Authentication overview
AS4 Microservice provides several mechanisms to secure messages, including authentication.
Authentication uses a security token to validate a client and to determine whether that client's access is valid in a particular context. A client can be a user, computer, or application. Without authentication, an attacker can use spoofing techniques to send a modified SOAP message to the service provider.
To provide authentication, you insert a security token in the request message. Depending on the type of security token that you use, a security token can also be inserted in the response message. The following types of security tokens are supported for authentication.
- User name tokens (either a user name token or an X.509 binary security token, or both)
  Security tokens are used, in accordance with the WS-Security specification, to digitally sign and encrypt messages and to provide data confidentiality and data origin authentication. For more information, see ../com.ibm.help.meg.welcome.doc/meg_as4_usertokenauthenticationoverview.html.
- X.509 certificates
  A digital certificate is a set of electronic data that uniquely identifies an organization. The certificate contains a public key for the organization and is digitally signed by a trusted party to bind the public key to the organization. Other information in the certificate specifies how the key is used and the time period for which it is valid.
- Secure Support Portal (SSP)
  A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications. In AS4 Microservice, SSP allows the use of an alternate user authentication method such as Sterling External Authentication Service (SEAS), or controls access directly using Lightweight Directory Access Protocol (LDAP), Active Directory (AD), or a custom authentication method. When a trading partner connects to SSP using a user name and password, SSP connects to SEAS. That authentication mechanism then interacts with IBM ID or any LDAP-supported authentication mechanism. If the user is authenticated by SEAS, SEAS returns a token that is sent along with the HTTP request to AS4 Microservice. AS4 Microservice interacts with its identity component to determine whether the caller is an external user; in that case, the AS4 Microservice identity component connects to SEAS to validate the token. Once the token is validated, the flow is processed normally.
User name tokens are used to validate user names and passwords. When a web service server receives a user name token, the user name and password are extracted and passed to a user registry for verification. If the user name and password combination is valid, the result is returned to the server, and the message is accepted and processed. When used for authentication, user name tokens are typically passed only in the request message, not in the response message. In AS4 Microservice, security tokens are configured in the Conformance Policy.
All types of user tokens must be protected. For this reason, if you send a user token over an untrusted network, use the HTTPS protocol for transport.
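The following added example, which is not part of the AS4 Microservice documentation or product code, shows what the server-side step described above looks like in practice: a WS-Security UsernameToken is parsed from the SOAP header, the user name and password are extracted, and they are checked against a user registry. It goes slightly beyond the text by handling both password forms defined in the WS-Security UsernameToken Profile 1.0 (PasswordText and PasswordDigest), and by enforcing the two checks a receiver needs for digest tokens: a fresh Created timestamp and a nonce that has not been seen before, so that a captured token cannot be replayed. The registry, user name, password, nonce and timestamps are constructed sample values; a real deployment would query LDAP, AD or SEAS instead of the in-memory dictionary.

```python
"""Added example (not from the AS4 Microservice documentation): parse a
WS-Security UsernameToken from a SOAP header and verify it against a
user registry, covering both PasswordText and PasswordDigest tokens."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT, PW_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed sample registry; a real deployment queries LDAP, AD or SEAS here.
REGISTRY = {"partnerA": "s3cret"}


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)),
    where nonce is the raw (Base64-decoded) nonce bytes."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def parse_created(value):
    """Parse a wsu:Created timestamp (UTC, e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_envelope(username, password, digest=False, nonce=b"", created=""):
    """Build a constructed sample SOAP request carrying a UsernameToken (demo helper)."""
    if digest:
        pw_value, pw_type = password_digest(nonce, created, password), PW_DIGEST
    else:
        pw_value, pw_type = password, PW_TEXT
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>
<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>
<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>
</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""


def parse_username_token(soap_xml):
    """Extract the UsernameToken fields from the wsse:Security header."""
    root = ET.fromstring(soap_xml)
    tok = root.find(".//wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        raise ValueError("no wsse:UsernameToken in header")
    username = tok.findtext("wsse:Username", default="", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    if pw is None or not username:
        raise ValueError("UsernameToken missing Username or Password")
    return {
        "username": username,
        "password": pw.text or "",
        "type": pw.get("Type", PW_TEXT),
        "nonce": tok.findtext("wsse:Nonce", default="", namespaces=NS),
        "created": tok.findtext("wsu:Created", default="", namespaces=NS),
    }


def verify_username_token(token, registry=REGISTRY, now=None, seen_nonces=None,
                          max_skew=timedelta(minutes=5)):
    """Return True only if the token authenticates against the registry.

    PasswordText is compared in constant time. PasswordDigest is recomputed from
    the registry password and additionally bound to a Created timestamp within
    max_skew of the server clock and a nonce not already in seen_nonces, so a
    captured token cannot simply be replayed."""
    # Unknown users are checked against a dummy secret so timing does not reveal
    # which user names exist; the final membership test still rejects them.
    known = token["username"] in registry
    secret = registry.get(token["username"], "\0" * 16)
    if token["type"] == PW_TEXT:
        return hmac.compare_digest(token["password"].encode(), secret.encode()) and known
    if token["type"] != PW_DIGEST:
        return False
    try:
        created = parse_created(token["created"])
        nonce = base64.b64decode(token["nonce"], validate=True)
    except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
        return False
    now = now or datetime.now(timezone.utc)
    if not nonce or abs(now - created) > max_skew:
        return False
    if seen_nonces is not None and nonce in seen_nonces:
        return False
    expected = password_digest(nonce, token["created"], secret)
    ok = hmac.compare_digest(token["password"].encode(), expected.encode()) and known
    if ok and seen_nonces is not None:
        seen_nonces.add(nonce)
    return ok


if __name__ == "__main__":
    created = "2024-01-01T12:00:00Z"
    env = build_envelope("partnerA", "s3cret", digest=True, nonce=b"0123456789abcdef", created=created)
    tok = parse_username_token(env)
    print("accepted:", verify_username_token(tok, now=parse_created(created), seen_nonces=set()))
```

A PasswordText token carries the password itself, so, as the text above says, it only makes sense over HTTPS; a PasswordDigest token keeps the password off the wire but is still only as safe as the registry behind it and the freshness and nonce checks that the receiver enforces. The nonce set here is in-memory; a clustered receiver needs a shared store that is pruned once entries are older than the accepted clock skew.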