{"id":9632,"date":"2014-03-23T20:44:49","date_gmt":"2014-03-24T01:44:49","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=9632"},"modified":"2014-03-23T20:44:49","modified_gmt":"2014-03-24T01:44:49","slug":"layer-7-policy-authoring-working-with-service-policies","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=9632","title":{"rendered":"Layer 7 Policy Authoring: Working with Service Policies"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tOverview<\/a>\n\t<\/li>\n\t
  2. \n\t\tGlobal Policies<\/a>\n\t<\/li>\n\t
  3. \n\t\tInternal Use Policies<\/a>\n\t<\/li>\n\t
  4. \n\t\tPolicy Structure<\/a>\n\t<\/li>\n\t
  5. \n\t\tSpecial Assertions<\/a>\n\t<\/li>\n\t
  6. \n\t\tHints and Tips<\/a>\n\t<\/li>\n\t
  7. \n\t\tPolicy Revisions<\/a>\n\t<\/li>\n\t
  8. \n\t\tPolicy Properties<\/a>\n\t<\/li>\n\t
  9. \n\t\tServices and Policies Folders<\/a>\n\t<\/li>\n\t
  10. \n\t\tService\/Policy Aliases<\/a>\n\t<\/li>\n\t
  11. \n\t\tMultiple Signatures<\/a>\n\t<\/li>\n\t
  12. \n\t\tCRUD Policies<\/a>\n\t<\/li>\n\t
  13. \n\t\tComments<\/a>\n\t<\/li>\n\t
  14. \n\t\tExport\/Import a Policy<\/a>\n\t\t
      \n
        \n\t\t\t
      1. \n\t\t\t\tExport<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n<\/ol>\n\t
      2. \n\t\tDebugging a Policy<\/a>\n\t\t
          \n
            \n\t\t\t
          1. \n\t\t\t\tPolicy Debug Tracing<\/a>\n\t\t\t<\/li>\n\t\t\t
          2. \n\t\t\t\tContext Variables in Debug Trace Policy<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n<\/ol>\n\t
          3. \n\t\tManaging Global Resources<\/a>\n\t<\/li>\n\t
          4. \n\t\tManage UDDI Registries<\/a>\n\t<\/li>\n\t
          5. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
             <\/div>\n

            Overview<\/h2><\/span>\n

            * Policy types:
            \n– Service policies
            \n– Global policies
            \n– Policy fragments
            \n– Internal use policies<\/p>\n

            Global Policies<\/h2><\/span>\n

            * Always applied before or after<\/em> every service policy
            \n* Ensure consistency and reduce error
            \n* Permissions
            \n– Create\/Delete: Administrator
            \n– Edit: Administrator, Manage Web Service
            \n– Read: Administrator, Manage Web Service, Operators
            \n* Types of global policies:
            \n– message-received
            \n– pre-security
            \n– pre-servcie
            \n– post-service
            \n– post-security
            \n– message-completed
            \n* How global policies are evaluated
            \n– only one policy of each type is permitted
            \n– in the order shown previously
            \n– not all global policies will be evaluated in all cases
            \n* How a global policy relates to the service policy
            \n– A global policy shares the following with a service policy:
            \n— request\/response messages
            \n— message context mappings
            \n— audit\/fault settings
            \n— authentication details
            \n— built-in context variables (all other variables local to the policy being run)
            \n– Details in SOAP faults will not include details for global policies
            \n– audit sink policy (if configured) will run after service policy and all global policies are completed
            \n– policy fragments can be included in a global policy
            \n* Supported assertions
            \n– Apply Rate Limit Assertion on page
            \n– Add Audit Detail Assertion on page
            \n– Add Comment to Policy Assertion on page
            \n– All Assertions Must Evaluate to True Assertion on page
            \n– At Least One Assertion Must Evaluate to True Assertion on page
            \n– Audit Messages in Policy Assertion on page
            \n– Capture Identity of Requestor Assertion on page
            \n– Compare Expression Assertion on page
            \n– Continue Processing Assertion on page
            \n– Customize Error Response Assertion on page
            \n– Customize SOAP Fault Response Assertion on page
            \n– Include Policy Fragment Assertion on page
            \n– Limit Availability to Time\/Days Assertion on page
            \n– Limit Message Size Assertion on page
            \n– Restrict Access to IP Address Range Assertion on page
            \n– Send Email Alert Assertion on page
            \n– Send SNMP Trap Assertion on page
            \n– Set Context Variable Assertion on page
            \n– Stop Processing Assertion on page
            \n* Limitations of global policies: global policies will not be processed when:
            \n– when the Gateway generates a policy for the SecureSpan XML VPN Client.
            \n– when the Gateway generates the WS-SecurityPolicy document attached to a service WSDL.
            \n– if policy debug tracing is enabled for a service.
            \n– when the service policy is exported.
            \n– in policy migrations.<\/p>\n

