Providing credentials for outbound requests by using IWA
Set up IBM® App Connect Enterprise to consume a remote service that is secured with Integrated Windows Authentication (IWA). Only IBM App Connect Enterprise running on Windows can consume an IWA-secured service.
Before you begin
Your IBM App Connect Enterprise must be running on the Windows operating system. If it is running on a different operating system, an IWA-secured remote service cannot be consumed.
- HTTPRequest
- SOAPRequest
- RESTRequest
A security identity is required for outbound authentication. By default, the identity credentials of the integration node user ID (the serviceUserId parameter that is specified by the mqsicreatebroker command) are sent to the remote service to use for authentication. If you require a specific security identity to be propagated, you must set the appropriate identity credentials in the Properties tree. For more information, see Providing credentials in HTTP requests.
About this task
To consume a remote service that is secured with IWA, stop the integration node and run the following command:
mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager -n allowedAuthTypes -v "PropertyValue" -f
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- PropertyValue is one of the following values:
IBM App Connect Enterprise selects one value from the list of IWA protocols supported by the server, in the following order: Nego2, Negotiate, NTLM. Multiple values can be given, separated by a semicolon or a space, and these values are not case-sensitive.
mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager -n preemptiveAuthType -v "PropertyValue" -f
Where:
- integrationNodeName is the name of the integration node you want to modify.
- integrationServerName is the name of the integration server on that integration node.
- PropertyValue is one of the following values:
HTTP/iib.iibservice. If the service exists at a different SPN, use the following local environment overrides to provide an explicit SPN for the service:
To check the current outbound authentication setting, start the integration node and run the following command:
mqsireportproperties integrationNodeName -e integrationServerName -o ComIbmSocketConnectionManager -r
The following output is displayed within the connector properties:
- allowedAuthTypes='PropertyValue'
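The reported value can be checked against a site policy before the integration server is put into service. The following Python sketch is an added example, not IBM code: it parses the allowedAuthTypes line, applies the separator and case rules stated above, and models the stated selection order (Nego2, Negotiate, NTLM). Treating IWA as shorthand for all three protocols is an assumption, and the sample report text and the policy are constructed.

```python
import re

# Selection order stated on the page for IWA protocols.
IWA_ORDER = ["nego2", "negotiate", "ntlm"]


def parse_allowed_auth_types(report_text):
    """Return the lower-cased allowedAuthTypes tokens found in report output."""
    match = re.search(r"allowedAuthTypes\s*=\s*'([^']*)'", report_text)
    if match is None:
        raise ValueError("allowedAuthTypes not found in report output")
    # Values are separated by a semicolon or a space and are not case-sensitive.
    return [t.lower() for t in re.split(r"[;\s]+", match.group(1)) if t]


def effective_protocols(tokens):
    """Expand tokens into the IWA protocols they permit, in selection order."""
    # Assumption: "IWA" permits all three protocols named on the page.
    permitted = set(IWA_ORDER) if "iwa" in tokens else set(tokens)
    # Tokens that are not IWA protocols (for example "none") permit nothing.
    return [p for p in IWA_ORDER if p in permitted]


def select_protocol(tokens, server_offers):
    """Pick the first permitted protocol that the server also offers."""
    offered = {s.lower() for s in server_offers}
    for proto in effective_protocols(tokens):
        if proto in offered:
            return proto
    return None


def audit(report_text, policy):
    """Return protocols that are enabled but absent from the site policy."""
    allowed = {p.lower() for p in policy}
    enabled = effective_protocols(parse_allowed_auth_types(report_text))
    return [p for p in enabled if p not in allowed]


# Constructed sample; only the allowedAuthTypes='...' line follows the
# form shown on the page.
SAMPLE_REPORT = """ComIbmSocketConnectionManager
  allowedAuthTypes='NTLM;Negotiate'
"""

if __name__ == "__main__":
    tokens = parse_allowed_auth_types(SAMPLE_REPORT)
    print("configured:", tokens)
    print("selected:", select_protocol(tokens, ["NTLM", "Negotiate"]))
    # Hypothetical site policy: Nego2 and Negotiate only.
    print("outside policy:", audit(SAMPLE_REPORT, ["Negotiate", "Nego2"]))
```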
Examples
mqsichangeproperties INODE -e default -o ComIbmSocketConnectionManager -n allowedAuthTypes -v "IWA" -f
mqsichangeproperties INODE -e default -o ComIbmSocketConnectionManager -n allowedAuthTypes -v "NTLM;Negotiate" -f
mqsichangeproperties INODE -e default -o ComIbmSocketConnectionManager -n allowedAuthTypes -v "None" -f