SSM Installation and Configuration Guide

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Configuring a Remote SSM and Proxy

This chapter describes the necessary steps for securing an application using a remote SSM.

 

Overview

When OES security calls using the Java API have been implemented in a custom application, SSM proxy services can be set up on the application host and used to communicate with a remote SSM on another machine. The SSM proxy provides local security services, including caching, logging, and failover support.

RMI or SOAP can be used as the transport mechanism for communication between the SSM proxy and the remote SSM. (In XACML terminology, the SSM proxy and remote SSM are be analogous to PDP Proxy and PDP respectively.)

 

Creating the Remote SSM

To set up a remote SSM:

  1. On the remote machine, install and enroll the Web Services SSM as described in Installing SSMs.
    2. Note: For this release, there is no separate install for the RMI SSM. It is available only by installing and instantiating a Web Services SSM.
  2. Create a Web Service SSM or RMI SSM instance.

    3. To create a Web Service instance, see Configuring SSMs Using ConfigTool.

    To create an RMI instance:

    1. Run BEA_HOME\ales32-ssm\webservice-ssm\adm\create_rmi_ssm.bat | .sh. This creates the BEA_HOME\ales32-ssm\rmi-ssm directory.
    2. In BEA_HOME\ales32-ssm\rmi-ssm\adm launch instancewizard.cmd and complete the wizard prompts.

 

Configuring the SSM Proxy

To set up the SSM proxy on the client application:

  1. On the remote SSM, copy the directory indicated below and its files to a directory on the application client.

    2. Web Service SSM— BEA_HOME\ales32-ssm\webservice-ssm\<instance>\pdpproxy
    RMI SSM— BEA_HOME\ales32-ssm\webservice-ssm\<instance>\rmi-ssm\pdpproxy

  2. Also on the remote SSM, copy the trust keystore located in BEA_HOME\ales32-shared\keys to the same directory on the application client containing the Jar files.
    3. Note: The demonstration trust keystore provided during installation is named DemoTrust.jks. This can be used in development and testing environments.
  3. Make sure the directory on the application client containing the Jars and keystore file are included in the SSM client Classpath.

    4. To specify the SSM proxy location, use a system property in the command line, such as: -Dpdp.configuiration.properties.location=D:\pdpproxy\PDPClientConfiguration.properties.

  4. Open PDPProxyConfiguration.properties in a text editor and set the values as described in Table 7-1.

    5. Table 7-1 PDPProxyConfiguration.properties Settings
    Setting
    Description
    ProxyID
    An arbitrary SSM proxy ID. This name must be unique in the OES deployment.
    Examples:
    ProxyId=SSM-RMI-Client1
    ProxyId=SSM-WS-Client1
    SSMConfigID
    The configuration ID of the remote SSM. This configuration can be managed using the Administration Console.
    Example:
    SSMConfigID=asiadmin
    PDPTransport
    This setting determines whether RMI or SOAP is used as transport protocol for communicating with the remote SSM.
    Possible values: RMI, WS, or JAVA
    Example:
    PDPTransport=RMI
    PDPAddress
    A comma-separated list of the url of the primary remote SSM and port number and one or more failover SSMs.
    For RMI, the URL must begin with rmi://; for SOAP, it must begin with http://. To use SSL, these must be rmis:// or https://.
    Example:
    PDPAddress=rmi://acme01:9300,rmi://acme02:9300
    PDPAddress=https://acme01:9300,https://acme02:9300
    RequestTimeoutMilliSecs
    Number of milliseconds to timeout a request is the remote SSM is not responding.
    Example:
    RequestTimeoutMilliSecs=10000
    FailureRertyCount
    Number of attempts to make before failing over to failover SSM.
    Example:
    FailureRertyCount=3
    FailbackTimeoutMilliSecs
    Number of milliseconds after failover to wait before attempting reaccess to the primary remote SSM.
    Example:
    FailbackTimeoutMilliSecs=180000
    TrustStore
    The fully-qualified path to the trust keystore copied in step 2 above. This provides one-way SSL connections with the remote SSM. Use forward slashes.
    NOTE: The PDPAddress parameter must begin with rmis:// or https://.
    Example:
    c:/bea3_2/ales32-shared/keys/<filename>.jks
    SynchronizationIntervalMilliSecs
    The interval (in milliseconds) used by the proxy to poll the remote SSM to determine if the authorization cache should be synchronized.
    Example:
    SynchronizationIntervalMilliSecs=60000

  5. The proxy files copied to the application client contains the Apache Log4j package. For logging SSM proxy activities, configure the log4j.properties with appenders to enable proxy debugging.

