Tuesday, 19 August 2014

Using LDAP Authentication in WMB-Part1

LDAP is hierarchical structure.Read is fast in LDAP.Hence it is suitable for storing data related to organisation and relationship.
Database is Flatfile.Write is fast.
What is the Protocol used for Authorisation? –LDAP
What is the Protocol used for Authentication? -Kerberos

 whats the relation between LDAP vs Kerberos ?
 Two _completely_ different protocols/systems. 
In short and generalized: LDAP is for AUTHORIZATION (access rules) 
 and Kerberos is for AUTHENTICATION (verify password). 

Lets say we need to have many users under  User group.
·         First download Apache Directory Studio
·         Start the Apache Server in Apache DS Eclipse
·         Right click on the Server and choose Create a connection
·         Right click on ou=system and  create Organisational Unit as ou=ibm
·         Right click on ou=ibm and  create Organisational Unit as ou=users
·         Now rightclick ou=users and create user using inetOrgPerson by cn=wmbuser1

What's an inetOrgPerson object?

The inetOrgPerson object class is a general purpose object class that
holds attributes about people. The attributes it holds were chosen
to accommodate information requirements found in typical Internet and
Intranet directory service deployments.
An inetOrgPerson can contain a user id (uid) and password (userPassword) which will be useful later for authenticating users from using LDAP.

·         Create two new attributes such as uid and userPassword for the user newly created

·         Now,to create Authorisation groups,right click on ou=users(you can even create a new organisational unit such as ou=group).
·         Choose groupofnamesand give cn=authorised.
·         Choose the member as wmbuser1 for the group cn=authorised



Creating Security Profiles in Message broker explorer
·         Right click on Broker name.And choose Properties.
·         In the Properties window,choose Security and Policy
·         Then choose,Security Policy
·         Fill up the below highlighted areas
·         For Authentication config :- (Right click on Users in Apache LDAP and get the baseDN from the properties window)
LDAP baseDN=ou=users,ou=ibm,ou=system”
·         For Authorisation group baseDN config :- (Right click on authorisation group name in Apache LDAP and get the baseDN from the properties window)
LDAP group baseDN=”cn=authorized,ou=users,ou=ibm,ou=system”

Once the security profile is configured,use the below command to check the Security profile configured details.

mqsireportproperties <BrokerName> -c SecurityProfiles -o <SecurityProfileName> –r

mqsireportproperties RadBRK1 -c SecurityProfiles -o LDAPSP -r

One last point to be noted is,if you have setup your LDAP server to accept anonymous connection,then the below command can be executed.

mqsisetdbparms RadBRK1 -n ldap::localhost  -u anonymous

Enter password for user ID

Retype password for user ID.

BIP8071I: Successful command completion.


If not,then use the binding userid and password
mqsisetdbparms RadBRK1 -n ldap::localhost -u "uid=admin,ou=system" -p secret
Makesure that you use correct password for this binding userid .Otherwise WMB cannot connect to the LDAP server and binding related errors will be thrown.
How can you ensure that you use correct username and password for binding?
Verify password once by right clicking on the LDAP Connection,

Sometimes,if you feel that the previous security settings not cleared properly,then use the below command to clear the cache.
C:\Program Files\IBM\MQSI\9.0.0.1>mqsireloadsecurity  RadBRK1
BIP1026I: Modifying the security cache of broker 'RadBRK1' execution group 'defa
ult'...
BIP8071I: Successful command completion.

Using Security in HTTP nodes (Simple flow):

Identity Propagation

There are many ways to propagate Identity from client flow.
1.     Using tools like SOAPUI
At Client side - Use SOAPUI tool and use HTTPAuthentication headers as below
There is a tab named “Authentication and Security-related Settings”.Choose “Preemptive” and provide the user id and password to pass the Authentication headers in the message.
Identity Extraction
(Identity Extraction is only for Input nodes)
At Server side – HTTPInput node should be selected with “Transport Default” for Identity Token type.
·         If Identity token type is chosen as “Transport Default”,then the user name and password are extracted from the HTTP header.

2.     Using Static Security Profile from Broker Registry and setting this Security Profile  in HTTPRequest node Security Profile Property

3.     Using the Username and Password credentials directly in Compute node esql by base64encoding

4.     By setting  OutputRoot.Properties IdentitySourceType, IdentitySourceToken, IdentitySourcePassword.

I have explained how to setup Security in details for the above said methods in my earlier post.

Using Security Profiles:

If “Default Propagation” is chosen in Security Profile of Input nodes:
Enables or disables identity propagation on input,output and request nodes. On the security enabled input nodes, you can choose to select only identity propagation, without specifying any other security operations(Authorisations), to make the extracted incoming identity or security token available for use in the other nodes in the message flow, such as output or request nodes. 

In this example,let me show you how to use Security related operations in the Input side by having the Security Profile at the Input node of a simple flow as below :-

In the bar file,mention the SecurityProfile name we have created earlier,
As I am passing wrong user id and password “mqbrkrs” and “mqbrkrs” in the SOAPUI Request,it is failing as below

Now when I am using correct userid “wmbuser1” and its password “pass” which is configured in LDAP ,then I am getting proper results.

REF:
How to create connection in LDAP?
Using Security profiles in Message Broker: