Authenticating incoming requests by using credentials stored in the vault

Implement basic authentication on incoming requests by using credentials stored locally in an independent integration server's vault.

About this task

You can secure your integrations by implementing basic authentication on deployed integrations, so that incoming HTTP requests must supply a username and password, which are then authenticated against credentials that are stored in an independent integration server's vault.

Procedure

To configure the authentication of incoming requests by using credentials stored in the vault, complete the following steps:

  1. Create a Security Profiles policy in a Policy project (for example, SecPolicy/BasicAuthLocal.policyxml) and configure authentication against locally stored credentials, by setting the Authentication property to Local and the AuthenticationConfiguration property to the name of a local credential alias. For example: 
    
<policies>
  <policy policyType="SecurityProfiles" policyName="BasicAuthLocal" policyTemplate="SecurityProfiles">
    <authentication>Local</authentication>
    <authenticationConfig>LocalCredentialsAlias</authenticationConfig>
    <mapping>NONE</mapping>
    <mappingConfig></mappingConfig>
    <authorization>NONE</authorization>
    <authorizationConfig></authorizationConfig>
    <propagation>false</propagation>
    <idToPropagateToTransport>Message ID</idToPropagateToTransport>
    <transportPropagationConfig></transportPropagationConfig>
    <keyStore>Reserved for future use</keyStore>
    <trustStore>Reserved for future use</trustStore>
    <passwordValue>PLAIN</passwordValue>
    <rejectBlankpassword>false</rejectBlankpassword>
  </policy>
</policies>
    For information about how to create a policy, see Creating policies with the IBM App Connect Enterprise Toolkit.
  2. Deploy the policy project that contains the new security profile, by using one of the following methods:
    • Add the policy project to a BAR file and deploy it
    • Copy the policy project to the integration server's overrides directory (work_directory/overrides)
  3. Create the vault for the integration server, by using the mqsivault command; for example: 
    mqsivault --work-dir c:\mywrk\myaceworkdir --create --vault-key abcd1234
    For more information about creating a vault, see Creating a vault by using the mqsivault command.
  4. Create the local credentials with the configured alias name in the integration server's vault, by using the mqsicredentials command; for example: 
    mqsicredentials --work-dir c:\mywrk\myaceworkdir --create --vault-key abcd1234 --credential-type local 
--credential-name LocalCredentialsAlias --username SecUserName --password SecPwd
    For more information about creating security credentials, see Configuring encrypted credentials by using the mqsicredentials command.
  5. Set the security profile to apply to the whole message flow, to a specific message flow node, or to the whole independent integration server, by completing one of the following steps:
    • Set the security profile to apply to the whole message flow by creating a BAR override, setting the security profile to {policy_project_name}:security_profile_name as a property on the message flow
    • Set the security profile to apply to a specific message flow node in either of the following ways:
      • Create a BAR override, setting the security profile to {policy_project_name}:security_profile_name as a property on the message flow node
      • Set the Security profile property in the Security tab of the appropriate message flow node. The Security profile property can be set on the following nodes:
        • CICSRequest
        • HTTPInput, HTTPRequest, HTTPAsyncRequest
        • IMSRequest
        • MQInput, MQOutput, MQReply
        • RESTRequest, RESTAsyncRequest
        • SAPRequest
        • SecurityPEP
        • SiebelRequest
        • SOAPInput, SOAPReply, SOAPRequest, SOAPAsyncRequest
    • Set the security profile to apply to the whole integration server, by setting the forceServerHTTPSecurityProfile property in the integration server's server.conf.yaml configuration file to the name of the policy, in the form {policy_project_name}:security_profile_name; for example:
      
forceServerHTTPSecurityProfile: '{SecPolicy}:BasicAuthLocal'

      The setting specified in the forceServerHTTPSecurityProfile property in the server.conf.yaml file overrides any specific settings made at the level of the message flow or message flow node.

  6. Restart the integration server for the changes to take effect, ensuring that you specify the vault key; for example: 
    IntegrationServer --work-dir c:\mywrk\myaceworkdir --vault-key abcd1234

What to do next

When the deployed message flows are invoked with security applied, any request to the flow must provide the required credentials. Failure to do so will result in an authentication error and the request will fail.