RS Gateway Basic Authentication

When RS Gateway is configured not to accept anonymous requests, clients must send a login request with a username and password.

For more information about configuring anonymous users, see the discussion about RS Gateway roles.

Security Overview

Configuring RS Gateway security includes the following steps.
  1. Configure Gateway Proxy RS Gateway credentials in /opt/mtx/conf/gateway_proxy.yaml. For more information, see the discussion about configuring the Gateway Proxy.
  2. Configure RS Gateway connection properties in rsgateway-site.yaml.

    The properties must include the credentials to connect to Gateway Proxy.

  3. Define the client RS Gateway logins and passwords in the following files:
    • matrixx.yaml
    • mtx_notifier_camel.yaml
  4. Define RS Gateway clients in the /opt/mtx/conf/rsgateway_users.yaml file.

    For more information, see the discussion about RS Gateway connection properties.

  5. Define MATRIXX Backoffice Customer Tool users in the matrixxbct_users.yaml file.
RS Gateway must be provisioned to a single domain and must only receive traffic for that domain. RS Gateway gets a request and forwards it to the Traffic Routing Agent (TRA) for delivery to the correct sub-domain to handle the request. A multi-request is delivered to the specified domain. You can specify different tenant IDs in a multi-request if all objects are in the same sub-domain. For example: 
<MtxResponseMulti>
    <ResponseList>
        <MtxResponseCreate>
            <ObjectId>0:1:5:17</ObjectId>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>FOO</TenantId>
        </MtxResponseCreate>
        <MtxResponseCreate>
            <ObjectId>0:1:5:19</ObjectId>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>BAR</TenantId>
        </MtxResponseCreate>
        <MtxResponseCreate>
            <ObjectId>0:1:5:21</ObjectId>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>FOO</TenantId>
        </MtxResponseCreate>
        <MtxResponseCreate>
            <ObjectId>0:1:5:25</ObjectId>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>BAR</TenantId>
        </MtxResponseCreate>
        <MtxResponseCreate>
            <ObjectId>0:1:5:29</ObjectId>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>FOO</TenantId>
        </MtxResponseCreate>
        <MtxResponseCreate>
            <ObjectId>0:1:5:30</ObjectId>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>BAR</TenantId>
        </MtxResponseCreate>
        <MtxResponse>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>FOO</TenantId>
        </MtxResponse>
        <MtxResponse>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>BAR</TenantId>
        </MtxResponse>
        <MtxResponse>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>FOO</TenantId>
        </MtxResponse>
        <MtxResponse>
            <Result>0</Result>
            <ResultText>OK</ResultText>
            <TenantId>BAR</TenantId>
        </MtxResponse>
    </ResponseList>
    <RouteId>1</RouteId>
    <Result>0</Result>
    <ResultText>OK</ResultText>
</MtxResponseMulti>

Basic Authentication

Figure 1 shows different RS Gateway clients and how they are authenticated using basic authentication.
Figure 1. RS Gateway Security

MATRIXX Backoffice Customer Tool and the Notification Server provide credentials for authentication by RS Gateway using YAML files.

RS Gateway uses HTTP Basic authentication to authenticate clients using login ID and password credentials.

To authenticate a session, make the following POST call:
http://address:port/rsgateway/login?username=username&password=password
RS Gateway responds with a Set-Cookie JSESSIONID. For example: 
Set-Cookie: JSESSIONID=513D75020993448D72469669E3FD83B7; Path=/rsgateway, Expires: Tue, 03 Jul 2001 06:00:00 GMT
You must use Set-Cookie in the cookie header for any subsequent requests.

Invalid credentials result in a 401 result code response as shown in the following JSON response:

{
    "resp": {
        "_resultCode": 401,
        "_resultText": "Full authentication is required to access this resource"
    }
}

If a login fails due to invalid credentials or an invalid cookie, the response is in the format (XML or JSON) of the request unless the Accept request header indicates that the client accepts JSON. If the request is in XML and the client accepts JSON, the 401 response is in JSON.

Important: The following users are defined out-of-the-box in the /WEB-INF/properties/rsgateway_users.yaml file. Do not edit this file.
  • std (This user is disabled out-of-the-box.)
  • admin (This user is disabled out-of-the-box.)
  • matrixxbct
  • notifier

For information about each of these users and their roles, see the discussion about RS Gateway roles.

Additional users must be defined in a /opt/mtx/conf/rsgateway_users.yaml file. Additional authentication can be configured in the rsgateway-extensions.yaml file. .

RS Gateway determines user authentication and authorization by reading the users in the /opt/mtx/conf/rsgateway_users.yaml file. For information about adding and deleting RS Gateway users, see the discussions about adding and deleting RS Gateway users.

Client Information

For auditing and tracking, security information passed in a SubMan API request (MtxRequest.ApiEventSecurityInfo) is copied to Event Detail Record (EDR) (MtxPrimaryEvent.ApiEventSecurityInfo) generated for the SubMan API request. Information includes:
  • The client IP address.
  • The client username.
  • The client session ID.