Extending the Security Policy Enforcement Point (PEP) sample
This sample uses broker flows that emulate the operation of a Security Token Service (STS). A true security implementation depends on an external, centralised security provider for authentication, authorization, and mapping. You can extend the sample to enforce security by using your own security provider, for example TFIM V6.2.
To extend the sample to work with TFIM V6.2, complete the tasks below. For detailed information about configuring the broker to work with TFIM V6.2, read the topics listed at the end of this page in the WebSphere Message Broker documentation.
For security operations at the HTTP_ID HTTPInput node:
- Create a security profile with the following properties:
  - authentication = "WS-Trust v1.3 STS"
  - authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
- On TFIM v6.2, create a trust chain with the following properties:
  - Request Type : "Validate Oasis URI"
  - AppliesTo : http://localhost:7080/SecurityPEPNodeSample/ProcessMsgWithIdentity
  - Issuer : "Issuer1"
  - Token Type : "Username"
  - Module :
    - UsernameTokenSTSModule
      - Mode : Validate
For security operations at the PEP_UP_A1A2 SecurityPEP node:
- Create a security profile with the following properties:
  - authentication = "WS-Trust v1.3 STS"
  - authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
  - authorization = "WS-Trust v1.3 STS"
  - authorizationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
- On TFIM v6.2, create a trust chain with the following properties:
  - Request Type : "Validate Oasis URI"
  - AppliesTo : PEP_UPA1A2
  - Issuer : REGEXP:(.*)
  - Token Type : "Username"
  - Modules :
    - UsernameTokenSTSModule
      - Mode : Validate
    - Default Map module with XSLT ContextAttributes_TAMAuthorization.xsl in the SecurityPEPNodeSampleApplicationProject/XSL folder
      - Mode : map
    - Mode : authorize
For security operations at the PEP_MAPUP->SAML2.0 SecurityPEP node:
- Create a security profile with the following properties:
  - mapping = "WS-Trust v1.3 STS"
  - mappingConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
- On TFIM v6.2, create a trust chain with the following properties:
  - Request Type : "Issue Oasis URI"
  - AppliesTo : PEP_UP2SAML2
  - Issuer : Issuer1
  - Token Type : "Username"
  - Modules :
    - Default Map module with XSLT Map_UP2SAML2.xsl in the SecurityPEPNodeSampleApplicationProject/XSL folder
      - Mode : map
    - Mode : issue
For security operations at the SecurityPEP node in the Web service flow:
- Create a security profile with the following properties:
  - authentication = "WS-Trust v1.3 STS"
  - authenticationConfig = "http://{tfimv6.2hostname}:9080/TrustServerWST13/services/RequestSecurityToken"
- On TFIM v6.2, create a trust chain with the following properties:
  - Request Type : "Validate Oasis URI"
  - AppliesTo : urn:MB8BROKER.default.SecurityPEPNodeReportFlow
  - Issuer : REGEXP:(.*)
  - Token Type : "SAML 2.0"
  - Module :
    - Default SAML 2.0 Token
      - Mode : Validate
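The four trust chains above are selected by the STS from four fields of each WS-Trust 1.3 RequestSecurityToken (RST) that the broker sends: the request type, the AppliesTo address, the issuer, and the token type. The following added example (constructed for this page; it is neither TFIM nor WebSphere Message Broker code) builds the RST for each node, parses the four fields back out, and looks them up in a chain table copied from the page. The lookup rules (exact match, or the page's REGEXP: prefix meaning a regular expression that must match the whole value) are an assumed simplification of TFIM's chain selection; the OASIS request-type and token-type URIs are the standard WS-Trust 1.3 and WSS token-profile values. It also shows the practical difference between the chains that pin Issuer to "Issuer1" and those that use REGEXP:(.*): the latter accept a token from any issuer, so the token's own validation, not the chain match, is all that stands between the caller and the flow.

```python
"""Model of the four TFIM trust chains that this page configures.

Constructed example, not TFIM or WebSphere Message Broker code.  The chain
table is copied from the page; the lookup rules are an assumed simplification.
"""
import re
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"       # wsp:AppliesTo
WSA = "http://www.w3.org/2005/08/addressing"               # wsa:Address
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")      # wsse:UsernameToken

# OASIS URIs behind the "Request Type" and "Token Type" labels used on the page.
REQUEST_TYPE_URI = {"Validate": WST + "/Validate", "Issue": WST + "/Issue"}
TOKEN_TYPE_URI = {
    "Username": ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#UsernameToken"),
    "SAML 2.0": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
}

# (request type, AppliesTo, Issuer, token type) -> chain label.  Values from the page;
# the labels are ours.
TRUST_CHAINS = [
    (("Validate", "http://localhost:7080/SecurityPEPNodeSample/ProcessMsgWithIdentity",
      "Issuer1", "Username"), "HTTP_ID authentication"),
    (("Validate", "PEP_UPA1A2", "REGEXP:(.*)", "Username"),
     "PEP_UP_A1A2 authentication/authorization"),
    (("Issue", "PEP_UP2SAML2", "Issuer1", "Username"), "PEP_MAPUP->SAML2.0 mapping"),
    (("Validate", "urn:MB8BROKER.default.SecurityPEPNodeReportFlow", "REGEXP:(.*)", "SAML 2.0"),
     "Web service flow SAML validation"),
]


def build_rst(request_type, applies_to, issuer, token_type, username=None):
    """Serialise a WS-Trust 1.3 RST carrying the four chain-selection fields.

    For a Validate request with a Username token the token to check is placed in
    wst:ValidateTarget (password handling deliberately omitted).  A SAML assertion
    would go in the same place; for Issue the input token travels in the
    WS-Security header and is not modelled here.
    """
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = REQUEST_TYPE_URI[request_type]
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = TOKEN_TYPE_URI[token_type]
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"),
                        f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    ET.SubElement(ET.SubElement(rst, f"{{{WST}}}Issuer"), f"{{{WSA}}}Address").text = issuer
    if request_type == "Validate" and token_type == "Username" and username is not None:
        target = ET.SubElement(rst, f"{{{WST}}}ValidateTarget")
        ut = ET.SubElement(target, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    return ET.tostring(rst)


def parse_rst(xml_bytes):
    """Extract (request type label, AppliesTo, Issuer, token type label) from an RST."""
    rst = ET.fromstring(xml_bytes)
    uri_to_request = {v: k for k, v in REQUEST_TYPE_URI.items()}
    uri_to_token = {v: k for k, v in TOKEN_TYPE_URI.items()}
    return (
        uri_to_request.get(rst.findtext(f"{{{WST}}}RequestType")),
        rst.findtext(f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address"),
        rst.findtext(f"{{{WST}}}Issuer/{{{WSA}}}Address"),
        uri_to_token.get(rst.findtext(f"{{{WST}}}TokenType")),
    )


def _field_matches(pattern, value):
    """Exact match, unless the chain property uses the page's REGEXP: prefix."""
    if pattern.startswith("REGEXP:"):
        return re.fullmatch(pattern[len("REGEXP:"):], value or "") is not None
    return pattern == value


def select_chain(fields):
    """Return the label of the first chain whose four properties match, else None."""
    req, applies_to, issuer, token = fields
    for (c_req, c_applies, c_issuer, c_token), label in TRUST_CHAINS:
        if (c_req == req and c_token == token
                and _field_matches(c_applies, applies_to)
                and _field_matches(c_issuer, issuer)):
            return label
    return None


def chain_for(request_type, applies_to, issuer, token_type, username=None):
    """Build the RST the broker would send, then resolve it to a trust chain."""
    return select_chain(parse_rst(build_rst(request_type, applies_to, issuer,
                                            token_type, username)))


if __name__ == "__main__":
    for node_fields in (f for f, _ in TRUST_CHAINS):
        print(node_fields[1], "->", chain_for(*node_fields))
    # An RST for the HTTP_ID AppliesTo from an issuer other than Issuer1 matches no chain.
    print("foreign issuer at HTTP_ID ->",
          chain_for("Validate", TRUST_CHAINS[0][0][1], "Other", "Username", "alice"))
```

Run it stand-alone to see each AppliesTo resolve to its chain. The Issuer check is the one to watch when adapting this to a real deployment: PEP_UPA1A2 and the report flow are matched with REGEXP:(.*), so a request from any issuer reaches those chains and only the token module decides whether it is accepted.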
For instructions and more information, see Setting up message flow security and Message flow security overview in the WebSphere Message Broker documentation.