Configuring a message flow for identity propagation
To enable a message flow to perform identity propagation, the input node must extract the identity from the incoming message (from its transport headers or its body) and the output node must propagate it. If the extracted identity does not contain enough information for the output node to propagate (for example, the target requires a password but the input carried only a user name), you can provide the identity to propagate yourself.
Before you can configure a message flow to perform identity propagation, you must check that an appropriate security profile exists, or create a new security profile. See Creating a security profile.
For a SOAPRequest or SOAPAsyncRequest node, you can define an appropriate policy set and bindings to specify how the propagated identity is placed in the WS-Security header (rather than the underlying transport headers). For more information, see Policy sets.
On SOAPRequest and SOAPAsyncRequest nodes, only Username and SAML tokens can be propagated. However, on the SOAPRequest and SOAPAsyncRequest nodes with a Kerberos policy set and bindings, a Username and password token can be propagated into the node to provide the Kerberos client credentials.
For the SAPRequest node, you can propagate only the user name and password. For the CICSRequest and IMSRequest nodes, you can propagate the user name, or the user name and password.
Enabling identity propagation
To enable a message flow to perform identity propagation, complete the following steps.
- In the Broker Development view, right-click the BAR file, then click .
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
- In the Security Profile Name field, select a security profile that has identity propagation enabled.
- Save the BAR file.
Alternatively, set the security profile on a node in the BAR file from the command line by using the mqsiapplybaroverride command:
mqsiapplybaroverride -b barFileName -k applicationName -m flowName#nodeName.securityProfileName=securityProfileName
For more information, see mqsiapplybaroverride command.
Providing the identity to propagate
For information about the identity tokens that you can propagate with each node type, see Identity and security token propagation.
- Use information that is in the message body. For example, if the message comes from WebSphere MQ with only a Username token, and the output is an HTTPRequest node that requires a Username and password token, the password might be present in the body of the incoming message. For more information, see Configuring the extraction of an identity or security token.
- Configure an identity mapper by using IBM Tivoli Federated Identity Manager. For more information, see the IBM Tivoli Federated Identity Manager Information Center.
- Use ESQL or Java to set the Mapped Identity fields in the Properties tree.
- Configure a static user name and password identity by completing the following steps:
  - Run the mqsisetdbparms command:
    mqsisetdbparms integrationNodeName -n securityIDName -u username -p password
    Where securityIDName is a name to associate with the static user name and password identity, and username and password are the identity credentials that you want to use. For more information, see mqsisetdbparms command.
  - Create a SecurityProfiles configurable service that sets the property values listed in the following table:
    Property                     Value
    propagation                  TRUE
    idToPropagateToTransport     STATIC ID
    transportPropagationConfig   securityIDName
    Where securityIDName is the name that you associated with the static user name and password identity in the mqsisetdbparms command. For example, if you use the command line, run the following command:
    mqsicreateconfigurableservice BrokerName -c SecurityProfiles -o securityProfileName -n "propagation,idToPropagateToTransport,transportPropagationConfig" -v "TRUE,STATIC ID,securityIDName"
    For more information, see mqsicreateconfigurableservice command.
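The following ESQL is an added example, not code from the original page or from IBM; it combines two of the options above, "use information that is in the message body" and "use ESQL or Java to set the Mapped Identity fields in the Properties tree", in one Compute node placed between an MQInput node and an HTTPRequest node. The input message carries only a Username token, and the password the HTTPRequest node needs is in the body. The body layout (XMLNSC, Order/Auth/Password), the module name, and the IdentityMappedType value 'usernameAndPassword' are assumptions for the example; the Properties fields IdentitySourceToken, IdentityMappedType, IdentityMappedToken and IdentityMappedPassword are the standard identity fields of the Properties tree. Unlike the page's own extraction option, which configures the input node's security properties, this does the extraction in ESQL so the flow can also fail closed and scrub the credential from the forwarded payload.

```esql
-- Added example (not from the original page): build a Username and password
-- mapped identity for an HTTPRequest node from an MQ input that carried only
-- a Username token, taking the password from the message body.
-- ASSUMED (not from the page): XMLNSC body <Order><Auth><Password>...</Password></Auth>...</Order>,
-- and 'usernameAndPassword' as the mapped token type.
CREATE COMPUTE MODULE MapMqIdentityToHttp_Compute
	CREATE FUNCTION Main() RETURNS BOOLEAN
	BEGIN
		-- Copy every header folder (Properties, MQMD, ...) except the body.
		CALL CopyMessageHeaders();
		-- Copy the body separately so that it can be edited below.
		SET OutputRoot.XMLNSC = InputRoot.XMLNSC;

		-- The user name was extracted by the input node's security profile.
		DECLARE userName CHARACTER InputRoot.Properties.IdentitySourceToken;
		-- The password is only available in the application payload.
		DECLARE pwd CHARACTER InputRoot.XMLNSC.Order.Auth.Password;

		-- Fail closed: never forward with an empty identity or empty password,
		-- otherwise the HTTPRequest node would send a useless or misleading credential.
		IF userName IS NULL OR userName = '' THEN
			THROW USER EXCEPTION CATALOG 'BIPmsgs' MESSAGE 2951
				VALUES ('No source identity on incoming message; refusing to propagate');
		END IF;
		IF pwd IS NULL OR pwd = '' THEN
			THROW USER EXCEPTION CATALOG 'BIPmsgs' MESSAGE 2951
				VALUES ('No password in message body for user', userName);
		END IF;

		-- Mapped Identity fields: the security profile on the HTTPRequest node
		-- (propagation enabled) reads these and places them in the HTTP request.
		SET OutputRoot.Properties.IdentityMappedType     = 'usernameAndPassword';  -- assumed value
		SET OutputRoot.Properties.IdentityMappedToken    = userName;
		SET OutputRoot.Properties.IdentityMappedPassword = pwd;

		-- Scrub the credential from the payload so it travels only as the
		-- identity, not a second time in clear in the body.
		DELETE FIELD OutputRoot.XMLNSC.Order.Auth;

		RETURN TRUE;
	END;

	-- Standard header-copy loop: copies all children of Root except the last
	-- one, which is the message body.
	CREATE PROCEDURE CopyMessageHeaders() BEGIN
		DECLARE I INTEGER 1;
		DECLARE J INTEGER;
		SET J = CARDINALITY(InputRoot.*[]);
		WHILE I < J DO
			SET OutputRoot.*[I] = InputRoot.*[I];
			SET I = I + 1;
		END WHILE;
	END;
END MODULE;
```

For this to take effect, the HTTPRequest node downstream still needs a security profile with propagation enabled (the "Enabling identity propagation" steps above); without it the Mapped Identity fields are ignored. The password is held in clear in the Properties tree and is sent as an HTTP credential, so the HTTPRequest node should be targeting an HTTPS URL, and the exception branch is deliberately an exception rather than a silent RETURN FALSE so the failure is visible in the flow's error handling.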