WebSphere Enterprise Service Bus for z/OS, Version 6.2.0 Operating Systems: z/OS


Creating end-to-end security

There are many potential end-to-end security scenarios, and each can involve different security steps. Several typical scenarios are presented here, together with the security options each one needs.

Before you begin

These scenarios all assume that administrative security is enforced.

Procedure
  1. Determine which of the examples provided in this section most closely match your security needs. In some instances, your needs might involve a combination of information from more than one of the scenarios.
  2. Read the security information for the relevant scenarios and apply it to your security needs.

Example

Inbound Web service request

In this scenario, a Web service client invokes a WebSphere® Process Server component. The request passes through several components in the WebSphere Process Server environment before an adapter passes it to an enterprise information system (EIS).

The figure shows a Web service request to WebSphere Enterprise Service Bus.

You can authenticate the Web service client as an SSL client, with HTTP basic authentication, or with WS-Security authentication. After the client is authenticated, access control is applied based on the SecurityPermission qualifier. Between the client and the WebSphere Process Server instance, you can secure data integrity and privacy with SSL or with WS-Security. SSL secures the entire connection, whereas with WS-Security you can encrypt or digitally sign parts of the SOAP message. For Web services, WS-Security is the preferred standard.

Outbound Web service request

In this scenario, the inbound request can be from an adapter, a Web service client, or an HTTP client. A component in WebSphere ESB (for example a mediation flow component) invokes an external Web service.

The figure shows a Web service request from WebSphere Enterprise Service Bus.

As with the inbound Web service request, you can authenticate to the external Web service as an SSL client, with HTTP basic authentication, or with WS-Security authentication. Use LTPACallBackHandler as the callback mechanism to extract the usernameToken from the current RunAs subject. Between WebSphere Process Server and the target Web service, you can ensure data privacy and integrity with WS-Security.

Web application - HTTP inbound request to WebSphere Process Server

WebSphere Process Server supports three types of authentication for HTTP:
  • HTTP basic authentication
  • HTTP forms-based authentication
  • HTTPS SSL-based client authentication

In addition, to protect your intranet from intruders, you can place the Web server in the demilitarized zone (DMZ) and WebSphere Process Server inside the inner firewall. In this example, WebSEAL is used as the reverse proxy and authenticates the user. It has a trust association with WebSphere Process Server behind the firewall and can forward authenticated requests.

The figure depicts a Web application making an HTTP (inbound) request to WebSphere Enterprise Service Bus.
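The trust association in this scenario rests on one condition: the server behind the firewall must accept a forwarded identity only when it can prove the request really came from the reverse proxy, because any client that can reach the server can otherwise add the same header itself. The following is an added example, not IBM's code and not how the WebSphere trust association interceptor is implemented: it models that check in a small policy object. It assumes the proxy forwards the user name in an iv-user header (the header name WebSEAL uses) and that the server recognises the proxy either by the subject of the client certificate on the proxy's TLS connection or by a shared-secret header; the header name x-proxy-secret, the certificate subject and all request values are constructed for the example.

```python
"""Added example (not IBM's code): a minimal trust-association check.

Models the rule behind the reverse-proxy scenario: honour the proxy's
identity header only on requests the proxy can be proven to have sent.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Mapping, Optional

USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")  # constructed user-name policy


@dataclass(frozen=True)
class TrustPolicy:
    trusted_proxy_subjects: frozenset          # subject DNs of proxy client certificates
    shared_secret: Optional[bytes] = None      # alternative proof when no client cert is used
    identity_header: str = "iv-user"           # header WebSEAL uses for the user name
    secret_header: str = "x-proxy-secret"      # hypothetical header carrying the secret


@dataclass(frozen=True)
class ForwardedRequest:
    headers: Mapping[str, str]       # header names lower-cased (see normalize_headers)
    peer_cert_subject: Optional[str] # DN of the TLS client certificate, if one was presented
    peer_addr: str                   # recorded for logging only; not used as proof


def normalize_headers(raw: Mapping[str, str]) -> dict:
    """Header names are case-insensitive; compare them in one case."""
    return {name.lower(): value for name, value in raw.items()}


def proxy_is_trusted(req: ForwardedRequest, policy: TrustPolicy) -> bool:
    """Proof that the request came from the proxy: its client cert or its secret."""
    if req.peer_cert_subject is not None and \
            req.peer_cert_subject in policy.trusted_proxy_subjects:
        return True
    if policy.shared_secret is not None:
        presented = req.headers.get(policy.secret_header, "").encode("utf-8")
        return hmac.compare_digest(presented, policy.shared_secret)
    return False


def resolve_principal(req: ForwardedRequest, policy: TrustPolicy) -> Optional[str]:
    """Return the user the request may run as, or None.

    None means the server must not trust the identity header; it should fall
    back to its own authentication or reject the request.
    """
    if not proxy_is_trusted(req, policy):
        return None  # a direct client that set iv-user itself lands here
    user = req.headers.get(policy.identity_header, "").strip()
    if user.lower() == "unauthenticated":
        return None  # assumption: WebSEAL's marker for an anonymous session
    if not USERNAME_RE.match(user):
        return None
    return user


if __name__ == "__main__":
    policy = TrustPolicy(
        trusted_proxy_subjects=frozenset({"CN=webseal.dmz.example,O=Example"}),
        shared_secret=b"constructed-secret",
    )
    via_proxy = ForwardedRequest(normalize_headers({"IV-User": "alice"}),
                                 "CN=webseal.dmz.example,O=Example", "10.0.0.5")
    direct = ForwardedRequest(normalize_headers({"IV-User": "alice"}), None, "198.51.100.7")
    print(resolve_principal(via_proxy, policy))  # alice
    print(resolve_principal(direct, policy))     # None
```

Network placement (the DMZ and the inner firewall) limits who can reach the server, but the proof of origin in proxy_is_trusted is what stops a host inside the inner network from forging the header. Keeping the two checks separate, origin first and then identity, also makes the audit record clear: a rejected request tells you whether the sender was not the proxy or whether the proxy forwarded an unusable identity.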




Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.zseries.doc/doc/tsec_endtoend.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.