A fix is available
APAR status
Closed as program error.
Error description
This APAR adds inbound and outbound support for Integrated Windows Authentication (IWA) to the SOAP Input and Request and HTTP Input and Request nodes when running a broker. NTLM, SPNEGO and Kerberos are supported.

For inbound support this APAR adds a new property "integratedWindowsAuthentication" to the HTTPConnector and HTTPSConnector objects. This property can take the following values:

  NTLM - Specify the use of NTLM
  Negotiate - Specify the use of SPNEGO to negotiate either Kerberos or NTLM
  Negotiate:Kerberos - Specify the use of Kerberos only, without falling back to NTLM

You may also specify a semi-colon delimited list of acceptable protocols. For example, to allow NTLM or Negotiate on a non-SSL connection you can set:

  mqsichangeproperties IB9Node -e default -o HTTPConnector -n integratedWindowsAuthentication -v "NTLM;Negotiate"

For outbound support a new property "allowedAuthTypes" is added to the ComIbmSocketConnectionManager object. This property can take the following values:

  IWA - Allow the broker to authenticate using any IWA protocol
  NTLM - Allow the broker to authenticate using NTLM
  Negotiate - Allow the broker to authenticate using SPNEGO (NTLM or Kerberos)
  Nego2 - Allow the broker to authenticate using SPNEGO-2 (NTLM or Kerberos)
  None - Do not authenticate
  All - Allow authentication with any supported protocol
  Basic - Allow authentication with Basic Auth

When any protocol other than Basic Auth is enabled, the HTTPRequest or SOAPRequest nodes will not pre-emptively authenticate to the service. Instead they will wait for a 401 response from the server indicating which authentication mechanisms the server supports, and will use the highest supported protocol. Once connected, this protocol will be used to authenticate pre-emptively until the flow is stopped or allowedAuthTypes is changed.

To configure any of the protocols to always be used for pre-emptive authentication, this APAR also adds the property "preemptiveAuthType" to the ComIbmSocketConnectionManager. This property can take any of the following values:

  Basic - Pre-emptively authenticate using Basic Auth
  NTLM - Pre-emptively authenticate using NTLM
  Negotiate - Pre-emptively authenticate using SPNEGO (NTLM or Kerberos)
  Nego2 - Pre-emptively authenticate using SPNEGO2 (NTLM or Kerberos)

When using any form of outbound authentication there must be a security profile configured on the node or flow which is configured for Identity Propagation. The pre-supplied "Default Propagation" security profile is sufficient.
Local fix
Problem summary
****************************************************************
USERS AFFECTED: All users of IBM Integration Bus V9.0 on Windows.
Platforms affected: Windows on x86 platform, Windows on x86-64 platform
****************************************************************
PROBLEM DESCRIPTION: IBM Integration Bus does not support Integrated Windows Authentication for WebServices; in particular, the protocols NTLM, SPNEGO and SPNEGO2 are not supported.

There are a number of resource name changes between WebSphere Message Broker and IBM Integration Bus Version 9.0. For details visit http://pic.dhe.ibm.com/infocenter/wmbhelp/v9r0m0/topic/com.ibm.etools.mft.doc/bb23814_.htm
Problem conclusion
IBM Integration Bus now supports Integrated Windows Authentication inbound and outbound for the SOAPInput and SOAPRequest and HTTPInput and HTTPRequest nodes. The NTLM, SPNEGO and Kerberos protocols are supported.

INBOUND
------------
For inbound support this APAR adds a new property "integratedWindowsAuthentication" to the HTTPConnector and HTTPSConnector objects. This property can take the following values:

  NTLM - Specify the use of NTLM
  Negotiate - Specify the use of SPNEGO to negotiate either Kerberos or NTLM
  Negotiate:Kerberos - Specify the use of Kerberos only, without falling back to NTLM

You may also specify a semi-colon delimited list of acceptable protocols. For example, to allow NTLM or Negotiate on a non-SSL connection you can set:

  mqsichangeproperties IB9Node -e default -o HTTPConnector -n integratedWindowsAuthentication -v "NTLM;Negotiate"

OUTBOUND
--------------
For outbound support a new property "allowedAuthTypes" is added to the ComIbmSocketConnectionManager object. This property can take the following values:

  IWA - Allow the broker to authenticate using any IWA protocol
  NTLM - Allow the broker to authenticate using NTLM
  Negotiate - Allow the broker to authenticate using SPNEGO (NTLM or Kerberos)
  Nego2 - Allow the broker to authenticate using SPNEGO-2 (NTLM or Kerberos)
  None - Do not authenticate
  All - Allow authentication with any supported protocol
  Basic - Allow authentication with Basic Auth

When any protocol other than Basic Auth is enabled, the HTTPRequest or SOAPRequest nodes will not preemptively authenticate to the service. Instead they will wait for an HTTP 401 response from the server indicating which authentication mechanisms the server supports, and will use the highest supported protocol. Once connected, this protocol will be used to authenticate preemptively until the flow is stopped or allowedAuthTypes is changed.

To configure any of the protocols to always be used for preemptive authentication, this APAR also adds the property "preemptiveAuthType" to the ComIbmSocketConnectionManager. This property can take any of the following values:

  Basic - Preemptively authenticate using Basic Auth
  NTLM - Preemptively authenticate using NTLM
  Negotiate - Preemptively authenticate using SPNEGO (NTLM or Kerberos)
  Nego2 - Preemptively authenticate using SPNEGO2 (NTLM or Kerberos)

When using any form of outbound authentication there must be a security profile configured on the node or flow which is configured for Identity Propagation. The pre-supplied "Default Propagation" security profile is sufficient.

For more advanced scenarios, the following optional configuration properties can also be used with the ComIbmSocketConnectionManager object:

  allowNtlmNegotiation='TRUE' - set this to 'FALSE' to prevent NTLM from being negotiated with the Negotiate and Nego2 authentication protocols
  negotiateMutualAuth='FALSE' - set this to 'TRUE' if you require mutual authentication when the Kerberos protocol is negotiated

Note: When negotiating Kerberos, the broker automatically generates a service principal name (SPN) for the service based on the host name for the request. For example, if the URL for the service is https://iib.iibservice/testservice/service1.svc the SPN will be assumed to be 'HTTP/iib.iibservice'. If the service exists at a different SPN, use the following local environment overrides to provide an explicit SPN for the service.

For HTTP:
  SET OutputLocalEnvironment.Destination.HTTP.ServicePrincipalName = 'HTTP/iib.iibservice2.com:7800';
For SOAP:
  SET OutputLocalEnvironment.Destination.SOAP.Request.Transport.HTTP.ServicePrincipalName = 'HTTP/iib.iibservice2.com:7800';

In addition, if you are using an HTTPRequest node, you must set the HTTP version property to "1.1" and select "Enable HTTP/1.1 keep-alive" on the HTTP Settings tab in the Properties view.

To check what the current outbound authentication is, run the following command:

  mqsireportproperties brokerName -e ExecutionGroupName -o ComIbmSocketConnectionManager -r

The new property, "allowedAuthTypes", is displayed within the connector properties. If multiple values are set, they are separated by a semicolon. If no specific credentials are set, the credentials of the broker service user ID (the parameter specified on the mqsicreatebroker command) will be sent to the remote service. If you require specific identity credentials to be propagated, you must set the appropriate credentials in the Properties tree. For more information, see the task topic "Configuring authentication with HTTP basic authentication" in the Knowledge Center.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

  Version   Maintenance Level
  v9.0      9.0.0.2

The latest available maintenance can be obtained from:
http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
If the maintenance level is not yet available, information on its planned availability can be found on:
http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
---------------------------------------------------------------
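The outbound behaviour described above (validating the allowedAuthTypes list, choosing a scheme from the server's 401 challenge, and deriving the default Kerberos SPN from the request URL) modelled in Python as an added example; this is not IBM's code. The preference order among challenge schemes, the set of configured values that accept each scheme, and the omission of the port from the default SPN are assumptions, and Nego2 is accepted as a configured value only (its challenge token is not modelled).

```python
from urllib.parse import urlsplit

# Values documented for allowedAuthTypes in the APAR text.
ALLOWED_AUTH_TYPES = {"IWA", "NTLM", "Negotiate", "Nego2", "None", "All", "Basic"}
# Assumed preference order when a server offers several schemes; the APAR only
# says the "highest supported protocol" is used, without listing the order.
SCHEME_RANK = ["Negotiate", "NTLM", "Basic"]
# Assumed mapping: which configured values make a challenge scheme acceptable.
ENABLES = {
    "Negotiate": {"All", "IWA", "Negotiate"},
    "NTLM": {"All", "IWA", "NTLM"},
    "Basic": {"All", "Basic"},
}


def parse_auth_types(value):
    """Split a semicolon-delimited property value and reject unknown names."""
    types = {t.strip() for t in value.split(";") if t.strip()}
    bad = types - ALLOWED_AUTH_TYPES
    if bad:
        raise ValueError(f"unsupported allowedAuthTypes value(s): {sorted(bad)}")
    return types


def choose_scheme(allowed_value, www_authenticate_headers):
    """Model the documented 401 handling: given the configured allowedAuthTypes
    and the WWW-Authenticate challenge lines, return the highest-ranked scheme
    both sides accept, or None when nothing matches or 'None' is configured."""
    allowed = parse_auth_types(allowed_value)
    if "None" in allowed:
        return None
    # The scheme is the first token of each challenge, e.g. 'Basic realm="svc"'.
    offered = {h.strip().split(None, 1)[0].lower()
               for h in www_authenticate_headers if h.strip()}
    for scheme in SCHEME_RANK:
        if scheme.lower() in offered and allowed & ENABLES[scheme]:
            return scheme
    return None


def default_spn(url):
    """Reproduce the documented default SPN, 'HTTP/' plus the request host name.
    Assumption: no port is appended; a different SPN needs the documented
    local environment override (ServicePrincipalName)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return "HTTP/" + host
```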
Temporary fix
Comments
APAR Information
APAR number
IC98376
Reported component name
INTEGRATION BUS
Reported component ID
5724J0530
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2013-12-17
Closed date
2014-07-03
Last modified date
2014-07-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
INTEGRATION BUS
Fixed component ID
5724J0530
Applicable component levels
R900 PSY
UP
Document Information
Modified date:
03 July 2014