Implementing WS-Security in WebSphere Message Broker


In this post I will describe how to implement web service security in WebSphere Message Broker.

Prerequisites:

  1. Understanding of how to implement a web service in WebSphere Message Broker
  2. Understanding of web service security concepts
  3. Experience using an LDAP server and client

Introduction

By default, when we create and publish a web service, it can be accessed publicly. Sometimes a service must be accessed privately, so that only certain users can reach it, and we also want to make it more secure, with integrity and confidentiality. There are several types of web service security implementation:

  1. authentication, implemented using a user name and password
  2. authorization, implemented using user groups in a user information repository, such as groups in LDAP
  3. integrity, implemented using digital signatures
  4. confidentiality, implemented using encryption

This article focuses on implementing web service security for authentication and authorization. The scenario is explained below.

Case Study

Suppose I have two users in my user directory (user01 and user02). Both users have the same password, `testpw`. I also have a group named `permitted`; user01 is a member of this group but user02 is not. I store all the user information in LDAP (IBM Tivoli Directory Server). I develop BookOrderService, a service that can only be accessed by a user who is registered in my LDAP and is also a member of the permitted group:

  1. authentication: the caller must be a registered user.
  2. authorization: the caller must be a member of the permitted group.

So, when a service consumer invokes the BookOrderService, the SOAP header must contain a user name and password:

<soapenv:Header>
	<wsse:Security
		xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
		<wsse:UsernameToken>
			<wsse:Username
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="unt_907818524">user01</wsse:Username>
			<wsse:Password
				Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testpw</wsse:Password>
		</wsse:UsernameToken>
	</wsse:Security>
</soapenv:Header>

All of the above can be implemented in WebSphere Message Broker using a policy set, a policy set binding, and a security profile. First we define the set of security measures to be applied (user name and password, digital signature, encryption) in a policy set. Then we create a policy set binding for that policy set; the binding attaches the policy set to the broker and to the service implementation. With a policy set, a policy set binding and a security profile, we do not need to implement authentication and authorization logic inside our web service, because the broker does it for us. The same security configuration can also be reused and bound to a new service implementation.

Now, let's try to implement service authentication and authorization in WebSphere Message Broker.

Implementation

Software requirements:

  1. WebSphere Message Broker (WMB), WebSphere Message Broker Toolkit and WebSphere MQ. I use version 7 of all these WebSphere products.
  2. LDAP: I use IBM Tivoli Directory Server installed in my VMware virtual machine.
  3. LDAP client: I use Apache Directory Studio.

Create the LDAP users and group as shown in the picture above:

I use the AddressBook sample for our web service implementation. You can import and deploy the project into your WMB Toolkit by clicking Import and deploy the sample under WebSphere Message Broker Version 7.0.0.0 > Product overview > Samples > Technology Samples > Web services in the toolkit. Then open the mqsi command console and execute the commands below.

Create the security profile named `LDAP`:

mqsicreateconfigurableservice MB7BROKER -c SecurityProfiles -o LDAP -n authentication,authorization,propagation,authenticationConfig,authorizationConfig -v "LDAP,LDAP,TRUE,\"ldap://vmware:389/cn=users, cn=pot, O=IBM,C=US\",\"ldap://vmware:389/cn=permitted, cn=users, cn=pot, O=IBM,C=US\""
mqsireportproperties MB7BROKER -c SecurityProfiles -o LDAP -r

I host LDAP in my VMware virtual machine. ldap://vmware:389/cn=users, cn=pot, O=IBM,C=US is used as the authentication URI, and ldap://vmware:389/cn=permitted, cn=users, cn=pot, O=IBM,C=US is used as the authorization URI, based on the permitted group.

Create the policy set named `fnerble`:

mqsicreateconfigurableservice MB7BROKER -c PolicySets -o fnerble
mqsichangeproperties MB7BROKER -c PolicySets -o fnerble  -n ws-security -p "C:\Program Files\ibm\MQSI\7.0\classes\policy.xml"
mqsireportproperties MB7BROKER -c PolicySets -o fnerble -r

After that, create the policy set binding named `fnerbleBindings`:

mqsicreateconfigurableservice MB7BROKER -c PolicySetBindings -o fnerbleBindings
mqsichangeproperties MB7BROKER -c PolicySetBindings -o fnerbleBindings -n ws-security -p "C:\Program Files\ibm\MQSI\7.0\classes\bindings.xml"
mqsireportproperties MB7BROKER -c PolicySetBindings -o fnerbleBindings -r

Open Message Broker Explorer to view the security profile: click Brokers > right-click MB7BROKER > Properties > select Security > click Security profiles > select LDAP. The LDAP security profile will be the same as the one created by the command above. Then close the security profile window.

Click Policy Sets > expand the policy set bindings and select fnerbleBindings > set its associated policy set to fnerble. Close Message Broker Explorer and return to the Message Broker Toolkit.

Click your project name in the Project Explorer, then create a new Broker Archive > click the BAR file you created before > select Manage > expand AddressBookProviderFlow.cmf > right-click SOAP Input > Configure.

  1. Set policy set: fnerble
  2. Set policy set binding: fnerbleBindings
  3. Set security profile: LDAP

Deploy the BAR file to the broker.

Test

Open AddressBookProviderFlow, right-click SOAP Input > Test.

Open the Configuration tab > select "I will deploy the specified Broker Archive manually" > browse to the BAR file.

When a service consumer wants to consume the service, the broker checks the user name and password, so you must add the user name and password to your SOAP header.

Go back to the Events tab and add the UsernameToken security header to the SOAP header:

<soapenv:Header>
	<wsse:Security
		xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
		<wsse:UsernameToken>
			<wsse:Username
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="unt_907818524">username</wsse:Username>
			<wsse:Password
				Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pass</wsse:Password>
		</wsse:UsernameToken>
	</wsse:Security>
</soapenv:Header>

Test scenarios:

  1. user name: user01, password: testpwx. An error occurs, because the user is not authenticated.
  2. user name: user01, password: testpw. The message returns without any error; the user is authenticated and authorized.
  3. user name: user02, password: testpw. An error occurs, because the user is not authorized.
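The three scenarios above are exactly the two decisions the LDAP security profile makes on the incoming UsernameToken: authentication against the users container and authorization against the permitted group. The following Python is an added example, not code from the original post or from WebSphere Message Broker; it models that processing against a constructed in-memory directory whose DNs mirror the authentication and authorization URIs given earlier. The `uid=` naming of the user entries and the `member` attribute on the group are assumptions about the directory layout, and the three outcome strings are the example's own.

```python
# Added example (not from the original post): a minimal model of what the
# broker does with the WS-Security UsernameToken once the LDAP security
# profile is attached to the SOAP Input node. DIRECTORY is a constructed
# stand-in for the LDAP server; uid= RDNs and the "member" attribute are assumed.
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SOAPENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Base DNs taken from the authenticationConfig / authorizationConfig URIs.
AUTHN_BASE = "cn=users,cn=pot,O=IBM,C=US"
AUTHZ_GROUP = "cn=permitted,cn=users,cn=pot,O=IBM,C=US"

# Constructed directory contents: two users, same password, one group.
DIRECTORY = {
    "uid=user01," + AUTHN_BASE: {"userPassword": "testpw"},
    "uid=user02," + AUTHN_BASE: {"userPassword": "testpw"},
    AUTHZ_GROUP: {"member": ["uid=user01," + AUTHN_BASE]},
}


def extract_username_token(envelope_xml):
    """Return (username, password) from wsse:UsernameToken, or raise ValueError."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE_NS}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in Security header")
    user = token.find(f"{{{WSSE_NS}}}Username")
    pw = token.find(f"{{{WSSE_NS}}}Password")
    if user is None or pw is None or not user.text or pw.text is None:
        raise ValueError("UsernameToken missing Username or Password")
    if pw.get("Type") != PASSWORD_TEXT:
        raise ValueError("only PasswordText tokens are handled by this example")
    return user.text, pw.text


def authenticate(username, password):
    """Authentication: the user entry must exist under AUTHN_BASE with this password."""
    entry = DIRECTORY.get(f"uid={username},{AUTHN_BASE}")
    if entry is None:
        return False
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    return hmac.compare_digest(entry["userPassword"], password)


def authorize(username):
    """Authorization: the user DN must be a member of the permitted group."""
    group = DIRECTORY.get(AUTHZ_GROUP, {})
    return f"uid={username},{AUTHN_BASE}" in group.get("member", [])


def check_request(envelope_xml):
    """Apply the broker's order: authenticate first, then authorize."""
    try:
        username, password = extract_username_token(envelope_xml)
    except ValueError as exc:
        return "rejected: " + str(exc)
    if not authenticate(username, password):
        return "rejected: user not authenticated"
    if not authorize(username):
        return "rejected: user not authorized"
    return "accepted"


def build_envelope(username, password):
    """Build a SOAP envelope carrying the UsernameToken header shown in the post."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAPENV_NS}">
<soapenv:Header>
  <wsse:Security xmlns:wsse="{WSSE_NS}">
    <wsse:UsernameToken>
      <wsse:Username>{escape(username)}</wsse:Username>
      <wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""


if __name__ == "__main__":
    for u, p in [("user01", "testpwx"), ("user01", "testpw"), ("user02", "testpw")]:
        print(f"{u}/{p}: {check_request(build_envelope(u, p))}")
```

Running it reproduces the three outcomes of the test scenarios (not authenticated, accepted, not authorized). Note that the `PasswordText` token type carries the password in clear text inside the SOAP header, so in a real deployment the transport between consumer and broker must be protected (HTTPS), or a digested or signed token type chosen, otherwise the credentials the broker checks are readable on the wire.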

That’s All😀

6 thoughts on “Implementing WS-Security in WebSphere Message Broker”

  1. Angga Lingga February 10, 2010 / 10:44 am

    Ces … this is the same as what we used in level II before, isn't it …
    VisiBroker ???

    What's the difference, ces ???

    Oh yeah ces …
    Which is better, CodeIgniter, Yii or Zend ???

  2. adisembiring February 11, 2010 / 2:24 am

    No, VisiBroker is for CORBA. IBM WebSphere Message Broker is an ESB; inside it you can also deploy web service apps, messaging apps, etc. It integrates with WebSphere MQ.

    I don't really know which is better; I have never compared it with Yii or Zend. But if you want to learn a PHP framework, CI is the right solution. okezone.com was built with CI.

  3. Suchith March 17, 2010 / 4:16 pm

    Can you please share the “policy.xml” and “bindings.xml” files in this blog? What is the significance of these two files in setting up the MB environment with LDAP?

  4. Freight Broker Training September 3, 2010 / 7:18 pm

    Great site. Could have been better if you had included some useful links as well. I'll be viewing your site for further updates.

  5. Cinnamon Tequila August 23, 2013 / 3:34 pm

    These are really great ideas concerning blogging.
    You have touched some nice things here. Anyway keep up
    writing.

  6. dirty jack mobile games April 15, 2014 / 3:40 am

    Howdy, I read your blog occasionally and I own a similar one and I was
    just curious if you get a lot of spam comments? If so how do you prevent it, any plugin
    or anything you can advise? I get so much lately it's
    driving me crazy so any assistance is very much appreciated.
