WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
See information about the latest product version
Creating a security profile for WS-Trust V1.3 (TFIM V6.2)
You can create a security profile for a WS-Trust V1.3 compliant Security Token Server (STS), for example, Tivoli® Federated Identity Manager (TFIM) V6.2, for any combination of the following security operations: authentication, authorization, and mapping.
You can use either the mqsicreateconfigurableservice command or an editor in the WebSphere® Message Broker Explorer to create the security profile:
Creating a profile using mqsicreateconfigurableservice
To create a security profile that uses a WS-Trust V1.3 compliant Security Token Server (STS), you can use the mqsicreateconfigurableservice command, setting the mappingConfig property to the full URL of the STS. The URL must consist of the transport scheme, host name, port, and path. For the TFIM V6.2 WS-Trust V1.3 endpoint, the path is /TrustServerWST13/services/RequestSecurityToken. For example:
http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
To create a security profile that uses WS-Trust v1.3 for mapping, enter the following command:
mqsicreateconfigurableservice brokername -c SecurityProfiles
-o profilename -n mapping,mappingConfig
-v "WS-Trust v1.3 STS",http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
If the URL begins with https://, an SSL-secured connection is used for requests to the WS-Trust v1.3 server. With http://, the requests, including the identity and any tokens they carry, cross the network in clear, so use https:// wherever the STS supports it. For example, to create a security profile that uses an HTTPS connection to WS-Trust v1.3 for mapping, enter the following command:
mqsicreateconfigurableservice brokername -c SecurityProfiles
-o profilename -n mapping,mappingConfig
-v "WS-Trust v1.3 STS",https://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
In addition to specifying the security profile URL as an
address beginning with https://, you can configure
the following advanced parameters, by setting broker environment variables:
- MQSI_STS_SSL_PROTOCOL
- The version of the SSL protocol to be used. Valid values are:
- SSL
- SSLv3
- TLS
- Set TLS unless the STS cannot negotiate it: SSLv3 is obsolete (RFC 7568), and the SSL and SSLv3 settings permit it.
- MQSI_STS_SSL_ALLOWED_CIPHERS
- A space-separated list of the encryption ciphers that can be used. For a list of all the cipher suites that are supported by WebSphere Message Broker, see the Java™ product information for your operating system. For operating systems that use IBM® Java, see Appendix A of the IBM JSSE2 Guide: http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html
- MQSI_STS_REQUEST_TIMEOUT
- The STS request timeout, in seconds. The default is 100. For information about providing environment variables to the broker, see Setting up a command environment.
If WS-Trust v1.3 STS is selected for more than one operation (for example, for authentication and mapping), the WS-Trust v1.3 server URL must be identical for all the operations, and is therefore specified only once.
The following example creates a security profile that uses TFIM V6.2 for authentication, mapping, and authorization, and also enables identity propagation (propagation,TRUE):
mqsicreateconfigurableservice MYBROKER -c SecurityProfiles -o MyWSTrustProfile
-n authentication,mapping,authorization,propagation,mappingConfig
-v "WS-Trust v1.3 STS","WS-Trust v1.3 STS","WS-Trust v1.3 STS",TRUE,http://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
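As an added example that is not part of the product documentation, the following POSIX shell script assembles and checks the mqsicreateconfigurableservice invocation described above, and validates the MQSI_STS_* environment described in the previous section, before anything is issued on a broker host. It enforces the rules the page states (scheme, host name, port and path in the URL; one URL for every operation) and refuses plain http unless explicitly allowed. The broker name MYBROKER, the profile name MyWSTrustProfile, the STS host stsserver.mycompany.com, the cipher suite name and the 30-second timeout are placeholder assumptions; the script prints the command rather than running it, so it can be reviewed first.

```shell
#!/bin/sh
# Added example; not code from the WebSphere Message Broker documentation.
# Checks the inputs for a WS-Trust v1.3 STS security profile, prints the
# mqsicreateconfigurableservice command, and exports the STS SSL environment.
# Assumptions: MYBROKER, MyWSTrustProfile, stsserver.mycompany.com, the cipher
# suite name and the timeout below are placeholders.

# Path of the TFIM V6.2 WS-Trust 1.3 endpoint (adjust for another STS).
TFIM_WST13_PATH=/TrustServerWST13/services/RequestSecurityToken

# Return 0 if the URL carries scheme, host name, port and the expected path.
validate_sts_url() {
    case $1 in
        http://*/*|https://*/*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}
    hostport=${rest%%/*}
    path=/${rest#*/}
    host=${hostport%%:*}
    port=${hostport#*:}
    [ -n "$host" ] || return 1
    [ "$hostport" != "$host" ] || return 1        # the port is mandatory
    case $port in ''|*[!0-9]*) return 1 ;; esac   # and must be numeric
    [ "$path" = "$TFIM_WST13_PATH" ] || return 1
    return 0
}

# Print the command for the given operations (authentication, authorization,
# mapping). A single URL serves all of them, as the product requires. Plain
# http is refused unless STS_ALLOW_HTTP=1, because identities and tokens
# would otherwise cross the network in clear.
sts_profile_cmd() {
    broker=$1; profile=$2; url=$3; shift 3
    validate_sts_url "$url" || { echo "invalid STS URL: $url" >&2; return 1; }
    case $url in
        https://*) ;;
        *) [ "${STS_ALLOW_HTTP:-0}" = 1 ] ||
               { echo "refusing plain http to the STS: $url" >&2; return 1; } ;;
    esac
    [ $# -gt 0 ] || { echo "no security operations given" >&2; return 1; }
    names=; values=
    for op in "$@"; do
        case $op in
            authentication|authorization|mapping) ;;
            *) echo "unknown security operation: $op" >&2; return 1 ;;
        esac
        names=${names:+$names,}$op
        values=${values:+$values,}'"WS-Trust v1.3 STS"'
    done
    printf '%s\n' "mqsicreateconfigurableservice $broker -c SecurityProfiles -o $profile -n $names,mappingConfig -v $values,$url"
}

# Validate and export the STS connection environment for the broker.
# Arguments: protocol (SSL, SSLv3 or TLS), space-separated cipher suites,
# request timeout in seconds. SSL and SSLv3 permit the obsolete SSLv3
# protocol (RFC 7568), so they are accepted only with a warning.
sts_ssl_env() {
    proto=$1; ciphers=$2; timeout=$3
    case $proto in
        TLS) ;;
        SSL|SSLv3) echo "warning: $proto permits SSLv3; prefer TLS" >&2 ;;
        *) echo "unsupported MQSI_STS_SSL_PROTOCOL: $proto" >&2; return 1 ;;
    esac
    [ -n "$ciphers" ] || { echo "empty cipher list" >&2; return 1; }
    case $timeout in
        ''|*[!0-9]*|0) echo "timeout must be a positive integer" >&2; return 1 ;;
    esac
    MQSI_STS_SSL_PROTOCOL=$proto
    MQSI_STS_SSL_ALLOWED_CIPHERS=$ciphers
    MQSI_STS_REQUEST_TIMEOUT=$timeout
    export MQSI_STS_SSL_PROTOCOL MQSI_STS_SSL_ALLOWED_CIPHERS MQSI_STS_REQUEST_TIMEOUT
}

# Stand-alone run with the assumed values: exports the environment and prints
# the command that would be issued (cipher name is an example only; check the
# JSSE documentation for the names your Java supports).
STS_URL=https://stsserver.mycompany.com:9080/TrustServerWST13/services/RequestSecurityToken
sts_ssl_env TLS "TLS_RSA_WITH_AES_128_CBC_SHA" 30 &&
    sts_profile_cmd MYBROKER MyWSTrustProfile "$STS_URL" authentication mapping authorization
```

Because the environment variables are read when the broker starts, source the script (or run the exports) in the same command environment from which mqsistart is issued; an https URL in the profile alone does not set the protocol or cipher restrictions.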
Creating a profile using the WebSphere Message Broker Explorer
You can use the WebSphere Message Broker Explorer to create a security profile for using WS-Trust v1.3.