Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 11 Security Policies : Types of Security Policies
Types of Security Policies
This section explains the following types of security policies supported by TIBCO API Exchange Gateway .
Authentication
An authentication policy determines how to authenticate the users. An authentication policy requires that the incoming request must provide the identities of the sender so that the gateway will authenticate those identities before processing the request.
You can define an authentication policy for a client to require that target services must authenticate the client’s identity before processing a request. A client authentication policy is usually applied at target services.
TIBCO API Exchange Gateway supports following types of authentication policies:
Basic
When the client sends the username and password in the HTTP basic authentication header of the request message, you can enforce a basic authentication policy to authenticate the client’s identity. The basic authentication policy authenticates the username and password in the client request against LDAP Authentication service provider and generates SAML 2.0 assertion which is forwarded to the TIBCO API Exchange Gateway .
UsernameToken
The UsernameToken authentication policy authenticates the username and password specified with the usernameToken in the client request message using a specified LDAP shared resource.
* 
TIBCO API Exchange Gateway supports UsernameToken authentication policy with the password digest using WSS processor for LDAP server. Use the password digest for UsernameToken authentication policy as follows:
The LDAP server must save plain text passwords which are available to the administrative user.
Use the OpenLDAP LDAP server.
SAML
TIBCO API Exchange Gateway provides SAML authentication policy which allows you to authenticate the credentials in the SAML assertion from the security header of the SOAP message. The SAML assertion is authenticated using an identity service provider shared resource.
X509
TIBCO API Exchange Gateway provides the X509 security policy so that the target operations with SOAP bindings can authenticate the consumer's identity using the consumer's X509 signature. The consumer’s identity is authenticated using an identity service provider shared resource.
See following policies:
BasicAuthentication.policy
AuthenticationByUsernameToken.policy
AuthenticationBySaml.policy
SiteMinder
TIBCO API Exchange Gateway provides the SiteMinder security policy so that the target operations with HTTP bindings can authenticate the consumer's identity using the SiteMinder session cookie. The consumer’s identity is authenticated using an SiteMinder service provider shared resource.
See AuthenticationBySiteMinder.policy.
OAuth
TIBCO API Exchange Gateway provides the authentication by OAuth policy. The authentication by OAuth policy ensures that any access to a target operation with this policy enforced must be authenticated by an OAuth authorization server. The authorization server used is specified in the policy along with the client ID and client secret registered with an OAuth authorization server.
See AuthenticationbyOAuth Policy.
Authorization
TIBCO API Exchange Gateway supports following authorization policies:
Role
Authorization by role policy of TIBCO API Exchange Gateway provides a way to authorize the user based on the role.
See Authorization By Role Policy.
Confidentiality
TIBCO API Exchange Gateway enforces the confidentiality of the data in the requests and responses as follows:
Decrypts the encrypted data in the facade request.
Encrypts the data in the target request to forward to any external target operation.
Encrypts the data in the target response.
See following policies:
Encryption.policy
Decryption.policy
Integrity
TIBCO API Exchange Gateway ensures the integrity of inbound and outbound requests by virtue of Integrity policy in following ways:
Verify the signatures of the users of the incoming facade request.
Sign the request to forward to any external target operation.
Sign the facade response.
See following policies:
Sign
Verify Signature
CredentialMapping
TIBCO API Exchange Gateway can map the credentials of the subject from the authenticated principal in the form of SAML assertion, or can map the username and password in the security header or the HTTP Authorization header by virtue of Credential mapping policies.
TIBCO API Exchange Gateway supports following policies for credential mapping:
Basic
usernameToken
SAML
OAuth
See following policies:
CredentialMappingByUsernameToken Policy
CredentialMappingBySAML Policy
Credential Mapping by OAuth Policy
Credential Mapping By OAuth
TIBCO API Exchange Gateway supports the credential mapping by OAuth policy. The policy generates the access token using the credentials configured in the policy. The credential mapping uses the OAuth password credential or client credential authorization flow to obtain the access token required to access the protected target operation, therefore, the previous authentication or authorization is not needed.
Copyright © Cloud Software Group, Inc. All Rights Reserved
Copyright © Cloud Software Group, Inc. All Rights Reserved