IBM Support

Using Integrated Windows Authentication with an Inbound IIB REST service

Question & Answer


Question

Using Integrated Windows Authentication with an Inbound IIB REST service

Answer

On Demand Consulting
Author: Phil Bareham

Introduction

A customer had implemented a number of REST services using IIB V10 and then wanted to secure these services using Integrated Windows Authentication (IWA). IIB can authenticate the user attempting to invoke an IIB-implemented REST service using IWA; this functionality is provided for IIB nodes running on Windows and Linux/Unix.

In this article we describe how to enable IWA for an IIB REST service running on Windows to be consumed by a client.

It must be remembered that for IWA to be used on inbound REST calls to IIB, the embedded (integration server) listener must be used, not the integration node-wide listener. For the purposes of this document we disable the integration node listener.

For the purposes of this article we used an IIB node named 'IIB10NODE' and an integration server named 'default'. Note: the author did not have access to a Windows Domain Controller; all the commands shown in this section were executed using a Windows local account.

The REST service used in this scenario

We built a very simple REST service based on the article found here:


https://developer.ibm.com/integration/blog/2016/03/16/graphical-data-mapping-for-rest-apis-with-json-schema/

In the IIB toolkit the REST API Description looked like this:

[screenshot]

Using SOAP-UI (from another computer) to test this, with no authentication configured at this point, gave the result shown in the following screenshot:

[screenshot]

Disable the Integration Node Listener

We chose to disable the IIB node-wide listener. To do this we used the following command:

mqsichangeproperties IB10NODE -b httplistener -o HTTPListener -n startListener -v false

Next we restarted the IIB node. Once it had restarted we checked the status of the node-wide listener with the command:

mqsireportproperties IB10NODE -b httplistener -o HTTPListener -n startListener

Which gave the response:

[screenshot]

We then checked the port number being used by the embedded listener for the 'default' integration server with the command:

mqsireportproperties IB10NODE -e default -o HTTPConnector -n port

Which showed that the port being used was 7800.

Enable Integrated Windows Authentication

To enable IWA on the 'default' integration server using NTLM we used the following command:

mqsichangeproperties IB10NODE -e default -o HTTPConnector -n integratedWindowsAuthentication -v "NTLM"

We confirmed this with the command:

mqsireportproperties IB10NODE -e default -o HTTPConnector -n integratedWindowsAuthentication

Which reported:

[screenshot]

We used 'NTLM' in this scenario; other options are available and are documented here:

https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bp62010_.htm

We then restarted the integration node to pick up the changes.

Testing IWA

Back in SOAP-UI we then configured NTLM by clicking on the 'Auth' section at the bottom of the SOAP-UI request:

[screenshot]

We then selected 'Add new authorization' from the Authorization drop-down and chose NTLM:

[screenshot]

We were then prompted for our username, password and domain, which we completed as follows:

[screenshot]

We then ran the request again and it completed successfully:

[screenshot]

To double check we then added an 'x' to the end of the user id so that it became gb036159x and re-ran the request; this time it failed with a 401 Unauthorised.

Testing IWA with a simple Java application

We then moved on to testing IWA with a simple Java application. The code was as follows:

  package com.ibm.issw.pjb;

  import java.io.BufferedReader;
  import java.io.InputStream;
  import java.io.InputStreamReader;
  import java.net.Authenticator;
  import java.net.PasswordAuthentication;
  import java.net.URL;

  public class CallEchoRESTTest3 {

      static final String urlStr = "http://192.168.1.161:7800/echotest/v1/getEcho?InputText=gggggggg";
      static final String userId = "<-user-id->";    // your account name
      static final String password = "<-password->"; // retrieve password for your account
      static final String domain = "PJB-X230";        // may also be referred to as the realm

      // Called by the JDK HTTP client when the server answers with an NTLM challenge;
      // it supplies DOMAIN\user and the password for the built-in NTLM handshake.
      static class MyAuthenticator extends Authenticator {
          public PasswordAuthentication getPasswordAuthentication() {
              RequestorType reqType = getRequestorType();
              System.out.println("request type = " + reqType.toString());
              System.out.println("Protocol type = " + getRequestingProtocol());
              System.out.println("Scheme type = " + getRequestingScheme());
              System.out.println("Feeding username and password for " + getRequestingScheme());
              return new PasswordAuthentication(domain + "\\" + userId, password.toCharArray());
          }
      }

      public static void main(String[] args) throws Exception {
          Authenticator.setDefault(new MyAuthenticator());
          URL url = new URL(urlStr);
          // getInputStream() throws an IOException if the final response is not 2xx (e.g. 401)
          InputStream ins = url.openConnection().getInputStream();
          BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
          String str;
          while ((str = reader.readLine()) != null)
              System.out.println(str);
      }
  }

This Java code uses the java.net.Authenticator and PasswordAuthentication classes to supply the Windows credentials when the embedded listener issues its NTLM challenge.
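The three SOAP-UI checks made above (anonymous request, wrong user id, valid account) can be scripted as a deployment check. This is an added example, not code from the original article; the endpoint, domain and account values are placeholders to adjust for your node, and the order of the checks avoids reusing an already-authenticated connection.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;

/** Verifies that IWA (NTLM) on the IIB embedded listener challenges and rejects as expected. */
public class IwaCheck {
    // Assumed values: adjust the host/port, domain and account for your own node.
    static final String URL_STR = "http://192.168.1.161:7800/echotest/v1/getEcho?InputText=check";
    static final String DOMAIN = "PJB-X230";
    static final String USER = "<-user-id->";
    static final String PASSWORD = "<-password->";

    /** Installs the credentials the JDK's built-in NTLM client will use, or clears them when user is null. */
    static void useCredentials(final String user, final String password) {
        Authenticator.setDefault(user == null ? null : new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(DOMAIN + "\\" + user, password.toCharArray());
            }
        });
    }

    /** Sends one GET and returns the final HTTP status; 4xx comes back as a code, not an exception. */
    static int probe(String label) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(URL_STR).openConnection();
        conn.setRequestProperty("Connection", "close"); // NTLM binds to the connection; do not reuse it
        int code = conn.getResponseCode();
        System.out.println(label + ": HTTP " + code
                + " WWW-Authenticate=" + conn.getHeaderField("WWW-Authenticate"));
        conn.disconnect();
        return code;
    }

    static boolean expect(String label, int got, int want) {
        if (got == want) return true;
        System.out.println("FAIL " + label + ": expected HTTP " + want + " but got " + got);
        return false;
    }

    public static void main(String[] args) throws IOException {
        boolean ok = true;
        useCredentials(null, null);                 // no credentials: listener must challenge
        ok &= expect("anonymous", probe("anonymous"), 401);
        useCredentials(USER + "x", PASSWORD);       // the article's 'x' suffix check
        ok &= expect("bad user", probe("bad user"), 401);
        useCredentials(USER, PASSWORD);             // the real account must be accepted
        ok &= expect("valid", probe("valid"), 200);
        System.out.println(ok ? "IWA check PASSED" : "IWA check FAILED");
        System.exit(ok ? 0 : 1);
    }
}
```

The anonymous probe should print WWW-Authenticate=NTLM, which confirms the request reached the embedded listener with IWA enabled rather than an unauthenticated listener.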


Document Information

Modified date:
16 March 2019

UID

ibm10771817