When security is enabled, the InfoSphere MDM Server application client must authenticate itself to the application server in order to access InfoSphere MDM Server. The InfoSphere MDM application client is responsible for utilizing the right authentication mechanism to log into the application server and to access InfoSphere MDM Server.
This article assumes an understanding of the following topics:
- WebSphere® Application Server security (see the WebSphere Security Handbook for details)
- Java Authentication and Authorization Service (JAAS) login modules and callback handlers
- Web services security
The InfoSphere MDM Server supports multiple application clients, including the Web application client, the Java application thin client, the J2EE application client, and the Applet application client. The Web application client and the Java application thin client are the most commonly used. This article provides a set of samples that show how to configure and implement different InfoSphere MDM Server clients. Each topic briefly highlights the most useful aspects of configuring and implementing your own application client, and provides instructions on how to install and run the sample.
A Java application thin client has to use the CSIv2/SAS protocol to access a secured InfoSphere MDM Server on WebSphere Application Server. One option is to use the SAS client that WebSphere Application Server provides: configure the SAS client properties file and pass its location to the client JVM through the CORBA ConfigURL argument. For more information about Java application client authentication in WebSphere, see the WebSphere Security Handbook.
How to configure authentication
Edit the following properties in sas.client.props to configure the authentication:
Listing 1. Authentication properties
```properties
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
. . .
com.ibm.CORBA.loginTimeout=300
com.ibm.CORBA.loginSource=prompt
# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=SampleUser
com.ibm.CORBA.loginPassword=aPassword
```
When running the Java application thin client, add one JVM argument that points com.ibm.CORBA.ConfigURL at the SAS client properties file, for example:

```shell
java -Dcom.ibm.CORBA.ConfigURL=file:properties/sas.client.props JavaClient
```
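As an added example (not from the article or from WebSphere), the following Python reads a sas.client.props file and reports the settings that matter when reviewing a thin client's authentication configuration: where the password comes from (loginSource=prompt versus a password stored in the file) and whether BasicAuth credentials are validated at login. The SAMPLE file is constructed from Listing 1 with loginSource switched to properties; only explicitly set keys are judged, no WebSphere defaults are assumed.

```python
# Added example (not from the article or from WebSphere): parse a
# sas.client.props file and point out the settings that matter for review.
import re

def parse_java_properties(text):
    """Minimal Java .properties reader: '#' or '!' comments, '=' / ':' /
    whitespace as separator, and backslash line continuation."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical += line
        if logical.endswith("\\"):          # value continues on the next line
            logical = logical[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2)
        logical = ""
    return props

def review_sas_client_props(text):
    """Return (loginSource, findings). Only explicitly set values are judged;
    no WebSphere defaults are assumed."""
    p = parse_java_properties(text)
    source = p.get("com.ibm.CORBA.loginSource")
    findings = []
    if source == "properties" and p.get("com.ibm.CORBA.loginPassword"):
        findings.append("password for %s stored in the file: protect it like a key file"
                        % p.get("com.ibm.CORBA.loginUserid", "?"))
    if p.get("com.ibm.CORBA.validateBasicAuth") == "false":
        findings.append("validateBasicAuth=false: password is not validated until the first request")
    return source, findings

# Constructed sample modelled on Listing 1 (loginSource switched to 'properties').
SAMPLE = """\
# RMI/IIOP authentication
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.validateBasicAuth=true
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginUserid=SampleUser
com.ibm.CORBA.loginPassword=aPassword
"""
```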
Sample code
Create a Java application client to access InfoSphere MDM Server services using the following code:
Listing 2. Authentication code
```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
// DWLServiceControllerHome and DWLServiceController come from the MDM Server client jar.

// CORBA_URL (for example iiop://localhost:2809), contextFactory, EJB_HOME_JNDI_NAME
// and SAMPLE_REQUEST are fields of the sample client class.
Hashtable ctxParams = new Hashtable(1);
ctxParams.put(Context.PROVIDER_URL, this.CORBA_URL);
ctxParams.put(Context.INITIAL_CONTEXT_FACTORY, this.contextFactory);
. . .
// With security enabled, the SAS client performs the CSIv2 login on the first
// secured request, using the settings in sas.client.props (Listing 1).
InitialContext ctx = new InitialContext(ctxParams);
Object obj = ctx.lookup(EJB_HOME_JNDI_NAME);
DWLServiceControllerHome theDWLServiceControllerHome = (DWLServiceControllerHome)
        PortableRemoteObject.narrow(obj, DWLServiceControllerHome.class);
DWLServiceController aDWLServiceController = theDWLServiceControllerHome.create();
String response = (String) aDWLServiceController.processRequest(getTCRMContext(), SAMPLE_REQUEST);
```
How to run the sample
Download and unzip the sample JavaClient.zip. Open the batch file JavaClientSecurityEnabled.bat and set the values of SERVER_URL, CLIENT_DIR and WAS_DIR to the following:
- SERVER_URL to the server bootstrap IIOP address, such as iiop://localhost:2809
- CLIENT_DIR to the thin client location, such as CLIENT_DIR=C:\JavaClient
- WAS_DIR to the WebSphere Application Server 6.1 home directory, such as WAS_DIR=C:\IBM\SDP70\runtimes\base_v61
Run the script JavaClientSecurityEnabled.bat.
If the InfoSphere MDM Server is secured, a logon form prompts for the user name and password.
Figure 1. Logon form

Enter the user name and password; the security credentials are passed to the server with the request. After the request is processed, the response is displayed.
Figure 2. MDM Server response message

When using SSL to secure the transport channel, configure both sas.client.props and ssl.client.props. For more information about configuring SSL for an RMI/IIOP thin client, see the ssl.client.props configuration file section in the WebSphere Application Server Information Center.
Web services application client
The MDM Server Web services support message-level security, through which authentication, integrity, and confidentiality are applied. Message-level security over SSL allows security to be implemented end to end across multiple services, regardless of the transport-layer protocol. At the message level, security elements such as the security token, time stamp, signature, and encrypted key are inserted into the SOAP message header. When MDM Server receives the token, it extracts the user name and password and verifies them. If they are valid, the message is processed.
How to configure security
This section shows the scenario of configuring a user name token for a Web services Web client. The configuration steps are:
- Import MDM Server's Web service definition languages (WSDLs) and create the Web services Web client. For more information on generating the Web services proxy and using TCP/IP monitor, see the "Creating Web services Client" section of the WebSphere Application Server Information Center.
- Open the deployment descriptor in WS Extension, navigate to Request Generator Configuration > Security Token, and add a user name token, for example, an MDMToken.
Figure 3. Security token configuration
- Choose the token type as Username Token.
Figure 4. Security Token dialog
- On the WS binding tab, navigate to Security Request Generator Binding Configuration > Token Generator, and add a new token generator.
Figure 5. Token Generator configuration
- Check the Use value type check box, and select Username Token in the Value type field.
- When using a fixed user, choose com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler in the Callback handler field, and enter a user name and password that can log on to InfoSphere MDM Server in the User ID and Password fields.
Figure 6. Token Generator dialog
- When using a dynamic user, enter a custom callback handler name in the Callback handler field, such as com.ibm.mdm.ws.callbackhandler.UsernameHandler.
Figure 7. Token Generator dialog 2
Sample Code
The following code shows an implementation of the custom callback handler.
Listing 3. Custom callback handler
```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
// WebSphere-specific callback that carries the token generator's properties
import com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback;

public class UsernameHandler implements CallbackHandler {
    . . .
    // Called by the token generator; supplies the user name and password that
    // end up in the wsse:UsernameToken of the outgoing SOAP message.
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                NameCallback nameCallback = (NameCallback) callbacks[i];
                nameCallback.setName(getUsername());
            } else if (callbacks[i] instanceof PasswordCallback) {
                PasswordCallback pwdCallback = (PasswordCallback) callbacks[i];
                pwdCallback.setPassword(getPassword().toCharArray());
            } else if (callbacks[i] instanceof PropertyCallback) {
                // Get the property if necessary
            } else {
                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
            }
        }
    }
    . . .   // getUsername() and getPassword() return the current user's credentials
}
```
How to run the sample
Follow the steps to run the sample:
- Import MDMWSClient.ear into a workspace, and launch index.jsp, found in the MDMWSClientSample project.
Figure 8. Web services client sample
- Enter an MDM service endpoint in the MDM Web Services EndPoint field, such as http://localhost:9080/PartyWS_HTTPRouter/services/PartyPort.
- When using a dynamic user, enter the user name and password in the "user name" and "password" fields.
- Enter a party ID (a long integer) and a name in the Add Party Input Panel.
- Click Submit.
If the party is added, the party ID and name are displayed in Party Response panel. You can use the TCP/IP monitor to verify that the user name token is propagated with the SOAP message, as shown in Listing 4:
Listing 4. Sample SOAP message
```xml
<soapenv:Envelope
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        soapenv:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>sampleUserName</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">samplePassword</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    . . .
  </soapenv:Body>
</soapenv:Envelope>
```
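The same check the TCP/IP monitor step does by eye, as an added Python example (not part of the article or of MDM Server): it parses a captured envelope like Listing 4, pulls out the UsernameToken, and reports whether the password travels as PasswordText over an unprotected transport and whether the token carries a nonce and timestamp against replay. The CAPTURED envelope is constructed after Listing 4; whether the endpoint was HTTPS is supplied by the caller as over_ssl.

```python
# Added example (not from the article or from MDM Server): inspect a captured
# SOAP request for the WS-Security UsernameToken shown in Listing 4.
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def inspect_username_token(soap_xml):
    """Facts about the token a reviewer wants, or None if there is no token."""
    root = ET.fromstring(soap_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    token = sec.find("wsse:UsernameToken", NS) if sec is not None else None
    if token is None:
        return None
    pw = token.find("wsse:Password", NS)
    return {
        "username": token.findtext("wsse:Username", default="", namespaces=NS).strip(),
        # the profile's default Type is PasswordText when the attribute is absent
        "password_type": None if pw is None else pw.get("Type", PASSWORD_TEXT),
        "must_understand": sec.get("{%s}mustUnderstand" % NS["soapenv"]) == "1",
        "has_nonce": token.find("wsse:Nonce", NS) is not None,
        "has_timestamp": sec.find("wsu:Timestamp", NS) is not None,
    }

def assess(info, over_ssl):
    """PasswordText is a reusable clear-text credential unless the transport is
    protected; without nonce and timestamp the server cannot detect replay."""
    if info is None:
        return ["no UsernameToken: a secured MDM Server cannot authenticate the caller"]
    findings = []
    if info["password_type"] == PASSWORD_TEXT and not over_ssl:
        findings.append("clear-text password without SSL")
    if not (info["has_nonce"] and info["has_timestamp"]):
        findings.append("no nonce/timestamp: token can be replayed")
    return findings

# Constructed capture modelled on Listing 4 (body shortened).
CAPTURED = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken><wsse:Username>sampleUserName</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">samplePassword</wsse:Password>
</wsse:UsernameToken></wsse:Security></soapenv:Header>
<soapenv:Body><addParty/></soapenv:Body></soapenv:Envelope>"""
```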
Any use of InfoSphere MDM Server goes through an application client. This article showed two scenarios for implementing application clients that authenticate to a secured InfoSphere MDM Server, walking through the steps to configure and customize each client with sample code.
The InfoSphere MDM Server also ships application clients in its package, such as the Batch Processor (a Java application thin client) and the Administration and Data Stewardship applications (Web application clients). These applications work on either a secured or an unsecured InfoSphere MDM Server. To learn how to configure them to access a secured InfoSphere MDM Server, read the "InfoSphere MDM Server Installation Guide."
InfoSphere MDM Server runs on either WebSphere Application Server or a BEA WebLogic application server. Configuring and customizing application clients to authenticate to a secured InfoSphere MDM Server on a BEA WebLogic application server will be covered in subsequent articles.
| Description | Name | Size | Download method |
|---|---|---|---|
| Sample Java Client | JavaClient.zip | 43KB | HTTP |
| Sample Web Services Application Client | MDMWSClient.ear | 6.6MB | HTTP |
Learn
- "Understand IBM InfoSphere MDM Server Security, Part 1: Overview of Master Data Management Security" provides an overview of MDM Server's security features and how they work.
- "Understanding IBM InfoSphere MDM Server security, Part 3: Using LDAP to implement transaction authorization" provides an example showing how to implement a transaction authorization provider using an LDAP server.
- "Understanding IBM InfoSphere MDM Server Security, Part 4: Using SAML in MDM Server" provides an overview of identity propagation in MDM Server.
- "Understanding IBM InfoSphere MDM Server Security, Part 5: Integrating Master Data Management Server with Tivoli Federated Identity Manager" provides configuration instructions to extend identity propagation capabilities and facilitate client application development.
- "Creating Web services Client": read this section in the WebSphere Application Server Information Center.
- "ssl.client.props configuration file": this section of the WebSphere Application Server Information Center has more information about configuring SSL for an RMI/IIOP thin client.
- "Securing Web services applications using JAX-RPC at the message level": how standards and profiles address protecting messages exchanged in a Web services environment.
- "Authentication protocol settings for a client configuration": how to configure a Web services client for authentication, in the WebSphere Application Server Information Center.

Allan Luo is a software developer in the MDM Server development team. Currently, his responsibilities are to implement business and technical features for the party and product domains of the MDM Server. This work touches on a wide variety of areas including Web services, security, UI components, and the Internal testing tool. He is also interested in application server and algorithmic e-trading system implementations.

Gary Chen is a lead developer on the MDM Server development team. His focus is to design and lead the development of WCC, party domain, product domain, and configuration for the MDM Server. He has also mastered a wide variety of technologies such as security, XML/Web service, multi-thread, NIO network, and transaction management.