            Internal Use Policies<\/h2><\/span>\n

            * wsdm-notifications policy:
            \n– wsdm: web services distributed management
            \n– evaluation for each WSDM notification message (added via WSDM Subscription Service internal service)
            \n– adds a A Route via HTTP(S)<\/em> assertion that routes to ${esmNotificationUrl}<\/em>, which refers to the value of the “<\/em>” tag of the Subscribe method in EsmSubscriptionManagementServiceBinding<\/em>.
            \n* Audit Message Filter (AMF) policy:
            \n– removes sensitive data from messages
            \n– protect data prior to auditing
            \n– intended to be used in conjunction with the Audit Viewer<\/em> policy
            \n– message is audited under the following conditions:
            \n1. The policy contains the Audit Messages in Policy<\/em> assertion, configured with a sufficiently high level.
            \n2. An assertion fails, causing the target message to be audited. (This assumes the audit.hinting<\/em> cluster property is set to its default value of “true”.)
            \n– Keep in mind:
            \n— only one AMF policy can be created per Gateway cluster
            \n— this policy cannot access context variables created by any other service policy of global policy
            \n— the output of AMF policy must be text\/xml for it to work with AV policy
            \n* Audit Viewer
            \n– used to reverse the actions of AMF policy
            \n– can restrict data viewing to individual users
            \n— uses a special “audit viewer” private key to enforce this restricted access
            \n– only one AV policy can be created per Gateway cluster
            \n— this policy cannot access context variables created by any other service policy of global policy
            \n– audit message or detail to be processed must be in XML format (Content-Type text\/xml)
            \n– don’t use Run All Assertions Concurrently<\/em> assertion in AV policy
            \n– default AV policy<\/p>\n

            \"layer7_policy_authoring_AVPolicy_default\"<\/a><\/h6><\/span>\n

            Policy Structure<\/h2><\/span>\n

            * Service request arrives
            \n* Request is run through WS-Sec processor
            \n– encrypted sections are decrypted and WS-Sec verified
            \n– default security header can be optionally removed before routing
            \n* Request is run through the policy assertions
            \n– routing assertion sends a request to the service provider
            \n– remainder of policy assertions are applied to the service response
            \n* Response is run through the WS-Sec decorator
            \n– default security header is created
            \n– signatures specified by policy are applied
            \n– encryption specified by the policy is performed
            \n* Response is sent back to the client<\/p>\n

            Special Assertions<\/h2><\/span>\n

            * At least one assertion must evaluate to true
            \n* All assertions must evaluate to true<\/p>\n

            Hints and Tips<\/h2><\/span>\n

            * Use Continue Processing<\/em> assertion to prevent failure of a policy due to the failure of a non-essential assertion
            \n* Some policy assertions work together and require the presence of each other to succeed:
            \n– Require HTTP Basic Credentials
            \n– Authenticate user or Group<\/p>\n

            \"layer7_policy_authoring_policyTogetherExample\"<\/a><\/h6><\/span>\n

            * To add more than one user or group in a policy, you should place each individual Authenticate User or Group assertion in a separate “At least one assertion” or “All assertions” folder with an authentication assertion (and other assertions, as required).<\/p>\n

            \"layer7_policy_authoring_multipleAuthenticatedUses\"<\/a><\/h6><\/span>\n

            * Put a Stop Processing<\/em> assertion after any assertion whose sole purpose is to report on a prior error, for example:
            \n– Audit Messages in Policy
            \n– Send Email Alert
            \n– Send SNMP Trap
            \n– Return Template Response to Requestor.
            \nReason: These assertions always succeed, even though the intent is to halt the policy and send an HTTP challenge.
            \n* Routing assertion usually should be placed last except:
            \n* Assertions that operate on response should be placed after<\/strong> routing application
            \n– Add Security Token (with target set to ‘Response’)
            \n– Add Timestamp (with target set to ‘Response’)
            \n– Encrypt Element (with target set to ‘Response’)
            \n– Evaluate Response XPath
            \n– Sign Element (with target set to ‘Response’)
            \n– Validate XML Schema Apply XSL Transformation
            \n* Assertions where you can specify the target message to be acted upon will be prefixed with
            \n– “Request:”
            \n– “Response:”
            \n– or “${VARIABLE_NAME}” in the policy window.
            \nFor example:
            \n– Request: Authenticate against XYZ
            \n– or Response: Add signed Timestamp.
            \n* Use Policy Validation Messages window to debug
            \n* Use Copy and Paste options on the Edit menu to organize the policy
            \n* Disable assertion instead of deleting
            \n* Disable all assertions in a “All assertions…” folder –> folder succeeds
            \n– Disable all assertions in a “At least one…” folder –> folder fails<\/p>\n

