Extending the Security Policy Enforcement Point (PEP) sample
This sample uses IBM Integration Bus message flows that emulate the operation of a Security Trust Service (STS). A true security implementation depends on an external centralised security provider for authentication, authorization, and mapping. You can extend the sample to enforce security by using your own security provider, for example TFIM V6.2.
To extend the sample to work with TFIM V6.2, complete the following tasks. For detailed information about configuring TFIM V6.2 with the integration node, read the IBM Integration Bus documentation topics listed at the end of this page.
For security operations at the HTTP_ID HTTPInput node:
  Create a security profile with the following properties:
    authentication = "WS-Trust v1.3 STS"
    authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
  On TFIM V6.2, create a trust chain with the following properties:
    Request Type : "Validate Oasis URI"
    AppliesTo : http://localhost:7080/SecurityPEPNodeSample/ProcessMsgWithIdentity
    Issuer : "Issuer1"
    Token Type : "Username"
    Module :
      UsernameTokenSTSModule, Mode : Validate

For security operations at the PEP_UP_A1A2 SecurityPEP node:
  Create a security profile with the following properties:
    authentication = "WS-Trust v1.3 STS"
    authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
    authorization = "WS-Trust v1.3 STS"
    authorizationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
  On TFIM V6.2, create a trust chain with the following properties:
    Request Type : "Validate Oasis URI"
    AppliesTo : PEP_UPA1A2
    Issuer : REGEXP:(.*)
    Token Type : "Username"
    Modules :
      UsernameTokenSTSModule, Mode : Validate
      Default Map module with XSLT ContextAttributes_TAMAuthorization.xsl
        (in the SecurityPEPNodeSampleApplicationProject/XSL folder), Mode : map
      Mode : authorize

For security operations at the PEP_MAPUP->SAML2.0 SecurityPEP node:
  Create a security profile with the following properties:
    mapping = "WS-Trust v1.3 STS"
    mappingConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
  On TFIM V6.2, create a trust chain with the following properties:
    Request Type : "Issue Oasis URI"
    AppliesTo : PEP_UP2SAML2
    Issuer : Issuer1
    Token Type : "Username"
    Modules :
      Default Map module with XSLT Map_UP2SAML2.xsl
        (in the SecurityPEPNodeSampleApplicationProject/XSL folder), Mode : map
      Mode : issue

For security operations at the SecurityPEP node in the Web service flow:
  Create a security profile with the following properties:
    authentication = "WS-Trust v1.3 STS"
    authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
  On TFIM V6.2, create a trust chain with the following properties:
    Request Type : "Validate Oasis URI"
    AppliesTo : urn:IB9NODE.default.SecurityPEPNodeReportFlow
    Issuer : REGEXP:(.*)
    Token Type : "SAML 2.0"
    Module :
      Default SAML 2.0 Token, Mode : Validate
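The four "Create a security profile" steps above can be scripted with the mqsicreateconfigurableservice command (SecurityProfiles configurable service). The script below is an added example, not part of the IBM sample: the node name IB9NODE is taken from the report flow's AppliesTo URN above, while the profile names (HTTP_ID_Profile and so on) and the TFIM host name argument are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM sample): emit the mqsicreateconfigurableservice
# commands that create the security profiles described above, so the TFIM V6.2
# STS endpoint is typed once. Node name IB9NODE is taken from the page; the
# profile names (HTTP_ID_Profile, ...) and the host argument are assumptions.

# WS-Trust 1.3 endpoint of the TFIM V6.2 trust server, as given on the page.
sts_url() {
    printf 'http://%s:9080/TrustServerWST13/services/RequestSecurityToken' "$1"
}

# security_profile_cmd NODE PROFILE HOST OP...
# OP is one of authentication, authorization or mapping; each OP contributes the
# pair "<op>" = "WS-Trust v1.3 STS" and "<op>Config" = STS URL to the -n/-v lists.
security_profile_cmd() {
    node=$1 profile=$2 host=$3
    shift 3
    names='' values=''
    for op in "$@"; do
        case $op in
            authentication|authorization|mapping) ;;
            *) echo "security_profile_cmd: unknown operation '$op'" >&2; return 1 ;;
        esac
        names="${names:+$names,}$op,${op}Config"
        values="${values:+$values,}\"WS-Trust v1.3 STS\",\"$(sts_url "$host")\""
    done
    printf 'mqsicreateconfigurableservice %s -c SecurityProfiles -o %s -n %s -v %s\n' \
        "$node" "$profile" "$names" "$values"
}

# Usage: sh make_profiles.sh <tfim-host>  -- prints the commands; run them in the
# IIB command environment after review. One profile per node in the sample.
if [ -n "${1:-}" ]; then
    security_profile_cmd IB9NODE HTTP_ID_Profile      "$1" authentication
    security_profile_cmd IB9NODE PEP_UP_A1A2_Profile  "$1" authentication authorization
    security_profile_cmd IB9NODE PEP_UP2SAML2_Profile "$1" mapping
    security_profile_cmd IB9NODE WS_Report_Profile    "$1" authentication
fi
```

Creating a profile does not enforce anything by itself: each profile must still be assigned to the corresponding HTTPInput or SecurityPEP node through its Security profile property (or a BAR file override) before the node calls the STS.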
For instructions and more information, see "Setting up message flow security" and "Message flow security overview" in the IBM Integration Bus documentation.