{"id":9699,"date":"2014-04-15T13:57:45","date_gmt":"2014-04-15T18:57:45","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=9699"},"modified":"2014-04-15T13:57:45","modified_gmt":"2014-04-15T18:57:45","slug":"layer-7-policy-authoring","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=9699","title":{"rendered":"Layer 7 Policy Authoring"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tPolicy Fragments<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tOverview<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tAdd Policy Fragment to Service Policy<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    3. \n\t\tPolicy Assertions<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tOverview<\/a>\n\t\t\t<\/li>\n\t\t\t
      2. \n\t\t\t\tAssertion Categories<\/a>\n\t\t\t<\/li>\n\t\t\t
      3. \n\t\t\t\tMaking Kerberos Configuration<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      4. \n\t\tAccess Control Assertions<\/a>\n\t\t
          \n\t\t\t
        1. \n\t\t\t\tAuthenticate Against Identity Provider<\/a>\n\t\t\t<\/li>\n\t\t\t
        2. \n\t\t\t\tAuthenticate User or Group<\/a>\n\t\t\t\t
            \n\t\t\t\t\t
          1. \n\t\t\t\t\t\tAuthenticate Against a Simple LDAP IdP<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
          2. \n\t\t\t\tExchange Credentials using WS-Trust Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          3. \n\t\t\t\tExtract Attributes from Certificate Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          4. \n\t\t\t\tExtract Attributes for Authenticated User Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          5. \n\t\t\t\tPerform JDBC Query Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          6. \n\t\t\t\tQuery LDAP Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          7. \n\t\t\t\tRequire Encrypted UsernameToken Profile Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          8. \n\t\t\t\tRequire FTP Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          9. \n\t\t\t\tRequire HTTP Basic Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          10. \n\t\t\t\tRequire HTTP Cookie Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          11. \n\t\t\t\tRequire Remote Domain Identity Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          12. \n\t\t\t\tRequire SAML Token Profile Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          13. \n\t\t\t\tRequire SSH Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          14. \n\t\t\t\tRequire SSL or TLS Transport with Client Authentication Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          15. \n\t\t\t\tRequire Windows Integrated Authentication Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          16. \n\t\t\t\tRequire WS-Secure Conversation Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          17. \n\t\t\t\tRequire WS-Security Kerberos Token Profile Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          18. \n\t\t\t\tRequire WS-Security Password Digest Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          19. \n\t\t\t\tRequire WS-Security Signature Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          20. \n\t\t\t\tRequire WS-Security UsernameToken Profile Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          21. \n\t\t\t\tRequire XPath Credentials Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          22. \n\t\t\t\tRetrieve Credentials from Context Variable Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          23. \n\t\t\t\tRetrieve SAML Browser Artifact Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
          24. \n\t\t\t\tUse WS-Federation Credential Assertion<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
          25. \n\t\tTransport Layer Security Assertions<\/a>\n\t\t
              \n\t\t\t
            1. \n\t\t\t\tRequire SSL or TLS Transport Assertion<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
            2. \n\t\tXML Security Assertions<\/a>\n\t\t
                \n\t\t\t
              1. \n\t\t\t\tAdd or Remove WS-Security Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              2. \n\t\t\t\tAdd Security Token Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              3. \n\t\t\t\tAdd Timestamp Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              4. \n\t\t\t\tAdd WS-Security UsernameToken Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              5. \n\t\t\t\tBuild RST SOAP Request Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              6. \n\t\t\t\tBuild RSTR SOAP Response Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              7. \n\t\t\t\tBuild SAML Protocol Request Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              8. \n\t\t\t\tSAML Protocol Request Wizard<\/a>\n\t\t\t<\/li>\n\t\t\t
              9. \n\t\t\t\tBuild SAML Protocol Response Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              10. \n\t\t\t\tCancel Security Context Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              11. \n\t\t\t\tConfigure WS-Security Decoration Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              12. \n\t\t\t\tCreate SAML Token Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              13. \n\t\t\t\tCreate Security Context Token Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              14. \n\t\t\t\tCreate XACML Request Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              15. \n\t\t\t\tEncrypt Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              16. \n\t\t\t\tEstablish Outbound Secure Conversation Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              17. \n\t\t\t\tEvaluate SAML Protocol Response Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              18. \n\t\t\t\tEvaluate XACML Policy Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              19. \n\t\t\t\tLookup Outbound Secure Conversation Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              20. \n\t\t\t\tLookup Trusted Certificate Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              21. \n\t\t\t\t(Non-SOAP)Check Results from XML Verification Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              22. \n\t\t\t\t(Non-SOAP)Decrypt XML element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              23. \n\t\t\t\t(Non-SOAP)Encrypt XML Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              24. \n\t\t\t\t(Non-SOAP)Sign XML Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              25. \n\t\t\t\t(Non-SOAP)Verify XML Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              26. \n\t\t\t\tProcess RSTR Response Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              27. \n\t\t\t\tProtect Against Message Replay Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              28. \n\t\t\t\tRequire Encrypted Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              29. \n\t\t\t\tRequire Signed Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              30. \n\t\t\t\tRequire Timestamp Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              31. \n\t\t\t\tSign Element Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
              32. \n\t\t\t\tUse WS-Security 1.1 Assertion<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
              33. \n\t\tMessage Routing Assertions<\/a>\n\t\t
                  \n\t\t\t
                1. \n\t\t\t\tAdd Header Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                2. \n\t\t\t\tCopy Request Message to Response Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                3. \n\t\t\t\tReturn Template Response to Requestor Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                4. \n\t\t\t\tRoute via FTP(S) Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                5. \n\t\t\t\tRoute via HTTP(S) Assertion<\/a>\n\t\t\t\t
                    \n\t\t\t\t\t
                  1. \n\t\t\t\t\t\tTarget Tab<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                  2. \n\t\t\t\t\t\tSecurity Tab<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                  3. \n\t\t\t\t\t\tRequest HTTP Rules Tab<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                  4. \n\t\t\t\t\t\tResponse HTTP Rules Tab<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                  5. \n\t\t\t\t\t\tProxy Tab<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                  6. \n\t\t\t\tRoute via JMS Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                  7. \n\t\t\t\tRoute via MQ Native<\/a>\n\t\t\t<\/li>\n\t\t\t
                  8. \n\t\t\t\tRoute via Raw TCP<\/a>\n\t\t\t<\/li>\n\t\t\t
                  9. \n\t\t\t\tRoute via SecureSpan Bridge<\/a>\n\t\t\t<\/li>\n\t\t\t
                  10. \n\t\t\t\tRoute via SSH2<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
                  11. \n\t\tLogging, Auditing, and Alerts Assertions<\/a>\n\t\t
                      \n\t\t\t
                    1. \n\t\t\t\tMessage Auditing<\/a>\n\t\t\t\t
                        \n\t\t\t\t\t
                      1. \n\t\t\t\t\t\tSystem Audits<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      2. \n\t\t\t\t\t\tAdmin Audits<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      3. \n\t\t\t\t\t\tPolicy Message Audits<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      4. \n\t\t\t\t\t\tExpand the Scope of Policy Message Audits for Troubleshooting<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                      5. \n\t\t\t\tAdd Audit Detail Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                      6. \n\t\t\t\tAudit Messages in Policy Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                      7. \n\t\t\t\tCapture Identity of Requestor Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                      8. \n\t\t\t\tCustomize SOAP Fault Response Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                      9. \n\t\t\t\tSend Email Alert Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                      10. \n\t\t\t\tSend SNMP Trap<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
                      11. \n\t\tPolicy Logic Assertions<\/a>\n\t<\/li>\n\t
                      12. \n\t\tThreat Protection Assertions<\/a>\n\t\t
                          \n\t\t\t
                        1. \n\t\t\t\tAutomatic Threat Protection<\/a>\n\t\t\t\t
                            \n\t\t\t\t\t
                          1. \n\t\t\t\t\t\tProtections<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                          2. \n\t\t\t\tLimit Message Size Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          3. \n\t\t\t\tProtect Against Code Injection Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          4. \n\t\t\t\tProtect Against Cross-Site Request Forgery (CSRF)<\/a>\n\t\t\t<\/li>\n\t\t\t
                          5. \n\t\t\t\tProtect Against Document Structure Threats Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          6. \n\t\t\t\tProtect Against Message Replay Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          7. \n\t\t\t\tProtect Against SQL Attack Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          8. \n\t\t\t\tScan Using ICAP-Enabled Antivirus Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          9. \n\t\t\t\tValidate JSON Schema Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          10. \n\t\t\t\tValidate or Change Content Type Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                          11. \n\t\t\t\tValidate XML Schema Assertion<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
                          12. \n\t\tInternal Assertions<\/a>\n\t\t
                              \n\t\t\t
                            1. \n\t\t\t\tCollect WSDM Metrics Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                            2. \n\t\t\t\tConvert Audit Record to XML Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                            3. \n\t\t\t\tHandle UDDI Subscription Notification Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                            4. \n\t\t\t\tManage Gateway Assertion<\/a>\n\t\t\t<\/li>\n\t\t\t
                            5. \n\t\t\t\tSubscribe to WSDM Resource Assertion<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
                            6. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                               <\/div>\n

