The following XML firewalls are defined in the sample.
StoreAddLTPA XML firewall
The function of the StoreAddLTPA XML firewall is to provide a front end, on its own port, that
users can call with only HTTP Basic authentication (that is, without an LTPA
token or a similar credential). The request processing rule:
- Extracts the identity from the Basic authentication header.
- Authenticates that identity with a simple LDAP lookup.
- Adds an LTPA token as part of the post processing.
- Forwards the request to the StoreWSP gateway with the
LTPA token now attached.
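The first two steps of that rule, the identity extraction and the LDAP lookup, are where a front end that accepts Basic authentication is most often got wrong: the user name taken from the header ends up inside an LDAP search filter. The following is an added example (not code from the sample pattern, and not DataPower configuration) that parses the Authorization header, rejects malformed headers, and escapes the user name per RFC 4515 before building the filter. The `uid` attribute name and the sample headers are assumptions constructed for the example; LTPA token generation is DataPower's own and is not reproduced here.

```python
import base64
import binascii

# Constructed sample headers; not captured from the sample pattern.
GOOD_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
INJECTION_HEADER = "Basic " + base64.b64encode(b"*)(uid=*:x").decode("ascii")

# RFC 4515 escapes for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, or None.

    None covers every failure mode the identity step must reject: missing header,
    non-Basic scheme, undecodable base64, non-UTF-8 bytes, and a credential
    string without the ':' separator. The password may itself contain ':'.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def ldap_filter_escape(value):
    """Escape a string for safe interpolation into an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(user, attribute="uid"):
    """Build the lookup filter; the 'uid' attribute name is an assumption."""
    return "(%s=%s)" % (attribute, ldap_filter_escape(user))


def identify(header):
    """Identity step: header -> (LDAP search filter, password), or None when rejected."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    return user_search_filter(user), password


if __name__ == "__main__":
    print(identify(GOOD_HEADER))
    print(identify(INJECTION_HEADER))
    print(identify("Bearer abc"))
```

Without the escaping, the second constructed header would turn the lookup filter into `(uid=*)(uid=*)`, which a lenient directory may evaluate as a wildcard match; with it, the metacharacters are literal and the lookup simply fails for a user that does not exist.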
StoreMockService XML firewall
The StoreMockService is an example service that uses an XML Firewall as its
implementation. The findInventory, purchase, and return operations are all supported, and
the response values are static. This example service exists for cases where
it is not possible to include a WebSphere® Application
Server in the pattern. Each of the three request rules in the policy uses a
matching action to identify the request operation; on a match, the rule
returns a static SOAP response for that operation instead of running a full
service implementation.
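The dispatch the three request rules perform, match on the operation and answer with a canned SOAP body, is shown below as an added example, not code from the sample pattern. It reads the operation as the local name of the first child of the SOAP 1.1 Body (the usual way a matching action on a SOAP request identifies the operation), returns a static response for the three known operations, and returns a SOAP Fault for anything else, which the sample's description does not cover but a usable mock needs. The store namespace and the response values are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
STORE_NS = "http://example.com/store"  # assumed service namespace; not from the sample

# Static responses keyed by operation name, one per request rule in the sample.
STATIC_RESPONSES = {
    "findInventory": '<findInventoryResponse xmlns="%s"><quantity>42</quantity>'
                     '</findInventoryResponse>' % STORE_NS,
    "purchase": '<purchaseResponse xmlns="%s"><orderId>1001</orderId>'
                '</purchaseResponse>' % STORE_NS,
    "return": '<returnResponse xmlns="%s"><status>accepted</status>'
              '</returnResponse>' % STORE_NS,
}


def _envelope(body_xml):
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>%s</soapenv:Body>'
            '</soapenv:Envelope>') % (SOAP_ENV, body_xml)


def _fault(code, text):
    return _envelope('<soapenv:Fault><faultcode>soapenv:%s</faultcode>'
                     '<faultstring>%s</faultstring></soapenv:Fault>' % (code, text))


def match_operation(request_xml):
    """Mimic the matching action: the operation is the local name of the first Body child.

    Returns None for anything that is not a well-formed SOAP 1.1 request so the
    caller faults instead of guessing.
    """
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        return None
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def handle(request_xml):
    """Request rule: match the operation, answer with its static response or a Fault."""
    op = match_operation(request_xml)
    if op is None:
        return _fault("Client", "Malformed SOAP request")
    if op not in STATIC_RESPONSES:
        return _fault("Client", "Unsupported operation: " + op)
    return _envelope(STATIC_RESPONSES[op])


# Constructed request, as a client of the mock would send it.
SAMPLE_REQUEST = _envelope('<findInventory xmlns="%s"><sku>ABC-1</sku></findInventory>'
                           % STORE_NS)

if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST))
    print(handle(_envelope('<deleteStore xmlns="%s"/>' % STORE_NS)))
```

Because the operation is matched on the Body child rather than on the SOAPAction header, a client cannot pick a response rule by sending a header that disagrees with the body; that is also the check a real matching action should be configured to make.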
StoreMockServiceAlternate XML firewall
The StoreMockServiceAlternate is an example service that uses an XML Firewall
as its implementation. The findInventory, purchase, and return operations
are all supported. This service is the alternate destination used to demonstrate
that the routing policy is being enforced.
StoreXACMLFW XML firewall
This scenario performs redaction based on the result of an XACML-based
permit/deny decision. In DataPower®, there is no way to call an individual
AAA action in the response flow, so a separate gateway is created to hold
the XACML Policy Decision Point (PDP). The PDP is encapsulated in an AAA
action on the request rule of the StoreXACMLFW.
StoreXACMLFW is an XML firewall gateway in DataPower. This implementation
is used because it is a simple way to provide the functionality.
The StoreXACMLFW firewall uses the same WSDL interface as the Tivoli® Runtime Security Services
server. The StoreWSP gateway creates the request object and sends
it, protected with SSL, to the StoreXACMLFW gateway.
The request rule of the StoreXACMLFW firewall does the following:
- Performs AAA, using the SSL session information for authentication.
- Performs authorization using an on-box XACML PDP. The policy used
by the PDP was originally authored in IBM® Tivoli Security Policy Manager,
but it can be recreated in any standard editor; its schema is defined
in the XACML specification.
- No transformation of the request is necessary for this authorization
processing.
- If authorization succeeds (the PDP returns Permit), the request processing rule
fetches a static Permit response and returns it to the client. Otherwise,
an error is raised; the error processing rule handles it and returns
a Deny response to the client.
Note: This Permit/Deny/Indeterminate result is an example-level response
only. Additional error information could be included in a customer-specific
flow.
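The exchange between the StoreWSP gateway and the StoreXACMLFW gateway, as an added example that is not code from the sample pattern or from DataPower: the caller side builds an XACML 2.0 Request (Subject, Resource, Action), a small deny-overrides PDP evaluates it, and the last function maps the decision onto the gateway behaviour described above, where only Permit reaches the static Permit response and every other outcome takes the error path and becomes Deny. The policy rules, the `urn:example:role` attribute, and the attribute values are assumptions constructed for the example; the real policy authored in Tivoli Security Policy Manager is not on this page.

```python
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID = "urn:example:role"  # assumed attribute id; not from the sample policy
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: (effect, required attribute values) rules combined with
# deny-overrides. Stands in for the TSPM-authored XACML policy, which this page does not show.
POLICY = [
    ("Permit", {RESOURCE_ID: {"inventory"}, ACTION_ID: {"findInventory"}}),
    ("Permit", {RESOURCE_ID: {"order"}, ACTION_ID: {"purchase", "return"},
                ROLE_ID: {"customer"}}),
    ("Deny", {ROLE_ID: {"suspended"}}),
]


def build_request(subject, role, resource, action):
    """Caller side: construct the XACML 2.0 Request the StoreWSP gateway would send."""
    ns = "{%s}" % XACML_CTX
    ET.register_namespace("xacml-context", XACML_CTX)
    req = ET.Element(ns + "Request")
    for section, attrs in (("Subject", [(SUBJECT_ID, subject), (ROLE_ID, role)]),
                           ("Resource", [(RESOURCE_ID, resource)]),
                           ("Action", [(ACTION_ID, action)])):
        el = ET.SubElement(req, ns + section)
        for attr_id, value in attrs:
            a = ET.SubElement(el, ns + "Attribute", AttributeId=attr_id, DataType=STRING)
            ET.SubElement(a, ns + "AttributeValue").text = value
    ET.SubElement(req, ns + "Environment")
    return ET.tostring(req, encoding="unicode")


def extract_attributes(request_xml):
    """Flatten a Request into {AttributeId: set(values)}; None if it is not a Request."""
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Request" % XACML_CTX:
        return None
    attrs = {}
    for a in root.iter("{%s}Attribute" % XACML_CTX):
        values = {v.text or "" for v in a.findall("{%s}AttributeValue" % XACML_CTX)}
        attrs.setdefault(a.get("AttributeId"), set()).update(values)
    return attrs


def evaluate(request_xml, policy=POLICY):
    """PDP side, deny-overrides: Deny if any Deny rule matches, else Permit if any
    Permit rule matches, else NotApplicable; Indeterminate if the request is unreadable."""
    attrs = extract_attributes(request_xml)
    if attrs is None:
        return "Indeterminate"
    matched = set()
    for effect, target in policy:
        if all(attrs.get(k, set()) & allowed for k, allowed in target.items()):
            matched.add(effect)
    if "Deny" in matched:
        return "Deny"
    if "Permit" in matched:
        return "Permit"
    return "NotApplicable"


def gateway_response(decision):
    """Mirror the StoreXACMLFW rules: only Permit reaches the static Permit response;
    every other decision raises the error the error rule turns into Deny."""
    return "Permit" if decision == "Permit" else "Deny"


if __name__ == "__main__":
    for args in (("alice", "customer", "inventory", "findInventory"),
                 ("alice", "guest", "order", "purchase"),
                 ("mallory", "suspended", "inventory", "findInventory")):
        decision = evaluate(build_request(*args))
        print(args, decision, "->", gateway_response(decision))
```

The mapping in `gateway_response` is what the note above is warning about: NotApplicable and Indeterminate both reach the client as Deny, which is safe by default but hides whether the request was refused or simply unreadable. A customer-specific flow that needs to tell those apart would carry the raw decision, and any error detail, in the error rule's response instead of collapsing them.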