Layer 7 Policy Manager

* Layer 7 Gateway is a policy-optimized and ASIC-accelerated (Application Specific Integrated Circuit) XML Firewall and Web Services gateway that
– protects and controls how shared web services are accessed by and exposed to external applications.
* Layer 7 Gateway comes in three form factors:
– Virtual applicance. See this post on how to install Layer 7 virtual appliance.
– ASIC-accelerated DMZ appliance. ASIC stands for application specific integrated circuit.
– 64-bit ASIC-accelerated appliance for EAI or ESB.

* Is a cross-domain enablement product designed to speed and secure web services integrations spanning identity and security domains.
* Available in three form factors:
– Class lib
– Executable
– Integrated inside a Gateway for drop-in partner connectivity and web services federation

* GUI based application (either standalone or browser based) that allows administrators to centrally define, provision, verify, and audit fine-grained security and connectivity policies for cross-domain web services and XML integrations.
* Available as software for:
– Windows
– RHEL
– Solaris
– SOAP API

* Web: https://layer7:8443/ssg/webadmin/
* Standalone GUI

* Login

* Home page

* Cluster-Wide properties are accessed with notation: ${gateway.clusterProperty}

* Add a new password:

* Edit a password:

* When Permit use via context variable reference is checked, the password can be referenced by ${secpass.*} context variables.

* By default, passwords are cached for
– 60 seconds if authenticated
– 30 seconds if not authenticated
* 15 seconds are needed for password changes to propagate through the cluster nodes.

* Force Administrative Passwords Reset

* Interfaces can be monitored by a listen port
* Interfaces can be configured to listen on one or more IP addresses

* Allow the Gateway to query external databases and then use the query results during policy consuption.
* Menu: Task > Manage JDBC Connection

TODO

* Used to periodically poll an email server for SOAP messages to process.
* Supported email server types:
– POP3
– IMAP4/IMAP4rev1
* Supports SSL encryption
– can use internal trust store for trusting email server certs
* Menu: Task > Manage Email Listeners
* Create a new mail listener:

* Menu: Task > Manage Roles

* Add user to role:

* Remove user from role:

* Menu: Task > Manage Log/Audit Sinks
* Mange log sink:

* Mange audit sink:

* Used to configure options to be used by the Gateway for outbound(?) HTTP(S) connections:
– login credentials for an HTTPS host
– define a proxy for the host
– specify a private key to be used for authentication
* Also used to edit the default HTTP proxy settings
* Menu: Task > Manage HTTP Options
* Add an HTTP option:

* Set default HTTP proxy:

* Menu: Task > Manage Service Resolution

* Menu: Task > Additional Actions > Manage SFTP Polling Listeners
* Connection setting:

* Message Processing setting:

The Layer 7 Gateway supports SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) messages, both inbound and outbound. This allows the Gateway to work with backend services which rely on these protocols. These messages are secured using the SSH2 protocol (SSH1 is not supported).
* Using Inbound SSH:
– configure an internal SSH server running on a Gateway listen port. This is done by creating a new listen port using the SSH2 protocol.
– The SSH listener supports inbound SCP upload and inbound SFTP PUT commands to the Gateway.
– This listener automatically opens and closes the SSH port on start and stop.
– Can use both password authentication or pki authentication.
* Using Outbound SSH:
– outbound SCP upload and download with an external SCP server
– outbound SFTP “PUT” and “GET” with an external SFTP server

* Web services from existing WSDL:
– use Publish SOAP Web Service Wizard
– Default Gateway URI:
http://layer7:8080/ssg/soap
https://layer7:8443/ssg/soap
* Web services require the generation of a new WSDK:
– use Create WSDL Wizard
* Non-SOAP applications:
– use Publish REST, Web API, or Other Service Wizard

* Accessed by right clicking and select Service Properties.
* General properties:
– Rename service display name
– Disable/enable service
– Enable WS-Security processing
– Enable policy debug tracing

* HTTP/FTP properties:
– Change resolution path
– Check resolution conflicts
– Change HTTP methods

* WSDL properties:
– Reset WSDL
– Edit WSDL
– Change SOAP version
– Allow requests intended for operations not supported by the WSDL

* UDDI properties

* expose Gateway Management API

* requires WSDL
* uses various tokens, e.g. Create SAML Token, Create Security Context Token

* Notifies client about changes in UDDI registry: Handle UDDI Subscription Notification assertion

