Configuring a message flow for identity propagation
To enable a message flow to perform identity propagation, the input nodes must extract the identity from the message flow and the output node must propagate it. If the message identity does not contain enough information for identity propagation, you can provide the identity to propagate.
Before you begin
Before you can configure a message flow to perform identity propagation, you must check that an appropriate security profile exists, or create a new security profile. See Creating a security profile.
About this task
Enabling identity propagation
About this task
To enable a message flow to perform identity propagation, complete the following steps.
Procedure
- In the Application Development view, right-click the BAR file, then click .
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the
security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
- In the Security Profile Name field, select a security profile that has identity propagation enabled.
- Save the BAR file.
mqsiapplybaroverride -b barFileName -k applicationName -m
flowName#nodeName.securityProfileName=securityProfileNameProviding the identity to propagate
About this task
For information about the identity tokens that you can propagate with each node type, see Identity and security token propagation.
If the message identity does not contain enough information for identity propagation, you can use any of the following methods to acquire the necessary information:
- Use information that is in the message body. For example, if the message comes from WebSphere® MQ with only a Username token, and the output is an HTTPRequest node that requires a Username and password token, the password might be present in the body of the incoming message. For more information, see Configuring the extraction of an identity or security token.
- Configure an identity mapper by using IBM Tivoli Federated Identity Manager. For more information, see the IBM Tivoli Federated Identity Manager product documentation online.
- Use ESQL or Java™ to set the Mapped Identity fields in the Properties tree.
- Configure a static user name and password identity by completing
the following steps:
- Run the mqsisetdbparms command:
Where securityIDName is a name to associate with the static user name and password identity, and username and password are the identity credentials that you want to use. For more information, see mqsisetdbparms command.mqsisetdbparms integrationNodeName -n securityIDName -u username -p password - Create a SecurityProfiles configurable service that sets the property
values listed in the following table:
Where securityIDName is the name that you associated with the static user name and password identity in the mqsisetdbparms command. For example, if you use the command line, run the following command:Properties Values propagation TRUE idToPropagateToTransport STATIC ID transportPropagationConfig securityIDName
For more information, see mqsicreateconfigurableservice command.mqsicreateconfigurableservice integrationNodeName -c SecurityProfiles -o securityProfileName -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,securityIDName"
- Run the mqsisetdbparms command: