Maximo Integration Framework (MIF)

Authentication

Maximo Authentication

Maximo supports two authentication modes: Maximo (native) or Application Server-based. The mode is configured through the System Property mxe.useAppServerSecurity, which is set to 0 (false) by default. When set to 0 (false), Maximo uses its native authentication, not J2EE (app server) authentication.

MIF Authentication

MIF Authentication (for HTTP-based integration) follows the authentication model that is set for the Maximo application. MIF components (HTTP and non-HTTP) supporting inbound transactions require varying configurations to enable authentication.

The Inbound MIF Integration options:

  1. REST API
  2. OSLC/JSON API
  3. Interface Tables
  4. XML/Flat file loading (UI and CRON task)
  5. HTTP SOAP-based web services
  6. HTTP Servlet (XML/HTTP)
  7. JMS (Direct)

MIF Configuration points when using Maximo Authentication

HTTP SOAP-based Web Services

Can optionally use the default Login User (use ALLOWDFLTLOGIN in the ejb-jar.xml file).

When not using the default Login User, the request must pass the HTTP Header Property named MAXAUTH, which must contain the base64-encoded user:password.

HTTP Servlet (XML over HTTP)

Can optionally use the default Login User (use ALLOWDFLTLOGIN in the ejb-jar.xml file).

When not using the default Login User, the request must pass the HTTP Header Property named MAXAUTH, which must contain the base64-encoded user:password.

REST API

The request must pass the HTTP Header Property named MAXAUTH which must contain the user:password that is base64-encoded. No support for the Default Login User.

OSLC/JSON API

The request must pass the HTTP Header Property named MAXAUTH which must contain the user:password that is base64-encoded. No support for the Default Login User.

Flat and XML File Loading

Requires a valid user defined in the mxe.int.dfltuser system property. This is not optional and the setting of the ALLOWDFLTLOGIN in the ejb-jar.xml file has no bearing on this behavior.

Inserting messages into a queue (inbound and outbound)

Requires the assignment of a user and password to the JNDI name for the queue.

Configure that same user and password on the queue definition in Maximo using the Add/Modify Queues Action in the External Systems application. This allows the MIF components that read and write to the queue to be able to access the queue.

For Continuous Queues that use the Message Driven Beans (MDBs) to consume messages, the ejb-jar.xml deployment file must be updated with the user name assigned to the queue.

See the section, Configuring J2EE restriction for JMS queues, in the MIF section of the Maximo Knowledge Center for more details.

Consumption of messages out of an inbound queue (processing into Maximo)

Requires a valid user defined in the mxe.int.dfltuser system property when no user is attached to the message. This is not optional and the setting of the ALLOWDFLTLOGIN in the ejb-jar.xml file is not applicable. See section, Other Usage of the default Login, further down in this document for additional information.

Interface Tables

Does not support or rely on a default user. Interface Table End Point would require DB User/Password if DB tables are secured.


Related Information

MIF Default User

HTTP SOAP and Servlet-based (XML over HTTP) integration access supports the use of the default integration user. The default user is defined in the system property mxe.int.dfltuser with a default value of user: MXINTADM. Access through the REST API and the OSLC/JSON API does not support the use of the default user.

The configuration to use the default integration user is in the ejb-jar.xml in the folder c:\maximo\applications\maximo\mboejb\ejbmodule\META-INF on your Maximo Admin workstation. There are four integration-related <session> elements, each identified by its ejb-name. These are the Object Structure service, Enterprise service, Standard service and the Workflow service. To disable the use of the default login for each, change the <env-entry-value> of the <env-entry-name>ALLOWDFLTLOGIN</env-entry-name> from 1 (true) to 0 (false). After the ejb-jar.xml file is updated and saved, the Maximo .ear file needs to be rebuilt and redeployed.

NOTE: Starting in release 7.6.0.2, the default setting for <ALLOWDFLTLOGIN> is 0 (prior to this release, the setting was 1).

Below is a snippet from the ejb-jar.xml:

Enterprise Service

  <session id="Session_enterpriseservice">
    <ejb-name>enterpriseservice</ejb-name>
    <home>psdi.iface.gateway.MEAGatewayHome</home>
    <remote>psdi.iface.gateway.MEAGateway</remote>
    <local-home>psdi.iface.gateway.MEAGatewayHomeLocal</local-home>
    <local>psdi.iface.gateway.MEAGatewayLocal</local>
    <ejb-class>psdi.iface.gateway.MEAGatewayBean</ejb-class>
    <session-type>Stateless</session-type>
    <transaction-type>Container</transaction-type>
    <env-entry>
      <env-entry-name>ALLOWDFLTLOGIN</env-entry-name>
      <env-entry-type>java.lang.String</env-entry-type>
      <env-entry-value>0</env-entry-value>
    </env-entry>

Object Structure Service

  <session id="Session_mosservice">
    <ejb-name>mosservice</ejb-name>

Standard Service

  <session id="Session_actionservice">
    <ejb-name>actionservice</ejb-name>

Workflow Service

  <session id="Session_wfservice">
    <ejb-name>wfservice</ejb-name>

With Default Login turned off, integration messages provided via HTTP must provide the MAXAUTH HTTP header containing user:password base64-encoded.

An integration user that is authenticated has full access (create/update/delete) to object structures since there is no authorization enabled by default.
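An added example (not IBM's code and not part of the original page): a Python check that reads an ejb-jar.xml and reports the ALLOWDFLTLOGIN state of the four integration session beans described above, so the descriptor can be verified before the .ear is rebuilt and redeployed. The sample XML is constructed, and reporting any value other than 0 or 1 as "unrecognized" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# ejb-name values of the four integration session beans named on this page.
INTEGRATION_BEANS = ("enterpriseservice", "mosservice", "actionservice", "wfservice")

# Constructed sample input, trimmed to the elements the audit reads.
SAMPLE_EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"><enterprise-beans>
  <session id="Session_enterpriseservice">
    <ejb-name>enterpriseservice</ejb-name>
    <env-entry>
      <env-entry-name>ALLOWDFLTLOGIN</env-entry-name>
      <env-entry-value>0</env-entry-value>
    </env-entry>
  </session>
  <session id="Session_mosservice">
    <ejb-name>mosservice</ejb-name>
    <env-entry>
      <env-entry-name>ALLOWDFLTLOGIN</env-entry-name>
      <env-entry-value>1</env-entry-value>
    </env-entry>
  </session>
  <session id="Session_wfservice"><ejb-name>wfservice</ejb-name></session>
</enterprise-beans></ejb-jar>"""


def _local(tag):
    """Drop any XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first direct child called name, or None."""
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)


def audit_default_login(xml_text):
    """Map each integration ejb-name to enabled/disabled/unrecognized/missing."""
    report = dict.fromkeys(INTEGRATION_BEANS, "missing")  # bean or entry absent
    for sess in ET.fromstring(xml_text).iter():
        name = _child_text(sess, "ejb-name")
        if _local(sess.tag) != "session" or name not in report:
            continue
        for entry in sess:
            if _child_text(entry, "env-entry-name") == "ALLOWDFLTLOGIN":
                value = _child_text(entry, "env-entry-value")
                # Assumption: only the page's 1 (true) and 0 (false) are recognized.
                report[name] = {"1": "enabled", "0": "disabled"}.get(value, "unrecognized")
    return report


if __name__ == "__main__":
    for bean, state in audit_default_login(SAMPLE_EJB_JAR).items():
        print(f"{bean:18} ALLOWDFLTLOGIN {state}")
```

A result of "enabled" means that service still accepts requests without a MAXAUTH header and processes them as the mxe.int.dfltuser account; "missing" or "unrecognized" calls for a manual look at the descriptor.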

Other Usage of the default Login

The default login user identified in mxe.int.dfltuser is also used in the following processing:

  1. Loading of files (Flat or XML) into an inbound queue either through the UI or CRON tasks.
  2. Processing of messages out of the inbound queues that have no user attached to them. Whether a user is attached to the queue message is determined, in part, by the system property mxe.int.propagateuser, which controls the propagation of the user on the inbound transaction to the message that is saved into an inbound queue.

Given the use of the default login user, ensure that the value set in the mxe.int.dfltuser system property is a valid Maximo User.