Introduction and Roadmap

The following sections describe the content and organization of this document, as well as new features in AquaLogic Enterprise Security 2.2:

Audience and Scope

This document summarizes the features of the BEA AquaLogic™ Enterprise Security products and presents an overview of the architecture and capabilities of the security services. It provides a starting point for understanding the family of BEA AquaLogic Enterprise Security products.

The document is intended for all users of the BEA AquaLogic Enterprise Security product family, including:

Business analysts
Security architects
Security developers
Application developers
Server and application administrators

The BEA AquaLogic Enterprise Security products incorporate many terms and concepts that are defined in the glossary. BEA recommends that you review the terminology to become familiar with the various terms and concepts.

Guide to This Document

This chapter, Introduction and Roadmap, outlines the scope of this document and summarizes new features in this release of AquaLogic Enterprise Security.
Overview of BEA WebLogic Enterprise Security, describes BEA AquaLogic Enterprise Security products, services, features, and functionality.
Architecture Overview, describes the BEA AquaLogic Enterprise Security product architecture and its components.
Security Services, describes security services, including auditing, authentication, authorization and role mapping, and credential mapping.
Security Administration, describes policies and how you use the Administration Server to design policies.

Related Information

The BEA corporate web site provides all documentation for BEA AquaLogic Enterprise Security, including:

WSDL Documentation for the Web Service Interfaces—Provides reference information for the Web Services Interfaces that are part of this release of BEA AquaLogic Enterprise Security.
Administration and Deployment Guide—Provides step-by-step instructions for performing various administrative tasks.
Integrating ALES with Application Environments—Describes how to integrate AquaLogic Enterprise Security into application environments.
Policy Managers Guide—Describes how to write access control policies for BEA AquaLogic Enterprise Security, and describes how to import and export policy data.
Installing Security Services Modules—Describes how to install ALES Security Services Modules, including the Web Services Security Service Module.
Developing Security Providers —Describes how to develop custom security providers.
Javadocs for Security Service Provider Interfaces—Provides reference information for the Security Service Provider Interfaces that are part of this release of BEA AquaLogic Enterprise Security.
Programming Security for Java Applications—Describes how to implement security in Java applications. It include descriptions of the Security Service Application Programming Interfaces and programming instructions for implementing security in Java applications.
Javadocs for Java API—Provides reference information for the Java Application Programming Interfaces that are part of this release of BEA AquaLogic Enterprise Security.

New and Changed Features in This Release

This release of AquaLogic Enterprise Security has several new and changed features.

Performance Statistics

The performance statistics feature enables the collection of authentication and authorization data for troubleshooting and performance analysis. The performance statistic feature is controlled by an auditing security provider, the PerfDBAuditor provider, which you configure and enable for each Security Service Module for which you want to gather statistics.

The performance statistics feature gathers the following information, for each SSM configuration ID and host name, aggregated for each time interval specified by the Performance Statistics Interval setting:

Number of requested and successful authentications
Number of requested and successful authorizations
Average latency of an authentication request, in milliseconds
Average latency of an authorization request (the duration of calls to isAccessAllowed from start to end), in milliseconds
For any user attribute required for policy evaluation or response:

Average retrieval time, in milliseconds
Total number of retrievals

For each external function called during evaluation:

Average execution time, in milliseconds
Total number of calls

Web Services Client Authorization Cache

A client-side Authorization cache allows an application that is using the Web Services SSM to take advantage of in-process caching to achieve performance improvements when making authorization calls.

The Web Services Authorization cache is implemented as an Axis handler. The handler implementation allows you to add and remove the Authorization cache without affecting existing code. The Authorization cache can be configured through a Java API. If you do not use the configuration API to configure the cache, the default values for the cache are used.

Authorization Through XACML

External applications can ask authorization questions through use of the XACML protocol. This capability is supported only in the Web Services SSM.

The XACML service is implemented as an extension to the existing Authorization Service in the Web Service SSM, and uses the same configuration and administration scripts of the Web Service SSM. The XACML service is silently installed together with the Web Service SSM.

