Understand IBM InfoSphere MDM Server security, Part 2: Introduction to authentication services

MDM Server 8 authentication illustrated using sample application clients

Learn how to configure and customize a client application authenticated to IBM® InfoSphere™ Master Data Management (MDM) Server through its authentication services, in Part 2 of this series. This article provides the detailed configuration and implementation for two scenarios: a Java™ application client and a Web service application client. Other articles in this series detail how to use and configure various other MDM Server security components to solve real-world business problems.


Allan Luo (allanluo@ca.ibm.com), Software Developer, IBM

Allan Luo is a software developer on the MDM Server development team. Currently, his responsibilities are to implement business and technical features for the party and product domains of the MDM Server. This work touches on a wide variety of areas including Web services, security, UI components, and the internal testing tool. He is also interested in application server and algorithmic e-trading system implementations.



Gary Chen (garychen@ca.ibm.com), Lead Developer, IBM

Gary Chen is a lead developer on the MDM Server development team. His focus is to design and lead the development of WCC, the party domain, the product domain, and configuration for the MDM Server. He has also mastered a wide variety of technologies such as security, XML/Web services, multithreading, NIO networking, and transaction management.



20 November 2008

Also available in Chinese

Introduction

When security is enabled, the InfoSphere MDM Server application client must authenticate itself to the application server in order to access InfoSphere MDM Server. The InfoSphere MDM application client is responsible for utilizing the right authentication mechanism to log into the application server and to access InfoSphere MDM Server.

Assumptions

This article assumes an understanding of the following topics:

  • WebSphere® Application Server security (see the WebSphere Security Handbook for details)
  • Java Authentication and Authorization Service (JAAS) login modules and callback handlers
  • Web services security

Software stack for all articles of this series

All discussions of MDM Server relate to InfoSphere MDM Server 8.0 and its related stack. This article assumes a familiarity with MDM Server and the terminology used within its product manuals.

Sample application clients

InfoSphere MDM Server supports multiple application clients, including the Web application client, the application thin client, the J2EE application client, and the Applet application client. The Web application client and the Java application thin client are the most commonly used. This article provides a set of samples that give you hands-on experience configuring and implementing different InfoSphere MDM Server clients. Each topic briefly highlights the most useful aspects of configuring and implementing your own application client, and provides instructions on how to install and run the sample.

Java application thin client

A Java application thin client has to use the CSIv2/SAS protocol to access the secured InfoSphere MDM Server on WebSphere Application Server. One option is to use the SAS client that WebSphere Application Server provides. All you need to do is configure the SAS client properties file and set the CORBA ConfigURL in the Java client JVM arguments. For more information about Java application client authentication in WebSphere, see the WebSphere Security Handbook.

How to configure authentication

Edit the following properties in sas.client.props to configure the authentication:

Listing 1. Authentication properties
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
. . .
com.ibm.CORBA.loginTimeout=300
com.ibm.CORBA.loginSource=prompt

# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=SampleUser
com.ibm.CORBA.loginPassword=aPassword

When running the Java application thin client, add one JVM argument that points the CORBA ConfigURL at the location of the SAS client properties file, for example: java -Dcom.ibm.CORBA.ConfigURL=file:properties/sas.client.props JavaClient.

Sample code

Create a Java application client to access InfoSphere MDM Server services using the following code:

Listing 2. Authentication code
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

// JNDI environment pointing at the server's bootstrap IIOP address
Hashtable ctxParams = new Hashtable(1);
ctxParams.put(Context.PROVIDER_URL, this.CORBA_URL);
ctxParams.put(Context.INITIAL_CONTEXT_FACTORY, this.contextFactory);
. . .
// The SAS client authenticates the IIOP connection with the credentials
// configured in sas.client.props before the lookup is served
InitialContext ctx = new InitialContext(ctxParams);
Object obj = ctx.lookup(EJB_HOME_JNDI_NAME);
DWLServiceControllerHome theDWLServiceControllerHome = (DWLServiceControllerHome) PortableRemoteObject
    .narrow(obj, DWLServiceControllerHome.class);
DWLServiceController aDWLServiceController = theDWLServiceControllerHome.create();
// Submit the request XML together with the transaction context; the response is an XML string
String response = (String) aDWLServiceController
    .processRequest(getTCRMContext(), SAMPLE_REQUEST);

How to run the sample

Download and unzip the sample JavaClient.zip. Open the batch file JavaClientSecurityEnabled.bat and set the values of SERVER_URL, CLIENT_DIR and WAS_DIR as follows:

  • SERVER_URL to the server bootstrap IIOP address, such as SERVER_URL=iiop://localhost:2809
  • CLIENT_DIR to the thin client location, such as CLIENT_DIR=C:\JavaClient
  • WAS_DIR to the WebSphere Application Server 6.1 home directory, such as WAS_DIR=C:\IBM\SDP70\runtimes\base_v61

Run the script JavaClientSecurityEnabled.bat.

If the InfoSphere MDM Server is secured, a logon form prompts for a user name and password.

Figure 1. Logon form

After you enter the user name and password, the security credentials are passed to the server with the request. After the request is processed, the response is displayed.

Figure 2. MDM Server response message

When using SSL to secure the transport channel, configure both sas.client.props and ssl.client.props. For more information about configuring SSL for an RMI/IIOP thin client, see the ssl.client.props configuration file topic in the WebSphere Application Server information center.

Web services application client

The MDM Server Web services support message-level security, through which the authentication mechanism, integrity, and confidentiality are applied. Message-level security over SSL allows security to be implemented end-to-end through multiple services, regardless of the transport layer protocol. At the message level, the security elements, for example the security token, time stamp, signature, and encrypted key, are inserted into the SOAP message header. When MDM Server receives the token, it extracts the user name and password and verifies them. If they are valid, the message is processed.

How to configure security

This section shows the scenario of configuring a user name token for a Web services Web client. The configuration steps are:

  1. Import MDM Server's Web Services Description Language (WSDL) files and create the Web services Web client. For more information on generating the Web services proxy and using the TCP/IP monitor, see the "Creating Web services Client" section of the WebSphere Application Server Information Center.
  2. Open the deployment descriptor in WS Extension, navigate to Request Generator Configuration > Security Token, and add a user name token, for example, an MDMToken.
    Figure 3. Security token configuration
  3. Choose the token type as Username Token.
    Figure 4. Security Token dialog
  4. On the WS binding tab, navigate to Security Request Generator Binding Configuration > Token Generator, and add a new token generator.
    Figure 5. Token Generator configuration
  5. Check the Use value type check box, and select Username Token in the Value type field.
  6. When using a fixed user, choose com.ibm.wsspi.wssecurity.auth.callback.NonPromptCallbackHandler in the Callback handler field, and enter a user name and password that can log on to InfoSphere MDM Server in the User ID and Password fields.
    Figure 6. Token Generator dialog
  7. When using a dynamic user, enter a custom callback handler name in the Callback handler field, such as com.ibm.mdm.ws.callbackhandler.UsernameHandler.
    Figure 7. Token Generator dialog 2

Sample Code

The following code shows an implementation of the custom callback handler named in step 7.

Listing 3. Custom callback handler
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback;

public class UsernameHandler implements CallbackHandler {

. . .

  // Called by the token generator for each outgoing request; the name and
  // password set here become the wsse:UsernameToken in the SOAP header.
  // getUsername() and getPassword() (elided above) return the credentials
  // supplied by the dynamic user.
  public void handle(Callback[] callbacks)
              throws IOException, UnsupportedCallbackException {

    for (int i = 0; i < callbacks.length; i++) {
      if (callbacks[i] instanceof NameCallback) {
        NameCallback nameCallback = (NameCallback) callbacks[i];
        nameCallback.setName(getUsername());
      } else if (callbacks[i] instanceof PasswordCallback) {
        PasswordCallback pwdCallback = (PasswordCallback) callbacks[i];
        pwdCallback.setPassword(getPassword().toCharArray());
      } else if (callbacks[i] instanceof PropertyCallback) {
        // Get the property if necessary
      } else {
        throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
      }
    }

  }

. . .

}

How to run the sample

Follow the steps to run the sample:

  1. Import MDMWSClient.ear into a workspace, and launch index.jsp, found in the MDMWSClientSample project.
    Figure 8. Web services client sample
  2. Enter an MDM service end point in the MDM Web Services EndPoint field, such as http://localhost:9080/PartyWS_HTTPRouter/services/PartyPort.
  3. When using a dynamic user, enter the user name and password in the "user name" and "password" fields.
  4. Enter a party ID (a long integer) and a name in the Add Party Input Panel field.
  5. Click Submit.

If the party is added, the party ID and name are displayed in the Party Response panel. You can use the TCP/IP monitor to verify that the user name token is propagated with the SOAP message, as shown in Listing 4:

Listing 4. Sample SOAP message
<soapenv:Envelope
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    soapenv:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>sampleUserName</wsse:Username>
<wsse:Password
    Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">samplePassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
. . .
</soapenv:Body>
</soapenv:Envelope>
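An added example, not part of the original article or the sample download, of the check a reviewer would run on a request captured with the TCP/IP monitor: it parses the WS-Security header, pulls out the wsse:UsernameToken, and flags a clear-text (PasswordText) password when the capture did not travel over SSL. The sample envelope is constructed from Listing 4 with a placeholder body; treating a missing Type attribute as PasswordText follows the WSS Username Token Profile rather than anything stated in the article.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample request modelled on Listing 4; the body is a placeholder.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
<soapenv:Header>
<wsse:Security xmlns:wsse="{WSSE}" soapenv:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>sampleUserName</wsse:Username>
<wsse:Password Type="{PASSWORD_TEXT}">samplePassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body><addParty/></soapenv:Body>
</soapenv:Envelope>"""


def inspect_username_token(envelope_xml, transport_is_tls):
    """Return what the UsernameToken carries, or None if no token is present.

    transport_is_tls: whether the captured request travelled over HTTPS.
    PasswordText is only acceptable when the channel itself is encrypted.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAPENV}}}Header/{{{WSSE}}}Security")
    if security is None:
        return None
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    username = token.findtext(f"{{{WSSE}}}Username", default="")
    password = token.find(f"{{{WSSE}}}Password")
    # The profile defines a missing Type attribute as PasswordText.
    ptype = password.get("Type", PASSWORD_TEXT) if password is not None else None
    must_understand = security.get(f"{{{SOAPENV}}}mustUnderstand") == "1"
    findings = []
    if not must_understand:
        findings.append("Security header lacks mustUnderstand=1; a receiver may ignore it")
    if ptype == PASSWORD_TEXT and not transport_is_tls:
        findings.append("clear-text password (PasswordText) on an unencrypted channel")
    return {"username": username, "password_type": ptype,
            "must_understand": must_understand, "findings": findings}
```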

Conclusion

When working with InfoSphere MDM Server, you will inevitably use an application client to access it. This article showed two scenarios for implementing application clients that authenticate to a secured InfoSphere MDM Server, walking through the steps to configure and customize each client with sample code so that you can implement your own.

InfoSphere MDM Server also provides application clients in its package, such as a Batch Processor (a Java application thin client) and an Administration and Data Stewardship application (Web application clients). These applications work on either a secured or an unsecured InfoSphere MDM Server. To learn how to configure these application clients to access a secured InfoSphere MDM Server, read the "InfoSphere MDM Server Installation Guide."

InfoSphere MDM Server can run on WebSphere Application Server or on a BEA WebLogic application server. How to configure and customize the application clients to authenticate to a secured InfoSphere MDM Server on a BEA WebLogic application server will be covered in subsequent articles.


Downloads

Description                              Name              Size
Sample Java Client                       JavaClient.zip    43KB
Sample Web Services Application Client   MDMWSClient.ear   6.6MB