* Allows client to request metrics data for a given managed resource.
* Has one method:
– GetMultipleResourceProperties

* Allows client to subscribe to receive notifications about changes in a resource
* Has three methods:
– Subscribe
– Renew
– Unsubscribe

* Include resource id within the URL:
http://:8080/wsdm/qosmetrics?serviceoid=12345
* Include service id as part of the SOAP message:

<ResourceId>http://ssghost:8080/service/hello</ResourceId>

* Include resource URI within the URL of the query string:
http://:8080/wsdm/qosmetrics?serviceuri=/myuris/service1uri

* STS issues following tokens:
– SAML tokens using Create SAML Token assertion
– Security Context tokens using Create Security Context Token assertion
* Issued tokens can be returned in a Request Security Token Response (RSTR) using Build RSTP SOAP Response assertion
* Security Context tokens can be cancelled using the Cancel Security Context assertion
* Publish STS:

* Default STS policy:

* Sample Messages

* Click Home > Publish SOAP Web Service
– Or click Tasks > Publish SOAP Web Service

* Enter WSDL location, e.g., http://openidmbox:8080/cxf-jaxws-one-1.0-SNAPSHOT/HelloWorld?wsdl and click Next:

* Select Custom resolution path and enter value /HelloWorld

* Click Finish to accept all defaults.
* Service should show up in the Service panel:

* New WSDL can now be accessed from Layer7 with URL: https://layer7:8443/HelloWorld?wsdl

* Add a new user named l7test with password Welcome1!

* Add a new group named Accounting

* Query internal identity provider:

* Double click the service, e.g. HelloWorldImplService, to open the service policy panel:

* Authenticate against any user from IIP:
– Drag and drop Assertions > Access Control > Authenticate Against Identity Provider to policy panel

* Authenticate against a specific user or group from IIP:
– Drag and drop Assertions > Access Control > Authenticate User or Group to policy panel

* Authenticate against multiple users or groups from IIP:
– Drag and drop additional Assertions > Access Control > Authenticate User or Group to policy panel

* Create a service account on AD with user name svc.l7 and password Welcome1!

* Right click Identity Provider and then select Create LDAP Identity Provider

* Select Provider Type: MicrosoftActiveDirectory and enter login info:

* Click Test button to validate connection.

* Accept default Group Object Classes screen and click Next

* Accept default User Object Classes screen and click Next

* Accept default Advanced Configuration screen and click Next

* Accept default Certificate Settings screen and click Next

* Click Finish

* Double click service to open policy panel.
* Drag and drop Assertions > Transport Layer Security (TLS) > Require SSL or TLS Transport into policy panel.
* Click Save and Activate.

* From SoapUI, check that request to http://layer7:8080/HelloWorld endpoint is not longer working.

* From SoapUI, check that request to https://layer7:8443/HelloWorld endpoint is still working.

* Double click service to open policy panel.
* Drag and drop Assertions > Access Control > Require HTTP Basic Credentials into policy panel and immediately under Require SSL or TLS Transport.
* Drag and drop Assertions > Access Control > Authenticate User or Group into policy panel and immediately under Require HTTP Basic Credentials.
* Select ad.mytest.local > Service Layer7

* Right click Authenticate User: svc.l7 from [ad.mytest.local] and select Target Message. Select Request and click OK button.

* Click Save and Activate.

* From SoapUI, check that request to https://layer7:8443/HelloWorld endpoint now requires authentication.

* Add to SoapUI request:
– Authorisation Type: Preemptive
– Username: svc.l7
– Password: Welcome1!

* Check that request is successful with correct username and password.

* Constraint assertions:
– Require SSL
– Require credentials
– Require signatures/encryption
* Action assertions
– Authenticate credentials
– Transforming messages
– Turn on auditing
– Routing messages

* Add an assertion: drag and drop or click add policy button (]>[)
* Rearrange an assertion: drag and drop or click up and down arrows
* Disable an assertion: click red X inside a circle button
* Delete an assertion: click the black X button
* Expand assertion: click the expand button (up arrow on top of bottom arrow)
* Copy and paste an assertion: Ctr-C/Ctr-V
* Open configurable properties: double click an assertion or right click and select … Properties
* Add ‘All…’ Folder: right click and select it
* Add ‘At least one…’ Folder: right click an select it

* Layer 7 Policy Manager User Manual Version 6.2