
Webservice security using...

Raviraj 17 posts since 11 Feb, 2009 Webservice security using Username/Password 9 Aug, 2010 5:28 PM

Hello,

I am working on webservice security and I need to configure my webservice with username/password authentication and also need to make it HTTPS. I found one document on the community (shared by Carlo) which explains the whole process. I have attached the document which I am referring to. I did all the configurations and it is working fine on my local machine (both BW and Admin installed on one machine). But when I deploy it on an admin which is on a remote server (BW and admin are installed on different servers), I am getting a 401 authentication error (Authentication attempt [user=test123, deployment=testProcess_Archive, authentication_succeeded=false]). Do I need to have some configurations while deploying the project? Also, as mentioned in section 6 of the document, I have done settings for "AuthorizationDomain.properties" while running on the Designer tester; why are these settings required? Are users' credentials stored in this file? If yes, then in case of deployment do we need to set something? As per my guess our administration domain users are stored in LDAP... I saw the AuthorizationDomain.properties file on the admin server but did not find the users. Can anyone please explain how it works?

Regards, Raviraj
Attachments: Understanding WSS-2009[1].doc (1.8 MB)

Generated by Jive SBS on 2013-08-05-04:00 1

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Webservice security using Username/Password 11 Aug, 2010 11:06 AM

The deployed process is aware of its domain while a Designer is not, so you have to have an AuthorizationDomain.properties file available for Designer by copying it manually (a person using Designer can thus test against multiple domains). Either Designer or the BWengine will read this AuthorizationDomain.properties file upon being initialized and it contains access methods and credentials to use those access methods.

When a BW process has been configured to authenticate an incoming request, it will use the access method. For example, if you have DBMS configured for the domain, BW will use a JDBC call to look for users in the DBMS - if you are using non-DBMS, it will communicate via RV to TIBCO Administrator and TIBCO Administrator will use a local call to look for users in its Repo. If you have JAAS configured, the BW process will communicate to TIBCO Administrator via a secured SOAP message exchange and TIBCO Administrator will do the lookup.

If you have LDAP and a DBMS domain, BW will look at the DBMS via JDBC, and if the user is NOT found, it will check to see if LDAP is configured (that info is in the DBMS, not AuthorizationDomain.properties) - and it will connect directly to that LDAP instance. In this case, since TIBCO Administrator is not doing anything, it can be turned off (you forsake monitoring).

Now there is an additional wrinkle! For OASIS WSSE Username Token, you can pick Text or Digest. LDAP can store credentials in a wide variety of manners - plain, multiple types of hashed passphrases, and several types of encrypted passphrases. Not all of these will work with a Username Token Profile, due to the fact that it is a base64 of a SHA1 hash of a concatenation that includes the plain text passphrase. BW will hold that object in memory, LDAP will return a credential, and then BW will take the returned credential and re-create the object as it has a handle on the Timestamp and Nonce and now has the passphrase - if the passphrase is NOT in plain text, there can never be a match. If you are looking up a user in LDAP (not a user defined in TIBCO Administrator as local), check to see whether the LDAP is storing credentials in other than plain text.
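As an added example (not from the thread and not TIBCO's code), the Digest computation Carlo describes and the server-side recomputation, showing why a credential the directory stores as a hash can never match; the usernames, passwords and the `ldap_sha_credential` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_token(username, password, nonce=None, created=None):
    """Client side: the UsernameToken fields a WSSE client places in the SOAP header (Digest mode)."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username,
            "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}


def ldap_sha_credential(password):
    """Constructed: a directory userPassword stored as {SHA}base64(SHA-1(password)), not plain text."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def verify_token(token, stored_credential, seen_nonces=None):
    """Server side: recompute the digest from whatever credential the directory returned.
    Returns (ok, reason). Only a plain-text stored credential can reproduce the client's digest;
    a nonce cache (pass a set that outlives the call) rejects replays of a captured token."""
    nonce = base64.b64decode(token["Nonce"])
    seen_nonces = seen_nonces if seen_nonces is not None else set()
    if nonce in seen_nonces:
        return False, "nonce replayed"
    expected = password_digest(nonce, token["Created"], stored_credential)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        if stored_credential.startswith("{"):
            return False, "stored credential is hashed/encrypted; digest cannot be recomputed"
        return False, "digest mismatch"
    seen_nonces.add(nonce)
    return True, "ok"
```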

Raviraj 17 posts since 11 Feb, 2009 Re: Webservice security using Username/Password 11 Aug, 2010 11:58 AM in response to Carlo Milono

Thanks Carlo for the explanation. A]. I am getting the following error in my application's log file (tra/domain/mydomain/application/log/myapplogfile). The testUser is present on the domain as I used it to deploy the ear using Administrator.

BW-HTTP-100700 Authentication attempt [user=testUser, deployment=testProcess_Archive, authentication_succeeded=false]
2010 Aug 10 19:49:41:411 GMT -4 BW.test-Process_Archive Error [BW_Plugin] BW-HTTP-100000 Job-2000 Error in [Send.process/Send HTTP Request] The Http Server replied with a 4XX status code
at com.tibco.plugin.share.http.client.JakartaHttpTransportDriver$RequestExecutor.run(JakartaHttpTransportDriver.java:248)
at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(ThreadPool.java:99)
<?xml version="1.0" encoding="UTF-8"?>
<Data>
  <ns0:HttpClientException xmlns:ns0="http://schemas.tibco.com/bw/plugins/http/5.0/httpExceptions">
    <msg>The Http Server replied with a 4XX status code</msg>
    <msgCode>BW-HTTP-100000</msgCode>
    <ns1:statusLine xmlns:ns1="http://schemas.tibco.com/bw/plugins/http/5.0/cio">
      <httpVersion>HTTP/1.1</httpVersion>
      <statusCode>401</statusCode>
      <reasonPhrase>Unauthorized</reasonPhrase>
    </ns1:statusLine>
    <ns1:httpMessage xmlns:ns1="http://schemas.tibco.com/bw/plugins/http/5.0/cio">
      <headers>
        <content-length>954</content-length>
        <connection>close</connection>
        <content-type>text/html;charset=utf-8</content-type>
        <date>Tue, 10 Aug 2010 23:49:41 GMT</date>
        <server>Apache-Coyote/1.1</server>
        <www-authenticate>BASIC realm="BWRealm"</www-authenticate>
      </headers>
      <binaryContent>[base64-encoded HTML body of the Tomcat "HTTP Status 401" error page omitted]</binaryContent>
    </ns1:httpMessage>
  </ns0:HttpClientException>
</Data>

B]. Also I found another error in tibco/tra/5.6/logs/Administrator.log

2010 Jun 28 13:40:11:708 GMT -4 Error [com.tibco.administrator.command.tool.ApplicationManagement] AESDKJ-0000 [main] Domain Name myDomainName/ specified does not exist. Please make sure you have typed it correctly

C]. I have LDAP and a DBMS domain. In this case, from which file will BW get the DBMS details (url, uName, passwd)?

I am not sure what to do in this case. What I did till this time is:
1. I created a simple test project, where I tried to do simple basic authentication using the HTTP palettes.
2. I deployed the ear on the development server and found the above errors when I tried to run the sendhttprequest process.

Is there any settings required on my environment? Which log file should I see to get the error trace? Please reply.

Regards, Raviraj

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Webservice security using Username/Password 11 Aug, 2010 1:54 PM in response to Raviraj

O.K., I was a bit hasty - you are using HTTP Basic Authentication, not SOAP Username tokens.

The log entry "2010 Jun 28 13:40:11:708 GMT -4 Error [com.tibco.administrator.command.tool.ApplicationManagement] AESDKJ-0000 [main] Domain Name myDomainName/ specified does not exist. Please make sure you have typed it correctly" is an old entry.

Some questions: is "testUser" in LDAP? is your connection to LDAP via StartTLS or SSL? If LDAP is secured, you have to have the 'chain of trust' for the Server Certificate in your JRE on all machines that communicate via LDAP/s. Try with a different identity that is local to TIBCO Administrator (i.e., not in LDAP).

You can also try to do a "netstat" on a cold machine to see if the deployed project is actually making a JDBC and/or LDAP connection (you should know the machines that are participating).

Use a text editor and open up the <tibco>/tra/domain/<domain_name>/AuthorizationDomain.properties file - you will see the JDBC connection URI and credentials; as I said, the LDAP credentials are actually in the DBMS - I don't remember which table/column they reside in and I don't have a current equivalent environment to look at. You can launch the 'domainutility' to change the LDAP information and it will retrieve it for you - just abend the change.

Raviraj 17 posts since 11 Feb, 2009 Re: Webservice security using Username/Password 11 Aug, 2010 2:19 PM in response to Carlo Milono

Hello Carlo,

Thanks a lot for explaining the process in detail. I will work on it now.

Regards, Raviraj

Raviraj 17 posts since 11 Feb, 2009 Re: Webservice security using Username/Password 11 Aug, 2010 4:17 PM in response to Carlo Milono

Hello Carlo,

I have some more doubts in terms of webservice security.

What is the difference between:
1. Using webservice basic authentication by configuring the service palette (checkbox for basic authentication in the endpoint) AND using username/password authentication by configuring the policy and policy association palette?
2. Securing the webservice using the client authentication required checkbox from the HTTP connection SSL properties AND using X.509 token authentication by configuring the policy and policy association palette?

Please clarify my doubts here. Thank you,

Regards, Raviraj

Carlo Milono 1,039 posts since 29 Apr, 2008 Re: Webservice security using Username/Password 11 Aug, 2010 5:41 PM in response to Raviraj

What is the difference between:
1. Using webservice basic authentication by configuring the service palette (checkbox for basic authentication in the endpoint) AND using username/password authentication by configuring the policy and policy association palette?
<cm> You have dual authentication credentials; this could be construed as a form of multi-factor authentication if you present two different credentials. For Basic Authentication it will be in an HTTP Header (let's say 'raviraj997/$om3h@rdpassw0rd') and the other policy/policy association is going to be in the SOAP Header 'raviraj33456/pouqwe8908345890dkl' - of course, that means that everyone must have two identities. Both would authenticate in the realms of the TIBCO Administrator, one could be in a DBMS and the other in LDAP, or other combinations.</cm>
2. Securing the webservice using the client authentication required checkbox from the HTTP connection SSL properties AND using X.509 token authentication by configuring the policy and policy association palette?
<cm> This would potentially give you three levels of authentication - HTTP Basic Auth would authenticate against Admin/LDAP, X.509 may be in a distinct group from a trust perspective (authenticate in BW based on Trusted Certificates Folder), and you could have yet another CA for the X.509 used for SSL/TLS (potentially with a different Trust chain)...</cm>

If you are in a learning mode, and it seems you are, try making some simple HTTP requests from a browser to a BW project and play with some of the SSL properties. You can configure BW to make a request to the browser for a certificate (which you would have to import into the browser's keystore, and the CA of the service would need to be imported into the browser's truststore). If you further make the HTTP service request Basic Authentication, you will see the browser pop up a window and ask for credentials. This would give you some indication of how to use Basic Authentication and SSL for HTTP securitization. For WSSE, look at the BW examples - they cover quite a bit of ground. Since you read my document, another learning tool is to have a proxy that can capture/print SOAP/HTTP messages - I've used TCPMon and Paros, but there are others. Paros can terminate SSL if you have the proper certificates.
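As an added example (not from the thread and not TIBCO's code), a server-side check of the two credential layers described in point 1 above: the HTTP Basic credential from the Authorization header is verified against one realm and the wsse:UsernameToken in the SOAP header against another, so a request passes only when both identities check out. The realm contents, users and the sample envelope are constructed; the token uses PasswordText so that the two layers stay distinct.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
# Constructed stand-ins for the Administrator's DBMS realm and LDAP realm.
DBMS_REALM = {"raviraj997": "$om3h@rdpassw0rd"}
LDAP_REALM = {"raviraj33456": "pouqwe8908345890dkl"}


def basic_header(user, pw):
    """Client side: the Authorization header value for HTTP Basic Authentication."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")


def check_basic(headers, realm):
    """Layer 1: decode the Basic credential and compare it against the realm in constant time."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    stored = realm.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), pw.encode())


def check_username_token(envelope, realm):
    """Layer 2: locate wsse:UsernameToken in the SOAP header and verify a PasswordText credential."""
    tok = ET.fromstring(envelope).find(f".//{WSSE}UsernameToken")
    if tok is None:
        return False
    user, pw_el = tok.findtext(f"{WSSE}Username"), tok.find(f"{WSSE}Password")
    if user is None or pw_el is None or not pw_el.get("Type", "").endswith("#PasswordText"):
        return False  # Digest tokens need the nonce/created recomputation, not handled here
    stored = realm.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), (pw_el.text or "").encode())


def authenticate(headers, envelope):
    """Report each layer separately; the service should require both to be True."""
    return {"http_basic": check_basic(headers, DBMS_REALM),
            "soap_username_token": check_username_token(envelope, LDAP_REALM)}


SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <soap:Header><wsse:Security><wsse:UsernameToken>
  <wsse:Username>raviraj33456</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pouqwe8908345890dkl</wsse:Password>
 </wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
```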

Raviraj 17 posts since 11 Feb, 2009 Re: Webservice security using Username/Password 12 Aug, 2010 10:36 AM in response to Carlo Milono

Thanks Carlo for detail description.

Regards, Raviraj

Raviraj 17 posts since 11 Feb, 2009 Re: Webservice security using Username/Password 12 Aug, 2010 10:36 AM in response to Raviraj

Answered.