                              Policy Fragments<\/h2><\/span>\n

                              Overview<\/h3><\/span>\n

                              * Used to group assertions
                              \n* Can be used in any published service
                              \n* Two types of policy fragments:
                              \n– included policy fragments: need to be manually included in service policy
                              \n– global policy fragments: will run at predefined points, will not show in service policy
                              \n* Tasks:
                              \n– create a new policy fragment<\/p>\n

                              \"layer7_policy_createPolicyFragment_1\"<\/a><\/h6><\/span>\n

                              – policy fragment revisions<\/p>\n

                              \"layer7_policy_PolicyFragment_revision_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_PolicyFragment_revision_2\"<\/a><\/h6><\/span>\n

                              – add a policy fragment to a policy
                              \n– delete a policy fragment
                              \n– edit a policy fragment
                              \n* Tips
                              \n– policy fragments are listed in the Services and Policies list
                              \n– can import items from a policy template into a fragment
                              \n– can not<\/strong> import items from UDDI registry
                              \n– you can drag and drop one fragment into another (fragment composition<\/em>)
                              \n– policy fragments have their own revision history<\/em>
                              \n– If the fragment contains assertions that create custom context variables and these variables will be referenced in an including policy, ensure that a Export Variables from Fragment assertion is added to the fragment.
                              \n— An example of assertions that create context variables are the XPath-based assertions (Evaluate Request XPath or Evaluate Response XPath).<\/p>\n

                              Add Policy Fragment to Service Policy<\/h3><\/span>\n

                              * Open target service policy
                              \n* Drag and drop Include Policy Fragment<\/em> assertion to desired position within service policy<\/p>\n

                              Policy Assertions<\/h2><\/span>\n

                              Overview<\/h3><\/span>\n

                              * A policy defines restrictions for the consumption of a published service that is protected by the Gateway
                              \n* Policy assertions are building blocks for policies<\/p>\n

                              Assertion Categories<\/h3><\/span>\n

                              * Access Control
                              \n* Transport Layer Security
                              \n* XML Security
                              \n* Message Validation\/Transformation
                              \n* Message Routing
                              \n* Service Availability
                              \n* Logging, Auditing, and Alerts
                              \n* Policy Logic
                              \n* Threat Protection
                              \n* Internal Assertions
                              \n* Custom Assertions
                              \n* Policy Templates: contains exported policies<\/p>\n

                              Making Kerberos Configuration<\/h3><\/span>\n

                              * Generate a keytab file for Layer 7. See here<\/a>
                              \n* Open Tasks > Manage Cluster-Wide Properties<\/em> and set krb5.kdc<\/em> to target KDC IP address<\/p>\n

                              \"layer7_policy_authoring_loadKeytab_specifyKDC_3\"<\/a><\/h6><\/span>\n

                              * Open Tasks > Manage Kerberos Configuration<\/em>
                              \n* Click Load Keytab<\/em> button
                              \n* Browse to keytab file, e.g. layer7.keytab<\/strong><\/p>\n

                              \"layer7_policy_authoring_loadKeytab_1\"<\/a><\/h6><\/span>\n

                              * Loaded:<\/p>\n

                              \"layer7_policy_authoring_loadKeytab_2\"<\/a><\/h6><\/span>\n

                              * Error: Could not login ‘Clock skew too great (37)’
                              \n– This is due to time sync off between Layer 7 and domain controller
                              \n– Solution:
                              \n— Setup NTP client on Layer 7 to use domain controller NTP server (ssh to gateway, select 1: Configure system settings, then 1: Configure networking and system time settings)
                              \n— Increase Maximum tolerance for computer clock synchronization<\/em> setting in domain controller<\/p>\n

                              Access Control Assertions<\/h2><\/span>\n

                              Authenticate Against Identity Provider<\/h3><\/span>\n

                              * Authenticate users and\/or groups from
                              \n– LDAP, e.g. AD<\/p>\n

                              \"layer7_policy_authenticateAgainstIdP_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authenticateAgainstIdP_2\"<\/a><\/h6><\/span>\n

