To prepare an AquaLogic Service Bus installation for production, you must pay special attention to your security needs. The following list outlines some of the tasks you need to perform:
sbconfig directory under the domain root. For example: C:\bea\user_projects\domains\base_domain\alsb\config
AquaLogic Service Bus provides a resource servlet (BEA_HOME/servicebus/lib/sbresourceWar/sbresource.war) that is used to expose the resources registered in AquaLogic Service Bus. The resources registered with AquaLogic Service Bus include:
However, this servlet provides anonymous HTTP access to metadata, and as such it may be considered a security risk in some high-security environments.
If you do not want the AquaLogic Service Bus resources to be available anonymously via HTTP, you can set security roles on sbresources.war to control access to it, or completely undeploy the resource.
Note: If you undeploy the SB resource you will no longer be able to use the UDDI subsystem.
As described in The Message Context Model, for processing message content, you can specify that the ALSB pipeline streams the content rather than loading it into memory. When you enable content streaming for a proxy service, you specify whether to buffer the streamed content to memory or a disk file as an intermediate step during the processing of the message.
If you use these temporary disk files, you should protect them.
To lock down your ALSB domain, set the com.bea.wli.sb.context.tmpdir Java system property to specify where these temporary files will be written.
Make sure this directory exists and has the right set of access permissions.
For more information, see the file access permission and file system recommendations in Securing a Production Environment in the WebLogic Server documentation.
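One way to carry out the temporary-file lock-down above on a UNIX-like host, as an added example that is not part of the original documentation: it creates the directory, audits it, and prints the JVM argument only if the audit passes. The function names, the directory path you pass in, and the choice of mode 0700 as the "right" permissions are assumptions; only the property name comes from this page.

```shell
#!/bin/sh
# Added example: prepare and audit the directory that will receive ALSB
# streaming buffer files. PROP is the property named on this page; the
# function names and the 0700 policy are assumptions of this example.
PROP=com.bea.wli.sb.context.tmpdir

# check_tmpdir DIR: succeed only if DIR is a real directory (not a symlink),
# owned by the current user, with mode drwx------ (no group/other access).
check_tmpdir() {
    dir=$1
    if [ -z "$dir" ]; then echo "FAIL: no directory given" >&2; return 1; fi
    if [ -L "$dir" ]; then echo "FAIL: $dir is a symlink" >&2; return 1; fi
    if [ ! -d "$dir" ]; then echo "FAIL: $dir is not a directory" >&2; return 1; fi
    # ls -ldn prints: mode links uid gid ...; numeric ids avoid name lookups.
    set -- $(ls -ldn "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop trailing ACL/SELinux marker
    if [ "$3" != "$(id -u)" ]; then
        echo "FAIL: $dir is owned by uid $3, expected $(id -u)" >&2; return 1
    fi
    if [ "$mode" != "drwx------" ]; then
        echo "FAIL: $dir has mode $mode, expected drwx------" >&2; return 1
    fi
    return 0
}

# prepare_tmpdir DIR: create DIR if needed, restrict it to the owner, audit it.
# Refuses a symlink so chmod is never applied to some other target.
prepare_tmpdir() {
    if [ -L "$1" ]; then echo "FAIL: $1 is a symlink" >&2; return 1; fi
    mkdir -p "$1" && chmod 700 "$1" && check_tmpdir "$1"
}

# tmpdir_java_option DIR: print the -D argument, but only for a directory
# that passes the audit, so a weak directory never reaches the start script.
tmpdir_java_option() {
    check_tmpdir "$1" && printf '%s\n' "-D$PROP=$1"
}

# Usage: sh alsb_tmpdir.sh /path/to/dir   (path is your choice)
if [ "$#" -gt 0 ]; then
    prepare_tmpdir "$1" && tmpdir_java_option "$1"
fi
```

Run it as the operating system account that runs the ALSB server, then add the printed argument to the JVM options used to start the server.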