Message flow security and security profiles

IBM® Integration Bus provides a security manager for implementing message flow security, so that end-to-end processing of a message through a message flow is secured based on an identity carried in that message instance.

For details of the supported external providers and the operation of the message flow security manager, see Message flow security overview. For information about the token types that are supported by the SOAP nodes and by external security providers, see Identity.

When the message flow is a web service implemented by using SOAP nodes and the identity is to be taken from the WS-Security SOAP headers, the SOAP nodes are the Policy Enforcement Point (PEP) and the external provider defined by the Security profiles is the Policy Decision Point (PDP).

The following configuration is required to implement message flow security based on an identity carried in WS-Security tokens.
  • Policy sets define the type of tokens used for the identity.
    • To work with a Username and Password identity, configure the policy and binding for Username token Authentication.
    • To work with an X.509 certificate identity, configure the policy and binding for X.509 certificate token Authentication.
      • In the Policy Set Binding, set the X.509 certificate Authentication Token certificates mode to Trust Any. You set it this way (and not to Trust Store) so that the certificate is passed to the security provider defined by the Security Profile. Setting it to Trust Store causes the certificate to be validated in the local Integration node Trust Store instead. For more details, see Policy Sets and Policy Set Bindings editor: Authentication and Protection Tokens panel.
    • To work with a SAML assertion token, configure the policy and binding for SAML token Authentication.
  • The message flow security operation and external provider are defined by the Security profiles.
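
The following Python script is an added example, not IBM code, that illustrates the PEP/PDP split described above: the extraction step pulls the identity token (Username token, X.509 BinarySecurityToken or SAML assertion) out of the wsse:Security header, and a hypothetical local verifier stands in for the external provider. The SOAP envelopes are constructed samples, the certificate bytes are not a real certificate, and the "Trust Any" behaviour is modelled by passing the DER bytes on without local validation. The namespace URIs and token type identifiers are the standard OASIS WS-Security values.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for untrusted SOAP input, prefer defusedxml's ElementTree

# Standard OASIS WS-Security namespaces and identifiers.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soapenv": SOAPENV, "wsse": WSSE, "wsu": WSU, "saml2": SAML2}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def make_password_digest(nonce_b64, created, password):
    """UsernameToken profile digest: Base64(SHA-1(nonce bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def extract_identity(envelope_xml):
    """PEP step: return a dict describing the identity token in wsse:Security, or None."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return None
    ut = security.find("wsse:UsernameToken", NS)
    if ut is not None:
        password = ut.find("wsse:Password", NS)
        return {
            "type": "usernameToken",
            "username": ut.findtext("wsse:Username", namespaces=NS),
            "password": password.text if password is not None else None,
            "passwordType": password.get("Type", PASSWORD_TEXT) if password is not None else None,
            "nonce": ut.findtext("wsse:Nonce", namespaces=NS),
            "created": ut.findtext("wsu:Created", namespaces=NS),
        }
    bst = security.find("wsse:BinarySecurityToken", NS)
    if bst is not None and bst.get("ValueType") == X509V3:
        # "Trust Any": hand the DER certificate to the PDP without checking the local truststore.
        return {"type": "x509", "certificateDer": base64.b64decode(bst.text.strip())}
    assertion = security.find("saml2:Assertion", NS)
    if assertion is not None:
        return {
            "type": "saml",
            "issuer": assertion.findtext("saml2:Issuer", namespaces=NS),
            "subject": assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
        }
    return None


def verify_username_token(identity, expected_password):
    """Hypothetical local PDP for a Username token (stand-in for the external provider)."""
    if identity.get("type") != "usernameToken" or identity["password"] is None:
        return False
    if identity["passwordType"] == PASSWORD_DIGEST:
        expected = make_password_digest(identity["nonce"], identity["created"], expected_password)
    else:
        expected = expected_password
    return hmac.compare_digest(identity["password"].encode("utf-8"), expected.encode("utf-8"))


# Constructed sample messages (not captured traffic).
NONCE = base64.b64encode(b"constructed-nonce").decode("ascii")
CREATED = "2024-01-01T00:00:00Z"
SAMPLE_PASSWORD = "s3cret"
SAMPLE_DIGEST = make_password_digest(NONCE, CREATED, SAMPLE_PASSWORD)
SAMPLE_USERNAME_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{SAMPLE_DIGEST}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{NONCE}</wsse:Nonce>
        <wsu:Created>{CREATED}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

SAMPLE_CERT_DER = b"constructed-not-a-real-certificate"  # placeholder bytes, not a certificate
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode("ascii")
SAMPLE_X509_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}"
          EncodingType="{BASE64_BINARY}">{SAMPLE_CERT_B64}</wsse:BinarySecurityToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""
```

In the real product the verification step is the external provider named in the security profile; the local verifier here only shows what the PEP must hand over (username, digest, nonce and created timestamp, or the raw certificate) for the PDP to make its decision.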

As an alternative to message flow security and an external PDP, the integration node's truststore can be used as a local PDP for X.509 certificate authentication. For WS-Security signing and encryption using only the local integration node capability, you must configure the integration node's truststore. For details, see Viewing and setting keystore and truststore runtime properties at integration node level, or Viewing and setting keystore and truststore runtime properties at integration server level.

Kerberos-based WS-Security is supported in the SOAP nodes. When you use Kerberos for security, the SOAP node's WS-Security processing links directly with the host's Kerberos infrastructure. The integration node host must be configured for Kerberos, providing a krb.conf file to define the Kerberos Key Distribution Center (KDC) and default realm. A Kerberos keytab file must also be configured. For more information about configuring Kerberos, see your host's Kerberos documentation.
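
The following Python preflight check is an added example, not IBM code, for the host prerequisites just listed: it parses a Kerberos configuration file to confirm that a default realm is set and that a KDC is defined for it, and checks that the keytab exists, is readable, and starts with the keytab magic bytes. It assumes the MIT krb5.conf syntax (the page refers to the file as krb.conf; on Linux hosts it is usually /etc/krb5.conf); the configuration text, realm and host names are constructed samples.

```python
import os
from pathlib import Path

# Constructed sample in MIT krb5.conf syntax: default realm plus a [realms] block naming its KDCs.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Same file with the realm block missing: the host would have no KDC to contact.
SAMPLE_KRB5_CONF_NO_REALM = """\
[libdefaults]
    default_realm = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal parser: section -> key -> list of values; `key = { ... }` becomes a nested dict."""
    sections, container, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            container = sections.setdefault(line[1:-1], {})
            stack = []
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in krb5.conf")
            container = stack.pop()
        else:
            if container is None:
                raise ValueError(f"key outside any section: {line}")
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(container)
                container = container.setdefault(key, {})
            else:
                container.setdefault(key, []).append(value)
    return sections


def check_krb5_conf(text):
    """Return a list of problems; an empty list means the default realm and its KDC are defined."""
    conf = parse_krb5_conf(text)
    realm_values = conf.get("libdefaults", {}).get("default_realm")
    if not realm_values:
        return ["[libdefaults] has no default_realm"]
    realm = realm_values[0]
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        return [f"[realms] has no block for {realm}"]
    if not realm_block.get("kdc"):
        return [f"realm {realm} defines no kdc"]
    return []


def check_keytab(path):
    """The keytab must exist, be readable by the user running the integration node, and start
    with the keytab magic (0x05 followed by the format version byte 0x01 or 0x02)."""
    p = Path(path)
    if not p.is_file():
        return [f"keytab {path} not found"]
    if not os.access(p, os.R_OK):
        return [f"keytab {path} is not readable"]
    with p.open("rb") as f:
        magic = f.read(2)
    if len(magic) != 2 or magic[0] != 0x05 or magic[1] not in (0x01, 0x02):
        return [f"keytab {path} does not look like a Kerberos keytab"]
    return []


if __name__ == "__main__":
    # Hypothetical default paths for a Linux host; adjust to the host's actual files.
    conf_path, keytab_path = Path("/etc/krb5.conf"), "/etc/krb5.keytab"
    problems = check_krb5_conf(conf_path.read_text()) if conf_path.is_file() else [f"{conf_path} not found"]
    problems += check_keytab(keytab_path)
    print("OK" if not problems else "\n".join(problems))
```

The check only confirms that the files are present and well formed; it does not contact the KDC, so a realm whose KDC is unreachable will still pass and must be tested with the host's Kerberos tools.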

To work with Kerberos WS-Security in SOAP nodes, create a policy set and bindings specifying Kerberos symmetric encryption tokens on the Message Level Protection panel; see Policy Sets and Policy Set Bindings editor: Message Level Protection panel. Also configure the required settings on the Kerberos settings panel, as described in Policy Sets and Policy Set Bindings editor: Kerberos settings panel, and then associate this policy set and bindings with the SOAP node. You can also associate SOAP nodes with a security profile that sets only propagation, so that Kerberos can be used to:
  • Extract the service principal as a Username token from SOAP input nodes.
  • Propagate the Kerberos Key Distribution Center (KDC) credentials as a Username and password to SOAP request nodes.