Securing IBM WebSphere Cast Iron Appliance while integrating with Salesforce-Part V

Introduction

This article is the fifth and final part of the article series titled ‘Securing IBM WebSphere Cast Iron while integrating with Salesforce’. In this article, we will uncover the final piece of the puzzle: authenticating the incoming requests using web services.

Authenticating the user requests

Since the IBM WebSphere Cast Iron server sits in the DMZ, it is exposed to the public internet and can be reached from any device. In the previous articles we saw a couple of techniques to safeguard access to the server at various levels, from the firewall to the transport layer. At the application level, IBM WebSphere Cast Iron doesn’t provide out-of-the-box security such as ‘Authentication’ or ‘Authorization’. To overcome this limitation, this article proposes a technique: using an external web service to authenticate the client requests. ‘Authentication’ lets the web service host challenge the client for access credentials (typically, but not limited to, a user name and password) before it grants access to the integration capabilities. The authentication process generally involves standard authentication mechanisms such as Windows Authentication, Kerberos or Forms-based authentication. Covering the details of these mechanisms is out of the scope of this article. Hence this article will focus on providing a simple way to authenticate the client requests using standard web services technology.

As previously said, the IBM WebSphere Cast Iron server doesn’t provide any type of authentication or authorization capabilities out of the box. So, a simple technique to overcome this limitation is to implement the authentication and authorization services as standard web services in an external stack such as J2EE or Microsoft .NET, and to call these web services from the orchestration. These web services in turn can implement any type of authentication mechanism, from Windows to Kerberos to Forms-based, using user name/password credentials, security-token-based credentials or simply OAuth-based authentication.

This article will implement a simple web service based on .NET WCF web services technology to provide the authentication service. The Cast Iron orchestration can use this web service to authenticate the incoming requests and, based on the result, route the call, perform further integration logic or simply reject the call. The following diagram captures this flow:

[Diagram: AuthenticationProcess]

Implementation

Cast Iron Orchestration – This Cast Iron orchestration is an example of calling an authentication web service hosted in an external system. The code for the Cast Iron orchestration can be downloaded from here. The following image, taken from WebSphere Cast Iron Studio, shows the flow of the orchestration.

[Image: TestRequestWithExtAuth]

Authentication Web Service – The authentication web service is a simple .NET WCF web service that takes the security credentials as an XML dataset and returns the authentication status.

Since the article’s purpose is to demonstrate the technique, this web service doesn’t implement any particular authentication mechanism. But as the reader can observe, it is fairly easy to implement any type of authentication mechanism within this web service. The code for the .NET WCF web service can be downloaded from here.
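
The following sketch is an added example, not the author's downloadable WCF code. It shows the kind of check such a service could perform, written in Python because the article notes the service can live in any external stack. The element names (Credentials, UserName, Password, AuthenticationResult, Authenticated), the sample account and the in-memory store are assumptions; the service rejects DTDs, fails closed on malformed input and compares derived keys in constant time.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_store(users: dict) -> dict:
    """Build username -> (salt, derived key); plaintext passwords are not kept."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(password, salt))
    return store

# Constructed sample account; a real service would query a directory or database.
STORE = make_store({"sfdc-integration": "constructed-sample-secret"})
# Dummy record so unknown users cost the same work as known ones.
_DUMMY = (b"\x00" * 16, _derive("dummy", b"\x00" * 16))

def _status(ok: bool) -> str:
    root = ET.Element("AuthenticationResult")  # hypothetical response element
    ET.SubElement(root, "Authenticated").text = "true" if ok else "false"
    return ET.tostring(root, encoding="unicode")

def authenticate(request_xml: str, store: dict = STORE) -> str:
    """Return the status document; every malformed request fails closed."""
    # Refuse oversized input and DTDs (entity-expansion / XXE vectors) before parsing.
    if len(request_xml) > 4096 or "<!DOCTYPE" in request_xml.upper():
        return _status(False)
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return _status(False)
    user = root.findtext("UserName")  # hypothetical request element names
    password = root.findtext("Password")
    if root.tag != "Credentials" or not user or not password:
        return _status(False)
    known = user in store
    salt, expected = store.get(user, _DUMMY)
    # Derive and compare in constant time even for unknown users.
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return _status(known and matches)
```

The orchestration would branch on the text of the Authenticated element and reject the call on anything other than "true".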

Summary

This article series exposed the security challenges in integrating Salesforce with on-premise applications in the context of IBM WebSphere Cast Iron as the integration platform. It also explored various techniques to address these challenges, from firewall rules to transport-level authentication to a custom validation service to an external authentication service. Neither the list of security challenges nor the solutions are complete, but the series gives an idea of the security concerns in cloud to on-premise integration and various solutions to address them. The techniques explained here can be implemented with any integration platform and are not limited to IBM WebSphere Cast Iron, though the implementation details will differ.


9 thoughts on “Securing IBM WebSphere Cast Iron Appliance while integrating with Salesforce-Part V”

  1. Ram February 16, 2013 at 3:27 pm Reply

    Hi,

    Thanks for the excellent tutorial.

    Can we get a free trial of Cast Iron Studio? Please provide any links for the same.

    Regards,
    Ram

    • Hari Krishnan February 17, 2013 at 1:20 am Reply

      I believe IBM doesn’t provide a free trial of Cast Iron software. If you need to integrate with Salesforce, you may want to try Mulesoft ESB (The community edition is free).

  2. RaviPrakash March 3, 2013 at 8:42 pm Reply

    Hi Hari,

    This is Raviprakash; I am working as a Cast Iron developer. I need info about the Salesforce to .NET application (web services) orchestration. What are the required things to get from the .NET web services? As of now I have requested the WSDL. The thing is how to design the WSDL of the .NET services, as I need to transfer the lead information to the .NET application using .NET web services. Please do the needful. Thanks

    RaviPrakash
    Email:s.raviprakashreddy@gmail.com

    • Hari Krishnan March 4, 2013 at 12:08 am Reply

      Hello Ravi,
      I assume you want to consume the ‘Lead’ data in your Salesforce.com org from your on-premise .NET web service. You will need to take the WSDL (I suggest to go with enterprise WSDL, unless you build a web services framework to be consumed by your application, where you can use the partner WSDL) from Salesforce and consume it in your .NET ASMX / WCF Web Service. To do this you can follow the below steps:

      Click ‘Generate Enterprise WSDL’ under Your Name | Setup | Develop | API and then click ‘Generate’. This gets you the enterprise WSDL. Import this file into your Visual Studio and start using the API. You can find more information about using the enterprise WSDL from .NET in the following link: http://wiki.developerforce.com/page/Integrating_Force.com_with_Microsoft_.NET. There are some things you need to take extra care with; e.g., in Salesforce, datetime values are always represented as UTC, so if you need the datetime value in a different timezone, then you need to handle it.

      Regards,
      Hari Krishnan.

      • RaviPrakash March 4, 2013 at 4:33 am Reply

        Hi Hari, Thank you very much for the quick reply. The requirement is actually different from the above. I need to send Salesforce lead details to a .NET application using a .NET web service. I have done this previously using a database activity (SQL). But now my client is not allowing access to the database. He is asking me to send the data through a web service, so I have asked them for the .NET WSDL. They are asking me what should be there in the .NET WSDL to send Salesforce lead details to the .NET application.

        1) How to transfer my Salesforce lead details to the .NET application using the WSDL of .NET.
        2) I need the WSDL which should accept my Salesforce data. So the client is asking what requirements I need in the WSDL. Can you please guide me on what things I should expect from the .NET WSDL to accept my Salesforce data?

        Provide me the things I need to request from the client for the WSDL (i.e. how they can design it for me).

        Once again, thank you very much Hari. Do the needful.

  3. Sat December 6, 2013 at 7:40 pm Reply

    Hi, is it possible to use Windows authentication to connect to a SQL server database? Thanks for your time on this.

    • Hari Krishnan December 6, 2013 at 7:46 pm Reply

      I believe you are asking about using Windows Authentication to connect to SQL Server – this was not possible with the version that I worked (6.1). I’m not sure about the latest versions of Cast Iron.

  4. Poonam Sharma March 9, 2014 at 11:28 am Reply

    Hi Hari,
    I am starting my career as an IBM Cast Iron developer. I just wanted to ask you: does this tool have good future value? I was just confused whether to go for this project or not.

    • Hari Krishnan March 19, 2014 at 5:41 pm Reply

      IBM Cast Iron is used by many companies and this segment is growing. There are many similar tools (like Informatica Cloud, Mule ESB/CloudHub, Jitterbit, SnapLogic, Dell Boomi – to name a few); the tool is one thing and architecting/designing/developing solutions is another thing; the latter will always enrich your experience if you have to jump to another tool. That said, my opinion is that there are much better integration tools for a much better price, specifically when compared to the features that IBM Cast Iron offers. Anyway, I no longer work with this tool and I’m not sure about the latest capabilities of this tool.
