The DataPower® appliance or instance is the Policy Enforcement Point (PEP) of the IBM® SOA Policy Gateway Pattern. After the Application Domain is deployed, you can create the content of that domain.
Procedure
When setting up your configurations, ensure that a different domain name is used on each DataPower appliance; otherwise, the ITCAM for SOA topology workspaces do not display the correct data.
Create a Web Service Proxy (WSP):
- From the DataPower Control Panel, click Web Service Proxy.
- Click Add and enter a name for the proxy.
- Open the WSRR Subscription tab. In the WSRR Server list, click WSRRSVR.
- Provide the other information that is required, such as the Front Side Handler, the namespace, and the object name, to create the configuration of the Web Service Proxy.
Create policies for the WSP:
- Open the Policy tab of the WSP Editor.
- Click Processing Rules at the appropriate level. You can either create a new rule or edit the default rule that is provided.
The key policy action to add is the AAA Action. It handles the Identification, Authentication, and Authorization that are central to the pattern.
For the AAA action you must specify, among other things, the Input and Output and the AAA Policy. You can create the policy while you create the AAA Policy Action, or you can create it beforehand by using the AAA editor.
- Identification is the step in which the user is identified. The sample uses two forms of identification: in the StoreAddLTPA XML firewall, identification uses basic authentication; in the StoreWSP firewall, identification is provided by an LTPA token.
- Authentication is the step in which the user is proved to be a user who is known to the system. There are many options to choose from. The sample shows two: the first looks the user up in LDAP, and the second accepts a valid LTPA token.
- Authorization is the step in which the user is authorized to the resource, in this case the web service operations. To use XACML on-box PDP authorization, specify the following key elements:
  - The Method: Use XACML Authorization.
  - The XACML Version; for example, 2.0.
  - PDP Type; for example, deny based PDP.
  - Use On box PDP: On
  - The name of the PDP, which has the XACML specified.
  - Configure the PDP. For more information, see Altering the XACML PDP on DataPower.
  - The custom XSL style sheet to bind AAA and XACML: use apil-xacml-bindingnew.xsl as a starting point.
To configure the gateway to use Redaction:
- Modify the XACML .xml file to match the particular security policies that you want to enforce for the redaction.
- Create an XML Firewall with an AAA action that follows the redaction sample.
- Modify the PDP that is used by that AAA action to point to the style sheet that you are using to enforce redaction.
- Copy and modify the storeCallPDP.xsl style sheet, which creates the SOAP payload for the XACML service. In particular, make sure that the Action and Resource match your requirements for the XACML policy document that you created.
- Make sure that your modified style sheet calls the correct port for your new XACML XML Firewall.