Integrating ALES with Application Environments


Integrating with AquaLogic Service Bus

This section covers the following topics:

  • Introduction
  • Integrating with AquaLogic Service Bus: Main Steps
  • Integration Pre-Requisites
  • Creating the WebLogic Server SSM Configuration
  • Configuring Resources and Policies for ALSB
  • Verify the Configuration Using the Performance Auditing Provider

Introduction

AquaLogic Service Bus 2.5 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It facilitates a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management. AquaLogic Enterprise Security can be used to manage access control to ALSB's runtime resources, using the ALES WebLogic Server 9.x Security Service Module.

ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(); it does not secure the resources used during ALSB configuration, such as the ALSB console.

 


Integrating with AquaLogic Service Bus: Main Steps

This section describes how to integrate AquaLogic Enterprise Security with the AquaLogic Service Bus. Once integrated, you can use the AquaLogic Enterprise Security Administration Console to write and deploy a set of authorization and role mapping policies to protect ALSB runtime resources.

To integrate AquaLogic Enterprise Security with AquaLogic Service Bus, perform the following tasks:

  1. Make sure you have fulfilled all the installation prerequisites described in Integration Pre-Requisites.
  2. Create, configure, and enroll an instance of the WebLogic Server SSM, as described in Creating the WebLogic Server SSM Configuration.
  3. Create in the ALES console resources that correspond to the AquaLogic Service Bus resources you want to protect, as described in Configuring ALSB Resources.
  4. Configure security policies for ALSB, as described in Configuring ALSB Policies.
  5. Optionally, you can use the ALES PerfDB Auditing provider to verify your configuration, as described in Verify the Configuration Using the Performance Auditing Provider.

 


Integration Pre-Requisites

Before you begin, you must ensure that the following pre-requisites are satisfied:

  1. Install WebLogic Server 9.1 or 9.2 in accordance with the BEA Installation Guide. This section assumes that you have installed WebLogic Server in c:\bea920, the default BEA_HOME directory for WebLogic Server 9.2 on Windows.
  2. Install the AquaLogic Enterprise Security Administration Server, as described in Installing the Administration Server. This section assumes you have installed the ALES Administration Server in c:\bea920\ales-22-admin, the default for ALES 2.5 and WebLogic Server 9.2 on Windows.
  3. Install the WebLogic Server 9.x Security Service Module in your WebLogic Server directory, as described in Installing Security Service Modules. This section assumes you have installed the WebLogic Server 9.x Security Service Module in c:\bea920\ales-22-ssm.
  4. Install AquaLogic Service Bus 2.5 in your WebLogic Server directory in accordance with the AquaLogic Service Bus Installation Guide.
  5. You must have access to an Administration Console that is running on the AquaLogic Enterprise Security 2.5 Administration Server on either the local machine or a remote machine. This section assumes you are accessing the ALES Administration Console at https://localhost:7010/asi and the ALSB Console at https://localhost:7021/sbconsole. Replace these URLs with the actual hostnames and port numbers on which you access these consoles.

 


Creating the WebLogic Server SSM Configuration

Securing ALSB with ALES employs the WebLogic Server 9.x SSM. Integration of ALES with ALSB is not supported for versions of WebLogic Server prior to WebLogic Server 9.1. Install the WebLogic Server 9.x SSM on the machines on which you have installed ALSB, as described in Installing Security Service Modules. Configure the WebLogic Server 9.x SSM, as described in the following sections:

Create an Instance of the Security Service Module

Before starting a WebLogic Server Security Service Module, you must first create an instance of the WebLogic Server Security Service Module using the Create New Instance Wizard:

  1. Start the ALES Administration Server:
    • On Windows, Start > All Programs > BEA AquaLogic Enterprise Security > Administration Server > Start Server
    • On UNIX, run ALES-SSM/bin/WLESAdmin.sh start
  2. Run the ALES SSM New Instance Wizard:
    • On Windows, Start > All Programs > BEA AquaLogic Enterprise Security > WebLogic Server 9.x Security Service Module > Create New Instance
    • On UNIX, run ALES-SSM/wls9-ssm/adm/instancewizard.sh
  3. In the Create New Instance Wizard, enter values for the following:
    • Instance name (default: myrealm)
    • Authorization engine port (default: 8000)
    • Configuration ID (default: myrealm)
    • Enterprise domain (default: asi)
  4. Click Next.

For more information about creating an instance of a WebLogic Server Security Service Module, see Creating an Instance of a Security Service Module in Installing Security Service Modules.

Enroll the Instance of the Security Service Module

After you create the WebLogic Server Security Service Module instance, enroll it with the SCM. You must have the ALES Administration Server running prior to enrolling the Security Service Module. To enroll the WebLogic Server Security Service Module run enroll.bat or enroll.sh. The enroll scripts are found in ALES-SSM/wls9-ssm/adm/instance.

For more information about enrolling a security service module, see Enrolling the Instance of the Security Service Module in Installing Security Service Modules.

Enable the Console Extension for Security Providers in the WLS 9.x Console

ALES includes an extension to the WebLogic Server 9.x Administration Console. Install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.

To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales25-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/servicebus/console-ext directory.

Modify the startWebLogic File

Copy and modify the startWebLogic.cmd files present in BEA_HOME/weblogic92/samples/domains/servicebus and BEA_HOME/weblogic92/samples/domains/servicebus/bin, as described in Modifying the startWebLogic File. The files set-wls-env.bat and set-wls-env.sh are located in the directory ALES-SSM/wls9-ssm/instance/myrealm/bin.

Configure ALES Security Providers in the WebLogic Administration Console

An SSM configuration defines the set of security providers to use for adjudication, authentication, auditing, authorization, role mapping, and credential mapping services. This section describes how to use the WebLogic Server Administration Console to configure a set of security providers for AquaLogic Service Bus. After you have completed the steps described in Integration Pre-Requisites and the preceding sections:

  1. Start WebLogic Server, using the startWebLogic script you modified in accordance with the instructions in Modify the startWebLogic File.
  2. Access the WebLogic Server Administration Console, using a browser. The default URL for the console is https://localhost:7001/console.
  3. Use the WebLogic Server Administration Console to configure the security realm and its providers, as described in the following sections: Configure the Security Realm, Configure a Database Authenticator, Configure an ASI Authorization Provider, Replace the Default Adjudicator with the ASI Adjudicator, Configure an ASI Role Mapper, and Activate Changes.

For more information about creating a SSM configuration, see Configuring and Binding a Security Service Module in Installing Security Service Modules and the Console Help. See also Configuring the WebLogic Server 9.x SSM.

Configure the Security Realm

  1. In the Change Center of the WebLogic Server Administration Console, click Lock & Edit.
  2. In the left pane of the WebLogic Server Administration Console, click Security Realms and then in the right pane click myrealm.
  3. On the Configuration page for the myrealm security realm:
    1. Set Security Model Default to Advanced.
    2. Uncheck Combined Role Mapping Enabled.
    3. Click Save.
    4. Click Advanced.
    5. Set Check Role and Policies to All Web applications and EJBs.
    6. Click Save.

Configure a Database Authenticator

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Authentication.
  2. Click New.
  3. In the Name field, enter DatabaseAuthenticator.
  4. Select DatabaseAuthenticator from the Type pull down menu and click OK.
  5. Select REQUIRED from the pull-down menu and click Save.
  6. On the Configuration: Provider-Specific page for the DatabaseAuthenticator security provider, enter the JDBC connection information. For Oracle databases, the JDBC Driver Class Name is oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:listener-name, where oracle-host is the name or IP address of the system running the Oracle database and listener-name is the name of the database listener.

Configure an ASI Authorization Provider

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Authorization.
  2. Click New.
  3. In the Name field, enter ASIAuthorizer.
  4. Select ASIAuthorizationProvider from the Type pull down menu and click OK.
  5. On the Configuration: Provider-Specific page for the ASIAuthorizationProvider security provider, set the Application Deployment Parent field to //app/policy/myrealm and click Save.

Replace the Default Adjudicator with the ASI Adjudicator

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Adjudication.
  2. Click Replace.
  3. In the Name field, enter ASIAdjudicator.
  4. Select ASIAdjudicator from the Type pull down menu and click Save.
  5. On the Configuration: Provider-Specific page for the ASIAdjudicator security provider, uncheck Require Unanimous Permit and click Save.

Configure an ASI Role Mapper

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Role Mapping.
  2. Click New.
  3. In the Name field, enter ASIRoleMapperProvider.
  4. Select ASIRoleMapperProvider from the Type pull down menu and click Save.
  5. On the Configuration: Provider-Specific page for the ASIRoleMapperProvider security provider, set the Application Deployment Parent field to //app/policy/myrealm and click Save.

Activate Changes

To activate the changes to the security realm:

  1. In the Change Center of the WebLogic Server Administration Console, click Activate Changes.
  2. Shut down the AquaLogic Service Bus domain.

Configure ALES Security Providers in the ALES Administration Console

After you configure your security providers in the WebLogic Server Administration Console, you need to take some additional steps to configure them using the AquaLogic Enterprise Security Administration Console. The console's default URL is https://localhost:7010/asi and its default user name and password are system and weblogic. Use the ALES console to create the weblogic user, create a new SSM configuration, and bind the configuration to the SCM, as described in the following sections.

Create the weblogic User

Create a user named weblogic.

  1. In the AquaLogic Enterprise Security Administration Console, select Identity > Users and click New.
  2. In the Create User window, enter the name weblogic and click OK.
  3. Select the user name weblogic and click Set Password. If this is a development environment, you can use the default password weblogic.

Create a New SSM Configuration

In the ALES Administration Console, create a new configuration named myrealm, including the ASI Authorization provider and the ASI Role Mapper:

  1. In the left pane, click Unbound Configuration.
  2. Click Create a new Security Service Module Configuration.
  3. In the Configuration ID field, enter myrealm and click Create.
  4. Select Providers > Authorizers.
  5. Click Configure a new ASI Authorization Provider and click Create.
  6. In the Details tab for the ASI Authorization Provider, set the Application Deployment Parent field to //app/policy/myrealm and click Apply.
  7. Select Unbound Configurations > myrealm > Role Mapping.
  8. Click Configure a new ASI Role Mapper Provider and click Create.
  9. In the Details tab for the ASI Role Mapper Provider, set the Application Deployment Parent field to //app/policy/myrealm and click Apply.

Bind the Configuration to the SCM

In the ALES Administration Console, bind the new security configuration to the Service Control Manager:

  1. Select Security Configuration > Service Control Managers > adminconfig.
  2. Click adminconfig in the left pane and click the Bindings tab in the right pane.
  3. Select myrealm from the dropdown menu and click Bind.

 


Configuring Resources and Policies for ALSB

Developing a set of policies typically begins by determining which resources you need to protect and your access control requirements. You then create the identity directory, resources, groups, users, and roles that you will use to write policies to protect those resources. Next you write a set of authorization and role mapping policies to define access control on those resources. Finally, you deploy the set of policies to the WebLogic Server Security Service Module that you use to control access to your data services.

This section covers the following topics:

  • Configuring ALSB Resources
  • Configuring ALSB Policies

Configuring ALSB Resources

This section describes how to use the ALES Administration Console to define the application resources that you will protect using ALES.

Creating a Regular Resource

To create a regular resource named abc:

  1. In the ALES Administration Console, open the resource tree.
  2. Right click the parent of abc, and select Add Resource.
  3. In the Name field, enter abc and click OK.

Creating a Virtual Resource

To create a virtual resource named xyz:

  1. Create a resource named xyz as described in Creating a Regular Resource.
  2. Right click the resource xyz and select Configure Resource.
  3. Check the Allow Virtual Resources box and click OK.

Creating the ALSB Proxy Service Resources

Create resources in ALES corresponding to the ALSB Proxy Services. An ALSB Proxy Service has up to four key/value properties:

  path: The full name of the proxy service, for example path=project/folder1/folder2
  proxy: The name of the proxy service, for example proxy=myProxy
  action: One of two values, invoke or wss-invoke
  operation: The name of the operation to invoke, used only where action=wss-invoke, for example operation=processPO

ALES resource definitions for ALSB use this format:

//app/policy/<binding app>/<Proxy Service App name>/ProxyService/<Project Name>/[Folder name]/<Proxy Service Name>

Table 11-1 describes how ALSB Proxy Service reference elements map to ALES resource and privilege elements.

Table 11-1 ALSB Proxy Service Elements Represented in ALES Resources and Privileges

  Resource/Privilege Element    Description
  binding app                   The ALES binding node name.
  Proxy Service app name        The default application name, shared.
  ProxyService                  The ALES resource type.
  Folder name                   The ALSB Proxy Service folder name.
  //priv/<operation>            The operation field of the ALSB Proxy Service, representing one of the Web Services operations provided.

Here is an example of how to convert an ALSB transport-level access control to an ALES policy. In ALSB:

type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=invoke

is converted in ALES to:

//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy

with a default privilege of //priv/access, since with action=invoke there is no operation defined.

Here is an example of how to convert ALSB access control during inbound web-service-security request processing:

type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=wss-invoke, operation=ProcessPO

is converted in ALES to:

//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy

with a privilege of //priv/ProcessPO.

Creating a Resource Binding Application and Distribution Point

To make a resource binding application and distribution point named def:

  1. Right-click the parent of def and select Add Resource.
  2. In the Name field, enter def.
  3. From the Type drop-down list box, select Binding.
  4. Check the Distribution Point box.
  5. After the resource is created, right click the resource and select Configure Resource.
  6. Select Binding application from the pull-down menu and click OK.

Creating a Resource Tree

Select Resources in the left pane and create a resource tree as shown in Listing 11-1:

  1. Make myrealm a resource binding application and distribution point.
  2. Make the consoleapp and ProxyServices resources virtual.

Note: Pay extra attention to entering the resource names correctly; any mistake will result in an incorrect configuration.

Listing 11-1 Resource Tree

myrealm
|---- consoleapp
|---- shared
      |---- adm
      |---- eis
      |---- ejb
      |---- jdbc
      |---- jms
      |---- jndi
      |---- ProxyService
      |     |---- MortgageBroker
      |           |---- ProxyServices
      |                 |---- loanGateway1
      |                 |---- loanGateway2
      |                 |---- loanGateway3
      |---- svr
      |---- url
      |---- webservices
      |---- workcontext

Discovering Services

When developing policies for use with a Security Service Module, you can use the Discovery mode feature to help define your policy components. Instructions for using Discovery mode are provided in the Resource Discovery section in the Policy Managers Guide.

Configuring ALSB Policies

The ALES Administration Server installation includes a set of sample policies for BEA AquaLogic Service Bus, located at BEA_HOME/ales25-admin/examples/policy/alsb_sample_policy. You can import these sample policies and use them as a starting point for developing a full set of policies for your applications. For information about how to import the sample policies, see the README file in the sample directory and see also Importing Policy Data in the Policy Managers Guide.

This section includes the following examples of policy creation:

  • Authorization Policy Examples
  • Role Mapping Policy Examples

Authorization Policy Examples

The following policy grants any user with the role Admin all privileges over the resources //app/policy/myrealm/shared/adm and //app/policy/myrealm/shared/svr:

grant(any, //app/policy/myrealm/shared/adm, //role/Admin) if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;

To add this policy:

  1. Select Policy > Authorization Policies and click New.
  2. Check grant at the top of the window.
  3. Click any from the list and click Add.
  4. Click Resources tab and expand myrealm > shared.
  5. Select adm and click Add, then select svr and click Add.
  6. Click the Policy Subjects tab, click Admin and then click Add.
  7. Make sure that the data is correct and click OK.

The following policy grants all users all privileges over the eis, ejb, jdbc, jms, jndi, url, webservices and workcontext resources:

grant(any, //app/policy/myrealm/shared/eis, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/ejb, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/url, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/webservices, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/workcontext, //role/Everyone) if true;

To add this policy:

  1. Select Policy > Authorization Policies and click New.
  2. Check grant at the top of the window.
  3. Click any from the list and click Add.
  4. Click Resources tab and expand myrealm > shared.
  5. Select in turn each of eis, ejb, jdbc, jms, jndi, url, webservices and workcontext and click Add.
  6. Click the Policy Subjects tab, click Everyone and then click Add.
  7. Make sure that the data is correct and click OK.

The following policy grants all users access to the ProxyServices resource:

grant(access, //app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyServices, //role/Everyone) if true;

To add this policy:

  1. Select Policy > Authorization Policies and click New.
  2. Check grant at the top of the window.
  3. Click access from the list and click Add.
  4. Click Resources tab and expand myrealm > shared > ProxyService > MortgageBroker.
  5. Select ProxyServices and click Add.
  6. Click the Policy Subjects tab, click Everyone and then click Add.
  7. Make sure that the data is correct and click OK.

Role Mapping Policy Examples

The following policy grants the user weblogic the role Admin over the resource myrealm:

grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;

To add this policy:

  1. Select Policy > Role Mapping Policies.
  2. Click New.
  3. In the Available Roles list, click Admin.
  4. Click Add.
  5. Click the Resources tab.
  6. In the Available Resources list, click myrealm.
  7. Click Add.
  8. Click the Policy Subjects tab.
  9. In the Select Policy Subjects from: pulldown menu, select Users.
  10. Select weblogic.
  11. Click Add.
  12. Make sure that the data is correct and click OK.

The following policy grants the user anonymous the role Anonymous over the resource myrealm:

grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;

To add this policy:

  1. Select Policy > Role Mapping Policies.
  2. Click New.
  3. In the Available Roles list, click Anonymous.
  4. Click Add.
  5. Click the Resources tab.
  6. In the Available Resources list, click myrealm.
  7. Click Add.
  8. Click the Policy Subjects tab.
  9. In the Select Policy Subjects from: pulldown menu, select Users.
  10. Select anonymous.
  11. Click Add.
  12. Make sure that the data is correct and click OK.

The following policy grants the group of all users the role Everyone over the resource myrealm:

grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;

To add this policy:

  1. Select Policy > Role Mapping Policies.
  2. Click New.
  3. In the Available Roles list, click Everyone.
  4. Click Add.
  5. Click the Resources tab.
  6. In the Available Resources list, click myrealm.
  7. Click Add.
  8. Click the Policy Subjects tab.
  9. In the Select Policy Subjects from: pulldown menu, select Groups.
  10. Select allusers.
  11. Click Add.
  12. Make sure that the data is correct and click OK.
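The conversion rule from Creating the ALSB Proxy Service Resources and the sample grant statements from Authorization Policy Examples and Role Mapping Policy Examples, carried through in code as an added example (this is not BEA's code or the ALES engine): it maps ALSB proxy-service properties to the ALES resource and privilege, parses the grant statements, and decides whether a user's request would be permitted. It assumes myrealm as the binding application node, that a grant on a resource node also covers that node's descendants, and that every user belongs to the allusers group; the ALSB reference lines are constructed.

```python
import re

# Assumptions for this example (not stated by the page as code):
BINDING_APP = "myrealm"   # binding application node from the page's resource tree
PROXY_APP = "shared"      # default Proxy Service app name (Table 11-1)

# Sample policies copied from the page's policy examples.
AUTHZ_POLICY = """
grant(any, //app/policy/myrealm/shared/adm, //role/Admin)if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;
grant(access, //app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyServices, //role/Everyone)if true;
"""
ROLE_POLICY = """
grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;
grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;
grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;
"""

GRANT_RE = re.compile(r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+true\s*;")


def parse_props(line):
    """Parse 'type=<alsb-proxy-service>, path=..., proxy=..., action=...' into a dict."""
    return dict(item.strip().split("=", 1) for item in line.split(",") if "=" in item)


def alsb_to_ales(props):
    """Map ALSB proxy-service properties to an (ALES resource, ALES privilege) pair.
    action=invoke gets the default //priv/access; action=wss-invoke gets //priv/<operation>."""
    if props.get("type") != "<alsb-proxy-service>":
        raise ValueError("not an ALSB proxy-service reference: %r" % props.get("type"))
    resource = "//app/policy/%s/%s/ProxyService/%s/%s" % (
        BINDING_APP, PROXY_APP, props["path"].strip("/"), props["proxy"])
    action = props.get("action")
    if action == "invoke":
        return resource, "//priv/access"
    if action == "wss-invoke":
        if not props.get("operation"):
            raise ValueError("wss-invoke requires an operation")
        return resource, "//priv/" + props["operation"]
    raise ValueError("unknown action: %r" % action)


def parse_grants(text):
    """Extract (first argument, resource, subject) triples from 'grant(...) if true;' lines."""
    return GRANT_RE.findall(text)


def covers(policy_resource, resource):
    """Assumption: a grant on a resource node also applies to its descendants."""
    return resource == policy_resource or resource.startswith(policy_resource + "/")


def roles_for(user, resource, role_grants):
    """Roles the user holds on the resource. Assumption: every user is in //sgrp/asi/allusers/."""
    subjects = {"//user/asi/%s/" % user, "//sgrp/asi/allusers/"}
    return {role for role, res, subj in role_grants if subj in subjects and covers(res, resource)}


def is_access_allowed(user, resource, priv, authz_grants, role_grants):
    """Permit when an authorization grant names the privilege (or 'any'), covers the
    resource, and is granted to a role the user holds on that resource."""
    roles = roles_for(user, resource, role_grants)
    priv_name = priv.rsplit("/", 1)[1]
    return any((p == "any" or p == priv_name) and covers(res, resource) and subj in roles
               for p, res, subj in authz_grants)


def check(user, alsb_line):
    """End to end: ALSB reference line -> ALES resource/privilege -> policy decision."""
    resource, priv = alsb_to_ales(parse_props(alsb_line))
    return is_access_allowed(user, resource, priv, parse_grants(AUTHZ_POLICY), parse_grants(ROLE_POLICY))


if __name__ == "__main__":
    # Constructed requests against the page's loanGateway1 proxy service.
    gw = "type=<alsb-proxy-service>, path=MortgageBroker/ProxyServices, proxy=loanGateway1, action=invoke"
    print(alsb_to_ales(parse_props(gw)))
    print("anonymous invoke:", check("anonymous", gw))            # True via //role/Everyone
    print("anonymous wss-invoke:", check("anonymous", gw.replace("invoke", "wss-invoke") + ", operation=processPO"))
```

Because the Admin role is only granted "any" on adm and svr, even the weblogic user is denied a wss-invoke of an operation on the proxy service until a policy grants that operation privilege on the ProxyService subtree.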

Distribute Changes

After you have made changes to the configuration and policies in the ALES console, distribute the changes:

  1. Click Deployment in the left pane.
  2. Click Configuration in the right pane.
  3. Select Security Configurations and click Distribute Configuration Changes.

Once the distribution of the Security Configurations reaches 100% complete, distribute the policy changes:

  1. Click Deployment in the left pane.
  2. Select Policy and click Distribute Policy.

Once the distribution of the policy reaches 100% complete:

  1. Start the myrealm ARME instance that is used to protect the ALSB domain. On Windows, select Start > All Programs > BEA AquaLogic Enterprise Security > Security Service Module > Weblogic 9.x Server Security Service Module > myrealm > Start ARME (console mode).
  2. Start the ALSB domain by running BEA_HOME\weblogic92\samples\domains\servicebus\startWebLogicALES.cmd. This step can take several minutes to complete.

Now the AquaLogic Service Bus domain is protected by the AquaLogic Enterprise Security WebLogic 9.x SSM.

 


Verify the Configuration Using the Performance Auditing Provider

This step is optional. If you like, you can use the ALES performance auditing provider to verify that the AquaLogic Enterprise Security SSM has been properly configured to protect your ALSB installation.

The PerfDBAuditor is an ALES audit provider which collects statistics about requests routed through ALES. After you configure a PerfDBAuditor in your ALSB security realm, you can examine the database tables. For more information about the PerfDBAuditor provider, see Performance Statistics in the Administration and Deployment Guide.

To use the PerfDBAuditor to verify your configuration, follow the procedures in the following sections:

Configure the PerfDBAudit Provider

Using the WebLogic Server Administration Console, configure the ALES Performance DB Audit provider:

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Auditing.
  2. Click New.
  3. In the Name field, enter PerfDBAuditor.
  4. Select PerfDBAuditor from the Type pull down menu and click OK.
  5. On the Configuration: Provider-Specific page for the PerfDBAuditor security provider, enter the JDBC connection information. For Oracle databases, the JDBC Driver Class Name is oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:listener-name, where oracle-host is the name or IP address of the system running the Oracle database and listener-name is the name of the database listener.
  6. Optionally, set the Performance Statistics Interval attribute to 1 to collect data at 1 minute intervals (instead of the default 5 minutes). Click Save.
  7. Click Activate Changes.

Restart the Domain

Stop the server by running BEA_HOME/weblogic92/samples/domains/servicebus/bin/stopWebLogic.sh

Restart the server by running BEA_HOME/weblogic92/samples/domains/servicebus/startWebLogicALES.cmd

Generate Data

Generate some performance data and check it:

  1. In Internet Explorer, open the ALSB example application at http://localhost:7021/examplesWebApp/index.jsp.
  2. Click Reload the examples.
  3. Under Run the AquaLogic Service Bus Examples, click Run the Example.
  4. Click Submit Loan Application.

After a few minutes, check the database table PERF_ATZ_STAT, which is populated with authorization statistics. You should see a non-zero value under TOTALREQ. This indicates that access to the ALSB example application is protected by the AquaLogic Enterprise Security SSM.
