Security


Contents


  1. IBM WebSphere DataPower XC10 appliance security overview
  2. Configure IBM appliance user interface security
  3. Manage users and groups
  4. Securing data grids
  5. Configure Transport Layer Security (TLS)
  6. Configure your appliance to authenticate users with an LDAP directory
  7. Security configuration


Security

You can configure several aspects of security on the appliance, including user interface security and transport level security.


1. IBM WebSphere DataPower XC10 appliance security overview

With IBM WebSphere DataPower XC10 appliance, you can control access to both the appliance itself and the data grid data that is being held on the appliance.


Appliance security

Some of the key features that make the appliance a secure foundation are:

The appliance is contained in a tamper resistant case

There is an intrusion detection switch in the chassis that is continuously monitored. If the switch is triggered, the appliance does not start. The appliance must be returned to IBM before the appliance can be started again. Additional elements, such as the tamper-resistant screws on the case are also included to discourage opening the case. The design of the appliance ensures that you can access the customer replaceable items from the rear of the appliance without opening the case.

There is no access to the operating system through a shell

There is no command shell in the operating system of the appliance. By design, no command interpreters are included on the appliance to reduce security vulnerabilities. There is only one operating system user ID on the appliance. You cannot externally log on to the appliance with a user ID, because there is no shell available.

No user provided logic can be run on the appliance

The appliance does not provide any ability for a user to upload an executable script or code. The only exception to this statement is a system firmware update, in which you can run a script to install updated firmware on the appliance. These system updates are signed by the firmware manufacturer as a precaution. No user provided untrusted software can be run on the appliance.


Data grid security

You can control access to the information that is contained in the data grids. If you do not enable security on the data grid, any application can access the information in the data grid. You can enable security in general on a data grid, to allow anyone that has a user account and password on the appliance to access the data grid. You can also restrict access to a set of users or user groups by enabling authorization on the data grid.


Transport Layer Security (TLS)

You can use TLS to secure the data grids and user interface by configuring a keystore, truststore, and certificate alias. TLS settings apply to all appliances in the collective.


Users and user groups

You can define permissions for users and user groups both for the appliance administration and the data grid security.


2. Configure IBM appliance user interface security

Much of the security functionality offered by WebSphere DataPower XC10 appliance is built into the construction of the appliance. Additional security settings are included to provide additional security options for your environment.

You must be assigned the Appliance administration permission to perform these steps.

To increase the security coverage of the appliance, you can configure several options that exist to control the user behavior.

  1. Navigate to the Settings panel.

    To manage your security options, navigate to the Settings panel using one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to...

        Appliance | Settings
    • From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Security.

  3. Set your security permissions.

    1. Set the Allow new users to create their own accounts field. The default value for this field is Disabled. This field specifies if a user is able to create their own account. When this field is Enabled, a Register button appears on the login screen.

    2. Set the Allow password reset from the serial console field. The default value for this field is Disabled.

      Disabled:

      Make sure that you configure an SMTP server and an email address for the xcadmin user. These configurations ensure that if the xcadmin password is lost, then there is a way to reset the password. If this field is disabled and these configurations are not made, then it is impossible to reset a lost xcadmin password and the appliance must be returned to IBM for remanufacturing.

      Enabled:

      You can reset the password for the xcadmin user using a serial connection without any other credentials required and without an SMTP message. If this option is selected, the physical access to your WebSphere DataPower XC10 appliance is even more important than typical. With physical access to the machine, any user is able to gain administrator access to the appliance.

  4. Configure your appliance to authenticate users with a LDAP directory.

After successfully completing these steps, you have specified how the appliance handles certain security-related scenarios and whether external authentication is used for access to the user interface. Configure users and groups to provide access to the user interface. You also use users and groups to provide access to data grids.


3. Manage users and groups

Users and user groups are provided so that you can manage the level of access for each individual to your WebSphere DataPower XC10 appliance. Use user groups to apply permissions to groups of users.

You must be assigned the Appliance administration permission to perform these steps. You can manage your users and user groups using the appliance user interface.


3.1. Create a user

You need a user name and password to log in to the user interface. Use these steps to create new accounts to allow users to access and administer your WebSphere DataPower XC10 appliance.

You must be assigned the Appliance administration permissions to perform these steps. If you are using Lightweight Directory Access Protocol (LDAP) to authenticate users, the user that is being registered must first exist in the LDAP repository. Use the following steps to create a user using the appliance user interface:

  1. Navigate to the Users panel.

    • From the menu bar at the top of the appliance user interface, navigate to Collective > Users.
    • From the Home panel, click the Create users link in the Step 1: Set up the appliance section.

  2. Click the add icon to begin adding a new user.

  3. Enter an ID in the User name field. The value for this field can be up to 64 characters in length and cannot be blank. All alphanumeric characters can be used, and the following special characters: !@#%^*&-+=. This field cannot be changed after you have created the user. If you are using LDAP authentication, the user that is being registered must exist in the LDAP repository.

  4. Optional: Enter the name of the user in the Full name field. This field is used for display purposes in the user interface. If you do not enter a value for this field, the user name is displayed. After you have created the user, only the user can edit the field. The administrator cannot change the value of this field after the user is created.

  5. Enter the password for the user in the Password field. The password can use the same characters available for the User name field. If Simple Mail Transfer Protocol (SMTP) is enabled, you can leave the password field blank when a user is created, and a password is automatically generated. If LDAP authentication is enabled, the Password field is not displayed because the password from the LDAP registry is used for authentication. Reenter the same password for the user in the Verify Password field.

  6. Enter a valid email address for the user in the Email address field. This field specifies the email address used to provide a new password if the user forgets their password and additional notifications. The email address is required when a Simple Mail Transfer Protocol (SMTP) server is used. 

  7. Click OK.

You have a new user account that you can use to log on to the user interface. When a user is first created only the default permissions are assigned.


3.2. Manage users

After you create a user, manually modify the user settings if additional permissions are required. You can also use these steps to modify a user if the information has changed.

You must be assigned the Appliance administration permission to perform these steps. When you create a user, the user has the default permissions. If the user account needs additional permissions, then add these permissions manually after the initial user creation. If a user account was created using the self-registration function, then only a subset of the user information is available. The remaining information needs to be added by a user that is assigned the appliance administration permission. Use the following steps to modify a user using the appliance user interface.

  1. Navigate to the Users panel.

    • From the menu bar at the top of the appliance user interface, navigate to Collective > Users.
    • From the Home panel, click the Create users link in the Step 1: Set up the appliance section.

  2. Click the User name for the user you intend to modify. The display name and the user name cannot be modified after the user has been created.

  3. You can edit the password and email address for the user. To change the password, click [edit] for the field. Enter a new password to change the password.

  4. View the user activity. The following user activity can be viewed from the user account screen:

    • Current Status: This field shows the status of the user. The following list contains the possible user statuses:

      • Active in the last 5 minutes
      • Inactive for more than 5 minutes
      • User has not logged in yet

    • User Groups: This field lists all the user groups in which the user is a member.

      Type in the group name to add a user to a group. As you type the user group name, a list of user groups matching what you have typed is displayed. Click the user group name to add the user to the group. Typing in the user group name alone does not add the user to the group. Adding a user to a user group results in the user being assigned the permissions of the user group. The previous level of permissions assigned to the user is not retained. To remove a user from a user group, click the [remove] link next to the group from which you want to remove the user. If a user is removed from all groups (besides the Everyone group), then the user retains the permissions that are assigned to the last group from which they were removed.

  5. Modify the permissions for this user. You can select or clear these permissions to control the level of access that a user is assigned. User permissions cannot be modified if a user is a member of a group, not including the Everyone group. If a user is a member of a group, then the user has the permissions defined by that group. If a user is a member of multiple groups, then the user has the sum of the permissions defined by these groups. When you change the permissions defined for the group, the changes are propagated to all the members of the group. The following permissions are available for each user.

    • Appliance administration
    • Appliance monitoring
    • Data grid creation

You have successfully modified a user account. After you have modified the user, you can add the user to a user group. You can add a layer of security to your appliance by using a Lightweight Directory Access Protocol (LDAP) server for authentication.


3.3. Removing a user

A user name and password are required to be able to log in to the user interface. If you no longer need a specific user, however, you can remove that user from WebSphere DataPower XC10 appliance.

You must be assigned the Appliance administration permission to perform these steps. When you delete a user, all the resources owned by that user are automatically transferred to you. Use these steps to remove a user account from your appliance using the appliance user interface.

  1. Navigate to the Users panel.

    • From the menu bar at the top of the appliance user interface, navigate to Collective > Users.
    • From the Home page, click the Create users link in the Step 1: Set up the appliance section.

  2. Click the <user_name> of the user to select the user you intend to delete.

    Note: The Administrator user account, xcadmin, cannot be deleted.

  3. Click the delete icon to begin deleting the user. A message box is displayed requesting confirmation that this user can permanently be deleted.

  4. Click OK.

You removed a user account from your appliance.


3.4. Registering a new user account

You can create your own user account when the administrator enables the Allow new users to create their own accounts option. Use this task to create a user account from the login screen.

To register a new user account, the Allow new users to create their own accounts field must be set to Enabled.

  1. Access the WebSphere DataPower XC10 appliance login screen.

  2. Click the Register... button to begin creating a user account.

  3. Enter a login ID in the User Name field. The value entered for this field is used as both the user name and the display name for the user. The value for this field can be up to 64 characters in length. All alphanumeric characters can be used. The following special characters are also available: !@#%^*&-+=

    If Lightweight Directory Access Protocol (LDAP) is used to authenticate users, the user that is being registered must exist in the LDAP repository.

  4. Enter a password for the user in the Password field. The password can use the same characters available for the User Name field. The Password field is required if a Simple Mail Transfer Protocol (SMTP) or LDAP server is not defined. If SMTP is enabled, you can choose to enter a password or to leave the field blank and have a generated password sent to your email address. If LDAP is used to authenticate users, the existing LDAP password is used and you do not need to enter a password.

  5. Reenter the same password for the user in the Verify Password field. The value you enter for this field must be identical to the value entered for the Password field. If these fields do not match, then an error is displayed when you click Register and must be resolved before the user can be created.

  6. Enter an email address in the Email address field. The email address is required when a Simple Mail Transfer Protocol (SMTP) server is used. 

  7. Click the Register button to complete the registration process.

After you have successfully completed these steps, you registered a user account that you can use to log in to the user interface. By default, you are assigned Appliance monitoring permissions only.


3.5. Create a user group

You can create user groups to better manage the access of your users to particular WebSphere DataPower XC10 appliance resources.

You must be assigned the Appliance administration permission to perform these steps. Create user groups to quickly assign a collection of users access to a resource or group of resources. User groups are empty when they are first created. You must manually add users to each new user group. Use the following steps to create a user group using the appliance user interface.

  1. Navigate to Collective > User Groups.

  2. Click the add icon to create a group.

  3. Enter a name in the Group name field. The value for this field can be up to 64 characters in length and cannot be blank. All alphanumeric characters can be used, and the following special characters: !@#%^*&-+= are also available.

  4. Enter any additional information in the Description field. This field can be used to include additional details about the user group.

  5. Click OK.

After successfully completing these steps, you have a new user group to help manage the permissions for your WebSphere DataPower XC10 appliance users. You can add users to the group you created.


3.6. Manage user groups

When you first create a user group, the user group does not have any users designated as members. You must manually add users to the group unless LDAP authentication is enabled.

You must be assigned the Appliance administration permission to perform these steps. Use the following steps to add or remove a user from a user group using the appliance user interface.

  1. Navigate to Collective > User Groups.

  2. Click the <group_name> to select a group to modify.

  3. To modify the description of the user group, click the existing description and enter the changes that you want to make.

  4. To add a user to the group, type the user name to add and then click the <user_name>.

    As you type the user name, a list of users matching what you have typed is displayed. Click the user name to add the user to the group. Typing in the user name alone does not add the user to the group. Adding a user to a user group results in the user being assigned the permissions of the user group. The previous level of permissions assigned to the user is not retained.

    Note: If LDAP Authentication is enabled, then you cannot modify the membership of a group within WebSphere DataPower XC10 appliance.

  5. Modify the permissions assigned to the group.

    The following permissions are available to be applied to a user group:

    • Appliance administration
    • Appliance monitoring
    • Data cache creation

  6. If you want to remove a user from the group, click the [remove] link next to the user you want to remove. No confirmation is required to remove the user, so use appropriate caution when you manage your user group. If a user is removed from all groups besides the Everyone group, then the user retains the permissions that were assigned to the last group from which they were removed.

You have completed the modifications to your user group.


3.7. Removing a user group

You can remove a user group from WebSphere DataPower XC10 appliance if the user group is no longer needed.

You must be assigned the Appliance administration permission to perform these steps. Use these steps to remove a user group from your appliance using the appliance user interface.

  1. Click Collective > User Groups.

  2. Click <user_group_name> to select the user group that you intend to remove.

    Note: The Everyone user group cannot be removed.

  3. Click the remove icon to begin removing the group.

  4. Click OK to confirm that the selected user group can be removed.

Each user group member is removed from the group, and the user group is deleted.


3.8. User permissions

User permissions are defined to determine which panels are viewable for each user and to determine the user access to a particular object.

The permissions that are assigned to your users define which administrative tasks for WebSphere DataPower XC10 appliance they are able to perform. In addition to determining which of the administrative pages are displayed, the content of the Welcome page is dynamically generated to display different content for users assigned different levels of access. When users initially register, they have the appliance monitoring permissions. An appliance administrator must assign data grid creation or appliance administration permissions.

Table 1. Viewable panels for each permission level

  Panel or action                         Appliance monitoring   Data grid creation   Appliance administration
  View Welcome page                       Yes                    Yes                  Yes
  Create data grids                       No                     Yes                  Yes
  Delete data grids                       No                     Yes                  Yes
  View monitor menu                       Yes                    No                   Yes
  View tasks                              Yes                    Yes                  Yes
  View and create collectives and zones   No                     No                   Yes
  Modify appliance settings               No                     No                   Yes
  Manage users and user groups            No                     No                   Yes


4. Securing data grids

After you create the data grids, the security of the data grid is disabled by default. You can change the security settings for a data grid to restrict access to a certain user or group of users.

When you change the security settings for a data grid, the data grid automatically restarts. When the data grid is restarted, any data that is in the data grid is lost. Configure the security for the data grids before you begin to save data in the data grid. Communication through the REST gateway is always secure, even if you do not have security enabled on the data grid.

  1. In the user interface, navigate to the data grid settings. Click Data Grid > data_grid_type. Click the data_grid_name that you want to edit.

  2. Enable security or authorization for the data grid. Click Enable security to enable any user that has access to the user interface to access the data grid. To further restrict access, click Enable authorization. With authorization enabled, you can specify a list of users or user groups in the Access granted to list. When Enable authorization is selected, only users that are listed in this access list can access the data grid data. You can assign the following access to users or user groups by clicking the name of the default access type that is displayed in the user interface:

    • read: When assigned this permission, the user or user group can read or query data from the data grid.

    • write: When assigned this permission, the user or user group can read, query, and write data to the data grid.

    • create: When assigned this permission, the user or user group can read, query, write, insert, and create dynamic maps in the data grid.

    • all: When assigned this permission, the user or user group can read, query, write, insert, create dynamic maps, remove, and invalidate data from the data grid. Appliance administrators have all permission by default.

    When you change the security and authorization settings, there is a timeout value of five minutes.

    • Authentication timeout: If you change a user password for a user that has already been authenticated to the data grid, the original credential is still valid for up to five minutes.

    • Authorization timeout: If you remove a permission for a user, that user continues to have the permission for up to five minutes. This timeout applies only for permissions that are removed. If you add a permission to a user, the user gets the permissions immediately.
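The three rules stated above and in the user group steps (a user in several groups gets the union of the groups' permissions; the data grid access types nest, read < write < create < all; a removed permission stays effective for up to five minutes while an added one applies at once) modelled in Python. This is an added example, not appliance code; the group names, principals and timestamps are constructed, and the lingering-grant mechanism is one way to reproduce the described timing, not a description of how the appliance implements it.

```python
from dataclasses import dataclass, field

# Data grid access types as the page lists them, lowest to highest; each
# level includes everything the levels before it allow.
ACCESS_LEVELS = ("read", "write", "create", "all")

# The authorization timeout described on the page: a removed permission can
# stay effective for up to five minutes.
AUTHZ_TIMEOUT_SECONDS = 300


def effective_permissions(user_groups, group_permissions):
    """Appliance permissions of a user: the union over all groups the user is in.

    user_groups: group names the user belongs to.
    group_permissions: group name -> set of permission names (constructed input).
    """
    perms = set()
    for group in user_groups:
        perms |= set(group_permissions.get(group, ()))
    return perms


def access_allows(granted, required):
    """True if grid access type `granted` covers `required` (read < write < create < all)."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(required)


@dataclass
class GridAuthorizer:
    """Grid access list with grant-immediately, revoke-after-timeout semantics.

    current:   principal -> access type in force now
    lingering: principal -> (access type that was removed or lowered, time removed)
    Times are plain seconds so the behaviour can be checked deterministically.
    """
    current: dict = field(default_factory=dict)
    lingering: dict = field(default_factory=dict)

    def set_access(self, principal, access, now):
        """Grant, raise, lower or remove (access=None) a principal's access.

        Raising access takes effect at once. Lowering or removing it keeps the
        old level usable until AUTHZ_TIMEOUT_SECONDS have passed.
        """
        old = self.current.get(principal)
        if old is not None and (access is None or not access_allows(access, old)):
            self.lingering[principal] = (old, now)
        if access is None:
            self.current.pop(principal, None)
        else:
            self.current[principal] = access

    def is_allowed(self, principal, required, now):
        """Authorization decision for `required` access at time `now`."""
        cur = self.current.get(principal)
        if cur is not None and access_allows(cur, required):
            return True
        old = self.lingering.get(principal)
        if old is not None:
            old_access, removed_at = old
            if now - removed_at < AUTHZ_TIMEOUT_SECONDS:
                return access_allows(old_access, required)   # still inside the window
            del self.lingering[principal]                    # window elapsed: gone for good
        return False


if __name__ == "__main__":
    # Constructed groups: union of permissions across memberships.
    groups = {"ops": {"Appliance monitoring"}, "devs": {"Data grid creation"}}
    print(effective_permissions(["ops", "devs"], groups))
    # Downgrade all -> read at t=10: "all" still answers until t=310.
    authz = GridAuthorizer()
    authz.set_access("alice", "all", now=0)
    authz.set_access("alice", "read", now=10)
    print(authz.is_allowed("alice", "all", now=100), authz.is_allowed("alice", "all", now=310))
```

The practical consequence for an operator is the one the page states: after revoking or lowering a user's grid access, plan on the old level answering for up to five minutes, and do not rely on the change being immediate for incident containment.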


5. Configure Transport Layer Security (TLS)

You can configure Transport Layer Security (TLS) by modifying or replacing the keystore and truststore, and choosing the certificate alias for the configuration.

  • You can configure TLS with Version 1.0.0.4 or later.

  • You must be using WebSphere eXtreme Scale Client Version 7.1 Fix 1 or later.

  • You must be assigned the Appliance administration permission.

  • You must have a keystore or truststore with the associated passwords to add to the appliance configuration.

  • To modify the existing truststore, you can download the truststore from the appliance.

  • You must update the truststore with the public certificates of the clients. The appliance must trust the clients that are connecting.

  • The supplied truststore must include a public certificate that corresponds to an entry in the keystore. Certificate aliases from the keystore must be trusted in the truststore to be supplied as a possible configuration option for the certificate alias for the appliance.

  • The global security setting in WebSphere Application Server determines how that server attempts connections to the WebSphere DataPower XC10 appliance:

    • When the global security setting is disabled, connections are attempted over TCP/IP.

    • When the global security setting is enabled, add the public certificate of the appliance to the WebSphere Application Server truststores.

    If your WebSphere DataPower XC10 appliance has TLS required configured, enable global security. For more information about configuring global security, see Global security settings.

The TLS settings apply to the user interface and data grids. The settings are applied to all of the appliances in the collective.

  1. Required for WebSphere Application Server: Add the appliance public certificate to the WebSphere Application Server default truststores.

    • If you are using the default appliance truststore:

      Run the addXC10PublicCert.py script from the was_root/bin directory on the dmgr. Use the following command:

      wsadmin -lang jython -f addXC10PublicCert.py

    • If you are using custom keys for the appliance:

      Run the addXC10PublicCert.py script from the was_root/bin directory on the dmgr with the -certPath command line option. The value of the -certPath command line option is the disk location of the public certificate that corresponds to the alias configured for the keystore on the appliance.

      wsadmin -lang jython -f addXC10PublicCert.py -certPath ./trustStore.jks

  2. Required for WebSphere Application Server: Download the appliance truststore and WebSphere Application Server public certificates and run the keytool utility to add the certificate to the truststore. This tool updates the appliance truststore to include the certificates from WebSphere Application Server.

    1. If you are using the default appliance truststore, download the active truststore. Click Appliance > Settings > Transport Layer Security (TLS). Click Download active truststore and remember the location of where you saved the file on disk, for example in the /downloads/trustStore.jks directory.

    2. Extract the WebSphere Application Server public certificate.

      1. In the WebSphere Application Server administrative console, click Security > SSL certificate and key management > Keystores and certificates.

      2. From Keystore usages, select Root certificates keystore.

      3. Select DmgrDefaultRootStore.

      4. Select Personal certificates.

      5. Click the checkbox next to a certificate in the root keystore. Specify a fully-qualified file name of the certificate to extract, such as: /certificates/public.cer.

      6. In a command-line window, run the following command: cd /java_home/bin

      7. Run the keytool utility.

        keytool -import -noprompt -alias "example alias" -keystore /downloads/trustStore.jks  -file /certificates/public.cer -storepass xc10pass -storetype jks

      8. If you have additional certificates to import, repeat the steps to extract the certificates and run the keytool utility again.

  3. Upload keystore and truststore information to the appliance. In the appliance user interface, click Appliance > Settings > Transport Layer Security (TLS). If you completed the steps for WebSphere Application Server, upload the updated /downloads/trustStore.jks file. After you upload a keystore or truststore, update the associated password. If you are using the default truststore, the password is xc10pass.

  4. Select the certificate alias for the collective.

  5. Specify the transport type. Choose one of the following transport type settings:

    • TLS supported: Data grids communicate with TCP/IP, SSL, or TLS. The user interface is accessible with HTTP and HTTPS.

    • TLS required: Data grids communicate with SSL or TLS only. The user interface is accessible with HTTPS only.

    • Data grid TLS disabled: Data grids communicate with non-secure connections. The user interface is accessible with HTTP and HTTPS.

  6. To require the client to send a trusted certificate to enable communication, select Enable client certificate authentication.

  7. Click Submit TLS settings to save the changes to the configuration.

The collective must restart to complete the TLS configuration changes.

Limited portions of the user interface are accessible when the collective is restarting. If you cannot access portions of the user interface, wait for an appropriate time and submit the request again. The Tasks panel shows completion for some TLS changes automatically by displaying a success status.

If you changed the certificate alias used by the appliance, you might need to restart the browser, log out and log back in to the user interface, or trust new certificates from a browser prompt.

If the user interface seems to be unavailable when client authentication is enabled, verify that you have a trusted client certificate imported into the browser. If a trusted client certificate is not imported into the browser, you cannot access the user interface. After you successfully log on to the user interface, the task indicates the success of the TLS configuration.


Best practices

  • To avoid browser warnings when you access the user interface from different appliances, consider including a wildcard in the Common Name (CN) of the certificate in the keystore. Each appliance uses the same certificate for TLS configuration, as specified by the certificate alias. For example, you might use *.mycompany.com instead of myhost.mycompany.com to make the certificate valid for all hosts in the mycompany domain.

  • You might want to use a private certificate authority (CA) to sign the certificate that is associated with the certificate alias that you chose for your TLS configuration. You can then import the CA certificate into the browser and trust any collective with a certificate signed by the private CA without being prompted. Using a private CA is generally only appropriate for access on a private intranet.
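The wildcard rule behind the first best practice, as an added example (not appliance or browser code). It implements the matching convention browsers apply to certificate names (RFC 6125 style): the wildcard must be the entire left-most label and matches exactly one label, so *.mycompany.com covers myhost.mycompany.com but neither mycompany.com nor a.b.mycompany.com. The host names are constructed.

```python
def hostname_matches(presented_name, hostname):
    """Return True if a certificate name (CN or SAN DNS name) matches hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the whole left-most label of a name with at least three
    labels (so *.com is rejected), and it covers exactly one label.
    """
    presented = presented_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == host                  # plain name: exact match only
    p_labels = presented.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in presented[2:] or len(p_labels) < 3:
        return False                              # partial or repeated wildcards are not honoured
    if len(h_labels) != len(p_labels):
        return False                              # wildcard spans one label, never several
    return h_labels[1:] == p_labels[1:]


def certificate_covers_hosts(presented_names, hostnames):
    """Map each appliance host name to whether any name in the certificate covers it.

    presented_names: DNS names from the certificate (SAN entries, or the CN).
    Useful before choosing the certificate alias: every appliance in the
    collective serves the same certificate.
    """
    return {h: any(hostname_matches(n, h) for n in presented_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed collective: one host directly under the domain, one a level deeper.
    report = certificate_covers_hosts(["*.mycompany.com"],
                                      ["xc10a.mycompany.com", "xc10b.lab.mycompany.com"])
    for host, ok in report.items():
        print(f"{host}: {'covered' if ok else 'NOT covered (browser warning)'}")
```

Run it against the planned host names of the collective before generating the keystore entry: an appliance whose name has an extra label below the wildcard will still produce browser warnings, and the fix is a SAN entry for that name rather than a deeper wildcard.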


6. Configure your appliance to authenticate users with an LDAP directory

You can optionally use a Lightweight Directory Access Protocol (LDAP) directory to authenticate users with your IBM WebSphere DataPower XC10 appliance.

You must be assigned the Appliance administration permission to perform these steps.

Using an LDAP server to authenticate users is optional. If you choose to use an external LDAP server, then match all of your IBM WebSphere DataPower XC10 appliance users with the users in the specified LDAP directory. The user name attribute is used to authenticate the IBM WebSphere DataPower XC10 appliance users with the LDAP directory. Users that are not in the LDAP directory cannot be authenticated.

You can set up your LDAP to use the secure port. The secure sockets layer (SSL) certificate of the LDAP server must be issued by a publicly trusted certificate authority (CA), which is already in the <JAVA_HOME>/jre/lib/security/cacerts file. WebSphere DataPower XC10 appliance does not support using self-signed certificates.

  1. Navigate to the Settings panel. Use one of the following methods:

    • From the menu bar at the top of the appliance user interface, navigate to Appliance > Settings.
    • From the Welcome page, click the Customize settings link in the Step 1: Set up the appliance section.

  2. Expand Security.

  3. Configure your appliance to authenticate users with an LDAP directory.

    1. To enable LDAP authentication, select the check box next to Enable LDAP authentication. The Enable LDAP authentication check box is not selected by default. Selecting this check box enables WebSphere DataPower XC10 appliance to use the specified LDAP server to authenticate users at login.
    2. Enter the JNDI provider URL. Examples for non-SSL LDAP:

      ldap://mycompany.com:389/
      ldap://mycompany.com/

      If a port is not explicitly specified, the default port number is 389. Examples for SSL LDAP:

      ldaps://mycompany.com:636/
      ldaps://mycompany.com/

      If a port is not explicitly specified, the default port number is 636.

    3. Enter the JNDI base DN (users). Example:

      CN=users,DC=mycompany,DC=com

    4. Enter the JNDI base DN (groups). Example:

      DC=mycompany,DC=com

    5. Enter the Search filter (users). Example:

      (&(sAMAccountName={0})(objectcategory=user)) or uid={0}

      Note: The placeholder "{0}" stands for the user ID. "{0}" is replaced by the login user ID that you entered in the login screen.

    6. Enter the JNDI security authentication. This field is optional unless your LDAP server does not permit anonymous LDAP queries. Example:

      CN=Administrator,CN=users,DC=mycompany,DC=com

    7. Enter the password. This field is the JNDI security credentials, and is optional unless your LDAP server does not permit anonymous LDAP queries.

  4. Test the LDAP authentication settings that you configured. You can test the settings you used to configure authentication with an LDAP server. This section allows you to perform LDAP queries to look for specified users and groups.

    1. Click Test LDAP authentication settings to expand this section.

    2. To test a user name, enter a user name in the LDAP user name field, and click the associated Test LDAP query button. Example:

      test_user@us.ibm.com

      If the query is successful, then a message is displayed as follows: Found LDAP User DN: <user information>. If the query is not successful, then an error message is displayed.

    3. To test a group name, enter a group name in the LDAP group name field, and click the associated Test LDAP query button. Example:

      Test Group

      If the query is successful, then a message is displayed as follows: Found LDAP Group DN: <user information>. If the query is not successful, then an error message is displayed.

You have specified an LDAP directory for external authentication when accessing the user interface. Understanding how to control user access to different areas of your environment is an important part of your security solution.
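The two settings above that carry a rule (the provider URL, where ldap:// defaults to port 389 and ldaps:// to 636, and the user search filter, where {0} is replaced by the login user ID) worked in Python as an added example. This is not appliance code: the URL parsing and the substitution are mine, and the RFC 4515 escaping of the substituted value is a defensive choice this example makes so that a login ID containing filter metacharacters is searched for literally; the page does not say how the appliance performs the substitution. Host names and filters are the page's own examples.

```python
from urllib.parse import urlsplit

# Default ports stated on the page for the two provider URL schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_provider_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// JNDI provider URL.

    Applies the page's defaults when no port is given and rejects any other
    scheme, so a mistyped URL is caught before it reaches the directory.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported provider URL scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("provider URL has no host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def uses_secure_port(url):
    """True when the URL selects LDAP over SSL (the 'secure port' in the text)."""
    return parse_provider_url(url)[0] == "ldaps"


# RFC 4515 escapes for the characters that would otherwise change the
# structure of a search filter when a login ID is spliced into it.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, login_id):
    """Replace every {0} in the filter template with the escaped login ID."""
    if "{0}" not in template:
        raise ValueError("search filter template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(login_id))


if __name__ == "__main__":
    for url in ("ldap://mycompany.com/", "ldaps://mycompany.com/", "ldaps://mycompany.com:10636/"):
        print(url, "->", parse_provider_url(url))
    # Constructed login ID to show that metacharacters stay literal.
    print(build_user_filter("(&(sAMAccountName={0})(objectcategory=user))", "jdoe"))
    print(build_user_filter("uid={0}", "o'neil)(x=*"))
```

Pair the ldaps check with the page's caveat: the directory's certificate must chain to a CA already present in the cacerts file, since the appliance does not accept self-signed certificates.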


7. REST gateway: Security configuration

To access a data grid through the REST gateway, the user must be authenticated to the WebSphere DataPower XC10 appliance, regardless of whether the data grid has security enabled. The application client must always provide a basic authorization header with the authorized user ID and password in the HTTP headers of the HTTP request. To access data grids through the REST gateway, provide the user ID and password in an authorization header.


Authentication and authorization

To access to a data grid map through the REST gateway, the user or user group must be authenticated and authorized to access the specified data grid in the URI. Even if you do not have security configured on the data grid, configure the user group you are using to communicate through the REST gateway to have all access to the data grid. The application client must provide a basic authorization header with the authorized user ID and password in the HTTP headers of the HTTP request.

Authorization: Basic <base64 encoded string of "userid:password">
For more information about the basic authorization header format, see Wikipedia: Basic access authentication.


Secured data grids

Use the REST gateway in a secured data grid configuration. To access the secured data grids, provide the user ID and password in an authorization header. The user must be authenticated and authorized to access the specified data grid in the URI.

Table 1. Secured data grids

  Permission   GET   POST   DELETE
  READ         X     -      -
  WRITE        X     -      -
  CREATE       X     X      -
  ALL          X     X      X
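The Basic authorization header described under Authentication and authorization, together with the permission-to-method mapping in the table above, as an added Python example. This is not the REST gateway's code: build_basic_auth produces the header a client must send, parse_basic_auth is the receiving side's decode, and authorize_request shows the two-stage decision (authenticate, then check the grid permission against the HTTP method). The user store and grid permissions are constructed; the "Aladdin" credential pair is the standard RFC 7617 illustration.

```python
import base64
import hmac

# Allowed HTTP methods per data grid permission, as in the page's table.
ALLOWED_METHODS = {
    "READ": {"GET"},
    "WRITE": {"GET"},
    "CREATE": {"GET", "POST"},
    "ALL": {"GET", "POST", "DELETE"},
}


def build_basic_auth(user_id, password):
    """Return the Authorization header value: Basic <base64 of "userid:password">."""
    if ":" in user_id:
        raise ValueError("a Basic-authentication user ID must not contain ':'")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Decode an Authorization header; return (user_id, password) or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user_id, sep, password = raw.partition(":")   # first colon splits; password may contain ':'
    if not sep:
        return None
    return user_id, password


def method_allowed(permission, http_method):
    """True if the grid permission permits the HTTP method (case-insensitive)."""
    return http_method.upper() in ALLOWED_METHODS.get(permission.upper(), set())


def authorize_request(headers, http_method, user_store, grid_permissions):
    """Decide a REST gateway request; returns (status, reason).

    user_store: user ID -> password (constructed stand-in for the appliance user registry)
    grid_permissions: user ID -> grid permission for the grid named in the URI
    """
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return 401, "missing or malformed Basic authorization header"
    user_id, password = creds
    expected = user_store.get(user_id)
    # Constant-time comparison; an unknown user and a wrong password look the same.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, "authentication failed"
    permission = grid_permissions.get(user_id)
    if permission is None or not method_allowed(permission, http_method):
        return 403, f"{user_id} lacks permission for {http_method.upper()} on this grid"
    return 200, "ok"


if __name__ == "__main__":
    users = {"alice": "example-password"}   # constructed
    perms = {"alice": "CREATE"}              # constructed: alice may GET and POST
    hdr = {"Authorization": build_basic_auth("alice", "example-password")}
    for method in ("GET", "POST", "DELETE"):
        print(method, authorize_request(hdr, method, users, perms))
```

Because the header is only base64, not encryption, this is also why the page's Transport security note matters: without HTTPS the user ID and password cross the network in recoverable form on every request.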


Transport security

Clients that are using the REST Gateway can use the HTTPS protocol if transport security is required. Using HTTPS instead of HTTP introduces significant additional processing burden on the WebSphere DataPower XC10 appliance to process the request.