Solace Cloud and basic auth
For one of our projects, we want to connect an ERP platform that can push events using a webhook mechanism. We use a Solace HTTP endpoint for this. The Solace part works fine.
Challenge
The ERP platform does not allow you to use a secured endpoint. So, we can't config certs or config basic authentication. It can only initiate callbacks to HTTPS endpoints without any authentication. They use HMAC SHA256 for a hash-based message authentication code.
We at least want some form of authentication on our Solace Cloud broker before the message enters Solace and then Boomi. So, currently, we use basic auth on the test instance.
I was wondering if you can do something similar to what we can do with Boomi. You can call a Boomi HTTPS endpoint with the boomi_auth parameter, which contains the base64-encoded string of username:password:
https://connect.boomi.com/ws/simple/someAction;boomi_auth=Zm9vOmJhcgo?blah=bazz
Question: does Solace have something similar? Any other suggestions are fine.
Comments
-
Hi @sjaak ..! Just to be clear, for my understanding... you want this ERP platform to push/webhook events into Solace, without using any authentication? And you're hoping that there is some way in Solace to specify/define authentication using the URL on incoming REST messages?
2 -
Hi Aaron, we would like to use at least basic auth on the Solace side. No authentication on the Solace side is not an option. The problem is that we don't have any configuration options to call the Solace endpoint using basic auth, other than a workaround like using a URL parameter to pass the username:password as a base64-encoded string. See the Boomi example.
0 -
Looks like @sjaak wants a way to authenticate to Solace by passing the auth string as a (base64 encoded) query string parameter (using basic auth as the authentication scheme)
0 -
Right, ok. No, we currently don't have a way of doing basic auth via the URL, only via standard HTTP header. You'll need a proxy or something in between. If Boomi can do that, sounds like that could be your onramp into Solace.
Another wacky alternative (just brainstorming here) is to have a 2nd Solace Message VPN (or Cloud instance) and disable authentication completely. This would allow it to accept any inbound REST request with no authentication. Ensure the VPN is configured for (micro)Gateway REST mode. Next, code a small Solace application that is listening to the inbound URLs that you want. E.g. GET/ws/simple/someAction*. When it receives a message on that, strip out the authentication credentials and republish a new message onto your original Message VPN that has the proper basic auth. When the response comes back, your "proxy" app would just reply to whoever sent it the message. I guess, essentially this is building a proxy, but I'm thinking of it more from a messaging view than a REST view.
1 -
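The credential translation step of the proxy described in the reply above, as an added example that is not part of the original thread and not Solace or Boomi code. It assumes the proxy accepts the credential in the same `;boomi_auth=` path-parameter form as the Boomi URL in the question; the function name `translate_url_auth` is hypothetical.

```python
import base64
import binascii
from urllib.parse import urlsplit, urlunsplit

AUTH_PARAM = "boomi_auth"  # assumption: reuse the parameter name from the Boomi URL


def translate_url_auth(target):
    """Return (clean_target, headers) for the request the proxy forwards.

    Raises ValueError on a missing or malformed credential so the proxy can
    answer 401 instead of forwarding an unauthenticated request.
    """
    parts = urlsplit(target)
    path, *params = parts.path.split(";")
    token, kept = None, []
    for param in params:
        name, _, value = param.partition("=")
        if name != AUTH_PARAM:
            kept.append(param)
        elif token is not None:
            raise ValueError("duplicate credential parameter")
        else:
            token = value
    if not token:
        raise ValueError("missing credential parameter")
    # base64 carried in a URL often loses its '=' padding; restore it.
    padded = token + "=" * (-len(token) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("credential is not valid base64 text") from exc
    # `echo user:pass | base64` encodes a trailing newline (the sample token
    # in the question decodes to "foo:bar\n"); drop it before re-encoding.
    decoded = decoded.rstrip("\r\n")
    user, sep, _password = decoded.partition(":")
    if not sep or not user or any(ord(c) < 32 for c in decoded):
        raise ValueError("credential is not username:password")
    basic = base64.b64encode(decoded.encode("utf-8")).decode("ascii")
    # Rebuild the target without the credential so it is not forwarded or logged.
    clean = urlunsplit((parts.scheme, parts.netloc, ";".join([path] + kept),
                        parts.query, ""))
    return clean, {"Authorization": "Basic " + basic}


if __name__ == "__main__":
    # Constructed sample: path and token copied from the URL in the question.
    print(translate_url_auth("/ws/simple/someAction;boomi_auth=Zm9vOmJhcgo?blah=bazz"))
```

Because the credential arrives in the URL, the proxy should log only the cleaned target, never the raw request line.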
We have a Boomi proxy in between for the time being. We have whitelisted the ERP platform on the Boomi side. Which works.
Regarding your suggestion: is it possible to whitelist source systems on the Solace side? We're going to use Solace Cloud for this customer.
0 -
Regarding your suggestion: is it possible to whitelist source systems on the Solace side?
Solace has the concept of ACLs, or Access Control Lists for its client connections. There are three facets: IP address/range, publish topics, and subscribe topics. These can be configured as whitelists or blacklists.
So if the inbound IP address(es) are fairly static, you can define a whitelist in CIDR form.
1