                              – Simple LDAP (cannot do groups)
                              \n– FIP (Federated IdP)
                              \n– IIP (Internal IdP)<\/p>\n

                              Authenticate User or Group<\/h3><\/span>\n
                              \"layer7_policy_authenticateUser_1\"<\/a><\/h6><\/span>\n

                              Authenticate Against a Simple LDAP IdP<\/h4><\/span>\n

                              * Only users, not groups<\/strong>, can be authenticated against simple LDAP<\/p>\n

                              Exchange Credentials using WS-Trust Assertion<\/h3><\/span>\n

                              * Steps:
                              \n– extract credentials from preceding assertion
                              \n– send credentials to WS-Trust STS via WS-Trust RequestSecurityToken (RST) SOAP request
                              \n– extract RequestedSecurityToken (SAML or UsernameToken) from WS-Trust RequestSecurityTokenResponse (RSTR)
                              \n– replace original request’s credentials with RequestedSecurityToken
                              \n* Caveats:
                              \n– must configure the Route via HTTP(S)<\/em> or Route via SecureSpan Bridge<\/em> assertions to maintain the Security header in the message.
                              \n— The Exchange Credentials using WS-Trust assertion will be invalidated if the routing assertion in the policy is set to remove processed Security headers
                              \n— must select the “Leave current Security header in request before routing<\/em>” option in the HTTP(S) Routing Properties that is used by both assertions.
                              \n– If the credentials in a message are covered by an XML Signature using the Sign Element<\/em> assertion, then the signature will be invalidated when the credentials are replaced by the Exchange Credentials using WS-Trust assertion.<\/p>\n

                              Extract Attributes from Certificate Assertion<\/h3><\/span>\n

                              * Extracts information from X.509 Certificate of the last authenticated user and places them in context variables:
                              \n– subject\/issuer DN fields
                              \n– some extended attributes
                              \n* Must be preceded by:
                              \n– at least one credential source assertion:
                              \n— Require SSL or TLS Transport with Client Authentication
                              \n— Require WS-Secure Conversation
                              \n— Require WS-Security Signature Credentials
                              \n— Require SAML Token Profile (Subject Confirmation: Holder of Key, Require Message Signature)
                              \n– an identity assertion, e.g. Authenticate User or Group<\/p>\n

                              Extract Attributes for Authenticated User Assertion<\/h3><\/span>\n

                              * Used to create context variables based on the attributes of a previously authenticated user
                              \n* Intended primarily to be used by Create SAML Token<\/em> assertion
                              \n* Can also be read by any assertion that uses context variables<\/p>\n

                              \"layer7_policy_authoring_extractAttr_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_extractAttr_2\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_extractAttr_3\"<\/a><\/h6><\/span>\n

                              Perform JDBC Query Assertion<\/h3><\/span>\n
                              \"layer7_policy_authoring_jdbcQuery_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_jdbcQuery_2\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_jdbcQuery_3\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_jdbcQuery_4\"<\/a><\/h6><\/span>\n

                              Query LDAP Assertion<\/h3><\/span>\n

                              * Reads attributes from LDAP entries and stores them in context variables<\/p>\n

                              \"layer7_policy_authoring_ldapQuery_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_ldapQuery_2\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_ldapQuery_3\"<\/a><\/h6><\/span>\n

                              Require Encrypted UsernameToken Profile Credentials Assertion<\/h3><\/span>\n

                              * Requires an encrypted Username Token element to be present and that it be encrypted with the same key that was used to sign the timestamp or other parts of the message
                              \n* Requires message security features contained in WS-Security version 1.1 or later.<\/p>\n

                              Require FTP Credentials Assertion<\/h3><\/span>\n

                              Require HTTP Basic Credentials Assertion<\/h3><\/span>\n
                              \"layer7_policy_requireBasicAuth_1\"<\/a><\/h6><\/span>\n

                              Require HTTP Cookie Assertion<\/h3><\/span>\n

                              * Checks that a request contains a cookie with the same name as that specified in the assertion.
                              \n* If the request does not contain a cookie with this name, then the assertion fails.
                              \n* Does not<\/strong> check the validity or expiry of a cookie. It only checks for the presence of a cookie<\/p>\n

                              \"layer7_policy_requireCookie_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_requireCookie_2\"<\/a><\/h6><\/span>\n

                              Require Remote Domain Identity Assertion<\/h3><\/span>\n

                              * Need to pair with SecureSpan XML VPN Client.
                              \n* Enables the Windows Domain Injection feature in the SecureSpan XML VPN Client.<\/p>\n

                              Require SAML Token Profile Assertion<\/h3><\/span>\n

                              * Supports both the SAML 1.1 and 2.0 standards
                              \n* When used to validate an Attribute Statement, the attribute values that were validated are placed into context variables with the names: saml.attr.att_nam<\/em>e<\/p>\n

                              Require SSH Credentials Assertion<\/h3><\/span>\n

                              The Require SSH Credentials assertion allows you to require a user’s SSH credentials in a request. You can require either the user name and plain text password only, or the user name and public key only, or the user name and either the plain text password or the public key.
                              \nThis assertion is a credential source that saves the user name with the password or public key from the SSH session for later authentication and authorization using the Authenticate User or Group Assertion<\/p>\n

                              Require SSL or TLS Transport with Client Authentication Assertion<\/h3><\/span>\n

                              Require Windows Integrated Authentication Credentials Assertion<\/h3><\/span>\n

                              * Requires the presence of credentials from a Windows domain in the request
                              \n* Make sure no other credential sources (e.g. Require HTTP Basic Credentials) are present in the policy
                              \n* Places realm of the client into the kerberos.realm<\/em> context variable
                              \n* Realm is displayed when using Manage Kerberos Configuration<\/em> task<\/p>\n

                              Require WS-Secure Conversation Assertion<\/h3><\/span>\n

                              Require WS-Security Kerberos Token Profile Credentials Assertion<\/h3><\/span>\n

                              * Requires that the request message contains a valid WSS1.1 Kerberos Token (specifically, a GSS wrapped Kerberos v5 AP-REQ, as defined in the GSSAPI specification).
                              \n* This assertion places the realm of the client in the kerberos.realm<\/em> context variable
                              \n* Must validate realm before performing authentication<\/p>\n

                              Require WS-Security Password Digest Credentials Assertion<\/h3><\/span>\n

                              * Requires WSS Digest token present and matches with username and password
                              \n* Can optionally check the presence of timestamp or nonce
                              \n– Does not<\/strong> check:
                              \n— timestamp expiration
                              \n— reuse of nonce<\/p>\n

