WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Authentication, mapping, and authorization with TFIM V6.1 and TAM

Use WebSphere® Message Broker, Tivoli® Federated Identity Manager (TFIM) V6.1, and Tivoli Access Manager (TAM) to control authentication, mapping, and authorization.

Note: Support for TFIM V6.1 is included for compatibility with previous versions of WebSphere Message Broker. If possible, upgrade to TFIM V6.2 and refer to the information in Authentication, mapping, and authorization with TFIM V6.2 and TAM.

WebSphere Message Broker makes a single TFIM WS-Trust call for an input node that is configured with a TFIM security profile, which means that a single module chain must be configured to perform all the required authentication, mapping, and authorization operations.

The following diagram shows the configuration of WebSphere Message Broker, TFIM, and TAM to enable authentication, mapping, and authorization of an identity in a message flow:

The image is described in the text.

The numbers in the preceding diagram correspond to the following sequence of events:

  1. A message enters a message flow.
  2. A WS-Trust request is issued by the broker, with these properties:
    • RequestType = Validate
    • Identity = Token(s) from input message
    • Issuer = Issuer from input message
    • AppliesTo Address = "Broker.ExecutionGroup.FlowName"
    • PortType = "FlowName"
    • Operation = "MessageFlowAccess"
  3. TFIM selects a module chain to process the WS-Trust request, based on the AppliesTo Address and Issuer properties of the request.
  4. A module chain can perform authentication if it includes a module (such as a UsernameTokenSTSModule or X509STSModule) in validate mode.
  5. A module chain can perform mapping by using an XSLTransformationModule in mapping mode to manipulate the identity information.
  6. A module chain can perform authorization by using an AuthorizationSTSModule in other mode. The module chain must be configured with a Protected Object Root value.
  7. The AuthorizationSTSModule performs the authorization check by making a request to TAM with these properties:
    • Action = "i" (invoke)
    • Action Group = "WebService"
    • Protected Object = "ProtectedObjectRoot.FlowName.MessageFlowAccess"

      where "i" and "WebService" are default values used by an AuthorizationSTSModule, and FlowName and MessageFlowAccess are the PortType and Operation values of the WS-Trust request.

  8. TAM processes the authorization request by:
    1. Finding the Access Control Lists (ACLs) associated with protected object "<ProtectedObjectRoot>.<FlowName>.MessageFlowAccess".
    2. Checking whether or not the ACLs grant action "i" in action group "WebService" to the user (with the user either named directly, or by membership of a named group).
  9. The WS-Trust reply is returned to the broker. If this action is the result of a mapping request, the WS-Trust reply contains the mapped identity token.
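The following is an added example, not IBM code, that models steps 2, 3, 7 and 8 above: the broker's WS-Trust request, TFIM's chain selection by AppliesTo and Issuer, the derivation of the TAM protected object name, and the ACL check. Broker, execution group, flow, issuer and group names are constructed placeholders.

```python
from dataclasses import dataclass

# Defaults an AuthorizationSTSModule uses when it calls TAM (from the page).
TAM_ACTION = "i"             # "invoke"
TAM_ACTION_GROUP = "WebService"

@dataclass(frozen=True)
class WSTrustRequest:
    request_type: str   # always "Validate" for a broker input node
    identity: str       # token(s) taken from the input message
    issuer: str         # issuer taken from the input message
    applies_to: str     # "Broker.ExecutionGroup.FlowName"
    port_type: str      # "FlowName"
    operation: str      # "MessageFlowAccess"

def build_wstrust_request(broker, execution_group, flow_name, token, issuer):
    """Step 2: the single WS-Trust call the broker makes for an input node."""
    return WSTrustRequest("Validate", token, issuer,
                          f"{broker}.{execution_group}.{flow_name}",
                          flow_name, "MessageFlowAccess")

def select_module_chain(chains, req):
    """Step 3: TFIM picks the chain whose AppliesTo and Issuer both match."""
    for applies_to, issuer, chain_name in chains:
        if applies_to == req.applies_to and issuer == req.issuer:
            return chain_name
    return None  # no matching chain: the request cannot be processed

def protected_object_name(protected_object_root, req):
    """Step 7: TAM protected object = Root.PortType.Operation."""
    return f"{protected_object_root}.{req.port_type}.{req.operation}"

def tam_authorize(acls, user, user_groups, protected_object,
                  action=TAM_ACTION, action_group=TAM_ACTION_GROUP):
    """Step 8: grant only if an ACL entry on the protected object names the
    user (or one of the user's groups) with the action in the action group."""
    for principal_type, principal, entry_group, actions in acls.get(protected_object, []):
        named = (principal_type == "user" and principal == user) or \
                (principal_type == "group" and principal in user_groups)
        if named and entry_group == action_group and action in actions:
            return True
    return False

# Constructed sample configuration (hypothetical names, not from the page).
CHAINS = [("BRK1.default.OrderFlow", "urn:example:issuer", "order-chain")]
ACLS = {"WMB.OrderFlow.MessageFlowAccess": [("group", "order-clerks", "WebService", "i")]}

def authorize_sample(user, groups, flow_name="OrderFlow"):
    req = build_wstrust_request("BRK1", "default", flow_name, "<UsernameToken>", "urn:example:issuer")
    if select_module_chain(CHAINS, req) is None:
        return False  # TFIM found no module chain for this AppliesTo/Issuer
    return tam_authorize(ACLS, user, groups, protected_object_name("WMB", req))
```

A user is granted access only when both the chain selection and the ACL check succeed; a flow with no configured chain is refused before TAM is consulted.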

For further information about how to configure TFIM and TAM, see IBM® Security Systems information centers.

Copyright IBM Corporation 1999, 2016.

Last updated: 2016-05-23 14:47:24


Concept topic | Version 8.0.0.7 | ap04041_