Escolar Documentos
Profissional Documentos
Cultura Documentos
Version 3.8.1
Note
Before using this information and the product it supports, read the information in Notices and trademarks on page 389.
Contents
Chapter 1. Introduction . . . . . . . . 1
Intended audience . . . . . . . . .
File naming guidelines . . . . . . . .
Object naming guidelines . . . . . . .
Typeface conventions . . . . . . . .
Purpose of Multi-Protocol Gateway services .
Support for Web 2.0 configurations . . . .
REST principals in Web 2.0 . . . . .
Web 2.0 and JSON . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1
1
2
2
2
3
3
5
. .
. .
. .
. .
. .
. .
. .
pane
. .
. .
. .
. .
. .
. .
. .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
11
11
11
12
12
12
12
12
12
13
13
14
14
14
14
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
17
17
17
18
19
20
20
21
21
21
22
23
24
25
25
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
25
27
28
29
29
29
30
30
31
32
.
.
.
.
.
.
.
.
.
.
.
.
32
32
33
33
.
.
.
.
.
.
.
.
.
.
.
.
.
. 36
. 37
. 41
. 41
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 48
42
43
43
44
44
45
45
46
46
47
47
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
51
54
55
58
61
65
66
67
68
71
74
74
74
74
75
75
iii
77
78
78
78
79
79
81
81
81
83
83
83
84
85
85
iv
.
.
.
.
.
.
.
.
.
.
.
.
87
88
88
92
92
92
93
94
95
95
95
97
97
. 98
. 99
. 99
. 107
. 109
. 115
116
. 116
. 117
. 119
. 122
. 123
. 126
. 127
. 130
. 130
. 130
. 132
. 133
. 135
. 135
. 136
. 137
. 142
. 144
. 145
. 145
. 146
. 146
Attachment protocol . . .
Format of the <results> element
Using the variable builder . .
Debugging processing policies.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
147
148
148
149
151
152
153
159
167
168
168
170
172
180
180
180
180
181
181
181
181
182
182
182
182
183
183
183
184
184
184
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
187
189
189
189
190
190
190
191
191
191
191
191
192
192
193
193
194
194
194
.
.
.
.
.
.
.
.
to
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
195
196
197
198
198
199
200
202
.
.
.
.
.
.
.
.
.
.
.
.
.
.
202
202
203
203
203
204
205
206
206
207
207
208
209
209
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
211
212
213
213
214
216
217
217
218
219
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
221
221
224
226
233
234
235
235
242
243
243
244
245
245
245
246
246
251
.
.
. 253
. 255
|
|
|
258
259
261
263
263
264
264
266
267
268
271
273
274
274
276
285
290
290
291
291
293
298
299
300
301
301
302
302
308
308
309
309
309
317
318
318
318
319
319
320
320
321
322
322
322
323
324
324
325
326
327
327
328
Contents
280
281
281
281
|
|
|
vi
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
328
329
329
330
331
331
332
332
332
335
338
338
339
341
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
343
345
345
346
348
350
350
351
351
352
352
353
353
354
354
355
355
356
356
357
357
358
359
359
362
366
.
.
. 367
. 367
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
368
368
368
369
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
371
371
372
372
373
373
373
374
374
375
Service variables . . . . . . . . . . . .
General service variables . . . . . . . .
Multi-Protocol Gateway and Web Service Proxy
service variables . . . . . . . . . . .
Configuration service variables . . . . . .
Load balancer service variables . . . . . .
Legacy MQ-specific service variables . . . .
Multistep variables . . . . . . . . . .
Transaction variables . . . . . . . . . . .
Asynchronous transaction variables . . . . .
Error handling transaction variables . . . . .
Headers transaction variables . . . . . . .
Persistent connection transaction variables. . .
Routing transaction variables . . . . . . .
URL-based transaction variables . . . . . .
Web Services Management transaction variables
Extension variables . . . . . . . . . . .
System variables . . . . . . . . . . . .
List of available variables . . . . . . . . .
376
376
376
377
378
378
379
380
380
381
382
383
383
384
384
385
386
387
. 389
Index . . . . . . . . . . . . . . . 391
Chapter 1. Introduction
IBM WebSphere DataPower SOA Appliances are purpose-built, easy-to-deploy
network appliances that simplify, help secure, and accelerate your XML and Web
services deployments while extending your SOA infrastructure. These appliances
offer an innovative, pragmatic approach to harness the power of SOA while
simultaneously enabling you to leverage the value of your existing application,
security, and networking infrastructure investments.
Intended audience
This document is intended for Developers who manage the configuration of
Multi-Protocol Gateway services, objects, and associated referenced objects on the
IBM WebSphere DataPower appliance. Developers should have the following
knowledge:
v Network architecture and concepts
v Internet protocols, including HTTP, TCP/IP, MQ
v Lightweight Directory Access Protocol (LDAP) and directory services
v Authentication and authorization
v XML and XSLT
v Web Services
v Web Services Security
Developers should also be familiar with SSL protocol, key exchange (public and
private), digital signatures, cryptographic algorithms, and certificate authorities.
This document assumes that an Administrator has installed and initially
configured the appliance as described in the IBM WebSphere DataPower SOA
Appliances: 9003: Installation Guide or in the IBM WebSphere DataPower SOA
Appliances: Type 9235: Installation Guide, depending on the model type.
Typeface conventions
The following typeface conventions are used in the documentation:
bold
italics
monospaced
Identifies user-supplied input or computer output.
Retrieves a resource
DELETE
Removes an existing resource
HEAD
Retrieves metadata
With these HTTP methods and your DataPower appliance, you can write
processing policies that are common to RESTful services by using the HTTP
methods shown in Table 1.
Table 1. Processing actions available with HTTP methods
Processing actions
Description
Fetch
Results
Results asynchronous
Log
Method rewrite
If you send requests that do not contain a payload and you want to apply
processing rules, you must enable force the DataPower service to process messages
with the Processing Messages Whose Body Is Empty property. By default a
DataPower service passes requests without a payload directly to the client without
applying any processing rule.
Chapter 1. Introduction
Application server
DataPower appliance
Response A (6)
Response A (5)
Response B (3)
Request A (4)
Request B (2)
Request A (1)
Accounting
services
Message flow
Figure 1 shows a typical proxy implementation.
1. The client sends a Request A (1) to the DataPower appliance.
2. The DataPower appliance receives Request A (1) and sends a Request B (2) to a
RESTful accounting Web service.
3. The Accounting Services receive Request B (2) and sends a Response B (3) back
to the DataPower appliance.
4. The DataPower appliance forwards the Request A (4) to the application server.
5. The application server receives the Request A (4) and sends a Response A (5) to
DataPower appliance.
6. The DataPower appliance forwards Response A (6) to the client.
Implementation details
There are many ways to implement a proxy with a RESTful service for your
DataPower appliance. One way to implement a proxy, as shown in Figure 1, would
be to:
1. Configure your service
2. Configure a processing policy with a results or fetch action.
3. Change the HTTP Method to support your Accounting Service
4. Add a remote Web service IP address and port.
REST client
Application server
DataPower appliance
1
Request A (POX)
Request A (SOAP)
Response A (POX)
Response A (SOAP)
SOAP
Web service
Message flow
Figure 2 shows a typical proxy implementation.
1. A RESTful client sends Request A (POX) to a SOAP Web service on an
application server.
2. The DataPower appliance receives Request A (POX) and transforms it to SOAP
using a transform action.
3. In addition, a URL rewrite policy and SOAPAction HTTP header can be used to
transform the message Request A 1 (SOAP).
4. The Web service on the application server receives Request A1 (SOAP) and
sends a Response A1 (SOAP) to the DataPower appliance.
5. The DataPower appliance transforms Response A1 (SOAP) to Response A (POX)
using a transform action.
6. The DataPower appliance forwards Response A (POX) to the client.
Implementation details
There are many ways to implement a bridge scenario. One way to implement the
bridge scenario, as shown in Figure 2, would be to:
Configure your service with a HTTP front side handler.
Choose the appropriate HTTP methods for your front side handler.
Define your request type.
Configure your processing policy data conversion such as converting Plain Old
XML (POX) to SOAP.
5. Add a remote Web service IP address and port.
1.
2.
3.
4.
|
|
|
|
Chapter 1. Introduction
|
|
|
well-formed JSON as described in RFC 4627. The service converts the message to
JSONx and makes the converted JSONx available as input to a processing policy in
the __JSONASJSONX context.
|
|
|
|
If you are not using JSON as the request type or the response type, to transform a
JSON payload to JSONx, use the convert-http processing action. When you add an
input conversion map to the processing action, you must select JSON as the default
input encoding for the DataPower service.
Application server
DataPower Appliance
1
Request A (JSON)
Request A (SOAP)
Response A (JSON)
Response A (SOAP)
SOAP
Web service
Message flow
Figure 3 shows a typical data transformation implementation.
1. The AJAX client sends a Request A (JSON) to a SOAP Web service on an
application server.
2. The DataPower appliance receives the Request A (JSON) and transforms
Request A from JSON to JSONx to SOAP.
3. The DataPower appliance forwards the transformed Request A1 (SOAP) to the
SOAP Web service.
4. The Web service receives the Request A1 (SOAP) and sends a Response A1
(SOAP) to the DataPower appliance.
5. The DataPower appliance receives and transforms Response A1 (SOAP) to
JSONx to JSON and forwards the transformed Response A (JSON) to the AJAX
client.
Implementation details
There are many ways to implement JSON to JSONx data transformations. One way
to implement the JSON scenario, as shown in Figure 3, would be to:
1. Configure your service with an HTTP front side handler
2. Configure the processing policy with a convert to XML action that specifies
JSON as the default encoding.
3. Configure a transform action to convert JSONx to SOAP
4. Add a remote Web service IP address and port.
Welcome screen
After successfully logging in, the WebGUI displays its Welcome screen. Visibility of
objects in the WebGUI is controlled by a combination of the Role-based
management (RBM) object and whether the administrator is in the default domain
or an application domain.
Input
When the WebGUI displays this type of input field, you can specify the referenced
object in the following ways:
v Select the name of an existing referenced object from the list.
v Use the + button to create a new referenced object. When created, the input field
contains the name of the newly created referenced object.
v Use the ... button to modify the referenced object whose name is in the input
field. When modified, the input field retains the name of the referenced object.
When you click the + button or ... button, the WebGUI launches a new window
that displays the configuration screen for that type of object.
Input
Delete
Add
When the WebGUI displays this type of list, you can manage referenced objects in
the following ways:
v Select the name of an existing referenced object from the list. Click Add to add it
to the list of referenced objects.
v Use the + button to create a new referenced object. When created, the input field
contains the name of the new referenced object. Click Add to add it to the list of
referenced objects.
v Use the ... button to modify the referenced object whose name is in the input
field. When modified, the input field retains the name of the referenced object.
Click Add to add it to the list of referenced objects.
v Select the name of a referenced object from the list (either the input field or the
list of referenced objects). Click Delete to remove it from the list of referenced
objects.
When you click the + button or ... button, the WebGUI launches a new window
that displays the configuration screen for that type of object.
4. Click Cancel.
10
Canceling changes
As you use the WebGUI, click Cancel to not save the current changes to the
running configuration. If you click Cancel, you return to the catalog and lose all
changes.
Resetting objects
Independent of whether the settings are saved to the configuration, you can reset
an object to its default configuration.
To revert changes to a specific object:
1.
2.
3.
4.
11
Deleting objects
You might want to delete objects that are no longer needed. If no object depends
on the object to be deleted, you can delete it at any time. Because a DataPower
service is a top-level object, you can delete it at any time. Conversely, you cannot
delete an object that is active and in use by a higher-level object.
To
1.
2.
3.
4.
delete an object:
Display the catalog for the object.
Click the name of the object to delete.
Click Delete.
Follow the prompts.
Deleting an object deletes that object only. Deleting an object does not delete
referenced objects.
Exporting objects
To export an object:
1. Display the catalog for the object.
2. Click the name of the object to export.
3. Click Export.
4. Follow the prompts.
12
v If the display lists unused properties, click Hide to hide these properties. Hiding
unused properties is the default behavior.
When viewing the object status, the window provides the following information:
v The name of the instance and its type with a control to collapse (hide) or expand
(show) referenced objects
v Its configuration state: New, Modified, or Saved
v It operational state: up or down
v Its administrative state: enabled or disabled
v Details about the detected error, if applicable
v A link (magnifying glass icon) to view the logs for this object
To
1.
2.
3.
Cloning services
You might want to create a service that is similar to an existing service. For
example, you need two equivalent services, but each service communicates with a
different remote server. In these cases, you can create a clone of an existing service
and edit the clone. The cloning process can expedite the creation of a similar
service.
To clone a service:
Display the catalog for the service.
Click the name of the service to clone.
Click Clone.
When the screen refreshes, specify the name of the clone.
In the Device Address field, specify the Ethernet interface that the service
monitors for incoming client requests. Use the default address (0.0.0.0) to
specify all interfaces.
6. In the Device Port field, specify the Ethernet port that the service monitors for
incoming client requests.
7. As necessary, edit the other properties.
1.
2.
3.
4.
5.
13
For complete details about using the probe, refer to the IBM WebSphere DataPower
SOA Appliances: Problem Determination Guide.
Quiescing a handler
You can quiesce either a listening or a polling protocol handler to transition the
operational state of the handler to the down state in a controlled manner.
To quiesce a protocol handler:
1. Click Objects Protocol Handlers and the type of handler.
2. Click on the name of the handler.
3.
4.
5.
6.
7.
Click Quiesce.
Specify the Timeout in seconds.
Click Quiesce.
Click Confirm.
Click Close.
Unquiescing a handler
You can unquiesce a quiesced listening or polling handler to transition the handler
to the up operational state.
To unquiesce a handler:
1. Click Objects Protocol Handlers and the type of handler.
2. Click on the name of the handler.
3. Click Unquiesce.
4. Click Confirm.
5. Click Close.
Quiescing a service
You can quiesce a service to transition the operational state of the service and all
handlers associated with the service to the down state in a controlled manner.
To quiesce a service:
1.
2.
3.
4.
5.
6. Click Confirm.
7. Click Close.
Unquiescing a service
You can unquiesce a quiesced service to transition the service to the up operational
state. All quiesced handlers associated with the service are also placed in the up
operational state.
To unquiesce a service:
1. Click Objects Protocol Handlers and the type of service.
14
2.
3.
4.
5.
Click
Click
Click
Click
15
16
17
3. Send the CSR to VeriSign. Do not store it on the box (except in the temporary:
directory).
4. VeriSign returns the signed certificate.
5. Store the signed certificate on the box and create a Certificate object that
references it.
Optionally, create an Identification Credentials object that references the Key and
Certificate objects. When you create the Identification Credentials, the
key-certificate pair is validated to ensure that pair is ready for use.
3.
4.
5.
6.
off
(Default) Creates the entry in forward RDN order.
Optional: In the Country Name (C) field, enter a country name.
Optional: In the State or Province (ST) field, enter a state name or a
province name.
Optional: In the Locality (L) field, enter a locality name.
Optional: In the Organization (O) field, enter the name of an organization.
Optional: In the Organizational Unit (OU) field, enter the name of an
organizational unit.
Optional: In the Organizational Unit 2 (OU), Organizational Unit 3 (OU),
and Organizational Unit 4 (OU) fields, enter the names of additional
organizational units.
7. In the Password Alias field, enter a password alias to access the key file.
8. Set Export Private Key to indicate whether the action writes the key file to the
temporary: directory.
18
on
off
(Default) Does not write the key file to the temporary: directory.
off
Does not create a self-signed certificate.
10. Set Export Self-Signed Certificate to indicate whether the action writes the
self-signed certificate to the temporary: directory.
on
off
Does not write the self-signed certificate to the temporary: directory.
11. Set Generate Key and Certificate Objects to indicate whether the action
automatically creates the objects from the generated files.
on
off
Does not create the objects from the generated files.
12. In the Object Name field, enter the name to use for the Key object and for the
Certificate object. Leave blank to allow the action to generate the names from
the input information (based on the Common Name (CN) or File Name
property).
13. In the Using Existing Key Object field, enter the name of an existing key. If
supplied and valid, the action generates a new certificate and a new
Certificate Signing Request (CSR) that is based on the key in the identified
Key object. In this case, the appliance does not generate a new key.
14. Click Generate Key to generate a private key and, if requested, a self-signed
certificate. A CSR is created automatically.
15. Follow the prompts.
The CSR can be submitted to a certificate authority (CA) to receive a certificate that
is based on this private key. This action creates the following files and objects:
v Creates the private key file in the cert: directory; for example,
cert:///sample-privkey.pem
v Creates the CSR in the temporary: directory; for example, temporary:///
sample.csr
v If Generate Self-Signed Certificate is enabled, creates a self-signed certificate in
the cert: directory; for example, cert:///sample-sscert.pem
v If Export Self-Signed Certificate is enabled, creates a copy of the self-signed
certificate in the temporary: directory; for example, temporary:///samplesscert.pem
v If Generate Key and Certificate Objects is enabled, creates a Key object and a
Certificate object
If the action creates a self-signed certificate, you can use this certificate-key pair for
the following purposes:
v Establish Identification Credentials
v Encrypt or decrypt XML documents
19
Note: If the appliance has HSM hardware, you can export Key objects. For details,
refer to IBM WebSphere DataPower SOA Appliances: Hardware Security Module
Guide.
To
1.
2.
3.
20
If the output format includes private fields of the key, the file must be in the same
directory as the configured file of the private key object. The OpenSSH public key
format, which is used in authorized_keys files, does not contain any private fields.
It contains only public fields.
To convert a key object:
Click Administration Miscellaneous Crypto Tools.
Click the Convert Crypto Key Object tab.
From the Key Name list, select the name of the key object to be converted.
In the Output File Name field, enter the name of the output file. Use the
temporary:///mykey.pub format.
5. From the Output Format list, select the format of the output file.
6. Click Convert Crypto Key Object to convert the specified key object to the
specified format.
1.
2.
3.
4.
21
To access and use z/OS certificates, the NSS client object on DataPower must have
permission to access the z/OS certificate. See your z/OS documentation for more
information on these settings.
nssclient
Specifies an existing NSS client object.
ZOSCERTLABEL
Specifies the label name of an existing SAF certificate
residing on the z/OS system.
Password
Depending of business security policies, provide one of the following:
v If local security policies provide for password-protected keys, specify
the password (or a password alias).
v If local polices do not support password protection, leave blank.
v If key files are protected by a plaintext password, specify the
password.
Note: Plaintext passwords appear as such in the configuration script.
v If key files are protected by an aliased password, specify the alias.
The CLI provides a password-map command that uses a
locally-generated key to 3DES encrypt a password used to access a
private key file. The command maps the encrypted password to a
password alias in a password map file. The password map and the
22
off
on
23
Private Key
Select Key objects to add. Refer to Defining Key objects on page 25
for more information.
Shared Secret Key
Select Shared Secret Key objects to add. Refer to Defining shared
secret keys on page 28 for more information.
Certificates
Select Certificate objects to add. Refer to Defining Certificate objects
on page 22 for more information.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
24
5. Optional: Click Save Config to save the changes to the startup configuration.
Use a key object created with a private key that is retrieved from z/OS the same
way you use a key object created with a local private key. Use a key object created
with a private key that is stored on z/OS to make requests for decryption or
signature generation on the z/OS system.
To create key objects, the DataPower appliance communicates with z/OS using an
NSS client object. The NSS client object must be defined and in the up operational
state when you create key objects.
To use a retrieved z/OS key, the key must be a SAF key that is not stored in ICSF.
The SAF key is cached locally on the appliance until the associated application
domain or the appliance is restarted.
To use a remote z/OS key, the key must be a SAF key that is stored in ICSF. The
SAF key is never taken off of your z/OS system. Therefore, the NSS client object
must be in the up operational state when using remote key objects. For more
information about the NSS client object, see NSS Client on page 368.
To access and use z/OS keys, the NSS client object on DataPower must have
permission to access the z/OS keys. See your z/OS documentation for more
information on these settings.
25
nssclient
Specifies an existing NSS client object.
ZOSKEYLABEL
Specifies the label name of an existing SAF key residing on the
z/OS system. A saf-key:// must be a SAF key that is not stored
in ICSF. A saf-remote-key:// must be a SAF key that is stored in
ICSF.
Password
Depending on business security policies, provide one of the following:
v If local security policies provide for password-protected keys, specify
the password (or a password alias).
v If local polices do not support password protection, leave blank.
v If key files are protected by a plaintext password, specify the password.
Note: Plaintext passwords appear as such in the configuration script.
v If key files are protected by an aliased password, specify the alias.
The CLI provides a password-map command that uses a locally-generated
key to 3DES encrypt a password used to access a private key file. The
command maps the encrypted password to a password alias in a
password map file. The password map and the locally-generated key are
saved to separate files on the appliance. Plaintext passwords are not
stored in memory or saved on the appliance.
Password Alias
Specify if the text entered in the Password field is a plaintext password or
a password alias.
on
off
(Default) Identifies the text as a plaintext password.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
26
DEFAULT
Includes all cipher suites, except for the following ciphers and
cipher suites:
v eNULL ciphers
v Cipher suites that use DH authentication
v Cipher suites that contain the RC4, RSA, and SSL version 2
ciphers
HIGH Includes all high encryption cipher suites. These ciphers
support a key length in excess of 128 bits.
MEDIUM
Includes all medium encryption cipher suites. These ciphers
support a key length of 128 bits.
LOW
27
EXPORT
Includes all cipher suites that support a key length of 40 or 56 bits
and are eligible for export outside of the United States.
For a detailed list of ciphers, refer to the profile command in the
product-specific version of the Command Reference.
Options
Use the check boxes to disable support for SSL versions and variants. By
default, SSL Version 2, SSL Version 3, and Transaction Level Security
(TLS) Version 1 are enabled.
v To disable SSL Versions 2, click Disable-SSLv2.
v To disable SSL Version 3, click Disable-SSLv3.
v To disable TLS Version 1, click Disable-TLSv1.
v To allow SSL and TLS renegotiation, which is vulnerable to a
man-in-the-middle (MITM) attack documented in CVE-2009-3555, click
Permit insecure SSL renegotiation.
Send Client CA List
Enable or disable the transmission of a Client CA List during the SSL
handshake.
Note: Transmission of a Client CA List is meaningful only when this
Profile object supports a reverse (or server) proxy and when this
Profile object has an assigned Validation Credentials.
A Client CA List consists of a listing of the CA certificates in the
Validation Credentials for this Profile object. A Client CA List can be sent
by an SSL server as part of the request for a client certificate. The Client
CA list provides the client with a list of approved CAs whose signatures
are acceptable for authentication purposes.
Note: SSL servers are not required by the protocol to send a Client CA
List. Generally, SSL servers do not send a Client CA list.
Some implementations or local policies, however, might mandate
the use of Client CA lists.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
28
29
forward
The SSL proxy acts as an SSL client (or acts in the forward direction). In
client proxy mode, SSL is used over the appliance-to-server connection.
reverse
The SSL proxy acts as an SSL server (or acts in the reverse direction). In
server proxy mode, SSL is used over the appliance-to-client connection.
two-way
The SSL proxy acts as both an SSL client and SSL server (or acts in both
directions). In two-way mode, SSL is used over the appliance-to-server
connection and the appliance-to-client-connection.
5.
6.
7.
8.
9.
10.
30
on
on
off
13. Set Always Request Client Authentication to control when to request SSL
client authentication.
on
31
Validation credentials
Validation credentials consists of a set of certificates. Validation credentials validate
the authenticity of received certificates and digital signatures. You can create
validation credentials from the following types of certificates:
v All non-expiring, non-password-protected certificates
v Specific certificates
Validation methods
When creating a validation credentials from specific certificates, you must define
the validation method. Validation can use one of the following methods:
Match to an exact certificate or immediate issuer
Validates uses the certificates in the validation credentials. The validation
credential contains either the exact peer certificate to match or the
certificate of the immediate issuer. The certificate could be an intermediate
CA or a root CA. This mode is useful to match the peer certificate exactly,
but that certificate is not a self-signed (root) certificate.
Full certificate chain checking, or PKIX
Validation checks the complete certificate chain from subject to root.
Validation succeeds only if the chain ends with a root certificate in the
validation credentials. Nonroot certificates in the validation credentials are
used as untrusted intermediate certificates. Additional untrusted
intermediate certificates will be obtained dynamically from the context at
hand (SSL handshake messages, PKCS#7 tokens, PKIPath tokens, and so
forth).
When using this validation method, self-signed certificates are considered
to be trusted roots assuming that they are correctly designated as CA
certificates by their Basic Constraints extension and Key Usage extension, if
present. Non-self-signed certificates are considered untrusted intermediates.
The validation credentials must not contain more than one certificate with
a given subject name. During client certificate validation, the client can
present a set of other certificates to be considered when building the
certification chain. Only non-self-signed CA certificates are used from this
set and are treated as candidate untrusted intermediate certificates.
32
PKIX validation
When the validation method is PKIX, the following extensions for CA certificates
can be marked as critical. A certificate that contains any other critical extension
causes the certificate to be rejected. When a certificate contains other noncritical
extensions, these extensions are ignored.
v Key Usage This extension is not required to be present. If present, it must
indicate that the key is suitable for certificate signing.
v Subject Alternative Name This extension is not used. Regardless of its
criticality, validation does not reject a certificate if it contains the extension.
v Basic Constraints This extension is required in a CA certificate. There is an
exception for X509 V1 root certificates. However, all V3 CA certificates must
have the extension. Only V3 certificates can be used as intermediates. Fully
implemented in accordance to RFC 3280.
v Certificate Policies Fully implemented in accordance to RFC 3280.
v Authority Information Access This extension is used for only Online Certificate
Status Protocol (OCSP).
v Policy Constraints Fully implemented in accordance to RFC 3280.
v Inhibit Any-Policy Fully implemented in accordance to RFC 3280.
5.
6.
7.
8.
33
34
The service acts as either an FTP client, which polls a remote FTP server
for requests, or as an FTP server, which accepts incoming FTP connections.
HTTP Including GET and POST. POST can contain XML, SOAP, DIME, SOAP
with Attachments. This protocol is available on all appliances.
HTTPS
Including GET and POST. POST can contain XML, SOAP, DIME, SOAP
with Attachments. This protocol is available on all appliances.
IMS
The service can accept incoming IMS protocol requests and can initiate
IMS connections on the back side.
MQ
The service can use GET and PUT queues to communicate with MQ
queues. This protocol requires the MQ license.
NFS
The service can poll an NFS-mounted directory for the presence of new
files and can place responses on an NFS mounted directory.
SFTP
The service acts as either an SFTP client on the back-side, which connects
to a remote SFTP server for request, or as an SFTP server on the front-side,
which allows SFTP clients to post to and retrieve files from a back-end file
system.
