Security profiles

A security profile defines the security operations that are to be performed in a message flow at SecurityPEP nodes and at security-enabled input and output nodes.

Security profiles are configured by the integration administrator before deploying a message flow, and are accessed by the security manager at run time.

A security profile allows an integration administrator to specify whether authentication, authorization, mapping, and propagation are to be performed on the identity or security tokens associated with messages in the message flow. You can create a security profile for use with an external security provider (also known as a Policy Decision Point or PDP) to provide security enforcement and mapping. IBM® Tivoli® Federated Identity Manager (TFIM) V6.1 and WS-Trust v1.3 compliant Security Token Service (including TFIM V6.2) are supported for authentication, authorization, and mapping. Lightweight Directory Access Protocol (LDAP) is supported for authentication and authorization. As an alternative to using an external security provider for authentication, you can create a security profile for authenticating against credentials that are held locally in the integration server's vault, as described in Authenticating incoming requests by using credentials stored in the vault.

Security profiles apply to the following security-enabled message flow nodes:
  • CICSRequest
  • HTTPInput
  • HTTPRequest
  • HTTPAsyncRequest
  • IMSRequest
  • MQInput
  • MQOutput
  • MQReply
  • RESTRequest
  • RESTAsyncRequest
  • SAPRequest
  • SecurityPEP
  • SiebelRequest
  • SOAPInput
  • SOAPReply
  • SOAPRequest
  • SOAPAsyncRequest
These nodes have a Security Profile property, in which you can specify the name of the security profile that determines the type of security that is configured for the node. Misconfiguration surfaces at two different points. If the named security profile does not exist at run time, the message flow fails to deploy. If a specified external security provider does not support the type of token configured on the node for the security operation, an error is reported and the message flow fails to deploy. If the security profile specifies local authentication, but the credentials have not been created in the vault or the alias name does not match the one in the profile, the flow deploys but fails to start. For more information, see Authenticating incoming requests by using credentials stored in the vault.

Security profiles can be assigned by the administrator at deployment time in the BAR file editor. The security-enabled nodes have a Security Profile property in the BAR file editor, which can be left blank, set to No Security, or set to a specific security profile name. Set No Security to explicitly turn off security for the message flow node, regardless of what is set at the message flow level. If the Security Profile property is blank, the node inherits the Security Profile property that is set at the message flow level. If the Security Profile property is left blank at both levels, security is turned off for the message flow node, so a flow with no profile at either level performs no authentication, authorization, mapping, or propagation.

The security profile also specifies whether propagation is required. A pre-configured profile that specifies propagation is provided for use by output and request nodes. This profile is the Default Propagation security profile. This profile can also be used on an input node to extract tokens and put them into the message tree ready for propagation or processing in a SecurityPEP node.

Security profiles contain values for the following properties:

alternateServers
Defines the comma-separated list of LDAP servers to fail over to when the primary server is not available. The list has the following format:
ldap[s]://host1:[port1], ldap[s]://host2:[port2], ldap[s]://host3:[port3]
After failover, the newly connected LDAP server becomes the primary server.
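The following parser, added here as an example and not part of the product or its documentation, validates an alternateServers value against the format quoted above before the profile is created, so a malformed entry is caught in review rather than on the first failover. It also lists every entry that uses plain ldap:// rather than ldaps://, since a mixed list means a failover silently moves the bind (and the user's password, with simple bind) onto an unprotected hop. The default ports 389 and 636 are the standard LDAP ports and are an assumption of this example; the page does not state what the product uses when a port is omitted.

```python
"""
Parser and validator for the alternateServers list of a security profile.
Added example, not IBM code. Assumes the documented format:
    ldap[s]://host1:[port1], ldap[s]://host2:[port2], ...
Default ports 389 (ldap) and 636 (ldaps) are an assumption of this example.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LdapServer:
    scheme: str   # "ldap" or "ldaps"
    host: str
    port: int
    tls: bool     # True only for ldaps://


def parse_alternate_servers(value: str) -> list[LdapServer]:
    """Split the comma-separated list and validate each entry.

    Raises ValueError on anything the documented format does not allow.
    """
    servers: list[LdapServer] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in alternateServers list")
        parts = urlsplit(entry)
        if parts.scheme not in ("ldap", "ldaps"):
            raise ValueError(f"{entry!r}: scheme must be ldap or ldaps")
        if not parts.hostname:
            raise ValueError(f"{entry!r}: missing host")
        if parts.path or parts.query or parts.fragment or parts.username:
            raise ValueError(f"{entry!r}: only scheme://host[:port] is allowed")
        try:
            port = parts.port          # ValueError if not an integer in range
        except ValueError as exc:
            raise ValueError(f"{entry!r}: bad port") from exc
        if port is None:
            port = 636 if parts.scheme == "ldaps" else 389   # assumed defaults
        servers.append(LdapServer(parts.scheme, parts.hostname, port,
                                  parts.scheme == "ldaps"))
    if not servers:
        raise ValueError("alternateServers list is empty")
    return servers


def plaintext_servers(servers: list[LdapServer]) -> list[str]:
    """host:port of every entry whose bind would travel over plain ldap://.

    A list that mixes ldaps:// and ldap:// targets downgrades protection of
    the bind credentials the moment failover happens.
    """
    return [f"{s.host}:{s.port}" for s in servers if not s.tls]


if __name__ == "__main__":
    # Constructed sample value, not taken from any real deployment.
    sample = ("ldaps://ldap1.example.com:636, ldaps://ldap2.example.com, "
              "ldap://ldap3.example.com:389")
    parsed = parse_alternate_servers(sample)
    for server in parsed:
        print(server)
    print("plaintext hops:", plaintext_servers(parsed))
```

Run it against the value you intend to put in the profile; an empty list from plaintext_servers is the result you want for a profile that performs authentication against the directory.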
authentication
Defines the type of authentication that is performed on the source identity. For more information, see Authentication and validation.
authenticationConfig
Defines the information that the integration server needs to authenticate the identity, and can be one of the following values:
  • The configured alias name of the locally stored credentials in the integration server's vault. These credentials are used for basic authentication when the Authentication type is Local. For more information, see Authenticating incoming requests by using credentials stored in the vault.
  • The information that the integration server needs to connect to the external security provider and look up identity tokens. This property is in the form of a provider-specific configuration string.
mapping
Defines the type of mapping that is performed on the source identity. For more information, see Identity mapping.
mappingConfig
Defines how the integration node connects to the provider, and contains additional information required to look up the mapping routine. It is a provider-specific configuration string.
authorization
Defines the types of authorization checks that are performed on the mapped or source identity. For more information, see Authorization.
authorizationConfig
Defines how the integration node connects to the provider, and contains additional information that can be used to check access (for example, a group that can be checked for membership). It is a provider-specific configuration string.
passwordValue
Defines how passwords are treated when they enter a message flow. If PLAIN is selected, the password appears in the Properties folder in plain text. If OBFUSCATE is selected, the password appears in the Properties folder in base64 encoding; base64 is an encoding, not encryption, so anything that can read the message tree (a Trace node, a user trace, a logged exception list) can recover the password. If MASK is selected, the password appears in the Properties folder as four asterisks (****), and is the setting to use unless a downstream node genuinely needs the password value.
propagation
Enables or disables identity propagation on output and request nodes. On the security-enabled input nodes, you can select only identity propagation, without specifying any other security operations, to make the extracted incoming identity or security token available for use in the other nodes in the message flow, such as output or request nodes. For more information, see Identity and security token propagation.
idToPropagateToTransport
Enables the use of a specific security identity for propagation. Set the value to STATIC ID, and set the security identity by using the transportPropagationConfig parameter.
transportPropagationConfig
Provides a specific security identity to propagate when idToPropagateToTransport is set to STATIC ID. Set the value to the name that you associate with the static user name and password identity when you run the mqsicredentials command. Alternatively, you can use the mqsisetdbparms command. For more information, see Configuring a message flow for identity propagation.
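The following pre-deployment check, added here as an example and not part of the product or its documentation, encodes the rules stated in the passwordValue, idToPropagateToTransport and transportPropagationConfig descriptions above (and the local-authentication rule from the authenticationConfig description) so that a profile can be reviewed before it is created rather than discovered at deploy or start time. It also renders a password the way each passwordValue setting places it in the Properties folder, and shows that the OBFUSCATE form decodes straight back to the original. The property names and the values PLAIN, OBFUSCATE, MASK and STATIC ID are those quoted on this page; the literal string "Local" for the authentication type, and the representation of a profile as a plain name-to-value mapping, are assumptions of this example.

```python
"""
Pre-deployment lint for a security profile, built from the property
descriptions on this page. Added example, not IBM code.
Assumptions: the profile is a name->value mapping; the authentication type
for vault credentials is the literal "Local".
"""
import base64

MASK = "****"   # the page: MASK shows four asterisks in the Properties folder


def password_in_properties(password: str, password_value: str) -> str:
    """Render a password the way each passwordValue setting puts it in the
    Properties folder of the message tree."""
    if password_value == "PLAIN":
        return password
    if password_value == "OBFUSCATE":
        return base64.b64encode(password.encode("utf-8")).decode("ascii")
    if password_value == "MASK":
        return MASK
    raise ValueError(f"unknown passwordValue {password_value!r}")


def recover_obfuscated(rendered: str) -> str:
    """OBFUSCATE is plain base64: whoever can read the message tree (Trace
    node output, user trace, a logged exception) gets the password back."""
    return base64.b64decode(rendered).decode("utf-8")


def lint_security_profile(profile: dict[str, str]) -> list[str]:
    """Return findings for the conditions this page says fail at deploy or
    start time, plus the password exposures a reviewer would flag."""
    def get(name: str) -> str:
        return (profile.get(name) or "").strip()

    findings: list[str] = []

    # STATIC ID needs the mqsicredentials name in transportPropagationConfig.
    if get("idToPropagateToTransport") == "STATIC ID" and not get("transportPropagationConfig"):
        findings.append("idToPropagateToTransport is STATIC ID but "
                        "transportPropagationConfig names no identity")

    # Local authentication needs the vault alias, or the flow fails to start.
    if get("authentication") == "Local" and not get("authenticationConfig"):   # "Local" assumed
        findings.append("Local authentication without a vault credential "
                        "alias in authenticationConfig")

    pv = get("passwordValue")
    if pv == "PLAIN":
        findings.append("passwordValue PLAIN: password readable in the Properties folder")
    elif pv == "OBFUSCATE":
        findings.append("passwordValue OBFUSCATE: base64 only, trivially reversible; prefer MASK")
    elif pv and pv != "MASK":
        findings.append(f"passwordValue {pv!r} is not PLAIN, OBFUSCATE or MASK")

    return findings


if __name__ == "__main__":
    # Constructed profile, not taken from any real deployment.
    profile = {
        "authentication": "Local",
        "authenticationConfig": "",
        "passwordValue": "OBFUSCATE",
        "idToPropagateToTransport": "STATIC ID",
        "transportPropagationConfig": "",
    }
    for finding in lint_security_profile(profile):
        print("-", finding)
    shown = password_in_properties("s3cret!", "OBFUSCATE")
    print(shown, "->", recover_obfuscated(shown))
```

The lint deliberately reports OBFUSCATE as a finding rather than accepting it as a middle ground: the recover_obfuscated step is the whole attack, and it needs nothing beyond read access to a trace.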

For information about configuring settings for the security profile, see Creating a security profile.