Enabling proxy authentication for the gateway
The gateway requires access to the Internet for invoking Web services and for retrieval of WSDL files. Many enterprise installations use a proxy server in support of Internet routing, and many proxy servers require authentication before they grant access to the Internet. This requirement is supported in HTTP messaging by a "Proxy-Authorization" message header that contains encoded username and password credentials.
For messages passing through the gateway, you can enable and disable proxy authentication, and specify whether the authentication credentials are supplied by the service requester or by the gateway. If you specify requester-supplied credentials, the credentials in the HTTP message that the gateway receives are re-instantiated by the gateway in the equivalent message that it sends on to the proxy. If you specify gateway-supplied credentials, the gateway ignores any credentials in the incoming HTTP message and supplies its own credentials in the equivalent message that it sends on to the proxy.
Note: In certain circumstances, the gateway also creates and sends its own messages (for example for WSDL retrieval). In these cases, the gateway always supplies its own credentials to the authenticating proxy. So even if you enable proxy authentication and specify requester-supplied credentials, still supply credentials for the gateway.
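The credential-selection rules described above, modeled as an added Python example (not IBM's code). It assumes the proxy uses the HTTP Basic scheme, where the header value is the base64 of user:password; the function and parameter names are hypothetical, and sending no header when authentication is disabled or the requester supplies none is an assumption.

```python
import base64


def basic_proxy_header(user, password):
    """Build a Basic Proxy-Authorization value: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(value):
    """Recover (user, password) from a Basic value: it is encoded, not encrypted."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def outbound_proxy_auth(incoming_headers, *, enabled, use_gateway_credentials,
                        gateway_user, gateway_password, gateway_initiated=False):
    """Return the Proxy-Authorization value sent on to the proxy, or None."""
    if not enabled:
        return None  # assumption: no credentials are sent when the feature is off
    if not gateway_user or not gateway_password:
        # Both fields are compulsory whenever proxy authentication is enabled.
        raise ValueError("gateway proxy user and password are required")
    if use_gateway_credentials or gateway_initiated:
        # Incoming credentials are ignored; gateway-initiated traffic such as
        # WSDL retrieval always takes this path.
        return basic_proxy_header(gateway_user, gateway_password)
    # Requester-supplied mode: re-instantiate the requester's own header.
    for name, value in incoming_headers.items():
        if name.lower() == "proxy-authorization":  # header names are case-insensitive
            return value
    return None  # assumption: nothing to forward, so the proxy refuses the request


# Constructed sample request headers, for illustration only.
REQUEST_HEADERS = {
    "Content-Type": "text/xml",
    "proxy-authorization": basic_proxy_header("alice", "requester-secret"),
}
```

Because `decode_basic` needs no key, anyone who can read the traffic between requester, gateway and proxy can recover the password, so those hops need transport protection.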
To enable proxy authentication for the gateway, complete the following steps:
- Display the Web services gateway administrative user interface.
- In the navigation pane, click the following link: Gateway -> Configure
  The gateway configuration form is displayed.
- Enable the Enable proxy authentication check box.
- In the Proxy user field, type the proxy username for the gateway itself.
  Note: If you enable proxy authentication then this field is compulsory, even if you also specify requester-supplied credentials as described below.
- In the Proxy password field, type the associated proxy password for the gateway itself.
  Note: If you enable proxy authentication then this field is compulsory, even if you also specify requester-supplied credentials as described in the next step.
- To set the Use Gateway proxy credentials for invoking WebServices check box, complete one of the following two steps:
  - If you want to use requester-supplied credentials, then clear the Use Gateway proxy credentials check box.
    With this setting, each incoming message to the gateway from a service requester is expected to contain a valid "Proxy-Authorization" HTTP message header. This header is re-instantiated by the gateway in the equivalent message that it sends on to the proxy.
    Note: For gateway-initiated messaging, such as WSDL retrieval, the gateway supplies its own credentials in the HTTP messages that it sends to the proxy.
  - If you want to use gateway-supplied credentials, then enable the Use Gateway proxy credentials check box.
    With this setting, a trust association is established between the gateway and the authenticating proxy. The gateway supplies its own credentials in all messages that it sends to the proxy, and no username or password is required from service requesters for invoking Web services.
- Click Apply Changes.
- You also need to provide the application server in which your gateway is running with machine details for the authenticating proxy and for any internal machines that do not require authentication. You do this by setting system properties in the WebSphere Application Server Java Virtual Machine as follows:
  - Start the WebSphere Application Server administrative server.
  - Start the administrative console.
  - In the navigation pane, select Application Servers -> your_server_name -> Process Definition -> Java Virtual Machine -> Custom Properties.
  - Set the following properties:
    - http.proxySet - Set this to true to tell the application server that it is required to work with an authenticating proxy.
    - http.proxyHost - Set this to the machine name of the authenticating proxy.
    - http.proxyPort - Set this to the port through which the authenticating proxy is accessed. For example, 8080.
    - http.nonProxyHosts - List the internal machines for which authentication is not required for routing through the proxy. Separate each machine name in the list with a vertical bar "|".
      Note: This list must include the machine on which the gateway is installed.
  - Save the settings.
  - Stop then restart the application server.
  - Close the administrative console.
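A consistency check for the four JVM custom properties set in the last step, as an added Python example that is not part of the product. The host names are constructed, the function names are hypothetical, and the handling of a leading or trailing "*" follows the standard Java meaning of http.nonProxyHosts, which this page does not describe.

```python
def host_matches(pattern, host):
    """Match one http.nonProxyHosts entry; '*' is allowed at the start or end."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return pattern == host


def check_proxy_properties(props, gateway_host):
    """Return a list of problems found in the properties; empty means consistent."""
    problems = []
    if props.get("http.proxySet", "").strip().lower() != "true":
        problems.append("http.proxySet must be true")
    if not props.get("http.proxyHost", "").strip():
        problems.append("http.proxyHost is empty")
    port = props.get("http.proxyPort", "").strip()
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        problems.append("http.proxyPort is not a valid port: %r" % port)
    raw = props.get("http.nonProxyHosts", "")
    if "," in raw or ";" in raw:
        # A wrong separator turns the whole list into one name that never matches.
        problems.append("http.nonProxyHosts entries must be separated by '|'")
    entries = [e.strip() for e in raw.split("|") if e.strip()]
    if not any(host_matches(e, gateway_host) for e in entries):
        problems.append("http.nonProxyHosts does not include the gateway machine")
    return problems


# Constructed sample property sets, for illustration only.
GOOD = {
    "http.proxySet": "true",
    "http.proxyHost": "proxy.example.internal",
    "http.proxyPort": "8080",
    "http.nonProxyHosts": "gateway01.example.internal|appdb.example.internal",
}
BAD = {
    "http.proxySet": "false",
    "http.proxyHost": "proxy.example.internal",
    "http.proxyPort": "80800",
    "http.nonProxyHosts": "appdb.example.internal,files.example.internal",
}
```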
What to do next
Note: You also use the gateway configuration form to set the namespace URI and WSDL URI for the Web services gateway.