Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 10 Authentication and Authorization: Partner Authorization Overview

Partner Authorization Overview
TIBCO API Exchange Gateway authorizes a request through the following steps:
Operation Identification
When a client sends a request to TIBCO API Exchange Gateway, the gateway identifies the operation as follows:
For SOAPJMS requests, the operation is identified from the SoapAction header of the JMS message. The SoapAction of the facade operation must be configured with a value that matches the value of the JMS SoapAction header.
For ESB requests, the operation is identified from the Operation header of the JMS message. The SoapAction of the facade operation must be configured as /ESB/[Operation], where [Operation] matches the value of the JMS Operation header.
The operation details are configured in the Facade Operations tab of the Config UI.
Partner Identification
TIBCO API Exchange Gateway uses the Partner Serial number and Partner Issuer CA from the header fields of the incoming request to uniquely identify the partner. The gateway maps the authenticated users from the transport headers to validate the identified partner in the gateway configuration repository.
The Partner Serial Number and Partner Issuer CA are configured on the PARTNER > Partners tab of the Config UI for a project configuration.
For example, for HTTP(S) transport, the partner is identified as follows:
If no user is specified in the incoming request, the Core Engine treats the request as coming from an anonymous user, which is not authenticated. The Core Engine looks up the partner name defined by the tibco.clientVar.ASG/anonymous/PartnerName/Authenticated property in the ASG_CONFIG_HOME/asg.properties file. The Core Engine matches the value of this property against the value of the Partner Name field under the Partners tab on the Config UI. If the two values match, the Core Engine continues processing the request.
For example, the property is defined in the ASG_CONFIG_HOME/asg.properties file as follows:
   tibco.clientVar.ASG/anonymous/PartnerName/Authenticated=anon_partner
To process unauthenticated requests in which no user is specified, configure a partner named anon_partner under the PARTNER > Partners tab on the Config UI.
If the values do not match, the Core Engine rejects the partner with an Authorization error.
By default, the gateway provides an anon partner to handle the requests from unauthenticated users.
If the Core Engine receives the request over mutual SSL authentication, the partner is identified by the certificate issuer and serial number of the certificate retrieved from the SSL headers.
The Core Engine retrieves the user name and issuer CA from the request headers and matches them against the Partner Serial Number and Partner Issuer CA fields under the Partners tab on the Config UI.
If the values do not match, the Core Engine rejects the partner with an Authorization error.
Partner Authorization
After the operation and the partner are identified, TIBCO API Exchange Gateway validates that the identified partner is authorized to invoke the operation. Set up the configuration details under the PARTNER > Facade Access tab of the Config UI, where you specify the operations that the identified partner is allowed to access.
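The three-step flow above (operation identification, partner identification, then the Facade Access check), as an added model written for this page; it is not TIBCO API Exchange Gateway code. The header names X-Partner-Serial and X-Partner-IssuerCA, the partner and operation values, and the asg.properties excerpt are constructed assumptions.

```python
# Added model of the partner authorization flow described above; it is not
# TIBCO API Exchange Gateway code. Header names and sample values are constructed.
ANON_PROPERTY = "tibco.clientVar.ASG/anonymous/PartnerName/Authenticated"
ASG_PROPERTIES = ANON_PROPERTY + "=anon_partner\n"  # constructed asg.properties excerpt

CONFIG = {
    # Facade Operations tab: SoapAction -> operation name
    "facade_ops": {"urn:GetQuote": "GetQuote", "/ESB/GetOrder": "GetOrder"},
    # Partners tab: partner name -> (Partner Serial Number, Partner Issuer CA)
    "partners": {"acme": ("1234", "CN=Example CA"), "anon_partner": (None, None)},
    # Facade Access tab: partner name -> operations the partner may invoke
    "facade_access": {"acme": {"GetQuote", "GetOrder"}, "anon_partner": {"GetQuote"}},
}

def load_properties(text):
    """Parse key=value lines of an asg.properties-style excerpt."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def identify_operation(transport, headers, facade_ops):
    """SOAPJMS: SoapAction header; ESB: /ESB/<Operation header>; unknown -> None."""
    if transport == "ESB":
        key = "/ESB/" + headers["Operation"] if "Operation" in headers else None
    else:  # SOAPJMS carries the SoapAction to match directly
        key = headers.get("SoapAction")
    return facade_ops.get(key)

def identify_partner(headers, partners, props):
    """Match serial/issuer CA (assumed header names); no user -> anonymous partner."""
    serial = headers.get("X-Partner-Serial")
    issuer = headers.get("X-Partner-IssuerCA")
    if serial is None:
        anon = props.get(ANON_PROPERTY)
        return anon if anon in partners else None
    for name, (p_serial, p_issuer) in partners.items():
        if serial == p_serial and issuer == p_issuer:
            return name
    return None  # serial or issuer mismatch: authorization error

def authorize(transport, headers, config=CONFIG, properties=ASG_PROPERTIES):
    """Return (decision, reason): operation, then partner, then Facade Access."""
    op = identify_operation(transport, headers, config["facade_ops"])
    if op is None:
        return ("reject", "unknown operation")
    partner = identify_partner(headers, config["partners"], load_properties(properties))
    if partner is None:
        return ("reject", "authorization error: partner not identified")
    if op not in config["facade_access"].get(partner, set()):
        return ("reject", "authorization error: %s may not invoke %s" % (partner, op))
    return ("allow", "%s -> %s" % (partner, op))
```

Note that an anonymous request only succeeds when the property value names a configured partner and that partner is granted the operation on the Facade Access tab; a serial number that matches with a different issuer CA is rejected as a partner mismatch.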