New Installation Features

This release of AquaLogic Enterprise Security includes a utility to help you upgrade from AquaLogic Enterprise Security 2.1. See Installing the Administration Server for additional information.

As of version 2.2 of ALES, the user who installs the Administration Server and SSMs does not require administrator privileges on a Windows platform, or root access on a Sun Solaris or Linux platform. The installation procedures set the file and directory permissions based on the user who runs the installer.

Support for Non-U.S.-English Locales

You can install the Administration Server and SSMs in non-US-English locales. If you install AquaLogic Enterprise Security on a machine that is part of a non-US-English locale, it is assumed that all other components with which AquaLogic Enterprise Security communicates will also be installed on the same non-US-English locale, including the policy RDBMS and the authentication source (LDAP or RDBMS).

WebLogic Server 9.x SSM Added

The WebLogic Server 9.x Security Service Module (SSM) integrates AquaLogic Enterprise Security with BEA WebLogic Server 9.1 and 9.2. This SSM uses a different security framework from the one used in the WebLogic Server 8.1 SSM and the other AquaLogic Enterprise Security SSMs. When you install the WebLogic Server 9.x SSM, AquaLogic Enterprise Security uses the WebLogic Server 9.x security framework. As a consequence, when you use the WebLogic Server 9.x SSM, you configure security providers in the WebLogic Administration Console, rather than in the AquaLogic Enterprise Security Administration Console. You still use the AquaLogic Enterprise Security Administration Console to create resources and to write security policies for all SSMs, and to configure providers in SSMs other than the WebLogic Server 9.x SSM. You must also use the AquaLogic Enterprise Security Administration Console to configure the deployment parent in the ASI Authorizer and ASI Role Mapper providers.

WebLogic 9.x Security Providers Supported

This release of AquaLogic Enterprise Security supports any of the WebLogic 9.x security providers. However, the Security Service Module for WebLogic Server 9.x is configured differently, as described in Integrating ALES with Application Environments.

You can also use the WebLogic Server 9.x WebLogicMBeanMaker to create any of the security provider types described in Developing WebLogic Security Providers.

Web Services SSM Now Supports Microsoft .Net and WebLogic Workshop 9.0 Clients

The Web Services SSM includes a set of examples that illustrate Web Services client development in different environments. The examples are located in BEA_HOME\ales22-ssm\examples. For this release, the following new examples are included:

ssmWorkshop

ssmNET

WebLogic Portal 9.2 Integration Supported

This release of AquaLogic Enterprise Security allows you to integrate with WebLogic Portal 9.2 server and portal applications, resulting in an enhanced set of security services for use in protecting WebLogic Portal. AquaLogic Enterprise Security participates in the authoring and management of policy for WebLogic Portal resources. Once AquaLogic Enterprise Security is integrated with WebLogic Portal, you use AquaLogic Enterprise Security Administration Server to manage resources related to portal desktops, books, pages, and portlets.

AquaLogic Service Bus Integration Supported

This release of AquaLogic Enterprise Security allows you to integrate AquaLogic Service Bus 2.5. AquaLogic Service Bus 2.5 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It facilitates a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management. You can use AquaLogic Enterprise Security to manage access control to ALSB's runtime resources, using the ALES WebLogic Server 9.x Security Service Module.

ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(); it does not secure the resources used during ALSB configuration, such as the ALSB console.

