14 Monitoring and Managing Security Policies

Fusion Middleware Control lets you monitor and manage policies attached to your Service Bus services, including their usage and violation metrics. You can also attach policy sets globally, define policy overrides, and attach and detach policies from your services.

This chapter includes the following topics:

14.1 Introduction to Security Policies

Security policies provide a framework to manage and secure web services consistently across your organization. In Service Bus, you attach policies to proxy and business services.

You can manage policies for individual services in your Service Bus projects in JDeveloper, the Oracle Service Bus Console and in Fusion Middleware Control. Both consoles support runtime configuration. Using Fusion Middleware Control, you can also attach policies globally by creating policy sets.

This chapter describes monitoring and managing policies in Fusion Middleware Control. For information about working with policies in Oracle Service Bus Console and Oracle JDeveloper, see "Securing Business and Proxy Services" in Developing Services with Oracle Service Bus.

14.2 Configuring Global Policies

You can assign policies to multiple services in a Service Bus project using policy sets in Fusion Middleware Control. These are called global policies.

When you create a global policy set, the policies in the set are automatically attached to the proxy or business services that match the configuration of the policy set. In order for the matching services to use the policies in a global policy set, the services must be configured to use OWSM policies.

The policy set configuration defines the policy subject and any of the following for the service to which you want the policy attached: domain name, application name, and resource path (in the form project_name/folder/subfolder. You can attach policies to the following Service Bus services:

  • JCA Business Service

  • JCA Proxy Service

  • RESTful Business Service

  • RESTful Proxy Service

  • SOAP Business Service

  • SOAP Proxy Service

For information about global policy attachments and policy sets, see "Global Policy Attachments Using Policy Sets" in Understanding Oracle Web Services Manager. For information about the policy subjects to select for each of these, see "Understanding Policy Subjects" in Understanding Oracle Web Services Manager.

14.2.1 How to Create a Global Policy Set

To create a policy set, follow the instructions in Creating a Policy Set Using Fusion Middleware Control in Securing Web Services and Managing Policies with Oracle Web Services Manager.

14.2.2 How to Enable a Service for Global Policies

In addition to being able to enable and disable global policy sets in Fusion Middleware Control, you can also configure business and proxy services to use or not use policies. In order to use global policies, a business or proxy service must be enabled to use policies from the OWSM policy store. You configure this in either JDeveloper or the Oracle Service Bus Console. For more information, see How to attach Oracle Web Services Manager Policies in JDeveloper and How to attach Oracle Web Services Manager Policies in the Console in Developing Services with Oracle Service Bus.

To enable a service for global policies:

  1. In the Application Navigator or the Project Navigator, locate the business or proxy service for which you want to enable global policies.
  2. Right-click the service and select Open.

    The Business or Proxy Service Definition Editor appears.

  3. Do one of the following:
    • In JDeveloper, click the Policies tab.

    • In the Oracle Service Bus Console, click the Policies tab.

  4. On the Policies page, select From OWSM Policy Store in the list of available policy binding models.

    You do not need to select any policies to attach, but you can attach individual policies if needed.

  5. When you are done configuring policies, click Save.
  6. To activate the changes in the runtime, click Activate.

14.2.3 How to Disable a Service for Global Policies

If a business or proxy service has policies enabled and matches the configuration of a global policy set, the policies in that set are automatically applied to the service. You can prevent this by disabling policies in the service, but this means that policies cannot be individually attached either. You configure this in either JDeveloper or the Oracle Service Bus Console. For more information, see How to attach Oracle Web Services Manager Policies in JDeveloper and How to attach Oracle Web Services Manager Policies in the Console in Developing Services with Oracle Service Bus.

To disable a service for global policies:

  1. In the Application Navigator or the Project Navigator, locate the business or proxy service for which you want to diable global policies.
  2. Right-click the service and select Open.

    The Business or Proxy Service Definition Editor appears.

  3. Do one of the following:
    • In JDeveloper, click the Policies tab.

    • In the Oracle Service Bus Console, click the Policies tab.

  4. On the Policies page, select No Policies in the list of available policy binding models.
  5. When you are done configuring policies, click Save.
  6. To activate the changes in the runtime, click Activate.

14.3 Monitoring Security Policies

Fusion Middleware Control lets you monitor the policies being used by the services in your domain by providing a view of the policies used by each proxy or business service.

You can also view any policy violations that have occurred, and you can view and analyze usage for each policy.

