Copyright © Cloud Software Group, Inc. All Rights Reserved

Manage Policies

This section explains the configuration setup required to manage the policies by TIBCO API Exchange Gateway . The gateway allows you to configure various types of policies to support authentication, authorization, integrity, confidentiality and credential mapping.

TIBCO API Exchange Gateway provides sample template policy files for all types of supported policies at the following location: ASG_CONFIG_HOME/default/policy. Table Sample Template Policies lists the sample template policy files for each supported policy.

To manage policies in TIBCO API Exchange Gateway product, you must do the following configuration setup:

•	Define the shared resources. See Configure Shared Resource.

•	Create policies for the intended usage. See Create Policy.

•	Register the policies to the system. See Register Policy.

•	Apply the policies to target operation. See Apply Policy.

Perform the following steps to manage any policy:

Configure Shared Resource

You may configure an appropriate shared resource before you can create a policy. The table Types of Security Shared Resources explains the types of shared resources supported by TIBCO API Exchange Gateway product.

To configure a shared resource, perform the following steps:

Define Shared Resource Properties File

This section explains how to define the properties files required for the shared resource configuration.

TIBCO API Exchange Gateway provides the sample configuration file for the shared resources for each of the security type profile. It is recommended to use the sample files as templates and edit the properties as per your requirement. See Shared Resources Properties for details of properties for each supported shared resource.

Sample Files

 

• The property files for various supported shared resources are located under: ASG_CONFIG_HOME/default/security/resource • See Shared Resources Properties Sample Files for sample file for each shared resource.

Register Shared Resource with TIBCO API Exchange Gateway

The Shared Resources tab on the configuration allows you to register the shared resources with TIBCO API Exchange Gateway.

To configure a shared resource, follow these steps:

1.	Start the Config UI server, if not already started. See Starting GUI.

2.	Create a new project or select an existing project under Projects.

3.	Click the SECURITY tab on the right hand side.

4.	Click Shared Resources tab on top menu.

5.	Enter the details for shared resource defined as follows:

Table 102 Shared Resource Name Configuration

Parameter	Description
New Resources File	A new property file which defines the Shared Resources configuration. See Shared Resources Properties for details
Existing Resources Files	Select a configuration file of Shared Resource configuration. See Shared Resources Properties for details

•	Save changes to the project.

• The shared resource name is defined in the properties file by the following property: com.tibco.governance.sharedresource.name For example, the shared resource name is defined in the properties file as follows: com.tibco.governance.sharedresource.name=LdapAsp • The shared resource name from the properties file must match the shared resource name in the policy file defined by ResourceInstance property. <tpa:SharedResourceLoginModule ResourceInstance="LdapAsp"/>

Create Policy

To create a policy, perform the following steps:

Define Shared Resource For a Policy

Before you create a policy, make sure that you have created the appropriate shared resource properties file for that policy. See Configure Shared Resource for details.

You must define the correct shared resource for a specific policy. For example, you must define LDAP shared resource for username token authentication policy.

Following table lists the shared resource required for a specific policy.

Table 103 Policy And Shared Resource Property File

Policy	Shared Resource	Shared Resource Property File (Resource Files)
• UsernameToken authentication • Basic authentication	LDAP Shared Resource	Properties for LDAP Authentication Shared Resource
SAML Authentication	WSS Shared Resource	WssAsp.properties
SiteMinder Authentication	Siteminder Shared Resource	Properties for SiteMinder Service Provider
Sign	Subject Shared Resource	Properties for Subject Identify Provider (SIP)
Decryption	Subject Shared Resource	Properties for Subject Identify Provider (SIP)
Verify Signature	Trust shared resource	Properties for Trust Identify Provider (TIP)
Encryption	Trust shared resource	Properties for Trust Identify Provider (TIP)
Credential Mapping • UsernameToken • SAML	• UsernameToken - Password identity provider • Keystore - Password identity provider • SAML - Subject Identity Provider

Create Policy File

You can create any supported policy file in the following ways:

a.	Copy a sample template file from the following location:

ASG_CONFIG_HOME/default/policy

b.	Edit the parameters in the file as required. For example, you must change the ResourceInstance parameter to match the shared resource name defined in the properties file.

