Setting up message flow security

Set up security on a message flow to control access based on the identity of a message passing through the message flow.

About this task

You can configure the integration node to perform end-to-end processing of an identity that is carried in a message as it passes through a message flow. Administrators can configure security at the message flow level, controlling access based on the identity that is flowed in the message. This security mechanism is independent of both the transport and the message format.

To set up security for a message flow, perform the tasks described in the following topics:

Procedure

  1. Creating a security profile
  2. Configuring the extraction of an identity or security token
  3. Configuring identity authentication and security token validation
  4. Configuring identity mapping
  5. Configuring authorization
  6. Configuring a message flow for identity propagation
  7. Security identities for integration nodes connecting to external systems
  8. Review and set the cacheTimeout property on the securitycache component
  9. Diagnosing security problems

What to do next

If the message flow is a web service implemented by using the SOAP nodes, and the identity is to be taken from the WS-Security header tokens, you must also create appropriate Policy sets and bindings, then configure them on the relevant SOAP nodes (in addition to the security profile). See Associating policy sets and bindings with message flows and nodes.

To work with an identity, you must configure the policy sets and bindings for the relevant capabilities:
  • To work with a Username and Password identity, configure the policy sets and bindings for Username token capabilities.
  • To work with an X.509 Certificate identity, configure the policy sets and bindings for X.509 certificate token capabilities.

    In the policy set binding, the Certificates mode of the X.509 certificate authentication token must be set to Trust Any (rather than Trust Store), so that the certificate is passed on to the security provider that is defined by the security profile. Setting Trust Store instead causes the certificate to be validated against the local integration node trust store, and it is not passed to the security provider.

  • To work with a SAML assertion, configure the policy sets and bindings for SAML token capabilities.
  • To work with an LTPA token, configure the policy sets and bindings for LTPA token capabilities.
  • To work with a Kerberos ticket, configure the policy sets and bindings for Kerberos token capabilities.

For more information, see Policy Sets and Policy Set Bindings editor: Authentication and Protection Tokens panel.