TIBCO ActiveMatrix® Policy Director Administration
Software Release 2.0.0
November 2014
Document Updated: January 2015
Two-Second Advantage®

Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE "LICENSE" FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO and Two-Second Advantage are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries. Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the U.S. and other countries. All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME. THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2010-2015 TIBCO Software Inc. ALL RIGHTS RESERVED.
TIBCO Software Inc. Confidential Information

Contents

Figures ... 4
TIBCO Documentation and Support Services ... 5
Governance Overview ... 6
Object Groups ... 7
Governance Controls Overview ... 8
  Authentication ... 9
  Authorization ... 10
  Confidentiality ... 10
  Integrity ... 10
  Credential Mapping ... 10
Applying Security Policies to TIBCO ActiveMatrix BusinessWorks™ 6.2 Applications ... 11
  Setting Up Governance for TIBCO ActiveMatrix BusinessWorks ... 12
Governance Control Management ... 16
  Using Sample Python Scripts ... 16
  Creating a Policy ... 16
  Creating a Resource ... 16
  Creating a TIBCO ActiveMatrix BusinessWorks™ Application Object Group ... 17
  Creating a Governance Control ... 17
  Supported Policies ... 17
Governance Control Reference ... 20
  Basic Authentication ... 20
  Basic Credential Mapping ... 20
  Authentication by Kerberos ... 21
  Authentication by SiteMinder ... 21
  Authorization by Role ... 21
  WSS Consumer ... 21
  WSS Provider ... 22
  Policy Status List ... 22

Figures

Interaction of TIBCO ActiveMatrix Policy Director and TIBCO ActiveMatrix BusinessWorks 6 ... 11
Basic Authentication ... 20

TIBCO Documentation and Support Services

All TIBCO documentation is available on the TIBCO Documentation site, which can be found here: https://docs.tibco.com

Product-Specific Documentation

The following documents for this product can be found in the TIBCO Documentation Library:

● Installation and Configuration
● Administration

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support as follows:

● For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site: http://www.tibco.com/services/support
● If you already have a valid maintenance or support contract, visit this site: https://support.tibco.com
  Entry to this site requires a user name and password.
  If you do not have a user name, you can request one.

How to Join TIBCOmmunity

TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to: http://www.tibcommunity.com

Governance Overview

Enforcing policies in an enterprise requires performing a fixed set of tasks involving managing resources, object groups, and governance controls. To enforce a security policy, you need the appropriate resources and object groups. The following tasks need to be performed:

1. Define the required resources.
2. Define the object groups.
3. Create the governance controls.
4. Manage the governance controls.

Object Groups

An object group is a user-defined set of governed objects. You can assign governed objects to a group of similar governed objects to manage and use them as a unit at run time.

Object Groups and Object Group Types

A governed object can be a logical object, such as a TIBCO ActiveMatrix BusinessWorks™ application, or a physical object, such as a TIBCO ActiveMatrix BusinessWorks™ AppNode. An object group always contains governed objects of the same type. For example, an object group can consist of all TIBCO ActiveMatrix BusinessWorks™ application instances that belong to a TIBCO ActiveMatrix BusinessWorks™ domain. TIBCO ActiveMatrix® Policy Director currently supports only the TIBCO ActiveMatrix BusinessWorks™ application instance object group type.

Defining Object Groups

You can define object groups in two ways:

● Fixed, with governed objects that are explicitly added and do not change.
● Dynamic, or defined by criteria, with governed objects that move in and out of the group as they meet the standards set for membership.

When an object group is dynamic, you can apply the appropriate governance policies to any governed object that the system discovers in the future.

Ways to Use Object Groups

Use an object group to combine governed objects that have the same governance requirements and to apply the same policies to that group. After you create an object group by combining governed objects with the same governance requirements, you can apply the same policies to the whole group. For example, you can apply an encryption policy to all finance applications (policies are enforced on services).

Governance Controls Overview

TIBCO ActiveMatrix® Policy Director allows you to secure services using various types of security policies. Each governance control is designed to perform an intended policy action such as authentication, authorization, confidentiality, integrity, credential mapping, or logging. You can apply the policies to incoming messages received from service consumers and to outgoing messages sent to service providers. The policies are applied at the endpoints.

You require the following external resources to enforce a policy at run time:

● Authentication service providers
● Identity service providers
● Trust service providers

Any of the above providers may be configured and shared among the policies as resources. For example, if you configure a resource named sampleLdap, the same resource can be used for LDAP authentication as well as WSS authentication.
TIBCO ActiveMatrix® Policy Director provides the following types of policies:

Policy Types

Category           | Policy                                                     | Applies To
Authentication     | Basic, Username Token, SAML, SiteMinder, Kerberos (SPNEGO) | Service
Authorization      | Role                                                       | Service
Confidentiality    | Encrypt, Decrypt                                           | Service, Reference
Integrity          | Sign, Verify Signature                                     | Service, Reference
Credential Mapping | Basic, Username Token, SAML                                | Reference
Audit              | Logging                                                    | Service, Reference
Message Delivery   | WS Reliable Messaging, WS Addressing                       | Service, Reference

Authentication

Authentication is the process of identifying the credential of the user who sent the request. A user requires proof of identity before trust is established with the server. There are different types of authentication:

● Basic: The credential used for authentication is obtained from the HTTP Authorization header in the form of a username and password. The username and password are authenticated against an LDAP authentication provider.
● Username Token: The credential used for authentication is the usernameToken obtained from the security header of the SOAP message. The username and password from the usernameToken are authenticated against an LDAP authentication provider.
● Security Assertion Markup Language (SAML): The credential used for authentication is the SAML assertion derived from the security header of the SOAP message. The SAML assertion is authenticated using an identity service provider.
● X509: The credential used for authentication is the X509 certificate from the security header of the SOAP message. To use X509 authentication, the SOAP message must be sent using the X509 token profile. The SAML assertion is authenticated using an identity service provider.
● Kerberos (SPNEGO): Kerberos is an authentication protocol for client-server applications. SPNEGO provides a mechanism for extending Kerberos to web applications using the standard HTTP protocol.
● SiteMinder: SiteMinder provides policy-based authentication and single sign-on for all web-based applications. It can be used along with IdentityMinder, which manages user profiles, and TransactionMinder, which provides access to web services.

Authorization

Authorization is the process of permitting a user who has been authenticated to access certain resources, and allowing the user to proceed with the incoming request. Authorization of a request is supported based on roles. When a request is authenticated, a SAML assertion is generated that may contain the roles as attributes of the SAML assertion. The roles in the SAML assertion may originate as follows:

● From the groups defined in LDAP, which applies to Basic or Username Token authentication.
● From the authenticated SAML assertion, which applies to SAML authentication.

Confidentiality

Confidentiality ensures that the data is accessible only to the intended user. Data is encrypted by the sender using a public certificate. The receiver decrypts the data using a private key before using the data.

Integrity

Integrity ensures that the data has not been tampered with. The data is signed by the party who sends the request, which includes the signature along with a digital certificate. The receiver can verify the signature using the certificate to determine the integrity of the data received.

Credential Mapping

Credential Mapping is used to propagate an identity to the outgoing request using a usernameToken or SAML assertion.
Credential mapping supports the following policies:

● Basic
● Username Token
● SAML

Applying Security Policies to TIBCO ActiveMatrix BusinessWorks™ 6.2 Applications

Using TIBCO ActiveMatrix® Policy Director, you can apply security policies to TIBCO ActiveMatrix BusinessWorks applications. TIBCO ActiveMatrix Policy Director offers dynamic policy-based governance to TIBCO ActiveMatrix BusinessWorks, which allows you to manage and enforce security policies separately from the TIBCO ActiveMatrix BusinessWorks application implementation and deployment.

TIBCO ActiveMatrix® Policy Director includes support for TIBCO Enterprise Administrator (TEA). Administration capabilities for TIBCO ActiveMatrix Policy Director are enabled in TEA through a TEA agent embedded within the TIBCO ActiveMatrix Policy Director server.

TIBCO ActiveMatrix® Policy Director also works with TIBCO Security Server installed with TEA. TIBCO Security Server manages resources such as LDAP, keystores, and Trust and Identity Providers.

The TIBCO ActiveMatrix Policy Director server deploys policies to Governance Agents (Policy Enforcement Points) running within each TIBCO ActiveMatrix BusinessWorks AppNode. The figure below provides an overview of how the components within TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix BusinessWorks (Enterprise mode), and TIBCO Enterprise Administrator interact with each other to manage and provide security policies for a TIBCO ActiveMatrix BusinessWorks application.

[Figure: Interaction of TIBCO ActiveMatrix Policy Director and TIBCO ActiveMatrix BusinessWorks 6]

Setting Up Governance for TIBCO ActiveMatrix BusinessWorks

The Governance Lifecycle Event Listener within the bwagent and the Governance Agent within each AppNode are disabled by default. You must enable them by setting properties within their respective config.ini files.

Prerequisites

● You must have the following software installed:
  — TIBCO ActiveMatrix BusinessWorks™ 6.2 and its Hotfix 2
  — TIBCO Enterprise Message Service™ 7.0 or greater
  — TIBCO® Enterprise Administrator Version 2.1 or greater
  — TIBCO ActiveMatrix® Policy Director 2.0
● The following software must be running:
  — TIBCO Enterprise Message Service server
  — TEA server
  — TIBCO Security Server
  — TIBCO ActiveMatrix Policy Director server
● You must have Python installed and configured to communicate with the TEA server. Refer to the TIBCO® Enterprise Administrator Installation Guide for details on configuring Python.

To apply security policies to TIBCO ActiveMatrix BusinessWorks applications, do the following:

1. In TIBCO ActiveMatrix BusinessWorks:
   a. Make sure that the bwagent is configured for Enterprise mode.
   b. Enable and configure the Governance Lifecycle Event Listener in the bwagent.
   c. Enable and configure the Governance Agents in the AppNodes of an AppSpace.
2. In TIBCO Security Server:
   a. Create resources using TIBCO Security Server.
3. In TIBCO ActiveMatrix Policy Director:
   a. Create the governance control in TIBCO ActiveMatrix Policy Director.

Ensuring that bwagent is Configured for Enterprise Mode

Verify that the bwagent is configured in Enterprise mode. To do so:

1. Open the \6.2\config\bwagent.ini file.
2. Verify that the bw.admin.mode property is set to the following:

   bw.admin.mode=enterprise

Enabling and Configuring the Governance Lifecycle Event Listener in bwagent

The TIBCO ActiveMatrix Policy Director server listens to lifecycle events on the bwagent, such as application deploy or undeploy, so that it can discover applications on which to enforce policies.
To enable and configure the Governance Lifecycle Event Listener properties for the bwagent, perform the following steps.

For the TIBCO ActiveMatrix Policy Director server to receive lifecycle events, ensure that the bw.governance.jms.* properties in the bwagent.ini file correspond correctly with the bw.governance.jms.* properties in the jms.conf file located in the \tibco\cfgmgmt\pd\conf directory. For the server to deploy policies to the AppSpace and receive notifications from the Governance Agents running in the AppNodes, ensure that the bw.governance.jms.* properties in the AppSpace config.ini correspond correctly with the bw.governance.jms.* properties in the jms.conf file located in the \tibco\cfgmgmt\pd\conf directory.

1. Stop the bwagent if it is running, using the following command:

   bwagent -x stop

2. Open one of the JSON files, bwagent_db.json or bwagent_as.json, located in \config (Windows) or ${BW_HOME}/config (Unix), and update it as follows:
   ● Set the governanceenabled property to true.
   ● Configure the remaining Governance Lifecycle Event Listener properties in the JSON file according to your environment.
   Use the bwagent_db.json file if the bwagent is configured to use an external database for data persistence and TIBCO Enterprise Message Service as the communication transport. Use the bwagent_as.json file if the bwagent is configured to use TIBCO ActiveSpaces® for both data persistence and communication transport.

3. Run the following command to create the bwagent.ini file in the correct location.
   ● If you updated the bwagent_db.json file, run:
     \bin>bwadmin config -cf ../config/bwagent_db.json agent
   ● If you updated the bwagent_as.json file, run:
     \bin>bwadmin config -cf ../config/bwagent_as.json agent

4. Start the bwagent by running the following command:

   bwagent -x startagent

For the TIBCO ActiveMatrix BusinessWorks applications that were deployed before you enabled the Governance Lifecycle Event Listener and the Governance Agent, use the TIBCO ActiveMatrix Policy Director utilities located in \tea\agents\pd\2.0\samples\utilities to apply ad hoc changes.

Enabling the Governance Agents in the AppNodes of an AppSpace

Each AppNode in TIBCO ActiveMatrix BusinessWorks includes a Governance Agent, which interacts with TIBCO ActiveMatrix Policy Director to enforce policies for TIBCO ActiveMatrix BusinessWorks applications. The Governance Agents are disabled by default. To apply security policies, you must enable these Governance Agents and configure the environment as described below.

To enable governance on an AppSpace, configure the Governance Agent properties for the AppSpace by following these steps:

1. Copy the existing AppSpace configuration file, appspace_config.ini (located in the root of the AppSpace folder), or the AppSpace configuration template file, appspace_config.ini_template (located in \config\), to a temporary location. Do not modify the original AppSpace configuration file, config.ini (located in the root of the AppSpace folder), or the AppSpace configuration template file, appspace_config.ini_template. Instead, make changes to the copy of the file in the temporary location.

2. Edit the configuration file in the temporary location to set the following properties. If TIBCO ActiveMatrix Policy Director is already set up, ensure that the JMS server properties specified in the AppSpace configuration file match the JMS server configured in the TIBCO ActiveMatrix Policy Director server.

# ------------------------------------------------------------------------
# Section: BW Governance Agent & SPM Configuration. The properties in
# this section are applicable to Governance Agent and the Governance SPM
# EventSubscriber that is executed within a BW AppNode.
# ------------------------------------------------------------------------

# Enable or disable the governance agent. This property is optional and
# it specifies whether the governance agent should be enabled or disabled
# in the AppNode. The supported values are: true or false. The default
# value is "false".
bw.governance.enabled=true

# BW Governance Agent JMS URL. This property is optional and it is used
# to specify the JMS server URL used to communicate with the
# TIBCO Policy Director Administrator. If this property is not set, then
# the BW Governance agent will not attempt to connect to the JMS server.
# The URL is expected to start with 'tcp://' or 'ssl://' and the failover
# URLs can be specified as a ',' or '+' separated list.
bw.governance.jms.server.url=tcp://localhost:7222

# BW Governance Agent JMS User Name. This property is required if the
# Governance Agent JMS URL is specified.
bw.governance.jms.server.username=admin

# BW Governance Agent JMS User Password. This property is required if the
# Governance Agent JMS URL is specified.
bw.governance.jms.server.password=

# BW Governance Agent JMS SSL connection trust store type. This property
# is required if the JMS server protocol is ssl. The supported values are
# 'JKS' and 'JCEKS'. The default value is 'JKS'.
bw.governance.jms.ssl.trust.store.type=JKS

# BW Governance Agent JMS SSL connection trust store location. This
# property is required if the JMS server protocol is ssl.
bw.governance.jms.ssl.trust.store.location=

# BW Governance Agent JMS SSL connection trust store password. This
# property is required if the JMS server protocol is ssl. The password
# may be clear text or supplied as an obfuscated string.
bw.governance.jms.ssl.trust.store.password=

# BW Governance Agent JMS Connection attempt count. This property is
# required if the Governance Agent JMS URL is specified and it specifies
# the number of JMS connection attempts the Governance Agent will make.
# The default value is '120'.
bw.governance.jms.reconnect.attempt.count=120

# BW Governance Agent JMS Connection attempt timeout. This property is
# required if the Governance Agent JMS URL is specified and it specifies
# the timeout between the attempts to reestablish the connection to the JMS
# server. The default value is '500'.
bw.governance.jms.reconnect.attempt.timeout=500

# BW Governance Agent JMS Connection attempt delay. This property is
# required if the Governance Agent JMS URL is specified and it specifies
# the delay in milliseconds between attempts to reestablish the
# connection to the JMS server. The default value is '500'.
bw.governance.jms.reconnect.attempt.delay=500

# BW Governance Agent JMS receiver queue name. This property is required
# if the Governance Agent JMS URL is specified and it specifies the
# receiver queue name for the governance agent and administrator
# communication. The default value is 'queue.bw.governance.agent.bw.default'.
bw.governance.jms.queue.receiver.name=queue.governance.agent.bw.default

# BW Governance Agent JMS sender queue name. This property is required
# if the Governance Agent JMS URL is specified and it specifies the
# sender queue name for the governance agent and administrator
# communication. It must match the value specified in the Policy Director
# Administrator configuration.
# The default value is 'governance.de.bw.default'.
bw.governance.jms.queue.sender.name=governance.de.bw.default

# BW Governance Agent JMS JNDI custom property. This property is optional
# and it provides the ability to specify a custom property for the
# JMS JNDI Initial Context. For example, to provide a custom property
# called "myProperty" for the JNDI Initial Context, specify
# a property "bw.governance.jms.application.property.myProperty=".
#bw.governance.jms.application.property.=

# BW Governance Agent Shared Resource lookup. This property is optional
# and it provides the ability for the Governance Agent to look up shared
# resources.
# bw.governance.sr.WSSConfiguration=com.tibco.trinity.runtime.core.provider.authn.wss

3. Run the following command to push the configuration to the AppSpace:

   bwadmin[admin] > config -d -a -cf /

4. Restart the AppNode and AppSpace from the TIBCO ActiveMatrix BusinessWorks agent user interface in TEA.

Creating Governance Control

You must create the governance controls before applying policies. Make sure that your TEA server, TIBCO Security Server, and TIBCO ActiveMatrix Policy Director server are running before creating the governance controls. To create governance controls, follow these steps:

1. Create an object group that identifies the group of applications on which you want to apply the policies. Refer to Creating a TIBCO ActiveMatrix BusinessWorks™ Application Object Group.
2. Configure your resources, for example an LDAP resource, a keystore resource, or any other resource required for your policy. Refer to Creating a Resource.
3. Tie the object groups to the resources using the governance control. Refer to Creating a Governance Control.

Refer to the Governance Control Management section in this guide for details.

Deploying Policies on an Application

To deploy a policy on an application, do the following:

1. In the TEA web user interface (http://localhost:8777/tea/), click the TIBCO ActiveMatrix Policy Director agent card.
2. Click the Governance Controls link or icon in the left vertical pane.
3. Click the link for the policy under the Name column.
4. Click deploy in the list of commands above the Summary tab.
5. Click the deploy button.
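Before pushing the edited copy of the AppSpace configuration in the setup steps above, it is worth checking it mechanically. The following Python script is an added example written for this page, not one of the TIBCO sample scripts: it parses a copy of the AppSpace config.ini together with the Policy Director jms.conf and reports a disabled agent, bw.governance.jms.* values that differ between the two files, missing credentials, and an ssl:// URL without the trust store settings it requires. The file contents are constructed samples, and which keys jms.conf carries is an assumption.

```python
"""Check the bw.governance.* settings of an AppSpace config.ini copy against the
Policy Director jms.conf. Added example, not a TIBCO script; samples constructed."""
from urllib.parse import urlsplit

# Constructed AppSpace configuration with several mistakes.
APPSPACE_CONFIG_BAD = """\
bw.governance.enabled=false
bw.governance.jms.server.url=ssl://pd-host.example.internal:7243
bw.governance.jms.server.username=admin
bw.governance.jms.server.password=
bw.governance.jms.ssl.trust.store.type=PKCS12
bw.governance.jms.ssl.trust.store.location=
bw.governance.jms.queue.receiver.name=queue.governance.agent.bw.default
bw.governance.jms.queue.sender.name=governance.de.bw.prod
#bw.governance.jms.application.property.=
"""

# The same file corrected (placeholder values, not real secrets).
APPSPACE_CONFIG_GOOD = """\
bw.governance.enabled=true
bw.governance.jms.server.url=ssl://pd-host.example.internal:7243
bw.governance.jms.server.username=admin
bw.governance.jms.server.password=PASSWORD_PLACEHOLDER
bw.governance.jms.ssl.trust.store.type=JKS
bw.governance.jms.ssl.trust.store.location=/opt/tibco/certs/pd-truststore.jks
bw.governance.jms.ssl.trust.store.password=TRUSTSTORE_PASSWORD_PLACEHOLDER
bw.governance.jms.queue.receiver.name=queue.governance.agent.bw.default
bw.governance.jms.queue.sender.name=governance.de.bw.default
"""

# Constructed jms.conf lines from the Policy Director server. Which keys that
# file carries is an assumption; only keys present in both files are compared.
PD_JMS_CONF = """\
bw.governance.jms.server.url=ssl://pd-host.example.internal:7243
bw.governance.jms.queue.receiver.name=queue.governance.agent.bw.default
bw.governance.jms.queue.sender.name=governance.de.bw.default
"""


def parse_properties(text):
    """Parse key=value lines; blank and '#' lines (commented-out keys) are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_governance_config(appspace_text, jms_conf_text):
    """Return (code, message) findings; an empty list means complete and consistent."""
    app = parse_properties(appspace_text)
    pd = parse_properties(jms_conf_text)
    findings = []

    # The agent is disabled by default, so a missing or false value silently
    # leaves every policy unenforced in this AppNode.
    if app.get("bw.governance.enabled", "false").lower() != "true":
        findings.append(("AGENT_DISABLED", "bw.governance.enabled is not true"))

    url = app.get("bw.governance.jms.server.url", "")
    if not url:
        findings.append(("NO_JMS_URL", "no JMS URL; the agent will not connect"))
        return findings

    # Failover URLs are a ',' or '+' separated list; each must be tcp:// or ssl://.
    schemes = {urlsplit(u).scheme for u in url.replace("+", ",").split(",") if u}
    unsupported = sorted(schemes - {"tcp", "ssl"})
    if unsupported:
        findings.append(("BAD_URL_SCHEME", f"unsupported scheme(s): {unsupported}"))

    # Username and password are required whenever a JMS URL is set.
    for key in ("bw.governance.jms.server.username", "bw.governance.jms.server.password"):
        if not app.get(key):
            findings.append(("MISSING_REQUIRED", f"{key} is required with a JMS URL"))

    # An ssl:// URL additionally needs a trust store of a supported type.
    if "ssl" in schemes:
        ts_type = app.get("bw.governance.jms.ssl.trust.store.type", "JKS")
        if ts_type not in ("JKS", "JCEKS"):
            findings.append(("BAD_TRUSTSTORE_TYPE", f"{ts_type!r} is not JKS or JCEKS"))
        for key in ("bw.governance.jms.ssl.trust.store.location",
                    "bw.governance.jms.ssl.trust.store.password"):
            if not app.get(key):
                findings.append(("MISSING_SSL_PROP", f"{key} is required for ssl://"))

    # Every bw.governance.jms.* key defined on both sides must agree, or the
    # agent and the server end up on different servers or queues.
    for key in sorted(set(app) & set(pd)):
        if key.startswith("bw.governance.jms.") and app[key] != pd[key]:
            findings.append(("MISMATCH", f"{key}: {app[key]!r} != {pd[key]!r}"))
    return findings


if __name__ == "__main__":
    for code, message in check_governance_config(APPSPACE_CONFIG_BAD, PD_JMS_CONF):
        print(f"{code}: {message}")
    print("corrected:", check_governance_config(APPSPACE_CONFIG_GOOD, PD_JMS_CONF))
```

Run it against the real files by reading them into the two strings; a non-empty result means the AppSpace copy should be fixed before step 3 pushes it.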
Governance Control Management

Governance control management involves creating resources, object groups, and governance controls, and deploying them appropriately. You can create governance controls and perform actions such as synchronize, display, copy, delete, deploy, activate, and deactivate on policies either from the TIBCO® Security Server web user interface (from within the TEA user interface) or by running the appropriate sample Python script bundled with TIBCO ActiveMatrix® Policy Director.

Using Sample Python Scripts

TIBCO ActiveMatrix® Policy Director comes bundled with sample Python scripts that you can use as a starting point to create resources, object groups, and governance controls.

Creating a Policy

To create a policy, use the sample Python scripts that come bundled with TIBCO ActiveMatrix® Policy Director. You must modify the scripts according to your environment before using them. Creating a policy involves the following steps:

Procedure
1. Create the necessary resource for the policy.
2. Create a TIBCO ActiveMatrix BusinessWorks™ application object group.
3. Create a governance control.

Creating a Resource

The first step when creating a policy is to create the one or more resources that the policy will use. To create a resource, do the following:

Procedure
1. Modify the appropriate sample script according to your environment and save it.
2. Run the script using the command python3 .
3. Verify that the resource has been created by going to http://localhost:8777/tea in a browser and navigating to the TIBCO® Security Server user interface. You should see your newly created resource there.
Applying Subsequent Changes Made to a Resource to the Policy That Uses That Resource

If a TIBCO Security resource is changed after it is used by any policy, the following utility (Python script) must be run to push the changes to the affected Governance agents:

/ samples/utilities/registerResourceUpdateEvent.py

In the script, specify the resource name and its type, for example:

pd.notifySecuritySRUpdate('SampleLdapAuthNResource', 'LdapAuthNResource')

where 'SampleLdapAuthNResource' is the resource name and 'LdapAuthNResource' is the resource type. Valid resource types are listed in the sample script. The resource type for a particular resource can also be found in the TEA UI on the resource object page.

Creating a TIBCO ActiveMatrix BusinessWorks™ Application Object Group

Policies created in TIBCO ActiveMatrix® Policy Director can be applied to groups of applications called object groups.

Procedure
1. Edit the script \tea\agents\pd\2.0\samples\objectGroup\createBW6ApplicationGroup.py according to your environment.
2. In a terminal window, change directory to \tea\agents\pd\2.0\samples\ObjectGroup and run python3 createBW6ApplicationGroup.py.
3. Verify that the object group has been created by going to http://localhost:8777/tea in a browser and navigating to the TIBCO ActiveMatrix® Policy Director user interface. You should see your newly created object group there.

Creating a Governance Control

Use the sample Python scripts bundled with TIBCO ActiveMatrix® Policy Director to create a governance control. To create a governance control using the sample Python scripts, do the following:

Prerequisites
1. Make sure that you have created the resource(s) needed for the policy.
2. Make sure that you have created a TIBCO ActiveMatrix BusinessWorks™ Application Object Group.

Procedure
1. 
Edit the appropriate script in the \tea\agents\pd\2.0\samples\governanceControl\authentication\ directory according to your environment. Refer to the Readme in the directory for instructions on how to edit the script.
2. In a terminal window, change directory to \tea\agents\pd\2.0\samples\governanceControl\authentication\ and run python3 .
3. Verify that the governance control has been created by going to http://localhost:8777/tea in a browser and navigating to the TIBCO ActiveMatrix® Policy Director user interface. You should see your newly created governance control there.
4. Click Deploy.

Supported Policies

TIBCO ActiveMatrix® Policy Director currently supports the following policies. Create the policies using the sample Python scripts bundled with TIBCO ActiveMatrix® Policy Director. The scripts to create each policy are located in the locations stated in the sections for each policy below.

Basic Authentication Policy

Use these scripts to do the following steps to create a Basic Authentication policy. Refer to the corresponding text file in the \tea\agents\pd\2.0\samples\readme folder for details on this policy.

1. Create an LDAP Resource: \tea\agents\pd\2.0\samples\resources
2. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
3. Create a Governance Control: \tea\agents\pd\2.0\samples\governanceControls\authentication

Username Token Authentication Policy

Use these scripts to do the following steps to create a Username Token Authentication policy. Refer to the corresponding text file in the \tea\agents\pd\2.0\samples\readme folder for details on this policy.
1. Create an LDAP Resource: \tea\agents\pd\2.0\samples\resources
2. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
3. Create a Governance Control: \tea\agents\pd\2.0\samples\governanceControls\authentication

SiteMinder Authentication Policy

Use these scripts to do the following steps to create a SiteMinder authentication policy:

1. Create a SiteMinder Resource: \tea\agents\tss\1.0\samples\resourceManagerService\siteminder
2. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
3. Create a Governance Control: \tea\agents\pd\2.0\samples\governanceControls\wssProvider

SPNEGO-Based Kerberos Policy

Use these scripts to do the following steps to create a SPNEGO-Based Kerberos policy:

1. Create a Kerberos Resource: \tea\agents\tss\1.0\samples\resourceManagerService\kerberos
2. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
3. Create a Governance Control: \tea\agents\pd\2.0\samples\governanceControls\wssProvider

SAML Authentication Policy

Use these scripts to do the following steps to create a SAML Authentication policy. Refer to the corresponding text file in the \tea\agents\pd\2.0\samples\readme folder for details on this policy.

1. Create a WSS Processor Resource: \tea\agents\pd\2.0\samples\resources
2. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
3. Create a Governance Control: \tea\agents\pd\2.0\samples\governanceControls\wssProvider

Authorization By Role Policy

Use these scripts to do the following steps to create an Authorization By Role policy. This policy does not need a resource; however, it must be paired with an authentication policy.

1. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
2. Create an Authorization Governance Control: \tea\agents\pd\2.0\samples\governanceControls\authorization

WSS Provider Policy

Use these scripts to do the following steps to create a WSS Provider policy.
Refer to the corresponding text file in the \tea\agents\pd\2.0\samples\readme folder for details on this policy.

1. Create a WSS Authentication Resource: \tea\agents\pd\2.0\samples\resources
2. Create an Object Group: \tea\agents\pd\2.0\samples\objectGroups
3. Create a WSS Provider Governance Control: \tea\agents\pd\2.0\samples\governanceControls\wssProvider

Governance Control Reference

Governance control policies are broadly categorized into the following types: security, WS-addressing, and reliability.

Basic Authentication

Basic authentication is a security policy that ensures that a consumer request is validated based on the credentials in the HTTP header.

Policy Requirement
  Policy: Basic Authentication
  Resources:
    ● LDAP Authentication
  Object Group Types: BW Application instance (enforced on SOAP/HTTP, REST/HTTP)

Basic Credential Mapping

Basic Credential Mapping is a policy that ensures that the credentials in the consumer request are validated once and propagated across domains. Credentials are mapped using a password identity provider. The identity extracted from the password identity is inserted as HTTP Basic Authentication in the outgoing request. It is applicable to the following endpoints:

Policy Requirement
  Policy: Credential Mapping
    ● Basic
    ● Username Token
  Resource:
    ● Identity Provider
    ● Keystore provider
  Object Group Types: BW Application instance

Authentication by Kerberos

Authentication by Kerberos is a security policy that ensures that consumer requests provide their credentials as Special Negotiation (SPNEGO) tokens using Kerberos authentication.
Policy Requirement
  Policy: Kerberos (SPNEGO)
  Shared Resource:
    ● Kerberos Authentication resource
  Object Group Types: BW Application instance (enforced on SOAP/HTTP, REST/HTTP)

Authentication by SiteMinder

Authentication by SiteMinder is a security policy that ensures that the consumer credentials are validated as username tokens using the SiteMinder protocol.

Policy Requirement
  Policy: SiteMinder
  Shared Resource:
    ● SiteMinder Authentication
  Object Group Types: BW Application instance

Authorization by Role

Authorization by Role is a security policy that ensures that a request is authorized based on the role used in the Security Assertion Markup Language (SAML) tokens.

Policy Requirement
  Policy: Authorization by Role
  Shared Resource: Does not need a resource; however, it must be paired with an authentication policy.
  Object Group Types: BW Application instance (enforced on SOAP/HTTP, REST/HTTP)

WSS Consumer

This policy facilitates processing of the WS-Security header in the response message. WSS Consumer acts on the Reference side to ensure that the confidentiality, integrity, and timestamp of a request remain secure. To maintain confidentiality, a response is decrypted at its endpoint. To maintain integrity, the response is verified for a valid signature. To track the time of the response, a timestamp is inserted in the response.

To maintain confidentiality, the policy can be configured so that an outbound request is encrypted and an inbound response is decrypted at its endpoint. To maintain integrity, the outbound request can be signed and the signature verified in the inbound response. You can also insert a timestamp in an outbound request and verify the timestamp in the inbound response. You also have the option to attach credentials to the outbound request.
Policy Requirement
  Policy: WSS Consumer
  Shared Resource:
    ● WSS Authentication
    ● Trust Provider
    ● Identity Provider
  Object Group Types: BW Application instance

Use the sample Python scripts bundled with TIBCO ActiveMatrix® Policy Director to create a WSS Consumer policy.

WSS Provider

The WSS Provider policy acts on the Server side to ensure that the confidentiality, integrity, and timestamp of a request remain secure. To maintain confidentiality, a request is encrypted at its endpoint. To maintain integrity, the request is verified for a valid signature. To track the time of the request, a timestamp is inserted in the request.

Policy Requirement
  Policy: WSS Provider
  Shared Resource:
    ● WSS Authentication
  Object Group Types: BW Application instance

Policy Status List

A policy can have multiple statuses throughout its life cycle.

Value: Description
Draft: A policy is in the Draft state when it is being configured in TIBCO ActiveMatrix Policy Director and the Distribution Engine has not yet dispatched it to an agent.
Deployed: A policy is in the Deployed state when it is residing on an agent and the agent has all the information related to the policy. When you deploy a policy for the first time, it is automatically activated.
Activated: A policy is in the Activated state when it is residing on an agent and the agent has enforced the policy on the selected object groups.
Deactivated: A policy is in the Deactivated state when it is residing on an agent but the agent has stopped enforcing the policy on the selected object groups.
Undeployed: A policy is in the Undeployed state when the policy is not residing on an agent.
DeployError: The DeployError status is displayed when deploying a policy on some or all of the members of the object group fails.
DeploySuccessful: The DeploySuccessful status is displayed when deploying a policy on all the members of the object group was successful.
out-of-sync: When the targeted configuration of a policy, or the resource instances associated with the policy, is not synchronized with the deployed configuration, the status is displayed as out-of-sync.
In-sync: When the targeted configuration of a policy, or the resource instances associated with the policy, is synchronized with the deployed configuration, the status is displayed as in-sync.
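The Basic Authentication policy described in the Governance Control Reference validates the credentials carried in the HTTP Authorization header against an LDAP Authentication resource. The following added example (written for this page, not code from TIBCO ActiveMatrix Policy Director or its sample scripts) shows the checks an enforcement point of that kind has to perform: parsing the RFC 7617 header, rejecting malformed input, and comparing a password hash in constant time while doing the same amount of work for unknown users. The LDAP resource is replaced by a constructed in-memory directory with a static salt; the user, password, realm and header names are all assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-in for the LDAP Authentication resource: a directory of
# user-ids mapped to salted PBKDF2 password hashes. A real enforcement point
# binds to LDAP instead; the static salt is only for a self-contained demo.
_SALT = b"constructed-static-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


DIRECTORY = {
    "alice": _hash_password("correct horse battery staple", _SALT),  # constructed user
}


class BasicAuthError(Exception):
    """Raised for any reason the request cannot be authenticated."""


def parse_basic_credentials(headers):
    """Return (user-id, password) from an RFC 7617 Authorization header.

    Every malformed shape (missing header, other scheme, bad base64,
    non-UTF-8 bytes, no ':' separator, empty user-id) is rejected explicitly.
    """
    value = headers.get("Authorization")
    if value is None:
        raise BasicAuthError("missing Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise BasicAuthError("unsupported or malformed authentication scheme")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise BasicAuthError("credentials are not valid base64 UTF-8") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise BasicAuthError("credentials must be user-id:password")
    return user, password


def authenticate(headers, directory=DIRECTORY):
    """Return the authenticated user-id or raise BasicAuthError."""
    user, password = parse_basic_credentials(headers)
    candidate = _hash_password(password, _SALT)
    stored = directory.get(user)
    if stored is None:
        # Same hashing cost and a compare for unknown users, so response time
        # does not reveal whether the user-id exists in the directory.
        hmac.compare_digest(candidate, candidate)
        raise BasicAuthError("invalid credentials")
    if not hmac.compare_digest(candidate, stored):
        raise BasicAuthError("invalid credentials")
    return user


def check_request(headers):
    """Return (HTTP status, response headers) as the enforcement point would.

    Failures all map to 401 with a challenge; the reason is not echoed back.
    """
    try:
        user = authenticate(headers)
        return 200, {"X-Authenticated-User": user}
    except BasicAuthError:
        return 401, {"WWW-Authenticate": 'Basic realm="governed-service", charset="UTF-8"'}


def make_basic_header(user, password):
    """Build the header a consumer would send (used to exercise the checks)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(check_request(make_basic_header("alice", "correct horse battery staple")))
    print(check_request(make_basic_header("alice", "wrong")))
    print(check_request({"Authorization": "Bearer not-basic"}))
```

The 401 path deliberately returns the same challenge for a missing header, a malformed token and a wrong password; distinguishing those cases in the response is useful only to the caller, not to the service, and the detail belongs in the enforcement point's own log.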
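The Authorization by Role policy in the reference above authorizes a request from the role carried in a SAML token and relies on a paired authentication policy to have validated the token first. The following added example (not part of the product or its sample scripts) shows the authorization half of that split: it reads the roles from an assertion's AttributeStatement, refuses an assertion outside its Conditions validity window, and grants access only when a required role is present. The assertion is constructed for this page and omits the signature, which the paired authentication policy is assumed to have verified; the attribute name "Role" and the role values are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "Role"  # assumption: attribute name agreed with the token issuer

# Constructed SAML 2.0 assertion for the demo. Signature omitted: in the
# product this token would already have passed the authentication policy.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2014-11-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-11-01T09:55:00Z" NotOnOrAfter="2014-11-01T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>order-reader</saml:AttributeValue>
      <saml:AttributeValue>order-writer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the whole-second UTC form used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_roles(assertion_xml, now_iso):
    """Return (subject NameID, set of roles) for an assertion valid at now_iso.

    Raises ValueError when the document is not a SAML 2.0 assertion, has no
    Conditions, or is outside its NotBefore/NotOnOrAfter window.
    """
    now = _parse_time(now_iso)
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML 2.0 assertion")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no validity window")
    if now < _parse_time(cond.get("NotBefore")) or now >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    roles = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            for val in attr.findall("saml:AttributeValue", SAML_NS):
                if val.text and val.text.strip():
                    roles.add(val.text.strip())
    return subject, roles


def authorize(assertion_xml, required_roles, now_iso):
    """Deny by default: True only for a valid assertion holding a required role."""
    try:
        _, roles = extract_roles(assertion_xml, now_iso)
    except (ValueError, ET.ParseError):
        return False
    return bool(roles & set(required_roles))


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, {"order-writer"}, "2014-11-01T10:00:00Z"))  # True
    print(authorize(SAMPLE_ASSERTION, {"admin"}, "2014-11-01T10:00:00Z"))         # False
```

A parse error, a missing validity window and a missing role all collapse to a deny; the only way to get an allow is a well-formed assertion, inside its window, that lists one of the roles the governance control requires.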
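Both WSS policies above include a timestamp check: WSS Provider verifies the timestamp in an inbound request and WSS Consumer verifies the one in an inbound response. The following added example (written for this page, not code from the product) shows what that check involves on the receiving side: locate wsu:Timestamp inside the wsse:Security header, require both Created and Expires, tolerate a bounded clock skew, reject a message whose Created lies in the future or whose Expires has passed, and cap the lifetime a sender may claim so that a long-lived message cannot be replayed for hours. The SOAP envelope, the skew of 60 seconds and the 300-second maximum lifetime are constructed values for illustration; the namespaces are the WS-Security 1.0 ones.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed inbound request carrying a WS-Security timestamp (signature and
# encryption elements omitted; only the timestamp check is demonstrated here).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-constructed">
        <wsu:Created>2014-11-01T10:00:00Z</wsu:Created>
        <wsu:Expires>2014-11-01T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getOrder xmlns="urn:example:orders"><id>42</id></getOrder></soap:Body>
</soap:Envelope>"""


def _utc(value):
    """Parse the whole-second UTC form used in the sample message."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_timestamp(envelope_xml, now_iso, skew_seconds=60, max_ttl_seconds=300):
    """Return (accepted, reason) for the wsu:Timestamp of an inbound message.

    skew_seconds bounds the clock difference tolerated between sender and
    receiver; max_ttl_seconds bounds the lifetime the sender may declare.
    """
    now = _utc(now_iso)
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "malformed XML"
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "missing wsu:Timestamp"
    created_txt = ts.findtext("wsu:Created", namespaces=NS)
    expires_txt = ts.findtext("wsu:Expires", namespaces=NS)
    if not created_txt or not expires_txt:
        return False, "timestamp lacks Created or Expires"
    try:
        created, expires = _utc(created_txt), _utc(expires_txt)
    except ValueError:
        return False, "unparseable timestamp"
    skew = timedelta(seconds=skew_seconds)
    if created > now + skew:
        return False, "Created is in the future"
    if expires <= now - skew:
        return False, "timestamp expired"
    if expires - created > timedelta(seconds=max_ttl_seconds):
        return False, "lifetime exceeds policy maximum"
    return True, "ok"


if __name__ == "__main__":
    print(check_timestamp(SAMPLE_REQUEST, "2014-11-01T10:02:00Z"))  # (True, 'ok')
    print(check_timestamp(SAMPLE_REQUEST, "2014-11-01T10:07:00Z"))  # (False, 'timestamp expired')
```

The lifetime cap is the check most often forgotten: without it, a sender can declare an Expires a day ahead and the freshness guarantee the timestamp is meant to give disappears. The timestamp must also be covered by the message signature for this check to mean anything, which is why the WSS policies pair it with signature verification.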