Copyright © Cloud Software Group, Inc. All Rights Reserved

Overview

TIBCO API Exchange Gateway allows you to secure a facade operation or a target operation using various types of security policies. This allows you to apply the policy to the incoming messages received from the service consumers and also apply the policy to the outgoing messages forwarded to the service providers. You can apply the policies at the endpoints of facade or target operations. See Types of Security Policies for the details on the supported policies.

Figure Security Enforcement EndPoints illustrates the security policy enforcement points in the standard request processing pipeline.

Figure 19 Security Enforcement EndPoints

Security Concepts

This section explains few terms required to understand how the policies can secure an incoming request or outgoing request.

Authentication

Authentication is a process of identifying the credential of the party who sent the request. TIBCO API Exchange Gateway supports the following types of authentication:

•

Basic

In the basic authentication, the credential used for authentication is obtained from the HTTP authorization header in the form of username and password. The username and password are authenticated against an LDAP authentication provider.

•	UsernameToken

In UsernameToken authentication, the credential used for authentication is the usernameToken obtained from the security header of the SOAP message. The username and password from the usernameToken are authenticated against an LDAP authentication provider.

•	Security Assertion Markup Language (SAML)

In SAML authentication, the credential used for authentication is the SAML assertion derived from the security header of the SOAP message. The SAML assertion is authenticated using an identity service provider.

•

X509

In X509 authentication, the credential used for authentication is the X509 certificate in the SAML assertion from the security header of the SOAP message. To use the X509 authentication, the SOAP message must be sent using X509 token profile. The SAML assertion is authenticated using an identity service provider.

•	SiteMinder

In SiteMinder authentication, the credential used for authentication is the SiteMinder session cookie or the username/password from the HTTP headers.

−	If no credential is found, a password challenge is returned to request for username/password.

−	If the HTTP headers has both SiteMinder session cookie and username/password, the SiteMinder session is used for authentication using the SiteMinder Service provider as specified in the policy.

−	If SiteMinder session cookie is not available but username/password is provided, username/password is used to authenticate with the SiteMinder server and the SM session cookie is added to the response after a successful authentication.

SiteMinder authentication policy can be applied to the requests received directly by the HTTP channel of Core Engine, not to the requests which are received through the Apache HTTP Server.

Authorization

Authorization is a process of authorizing the party who has been authenticated to access some resources and allowing the party to proceed with the incoming request. TIBCO API Exchange Gateway supports the authorization of a request on the basis of roles. When a request is authenticated, a SAML assertion is generated that may contains the roles as attributes of the SAML assertions. The roles in the SAML assertion may be originated as follows:

•	From the groups defined in the LDAP which is applicable for basic or usernameToken authentication.

•	From the authenticated SAML assertion which is applicable for SAML or X509 authentication.

Confidentiality

Confidentiality is a process to ensure that the data is accessible to the intended party only. To achieve this goal, the data is encrypted by the sender using a public certificate. The receiver decrypts the data using a private key before using the data.

Integrity

Integrity is a process to ensure that the data has not been tampered with. To achieve this goal, the data is signed by the party who sent the request and includes the signature along with a digital certificate in the request. The receiver can verify signature using the certificate to determine the integrity of the data received.

Credential Mapping

Credential Mapping is a process of propagating an identity to the outgoing request. The gateway propagates the credentials using usernameToken or SAML assertion.

Policy

A policy specifies how the gateway enforces the security constraints applied to facade or target operations. Each policy has an assertion to perform an intended security constraint such as authentication, authorization, confidentiality, integrity, or credential mapping. You must refer to following topics for details to understand the policy:

See Policy Use Cases for details on assertions for specific policy.

To enforce or process a policy at runtime, the gateway requires following external resources:

•	Authentication service providers

•	Identity service providers

•	Trust service providers

Shared Resource

Any provider such as Authentication service provider, Identity service provider or Trust service provider may be used by more than one policy. This means that these providers are shared among the policies as a collection of shared resources. A policy usually refers to a service provider as a resource instance. A policy views a specific service provider as a resource instance which is configured as a shared resource.

A shared resource is a configured resource that may be used by one or more policy. For example, If you configure a resource instance named LdapAspRI, the same resource can be used for LDAP authentication as well as WSS authentication.

See Define Shared Resource Properties File for the list of shared resource that are applicable to specific type of policy.

Policy Types And Subtypes

The following table lists the policy types and subtypes supported by TIBCO API Exchange Gateway ..

Table 101 Policy Types and SubTypes

Policy Type	Policy Subtype	Endpoints
Authentication	− Basic − UsernameToken − SAML − SiteMinder − OAuth	• Facade Operation
Authorization	− Role	• Facade Operation
Integrity	− Sign − Verify Signature	• Facade Operation • Target Operation
Confidentiality	− Encrypt − Decrypt	• Facade Operation • Target Operation
Credential Mapping	− Basic − UsernameToken − SAML − OAuth	• Target Operation

Copyright © Cloud Software Group, Inc. All Rights Reserved