In this article I describe how to implement message-level security for SOAP web services in IIB/WMB using x509v3 certificates.
You can extend and customize this implementation to meet your needs.
Here I will cover both scenarios:
-- Invoking a SOAP WS-Security web service
-- Exposing a SOAP WS-Security web service
We can implement authentication/authorization, message integrity using digital signatures, and message confidentiality using encryption/decryption. HTTPS secures the web service message only in transit, hop by hop; WS-Security secures the SOAP message itself, so the signature (and encryption) survives intermediaries and stays with the message once it is stored. I will cover the HTTPS implementation in a separate post.
In this article I cover authentication/authorization and message integrity using digital signatures. In the same way, you can configure message confidentiality using encryption/decryption.
Environment:
-- WMB/IIB v7, 8, 9
-- Linux
-- x509v3 certificates

Contents:
-- IIB KeyStore
-- IIB TrustStore
-- Creating KeyStore and TrustStore
-- Import Applications' Public Keys in TrustStore
-- Configuring the broker/integration node with the KeyStore and TrustStore
-- Creating policy set
-- Creating policy set binding
-- Commands for exporting/importing policy sets and bindings from one broker to another
Message flow exposed as a web service
Provider:
In this scenario a SOAP web service flow is exposed at IIB.
Scenario: The application invoking the IIB web service signs its request with its own private key. IIB verifies that signature using the application's certificate (public key), which must be present in the integration node's trust store; a request whose signature does not verify against a trusted certificate is rejected. The IIB flow signs the response with IIB's private key, and the calling application verifies that signature with IIB's public certificate.

IIB message flow invokes a WS-Security web service:
Consumer:
In this scenario the IIB message flow acts as a web service consumer. The request message that IIB sends to the application's web service is signed with IIB's private key. The application verifies the signature and signs its response with its own private key; the IIB message flow then verifies the signature on the response.
IIB KeyStore
The KeyStore holds IIB's private key and its x509v3 certificate. Specify the path for the KeyStore, for example:
/ESB/wmb/wssecurity/KeyStore.jks
IIB TrustStore
The TrustStore holds the public certificates of the partner applications and the CA certificates that issued them; it must never contain a private key. Specify the path for the TrustStore, for example:
/ESB/wmb/wssecurity/TrustStore.jks
Creating KeyStore and TrustStore
-- Run the ikeyman tool shipped under the WebSphere Message Broker/IIB product install directory (ikeyman.exe on Windows, ikeyman on Linux).
-- Click Key Database File and select New to create a keystore named keyStore and a truststore named trustStore for the web service provider. Provide the file name and location, and make sure that the key database type is JKS, as shown in the figure.
Import IIB x509v3 Private Key in KeyStore
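The same keystore and truststore can be built from the command line with the JDK's keytool, which is easier to script and review than the ikeyman GUI. The script below is an added example and is not code from the original article: the aliases (iibkey, partnerapp), distinguished names, directory and passwords are placeholders, and the self-signed certificates stand in for the CA-issued x509v3 certificates you would use in practice (for those, also import the issuing CA chain into the truststore). It covers both steps, importing IIB's private key into the KeyStore and the applications' public certificates into the TrustStore, and finishes with the two checks worth running before the broker is pointed at the files.

```shell
#!/bin/sh
# Added example, not from the original article: build the IIB KeyStore and
# TrustStore with keytool. Aliases, DNs, paths and passwords are placeholders;
# the self-signed certificates stand in for CA-issued x509v3 certificates.
set -e

WSSEC_DIR="${WSSEC_DIR:-/ESB/wmb/wssecurity}"

# make_stores DIR KEYSTORE_PASS TRUSTSTORE_PASS
make_stores() {
  dir="$1"; ks_pass="$2"; ts_pass="$3"
  mkdir -p "$dir"

  # 1. IIB's own RSA key pair and certificate. The private key lives only here.
  keytool -genkeypair -alias iibkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=iib-node, O=ESB, C=US" -validity 365 \
    -keystore "$dir/KeyStore.jks" -storetype JKS -storepass "$ks_pass" -keypass "$ks_pass"

  # 2. Stand-in for the partner application's certificate. In production you
  #    receive partner-app.pem from the partner; you never receive its private key.
  keytool -genkeypair -alias partnerapp -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=partner-app, O=Partner, C=US" -validity 365 \
    -keystore "$dir/partner-tmp.jks" -storetype JKS -storepass changeit -keypass changeit
  keytool -exportcert -rfc -alias partnerapp -keystore "$dir/partner-tmp.jks" \
    -storepass changeit -file "$dir/partner-app.pem"
  rm -f "$dir/partner-tmp.jks"

  # 3. Partner certificate -> TrustStore.jks (a trustedCertEntry, nothing else).
  keytool -importcert -noprompt -alias partnerapp -file "$dir/partner-app.pem" \
    -keystore "$dir/TrustStore.jks" -storetype JKS -storepass "$ts_pass"

  # 4. IIB's certificate, for the partner to put in *their* truststore.
  keytool -exportcert -rfc -alias iibkey -keystore "$dir/KeyStore.jks" \
    -storepass "$ks_pass" -file "$dir/iib-node.pem"

  # The keystore holds a private key: restrict it to the broker's service user.
  chmod 600 "$dir/KeyStore.jks"
}

# keystore_has_private_key STORE PASS ALIAS: true when ALIAS is a PrivateKeyEntry.
keystore_has_private_key() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" | grep -q PrivateKeyEntry
}

# truststore_private_key_count STORE PASS: number of private keys in a store.
# Must be 0 for a truststore, which is typically copied to many hosts.
truststore_private_key_count() {
  keytool -list -keystore "$1" -storepass "$2" | grep -c PrivateKeyEntry || true
}

# Usage: KEYSTORE_PASS=... TRUSTSTORE_PASS=... WSSEC_APPLY=1 sh make_stores.sh
if [ "${WSSEC_APPLY:-0}" = "1" ]; then
  make_stores "$WSSEC_DIR" "$KEYSTORE_PASS" "$TRUSTSTORE_PASS"
  keystore_has_private_key "$WSSEC_DIR/KeyStore.jks" "$KEYSTORE_PASS" iibkey
  [ "$(truststore_private_key_count "$WSSEC_DIR/TrustStore.jks" "$TRUSTSTORE_PASS")" = "0" ]
fi
```

The two checks at the end encode the rule from the previous section: the KeyStore must contain IIB's private key, and the TrustStore must contain public certificates only. A private key that ends up in the truststore is the most common way the signing key leaks, because truststores are routinely shared with other teams.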
Configuring the broker/integration node with the KeyStore and TrustStore
For the broker/integration node to use these stores, you must configure the broker registry properties. Use the following commands to set up the keystore and truststore:
1. mqsichangeproperties <BrokerName> -o BrokerRegistry -n brokerKeystoreType -v JKS
2. mqsichangeproperties <BrokerName> -o BrokerRegistry -n brokerTruststoreType -v JKS
3. mqsichangeproperties <BrokerName> -o BrokerRegistry -n brokerKeystoreFile -v /ESB/wmb/wssecurity/KeyStore.jks
4. mqsichangeproperties <BrokerName> -o BrokerRegistry -n brokerTruststoreFile -v /ESB/wmb/wssecurity/TrustStore.jks
5. mqsichangeproperties <BrokerName> -o BrokerRegistry -n brokerKeystorePass -v brokerKeystore::password
6. mqsichangeproperties <BrokerName> -o BrokerRegistry -n brokerTruststorePass -v brokerTruststore::password
7. mqsisetdbparms <BrokerName> -n brokerTruststore::password -u temp -p <password>
8. mqsisetdbparms <BrokerName> -n brokerKeystore::password -u temp -p <password>
Note that steps 5 and 6 store only the identifiers brokerKeystore::password and brokerTruststore::password in the registry; the real passwords are supplied in steps 7 and 8 through mqsisetdbparms, so they never appear in the output of mqsireportproperties. The user ID given with -u (temp here) is required by the command syntax but is not used for keystore passwords. Restart the broker (mqsistop/mqsistart) for the BrokerRegistry changes to take effect.
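The eight steps above are easy to get subtly wrong (a missing space before -v, a real password typed into brokerKeystorePass, a forgotten restart), so the script below, an added example and not code from the original article, runs them in order and then checks the registry the way a reviewer would. It assumes mqsiprofile has been sourced so the mqsi* commands are on PATH, that the broker name, paths and passwords are supplied by the caller (the values shown are placeholders), and that mqsireportproperties prints registry properties as name='value' lines; verify that last assumption against your own node's output before relying on the check.

```shell
#!/bin/sh
# Added example, not from the original article: script the BrokerRegistry and
# mqsisetdbparms steps and verify the result. Broker name, store paths and
# passwords are placeholders supplied by the caller.
set -e

# Run a command, or only print it when DRY_RUN=1 (useful for change tickets).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# configure_ws_security BROKER KEYSTORE TRUSTSTORE KS_PASS TS_PASS
# The real passwords go only to mqsisetdbparms; BrokerRegistry receives just
# the identifiers brokerKeystore::password / brokerTruststore::password, so
# mqsireportproperties never reveals them. The -u value is required by the
# command syntax but is not used for keystore passwords.
configure_ws_security() {
  broker="$1"; ks="$2"; ts="$3"; ks_pass="$4"; ts_pass="$5"
  run mqsisetdbparms "$broker" -n brokerKeystore::password -u ignore -p "$ks_pass"
  run mqsisetdbparms "$broker" -n brokerTruststore::password -u ignore -p "$ts_pass"
  run mqsichangeproperties "$broker" -o BrokerRegistry -n brokerKeystoreType -v JKS
  run mqsichangeproperties "$broker" -o BrokerRegistry -n brokerTruststoreType -v JKS
  run mqsichangeproperties "$broker" -o BrokerRegistry -n brokerKeystoreFile -v "$ks"
  run mqsichangeproperties "$broker" -o BrokerRegistry -n brokerTruststoreFile -v "$ts"
  run mqsichangeproperties "$broker" -o BrokerRegistry -n brokerKeystorePass -v brokerKeystore::password
  run mqsichangeproperties "$broker" -o BrokerRegistry -n brokerTruststorePass -v brokerTruststore::password
  # BrokerRegistry changes take effect only after a restart.
  run mqsistop "$broker"
  run mqsistart "$broker"
}

# registry_value NAME < report: print NAME's value from
# "mqsireportproperties BROKER -o BrokerRegistry -a" output (name='value' lines;
# that layout is an assumption, check it against your broker).
registry_value() {
  sed -n "s/^[[:space:]]*$1='\(.*\)'\$/\1/p"
}

# check_ws_security_registry REPORT_FILE
# Non-zero if any of the six properties is missing, a store type is not JKS,
# a file is not an absolute path, or a *Pass property holds something other
# than a ::password identifier (a raw password there is readable by anyone
# allowed to run mqsireportproperties).
check_ws_security_registry() {
  report="$1"; rc=0
  for p in brokerKeystoreType brokerTruststoreType brokerKeystoreFile \
           brokerTruststoreFile brokerKeystorePass brokerTruststorePass; do
    v=$(registry_value "$p" < "$report")
    case "$p:$v" in
      *Type:JKS) ;;
      *Type:*)   echo "BAD  $p='$v' (expected JKS)"; rc=1 ;;
      *File:/*)  ;;
      *File:*)   echo "BAD  $p='$v' (expected absolute path)"; rc=1 ;;
      *Pass:*::password) ;;
      *Pass:*)   echo "BAD  $p='$v' (expected an identifier, not a password)"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage: WSSEC_APPLY=1 KEYSTORE_PASS=... TRUSTSTORE_PASS=... sh configure.sh
if [ "${WSSEC_APPLY:-0}" = "1" ]; then
  configure_ws_security "${BROKER:-IB9NODE}" /ESB/wmb/wssecurity/KeyStore.jks \
    /ESB/wmb/wssecurity/TrustStore.jks "$KEYSTORE_PASS" "$TRUSTSTORE_PASS"
  mqsireportproperties "${BROKER:-IB9NODE}" -o BrokerRegistry -a > /tmp/registry.txt
  check_ws_security_registry /tmp/registry.txt
fi
```

Run it once with DRY_RUN=1 to review the exact command sequence, then for real. The check function is the part worth keeping in a post-change script: the mistake it catches most often is a password pasted into brokerKeystorePass instead of the identifier.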
Creating policy set
-- Open Message Broker Explorer / IIB Explorer, right-click the broker, and select Properties.
-- On the Properties dialog, select Security => Policy Sets.
-- Select Policy Sets => Add to add a new policy set on the "Set up Policy Sets and Policy Set Bindings for this broker" dialog. Rename the policy set with an appropriate name (BPM_Policy in this article).
-- Expand WS-Security and highlight Authentication Token on the left. Do the appropriate configuration depending on the scenario.
-- Expand WS-Security and highlight Message Level Protection on the left. Do the appropriate configuration depending on the scenario. If message integrity is the goal, include the timestamp in the security header and sign it together with the Body; a signed Body on its own can be replayed.
-- Click Tokens and add Initiator and/or Recipient tokens depending on the scenario.
-- Click Algorithms and select the appropriate algorithm suite. Prefer a SHA-256 based suite (for example Basic256Sha256) unless the partner cannot support it.
-- Highlight Message Part Protection and do the appropriate configuration for signature and encryption depending on the scenario.
-- Highlight QName and do the appropriate configuration depending on the scenario.
-- Highlight XPath and do the appropriate configuration depending on the scenario.
-- Click Finish to save the policy set BPM_Policy.
-- Run the following command to see the details of the policy set BPM_Policy:
mqsireportproperties <BrokerName> -c PolicySets -o <PolicyName> -r
Creating policy set binding
-- Right-click the broker, select Properties and Security, and then click Policy Sets.
-- Select Policy Set Bindings on the left and then click Add to create a new entry. Rename it appropriately and select the policy set to be associated. Select 'Provider' if the binding will be used with a SOAPInput node and 'Consumer' if it will be used with SOAPRequest nodes.
-- Select Binding => WS-Security => Message Part Policy. Do the appropriate configuration for signature and encryption depending on the scenario.
-- Expand Message Part Policy and select Key Information. Do the appropriate configuration depending on the scenario. This is where the binding is tied to the keystore and truststore entries, so the key names you enter must match the aliases in the stores configured in the previous section.
-- Click Finish to save the binding.
-- Run the following command to see the details of the policy set binding:
mqsireportproperties <BrokerName> -c PolicySetBindings -o <BindingName> -r
Commands for exporting/importing policy sets and bindings from one broker to another
We can import the policy set and policy set bindings created on one broker into another, say from BROKER07 to MB7BROKER, using the commands below:
-- Commands for exporting the PolicySet and PolicySetBindings:
mqsireportproperties BROKER07 -c PolicySets -o <PolicyName> -n ws-security -p D:\Shared\BPMDeal_Policy.xml
mqsireportproperties BROKER07 -c PolicySetBindings -o <BindingName> -n ws-security -p D:\Shared\BPMDeal_Bindings.xml
-- Commands for importing the PolicySet and PolicySetBindings:
mqsicreateconfigurableservice MB7BROKER -c PolicySets -o <PolicyName>
mqsicreateconfigurableservice MB7BROKER -c PolicySetBindings -o <BindingName>
mqsichangeproperties MB7BROKER -c PolicySets -o <PolicyName> -n ws-security -p D:\Shared\BPMDeal_Policy.xml
mqsichangeproperties MB7BROKER -c PolicySetBindings -o <BindingName> -n ws-security -p D:\Shared\BPMDeal_Bindings.xml
mqsichangeproperties MB7BROKER -c PolicySetBindings -o <BindingName> -n associatedPolicySet -v <PolicySetName>
The last command is required because the exported ws-security XML does not carry the association between the binding and its policy set. The export also does not carry keystore passwords or the stores themselves: the target broker must have its own KeyStore and TrustStore configured as described above, with the same aliases that the binding's Key Information refers to.
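To make the migration repeatable, and to catch the step that is most often skipped (the associatedPolicySet association), the script below wraps the export/import commands above and verifies the result. It is an added example, not code from the original article. It assumes the mqsi* commands are on PATH via mqsiprofile, that the broker, policy set and binding names and the export directory are placeholders supplied by the caller, and that mqsireportproperties prints the binding's properties as name='value' lines; check that last assumption against your own node's output.

```shell
#!/bin/sh
# Added example, not from the original article: migrate a policy set and its
# binding between integration nodes and verify the association. Names and the
# export directory are placeholders supplied by the caller.
set -e

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# migrate_policy SRC_BROKER DST_BROKER POLICY BINDING EXPORT_DIR
migrate_policy() {
  src="$1"; dst="$2"; policy="$3"; binding="$4"; dir="$5"
  mkdir -p "$dir"
  # 1. Export from the source node. The XML holds policy and binding settings
  #    only; keystore passwords stay in the source node's registry.
  run mqsireportproperties "$src" -c PolicySets -o "$policy" -n ws-security -p "$dir/$policy.xml"
  run mqsireportproperties "$src" -c PolicySetBindings -o "$binding" -n ws-security -p "$dir/$binding.xml"
  # 2. Create the configurable services on the target, then load the XML.
  run mqsicreateconfigurableservice "$dst" -c PolicySets -o "$policy"
  run mqsicreateconfigurableservice "$dst" -c PolicySetBindings -o "$binding"
  run mqsichangeproperties "$dst" -c PolicySets -o "$policy" -n ws-security -p "$dir/$policy.xml"
  run mqsichangeproperties "$dst" -c PolicySetBindings -o "$binding" -n ws-security -p "$dir/$binding.xml"
  # 3. The association is not part of the exported XML; set it explicitly.
  run mqsichangeproperties "$dst" -c PolicySetBindings -o "$binding" -n associatedPolicySet -v "$policy"
}

# associated_policy_from_report < report: print the associatedPolicySet value
# from "mqsireportproperties DST -c PolicySetBindings -o BINDING -r" output
# (name='value' layout is an assumption; confirm against your node).
associated_policy_from_report() {
  sed -n "s/^[[:space:]]*associatedPolicySet='\(.*\)'\$/\1/p"
}

# verify_binding REPORT_FILE EXPECTED_POLICY: non-zero unless the binding is
# associated with EXPECTED_POLICY. Without the association the binding does
# not know which policy set it applies to.
verify_binding() {
  got=$(associated_policy_from_report < "$1")
  [ "$got" = "$2" ]
}

# Usage: WSSEC_APPLY=1 sh migrate.sh   (names below are placeholders)
if [ "${WSSEC_APPLY:-0}" = "1" ]; then
  migrate_policy BROKER07 MB7BROKER BPM_Policy BPM_Binding /ESB/wmb/wssecurity/export
  mqsireportproperties MB7BROKER -c PolicySetBindings -o BPM_Binding -r > /tmp/binding.txt
  verify_binding /tmp/binding.txt BPM_Policy
fi
```

After the import, also confirm on the target node that the aliases named in the binding's Key Information exist in its KeyStore and TrustStore; the migration script cannot do that for you because the stores are not part of the export.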
Now select the policy set and policy set bindings on the SOAPInput/SOAPRequest node properties in the BAR file before deployment.
I will cover policy set and binding implementation at run time governed by WSRR in a separate post.
Watch out for more!!!
Hi Anand
Thank you for this informative tutorial. Really helpful. Do you have this same tutorial as a Consumer?