Layer 7 Policy Authoring: Working with Service Policies

Posted on March 23, 2014 by Jianming Li

Contents

  1. Overview
  2. Global Policies
  3. Internal Use Policies
  4. Policy Structure
  5. Special Assertions
  6. Hints and Tips
  7. Policy Revisions
  8. Policy Properties
  9. Services and Policies Folders
  10. Service/Policy Aliases
  11. Multiple Signatures
  12. CRUD Policies
  13. Comments
  14. Export/Import a Policy
      1. Export
  15. Debugging a Policy
      1. Policy Debug Tracing
      2. Context Variables in Debug Trace Policy
  16. Managing Global Resources
  17. Manage UDDI Registries
  18. References
 

Overview

* Policy types:
– Service policies
– Global policies
– Policy fragments
– Internal use policies

Global Policies

* Always applied before or after every service policy
* Ensure consistency and reduce error
* Permissions
– Create/Delete: Administrator
– Edit: Administrator, Manage Web Service
– Read: Administrator, Manage Web Service, Operators
* Types of global policies:
– message-received
– pre-security
– pre-servcie
– post-service
– post-security
– message-completed
* How global policies are evaluated
– only one policy of each type is permitted
– in the order shown previously
– not all global policies will be evaluated in all cases
* How a global policy relates to the service policy
– A global policy shares the following with a service policy:
— request/response messages
— message context mappings
— audit/fault settings
— authentication details
— built-in context variables (all other variables local to the policy being run)
– Details in SOAP faults will not include details for global policies
– audit sink policy (if configured) will run after service policy and all global policies are completed
– policy fragments can be included in a global policy
* Supported assertions
– Apply Rate Limit Assertion on page
– Add Audit Detail Assertion on page
– Add Comment to Policy Assertion on page
– All Assertions Must Evaluate to True Assertion on page
– At Least One Assertion Must Evaluate to True Assertion on page
– Audit Messages in Policy Assertion on page
– Capture Identity of Requestor Assertion on page
– Compare Expression Assertion on page
– Continue Processing Assertion on page
– Customize Error Response Assertion on page
– Customize SOAP Fault Response Assertion on page
– Include Policy Fragment Assertion on page
– Limit Availability to Time/Days Assertion on page
– Limit Message Size Assertion on page
– Restrict Access to IP Address Range Assertion on page
– Send Email Alert Assertion on page
– Send SNMP Trap Assertion on page
– Set Context Variable Assertion on page
– Stop Processing Assertion on page
* Limitations of global policies: global policies will not be processed when:
– when the Gateway generates a policy for the SecureSpan XML VPN Client.
– when the Gateway generates the WS-SecurityPolicy document attached to a service WSDL.
– if policy debug tracing is enabled for a service.
– when the service policy is exported.
– in policy migrations.

Internal Use Policies

* wsdm-notifications policy:
– wsdm: web services distributed management
– evaluation for each WSDM notification message (added via WSDM Subscription Service internal service)
– adds a A Route via HTTP(S) assertion that routes to ${esmNotificationUrl}, which refers to the value of the “” tag of the Subscribe method in EsmSubscriptionManagementServiceBinding.
* Audit Message Filter (AMF) policy:
– removes sensitive data from messages
– protect data prior to auditing
– intended to be used in conjunction with the Audit Viewer policy
– message is audited under the following conditions:
1. The policy contains the Audit Messages in Policy assertion, configured with a sufficiently high level.
2. An assertion fails, causing the target message to be audited. (This assumes the audit.hinting cluster property is set to its default value of “true”.)
– Keep in mind:
— only one AMF policy can be created per Gateway cluster
— this policy cannot access context variables created by any other service policy of global policy
— the output of AMF policy must be text/xml for it to work with AV policy
* Audit Viewer
– used to reverse the actions of AMF policy
– can restrict data viewing to individual users
— uses a special “audit viewer” private key to enforce this restricted access
– only one AV policy can be created per Gateway cluster
— this policy cannot access context variables created by any other service policy of global policy
– audit message or detail to be processed must be in XML format (Content-Type text/xml)
– don’t use Run All Assertions Concurrently assertion in AV policy
– default AV policy

layer7_policy_authoring_AVPolicy_default

Policy Structure

* Service request arrives
* Request is run through WS-Sec processor
– encrypted sections are decrypted and WS-Sec verified
– default security header can be optionally removed before routing
* Request is run through the policy assertions
– routing assertion sends a request to the service provider
– remainder of policy assertions are applied to the service response
* Response is run through the WS-Sec decorator
– default security header is created
– signatures specified by policy are applied
– encryption specified by the policy is performed
* Response is sent back to the client

