IBM InfoSphere Identity Insight, Version 8.0

webservices.policy and webservices.passwd file parameters

These configuration files contain the pipelineURL parameter settings that configure authentication and authorization security for Web services pipelines.

These properties files provide enhanced Web Services security through configurable authentication and authorization settings. The webservices.policy properties file lets you configure the authentication and authorization settings. The webservices.passwd properties file contains users and groups along with their passwords.

The files are located in the <install_dir>/srd-home/easws directory.

Authentication is the process of confirming a user's or computer's identity. Authorization is the operation that verifies the permissions and access rights granted to a user. Using these two independently configured security layers allows the provider of Web Services to control who can access the system and what degree of access they have. Authentication and authorization are configured through the webservices.policy file. By default, authentication and authorization are both disabled for all Web services.

Note: When the webservices.policy file, the webservices.passwd file, or the pipeline configurations are changed, Web services must be stopped and restarted. This is done by running the stopEAS and startEAS scripts. Entries other than those described here may be present in these files. Do not change those entries unless directed by IBM Support.

Most SOAP clients do not support the HTTP Basic Authentication challenge/response mechanism. However, the authorization features can still be used with such clients.

webservices.policy
The webservices.policy file contains authentication and authorization properties such as authenticate=ALWAYS and authorize=ALWAYS. Use this properties file to configure the authentication and authorization settings. It is located in the srd-home directory for Web Services, and you can modify and maintain it manually with any text editor.

Policy settings for the authentication level and the authorization level can each be independently set to “NEVER”, “REMOTE” or “ALWAYS”. By default, both authentication and authorization are set to “NEVER”. The combinations of these settings are described in the use cases section below.

Note: SOA-UMF records can be ingested, and replies received, regardless of the security settings here. The legacy srd.wsdl 'process' call can be secured to assist in securing this access method. An example entry is found in the comments in the webservices.policy file.

webservices.passwd
This properties file contains user and group names along with their passwords. You can manage it with the Java command-line utility wspwd.jar, which encrypts the passwords before saving them to disk.

IBM InfoSphere Identity Insight Web Services provide support for HTTP Basic Authentication. HTTP Basic Authentication challenges an HTTP client for credentials by sending a “401 Unauthorized” response when credentials are not provided. The user is prompted for a user name and password in a browser window. Once received, the request is resubmitted with the added credentials in an HTTP header.

HTTP Basic Authentication support provides a "challenge client" setting whereby the server can be configured to expect and attempt to match credentials upon the initial request. If not provided, the server sends a “403 Forbidden” response.
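The following Python script is an added illustration of the challenge/response exchange just described; it is not code from the IBM documentation or from the product. It parses the Authorization header a client sends, verifies the password against a credential store with a constant-time comparison, and maps the outcome to the status codes the text names: a “401 Unauthorized” challenge when no credentials arrive and challenging is enabled, “403 Forbidden” when it is disabled or the credentials are wrong. The credential-store layout (salted PBKDF2-SHA256 digests), the sample user and the `challenge_client` flag name are assumptions made for the example; the real format that wspwd.jar writes to webservices.passwd is not described on this page.

```python
"""HTTP Basic Authentication challenge/response, modelled on the page's description.

Added example; not IBM documentation or product code. The credential store,
hashing scheme and `challenge_client` flag are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

_ITERATIONS = 100_000  # PBKDF2 work factor (assumption, not a product setting)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password with a fresh random salt for storage; never store it in clear."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, _derive(password, salt)


# Constructed credential store: user -> (salt, digest). Sample user, not a real credential.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "analyst": make_record("s3cret-example"),
}
# Unknown users are checked against this record so response time does not reveal
# which user names exist.
_DUMMY_RECORD = make_record("", b"\x00" * 16)


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (user, password) from 'Authorization: Basic <base64>'.
    Returns None when the header is missing, uses another scheme, or is malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    # RFC 7617: the user-id cannot contain ':' but the password may, so split on the first one only.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify(user: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored digest."""
    salt, stored = CREDENTIALS.get(user, _DUMMY_RECORD)
    matches = hmac.compare_digest(_derive(password, salt), stored)
    return matches and user in CREDENTIALS


def authenticate(headers: Dict[str, str], challenge_client: bool) -> Tuple[int, Dict[str, str]]:
    """Map a request to the status codes the page describes.
    No credentials: 401 plus a WWW-Authenticate challenge if challenge_client is on, else 403.
    Bad credentials: 403. Valid credentials: 200, meaning the request proceeds."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        if challenge_client:
            return 401, {"WWW-Authenticate": 'Basic realm="EAS Web Services", charset="UTF-8"'}
        return 403, {}
    user, password = creds
    if not verify(user, password):
        return 403, {}
    return 200, {}


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the header a client resubmits after a 401 challenge. Basic only
    base64-encodes the pair, it does not encrypt it, so the transport must be TLS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(authenticate({}, challenge_client=True))                        # status 401 with challenge
    print(authenticate({}, challenge_client=False))                       # status 403
    print(authenticate(basic_header("analyst", "s3cret-example"), True))  # status 200
    print(authenticate(basic_header("analyst", "wrong"), True))           # status 403
```

The `verify` step is where a real deployment's choices matter: the page notes that wspwd.jar encrypts stored passwords, and whatever the stored form is, the comparison should be constant-time and should behave identically for unknown and known users, as shown here.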

Use cases for enhanced security

The following tables describe the Authentication and Authorization security settings through use cases.

Keep in mind that the product's Visualizer component uses Web Services: the Visualizer Enterprise Java Beans connect to the Web Services locally. If either authentication or authorization is set to “ALWAYS”, the Visualizer is subject to those authentication and authorization restrictions. If set to “NEVER” or “REMOTE”, the Visualizer is not affected, because its connections are local. Because of this, the “ALWAYS” settings should only be used for EAS Web Services installations that are not used with the Visualizer.

Table 1. Authentication NEVER, Authorization NEVER
Description: No security. This is separate from the accessRestriction property, which continues to function as before.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A local client system calls any of the available Web Service methods.
  2. This call is processed and a response is generated.
Alternate scenario: A remote client calls any of the available Web Service methods.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 2. Authentication REMOTE, Authorization NEVER
Description: Remote requests must authenticate. Local requests are allowed without authentication. Once authenticated, the remote user can access any Web Service operation. Local requests can always execute any Web Service operation.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A local client system calls any of the available Web Service methods.
  2. This call is processed and a response is generated.
Alternate scenario A:
  1. A remote client calls any of the available Web Service methods and provides authentication credentials.
  2. The service validates the credentials and provides the response.
Alternate scenario B:
  1. A remote client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the service responds with “401 Unauthorized” to challenge the client to provide credentials.
  3. If the provided credentials are valid, the request is processed and a response generated. Otherwise, “403 Forbidden” is returned.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 3. Authentication ALWAYS, Authorization NEVER
Description: All requests must authenticate; otherwise either a “401 Unauthorized” response is given to challenge the client (if configured) or a “403 Forbidden” response is given to indicate that the user is not permitted to access the operation. Once authenticated, the user can access any Web Service operation, but without authentication, none can be accessed.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A client system calls any of the available Web Service methods and provides authentication credentials.
  2. The supplied credentials are validated.
  3. If the credentials are valid, the request is processed and a response is generated. Otherwise, “403 Forbidden” is returned.
Alternate scenario:
  1. A client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the system responds with “401 Unauthorized” to challenge the client to provide credentials.
  3. If the client has been designed to listen for a “401 Unauthorized” response, it can then send credentials. Otherwise, the call fails.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 4. Authentication NEVER, Authorization REMOTE
Description: No authentication is required, and local clients can access any Web Service operation. Remote clients can only access operations for which the policy allows “any group” access.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A client system calls any of the available Web Service methods and provides authentication credentials.
  2. The supplied credentials are validated.
  3. If the credentials are valid, the request is processed and a response is generated. Otherwise, “403 Forbidden” is returned.
Alternate scenario:
  1. A client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the system responds with “401 Unauthorized” to challenge the client to provide credentials.
  3. If the client has been designed to listen for a “401 Unauthorized” response, it can then send credentials. Otherwise, the call fails.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 5. Authentication REMOTE, Authorization REMOTE
Description: All local requests are allowed without authentication or authorization. Remote requests must authenticate. Once authenticated, the remote user can only access Web Service operations for which they are authorized. Local requests can always execute any Web Service operation.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A local client system calls any of the available Web Service methods.
  2. This call is processed and a response is generated.
Alternate scenario A:
  1. A remote client calls any of the available Web Service methods and provides authentication credentials.
  2. The service validates the credentials.
  3. If the requesting user is authorized for the requested service, it is processed and data returned. If the user is not authorized, a “403 Forbidden” response is returned.
Alternate scenario B:
  1. A remote client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the system returns “401 Unauthorized” to prompt the user to provide a name and password.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 6. Authentication ALWAYS, Authorization REMOTE
Description: All requests must authenticate. If not, either “401 Unauthorized” is returned to prompt the user for a name and password, or “403 Forbidden” is returned to indicate that the user is not permitted to access the operation. The 401 response only occurs if configured to challenge clients. Local clients who have authenticated are able to access any Web Service operation. Remote clients are only able to access Web Service operations for which they are authorized.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A local client system calls any of the available Web Service methods and provides authentication credentials.
  2. This call is processed and a response is generated.
Alternate scenario A:
  1. A local client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the system responds with “401 Unauthorized” to prompt the client to provide a user name and password.
  3. If the credentials are valid, the client can access any running service.
Alternate scenario B:
  1. A remote client calls any of the available Web Service methods and provides authentication credentials.
  2. The service validates the credentials.
  3. If the requesting user is authorized for the requested service, it is processed and data returned. If the user is not authorized, a “403 Forbidden” response is returned.
Alternate scenario C:
  1. A remote client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the service returns “401 Unauthorized” to prompt the client to provide a user name and password.
  3. If the credentials are valid, the client can access any running service.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 7. Authentication NEVER, Authorization ALWAYS
Description: No authentication is required. Clients can only access operations for which the policy allows “any group” access.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A client system calls any of the available Web Service methods and provides authentication credentials.
  2. The credentials are validated.
  3. If the called method is open to all users, the request is processed; otherwise, “403 Forbidden” is returned.
Alternate scenario:
  1. A client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the system responds with “401 Unauthorized” to prompt the client to provide a user name and password.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 8. Authentication REMOTE, Authorization ALWAYS
Description: All local requests are allowed without authentication. Remote clients must be authenticated. Local clients can only access those Web Service operations for which “any group” access is granted. Remote clients can only access Web Service operations for which they are specifically authorized.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A local client system calls any of the available Web Service methods.
  2. If the requested service is available to all groups, the request is processed. If not, “403 Forbidden” is returned.
Alternate scenario A:
  1. A remote client calls any of the available Web Service methods and provides authentication credentials.
  2. The service validates the credentials.
  3. If the validated user has been granted access to the requested service, the call is processed and data returned. If not, “403 Forbidden” is returned.
Alternate scenario B:
  1. A remote client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the service responds with “401 Unauthorized” to prompt the client to provide a user name and password.
  3. The service validates the credentials. If the validated user has been granted access to the requested service, the call is processed and data returned. If not, “403 Forbidden” is returned.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.

Table 9. Authentication ALWAYS, Authorization ALWAYS
Description: All requests must authenticate. If not, either “401 Unauthorized” is returned to prompt the client for credentials, or “403 Forbidden” is returned to indicate that the user is not permitted to access the operation. The 401 response only occurs if configured. Once authenticated, clients can only access Web Service operations for which they are specifically authorized. Local and remote requests are treated the same way.
Actors: User, Client System, SOAP Service Provider, Pipeline
Pre-conditions: Web Services are running.
Post-conditions: Data was returned or an error code was issued.
Primary scenario:
  1. A client system calls any of the available Web Service methods and provides authentication credentials.
  2. The credentials are validated.
  3. If the user has been granted access to the requested service, the request is processed. If not, “403 Forbidden” is returned.
Alternate scenario:
  1. A client calls any of the available Web Service methods and does not provide authentication credentials.
  2. If configured, the system returns “401 Unauthorized” to prompt the client to provide credentials.
Error conditions: If the Web Services or the Pipeline are not available, an error is returned.
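The nine tables above are the full truth table of two three-valued settings, and it is easy to misread which callers an intermediate setting exempts. The Python below is an added example, not IBM documentation or product code, that encodes the decision the tables describe as one function and evaluates a request against all nine authenticate/authorize combinations. The operation-to-groups mapping, the `ANY_GROUP` marker for operations that allow “any group” access, the `challenge_client` flag and the sample operation names are assumptions made for the example; the real keys of webservices.policy are not listed on this page, and the rule that an unauthenticated caller can reach only “any group” operations follows Tables 4, 7 and 8.

```python
"""Decision logic for the authenticate/authorize levels described in Tables 1 to 9.

Added example; not IBM documentation or product code. Policy keys, the
ANY_GROUP marker and the challenge_client flag are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

NEVER, REMOTE, ALWAYS = "NEVER", "REMOTE", "ALWAYS"
LEVELS = (NEVER, REMOTE, ALWAYS)
ANY_GROUP = "*"  # constructed marker: operation open to "any group"


@dataclass
class Policy:
    authenticate: str = NEVER          # default per the page: both levels NEVER
    authorize: str = NEVER
    challenge_client: bool = True      # assumption: whether 401 challenges are issued
    # operation name -> groups permitted to call it (constructed sample mapping)
    grants: Dict[str, FrozenSet[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Request:
    operation: str
    local: bool                        # local caller (e.g. the Visualizer EJBs) or remote
    user: Optional[str] = None         # None means no credentials were supplied
    credentials_valid: bool = False
    groups: FrozenSet[str] = frozenset()


def applies(level: str, local: bool) -> bool:
    """ALWAYS covers every caller, REMOTE only remote callers, NEVER nobody."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return level == ALWAYS or (level == REMOTE and not local)


def decide(policy: Policy, req: Request) -> int:
    """Return 200 (processed), 401 (challenge) or 403 (forbidden) as the tables describe."""
    authenticated = False
    if applies(policy.authenticate, req.local):
        if req.user is None:
            return 401 if policy.challenge_client else 403
        if not req.credentials_valid:
            return 403
        authenticated = True
    if applies(policy.authorize, req.local):
        allowed = policy.grants.get(req.operation, frozenset())
        if ANY_GROUP in allowed:
            return 200
        # A caller whose identity was never established (authentication NEVER, or a
        # local caller exempted by REMOTE) can reach only "any group" operations.
        if not authenticated:
            return 403
        return 200 if req.groups & allowed else 403
    return 200


def matrix(req: Request, grants: Dict[str, FrozenSet[str]],
           challenge_client: bool = True) -> Dict[Tuple[str, str], int]:
    """Evaluate one request against all nine authenticate/authorize combinations."""
    return {(a, z): decide(Policy(a, z, challenge_client, grants), req)
            for a in LEVELS for z in LEVELS}


# Constructed sample policy: "search" is open to any group, "resolve" only to analysts.
SAMPLE_GRANTS = {"search": frozenset({ANY_GROUP}), "resolve": frozenset({"analysts"})}


if __name__ == "__main__":
    anonymous_remote = Request("resolve", local=False)
    for (auth, authz), status in matrix(anonymous_remote, SAMPLE_GRANTS).items():
        print(f"authenticate={auth:6} authorize={authz:6} -> {status}")
```

Running the block with a local, credential-less request instead shows the Visualizer caveat from the text: every combination except those containing ALWAYS returns 200, and with Authorization ALWAYS a local caller reaches only the “any group” operation (Table 8).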
Last updated: 2011