You are on page 1of 4

Maximo Integration Framework (MIF)

Authentication

Maximo Authentication

Maximo supports 2 authentication modes, Maximo or Application Server-based. This configuration is


done through the following System Property, mxe.useAppServerSecurity. It is set to false (0) by default.
When set to 0 (false), Maximo is using its native authentication, not J2EE (app server) authentication.

MIF Authentication

MIF Authentication (for HTTP-based integration) follows the authentication model that is set for the
Maximo application. MIF components (HTTP and non-HTTP) supporting inbound transactions require
varying configurations to enable authentication.

The Inbound MIF Integration options:

1. REST API
2. OSLC/JSON API
3. Interface Tables
4. XML/Flat file loading (UI and CRON task)
5. HTTP SOAP-based web services
6. HTTP Servlet (XML/HTTP)
7. JMS (Direct)
MIF Configuration points when using Maximo Authentication

HTTP SOAP-based Web Services

Can optionally use the default Login User (use ALLOWDFLTLOGIN in the ejb-jar.xml file)

When not using the default Login User, the request must pass the HTTP Header Property named
MAXAUTH which must contain the user:password that is base64-encoded

HTTP Servlet (XML over HTTP)

Can optionally use the default Login User (use ALLOWDFLTLOGIN in the ejb-jar.xml file)

When not using the default Login User, the request must pass the HTTP Header Property named
MAXAUTH which must contain the user:password that is base64-encoded

REST API

The request must pass the HTTP Header Property named MAXAUTH which must contain the
user:password that is base64-encoded. No support for the Default Login User.

OSLC/JSON API

The request must pass the HTTP Header Property named MAXAUTH which must contain the
user:password that is base64-encoded. No support for the Default Login User.

Flat and XML File Loading

Requires a valid user defined in the mxe.int.dfltuser system property. This is not optional and
the setting of the ALLOWDFLTLOGIN in the ejb-jar.xml file has no bearing on this behavior.

Inserting messages into a queue (inbound and outbound)

Requires the assignment of a user and password to the JNDI name for the queue.

Configure that same user and password on the queue definition in Maximo using the
Add/Modify Queues Action in the External Systems application. This allows the MIF
components that read and write to the queue to be able to access the queue.

For Continuous Queues that use the Message Driven Beans (MDBs) to consume messages, the
ejb-jar.xml deployment file must be updated with the user name assigned to the queue.

See the section, Configuring J2EE restriction for JMS queues, in the MIF section of the Maximo
Knowledge Center for more details.

Consumption of messages out of an inbound queue (processing into Maximo)

Requires a valid user defined in the mxe.int.dfltuser system property when no user is attached
to the message. This is not optional and the setting of the ALLOWDFLTLOGIN in the ejb-jar.xml
file is not applicable. See section, Other Usage of the default Login, further down in this
document for additional information.
Interface Tables

Does not support or rely on a default user. Interface Table End Point would require DB
User/Password if DB tables are secured.

Related Information

MIF Default User

HTTP SOAP and Servlet-based (XML over HTTP) integration access supports the use of the default
integration user. The default user is defined in the system property mxe.int.dfltuser with a default value
of user: MXINTADM. Access through the REST api and the OSLC JSON api does not support the use of
the default user.

The configuration to use the default integration user is in the ejb-jar.xml in the folder
c:\maximo\applications\maximo\mboejb\ejbmodule\META-INF on your Maximo Admin workstation.
There are four integration related <session> identified by the ejb-name. These are Object Structure
service, Enterprise service, Standard service and the Workflow Service. To disable the use of the default
login for each, change the <env-entry-value> of the <env-entry-name>ALLOWDFLTLOGIN</env-entry-
name> from 1 (true) to 0 (false). After the ejb-jar.xml file is updated and saved, the Maximo .ear file
needs to be rebuilt and redeployed.

NOTE: Starting in release 7.6.0.2, the default setting for <ALLOWDFLTLOGIN> is 0 (prior to this
release, the setting was 1).

Below is a snippet from the ejb-jar.xml:

Enterprise Service

<session id="Session_enterpriseservice">

<ejb-name>enterpriseservice</ejb-name>

<home>psdi.iface.gateway.MEAGatewayHome</home>

<remote>psdi.iface.gateway.MEAGateway</remote>

<local-home>psdi.iface.gateway.MEAGatewayHomeLocal</local-home>

<local>psdi.iface.gateway.MEAGatewayLocal</local>

<ejb-class>psdi.iface.gateway.MEAGatewayBean</ejb-class>

<session-type>Stateless</session-type>

<transaction-type>Container</transaction-type>

<env-entry>

<env-entry-name>ALLOWDFLTLOGIN</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>

<env-entry-value>0</env-entry-value>

</env-entry>

Object Structure Service

<session id="Session_mosservice">

<ejb-name>mosservice</ejb-name>

<session id="Session_actionservice">

<ejb-name>actionservice</ejb-name>

WorkFlow Service

<session id="Session_wfservice">

<ejb-name>wfservice</ejb-name>

With Default Login turned off, integration messages provided via HTTP must provide the MAXAUTH
HTTP header containing user:password base64-encoded.

An integration user that is authenticated has full access (create/update/delete) to object structures
since there is no authorization enabled by default.

Other Usage of the default Login

The default login user identified in mxe.int.dfltuser, is also used in the following processing:

1. Loading of files (Flat or XML) into an inbound queue either through the UI or CRON tasks.
2. Messages processing out of the inbound queues that have no user attached to them (having a
user on the queue message is determined, in part, by the configuration of system property,
mxe.int.propagateuser, that controls the propagation of the user on the inbound transaction to
the message that is saved into an inbound queue.

Given the use of the default login user, ensure that the value set in the mxe.int.dfltuser system property
is a valid Maximo User.