A security profile
defines the security operations that are to be performed in a message
flow at SecurityPEP nodes
and security enabled input and output nodes.
Security profiles are configured by the integration administrator
before deploying a message flow, and are accessed by the security
manager at run time.
A security profile allows an integration administrator
to specify whether identity and security token propagation, authentication,
authorization, and mapping are performed on the identity or security
tokens associated with messages in the message flow, and if so, which
external security provider (also known as a Policy Decision Point
or PDP) is used. IBM® Tivoli® Federated Identity Manager
(TFIM) V6.1 and any WS-Trust v1.3 compliant Security Token Service
(STS), including TFIM V6.2, are supported for authentication, authorization,
and mapping. Lightweight Directory Access Protocol (LDAP) is supported
for authentication and authorization, but not for mapping.
Security profiles apply to the SecurityPEP node and to
security enabled input, output, and request nodes. The profile that a node
uses is selected by the administrator at deployment time in the BAR editor. These nodes have
a Security Profile property (in the BAR editor), which can be left
blank, set to No Security, or set to a specific
security profile name. Set No Security to explicitly
turn off security for the message flow node. If you leave the Security
Profile property blank, the node inherits the Security
Profile property that is set at the message flow level.
If you leave the Security Profile property blank
at both levels, security is turned off for the message flow node.
When this property is set to the name of a specific security profile,
that profile determines which security operations are performed at the node.
If the named security profile does not exist in the run time, the
message flow fails to deploy. If the specified external security provider
does not support the type of token configured on the node for the
security operation, an error is reported and the message flow fails
to deploy.
The security profile also specifies whether propagation
is required. A pre-configured profile that specifies propagation is
provided for use by output and request nodes. This profile is the Default
Propagation security profile. This profile can also
be used on an input node to extract tokens and put them into the message
tree ready for propagation or processing in a SecurityPEP node.
Security profiles contain values for the following properties:
- AlternateServers
- Defines the comma-separated list of LDAP servers to fail over to when the primary server is not
available. The list has the following format:
ldap[s]://host1[:port1], ldap[s]://host2[:port2], ldap[s]://host3[:port3]
After failover, the newly connected LDAP server becomes the primary server.
- authentication
- Defines the type of authentication that is performed
on the source identity. This property applies only to SecurityPEP nodes and input
nodes. For more information, see Authentication and validation.
- authenticationConfig
- Defines the information that the integration node needs
to connect to the provider, and the information needed to look up
the identity tokens. It is a provider-specific configuration string.
This property applies only to SecurityPEP nodes and input
nodes.
- mapping
- Defines the type of mapping that is performed on the
source identity. This property applies only to SecurityPEP nodes and input
nodes. For more information, see Identity mapping.
- mappingConfig
- Defines how the integration node connects to the provider,
and contains additional information required to look up the mapping
routine. It is a provider-specific configuration string. This property
applies only to SecurityPEP nodes
and input nodes.
- authorization
- Defines the types of authorization checks that are performed
on the mapped or source identity. This property applies only to SecurityPEP nodes and input
nodes. For more information, see Authorization.
- authorizationConfig
- Defines how the integration node connects to the provider,
and contains additional information that can be used to check access
(for example, a group that can be checked for membership). It is a
provider-specific configuration string. This property applies only
to SecurityPEP nodes
and input nodes.
- passwordValue
- Defines how passwords are treated when they enter a
message flow. If PLAIN is selected, the password
appears in the Properties folder in plain text. If OBFUSCATE is
selected, the password appears in the Properties folder in base64
encoding; base64 is reversible, so this only hides the value from casual reading
and is not a substitute for MASK when no downstream node needs the password. If MASK is selected, the password appears
in the Properties folder as four asterisks (****). This property applies
only to SecurityPEP nodes
and input nodes.
- propagation
- Enables or disables identity propagation on output and request
nodes. On the security enabled input nodes, you can choose to select
only identity propagation, without specifying any other security operations,
to make the extracted incoming identity or security token available
for use in the other nodes in the message flow, such as output or
request nodes. For more information, see Identity and security token propagation.
- idToPropagateToTransport
- Enables the use of a specific security identity for propagation.
Set the value to STATIC ID, and set the security
identity by using the transportPropagationConfig parameter.
- transportPropagationConfig
- Provides a specific security identity to propagate when idToPropagateToTransport is
set to STATIC ID. Set the value to the name
that you associated with the static user name and password identity
when you ran the mqsisetdbparms command.
For more information, see Configuring a message flow for identity propagation.
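The following script is an added example and is not part of the IBM documentation or the product: it provisions an LDAP-backed profile that sets the properties listed above (LDAP authentication and authorization, MASK password handling, propagation enabled, a failover server list, and a static propagation identity) and reads the result back. The node name IBNODE, the profile name LdapProfile, the host names, DNs, user names, the plan/apply arguments and the DRY_RUN convention are placeholders of this example. The layout of the LDAP configuration strings (server, base DN, user-id attribute and search scope for authentication; server and group DN for authorization) and the ldap::<host> and securityIdentity::<name> resource names used with mqsisetdbparms are taken from the product documentation as this editor recalls it and should be checked against the Creating a security profile topic for your version.

```shell
#!/bin/sh
# Added example (not IBM code): provision an LDAP-backed security profile on an
# integration node. Runs in dry-run mode by default and prints the commands.
# Placeholders: node, profile, host names, DNs, identity and user names.

NODE="${NODE:-IBNODE}"
PROFILE="${PROFILE:-LdapProfile}"
LDAP_HOST="ldap1.example.com"
PRIMARY="ldaps://$LDAP_HOST:636"
ALTERNATES="ldaps://ldap2.example.com:636, ldaps://ldap3.example.com:636"
USER_BASE="ou=users,o=example"                 # authentication search base
GROUP_DN="cn=flowusers,ou=groups,o=example"    # group checked for authorization
BIND_DN="cn=binder,o=example"                  # account the node binds with
STATIC_ID="backendId"                          # transportPropagationConfig name
STATIC_USER="svc-backend"                      # user id behind the static identity

# Accept one ldap[s]://host[:port] server reference, as used at the start of
# authenticationConfig, authorizationConfig and each alternateServers entry.
valid_ldap_url() {
    printf '%s' "$1" | grep -Eq '^ldaps?://[A-Za-z0-9._-]+(:[0-9]{1,5})?$'
}

# Check every entry of a comma-separated alternateServers list; fail on the
# first bad entry so a typo cannot silently drop a failover target.
valid_alternates() {
    old_ifs=$IFS; IFS=','
    for entry in $1; do
        entry=$(printf '%s' "$entry" | sed 's/^ *//;s/ *$//')
        valid_ldap_url "$entry" || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Print the command in dry-run mode (default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Same as run, but the final argument (a password) is never echoed.
run_masked() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        n=$#; i=0; shown=''
        for arg in "$@"; do i=$((i + 1)); [ "$i" -lt "$n" ] && shown="$shown $arg"; done
        printf '%s ****\n' "${shown# }"
    else
        "$@"
    fi
}

# One property per mqsichangeproperties call: these values contain commas
# (DNs, server lists) and the -n/-v lists are themselves comma-separated.
set_prop() {
    run mqsichangeproperties "$NODE" -c SecurityProfiles -o "$PROFILE" -n "$1" -v "$2"
}

create_profile() {
    valid_ldap_url "$PRIMARY" || { echo "bad primary LDAP server: $PRIMARY" >&2; return 1; }
    valid_alternates "$ALTERNATES" || { echo "bad alternateServers list: $ALTERNATES" >&2; return 1; }

    # Provider types and simple values first; MASK keeps the password out of
    # the Properties folder, TRUE makes the token available for propagation.
    run mqsicreateconfigurableservice "$NODE" -c SecurityProfiles -o "$PROFILE" \
        -n authentication,authorization,passwordValue,propagation \
        -v LDAP,LDAP,MASK,TRUE

    # LDAP config strings (assumed layout: base DN, user id attribute, scope;
    # group DN for membership checks), failover list and static identity.
    set_prop authenticationConfig "$PRIMARY/$USER_BASE?uid?sub"
    set_prop authorizationConfig "$PRIMARY/$GROUP_DN"
    set_prop alternateServers "$ALTERNATES"
    set_prop idToPropagateToTransport "STATIC ID"
    set_prop transportPropagationConfig "$STATIC_ID"

    # Credentials come from the environment, never from the script. The
    # ldap::<host> and securityIdentity::<name> resource names are assumed
    # from the product documentation; verify them for your version.
    run_masked mqsisetdbparms "$NODE" -n "ldap::$LDAP_HOST" -u "$BIND_DN" -p "${LDAP_BIND_PW:?set LDAP_BIND_PW}"
    run_masked mqsisetdbparms "$NODE" -n "securityIdentity::$STATIC_ID" -u "$STATIC_USER" -p "${STATIC_ID_PW:?set STATIC_ID_PW}"

    # Read the profile back so the deployed values can be reviewed.
    run mqsireportproperties "$NODE" -c SecurityProfiles -o "$PROFILE" -r
}

case "${1:-}" in
    plan)  DRY_RUN=1 create_profile ;;
    apply) DRY_RUN=0 create_profile ;;
esac
```

Run `LDAP_BIND_PW=... STATIC_ID_PW=... sh profile.sh plan` to review the commands with the passwords masked, then `apply` to execute them on the node. Setting each comma-bearing value in its own mqsichangeproperties call avoids any ambiguity with the comma-separated -n/-v lists, and keeping the passwords in the environment means neither the script nor its dry-run output ever carries them.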
For information on configuring a security profile for LDAP, TFIM,
or a WS-Trust v1.3 compliant Security Token Service (STS), see Creating a security profile.