            Policy Revisions<\/h2><\/span>\n

            * Default to 20 revisions
            \n* A new revision is created each time the policy is saved, even if no changes<\/em> have been made.
            \n* Change with policyVersioning.maxRevisions<\/em> cluster property
            \n* Versions containing a comment are protected from being overwritten.
            \n* Versions without a comment will be automatically overwritten when the revision limit is reached.
            \n* To view revisions, right click service name and select Revision History<\/em><\/p>\n

            Policy Properties<\/h2><\/span>\n

            * Tasks > Create Policy<\/em><\/p>\n

            \"layer7_policy_authoring_policyProperties\"<\/a><\/h6><\/span>\n

            Services and Policies Folders<\/h2><\/span>\n

            * To create new folder: right click root or folder and select Create New Folder<\/em><\/p>\n

            \"layer7_policy_authoring_createNewFolder\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_createNewFolder_2\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_createNewFolder_3\"<\/a><\/h6><\/span>\n

            * Also creates folder roles:<\/p>\n

            \"layer7_policy_authoring_newFolderRoles\"<\/a><\/h6><\/span>\n

            * Rename, Delete folder:<\/p>\n

            \"layer7_policy_authoring_updateFolder\"<\/a><\/h6><\/span>\n

            Service\/Policy Aliases<\/h2><\/span>\n

            * Overview:
            \n– Folder cannot have aliases
            \n– an entity may have multiple aliases
            \n– deleting an original removes all its aliases
            \n– deleting an alias does not affect original or other aliases
            \n– access to alias = folder access + original access
            \n* Create an alias:
            \n– right click a service\/policy and select Copy as Alias<\/em>
            \n– right click a destination folder and select Paste as Alias<\/em><\/p>\n

            Multiple Signatures<\/h2><\/span>\n

            * To allow multiple signatures:
            \n– select the [Allow multiple signatures]<\/em> check box in the Require WS-Security Signature Credentials Assertion<\/em>
            \n– set the cluster property wss.processor.allowMultipleTimestampSignatures<\/em> to “true<\/strong>“.<\/p>\n

            CRUD Policies<\/h2><\/span>\n

            * Create policy: Tasks > Create Policy<\/em>
            \n* Disable policy: right click policy > select Revision History > click Clear Active<\/em><\/p>\n

            \"layer7_policy_authoring_disablePolicy\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_disablePolicy_2\"<\/a><\/h6><\/span>\n

            * Enable policy: right click policy > select Revision History > select revision > click Set Active<\/em><\/p>\n

            \"layer7_policy_authoring_enablePolicy\"<\/a><\/h6><\/span>\n

            * Validate policy<\/p>\n

            Comments<\/h2><\/span>\n

            * Add comment:
            \n– Drag and drop Add Comment to Policy<\/em> assertion<\/p>\n

            \"layer7_policy_authoring_commentAssertion\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_commentAssertion_2\"<\/a><\/h6><\/span>\n

            – Right click assertion and select Add Comment<\/em><\/p>\n

            \"layer7_policy_authoring_addComment_1\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_addComment_2\"<\/a><\/h6><\/span>\n

            Export\/Import a Policy<\/h2><\/span>\n

            Export<\/h4><\/span>\n

            * Portable policy XML file exported includes:
            \n– identity providers belonging to the users and groups in the policy
            \n– JMS routing endpoints or destinations, if included in the policy
            \n– any custom assertion, if present in the policy
            \n* To export:<\/p>\n

            \"layer7_policy_authoring_expPolicy_1\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_expPolicy_2\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_expPolicy_3\"<\/a><\/h6><\/span>\n

            * To import:
            \n– open target service<\/p>\n

            \"layer7_policy_authoring_impPolicy_1\"<\/a><\/h6><\/span>\n

            – drag and drop from Policy Templates > HelloWorldSvc_expPolicy.xml<\/em> into target service policy<\/p>\n

            \"layer7_policy_authoring_impPolicy_2\"<\/a><\/h6><\/span>\n

            – OR click Import Policy<\/em> and select HelloWorldSvc_expPolicy.xml<\/em>
            \n– Edit routing assertion<\/p>\n

            \"layer7_policy_authoring_impPolicy_3\"<\/a><\/h6><\/span>\n

            – validate
            \n– save and activate<\/p>\n

            Debugging a Policy<\/h2><\/span>\n

            Policy Debug Tracing<\/h4><\/span>\n

            * For both SOAP and non-SOAP services
            \n* Executes after each assertion has completed
            \n* Captures the following and more:
            \n– service OID
            \n– service ordinal
            \n– policy OID
            \n– policy ordinal
            \n– assertion status
            \n* Best practice: configure an audit sink to be run in addition to a debug trace policy
            \n* To enable:<\/p>\n

