I am using DataPower to proxy MobileFirst Applications and AppCenter running on a WAS Liberty Profile.
While we got great results with the Mobile Apps (Hybrid apps), we are facing some strange behaviour with the AppCenter: Basically, anytime that a /j_security_check URI arrives to DataPower, the connection fails.
What we are looking at is that we do not know how to make the Server understand that there is a proxy between it and the client (I mean, like configuring Access Mappings on IIS or SharePoint web portals).
I ran a Fiddler trace and found the following difference in the HTTP Headers
HTTP 'Cookie' Header with DataPower:
Cookie: oracle.uix=0^^GMT-3:00; WASReqURL=http://:9080/appcenterconsole/console.html
HTTP 'Cookie' Header without DataPower:
Cookie: LtpaToken2=pWORZGbPV7BvEsrPzu+fz2mOdBRIByWqee2AMNjw/8k8qJS7i6HMPSnBja46sB3dYwJIy0uEyZ3k0ftQloTGGQUt+Vqu0ZDYJ1a9CDAaLYEeMj/1ZCSMSrctfIqiq6/hoRc1ayX4GkY3gEWpDwwjAEdQKc99r6XJl5VsKKglNm4sQhkbsNFx29mVLF7bp21A3jd+GrxDfS6aEZHau6H5A5Gr5o1ZvyRBQ2aQNtLWw2DZh55GzHUj8q8muBZqPZ36ORN9RXSxemwMtzLqUedJ/K6Tps3WLtqLdCXV9YmQj6V4zCBtQvLjKHoRQ1PYCNzm
I am testing the LTPA token generation in DataPower, but, in the meantime, I would like to know if there is any documentation regarding this use case.
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.1.0/com.ibm.worklight.installconfig.doc/admin/t_integrating_datapower_was_or_iberty.html
The link you pointed to is documentation that describes an example of how to configure DataPower to do LTPA token generation and proxy authentication to the Worklight Server.
You don't give enough information to tell what is causing your problem on requests that go through DataPower vs. the ones that do not go through DataPower. Typically to debug these kinds of problems you need a debug trace from DataPower, a copy of the DataPower configuration and maybe a packet trace. These things often contain confidential information so if you have an IBM support contract, I would open a PMR with Worklight and submit those items so we can help you with that.
You don't say what your time line is, but there is likely to be a sample configuration and some updated documentation about how to integrate DataPower and Worklight with in the next few weeks.
Related
We are trying to integrate Jboss application to make Web services calls, so was wondering is it a good practice to make the web services call go through a web server always instead of handling SSL stuff by Jboss ?
Have this curious idea because if we want to implement authentication and make web server handle all the certificates for SSL so that in future if Jboss is replaced with a different technology the basic SSL configuration stills remains same in web server.
I agree for incoming requests to Jboss it makes sense to go through apache, but was wondering what about outbound connections from Jboss to a different provider ?
Any thoughts is very much appreciated.
I followed the tutorial deploy and run Service Stack application on Ubuntu Linux and I got my API quickly up and running. So far it's all plain-text though. I'd like to secure the API with SSL, especially the service receiving username and password, but maybe everything.
I'm using the regular CredentialsAuthProvider together with JwtAuthProvider at the moment, if it's relevant. Using a 3rd party OAuth2/OpenID Connect would solve the login problem, but not securing the remaining contents.
Also wonder how to selectively choose which services require SSL.
The stack is: mono, nginx and HyperFastCGI (and C# ServiceStack)
You'll want to configure SSL on nginx, i.e. your external-facing Web Server. What ASP.NET Web framework you're using is irrelevant as SSL will be terminated at nginx and any downstream Web Applications will still be receiving plain-text requests.
I'm looking for a way to expose my customer's WCF Services as REST Services (and create all the security stack to support claims / oauth authentication and authorization)
I'm working on 2 different approach to do so:
Create a new REST Service which will act as a proxy to
expose my WCF Service as REST Services (11 services / 130 web methods to
migrate...) and secure it using an IP STS / RS STS
Use a existing product like Apigee which will do all those job for me and even more feature than initially planned.
