Security Profiles policy (SecurityProfiles)

Use a Security Profiles policy to configure a security profile at run time.

A security profile defines the security operations that are completed in a message flow by SecurityPEP nodes and security-enabled input and output nodes. Security profiles are configured by the integration administrator before a message flow is deployed, and are accessed by the security manager at run time. You can use a Security Profiles policy to control, at run time, those security operations.

If you redeploy a Security Profiles policy, all message flows that are using the policy will be stopped and restarted.

The properties of this policy are described in the following table. Each entry gives the property, followed in parentheses by its name in the .policyxml file, and then its value.
Table 1. Properties of the Security Profiles policy
Authentication (authentication)
This property specifies the type of authentication that is performed on the source identity. Valid values are:
  • None (the default)
  • Local (independent integration servers only)
  • LDAP
  • TFIM
  • WS-Trust V1.3 STS
  • A user-defined value

If you are using credentials that are stored in an independent integration server's vault, set this property to Local and specify the configured alias name of the credentials in the Authentication configuration property.

If you are using Tivoli Federated Identity Manager (TFIM) V6.1, set this property to TFIM. If you are using TFIM V6.2, set this property to WS-Trust V1.3 STS.

Value type: String

Authentication configuration (authenticationConfig)
This property defines the information that the integration server needs to authenticate the identity. It can be one of the following values:
  • The configured alias name of the credentials stored in an independent integration server's vault. These credentials are used for basic authentication when the Authentication type is Local. For more information, see Authenticating incoming requests by using credentials stored in the vault.
  • The information that the integration server needs to connect to the external security provider and look up identity tokens. This property is in the form of a provider-specific configuration string.

Value type: String

Mapping (mapping)
This property specifies the type of mapping that is performed (see Identity mapping). Valid values are:
  • None (the default)
  • TFIM
  • WS-Trust V1.3 STS
  • A user-defined value

If you are using TFIM V6.1, set this property to TFIM. If you are using TFIM V6.2, set this property to WS-Trust V1.3 STS.

Value type: String

Mapping configuration (mappingConfig)
This property specifies how the integration node connects to the provider and looks up the mapping routine. This property is in the form of a provider-specific configuration string.

Value type: String

Authorization (authorization)
This property specifies the types of authorization checks that are performed on the mapped or source identity (see Authorization). Valid values are:
  • None (the default)
  • LDAP
  • TFIM
  • WS-Trust V1.3 STS
  • A user-defined value

If you are using TFIM V6.1, set this property to TFIM. If you are using TFIM V6.2, set this property to WS-Trust V1.3 STS.

Value type: String

Authorization configuration (authorizationConfig)
This property specifies how the integration node connects to the provider and checks access (for example, checking a group for membership). This property is in the form of a provider-specific configuration string.

Value type: String

Propagation (propagation)
This property indicates whether identity propagation is performed on output and request nodes. On security-enabled input nodes, you can select identity propagation alone, without specifying any other security operations, to make the extracted incoming identity or security token available to the other nodes in the message flow, such as output or request nodes. See Identity and security token propagation. Valid values are:
  • True
  • False (the default)

Value type: Boolean

Identifier to propagate (idToPropagateToTransport)
This property enables the use of a specific security identity for propagation. The default value is Message ID. Set the value to Static ID and specify the security identity by using the Transport propagation configuration property.

Value type: String

Transport propagation configuration (transportPropagationConfig)
This property provides a specific security identity to propagate when Identifier to propagate is set to Static ID. Set the value of this property to the name that you associate with the static user name and password identity when you run the mqsisetdbparms command (see Configuring a message flow for identity propagation).

Value type: String

Keystore (keyStore)
This property is reserved for future use.

Truststore (trustStore)
This property is reserved for future use.

Password value (passwordValue)
This property specifies how passwords are treated when they enter a message flow. Valid values are:
  • Default
  • Plain (the default): the password appears in the Properties folder in plain text.
  • Obfuscate: the password appears in the Properties folder in base64 encoding.
  • Mask: the password appears in the Properties folder as four asterisks (****).

Value type: String

Reject blank passwords (rejectBlankpassword)
This property specifies whether the security manager internally rejects a user name that has an empty password token, without passing it to the configured security provider for authentication (for example, an LDAP server). Valid values are:
  • True
  • False (the default)

Value type: Boolean

Alternate server list (alternateServers)
This property specifies the comma-separated list of LDAP servers to fail over to when the primary server is not available. The list has the following format:
ldap[s]://host1:[port1], ldap[s]://host2:[port2], ldap[s]://host3:[port3]
After failover, the newly connected LDAP server becomes the primary server.

Value type: String
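As an added example that is not part of the IBM documentation, the following Python script reads a SecurityProfiles .policyxml and flags the weak or inconsistent settings that the table above makes possible: a plain-text password value, blank passwords forwarded to an external provider, a Static ID with no identity name, and a malformed failover list. The element-per-property layout of the policy file, the host names and the identity name are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumption for this example: the .policyxml holds one child element per
# property name under <policy policyType="SecurityProfiles">.
LDAP_URL = re.compile(r"^ldaps?://[^\s:/,]+(:\d+)?$")   # ldap[s]://host[:port]
EXTERNAL_AUTH = {"LDAP", "TFIM", "WS-Trust V1.3 STS"}

# Constructed sample with several deliberately weak or inconsistent settings.
SAMPLE_POLICYXML = """<?xml version="1.0" encoding="UTF-8"?>
<policies>
  <policy policyType="SecurityProfiles" policyName="lintme" policyTemplate="SecurityProfiles">
    <authentication>LDAP</authentication>
    <authenticationConfig>ldap://ldap.example.test:389/ou=users,o=example</authenticationConfig>
    <passwordValue>Plain</passwordValue>
    <rejectBlankpassword>false</rejectBlankpassword>
    <propagation>true</propagation>
    <idToPropagateToTransport>Static ID</idToPropagateToTransport>
    <transportPropagationConfig></transportPropagationConfig>
    <alternateServers>ldaps://ldap2.example.test:636, ldap3.example.test</alternateServers>
  </policy>
</policies>
"""

def lint_security_profile(xml_text):
    """Return (property, finding) pairs for risky or inconsistent settings."""
    root = ET.fromstring(xml_text)
    policy = root.find(".//policy[@policyType='SecurityProfiles']")
    if policy is None:
        return [("policy", "no SecurityProfiles policy element found")]
    props = {child.tag: (child.text or "").strip() for child in policy}
    findings = []
    # Plain is the documented default, so a missing element counts as Plain.
    if props.get("passwordValue", "Plain") == "Plain":
        findings.append(("passwordValue", "password stays in the Properties folder in plain text; use Mask"))
    # Without the internal check, an empty password token is sent to the provider.
    if props.get("authentication", "None") in EXTERNAL_AUTH and props.get("rejectBlankpassword", "false").lower() != "true":
        findings.append(("rejectBlankpassword", "empty passwords are forwarded to the external provider; set to true"))
    # Static ID needs the mqsisetdbparms identity name to propagate anything.
    if props.get("idToPropagateToTransport", "Message ID") == "Static ID" and not props.get("transportPropagationConfig"):
        findings.append(("transportPropagationConfig", "Static ID selected but no identity name is configured"))
    for server in filter(None, (s.strip() for s in props.get("alternateServers", "").split(","))):
        if not LDAP_URL.match(server):
            findings.append(("alternateServers", f"'{server}' is not in ldap[s]://host[:port] form"))
    return findings

if __name__ == "__main__":
    for prop, msg in lint_security_profile(SAMPLE_POLICYXML):
        print(f"{prop}: {msg}")
```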