XML firewalls in the sample

The following XML firewalls are defined in the sample.

StoreAddLTPA XML firewall

The StoreAddLTPA XML firewall provides a front end with a port that users can call using Basic authentication only (that is, without an LTPA token or similar). The request processing rule:
  1. Identifies the caller from the Basic authentication header.
  2. Authenticates the caller with a very simple LDAP lookup.
  3. Adds an LTPA token as part of the post-processing.
  4. Forwards the request, with the LTPA token now attached, to the StoreWSP gateway.
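The four steps above, modelled end to end as an added Python example that is not part of the IBM sample or of DataPower: the Basic header is parsed, the caller is looked up in a directory, a token is minted and the request is re-issued with the token attached. The directory contents, user names, signing key and token format are constructed assumptions. In particular the token is an HMAC-signed stand-in that plays LTPA's role (opaque, signed, time-limited) and is not the LTPA wire format, and the `LtpaToken2` cookie name is only borrowed for the forwarded request.

```python
# Added example (not from the IBM sample): the StoreAddLTPA request rule modelled
# in plain Python. The directory, its users, the key and the token format are
# constructed stand-ins; a real deployment binds to LDAP and mints a real LTPA token.
import base64
import binascii
import hashlib
import hmac
import json
import time

TOKEN_KEY = b"constructed-shared-secret-not-a-real-ltpa-key"
TOKEN_TTL_SECONDS = 600


def _pw_hash(password: str) -> str:
    # Constructed stand-in for whatever the directory stores; never plaintext.
    return hashlib.sha256(("sample-salt:" + password).encode()).hexdigest()


# Constructed stand-in for the LDAP directory: DN -> password hash.
DIRECTORY = {
    "uid=alice,ou=users,dc=store,dc=example": _pw_hash("alice-pass"),
    "uid=bob,ou=users,dc=store,dc=example": _pw_hash("p:with:colons"),
}


class AuthError(Exception):
    """Identification or authentication failed; the front end answers 401."""


def basic_header(user: str, password: str) -> str:
    """Build an RFC 7617 Basic Authorization header value (what a caller sends)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def identify_basic(headers: dict) -> tuple:
    """Step 1: extract user and password from the Basic Authorization header."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise AuthError("missing or non-Basic Authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise AuthError("malformed Basic credentials")
    # RFC 7617: split on the FIRST colon only; passwords may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise AuthError("malformed Basic credentials")
    return user, password


def authenticate_ldap(user: str, password: str) -> str:
    """Step 2: very simple lookup against the stand-in directory; returns the DN."""
    dn = f"uid={user},ou=users,dc=store,dc=example"
    stored = DIRECTORY.get(dn, _pw_hash(""))  # hash and compare even for unknown users
    if dn not in DIRECTORY or not hmac.compare_digest(stored, _pw_hash(password)):
        raise AuthError("authentication failed")
    return dn


def mint_token(dn: str, now=None) -> str:
    """Step 3: issue an HMAC-signed token carrying the DN and an expiry.
    Stand-in for LTPA (same role: opaque, signed, time-limited), not its format."""
    now = time.time() if now is None else now
    claims = {"dn": dn, "exp": int(now) + TOKEN_TTL_SECONDS}
    body = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_token(token: str, now=None):
    """What the back end does with the token: returns the DN, or None if the
    token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    return claims["dn"] if claims["exp"] > now else None


def process_request(headers: dict, body: str, now=None) -> dict:
    """The whole request rule. Success returns the request as forwarded to the
    StoreWSP gateway: Basic header dropped, token attached as the LtpaToken2
    cookie. Failure returns a 401 to the caller instead of forwarding."""
    try:
        user, password = identify_basic(headers)
        dn = authenticate_ldap(user, password)
    except AuthError as exc:
        return {"status": 401, "reason": str(exc),
                "headers": {"WWW-Authenticate": 'Basic realm="store"'}}
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    forwarded["Cookie"] = "LtpaToken2=" + mint_token(dn, now)  # step 4
    return {"status": 200, "forward_to": "StoreWSP", "headers": forwarded, "body": body}
```

Two details worth keeping when this is done on a real gateway: the Basic header must never be forwarded past the front end once the token has been issued, and the password comparison is made for unknown users as well so that response timing does not reveal which DNs exist.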

StoreMockService XML firewall

The StoreMockService is an example service that uses an XML firewall as its implementation. The findInventory, purchase, and return operations are all supported, and the response values are static. This example service exists for cases where a WebSphere® Application Server cannot be included in the pattern. Each of the three request rules of the policy uses a Matching action to identify the request operation and, on a match, responds with the static SOAP response for that operation instead of a full service implementation.
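How the three Matching rules and their static responses behave, as an added Python example that is not the sample's DataPower policy. The service namespace `http://store.example/inventory`, the canned response bodies and the requests built by `make_request` are constructed for illustration; the point shown is that the rule matches on the qualified name of the first element in the SOAP Body, and that a request matching no rule gets a SOAP Fault rather than a default answer.

```python
# Added example (not the sample's DataPower policy): the three Matching rules of
# StoreMockService modelled in Python. The service namespace, the canned
# responses and the sample requests are constructed for illustration.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
STORE_NS = "http://store.example/inventory"  # constructed service namespace

# One static SOAP body per supported operation, as each request rule returns.
STATIC_RESPONSES = {
    "findInventory": '<findInventoryResponse xmlns="{ns}"><item sku="SKU-1">12</item></findInventoryResponse>',
    "purchase": '<purchaseResponse xmlns="{ns}"><orderId>ORD-1001</orderId></purchaseResponse>',
    "return": '<returnResponse xmlns="{ns}"><accepted>true</accepted></returnResponse>',
}


def match_operation(request_xml: str):
    """The Matching action: the operation is the first element child of
    soap:Body, and it only matches if it is in the service namespace.
    Matching on the qualified name, not on a substring of the payload, keeps a
    stray 'purchase' string elsewhere in the document from selecting a rule."""
    try:
        root = ET.fromstring(request_xml)  # use defusedxml on untrusted input
    except ET.ParseError:
        return None
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return None
    body = root.find(f"{{{SOAP_NS}}}Body")
    children = list(body) if body is not None else []
    if not children or not children[0].tag.startswith("{" + STORE_NS + "}"):
        return None
    return children[0].tag[len(STORE_NS) + 2:]


def envelope(body_xml: str) -> str:
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'{body_xml}</soapenv:Body></soapenv:Envelope>')


def fault(code: str, text: str) -> str:
    return (f'<soapenv:Fault xmlns:soapenv="{SOAP_NS}"><faultcode>{code}</faultcode>'
            f'<faultstring>{escape(text)}</faultstring></soapenv:Fault>')


def make_request(operation: str, ns: str = STORE_NS) -> str:
    """Constructed client request for the given operation (for trying it out)."""
    return envelope(f'<{operation} xmlns="{ns}"><sku>SKU-1</sku></{operation}>')


def handle(request_xml: str):
    """Dispatch like the policy: a matched operation gets its static response;
    anything else (unknown operation, wrong namespace, not XML) gets a Fault."""
    op = match_operation(request_xml)
    if op not in STATIC_RESPONSES:
        return 500, envelope(fault("soapenv:Client", f"no matching operation: {op}"))
    return 200, envelope(STATIC_RESPONSES[op].format(ns=STORE_NS))


def response_operation(response_xml: str) -> str:
    """Local name of the first Body element of a response, for checking results."""
    body = ET.fromstring(response_xml).find(f"{{{SOAP_NS}}}Body")
    return list(body)[0].tag.split("}", 1)[1]
```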

StoreMockServiceAlternate XML firewall

The StoreMockServiceAlternate is an example service that uses an XML firewall as its implementation and supports the same findInventory, purchase, and return operations. This service is used to demonstrate that the routing policy is enforced.

StoreXACMLFW XML firewall

This scenario performs redaction based on the result of an XACML-based permit/deny decision. In DataPower®, there is no way to call an individual AAA action in the response flow, so a separate gateway is created to hold the XACML Policy Decision Point (PDP). The PDP is encapsulated in an AAA action on the request rule of StoreXACMLFW.

StoreXACMLFW is an XML firewall gateway in DataPower; an XML firewall is used because it is a simple way to provide the functionality. StoreXACMLFW exposes the same WSDL interface as the Tivoli® Runtime Security Services server. The StoreWSP gateway builds the XACML request and sends it, protected with SSL, to the StoreXACMLFW gateway.

The request rule of the StoreXACMLFW firewall does the following:

  1. Performs AAA, using the SSL information for authentication.
  2. Performs authorization using an on-box XACML PDP. The policy used by the PDP was originally authored in IBM® Tivoli Security Policy Manager, but it can be recreated with a standard editor; its schema is defined by the XACML specification.
  3. Requires no transformation of the request for this authorization processing.
  4. If the XACML request is valid and the AAA action succeeds, fetches a static Permit response and returns it to the client. Otherwise, the AAA action throws an exception that is handled by the error rule, which returns a Deny response to the client.
Note: The Permit/Deny/Indeterminate result is an example-level response only. Additional error information could be included in a customer-specific flow.
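The authorization steps and the Permit/Deny exception path above, together with the redaction the scenario performs on the verdict, as an added Python example that is not the sample's DataPower configuration. The XACML 2.0 context namespace, the subject-id/resource-id/action-id attribute identifiers and the status codes are the ones the XACML specification defines, and the role attribute identifier is the one from the XACML RBAC profile; the rules in `POLICY`, the role values, the `make_request` helper and the element redacted by `redact` are constructed assumptions. Step 1 (SSL-based authentication) is not modelled. The example goes one step beyond the page in that it also returns NotApplicable and Indeterminate, which the policy enforcement side treats exactly like Deny.

```python
# Added example (not the sample's DataPower configuration): a minimal XACML 2.0
# style PDP as the AAA action on StoreXACMLFW would run it, the fail-closed
# exception path, and the redaction StoreWSP applies to the verdict. The policy
# below is a constructed stand-in for the Tivoli Security Policy Manager policy.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_SYNTAX = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: (effect, roles that match, resource-id, action-id).
# Rules combine deny-overrides; a request that no rule targets is NotApplicable.
POLICY = [
    ("Permit", {"manager", "clerk"}, "inventory", "read"),
    ("Permit", {"manager"}, "inventory", "write"),
    ("Deny", {"contractor"}, "inventory", "write"),
]


def parse_request(xml_text: str) -> dict:
    """Collect AttributeId -> set of values from Subject, Resource and Action.
    Raises ValueError on anything that is not a usable XACML 2.0 Request."""
    root = ET.fromstring(xml_text)  # use defusedxml on untrusted input
    if root.tag != f"{{{CTX}}}Request":
        raise ValueError("not an XACML 2.0 Request")
    attrs = {}
    for section in ("Subject", "Resource", "Action"):
        elem = root.find(f"{{{CTX}}}{section}")
        if elem is None:
            raise ValueError(f"missing {section}")
        for attr in elem.findall(f"{{{CTX}}}Attribute"):
            aid = attr.get("AttributeId")
            values = {(v.text or "").strip() for v in attr.findall(f"{{{CTX}}}AttributeValue")}
            if not aid or not values:
                raise ValueError("Attribute without AttributeId or value")
            attrs.setdefault(aid, set()).update(values)
    return attrs


def evaluate(attrs: dict) -> str:
    """The PDP: returns Permit, Deny, NotApplicable or Indeterminate."""
    if not attrs.get(RESOURCE_ID) or not attrs.get(ACTION_ID):
        return "Indeterminate"  # the policy's targets cannot be evaluated
    roles = attrs.get(ROLE_ID, set())
    effects = {effect for effect, rule_roles, resource, action in POLICY
               if resource in attrs[RESOURCE_ID]
               and action in attrs[ACTION_ID]
               and rule_roles & roles}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def xacml_response(decision: str, status: str) -> str:
    return (f'<Response xmlns="{CTX}"><Result><Decision>{decision}</Decision>'
            f'<Status><StatusCode Value="{status}"/></Status></Result></Response>')


def decide(request_xml: str):
    """Request rule plus error rule of StoreXACMLFW: a usable request gets the
    PDP decision; a request that fails parsing or validation takes the
    exception path and is answered with Deny, so the gateway fails closed."""
    try:
        decision = evaluate(parse_request(request_xml))
    except (ET.ParseError, ValueError):
        return "Deny", xacml_response("Deny", STATUS_SYNTAX)
    return decision, xacml_response(decision, STATUS_OK)


def make_request(subject: str, roles, resource: str, action: str) -> str:
    """Constructed XACML 2.0 request, as StoreWSP would build it."""
    def attr(aid, values):
        return "".join(f'<Attribute AttributeId="{aid}" DataType="{XS_STRING}">'
                       f'<AttributeValue>{escape(v)}</AttributeValue></Attribute>'
                       for v in values)
    return (f'<Request xmlns="{CTX}"><Subject>{attr(SUBJECT_ID, [subject])}'
            f'{attr(ROLE_ID, roles)}</Subject><Resource>{attr(RESOURCE_ID, [resource])}'
            f'</Resource><Action>{attr(ACTION_ID, [action])}</Action></Request>')


def redact(document_xml: str, decision: str, ns: str, local_name: str) -> str:
    """The enforcement side: strip every {ns}local_name element unless the PDP
    said Permit. Deny, NotApplicable and Indeterminate are all treated as deny."""
    root = ET.fromstring(document_xml)
    if decision != "Permit":
        for parent in list(root.iter()):
            for child in list(parent):
                if child.tag == f"{{{ns}}}{local_name}":
                    parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

The design choice to note is in `decide` and `redact`: every failure short of an explicit Permit, whether a malformed request, a missing attribute or a policy that simply does not apply, ends in the same place as Deny, which is the behaviour the error rule on StoreXACMLFW gives the real gateway.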

Last updated: Thursday, 3 July 2014
http://publib.boulder.ibm.com/infocenter/prodconn/v1r0m0/topic/com.ibm.scenarios.soawdpwsrr.doc/topics/csoa2_sample_firewalls.htm