Implement basic authentication on incoming requests by using credentials stored locally
in an independent integration server's vault.
About this task
You can secure your integrations by implementing basic authentication on deployed integrations,
so that incoming HTTP requests must supply a username and password, which are then authenticated
against credentials that are stored in an independent integration server's vault.
Procedure
To configure the authentication of incoming requests by using credentials stored in the
vault, complete the following steps:
-
Create a Security Profiles policy in a Policy project (for
example,
SecPolicy/BasicAuthLocal.policyxml
) and configure authentication against
locally stored credentials, by setting the Authentication property to
Local
and the AuthenticationConfiguration property to the name
of a local credential alias. For example:
<policies>
<policy policyType="SecurityProfiles" policyName="BasicAuthLocal" policyTemplate="SecurityProfiles">
<authentication>Local</authentication>
<authenticationConfig>LocalCredentialsAlias</authenticationConfig>
<mapping>NONE</mapping>
<mappingConfig></mappingConfig>
<authorization>NONE</authorization>
<authorizationConfig></authorizationConfig>
<propagation>false</propagation>
<idToPropagateToTransport>Message ID</idToPropagateToTransport>
<transportPropagationConfig></transportPropagationConfig>
<keyStore>Reserved for future use</keyStore>
<trustStore>Reserved for future use</trustStore>
<passwordValue>PLAIN</passwordValue>
<rejectBlankpassword>false</rejectBlankpassword>
</policy>
</policies>
-
Deploy the policy project that contains the new security profile, by using one of the following
methods:
- Add the policy project to a BAR file and deploy it
- Copy the policy project to the integration server's overrides directory
(work_directory/overrides)
-
Create the vault for the integration server, by using the mqsivault command; for
example:
mqsivault --work-dir c:\mywrk\myaceworkdir --create --vault-key abcd1234
-
Create the local credentials with the configured alias name in the integration server's vault,
by using the mqsicredentials command; for example:
mqsicredentials --work-dir c:\mywrk\myaceworkdir --create --vault-key abcd1234 --credential-type local
--credential-name LocalCredentialsAlias --username SecUserName --password SecPwd
-
Set the security profile to apply to the whole message flow, to a specific message flow node,
or to the whole independent integration server, by completing one of the following steps:
- Set the security profile to apply to the whole message flow by creating a BAR override,
setting the security profile to
{policy_project_name}:security_profile_name
as a property on the message flow
- Set the security profile to apply to a specific message flow node in either of the following ways:
- Create a BAR override, setting the security profile to
{policy_project_name}:security_profile_name
as a property on the message flow node
- Set the Security profile property in the Security tab
of the appropriate message flow node. The Security profile property can be set
on the following nodes:
- CICSRequest
- HTTPInput, HTTPRequest, HTTPAsyncRequest
- IMSRequest
- MQInput, MQOutput,
MQReply
- RESTRequest, RESTAsyncRequest
- SAPRequest
- SecurityPEP
- SiebelRequest
- SOAPInput, SOAPReply, SOAPRequest, SOAPAsyncRequest
- Set the security profile to apply to the whole integration server, by setting the
forceServerHTTPSecurityProfile property in the integration server's
server.conf.yaml configuration file to the name of the policy, in the form
{policy_project_name}:security_profile_name
;
for example:
forceServerHTTPSecurityProfile: '{SecPolicy}:BasicAuthLocal'
The setting specified in the forceServerHTTPSecurityProfile property in the
server.conf.yaml file overrides any specific settings made at the level of the
message flow or message flow node.
-
Restart the integration server for the changes to take effect, ensuring that you specify the
vault key; for example:
IntegrationServer --work-dir c:\mywrk\myaceworkdir --vault-key abcd1234
What to do next
When the deployed message flows are invoked with security applied, any request to the flow
must provide the required credentials. Failure to do so will result in an authentication error and
the request will fail.