Extending the Security Policy Enforcement Point (PEP) sample

This sample uses the IBM Integration message flows that emulate the operation of Security Trust Service (STS). The true security implementation depends on the use of an external centralised security provider to provide authentication, authorization, and mapping. You can extend the sample to incorporate security enforcement by using your own security provider, for example TFIM V6.2

You can extend the sample to work with TFIM V6.2 by completing the following tasks. However, for detailed information about the TFIM V6.2 configuration with the integration node read the following topics in the IBM Integration Bus documentation:

• Authentication, mapping, and authorization with TFIM V6.2 and TAM
• Configuring authentication or security token validation with a WS-Trust v1.3 STS (TFIM V6.2)
• Configuring authorization with a WS-Trust v1.3 STS (TFIM V6.2)
• Configuring identity mapping with a WS-Trust V1.3 STS (TFIM V6.2)

For security operations at the HTTP_ID HTTPInput node:

1. Create a security profile with the following properties:
   • authentication = "WS-Trust v1.3 STS"
   • authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
2. On the TFIM v6.2, create a trust chain with the following properties:
   • Request Type : "Validate Oasis URI"
   • AppliesTo : http://localhost:7080/SecurityPEPNodeSample/ProcessMsgWithIdentity
   • Issuer : "Issuer1"
   • Token Type : "Username"
   • Module :
     • UsernameTokenSTSModule
     • Mode : Validate

For security operations at the PEP_UP_A1A2 SecurityPEP node

1. Create a security profile with the following properties:
   • authentication = "WS-Trust v1.3 STS"
   • authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
   • authorization = "WS-Trust v1.3 STS"
   • authorizationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
2. On the TFIMv6.2, create a trust chain with the following properties:
   • Request Type : "Validate Oasis URI"
   • AppliesTo : PEP_UPA1A2
   • Issuer : REGEXP:(.*)
   • Token Type : "Username"
   • Modules :
     • UsernameTokenSTSModule
     • Mode : Validate
       • Default Map module with XSLT ContextAttributes_TAMAuthorization.xsl in the SecurityPEPNodeSampleApplicationProject/XSL folder
     • Mode : map
       • TAMAuthorizationModule
     • Mode : authorize

For security operations at the PEP_MAPUP->SAML2.0 SecurityPEP node:

1. Create a security profile with the following properties:
   • mapping = "WS-Trust v1.3 STS"
   • mappingConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
2. On the TFIMv6.2, create a trust chain with the following properties:
   • Request Type : "Issue Oasis URI"
   • AppliesTo : PEP_UP2SAML2
   • Issuer : Issuer1
   • Token Type : "Username"
   • Modules :
     • Default Map module with XSLT Map_UP2SAML2.xsl in the SecurityPEPNodeSampleApplicationProject/XSL folder
     • Mode : map
       • Default SAML 2.0 Token
     • Mode : issue

For security operations at SecurityPEP node in the Web service flow:

1. Create a security profile with the following properties:
   • authentication = "WS-Trust v1.3 STS"
   • authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
2. On the TFIMv6.2, create a trust chain with the following properties:
   • Request Type : "Validate Oasis URI"
   • AppliesTo : urn:IB9NODE.default.SecurityPEPNodeReportFlow
   • Issuer : REGEXP:(.*)
   • Token Type : "SAML 2.0"
   • Module :
     • Default SAML 2.0 Token
     • Mode : Validate

For instructions and more information, see Setting up message flow security and Message flow security overview in the IBM Integration Bus documentation.

Back to sample home