Your IBM Integration Bus must be running on the Windows operating system. If IBM Integration Bus is running on a different operating system, an IWA-secured remote service cannot be consumed.
Ensure that you have a security profile specified that is configured for identity propagation. The supplied Default Propagation security profile is sufficient for all authentication types. For more information, see Creating a security profile.
Your message flow must include an HTTPRequest node, or a SOAPRequest node, or both. If your message flow includes an HTTPRequest node, you must set the HTTP version property to 1.1 and select Enable HTTP/1.1 keep-alive on the HTTP Settings tab in the Properties view of the node (the NTLM and Negotiate handshakes span several requests on one TCP connection, so the connection must stay open).
A security identity is required for outbound authentication. By default, the identity credentials of the broker user ID (the serviceUserId parameter that is specified by the mqsicreatebroker command) are sent to the remote service to use for authentication. If you require a specific security identity to be propagated, you must set the appropriate identity credentials in the Properties tree. For more information, see Providing credentials in HTTP requests.
Use the following commands to set up and manage outbound support for the NTLM, Kerberos, SPNEGO, and SPNEGO-2 protocols, which together are referred to as Integrated Windows Authentication (IWA). By default, IWA is not enabled.
To consume a remote service that is secured with IWA, run the following command:
mqsichangeproperties broker_name -e IntegrationServerName -o ComIbmSocketConnectionManager -n allowedAuthTypes -v "PropertyValue"
Where:
- broker_name is the name of the broker you want to modify.
- IntegrationServerName is the name of the integration server on that broker.
- PropertyValue is one of the following values:
- IWA
- Allow the broker to authenticate by using any IWA protocol.
- NTLM
- Allow the broker to authenticate by using the NTLM protocol.
- Negotiate
- Allow the broker to authenticate by using the SPNEGO process to negotiate the use of the NTLM or Kerberos protocols.
- Nego2
- Allow the broker to authenticate by using the SPNEGO-2 process to negotiate the use of the NTLM or Kerberos protocols.
- Basic
- Allow authentication with Basic Authentication.
- All
- Allow authentication with any supported protocol from this list.
- None
- Do not authenticate.
Multiple values can be given, separated by a semicolon or a space, and the values are not case-sensitive. From the IWA protocols that the server supports, IBM Integration Bus selects one in the following order of preference: Nego2, Negotiate, NTLM.
When any security protocol other than Basic Authentication is enabled, the HTTPRequest and SOAPRequest nodes do not pre-emptively authenticate to the service. Instead, the nodes send the request without credentials and wait for a 401 response from the server indicating which authentication mechanisms the server supports. The nodes then use the most appropriate protocol, chosen in the order listed above from the protocols that are both permitted by allowedAuthTypes and supported by the server. Once connected, that protocol is used to authenticate pre-emptively until the flow is stopped or the allowedAuthTypes property is changed. To configure one of the protocols to be used pre-emptively from the first request, run the following command:
mqsichangeproperties broker_name -e IntegrationServerName -o ComIbmSocketConnectionManager -n preemptiveAuthType -v "PropertyValue"
Where:
- broker_name is the name of the broker you want to modify.
- IntegrationServerName is the name of the integration server on that broker.
- PropertyValue is one of the following values:
- Basic
- Pre-emptively authenticate by using Basic Authentication.
- NTLM
- Pre-emptively authenticate by using the NTLM protocol.
- Negotiate
- Pre-emptively authenticate by using the SPNEGO process to negotiate the use of the NTLM or Kerberos protocols.
- Nego2
- Pre-emptively authenticate by using the SPNEGO-2 process to negotiate the use of the NTLM or Kerberos protocols.
For more advanced scenarios, the following optional configuration properties can also be used with the
ComIbmSocketConnectionManager object:
- allowNtlmNegotiation='TRUE'
- Set to 'FALSE' to prevent NTLM from being negotiated with the SPNEGO and SPNEGO-2 protocols. The default value is 'TRUE'.
- negotiateMutualAuth='FALSE'
- Set to 'TRUE' if you require mutual authentication when the Kerberos protocol is negotiated. The default value is 'FALSE'.
Note: When IBM Integration Bus is authenticating by using Kerberos, the broker automatically generates a service principal name (SPN) for the service based on the host name in the request URL. For example, if the URL for the service is http://iib.iibservice/testservice/service1.svc, the SPN is assumed to be HTTP/iib.iibservice. If the service is registered under a different SPN (for example, one that includes a port), use the following local environment overrides to provide an explicit SPN for the service:
- HTTP
- SET OutputLocalEnvironment.Destination.HTTP.ServicePrincipalName = 'HTTP/iib.iibservice2.com:7800';
- SOAP
- SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ServicePrincipalName = 'HTTP/iib.iibservice2.com:7800';
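The following is an added example, not IBM code, that models the outbound decisions described in the allowedAuthTypes and preemptiveAuthType sections above and in this SPN note, so that they can be reasoned about offline: expanding an allowedAuthTypes value (semicolon or space separated, case-insensitive, with IWA and All as group names), choosing a protocol from a 401 challenge in the documented order Nego2, Negotiate, NTLM, reusing the learned protocol pre-emptively afterwards, and deriving the default SPN from the request URL with the local environment override applied when present. It assumes that the server advertises the page's protocol names as HTTP auth-scheme tokens in WWW-Authenticate (the page does not say what token a SPNEGO-2 server sends), that Basic ranks below the IWA protocols, and that the generated SPN carries no port; the header values and URLs are constructed samples.

```python
"""Model of IBM Integration Bus outbound IWA selection (added example, not IBM code)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Precedence the page gives for choosing among the IWA protocols a server offers.
IWA_PROTOCOLS = ("Nego2", "Negotiate", "NTLM")
# Assumption: Basic is tried only when no permitted IWA protocol is offered.
ALL_PROTOCOLS = IWA_PROTOCOLS + ("Basic",)
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def parse_allowed_auth_types(value: str) -> set[str]:
    """Expand an allowedAuthTypes value into the concrete protocols it permits."""
    allowed: set[str] = set()
    for token in re.split(r"[;\s]+", value.strip()):
        if not token:
            continue
        name = token.lower()
        if name == "iwa":
            allowed.update(IWA_PROTOCOLS)
        elif name == "all":
            allowed.update(ALL_PROTOCOLS)
        elif name == "none":
            pass  # contributes nothing; "None" on its own means do not authenticate
        elif name in _CANONICAL:
            allowed.add(_CANONICAL[name])
        else:
            raise ValueError(f"unknown allowedAuthTypes value: {token!r}")
    return allowed


# Assumption: scheme tokens in WWW-Authenticate match the page's protocol names.
_SCHEME_RE = re.compile(r"(?:^|,)\s*(Nego2|Negotiate|NTLM|Basic)\b", re.IGNORECASE)


def parse_challenge(www_authenticate: list[str]) -> set[str]:
    """Return the protocols offered by one or more WWW-Authenticate header values."""
    offered: set[str] = set()
    for header in www_authenticate:
        for match in _SCHEME_RE.findall(header):
            offered.add(_CANONICAL[match.lower()])
    return offered


class OutboundAuth:
    """Per-flow decision state for an HTTPRequest or SOAPRequest node."""

    def __init__(self, allowed_auth_types: str, preemptive_auth_type: str | None = None):
        self.allowed = parse_allowed_auth_types(allowed_auth_types)
        self.preemptive: str | None = None
        if preemptive_auth_type:
            self.preemptive = _CANONICAL.get(preemptive_auth_type.lower())
            if self.preemptive is None:
                raise ValueError(f"unknown preemptiveAuthType: {preemptive_auth_type!r}")
        self.learned: str | None = None  # protocol chosen after a 401, reused pre-emptively

    def scheme_for_request(self) -> str | None:
        """Scheme sent with the next request; None means send no credentials and await a 401."""
        if self.learned:
            return self.learned
        if self.preemptive:
            return self.preemptive
        if self.allowed == {"Basic"}:
            return "Basic"  # only Basic is enabled, so credentials go pre-emptively
        return None

    def scheme_after_401(self, www_authenticate: list[str]) -> str | None:
        """Pick the best protocol both sides allow; None means the request cannot authenticate."""
        offered = parse_challenge(www_authenticate)
        for proto in ALL_PROTOCOLS:  # ordered: Nego2, Negotiate, NTLM, then Basic
            if proto in self.allowed and proto in offered:
                self.learned = proto
                return proto
        return None


def default_spn(url: str) -> str:
    """SPN the broker assumes for Kerberos: 'HTTP/' plus the URL's host name.
    Assumption: no port is included (the page's example shows none), which is
    why a service registered with a port needs the explicit override."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return f"HTTP/{host}"


def effective_spn(url: str, override: str | None = None) -> str:
    """SPN actually used: the ServicePrincipalName override when set, else the default."""
    if override:
        # Loose shape check: service class, '/', host, optional ':port'.
        if not re.fullmatch(r"[A-Za-z]+/[^/\s:]+(:\d+)?", override):
            raise ValueError(f"malformed SPN override: {override!r}")
        return override
    return default_spn(url)


if __name__ == "__main__":
    node = OutboundAuth("IWA")
    print("first request scheme:", node.scheme_for_request())
    print("after 401:", node.scheme_after_401(["NTLM", "Negotiate"]))
    print("next request scheme:", node.scheme_for_request())
    print("default SPN:", default_spn("http://iib.iibservice/testservice/service1.svc"))
```

With allowedAuthTypes set to IWA and a server that offers both NTLM and Negotiate, the model picks Negotiate and then keeps sending it pre-emptively; with NTLM alone permitted and a server that offers only Negotiate, it reports that no protocol matches, which is the case to check first when a request unexpectedly fails with 401.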
To check the current outbound authentication setting, run the following command:
mqsireportproperties broker_name -e IntegrationServerName -o ComIbmSocketConnectionManager -r
The following output is displayed within the connector properties:
- allowedAuthTypes='PropertyValue'
Where PropertyValue is NTLM, Negotiate, Nego2, None, or Basic. If multiple values are set, they are separated by a semicolon.