ALES Integration Guide


Securing AquaLogic Service Bus Runtime Resources

This section covers the following topics:

Overview

AquaLogic Service Bus 2.5 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It supports a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management. AquaLogic Enterprise Security can be used to manage access control to ALSB's runtime resources, using the WLS SSM.

ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(). It does not secure the resources used during ALSB configuration, such as the ALSB console.

Prerequisites

This document assumes the following:

Integration Tasks

The integration tasks are:

  1. Define the security providers as described in Define the Security Providers.
  2. Define ALSB resources as described in Define ALSB Resources in ALES.
  3. Define the identities as described in Define Identities.
  4. Define the policies as described in Define Policies for ALSB.
  5. Distribute the policies as described in Distribute Changes.

Define the Security Providers

Note: Providers for WebLogic 9.x/10.0 are defined using the WebLogic console. For details, see Define Security Providers for WebLogic 9.x/10.0.

To secure Service Bus resources, create a security realm and define the following provider types:

When creating the realm, use the following settings:

Define ALSB Resources in ALES

Developing a set of policies typically begins by determining which resources you need to protect and what your access control requirements are. You then create the identity directory, resources, groups, users, and roles that you will use to write policies protecting those resources. Next you write a set of authorization and role mapping policies to define access control on those resources. Finally, you deploy the set of policies to the WebLogic Server Security Service Module that you use to control access to your data services.

Regular Resource

To create a regular resource named abc:

  1. In the ALES Administration Console, open the resource tree.
  2. Right-click the parent of abc and select Add Resource.
  3. In the Name field, enter abc and click OK.

Virtual Resource

To create a virtual resource named xyz:

  1. Create a resource as described in Regular Resource.
  2. Right-click the xyz resource and select Configure Resource.
  3. Check the Allow Virtual Resources box and click OK.

ALSB Proxy Service Resources

Create resources in ALES corresponding to the ALSB Proxy Services. An ALSB Proxy Service has up to four key/value properties:

ALES resource definitions for ALSB use this format:

//app/policy/<binding app>/<Proxy Service App name>/ProxyService/<Project Name>/[Folder name]/<Proxy Service Name>

Table 8-1 describes how ALSB Proxy Service reference elements map to ALES resource and privilege elements

Table 8-1 ALSB Proxy Service Elements Represented in ALES Resources and Privileges

  Resource/Privilege Element    Description
  binding app                   The ALES binding node name.
  Proxy Service app name        The default application name, shared.
  ProxyService                  The ALES resource type.
  Folder name                   The ALSB Proxy Service folder name.
  //priv/<operation>            The operation field of the ALSB Proxy Service, representing one of the Web Services operations provided.

Here is an example of how to convert an ALSB transport level access control to an ALES policy. In ALSB:

type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=invoke

is converted in ALES to:

//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy

with a default privilege of //priv/access, since with action=invoke, there is no operation defined.

Here is an example of how to convert ALSB access control during inbound web-service-security request processing:

type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=wss-invoke, operation=ProcessPO

is converted in ALES to:

//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy

with a privilege of //priv/ProcessPO.
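The conversion described above, as an added Python example that is not part of this guide. It assumes the binding application node is myrealm (the binding node used in the resource tree in this document) and that references are given as the key=value text shown above:

```python
# Constructed example: builds ALES resource names and privileges from ALSB
# proxy-service access-control references. The binding application node
# "myrealm" is an assumption taken from the guide's resource tree.
BINDING_APP = "myrealm"
APP_NAME = "shared"            # default Proxy Service application name
RESOURCE_TYPE = "ProxyService"  # ALES resource type for proxy services


def parse_alsb_reference(ref):
    """Parse 'key=value, key=value' text into a dict."""
    fields = {}
    for item in ref.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed field: %r" % item)
        fields[key.strip()] = value.strip()
    return fields


def to_ales(ref, binding_app=BINDING_APP):
    """Return (resource, privilege) for an ALSB proxy-service reference."""
    f = parse_alsb_reference(ref)
    for required in ("type", "path", "proxy", "action"):
        if required not in f:
            raise ValueError("missing field: " + required)
    if f["type"] != "<alsb-proxy-service>":
        raise ValueError("unsupported type: " + f["type"])

    # path is <project>[/folder...]; drop empty segments from stray slashes
    segments = [s for s in f["path"].split("/") if s]
    if not segments:
        raise ValueError("path must start with the project name")
    resource = "//app/policy/%s/%s/%s/%s/%s" % (
        binding_app, APP_NAME, RESOURCE_TYPE, "/".join(segments), f["proxy"])

    # action=invoke carries no operation, so the default privilege is access;
    # wss-invoke names the web-service operation, which becomes the privilege
    operation = f.get("operation")
    if operation:
        privilege = "//priv/" + operation
    elif f["action"] == "invoke":
        privilege = "//priv/access"
    else:
        raise ValueError("action %s requires an operation" % f["action"])
    return resource, privilege
```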

Resource Binding Application and Distribution Point

To make a resource binding application and distribution point named def:

  1. Right-click the parent of def and select Add Resource.
  2. In the Name field, enter def.
  3. From the Type dropdown field, select Binding and check the Distribution Point box.
  4. After the resource is created, right-click the resource and select Configure Resource.
  5. Select Binding application from the pull-down menu and click OK.

Resource Tree

Select Resources on the left pane and create a resource tree as shown in Listing 8-1:

  1. Make myrealm a resource binding application and distribution point.
  2. Make the consoleapp and ProxyServices resources virtual.

Listing 8-1 Resource Tree

    myrealm
    |---- consoleapp
    |---- shared
          |---- adm
          |---- eis
          |---- ejb
          |---- jdbc
          |---- jms
          |---- jndi
          |---- ProxyService
                |---- MortgageBroker
                      |---- ProxyServices
                            |---- loanGateway1
                            |---- loanGateway2
                            |---- loanGateway3
          |---- svr
          |---- url
          |---- webservices
          |---- workcontext

Discovering Services

When developing policies for use with a Security Service Module, you can use the Discovery mode feature to help define your policy components. Instructions for using Discovery mode are provided in the Resource Discovery section in the Policy Managers Guide.

Define Identities

Follow these steps to create a user named weblogic.

  1. In the ALES Administration Console, select Identity > Users and click New.
  2. In the Create User window, enter the name weblogic and click OK.
  3. Select the weblogic user and click Set Password. If this is a development environment, you can use the default password weblogic.

Define Policies for ALSB

The ALES Administration Server installation includes a set of sample policies for BEA AquaLogic Service Bus, located at BEA_HOME/ales30-admin/examples/policy/alsb_sample_policy. You may import and use them as a starting point for developing a full set of policies to secure ALSB resources. For information about how to import the sample policies, see the README file in the sample directory and also Importing Policy Data in the Policy Managers Guide.

This section includes examples of policy creation:

Authorization Policies

The following policy grants any user with the role Admin all privileges over the adm and svr resources:

grant(any, //app/policy/myrealm/shared/adm, //role/Admin) if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;

To add this policy:

  1. Select Policy > Authorization Policies and click New.
  2. Check the grant option at the top of the window. Then select any from the list and click Add.
  3. Click the Resources tab and expand myrealm > shared.
  4. Select adm and click Add, then select svr and click Add.
  5. Click the Policy Subjects tab, click Admin and then click Add.
  6. Make sure that the data is correct and click OK.
  7. Repeat steps 2-6 to create a policy that grants all users all privileges over the eis, ejb, jdbc, jms, jndi, url, webservices and workcontext resources:

     grant(any, //app/policy/myrealm/shared/eis, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/ejb, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/url, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/webservices, //role/Everyone) if true;
     grant(any, //app/policy/myrealm/shared/workcontext, //role/Everyone) if true;

  8. Repeat steps 2-6 to create a policy that grants all users access to the ProxyServices resource:

     grant(access, //app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyServices, //role/Everyone) if true;

Role Mapping Policies

The following policy grants the user weblogic the role Admin over the resource myrealm:

grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;

To add this policy:

  1. Select Policy > Authorization Policies and click New.
  2. In the Available Roles list, select Admin and click Add.
  3. On the Resources tab, select myrealm in the Available Resource list and click Add.
  4. On the Policy Subjects tab, select Users from the Select Policy Subjects dropdown menu. Then select weblogic and click Add.
  5. Make sure that the data is correct and click OK.
  6. Repeat steps 1-5 to create a policy that grants the user anonymous the role Anonymous over the resource myrealm:

     grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;

  7. Repeat steps 1-5 to create a policy that grants the group of all users the role Everyone over the resource myrealm:

     grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;

Distribute Changes

After you have made changes to the configuration and policies in the ALES console, follow these steps to distribute the changes.

  1. In the Administration Console's left pane, click Deployment.
  2. Click Configuration in the right pane. Then select Security Configurations and click Distribute Configuration Changes. A message should indicate 100% distribution.
  3. Select Deployment in the left pane.
  4. Select Policy and click Distribute Policy. A message should indicate 100% distribution.

After the policies are distributed, start both the myrealm ARME instance used to protect the ALSB domain and the domain itself.

Verify SSM Configuration Using PerfDBAuditor

It is possible to use the ALES performance auditing provider to verify that the SSM has been properly configured to protect ALSB. This provider collects statistics about requests routed through ALES.

To use the PerfDBAuditor to verify the SSM configuration, follow these steps:

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Auditing and click New.
  2. In the Name field, enter PerfDBAuditor. Then select PerfDBAuditor from the Type field and click OK.
  3. On the Configuration: Provider-Specific page for the PerfDBAuditor security provider, enter the JDBC connection information. For Oracle databases, the JDBCDriver Class Name is oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:listener-name, where oracle-host is the name or IP address of the system running the Oracle database and listener-name is the name of the database listener.
  4. Optionally, set the Performance Statistics Interval attribute to 1 to collect data at 1 minute intervals (instead of the default 5 minutes).
  5. Click Save and then activate the changes.
  6. Stop and restart the domain.
  7. Generate some data:
     1. Open http://localhost:7021/examplesWebApp/index.jsp and reload the application.
     2. Under Run the AquaLogic Service Bus Examples, click Run the Example.
     3. Click Submit Loan Application.
  8. After a few minutes, check the PERF_ATZ_STAT database table. You should see a non-zero value under TOTALREQ. This indicates that the SSM is configured correctly to secure the application.