35
HTTP
HTTPS
MQ
Multi-Protocol Gateway
HTTP or
HTTPS or
MQ
Multi-Protocol Gateway services can accept client requests through any of the
protocol handlers that are shown (HTTP, HTTPS, or MQ). A static URL determines
the destination for all traffic. This server-side traffic can employ one of the
protocols that are shown (HTTP, HTTPS, or MQ).
When the back-end service endpoint is dynamically determined, the gateway
supports a Stateful Raw XML protocol handler. Because the connection is stateful,
this protocol handler can only communicate with a back-end service that also
employs the same protocol. Figure 7 shows other protocol handlers that the same
gateway can use to dynamically route to the other protocols.
HTTP
HTTP
HTTPS
HTTPS
MQ
MQ
Stateful
Multi-Protocol Gateway
Stateful
Back End Servers
The messages can be processed and routed using any of the standard processing
actions that are available to a service.
36
Available properties
This section provides details about the fields available:
v General
v Advanced
v Style sheet parameters
v Headers
v Monitors
v Web Services Addressing
v Web Services Reliable Messaging
Table 2. Properties available on the General tab
Name
Purpose
Multi-Protocol Gateway
Name
Summary
Type
XML Manager
Multi-Protocol Gateway
Policy
Backend URL
Response Type
Flow Control
Propagate URI
Compression
Request Type
37
Purpose
Purpose
Persistent Connections
Loop Detection
Follow Redirects
Gateway Credentials
Default parameter
namespace
38
Name
Purpose
Parameter Name
Custom Name
Purpose
Parameter Value
Purpose
Direction
Header Name
Header Name
Purpose
Monitors Evaluation Method Indicates how monitors interact with each other when the
service uses more than one monitor.
Table 7. Properties available on the WS-Addressing tab
Name
Purpose
WS-Addressing Mode
Strip WS-Addressing
Headers
WS-Addressing Message
Generation Pattern
Asynchronous HTTP
Response Code
WS-Addressing
Asynchronous Reply Point
WS-Addressing
Asynchronous Reply
Timeout
Rewrite WS-Addressing
Reply To Header
Rewrite WS-Addressing
Fault To Header
Rewrite WS-Addressing To
Header
Default WS-Addressing
Reply-To
Default WS-Addressing
Fault-To
39
Purpose
Force Incoming
WS-Addressing
Purpose
Use WS-ReliableMessaging
AAA Policy
Destination InOrder
Delivery Assurance
Destination Accept Two-Way Indicates whether to accept offers for two-way Reliable
Offers
Messaging in CreateSequence SOAP requests. If the request
includes an offer, the creation of a Reliable Messaging
destination creates a Reliable Messaging source to send
responses to the client.
40
Required on Request
Required on Response
Purpose
Source Maximum
Simultaneous Sequences
v
v
v
v
v
To
1.
2.
3.
4.
Message tampering
Padding oracle
SQL injections
XML viruses (X-Virus)
Dictionary attacks
protect against XML threats, perform the following steps:
Click the XML Threat Protection tab.
Defines all of the properties for threat protection, as needed.
Click Apply to save the changes to the running configuration.
Optional: Click Save Config to save the changes to the startup configuration.
41
42
|
|
|
|
|
|
Protection against padding oracle prevents attackers from using error messages to
discover the plaintext data. Error messages after a decryption action can provide
an attacker who is using the padding oracle attack method with enough
information to determine the contents of the plaintext data. When enabled, the
appliance manipulates error messages to avoid revealing internal cryptographic
states.
|
|
|
|
|
43
XML virus
Viruses are typically contained in message attachments. XML Virus Protection sets
parameters that handle the following types of attacks in attachments:
v XML virus attacks
v XML encapsulation attacks
v Payload hijack attacks
v Binary injection attacks
First determine whether to process attachments. If you process attachments, define
an antivirus action to check attachments for viruses.
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
Response attachment processing mode or Response Attachments
Specifies the processing mode for attachments in server responses.
Allow Processes the message root and needed XML and non-XML
44
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
For the XML Firewall services only, these properties are on both the General tab
and the XML Threat Protection tab. A change on either tab affects the property on
both tabs.
URL builders
To use a URL builder, click the protocol-specific button. The WebGUI launches a
utility that assists in building the protocol-specific URL.
v For information about using the utility to build an IMS Connect URL, see
Building an IMS Connect URL on page 46.
v For information about using the utility to build a TIBCO EMS URL, see
Building a TIBCO EMS URL on page 46.
v For information about using the utility to build a WebSphere JMS URL, see
Building a WebSphere JMS URL on page 47.
45
v For information about using the utility to build a WebSphere MQ URL, see
Building a WebSphere MQ URL on page 47.
use the IMS Connect URL builder for assistance in the construction of a URL:
Click IMS Connect Helper.
From the IMS Connect Config list, select an IMS Connect configuration.
In the Transaction Name field, specify the transaction name for the connection.
This property sets the TranCode parameter. This property overrides the value of
the Transaction Code property for the IMS Connect object.
4. Specify the datastore name (IMS destination ID) for the connection in the Data
Store ID field. This property sets the DataStoreID parameter. This property
overrides the value of the Data Store ID property for the IMS Connect object.
5. Click Build.
The utility creates a URL in the following format:
dpims://object?TranCode=code;DataStoreID=ID
See the url-open extension element in the IBM WebSphere DataPower SOA
Appliances: Extension Elements and Functions Catalog for details about changing the
URL for a secure connection or for adding other query parameters.
See the url-open extension element in the IBM WebSphere DataPower SOA
Appliances: Extension Elements and Functions Catalog for details about changing the
URL for a secure connection or for adding other query parameters.
46
See the url-open extension element in the IBM WebSphere DataPower SOA
Appliances: Extension Elements and Functions Catalog for details about changing the
URL for a secure connection or for adding other query parameters.
47
See the url-open extension element in the IBM WebSphere DataPower SOA
Appliances: Extension Elements and Functions Catalog for details about changing the
URL for a secure connection, for using another MQPMO value, or for adding other
query parameters.
48
2. Create the LBManager XML Manager object and add the LBGroup group to the
Load Balancer Groups list. Refer to Configure XML Manager objects on page
367 for more information.
3. Create a DataPower service, for example the LBFirewall XML Firewall, and
configure the following properties:
a. Select the LBManager XML Manager from the XML Manager list.
b. Specify LBGroup (the Load Balancer Group) as the address of the back-end
server for the DataPower service. Depending on the DataPower service or
the view of that DataPower service, the field could be Remote Address,
Server Address, or something similar.
With a Web Service Proxy that is configured statically from a WSDL file, the
field is part of the configuration of the Remote Rewrite Rules of the
WS-Proxy Endpoint Rewrite object. The field is either Remote Endpoint
Host (object view) or Hostname (IP Address) (service view).
For complete information about managing Load Balancer Group objects, refer to
Load balancer groups on page 267.
49
50
51
where:
filename
The file name for the renamed input file.
serial
timestamp
The timestamp.
Note: File renaming cannot be used with an FTP server that supports only 8.3
file names.
For example if the input files are NNNNNN.input and you want to rename them
to NNNNNN.processing, then the match pattern would be ([0-9] {6})\.input$
and the processing pattern would be $1.processing. The resultant file name of
the server would be:
NNNNNN.processing.serial.domain.poller.timestamp
52
on
on
(Default) Creates the result file using the naming pattern specified
by the Result File Name Pattern property.
off
Does not create the result file.
b. When on, specify the PCRE to use as the match pattern to build the name
of the result file in the Result File Name Pattern field. This PCRE will
normally have a back reference for the base input file. For instance, if
input files are NNNNNN.input and you want to rename them to
NNNNNN.result, the match pattern would be ([0-9] {0-6})\.input$ and
the rename pattern would be $1.result.
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../result/$1.
13. Define the processing seize behavior.
a. Specify the time to wait in seconds before processing a file that is already
in the processing state in the Processing Seize Timeout field. Use an
integer in the range of 0 through 1000. The default is 0.
53
14.
15.
16.
17.
b. Specify the PCRE to use to find files that were renamed to indicate that
they are in the being processed state but the processing was never
completed in the Processing Seize Pattern field.
The processing seize pattern contains three phrases that must be in \(\)
pairs. The first phrase is the base file name that includes the configured
processing suffix. The second phrase is the host name. The third phrase is
the timestamp.
Select the XML Manager that contains the User Agent configuration to use
from the XML Manager list.
In the Maximum File Transfers Per Poll Cycle field, specify the number of
concurrent connections. The value 0 means unlimited number of connections
based on available system resources.
Click Apply to save the changes to the running configuration.
Optional: Click Save Config to save the changes to the startup configuration.
54
Defining as transparent
To configure an FTP Server Handler to access a transparent file system:
1. Select Objects Protocol Handlers FTP Server Front Side Handler to
display the catalog.
Chapter 6. Handler configuration
55
56
use both the USER and PASS commands to complete the login process. If
no Certificate AAA Policy is configured, USER and PASS will always be
required. If the AUTH TLS command is not used by the FTP client, USER
and PASS will always be required.
11. Define FTP support.
a. Set Allow CCC Command to indicate whether the FTP CCC command can
be used to turn off TLS encryption of the FTP control connection after user
authentication. If allowed, the CCC command can be used to turn off
encryption after authentication. Turning off encryption is necessary when
the FTP control connection crosses a firewall or NAT device that needs to
sniff the control connection. Turning off encryption eliminates the secrecy
of the files being transferred and allows TCP packets injection attacks.
b. Define behavior for passive command support.
1) Select the support behavior for passive commands from the Passive
(PASV) Command list. Without the PASV command, the STOR,
SOUT, and RETR commands will fail when issued by the FTP client.
When not allowing passive mode, the FTP client must use the FTP
PORT command. The default is Allow Passive Mode.
2) If allowing or requiring support, set Limit Port Range for Passive
Connections to control whether to limit the TCP port range that the
FTP server can dynamically allocate.
3) If limiting the port range, define the port range and define the timeout
for establishing a data connection.
a) Specify the lower end of the range in the Minimum Passive Port
field.
b) Specify the upper end of the range in the Maximum Passive Port
field.
c) Specify the number of seconds that the server waits for a client to
establish a passive data connection in the Passive Data Connection
Idle Timeout field.
4) Set Disable Passive Data Connection (PASV) IP Security Check to
specify whether to disable the IP security check that verifies that the
incoming data connection comes from the already connected client.
5) Set Disable Active Data Connection (PORT) IP Security Check to
specify whether to disable the IP security check that verifies that
outgoing data connections can only connect to the client.
6) Define behavior for alternate IP address support.
a) Set Use Alternate PASV IP Address to select the behavior for
alternate IP address support.
b) If allowing support, use the Alternate PASV IP Address field to
specify the numeric IP address.
c. Set Enable LIST command support to specify whether the FTP server
distinguishes between the LIST command and the NLST command. Disable
this option to respond to either command with an NLST command. This
option only applies to transparent file systems.
d. Set Enable delete support to specify whether file delete commands are
allowed on the FTP server. This option only applies to transparent file
systems.
e. Select the use of encryption for data connections (file transfers) from the
File Transfer Data Encryption list. Data encryption is controlled by the
FTP PROT P command. The default is Allow Data Encryption.
Chapter 6. Handler configuration
57
f. Set Allow Compression to specify whether the FTP client can use FTP
MODE Z compression. After enabling FTP compression, the FTP client can
use the zlib method to compress data transfers.
g. Define behavior for unique file names
1) Set Allow Unique File Name (STOU) to specify whether the FTP client
can use the FTP STOU command. When enabled, the FTP server
generates a unique file name for each transferred file.
2) If enabled, specify the prefix for file names that are generated when
using the FTP STOU command in the Unique File Name Prefix field.
When defining the prefix, use the ^[^/]*$ format. The directory
separator (/) is not allowed. The default is to not add a prefix, which is
an empty string.
12. Specify the number of seconds that the FTP control connection can be idle in
the Idle Timeout field. After the specified duration elapses, the FTP server
closes the control connection. Defaults to 0, which disables the timeout.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
58
8. Select an instance of the Access Control List object to apply from the Access
Control List list.
9. Define secure connection.
a. Set Require TLS to specify whether FTP control connections require
explicit TLS encryption. If required, the FTP client must use the FTP
AUTH TLS command before any other command. This setting does not
control encryption of data transfers.
b. Select an instance of the SSL Proxy Profile object to assign from the SSL
Proxy list.
10. Define user authentication.
a. Select an instance of the AAA Policy object from the Password AAA
Policy list. This instance performs authentication of user names and
passwords provided to the FTP server by the client with the USER and
PASS commands. If the authentication succeeds, the FTP client can use all
of the features of the FTP server. If the authentication fails, a 530 error is
returned, and the user can attempt to authenticate again. If no Password
AAA Policy is configured, any user name and password is accepted.
b. Select an instance of the AAA Policy object from the Certificate AAA
Policy list. This instance performs secondary authentication of the
information in the TLS/SSL certificate that is provided during TLS
negotiation after the AUTH TLS command to the FTP server. Primary
authentication is done by the SSL Proxy Profile, which can completely
reject a certificate. This authentication stage controls whether an FTP
password will be demanded or not. If the result of this authentication
succeeds, the FTP client will only have to use the USER command to login
after the AUTH TLS. If this authentication fails, the FTP client will have to
use both the USER and PASS commands to complete the login process. If
no Certificate AAA Policy is configured, USER and PASS will always be
required. If the AUTH TLS command is not used by the FTP client, USER
and PASS will always be required.
11. Define FTP support.
a. Set Allow CCC Command to specify whether the FTP CCC command can
be used to turn off TLS encryption of the FTP control connection after user
authentication. If allowed, the CCC command can be used to turn off
encryption after authentication. Turning off encryption is necessary when
the FTP control connection crosses a firewall or NAT device that needs to
sniff the control connection. Turning off encryption eliminates the secrecy
of the files being transferred and allows TCP packets injection attacks.
b. Define behavior for passive command support.
1) Select the support behavior for passive commands from the Passive
(PASV) Command list. Without the PASV command, the STOR,
SOUT, and RETR commands will fail when issued by the FTP client.
When not allowing passive mode, the FTP client must use the FTP
PORT command. The default is Allow Passive Mode.
2) If allowing or requiring support, set Limit Port Range for Passive
Connections to control whether to limit the TCP port range that the
FTP server can dynamically allocate.
3) If limiting the port range, define the port range and define the timeout
for establishing a data connection.
a) Specify the lower end of the range in the Minimum Passive Port
field.
59
b) Specify the upper end of the range in the Maximum Passive Port
field.
c) Specify the number of seconds that the server waits for a client to
establish a passive data connection in the Passive Data Connection
Idle Timeout field.
4) Set Disable Passive Data Connection (PASV) IP Security Check to
specify whether to disable the IP security check that verifies that the
incoming data connection comes from the already connected client.
5) Set Disable Active Data Connection (PORT) IP Security Check to
specify whether to disable the IP security check that verifies that
outgoing data connections can only connect to the client.
6) Define behavior for alternate IP address support.
a) Set Use Alternate PASV IP Address to specify the behavior for
alternate IP address support.
b) If allowing support, use the Alternate PASV IP Address field to
specify the numeric IP address.
c. Select the use of encryption for data connections (file transfers) from the
File Transfer Data Encryption list. Data encryption is controlled by the
FTP PROT P command. The default is Allow Data Encryption.
d. Set Allow Compression to select whether the FTP client can use FTP
MODE Z compression. After enabling FTP compression, the FTP client can
use the zlib method to compress data transfers.
e. Define behavior for unique file names
1) Set Allow Unique File Name (STOU) to select whether the FTP client
can use the FTP STOU command. When enabled, the FTP server
generates a unique file name for each transferred file.
2) If enabled, specify the prefix for file names that are generated when
using the FTP STOU command in the Unique File Name Prefix field.
When defining the prefix, use the ^[^/]*$ format. The directory
separator (/) is not allowed. The default is to not add a prefix, which is
an empty string.
12. Specify the number of seconds that the FTP control connection can be idle in
the Idle Timeout field. After the specified duration elapses, the FTP server
closes the control connection. Defaults to 0, which disables the timeout.
13. Define response behavior and storage for responses.
a. Select how to make response files available for gateway transactions
started the FTP STOR or SOUT operation from the Response Type list.
b. If FTP Client, which indicates that the response is written by the FTP
client:
1) Specify the suffix to add when generating response files in the
Response Suffix field. The directory separator (/) is not allowed. The
suffix should be in the ^[^/]*$ format. Defaults to an empty string.
2) specify the URL to use when generating response files in the Response
URL field. This URL enables a response to be written using FTP
commands. The URL must be an FTP URL that starts with ftp://. The
URL should include a directory, but not a file name. The URL cannot
include query parameters. The URL should be in the
^(|ftp://[^/]+(/[^/]+)*)$ format. The default is to have no response
generated (an empty string).
3) Specify the maximum size in megabytes for the temporary file system
in the Temporary Storage Size field.
60
61
a. Specify the IP address on which the FTP server listens in the Local IP
Address field. Defaults to 0.0.0.0, which indicates that the service is active
on all IP addresses.
To use a local Host Alias instead of a static IP address, click Host Alias. A
Host Alias allows you to specify a locally configured alias that resolves to
a static IP address. Aliasing can help when moving configurations across
systems.
b. Specify the port that the FTP Server service monitors in the Port field. This
port is the port on which FTP control connections can be established. This
port does not control the TCP port that is used for the data connections. If
the FTP client uses the PASV command, data connections will use an
arbitrary, unused TCP port. The default is 21.
7. Define the characteristics of the file system.
a. Select Virtual Persistent from the Filesystem Type list.
b. Specify the duration in seconds that a connection to a virtual file system is
retained after all FTP control connections from user identities are
disconnected in the Persistent Filesystem Timeout field. When the timeout
expires, the virtual file system object is destroyed. All of the response files
that were not deleted by the FTP client are deleted from their storage area.
c. Specify the initial working directory on the FTP server (after users connect
and authenticate) in the Default Directory field. When the working
directory is not the root directory, the specified directory must be one of
the configured virtual directories. The default is the root directory (/).
d. Specify the maximum file name length on the FTP server in the Maximum
Filename Length field.
8. Select an instance of the Access Control List object to apply from the Access
Control List list.
9. Define secure connection.
a. Set Require TLS to select whether FTP control connections require explicit
TLS encryption. If required, the FTP client must use the FTP AUTH TLS
command before any other command. This setting does not control
encryption of data transfers. The default is off.
b. Select an instance of the SSL Proxy Profile object to assign from the SSL
Proxy list.
10. Define user authentication.
a. Select an instance of the AAA Policy object from the Password AAA
Policy list. This instance performs authentication of user names and
passwords provided to the FTP server by the client with the USER and
PASS commands. If the authentication succeeds, the FTP client can use all
of the features of the FTP server. If the authentication fails, a 530 error is
returned, and the user can attempt to authenticate again. If no Password
AAA Policy is configured, any user name and password is accepted.
b. Select an instance of the AAA Policy object from the Certificate AAA
Policy list. This instance performs secondary authentication of the
information in the TLS/SSL certificate that is provided during TLS
negotiation after the AUTH TLS command to the FTP server. Primary
authentication is done by the SSL Proxy Profile, which can completely
reject a certificate. This authentication stage controls whether an FTP
password will be demanded or not. If the result of this authentication
succeeds, the FTP client will only have to use the USER command to login
after the AUTH TLS. If this authentication fails, the FTP client will have to
use both the USER and PASS commands to complete the login process. If
62
63
2) If enabled, specify the prefix for file names that are generated when
using the FTP STOU command in the Unique File Name Prefix field.
When defining the prefix, use the ^[^/]*$ format. The directory
separator (/) is not allowed. The default is to not add a prefix, which is
an empty string.
f. Define the restart behavior:
1) Set Allow Restart (REST) to indicate whether to support the REST
command to continue the transfer of a file after an interruption in the
data transfer.
For written files, the server delays the actual processing until a timeout
expires or until the next FTP command (other than SIZE or REST). The
FTP client can return and resume the transfer with the SIZE, REST, and
STOR commands. The argument to the REST command must be the
same as the byte count returned by the SIZE command.
2) If supported, specify the number of seconds that the FTP client has to
reconnect to the server in the Restart Timeout field. The FTP client
needs to use SIZE, REST, and STOR commands to continue an
interrupted file transfer. If this period of time elapses, the data that was
received to this point on the TCP data connection will be passed to the
DataPower service. This timeout is canceled if another command (other
than SIZE or REST) is received on the FTP control connection.
12. Specify the number of seconds that the FTP control connection can be idle in
the Idle Timeout field. After the specified duration elapses, the FTP server
closes the control connection. The value 0 disables the timeout.
13. Define response behavior and storage for responses.
a. Select how to make response files available for gateway transactions
started the FTP STOR or SOUT operation from the Response Type list.
The default is No Response.
b. If FTP Client, which indicates that the response is written by the FTP
client:
1) Specify the suffix to add when generating response files in the
Response Suffix field. The directory separator (/) is not allowed. The
suffix should be in the ^[^/]*$ format. Defaults to an empty string.
2) specify the URL to use when generating response files in the Response
URL field. This URL enables a response to be written using FTP
commands. The URL must be an FTP URL that starts with ftp://. The
URL should include a directory, but not a file name. The URL cannot
include query parameters. The URL should be in the
^(|ftp://[^/]+(/[^/]+)*)$ format. The default is to have no response
generated (an empty string).
3) Specify the maximum size for the temporary file system in the
Temporary Storage Size field.
c. If Virtual Filesystem, which indicates that the response is made available
as a file in the virtual file system that can be read by the FTP client:
1) Specify the directory to store the response in the Response Storage
field.
2) If NFS:
a) Specify the suffix to add when generating response files in the
Response Suffix field. The directory separator (/) is not allowed.
The suffix should be in the ^[^/]*$ format. Defaults to an empty
string.
64
b) Select an NFS static mount to apply. Each response file will have a
unique file name in the NFS directory from the Response NFS
Mount list. The name of the response file is not related to the file
name that the virtual file system presents to the FTP client.
Generally, this NFS directory is not made available through the FTP
server. This directory should not be used for any other purpose.
3) If Temporary:
a) Specify the suffix to add to the end of the input file name in the
Response Suffix field.
b) Specify the maximum size in megabytes for the temporary file
system in the Temporary Storage Size field.
14. Define virtual directories. The FTP client can use all of these directories to
write file to be processed. The root directory (/) is always present and cannot
be created. Its response directory is always the root directory.
a. Click the Virtual Directories tab.
b. Create a virtual directory.
1) Click Add.
2) Specify the directory in the virtual file system of the FTP server where
the FTP client can find this directory in the Virtual Directory field.
3) Specify the directory in the virtual file system of the FTP server where
the responses to files are stored in this directory will go in the
Response Directory field.
4) Click Save.
c. Repeat the previous step to define another virtual directory.
15. Click Apply to save the changes to the running configuration.
16. Optional: Click Save Config to save the changes to the startup configuration.
65
7. From the HTTP Version to Client list, select the HTTP version to use on the
client connection.
8. Set the Allowed Methods and Versions check boxes to select the allowed
methods and versions for incoming HTTP requests.
9. Set Persistent Connections to enable or disable the negotiation of persistent
connections.
10. Set Compression to enable or disable the negotiation of GZIP compression.
11. Define HTTP header and URL limits.
a. In the Maximum Allowed URL Length field, enter the length of the
longest incoming URL to accept in bytes. The length includes any query
string or fragment identifier.
b. In the Maximum Allowed Total Header Length field, enter the maximum
aggregate byte size of incoming HTTP headers.
c. In the Maximum Number of HTTP Request Headers Allowed field, enter
the maximum number of headers allowed in the request message. The
value 0 means unlimited.
d. In Maximum Allowed Length of HTTP Header Name field, enter the
maximum length of the name part of a header. Each HTTP Header is
expressed as a name-value pair. The value 0 means unlimited.
e. In Maximum Allowed Length of HTTP Header Value field, enter the
maximum length of the value part of a header. Each HTTP Header is
expressed as a name-value pair. The value 0 means unlimited.
f. In Maximum Allowed Length of HTTP Query String field, enter the
maximum length of the query string. The value 0 means unlimited.
12. From the Access Control List list, select the Access Control List to apply.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
66
b. In the Port Number field, enter the listening port. The default value is 443.
7. From the HTTP Version to Client list, select the HTTP version to use on the
client connection.
8. Set the Allowed Methods and Versions check boxes to select the allowed
methods and versions for incoming HTTP requests.
9. Set Persistent Connections to enable or disable the negotiation of persistent
connections.
10. Set Compression to enable or disable the negotiation of GZIP compression.
11. Define HTTP header and URL limits.
a. In the Maximum Allowed URL Length field, enter the length of the
longest incoming URL to accept in bytes. The length includes any query
string or fragment identifier.
b. In the Maximum Allowed Total Header Length field, enter the maximum
aggregate byte size of incoming HTTP headers.
c. In the Maximum Number of HTTP Request Headers Allowed field, enter
the maximum number of headers allowed in the request message. The
value 0 means unlimited.
d. In Maximum Allowed Length of HTTP Header Name field, enter the
maximum length of the name part of a header. Each HTTP Header is
expressed as a name-value pair. The value 0 means unlimited.
e. In Maximum Allowed Length of HTTP Header Value field, enter the
maximum length of the value part of a header. Each HTTP Header is
expressed as a name-value pair. The value 0 means unlimited.
f. In Maximum Allowed Length of HTTP Query String field, enter the
maximum length of the query string. The value 0 means unlimited.
12.
13.
14.
15.
From the SSL Proxy list, select the SSL Proxy Profile to assign.
From the Access Control List list, select the Access Control List to apply.
Click Apply to save the changes to the running configuration.
Optional: Click Save Config to save the changes to the startup configuration.
67
7.
8.
9.
10.
To use a local Host Alias instead of a static IP address, click Host Alias. A
Host Alias allows you to specify a locally configured alias that resolves to a
static IP address. Aliasing can help when moving configurations across
systems.
Specify the port that the IMS listener monitors in the Port Number field. The
default is 3000.
Select an SSL Proxy Profile to assign from the SSL Proxy list.
Set Persistent Connections to enable or disable persistent connections on the
frontend, when appropriate.
Set EBCDIC Input Header Encoding to select the encoding for input headers
as EBCDIC or ASCII. This setting does not affect payload processing. Payload
is not automatically processed.
on
off
(Default) Indicates that input headers are in ASCII encoding.
11. Select an Access Control List from the Access Control List list.
12. In the Maximum Segment Size field, enter the maximum segment size in KB.
The value 0 disables segmentation.
v A Maximum Segment Size of 0 disables IMS message segmenting. With
message segmenting disabled, you must use a policy to handle an IMS
message with a segmented payload and with LL and ZZ segment headers.
v A Maximum Segment Size in the range from 1 to 32 enables message
segmenting and specifies the maximum segment size. Request side
processing receives an incoming multi-segment IMS message and strips the
LL and ZZ segment headers to send a message with one continuous payload
to the request side policy. Response side processing splits the message into
multiple segments of the specified size and adds the appropriate LL and ZZ
segment headers after the response side policy processing finishes. The
headers are handled the same for a message with a payload smaller than
the Maximum Segment Size.