                              Require WS-Security Signature Credentials Assertion<\/h3><\/span>\n

                              * Requires:
                              \n– presence of WS-Sec X.509 BinarySecurityToken containing a client certificate
                              \n– at least one element is signed
                              \n* Supports WS-Sec 1.0
                              \n* Best practices:
                              \n– use together with Protect Against Message Replay assertion to enforce timestamp<\/p>\n

                              Require WS-Security UsernameToken Profile Credentials Assertion<\/h3><\/span>\n

                              * Requires presence of
                              \n– user name
                              \n– plain text password
                              \n– authentication realm
                              \n* Supports WS-Sec 1.0<\/p>\n

                              Require XPath Credentials Assertion<\/h3><\/span>\n

                              Retrieve Credentials from Context Variable Assertion<\/h3><\/span>\n

                              * Retrieves X.509 cert contained in a specified context variable<\/p>\n

                              Retrieve SAML Browser Artifact Assertion<\/h3><\/span>\n

                              * Uses the credentials in a request message to obtain a SAML Browser Artifact from a SAML SSO endpoint<\/p>\n

                              Use WS-Federation Credential Assertion<\/h3><\/span>\n

                              * Submits credentials from the current request to the local ADFS server
                              \n* Two modes of operation:
                              \n– Token request:
                              \n— submit previously authenticated login\/password (by other assertions) to ADFS
                              \n— add successfully returned SAML token to current request’s SOAP security header
                              \n– Token exchange:
                              \n— submit previously authenticated SAML token to ADFS
                              \n— add successfully returned SAML token to current request’s SOAP security header<\/p>\n

                              Transport Layer Security Assertions<\/h2><\/span>\n

                              Require SSL or TLS Transport Assertion<\/h3><\/span>\n
                              \"layer7_policy_authoring_requireSSL_1\"<\/a><\/h6><\/span>\n

                              XML Security Assertions<\/h2><\/span>\n

                              Add or Remove WS-Security Assertion<\/h3><\/span>\n

                              * Used to apply pending WS-Sec decorations to a message or to remove security headers
                              \n* Should be placed after the following WS-Sec assertions in a policy and<\/em> if the target message is the request message or context variable
                              \n– Add Security Token
                              \n– Add Timestamp
                              \n– Configure WS-Sec Decoration
                              \n– Encrypt Element
                              \n– Sign Element<\/p>\n

                              Add Security Token Assertion<\/h3><\/span>\n

                              \/\/ TODO<\/p>\n

                              Add Timestamp Assertion<\/h3><\/span>\n

                              * Used to add <wsu:Timestamp><\/em> element into the SOAP security header of all<\/em> target messages
                              \n* You can:
                              \n– specify expiry time period
                              \n-choose the method used to include SSL cert for the Gateway<\/p>\n

                              Add WS-Security UsernameToken Assertion<\/h3><\/span>\n

                              * Deprecated. Use Add Security Token Assertion<\/em> instead<\/p>\n

                              Build RST SOAP Request Assertion<\/h3><\/span>\n

                              * Used to create a SOAP message containing a Request Security Token (RST) in the SOAP body.
                              \n* RST can be:
                              \n– Security Context Token (SCT)
                              \n– SAML oToken<\/p>\n

                              Build RSTR SOAP Response Assertion<\/h3><\/span>\n

                              * Used to create a SOAP response message containing a RequestSecurityTokenResponse (RSTR) element
                              \n* Two types of responses:
                              \n– token issuance
                              \n– token cancellation
                              \n* Example<\/p>\n