14.3.1 Viewing the Policies Attached to a Service

The Policies page of a business or proxy service displays all the policies that are globally and directly attached to a service. You can access the Policies page for a service in a variety of ways. These steps describe accessing it from the project's Service Health page.

To view the policies attached to a service:

  1. In Fusion Middleware Control, expand SOA > service-bus.
  2. Click the name of the project containing the service you want to view.

    The project's Service Health page appears.

  3. In the Services table, click the name of the service whose policies you want to view.

    The Dashboard for the selected service appears.

  4. Click the Policies tab.

    The Policies page lists both globally and directly attached policies.

    Figure 14-1 Proxy Service Policies Page

    Description of Figure 14-1 follows
    Description of "Figure 14-1 Proxy Service Policies Page"
  5. To only view effective policies in the Directly Attached Policies table, click Effective Only above the table.

    For more information about effective policies, see How the Effective Set of Policies is Calculated in Securing Web Services and Managing Policies with Oracle Web Services Manager.

14.3.2 Monitoring Policy Usage

Before making any changes to the policies used by your services, Oracle recommends you do a usage analysis to see which subjects are using a particular policy. Policy usage information is only available with a database-based OWSM repository and only for enabled services. The WSM Policies page displays the number of subjects to which a policy is attached. You can then view a list of the policy subjects of the selected type to which the policy is attached.

To monitor policy usage:

  1. In the upper portion of Fusion Middleware Control, click the WebLogic Domain menu, point to Web Services, and then select WSM Policies.

    The WSM Policies page appears.

  2. To filter the list of policies, enter a name or category, or select a saved search. Click Search.
  3. Click the number in the Attachment column for the selected policy to display the Usage Analysis page.
  4. To view policy subjects in only the local domain, select Local Domain in the View Option field. To view policy subjects for all domains, select Enterprise.
  5. To view the other policy subjects to which the policy is attached, select the subject type from the Subject Type menu.

    The Subject Type menu provides an attachment count for each subject type to which the policy is attached.

14.3.3 Viewing Policy Violations

The list of policies on a service's Policies tab includes the number of policy violations for policies with faults.

To monitor policy violations:

  1. Access the Policies page for the service you want to configure, as described in Viewing the Policies Attached to a Service.
  2. In the Directly Attached Policies table, look in the Total Violations column to locate policies that have faults.
  3. Click the number in the Violations column to view more information about the faults.

14.4 Managing Security Policies

In Fusion Middleware Control, you can manage security policies by attaching and detaching policies, overriding policy properties, and creating global policies.

For information about global policies, see Configuring Global Policies.

14.4.1 Attaching Security Policies Directly to a Service

To attach security policies to a service:

  1. Access the Policies page for the service you want to configure, as described in Viewing the Policies Attached to a Service.
  2. Above the Directly Attached Policies table, click Attach/Detach.

    The Attach/Detach Policies window appears.

    Figure 14-2 Attach/Detach Policies Window

    Description of Figure 14-2 follows
    Description of "Figure 14-2 Attach/Detach Policies Window"
  3. In the Available list, select a policy to attach, and then click Attach.
  4. Repeat the above step for each policy to attach.
  5. Click Validate to verify the configuration.
  6. Click OK to close the Attach/Detach Policies window.

    The new policies appear in the Directly Attached Policies table.

14.4.2 Detaching Policies from a Service

To detach policies from a service:

  1. Access the Policies page for the service you want to configure, as described in Viewing the Policies Attached to a Service.
  2. Above the Directly Attached Policies table, click Attach/Detach.

    The Attach/Detach Policies window appears.

  3. In the Directly Attached Policies list, select a policy to detach, and then click Detach.
  4. Repeat the above step for each policy to detach.
  5. Click Validate to verify the configuration.
  6. Click OK to close the Attach/Detach Policies window.

    The policies are removed from the Directly Attached Policies table.

14.4.3 Overriding Security Policies

You can override the configuration for a policy that is directly attached to a service. This lets you update the configuration on a per service or client basis without creating new policies for each. In this way, you can create policies that define default configuration values and customize those values based on your runtime requirements. You can define overrides in the proxy or business service configuration, as described in "Securing Business and Proxy Services" in Developing Services with Oracle Service Bus.

To override security policies in Fusion Middleware Control:

  1. Locate the policies you want to override, as described in Viewing the Policies Attached to a Service.
  2. In the Directly Attached Policy table, select the policy for which you want to define an override, and click Override Policy Configuration.

    The Security Configuration Details dialog appears, and lists the properties whose values can be overridden.

  3. In the Value column, enter the override value for each property, and then click Apply.