            \"layer7_policy_authoring_debugTracing_1\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_debugTracing_2\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_debugTracing_3\"<\/a><\/h6><\/span>\n

            * Internal Debug Trace Policy:<\/p>\n

            \"layer7_policy_authoring_debugTracing_4\"<\/a><\/h6><\/span>\n

            – shared by all published services that have tracing enabled
            \n– more complex example:<\/p>\n

            \"layer7_policy_authoring_debugTracing_5\"<\/a><\/h6><\/span>\n

            * Save trace information to a file
            \n– open Tasks > Manage Log\/Audit Sinks<\/em> and create a new log sink:<\/p>\n

            <\/h6><\/span>\n

            – open Tasks > Manage Cluster-wide Properties<\/em> and set:
            \ncom.l7tech.server.trace.TracePolicyEvaluator.level = FINER<\/em>
            \n– Configure your trace policy to accumulate any desired trace information in the context variable ${trace.out}. For example, the policy sample under “More Complex Example” above is a good example
            \n– When service consumption is complete, you can find the trace log file in this directory:
            \n\/opt\/SecureSpan\/Gateway\/node\/default\/var\/logs<\/em><\/p>\n

            Context Variables in Debug Trace Policy<\/h4><\/span>\n

            * Only exists when
            \n– used in a debug trace policy
            \n– or within a policy fragment that is included in a debug trace policy<\/p>\n

            Managing Global Resources<\/h2><\/span>\n

            * e.g. XML schema or DTD
            \n* A global resource can be referenced by an import statement in
            \n– ore or more Validate XML Schema<\/em> assertions in a policy
            \n– or from another global resource
            \n* The referenced schema, or global schema, must exist in the Manage Global Resources table\u2014and hence in the Gateway\u2014in order for validation to proceed
            \n* Schema dependencies (i.e., import targets) do not need to be in the Manage Global Resources table when monitoring a URL for a schema to validate (\u201cMonitor URL for latest value\u201d option in the Validate XML Schema assertion).
            \n* Default global resources
            \n– SOAP 1.1 and 1.2 XML Schemas:
            \nhttp:\/\/schemas.xmlsoap.org\/soap\/envelope\/ (SOAP 1.1)
            \nhttp:\/\/www.w3.org\/2003\/05\/soap-envelope\/ (SOAP 1.2)
            \nhttp:\/\/www.w3.org\/2001\/xml.xsd (XML namespace)
            \n– DTDs:
            \nhttp:\/\/www.w3.org\/2001\/XMLSchema.dtd (XML Schema)
            \nhttp:\/\/www.w3.org\/2001\/datatypes.dtd (XML Schema Datatypes)<\/p>\n

            \"layer7_policy_authoring_defaulGlobalResources\"<\/a><\/h6><\/span>\n

            * To manage, click: Tasks > Manage Global Resources<\/em><\/p>\n

            \"layer7_policy_authoring_globalResources_actions\"<\/a><\/h6><\/span>\n

            * Import a global resource<\/p>\n

            \"layer7_policy_authoring_globalResources_import_1\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_globalResources_import_2\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_globalResources_import_3\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_globalResources_import_4\"<\/a><\/h6><\/span>\n

            * Edit a global resource<\/p>\n

            \"layer7_policy_authoring_globalResources_import_5\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_globalResources_import_6\"<\/a><\/h6><\/span>\n

            * Add XML Schema<\/p>\n

            \"layer7_policy_authoring_globalResources_addSchema_1\"<\/a><\/h6><\/span>\n
            \"layer7_policy_authoring_globalResources_addSchema_2\"<\/a><\/h6><\/span>\n

            * Remove a global resource
            \n* Analyze a global resource<\/p>\n

            Manage UDDI Registries<\/h2><\/span>\n

            References<\/h2><\/span>\n

            * Layer 7 Policy Authoring User Manual Version 6.2<\/p>\n","protected":false},"excerpt":{"rendered":"

            Overview * Policy types: – Service policies – Global policies – Policy fragments – Internal use policies Global Policies * Always applied before or after every service policy * Ensure consistency and reduce error * Permissions – Create\/Delete: Administrator – … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[306],"tags":[471,404],"class_list":["post-9632","post","type-post","status-publish","format-standard","hentry","category-layer7","tag-layer","tag-policy"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-2vm","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9632"}],"version-history":[{"count":14,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9632\/revisions"}],"predecessor-version":[{"id":9698,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9632\/revisions\/9698"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}