Note: The Maximum Segment Size specifies the maximum segment size in
KB into which a message is split when sending to an IMS client. This
does not limit the segment size of a request message. The DataPower
appliance can accept a request message up to a maximum segment
size of 64 KB from an IMS client.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
68
where:
filename
The file name for the renamed input file.
serial
timestamp
The timestamp.
Note: File renaming cannot be used with an NFS server that supports only 8.3
file names.
For example if the input files are NNNNNN.input and you want to rename them
to NNNNNN.processing, then the match pattern would be ([0-9] {6})\.input$
and the processing pattern would be $1.processing. The resultant file name of
the server would be:
NNNNNN.processing.serial.domain.poller.timestamp
off
69
b. When off, specify the PCRE to use to rename the input file on success in
the Success File Renaming Pattern field. This PCRE will normally have a
back reference for the base input file. For instance, if input files are
NNNNNN.input and you want to rename them to NNNNNN.processed, the
match pattern would be ([0-9] {0-6})\.input$ and the rename pattern
would be $1.processed.
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../processed/$1.
11. Define the process for deleting files on processing error.
a. Set Delete File on Processing Error to select whether to delete the input or
processing rename file when it could not be processed.
on
on
(Default) Creates the result file using the naming pattern specified
by the Result File Name Pattern property.
off
Does not create the result file.
b. If on, specify the PCRE to use as the match pattern to build the name of
the result file in the Result File Name Pattern field. This PCRE will
normally have a back reference for the base input file. For instance, if
input files are NNNNNN.input and you want to rename them to
NNNNNN.result, the match pattern would be ([0-9] {0-6})\.input$ and
the rename pattern would be $1.result.
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../result/$1.
13. Define the processing seize behavior.
a. Specify the time to wait in seconds before processing a file that is already
in the processing state in the Processing Seize Timeout field. Use an
integer in the range of 0 through 1000. The default is 0.
Processing seize allows failure handling of a poller when multiple data
routers are polling the same target. If another data router renames a file
and does not process (and rename or delete) it in the specified number of
seconds, this system attempts to take over processing. This system will
attempt to take over processing when all of these three conditions are met
when compared to the processing seize pattern. 1) The base file name (first
match phrase) is the processing seize pattern, 2) The host name (second
match phrase) is not the name of this system, 3) The timestamp (third
match phrase) is further in the past than the wait time specified by this
timeout. When these three conditions are met, this system renames the file
(with its host name and fresh timestamp) and locally processes the file.
This processing assumes that the rename succeeded.
70
b. Specify the PCRE to use to find files that were renamed to indicate that
they are in the being processed state but the processing was never
completed in the Processing Seize Pattern field.
The processing seize pattern contains three phrases that must be in \(\)
pairs. The first phrase is the base file name that includes the configured
processing suffix. The second phrase is the host name. The third phrase is
the timestamp.
14. Select the XML Manager that contains the User Agent configuration to use
from the XML Manager list.
15. In the Maximum File Transfers Per Poll Cycle field, specify the number of
concurrent connections. The 0 means an unlimited number of connections
based on available system resources.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
71
poller that succeeds in renaming the input file will proceed to process the file.
Any other poller that tries to rename the file at the same time will fail to
rename the file and will proceed to try the next file that matches the specified
match pattern.
To ensure uniqueness, the resulting file name will be in the following format:
filename.serial.domain.poller.timestamp
where:
filename
The file name for the renamed input file.
serial
timestamp
The timestamp.
Note: File renaming cannot be used with an SFTP server that supports only
8.3 file names.
For example if the input files are NNNNNN.input and you want to rename them
to NNNNNN.processing, then the match pattern would be ([0-9] {6})\.input$
and the processing pattern would be $1.processing. The resultant file name of
the server would be:
NNNNNN.processing.serial.domain.poller.timestamp
72
on
(Default) Creates the result file using the naming pattern specified
by the Result File Name Pattern property.
off
Does not create the result file.
b. When on, specify the PCRE to use as the match pattern to build the name
of the result file in the Result File Name Pattern field. This PCRE will
normally have a back reference for the base input file. For instance, if
input files are NNNNNN.input and you want to rename them to
NNNNNN.result, the match pattern would be ([0-9] {0-6})\.input$ and
the rename pattern would be $1.result.
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../result/$1.
13. Define the processing seize behavior.
a. Specify the time to wait in seconds before processing a file that is already
in the processing state in the Processing Seize Timeout field. Enter any
value of 0 - 1000. The default is 0.
Processing seize allows failure handling of a poller when multiple data
routers are polling the same target. If another data router renames a file
and does not process (and rename or delete) it in the specified number of
seconds, this system attempts to take over processing. This system will
attempt to take over processing when all of these three conditions are met
when compared to the processing seize pattern. 1) The base file name (first
match phrase) is the processing seize pattern, 2) The host name (second
match phrase) is not the name of this system, 3) The timestamp (third
match phrase) is further in the past than the wait time specified by this
timeout. When these three conditions are met, this system renames the file
(with its host name and fresh timestamp) and locally processes the file.
This processing assumes that the rename succeeded.
b. Specify the PCRE to use to find files that were renamed to indicate that
they are in the being processed state but the processing was never
completed in the Processing Seize Pattern field.
The processing seize pattern contains three phrases that must be in \(\)
pairs. The first phrase is the base file name that includes the configured
processing suffix. The second phrase is the host name. The third phrase is
the timestamp.
14. Select the XML Manager that contains the User Agent configuration to use
from the XML Manager list.
15. In the Maximum File Transfers Per Poll Cycle field, specify the number of
concurrent connections. The value 0 means an unlimited number of
connections based on available system resources. To avoid the consumption of
all the systems resources, enter a value other then 0.
16. In the SSH Client Connection field, specify the name of an existing SSH
Client Profile. The SSH Client Profile describes how SSH connections are
made from the SSH client to an SSH server.
17. Click Apply to save the changes to the running configuration.
18. Optional: Click Save Config to save the changes to the startup configuration.
73
Configuration considerations
Consider the following settings when configuring a Multi-Protocol Gateway
service:
v When transferring large files, use the streaming setting. To support bidirectional
streaming, set both Stream Output to Back and Stream Output to Front to
Stream Messages. For complete information, see Optimizing through Streaming.
v For large files, set the back and front timeout values appropriately with the Back
Side Timeout and Front Side Timeout fields, respectively.
74
Where:
address The IP address of the DataPower Ethernet interface
port
path
When the client requests a directory listing, the URL contains a query parameter to
flag the request type. For example, a DIR request might generate the following
URL:
sftp://host.example.com:22/;type=d
The ;type=d query parameter is appended to the URL to designate the DIR request.
v If the Multi-Protocol Gateway service uses a static backend, the service adds the
?Listing=LIST query parameter before forwarding the request to the remote FTP
server.
v If the Multi-Protocol Gateway service uses either a dynamic backend or
Propagate URI is set to off, use a custom style sheet to modify the URL before
passing the request to the remote FTP server. For example, the style sheet might
test whether the value of the var://service/URI variable contains ;type=d. If it
contains this query parameter, the style sheet replaces ;type=d with
?Listing=list and sets the value of the var://service/routing-url variable to
the resultant URL.
v When the client requests to delete a file and the Allow Delete is enabled, the
URL contains a query parameter to flag the request type. For example:
sftp://host.example.com:22/orders.xml?Delete=true. The Delete=true query
parameter is appended to the URL to designate that the file named orders.xml
will be deleted.
75
76
c. Click Add.
d. In the Virtual Directory field, specify the directory in the virtual file
system of the SFTP server.
e. Click Apply.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
77
1.
2.
3.
4.
7.
8.
9.
10.
11.
12.
To use a local Host Alias instead of a static IP address, click Host Alias. A
Host Alias allows you to specify a locally configured alias that resolves to a
static IP address. Aliasing can help when moving configurations across
systems.
Specify the port monitored by the handler in the Port Number field. The
default is 4000.
Set Persistent Connections to enable or disable persistent TCP connections.
When enabled, more than one transaction could be contained in the same TCP
session. Persistent connections can speed end-to-end processing when many
small transactions flow through the appliance.
Select an SSL Proxy Profile to assign from the SSL Proxy Profile list.
Select an Access Control List to apply from the Access Control List list.
Click Apply to save the changes to the running configuration.
Optional: Click Save Config to save the changes to the startup configuration.
78
For example, consider a topic hierarchy split into the following topic spaces:
v library topics for document management
v sales topics for marketing and sales tracking
v engineering topics for engineering and technology
The topic volumes can appear in all three topic spaces, and have a very different
meaning in each.
79
Redelivered
Contains a Boolean indicating that the message has been delivered in
the past, but not yet acknowledged
9. Select the TIBCO EMS server to associate from the TIBCO EMS Server list.
10. Select an SSL Proxy Profile to assign from the SSL Proxy Profile list.
11. Select an Access Control List to apply from the Access Control List list.
12. Click Apply to save the changes to the running configuration.
13. Optional: Click Save Config to save the changes to the startup configuration.
80
81
Redelivered
Contains a Boolean indicating that the message has been delivered in
the past, but not yet acknowledged
12. Click Apply to save the changes to the running configuration.
13. Optional: Click Save Config to save the changes to the startup configuration.
82
High-level configuration
To configure an MQ Front Side Handler:
1. Select Objects Protocol Handlers MQ Front Side Handler to display the
MQ Front Side Handler catalog.
2. Click Add.
3. Define the basic configuration of the handler. See Defining the basic
configuration for details.
4. Define the publish and subscribe configuration. These fields are only supported
with WebSphere MQ V7 queue managers. See Defining the publish and
subscribe configuration on page 84 for details.
5. Define the properties and headers configuration. See Defining the properties
and headers configuration on page 85 for details.
6. Define the advanced configuration. See Defining the advanced configuration
on page 85 for details.
7. Click Apply to save the changes to the running configuration.
8. Optional: Click Save Config to save the changes to the startup configuration.
83
See the MQGMO_* (Get Message Options) topic in the Constants section
of the WebSphere MQ Information Center for details.
When a message is too large for a queue, an attempt to put the message on
the queue fails. Segmentation is a technique that allows the queue manager or
application to split the message into smaller pieces, and place each segment
on a queue as a separate physical message. The application that retrieves the
message can either handle the multiple segments one-by-one, or request the
queue manager to reassemble the segments into a single message that is
returned by the MQGET call. The reassembly request is achieved by
specifying the MQGMO_COMPLETE_MSG option (65536) on the MQGET call, and by
providing a buffer large enough to accommodate the entire message.
Note: Ensure that the associated queue manager supports the
MQGMO_COMPLETE_MSG option. On z/OS, MQ queue managers do not
support segmentation. On other operating systems, MQ queue
managers might not be configured to support segmentation.
9. In the Polling Interval field, specify the number of seconds before an
MQGET operation returns if no messages are available. The next attempt will
be performed immediately. Setting a low value will help to detect quickly
network connectivity issues and queue manager power shutdown. At the
same time, a low value will increase network traffic. The minimum is 1. The
default is 30.
10. Use the Retrieve Backout Settings field to determine whether to retrieve the
backout threshold and backout queue name from the MQ server.
on
on
off
(Default) The variable returns the name of the queue manager group.
12. In the CCSI field, specify the Coded Character Set Identifier (CCSID) that the
remote MQ queue manager converts output data. The default CCSID is for
ISO-8859-1 (latin-1). For a list of CCSID, see the following web site:
http://www.ibm.com/software/globalization/ccsid/ccsid_registered.jsp
This property is meaningful only when the MQ Queue Manager object has the
Convert Input property set to on.
84
2. In the Subscription Name field, specify the name for the durable subscription.
3. In the Publish Topic String field, specify a topic string associated with the
identified queue manager. The handler publishes messages to this topic string.
If the Put Queue field is specified, this field is ignored.
Note: These fields are only supported with WebSphere MQ V7 queue managers.
off
(Default) No header
MQRFH
MQRFH header
MQRFH2
MQRFH2 header
5. If Header to Extract Content-Type is not None, specify the XPath expression to
extract the value of the Content-Type header in the XPath expression to extract
Content-Type from MQ header field. Click XPath Tool for help building the
XPath expression.
85
1. Use the Async Put field to specify whether to put a message to a queue
without waiting for a response from the queue manager.
on
off
86
Matching rules
A matching rule determines whether candidate traffic is subject to an associated
processing rule in a processing policy. Matching rules support the implementation
of processing policies and XML manager-based schema validation rules. The
processing policy evaluates candidate documents against all expressions in the
matching rules. A document matches the rule only if it conforms to all expressions
in the rule. Documents that fail to match all expressions do not match the rule.
Matching rules come in the following flavors:
v An HTTP method matching rule matches on the http method type PUT, DELETE,
GET, POST and HEAD in the http request.
v An HTTP matching rule tests HTTP header content. Simple matching expressions
enable the identification of specific HTTP header fields and header field
contents. These expressions are similar to those that define a Compile Options
Policy or a URL Refresh Policy.
v A URL matching rule uses simple matching patterns to test incoming URLs.
v An XPath matching rule uses an XPath expression applied to the incoming
message to determine a match. If the expression evaluates to true, a match is
made. The XPath Tool is available to help construct this expression.
While HTTP, URL, and XPath matching rules determine if incoming traffic is
subject to a processing rule, an error code rule provides the ability to provide
custom, user-defined error processing. As error codes are written as hexadecimal
integers, the error code expression matches one or more hexadecimal integers.
87
Processing rules
A processing rule specifies the processing actions to apply to incoming documents.
A processing rule can be as simple as a single action to transform of an incoming
XML document using a style sheet. On the other hand, a processing rule can be as
complex as an action that performs the following actions:
v Use several schema validations and style sheet filters to ensure that the
client-generated payload is not malicious.
v Transform the document to remove elements that are not needed by the backend
server.
v Route the transformed document to a dynamically determined server.
Processing rules are characterized by their direction.
v
v
v
v
Processing actions
Processing rules can contain the following actions. For details about defining the
listed actions within a processing rule, refer to Defining processing actions on
page 95.
AAA
Antivirus
An antivirus action invokes a named, reusable rule. This action sends
messages to a virus scanning server at a defined host/port or URI. This
action calls a style sheet that corresponds to the ICAP Host Type selected
to perform the scanning, sets the type of virus handling and error handling
to perform on the message after scanning, and sets the level of Virus
Scanner logs. See Adding an antivirus action on page 95 for details.
Call processing
A call action invokes a named, reusable rule. After the action completes,
processing continues to the next action, if any. See Adding a call
processing rule (call) action on page 97 for details.
Checkpoint event
A checkpoint action specifies an event to trigger the collection of
information for WS-Management agents and Service Level Monitors. This
action is available for Web Service Proxy services only. See Adding a
checkpoint event (checkpoint) action on page 97 for details.
Conditional
A conditional action implements programmatic if-then-else processing. If an
XPath expression returns true when applied to the input context of the
action, a designated processing action runs. Any number of if-then clauses
can be configured. A final else clause that uses an empty XPath expression
() runs a designated action when no other XPath expression matches the
input. You can designate a call action. The call action provides the ability
88
to run a complete processing rule that contains one or more actions. You
can configure a conditional action to provide the same service as a
complete processing policy, which gives you the ability to conditionally
invoke different processing policies on input.
Convert query parameters to XML
A convert-http action converts non-XML CGI-encoded input (an HTTP
POST, an HTML form, or URI parameters) into an equivalent XML
message. This action in the active rule alerts the service to treat input as
non-XML CGI-encoded input. For a service to use this action, the request
type for that service must be set to XML. See Adding a convert query
parameters to XML (convert-http) action on page 99 for details.
Crypto binary
A cryptobin action signs, verifies, encrypts, or decrypts binary data. This
action uses the syntax and methodologies that are described in RFC 2311,
S/MIME Version 2 Message Specification, dated March 1988, and RFC 2315,
PKCS #7: Cryptographic Message Syntax 1.5, dated March 1998. This action
requires that the appliance has the PKCS7-SMIME feature. See
Cryptographic binary (cryptobin) action on page 99 for details.
Decrypt
A decrypt action performs full or field-level document decryption. See
Adding a decrypt action on page 107 for details.
Encrypt
An encrypt action performs complete or field-level document encryption
using either WS-Security or XML encryption standards. See Adding an
encrypt action on page 109 for details.
Event-sink
An event-sink action causes processing to wait until designated
asynchronous actions complete. The outputs of these asynchronous actions
can then be safely used by subsequent actions that are contained in the
processing rule. This action is useful for the parallel processing of actions.
For example, the appliance can parallelly contact remote resources, such as
an authentication server or a Web server, that located on the network. With
parallel processing, the processing time is reduced to the latency of the
slowest response. With serial processing, the appliance waits for network
operations to complete and therefore incur the latency of network
operations. By including network-oriented actions in this action, their
results become available for subsequent processing.
Extract
An extract action applies an XPath expression to a specified context and
stores the result in another context. See Adding an extract using XPath
(extract) action on page 116 for details.
Fetch
Filter
For-each
The for-each action implements a programmatic loop for each of the defined
actions. Each time an XPath expression returns true, a designated action
runs. The for-each can be used to apply a series of style sheets to input
data, if desired. Instead of using XPath expressions, the loop can be
processed a specific number of times. Each iteration of the loop stores its
Chapter 7. Processing policies
89
The log action is for transaction logging, not event logging to a log target.
This action takes a copy of a particular message payload and sends it to a
log destination for auditing purposes. This action requires a destination
URL and will send the input context to the defined endpoint. The message
is wrapped in the same schema as the SOAP log target. The message
contains all the standard log metadata fields (timestamp, category, client IP
address, and so forth), and the payload is inserted into the message field.
The contents are sent with the defined log priority and log category. The
response, if any, is stored in the output context, if one is defined. See
Adding a log action on page 122 for details.
On error
An on-error action defines a named rule that enables user-defined error
handling when subsequent processing encounters errors. The on-error
action either stops processing or continues to the next processing step.
Optionally the action calls the named rule to handle the error condition.
Without an on-error action, the default error handling is to stop processing
and log a message.
A processing rule can contain one or more on-error actions. Each action
defines error handling for subsequent actions until another on-error action
is found. When another action is found, error-handling procedures are set
to the new on-error action. As such, this action enables conditional error
handling in a processing context.
See Adding an on-error action on page 126 for details.
Note: A processing policy can contain on-error actions and an error rule.
When a processing policy contains both on-error actions and an
error rule, the on-error action overrides the error rule. An error rule,
if the processing policy contains one, is invoked when an error
occurs during processing. In this case, the error rule acts as an error
handler.
Results
A results action sends a message to a URL. A results action can optionally
specify a context in which to store the response. See Adding a results
action on page 128 for details.
Results asynchronous
A results-async action asynchronously sends a message to a URL. This
action does not support sending a message to an output context. With this
action, processing continues without waiting for a response. See Adding a
results asynchronous (results-async) action on page 129 for details.
Rewrite header
A rewrite action rewrites HTTP headers or URLs using a URL rewrite
policy. See Adding a rewrite header (rewrite) action on page 130 for
details.
Rewrite HTTP method
A rewrite-method action rewrites the HTTP method. See Adding a method
rewrite action on page 130 for details.
Route with style sheet or XPath
A route-action action performs style sheet-based routing or XPath
90
91
Validate
A validate action performs schema-based validation against XML
documents using a user-specified method. See Adding a validate action
on page 142 for details.
Verify A verify action validates the digital signature on an incoming document.
See Adding a verify action on page 144 for details.
Contexts
A context can be described as a temporary variable that contains data used by a
processing action. The input context, the context specified for the Input field,
contains the data to be processed. The output context, the context specified for the
Output field, receives the data produced by the action.
v Some actions require both an input context and an output context.
v Some actions require an input context only.
v Some actions require an output context only.
v Some actions require neither an input context or an output context.
The data for the contexts can be XML or non-XML. XML data is expressed in a tree
format. Non-XML data is binary. When the data is XML, the XML tree can include
lists of variables and attached documents.
The context can also be a variable. Refer to Adding a set variable (setvar) action
on page 132 for more information.
Context keywords
Processing rules recognize the following keywords and apply special context to
them:
INPUT
92
v For a server-to-client rule, the OUTPUT context is the data that is sent to
the client.
NULL
PIPE
The output of an action becomes the input to the next action. As such, any
action that uses the PIPE context as output must be followed by an action
that uses the PIPE context as input. The PIPE context is useful in certain
instances to reduce processing latency. The PIPE context is the correct
choice for streaming operations.
__JSONASJSONX
Valid as the input to an action when the service request type or response
type is JSON. The __JSONASJSONX context contains the data that is
associated with the request or the response after the data is validated as
well-formed JSON as described in RFC 4627 and converted to JSONx. As
with any other XML, the processing policy actions can manipulate JSONx.
If it is necessary to convert back to JSON, an explicit transformation action,
possibly specifying jsonx2json.xsl, can be applied.
93
Client to Server
The rule applies to client-generated requests that go through the
service. Client requests arrive at front addresses to the service.
Server to Client
The rule applies to server-generated responses that go through the
service. Server responses arrive at back addresses to the service.
7. Double-click the Match icon to display the Match Assignment window.
a. From the Matching Rule list, select a matching rule. Refer to Defining
matching rules on page 290 for more information.
b. Click Done to assign the matching rule to the processing rule.
8. Create the processing rule by dragging action icons to the configuration path.
9. After adding the last action to the processing rule, click Apply to add the
completed rule to the processing policy.
94
To add additional processing rules to the processing policy, repeat step 4 on page
94 through step 9 on page 94.
All candidate documents are processed by the rule that conforms to the defined
direction and matching rule.
4. From the AAA Policy list, select an AAA policy. Refer to Creating AAA
policies on page 152 for complete information about creating an AAA policy.
5. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
6. Optional: In the Output field, enter or select the context for the data produced.
7. Click Done.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
95
96
97
98
99
None
(Default) use this value for all inputs other than Base64.
Base64
Use this value to characterize the data to be signed using Base64
encoding.
11. Select the output format to characterize the signed PKCS #7 object (SignedData
produced by the signature process) from the Output Encoding Format list.
12. Set Binary Data to indicate whether the input data is true binary and should
be canonicalized. This finer characterization enables or disables the
canonicalization of line endings in the input data.
on
Indicates that the input data is not true binary and can be
canonicalized. Use this setting if the input data is a raw-text string
that consists of meaningful 7-bit data units.
When creating a detached S/MIME signature (where Output Encoding
Format is S/MIME and Include Content Data is off), setting Binary Data to
off can produce an unverifiable signature since the data is not canonicalized
as expected for an S/MIME message.
True binary data should be Base64 encoded before signing with a detached
S/MIME signature.
Binary Data can be set to off for Base64 encoded data.
off
13. Specify or select the context for the data produced in the Output field.
100
14. If the action is complete, click Done. The configuration path shows the Crypto
Binary icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Defining advanced settings: Use the Advanced screen to identify the style sheet
and define less commonly used settings.
1. Click the Advanced tab to display the Advanced screen.
2. Confirm the Input setting.
3. Confirm that the Action Type is cryptobin.
4. Confirm that the PKCS#7 Sign radio button is selected.
5. Confirm the Asynchronous setting.
6. Use the Processing Control File field or select the style sheet to perform
PKCS #7 signing.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to obtain the file.
7. To define parameters for the style sheet, click Add Parameter (at the bottom
of the window).
a. In the Stylesheet Parameter Name field, specify the name of the
parameter.
b. In the Stylesheet Parameter Value field, specify the value for the
parameter.
c. Click Submit to return to the Advanced window, which now lists the
newly defined parameter.
Repeat this step to define each additional parameter.
8. Confirm the Signers setting.
9. Confirm the Include Content Data setting.
10. Confirm the Input Encoding Format setting.
11. Confirm the Output Encoding Format setting.
12. Confirm the Binary Data setting.
13. If necessary, define the following settings:
Include text/plain Header
When the Output Encoding Format is S/MIME and the Binary Data
is off, adds a Content-Type:text/plain MIME header to the input
data prior to the signature process. The added header is part of the
signed data.
By default, the header is not added. Some S/MIME clients, however,
require such a header as part of the data.
Include Signer's Certificate
By default, the public certificate of each message signer is included
with the signed document. PKCS #7 supports multiple signing entities.
When set to off, signer certificates are not included. The verifying
entity must procure them through other means.
101
Include CA Certificates
By default, the Intermediate CA certificates of each message signer are
included with the signed document. PKCS #7 supports multiple
signing entities.
When set to off, CA certificates are not included. The verifying entity
must procure them through other means.
Include Authenticated Signed Attributes
By default, the action includes contentType, signingTime, and
messageDigest attributes in the signature.
When set to off, these attributes are not added to the signature.
Additional Certificates
Refer to Include Certificates Only.
Include Certificates Only
Used with Additional Certificates, and only if the PKCS #7 file
consists solely of a group of certificates. Any input data is ignored.
When set to off, the unsigned output produced by the action consists
of the certificates that are identified by Additional Certificates and
any certificate that is identified by Signers and Include CA
Certificates, although certificate identification by these last two
properties is optional.
Name of Context Variable Holding Output Metadata
Specifies the name of the context variable to which the output of this
operation (including error strings, if any) is written. The string
var://context/ is prepended to the specified name.
14. Click Done to complete the action. The configuration path shows the Crypto
Binary icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
102
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Advanced settings: Use the Advanced screen to identify the style sheet and
define less commonly used settings.
1. Click the Advanced tab to display the Advanced screen.
2. Confirm the Input setting.
3. Confirm that the Action Type is cryptobin.
4. Confirm that the PKCS#7 Verify radio button is selected.
5. Confirm the Asynchronous setting.
6. Use the Processing Control File field or select the style sheet used by this
cryptobin verify action to perform signature verification.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to obtain the file.
7. To define parameters for the style sheet, click Add Parameter (at the bottom
of the window).
a. In the Stylesheet Parameter Name field, specify the name of the
parameter.
b. In the Stylesheet Parameter Value field, specify the value for the
parameter.
c. Click Submit to return to the Advanced window, which now lists the
newly defined parameter.
Repeat this step to define each additional parameter.
8. Confirm the Validation Credential setting.
9. Confirm the Input Encoding Format setting.
10. Confirm the Output Encoding setting.
11. If necessary, define the following settings:
Maximum Number of Signatures to Verify
By default, the action verifies a maximum of 10 signatures. This
limitation guards against a Denial of Service (DoS) attack launched by
a document that contains an exceedingly large number of signatures.
You can change the default to any integer between 1 and 25.
Additional Certificates to Check for Signers
Certificates of PKCS #7 signers are identified by the issuing CA's
distinguished name and by the issuer-specific serial number that is
contained in the PKCS #7 SignerInfo type. The standard does not
specify that the certificate itself be included with the signed content.