                              \r\n\r\n  ...<\/wst:TokenType>\r\n  \r\n    \/\/ The issued security token appears here\r\n  <\/wst:RequestedSecurityToken>\r\n...\r\n<\/wst:RequestSecurityTokenResponse>\r\n<\/pre>\n
                              * Context Variables created:
                              \nprefix.rstrResponse
                              \nprefix.wsaNamespace
                              \nprefix.rstrWsaAction<\/p>\n
                              Build SAML Protocol Request Assertion<\/h3><\/span>\n
                              * Used to create a SAMLP request from either
                              \n– request message
                              \n– response message
                              \n– message variable
                              \n* Typically used with:
                              \n– Build SAML Protocol Request
                              \n– Route via HTTP(S)
                              \n– Evaluate SAML Protocol Response<\/p>\n
                              SAML Protocol Request Wizard<\/h3><\/span>\n
                              \/\/ TODO<\/p>\n
                              Build SAML Protocol Response Assertion<\/h3><\/span>\n
                              * Used to
                              \n– place a SAML token into a SAML Protocl Response message
                              \n– allow various attributes\/elements of Response to be specified<\/p>\n
                              Cancel Security Context Assertion<\/h3><\/span>\n
                              * Used to cancel a security conversion session that is no longer in use
                              \n* Can be either:
                              \n– inbound
                              \n– outbound
                              \n* Cancel inbound session:
                              \n– cancel token
                              \n– build RSTR SOAP Response Assertion<\/p>\n
                              \r\n\r\n  \r\n<\/wst:RequestSecurityTokenResponse>\r\n<\/pre>\n
                              * Cancel outbound session:
                              \n– Outbound sessions are established using the Establish Outbound Secure Conversation assertion.
                              \n– You simply need to specify the URL of the session being cancelled<\/p>\n
                              Configure WS-Security Decoration Assertion<\/h3><\/span>\n
                              * Used to specify or override pending security decorations for a message
                              \n* Provides a convenient location to set security attributes that were previously configured in other assertions:
                              \n– WS-Security Version
                              \n– Signature Digest Algorithm
                              \n– Encryption Algorithm(s)
                              \n– Signature Key Reference
                              \n– Encryption Key Reference
                              \n– Add Timestamp
                              \n– Security Token Signing
                              \n– Key Encryption Algorithm
                              \n– Use DerivedKey Token
                              \n* Four tabs to configure:
                              \n– General
                              \n– Signing
                              \n– Encryption
                              \n– Advanced<\/p>\n
                              Create SAML Token Assertion<\/h3><\/span>\n
                              * Used to create and optionally sign a SAML otken
                              \n\/\/ TODO<\/p>\n
                              Create Security Context Token Assertion<\/h3><\/span>\n
                              * Used to process an inbound message containing a RST request
                              \n* It will
                              \n– issue a Security Context Token (SCT)
                              \n– establish a secure conversation session
                              \n– save the session
                              \n* The secure conversation is mapped by the identifier defined in SCT<\/p>\n
                              Create XACML Request Assertion<\/h3><\/span>\n
                              * Used to
                              \n– build a valid XACML request
                              \n– place it in the specified target (req msg, resp msg, or msg var)
                              \n* Can be used
                              \n– in Evaluate XACML Policy<\/em> assertion
                              \n– routed to any other PDP for a decision
                              \n* Contains 4 attributes:
                              \n– Subject: 1 or more per request
                              \n– Resource: exactly one for XACML 1.0\/1.1, 1 or more for XACML 2.0
                              \n– Action: exactly one per request
                              \n– Environment: exactly one for XACML 2.0, 1 or 1 for 1.0\/1.1<\/p>\n
                              Encrypt Element Assertion<\/h3><\/span>\n
                              * used to select message elements to be encrypted in target message:
                              \n– if the target is response<\/em> message, encryption will occur automatically
                              \n– if the target is request<\/em> message or a message CV<\/em>, then Add or Remove WS-Security<\/em> assertion must be added after<\/strong> the Encrypt Element assertion in the policy to perform the encryption
                              \n* Supports W3C Signature 1.0<\/em> standard
                              \n* Can only be used in a web service policy
                              \n– should be placed before<\/strong> the routing assertion in a policy<\/p>\n
                              Establish Outbound Secure Conversation Assertion<\/h3><\/span>\n
                              * Used to create a new secure outbound conversation session using the security context identifier extracted from a Security Context Token
                              \n* The outbound session includes a shared secret<\/em> to be used for message decoration in future message exchanges
                              \n* Context variables created by this assertion:
                              \n– outboundSC.session
                              \n– outboundSC.session.<attribute> e.g. ${outboundSC.session.id}<\/em>
                              \nid: The session identifier
                              \nuser: The authenticated user
                              \n\tproviderId: The user’s Identity Provider ID
                              \n\tid: The user’s identifier
                              \n\tlogin: The user’s login ID
                              \n\tfirstName: The user’s first name
                              \n\tlastName: The user’s last name
                              \n\temail: The user’s email address
                              \n\tdepartment: The user’s department
                              \n\tsubjectDn: The user’s X.509 subject DN
                              \ncreation: The session creation time
                              \nexpiration: The session’s expiration time
                              \nscNamespace: The namespace of WSSecure Conversation<\/p>\n
                              Evaluate SAML Protocol Response Assertion<\/h3><\/span>\n
                              * Used to evaluate a SAML protocol response<\/p>\n
                              Evaluate XACML Policy Assertion<\/h3><\/span>\n
                              * Used to evaluate a XACML policy and renders an authorization decision for a resource based on the set of attributes found in a XACML request
                              \n* Fails with a policy that contains empty Description Element<\/p>\n
                              Lookup Outbound Secure Conversation Assertion<\/h3><\/span>\n
                              * Used to lookup an outbound secure conversation session that has been mapped to the authenticated user and the back-end service on which the secure conversation session is established
                              \n* Succeeds if at least one unexpired session is found
                              \n* CV created (see here<\/a> for session attributes):
                              \n– <.session e.g. scLookup.session.id<\/p>\n
                              Lookup Trusted Certificate Assertion<\/h3><\/span>\n
                              * Used to lookup trusted certs based on CN value
                              \n– store certs in a CV for later user in a policy<\/p>\n
                              (Non-SOAP)Check Results from XML Verification Assertion<\/h3><\/span>\n
                              * Used to check the contents of the context variables produced by the (Non-SOAP)Verify XML Element Assertion<\/p>\n
                              (Non-SOAP)Decrypt XML element Assertion<\/h3><\/span>\n
                              * used to immediately decrypt one or more EncryptedData<\/em> elements in an XML message (non-soap)
                              \n* Context variables created:
                              \n– <prefix>.elementsDecrypted
                              \n– <prefix>.encryptionMethodsUris
                              \n– <prefix>.recipientCertificates<\/p>\n
                              (Non-SOAP)Encrypt XML Element Assertion<\/h3><\/span>\n
                              * Used to immediately encrypt one or more elements in an XML message (non-soap)<\/p>\n
                              (Non-SOAP)Sign XML Element Assertion<\/h3><\/span>\n
                              * Used to immediately sign one or more elements in an XML message (non-soap)
