Webservice Security Using UsernamePassword


  • Generated by Jive SBS on 2013-08-05-04:001

    Webservice security using...

    Raviraj, 17 posts since 11 Feb, 2009
    Webservice security using Username/Password, 9 Aug, 2010 5:28 PM

    Hello,

    I am working on webservice security and I need to configure my webservice with username/password authentication and also need to make it https.

    I found one document on the community (shared by Carlo) which explains all the process. I have attached the document which I am referring to. I did all the configurations and it is working fine on my local machine (both BW and Admin installed on one machine). But when I deploy it on Admin which is on a remote server (BW and Admin are installed on different servers), I am getting a 401 authentication error (Authentication attempt [user=test123, deployment=test-Process_Archive, authentication_succeeded=false]).

    Do I need to have some configurations while deploying the project?

    Also, as mentioned in section 6 of the document, I have done settings for "AuthorizationDomain.properties" while running on the Designer tester. Why are these settings required? Are user credentials stored in this file? If yes, then in case of deployment do we need to set something?

    As per my guess, our administration domain users are stored in LDAP... I saw the AuthorizationDomain.properties file on the admin server but did not find the users??

    Can anyone please explain how it works?

    Regards,

    Raviraj

    Attachments:

    Understanding WSS-2009[1].doc (1.8 MB)

    Carlo Milono 1,039 posts since 29 Apr, 2008


    Re: Webservice security using Username/Password 11 Aug, 2010 11:06 AM

    The deployed process is aware of its domain while a Designer is not, so you have to have an AuthorizationDomain.properties file available for Designer by copying it manually (a person using Designer can thus test against multiple domains). Either Designer or the BW engine will read this AuthorizationDomain.properties file upon being initialized, and it contains access methods and credentials to use those access methods.

    When a BW process has been configured to authenticate an incoming request, it will use the access method. For example, if you have DBMS configured for the domain, BW will use a JDBC call to look for users in the DBMS - if you are using non-DBMS, it will communicate via RV to TIBCO Administrator and TIBCO Administrator will use a local call to look for users in its Repo. If you have JAAS configured, the BW process will communicate to TIBCO Administrator via a secured SOAP message exchange and TIBCO Administrator will do the lookup.

    If you have LDAP and a DBMS domain, BW will look at the DBMS via JDBC, and if the user is NOT found, it will check to see if LDAP is configured (that info is in the DBMS, not AuthorizationDomain.properties) - and it will connect directly to that LDAP instance. In this case, since TIBCO Administrator is not doing anything, it can be turned off (you forsake monitoring).

    Now there is an additional wrinkle! For OASIS WSSE Username Token, you can pick Text or Digest. LDAP can store credentials in a wide variety of manners - plain, multiple types of hashed passphrases, and several types of encrypted passphrases. Not all of these will work with a Username Token Profile, due to the fact that it is a base64 of a SHA1 hash of a concatenation that includes the plain text passphrase. BW will hold that object in memory, LDAP will return a credential, and then BW will take the returned credential and re-create the object as it has a handle on the Timestamp and Nonce and now has the passphrase - if the passphrase is NOT in plain text, there can never be a match. If you are looking up a user in LDAP (not a user defined in TIBCO Administrator as local), check to see whether the LDAP is storing credentials in other than plain text.
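    The digest mismatch described in the post above, as an added example (not code from this thread or from TIBCO): the client builds a WSSE UsernameToken PasswordDigest, and the server recomputes it from the transmitted Nonce and Created plus whatever credential the directory returned, so only a plain-text stored passphrase can ever match. The {SHA} directory encoding, the five-minute freshness window and the nonce cache are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created timestamp format


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).
    The nonce goes in as raw bytes, not in its base64 wire form."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username: str, password: str, created: str = None) -> dict:
    """Client side: the fields of a digest-mode UsernameToken."""
    nonce = secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(WSU_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def verify_username_token(token: dict, stored_credential: str, seen_nonces: set,
                          window: timedelta = timedelta(minutes=5)) -> bool:
    """Server side: recompute the digest from the transmitted Nonce and Created plus
    whatever the directory returned. Only a plain-text stored passphrase can match;
    a hashed or encrypted stored value never reproduces the client's digest."""
    created = datetime.strptime(token["Created"], WSU_FMT).replace(tzinfo=timezone.utc)
    if abs(datetime.now(timezone.utc) - created) > window:
        return False  # stale Created: reject (assumed replay window)
    if token["Nonce"] in seen_nonces:
        return False  # replayed Nonce: reject
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], stored_credential)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    seen_nonces.add(token["Nonce"])
    return True


def ldap_sha_credential(password: str) -> str:
    """Constructed stand-in for a directory that stores {SHA} hashes, not plain text."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
```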

    Raviraj, 17 posts since 11 Feb, 2009
    Re: Webservice security using Username/Password, 11 Aug, 2010 11:58 AM

    in response to Carlo Milono


    Thanks Carlo for the explanation.

    A]. I am getting the following error in my application's log file (tra/domain/mydomain/application/log/myapplogfile). The testUser is present on the domain as I used it to deploy the ear using Administrator:

    BW-HTTP-100700 Authentication attempt [user=testUser, deployment=test-Process_Archive, authentication_succeeded=false]2010 Aug 10 19:49:41:411 GMT -4 BW.test-Process_Archive Error [BW_Plugin] BW-HTTP-100000 Job-2000 Error in [Send.process/Send HTTP Request]The Http Server replied with a 4XX status code at com.tibco.plugin.share.http.client.JakartaHttpTransportDriver$RequestExecutor.run(JakartaHttpTransportDriver.java:248) at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(ThreadPool.java:99)

    The Http Server replied with a 4XX status code BW-HTTP-100000 HTTP/1.1 401 Unauthorized 954 close text/html;charset=utf-8 Tue, 10 Aug 2010 23:49:41 GMT Apache-Coyote/1.1 BASIC realm="BWRealm"


    B]. Also I found another error in tibco/tra/5.6/logs/Administrator.log

    2010 Jun 28 13:40:11:708 GMT -4 Error[com.tibco.administrator.command.tool.ApplicationManagement] AESDKJ-0000 [main] Domain Name myDomainName/ specified does not exist. Please make sure you have typed it correctly

    C]. I have LDAP and a DBMS domain. In this case, from which file will BW get the DBMS details (url, uName, passwd)?


    I am not sure what to do in this case. What I did till this time is that:

    1. I created a simple test project, where I tried to do simple basic authentication using the HTTP palettes.

    2. I deployed the ear on the development server and found the above errors while I tried to run the Send HTTP Request process.

    Are there any settings required on my environment? Which log file should I see to get the error trace?

    Please reply.

    Regards,

    Raviraj

    Carlo Milono, 1,039 posts since 29 Apr, 2008
    Re: Webservice security using Username/Password, 11 Aug, 2010 1:54 PM

    in response to Raviraj

    O.K., I was a bit hasty - you are using HTTP Basic Authentication, not SOAP Username tokens.

    The log entry "2010 Jun 28 13:40:11:708 GMT -4 Error [com.tibco.administrator.command.tool.ApplicationManagement] AESDKJ-0000 [main] Domain Name myDomainName/ specified does not exist. Please make sure you have typed it correctly" is an old entry.

    Some questions: is "testUser" in LDAP? Is your connection to LDAP via StartTLS or SSL? If LDAP is secured, you have to have the 'chain of trust' for the Server Certificate in your JRE on all machines that communicate via LDAP/s. Try with a different identity that is local to TIBCO Administrator (i.e., not in LDAP).


    You can also try to do a "netstat" on a cold machine to see if the deployed project is actually making a JDBC and/or LDAP connection (you should know the machines that are participating).

    Use a text editor and open up the /tra/domain//AuthorizationDomain.properties file - you will see the JDBC connection URI and credentials; as I said, the LDAP credentials are actually in the DBMS - I don't remember which table/column they reside in and I don't have a current equivalent environment to look at. You can launch the 'domainutility' to change the LDAP information and it will retrieve it for you - just abend the change.

    Raviraj, 17 posts since 11 Feb, 2009
    Re: Webservice security using Username/Password, 11 Aug, 2010 2:19 PM

    in response to Carlo Milono

    Hello Carlo,

    Thanks a lot for explaining the process in detail.

    I will work on it now.

    Regards,

    Raviraj

    Raviraj, 17 posts since 11 Feb, 2009
    Re: Webservice security using Username/Password, 11 Aug, 2010 4:17 PM

    in response to Carlo Milono

    Hello Carlo,

    I have some more doubts in terms of webservice security.


    What is the difference between:

    1. Using webservice basic authentication by configuring the service palette (checkbox for basic authentication in endpoint) AND using username/passwd authentication by configuring the policy and policy association palette?

    2. Securing the webservice using the client authentication required checkbox from the HTTP connection SSL properties AND using X509 token authentication by configuring the policy and policy association palette?

    Please clarify my doubts here.

    Thank you,

    Regards,

    Raviraj

    Carlo Milono, 1,039 posts since 29 Apr, 2008
    Re: Webservice security using Username/Password, 11 Aug, 2010 5:41 PM

    in response to Raviraj

    What is the difference between: 1. Using webservice basic authentication by configuring the service palette (checkbox for basic authentication in endpoint) AND using username/passwd authentication by configuring the policy and policy association palette?

    You have dual authentication credentials; this could be construed as a form of multi-factor authentication if you present two different credentials. For Basic Authentication it will be in an HTTP Header (let's say 'raviraj997/$om3h@rdpassw0rd') and the other policy/policy association is going to be in the SOAP Header 'raviraj33456/pouqwe8908345890dkl' - of course, that means that everyone must have two identities. Both would authenticate in the realms of the TIBCO Administrator, one could be in a DBMS and the other in LDAP, or other combinations.

    2. Securing webservice using the client authentication required checkbox from the HTTP connection SSL properties AND using X509 token authentication by configuring the policy and policy association palette?

    This would potentially give you three levels of authentication - HTTP Basic Auth would authenticate against Admin/LDAP, X.509 may be in a distinct group from a trust perspective (authenticate in BW based on Trusted Certificates Folder), and you could have yet another CA for the X.509 used for SSL/TLS (potentially with a different Trust chain)... If you are in a learning mode, and it seems you are, try making some simple HTTP requests from a browser to a BW project and play with some of the SSL properties. You can configure BW to make a request to the browser for a certificate (which you would have to import into the browser's keystore, and the CA of the service would need to be imported into the browser's truststore). If you further make the HTTP service request Basic Authentication, you will see the browser pop up a window and ask for credentials. This would give you some indication of how to use Basic Authentication and SSL for HTTP securitization. For WSSE, look at the BW examples - they cover quite a bit of ground. Since you read my document, another learning tool is to have a proxy that can capture/print SOAP/HTTP messages - I've used TCPMon and Paros, but there are others. Paros can terminate SSL if you have the proper certificates.

    Raviraj, 17 posts since 11 Feb, 2009
    Re: Webservice security using Username/Password, 12 Aug, 2010 10:36 AM

    in response to Carlo Milono

    Thanks Carlo for the detailed description.

    Regards,

    Raviraj

    Raviraj, 17 posts since 11 Feb, 2009
    Re: Webservice security using Username/Password, 12 Aug, 2010 10:36 AM

    in response to Raviraj

    Answered.