Special Assertions

* At least one assertion must evaluate to true
* All assertions must evaluate to true

Hints and Tips

* Use Continue Processing assertion to prevent failure of a policy due to the failure of a non-essential assertion
* Some policy assertions work together and require the presence of each other to succeed:
– Require HTTP Basic Credentials
– Authenticate user or Group

layer7_policy_authoring_policyTogetherExample

* To add more than one user or group in a policy, you should place each individual Authenticate User or Group assertion in a separate “At least one assertion” or “All assertions” folder with an authentication assertion (and other assertions, as required).

layer7_policy_authoring_multipleAuthenticatedUses

* Put a Stop Processing assertion after any assertion whose sole purpose is to report on a prior error, for example:
– Audit Messages in Policy
– Send Email Alert
– Send SNMP Trap
– Return Template Response to Requestor.
Reason: These assertions always succeed, even though the intent is to halt the policy and send an HTTP challenge.
* Routing assertion usually should be placed last except:
* Assertions that operate on response should be placed after routing application
– Add Security Token (with target set to ‘Response’)
– Add Timestamp (with target set to ‘Response’)
– Encrypt Element (with target set to ‘Response’)
– Evaluate Response XPath
– Sign Element (with target set to ‘Response’)
– Validate XML Schema Apply XSL Transformation
* Assertions where you can specify the target message to be acted upon will be prefixed with
– “Request:”
– “Response:”
– or “${VARIABLE_NAME}” in the policy window.
For example:
– Request: Authenticate against XYZ
– or Response: Add signed Timestamp.
* Use Policy Validation Messages window to debug
* Use Copy and Paste options on the Edit menu to organize the policy
* Disable assertion instead of deleting
* Disable all assertions in a “All assertions…” folder –> folder succeeds
– Disable all assertions in a “At least one…” folder –> folder fails

Policy Revisions

* Default to 20 revisions
* A new revision is created each time the policy is saved, even if no changes have been made.
* Change with policyVersioning.maxRevisions cluster property
* Versions containing a comment are protected from being overwritten.
* Versions without a comment will be automatically overwritten when the revision limit is reached.
* To view revisions, right click service name and select Revision History

Policy Properties

* Tasks > Create Policy

layer7_policy_authoring_policyProperties

Services and Policies Folders

* To create new folder: right click root or folder and select Create New Folder

layer7_policy_authoring_createNewFolder
layer7_policy_authoring_createNewFolder_2
layer7_policy_authoring_createNewFolder_3

* Also creates folder roles:

layer7_policy_authoring_newFolderRoles

* Rename, Delete folder:

layer7_policy_authoring_updateFolder

Service/Policy Aliases

* Overview:
– Folder cannot have aliases
– an entity may have multiple aliases
– deleting an original removes all its aliases
– deleting an alias does not affect original or other aliases
– access to alias = folder access + original access
* Create an alias:
– right click a service/policy and select Copy as Alias
– right click a destination folder and select Paste as Alias

Multiple Signatures

* To allow multiple signatures:
– select the [Allow multiple signatures] check box in the Require WS-Security Signature Credentials Assertion
– set the cluster property wss.processor.allowMultipleTimestampSignatures to “true“.

