Good afternoon!
I was successful at setting a basic HTTP authentication connection for a service endpoint (using REST as binding) and would like to configure the endpoint to use Digest Authentication.
When I do that there is an additional authentication header included that the server accepts listed as opaque to which I've given it a specific value for the connection to go through. How do I configure the service endpoint aside from setting the Security Model to HTTPDigest and having the client credentials set up in the security? Would I need to create a custom header via a business process?
Please let me know what would be the most efficient way to go about it. Thank you in advance!
All you should need to do is:
1. Create the credential in the Security section of Neuron ESB Explorer
2. Create a Service Endpoint
3. Select HttpDigest as the security model
4. Enable the Service Connector, set the subscriber ID and URL, and select the credential from the Client Credentials dropdown list.
Neuron will automatically add the appropriate HTTP header for this. Are you seeing an error? Can you send that?
Joe
Hey Joe,
Thanks for helping me with this. I had done all the steps you mentioned but somehow, yes, I get the following error:
My understanding is that it requires an authentication value for opaque within the header: (which is set to $modded! on the listener channel with proper matching username and password).
Maybe I don't understand what you need. Do you have an example of a raw request that works with the service? Actually, it would be helpful if you could send one that works and one from Neuron. You can use Fiddler to capture both.
Joe
Hey Joe,
I'm currently using Insomnia for the direct raw request that works with the service. The service is on a server and is configured with the Digest Authentication type for HTTP Authentication. It has both the auth and auth-int QOP modes selected, and both the MD5 and MD5-sess algorithm settings.
Opaque value = $modded!
Username and Password match with the raw request.
I've uploaded a doc that captures both the FHIR listener and the raw request from Insomnia.
Let me know if you need more details.
Hey Joe,
I think the basic issue we are experiencing is with trying to set non-Windows Domain username/password credentials for the Digest Authentication. I noticed when working on the service endpoint that it only allows you to select a Windows Domain credential under Client Credentials.
I also noticed that in the proxy settings there is a custom credentials option. I set the Digest Authentication credentials there, but I'm not sure if there are additional steps to take for this to work.
Hi Joe,
We're still having an issue getting digest auth working for this service connector. Here's the working exchange when we send from the third-party Insomnia tool (captured in Fiddler).
***server response to initial request***
HTTP/1.1 401 Unauthorized
Date: Tue, 11 Jul 2017 22:33:14 GMT
WWW-Authenticate: Digest qop="auth-int,auth", opaque="ac27f35a-4d39-4677-a5f1-5ef51878369e", domain="/fhir/Patient/", realm="My Realm", nonce="QUUyUKEKo76CtggY+5ze4YP7kGRPK/SV", algorithm="MD5,MD5-sess"
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 294
Server: Jetty(9.2.14.v20151106)
***return client request***
POST http://localhost:89/fhir/Patient/ HTTP/1.1
Host: localhost:89
Authorization: Digest username="admin",realm="My Realm",nonce="QUUyUKEKo76CtggY+5ze4YP7kGRPK/SV",uri="/fhir/Patient/",cnonce="5232edfc4157263cf3b31f358c41757d",nc=00000001,algorithm=MD5-sess,response="99c9c7463ef69be62df5f1604051687f",qop="auth",opaque="ac27f35a-4d39-4677-a5f1-5ef51878369e"
User-Agent: insomnia/5.5.2
Accept: */*
Accept-Encoding: deflate, gzip
Connection: Keep-Alive
Content-Type: application/xml
Content-Length: 12981
When Neuron tries to send, I see a similar initial server response, but I do not see a follow-up return request from Neuron. I'm just looking at the event logs, though. I've not been able to proxy Neuron to Fiddler properly to see the traffic directly (I've tried setting a custom proxy in the service connector, but no luck). Do you have any ideas?
Our settings for the service connector Security tab are:
Security Model: HttpDigest
Server Identity Type: None
It may be that we are not setting the client credentials properly though. We are not using a Windows credential, we're using a Username/Password, however it doesn't appear that Non-Windows credentials appear in the drop-down in the Service Connector tab, so we are setting it in the Proxy Setting tab where it does appear. Is this correct?
Thanks.
Marc
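Added example, not part of the original thread and not Neuron ESB or WCF code: a minimal Python sketch of how a client answers the challenge captured above under RFC 2617 with qop=auth, echoing the server-issued opaque value unchanged. The function names are hypothetical, and cnonce is passed in so the result is reproducible (a real client generates it randomly).

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Split a 'Digest k="v", k=v' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def choose(offered, preferred):
    """Pick one token from a comma-separated offer such as "MD5,MD5-sess"."""
    tokens = [t.strip() for t in offered.split(",")]
    for candidate in preferred:
        if candidate in tokens:
            return candidate
    raise ValueError(f"nothing usable in {offered!r}")

def digest_fields(challenge, method, uri, user, password, cnonce, nc=1):
    """Return the Authorization parameters answering one challenge (qop=auth)."""
    c = parse_challenge(challenge)
    algorithm = choose(c.get("algorithm", "MD5"), ["MD5-sess", "MD5"])
    qop = choose(c["qop"], ["auth"])  # auth-int also hashes the body; not shown
    nc_hex = f"{nc:08x}"
    ha1 = md5_hex(f"{user}:{c['realm']}:{password}")
    if algorithm == "MD5-sess":  # session variant folds both nonces into HA1
        ha1 = md5_hex(f"{ha1}:{c['nonce']}:{cnonce}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{c['nonce']}:{nc_hex}:{cnonce}:{qop}:{ha2}")
    fields = {"username": user, "realm": c["realm"], "nonce": c["nonce"],
              "uri": uri, "cnonce": cnonce, "nc": nc_hex, "qop": qop,
              "algorithm": algorithm, "response": response}
    if "opaque" in c:  # server-issued; the client only echoes it back
        fields["opaque"] = c["opaque"]
    return fields

def authorization_header(fields):
    bare = {"nc", "qop", "algorithm"}  # sent unquoted per RFC 2617
    return "Digest " + ", ".join(
        f"{k}={v}" if k in bare else f'{k}="{v}"' for k, v in fields.items())

# Challenge copied from the capture above, as sample input for the functions.
CHALLENGE = ('Digest qop="auth-int,auth", opaque="ac27f35a-4d39-4677-a5f1-5ef51878369e", '
             'domain="/fhir/Patient/", realm="My Realm", '
             'nonce="QUUyUKEKo76CtggY+5ze4YP7kGRPK/SV", algorithm="MD5,MD5-sess"')
```

This challenge offers algorithm as a comma-separated list, which the sketch splits; RFC 2617 defines algorithm as a single token, so a client that does not split the list sees one unrecognised algorithm name.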
Is the service you are calling on the local machine? If that's the case, then for Fiddler to work, the custom proxy address must be 127.0.0.1, and the service connector URL must be the machine name and not localhost.
You won't see the challenge/response exchange as that is handled by WCF under the covers.
Have you tried calling this service with a WCF client? What does the binding look like?
Thanks Joe.
Yes, everything is running local. I was able to get the proxy working for Fiddler to see the Neuron traffic. I can see Neuron sending out a 2nd request in response to the Unauthorized 401 response from the service, but the return request looks identical to the original; no Authorization property is added to the header.
Here's the exchange:
Outbound request from Neuron:
PUT http://a2it201106:89/fhir/Patient/fs138 HTTP/1.1
Accept: application/xml+fhir
Accept-Encoding: deflate, gzip
User-Agent: insomnia/5.5.2
Content-Type: application/xml+fhir
Prefer: return=representation
If-Match: W/"id338"
Host: a2it201106:89
Content-Length: 14539
Expect: 100-continue
Connection: Close
Service response:
HTTP/1.1 401 Unauthorized
Date: Wed, 12 Jul 2017 16:21:15 GMT
WWW-Authenticate: Digest qop="auth-int,auth", opaque="5db89e70-f70d-465d-a311-b5649f9b1db1", domain="/fhir/Patient/fs138", realm="My Realm", nonce="vKqqXcgM8T1wxFpAec1Xuf3EXK411wl+", algorithm="MD5,MD5-sess"
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 299
Connection: close
Server: Jetty(9.2.14.v20151106)
2nd outbound request from Neuron:
PUT http://a2it201106:89/fhir/Patient/fs138 HTTP/1.1
Accept: application/xml+fhir
Accept-Encoding: deflate, gzip
User-Agent: insomnia/5.5.2
Content-Type: application/xml+fhir
Prefer: return=representation
If-Match: W/"id339"
Host: a2it201106:89
Content-Length: 14539
Expect: 100-continue
Connection: Close
We haven't been able to test with WCF, and the MS WCFTestClient tool doesn't work with connecting to RESTful services, unfortunately.
Appreciate any ideas you may have.
FYI, HttpBasic authentication is working fine with the service.
Thanks.
Marc
Marc,
I have been able to verify Neuron can call a REST service using digest authentication when the target service is also WCF. The initial challenge response is different:
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1c247b269c4eb19e23251585aa5a9f7dda645eb6b94fcd201e5fe963ad9af4d7149b4f98806c6fd6b28f6c0a13f7a14b4dafc19a7ef0c7299",charset=utf-8,realm="Digest"
Date: Fri, 14 Jul 2017 11:29:13 GMT
My guess is there may be a WCF-Java interop issue here. Could you please see if you can successfully call this REST service with a WCF client?
Thanks,
Joe