                              \n– use Sign Element Assertion<\/em> for SOAP messages<\/p>\n
                              (Non-SOAP)Verify XML Element Assertion<\/h3><\/span>\n
                              * used to immediately verify one or more EncryptedData<\/em> elements in an XML message (non-soap)
                              \n* Supports the special prefix ‘local:<\/em>‘ in the ID attribute, for matching the namespace URI against the owning element rather than the attribute
                              \n* Context variables created:
                              \n– <prefix>.elementsVerified
                              \n– <prefix>.signatureMethodUris
                              \n– <prefix>.digestMethodUris
                              \n– <prefix>.signingCertificates
                              \n– <prefix>.signatureValues
                              \n– <prefix>.signatureElements<\/p>\n
                              Process RSTR Response Assertion<\/h3><\/span>\n
                              * Used to process RSTR response message to get the security context
                              \n* Context variables created:
                              \n– <prefix>.token
                              \n– <prefix>.createTime
                              \n– <prefix>.expiryTime
                              \n– <prefix>.serverEntropy
                              \n– <prefix>.fullKey
                              \n– <prefix>.keySize<\/p>\n
                              Protect Against Message Replay Assertion<\/h3><\/span>\n
                              * Used to protect Gateway against possible replay attacks
                              \n* Can be either cluster-wide (default) or per node
                              \n* Uses an internal reply ID
                              \n* Two modes:
                              \n– Default mode: reject if:
                              \n— dup creation times tamp in a msg
                              \n— expired time stamp
                              \n– creation time stamp is more than 30 days old
                              \n– Custom mode
                              \n* Considerations:
                              \n– place after an Authenticate User or Group<\/em> assertion to improve performance
                              \n– should not be used in any policy that will process messages from JMS destinations that are configured with the “On completion” acknowledgement mode without a specified failure queue<\/p>\n
                              \"layer7_policy_authoring_protectReplay_1\"<\/a><\/h6><\/span>\n
                              Require Encrypted Element Assertion<\/h3><\/span>\n
                              * Check that specific message elements are encrypted in target message
                              \n* Intended for use in a web service policy
                              \n– Supports WS-Sec 1.0\/1.1<\/em>
                              \n* Should be placed before the routing assertion in a policy when targeting the request message<\/p>\n
                              \"layer7_policy_authoring_requireEncrypt_1\"<\/a><\/h6><\/span>\n
                              Require Signed Element Assertion<\/h3><\/span>\n
                              * Check that specific message elements in the target message have been signed by the specified identity
                              \n* Intended for use in a web service policy
                              \n– Supports WS-Sec 1.0\/1.1<\/em>
                              \n* Context variable created:
                              \n– ${prefix.element}<\/em>: contains the signature element
                              \n– ${prefix.token.type}<\/em>: contains token type, i.e. Kerberos, sAML, SymmetricKey, X.509
                              \n– ${prefix.token.element}<\/em>: contains security token element, e.g. a binary security token
                              \n– ${prefix.token.attributes.*}<\/em>: contains token attributes (X.509: cert, SAML: issuer.certificate, subject.certificate, signing.certifcate)<\/p>\n
                              \"layer7_policy_authoring_requireSign_1\"<\/a><\/h6><\/span>\n
                              Require Timestamp Assertion<\/h3><\/span>\n
                              * Check for the presence of a timestamp in the target message:
                              \n– SOAP header contains a valid <wsu:Timestamp> element and the date contained is no more than one minute in the future
                              \n– an expiry date is present in the timestamp and that date is no more than one minute in the past
                              \n– an expiry time is present in the timestamp and the current time of the Gateway is no later than the <wsu:Created> time + the Maximum Expiry Time configured in this assertion or the request SOAP <wsu:Expires> time, whichever occurs earlier.
                              \n* Optionally check for security signature for all timestamps<\/p>\n
                              Sign Element Assertion<\/h3><\/span>\n
                              * Used to sign selected message elements in the target message<\/em>
                              \n– if target is response message, signing occur automatically
                              \n– if target is request message or message context variable, then the Add or Remove WS-Security<\/em> assertion must be added after the Encrypt Element<\/em> assertion in the policy to perform the signing
                              \n* Supports WS-Sec 1.0\/1.1<\/em><\/p>\n
                              \"layer7_policy_authoring_sign_1\"<\/a><\/h6><\/span>\n
                              Use WS-Security 1.1 Assertion<\/h3><\/span>\n
                              * Check that policy is compliant with WS-Security 1.1<\/em> including:
                              \n– the Use WS-Security 1.1 assertion
                              \n– at least one WS-Security signing\/encryption assertion enforced on the request (for example, Require WS-Security Signature Credentials, Require WS-Secure Conversation, Sign Element, Encrypt Element)
                              \n– at least one WS-Security signing\/encryption assertion acting on the response (for example, Add Timestamp, Sign Element, Encrypt Element)<\/p>\n
                              Message Routing Assertions<\/h2><\/span>\n
                              Add Header Assertion<\/h3><\/span>\n
                              * Used to add custom headers to a message that will either be sent out over HTTP or returned as the default HTTP response
                              \n* Will always succeed<\/p>\n
                              \"layer7_policy_authoring_addHeader_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_addHeader_2\"<\/a><\/h6><\/span>\n
                              Copy Request Message to Response Assertion<\/h3><\/span>\n
                              * Copies the inbound request exactly as it appears at the current point in the policy
                              \n– echo back request<\/p>\n
                              \"layer7_policy_authoring_echoRequest_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_echoRequest_2\"<\/a><\/h6><\/span>\n
                              Return Template Response to Requestor Assertion<\/h3><\/span>\n
                              * Used to define a message to be returned to the requestor
                              \n– useful for debugging messages<\/p>\n
                              \"layer7_policy_authoring_tempalteResponse_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_tempalteResponse_2\"<\/a><\/h6><\/span>\n
                              Route via FTP(S) Assertion<\/h3><\/span>\n
                              * Used to route requests to a backend FTP(S) server
                              \n– using passive mode FTP<\/p>\n
                              \"layer7_policy_authoring_routeFTP_1\"<\/a><\/h6><\/span>\n
                              Route via HTTP(S) Assertion<\/h3><\/span>\n
                              * Used defines
                              \n– where a web service or XML application message is sent
                              \n– what authentication credentials to use
                              \n* If client authentication is requested by a service, then
                              \n– Gateway will use its<\/strong> certificate for the SSL-TLS handshake
                              \n* Supports HTTP 1.1 standard
                              \n* Automatically added when using
                              \n– Publish SOAP Web Service Wizard
                              \n– Create WSDL Wizard
                              \n– Publish XML Application Wizard
                              \n* Notes:
                              \n– Requests are routed downstream using the same HTTP verb (i.e. GET, POST) as incoming request
                              \n– HTTP POST is always used if request message source is a context variable<\/p>\n
                              Target Tab<\/h4><\/span>\n
                              * URL: you can  use context variables in URL, e.g.
                              \n– ${request.http.header.sample-http-header}<\/em>
                              \n– http:\/\/${gateway.warehouse.hostname}\/ACMEWarehouseWS\/Service1.asmx<\/em>
                              \n* How IP addresses should be retrieved:
                              \n– Lookup IP Addresses in DNS
                              \n– Use the following IP addresses
                              \n– Use multiple URLs
