|
|
This section covers the following topics:
Using the WLS SSM, ALES can be used to manage access control to ALSB’s runtime resources, using the WLS SSM. AquaLogic Service Bus 3.0 (ALSB) is a configuration-based, policy-driven Enterprise Service Bus. It allows a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management.
ALES secures only the runtime resources of ALSB, in general those resources that ALSB passes to isAccessAllowed(). It does not secure the resources used during ALSB configuration, such as the ALSB console.
This document assumes the following:
| Note: | Installation of WebLogic Server 10.0 MP1 and AquaLogic Service Bus 3.0 |
Perform the following tasks to provide an SSM configuration and define an initial policy set for securing ALSB resources. At the conclusion of these steps, you can refine this information as described in the remaining sections of this document.
chdir | cd to BEA_HOME/ales30-ssm/wls-ssm/adm.myssm_config.properties and name it alsb_ssm_config.properties.alsb_ssm_config.properties in an editor. Set ssm.type=wls-alsb-ssm and specify other entries as needed. | Note: | For a sample properties file, see |
ConfigTool -process alsb_ssm_config.properties.http://host:port/sbconsole).You can now use the facilities, including creating/managing projects.
This is a sample of the properties files used to establish the initial configuration for securing ALSB resources.
For instructions on completing this file, see the SSM Installation and Configuration Guide.
### This file lists properties for the SSM configuration tool
### ConfigTool will interactively prompt for values which
### are commented out
### This is the weblogic domain directory
### Use / (and not \ ) for the path
wls.domain.dir = C:/BEAProducts/alsb300_wls100/user_projects/domains/alsb_domain_3
### SSM's config-id
### You can use the name of your application for this value
ssm.conf.id = SimpleApp2
### Database password
db.password = password
### ALES Admin password
ales.admin.password = weblogic
### SSM Username and password
### Note : This is the admin user's username/password of the domain being
### protected. In this case the target domain is the ALSB domain
ssm.admin.name = system
ssm.admin.password = weblogic
### The type of SSM defined by the type of domain against which it
### is configured. The tool will load policies and configuration from
### BEAHOME/ales*-ssm/wls-ssm/config/<ssm.type> where <ssm.type> is one of:
### wls-ssm (for WebLogic Server domain)
### wls-portal-ssm (for WebLogic Portal domain)
### wls-alsb-ssm (for AquaLogic Service Bus domain)
### Note : For ALSB domain this is'wls-alsb-ssm'.
ssm.type = wls-alsb-ssm
#############################################################
### If you have not installed ALES Admin and SSM in the same BEA-HOME,
### specify the values below. The ConfigTool will interactively prompt for
### values that are commented out
#############################################################
### Database user name
# db.login = db_user
### ALES Admin username
# ales.admin.name = system
### name of the SSM instance directory
# ssm.instance.name = MySsm
### the ALES application node name
### This is like the root resource for the SSM
# ales.resource.root = //app/policy/MyApp
### ALES identity directory name
# ales.identity.dir = ALSBdir
### Database JDBC URL:
### Oracle -> jdbc:oracle:thin:@<server>:<port>:<sid>
### Sybase -> jdbc:sybase:Tds:<server>:<port>
### Sql Server -> jdbc:sqlserver://<server>:<port>
### Pointbase -> jdbc:pointbase:server://<server>/ales
###
### values:
### <server>: name or IP address of database machine
### <port>: port where the database listener is running
### <sid>: SID for oracle database
# db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid
### Database JDBC Driver:
### Oracle: oracle.jdbc.driver.OracleDriver
### Sybase: com.sybase.jdbc3.jdbc.SybDriver
### Sql: com.microsoft.sqlserver.jdbc.SQLServerDriver
### Pointbase: com.pointbase.jdbc.jdbcUniversalDriver
### DB2: com.ibm.db2.jcc.DB2Driver
# db.jdbc.driver = oracle.jdbc.driver.OracleDriver
### ARME's port number, by default this is 8000
# arme.port = 8000
| Note: | Providers for WebLogic 9.x/10.0 are defined using the WebLogic console. For details, see WebLogic 9.x/10.0 Security Providers |
To secure Service Bus resources, create a security realm and define the following provider types:
When creating the realm, use the following settings:
Policy definitions include the ALSB resources to which the policy applies. These resources must be defined in ALES.
