The following XML firewalls are defined in the sample.
StoreAddLTPA XML firewall
The function of the StoreAddLTPA XML firewall is to provide a front end with a port that users can call by using only Basic authentication (that is, without an LTPA token). The request processing rule:
- Identifies with Basic authentication.
- Authenticates with a simple LDAP lookup.
- Adds an LTPA token as part of the post processing.
- Forwards the request to the StoreWSP security policy with the LTPA information now attached.
StoreMockService XML firewall
The StoreMockService is an example service that uses an XML Firewall as an implementation. The findInventory, purchase, and return operations are all supported, and the response values are static. This example service is created when it is not possible to include a WebSphere® Application Server in the pattern. The three request rules of the policy use a matching action to determine the request operation and, based on the match, respond with a static SOAP response. Static SOAP responses are provided for each request operation instead of a full service implementation.
StoreMockServiceAlternate XML firewall
The StoreMockServiceAlternate is an example service that uses an XML Firewall as an implementation. The findInventory, purchase, and return operations are all supported. This service is used to demonstrate enforcement of the routing policy.
StoreXACMLFW firewall
This scenario performs redaction based on the result of an XACML-based permit/deny mechanism. In DataPower®, there is no way to call an individual AAA action in the response flow, so a separate gateway is created to contain the XACML Policy Decision Point (PDP). This PDP is encapsulated in an AAA action on the request rule of StoreXACMLFW, which is an XML firewall gateway in DataPower. This implementation is used because it is a simple way to provide the functionality. The StoreXACMLFW firewall uses the same WSDL interface as the Tivoli® Runtime Security Services server. The StoreWSP gateway creates the request object and sends it, protected by SSL, to the StoreXACMLFW gateway.
The request rule of the StoreXACMLFW firewall does the following tasks:
- Performs AAA by using the SSL information for authentication.
- Performs authorization by using an on-box XACML PDP. The policy that is used by the PDP is originally authored in IBM® Tivoli Security Policy Manager but can be recreated by using a standard editor; the schema is defined in the XACML specification.
- No transformation of the request is necessary in this authorization processing.
- If the XACML request is valid, the request processing rule fetches a Permit response and returns it to the client. Otherwise, an exception occurs that is handled by the exception processing rule, which returns a Deny response to the client.
Note: The Permit/Deny/Indeterminate result is an example-level response only. Additional error information could be included in a customer-specific flow.
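As an added illustration (not the sample's DataPower configuration and not the Tivoli Security Policy Manager policy), the following Python PDP evaluates an XACML 2.0 Request context against a constructed role-to-operation table for the store operations and returns Permit, Deny, or Indeterminate. The role attribute id, the policy table, and the Indeterminate handling for malformed or incomplete requests are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 request context namespace and the standard action-id attribute.
NS = {"x": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID = "urn:example:subject:role"  # constructed attribute id for this example
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: which roles may invoke which store operations.
POLICY = {
    "customer": {"findInventory", "purchase"},
    "clerk": {"findInventory", "purchase", "return"},
}


def _attr(root, section, attr_id):
    """Return the single AttributeValue text for attr_id in a request section.

    Returns None when the attribute is absent or appears more than once, so a
    caller can treat an ambiguous request as Indeterminate rather than guess.
    """
    path = f"x:{section}/x:Attribute[@AttributeId='{attr_id}']/x:AttributeValue"
    values = [v.text for v in root.findall(path, NS)]
    return values[0] if len(values) == 1 else None


def decide(request_xml: str) -> str:
    """Return Permit, Deny or Indeterminate for an XACML 2.0 Request context."""
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return "Indeterminate"  # malformed request: no decision is possible
    if root.tag != f"{{{NS['x']}}}Request":
        return "Indeterminate"  # not a Request context at all
    role = _attr(root, "Subject", ROLE_ID)
    action = _attr(root, "Action", ACTION_ID)
    if role is None or action is None:
        return "Indeterminate"  # required attribute missing or duplicated
    # Unknown roles fall through to an empty set and are denied.
    return "Permit" if action in POLICY.get(role, set()) else "Deny"


def build_request(role: str, action: str) -> str:
    """Build the Request context that the calling gateway would send to the PDP."""
    return f"""<Request xmlns="{NS['x']}">
  <Subject><Attribute AttributeId="{ROLE_ID}" DataType="{XSD_STRING}">
    <AttributeValue>{role}</AttributeValue></Attribute></Subject>
  <Resource/>
  <Action><Attribute AttributeId="{ACTION_ID}" DataType="{XSD_STRING}">
    <AttributeValue>{action}</AttributeValue></Attribute></Action>
  <Environment/>
</Request>"""
```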