If a client connection to a Message VPN is successfully authenticated, access to the message broker resources and messaging capabilities within that Message VPN must be authorized for the client.
For a client to be authorized, it must provide the host message broker with a client username that matches one that is provisioned on the Message VPN to which the connection has been made. (These client usernames can either be provided by the connected client or be automatically generated for the client based on an LDAP group that it is a member of.) If the client provides a valid client username and password, the client’s connection is authorized.
Once authorized, the following two types of profiles that are assigned to the provisioned client username are then used to provide the client with its access permissions and messaging capabilities:
- Access Control List (ACL) profiles
- Client profiles
ACL profiles define whether the client is permitted to connect to the Message VPN and, if it is, assign the client permissions that set whether it can publish messages to topics and whether it can subscribe to topics. They also set whether its publish and subscribe rights are limited to an explicit range of topics. For more information, refer to Controlling Client Access with ACL Profiles.
Client profiles are sets of common configuration parameters that can be applied to groups of clients, which allows consistent configurations to be readily defined for many clients. For more information, refer to Configuring Clients with Client Profiles.
The following figure shows the basic process for authorizing an authenticated client according to the authorization properties assigned to a client username provisioned on the Message VPN.
Authorization Process Using Provisioned Client Usernames
When internal authorization is used, rather than LDAP group authorization, client usernames provisioned on the Message VPN will determine a client’s authorization. If the client provides a client username that matches a client username provisioned in the Message VPN that the client has connected to, the client and ACL profiles configured for that client username are applied to the client. If the client does not provide a client username, the message broker will attempt to apply the client username named default and the client and ACL profiles configured for that client username.
Internal authorization is the default authorization mode for Message VPNs.
The default client username account always exists on the message broker and cannot be deleted. However, by default, this account is not enabled.
After the client is bound to a client username account in the specified Message VPN, the message broker checks whether that client username account is enabled or not. If the client username account is not enabled, the client is disconnected. (The response “403 Client Username Is Shutdown” is sent before disconnecting.)
If the bound client username account is enabled, the client is then created with the properties of the client profile and ACL profile configured for the bound client username account object.
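The provisioned-client-username path described above, modelled as a small Python example. This is an added illustration, not Solace's code: the VPN, account and profile names are constructed, and the handling of a presented client username that matches no provisioned account (a case the text does not describe) is an assumption of the model.

```python
# Added example (not Solace's code): a model of the provisioned-client-username
# authorization path. Account names and profile names are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Response the broker sends before disconnecting a client bound to a shutdown account.
SHUTDOWN_RESPONSE = "403 Client Username Is Shutdown"


@dataclass(frozen=True)
class ClientUsername:
    name: str
    enabled: bool            # "no shutdown" state of the account
    client_profile: str      # client profile assigned to the account
    acl_profile: str         # ACL profile assigned to the account


@dataclass(frozen=True)
class AuthzResult:
    connected: bool
    bound_username: Optional[str] = None
    client_profile: Optional[str] = None
    acl_profile: Optional[str] = None
    response: Optional[str] = None   # response sent before a disconnect, if any


class MessageVpn:
    """Internal (non-LDAP) authorization for one Message VPN."""

    def __init__(self, name: str, client_usernames: Iterable[ClientUsername]):
        self.name = name
        self._accounts: Dict[str, ClientUsername] = {u.name: u for u in client_usernames}
        # The "default" account always exists and cannot be deleted; unless it was
        # provisioned explicitly it is present but not enabled.
        self._accounts.setdefault(
            "default", ClientUsername("default", False, "default", "default"))

    def authorize(self, presented: Optional[str]) -> AuthzResult:
        # Step 1: bind the client to an account. A presented name is matched against
        # the provisioned accounts; no name at all binds the client to "default".
        name = presented if presented else "default"
        account = self._accounts.get(name)
        if account is None:
            # The text covers only the matching and absent cases; what the broker does
            # with a presented name that matches nothing is not described, so this
            # model simply refuses to bind (assumption).
            return AuthzResult(connected=False, response="no matching client username")
        # Step 2: a bound but shutdown account means disconnect after the 403 response.
        if not account.enabled:
            return AuthzResult(connected=False, bound_username=account.name,
                               response=SHUTDOWN_RESPONSE)
        # Step 3: the client is created with the account's client and ACL profiles.
        return AuthzResult(connected=True, bound_username=account.name,
                           client_profile=account.client_profile,
                           acl_profile=account.acl_profile)


if __name__ == "__main__":
    # Constructed sample VPN: one enabled account, one shutdown account, "default" untouched.
    vpn = MessageVpn("demo-vpn", [
        ClientUsername("app-alice", True, "cp-apps", "acl-apps"),
        ClientUsername("svc-batch", False, "cp-batch", "acl-batch"),
    ])
    for presented in ("app-alice", "svc-batch", None, "nobody"):
        print(presented, vpn.authorize(presented))
```

The `None` case is the one worth checking in a real deployment: a client that sends no client username is bound to `default`, so whether `default` is enabled decides whether anonymous-style connections get in at all, and which ACL profile they get if they do.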
Related Provisioning and Configuration Information
- For information on how to configure client authentication and client profiles, refer to Client Authentication Management.
- For information on how to configure ACLs, refer to Access Control List Configuration.
Clients can also receive their authorizations based on whether they belong to specific LDAP authorization groups. Using LDAP authorization groups to authorize clients can assist network administrators that deal with large numbers of clients, especially when those clients are already configured in a corporate server, and churn frequently as employees join and leave an organization.
When LDAP authorization is enabled for the Message VPN that an authenticated client is attempting to connect to, an LDAP attribute (typically MEMBEROF) is retrieved for the client, and an LDAP lookup is made to an external LDAP server to determine the LDAP groups that the client belongs to.
Any LDAP groups that the lookup returns are compared against the LDAP authorization groups configured on the message broker, and the client is assigned the matching authorization group that is in the no shutdown state and has the highest priority.
Note: The maximum number of authorization groups that may be retrieved for a client from an external LDAP server is 128. The client will not be authorized if more authorization groups are returned.
A client username is then automatically generated for the client, and the client and ACL profiles configured for the matching group are applied to the client username that the client is bound to. These profiles provide the client with its authorizations.
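The LDAP-group path described above (attribute retrieval, comparison against the configured authorization groups, the 128-group limit, and selection of the highest-priority enabled match), as an added Python model that is not Solace's code. The group DNs, profile names and the directory entry are constructed; priority is modelled as position in the configured list with the highest-priority group first, and group names are compared as exact strings, both of which are assumptions of the model rather than statements about the broker.

```python
# Added example (not Solace's code): a model of the LDAP-group authorization path.
# Group DNs, attribute names, profile names and the LDAP entry are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

MAX_LDAP_GROUPS = 128  # limit stated in the note above


@dataclass(frozen=True)
class AuthorizationGroup:
    name: str            # group DN as configured on the broker
    enabled: bool        # "no shutdown" state
    client_profile: str
    acl_profile: str


@dataclass(frozen=True)
class LdapAuthzResult:
    authorized: bool
    group: Optional[str] = None
    client_profile: Optional[str] = None
    acl_profile: Optional[str] = None
    reason: Optional[str] = None


def groups_from_entry(entry: Dict[str, List[str]], attribute: str = "memberOf") -> List[str]:
    """Return the group DNs held in the configured membership attribute of an LDAP
    entry (a dict of attribute -> values, as a directory client would return it)."""
    # LDAP attribute names are case-insensitive, so match the configured name that way.
    for attr, values in entry.items():
        if attr.lower() == attribute.lower():
            return list(values)
    return []


def select_group(returned: Sequence[str],
                 configured: Sequence[AuthorizationGroup]) -> Optional[AuthorizationGroup]:
    """Pick the enabled configured group with the highest priority among those the
    lookup returned. Priority is modelled as position in `configured`, highest first
    (assumption). Returns None when nothing matches or the group limit is exceeded."""
    if len(returned) > MAX_LDAP_GROUPS:
        return None
    returned_set = set(returned)  # exact-string comparison; DN normalisation is not modelled
    for group in configured:
        if group.enabled and group.name in returned_set:
            return group
    return None


def authorize_ldap(entry: Dict[str, List[str]],
                   configured: Sequence[AuthorizationGroup],
                   attribute: str = "memberOf") -> LdapAuthzResult:
    """Full path: retrieve groups, enforce the limit, select a group, hand back the
    client and ACL profiles that the generated client username would carry."""
    returned = groups_from_entry(entry, attribute)
    if len(returned) > MAX_LDAP_GROUPS:
        return LdapAuthzResult(False, reason=f"{len(returned)} groups returned, limit is {MAX_LDAP_GROUPS}")
    group = select_group(returned, configured)
    if group is None:
        return LdapAuthzResult(False, reason="no enabled authorization group matches")
    return LdapAuthzResult(True, group=group.name,
                           client_profile=group.client_profile, acl_profile=group.acl_profile)


# Constructed broker configuration, highest priority first.
CONFIGURED = [
    AuthorizationGroup("cn=admins,ou=groups,dc=example,dc=com", True, "cp-admin", "acl-admin"),
    AuthorizationGroup("cn=traders,ou=groups,dc=example,dc=com", False, "cp-trade", "acl-trade"),
    AuthorizationGroup("cn=staff,ou=groups,dc=example,dc=com", True, "cp-staff", "acl-staff"),
]

if __name__ == "__main__":
    # Constructed LDAP entry for a client that is a trader and a staff member.
    entry = {"memberOf": ["cn=traders,ou=groups,dc=example,dc=com",
                          "cn=staff,ou=groups,dc=example,dc=com"]}
    print(authorize_ldap(entry, CONFIGURED))
```

Two behaviours the model makes visible: a group that is configured but shut down is skipped rather than blocking the client, so membership in a disabled group falls through to the next enabled match; and a directory entry carrying more than 128 groups is rejected outright even when one of them would otherwise match, which is the failure mode to look for when a user with very wide group membership suddenly cannot connect.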
The following figure shows the basic process for authorizing an authenticated client that belongs to a configured LDAP authorization group.
Authorization Process Using LDAP Groups