                              \n* IP fail strategy
                              \n– Ordered Sticky with Failover
                              \n– Random Sticky with Failover
                              \n– Round Robin
                              \n* Connection timeout:
                              \n– defined by io.outConnectTimeout<\/em> cluster property
                              \n– defaults to 30 seconds
                              \n* Read timeout:
                              \n– defined by io.outTimeout<\/em> cluster property
                              \n– defaults to 60 seconds
                              \n* Maximum retries
                              \n– choose between 1 and 100
                              \n– defaults to 3
                              \n* Follow Redirects:
                              \n– check to instruct the Route via HTTP(S)<\/em> assertion to follow HTTP redirect responses from the downstream target.
                              \n– otherwise, redirect responses are sent back to the requestor.
                              \n* Assertion Outcome:
                              \n– Fail if target returns error status (>=400)
                              \n– Pass through SOAP faults with error status 500
                              \n– Never fail as long as target returns an answer<\/p>\n
                              \"layer7_policy_authoring_routeHTTP_URL\"<\/a><\/h6><\/span>\n
                              Security Tab<\/h4><\/span>\n
                              * Specify HTTP Credentials
                              \n* Use HTTP Credentials from Request
                              \n* Attach SAML Sender-Vouches
                              \n– enabled only for SOAP web service policies
                              \n* Send TAI (Trusted Association Interceptor) Header
                              \n* Use Windows Integrated
                              \n– use delegated credentials
                              \n– use Gateway Keytab
                              \n– use configured credendials
                              \n* TLS Version
                              \n* Current WSS Header Handling: specify how to handle security header
                              \n– Don’t modify the request Security header
                              \n– Remove Layer 7 actor and mustUnderstand attributes from processed Security header
                              \n– Remove processed Security header from request before routing
                              \n– Promote other security header as default before routing<\/p>\n
                              \"layer7_policy_authoring_routeHTTP_Security\"<\/a><\/h6><\/span>\n
                              Request HTTP Rules Tab<\/h4><\/span>\n
                              \"layer7_policy_authoring_routeHTTP_requestHTTPRules\"<\/a><\/h6><\/span>\n
                              Response HTTP Rules Tab<\/h4><\/span>\n
                              \"layer7_policy_authoring_routeHTTP_responseHTTPRules\"<\/a><\/h6><\/span>\n
                              Proxy Tab<\/h4><\/span>\n
                              \"layer7_policy_authoring_routeHTTP_proxy\"<\/a><\/h6><\/span>\n
                              Route via JMS Assertion<\/h3><\/span>\n
                              Route via MQ Native<\/h3><\/span>\n
                              Route via Raw TCP<\/h3><\/span>\n
                              * Used if the custom transport protocol “l7.raw.tcp<\/em>” has been configured for a listen port.
                              \n* This assertion acts as a client of the server-side transport:
                              \n– it will
                              \n— transmit the request,
                              \n— close the sending side,
                              \n— read the response (if possible),
                              \n— and then initialize the response message with a preconfigured Content-Type.
                              \n* This assertion will succeed if the raw TCP routing is successful.<\/p>\n
                              Route via SecureSpan Bridge<\/h3><\/span>\n
                              Route via SSH2<\/h3><\/span>\n
                              Logging, Auditing, and Alerts Assertions<\/h2><\/span>\n
                              Message Auditing<\/h3><\/span>\n
                              System Audits<\/h4><\/span>\n
                              * User has no control
                              \n* Internal messages
                              \n* Severity levels:
                              \n– Fine
                              \n– Finer
                              \n– Finest
                              \n* Always available in the audit event log<\/p>\n
                              Admin Audits<\/h4><\/span>\n
                              * User can control with cluster property:
                              \n– audit.adminThreshod<\/em><\/p>\n
                              Policy Message Audits<\/h4><\/span>\n
                              * User has full control
                              \n* Generated during the processing of a policy
                              \n* Defaults to Warning
                              \n* Cluster properties to control thresholds:
                              \n– audit.messageThreshold<\/em>
                              \n– audit.detailThreshold<\/em><\/p>\n
                              Expand the Scope of Policy Message Audits for Troubleshooting<\/h4><\/span>\n
                              * Add Audit Messages in Policy<\/em> assertion
                              \n– set its trigger severity level to Warning<\/em> which has results:
                              \n— Info <\/em>becomes Warning<\/em>
                              \n— Warning<\/em> remains Warning<\/em>
                              \n— Severe<\/em> remains Severe<\/em><\/p>\n
                              Add Audit Detail Assertion<\/h3><\/span>\n
                              * Used to define a custom message in audit message<\/p>\n
                              \"layer7_policy_authoring_auditDetail_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_auditDetail_2\"<\/a><\/h6><\/span>\n
                              Audit Messages in Policy Assertion<\/h3><\/span>\n
                              * Used to enable auditing of messages within a policy
                              \n* Records events related to the processing of a policy
                              \n– assertion violations
                              \n– authentication failures
                              \n– routing errors
                              \n* Events can be viewed in Gateway Audit Events window<\/p>\n
                              \"layer7_policy_authoring_auditMsgInPolicy_1\"<\/a><\/h6><\/span>\n
                              Capture Identity of Requestor Assertion<\/h3><\/span>\n
                              * Used to capture requestor’s identity for auditing or reporting:
                              \n– requestor’s IP address
                              \n– requestor’s authenticated user ID
                              \n– value from a context variable that contains identifying info abou the requestor
                              \n* Can define upto 5 mappings in a Capture Identity of Requestor<\/em> assertion<\/p>\n
                              \"layer7_policy_authoring_captureRequestorId\"<\/a><\/h6><\/span>\n
                              * Can be viewed in the Details<\/em> tab of the Gateway Audit Events window<\/p>\n
                              \"layer7_policy_authoring_captureRequestorId_2\"<\/a><\/h6><\/span>\n
                              Customize SOAP Fault Response Assertion<\/h3><\/span>\n
                              * Used to configure SOAP fault response on a policy-by-policy basis
                              \n* SOAP fault detail levels:
                              \n– Drop connection
                              \n– Generic SOAP fault
                              \n– Medium detail
                              \n– Full detail
                              \n– Template
                              \n* Must be placed within a message received<\/em> or pre security<\/em> global policy, i.e. at the beginning of the policy<\/p>\n
                              \"layer7_policy_authoring_customSOAPFault_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_customSOAPFault_2\"<\/a><\/h6><\/span>\n
                              Send Email Alert Assertion<\/h3><\/span>\n
                              \"layer7_policy_authoring_sendEmailAlerts\"<\/a><\/h6><\/span>\n
                              Send SNMP Trap<\/h3><\/span>\n
                              \"layer7_policy_authoring_sendSNMPTrap\"<\/a><\/h6><\/span>\n
                              Policy Logic Assertions<\/h2><\/span>\n
                              Threat Protection Assertions<\/h2><\/span>\n
                              Automatic Threat Protection<\/h3><\/span>\n
                              * Built-in protectino
                              \n* Cannot be disabled<\/p>\n
                              Protections<\/h4><\/span>\n
                              * All TCP\/IP based attacks, e.g.
                              \n– ICMP flood
                              \n– ping of death
                              \n– routing redirect style attacks
                              \n* Coercive Parsing and XML Bomb
                              \n* External Entity Attack
                              \n– Gateway does not resolve external entities by default