103
You can use the Add and Delete buttons with the list to create a list of
certificates used to validate the certificates presented or referenced by
document signatories.
Allow Internal Signers' Certificates
Certificates providing a chain-of-trust for signatories can be included
in the PKCS #7 SignedData type. However, certificates need not be
included.
By default, the action uses included certificates in its efforts to verify
signatures, in addition to the certificates that are specified by the
Additional Certificates to Check for Signers property.
Setting Allow Internal Signers' Certificates to off, prohibits the action
from using included certificates, thus limiting its verification efforts to
the certificate set that is specified by Additional Certificates to Check
for Signers.
URL Location of Detached Data
Specifies the location of the detached data that was signed by the
PKCS #7 SignedData type. Used only when verifying a detached
signature where the encoding format of the input data not S/MIME.
Detached Data Encoding Format
Specifies the encoding format of the detached data that was signed.
Base64 encoded binary
Specifies that the data is Base64 encoded
Binary
Specifies binary data
Name of Context Variable Holding Output Metadata
Specifies the name of the context variable to which the output
of this operation (including error strings, if any) is written.
The string var://context/ is prepended to the specified name.
12. Click Done to complete the action. The configuration path shows the Crypto
Binary icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
104
off
Indicates that the input data is not true binary and can be
canonicalized. Use this setting if the input data is a raw-text string
consisting of meaningful 7-bit data units.
105
8.
9.
10.
11.
12.
106
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Advanced settings: Use the Advanced screen to identify the style sheet and
define less commonly used settings.
1. Click the Advanced tab to display the Advanced screen.
2. Confirm the Input setting.
3. Confirm that the Action Type is cryptobin.
4. Confirm that the PKCS#7 Decrypt radio button is selected.
5. Confirm the Asynchronous setting.
6. Use the Processing Control File field or specify the style sheet used by this
cryptobin decrypt action to perform document decryption.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to obtain the file.
7. To define parameters for the style sheet, click Add Parameter (at the bottom
of the window).
a. In the Stylesheet Parameter Name field, specify the name of the
parameter.
b. In the Stylesheet Parameter Value field, specify the value for the
parameter.
c. Click Submit to return to the Advanced window, which now lists the
newly defined parameter.
Repeat this step to define each additional parameter.
8. Confirm the Input Encoding Format setting.
9. Confirm the Output Encoding Format setting.
10. Confirm the Recipients setting.
11. If necessary, define the following settings.
Remove text/plain Header
Removes a Content-Type:text/plain MIME header from the plaintext,
decrypted data. Used only when Input Encoding Format is S/MIME.
By default, the header (if present) is not removed.
Name of Context Variable Holding Output Metadata
Specifies the name of the context variable to which the output of this
operation (including error strings, if any) is written. The string
var://context/ is prepended to the specified name.
12. Click Done to complete the action. The configuration path shows the Crypto
Binary icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
107
This action might require that certain parameters be supplied during the
configuration of the service.
To
1.
2.
3.
Advanced settings
Use the Advanced screen to identify the style sheet and define less commonly used
settings.
1. Click the Advanced tab to display the Advanced screen.
2. Use the Processing Control File field or select the style sheet used by this
decrypt action.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to obtain the file.
3. Set Optimize Element Description to enable or disable optimization of the
decrypted data.
According to the encryption specifications, decrypting element-encrypted data
(instead of content-encrypted) should result in valid XML. The decrypted data
should contain all of the required namespace prefix bindings that are needed to
parse the resulting XML data.
108
on
Enables optimization. If you know that the source of the encrypted data
follows this specification, use this setting. Enabling optimization might
improve performance. Decryption does not require extra
canonicalization.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
2.
3.
4.
5.
6.
109
b. From the Recipient Certificate list, select the certificate that contains the
public key for the intended recipient.
8. Define the encryption scope, WS-Security version, and encryption keys.
a. From the Messages and Attachment Handling list, select the encryption
scope.
b. When the encryption scope includes messages: From the Encryption Key
Type list, select the bulk encryption key and how it is protected.
c. When using a symmetric key, define whether to use key derivation and, if
derived, how to derive the key.
1) Set Use WS-SC Key Derivation to indicates whether to use a derived
key as the symmetric key for data encryption or to wrap the ephemeral
key.
2) Determine the key and controls.
v When using key derivation: From the WS-SecureConversation DKT
Derivation Base list, select the type of key derivation to use or the
base token to use to derive the key.
Derive Key from WS-Sec Kerberos Token
If selected, specify the Encryptor principal, Decryptor principal,
and the keytab that contain these principals.
Derive Key from Encrypted Ephemeral Key
Derive Key from EncryptedKeySHA1
Derive Key from Existing DKT Token
If selected, specify the name of the base token.
Use Key Derivation if a SCT Token is Available
Use Symmetric SAML HoK Token from Recipient
v When not using key derivation: From the Symmetric Key
Encryption Source list, select the source for the key.
Use a Key in SecurityContext
Use a Random Key and Encrypt it for the Recipient
Use an Existing DKT Token
If selected, specify the name of the base token.
Use an EncryptedKeySHA1 for Recipient
Use Static Shared Secret Key
If specified, select the Shared Secret Key.
Use the Kerberos Session
If selected, specify the Encryptor principal, Decryptor principal,
and the keytab that contain these principals.
Use the Symmetric SAML HoK Token from the Recipient
d. From the WS-Security Version list, select the version of WS-Security.
e. Set One Ephemeral Key to indicate whether to use the same ephemeral
key for all encryptions.
9. Optional: Click the Advanced tab to configure advanced properties.
a. In the Processing Control File field, specify the encryption style sheet. By
default, this action uses the encrypt-wssec.xsl file in the store: directory.
b. From the Output Type list, select how to interpret the server response.
c. From the Symmetric Encryption Algorithm list, select the algorithm.
d. If the encryption type is asymmetric: define the key transport algorithm.
110
e.
f.
g.
h.
111
112
113
114
115
116
Filter actions
A processing policy provides following implementations:
Standard filter
Creates a filter that checks the document for user-defined elements. A
standard filter uses the specified style sheet to accept or reject the
submitted document. You can use the filter-accept-all.xsl or
filter-reject-all.xsl style sheets in the store: directory.
Replay filter
Creates a filter that checks the document for replay attacks. A replay filter
uses the replay-filter.xsl style sheet in the store: directory to cache a
selected value from submitted documents. When that value occurs in any
subsequent requests, the request is rejected.
Required elements filter
Creates a filter that checks the document for the presence of required
elements in the SOAP header. A required elements filter uses the
required-elements-filter.xsl style sheet in the store: directory.
Message layout filter
Creates a filter that checks the document for WS-Security message layout.
A message layout filter uses the wssecurity-message-layout-filter.xsl style
sheet in the store: directory.
Conformance filter
Creates a filter that checks the document for conformance against the
define Conformance Policy. A conformance filter uses the
conformance-filter.xsl style sheet in the store: directory.
117
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
118
9. Specify or select the context for the data produced in the Output field.
10. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
6.
7.
8.
Drag the Filter icon to the configuration path (the horizontal line).
Double-click the Filter icon to display the Filter action window.
Specify or select the context for the data to be processed in the Input field.
Specify or select the store:///conformance-filter.xsl style sheet with the
Processing Control File fields.
Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
Select the conformance policy from the Conformance Policy list. Refer to
Conformance Policy on page 261 for details.
Specify or select the context for the data produced in the Output field.
Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
119
Process a nodeset with a series of style sheets and generate results as a single
output This use case loops through an XML file that contains a list of the URLs for
style sheets. The input context of the for-each action contains this XML
file. Refer to Specifying the location of remote resources on page 146 for
details about the content for the style sheet.
The Loop Action in this case is a transform action. The transform uses the
value of the var://service/multistep/loop-iterator variable. This
variable evaluates to the URL of a style sheet to use for the transform. This
Loop Action operates on an input context that is not the input context of
the for-each loop. The input context of the Loop Action typically contains
the message that is submitted by the service client. The output context of
the transform is set to the same context as the input context. In this way,
each subsequent style sheet operates on the output of the previous style
sheet. The output context of the transform could be the same as that of the
for-each loop itself. The action that immediately follows the loop takes as
its input context the output context of the Loop Action.
This configuration method avoids memory requirements of many included
style sheets in a single style sheet. Instead, the use of output contexts
clarifies data and memory management.
Distribute data to a range of destinations
This use case loops through an XML file that contains a list of destination
URLs. A results action sends the data in the processing context to each
destination. If the return from each iteration of the results action is not
important, the results action can be asynchronous. If the return from each
iteration is needed for further processing, the for-each loop can be
configured to place the return for each iteration in a unique output context.
A style sheet can then recombine the contents of the contexts.
Data enrichment
This use case loops through repeating elements in a message and uses the
values in each element as inputs to a data-enriching action, such as a
fetch, results, or sql action. This method can also be used to authenticate
a list of identities.
To add a for-each action, use the following procedure:
1. Drag the Advanced icon to the configuration path (the horizontal line).
2. Double-click the Advanced icon to display a window that lists the advanced
action types.
3. Click the For-each radio button.
4. Click Next to display the Configure Event-sink action window.
5. Set the desired Input context. Select auto to cause the service to use the best
available choice (typically the output context of the previous action). All XPath
expressions are applied to the data in this context.
6. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
7. Select the desired method of iteration from the Iterator Type list.
Count Runs the Loop Action on the entire message in the input context for
the number of times set in the Iterator Count field. The screen
refreshes to display the Iterator Count field. Enter any value of 1 32768.
120
XPath Expression
Runs the Loop Action on each node set that is returned by the XPath
expression in the XPath Expression field. The screen refreshes to
display the XPath Expression field.
If the XPath expression is /*[namespace-uri()=http://joe.com and
local-name()=Order]/*[namespace-uri()=http://joe.com and
local-name()=Item], the loop runs three times for the following input:
<joe:Order xmlns:joe="http://joe.com">
<joe:Item>
<joe:Qty>5</joe:Qty>
<joe:ProdID>32145-12</joe:ProdID>
</joe:Item>
<joe:Item>
<joe:Qty>10</joe:Qty>
<joe:ProdID>78-697-24</joe:ProdID>
</joe:Item>
<joe:Item>
<joe:Qty>10</joe:Qty>
<joe:ProdID>091356-3</joe:ProdID>
</joe:Item>
</joe:Order>
121
off
(Default) The output context contains the result of the last iteration
only, not the aggregated results of each iteration.
10. Specify or select the context for the data produced in the Output field. The
value cannot be PIPE.
11. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
122
send the input context to the defined endpoint. The message is wrapped in the
same schema as the SOAP log target. The message contains all the standard log
metadata fields (timestamp, category, client IP address, and so forth), and the
payload is inserted into the message field.
To add a log action:
1. Drag the Advanced icon to the configuration path (the horizontal line).
2. Double-click the Advanced icon to display a window that lists the advanced
action types.
3. Click the Log radio button.
4. Click Next to display the Log action window.
5. Optional: Select the Input context. If auto, processing sets the context
identifier. The contents of input context are sent to the defined destination.
6. In the Destination field, specify a valid URL. Refer to Locating remote
resources in actions on page 145 for details.
7. From the Log Level list, select a priority. The priority might be meaningful to
the entity that receives the log message.
8. From the Log Type list, select a logging category.
9. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
10. For HTTP protocols: From the Method list, select the HTTP method type.
11. Optional: Select the Output context or specify a new context name. Select auto
to allow the processing policy to set the output context. If left blank, no
response is captured from the log action.
12. Click Done to complete the action.
The configuration path shows the Log icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
MQ header action
The MQ Header action can perform the following header and queue modifications:
Modify MQMD Request Message Headers
Selectively override specified headers values in a request message or drops
all header values from the request message and replaces with new or
auto-generated values.
Retrieve Responses using Message Id or Correlation Id
Modify how the service retrieves response messages from a backend reply
queue by specifying a message ID or Correlation ID. By default, the service
looks in the backend reply queue for response messages that have a
Correlation Id that matches the Message Id of the request message.
Modify MQMD Response Message Headers
Selectively override specified header values in a response message or
drops all header values from the response message and replaces with new
or auto-generated values.
123
124
8. Select MQMD for Get from the MQ Request Header Processing list.
9. Define how the service pulls messages from the backend reply queue.
v In the Message Id field, specify the message ID. The service pulls messages
from the backend reply queue with the specified message ID.
v In the Correlation Id field, specify the correlation ID. The service pulls
messages from the backend reply queue with the specified correlation ID.
10. Select an output context. If auto, processing inserts the output context.
11. Click Done.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
125
126
Cancel
Stop the processing of the current processing rule.
Alternative
Invoke an alternative processing rule.
Continue
Continue with the next sequential processing action.
6. Optionally use the Processing Rule controls to select the target rule. The
target rule is the rule that this action calls. For information about creating
reusable processing rules, refer to Defining reusable rules on page 145.
To define a target rule, do one of the following:
v Select a processing rule from the list of available processing rules.
v Click Var Builder to use the variable builder to define a custom context
variable for a processing rule. Refer to Using the variable builder on page
148 for details.
7. Optionally use the Error Input field or select the input context to the invoked
error rule. If no input context is specified, the input context of the failed
action is provided as a default context to the error rule.
8. Optionally use the Error Output field or select the output context from the
invoked error rule. If no output context is specified, the output context of the
failed action is provided as a default context to the error-rule.
Select OUTPUT to transmit the error message to the requesting client.
9. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
10. Click Done to complete the action. The configuration path shows the On
Error icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Results actions
A processing policy provides two actions that can send results in the input context
to remote servers:
results
Optionally sends results to one or more remote servers and, when
processing in synchronous mode, waits for a response from the remote
servers. When configured to process in asynchronous mode, the results
action is equivalent to the results-async action. However with the results
action, you can include an event-sink action in the processing rule to wait
for the response from the remote servers. Refer to Adding a results
action on page 128 for configuration details.
results-async
Sends results to one or more remote server and does not wait for a
response from the remote servers. Refer to Adding a results asynchronous
(results-async) action on page 129 for configuration details.
Both of the results-type actions offer the following options:
v The ability to send results to multiple destinations. For the results action, the
specification of a destination is optional. For a results-async action, the
specification of a destination is required.
v Can control the number of connection retries.
Chapter 7. Processing policies
127
Because a results-async action does not support an output context, the results
action provides the following options that are not available for a results-async
action. These options are meaningful only when processing in synchronous mode
or when processing in asynchronous mode and the processing rule contains a
subsequent event-sink action.
v The ability to create multiple output contexts.
v The ability to control the aggregation of multiple output contexts.
v The ability to control the interpretation of the server response, if any.
128
XML or does not exist, parses the response as XML. For any other
value, treats the response as Binary and stores the response
without parsing.
XML Parses the response as XML.
b. Set Use Multiple Outputs to determine whether to write parallel outputs
into separate contexts.
on
off
(Default) The output context contains the result of the last iteration
only, not the aggregated results of each iteration.
10. Optionally enter or select the context for the data produced in the Output
field.
Leave blank if no response is expected or if the response can be ignored. A
value is required when Use Multiple Outputs is set to on.
11. For HTTP protocols: From the Method list, select the HTTP method type.
12. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
129
Require All
Sends the results in the input context to all potential destinations and
fails if any of the remote servers fails.
8. Enter an integer in the Number of Retries field to set the number of times the
service retries a failed connection to the destination. The default is 0.
9. Enter an integer in the Retry Interval field to set the number of milliseconds
the service waits before retrying a connection. The default is 1000.
10. For HTTP protocols: From the Method list, select the HTTP method type.
11. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Route-type actions
A processing policy provides three routing implementations using two actions to
select the destination:
130
Stylesheets
Uses the route-set action to implement style sheet-based routing. Refer to
Adding a route with style sheet (route-action) action for details.
XPath expressions
Uses the route-set action to implement XPath expression-based routing.
Refer to Adding a route with XPath expression (route-action) action for
details
Variables
Uses the route-set action to implement variable-based routing. Refer to
Route with variables (route-set) action on page 132 for details.
131
132
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
133
134
For details about other advanced settings, refer to the online help.
14. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
(Default) Indicates that the SQL statement is contained in the SQL Text
field.
Chapter 7. Processing policies
135
Stylesheet
Indicates that the SQL statement is derived by executing the style
sheet specified by the Transform field against the contents on the
context specified by the Input field.
10.
11.
12.
13.
14.
15.
Variable
Indicates that the SQL statement is contained in the variable specified
by the Variable Name field.
If the SQL Input Method is Static, use the SQL Text field to provide an SQL
statement. This setting indicates that the SQL statement that is used by the
action is provided by this property.
If the SQL Input Method is Stylesheet, use either the Processing Control File
dialog or the Variable Name field to identify a style sheet. This setting
indicates that the SQL statement that is used by the action is constructed by
executing the specified style sheet against the contents of the Input context.
If the SQL Input Method is Variable, use the Variable Name field to identify
a style sheet. This setting indicates that the SQL statement that is used by the
action is the contents of the specified variable.
Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
Optionally specify or select the context for the data produced in the Output
field.
Click Done to complete the action. The configuration path shows the SQL
icon.
Note: If the SQL action successfully queries the data source, the query produces
standard SQL schema output messages. In some instances, query errors also
produce standard SQL schema output messages. However, if the query fails
for one of the following reasons, a generic SOAP fault is reported:
v The SQL data source name is invalid, missing, or incorrect.
v The SQL data source is disabled.
v The SQL data source is not in the up operational state.
v The SQL query is not resolvable.
v The data source is read-only, and you attempt to run a non-SELECT
query.
v The size-limit property of the data source was exceeded.
v Other unexpected errors.
A more descriptive SQL error message can still be found in the log.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
136
5. In the Attachment URI field, specify the attachment to strip. If omitted, all
attachments are stripped from the specified context.
6. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
7. Click Done to complete the action. The configuration path shows the Strip
Attachments icon.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Transform-type actions
A processing policy provides the following transform implementations:
Transform for XML messages
Uses the xform action to transform XML documents. The action identifies
the XSLT style sheet to use to perform the transform.
Transform for non-XML messages
Uses the xformbin action to transform non-XML documents. The action
identifies the XSLT style sheet to use to perform the transform.
Processing instruction-based transform for XML messages
Uses the xformpi action to transform XML documents. The XML document
is the source of the processing instruction. The action uses the processing
instruction in the presented XML documents to perform the transform.
SOAP refinement transform
Transforms the SOAP header and child elements of a SOAP document in
accordance with the defined SOAP Header Disposition table. This
transform uses the soap-refine.xsl style sheet in the store: directory.
Buffer attachments transform
Transforms an attachment manifest to ensure that all attachments are
buffered, not streamed. This transform uses the buffer-attachments.xsl style
sheet in the store: directory.
Conformance transform
Transforms an XML document to conform to the define Conformance
Policy. This transform uses the conformance-xform.xsl style sheet in the
store: directory.
137
6. Optional: From the URL Rewrite Policy list, select the rewrite policy to rewrite
the style sheet URL that is extracted from the incoming document. Refer to
URL Rewrite Policy on page 345 for more information.
7. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
8. Specify or select the context for the data produced in the Output field.
9. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
138
4. In the Processing Control File field, specify or select the style sheet to use.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
5.
6.
7.
8.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
139
http://www.w3.org/2003/05/soap-envelope/role/next
Everyone, including the intermediary and ultimate receiver,
receives the message and should be able to process the
security header.
http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver
(Default) The ultimate receiver can process the security
header.
Blank or an empty string
No actor/role identifier is configured. The ultimate receiver
is assumed when processing the message, and no actor/role
attribute is added when generating the security header.
Note: There should not be more than one security header that
omit the actor/role identifier.
USE_MESSAGE_BASE_URI
Indicates that the actor/role identifier is the base URI of the
message. If the SOAP message is transported using HTTP, the
base URI is the request-URI of the HTTP request.
Any other string
Indicates the actor or role of the security header.
off
140
off
11. Select the disposition table from the SOAP Header Disposition Table list.
This table contains a list of instructions that controls how to handle SOAP
headers, child elements, or both SOAP headers and child elements. Refer to
SOAP Header Disposition Table on page 329 for information.
12. Specify or select the context for the data produced in the Output field.
13. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
141
6. Optionally select the rewrite policy to rewrite the style sheet URL that is
extracted from the incoming document from the URL Rewrite Policy list. Refer
to URL Rewrite Policy on page 345 for more information.
7. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
8. Specify or select the context for the data produced in the Output field.
9. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
142
Body or Detail
Apply the schema against the contents of the detail element for SOAP
faults, and the contents of the Body otherwise.
Ignore Faults
If the document is a SOAP fault, pass it through without further
validation; otherwise, validate the contents of the SOAP Body.
Chapter 7. Processing policies
143
This setting does not affect validating the INPUT context to ensure that it is a
valid document. If you are validating an intermediate context, such as the
result of an XSLT transform or an externally retrieved document, this content
is not implicitly validated as SOAP. You might want to select Envelope to
validate the entire document.
10. Set Asynchronous to indicate whether to process asynchronously. If enabled,
the action does not need to complete before the rule starts processing its next
action.
11. Specify or select the context for the data produced in the Output field.
12. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
Verify actions
A verify action validates digital signatures in messages. The basic configuration
requires the selection of the type or types of signatures to verify. The verify action
can validate RSA/DSA (asymmetric) signatures, HMAC (symmetric) signatures, or
both types of signatures. If a message contains signatures that are signed by
RSA/DSA and HMAC algorithms, the verify action can validate one type of
signing algorithm and ignore the other. If set to a single signature type and the
signing method is different, verification fails.
During processing, the verify action can retrieve the key information from the
WS-Security token or from the signature information.
v RSA/DSA verification uses public keys (certificates).
v HMAC verification uses shared secret keys.
Kerberos signature verification: You must define the verifier principal and the
keytab that contains the shared secret key.
Optionally, you can define the signer principal to
validate that this principal signed this message.
These setting are available on the Advanced tab.
By default, the verify action checks the expiration of the WS-Security timestamp.
You can modify this behavior and other timestamp checks on the Advanced tab.
144
b. From the Validation Credential list, select the credentials set to validate the
certificate.
7. Optional: In the Output field, enter or select the context for the data that was
processed.
8. Click the Advanced tab to override basic settings or define advanced settings.
v Optional: Override WS-Security timestamp checking for both HMAC and
RSA/DSA verification
v Kerberos principals and keytab for Kerberos signature (HMAC) verification
v Optional: Enable WS-Security 1.1 signature confirmation for both HMAC and
RSA/DSA verification
v Optional: SAML remote tokens (WS-Security 1.1) processing for both HMAC
and RSA/DSA verification
v Optional: Caching of extracted session key from the verified message.
Cached key is for future cryptographic operations that use
EncryptedKeySHA1.
v Optional: Processing of security header based on SOAP actor/role
9. Click Done to complete the action.
If this is the last action for the rule, click Apply Policy. Otherwise, drag another
icon to the configuration path.
WebGUI label
Optional or
Required
Number of servers
fetch
Source
Required
Only one
for-each
Source
Required
One or more
log
Destination
Required
One or more
145
WebGUI label
Optional or
Required
Number of servers
results
Destination
Optional
One or more
results-async
Destination
Required
One or more
route-set
Destination
Required
Only one
ftp
http
https
ims (not secure) or imsssl (secure), if licensed
mq (MQ protocol to a dynamic back end)
smtp
sql, if licensed
v tcp
v tcps
v tibems, if licensed (TIBCO EMS protocol to a dynamic back end)
In addition to the previous protocols, the fetch, results, and results-async
actions support the attachment protocol. Refer to Attachment protocol on page
147 for details.
Predefined variable
Use a predefined variable in the var://context/name form that expands to
a URL (Source or Destination field) or to multiple URLs (Destination field
only).
For a single URL
Use the setvar action to define the var://context/remote1 variable
with a value of http://server1.domain.com:2222. Then, specify
var://context/remote1 in the Source or Destination field.
For multiple URLs
Use the setvar action to define the var://context/results/
remote-multi variable with the following value:
<results mode="require-all" multiple-outputs="true">
<url input="context1">http://127.0.0.1:22223</url>
<url input="context2">http://127.0.0.1:22224</url>
<url input="context3">http://127.0.0.1:22225</url>
<url input="context4">http://127.0.0.1:22226</url>
</results>
146
Attachment protocol
The fetch, results, and results-async actions support the attachment protocol.
This protocol identifies a SOAP attachment and has the following format:
attachment://context/cid:content_id[?query_param_1[&query_param_2]]
Encode=base64 or Encode=hexbin
Compress=gzip
Archive=tar or Archive=zip
Filename=file_name
The results and results-async actions support the following query parameters:
v
v
v
v
v
v
Decode=base64
Compress=gzip
Archive=tar or Archive=zip
Filename=file_name
Parsable=true
Manifest=true
The following code excerpt shows a configuration that uses the attachment and
cid protocols:
rule swa-zip-003
# fetch base64 encoded zip file into archive-base64
fetch
cid:contract123.zip
archive-base64
Chapter 7. Processing policies
147
strip-attachments INPUT
# add archive-base64 as a new attachment to input and decode
results
archive-base64
attachment://INPUT/cid:archive-zip?Decode=base64
# fetch binary file into context x
fetch
http://zoostation/clitest-importpackage.zip
new-file-to-add
# add file to archive
results
new-file-to-add
attachment://INPUT/cid:archive-zip?Archive=zip&Filename=testfile
# return context with new archive (3 files)
results INPUT
exit
The context value for the input argument cannot be INPUT, OUTPUT, or PIPE.
148
For the call and on-error actions, you can create a custom context variable only.
After clicking Var Builder the area shown in Figure 9 is visible.
For the setvar action, you can create a custom context variable or select an existing
service, extension, or system variable. The created or selected variable must be a
write-only or read-write variable. After clicking Var Builder the area shown in
Figure 10 is visible.
Figure 10. Variable builder for custom context, service, extension, and system variables
After defining a custom context variable, click Use Custom. The variable builder
closes, and the field contains the defined variable.
149
150
Extract Resource
Authenticate
Allow | Deny
Map Credentials
Map Resource
Authorize
Allow | Deny
Post Processing
Output
Message
Generate
Error
After extracting the service requester identity and resource, the policy authenticates
the claimed identity. Authentication is most commonly accomplished via an
external service (for example, a RADIUS or LDAP server), but other custom
processing methods, such as site-specific XML- or XPath-based solutions, are
readily supported. During policy definition, you select a single authentication
method from a menu of supported methods, and (depending upon the selected
method) provide a few items of additional required information, such as a server
address or the URL of a custom processing resource.
151
152
v
v
v
v
v
153
<wsse:Password>Flintstone</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S11:Header>
WS-SecureConversation Identifier
The claimed identity of the requester is extracted from a
WS-SecureConversation Identifier. A client that has established a
security context could provide credentials in addition to the security
context identifier to help with authentication; if present, the <wst:Base>
154
155
156
SAML Artifact
The AAA policy captures a SAML artifact, which is then used during
the Authenticate step to provide an authenticated identity. An artifact
might appear in the URL used by the client.
https://server.domain.com/service?SAMLART=h48ck4klje
Client IP Address
The IP address of the client is used for authentication.
