This section covers the following topics:
AquaLogic Service Bus 2.5 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It enables a loosely coupled architecture, promotes enterprise-wide reuse of services, and centralizes management. AquaLogic Enterprise Security (ALES) can be used to manage access control to ALSB's runtime resources, using the ALES WebLogic Server 9.x Security Service Module (SSM).
ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(); it does not secure the resources used during ALSB configuration, such as the ALSB console. Access to the console and other configuration-time resources must therefore be controlled separately.
This section describes how to integrate AquaLogic Enterprise Security with the AquaLogic Service Bus. Once integrated, you can use the AquaLogic Enterprise Security Administration Console to write and deploy a set of authorization and role mapping policies to protect ALSB runtime resources.
To integrate AquaLogic Enterprise Security with AquaLogic Service Bus, perform the following tasks:
Before you begin, you must ensure that the following pre-requisites are satisfied:
- WebLogic Server 9.2 is installed with BEA_HOME set to c:\bea920, the default BEA_HOME directory for WebLogic Server 9.2 on Windows.
- The ALES 2.2 Administration Server is installed in c:\bea920\ales-22-admin, the default for ALES 2.2 and WebLogic Server 9.2 on Windows.
- The ALES 2.2 Security Service Module is installed in c:\bea920\ales-22-ssm.
- The ALES Administration Console is accessed at https://localhost:7010/asi and the ALSB Console at https://localhost:7022/sbconsole. Replace these URLs with the actual hostnames and port numbers on which you access these consoles.
Securing ALSB with ALES employs the WebLogic Server 9.x SSM. Integration of ALES with ALSB is not supported for versions of WebLogic Server prior to WebLogic Server 9.1. Install the WebLogic Server 9.x SSM on the machines on which you have installed ALSB, as described in Installing Security Service Modules. Configure the WebLogic Server 9.x SSM, as described in the following sections:
Before starting a WebLogic Server Security Service Module, you must first create an instance of the WebLogic Server Security Service Module using the Create New Instance Wizard:
For more information about creating an instance of a WebLogic Server Security Service Module, see Creating an Instance of a Security Service Module in Installing Security Service Modules.
After you create the WebLogic Server Security Service Module instance, enroll it with the SCM. You must have the ALES Administration Server running prior to enrolling the Security Service Module. To enroll the WebLogic Server Security Service Module run enroll.bat or enroll.sh. The enroll scripts are found in ALES-SSM/wls9-ssm/adm/instance.
For more information about enrolling a security service module, see Enrolling the Instance of the Security Service Module in Installing Security Service Modules.
ALES includes an extension to the WebLogic Server 9.x Administration Console. Install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.
To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales22-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/servicebus/console-ext directory.
Copy and modify the startWebLogic.cmd files present in BEA_HOME/weblogic92/samples/domains/servicebus and BEA_HOME/weblogic92/samples/domains/servicebus/bin, as described in Modifying the startWebLogic File. The files set-wls-env.bat and set-wls-env.sh are located in the directory ALES-SSM/wls9-ssm/instance/myrealm/bin.
An SSM configuration defines the set of security providers to use for adjudication, authentication, auditing, authorization, role mapping, and credential mapping services. This section describes how to use the WebLogic Server Administration Console to configure a set of security providers for AquaLogic Service Bus. After you have completed the steps described in Integration Pre-Requisites and the preceding sections, log in to the WebLogic Server Administration Console for the ALSB domain (default URL http://localhost:7021/console) and configure the providers listed below. For more information about creating an SSM configuration, see Configuring and Binding a Security Service Module in Installing Security Service Modules and the Console Help. See also Configuring the WebLogic Server 9.x SSM.
- Create an authentication provider of type DatabaseAuthenticator. For an Oracle database, the JDBC driver class is oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:listener-name, where oracle-host is the name or IP address of the system running the Oracle database and listener-name is the Oracle SID served by the database listener.
- Create an authorization provider of type ASIAuthorizationProvider, set its application deployment parent to //app/policy/myrealm and click Save.
- Create an adjudication provider of type ASIAdjudicator.
- Create a role mapping provider of type ASIRoleMapperProvider, set its application deployment parent to //app/policy/myrealm and click Save.
To activate the changes to the security realm:
After you configure your security providers in the WebLogic Server Administration Console, you need to take some additional steps to configure them using the AquaLogic Enterprise Security Administration Console. The console's default URL is https://localhost:7010/asi and its default user name and password are system and weblogic. Change these default credentials before the installation is exposed beyond a test machine; this console controls every policy the SSM enforces. Use the ALES console to:
In the ALES Administration Console, create a new configuration named myrealm, including the ASI Authorization provider and the ASI Role Mapper:
- Enter the configuration name myrealm and click Create.
- For the ASI Authorization provider, set the application deployment parent to //app/policy/myrealm and click Apply.
- For the ASI Role Mapper, set the application deployment parent to //app/policy/myrealm and click Apply.
In the ALES Administration Console, bind the new security configuration to the Service Control Manager:
Developing a set of policies typically begins by determining which resources you need to protect and your access control requirements. You then create the identity directory, resources, groups, users, and roles that you will use to write policies to protect those resources. Next you write a set of authorization and role mapping policies to define access control on those resources. Finally, you deploy the set of policies to the WebLogic Server Security Service Module that controls access to the ALSB runtime resources.
This section covers the following topics:
This section describes how to use the ALES Administration Console to define the application resources that you will protect using ALES.
Create a regular resource named abc.
To create a virtual resource named xyz, select xyz and select Configure Resource.
To make a resource binding application and distribution point named def, select def and select Add Resource.
Select Resources on the left pane and create a resource tree as shown in Listing 11-1:
Note: Pay extra attention to entering the resource names correctly; any mistake will result in an incorrect configuration.
myrealm
|---- consoleapp
|---- shared
|     |---- adm
|     |---- eis
|     |---- ejb
|     |---- jdbc
|     |---- jms
|     |---- jndi
|     |---- ProxyService
|     |     |---- MortgageBroker
|     |     |     |---- ProxyServices
|     |     |     |     |---- loanGateway1
|     |     |     |     |---- loanGateway2
|     |     |     |     |---- loanGateway3
|     |---- svr
|     |---- url
|     |---- webservices
|     |---- workcontext
|---- normalLoanJWSBasicEjb
When developing policies for use with a Security Service Module, you can use the Discovery mode feature to help define your policy components. Instructions for using Discovery mode are provided in the Resource Discovery section in the Policy Managers Guide.
The ALES Administration Server installation includes a set of sample policies for BEA AquaLogic Service Bus, located at BEA_HOME/ales22-admin/examples/policy/alsb_sample_policy. You can import these sample policies and use them as a starting point for developing a full set of policies for your applications. For information about how to import the sample policies, see the README file in the sample directory and see also Importing Policy Data in the Policy Managers Guide.
This section includes examples of policy creation:
The following policy grants any user with the role Admin all privileges over the resources //app/policy/myrealm/shared/adm and //app/policy/myrealm/shared/svr:
grant(any, //app/policy/myrealm/shared/adm, //role/Admin)if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;
When creating this policy in the console, select adm in the resource list and click Add, then select svr and click Add.
The following policy grants all users all privileges over the eis, ejb, jdbc, jms, jndi, url, webservices and workcontext resources:
grant(any, //app/policy/myrealm/shared/eis, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/ejb, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/url, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/webservices, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/workcontext, //role/Everyone) if true;
grant(any, //app/policy/myrealm/normalLoanJWSBasicEjb, //role/Everyone)if true;
These grants give every user, including anonymous callers mapped to the Everyone role, every privilege on those resource types. They are suitable for confirming that the integration works against the sample application; before protecting a production bus, replace them with grants of the specific privileges each role needs on each resource.
The following policy grants all users the access privilege to the MortgageBroker/ProxyServices resource:
grant(access,//app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyServices,//role/Everyone)if true;
The following policy grants the user weblogic the role Admin over the resource myrealm:
grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;
The following policy grants the user anonymous the role Anonymous over the resource myrealm:
grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;
The following policy grants the group of all users the role Everyone over the resource myrealm:
grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;
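The Note on Listing 11-1 warns that a mistyped resource name silently produces an incorrect configuration, and several of the sample grants above hand the privilege any to Everyone. The following Python script is an added example, not code from the ALES documentation or product: it parses a copy of Listing 11-1 and the grant statements shown on this page (both embedded as constructed input, with one deliberate typo added), flags grants that name a resource absent from the tree, and lists the blanket grants to Everyone that should be narrowed before production. The pipe-indented tree format and the grant(...) pattern it parses are assumptions made for this illustration, not an ALES import format.

```python
"""Added example (not ALES code): offline consistency check for the
policy fragments on this page. Parses a Listing 11-1 style tree and a
list of grant(...) statements, reports grants on resources missing
from the tree, and lists grants of 'any' to //role/Everyone.
The line format is an assumption for this illustration only."""
import re
from typing import Dict, List, NamedTuple, Set

POLICY_ROOT = "//app/policy"  # prefix of every resource on this page

# Constructed input: Listing 11-1, one pipe per nesting level.
RESOURCE_TREE = """\
myrealm
|---- consoleapp
|---- shared
|     |---- adm
|     |---- eis
|     |---- ejb
|     |---- jdbc
|     |---- jms
|     |---- jndi
|     |---- ProxyService
|     |     |---- MortgageBroker
|     |     |     |---- ProxyServices
|     |     |     |     |---- loanGateway1
|     |     |     |     |---- loanGateway2
|     |     |     |     |---- loanGateway3
|     |---- svr
|     |---- url
|     |---- webservices
|     |---- workcontext
|---- normalLoanJWSBasicEjb
"""

# Constructed input: the page's policies plus a deliberate typo on the
# last line (shared/ProxyServices instead of shared/ProxyService).
POLICIES = """\
grant(any, //app/policy/myrealm/shared/adm, //role/Admin)if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;
grant(any, //app/policy/myrealm/shared/eis, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/ejb, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/url, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/webservices, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/workcontext, //role/Everyone) if true;
grant(any, //app/policy/myrealm/normalLoanJWSBasicEjb, //role/Everyone)if true;
grant(access,//app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyServices,//role/Everyone)if true;
grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;
grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;
grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;
grant(access, //app/policy/myrealm/shared/ProxyServices/MortgageBroker/ProxyServices, //role/Everyone) if true;
"""


class Grant(NamedTuple):
    action: str    # a privilege (any, access) or, in role policies, a //role/ name
    resource: str
    subject: str
    condition: str


GRANT_RE = re.compile(r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+(.+?)\s*;")
TREE_LINE_RE = re.compile(r"^([|\s-]*)(\S+)")


def parse_resource_tree(text: str) -> Set[str]:
    """Turn the indented listing into full //app/policy/... resource names."""
    resources: Set[str] = set()
    stack: List[str] = []  # names from the root down to the current node
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = TREE_LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"cannot parse tree line: {raw!r}")
        prefix, name = m.group(1), m.group(2)
        depth = prefix.count("|")  # one pipe per nesting level
        if depth > len(stack):
            raise ValueError(f"indentation jumps more than one level: {raw!r}")
        del stack[depth:]
        stack.append(name)
        resources.add(POLICY_ROOT + "/" + "/".join(stack))
    return resources


def parse_grants(text: str) -> List[Grant]:
    return [Grant(*m.groups()) for m in GRANT_RE.finditer(text)]


def check_policies(resources: Set[str], grants: List[Grant]) -> Dict[str, list]:
    """Grants no resource can match, and blanket 'any' grants to Everyone."""
    unknown = [g.resource for g in grants if g.resource not in resources]
    broad = [g for g in grants if g.action == "any" and g.subject == "//role/Everyone"]
    return {"unknown_resources": unknown, "broad_grants": broad}


if __name__ == "__main__":
    report = check_policies(parse_resource_tree(RESOURCE_TREE), parse_grants(POLICIES))
    for res in report["unknown_resources"]:
        print("resource not in tree:", res)
    for g in report["broad_grants"]:
        print("grant of 'any' to Everyone on", g.resource)
```

Run it before importing a policy set: the deliberate typo on the last policy line is reported as a resource not in the tree, and the eight shared resource grants plus the normalLoanJWSBasicEjb grant appear as the nine blanket grants to review.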
After you have made changes to the configuration and policies in the ALES console, distribute the changes, starting with the security configuration. Once the distribution of the Security Configurations reaches 100% complete, distribute the policy changes. Once the distribution of the policy reaches 100% complete, restart the ALSB server by running BEA_HOME\weblogic92\samples\domains\servicebus\startWebLogicALES.cmd.
Now the AquaLogic Service Bus domain is protected by the AquaLogic Enterprise Security WebLogic 9.x SSM.
This step is optional. You can use the ALES performance auditing provider to verify that the AquaLogic Enterprise Security SSM has been properly configured to protect your ALSB installation.
The PerfDBAuditor is an ALES audit provider that collects statistics about requests routed through ALES. After you configure a PerfDBAuditor in your ALSB security realm, you can examine the database tables it populates. For more information about the PerfDBAuditor provider, see Performance Statistics in the Administration and Deployment Guide.
To use the PerfDBAuditor to verify your configuration, follow the procedures in the following sections:
Using the WebLogic Server Administration Console, configure the ALES Performance DB Audit provider: create an auditing provider of type PerfDBAuditor. For an Oracle database, the JDBC driver class is oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:listener-name, where oracle-host is the name or IP address of the system running the Oracle database and listener-name is the Oracle SID served by the database listener. Optionally, set the Performance Statistics Interval attribute to 1 to collect data at 1 minute intervals (instead of the default 5 minutes).
Stop the server by running BEA_HOME/weblogic92/samples/domains/servicebus/bin/stopWebLogic.sh
Restart the server by running BEA_HOME/weblogic92/samples/domains/servicebus/startWebLogicALES.cmd
Generate some performance data and check it:
After a few minutes, check the database table PERF_ATZ_STAT, which is populated with authorization statistics. You should see a non-zero value under TOTALREQ. This indicates that ALSB authorization requests are being routed through the AquaLogic Enterprise Security SSM; it confirms that enforcement is wired in, not that your policies are correct. To verify the policies themselves, also send a request that your policies should deny and confirm that ALSB rejects it.