                              \n– Gateway can be configured using the Evaluate Request XPath<\/em> and Evaluate Response XPath<\/em> assertions to block all messages containing references to external entities.
                              \n* Schema poisoning
                              \n– Schema poisoning involves an attacker attempting to compromise a system by replacing or tampering with the schema.
                              \n– Gateway does not load schemas from unauthorized locations
                              \n– All schemas must be loaded by the admin
                              \n– Dynamic loading is not permitted
                              \n* WSDL Scanning
                              \n* XML Routing Detours<\/p>\n
                              Limit Message Size Assertion<\/h3><\/span>\n
                              * Used to specify a size limit for
                              \n– an entire message (including attachments)
                              \n– a port of XML message (not including attachments)
                              \n* Should be placed before the routing assertion in the policy<\/p>\n
                              \"layer7_policy_authoring_limitMsgSize\"<\/a><\/h6><\/span>\n
                              Protect Against Code Injection Assertion<\/h3><\/span>\n
                              \"layer7_policy_authoring_codeInjection\"<\/a><\/h6><\/span>\n
                              Protect Against Cross-Site Request Forgery (CSRF)<\/h3><\/span>\n
                              * Provides two mechanisms:
                              \n– double submit cookie validation: This can be used to validate the contents of a cookie that contains some session identifier, to see if it matches the same session identifier contained in a request parameter.
                              \n– HTTP referer validation:This can be used to ensure that the referer value belongs to a whitelist of domains. Although the referer domain is easily spoofed, this validation reduces the attack vectors for a CSRF attack.
                              \n* Context variable created:
                              \n– csrf.valid.token<\/strong> contains the value of the cookie<\/p>\n
                              \"layer7_policy_authoring_csrf\"<\/a><\/h6><\/span>\n
                              Protect Against Document Structure Threats Assertion<\/h3><\/span>\n
                              * Used to specify size limits for incoming XML requests
                              \n– protects against XDoS attacks using oversized files<\/p>\n
                              \"layer7_policy_authoring_XDoS\"<\/a><\/h6><\/span>\n
                              Protect Against Message Replay Assertion<\/h3><\/span>\n
                              see previous<\/a><\/p>\n
                              Protect Against SQL Attack Assertion<\/h3><\/span>\n
                              * Checks request message for patterns associated with potential SQL injection attacks<\/p>\n
                              \"layer7_policy_authoring_SQLInjection\"<\/a><\/h6><\/span>\n
                              Scan Using ICAP-Enabled Antivirus Assertion<\/h3><\/span>\n
                              * Allows Gateway to connect to an antivirus server that supports the ICAP protocol, such as McAfee\u00ae, Sophos\u00ae, or Symantec\u2122.
                              \n* Context variables created:
                              \n– icap.response.infected
                              \n– icap.response.header.names.X
                              \n– icap.response.header.values.X
                              \n– icap.response.header.values.X.headerName<\/p>\n
                              \"layer7_policy_authoring_antiVirus\"<\/a><\/h6><\/span>\n
                              Validate JSON Schema Assertion<\/h3><\/span>\n
                              * Used to validate JSON data against JSON schema:
                              \n– validate JSON data structure
                              \n– validate JSON data property type
                              \n– validate JSON data property values<\/p>\n
                              \"layer7_policy_authoring_validateJSON\"<\/a>
                              \n<\/h6>\n
                              Validate or Change Content Type Assertion<\/h3><\/span>\n
                              * Can be used to validate or change the Content-Type of any target message<\/p>\n
                              \"layer7_policy_authoring_contentType\"<\/a><\/h6><\/span>\n
                              Validate XML Schema Assertion<\/h3><\/span>\n
                              * Protect against:
                              \n– XML parameter tampering
                              \n– XDoS attacks
                              \n* Schema is provided by Gateway Admin
                              \n* WSDL contained schema can also be extracted and used
                              \n* A policy can contain multiple Validate XML Schema<\/em> assertions.
                              \n* Schema validation failure is captured in context variable ${chema.failure}<\/strong>
                              \n* Tarari Schema Validation Limitations
                              \n– can be used to accelerate schema validation<\/p>\n
                              \"layer7_policy_authoring_validateSchema_1\"<\/a><\/h6><\/span>\n
                              \"layer7_policy_authoring_validateSchema_2\"<\/a><\/h6><\/span>\n
                              Internal Assertions<\/h2><\/span>\n
                              Collect WSDM Metrics Assertion<\/h3><\/span>\n
                              * Used to collect metrics for a specified resource that is interoperable with the Web Services Distributed Management (WSDM) specification.
                              \n* Automatically added to a policy when the WSDM QosMetrics<\/em> internal service is published<\/p>\n
                              \"layer7_publish_WSDMQosMetrisSvc\"<\/a><\/h6><\/span>\n
                              \"layer7_publish_WSDMQosMetrisSvc_2\"<\/a><\/h6><\/span>\n
                              * This assertion forwards GetMultipleResourceProperties<\/em> requests to the Layer 7 implementation of the WSDM service
                              \n* Requires that the cluster property serviceMetrics.enabled<\/em> be set to true (default setting).
                              \n* Supported metrics:
                              \n– muws2:OperationalStatus
                              \n– mows:NumberOfRequests
                              \n– mows:NumberOfFailedRequests
                              \n– mows:NumberOfSuccessfulRequests
                              \n– mows:ServiceTime
                              \n– mows:MaxResponseTime
                              \n– mows:LastResponseTime
                              \n– qosm:Throughput
                              \n– qosm:AvgResponseTime<\/p>\n
                              Convert Audit Record to XML Assertion<\/h3><\/span>\n
                              * Converts current audit record into XML code as an in-memory DOM tree, overwriting the targeted message
                              \n* This assertion is designed to populate the request in an audit sink policy with some XML. The resulting XML is not enclosed in a SOAP envelope<\/p>\n
                              Handle UDDI Subscription Notification Assertion<\/h3><\/span>\n
                              Manage Gateway Assertion<\/h3><\/span>\n
                              * Processes the request as a management SOAP message
                              \n* Will populate the response message
                              \n* Automatically added to a policy when the Gateway Management internal service is published
                              \n* Context variables created:
                              \n– prefix.action
                              \n– prefix.entityType
                              \n– prefix.entityId
                              \n– prefix.message<\/p>\n
                              Subscribe to WSDM Resource Assertion<\/h3><\/span>\n
                              * Used to send subscription requests to a specific resouce that is interoperable with the DoD Joint Web Services Distributed Management (WSDM) specification.
                              \n* Automatically added to a policy when the WSDM Subscription internal service is published
                              \n* Recognizes three methods:
                              \n– Subscribe
                              \n– Renew
                              \n– Unsubscribe<\/p>\n
                              References<\/h2><\/span>\n
                              * Layer 7 Policy Authoring User Manual v6.2.pdf<\/p>\n","protected":false},"excerpt":{"rendered":"
                              Policy Fragments Overview * Used to group assertions * Can be used in any published service * Two types of policy fragments: – included policy fragments: need to be manually included in service policy – global policy fragments: will run … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[306],"tags":[630,404],"class_list":["post-9699","post","type-post","status-publish","format-standard","hentry","category-layer7","tag-layer7","tag-policy"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-2wr","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9699"}],"version-history":[{"count":31,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9699\/revisions"}],"predecessor-version":[{"id":9958,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9699\/revisions\/9958"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}