|
|
A service account provides a user name and password that proxy services and business services use for outbound authentication or authentication to a local or remote resource, such as an FTP server or a JMS server. For example, if a business service is required to supply a user name and password for transport-level authentication with a Web Service, you create a service account that specifies the user name and password, then you configure the business service to include the service-account credentials in its outbound requests.
The user names and passwords that you enter in service accounts are used for outbound authentication or for providing credentials to local or remote resources. The user names and passwords that you enter in the Security Configuration module of the ALSB Console are used for inbound authentication and for authenticating administrative requests. See Specifying Service Accounts.
You can use the same service account for multiple business services and proxy services. To specify the user name and password that a service account provides, you can use any of the following techniques:
Requires you to save a user name and password with the service account configuration. The service account encodes this user name and password in the outbound request.
Causes the service account to provide the user name and password that it receives from an incoming client request. For example, if an inbound HTTP BASIC request contains “pat” and “patspassword” as the user name and password, the service account encodes “pat” and “patspassword” in the outbound request.
Because this technique requires that client requests include clear-text user names and passwords, it is applicable only for client requests that use either the HTTP BASIC protocol, a Web Services Security Username Token authentication with a clear-text password, or a custom user name and password token.
BEA recommends that you use this technique only when ALSB and the endpoint belong to the same authentication domain. For example, use this technique when you are routing messages within a single organization and both ALSB and the message consumer authenticate against a common LDAP server.
The following restrictions apply to this technique:
fn-bea:lookupBasicCredentials XQuery function. For more information, see
XQuery Implementation in AquaLogic Service Bus User Guide.| Note: | If your proxy is an active WSS intermediary, you can use WS-Security to encrypt a WS-Security Username Token or custom user name/password. In this instance, user name/password pass-through works because the proxy will first decrypt the request and will then have access to the clear-text user name/password. |
Requires you to correlate (map) the user name that is the result of authenticating an inbound request from a client (the local user name) to a user name and password that you specify (the remote user name and password). When the service account receives a request from an authenticated client that has been mapped, it provides the appropriate remote user name and password for the business service or proxy service outbound request.
If the client authenticates at both transport level and message level, the service account maps the message level user name to the remote user name and password.
You can also map an anonymous user name to a remote user name and password.
The following restrictions apply to this technique:
fn-bea:lookupBasicCredentials XQuery function. For more information, see
XQuery Implementation in AquaLogic Service Bus User Guide.Creating and Configuring Business Services
Create/Edit a Proxy Service - E-Mail Transport Configuration page
Service accounts and their data participate fully in ALSB sessions: you must be in a session to create or modify a service account, and if you discard the session, the service account and its data is also discarded. When you activate a session, ALSB saves the user name, password, and other service account data in the user name/password credential mapping provider that is configured for the domain.
Click View All to remove the search filters and display all service accounts.
A unique name for the service account. Click on the name to see the View Service Account Details page. See Editing Service Accounts.
|
|
The project name and the name of the folder in which the service account resides. Click on the name to see the project or folder that contains this resource. See Qualifying Resource Names Using Projects and Folders.
|
|
Contains a
 Delete icon. If a business service or proxy service has been configured to use a service account, a  Deletion Warning icon indicates that you can delete the service account with a warning confirmation. This might result in conflicts due to unresolved references from the service to the deleted service account. See Deleting Service Accounts.
|
To create a service account that maps the user name from one or more clients to user names and passwords that you specify, do the following:
If you have not already added this user in the Security Configuration module of the ALSB Console, do so before you use this mapping in a runtime environment. See Adding Users. ALSB lets you create a mapping for a non-existent local user, but the mapping will never match an authenticated user and will never be used. |
The date and time that the user created this service account or imported it into the configuration. Click the date and time link to view the change history of this resource. See View Change History page.
|
|
The number of objects that this service account references. If such references exist, click the numeric link to view a list of the objects. See Viewing References to Resources.
|
|
The number of objects that reference this service account. If such references exist, click the numeric link to view a list of the objects. For example, if you selected this service account as the JMS service account in a proxy service with a JMS transport protocol, the proxy service is listed as a reference when you click the link. See Viewing References to Resources.
|
|
You cannot change the Resource Name field.
| Note: | If the service account that you modified is used to authenticate with a WebLogic JMS server, the JMS server might not recognize your modification for up to 60 seconds. By default, WebLogic Server JMS checks permissions for each destination every 60 seconds. To change this behavior, modify the WebLogic Server startup command so that it sets the following system property to the frequency (in seconds) that you want WebLogic Server JMS to check permissions: weblogic.jms.securityCheckInterval A value of 0 (zero) for this property ensures that a permissions check is performed for every send, receive, and getEnumeration action on a JMS resource. |
See Ensuring the Security of Your Production Environment in Securing a Production Environment, which is available at the following URL: http://e-docs.bea.com/wls/docs92/lockdown/practices.html
When you delete a service account, the user name, password, or local-user to remote-user mapping data that the service account contains is also deleted.
See Editing Business Service Configurations or Editing Proxy Service Configurations.
Delete icon in the Options field of the service account you want to delete.
The service account is deleted in the current session. If a business service or proxy service has been configured to use a service account, a Deletion Warning icon indicates that you can delete the service account with a warning confirmation. This might result in conflicts due to unresolved references from the service to the deleted service account.
|