
Overriding the default security configuration between bus-enabled web services and a secure bus

To override the default configuration through which the bus-enabled web services component accesses a secure service integration bus, you configure an authentication alias that the service integration resource adapter uses to access the bus.

To use bus-enabled web services when bus security is enabled, the web services clients must provide suitable credentials when making requests. Clients can provide credentials using either WS-Security or HTTP basic authentication, as described in Authenticate web services clients using HTTP basic authentication. For HTTP basic authentication, application security must also be enabled and, depending on which of these authentication schemes you use, the endpoint listener application must be appropriately configured as described in Password-protecting inbound services. When you use HTTP basic authentication, you map the AuthenticatedUsers role to the special "AllAuthenticatedUsers" group (or to some other suitable authenticated group or user); when you use WS-Security, you do not need to map the endpoint listener AuthenticatedUsers role unless Application Security is enabled, in which case you map the AuthenticatedUsers role to the special "Everyone" group. For more information, see Assigning users and groups to roles.

The default configuration the bus-enabled web services component uses to access a secure bus is as follows:

For more information, see Bus-enabled web services default configuration for accessing a secure bus.

You can override this default configuration by defining an authentication alias that the service integration resource adapter uses to access the bus. Using an authentication alias does not make your configuration more secure. However, you might want to use an alias for consistency of approach if you have other application servers running under WAS v6.0.x, or to support your internal business controls for use of IDs and passwords.

  1. In the navigation pane, click Service integration -> Buses -> security_value -> [Related Items] JAAS - J2C authentication data.
  2. Create a J2C authentication alias.

  3. Configure authentication for the resource adapter by completing the following steps:

    1. In the dmgr console navigation pane, click Resources -> Resource Adapters -> J2C activation specifications -> activation_specification_name, where activation_specification_name is SIBWS_OUTBOUND_MDB.
    2. In the Authentication alias drop-down list, select the authentication alias created.

    3. Click Apply.

  4. Optional: Disable the default authentication configuration.

    If you configure an authentication alias, you need not also disable the default configuration. If an authentication alias exists, it overrides the default configuration. This means that if you use an authentication alias that is authorized to access the bus, the communication succeeds, and if you use an authentication alias that is not authorized to access the bus, the communication fails, irrespective of the default settings. However, if you subsequently remove the authentication alias from the activation specification, the default configuration again takes control and (if not disabled) allows the service integration resource adapter to continue to access the bus. For more information, see Bus-enabled web services default configuration for accessing a secure bus.

    To disable the default authentication configuration, complete the following steps:

    1. In the dmgr console navigation pane, click Resources -> Resource Adapters -> J2C activation specifications -> activation_specification_name -> [Additional Properties] J2C activation specification custom properties, where activation_specification_name is SIBWS_OUTBOUND_MDB.
    2. In the list of custom properties, click useServerSubject.

    3. Change the Value for the useServerSubject property from "true" to "false".

    4. Click OK.

  5. Save your changes to the master configuration.
  6. Close the dmgr console.
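
The precedence rule in step 4, as an added example that is not IBM's code: a Python check that classifies each SIBWS_OUTBOUND_MDB activation specification by which identity would reach the bus, and flags the case where removing the alias would silently hand control back to the default. The XML layout, scope names, alias names and state labels are constructed assumptions, not the product's configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified stand-in for exported activation-spec
# settings. Element and attribute names are assumptions, not WAS's schema.
SAMPLE = """
<activationSpecs>
  <spec name="SIBWS_OUTBOUND_MDB" scope="cell-A" authenticationAlias="node1/sibws_bus_alias">
    <property name="useServerSubject" value="true"/>
  </spec>
  <spec name="SIBWS_OUTBOUND_MDB" scope="cell-B" authenticationAlias="">
    <property name="useServerSubject" value="true"/>
  </spec>
  <spec name="SIBWS_OUTBOUND_MDB" scope="cell-C" authenticationAlias="node3/sibws_bus_alias">
    <property name="useServerSubject" value="false"/>
  </spec>
  <spec name="SIBWS_OUTBOUND_MDB" scope="cell-D">
    <property name="useServerSubject" value="false"/>
  </spec>
</activationSpecs>
"""

def effective_identity(alias, use_server_subject):
    """Apply the precedence rule from step 4 to one activation specification."""
    if alias:
        # The alias overrides the default; removing it later re-enables the
        # default unless useServerSubject is already "false".
        return "ALIAS_FALLBACK_ARMED" if use_server_subject else "ALIAS_ONLY"
    return "DEFAULT_IN_CONTROL" if use_server_subject else "NO_BUS_IDENTITY"

def audit(xml_text, spec_name="SIBWS_OUTBOUND_MDB"):
    """Return {scope: state} for every matching activation specification."""
    results = {}
    for spec in ET.fromstring(xml_text).iter("spec"):
        if spec.get("name") != spec_name:
            continue
        alias = (spec.get("authenticationAlias") or "").strip()
        # Assumption: a missing property counts as "true", the value step 4 starts from.
        value = "true"
        for prop in spec.iter("property"):
            if prop.get("name") == "useServerSubject":
                value = (prop.get("value") or "").strip().lower()
        results[spec.get("scope")] = effective_identity(alias, value == "true")
    return results

if __name__ == "__main__":
    for scope, state in sorted(audit(SAMPLE).items()):
        print(scope, state)
```

Specifications reported as ALIAS_FALLBACK_ARMED or DEFAULT_IN_CONTROL are the ones to review if your business controls require that only the alias identity ever reaches the bus.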


Related information:

Configure secure transmission of SOAP messages using WS-Security
Work with password-protected components
Invoking outbound services over HTTPS

