Configuring provider mode web services for identity propagation
Identity propagation with a web service request relies on trust-based configurations; for example, using a client-certified SSL connection from WebSphere® DataPower®. In this task, you configure a PIPELINE resource to expect an ICRX identity token in the WS-Security header, sent from a trusted client.
Before you begin
You must configure your RACF RACMAP settings before you configure your web service connections; otherwise you receive the RACF ICH408I message for every unmapped request that is sent to RACF. For more information about configuring the RACF RACMAP command, see Configuring RACF for identity propagation.
You must configure a trust relationship between the WebSphere DataPower appliance and CICS, for example, using SSL client certification between WebSphere DataPower and CICS. The digital certificate that WebSphere DataPower uses to identify itself must be associated with a user ID, and that user ID must be granted surrogate authority to assert identities. For more information about surrogate authority, see Surrogate user security.
About this task
This task explains how to use CICS with a WebSphere DataPower appliance to provide a web service configuration that can propagate distributed identities in a secure and robust way. The circle in the diagram indicates that this task explains the CICS-specific configuration.
WebSphere DataPower acts as an intermediary between CICS and other applications. Remote web service requester applications connect to the WebSphere DataPower appliance using the SOAP protocol. WebSphere DataPower authenticates the credentials supplied by the remote client and maps the credentials to a z/OS ICRX identity token, which identifies the distributed identity of a user. The SOAP message is then forwarded to CICS over the trusted SSL connection with an ICRX identity token in a WS-Security header. For more information about ICRX identity tokens, see z/OS Security Server RACF Data Areas.
CICS receives the SOAP message from WebSphere DataPower. The PIPELINE configuration file specifies blind trust, because the only possible client is the WebSphere DataPower appliance, and WebSphere DataPower communicates with CICS over a secure SSL connection. Therefore, you do not need to specify additional authentication in the PIPELINE configuration file. The WS-Security handler program locates the first ICRX found in the WS-Security header and uses the ICRX to identify the user.
Procedure
Create a PIPELINE resource, or edit an existing PIPELINE resource to specify the basic-ICRX mode, which allows the PIPELINE to receive an ICRX. The most typical combination is blind trust with the basic-ICRX mode. For more information about the PIPELINE resource element, see The <authentication> element.
Here is an example PIPELINE configuration file, showing blind trust with the basic-ICRX mode:
Here is an example SOAP message with an ICRX identity, using blind trust:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        SOAP-ENV:mustUnderstand="1">
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          wsu:Id="ICRX"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          ValueType="http://www.IBM.com/xmlns/prod/zos/saf#ICRXV1">
        ICRX IS HERE
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    APPLICATION SPECIFIC XML IS HERE
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
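The following Python script is an added example and is not CICS or DataPower code. It performs the selection described above: it takes the first BinarySecurityToken of the ICRX ValueType in the WS-Security header (skipping tokens of other types), decodes it, and, because blind trust is only safe when the client is the trusted appliance, checks the transport peer's certificate subject before honouring the assertion. The SOAP message, the token bytes and the trusted subject CN=datapower.example are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
ICRX_VALUE_TYPE = "http://www.IBM.com/xmlns/prod/zos/saf#ICRXV1"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
# Assumed placeholder for the subject of the certificate DataPower presents on the SSL connection.
TRUSTED_PEERS = frozenset({"CN=datapower.example"})


def extract_icrx(soap_xml: str) -> bytes:
    """Decode the first ICRX BinarySecurityToken in the WS-Security header.
    Other token types are skipped; no usable ICRX raises ValueError so the request is rejected."""
    header = ET.fromstring(soap_xml.encode("utf-8")).find("soap:Header", NS)
    if header is None:
        raise ValueError("SOAP Header missing")
    for security in header.findall("wsse:Security", NS):
        for token in security.findall("wsse:BinarySecurityToken", NS):
            if token.get("ValueType") != ICRX_VALUE_TYPE:
                continue  # e.g. an X.509 token: not an identity assertion for this pipeline
            if token.get("EncodingType") != B64_ENCODING:
                raise ValueError("ICRX must be Base64Binary encoded")
            return base64.b64decode((token.text or "").strip(), validate=True)
    raise ValueError("no ICRX BinarySecurityToken in WS-Security header")


def accept_icrx(peer_subject: str, soap_xml: str) -> bytes:
    """Blind trust relies on the client-certified connection: only honour the asserted
    identity when the peer certificate belongs to the trusted intermediary."""
    if peer_subject not in TRUSTED_PEERS:
        raise PermissionError(f"ICRX asserted by untrusted peer {peer_subject}")
    return extract_icrx(soap_xml)


# Constructed sample message; the token bytes are a placeholder, not a real ICRX.
SAMPLE_SOAP = f"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS['soap']}">
  <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" SOAP-ENV:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="{B64_ENCODING}"
          xmlns:wsu="{NS['wsu']}" wsu:Id="ICRX" ValueType="{ICRX_VALUE_TYPE}">
        {base64.b64encode(b"PLACEHOLDER-ICRX").decode()}
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body><app:Request xmlns:app="urn:example:app"/></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
```

Calling accept_icrx("CN=datapower.example", SAMPLE_SOAP) returns the decoded placeholder bytes, while any other peer subject is refused before the header is even parsed.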
Web service requests from WebSphere DataPower with an ICRX identity token in the WS-Security header, connected over a client-certified SSL connection, can now flow.