Subject DN from Certificate in the Message's signature
The claimed identity of the requester is extracted from a certificate used
to validate a digitally-signed message. The AAA policy verifies the
validity of the signature. If valid, uses the Subject DN that is extracted
from the certificate that is associated with the signature as the claimed
identity.
<?xml version="1.0" encoding="UTF-8"?>
<message xmlns="http://www.example.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.com message.xml">
<to>Alice</to>
<from>Bob</from>
<subject>Important</subject>
<body>
Traveling to San Francisco, Honolulu, and Ashtabula.
See you in the sky.
</body>
<method>Fax</method>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SignedInfo>
...
</SignedInfo>
<SignatureValue>MBwxXIuY2...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICMjCCTfMCFB9mFK6vs= </X509Certificate>
<X509IssuerSerial>
<X509IssuerName>CN=jrb@somedomain.com</X509IssuerName>
<X509SerialNumber>0</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</KeyInfo>
</Signature>
</message>
on
157
158
Processing Metadata
Extract the identity from the processing metadata, such as protocol
headers, system variables, and other custom metadata sources. If
selected, the WebGUI displays the following property:
Processing Metadata Item
Select a Processing Metadata object to identify extracted items.
Refer to Processing Metadata on page 318 for more information.
You must use custom style sheet for authentication.
Custom Template
The claimed identity of the requester is extracted by a custom or
proprietary identification resource (for example, a style sheet).
If selected, the WebGUI displays the following property:
Specify a URL
v If the resource is stored in the local: or store: directory, select
the resource.
v If the resource is remote to the local: or store directory, specify
the location of the resource.
v If the resource is stored on the WebGUI workstation, click
Upload to transfer the file.
v If the resource is stored on a remote server, click Fetch to
transfer the file.
2. After enabling one or more identity extraction methods, click Next to display
the Authentication window and continue with the Authentication phase of the
AAA Policy definition.
159
160
Enables an LDAP search for the user's group. The login name
of the user along with the LDAP Search Parameters will be
used as part of an LDAP search to retrieve the user's DN.
v If off, the WebGUI removes the LDAP Prefix and LDAP Suffix
fields:
LDAP Prefix
Optional: Specify an LDAP prefix name. The specified string is
prefixed to the identity that is extracted before submission to the
LDAP server. The default is cn=.
LDAP Suffix
Optional: Specify an LDAP Suffix name. This specified string is
appended to the identity that is extracted before submission to the
LDAP server. For example, o=datapower.
User Auxiliary LDAP Attribute
Define the list of LDAP attributes as the auxiliary information for
AAA. Use a comma as the delimiter. For example,
email,cn,userPassword. Results are appended to the context variable
var://context/ldap/auxiliary-attributes. The LDAP attributes are
synchronized to the AAA authentication cache.
Contact a SAML Server for a SAML Authentication Statement
The requester is authenticated by a SAML server. If authentication
succeeds, a SAML Authentication statement is returned and used for
further communication. If selected, the WebGUI displays the following
properties:
SAML signature validation credentials
Optional: Select the Validation Credentials set used to validate a
digitally-signed SAML authentication statement. The AAA policy
validates the signature against these credentials. If the certificate
cannot be validated, authentication fails. Refer to Validation
credentials on page 32 for more information.
SAML Authentication Query Server URL
Specify the URL of the SAML Authentication server to use to retrieve
a SAML authentication statement.
161
off
When required, specify the size of the client entropy in bytes in the
Client Entropy Size field. The size refers to the length of the client
entropy before Base64 encoding. Use an integer in the range of 8
through 128. The default is 32.
Require Server Entropy
Indicates whether to require server entropy in the WS-Trust
response.
on
off
162
off
off
When required, specify the value for the AppliesTo header in the
AppliesTo Header field.
WS-Trust Encryption Certificate
Optional: Select a Crypto Certificate to encrypt WS-Trust elements
in the request. If selected, he public key of the certificate encrypts
the client entropy key material for the recipient. If blank, the
WS-Trust BinarySecret element contains the entropy material. In
this case, use an SSL Proxy Profile to secure the message exchange
with the WS-Trust server.
Contact ClearTrust server
The requester is authenticated by a ClearTrust server. If selected, the
WebGUI displays the following properties:
ClearTrust Server URL
Specify the URL used to access the ClearTrust server.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authentication server. Retain the default value to use a non-SSL
connection.
Contact Netegrity SiteMinder
The requester is authenticated by a Netegrity server. If selected, the
WebGUI displays the following properties:
Host
Specify the IP address or host name of the Netegrity server.
Port Specify the port number of the Netegrity server.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authentication server. Retain the default value to use a non-SSL
connection.
Netegrity Base URI
Optional: Specify a Base URI for the identified Netegrity server. The
Base URI consists of the concatenation of the combination of the
servlet-name and url-pattern from its web.xml file. Given the
following entries in a web.xml file, specify datapoweragent/.
163
<servlet-mapping>
<servlet-name>datapoweragent</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
164
165
on
166
TFIM Credentials are taken from a TFIM configuration. If selected, the WebGUI
prompts from the following property:
TFIM Configuration
Select a TFIM configuration. Refer to Creating TFIM objects on
page 253 for more information.
WS-SecureConversation
Credentials are taken from the WS-SecureConversation context token.
XML File
Identifies an XML file as the mapping resource. If selected, the WebGUI
displays the following property:
URL
v If the resource is stored in the local: or store: directory, select the
resource.
v If the resource is remote to the local: or store directory, specify the
location of the resource.
v If the resource is stored on the WebGUI workstation, click Upload
to transfer the file.
v If the resource is stored on a remote server, click Fetch to transfer
the file.
Refer to Using an AAA Info file on page 246 for more information.
XPath Identifies an XPath expression as the mapping resource. If selected, the
WebGUI displays the following property:
XPath Expression
Specify an XPath expression to be applied to the value extracted
during the identity extraction phase.
For assistance in creating the XPath expression, click XPath Tool. This
tool allows you to load an XML document and build the expression
by selecting the desired node.
Chapter 8. AAA Policy configuration
167
168
XPath expression
The identity of the requested resource is extracted from the client request
by an XPath expression. If selected, the WebGUI displays the following
properties:
XPath expression
Specify an XPath expression to be applied to the value extracted
during the Resource Extraction step.
For assistance in creating the XPath expression, click XPath Tool. This
tool allows you to load an XML document and build the expression
by selecting the desired node.
If the defined expression contains namespace elements, click XPath
Binding to provide namespace/prefix data. Refer to Setting
namespace data for XPath bindings on page 245 for more
information.
For example, you could specify /*[local-name()="message"]/*[localname()="transitmethod"] for the following message:
<?xml version="1.0"?>
<message xmlns="http://www.example.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.com message.xml">
<to>Alice</to>
<from>Bob</from>
Chapter 8. AAA Policy configuration
169
<subject>Important</subject>
<body>
Traveling to San Francisco, Honolulu, and Ashtabula.
See you in the sky.
</body>
<transitmethod>Fax</transitmethod>
</message>
Processing Metadata
Extract the resource from the processing metadata, such as protocol
headers, system variables, and other custom metadata sources. If selected,
the WebGUI displays the following property:
Processing Metadata Item
Select a Processing Metadata object to identify extracted items. Refer
to Processing Metadata on page 318 for more information.
You must use custom style sheet for authentication.
tivoli
TAMBI prefix
Indicates that the output of the mapped resource uses the prefix
170
TFIM prefix
Indicates that the output of the mapped resource uses the prefix
style from Tivoli Federated Identity Manager (TFIM). If
selected, the WebGUI displays the following property:
Tivoli object space instance prefix
Specify the name of the TFIM domain. When selected, the
mapped resource output is:
/itfim-wssm/wssm-default/domain_name/mapped_resource_name
WebSEAL prefix
(Default) Indicates that the output of the mapped resource uses
the prefix style used by the WebSEAL component of Tivoli
Access Manager for e-business. If selected, the WebGUI displays
the following properties:
Tivoli object space instance prefix
Specify the name of the WebSEAL instance. When
implemented, the mapped resource output is:
/WebSEAL/instance_name/mapped_resource_name
171
XPath expression
Specify an XPath expression to be applied to the value extracted
during the Resource Extraction phase.
For assistance in creating the XPath expression, click XPath
Tool. This tool allows you to load an XML document and build
the expression by selecting the desired node.
If the defined expression contains namespace elements, click
XPath Binding to provide namespace/prefix data. Refer to
Setting namespace data for XPath bindings on page 245 for
more information.
Click Next to display the Authorization window.
c (Control)
r (Read)
d (Delete)
s (Server Admin)
g (Delegate)
T (Traverse)
l
m
N
R
t
v
W
x
(List Directory)
(Modify)
(Create)
(Bypass AuthAZ)
Resource/Action map
Select an existing action map file.
172
(Trace)
(View)
(Password)
(Execute)
This type of action map allows a single AAA policy to use different
ACL actions during authorization based on the requested resource.
For example, you could have a TAM action map with the entries
listed in Table 10.
Table 10. Example of TAM action map entries
Pattern
Action
*one*
x (execute)
*two*
r (read)
173
174
175
176
177
178
XACML PDP
Select the PDP to provide authorization services for the
AAA Policy. Refer to Defining a XACML PDP on page
259 for more information.
off
off
179
Refer to Using an AAA Info file on page 246 for more information.
180
181
182
183
To perform this activity, the AAA policy needs the following data:
v The client identity (cname of the Kerberos ticket) for the Kerberos client principal
v The location of the Kerberos keytab file
v The server identity (sname of the Kerberos ticket) for the Kerberos server
principal
For information about SPNEGO, refer to Understanding SPNEGO.
184
185
186
This encrypted directory contains private key and certificate files that
services use in the domain. You can add, delete, and list files in this
directory, but you cannot view or modify these files. Each application
domain contains one cert: directory. This directory is not shared across
domains.
chkpoints:
This directory contains the configuration checkpoint files for the appliance.
Each application domain contains one chkpoints: directory. This directory
is not shared across domains. During an upgrade, the operation deletes the
contents of this directory.
config:
This directory contains the configuration files for the appliance. Each
application domain contains one config: directory. This directory is not
shared across domains.
dpcert:
This encrypted directory contains files that the appliance itself uses. This
directory is available from the command line in the default domain only.
export:
This directory contains the exported configurations that are created with
the Export Configuration utility. Each application domain contains one
export: directory. This directory is not shared across domains.
image: This directory contains the firmware images (primary and secondary) for
the appliance. This directory is where firmware images are stored typically
during an upload or fetch operation. Each appliance contains only one
image: directory. This directory is available in the default domain only.
During an upgrade, the operation deletes the contents of this directory.
local:
This directory contains miscellaneous files that are used by the services
within the domain, such as XSL, XSD, and WSDL files. Each application
domain contains one local: directory. This directory can be made visible to
other domains. When viewed from other domains, the directory name
changes from local: to the name of the application domain.
logstore:
This directory contains log files that are stored for future reference.
Typically, the logging targets use the logtemp: directory for active logs. You
Copyright IBM Corp. 2002, 2011
187
can move log files to the logstore: directory. Each application domain
contains one logstore: directory. This directory is not shared across
domains.
logtemp:
This directory is the default location of log files, such as the
appliance-wide default log. This directory can hold only 13 MB. This
directory cannot be the destination of a copy. Each application domain
contains one logtemp: directory. This directory is not shared across
domains.
pubcert:
This encrypted directory contains the security certificates that are used
commonly by Web browsers. These certificates are used to establish
security credentials. Each appliance contains only one pubcert: directory.
This directory is shared across domains.
sharedcert:
This encrypted directory contains security certificates that are shared with
partners. Each appliance contains only one sharedcert: directory. This
directory is shared across domains. However, you must be in default
domain to create or upload keys and certificates.
store:
This directory contains example style sheets, default style sheets, and
schemas that are used by the local appliance. Do not modify the files in
this directory.
Each appliance contains only one store: directory. By default, this directory
is visible to all domains. You can make changes to the contents of this
directory from the default domain only.
The store: directory has the following subdirectories:
meta
msgcat
This subdirectory contains the message catalogs.
policies
This subdirectory contains the following subdirectories. The
contents of these subdirectories affect Web services policy.
custom
This subdirectory contains custom style sheets.
mappings
This subdirectory contains mapping style sheets.
templates
This subdirectory contains XML files.
profiles
This subdirectory contains style sheets that are used by DataPower
services.
schemas
This subdirectory contains schemas that are used by DataPower
services.
dp
188
pubcerts
This encrypted subdirectory contains files that are used by the
appliance itself. This subdirectory is available from the command
line only.
tasktemplates:
This directory contains the XSL files that define the display of specialized
WebGUI screens. Each appliance contains only one tasktemplates: directory.
This directory is visible to the default domain only.
temporary:
This directory is used as temporary disk space by processing rules. Each
application domain contains one temporary: directory. This directory is not
shared across domains. During an upgrade, the operation deletes the
contents of this directory.
Creating a subdirectory
Subdirectories can only be creates under the local: directory or one of its
subdirectories.
Follow these steps to create a subdirectory under the local: directory or one of its
subdirectories:
1. Launch the File Management utility. Refer to Launching the File Management
utility for details.
2. From the Action column, click Actions aligned with the directory for the
subdirectory to be created.
3. Click Create Subdirectory. The File Management screen displays.
4. Enter the name of the new subdirectory in the directory Name field.
5. Click Confirm Create. The File Management screen refreshes.
6. Click Continue. The File Management screen displays the top-level directories
only.
189
Deleting a directory
Directories can only be deleted in the local: directory or one of its subdirectories.
Follow these steps to delete a directory under the local: directory or one of its
subdirectories:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. From the Action column, click Actions aligned with the directory to be deleted.
3. Click Delete Directory. The File Management screen displays.
4. Click Confirm Delete. The File Management screen refreshes.
5. Click Continue. The File Management screen displays the top-level directories
only.
190
Required software
JKS support requires the following software on the WebGUI workstation:
v Version 1.4.2 of the Java runtime environment (j2re1.4.2)
v SDK (j2sdk1.4.2)
v Internet Explorer
Note: You must have the JRE or Java SDK /bin path name in the Windows PATH
environment variable on the WebGUI workstation. The Java Key Store file
cannot reside on any of the local directories. It must be uploaded from a
workstation.
Granting permissions
In addition, the user must have the grant permission for the upload in the
.java.policy file on the workstation that contains the Java Key Store files. The
following example .java.policy file should be defined on the workstation
computer before starting the upload:
grant {
permission java.io.FilePermission "<<ALL FILES>>","read";
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.*";
};
Navigate to the directory into which you want to upload the file.
Click Actions in that row to open the Directory Actions menu.
Click Upload Files to display the File Upload screen.
Click the Java Key Store radio button to display the JKS Upload screen.
Note: When you click the Java Key Store radio button, the Java Console of
the browser opens and shows whether the Java Key Store Access
191
Fetching files
Use the following procedure to retrieve a file from a remote URL (fetch) and store
that file in a specified directory on the appliance:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. Navigate to the directory into which you want to upload the file.
Click Actions in that row to open the Directory Actions menu.
Click Fetch Files to display the Fetch File screen.
Specify the location of the file in the Source URL field.
Specify the file name in the Save as field.
If the file already exists in the selected directory and you want to overwrite this
file, check the Overwrite Existing Files check box. If you do not select this
check box and the file already exists, the file is not uploaded.
8. Click Fetch.
9. When the appliance reports success, click Continue to return to the File
Management screen.
3.
4.
5.
6.
7.
The target directory now contains the retrieved file. To verify, use the procedure
described in Displaying directory contents on page 189.
Copying files
Use the following procedure to copy a file from one directory to another:
192
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. Navigate to the directory that contains the files to be copied.
3. Select files by clicking the box adjacent to the file name.
4. Scroll to the top or bottom of the screen and click Copy to display the File
Copy screen.
5. From the New Directory Name list, select the target directory.
6. Specify the name for the file, if different, in the New File Name field.
7. If one of the selected files already exists in its associated target directory and
you want to overwrite this file, check the Overwrite Existing Files check box. If
you do not select this check box and the file already exists, the file is not
copied.
8. Click Confirm Copy to copy the files to the target directories.
9. When the appliance reports success, click Continue to return to the File
Management screen.
The target directories now contain the copied files. To verify that the files exist, use
the procedure described in Displaying directory contents on page 189.
Renaming files
Use the following procedure to rename a file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. Navigate to the directory that contains the files to be copied.
3. Select files by clicking the box adjacent to the file name.
4. Click Rename to display the File Rename screen.
5. Specify the name of the file in the New File Name field.
6. If one of the selected files already exists in the target directory and you want to
overwrite this file, check the Overwrite Existing Files check box. If you do not
select this check box and the file already exists, the file is not copied.
7. Click Confirm Rename.
8. When the appliance reports success, click Continue to return to the File
Management screen.
The target directories now contain the renamed files. To verify that the files exist,
use the procedure described in Displaying directory contents on page 189.
Moving files
Use the following procedure to move a file from one directory to another:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2.
3.
4.
5.
6.
193
Viewing files
Use the following procedure to view a text file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. Navigate to the directory that contains the file.
3. Click the file to open a browser that contains the file.
When finished viewing the file, close the browser.
Editing files
Use the following procedure to edit a text file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. Navigate to the directory that contains the files to be edited.
3. Select the file to be edited by clicking Edit in the row that is associated with
that file. The WebGUI displays a file preview.
4. Click Edit to change to Edit Mode.
5. Edit the file as required.
6. Click Submit to complete the edit process.
7. When the appliance reports success, click Close to return to the File
Management screen.
Deleting files
Use the following procedure to delete a file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 189 for details.
2. Navigate to the directory that contains the files to be deleted.
3. Select files by clicking the box adjacent to the file name.
4. Scroll to the top or bottom of the screen and click Delete to display the Delete
File screen.
5. Click Confirm Delete to delete the files.
6. When the appliance reports success, click Continue to return to the File
Management screen.
The selected files were deleted. To verify that the files no longer exist, use the
procedure described in Displaying directory contents on page 189.
194
off
195
10. Optional: Click Save Config to save the changes to the startup configuration.
Note: Unless you click Save Config, the included configuration file will not take
affect when the appliance is started.
196
197
Backing up domains
Best practice is to periodically back up all domains individually.
To back up configuration information for one or more application domains, follow
this procedure:
1. Select Administration Configuration Export Configuration to display the
Initial Export Configuration screen.
2. Select Create a backup of one or more application domains and click Next to
display the selection screen.
3. Provide the following inputs:
a. Optional: In the Comments field, enter a descriptive summary.
b. Optional: Create or select the name of a Deployment Policy to accept, filter,
or modify a configuration during import.
c. The Export File Name defaults to export (.zip). If a file of this name exists
in the export: directory, it is overwritten.
d. Select the check boxes adjacent to each domain to export.
e. Click Next
When the backup completes, the file is in the export: directory. You can
download the export file to your workstation. The Import Configuration utility
requires that the export file resides on your workstation.
4. Optional: Click Download to download the file to your workstation.
5. Click Done to close this window and return to the Control Panel.
The export file can be accessed from the export: directory. If downloaded, the
export file is on your workstation.
198
199
200
on
201
202
203
4. Click Delete.
5. Respond to prompts.
204
d. Retain the selection of (none) for the Use Deployment Policy list. For more
information, refer to the Deployment policies on page 207.
e. Set Rewrite Local Service Addresses to control whether to substitute IP
addresses:
2. Click Next to display the Select Application Domains for Import window. If
there are no objects in the configuration you are importing, skip to step 6c.
When importing from any domain other than default, the imported
configuration applies only to the current domain. The WebGUI might display
an error message when importing data that was exported from the default
domain.
3. Select the desired domains. To select all domains, click All. To deselect selected
domains, click None. If a selected domain does not exist on the appliance, as
indicated, it will be created.
4. Click Next to display the Import Object Selection List window.
5. Select the objects to import.
Note: Click Save Config to save the configuration for each domain that
contains imported objects or files.
To effectively complete an appliance import (restore), use the admin
account or dp-admin account on XI50z. The appliance to be restored must
also first be re-initialized through the command line.
6. Click Next to display the Import Summary window, which details the contents
of the target file. In some cases, the summary might indicate differences in file
versions.
Note: Warnings can appear on this screen that alert you to a range of possible
conflicts that the imported configuration might cause. Depending on the
warning, you might want to create a new application domain, or you
might want to choose not to overwrite objects or files.
a. Select each item to overwrite. To select all item, click All. To deselect
selected items, click None. Only selected items are imported.
b. Click Import to initiate file transfer.
At the completion of the import process, the WebGUI displays the Object
Import Results window, which details the results.
c. Click Done to close this window.
If more than one domain is being imported, the Import Summary window is
displayed for the next domain to import.
205
Comparing configurations
To compare configurations, use the following procedure:
1. Select Administration Configuration Compare Configuration to display
the Configuration Comparison screen.
2. From the From list, select which configuration to be the first configuration
source; and from the To list, select which configuration to be the second
configuration source. The source for each of the configurations can be one of
the following:
Persisted Configuration
The last saved configuration on the appliance. This is the default in the
From list.
Running Configuration
The configuration that is currently running on the appliance. This is the
default in the To list.
Domain Configuration
The last saved or currently running domain configuration on the
appliance.
XML Configuration
The XML file that was created during an export operation. This file has
an .xcfg extension.
Export ZIP Bundle
A ZIP file that was created during an export operation. This file has a .zip
extension.
Backup ZIP Bundle
A ZIP file that was created during backup operation. This file has a .zip
extension.
Checkpoint
A ZIP file that was created through a save checkpoint operation. This file
has a .zip extension and is in the chkpoint: directory.
3. When the source (From or To) is XML Configuration, Export ZIP Bundle, or
Backup ZIP Bundle, specify or browse for and select the configuration file.
Also, create or select a deployment Policy that can be used to accept, filter, or
modify a configuration.
4. When the source (From or To) is Checkpoint, select the checkpoint from the
Checkpoint list.
5. From the View list, select whether the report lists only changed objects between
the configurations or all objects in the configurations. The default is changed
objects only.
6. Click Run Comparison to generate the report.
The results are displayed below the horizontal rule.
206
To
Change
The type of change between the From source and the To source. The
change is one of the following values:
v modified
v added
v deleted
Beside each item is a check box.
Reverting changes
After running a comparison and reviewing the results, you can revert select
changes or all changes between the two configurations. You can revert changes at
the property level only. To revert changes to select properties for an object, use the
object-specific configuration screens.
To revert changes, use the following procedures:
1. Determine which objects to revert:
v To revert select objects, select the check box beside those objects.
v To revert all objects, click Select All.
2. Click Undo Selected.
The results are displayed on a new screen.
If a selected object is a referenced object, it cannot be deleted until after the
deletion of its parent object. You might need to run the comparison multiple times
to delete referenced objects. For example, you cannot delete certificates that are
referenced by a validation credentials list until after the deletion of the validation
credentials list itself.
Deployment policies
Deployment policies use fine-grained matching statements and clause types to
control the inclusion of configuration data among imported configuration
packages.
Depending on the clause type, the deployment policy can perform the following
types of configuration management against the new configuration package. The
processing sequence of clauses is as follows:
1. Accepted configuration, the white list, to always include resources that match.
2. Filtered configuration, the black list, to always delete resources that match.
3. Modified configuration to change the resources based on the defined action
type.
207
|
|
|
Click Add.
In the Name field, enter the name for the object.
Optional: In the Comments field, enter a descriptive summary.
Define accept clauses.
a. In the Accepted Configuration field, specify the matching statement, or
click Build.
b. Click Add.
Repeat this step to define another accept clause.
208
To access the builder, click Build. This button is associated with the following
properties:
v Accepted Configuration on the Main tab
v Filtered Configuration on the Main tab
v Configuration Match after clicking Add on the Modified Configuration tab
To use the builder to create a matching statement:
1. Click Build.
2. In the Device Address field, specify the IP address or host alias. The value *
matches all IP addresses.
3. From the Application Domain list, select the name of the domain. Selecting
(none) matches all domains.
4. From the Resource Type list, select the resource type. Selecting (all resources)
matches all resource types.
5. Optional: In the Name Match (PCRE) field, specify a name match for a
resource. This property limits the matching statement to resources of the
specified name. Use a PCRE to select groups of resources. For example, foo*
would match all resources with names that start with foo.
6. Optional: From the Configuration Property list, select the name of the property.
This property limits the matching statement to resources with the specified
property.
7. Optional: In the Configuration Value Match (PCRE) field, specify the value for
the property. This property limits the matching statement to resources with the
specified value. Use a PCRE to select groups of values.
8. Click Save.
The statement is added to the list of matching statements.
address
Specifies the IP address or host alias. The value * matches all IP addresses.
domain Specifies the name of the application domain. The value * matches all
domains.
Chapter 10. Managing the configuration of the appliance
209
resource
Specifies the resource type. The value * matches all resource types.
Name=resource-name
Optional: Specifies a name match for a resource. This property limits the
match statement to resources of the specified name. Use a PCRE to select
groups of resources. For example, foo* would match all resources with
names that start with foo.
Property=property-name
Optional Specifies the name of the property. This property limits the match
statement to resources of the specified property. If changing a value, set
property-name to a null string.
Value=property-value
Optional: Specifies the value for the property. This property limits the
match statement to resources of the specified property. Use a PCRE to
select groups of values.
For information about define a PCRE, go to the PCRE documentation on the web.
210
Message monitors
You build message monitors from the ground up. This approach breaks down
complex configuration into simple, constituent parts. You can reuse these part to
address the requirements for your environment.
The parts, from the ground up, are as follows:
Traffic definition
A traffic definitions identifies which traffic streams are subject to
administrative monitoring and control. Traffic definitions are message
matching templates that describe traffic streams in terms of IP addresses,
requested URL, and HTTP headers. For details, see Traffic definitions on
page 212.
Message type
A message type assigns traffic definitions to a message monitor. A message
type enables a single message monitor to exercise administrative control
over multiple, possibly related, traffic streams. For details, see Message
Type on page 213.
Filter action
A filter action specifies the administrative actions to take in response to the
overuse of appliance or network resources. Filter actions can be cautionary
or stringent. For details, see Message Filter Action on page 213.
211
Message monitor
A message monitor consists of thresholds, a message type, and a filter
action. You can create the following message monitors:
v A count monitor uses an counter to track specific occurrences. It
activates a filter when the number of occurrences exceeds a threshold.
For details, see Configuring count monitors on page 214.
v A duration monitor is clock-based and measures the duration that
transactions take to complete. It activates a filter when the average
completion times exceeds a threshold. For details, see Configuring
duration monitors on page 216.
After configuring a message monitor, activate the monitor by associating it with
one or more DataPower services.
Traffic definitions
Traffic definitions identify traffic streams that are subject to administrative
monitoring and control.
