Configuring a message flow for identity propagation

To enable a message flow input node to extract the identity that is received in an input message and propagate it along the flow, the node must be configured with a security profile that has propagation enabled.
To enable an output or request node to send the propagated identity in the output message, that node must also be configured with a security profile that has propagation enabled.
Alternatively, an output or request node can send a locally stored identity in the output message: configure it with a security profile that has propagation enabled and that references the local identity.

Before you begin

Before you can configure a message flow to perform identity propagation, you must check that an appropriate security profile exists, or create a new security profile. For more information, see Creating a security profile.

About this task

To configure a message flow to perform identity propagation, complete the following tasks:
  1. Enabling identity propagation for an input node
  2. Enabling identity propagation for an output node or a request node
  3. Providing the identity to propagate

Enabling identity propagation for an input node

About this task

An input node extracts security tokens if it is configured with a security profile that enables propagation at deployment time.

To enable a message flow to perform identity propagation on an input node, complete the following steps.

Procedure

By using the BAR editor, select a security profile that is enabled for identity propagation.
You can use the Default Propagation profile, which is a predefined profile that requests only identity propagation. You can set a security profile on a message flow or on individual input nodes. If no security profile is set for the input nodes, the setting is inherited from the setting on the message flow.
  1. In the Application Development view, right-click the BAR file, then click Open with > BAR Editor.
  2. Click the Manage and Configure tab.
  3. Click the flow or input node on which you want to set the security profile.
    The properties that you can configure for the message flow or for the input node are displayed in the Properties view.
  4. In the Security Profile Name field, select a security profile that is enabled for identity propagation.
  5. Save the BAR file.
Alternatively, you can set a security profile on the flow or the input node by using the mqsiapplybaroverride command. For example:
mqsiapplybaroverride -b barFileName -k applicationName -m flowName#nodeName.securityProfileName=securityProfileName
For more information, see mqsiapplybaroverride command.

Enabling identity propagation for an output node or a request node

About this task

An output node or a request node propagates an identity if it is configured with a security profile that enables propagation, and optionally provides an identity at deployment time.
For more information about providing an identity, see Providing the identity to propagate.

To enable a message flow to perform identity propagation on an output node or a request node, complete the following steps.

Procedure

By using the BAR editor, select a security profile that is enabled for identity propagation.
You can use the Default Propagation profile, which is a predefined profile that requests only identity propagation. You can set a security profile on a message flow or on individual output nodes or request nodes. If no security profile is set for the output nodes or request nodes, the setting is inherited from the setting on the message flow.
  1. In the Application Development view, right-click the BAR file, then click Open with > BAR Editor.
  2. Click the Manage and Configure tab.
  3. Click the flow, output node, or request node on which you want to set the security profile.
    The properties that you can configure for the message flow or for the output node or request node are displayed in the Properties view.
  4. In the Security Profile Name field, select a security profile that is enabled for identity propagation.
  5. Save the BAR file.
Alternatively, you can set a security profile on the flow, the output node, or the request node by using the mqsiapplybaroverride command. For example:
mqsiapplybaroverride -b barFileName -k applicationName -m flowName#nodeName.securityProfileName=securityProfileName
For more information, see mqsiapplybaroverride command.

Providing the identity to propagate

About this task

For more information about the identity tokens that you can propagate with each node type, see Identity and security token propagation.

If you want a Request node or an Output node to use a locally stored credential, you must provide the identity that it can use to authenticate to the remote server.

If the identity fields in the properties folder of the input message assembly do not contain enough information for the required outbound identity propagation, you can use any of the following methods to acquire the necessary information:

  • Use information that is in the message body. For example, if the message comes from IBM MQ with only a Username token, and the output is an HTTPRequest node that requires a Username and password token, the password might be present in the body of the incoming message. For more information, see Configuring the extraction of an identity or security token.
  • Map the current identity to the required identity by configuring the identity mapping. For more information, see Identity mapping.
  • Use ESQL or Java™ to set the Mapped Identity fields in the Properties tree.
  • Configure a static username and password local identity by completing the following steps:
    1. Run the mqsisetdbparms command:
      mqsisetdbparms -w workDir -n securityIDName -u username -p password
      Where securityIDName is a name to associate with the static username and password identity, and username and password are the identity credentials that you want to use. For more information, see mqsisetdbparms command.

      As an alternative to using the mqsisetdbparms command, you can use the mqsicredentials command to encrypt credentials and store them in the IBM App Connect Enterprise vault. For more information, see mqsicredentials command, mqsivault command, and Authenticating incoming requests by using credentials stored in the vault.

    2. Create a Security Profiles policy that sets the property values that are listed in the following table:
      Property                               Value
      Propagation                            True
      Identifier to propagate                Static ID
      Transport propagation configuration    securityIDName
      Where securityIDName is the name that you associated with the static username and password identity in the mqsisetdbparms command.
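The following Compute node module is an added example, not code from the IBM documentation, that combines two of the methods listed above: it takes the user name from the identity that the input node already extracted, takes the password from the message body, and sets the Mapped Identity fields in the Properties tree so that a downstream HTTPRequest node with a propagation-enabled security profile can send a Username and password token. The Properties tree field names (IdentitySourceToken, IdentityMappedType, IdentityMappedToken, IdentityMappedPassword, IdentityMappedIssuedBy) are the ACE identity fields; the 'usernameAndPassword' type value and the message-body path Body.Credentials.Password are assumptions for this example and must match your own message layout.

```esql
-- Added example (not from the IBM documentation). Sets the Mapped Identity
-- fields of the Properties tree from the propagated source identity and a
-- password carried in the message body. The body path is an assumed layout.
CREATE COMPUTE MODULE SetMappedIdentity
  CREATE FUNCTION Main() RETURNS BOOLEAN
  BEGIN
    -- Copy headers, Properties tree and body from the input message.
    CALL CopyEntireMessage();

    -- User name as extracted by the propagation-enabled input node.
    DECLARE userName CHARACTER InputRoot.Properties.IdentitySourceToken;
    -- Password from the incoming message body (assumed element path).
    DECLARE password CHARACTER InputRoot.XMLNSC.Body.Credentials.Password;

    -- Only build the mapped identity when both parts are present; otherwise
    -- leave the Mapped Identity fields unset so that the output node
    -- propagates the source identity unchanged instead of a half-built token.
    IF userName IS NOT NULL AND password IS NOT NULL THEN
      SET OutputRoot.Properties.IdentityMappedType     = 'usernameAndPassword';
      SET OutputRoot.Properties.IdentityMappedToken    = userName;
      SET OutputRoot.Properties.IdentityMappedPassword = password;
      SET OutputRoot.Properties.IdentityMappedIssuedBy = 'SetMappedIdentity';
    END IF;

    -- Do not forward the clear-text password in the message body to the
    -- remote server; setting a field to NULL removes it.
    SET OutputRoot.XMLNSC.Body.Credentials.Password = NULL;

    RETURN TRUE;
  END;

  CREATE PROCEDURE CopyEntireMessage() BEGIN
    SET OutputRoot = InputRoot;
  END;
END MODULE;
```

Wire this Compute node between the input node and the HTTPRequest node, and leave the Compute mode at its default so the Properties tree is propagated. The HTTPRequest node itself still needs a security profile with propagation enabled, set as described in the procedure above; the ESQL only supplies the identity that the node sends.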