Security Profiles policy (SecurityProfiles)
Use a Security Profiles policy to configure a security profile at run time.
A security profile defines the security operations that are completed in a message flow by SecurityPEP nodes and security-enabled input and output nodes. Security profiles are configured by the integration administrator before a message flow is deployed, and are accessed by the security manager at run time. You can use a Security Profiles policy to control, at run time, those security operations.
If you redeploy a Security Profiles policy, all message flows that are using the policy will be stopped and restarted.
Property | Property name in .policyxml file | Value |
---|---|---|
Authentication | authentication | This property specifies the type of authentication that is performed on the source identity. Valid values are: If you are using credentials that are stored in an independent integration server's vault, set this property to Local and specify the configured alias name of the credentials in the Authentication configuration property. If you are using Tivoli Federated Identity Manager (TFIM) V6.1, set this property to TFIM. If you are using TFIM V6.2, set this property to WS-Trust V1.3 STS. Value type: String |
Authentication configuration | authenticationConfig | This property defines the information that the integration server needs to authenticate the identity, and can be one of the following values: Value type: String |
Mapping | mapping | This property specifies the type of mapping that is performed (see Identity mapping). Valid values are: If you are using TFIM V6.1, set this property to TFIM. If you are using TFIM V6.2, set this property to WS-Trust V1.3 STS. Value type: String |
Mapping configuration | mappingConfig | This property specifies how the integration node connects to the provider and looks up the mapping routine. This property is in the form of a provider-specific configuration string. Value type: String |
Authorization | authorization | This property specifies the types of authorization checks that are performed on the mapped or source identity (see Authorization). Valid values are: If you are using TFIM V6.1, set this property to TFIM. If you are using TFIM V6.2, set this property to WS-Trust V1.3 STS. Value type: String |
Authorization configuration | authorizationConfig | This property specifies how the integration node connects to the provider and checks access (for example, checking a group for membership). This property is in the form of a provider-specific configuration string. Value type: String |
Propagation | propagation | This property indicates whether identity propagation is performed on output and request nodes. On security-enabled input nodes, you can choose to select only identity propagation, without specifying any other security operations, to make the extracted incoming identity or security token available for use in the other nodes in the message flow, such as output or request nodes. See Identity and security token propagation. Valid values are: Value type: Boolean |
Identifier to propagate | idToPropagateToTransport | This property enables the use of a specific security identity for propagation. Set the value to Static ID and set the security identity by using the Transport propagation configuration property. This property has a default value of Message ID. Value type: String |
Transport propagation configuration | transportPropagationConfig | This property provides a specific security identity to propagate when Identifier to propagate is set to Static ID. Set the value of this property to the name that you associate with the static user name and password identity when you run the mqsisetdbparms command (see Configuring a message flow for identity propagation). Value type: String |
Keystore | keyStore | This property is reserved for future use. |
Truststore | trustStore | This property is reserved for future use. |
Password value | passwordValue | This property specifies how passwords are treated when they enter a message flow. Valid values are: Value type: String |
Reject blank passwords | rejectBlankpassword | This property specifies whether the security manager internally rejects a user name that has an empty password token, without passing it to the configured security provider for authentication (for example, an LDAP server). Valid values are: Value type: Boolean |
Alternate server list | alternateServers | This property specifies the comma-separated list of LDAP servers to failover when the primary server is not available. The list has the following format: After failover, the newly connected LDAP server becomes the primary server. |
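The dependencies between these properties (Local authentication needs an alias in authenticationConfig, Static ID propagation needs a transportPropagationConfig name, and rejectBlankpassword decides whether empty password tokens ever reach the LDAP server) can be checked before deployment. The following is an added review script, not IBM's code; the `<policies>/<policy>` layout of the sample file is an assumption about the .policyxml format, and the element names are the property names from the table above.

```python
import xml.etree.ElementTree as ET

# Constructed sample .policyxml (layout assumed); weak settings on purpose.
WEAK_POLICYXML = """<policies>
  <policy policyType="SecurityProfiles" policyName="exampleProfile" policyTemplate="SecurityProfiles">
    <authentication>Local</authentication>
    <authenticationConfig></authenticationConfig>
    <propagation>true</propagation>
    <idToPropagateToTransport>Static ID</idToPropagateToTransport>
    <transportPropagationConfig></transportPropagationConfig>
    <rejectBlankpassword>false</rejectBlankpassword>
  </policy>
</policies>"""

# Same profile with each finding resolved (alias and identity names are placeholders).
HARDENED_POLICYXML = """<policies>
  <policy policyType="SecurityProfiles" policyName="exampleProfile" policyTemplate="SecurityProfiles">
    <authentication>Local</authentication>
    <authenticationConfig>VAULT_ALIAS_PLACEHOLDER</authenticationConfig>
    <propagation>true</propagation>
    <idToPropagateToTransport>Static ID</idToPropagateToTransport>
    <transportPropagationConfig>STATIC_IDENTITY_NAME_PLACEHOLDER</transportPropagationConfig>
    <rejectBlankpassword>true</rejectBlankpassword>
  </policy>
</policies>"""


def load_profile(xml_text):
    """Return the SecurityProfiles properties as a {propertyName: value} dict."""
    policy = ET.fromstring(xml_text).find("policy")
    return {child.tag: (child.text or "").strip() for child in policy}


def review_profile(props):
    """Return a list of findings derived from the property rules on this page."""
    findings = []
    if props.get("authentication") == "Local" and not props.get("authenticationConfig"):
        findings.append("authentication is Local but authenticationConfig names no vault alias")
    if props.get("idToPropagateToTransport") == "Static ID" and not props.get("transportPropagationConfig"):
        findings.append("Static ID propagation without a transportPropagationConfig identity name")
    if props.get("propagation", "").lower() not in ("true", "false"):
        findings.append("propagation must be a Boolean value")
    if props.get("rejectBlankpassword", "").lower() != "true":
        findings.append("rejectBlankpassword is not true: empty password tokens are passed to the provider")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICYXML), ("hardened", HARDENED_POLICYXML)):
        print(name, review_profile(load_profile(text)))
```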