The following topics are covered in this section:
BEA AquaLogic Enterprise Security (ALES) is a fine-grained entitlements product that was designed to enable centralized management of access to both application resources and application objects. ALES uses a centrally administered, distributed security services architecture that supports hierarchical policies across heterogeneous application environments. It also provides a unified and adaptable security infrastructure that enables a service-oriented approach to securing distributed applications. It allows shared security infrastructure and services to be leveraged and re-used across the heterogeneous enterprise—improving security and increasing IT efficiency.
ALES includes the Administration Application and a set of Security Services Modules (SSM).
The ALES Administration Application provides centralized management of application entitlements, letting you control all of your security policies and configuration data from a single web-based console. Configuration, security policy, and user metadata for ALES-distributed Security Services Modules are managed and provisioned by the Administration Application. All administrative functions, including delegation, are fully configurable through administrative policies.
BEA AquaLogic Enterprise Security supports a variety of Security Service Modules (SSMs) that reside in the application environments protected by ALES. They provide the runtime enforcement of entitlements and integrate with the underlying security framework to provide services for authentication, authorization, auditing, role mapping, and credential mapping. The security framework also provides a simple application programming interface (API) that security and application developers can use to define security policies and services. SSMs are provided for the WebLogic Platform, Java applications, Web Server applications, Oracle applications, WebSphere applications, and non-Java applications through a generic Web Services SSM.
This section covers the following topics:
This section describes new and changed features for this release of AquaLogic Enterprise Security.
This release of AquaLogic Enterprise Security has several new and changed features:
These features are described in the sections that follow.
The ALES 3.0 documentation set has been completely redesigned to make required tasks easier to understand and more accessible. The new organizational model includes Securing Applications with ALES 3.0 documents and How To sections, which make it easier to find the information you need.
In ALES 3.0 the Entitlements UI includes comprehensive administrative support, including the following management operations:
The Entitlements UI also now includes support for all attribute types.
In ALES 3.0, bulk authorization APIs are exposed in both the Java API and the Web Service API. The APIs accept two kinds of input parameters and return a list of access decisions as well as response attributes:
The Java API AuthorizationService includes new getStatistics, flushCache, and flushCacheByUser methods.
ALES 3.0 includes the ability to return the following information through the API:
ALES 3.0 includes a new SSM configuration tool that greatly simplifies the task of creating an SSM instance.
You need only make some simple edits to a properties file and the config tool creates the SSM, including providers and a default policy, and binds everything together in the console. If any information is missing in the properties file, the tool prompts for the data.
The config tool has check (validate) and process options.
The config tool is located in BEA_HOME/ales30-ssm/ssm-type/adm/ConfigTool.bat (Windows) or ConfigTool.sh (UNIX).
In ALES 3.0 the keystores usage has been greatly simplified. ALES creates a single set of keys to represent a host where ALES components are installed. All ALES components located under a BEA_HOME installation directory use the same shared set of keys, located in BEA_HOME/ales30-shared/keys.
A new enroll tool uses these shared keys, and you need only run it once for any given BEA_HOME. This means you do not have to enroll every SSM that you might create.
This release of ALES provides out-of-the-box attribute retrievers that you can configure directly in the WebLogic Server Administration Console for the WLS 9.x/10.0 SSM, and in the ALES Administration Console for all other SSMs.
Attribute retrievers are used by ASI Authorization and ASI Role Mapping providers to retrieve attributes for use by AquaLogic Enterprise Security authorization and role mapping.
There is no longer any need to write code to create an attribute retriever.
The following attribute retriever types are provided. You can cache attributes for RDBMS, LDAP, and Custom attribute retrievers.
ALES 3.0 includes a new SSM for the WebSphere Application Server. The WebSphere SSM is a Java SSM in WebSphere container, and it allows Java applications deployed in WebSphere to be protected by ALES.
The BEA_HOME\ales30-ssm\websphere-ssm\examples\PolicyQueryWebApp example shows how to configure and set up the WebSphere SSM. It also contains a simple Policy Query Web Application that shows how to retrieve basic security services and use them to do authentication and authorization.
ALES 3.0 includes an SSM for Oracle. The SSM allows ALES policy to be used to limit access and secure data in one or more Oracle database tables.
The ALES Oracle SSM makes use of a feature in Oracle 10g called Fine Grained Access Control (FGAC). You control user access to Oracle tables by using the ALES Administration Console to specify access policies.
The ALES Control for WebLogic Workshop allows you to drag and drop methods from the ALES control onto a WLP page flow, or a WLI process, and then use the data returned by a selected method (access decision, roles, entitlements, etc.) to drive a downstream node in the page flow or process. For example, the result of an IsAccessAllowed method call (grant/deny or set of responses) could drive a downstream decision or switch node in a WLI process.
The ALES control supports a standard set of methods, such as IsAccessAllowed, GetRoles, and so forth.
A sample showing the use of the ALES control in a WLI process definition is included in BEA_HOME\ales30-ssm\wls-ssm\examples\ALESControlForWLW.
ALES 3.0 includes WebLogic Integration 9.2 MP2 runtime resource protection. This allows you to create ALES policies to control access to resources in a WLI process integration, such as WLI processes, nodes, channels, task plans, and worklists. Consider the following uses:
You can use one ALES Admin Console to manage users/groups/roles and configure policies for several WLI domains.
You can create user/group based policies for WLI in addition to role-based policies.
You can create policies with conditions for WLI, such as when a user is allowed to perform a task.
You can create policies with attributes for WLI.
You can use ALES runtime APIs in WLI applications to perform security operations, such as authentication, authorization, and so forth.
A sample showing the use of the ALES control in a WLI process definition is included in BEA_HOME\ales30-ssm\wls-ssm\examples\WLI92Domain.
ALES 3.0 integration with ALBPM 6.0 provides a set of APIs that an ALBPM process designer can call from inside of activities and transitions to get an authorization decision or to return responses. The information could then be stored in a BPM instance variable that could be used anywhere else in the process. Similarly, you could use a BPM instance variable to set the context for an ALES call, such as the loan amount.
The data returned by the ALES policy decision can be used in a conditional transition (routing to the next task), or to set a work item for a user.
ALES 3.0 includes the following new platform support. Supported Configurations describes all of the supported configurations.
Table 1 lists the platform on which each AquaLogic Enterprise Security core component is supported (legible entries only):