Additional Platforms Supported

This release of AquaLogic Enterprise Security supports the following additional platforms:

WebLogic Server 9.1 and 9.2 are supported as platforms for the AquaLogic Enterprise Security Administration Server. An AquaLogic Enterprise Security Administration Server running on WebLogic Server 9.1 or 9.2 works with both WLS 8.1 and WLS 9.x SSMs.
WebLogic Server 9.1 and 9.2 are supported as platforms for SSMs. The SSMs run with either the Sun JVM or the JRockit JVM that ship with WebLogic Server.
Tomcat 5.5.15 is supported as a platform for AquaLogic Enterprise Security Administration Server.
AIX 5.3 is supported as a platform for SSMs. AquaLogic Enterprise Security supports the WebLogic Server (8.1x/9.x), Java, and Web Services SSMs on AIX 5.3.
JRockit JVM is supported. AquaLogic Enterprise Security supports the use of both the Sun JVM and the JRockit JVM. Use of JRockit as a JVM is supported only for 9.x platform products. AquaLogic Enterprise Security supports the JRockit release that ships with WLS 9.x, which is based on the 1.5 version of the Sun JVM. JRockit is supported only on Intel Pentium-compatible hardware (Windows and Red Hat Linux).

New Examples

This release of AquaLogic Enterprise Security includes the following new examples. Each example has a readme file that describes its function.

For admin:

BEA_HOME\ales22-admin\examples\EJBAppExample
BEA_HOME\ales22-admin\examples\arme_extension
BEA_HOME\ales22-admin\examples\DBSetupKit
BEA_HOME\ales22-admin\examples\policy
BEA_HOME\ales22-admin\examples\policymgtwsapi
BEA_HOME\ales22-admin\examples\tools

For SSMs:

For Java SSM:

BEA_HOME\ales22-ssm\java-ssm\examples\AttributeRetriever
BEA_HOME\ales22-ssm\java-ssm\examples\JavaAPIExample
BEA_HOME\ales22-ssm\java-ssm\examples\QueryResources
BEA_HOME\ales22-ssm\java-ssm\examples\tools

For Web Services SSM:

BEA_HOME\ales22-ssm\webservice-ssm\examples\ArmeMonitor
BEA_HOME\ales22-ssm\webservice-ssm\examples\JavaWebServiceClient
BEA_HOME\ales22-ssm\webservice-ssm\examples\SsmNet
BEA_HOME\ales22-ssm\webservice-ssm\examples\SsmWorkshop
BEA_HOME\ales22-ssm\webservice-ssm\examples\tools
BEA_HOME\ales22-ssm\webservice-ssm\examples\XACMLClient

For WLS 9 SSM:

BEA_HOME\ales22-ssm\wls9-ssm\examples\ALESEnabledWLP92Domain
BEA_HOME\ales22-ssm\wls9-ssm\examples\tools

For WLS 8 SSM:

BEA_HOME\ales22-ssm\wls-ssm\ALESEnabledWLPDomain
BEA_HOME\ales22-ssm\wls-ssm\ALESEnabledWLSCluster
BEA_HOME\ales22-ssm\wls-ssm\ArmeMonitor
BEA_HOME\ales22-ssm\wls-ssm\ResourceConverter
BEA_HOME\ales22-ssm\wls-ssm\SAMLServletExample
BEA_HOME\ales22-ssm\wls-ssm\taglib
BEA_HOME\ales22-ssm\wls-ssm\tools

Adding Application Context from the BLM API

In this release of AquaLogic Enterprise Security, the BLM API has been enhanced to allow you to send an Application Context to the auditing service.

The following BLM API methods have been added to provide for the Application Context:

BLMManager.create(java.util.Hashtable credentials, java.util.Hashtable appCtx). This method creates an instance of the BLMContextManager and initializes the BLMContextManager with an Application Context. The BLM then adds the Application Context data to all auditing messages associated with this BLM Context sent to the Audit provider.
BLMContextManager.setApplicationContext(Hashtable appCtx). This method replaces an existing application context with the new one provided. (You must have called BLMManager.create(java.util.Hashtable credentials, java.util.Hashtable appCtx) method prior to calling setApplicationContext(Hashtable appCtx). All subsequent audit messages associated with this BLM Context have the Application Context added to them when they are sent to the Audit provider.
BLMContextManager.clearApplicationContext(). This method clears the Application Context associated with this BLM Context so that it is no longer included with audit messages sent to the Audit provider.