Configuring the bus-enabled Web services component to access a secure service integration bus

When you install WebSphere® Application Server, security is enabled and every installed service integration bus is secured. Set the minimum security configuration that is required to allow the bus-enabled Web services component to work in a secure service integration bus.

Before you begin

This topic assumes that you have completed all the steps and prerequisites described in Installing the SIBus Web services applications and resources, and that you have created a new endpoint listener configuration for each endpoint listener application that you have installed.

Note: To use bus-enabled Web services when bus security is enabled, your Web services clients must provide suitable credentials when making requests. Your clients can provide credentials either using WS-Security or using HTTP basic authentication, as described in Authenticating Web services clients using HTTP basic authentication. For HTTP basic authentication, application security must also be enabled and, depending on which of these authentication schemes you use, the endpoint listener application must be appropriately configured as described in Password-protecting inbound services. When you use HTTP basic authentication, you map the AuthenticatedUsers role to the special "AllAuthenticatedUsers" group (or to some other suitable authenticated group or user); when you use WS-Security you do not need to map the endpoint listener AuthenticatedUsers role unless Application Security is enabled, in which case you map the AuthenticatedUsers role to the special "Everyone" group. For more information, see Assigning users and groups to roles.

About this task

When security is enabled, WebSphere Application Server and the service integration bus require authentication by user ID and password for the resource adapter and for every endpoint listener that you have installed. To meet this requirement, you configure an authentication alias for the resource adapter and endpoint listeners to use when they communicate with the bus.

To set the minimum security configuration that is required to allow bus-enabled Web services to work in a secure service integration bus, use the administrative console to complete the following steps:

Procedure

  1. In the navigation pane, click Service integration > Buses > [Content Pane] bus_name > J2EE Connector Architecture (J2C) authentication data entries.
  2. Create a J2C authentication alias.
  3. Configure authentication for the resource adapter by completing the following steps:
    1. In the administrative console navigation pane, click Resources > Resource adapters > SIB_RA > J2C activation specification > SIBWS_OUTBOUND_MDB.
    2. In the Authentication alias drop-down list, select the authentication alias that you created.
    3. Click Apply.
  4. Optional: Configure endpoint listener authentication.
    If you configure the endpoint listener authentication property as detailed in this step, messages sent to the bus from the endpoint are always sent under the user ID specified in the property value. If you omit this step, the message is sent to the bus under the ID of the user already authenticated by WebSphere Application Server (for example, if the inbound request contains WS-Security authentication, or if the endpoint is protected). If you omit this step and no authenticated user ID is found, the send fails with the following error:
    CWSIK0018E: Send access to destination <destination> was denied for user with subject <subject>.

    To configure endpoint listener authentication, complete the following steps for every bus that is connected to an endpoint listener:

    1. In the administrative console navigation pane, click one of the following paths:
      • Servers > Application servers > [Content Pane] server_name > Endpoint listeners
      • Servers > Clusters > [Content Pane] cluster_name > Endpoint listeners
      A list of endpoint listeners is displayed in an endpoint listener collection form.
    2. Click the name of an endpoint listener in the list. The current endpoint listener settings for this endpoint listener are displayed.
    3. Under the additional properties heading, click Connection properties. A list of all the service integration buses that are currently connected to this endpoint listener is displayed in a service integration bus connection properties collection form.
    4. Click the name of a bus in the list. A list of custom properties (name and value pairs) for this bus is displayed. These custom properties define the manner in which the endpoint listener connects to this bus.
      Note: The property com.ibm.websphere.sib.webservices.replyDestination defines the reply destination name used by the endpoint listener. Do not modify or remove this property, which is set automatically when the service integration bus is associated with the endpoint listener.
    5. Enter a new custom property. For the property name, type com.ibm.websphere.sib.webservices.EPLAuthAlias. For the property value, type the authentication alias that you created.
  5. Save your changes to the master configuration.
  6. Close the administrative console.
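
To triage the CWSIK0018E failure described in step 4, the following added example (not IBM code) tallies send denials by destination and subject, which shows which endpoint listeners are reaching the bus without a usable identity. The function name, the destination names and the sample log lines are constructed for illustration; only the message template comes from this topic.

```python
import re
from collections import Counter

# Pattern built from the CWSIK0018E message template quoted in step 4.
DENIED = re.compile(
    r"CWSIK0018E: Send access to destination (?P<dest>.+?) "
    r"was denied for user with subject\s*(?P<subject>.*)$"
)


def summarize_send_denials(log_text):
    """Count CWSIK0018E denials per (destination, subject) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        match = DENIED.search(line)
        if match is None:
            continue  # not a send-access denial
        # The message ends with a period; remove it and stray whitespace.
        subject = match.group("subject").strip().rstrip(".").strip()
        # Assumption: how the server renders a missing identity is not
        # stated in this topic, so an empty subject is reported as-is.
        counts[(match.group("dest"), subject or "(empty)")] += 1
    return counts


# Constructed sample lines (hypothetical destinations and subjects).
SAMPLE_LOG = """\
[constructed] CWSIK0018E: Send access to destination OrderService.In was denied for user with subject alice.
[constructed] unrelated line that must be ignored
[constructed] CWSIK0018E: Send access to destination OrderService.In was denied for user with subject alice.
[constructed] CWSIK0018E: Send access to destination QuoteService.In was denied for user with subject .
"""

if __name__ == "__main__":
    for (dest, subject), n in summarize_send_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  destination={dest}  subject={subject}")
```

A destination that appears only with an empty subject points to an endpoint listener that has neither an EPLAuthAlias property nor an authenticated inbound user.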

What to do next

You are now ready to configure Web services for a service integration bus.




Last updated: Sep 20, 2010 10:03:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=tjw_security_install
File name: tjw_security_install.html