Traffic definitions are message matching templates that describes traffic streams in
terms of the following criteria:
v Included and excluded source IP addresses
v Requested URL
v HTTP method
v Included and excluded HTTP headers
To configure a message matching template:
1. Click Object Monitoring Message Matching.
2. Click Add.
3. In the Name field, enter the name for the object.
4. Set Administrative State to identify the administrative state of the
configuration.
v To make inactive, click disabled.
v To make active, click enabled.
5. Optional: In the Comments field, enter a descriptive summary.
6. In the IP Addresses field, enter a contiguous range of source IP addresses to
include. If blank, includes all source IP addresses.
7. In the Excluded IP Addresses field, enter a contiguous range of source IP
addresses to exclude. If blank, excludes all source IP addresses.
8. From the HTTP Method list, select the type of HTTP method to include. The
value any includes all HTTP methods.
9. In the Request URL field, enter a literal or wildcard expression to define the
URL set to include. If blank, includes all URLs.
10. Optional: Define HTTP headers to include.
a. Click the HTTP Headers tab.
b. Define an HTTP header to include.
1) Click Add.
2) Define the name-value pair for the header.
3) Click Save.
c. Repeat the previous to define another HTTP header.
212
Message Type
Message types assign traffic definitions for use by a message monitor. A message
type enables a single message monitor to exercise administrative control over
multiple, possibly related, traffic streams.
The same message monitor, for example, could monitor the traffic stream
originating from subnet 10.10.10.0/24 along with the traffic stream originating from
the 10.10.1.0/24 subnet.
Even if the message type consists of a single definition, you should assign a traffic
definition to a message type.
To
1.
2.
3.
4.
213
2. Click Add.
3. In the Name field, enter the name for the object.
4. Set Administrative State to identify the administrative state of the
configuration.
v To make inactive, click disabled.
v To make active, click enabled.
5. Optional: In the Comments field, enter a descriptive summary.
6. From the Type list, select the action to enforce.
7. From the Log Priority list, select the severity of the message to write to the
log target.
8. Optional: In the Block Interval field when the action is reject or shape, enter
the blackout period to deny service for over-threshold messages. A value of 0
indicates that the monitor drops over-threshold messages but does not impose
service denial penalty.
9. Click Apply to save the changes to the running configuration.
10. Optional: Click Save Config to save the changes to the startup configuration.
When defining the measurement interval, it works with the rate and burst limits to
define the conditions that activate the filter. For example, the following
combination imposes administrative sanctions when the monitored messages
exceed 50 transactions per second:
v The interval is 1000
v The rate limit is 50
v The burst limit is 100
To configure a count monitor:
1. Click Object Monitoring Message Count Monitor.
2. Click Add.
3. In the Name field, enter the name for the object.
4. Set Administrative State to identify the administrative state of the
configuration.
v To make inactive, click disabled.
v To make active, click enabled.
5. Optional: In the Comments field, enter a descriptive summary.
6. From the Message Type list, select the message type that defines the traffic
definitions to use.
214
7. From the Measure list, select the action that advances the counter.
8. From the Source list, select how to aggregate source IP addresses based on the
associated traffic definitions.
9. In the Header field, enter the HTTP header that contains IP address
information. Generally, retaining X-Client-IP as the value is sufficient.
10. In the Maximum Distinct Sources field, enter the number of distinct IP
addresses to track. When the monitor observes too many distinct counts, the
monitor discards addresses not observed in the longest amount of time.
11. Define thresholds and filters.
a. Click the Threshold/Filters tab.
b. Define a threshold and filter.
1) Click Add.
2) In the Name field, enter the name for the threshold.
3) In the Interval field, enter the measurement interval.
4) In the Rate Limit field, enter the threshold value as message count.
5) In the Burst Limit field, enter the allowed burst value. For details
about setting this value, see Understanding the burst limit for count
monitors.
6) From the Action list, select the filter to trigger when the message type
exceeds thresholds. See Message Filter Action on page 213.
7) Click Save.
c. Repeat the previous step to define another threshold and filter.
12. Click Apply to save the changes to the running configuration.
13. Optional: Click Save Config to save the changes to the startup configuration.
After creating a monitor, activate it by assigning it to one or more DataPower
services.
215
216
1.
2.
3.
4.
217
<service name="BoodleSearchService">
<port name="BoodleSearchPort" binding="typens:BoodleSearchBinding">
<soap:address location="http://api.boodle.com/search/beta2"/>
</port>
</service>
8. In the Endpoint URL field, enter the URL of the endpoint as defined in the
WSDL file. Using the excerpt shown for the Endpoint field, the Endpoint
URL field would have http://api.boodle.com/search/beta2/ as the value.
9. In the Front End URL field, enter the URL that the client uses to access the
endpoint. This URL can be different from the Endpoint URL, which might be
the case when the firewall rewrites the URL during processing. You can use a
wildcard (*) as the value. For example, /search/* could be the value.
10. From the Transport Type list, select the transport that the endpoint uses. This
value should match the transport identified in the WSDL file. Using the
following excerpt from a WSDL file, the choice would be SOAP-RPC.
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
11. Define the operations to monitor. To monitor both error count and transaction
rate, create two operations. Create one operation for error count, which
monitor the errors that occur at the front (or client request) URL. Create
another operation for transaction rate, which monitors the transaction rate for
the entire Web service.
a. Click the Operations to Monitor tab.
b. Define an operation to monitor.
1) Click Add.
2) In the Operation Name field, retain the default value. The current
implementation supports monitoring all operations in the WSDL file.
3) From the Target to Monitor list, select the target.
4) From the Threshold Level list, select the threshold level.
5) In the Threshold Value field, enter the count required to trigger the
action.
6) In the Threshold Action field, select the action to take when reaching
the threshold.
c. Repeat the previous step to define another operation to monitor.
12. Click Apply to save the changes to the running configuration.
13. Optional: Click Save Config to save the changes to the startup configuration.
218
Enabling statistics
To enable statistics:
1. Click Administration Device Statistics Settings.
2. Set Administrative State to enabled.
3. Click Apply to save the changes to the running configuration.
219
220
Main tab
Name Specify the name of the object.
Administrative State
Identifies the administrative state of the configuration.
v To make inactive, click disabled.
v To make active, click enabled.
Comments
Optional: Enter a descriptive summary.
Authorized counter
Optional: Select a message-count monitor. This object monitors and
controls incoming messages authorized by this AAA Policy. This counter
should Measure type XPath to allow the AAA Policy to increment the
counter on successful authorization. See Configuring count monitors on
page 214.
Rejected counter
Optional: Select a message-count monitor This object monitors and controls
incoming messages rejected by this AAA Policy. This counter should
Measure type XPath to allow the AAA Policy to increment the counter on
rejected authorization. Click Rejected Counter Tool to configure a counter
for this purpose. See Configuring count monitors on page 214.
SAML Signature Validation Credentials
Optional and only if the AAA policy uses SAML-based identity extraction,
authentication, or authorization: Select the Crypto Validation Credentials to
validate digitally-signed SAML assertions from the Credentials list. See
Validation credentials on page 32.
Copyright IBM Corp. 2002, 2011
221
222
223
Identity tab
The initial processing performed by an AAA Policy consists of extracting
information from an incoming message and its protocol envelope(s) about the
claimed identity of the service requester.
Use the Identity panel to specify the method or methods used by the AAA Policy
to extract the identity claimed by the service requester. Click the Identity tab to
display the AAA Policy Configuration (Identity) screen.
Use the check boxes to enable (on) or disable (off) one or more identification
methods.
HTTP's Authentication header
The claimed identity of the requester is extracted from the HTTP
Authorization header (name and password).
If selected, the WebGUI prompts for the following property:
HTTP's Basic Authentication Realm
The name of the HTTP Basic Authentication Realm as described by
RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
A browser might display this name to help determine which
credentials to supply.
UserName element from WS-Security header
The claimed identity of the requester is extracted from the WS-Security
UserName element (name and password) contained in a SOAP header.
BinarySecurityToken element from WS-Security header
The claimed identity of the requester is extracted from the WS-Security
BinarySecurityToken element (using the token's string value as the claimed
identity) contained in a SOAP header.
WS-SecureConversation Identifier
The claimed identity of the requester is extracted from a
WS-SecureConversation Identifier.
WS-Trust Base or Supporting Token
The claimed identity of the requester is extracted from a WS-Trust Base or
Supporting token.
Kerberos AP-REQ from WS-Security header
The claimed identity of the requester is extracted from a Kerberos AP-REQ
contained in the WS-Security header.
Kerberos AP-REQ from SPNEGO token
The claimed identity of the requester is extracted from a Kerberos AP-REQ
contained in the SPNEGO token.
Subject DN of the SSL Client Certificate from the Connection Peer
The claimed identity of the requester is extracted from the SSL client
certificate presented during the SSL handshake. If this is checked, the
Validation Credentials for Signing Certificate appears.
Name from SAML attribute assertion
The claimed identity of the requester is extracted from a SAML assertion that
contains a SAML attribute statement. The name contained in the Subject
element of the attribute statement is used as the claimed identity.
224
225
Optional: Click Save Config to save the changes to the startup configuration.
Authenticate tab
After extracting the claimed identity of the service requester, an AAA Policy
authenticates the claimed identity. The authentication process can use internal or
external resources. Use the Authenticate pane to designate the authentication
method.
1. Click the Authenticate tab.
2. From the Method list, select an authentication method.
Accept a SAML Assertion with a Valid Signature
The requester is authenticated by a SAML assertion with a valid
signature.
Skew Time
Specify the skew time (the difference, in seconds, between the
appliance clock time and other system times) that the SAML
assertion expiration takes into account when the appliance
consumes SAML tokens for the following conditions:
NotBefore
Uses the current time minus the skew time.
NotOnOrAfter
Uses the current time plus the skew time.
Accept an LTPA token
The requester is authenticated by an encrypted LTPA token. If selected,
the WebGUI prompts for the following property values:
LTPA Token Versions
Specifies the LTPA formats supported for authentication purposes.
Use the check boxes to specify the LTPA versions that are
supported for authentication. Select at least one version, or all
LTPA-based authentication will fail.
Because the LTPA token must be decrypted before authentication,
the following properties identify the needed cryptographic
resources.
LTPA Key File
Provide the name of the file that contains the cipher keys to be
used for encryption and decryption.
LTPA Key File Password and Confirm LTPA Key File Password
Provides the cleartext password to the LTPA key file.
Refer to Understanding LTPA for more information.
Bind to Specified LDAP Server
(Default) The requester is authenticated by an LDAP server. If selected,
the WebGUI prompts for the following properties:
226
Host
Port
LDAP Prefix
Optionally specify an LDAP Prefix name. This string is prepended
to the identity extracted before submission to the LDAP server.
The default is cn=.
This property is relevant when the Search for DN is off.
LDAP Suffix
Optionally specify an LDAP Suffix name. This suffix string is
appended to the identity extracted before submission to the LDAP
server. For example, o=datapower.com.
This property is relevant when the Search for DN is off.
LDAP Load Balancer Group
Optionally select a Load Balancer Group. If you select a group,
LDAP queries will be load balanced in accordance with the
settings in the group. Load balancing allows for failover. Refer to
Configuring a load balancer group on page 276 for more
information.
When specified, this property overrides the settings for the Host
and Port properties.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to
remote authentication server. Retain the default value to use a
non-SSL connection.
LDAP Bind DN
Specify the Distinguished Name for the LDAP bind operation.
LDAP Bind Password and Confirm LDAP Bind Password
Specify and confirm the password for the LDAP bind operation.
LDAP Search Attribute
Specify the name of the LDAP attribute that contains the cleartext
password. The default is userPassword.
This property is meaningful only when the identity extraction
method is Password-carrying UsernameToken Element from
WS-Security Header and the <Username> element in the header
has the Type attribute set to PasswordDigest. In this case, the
LDAP server returns the text in the specified LDAP attribute for
the user in the UsernameToken. If the hashed value of the
returned text does not match the value in the <Password> element,
authentication fails.
Search for DN
Indicate whether to perform an LDAP search retrieve the DN of
the user.
on
227
228
The following properties are relevant for attaching WS-Policy, not for
AAA authentication.
Require Client Entropy
Indicates whether to require client entropy as key material in the
WS-Trust request.
on
off
off
off
off
When required, specify the value for the AppliesTo header in the
AppliesTo Header field.
WS-Trust Encryption Certificate
Optional: Select a Crypto Certificate to encrypt WS-Trust elements
in the request. If selected, he public key of the certificate encrypts
the client entropy key material for the recipient. If blank, the
WS-Trust BinarySecret element contains the entropy material. In
this case, use an SSL Proxy Profile to secure the message exchange
with the WS-Trust server.
Appendix A. Referenced objects
229
Port
230
231
232
clock time and other system times) that the SAML assertion expiration
takes into account when the appliance consumes SAML tokens for the
following conditions:
NotBefore
Uses the current time minus the skew time.
NotOnOrAfter
Uses the current time plus the skew time.
3. Click Apply to commit AAA Policy properties.
4. Optional: Click Save Config to save the changes to the startup configuration.
233
Resource tab
After authenticating a client, an AAA policy identifies the specific resource being
requested by that client.
Use the Resource panel to designate the methods used to identify the resource
requested by an authenticated client.
1. Click the Resource tab to display the AAA Policy Configuration (Resource)
screen.
2. Use the check boxes to enable (on) or disable (off) one or more resource
identification methods.
URL sent to back end
The identity of the requested resource is extracted from the (possibly
rewritten) URL sent to the server. The URL can be rewritten by a URL
Rewrite Policy attached to the service or by another processing action
before the AAA Policy.
URL sent by client
The identity of the requested resource is extracted from the original URL
sent by the client. This URL has not been rewritten.
URI of toplevel element in the message
The identity of the requested resource is extracted from the namespace of
the top level application element
Local name of request element
The identity of the requested resource is extracted from the simple name
of the top level application element
HTTP operation (GET/POST)
The identity of the requested resource is extracted from the HTTP method
of the client request
XPath expression
The identity of the requested resource is extracted from the client request
by an XPath expression. If selected, the WebGUI prompts for the
following property:
XPath Expression
Specify the operative XPath expression.
3. Click Apply to commit AAA Policy properties.
4. Optional: Click Save Config to save the changes to the startup configuration.
234
Authorize tab
After authenticating a service requester and extracting the identity of the requested
resource, an AAA Policy next authorizes the client, that is, determines if the
authenticated service requester is allowed access to the requested resource. The
authorization process can use internal or external resources. Use the Authorize
pane to designate the authorization method.
1. Click Authorize.
2. From the Method list, select an authentication method.
Allow Any Authenticated Client
Any authenticated used is authorized.
Contact ClearTrust Server
The requester is authorized via a ClearTrust server. If selected, the
WebGUI prompts for the following properties:
235
236
Subtree
(Default) Specifies that the search matches the input and any
descendents
LDAP Search Filter
Optionally enable the specification of an LDAP search filter which
allows tailored LDAP searches. LDAP filter syntax is defined in RFC
2254, The String Representation of LDAP Search Filters.
User Auxiliary LDAP Attributes
Define the list of LDAP attributes as the auxiliary information for
AAA. Use a comma as the delimiter. For example,
email,cn,userPassword. Results are appended to the context
variable var://context/ldap/auxiliary-attributes. The LDAP
attributes are synchronized to the AAA authorization cache.
Contact Netegrity SiteMinder
The requester is authorized by a Netegrity server. If selected, the WebGUI
prompts for the following properties:
Host
Specify the IP address or domain name of the Netegrity
authorization server.
Port Specify the Netegrity authorization server port number.
Netegrity Base URI
Specify the appropriate URI string.
Netegrity Operation Name Extension
The Netegrity Base URI is combined with the Host, Port, and
Netegrity Operation Name Extension configuration items to form
the URL for attempting Netegrity authentication. The URL is of the
following form:
http://Host:Port/NetegrityBaseURI/operationNetegrityOpNameExtension
r (Read)
237
c (Control)
u (Update)
Always Allow
All messages are forwarded to the backend server.
Generate a SAML Attribute Query
The requester is authorized by a SAML attribute query/response
exchange between the DataPower appliance and a SAML server. If
selected, the WebGUI prompts for the following properties:
URL
Specify the location of the SAML server.
SAML Match
Select the minimum authorization criteria.
All
All-Values
Authorization requires that all configured attribute names
and values be present in the SAML attribute statement
Any
Any-Value
Authorization requires that a single configured attribute
name and value be present in the SAML attribute statement
XPath Authorization requires that SAML server responses are
evaluated with an XPath expression
SAML XPath
If SAML Match is XPath, specify the operative XPath expression.
SAML Name Qualifier
Optionally specify the value of the NameQualifier attribute of the
NameIdentifier in the generated SAML query. Some SAML
implementations require this value to be present.
SAML Version
Select the SAML protocol version to use when employing SAML for
authorization. Versions 1.0, 1.1 and 2.0 are supported. The version
selected affects the format of the messages sent to SAML authorities.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authorization server. Retain the default value to use a non-SSL
connection.
Skew Time
Specify the skew time (the difference, in seconds, between the
appliance clock time and other system times) that the SAML
assertion expiration takes into account when the appliance
consumes SAML tokens for the following conditions:
NotBefore
Uses the current time minus the skew time.
NotOnOrAfter
Uses the current time plus the skew time.
238
All-Values
Authorization requires that all configured attribute names and
values be present in the SAML attribute statement
Any Authorization requires the presence of a single SAML attribute
Any-Value
Authorization requires that a single configured attribute name
and value be present in the SAML attribute statement
XPath
Authorization requires that SAML server responses are
evaluated with an XPath expression
SAML XPath
If SAML Match is XPath, specifies the operative XPath expression
SAML Name Qualifier
Optionally specify the value of the NameQualifier attribute of the
NameIdentifier in the generated SAML query. Some SAML
implementations require this value to be present.
SAML Version
Select the SAML protocol version to use when employing SAML for
authorization. Versions 1.0, 1.1 and 2.0 are supported. The version
selected affects the format of the messages sent to SAML authorities.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authorization server. Retain the default value to use a non-SSL
connection.
Skew Time
Specify the skew time (the difference, in seconds, between the
appliance clock time and other system times) that the SAML
assertion expiration takes into account when the appliance
consumes SAML tokens for the following conditions:
NotBefore
Uses the current time minus the skew time.
NotOnOrAfter
Uses the current time plus the skew time.
Contact Tivoli Access Manager
The requester is authorized by Tivoli Access Manager (TAM). A TAM
object must exist for this method to succeed. Refer to Creating Tivoli
Access Manager objects on page 252 for more information.
239
All-Values
Authorization requires that all configured attribute names
and values be present in the SAML attribute statement
Any
Any-Value
Authorization requires that a single configured attribute
name and value be present in the SAML attribute statement
XPath Authorization requires that SAML server responses are
evaluated with an XPath expression
SAML XPath
If SAML Match is XPath, specifies the operative XPath expression
Use XACML Authorization Decision
The requester is authorized by an XACML Policy Decision Point (PDP),
which might be configured and located on the DataPower appliance, or
which might reside on a remote network appliance. If selected, the
WebGUI prompts for the following properties:
XACML Version
Select the XACML version (1.0 or 2.0, the default) used for
communications between the PDP and this AAA Policy, acting as an
XACML Policy Enforcement Point (PEP).
PEP Type
Select how the AAA Policy, acting as an XACML PEP, processes the
PDP authorization response.
Base PEP
If the XACML response to the authorization request is
permit, the client is authorized; if the permit response is
accompanied by obligations, the client is authorized only if
the AAA Policy, acting as a PEP, can understand and
discharge the conditions.
If the XACML response to the authorization request is deny,
the client is rejected; if the deny response is accompanied by
obligations, the client is rejected only if the AAA Policy,
acting as a PEP, can understand and discharge the
conditions.
Deny-biased PEP
If the XACML response to the authorization request is
permit, the client is authorized; if the permit response is
accompanied by obligations, the client is authorized only if
the AAA Policy, acting as a PEP, can understand and
discharge the conditions.
240
off
off
241
242
v
v
v
v
v
243
1. Click the SAML Attributes tab to display the AAA Policy Configuration
(SAML Attributes).
2. Click Add to display the SAML Attributes Property window.
3. Provide the following inputs:
Namespace URI
Specify the attribute namespace URI.
Local Name
Specify the attribute name.
Attribute Value
Specify the appropriate value.
4. Click Save to return to the AAA Policy Configuration (SAML Attributes).
5. Click Apply to commit AAA Policy properties.
6. Optional: Click Save Config to save the changes to the startup configuration.
(Default) Use the value explicitly assigned by the value for the
LTPA User Attribute Static Value property
244
245
add name-value pairs to the LTPA token, use the following procedure:
Click LTPA User Attributes to display the catalog.
Click Add to display the LTPA User Attributes window.
Provide the following inputs:
LTPA User Attribute Name
Specify the name of the attribute.
LTPA User Attribute Type
Select the type of attribute.
Static
246
Note: An XML file could be used for one or more of these operations. Only the
part of the file that supports the desired operation needs to be completed.
For example, if the file is only used for Map Credentials, it does not need to
include an Authenticate, Map Resource, or Authorize section.
The schema for an AAA Info file uses the AAAInfo.xsd file in the store: directory.
One or more XML files could be used for these operations. In each case, the field
that offers the ability to select an XML file has the + (create) and ... (modify)
buttons. Clicking either button launches the AAA Info file editor. Refer to AAA
Info file editor for more information.
Note: The AAA Info file can be edited outside of the AAA Info file editor and
uploaded to the appliance.
Authenticate element: The Authenticate element or elements contain the
database of identities that can be authenticated by this file. Identities can be
identified by one or more of the following attributes:
v User name
v Password
v IP address or host name
v IP network
v Distinguished name (DN)
v Custom token
Each identity is given a credential by this element.
MapCredentials element: The MapCredentials element takes in a credential string
and maps it to another. The input can be matched by a PCRE regular expression.
This element can be fed directly from an Authenticate element contained in this
file. Usually, however, this element is used to map an identity extracted from a
message to another identity more meaningful to the authorization method.
MapResource element: The MapResource element takes in a resource string
extracted from the message and maps it to another, perhaps more meaningful to
the authorization method. Input resources can be one or more of the following
types:
v
v
v
v
v
v
These resource inputs map to Resource Extraction methods used by the AAA
Policy. The input resource name can be matched by a PCRE regular expression.
Authorize element: The Authorize element takes in a Credential and a Resource
and returns an access status (allow or deny). Both the Credential and the Resource
can be matched by a PCRE regular expression.
247
248
extraction methods Token extracted from the message and Token extracted
as cookie value return this value. If those methods are not used for
extraction, do not use this field.
Credential Name
The credential returned by the authentication. This can be the same as the
extracted identity or different. The value should be meaningful either to
the AAA Policy Map Credentials method or to the AAA Policy Authorize
method.
All of the fields that contain information must be matched for the authentication to
succeed. If the identity extraction method returns only a user name (such as with
SAML) and the Authenticate Identity entry contains both user name and password,
authentication will fail. The AAA policy, however, tests an extracted identity
against all entries in the order in which they are listed, stopping after it finds a
complete match. It is possible to create one entry for user name Bob that also has a
password of foo and another with no password entry. Should the extraction
method only retrieve the user name and not the password, Bob will still
authenticate.
Map credentials: The Map Credentials page presents a list of all credential maps
contained in the file. When creating a new file, this list is empty.
Click Next to move to the next page if this file will not be used for mapping
credentials. Click Add to create a new credential map.
Input Credential
The credential input to the mapping. This field accepts PCRE expressions,
allowing a single expression to match more than one input credential.
Entering foo causes the AAA policy to match all input credentials that
contain the string foo.
Credential Name
The credential to output in place of the input credential. This is the value
to which the input credential is mapped. This is not a regular expression.
Click Submit to add the new map to the list of maps. Create as many mapping
entries as needed by clicking Add for each new entry.
Note: If this file is used for mapping credentials, any input credential that does
not match a map is converted to a blank credential for the purposes of
authorization.
Map resources: The Map Resource page presents a list of all resource mappings
contained in the file. Resource mapping is used to map the resource identifier
extracted from the message to something else. If the AAA Policy uses more than
one resource extraction method, all methods will be executed.
Click Next if this file will not be used for resource identity mapping. Click Add to
create a new map.
Original URL
The URL sent by the client submitting the message. This is a PCRE
expression.
Target URL
The URL used to send the message to the back end server, after the
firewall URL Rewrite Policy has executed. This is a PCRE expression.
Appendix A. Referenced objects
249
Request URI
The Namespace URI of the action or method requested in the body of the
SOAP message. This is identified as the topmost element in the SOAP:Body
element.
Request Operation
The name of the operation requested in the body of the SOAP message.
HTTP Method
Select the desired method. Select any to allow any method.
Result of XPath Expression
Any value that is extracted from the message by an XPath expression. This
is a PCRE expression.
Resource
The resource string to which the input resource is mapped. This field is
required.
Note: If this file is used for mapping resources, any resource that does not mapped
by the file will be converted to a blank resource for the purposes of
authorization.
Authorized access to resources: The Authorize page presents a list of all
authorization pairs contained in this file. Authorization is based on an input
credential (after mapping, if any) and an input resource (after mapping, if any).
If this file is not used for authorization, click Next. To create an authorization entry,
click Add.
Credential
The credential to match for authorization. This field accepts PCRE
expressions.
Resource
The resource to match for authorization. This field accepts PCRE
expressions.
Access
Select allow or deny as the authorization result.
Note: When this file is used for authorization, access is denied by default. Any
unmatched entries result in denied access. Access is allowed only if a match
is found and the Access for that match is allow.
File Information: The file information page provides a means to name the file
and add a comment if desired.
This file is typically placed in the local: directory.
Confirmation: The last page of the reflects the name of the file and offers the
opportunity to make changes or save the changes to the file.
v Click Cancel to abandon all changes and close the window.
v Click Back to move backward through the file to make any additional changes
needed.
v Click Commit to save the file and close the window.
250
251
252
1) Click Add to display the properties window. Use this window to specify
the operational parameters.
2) Define the operational parameters. Refer to the online help for details.
3) Click Save.
c. If necessary, repeat the previous step to create another replica.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
253
254
X.509 Token
Indicates a WS-Security X.509 Token.
h. When using TFIM 6.0, TFIM 6.1, or TFIM 6.2 and when Request Token
Format is Custom, select the location of the custom style sheet in the
Custom Request field. The custom style sheet file must be in the local: or
store: directory. Click Upload or Fetch to upload the custom style sheet file.
i. When Request Token Format is not Custom, define the following properties:
1) When using TFIM 6.0, TFIM 6.1, or TFIM 6.2, specify the scope for this
security token in the Applies-To Address field. For example, specify the
services to which this token applies:
http://tfim.ibm.com:9080/EchoApplication/Services/EchoServiceUser
http://9.33.97.251:9080/EchoApplication/Services/EchoServiceUser
The TFIM trust service uses this information to determine which trust
chain to invoke. To determine the correct value, consult your TFIM
administrator.
