WAS docs and web service security questions

Dedicated to DataStage and DataStage TX editions featuring IBM® Service-Oriented Architectures.

Moderators: chulett, rschirm

qt_ky
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

WAS docs and web service security questions

Post by qt_ky »

Hi,

I'm fairly new to web services. I have deployed several DataStage 8.5 single node parallel jobs with ISD Input and Output stages as web services using ISD 8.5 and SOAP over HTTP (actually https) with HTTP Basic Authentication. I have a few beginner questions.

There seems to be no WAS 7 documents included with Information Server 8.5. Is it useful to find WAS docs on the IBM web site? It's like a black box to me right now. Or are there WAS docs hiding somewhere on the client or server as part of a default full install of Information Server?

I have deployed web service A for customer A and web service B for customer B and these run on the same server. I've found through testing that either customer's ID and password can be used to access the other customer's web service (data that the other customer/consumer should not be able to access).

Fortunately this is all in test mode right now with no live data. I've looked through the ISD PDFs on my client and not found anything about how to secure one web service from consumers of other web services. Is that possible or is it that once a service consumer has access, they can access everything?

Thanks!
Choose a job you love, and you will never have to work a day in your life. - Confucius
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

WAS for Information Server is intended to be a black box, save for the single step of identifying the authentication method (which is documented in the Planning, Installation and Configuration Guide).

You can find out anything you need to know about WAS from the IBM web site - particularly the Information Center (for WAS).

My practical experience, however, is that you should continue to regard WAS as a black box, other than to know where it writes its logs.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
eostic
Premium Member
Posts: 3838
Joined: Mon Oct 17, 2005 9:34 am

Post by eostic »

There is no way to "isolate" ISD role based users. I will assume that you have already found the HTTP authentication check box when designing your service...this allows you to require authentication, and then have only users with an ISD Consumer Role be able to invoke them.

If you need isolation of user <---> service, I can think of two ways...one is to write a proxy service of your own that does the filtering, and the other is to manually edit the EAR file for your deployed ISD application. I believe the latter is the simpler, but it will require that you do some studying and a lot of testing.

Some of this is documented in the ISD Security manual in your standard doc set --- a couple of years ago we tested and wrote up how to edit the EAR and make adjustments (usually using RSA or other tooling) to support far more complex WS-Security configurations. Specific user authentication is a part of that.......

Not for the faint-of-heart, but definitely do-able, using normal, supported WAS techniques. It all works because ISD is using fully supported methods within WAS.

Ernie
Ernie Ostic

blogit!
<a href="https://dsrealtime.wordpress.com/2015/0 ... ere/">Open IGC is Here!</a>
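As an added illustration of the proxy option mentioned in the reply above (not code from the thread, from ISD or from WAS): a deny-by-default check that a filtering proxy could run before forwarding a request. The user names, path prefixes and function names are hypothetical; the password itself is still verified by the backend once the request is forwarded.

```python
import base64
import binascii
import posixpath
from urllib.parse import unquote

# Constructed allow-list: user name -> service path prefixes (hypothetical paths).
SERVICE_ACL = {
    "customerA": {"/services/projectA/serviceA"},
    "customerB": {"/services/projectB/serviceB"},
}

def basic_header(user, password):
    """Build a Basic Authorization header value (used for the sample requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def claimed_user(auth_header):
    """Return the user name claimed in a Basic header, or None if absent/malformed."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _ = decoded.partition(":")
    return user if sep and user else None

def normalize_path(request_path):
    """Drop the query string, decode %-escapes once, and collapse '.' and '..'."""
    path = unquote(request_path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def authorize(auth_header, request_path):
    """Return 200 (forward to the backend), 401 (no usable credentials) or 403."""
    user = claimed_user(auth_header)
    if user is None:
        return 401
    path = normalize_path(request_path)
    # Deny by default: only an exact match or a sub-path of an allowed prefix passes.
    for prefix in SERVICE_ACL.get(user, ()):
        if path == prefix or path.startswith(prefix + "/"):
            return 200
    return 403

if __name__ == "__main__":
    a = basic_header("customerA", "constructed-password")
    for p in ("/services/projectA/serviceA?wsdl", "/services/projectB/serviceB",
              "/services/projectA/serviceA/%2e%2e/%2e%2e/projectB/serviceB"):
        print(authorize(a, p), p)
```

A filter like this only isolates services if the backend accepts requests solely from the proxy; any direct route to the application server bypasses it.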
qt_ky
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

Post by qt_ky »

Thanks, Ray and Ernie, for your feedback. That's good to know that perhaps WAS should remain as a black box. I am wondering because it seems like I need more control over the web service security.

Information Server appears to have only one security role for web services, Suite Component role: ISD Consumer, and once you grant that to a user then they can access any web service in any ISD project. One grant = access to all web services.

I have gone through the Admin guide, ISD PDF guides, and online help for ISD security. I have not found a way to limit an ISD Consumer as to which web services they are allowed to access. Ernie, I was hoping you wouldn't say what you said. :) I have run across the manual EAR edit documentation you mentioned.

I think what I need sounds simple. If I use ISD project A to deploy web service A for Customer A, with confidentiality (HTTPS) and authentication (HTTP Basic), then I want only Customer A to have access to it. I need a way, ideally through the GUI, to limit web service access by ISD project (just like DataStage projects). Based on your feedback, it sounds like I need to open an enhancement request with IBM.
Choose a job you love, and you will never have to work a day in your life. - Confucius
eostic
Premium Member
Posts: 3838
Joined: Mon Oct 17, 2005 9:34 am

Post by eostic »

It's not in the GUI today.....I suppose you could open an enhancement, but really, it's not "that" hard to do. It will take time as I said, and some testing, but it's all fully supported and documented within WAS..... I haven't done it in several years since we researched and wrote that document, but I recall it being more of a learning curve with RSA than with anything else, and for this, it's possible that you could just deconstruct the EAR yourself and do the edits manually once you studied the WAS documentation. I think I deleted all the deconstructed EARs I built for that project but will check.

The one nice thing is that single EARs are deployed for each whole "application" within ISD. That means that you can play with and experiment with a single service in a single application without impacting other services or apps within ISD or within Info Server.

Do both if you can...campaign for a new feature and also research the EAR...you may have it working in short order.

Ernie
Ernie Ostic

blogit!
<a href="https://dsrealtime.wordpress.com/2015/0 ... ere/">Open IGC is Here!</a>
qt_ky
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

Post by qt_ky »

Hi Ernie,

I opened an enhancement request this morning but don't have any estimate when such a security feature could be added to the Console, like ISD project level security. This is somewhat painful to my ears as I have DataStage experience and think the security model works well there, but I'm not (as of now) a Java developer and am going to be downloading WAS documents, it sounds like, after all! You've given me a bit of confidence here.

Thank you.
Choose a job you love, and you will never have to work a day in your life. - Confucius
eostic
Premium Member
Posts: 3838
Joined: Mon Oct 17, 2005 9:34 am

Post by eostic »

The good news is that you won't have to become a Java developer....though you will ultimately be learning more about the configuration files within a WebSphere EJB application.......in the end, though, the edits are mostly textual inside of XML documents.......

Ernie
Ernie Ostic

blogit!
<a href="https://dsrealtime.wordpress.com/2015/0 ... ere/">Open IGC is Here!</a>