Security for the IBM SOA Policy Gateway Pattern patterns

Customers require different levels of security between WSRR and DataPower®, particularly in the area of SSL. The IBM® SOA Policy Gateway Pattern supports 3 levels of SSL communication between the configuration scripts and DataPower when using the SOA Policy Gateway Basic Runtime, SOA Policy Gateway Basic Runtime Sample, and SOA Policy Gateway Advanced Runtime patterns.

If SSL is not required

If you do not require SSL to be used, the public key and private keys for the curl client are not provided and are left as Unset.
Note: If no SSL is used, all data sent to DataPower is unencrypted, including user and password information. This presents a security vulnerability. Passwords used in SOMA calls to DataPower do not support encryption, and are therefore transported to the DataPower appliance unencrypted. Therefore, use server-side authentication at a minimum to ensure security.
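
The three SSL levels described on this page, as an added shell example (not the pattern's own configuration script): it classifies the supplied key material and prints the matching curl TLS options, refusing the no-SSL case in line with the note above. The CA certificate input, the parameter order, the host name and the file names are assumptions; only the value `Unset` comes from the page.

```shell
#!/bin/sh
# Added illustration. Parameter names, file names and the CA input are
# assumptions; only the literal value "Unset" comes from the text above.

# ssl_level CA CLIENT_CERT CLIENT_KEY -> none | server-auth | mutual | invalid
ssl_level() {
    if [ "$2" != "Unset" ] && [ "$3" != "Unset" ]; then
        # Mutual authentication still has to verify DataPower's certificate.
        [ "$1" != "Unset" ] || { echo "invalid"; return 1; }
        echo "mutual"
    elif [ "$2" != "Unset" ] || [ "$3" != "Unset" ]; then
        echo "invalid"; return 1    # half of a key pair is a misconfiguration
    elif [ "$1" != "Unset" ]; then
        echo "server-auth"
    else
        echo "none"
    fi
}

# soma_tls_args URL CA CLIENT_CERT CLIENT_KEY
# Prints the curl TLS options for a SOMA call, or refuses (status 1) when the
# SOMA password would cross the network unencrypted or unauthenticated.
soma_tls_args() {
    level=$(ssl_level "$2" "$3" "$4") || {
        echo "refused: incomplete key material" >&2; return 1; }
    if [ "$level" = "none" ]; then
        echo "refused: no SSL, password would be sent unencrypted" >&2; return 1
    fi
    case $1 in
        https://*) ;;
        *) echo "refused: URL is not https" >&2; return 1 ;;
    esac
    if [ "$level" = "mutual" ]; then
        echo "--cacert $2 --cert $3 --key $4"
    else
        echo "--cacert $2"
    fi
}

# Constructed sample configurations, one per level.
for cfg in "Unset Unset Unset" "ca.pem Unset Unset" "ca.pem client.pem client.key"; do
    set -- $cfg
    printf '%-12s %s\n' "$(ssl_level "$@")" \
        "$(soma_tls_args https://datapower.example.test/ "$@" 2>&1)"
done
```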

Mutual authentication between the DataPower applications and the scripts in the Basic and Advanced Patterns

If you require that mutual authentication occur between the DataPower applications and the scripts in the Basic and Advanced Patterns:


Last updated: Thursday, 3 July 2014
http://publib.boulder.ibm.com/infocenter/prodconn/v1r0m0/topic/com.ibm.scenarios.soawdpwsrr.doc/topics/csoa2_security.htm