To create a regular resource named abc:
To create a virtual resource named xyz:
xyz resource and select Configure Resource.Create resources in ALES corresponding to the ALSB Proxy Services. An ALSB Proxy Service has up to four key/value properties:
ALES resource definitions for ALSB use this format:
//app/policy/<binding app>/<Proxy Service App name>/ProxyService/<Project Name>/[Folder name]/<Proxy Service Name>
Table 8-1 describes how ALSB Proxy Service reference elements map to ALES resource and privilege elements
Here is an example of how to convert an ALSB transport level access control to an ALES policy. In ALSB:
type=type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=invoke
//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy
with a default privilege of //priv/access, since with action=invoke, there is no operation defined.
Here is an example of how to convert ALSB access control during inbound web-service-security request processing:
type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=wss-invoke, operation=ProcessPO
//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy
with a privilege of //priv/ProcessPO.
To make a resource binding application and distribution point named def:
def, and select Add Resource.def.Select Resources on the left pane and create a resource tree as shown in Listing 8-1:
myrealm a resource binding application and distribution point.consoleapp and ProxyService resources virtual.myrealm
|---- consoleapp
|---- shared
|----- adm
|----- eis
|----- ejb
|----- jdbc
|----- jms
|----- jndi
|----- ProxyService
| |----- MortgageBroker
| |----- ProxyService
| |---- loanGateway1
| |---- loanGateway2
| |---- loanGateway3
|----- svr
|----- url
|----- webservices
|----- workcontext
When developing policies for use with a Security Service Module, you can use the Discovery mode feature to help define your policy components. Instructions for using Discovery mode are provided in the Resource Discovery section in the Policy Managers Guide.
The ConfigTool will create an ALSB Identity directory and the ALSB administrative user. This user’s password is used to start the ALSB application. Assuming the ALSB Identity directory name is ALSDdir and the administrative user name is weblogic, follow these steps to maintain the password:
Depending on the policy model used to secure ALSB resources, additional ALSB users and groups may be required. For background information, see Identities in the Policy Managers Guide.
The ConfigTool will create an initial set of policies using the files located in BEA_HOME/ales30-admin/examples/policy/alsb_sample_policy. You may import and use them as a starting point for developing a full set of policies to secure ALSB resources. For information about how to import the sample policies, see the README file in the sample directory and see also
Importing Policy Data in the Policy Managers Guide.
This section includes examples of policy creation:
The following policy grants any user with the role Admin all privileges over the resources adm and svr resources:
grant(any, //app/policy/myrealm/shared/adm, //role/Admin)if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;
any from the list and click Add.adm and click Add, then select svr and click Add.Admin and then click Add.eis, ejb, jdbc, jms, jndi, url, webservices and workcontext resources:grant(any, //app/policy/myrealm/shared/eis, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/ejb, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/url, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/webservices, //role/Everyone) if true;
grant(any, //app/policy/myrealm/shared/workcontext, //role/Everyone) if true;
ProxyService resource:grant(access, //app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyService,
//role/Everyone)if true;
The following policy grants the user weblogic the role Admin over the resource myrealm:
grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;
myrealm in the Available Resource list and click Add.Users from the Select Policy Subjects dropdown menu. Then select weblogic and click Add.anonymous the role Anonymous over the resource myrealm:grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;
Everyone over the resource myrealm:grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;
After you have made changes to the configuration and policies in the ALES console, follow these steps to distribute the changes.
After the policies are distributed, start both the myrealm ARME instance used to protect the ALSB domain and the domain itself.
It is possible to use the ALES performance auditing provider to verify that the SSM has been properly configured to protect ALSB. This provider collects statistics about requests routed through ALES.
To use the PerfDBAuditor to verify the SSM configuration, follow these steps:
PerfDBAuditor. Then select PerfDBAuditor from the Type field and click OK.oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:listener-name, where oracle-host is the name or IP address of the system running the Oracle database and listener-name is the name of the database listener. Optionally, set the Performance Statistics Interval attribute to 1 to collect data at 1 minute intervals (instead of the default 5 minutes).
|