I'm trying to play with Apigee first, but I'm facing an issue while creating the API Proxy.
I've deployed a simple WCF Service (with only 2 methods) on a Windows Azure VM exposed in basicHttp (which works as expected - means I test it in a Console app successfully, even when the client app is located outside my Azure's VM -).
Problem comes when I follow the Apigee workflow to expose it as a REST Service. I try to fetch service's wsdl on Apigee portal and got following error:
Error: Cannot invoke method getOperation() on null object
Does someone know where the issue come from ? I don't have much information from Apigee portal.
I already validate my wsdl through http://www.wsdl-analyzer.com/ but everything looks fine...
Meantime, Amazone webservice works fine on Apigee and generate the REST Service so problem seems to come from my service's WSDL
This bug has been fixed and will be included in the next release (R24.4). If you still have any problems with the new release, please let us know.
I recently got a similar error in the most recent version of Apigee (Version 141029).
The error: "Fetch WSDL Error: Cannot invoke method startsWith() on null object".
The fix was to rename my local file from "somename.xml" to "somename.wsdl".
The question is as simple as the title. I have a webapp (I have no clue as to what technology it was built on or what appserver it is running on). However, I do know that this webapp is being served by an Apache Server/ IIS Server / IBM Http Server. Now, I would like to have a plugin/ module / add-on at the web-server end, which would parse/truncate/cut/regex the http response (based on the requested url's pattern), and mask(encrypt/shuffle/substitute) a set of fields in this response based on different parameters(user's LDAP permissions in the intranet / user's geo-location if on the internet, etc) and send the altered response back to the user.
So, Is there an easy answer to creating such plugins/modules/add-ons? How feasible is this approach of creating extra software at the webserver, when you want to mask sensitive information in a webapp without modfying the web-app code? Are there any tools that help you do this for Apache?
And, finally, is this just a really crazy thing to try?!
Each webserver will have its own way of doing so.
There is no universal plugin architecture for webservers.
In IIS you would write an HTTP Handler or HTTP Module, or possibly an ISAPI Filter. You can also directly interact with the http response using the Response object exposed by the HttpContext.
With apache, there are different modules that can do what you want (mod_headers, for example).
I don't know anything about WebSphere, but I am certain it also has similar mechanisms.
What you are asking is required by most web applications, so would be either built in or very easy to do.
The easiest way is to add a plug-in using the web application container. For example, if it's Tomcat, you can add a filter or valve.
If you want to plug-in to the web server, you'd need to write a custom module using the API of whichever web server is being used.
If all else fails, you could always wrap the entire server in a reverse proxy. All requests would go through your proxy and that would give you the opportunity to modify the requests and the responses.
Here is my scenario:
I have a proxy that actually has the SSL Cert installed and this sits in front of a load balanced web farm. Each IIS server does not have SSL so I can't use transport security via wsHttp binding. I have not investigated basicHttp because we want to provide SOAP 1.2 going forward w/ this solution. In addition to this, my network team won't allow any use of certs to encrypt at the message level. (this alone would solve my dilemma i'm sure)
My security group has a requirement that we use Forms Authentication (membership provider).
The final solution must allow SSL via the front proxy, yet some type of WCF binding to keep complexity encapsulated in a config file.
I was working with a custom binding that allowed for username/password sent via clear text, but when I try to connect via https i get the usual "http expected" uri error.
How can I use SSL via the proxy to connect securely from client app to web service, but not have SSL installed on IIS and leverage the WCF stack + forms authentication?
I'm not new to WCF, but this very custom setup seems to have me unsure if the requirements allow for any type "easy" solution.
Thank you in advance!
EDIT: I did finally get this working and decided to write a short blog post with complete source code required to write the custom binding.
I think this is similar to a problem many have had when wanting to provide WCF services over SSL when the actual service in IIS is behind an SSL-offloading device. In which case, the following two pages should help you out:
http://blog.hackedbrain.com/archive/2006/09/26/5281.aspx
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/87a254c8-e9d1-4d4c-8f62-54eae497423f/
Basically you need to lie to WCF and say that the service is secure, even though the traffic will be conducted over HTTP (between the service and the proxy).