CRUD Policies

* Create policy: Tasks > Create Policy
* Disable policy: right click policy > select Revision History > click Clear Active

layer7_policy_authoring_disablePolicy
layer7_policy_authoring_disablePolicy_2

* Enable policy: right click policy > select Revision History > select revision > click Set Active

layer7_policy_authoring_enablePolicy

* Validate policy

Comments

* Add comment:
– Drag and drop Add Comment to Policy assertion

layer7_policy_authoring_commentAssertion
layer7_policy_authoring_commentAssertion_2

– Right click assertion and select Add Comment

layer7_policy_authoring_addComment_1
layer7_policy_authoring_addComment_2

Export/Import a Policy

Export

* Portable policy XML file exported includes:
– identity providers belonging to the users and groups in the policy
– JMS routing endpoints or destinations, if included in the policy
– any custom assertion, if present in the policy
* To export:

layer7_policy_authoring_expPolicy_1
layer7_policy_authoring_expPolicy_2
layer7_policy_authoring_expPolicy_3

* To import:
– open target service

layer7_policy_authoring_impPolicy_1

– drag and drop from Policy Templates > HelloWorldSvc_expPolicy.xml into target service policy

layer7_policy_authoring_impPolicy_2

– OR click Import Policy and select HelloWorldSvc_expPolicy.xml
– Edit routing assertion

layer7_policy_authoring_impPolicy_3

– validate
– save and activate

Debugging a Policy

Policy Debug Tracing

* For both SOAP and non-SOAP services
* Executes after each assertion has completed
* Captures the following and more:
– service OID
– service ordinal
– policy OID
– policy ordinal
– assertion status
* Best practice: configure an audit sink to be run in addition to a debug trace policy
* To enable:

layer7_policy_authoring_debugTracing_1
layer7_policy_authoring_debugTracing_2
layer7_policy_authoring_debugTracing_3

* Internal Debug Trace Policy:

layer7_policy_authoring_debugTracing_4

– shared by all published services that have tracing enabled
– more complex example:

layer7_policy_authoring_debugTracing_5

* Save trace information to a file
– open Tasks > Manage Log/Audit Sinks and create a new log sink:

– open Tasks > Manage Cluster-wide Properties and set:
com.l7tech.server.trace.TracePolicyEvaluator.level = FINER
– Configure your trace policy to accumulate any desired trace information in the context variable ${trace.out}. For example, the policy sample under “More Complex Example” above is a good example
– When service consumption is complete, you can find the trace log file in this directory:
/opt/SecureSpan/Gateway/node/default/var/logs

Context Variables in Debug Trace Policy

* Only exists when
– used in a debug trace policy
– or within a policy fragment that is included in a debug trace policy

Managing Global Resources

* e.g. XML schema or DTD
* A global resource can be referenced by an import statement in
– ore or more Validate XML Schema assertions in a policy
– or from another global resource
* The referenced schema, or global schema, must exist in the Manage Global Resources table—and hence in the Gateway—in order for validation to proceed
* Schema dependencies (i.e., import targets) do not need to be in the Manage Global Resources table when monitoring a URL for a schema to validate (“Monitor URL for latest value” option in the Validate XML Schema assertion).
* Default global resources
– SOAP 1.1 and 1.2 XML Schemas:
http://schemas.xmlsoap.org/soap/envelope/ (SOAP 1.1)
http://www.w3.org/2003/05/soap-envelope/ (SOAP 1.2)
http://www.w3.org/2001/xml.xsd (XML namespace)
– DTDs:
http://www.w3.org/2001/XMLSchema.dtd (XML Schema)
http://www.w3.org/2001/datatypes.dtd (XML Schema Datatypes)

layer7_policy_authoring_defaulGlobalResources

* To manage, click: Tasks > Manage Global Resources

layer7_policy_authoring_globalResources_actions

* Import a global resource

layer7_policy_authoring_globalResources_import_1
layer7_policy_authoring_globalResources_import_2
layer7_policy_authoring_globalResources_import_3
layer7_policy_authoring_globalResources_import_4

* Edit a global resource

layer7_policy_authoring_globalResources_import_5
layer7_policy_authoring_globalResources_import_6

* Add XML Schema

layer7_policy_authoring_globalResources_addSchema_1
layer7_policy_authoring_globalResources_addSchema_2

* Remove a global resource
* Analyze a global resource

Manage UDDI Registries

References

* Layer 7 Policy Authoring User Manual Version 6.2

This entry was posted in layer7 and tagged , . Bookmark the permalink.

One Response to Layer 7 Policy Authoring: Working with Service Policies

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.