Use the DataPower Security wizard in the WebSphere® Message Broker Explorer to configure an external DataPower® appliance to handle the WS-Security policy for the HTTPInput, HTTPSInput, and SOAPInput nodes in your message flow. The DataPower appliance is configured to decrypt incoming messages to your flow and to encrypt outgoing messages from your flow, without requiring any changes to the message flows or to the broker configuration.
Before you start: To use the DataPower Security wizard, you must have access to the SYSTEM.DEF.SVRCONN channel on the broker's queue manager. Your clients must send their messages directly to the DataPower appliance on a Client port that you specify.
The following steps are required to configure a DataPower appliance for WS-Security for your message flows:
- Select the HTTP(S)Input and SOAPInput nodes for which you want to configure security.
- Create a DataPower connection profile, or edit an existing profile.
- Use or alter the default Policy Sets to specify your encryption and decryption WS-Security parameters.
- Specify which Crypto Keys on the DataPower appliance to use.
After you run the DataPower Security wizard, the following configuration is created on the DataPower appliance:
- An XML Firewall, optionally with a Back (for HTTPSInput nodes) and a Front (Client) SSL connection.
- An XML Firewall Policy consisting of one inbound/request rule and one outbound/response rule per HTTPInput, HTTPSInput, or SOAPInput node.
- Each inbound/request rule consists of a decryption action whose parameters are taken from the Policy Set.
- Each outbound/response rule consists of an encryption action whose parameters are taken from the Policy Set.
To configure DataPower security for your message flows:
- Right-click the message flow or execution group with which you want to work, and click Properties. You can enable security handling on a single message flow that contains HTTPInput, HTTPSInput, and SOAPInput nodes, or you can select an execution group to enable security handling for these nodes in all the message flows in the execution group.
- In the Properties window, click DataPower on the left to open the DataPower tab.
- Click Configure Security to open the Security on DataPower Appliance window. The HTTPInput, HTTPSInput, and SOAPInput nodes from your message flows are displayed in the Flow Details table.
- Select a Policy Set Binding from the list of options. If you select the No Policy Set Bindings option, no encryption or decryption actions are specified in your policy rules; you can use this option to test the communication channels before applying a policy set binding. To create a policy set binding, click Edit Policy Sets. See Policy Sets and Policy Set Bindings editor for more information about the Policy Sets and Policy Set Bindings editor.
- In the DataPower details section, select a User profile from the list of options. Click Edit Profiles to create or edit connection profiles. To create a profile:
  - In the DataPower Connection Profiles window, click Add.
  - Click in the relevant cell in the table to edit the values. You must provide a valid user name, domain, and the host name of your DataPower appliance.
  - Click Finish. The new or edited profile is now available to select in the Security on DataPower Appliance window.
- Add a password for the profile in the Password field.
You can also use the DataPower Connection Profiles window to import and export profiles between installations of the WebSphere Message Broker Explorer on different machines.
- Decide whether to create a new Policy or to merge with an existing Policy. If you attempt to merge with a policy that does not exist, a new one is created. A merge adds request and response rules to your policy, but it does not overwrite any preexisting rules. A merge also does not alter your existing firewall settings.
- Enter the name or names of your XML Firewalls, and the Client Ports on which your HTTP clients connect to your DataPower appliance.
- Optional: Select the nodes to configure in the Flow Details section, and click Next to select XML Firewall SSL settings, Decryption rules, and Encryption rules for your DataPower appliance.
- Click Finish. An attempt is made to connect to your domain on your DataPower appliance to retrieve your Crypto Profiles.
- Click Yes to confirm that you want to alter the configuration of your DataPower appliance.
You have now configured DataPower security settings for your message flow or execution group.
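The following added example is not code from the wizard or from DataPower; it is an illustrative model, written for this page, of the policy structure the wizard produces (one inbound/request rule with a decryption action and one outbound/response rule with an encryption action per node) and of the two policy handling choices: "No Policy Set Bindings" (rules without crypto actions, for testing the channel) and "merge" (missing rules are added, preexisting rules and an existing policy are left untouched, and a merge with a policy that does not exist creates it). All class names, field names, and the choice to model "create new" as replacing a same-named policy are assumptions of this example. The sample node names and key names are constructed.

```python
"""Illustrative model of the XML Firewall Policy generated by the DataPower
Security wizard. Not DataPower's API and not the wizard's code: every name
below is an assumption made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PolicySetBinding:
    """Parameters a Policy Set Binding supplies to the crypto actions.
    Passing None where a binding is expected models 'No Policy Set Bindings'."""
    name: str
    decrypt_key: str    # Crypto Key on the appliance used to decrypt requests
    encrypt_cert: str   # Crypto Certificate used to encrypt responses


@dataclass
class Rule:
    direction: str              # "request" (inbound) or "response" (outbound)
    node: str                   # HTTPInput / HTTPSInput / SOAPInput node name
    action: Optional[str]       # "decrypt", "encrypt", or None (pass-through)
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class FirewallPolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def has_rule(self, direction: str, node: str) -> bool:
        return any(r.direction == direction and r.node == node for r in self.rules)


def build_rules(node: str, binding: Optional[PolicySetBinding]) -> List[Rule]:
    """One inbound/request and one outbound/response rule per node.
    With no binding the rules carry no crypto action (channel test only)."""
    if binding is None:
        return [Rule("request", node, None), Rule("response", node, None)]
    return [
        Rule("request", node, "decrypt", {"key": binding.decrypt_key}),
        Rule("response", node, "encrypt", {"certificate": binding.encrypt_cert}),
    ]


def configure_policy(appliance: Dict[str, FirewallPolicy], policy_name: str,
                     nodes: List[str], binding: Optional[PolicySetBinding],
                     merge: bool) -> FirewallPolicy:
    """appliance maps policy names to the policies already on the device.
    merge=True reuses an existing policy (creating it if absent) and only adds
    rules that are missing; preexisting rules are never overwritten.
    merge=False is modelled as creating a fresh policy under that name."""
    if merge and policy_name in appliance:
        policy = appliance[policy_name]
    else:
        policy = FirewallPolicy(policy_name)
    for node in nodes:
        for rule in build_rules(node, binding):
            if not policy.has_rule(rule.direction, rule.node):
                policy.rules.append(rule)
    appliance[policy_name] = policy
    return policy


if __name__ == "__main__":
    # Constructed sample: two nodes, one binding, then a merge with a new node.
    device: Dict[str, FirewallPolicy] = {}
    binding = PolicySetBinding("default", "broker-decrypt-key", "client-cert")
    configure_policy(device, "wmb-policy", ["HTTPInput1", "SOAPInput1"], binding, merge=False)
    configure_policy(device, "wmb-policy", ["HTTPInput1", "HTTPSInput2"], binding, merge=True)
    for rule in device["wmb-policy"].rules:
        print(rule.direction, rule.node, rule.action, rule.params)
```

Running the script shows six rules: the four from the first run and two new ones for HTTPSInput2, with the original rules for HTTPInput1 unchanged by the merge.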