3) When using TFIM 6.1 or TFIM 6.2, optionally specify the name of the
Web services port type to use in the Port Type field. A port type is a
group of Web services operations. For example:
EchoService
The TFIM trust service uses this information to determine which trust
chain to invoke with finer granularity. If a value is not specified, a
default value of NotSpecified is used. To determine the correct value,
consult your TFIM administrator.
4) When using TFIM 6.1 or TFIM 6.2, optionally specify the name of the
Web services operation to use in the Operation field. For example:
echo
The TFIM trust service uses this information to determine which trust
chain to invoke with finer granularity. If a value is not specified, a
default value of NotSpecified is used. To determine the correct value,
consult your TFIM administrator.
j. From the SSL Proxy Profile list, select an SSL Proxy Profile to manage
secure communications with the peer.
k. Set Schema Validate Response to specify whether to schema-validate
responses from the TFIM server. When enabled, TFIM responses are
schema-validated with the WS-Trust version that is defined by the
compatibility mode.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
Kerberos objects
A basic description of the Kerberos authentication protocol is helpful for
understanding the support provided by the DataPower appliance.
Appendix A. Referenced objects
255
The Kerberos authentication protocol uses a star topology. The Key Distribution
Center (KDC) is at the center of the star. Each Kerberos principal (a human, a
computer client, or an instance of a service running a specific computer) is
registered with the KDC and has a shared secret known only to the principal and
to the KDC. This shared secret takes the form of a password for human principals
and a randomly generated keytab file for nonhuman principals.
When a Kerberos client (for example, Alice) wants to communicate securely with a
Kerberos server (for example, the FTP service), Alice must access KDC of her
Kerberos realm and request a ticket for the FTP service. At this point, the KDC has
the option of requiring pre-authentication before responding, or the KDC can
immediately issue the ticket to Alice.
The KDC response contains two items:
v A randomly generated session key encrypted with Alice's shared secret
v A ticket for the FTP service
The ticket contains:
v
v
v
v
The ticket is encrypted with the shared secret of the FTP service principal.
Consequently, there are two encrypted copies of the session key (one for Alice, and
one for the FTP service).
At this point, Alice uses her shared secret to decrypt her copy of the session key
and generates an authenticator (which proves that the person talking to the FTP
service is the client for which this ticket was issued, and not a malicious user
replaying a previously issued ticket) that she sends along with her ticket to the
FTP service. The ticket plus authenticator is called an AP-REQ message.
When the FTP service receives the AP-REQ from Alice, it decrypts the ticket and
verifies the authenticator. At this point the FTP server has authenticated Alice, and
they share a session key which can be used to secure the rest of their
communications.
256
There is no restriction in Kerberos that specifies which clients can request tickets
for a particular service.
Note: Microsoft Windows, when configured to use an Active Directory domain, is
based on a security infrastructure that is, at its core, Kerberos. As of
Windows 2000, authentication in a Windows domain is handled by
Kerberos. Such authentication is entirely transparent to the user. Refer to
Understanding SPNEGO for implementation details.
off
257
|
|
|
|
|
|
258
Friendly Name
A meaningful name for the SAML attribute.
5. Click Apply to save the configuration.
6. Repeat step 3 on page 258 through step 5 to define as many SAML attributes as
needed.
7. After defining all SAML attributes, click Apply.
259
260
clear xsl cache command. This command also clears the compiled XACML
policies that are referenced by AAA polices that are supported by the XML
manager.
Use a URL Refresh Policy
Use a URL Refresh Policy whose conditions match the internal URL
xacmlpolicy:///pdpName to perform periodic cache refreshes.
v When TTL for the PDP is 0 (cache never expires), the URL Refresh
Policy controls cache refresh
v When the URL Refresh Policy is no-cache, XACML policies are never
cached, regardless of any assigned TTL value
v When the URL Refresh Policy is protocol-specified, the TTL setting for
the PDP will govern cache refresh unless its value is 0
v When the URL Refresh Policy is default with a refresh interval, the TTL
for the PDP is ignored and the URL Refresh Policy refresh interval
controls cache refresh
v When the URL Refresh Policy is no-flush with a refresh interval, the
greater of the URL Refresh Policy refresh interval or the TTL for the PDP
controls cache refresh
Conformance Policy
A Conformance Policy defines which profiles to use to validate whether received
messages are in conformance to the selected profiles. A Conformance Policy
supports the following profiles:
v Web Services Interoperability (WS-I) Basic Profile, version 1.0, at
http://www.ws-i.org/Profiles/BasicProfile-1.0.html
v WS-I Basic Profile, version 1.1, at http://www.ws-i.org/Profiles/BasicProfile1.1.html
v WS-I Attachments Profile, version 1.0, at http://www.ws-i.org/Profiles/
AttachmentsProfile-1.0.html
v WS-I Basic Security Profile, version 1.0, at http://www.ws-i.org/Profiles/
BasicSecurityProfile-1.0.html
A Conformance Policy is useful when a client generates non-conformant requests
for a conformant backend server. You can configure a Conformance Policy to fix
non-conformant requests during message processing. If the request contains signed
or encrypted data, a Conformance Policy cannot fix nonconformance issues unless
the cryptographic protection is removed before correction and replied afterward.
You can define whether all the requirements in a profile should be a conformance
check, or you can determine which requirements in a profile can be ignored. You
can also change conformance policy behavior by defining a distinct set of logging
and rejection parameters for responses or requests.
Note: When defining a Conformance Policy for a conformance filter, the
Conformance Policy cannot apply corrective style sheets or add WS-I Basic
Profile 1.0 assertions.
To define a Conformance Policy, use the following procedure:
1. Select Objects XML Processing Conformance Policy to display the
catalog.
2. Click Add to display the configuration screen.
Appendix A. Referenced objects
261
262
Warning
Records conformance reports that indicate conformance warnings or
conformance failures.
Always
Always records conformance reports.
16. (Optional) For all nonconformance reporting levels except Never, specify the
target URL to which to send conformance reports for responses in the
Destination field.
17. From the Reject non-confirming response messages list, selects the degree of
nonconformance to cause the response message to be rejected.
Never (Default) Never reject messages.
Failure
Rejects messages with conformance failures.
Warning
Rejects messages with conformance warnings or with conformance
failures.
18. Set Include response error summary to determine whether to include the
summary for the conformance analysis in the rejection message for requests.
This option is for all nonconformance rejection levels except Never.
19. Click Apply to save the changes to the running configuration.
20. Optional: Click Save Config to save the changes to the startup configuration.
263
Administrative State
Identifies the administrative state of the configuration.
v To make inactive, click disabled.
v To make active, click enabled.
Comments
Optional: Enter a descriptive summary.
URL-encoded
URL unescape, then XML escape the output
XML (Default) Input is treated literally, no processing
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
IMS Connect
An IMS Connect object handles IMS protocol communications from a DataPower
service to IMS applications. This object contains settings that affect the behavior of
the connection.
To define the connection to an IMS Connect server:
1. Click Objects Network IMS Connect.
2. Click Add.
3. In the Name field, enter the name for the object.
4. Set Administrative State to identify the administrative state of the
configuration.
v To make inactive, click disabled.
v To make active, click enabled.
5. Optional: In the Comments field, enter a descriptive summary.
6. Specify the host name or IP address of the remote IMS Connect server in the
Host field.
7. Specify the port that the IMS Connect server monitors in the Port field.
264
off
(Default) Does not convert IMS headers to EBCDIC.
9. Specify the two-letter prefix for the generated client ID in the Generate Client
ID Prefix field. If not specified, the prefix is set to DP.
10. In the Maximum Segment Size field, enter an integer in the range of 0 to 32
to specify the maximum segment size in kilobytes. The default is 0 which
disables segmentation.
v A Maximum Segment Size of 0 disables IMS message segmenting. With
message segmenting disabled, you must use a policy to handle an IMS
message with a segmented payload and with LL and ZZ segment headers.
v A Maximum Segment Size in the range from 1 to 32 enables message
segmenting and specifies the maximum segment size. The IMS message is
split into multiple segments of the specified size to send to IMS. A
multi-segment message from IMS is transformed into a message with one
continuous payload. Request side processing adds the LL and ZZ segment
headers. Response side processing removes the LL and ZZ segment headers.
The headers are handled the same for a message with a payload smaller
than the Maximum Segment Size.
11. Set Expect LLLL Response Header to indicate whether the response message
includes an extra 4-byte (LLLL) response message header specifying the total
response message size back from IMS Connect.
on
off
12. In the Sync Level field, specify whether to use an IMS Sync Level of 0x00 or
0x01. The default is 0x00 which disables the sending of an ACK.
v A Sync Level of 0x00 identifies that the IMS Sync Level is set to NONE.
v A Sync Level of 0x01 identifies that the IMS Sync Level is set to CONFIRM.
When communicating with the IMS Connect server on the backend and a
transaction is specified with the Sync Level of 0x01, the client must send an
ACK (successful) or a NAK (unsuccessful) after processing the response.
The IMS Connect server then sends DEALLOCATE CONFIRM (successful)
or DEALLOCATE ABORT (unsuccessful) back to the client. The DataPower
appliance always sends an ACK upon receiving the response and then
checks for the DEALLOCATE CONFIRM.
13. Override default IMS Connect configuration value. All the properties on the
Default Headers tab are default values. Some of them can be overridden in
the URL, and others through header injection.
a. Click the Default Headers tab.
b. Specify the exit program to use for all IMS connections in the Exit
Program field.
c. Specify the name of the IMS client identifier in the Client ID field. If
blank, the user exit must generate it.
d. Specify the transaction code to invoke in the Transaction Code field. This
value can be overridden by specifying it in the backend URL. Refer to
Building an IMS Connect URL on page 46 for more information.
Appendix A. Referenced objects
265
e. Specify the name of the data store (IMS destination ID) in the Data Store
field. This property must be specified by the client. The IMS Connect
returns the data store name from the exit in the OMUSR_DESTID OTMA
header field. This value can be overridden by specifying it in the backend
URL. Refer to Building an IMS Connect URL on page 46 for more
information.
f. Specify an override value in the Logical Terminal Name field. OTMA
places this value in the IOPCB field. If you do not specify an override value,
OTMA places the IMS Connect-defined TPIPE name in the IOPCB field. The
TPIPE name is set to one of the following values based on the commit
mode:
v If the commit mode is 0, sets the value to the client identifier (CLIENT
ID).
v If the commit mode is 1, sets the value to the port identifier (PORT ID.
If you use the LTERM value in the IOPCB to make logic decisions, be aware
of the naming conventions of the IOPCB LTERM name.
Note: For IMS host applications, the value for this property is set by the
user message exit. The user exit message either moves this value to
the OMHDRLTM OTMA field or sets OMHDRLTM with a predetermined
value.
g. Specify the plaintext string sent to the server to identify the client in the
RACF ID field.
h. Specify the RACF password in the RACF Password field.
i. Specify the RACF password again in the Confirm RACF Password field.
j. Specify the group to which the security ID belongs in the RACF Group
field.
k. Select the Unicode encoding scheme of the data from the Encoding
scheme list.
(none) (Default) Uses the encoding that is set by the IMS Connect
Handler object or by a transform action in the processing policy.
Default
Uses the encoding that is set by the message.
UCS2 Uses UCS-2 encoding.
UTF8
266
Credentials mapping
The parameters for an LDAP search to retrieve the group name (DN or
attribute) based on the DN of the authenticated user.
You need to add a prefix and optionally add a suffix to create the LDAP filter. The
prefix and suffix are constructs of the LDAP filter expression, as defined in LDAP:
String Representations of Search Filters. This filter is used to perform the LDAP
search and return matching entries.
To create an LDAP Search Parameters object, use the following procedure:
1. Select Objects Access Settings LDAP Search Parameters.
2. Click Add to display the configuration pane.
3. In the Name field, enter the name for the object.
4. Set Administrative State to identify the administrative state of the
configuration.
v To make inactive, click disabled.
v To make active, click enabled.
5. Optional: In the Comments field, enter a descriptive summary.
6. Specify the base DN to begin the search in the LDAP Base DN field. This
value identifies the entry level of the tree used by the LDAP Scope property.
7. Specify the name of the attribute to return for each entry that matches the
search criteria in the LDAP Returned Attribute field. The default is the dn
attribute.
8. Specify the prefix of the LDAP filter expression in the LDAP Filter Prefix
field.
If the prefix is mail= and the user name is bob@example.com, the LDAP search
filter would be mail=bob@example.com.
9. Optionally specify the suffix of the LDAP filter expression in the LDAP Filter
Suffix field.
If the prefix is mail=, the suffix is )(c=US)), and the user name is
bob@example.com, the LDAP search filter would be
(&(mail=bob@example.com)(c=US)).
10. Select the depth of the search from the LDAP Scope list:
Base
One level
Searches the entry level of the tree and any object that is one-level
below the input.
Subtree
(Default) Search the entry level of the tree and all of its descendents.
11. Click Apply to save the changes to the running configuration.
12. Optional: Click Save Config to save the changes to the startup configuration.
267
DataPower
appliance
Load Balancer
Group
Application
server A
Application
server B
Application
server C
Application
server D
Figure 12. Load balancer group with static members to support load balancing
268
DataPower
appliance
WebSphere
Cell
Deployment
manager
ODCInfo
Load Balancer
Group
The communication between the DataPower appliance and the cell in the
WebSphere environment is as follows:
1. The ODCInfo application retrieves data about the application servers in the cell.
2. The WebSphere cell configuration retrieves the information from the ODCInfo
application and updates the data in the load balancer group.
3. The load balancer group uses this data to adapt to changing traffic conditions
and application server capabilities to optimally distribute traffic among the
application servers in the cell.
If your application server must maintain session affinity, you can configure session
affinity to override load balancing decisions.
|
Application intelligence
|
|
|
|
|
|
|
|
v Routing rules
|
|
|
|
|
|
|
|
Using this information, the load balancer group can ensure that a request is
targeted to a specific application and the application is running. If application
edition rollout is used, the request is routed to the new edition when it comes
online. If a request is for an application that is not available on any of the
application servers, the appliance rejects the request and returns a 404 or Not
Found error response to indicate that there is no matching application. This saves
processing on the application server. If the application is found, but is not active
on a server, a 500 or Internal Server error response is returned.
|
|
269
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The application routing decision is made based on the Host: header and the URI
of the incoming HTTP request to route the request to the appropriate application
server. For a request to be properly routed, the Host: header must contain a value
that matches the vHostGroup host and port information defined in the WebSphere
Cell. And, the URI must match the URI information defined in the WebSphere Cell
WebModules and WebRouteWorkClasses. If the matching is unsuccessful, a 404
response code is returned. With application routing disabled, the appliance cannot
respond with a 404 response. Instead, it forwards the request to one of the servers
in the Cell regardless of the active applications on that server. HTTP/1.0 requests
that typically do not contain Host: headers will be answered with 404 responses.
|
|
|
|
|
|
|
|
|
|
|
|
Performs a rollout of a new edition replacing the edition on half of the cluster
members at a time. Serves all user requests with a consistent edition of the
application.
Two settings are used to enable application intelligence in the load balancer group:
|
|
|
See the tasks for configuring these objects for additional information.
Required software
For full support of dynamic membership and weights, you must install WebSphere
Application Server Network Deployment or WebSphere Virtual Enterprise.
v For WebSphere Application Server Network Deployment, an administrator uses
the WebSphere Administrative Console to manually update the membership and
weight information of application servers.
|
|
270
|
|
|
|
After enabling intelligent load distribution for a load balancer group of WebSphere
servers, the load balancer group can take advantage of the following features:
v Application routing that provides the ability to route based on URI or host
values
v Edition rollout that provides rollout of a new edition of an application in a
seamless fashion
v The ability to dynamically update membership. This feature addresses the
addition or removal of WebSphere servers in the WebSphere cell.
v The ability to dynamically update the weight of members to adapt to changes in
traffic conditions. This feature addresses the following conditions:
When an application server is overloaded, its weight is reduced to receive less
traffic
When an application server is under utilized, its weight is increased to receive
more traffic
v The ability to use the weighted least connection algorithm to optimally
distribute traffic to application servers.
v Automatic session affinity configuration based on the WAS DM configuration as
well as the ability to override this configuration
|
|
|
|
|
|
271
First alive
The first alive algorithm uses the concept of a primary server and backup servers.
v The primary server is the first server in the members list.
v A backup server is any subsequent server in the members list.
When the primary server is healthy, the DataPower service forwards all
connections to this server. When the primary server is quarantined or convalescent,
the DataPower service forwards connections to the next server in the list.
Hash
The hash algorithm uses the IP address of the client or the value of an HTTP
header as the basis for server selection.
When using an HTTP header, use the Load Balancer Hash Header property to
identify the header to read. This property is available for only Multi-Protocol
Gateway and Web Service Proxy services. Additionally, this property is available
on only the Main tab in the object view.
With the hash algorithm, the same client is served by the same server. Use this
algorithm for applications that require the storage of server-side state information,
such as cookies.
Least connections
The least connections algorithm maintains a record of active server connections and
forward a new connection to the server with the least number of active
connections.
Round robin
The round robin algorithm maintains a list of servers and forwards a new
connection to the next server in the members list.
272
Membership
A load balancer group generally contains two or more members. Members can be
defined through static or dynamic membership.
Static membership
A load balancer group that uses a static membership configuration contains the
configuration settings that an administrator on the DataPower appliance explicitly
defined and persisted. These configuration settings do not change except under the
following conditions:
v The processing of a style sheet changes configuration settings for group
members
v An administrator enables and configures the workload management feature
Dynamic configuration
A load balancer group that uses a dynamic membership configuration retrieves
membership data through the workload management feature. To create a dynamic
membership configuration, you need to enable and configure the workload
management feature.
Even after enabling and configuring the workload management feature, a firmware
load uses the persisted configuration. Only after retrieving the workload
management information and updating the membership of the load balancer group
can the load balancer group use dynamic weight and membership information in
any load balancing decision.
When enabled, the load balancer group retrieves runtime information from the
WebSphere On Demand Configuration (ODCInfo) application. This information
overrides the membership information in the running configuration of the load
balancer group. The retrieved workload management information alters the
Appendix A. Referenced objects
273
membership and weight of application server members in the load balancer group
so that the load balancer group can route traffic to the application server that can
best handle the load.
As new servers are brought online or as existing servers are taken offline, the
membership information in the load balancer group adapts to these changes.
Health checks
A health check is essentially a scheduled rule that sends the same request to each
member. The successful completion of the health check requires that the server
passes normal TCP and HTTP connection criteria. Optionally, the health check
contains a filter to test the response from the server. The expected response is
always valid XML. The response is analyzed using the defined XPath expression. If
the filter accepts the response, the server is considered to be healthy; otherwise, it
is considered to be convalescent.
Session affinity
Session affinity overrides the load-balancing algorithm by directing all requests in
a session to a specific application server. For some applications to work correctly,
the application requires session affinity between the client and the application
server.
274
275
276
5.
6.
7.
8.
277
A nonzero value overrides the value for the Remote Port property of the
health check. This property is available during the configuration of the
health check on the Health tab.
f. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
g. Click Save.
5. Repeat the previous step to add another server as a static member.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
278
Procedure
Click Network > Other > Load Balancer Group
Click the name of load balancer group.
Click the Session Affinity tab.
Set the Override WebSphere Cell Configuration check box. The pane refreshes
to display additional parameters.
5. From the Mode list, select the type of session affinity.
6. For active-conditional: Define the cookies to monitor.
1.
2.
3.
4.
a. In the Monitored Cookies field, enter the name of the cookie to monitor.
b. Click Add
7. Optional: Repeat the previous step to add another cookie. The configuration
requires at least one cookie.
8. Click Apply to save the changes to the running configuration information.
9. Optional: Click Save Config to save the changes to the startup configuration.
Results
Session affinity is enabled for non-WebSphere application servers.
279
b. In the XSL Health Check Filter field, enter the location (URL) of the style
sheet to filter the server response.
13. Optional for standard health checks: From the SSL proxy profile list, select
the SSL proxy profile to provide for a secured connection.
14. Click Apply to save the changes to the running configuration.
15. Optional: Click Save Config to save the changes to the startup configuration.
Procedure
1. Click Objects > Network Settings > Load Balancer Group.
2. Click the name of the load balancer group to modify.
3. Modify a load balancer group to use the workload management information
from the WebSphere cell (WebSphere deployment manager).
a. Set Retrieve Workload Management Information to on. The WebGUI
refreshes to display additional properties.
b. From Workload Management Retrieval list, select WebSphere Cell.
c. From WebSphere Cell Subscription list, select a WebSphere Cell
configuration.
d. In Workload Management Group Name field, enter the name of the
WebSphere cluster.
4. Optional: Set Enable Application Routing to on to use application intelligence.
When using application edition, either atomic or group rollout, set the Update
Method of the WebSphere Cell object to subscribe.
|
|
|
5. Optional: Review the session affinity information on the Session Affinity tab to
ensure that session affinity is correctly configured.
6. Click Apply to save the changes to the running configuration information.
7. Optional: Click Save Config to save the changes to the startup configuration.
Results
The load balancer group begins to request information from the ODCInfo
application.
280
Disabling members
If you need to disable a member, you can disable the member from the load
balancer group without deleting the member from the group.
To disable specific members to not participate in load balancing decisions:
1. Click Objects Network Load Balancer Group.
2. Click the name of the load balancer group to modify.
3. Click the Members tab.
4. Disable members.
a. Click the pencil icon to edit the member.
b. Set Administrative State to disabled to place the member in an inactive
administrative state.
c. Click Save.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
281
v ODCInfoUninstall.jacl
from the directory /AO on your CD-ROM or Fix Central.
Procedure
Install the Open Services Gateway initiative (OSGi) bundle.
Install the ODCInfo application on the deployment manager.
Start the ODCInfo application.
Create or modify a load balancer group to use the ODCInfo application to
retrieve workload management information from the WebSphere cell.
1.
2.
3.
4.
|
|
|
|
|
Note: Uninstall any previous version of the OSGi bundle before installing another
version.
|
|
The OSGi bundle is used to enable the ODCInfo application to interface with the
WebSphere Application server.
|
|
|
|
Procedure
Install the Open Services Gateway initiative (OSGi) bundle on the WebSphere
Application Server deployment manager.
cd /opt/IBM/WebSphere/AppServer/bin
|
|
|
|
diag com.ibm.datapower.odc.osgi
6. Verify that a message states: No unresolved constraints.
What to do next
282
|
|
|
|
|
Note: Uninstall any previous version of the ODCInfo application before installing
another version.
Procedure
|
|
|
What to do next
Start the ODCInfo application.
Start the ODCInfo application to begin collecting the remote topology and
application information.
283
Procedure
1. Copy ODCInfoStart.jacl to a local directory on the deployment manager.
2. Log in from the command line to the deployment manager.
3. Navigate to the /bin directory under the deployment manager profile.
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
4. Start the application by entering:
./wsadmin.sh -f script_path/ODCInfoStart.jacl cellName
dmgr_node_name ODCInfo
For example:
./wsadmin.sh -f /tmp/ODCInfoStart.jacl dpblade34Cell01
dpblade34CellManager01 ODCInfo
5. Verify that the ODCInfo application started.
a. Log in to the WebSphere Administrative Console.
b. Click Applications > Enterprise Applications.
What to do next
Create or modify a DataPower load balancer group.
|
|
|
Before installing a new version of the OSGi bundle, uninstall any previous version.
|
|
Procedure
|
|
|
cd /opt/IBM/WebSphere/AppServer/bin
2. Start the OSGi console: ./osgiConsole.sh.
3. From the console, run the following command:
|
|
|
uninstall com.ibm.datapower.odc.osgi
4. From the <WAS_HOME>/plugins directory, delete the
com.ibm.datapower.odc.osgi.jar file.
To remove the OSGi bundle from the WebSphere Application Server deployment
manager, run the uninstall command.
284
Procedure
1. Copy the ODCInfoUninstall.jacl file to a local directory on the WebSphere
deployment manager.
2. Log in from the command line to the deployment manager.
3. Navigate to the bin directory of the deployment manager profile. For example:
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
4. Uninstall the application by entering:
./wsadmin.sh -f script_path/ODCInfoUninstall.jacl cellName
dmgr_server_name ODCInfo
For example:
./wsadmin.sh -f /tmp/ODCInfoUninstall.jacl wasnode2Cell01 dmgr
ODCInfo
5. Verify by entering:
./wsadmin.sh -f script_path/ODCInfoCheckInstall.jacl cellName
dmgr_server_name ODCInfo
The response indicates success or failure.
What to do next
Install the ODCInfo application.
|
|
|
|
|
|
|
|
|
|
|
|
285
|
|
|
|
|
|
|
|
|
|
|
Procedure
Results
|
|
|
|
|
|
|
|
|
The following steps describe the message flow and processing actions that are
enabled with this configuration:
1. The WebSphere Cell sends an HTTP, or an HTTPS, GET request to the custom
software application periodically.
2. The custom software application returns an HTTP, or an HTTPS, response
containing load balancer group member configuration information to the
WebSphere Cell or optionally to the XML Firewall.
3. Optional: The XML Firewall performs schema validation, as defined in the
ODCInfo.xsd schema, on the XML document in the response.
4. The load balancer group uses the configuration data in the response to
determine traffic routing when the appliance receives requests directed to the
load balancer group.
|
|
|
|
|
|
|
|
|
|
When not using the ODCInfo application, a custom software application must be
able to respond to a GET request with a properly formatted XML document. The
response contains the configuration data for new and current cluster members.
This section describes how to properly format the response XML document.
|
|
|
When not using the ODCInfo application, you must create a custom software
application that responds to an HTTP, or an HTTPS, GET request with an XML
document that defines the cluster configuration information.
|
|
|
|
clusterData
Contains all of the clusters that were requested. The version attribute is
associated with the version of the custom software application and is
optional.
Define the XML document that the custom software application provides in
response to the GET request.
286
|
|
|
cluster
Contains all information associated with a single cluster or workload
management group.
|
|
|
|
|
|
|
|
v The cluster structure name attribute specifies the name given to the
cluster and corresponds with the workload management group name in
the DataPower load balancer group
v The version attribute specifies what revision of the data is sent to the
DataPower appliance. The version is used to determine if there are any
updates to the information since the previous poll. If the version
attribute is not present, a manual algorithm is used to determine if the
structure has changed.
|
|
|
|
|
affinityMode
The value attribute contains what type of session affinity to use for
this cluster. Valid values are active, active-conditional, passive,
or null. The affinityMode must be the same for all applications
within the load balancer group.
|
|
|
|
|
cookieNames
The value attribute contains a comma (,) separated list of session
cookie names used by any of the applications installed to this load
balancer group. This list is used for active-conditional or passive
session affinity.
|
|
|
|
|
|
protocol
The type attribute specifies the protocol. Valid values are http or
https. No other transport protocols are supported for this function.
|
|
|
|
member
The member contains the host (hostname), port number, id (unique
identifier for this application server), and weight associated with
this application server instance over this transport protocol.
