Configuring the Policy Enforcement Point

The DataPower® appliance or instance is the Policy Enforcement Point (PEP) of the IBM® SOA Policy Gateway Pattern. Once the Application Domain is deployed, you can create the content of that domain.

Procedure

When setting up your configurations, ensure that different domain names are used on each DataPower appliance; otherwise, the ITCAM for SOA topology workspaces do not display the correct data.

Create a Web Service Proxy (WSP):

  1. From the DataPower Control Panel, click Web Service Proxy.
  2. Click Add and enter a name for the Proxy.
  3. Open the WSRR Subscription tab. In the WSRR Server list, click WSRRSVR.
  4. Provide the other information that is required, such as the Front Side Handler, the namespace, the object name, and so on, to create the configuration of the Web Service Proxy.

Create policies for the WSP:

  1. Open the Policy tab for the WSP Editor.
  2. Click Processing Rules at the appropriate level. You can either create a new rule or edit the default rule provided. The key policy action to add is the AAA Action. It handles the identification, authentication, and authorization that are central to the pattern.

    Key things that you must specify for the AAA action include the Input and Output, as well as the AAA Policy. You can create the policy while creating the AAA Policy Action, or you can create it beforehand by using the AAA editor.

    • Identification is the step where the user is identified. In the sample, two forms of identification are used. In the StoreAddLTPA XML firewall, identification uses basic authentication. In the StoreWSP firewall, identification is provided by an LTPA token.
    • Authentication is the step where the user is proved to be a user who is known to the system. There are many options to choose from. The sample shows two of them: in the first, the user is looked up in LDAP; in the second, a valid LTPA token is accepted.
    • Authorization is the step where the user is authorized to access the resource, in this case the web service operations. The following key elements must be specified to use XACML on-box PDP authorization:
      • The Method: Use XACML Authorization.
      • The XACML Version; for example, 2.0.
      • PDP Type; for example, deny based PDP.
      • Use On box PDP: On
      • The name of the PDP, which has the XACML specified.
      • Configure the PDP. For more information, see Altering the XACML PDP on DataPower.
      • The custom XSL style sheet to bind AAA and XACML: use apil-xacml-bindingnew.xsl as a starting point.

To configure the gateway to use Redaction:

  1. Modify the XACML .xml file to match the particular security policies you want to enforce for the redaction.
  2. Create an XML Firewall with an AAA action that follows the redaction sample.
  3. Modify the PDP used by that AAA action to point to the style sheet you are using to enforce redaction.
  4. Copy and modify the storeCallPDP.xsl style sheet, which creates the SOAP payload for the XACML service. In particular, make sure that the Action and Resource match your requirements for the XACML policy document you created.
  5. Make sure that your modified style sheet calls the correct port for your new XACML XML Firewall.
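To make concrete what the on-box PDP evaluates in the authorization step above, and what "the Action and Resource match" means for the XACML policy document in the redaction procedure, the following added example (not code from the pattern or from DataPower) parses a small constructed XACML 2.0 policy and applies its deny-overrides rule combining, then makes the deny-biased PEP decision. The policy, the service and operation names, and the `urn:example:role` subject attribute are assumptions; the resource-id and action-id attribute identifiers are the standard XACML ones.

```python
"""Evaluate a constructed XACML 2.0 policy subset as a deny-biased PDP/PEP would (stdlib only)."""
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
XS, EQ = "http://www.w3.org/2001/XMLSchema#string", "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ROLE = "urn:example:role"  # assumed attribute id for the role established in the AAA step
RES = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed sample policy (illustrative names, not from the pattern): clerks may
# invoke getOrder on StoreService; cancelOrder is denied to every caller.
POLICY_XML = f"""<Policy xmlns="{NS['p']}" PolicyId="store-wsp"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="permit-clerk-getOrder" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{EQ}"><AttributeValue DataType="{XS}">clerk</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS}"/></SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{EQ}"><AttributeValue DataType="{XS}">StoreService</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RES}" DataType="{XS}"/></ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{EQ}"><AttributeValue DataType="{XS}">getOrder</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACT}" DataType="{XS}"/></ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="deny-cancelOrder" Effect="Deny"><Target>
    <Actions><Action><ActionMatch MatchId="{EQ}"><AttributeValue DataType="{XS}">cancelOrder</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACT}" DataType="{XS}"/></ActionMatch></Action></Actions>
  </Target></Rule>
</Policy>"""

def rule_applies(rule, request):
    """A Rule applies when every *Match in its Target holds (string-equal against the request)."""
    for m in rule.find("p:Target", NS).iter():
        if not m.tag.endswith("Match"):
            continue
        wanted = m.find("p:AttributeValue", NS).text
        attr_id = next(c for c in m if c.tag.endswith("AttributeDesignator")).get("AttributeId")
        if request.get(attr_id) != wanted:
            return False
    return True

def pdp_decision(policy_xml, request):
    """deny-overrides: an applicable Deny wins, else Permit if one applies, else NotApplicable."""
    root = ET.fromstring(policy_xml)  # the empty policy-level <Target/> matches every request
    effects = {r.get("Effect") for r in root.iterfind("p:Rule", NS) if rule_applies(r, request)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_allows(policy_xml, request):
    """Deny-biased PEP: only an explicit Permit lets the call reach the back-end service."""
    return pdp_decision(policy_xml, request) == "Permit"
```

The request dictionary stands in for the attributes that the binding style sheet places in the XACML request; a request that matches no rule yields NotApplicable, which the deny-biased PEP treats as a denial.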


Last updated: Thursday, 3 July 2014
http://publib.boulder.ibm.com/infocenter/prodconn/v1r0m0/topic/com.ibm.scenarios.soawdpwsrr25.doc/topics/tsoa2_PEP_config.htm