WAS v8.5 > Reference > Administrator best practices

Bus-enabled web services default configuration for accessing a secure bus

By default, the bus-enabled web services component can access a secure service integration bus. This means that your web services clients, if they provide suitable credentials when making requests, can use bus-enabled web services when bus security is enabled. You can modify or override the default configuration, for example by defining an authentication alias that the service integration resource adapter uses to access the bus.

To use bus-enabled web services when bus security is enabled, the web services clients must provide suitable credentials when making requests. Your clients can provide credentials either using WS-Security or using HTTP basic authentication, as described in Authenticate web services clients using HTTP basic authentication. For HTTP basic authentication, application security must also be enabled and, depending on which of these authentication schemes you use, the endpoint listener application must be appropriately configured as described in Password-protecting inbound services. When you use HTTP basic authentication, you map the AuthenticatedUsers role to the special "AllAuthenticatedUsers" group (or to some other suitable authenticated group or user); when you use WS-Security, you do not need to map the endpoint listener AuthenticatedUsers role unless application security is enabled, in which case you map the AuthenticatedUsers role to the special "Everyone" group. For more information, see Assigning users and groups to roles.

The default configuration the bus-enabled web services component uses to access a secure bus is as follows:


The server group in the bus connector role

This group controls whether a user is authorized to connect to the bus. The server group can be added or removed using the dmgr console:

Service integration -> Buses -> security_value -> [Authorization Policy] Users and groups in the bus connector role

This group can also be set using the following wsadmin command scripts:

addGroupToBusConnectorRole
removeGroupFromBusConnectorRole


The useServerSubject property

This boolean property is found in the custom properties panel of the J2C activation specification associated with the inbound, outbound or gateway service:

Resources -> Resource Adapters -> J2C activation specifications -> activation_specification_name -> [Additional Properties] J2C activation specification custom properties

This property can also be set using wsadmin command scripts.


Disabling and overriding the default configuration

To disable the default configuration, set the useServerSubject property to "false" rather than removing the server group, because the service integration resource adapter is not the only system resource that uses the server subject. If you remove the server group from the bus connector role, then no system resources can use the server subject.

You can also override the default configuration by defining an authentication alias that the service integration resource adapter uses to access the bus. Using an authentication alias does not make your configuration more secure. However, you might want to use an alias for consistency of approach if you have other application servers running under WAS v6.0.x, or to support your internal business controls for use of IDs and passwords.

If you configure an authentication alias, you need not also disable the default configuration. If an authentication alias exists, it overrides the default configuration. However, if you subsequently remove the authentication alias from the activation specification, the default configuration will again take control and (if not disabled) will allow the service integration resource adapter to continue to access the bus.

The following table shows whether the service integration resource adapter can connect to the secured bus, depending on the state of the different properties:

Summary of expected behavior for accessing a secure service integration bus. The first column of this table shows whether or not the secure service integration bus has a valid authentication alias, indicated by Yes or No as appropriate. The second column indicates whether or not the useServerSubject property is selected, indicated by Yes or No as appropriate. The third column shows whether or not the server group has been added to the bus connector role, indicated by Yes or No as appropriate. The fourth column shows, for each of the combinations of Yes and No settings given in the first three columns, whether or not the resource adapter can connect to the bus, indicated by Yes or No as appropriate.

| Valid authentication alias | useServerSubject | Server group on bus connector role | Resource adapter can connect? |
|---|---|---|---|
| Yes | No | No | Yes |
| No | Yes | Yes | Yes |
| No | No | Yes | No |
| No | No | No | No |
| No | Yes | No | No |
| Yes | Yes | Yes | Yes (using the authentication alias) |
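The following is an added example, not code from the product or its documentation. It models the table's connection rules and reports, for each activation specification, which credential path is in effect and whether removing the authentication alias would silently fall back to the server subject. It goes beyond the six rows listed by applying the stated rule that an alias overrides the default configuration. The class, function and specification names are assumptions, and the inventory is constructed sample data.

```python
# Added example: models the connection rules from the table above.
# Spec names and settings are constructed sample data, not a real configuration.
from dataclasses import dataclass


@dataclass
class ActivationSpec:
    name: str                 # hypothetical activation specification name
    auth_alias: bool          # a valid authentication alias is configured
    use_server_subject: bool  # value of the useServerSubject custom property


def access_path(spec, server_group_in_role):
    """Return how the resource adapter reaches the secured bus, or None."""
    if spec.auth_alias:
        return "authentication alias"  # an alias overrides the default
    if spec.use_server_subject and server_group_in_role:
        return "server subject"        # default configuration
    return None


def audit(specs, server_group_in_role):
    """Report the current path and the effect of removing the alias."""
    findings = []
    for spec in specs:
        current = access_path(spec, server_group_in_role)
        no_alias = ActivationSpec(spec.name, False, spec.use_server_subject)
        fallback = access_path(no_alias, server_group_in_role)
        if spec.auth_alias and fallback:
            note = "alias removal falls back to the server subject"
        elif spec.auth_alias:
            note = "alias removal cuts off bus access"
        elif current:
            note = "connects through the default configuration"
        else:
            note = "cannot connect"
        findings.append((spec.name, current, note))
    return findings


SAMPLE_SPECS = [  # constructed inventory
    ActivationSpec("inbound_spec", True, True),
    ActivationSpec("outbound_spec", True, False),
    ActivationSpec("gateway_spec", False, True),
    ActivationSpec("legacy_spec", False, False),
]

if __name__ == "__main__":
    for name, path, note in audit(SAMPLE_SPECS, server_group_in_role=True):
        print(f"{name:14} path={path!s:22} {note}")
```

Specifications reported as falling back to the server subject are the ones where setting useServerSubject to "false" matters if the alias is meant to be the only way onto the bus.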

