
  • External Security Policy Decision Point
    • Username and password LDAP or WS-Trust v1.3 STS
    • SAML / LTPA pass through WS-Trust v1.3 STS
    • Security profile defines the policy decision for any or all of authentication, mapping and/or authorization which are delegated to specified provider via security manager
  • Kerberos .. Direct to Key Distribution Centre via JVM
    • Can propagate the service principal, but not the ticket
  • X.509
    • To Broker Key and Trust stores
• If no Policy set and Bindings, default pick up HTTP Basic-Auth header
• Security rejection always handled through SOAP Fault response to client
Demo / Sample
Summary
• Multiple aspects to Message Broker Security
  • Administration security
    • Security Exits
    • Channel Security
  • Runtime security
    • Transport security - SSL
    • Database Security
  • Message flow security
    • Security Manager
    • Identity propagation
    • WS-Security
• New PEP node in v7 FP1 significantly enhances Message Flow security options
Copyright and Trademarks
© IBM Corporation 2010. All rights reserved. IBM, the IBM logo, ibm.com and the globe design are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.