Security Context Propagation from TIBCO ActiveMatrix Policy Manager
ActiveMatrix BusinessWorks allows you to define security policies and associate them with web services so that the policies are applied to inbound and/or outbound messages. You can now choose not to apply inbound policies in ActiveMatrix BusinessWorks, because ActiveMatrix BusinessWorks can instead consume the security context propagated from TIBCO ActiveMatrix Policy Manager.
ActiveMatrix BusinessWorks can now propagate the security context information sent by TIBCO ActiveMatrix Policy Manager and map it to appropriate fields of the security context in ActiveMatrix BusinessWorks. The security context information is available only when a policy is applied and the information is sent by TIBCO ActiveMatrix Policy Manager.
ActiveMatrix Policy Manager sends the security information as an XML document, carried as an HTTP header when HTTP transport is used, or as a JMS message property when JMS transport is used. In both cases the header or property name is com.tibco.security.userinformation.
When an ActiveMatrix BusinessWorks Service resource or SOAP Event Source activity receives such a message, it parses the XML document from the header and exposes the result in its Output tab.
ActiveMatrix BusinessWorks propagates the incoming security context to all outbound invokes by adding the security information as an HTTP header in the case of HTTP transport, or as a JMS message property in the case of JMS transport. The following figure shows the Authentication Certificate Information and Signature Certificate Information as seen in the Output tab of a SOAP Event Source activity. In this case, ActiveMatrix Policy Manager had applied the Authentication Signature inbound policy.
Security Context in SOAP Event Source activity Output tab
Enabling security context propagation from TIBCO Policy Manager
You can enable security context propagation from TIBCO Policy Manager by selecting the Expose Security Context checkbox available on the Configuration tab of the Service resource or the SOAP Event Source activity using either HTTP or JMS transport.
ActiveMatrix BusinessWorks can propagate two types of security context information from ActiveMatrix Policy Manager:
- Authentication Username Token - For this policy, ActiveMatrix BusinessWorks propagates only the Username value, because TIBCO ActiveMatrix Policy Manager does not give out the complete Username Token, only the Username. The Password and Password Type values in the security context are therefore empty.
- Authentication Certificate Information and Signature Certificate Information - For this policy, ActiveMatrix BusinessWorks propagates the certificate information, consisting of Subject_DN, Issuer_DN, Serial No and the encoded certificate.
Available Security Contexts in ActiveMatrix BusinessWorks
The following table lists the inbound policies available in Policy Manager and the corresponding policies in ActiveMatrix BusinessWorks.
Inbound Policy in ActiveMatrix Policy Manager | Available Security Context in ActiveMatrix BusinessWorks
Authentication - IMS | Authentication Username Token
Crypto - Check Signature | Signature Certificate Information
Authentication Signature and Crypto - Check Signature | Authentication Certificate Information and Signature Certificate Information
Authentication Signature | Authentication Certificate Information and Signature Certificate Information
Authentication - IMS and Crypto - Check Signature | Authentication Username Token and Signature Certificate Information
Authentication - IMS and Crypto - Encrypt and Decrypt | Authentication Username Token and Signature Certificate Information
Limitations to Security Context Propagation from TIBCO ActiveMatrix Policy Manager
The security context types that ActiveMatrix BusinessWorks propagates are subject to the following limitations:
- For the Authentication Username Token policy, only the Username value is available. The Password and Password Type values are empty, because ActiveMatrix Policy Manager gives out only the Username in the security context.
- ActiveMatrix BusinessWorks does not propagate any extra information given out by ActiveMatrix Policy Manager. For example, User Role and User Attributes supplied by ActiveMatrix Policy Manager are not propagated.
- ActiveMatrix Policy Manager does not propagate the Transport Security Context received from the client. Hence, when the security context is propagated from ActiveMatrix Policy Manager, the Transport Security Context node in ActiveMatrix BusinessWorks is never populated with the client's transport security context.
- Signature using Username Token is not available in ActiveMatrix Policy Manager. As a result, it cannot be supported by ActiveMatrix BusinessWorks when using ActiveMatrix Policy Manager.
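The following Python script is an added example, not TIBCO code, that models the header handling described above (receiving the com.tibco.security.userinformation XML document, mapping it onto the security-context fields, and re-emitting it for outbound invokes) together with the limitations listed in this section (only the Username survives, Role/Attribute data is dropped, the Transport Security Context is never populated). The page does not publish the XML schema, so the element names used here (UserInformation, Username, Role, Attribute, AuthenticationCertificate, SignatureCertificate, SubjectDN, IssuerDN, SerialNumber, Encoded) and the sample header value are assumptions constructed for the example. The code also assumes, as the deployment must, that the header can only have been set by Policy Manager; it performs no verification of its own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

SECURITY_HEADER = "com.tibco.security.userinformation"

# Constructed sample of a header value (assumed schema; not captured from a
# real Policy Manager). Role and Attribute stand in for the "extra information"
# that the documentation says is not propagated.
SAMPLE_HEADER_XML = """<UserInformation>
  <Username>alice</Username>
  <Role>orders-reader</Role>
  <Attribute name="department">finance</Attribute>
  <SignatureCertificate>
    <SubjectDN>CN=alice,OU=Finance,O=Example Corp,C=US</SubjectDN>
    <IssuerDN>CN=Example Issuing CA,O=Example Corp,C=US</IssuerDN>
    <SerialNumber>1234567890</SerialNumber>
    <Encoded>MIIBconstructedBase64PlaceholderNotARealCertificate==</Encoded>
  </SignatureCertificate>
</UserInformation>"""


@dataclass
class CertificateInfo:
    subject_dn: str
    issuer_dn: str
    serial_no: str
    encoded_certificate: str


@dataclass
class SecurityContext:
    username: str = ""
    password: str = ""        # stays empty: Policy Manager sends only the Username
    password_type: str = ""   # stays empty for the same reason
    authentication_certificate: Optional[CertificateInfo] = None
    signature_certificate: Optional[CertificateInfo] = None
    transport_security_context: Optional[Dict[str, str]] = None  # never filled from Policy Manager


def _certificate(node: Optional[ET.Element]) -> Optional[CertificateInfo]:
    """Map one assumed certificate element onto Subject_DN, Issuer_DN, Serial No, encoded cert."""
    if node is None:
        return None
    return CertificateInfo(
        subject_dn=node.findtext("SubjectDN", ""),
        issuer_dn=node.findtext("IssuerDN", ""),
        serial_no=node.findtext("SerialNumber", ""),
        encoded_certificate=node.findtext("Encoded", ""),
    )


def parse_policy_manager_context(xml_text: str) -> SecurityContext:
    """Map the Policy Manager XML onto the security-context fields.

    Only Username and the two certificate blocks are mapped; Role and Attribute
    elements are deliberately not read, mirroring the documented limitation.
    The header arrives from the network, so a production parser should be
    hardened against entity-expansion attacks (e.g. defusedxml) as well.
    """
    root = ET.fromstring(xml_text)
    ctx = SecurityContext()
    ctx.username = root.findtext("Username", "")
    ctx.authentication_certificate = _certificate(root.find("AuthenticationCertificate"))
    ctx.signature_certificate = _certificate(root.find("SignatureCertificate"))
    return ctx


def security_context_from_headers(headers: Dict[str, str]) -> Optional[SecurityContext]:
    """Find the header case-insensitively (HTTP header names are) and parse it."""
    for name, value in headers.items():
        if name.lower() == SECURITY_HEADER:
            return parse_policy_manager_context(value)
    return None  # no inbound policy was applied upstream: nothing to expose


def serialize_context(ctx: SecurityContext) -> str:
    """Re-emit only the propagated fields, so dropped Role/Attribute data never leaves."""
    root = ET.Element("UserInformation")
    ET.SubElement(root, "Username").text = ctx.username
    for tag, cert in (("AuthenticationCertificate", ctx.authentication_certificate),
                      ("SignatureCertificate", ctx.signature_certificate)):
        if cert is None:
            continue
        node = ET.SubElement(root, tag)
        ET.SubElement(node, "SubjectDN").text = cert.subject_dn
        ET.SubElement(node, "IssuerDN").text = cert.issuer_dn
        ET.SubElement(node, "SerialNumber").text = cert.serial_no
        ET.SubElement(node, "Encoded").text = cert.encoded_certificate
    return ET.tostring(root, encoding="unicode")


def outbound_security_info(ctx: SecurityContext, transport: str) -> Dict[str, Dict[str, str]]:
    """Attach the context to an outbound invoke as an HTTP header or a JMS property."""
    xml_text = serialize_context(ctx)
    if "\r" in xml_text or "\n" in xml_text:
        # ET escapes markup characters but not line breaks; refuse header injection.
        raise ValueError("security context contains line breaks; refusing to emit it as a header")
    if transport == "http":
        return {"headers": {SECURITY_HEADER: xml_text}}
    if transport == "jms":
        return {"properties": {SECURITY_HEADER: xml_text}}
    raise ValueError(f"unsupported transport: {transport}")


if __name__ == "__main__":
    inbound = {"Content-Type": "text/xml", "Com-Tibco-Security-Userinformation": SAMPLE_HEADER_XML}
    ctx = security_context_from_headers({SECURITY_HEADER: SAMPLE_HEADER_XML, **inbound})
    print(ctx)
    print(outbound_security_info(ctx, "http"))
```

Running the script prints a context whose Username is populated while Password and Password Type stay empty, a Signature Certificate Information block, no Authentication Certificate Information (the sample only carries a signature certificate), and an outbound header that no longer contains the Role or Attribute values from the inbound document.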