- WebLogic Server¹ 9.2 MP2, 10.0 MP1
- Suse Linux² 9.2 & 10.0

¹ Works with WLS configured to use either the Sun JVM or the JRockit JVM that ships with the 9.x or 10.x version of the server. JRockit JVM is supported on Intel hardware only.
² Suse Linux is supported on both 32-bit and 64-bit hardware.
Table 2 lists the AquaLogic Enterprise Security SSMs, the platforms on which they run, and the operating systems under which they are supported.
Note: ALES does not include the JDBC driver for MS SQL and PointBase. If you want to use MS SQL or PointBase for your database, you must download the appropriate JDBC driver. You must use the latest MS SQL 2005 JDBC driver with all versions of MS SQL.
Legible entries from Table 2:

- Windows 2000, 2003¹
- RHAS² 3.0, 4.0
- AIX⁴
- MS .NET 1.1 and 2.0⁵

¹ Windows 2000 SP4 and higher, Windows 2003 R2 and higher.
² RedHat Advanced Server.
³ Suse Linux is supported on both 32-bit and 64-bit hardware.
⁴ AIX SSM support will be delivered post-GA as a CP to ALES 3.0.
⁵ .NET Web Services client on Windows 2000 and 2003 only.
⁶ Works with WLS configured to use either the Sun JVM or the JRockit JVM that ships with the 9.x or 10.x version of the server. JRockit JVM is supported on Intel hardware only.
⁷ ALDSP 2.5 running on WLS 8.1.x, ALDSP 3.0 running on WLS 10.0 MP1.
⁸ ALSB 2.6 running on WLS 9.2, ALSB 3.0 running on WLS 9.2 MP1 and WLS 10.0 MP1.
This section describes known limitations in BEA AquaLogic Enterprise Security, Version 3.0, and may include a possible workaround or fix where applicable. If an entry includes a CR (Change Request) number, a possible solution may be provided in a future BEA AquaLogic Enterprise Security release in which BEA will provide vendor-specific code to fix the problem. Refer to the CR number to conveniently track the solution as problems are resolved.
Please contact BEA Technical Support for assistance in tracking any unresolved problems. For contact information, see the section Contacting BEA Customer Support.
Table 3 lists the known issues in this release of AquaLogic Enterprise Security 3.0.
Your feedback on the product documentation is important to us. Send us e-mail at docsupport@bea.com if you have questions or comments. Your comments will be reviewed directly by the BEA professionals who create and update the product documentation.
In your e-mail message, please indicate that you are using the documentation for the BEA AquaLogic Enterprise Security Version 3.0 release.
If you have any questions about this version of the BEA AquaLogic Enterprise Security product, or if you have problems installing and running the product, contact BEA Customer Support through BEA Web Support at http://support.bea.com. You can also contact Customer Support by using the contact information provided on the Customer Support Card, which is included in the product package.
When contacting Customer Support, be prepared to provide the following information: