Using the AquaLogic Service Bus Console
Security Configuration
This section includes the following topics:
Overview of Security Configuration
This section includes the following topics:
You use the Security Configuration module to determine who has access to the resources in AquaLogic Service Bus. You configure transport-level security and message-level security by configuring credentials and access control policies, using WSDLs, WS-Policy statements, and while creating and editing proxy and business services. For more information, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
The following table lists the pages you can access from the Security Configuration module. The tasks and help topics associated with each are provided:
Users
Users are entities that can be authenticated. You can define users to authenticate access to a proxy service or access to the console. Each user is assigned a unique identity within the realm. To make it easier to administer a large number of users, users can be organized into named groups. Groups can in turn be assigned membership in other groups.
User type depends on the group to which the user is assigned.
Groups
To make it easier to administer a large number of users, users can be organized into named groups. Groups can in turn be assigned membership in other groups.
The following table lists the group types:
|
Property
|
Description
|
|
IntegrationAdministrators
|
Has complete access to all AquaLogic Service Bus resources, with the following exceptions:
Cannot create, edit, or delete users, groups, roles, credentials, or access control policies.
|
|
IntegrationDeployers
|
Has complete access to all AquaLogic Service Bus resources, with the following exceptions:
Cannot create, edit, or delete users, groups, roles, credentials, or access control policies.
|
|
IntegrationMonitors
|
Has read access to all AquaLogic Service Bus resources.
|
|
IntegrationOperators
|
This group has the following privileges:
|
|
Administrators
|
Has complete access to all AquaLogic Service Bus objects and functions.
|
|
Deployers
|
Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.
|
|
Monitors
|
Has read access to all objects. Can export any resource, service, proxy service provider, or project.
|
|
Operators
|
Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.
|
Note: In this release, IntegrationAdministrators and IntegrationDeployers have the same privileges. This may change in future releases.
Roles
BEA AquaLogic Service Bus supports role-based authorization. Although the specific users that require access to the components that make up your AquaLogic Service Bus application may change depending upon the deployment environment, the roles that require access are typically more stable. Authorization involves granting an entity permissions and rights to perform certain actions on a resource.
In role-based authorization, security policies define the roles that are authorized to access the resource. In addition to the built-in roles that are associated with certain administrative and monitoring privileges, security policies that control access to the following resources can be configured from the AquaLogic Service Bus Console. Only a WebLogic Server administrator can edit security roles. To learn more about roles, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
This Global Roles page displays key information about each global security role that has been configured in this security realm.
There are four types of roles:
|
Type
|
Name
|
Description
|
|
IA
|
Integration Administrator
|
Has complete access to all AquaLogic Service Bus resources, with the following exceptions:
Cannot create, edit, or delete users, groups, roles, credentials, or access control policies.
|
|
I D
|
Integration Deployer
|
Has complete access to all AquaLogic Service Bus resources, with the following exceptions:
Cannot create, edit, or delete users, groups, roles, credentials, or access control policies.
|
|
I M
|
Integration Monitor
|
Has read access to all AquaLogic Service Bus resources.
|
|
IO
|
Integration Operator
|
This group has the following privileges:
|
Note: To learn more about roles, including role-based access in the AquaLogic Service Bus Console, see Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
Adding a User
The Create New User - General Configuration page enables you to add a new user. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To Add a User
- From the left navigation pane, select Security Configuration. The Summary of Users page is displayed.
- Click Add New. The Create a New User - General Configuration page is displayed.
- In the User Name field, enter a unique name. This is a required field.
- In the Password field, enter a password. The password must be at least 8 characters long. This is a required field.
- In the Confirm Password field, enter the same password you entered for the Password field. This is a required field.
- In the Authentication Provider field, select the authentication provider for this user.
- In the Group Membership field, select a group for this user:
- Select a group from the Available Groups field.
- Click the arrow to move the group into the Current Groups field.
Note: The group you select determines the level of access this user has in the AquaLogic Service Bus Console. To learn about types of groups and role-based access, see Groups.
- To create the user, click Save.
The Summary of Users page is displayed. The new user is included in the list.
- To disregard changes and return to the Summary of Users page, click Cancel.
Note: You cannot export users, groups, roles, credentials, certificates or access control policies when you export a configuration, as these objects are created through the WebLogic Server. You must create these objects again when you import the exported configuration, or where available use specific WebLogic Server tools to export and import them.
Related Topics
Listing and Locating Users
Viewing and Changing User Details
Deleting a User
Listing and Locating Users
The Summary of Users page enables you to view a list of users that have been created in the AquaLogic Service Bus Console. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To List and Locate Users
- From the left navigation pane, select Users from under Security Configuration. The Summary of Users page is displayed, which displays the following information for each user. For a more detailed description of the properties, see Viewing and Changing User Details.
|
Property
|
Description
|
|
User Name
|
The name assigned to the user. The name is a link to the View User Details page. To learn more, see Viewing and Changing User Details.
|
|
Group Membership
|
The name of the group to which this user belongs. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
|
|
Authentication Provider
|
The authentication provider for this user.
|
|
Options
|
Click the Delete icon to delete a specific user. To learn more, see Deleting a User.
|
- To locate a specific user, do one of the following:
- Filter by user name. Click Search, enter the search target, then click Search again. Wild cards can be used. The users matching the search criteria are displayed.
- Resort the list. Ascending and descending arrow buttons indicate sortable columns—in this case, the Group Name and Authentication Provider fields. Click the button to change the sort order.
- Scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
The Summary of Users page also enables you to do the following:
- To create a new user, click Add New. To learn more, see Adding a User.
Related Topics
Overview of Security Configuration
Viewing and Changing User Details
The View User Details page enables you to view and change details of a specific user. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To View and Change User Details
- Click the user name. The View User Details page displays the following information.
|
Property
|
Description
|
|
User Name
|
The name of this user
|
|
Authentication Provider
|
The authentication provider for this user.
|
|
Group Membership
|
The name of the group to which this user belongs.
|
- Click Back to return to the Summary of Users page or click Reconfigure to edit the user details. When you click Reconfigure, the Edit User Details page is displayed.
- Make the appropriate changes to the New Password, Confirm Password, and Group Membership fields. See Adding a User for a description of the fields.
Note: You cannot change the User Name field.
- To update the user, click Save Changes. The Summary of Users page is displayed.
- To disregard changes and return to the Summary of Users page, click Cancel.
Related Topics
Deleting a User
Deleting a User
The Summary of Users page enables you to delete a selected user or multiple users. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To Delete a User
- From the left navigation pane, select Security Configuration. The Summary of Users page is displayed.
- Select the user you want to delete. You can select multiple users if necessary.
- Click Delete. A message prompting you to confirm that you want to delete the user is displayed.
- To delete the user, click OK. The user is removed from the list.
- To disregard changes and return to the Summary of Users page, click Cancel.
Note: Alternatively, you can click the Delete icon in the Options column of the user you want to delete.
Related Topics
Adding a User
Listing and Locating Users
Viewing and Changing User Details
Adding a Group
The Create New Group page enables you to add a new group. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic User Guide.
To Add a Group
- From the left navigation pane, select Groups from under Security Configuration. The Summary of Groups page is displayed.
- In the Group Name field, enter a unique name. Note that you cannot enter spaces or special characters. This is a required field.
- In the Authentication Provider field, select the authentication provider.
- In the Group Membership field, select a group to which this group can belong:
- Select a group from the Available Groups field.
- Click the arrow to move the group into the Current Groups field.
Note: The group you select determines the level of access this user has in the AquaLogic Service Bus Console. To learn about types of groups and role-based access, see Groups.
- To create the group, click Save.
The Summary of Groups page is displayed. The new group is included in the list.
- To disregard changes and return to the Summary of Groups page, click Cancel.
Note: You cannot export users, groups, roles, credentials, certificates or access control policies when you export a configuration, as these objects are created through the WebLogic Server. You must create these objects again when you import the exported configuration, or where available use specific WebLogic Server tools to export and import them.
Related Topics
Listing and Locating Groups
Viewing and Changing Group Details
Deleting a Group
Listing and Locating Groups
The Summary of Groups page enables you to view a list of groups. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To List and Locate Groups
- From the left navigation pane, select Groups from under Security Configuration. The Summary of Groups page is displayed, which displays the following information for each group. For a more detailed description of the properties, see Viewing and Changing Group Details.
|
Property
|
Description
|
|
Group Name
|
The name of the group. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
|
|
Group Membership
|
The group to which this group belongs. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
|
|
Authentication Provider
|
The authentication provider for this group.
|
|
Delete
|
Click the Delete icon to delete a specific group. To learn more, see Deleting a Group.
|
- To locate a specific group, do one of the following:
- Filter by group name. Click Search, enter the search target, then click Search again. Wild cards can be used. The groups matching the search criteria are displayed.
- Resort the list. Ascending and descending arrow buttons indicate sortable columns—in this case, the Group Name and Authentication Provider fields. Click the button to change the sort order.
- Scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
The Summary of Groups page also enables you to do the following:
Related Topics
Overview of Security Configuration
Viewing and Changing Group Details
The View Group Details page enables you to view and change details of a specific group. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To View and Change Group Details
- Click the group name. The View Group Details page displays the following information:
|
Property
|
Description
|
|
Group Name
|
The name of this group
|
|
Authentication Provider
|
The authentication provider for this group
|
|
Groups
|
The group to which this group belongs
|
- Click Back to return to the Summary of Groups page or click Reconfigure to edit the group details. When you click Reconfigure, the Edit Group Details page is displayed.
- Make the appropriate changes to the Group Membership field. See Adding a Group for a description of the field.
Note: You cannot change the Group Name field.
- To update the group, click Save Changes. The Summary of Groups page is displayed.
- To disregard changes and return to the Summary of Groups page, click Cancel.
Related Topics
Deleting a Group
Deleting a Group
The Summary of Groups page enables you to delete a selected group or multiple groups. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To Delete a Group
- From the left navigation pane, select Security Configuration. The Summary of Groups page is displayed.
- Select the group you want to delete. You can select multiple groups if necessary.
- Click Delete. A message prompting you to confirm that you want to delete the group is displayed.
- To delete the group, click OK. The group is removed from the list.
- To disregard changes and return to the Summary of Groups page, click Cancel.
Note: Alternatively, you can click the Delete icon in the Options column of the group you want to delete.
Related Topics
Adding a Group
Listing and Locating Groups
Viewing and Changing Group Details
Adding a Role
The Create New Role page enables you to add a new role. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To Add a New Role
- From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed.
- In the Role Name field, enter a unique name. Note that you cannot enter spaces or special characters. This is a required field.
Note: Be sure that there are no spaces or < > characters in the security role name. Security role names are case sensitive. The BEA convention is that all security role names are singular.
- To create the role, click OK.
The Global Roles page is displayed. The new role is included in the list.
- To disregard changes and return to the Global Roles page, click Cancel.
When you click OK to create the role, the next step is to define the conditions under which the role applies. On the Global Roles page, click the name of the new global role.
The Global Role Conditions page is displayed.
- Under Role Conditions, click Add Condition.
The following prompt is displayed:
Choose the predicate you wish to use as your new condition
- Choose a predicate from the list box. Typically, you choose Group. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).
- Click Next. The next steps depend on what you chose for your condition predicate. Do one of the following:
|
Condition Predicate...
|
Complete These Steps...
|
|
If you selected Group, enter one or more arguments that define the group or groups that should hold this role
|
1. In the Group Argument Name field, enter an argument that defines the group.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Click Finish.
|
|
If you selected User, enter one or more arguments that define the user or users that should hold this role
|
1. In the User Argument Name field, enter an argument that defines the user.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Click Finish.
|
|
If you selected Server is in development mode, Allow access to everyone or Deny access to everyone
|
Click Finish.
|
|
If you selected a time-constrained predicate such as Access occurs between specified hours, select start and end times and a GMT offset
|
1. In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
2. In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
3. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
4. Click Finish.
|
|
If you selected Context element defined, enter a context element name
|
1. In the Context element name field, enter the name of the context element.
2. Click Finish.
|
|
If you selected Context element's value equals a numeric constant, Context element's value is greater than a numeric constant, or Context element's value is less than a numeric constant, enter a context element name and a numeric value to compare it against
|
1. In the Context element name field, enter the name of the context element the value of which is to be evaluated.
2. In the Numeric Value field, enter a numeric value.
3. Click Finish.
|
|
If you selected Context element's value equals a string value, enter a context element name and a string value to compare it against
|
1. In the Context element name field, enter the name of the context element the value of which is to be evaluated.
2. In the String Value field, enter the string value that you want to compare.
3. Click Finish.
|
|
If you selected a time-constrained predicate such as Access occurs before or Access occurs after
|
1. In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
2. Click Finish.
|
|
If you selected the time-constrained predicate Access occurs on specified days of the week, select the day of the week and a GMT offset
|
1. In the Day of week field, enter the day of the week.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Click Finish.
|
|
If you selected a time-constrained predicate such as Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
|
1. In the Day of the Month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Click Finish.
|
- If necessary, repeat steps 5-7 to add expressions based on different role conditions. You can do the following in the Role Conditions section to modify the expressions:
|
To...
|
Complete These Steps...
|
|
Change the ordering of the selected expression
|
Click Move Up and Move Down.
|
|
Merge or unmerge role conditions and switch the highlighted and and or statements between expressions.
|
Click Combine and Uncombine.
|
|
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
|
Click Negate.
|
|
Delete a selected expression
|
Click Remove.
|
- When all the expressions in the Role Conditions section are correct, click Save. To activate these changes, in the Change Center, click Activate.
Note: Some changes affect only particular servers. Not all changes take effect immediately—some require a restart.
Note: You cannot export users, groups, roles, credentials, certificates or access control policies when you export a configuration, as these objects are created through the WebLogic Server. You must create these objects again when you import the exported configuration, or where available use specific WebLogic Server tools to export and import them.
Related Topics
Listing and Locating Roles
Viewing and Changing Role Details
Deleting a Role
Listing and Locating Roles
The Global Roles page enables you to view a list of roles. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To List and Locate Roles
- From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed, which displays the following information for each role. For a more detailed description of the properties, see Viewing and Changing Role Details:
|
Property
|
Description
|
|
Role Name
|
The name of the role. The name is a link to the View Role Details page. To learn more, see Viewing and Changing Role Details.
|
|
Provider Name
|
The authentication provider for this group.
|
- To locate a specific role, scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
This page also enables you to do the following:
- To create a new role, click Add New. To learn more, see Adding a Role.
- To delete a selected role, click Delete. To learn more, see Deleting a Role.
Related Topics
Overview of Security Configuration
Viewing and Changing Role Details
The View Role Details page enables you to view and change details of a specific role. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To View and Change Role Details
- Click the role name. The View Role Details page enables you to view and change details of a specific role. It displays the following information:
|
Property
|
Description
|
|
Name
|
The name of the role.
|
|
Role Conditions
|
The conditions which determine membership in this role.
|
|
To...
|
Complete This Step...
|
|
Change the ordering of the selected expression
|
Click Move Up and Move Down.
|
|
Merge or unmerge role conditions and switch the highlighted and and or statements between expressions.
|
Click Combine and Uncombine.
|
|
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
|
Click Negate.
|
|
Delete a selected expression
|
Click Remove.
|
- Click Save. The Global Roles page is displayed.
Related Topics
Adding a Role
Listing and Locating Roles
Deleting a Role
Deleting a Role
The Global Roles page enables you to delete roles. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To Delete a Role
- From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed.
- Select the role you want to delete. You can select multiple roles if necessary.
- Click Delete. A message prompting you to confirm that you want to delete the role is displayed.
- To delete the role, click OK. The role is removed from the list.
- To disregard changes and return to the Global Roles page, click Cancel.
Related Topics
Adding a Role
Listing and Locating Roles
Viewing and Changing Role Details
Adding a Credential
The Create New Credential page allows you to add a new credential. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
Note: To access the Credentials or Access Controls page in the AquaLogic Service Bus Console, you must first activate the session. Credentials and access controls are created outside of sessions and associated with resources that are already activated. Activating a session deploys the resources you have configured to run time, making them available to credentials and access controls.
To Add a Credential
- From the left navigation pane, select Credentials from under Security Configuration. The View Summary of Credential Resources page is displayed.
- Click Add New. The Create a New Credential - General Configuration page is displayed.
- In the Select Resource Type field, select a resource type for which you want to create credentials. You can select one of the following resource types:
|
Resource Type...
|
Description...
|
|
Proxy Service Provider
|
Proxy service providers encapsulate all the PKI (Public Key Infrastructure) credentials used by one or more proxy services. Different PKI credentials (private-key/certificate pairs) for different purposes can be assigned to a proxy service provider. When a proxy is created, a proxy service provider can be specified. If the proxy needs PKI credentials, for example to open an HTTPS connection with client-certificate authentication, it gets the credentials from the proxy service provider. Multiple proxies can use the same proxy service provider.
The PKI credential mapper is a security provider and must be configured with the location of a keystore, (relative to the domain root), keystore password, keystore type (optional), and keystore provider (optional). This keystore can be the same as the server's identity keystore or a different one. If you define a proxy service provider, you must configure a PKI credential mapper in your security realm. By default the realm configuration does not have a PKI mapper. If you do not define a proxy service provider, you do not need to define a PKI mapper within the security realm. For more information, see Digital Certificates in Security Fundamentals in Understanding WebLogic Security.
To learn more about proxy service providers, see Overview of Proxy Service Providers.
|
|
Service Account
|
A service account is an alias resource for a username and password. AquaLogic Service Bus uses service accounts to provide authentication when connecting to a service or server.
To learn more about service accounts, see Overview of Service Accounts.
|
- Click Next. If you selected Proxy Service Provider, a list of available proxy service providers is displayed. If you selected Service Account, a list of available service accounts is displayed.
Note: You must have previously created the proxy service providers and service accounts in a session and activated that session to display these resources on this page.
- In the Select column, click Select for the specific resource you want to use.
- In the Purpose of this Credential field, select the purpose of the credential that you want to associate with the selected resource.
For proxy service providers, you can select one of the following purposes:
|
Available Purpose...
|
Description...
|
|
SSL Client Authentication
|
TLS/SSL (Secure Sockets Layer) provides secure connections by allowing two applications connecting over a network to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection.
This key-pair is used when a proxy is required to invoke a service that requires TLS/SSL client certificate authentication.
|
|
Digital Signature
|
This key-pair is used with Web service security when a proxy is required to sign one or more parts of a SOAP envelope. Digital signature provides message integrity.
|
|
Encryption
|
This key-pair is used with Web service security when a proxy is required to decrypt one or more parts of a SOAP envelope. Encryption provides message confidentiality.
|
|
Web Services Security X509 Token
|
This key-pair is used with web service security when a proxy is required to include an authentication token in the SOAP envelope.
|
- In the Credential Provider field, select the credential provider.
- In the Username field, select a valid user name.
- In the Key Password field, enter a password (minimum 8 characters).
- In the Confirm Key Password field, enter the same password you entered in the Key Password field.
- Click Next. A summary of the data you entered is displayed.
- Review the data you entered for this new credential.
- To create the credential, click Finish.
The View Summary of Credential Resources page is displayed. The new credential is included in the list.
- To disregard changes and return to the View Summary of Credential Resources page, click Cancel.
Note: You cannot export users, groups, roles, credentials, certificates or access control policies when you export a configuration, as these objects are created through the WebLogic Server. You must create these objects again when you import the exported configuration.
Related Topics
Listing and Locating Credentials
Viewing and Changing Credential Details
Deleting a Credential
Listing and Locating Credentials
The View Summary of Credential Resources page enables you to view a list of credentials. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To List and Locate Credentials
- From the home page, select Credentials from under Security Configuration. The View Summary of Credential Resources page is displayed, which displays the following information for each credential resource. For a more detailed description of the properties, see Viewing and Changing Credential Details:
|
Property
|
Description
|
|
Name of Resource
|
The resource name, which is a link to the resource details. Click the name to view and change details. To learn more, see Viewing and Changing Credential Details.
|
|
Resource Type
|
The resource type:
|
|
Credential Purpose
|
The purpose of the credential
|
|
Credential Provider Name
|
The name of the credential provider
|
|
Options
|
Click the Delete icon to delete a specific credential resource. To learn more, see Deleting a Credential.
|
- To locate a specific credential, do one of the following:
- Filter by credential name. Enter the search target, then click Search. The credentials matching the search criteria are displayed.
- Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
- Scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
From this page, you can also do the following:
Related Topics
Overview of Security Configuration
Viewing and Changing Credential Details
The View Credential Details page enables you to view and change details of a specific credential. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
Note: To access the Credentials or Access Controls page in the AquaLogic Service Bus Console, you must first activate the session. Credentials and access controls are created outside of sessions and associated with resources that are already activated. Activating a session deploys the resources you have configured to run time, making them available to credentials and access controls.
To View and Change Credential Details
- Click the name of the resource. The Create a New Credential - General Configuration page is displayed. The page displays the following information:
|
Property
|
Description
|
|
General Configuration
|
|
|
Resource Name
|
The resource name.
|
|
Resource Type
|
The resource type:
|
|
Purpose of this Credential
|
The purpose of the credential
|
|
Credential Configuration
|
|
|
Username
|
The user name associated with this credential.
|
- To change the details of this credential, click Edit.
- To return to the View Summary of Credential Resources page, click OK.
- Make the appropriate changes to the fields that are displayed. See Adding a Credential for a description of the fields.
- To update the credential, click Finish.
The View Summary of Credential Resources page is displayed. The new credential is included in the list.
- To return to the previous page, click Back.
- To disregard changes and return to the View Summary of Credential Resources page, click Cancel.
Related Topics
Adding a Credential
Listing and Locating Credentials
Deleting a Credential
Deleting a Credential
You can delete a selected credential or multiple credentials from the Summary of Credentials page. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
To Delete a Credential
- From the left navigation pane, select Credentials from under Security Configuration. The View Summary of Credential Resources page is displayed.
- Select the credential you want to delete. You can select multiple credentials if necessary.
- Click Delete. A message prompting you to confirm that you want to delete the role is displayed.
- To delete the role, click OK. The role is removed from the list.
- To disregard changes and return to the View Summary of Credential Resources page, click Cancel.
Note: Alternatively, you can click the Delete icon in the Options column of the credential you want to delete.
Related Topics
Adding a Credential
Listing and Locating Credentials
Viewing and Changing Credential Details
Listing and Locating Access Control Policies
The Access Control for Proxy Services page lists the defined access control policies. Only a WebLogic Server administrator can define access control policies. To learn more, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.
Note: To view the access control policies for a proxy service in the AquaLogic Service Bus Console, you must first activate the session. Access control policies are created outside of sessions and associated with resources that are already activated. Activating a session deploys the resources you have configured to run time, making them available to credentials and access controls.
To List and Locate Access Control Policies
From the left navigation pane, select Access Controls from under Security Configuration. The Access Control for Proxy Services page is displayed, which displays the following information for each access control policy:
|
Property
|
Description
|
|
Name
|
The name of the proxy service. The name is a link to the Proxy Service Details page. To learn more, see Viewing and Changing Proxy Services.
|
|
Transport Authorization Policy
|
The transport authorization policy. The policy is a link to the View Policy Details page. This only applies to HTTP or HTTPS proxy services. To learn more, see Editing Transport Authorization Policies.
|
|
Service Authorization Policy
|
The service authorization policy, if there is one. The policy is a link to the View Policy Details page. This policy is related to WS-Security. This only applies to SOAP proxy services that have Web service security policies in the WSDL. To learn more, see Editing Service Authorization Policies.
|
From this page, you can also do the following:
Note: The Policy Details page allows you to configure a new access control policy, edit an existing access control policy or delete an access control policy. For more information, see Security Policies in Securing WebLogic Resources and Manage Security Policies in the BEA WebLogic Server Administration Console Online Help.
Related Topics
Overview of Security Configuration
Editing Transport Authorization Policies
The Policy Details page enables you to edit the transport-level security policy of a proxy service that uses HTTP or HTTPS as its transport protocol. You access this page when you click View Policies in the Transport Authorization Policy column of a specific proxy service on the Access Control for Proxy Services page. The page displays the following information:
|
Property
|
Description
|
|
Proxy Service Name
|
Displays the name of the proxy service name for which you selected View Policies on the Access Control for Proxy Services page.
|
|
Providers
|
Displays the authorization providers that you can select from the Authorization Provider field. AquaLogic Service Bus supports both the WebLogic DefaultAuthorizer and the WebLogic XACML Authorization Provider.
|
|
Policy Conditions
|
Displays the conditions that determine the access control to the proxy service resources.
|
To Edit a Transport Authorization Policy
Note: You can edit the transport authorization policy for an existing proxy service either inside or outside a session. When you create a new proxy service in a session, the Access Controls for Proxy Services page will not display it until you have the activated the session.
- In the Authorization Provider field, accept the default WebLogic Authorization Provider that is displayed.
- Under Policy Conditions, click Add Condition.
The following prompt is displayed:
Choose the predicate you wish to use as your new condition
- Select a predicate from the dropdown list.
- Click Next. The next steps depend on what you chose for your condition predicate. Do one of the following:
|
Condition Predicate...
|
Complete These Steps...
|
|
If you selected Role, enter one or more arguments that define the group or groups that should hold this role
|
1. In the Role Argument Name field, enter an argument that defines the group.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Group, enter one or more arguments that define the group or groups that should hold this role
|
1. In the Group Argument Name field, enter an argument that defines the group.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected User, enter one or more arguments that define the user or users that should hold this role
|
1. In the User Argument Name field, enter an argument that defines the user.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected the time-constrained predicate Access occurs on specified days of the week, select the day of the week and a GMT offset
|
1. In the Day of week field, enter the day of the week.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected a time-constrained predicate such as Access occurs between specified hours, select start and end times and a GMT offset
|
1. In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
2. In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
3. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Context element's value is greater than a numeric constant, Context element's value equals a numeric constant, or Context element's value is less than a numeric constant, enter a context element name and a numeric value to compare it against
|
1. In the Context element name field, enter the name of the context element the value of which is to be evaluated.
2. In the Numeric Value field, enter a numeric value.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Deny access to everyone, Allow access to everyone or Server is in development mode
|
Click Finish.
Alternatively, you can click Cancel to discard the changes and return to the View Policy Details page.
|
|
If you selected a time-constrained predicate such as Access occurs before or Access occurs after
|
1. In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected a time-constrained predicate such as Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
|
1. In the The day of the month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Context element's value equals a string constant, enter a context element name and a string value to compare it against
|
1. In the Context element name field, enter the name of the context element the value of which is to be evaluated.
2. In the String Value field, enter the string value that you want to compare.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Context element defined, enter a context element name
|
1. In the Context element name field, enter the name of the context element.
2. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
- If necessary, repeat steps 3-5 to add expressions based on different policy conditions. You can do the following in the Policy Conditions section to modify the expressions:
|
To...
|
Complete These Steps...
|
|
Change the ordering of the selected expression
|
Select the checkbox associated with the condition, then click Move Up and Move Down.
|
|
Merge or unmerge policy conditions and switch the highlighted and and or statements between expressions.
|
Select the checkbox associated with the appropriate conditions, then click Combine and Uncombine.
|
|
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the policy.
|
Select the checkbox associated with the condition, then click Negate.
|
|
Delete a selected expression
|
Select the checkbox associated with the condition, then click Remove.
|
- When you have finished entering conditions in the Policy Conditions section, click Save.
Related Topics
Overview of Security Configuration
Editing Service Authorization Policies
The Policy Details page enables you to edit the service-level security policy of a proxy service. You access this page when you click View Policies in the Service Authorization Policy column of a specific proxy service on the Access Control for Proxy Services page. The page displays the following information:
|
Property
|
Description
|
|
Proxy Service Name
|
Displays the name of the proxy service name for which you selected View Policies on the Access Control for Proxy Services page.
|
|
Providers
|
Displays the authorization providers that you can select from the Authorization Provider field. AquaLogic Service Bus supports authorization using the default WebLogic Authorization Provider.
|
|
Policy Conditions
|
Displays the conditions that determine the access control to the proxy service resources.
|
To Edit a Service Authorization Policy
Note: You can edit the transport authorization policy for an existing proxy service either inside or outside a session. When you create a new proxy service in a session, the Access Controls for Proxy Services page will not display it until you have the activated the session.
- In the Authorization Provider field, accept the default WebLogic Authorization Provider that is displayed.
- Under Policy Conditions, click Add Condition.
The following prompt is displayed:
Choose the predicate you wish to use as your new condition
- Select a predicate from the dropdown list.
- Click Next. The next steps depend on what you chose for your condition predicate. Do one of the following:
|
Condition Predicate...
|
Complete These Steps...
|
|
If you selected Role, enter one or more arguments that define the group or groups that should hold this role
|
1. In the Role Argument Name field, enter an argument that defines the group.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Group, enter one or more arguments that define the group or groups that should hold this role
|
1. In the Group Argument Name field, enter an argument that defines the group.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected User, enter one or more arguments that define the user or users that should hold this role
|
1. In the User Argument Name field, enter an argument that defines the user.
2. Click Add.
3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected the time-constrained predicate Access occurs on specified days of the week, select the day of the week and a GMT offset
|
1. In the Day of week field, enter the day of the week.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected a time-constrained predicate such as Access occurs between specified hours, select start and end times and a GMT offset
|
1. In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
2. In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
3. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
4. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Context element's value is greater than a numeric constant, Context element's value equals a numeric constant, or Context element's value is less than a numeric constant, enter a context element name and a numeric value to compare it against
|
1. In the Context element name field, enter the name of the context element the value of which is to be evaluated.
2. In the Numeric Value field, enter a numeric value.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Deny access to everyone, Allow access to everyone or Server is in development mode
|
Click Finish.
Alternatively, you can click Cancel to discard the changes and return to the View Policy Details page.
|
|
If you selected a time-constrained predicate such as Access occurs before or Access occurs after
|
1. In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected a time-constrained predicate such as Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
|
1. In the The day of the month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Context element's value equals a string constant, enter a context element name and a string value to compare it against
|
1. In the Context element name field, enter the name of the context element the value of which is to be evaluated.
2. In the String Value field, enter the string value that you want to compare.
3. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
|
If you selected Context element defined, enter a context element name
|
1. In the Context element name field, enter the name of the context element.
2. Do one of the following:
To save the arguments and return to the predicate list,
click Finish.
To discard the changes and return to the predicate list,
click Back.
To discard the changes and return to the View Policy
Details page, click Cancel.
|
- If necessary, repeat steps 3-5 to add expressions based on different policy conditions. You can do the following in the Policy Conditions section to modify the expressions:
|
To...
|
Complete These Steps...
|
|
Change the ordering of the selected expression
|
Select the checkbox associated with the condition, then click Move Up and Move Down.
|
|
Merge or unmerge policy conditions and switch the highlighted and and or statements between expressions.
|
Select the checkbox associated with the appropriate conditions, then click Combine and Uncombine.
|
|
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the policy.
|
Select the checkbox associated with the condition, then click Negate.
|
|
Delete a selected expression
|
Select the checkbox associated with the condition, then click Remove.
|
- When you have finished entering conditions in the Policy Conditions section, click Save.
Related Topics
Overview of Security Configuration