      ResourceInstance="LdapAsp".

• Policy must be a well formed WS policy. • All the resource instances in the policy must be defined in the shared resource. properties file.

Sample Template Policy Files

Following table lists the policy template (sample) file for each of the supported policy:

Table 104 Sample Template Policies

Policy Type	Template File
Authentication	Basic Authentication Policy BasicAuthentication.policy
	Username token Authentication Policy AuthenticationByUsernameToken.policy
	SAML Authentication Policy AuthenticationBySaml.policy
	SiteMinder Authentication Policy AuthenticationBySiteMinder.policy
	OAuth Authentication Policy AuthenticationbyOAuth Policy
Authorization	Authorization By Role Policy Authorization By Role Policy
		Confidentiality	Decryption policy Decryption.policy
			Encryption policy Encryption.policy
				Integrity	Sign policy Sign.policy
					VerifySignature policy VerifySignature.policy
CredentialMapping	UsernameToken Credential Mapping UsernameToken Credential Mapping
	SAML Credential Mapping SAML Credential Mapping
	OAuth Credential Mapping CredentialMappingByOAuth.policy

Register Policy

You can register a policy on the Config UI by uploading a policy file and set the name for a policy.

To register a policy, follow these steps:

1.	Start the Config UI, if not running.

2.	Create a new project or select an existing project under Projects.

3.	Click the SECURITY tab on the right hand side.

4.	Click the Policy Mapping tab on the top menu.

5.	Click the Add Property icon to add a new policy mapping.

6.	Enter the following parameters for the policy:

Table 105 Policy Mapping Parameters

Type	Description
Policy Name	• Specifies the name for the policy. • Required.
Type	Set the type of the policy. For example, Authentication. See Policy Types and SubTypes. See Types of Security Policies for details.
SubType	Set the policy sub type. For example, UsernameToken See Policy Types and SubTypes. See Types of Security Policies for details.
New Policy File	Specifies the policy definition file. Browse to choose a new policy file. See Create Policy to create the policy definition file.
Existing Policy File	Specifies an existing policy definition file. The policy file must exist in the gateway ASG_CONFIG_HOME/configuration/policy folder. For example, for the default configuration, the policy file must exist in the ASG_CONFIG_HOME/default/policy folder.

7.	Save changes to the project or configuration.

Apply Policy

This section explains the steps to apply any registered policy to a target operation or reference endpoints. Policy Binding allows you to associate the policy with one or more target operation endpoints.

You can apply a policy on the Config UI by associating an existing policy to a target operation or reference endpoint as follows:

To apply a policy, follow these steps:

1.	Start the Config UI, if not running.

2.	Create a new configuration or select an existing configuration.

3.	Click the SECURITY tab on the right hand side.

4.	Click the Policy Binding tab on the top menu.

5.	Click the Add Property icon to add a new policy binding.

6.	Enter the following parameters for the policy:

Type	Description
Policy	Specifies a name for the policy. The policy name must be configured under Policy Mapping tab.
URI	Specifies the URI of the operation to which the policy is applied.
Transport	Specifies the transport of the request. For example, HTTP, JMS, or SOAP.
facade Operation	Specifies the operation to which the policy is applied. The facade operation must be configured in the facade Operations tab.
Binding	Specifies the binding component that the policy is applied to. This could be either a facade operation (service) or a target operation (reference).
Flow	Specifies the flow of the request. Possible values are in or out.
Target Operation	Specifies the target operation. The target operation must be configured in the Target Operations tab.

7.	Save changes to the project or configuration.

Copyright © Cloud Software Group, Inc. All Rights Reserved