 

Configuring Caching, Logging, and Failover

How caching, logging, and failover are configured depends on the whether it is the remote SSM or the SSM proxy.

Caching

Caching configuration on the remote SSM is determined by settings established on the authorization provider being used by the SSM. This is managed using the Administration Console.

The SSM proxy uses the same caching configuration established on the remote SSM. In addition, the SynchronizationIntervalMilliSecs setting in PDPProxyConfiguration.properties determines how often to poll the remote SSM to see if re-synchronization is necessary.

The cache on the SSM proxy cannot be flushed from the Administration Console. However, the SSM proxy cache is automatically flushed when whenever there is a new policy distribution on the SSM (subject to the SynchronizationIntervalMilliSecs parameter). In addition, if this is not sufficient, the ability to flush the cache may be added to the application client using the following methods of the AuthorizationService class:

These methods can be invoked from either the SSM or the SSM proxy. They will simultaneously flush both the client and server cache.

Logging

Logging configuration on the remote SSM is determined by settings established on the auditing provider being used by the SSM. This is managed using the Administration Console.

On the SSM proxy, logging can be implemented using the Apache Log4j package (log4j.jar) that is included in the pdpproxy directory that was copied from the SSM instance.

Failover

Failover support for an SSM proxy can be implemented by deploying one or more failover SSMs and then pointing to those SSMs using the PDPAddress setting in PDPProxyConfiguration.properties. The first specified SSM will be the primary SSM; the second will be the failover SSM.

 

Adding New Assertion Types (Web Services SSM)

To add support for new identity assertion types to the Web Services SSM:

  1. Create a new Java class as a holder for the identity assertion. Note that the new holder class must belong to the com.bea.security.ssmws.credentials namespace. In this procedure, we use a class named com.bea.security.ssmws.credentials.TestCredHolderImpl and a custom identity assertion type named TestIA. See Figure 7-1 for an example.
  2. Add the JAR file containing the holder class to the Web Service SSM's classpath. To do this, modify the WLESws.wrapper.conf configuration file located in BEA_HOME/ales32-ssm/webservice-ssm/instance-name/config. For example, if the holder class is contained in a file named ssmwsCustomAssertion.jar, add a line like this to WLESws.wrapper.conf:

    3. wrapper.java.classpath.40=C:/bea/ales32-ssm/webservice-ssm/lib/ssmwsCustomAssertion.jar

    Note: The wrapper.java.classpath lines must increment sequentially.
  3. Modify the mapping file for incoming messages. Mapping for incoming messages is controlled by the castor.xml file in the BEA_HOME/ales32-ssm/webservice-ssm/lib/com/bea/security/ssmws/soap directory. Add an entry like the following inside the <mapping> XML element: 
    4.         <class name="com.bea.security.ssmws.credentials.TestCredHolderImpl">
                <map-to cst:xml="TestIA" /> 
                <field name="cookie" type="java.lang.String" >
                    <bind-xml node="text"/>
                </field>
            </class>
  4. Modify the mapping file for outgoing messages. Mapping for incoming messages is controlled by the castor.xml file in the BEA_HOME/ales32-ssm/webservice-ssm/lib/com/bea/security/ssmws/credentials directory. Add an entry like the following inside the <mapping> XML element 
    5.         <class name="com.bea.security.ssmws.credentials.TestCredHolderImpl">
            <map-to cst:xml="TestIA"         cst:ns-uri="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd" /> 
            <field name="cookie" type="java.lang.String" >
                <bind-xml node="text"/>
            </field>
            </class>
  5. To log SOAP messages received and sent by the Web Services SSM, make the following changes to the SSM instance’s config/log4j.properties file:
    1. Change log4j.appender.A1.Threshold=ERROR to log4j.appender.A1.Threshold=DEBUG
    2. Add the following entry: log4j.logger.com.bea.security.ssmws.server=DEBUG

When the Web Services SSM is started, it will use the new holder implementation and the mapping entries to convert back and forth between the token's XML and Java representations.

Figure 7-1 Sample Identity Assertion Holder Class 
        public class TestCredHolderImpl implements CredentialHolder
        {
        private String m_cookie;
        public static final String m_Type = "TestIA";
        
        public void setCookie(String cookie)
        {
            m_cookie = cookie;
        }
        public String getCookie()
        {
            return m_cookie;
        }
        public Object getObject()
        {
            return getCookie();
        }
        public void setObject(Object cred)
        {
            setCookie((String)cred);
        }
        public String getType()
        {
            return TestCredentialHolderImpl.m_Type;
        }
        public String getAsString()
        {
            return m_cookie;
        }
        }

  Back to Top       Previous  Next