Example
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A properly formatted GET response for a single cluster, that is single workload
group name:
<?xml version="1.0"?>
<clusterData version="3.8.1.0">
<cluster name="myCluster">
<affinityMode value="active-conditional"/>
<cookieNames value="WSJSESSIONID,JSESSIONID,SSLJSESSIONID"/>
<protocol type="http">
<member host="myhost34.example.com" port="9081" id="13jbh6o3q"
<member host="myhost33.example.com" port="9081" id="13jbh6qko"
<member host="myhost32.example.com" port="9081" id="140pntcf3"
</protocol>
<protocol type="https">
<member host="myhost34.example.com" port="9444" id="13jbh6o3q"
<member host="myhost33.example.com" port="9444" id="13jbh6qko"
<member host="myhost32.example.com" port="9444" id="140pntcf3"
</protocol>
</cluster>
</clusterData>
weight="20"/>
weight="20"/>
weight="20"/>
weight="20"/>
weight="20"/>
weight="20"/>
287
What to do next
|
|
Optionally, define an XML Firewall on the DataPower appliance if you want the
appliance to perform schema validation on the XML document.
|
|
|
|
|
|
|
|
If desired, an XML Firewall on the DataPower appliance can validate the XML
document that the custom software application sends. Most often, this would be
done during initial testing of the application. Once it is proven that the application
responds with a valid XML document, remove the XML Firewall from the flow to
optimize performance.
|
|
|
|
|
Procedure
|
|
|
|
7. Optional: Click Save Config to save the changes to the startup configuration.
What to do next
|
|
|
|
|
|
|
|
|
|
If you created a DataPower XML Firewall for schema validation of the XML data
from a custom software application, you must know the address and port number
of the XML Firewall.
|
|
|
When not using the ODCInfo application, add and configure a WebSphere Cell to
query the custom software application. If there is an information update, the
WebSphere Cell sends the updated information to the load balancer group.
Procedure
288
|
|
|
|
|
|
|
|
|
|
|
|
2. In the Deployment Manager Host field, if you are not using an XML Firewall
for schema validation, enter either the host name or the IP address of the
custom software application. If you are using an XML Firewall for schema
validation, enter the address used to access the XML Firewall.
3. In the Deployment Manager Port number field, if you are not using an XML
Firewall for schema validation, enter the port number associated with the
specified host name. If you are using an XML Firewall for schema validation,
enter the port number associated with the XML Firewall.
4. In the Update Method field, select poll. This is the only supported update
method in this configuration.
5. Click Apply to save the changes to the running configuration information.
6. Optional: Click Save Config to save the changes to the startup configuration.
What to do next
|
|
|
|
|
|
|
|
Procedure
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4. Optional: Set Enable Application Routing to off. This is the only supported
option in this configuration.
5. Optional: Review the session affinity information on the Session Affinity tab to
ensure that session affinity is correctly configured.
6. Click Apply to save the changes to the running configuration information.
7. Optional: Click Save Config to save the changes to the startup configuration.
Appendix A. Referenced objects
289
Results
|
|
The load balancer group begins to request information (through the WebSphere
cell) from the custom software application.
MTOM Policy
The message transmission optimization mechanism (MTOM) policy provides a way
to optimize the transmission and wire format of an XML/SOAP message.
Optimization is performed by selecting elements with Base64 encoded character
data. The selected elements are decoded and attached as MIME attachment parts
before transmission. Decoding before transmission reduces the overhead that is
associated with Base64 encoded data.
To use an MTOM policy with a DataPower service:
1. Define a processing policy that includes a transform action for the MTOM
operation.
2. In the transform action:
a. Click the Use XSLT specified in this action radio button.
b. Specify the location of the MTOM processing control file; for example,
store:///mtom.xsl.
c. On the Advanced tab, select the MTOM policy that becomes the stylesheet
parameter for the transform action.
To create an MTOM policy:
290
1.
2.
3.
4.
291
292
v When not defined, the hash algorithm uses the IP address of the client.
This property is relevant only when the value defined by the algorithm for
the Load Balancer Group is hash.
Process Message Whose Body is Empty
Whether to force the processing of XML messages when their message
body is empty or missing in RESTful Web services.
|
|
|
293
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
Response attachment processing mode
When the response type is SOAP or XML, select how to process server
responses with attachments.
Allow Processes the message root and needed XML and non-XML
attachments. Needed attachments are buffered. Attachments that
are not needed might be streamed directly to output.
Reject Rejects messages that contain attachments.
Strip
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
Action when required root part is not first
When the attachment processing mode for requests or for responses is
Streaming, select the action to take when the MIME message root part is
not first.
Abort Stops the transaction and return an error.
Buffer To Root
Buffers attachments before the root part into memory. Then
processes the root part, buffered attachments, and subsequent
attachments.
Process In Order
(Default) Processes the attachments and root part in the order that
they appear in the original message. All parts are still processed in
streaming mode even though only attachments after the root will
be streamed from the network.
Front attachment processing format
Select how to interpret client requests with attachments.
294
Dynamic
(Default) The appliance reads the message and determines the
attachment format (DIME or MIME) from the content-type header.
Conversion between MIME and DIME is possible provided that
attachments are buffered.
MIME Messages adhere to the MIME format. Conversion to DIME is
possible provided that attachments are buffered.
DIME Messages adhere to the DIME format. Conversion to MIME is
possible provided that attachments are buffered.
Detect The appliance reads the message and determines the attachment
format (DIME or MIME) from message data. Conversion between
MIME and DIME is possible provided that attachments are
buffered.
Back attachment processing format
Select how to interpret server responses with attachments.
Dynamic
(Default) The appliance reads the message and determines the
attachment format (DIME or MIME) from the content-type header.
Conversion between MIME and DIME is possible provided that
attachments are buffered.
MIME Messages adhere to the MIME format. Conversion to DIME is
possible provided that attachments are buffered.
DIME Messages adhere to the DIME format. Conversion to MIME is
possible provided that attachments are buffered.
Detect The appliance reads the message and determines the attachment
format (DIME or MIME) from message data. Conversion between
MIME and DIME is possible provided that attachments are
buffered.
Front Side MIME Header Processing
Enable (on) or disable (off) MIME (Multi-Purpose Internet Mail Extensions)
header processing support.
The body of a message (that is, the payload, independent of any protocol
headers) can sometimes contain MIME headers before any preamble and
before the first MIME boundary in the body of the message. These MIME
headers can contain important information that is not available in the
protocol headers, such as a string that identifies the MIME boundary.
v If on, MIME headers are processed.
v If on and there are no MIME headers in the message, the appliance
continues to try and parse the message with the available protocol
header information.
v If off and MIME headers are in the body of the message, these MIME
headers are considered part of the preamble and not used to parse the
message. If the protocol headers (such as HTTP) indicate MIME
boundaries, the appliance can parse and process individual attachments.
If such information is not available, no attachments can be parsed from
the body of the message.
MIME support is enabled by default.
295
296
Non-XML
Does not directly characterize the message. The message body is
not filtered or transformed. The service can take other actions, such
as determining a route or authenticating the message, before
passing it to the target server.
SOAP Identifies the message as a SOAP message.
Pass-Thru
Does not directly characterize the message, but indicates that the
message is not filtered or transformed by the service. The message
is passed as is to its target.
XML
Response Type
Characterize the server-generated response.
JSON Identifies the message as JavaScript Object Notation (JSON). The
service validates the message as well-formed JSON, performs
user-designated document processing, and forwards the resulting
material to the client. User-designated document processing can be
applied on the __JSONASJSONX context that represents the JSON
input as JSONx.
Non-XML
Does not directly characterize the message. The message body is
not filtered or transformed. The service can take other actions, such
as determining a route or authenticating the message, before
passing it to the target server.
SOAP Identifies the message as a SOAP message.
Pass-Thru
Does not directly characterize the message, but indicates that the
message is not filtered or transformed by the service. The message
is passed as is to its target.
XML
Flow Control
Enable (on) or disable (off) flow control support. Use flow control to
manage the transmission of large files when the front side and back end
have different latencies and throughput while in streaming mode. This
option is available when the request type and the response type are
Non-XML or Pass-Thru. By default, flow control is disabled.
Note: The streaming behavior for output to back and output to front must
be set to Stream Messages. Also, if either the front side or the back
end will use the HTTP(S) protocol, Allow Chunked Uploads must
be set to on.
SOAP Schema URL
When the traffic type is SOAP, the SOAP Schema URL field appears. Use
this field to specify the full URL to the schema to validate the SOAP
schema for SOAP-formatted messages. When a service is in SOAP mode,
either on the request or response side, it validates incoming messages
against a W3C Schema for SOAP messages. You can customize the schema
to use by changing this property. Change the schema to accommodate
nonstandard configurations or special cases.
297
Monitors tab
Service Monitors
Optional: Use the list with the Add and Delete buttons to assign one or
more Web services monitors. See Configuring Web services monitors on
page 217.
Count Monitors
Optional: Use the list with the Add and Delete buttons to assign one or
more count monitors. See Configuring count monitors on page 214.
Duration Monitors
Optional: Use the list with the Add and Delete buttons to assign one or
more duration monitors. See Configuring duration monitors on page 216.
298
299
300
301
Direction
Select the direction of the message.
Header Tag
Specify the name of the target header to delete.
Click Save to return to the Gateway Header Suppression Panel.
WS-Addressing tab
For information about configuring Web Services Addressing (WS-Addressing), refer
to the online help.
WS-ReliableMessaging tab
WS-ReliableMessaging
Enable or disables Web Services Reliable Messaging.
on
off
302
off
(Default) Enables this feature. If enabled, both the client and the
server can use Reliable Messaging to send messages to this
DataPower service.
off
off
off
303
off
off
Required on Response
Indicates whether to require the use of Reliable Messaging for all SOAP
messages that response rules process. Any SOAP message without a
Sequence results in a SOAP fault.
304
off
off
Include an offer.
off
off
305
off
off
306
307
v With a specified Front Side Protocol Handler and the response process
causes a CreateSequence SOAP message to be sent, the AcksTo element
of the CreateSequence SOAP message will be set to the URL that is
specified in back AcksTo.
v Without a Front Side Protocol Handler, the AcksTo element has the value
http://www.w3.org/2005/08/addressing/anonymous, which indicates
synchronous Acks.
Source Maximum Simultaneous Sequences
Sets a limit on the maximum number of simultaneously active sequences
from Reliable Messaging sources of this DataPower server. Each remote
Reliable Messaging destination endpoint reference (URL) requires one
sequence. Transactions that request the creation of sequences in excess of
this limit result in a SOAP Fault. This property controls memory resource
utilization.
The default is 400.
Policy Parameters
A Policy Parameters object defines policy parameters as key-value pairs for use in
a policy mapping style sheet. Specify the key with the {policy-domain-ns}key
format.
A policy parameters is the way that you must map the needed parameters that are
defined in or referenced by the WSDL policy or that are defined in an attached
source to the specific DataPower object. If you do not define all the needed
parameters, processing a message with the defined WS-Policy generates errors.
For example, you might need an X.509 token to use the defined WS-Policy. If you
need an X.509 token, you need to define which certificate that is stored on the
DataPower appliance to use. If the certificate is alice, you would need to set the
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ws-secpolCertificate parameter to alice.
Note: If you defined a policy parameters at the port or port-operation level, these
parameters are not applied to its parallel synthesize port or operation. The
policy parameters for synthesized ports and operations must be inherited
from the service level or redefined at the synthesized level.
To define policy parameters, use the following procedure:
308
Main tab
To define policy parameters, use the following procedure:
1. Select Objects Policy Policy Parameters to display the Policy Parameters
catalog.
2. Click the Main tab.
3. Provide the following inputs:
Name Specify the name of the object.
Administrative State
Identifies the administrative state of the configuration.
v To make inactive, click disabled.
v To make active, click enabled.
Comments
Optional: Enter a descriptive summary.
4. Continue to the Policy Parameters tab to define the policy parameters.
309
310
Filter
For Each
Implements a programmatic loop for each of the defined
actions. Each time an XPath expression returns true, a
designated action runs. The for-each action can be used to
apply a series of style sheets to input data, if desired. Instead of
using XPath expressions, the loop can be processed a specific
number of times. Each iteration of the loop stores its results in
a separate output context. These output contexts are available
to any other action in the processing policy.
Log
On Error
Specifies a nondefault error handling procedure.
An on-error action requires only the selection of an Error
Mode. Optionally identify an error-rule and specify input and
output contexts for that rule.
Results
Sends the contents of a named context to another context or to
a remote location.
A results action requires that an Input context (the source of
the content to be sent) be identified, and optionally allows the
identification of an External URL (the content destination), the
identification of an Output context (which receives an expected
response from the content recipient), and characterization of the
Output Type.
You can use the Output Type property to characterize the type
of output data (in this case, the response from the destination
that received the results).
Results Asynchronous
Asynchronously sends the contents of a named context to
another context.
A results-async action requires that an Input context (the
source of the content to be sent) and an External URL (the
content destination) be identified.
Rewrite Header
Implements a URL Rewrite Policy.
311
312
Use when the Action Type is aaa, call, convert-http, extract, filter,
log, results, results-async, route-action, setvar, slm,
strip-attachments, validate, xform, xformbin, or xformpi. In all of
these cases, specify the name of the context that contains the document
or service request on which the action will operate. When the action is
not the first action in a rule, this value is very likely not going to be
INPUT but rather a context-sensitive name (such as tempvar1, for
example).
Use the reserved word INPUT to identify the original input to the
processing policy. That is, the original client request or server response.
Leave blank if the Action Type is call, fetch, rewrite, route-set, or
setvar. These actions do not operate on the Input context.
Transform
Use when the Action Type is filter, route-action, xform, xformbin, or
xformpi.
Specify the location of the style sheet that performs document filtering,
transformation, or routing.
You can specify the style sheet location as a URL or as a var:// URL
that expands to a URL.
If using a dynamic style sheet to perform filtering, routing, or
transformation, specify dynamic-stylesheet and use the Dynamic
Stylesheet property to specify the object from which to generate the
dynamic style sheet; for example, a Document Crypto Map object.
WTX Map File
Specify the WTX-generated map file that the Binary Transform
(xformbin) action uses to determine the input contexts and the output
313
314
Schema URL
When the Action Type is validate, specify the location of the schema
that performs document validation.
You can specify the schema location as a URL or as a var:// URL that
expands to a URL.
If using a dynamic schema to perform validation, specify
dynamic-schema for the Schema URL property and use the Dynamic
Schema property to specify the object (for example, a Schema
Exception Map) from which the dynamic schema is generated.
Locate Named Inputs and Outputs
Use when the Action Type is xformbin to select how the transform
determines the input contexts and the output contexts. For additional
information, refer to IBM WebSphere DataPower SOA Appliances:
Integrating with WebSphere Transformation Extender.
URL Rewrite Policy
When the Action Type is rewrite, validate, xform, or xformpi, select
the URL Rewrite Policy implemented by this Processing Action.
Note: This URL Rewrite Policy rewrites the URLs found in the
document being processed. This affects the location of additional
resources, such a schema identified in a namespace declaration
in the XML payload, used during processing. This does not
change the destination of the output.
Refer to URL Rewrite Policy on page 345 for more information.
AAA Policy
Use when the Action Type is aaa to select the AAA Policy
implemented by this Processing Action. Refer to Creating AAA Policy
objects on page 221 for more information.
SLM Policy
Use when the Action Type is slm to select the SSL Policy implemented
by this Processing Action. Refer to Service level monitors on page 324
for more information.
Dynamic Schema
Optional when the Action Type is validate. Select the object (Schema
Exception Map) from which the dynamic schema is generated.
If using a dynamic schema to perform validation, first specify
dynamic-schema for the Schema URL property.
Refer to Schema Exception Map on page 323 for more information.
Dynamic Stylesheet
Optional when the Action Type is filter, route-action, xform,
xformbin, or xformpi. Select the object from which to generate the
dynamic style sheet; for example, a Document Crypto Map object.
If using a dynamic style sheet to perform filtering, routing, or
transformation, first specify dynamic-stylesheet for the Transform
property.
Refer to Document Crypto Map on page 263 for more information.
315
Output Type
Optional when the Action Type is fetch, log, results, xform, or
xformpi to specify the format of the output. The following output types
are available:
Default
Read the content-type from the resulting document. If the
content-type is XML or not declared, the content is treated as
XML, otherwise as binary.
XML
Binary
The content is treated as binary and not parsed.
Event Use when the Action Type is checkpoint to select the type of event that
triggers the checkpoint. The following events are available:
Authentication Complete
(Default) Signifies the completion on an authentication process.
Fault
Request
Signifies the input as a server-originated document.
Response
Signifies the input as a client-originated document.
Input Conversion
Optional: When the Action Type is convert-http, select the Input
Conversion Map used by this processing rule to perform HTTP-to-XML
conversion. Refer to HTTP Input Conversion Map on page 263 for
more information.
XPath Use when the Action Type is extract. Specify the XPath expression
that is applied to the context identified by the Input property.
You can specify the expression in standard XPath format or as a var://
URL that expands to an XPath expression.
XPath Map
Use when Action Type is route-action, select an XPath Map.
Variable Name
Use with the Variable Assignment property when Action Type is
setvar or extract.
v For setvar, specify the variable to be created.
v Optional: For extract, specify the variable in which to store the
results of the XPath operation.
Variable Assignment
Use with the Variable Name property when Action Type is setvar or
extract. Specify the variable value.
SSL Cred
Optional: When the Action Type is route-set, specify the name of the
SSL Proxy Profile to establish a secure connection with the routing
destination.
Refer to SSL Proxy Profile objects on page 29 for more information.
316
Attachment URI
Optional: When the Action Type is strip-attachments, specify the URI
of the specific attachment to be discarded.
Error Mode
When the Action Type is on-error, select the action to take upon an
error condition .
Abort Stop executing the current rule
Continue
Continue executing the current rule
Error Input
Optional: When the Action Type is on-error, identify the input context
to the error-rule identified by Style Policy Rule. If no input context is
identified, the input context of the failed action is used as the default
input context for the invoked error-rule.
Error Output
Optional: When the Action Type is on-error, identify the output
context from the error-rule identified by Style Policy Rule. If no output
context is identified, the output context of the failed action is used as
the default output context for the invoked error-rule.
Use OUTPUT to transmit the error message to the requesting client.
Processing Rule
Use when the Action Type is call or on-error.
Specify the name of the Processing Rule or error-rule invoked by the
action.
Log Level
When the Action Type is log, select the priority of the generated log
message. Defaults to notice.
Log Type
Optional: When the Action Type is log, characterize log contents.
Defaults to none.
After completing the basic configuration, optionally identify
parameter-value pairs that are available to style sheets used by this
action.
Asynchronous
Determine whether the action is asynchronous:
on
off
317
Processing Metadata
A Processing Metadata object identifies items of metadata information from or
about a transaction, such as the value of a protocol header (such as HTTP Host) or
the size of the message. These items of information will be retrieved and returned
to the object referencing the Processing Metadata object, such as a AAA Policy.
For example, a business use case might require the DataPower appliance to
authenticate a user based on the user identity in an MQ protocol header, coupled
with the name of the MQ Queue Manager that holds the request message. The
AAA Policy that implements this solution would use a Processing Metadata object
to retrieve those two meta-items and return them in a nodeset to the AAA Extract
Identity step.
To add a Processing Metadata object, use the following procedure:
1. Select Objects XML Processing Processing Metadata to display the
Processing Metadata catalog.
2. Click Add to display the Processing Metadata object configuration screen.
3. Use the properties on the Main tab to define name of the object.
4. Use the controls on the Metadata Item tab to define the metadata items that
this object retrieves.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
318
Main tab
Use the properties on the Main tab to provide the following inputs:
Name Specify an alphanumeric string for the name. Other objects can use this
name to reference this object.
Administrative State
Identifies the administrative state of the configuration.
v To make inactive, click disabled.
v To make active, click enabled.
Comments
Optional: Enter a descriptive summary.
Continue to the Metadata Item tab to configure the items retrieved by this object.
319
320
Client to Server
A rule applied only to client-originated documents
Server to Client
A rule applied only to server-originated documents
Both Directions
A bidirectional rule applied to both client- and
server-originated documents
Input Filter
Select a decompression algorithm to apply to the entire message
payload prior to the first action of the rule executing.
gzip
PKZIP
The message will be decompressed using the pkzip algorithm.
If the message is not compressed using the selected algorithm, an error
will result. This is, in effect, a filter.
Output Filter
Select a compression algorithm to apply to the entire message payload
after the last action of the rule executes.
gzip
PKZIP
The message will be decompressed using the pkzip algorithm.
The created archive contains only one file. If the message contains
attachments, the attachments are contained in the one file.
Non-XML Processing
Select whether to enable or disable the processing of non-XML
documents.
on
off
321
Unprocessed
Select whether to determine whether the actions of the rule will take
effect on the message. This duplicates the Request Type and Response
Type properties of the services.
Actions
Use the Add and Delete buttons, with the list of available processing
actions, to manage actions for this processing rule.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
RADIUS Settings
RADIUS settings define RADIUS servers. RADIUS settings can be defined in the
default domain only.
Within the DataPower appliance, RADIUS servers can be used for the following
purposes:
v On any appliance, to authenticate access using RBM.
v On all appliances except XML Accelerator XA35, to authenticate access in AAA
Policy objects.
Each RADIUS server has a positional value that the DataPower appliance uses to
determine the order in which to contact the servers. The appliances contacts the
servers from most preferred (lowest number) to least preferred (highest number).
The appliance sends the request to the next server based on the global timeout
value and the global retry value.
If the configuration defines three RADIUS servers with positional values of 10, 20,
and 30, the appliance contacts the servers in the following sequence:
1. Requests are always first sent to server 10.
2. If the request times out, it is sent to server 20.
3. If the request times out, it is sent to server 30.
NAS-identifier
The DataPower appliance is a client to RADIUS servers. The NAS-identifier is a
RADIUS attribute that the client uses to identify itself to a RADIUS server. The
NAS-Identifier, as defined in Section 5.32 of RFC 2865, can be used instead of an IP
address to identify the client. The NAS-identifier consists of one or more octets and
must be unique in the scope of the RADIUS server. The NAS-identifier is often the
fully qualified domain name (FQDN) of the RADIUS client.
322
d. Specify the interval in milliseconds that the appliance waits for a reply from
a RADIUS server before retransmitting the outstanding request in the
Timeout field. Use an integer in the range of 1 through 5000. The default is
1000.
e. Specify the number of times that the appliance retransmits an unanswered
request to a RADIUS server before contacting another server in the list in
the Retries field.
3. Do not define RADIUS servers to authentication CLI access without the use of
RBM. In other words, do not define any RADIUS servers on the CLI Servers
tab. This functionality is deprecated. If using RADIUS for authentication, define
RADIUS as the RBM method and define the appropriate RADIUS servers on
the AAA/RBM Servers tab.
4. Define RADIUS servers for use by AAA Policy objects or by the RBM policy.
a. Click the AAA/RBM Servers tab.
b. Define a server.
1) Click Add.
2) Specify the relative position of this server in the list in the Number
field.
3) Specify the IP address or domain name of the server in the Server
Address field,
4) Specify the listening port on the remote server in the Server Port field.
The default is 1812.
5) Specify the password to log in to the server in the Secret field.
6) Reenter the password in the Confirm Secret field.
7) Click Save.
c. Repeat the previous step to add additional servers to the list.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
323
Rules tab
1. Click the Rules tab to display the Schema Exception Map Configuration (Rules)
screen.
2. Click Add to display the Rules Property window. Use this window to define
schema exception rules.
3. Provide the following inputs:
XPath Expression
Specify an XPath expression. This expression defines a schema element
or elements subject to this rule. Click XPath Tool to launch the
graphically-oriented XPath expression builder. You will need to upload
an example document. The tool then allows you to click on an element
to construct the corresponding XPath expression.
Type
Require Encrypted
Specifies that elements defined by the XPath expression must
be encrypted
4. Click Save to return to the Schema Exception Map Configuration (Rules)
screen, which now displays the exception rule.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
324
v A threshold that defines the limit (maximum transactions per second) before
triggering the action
Unlike message (count and duration) monitors and Web services monitors, SLMs
are not directly assigned to a DataPower service. SLMs are implemented as part of
a processing policy.
325
2) From the Threshold Interval Type list, select how to measure intervals.
3) From the Threshold Algorithm list, select the methodology that
calculates the threshold.
4) From the Threshold Type list, select how to apply the threshold to the
monitored count or latency.
5) In the Threshold Level field, enter the threshold that triggers the
action.
6) In the High-Low Release Level field, if the algorithm is high-low, enter
the low threshold (stop point).
7) In the Burst Limit field, if the algorithm is token bucket, enter the size
of the committed burst.
i. Define reporting intervals.
1) In the Reporting Aggregation Interval field, enter the interval at which
to report statistics.
2) In the Maximum Records Across Intervals field, enter the maximum
aggregation of reporting records. A single aggregation interval can
contain multiple records; for example, one record per resource or
credential. Use this property to configure the maximum number of total
records to save across the maximum number of intervals.
j. Auto Generated by GUI is read-only.
k. In the Maximum Credentials-Resource Combinations field, enter the
maximum number of records for credential and resource combinations to
set a maximum memory-consumption threshold.
l. Click Save.
9. Repeat the previous step to define another statement.
10. Click Apply to save the changes to the running configuration.
11. Optional: Click Save Config to save the changes to the startup configuration.
326
9. In the Custom Style Sheet field, if the resource type is for a custom style
sheet, enter the location of the style sheet.
10. In the UDDI Subscription field, if the resource type is a UDDI subscription,
enter the subscription key.
11. From the WSRR Subscription list, if the resource type is a WSRR
subscription, select the subscription.
12. In the XPath Filter field, if the resource type is an XPath expression, enter the
expression. Alternatively, click XPath Tool to define the expression.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
327
328
v Use the XML Management Interface to exchange data as SOAP over HTTPS.
Update messages (SOAP over HTTPS) with the new information is aggregated
in the information store of each peer member.
v Be clock-synchronized. You can use the NTP service. For information about the
NTP service, refer to the IBM WebSphere DataPower Integration Appliance XI50:
Administrators Guide.
To define a peer groups:
1. Click Objects Network Peer Groups.
2. Click Add.
3. In the Name field, enter the name for the object.
4. Set Administrative State to identify the administrative state of the
configuration.
v To make inactive, click disabled.
5.
6.
7.
8.
9.
329
Namespace URI
Specify the namespace URI of the SOAP header element. The default is
a blank string, which indicates no restriction.
Header Local Name
Specify the local name of the SOAP header element. The default is a
blank string, which indicates no restriction.
Child Element Local Name
Specify the local name of the direct child element of the SOAP header.
The default is a blank string, which indicates no restriction.
Refine Action
Select the refinement action to take. By default the processing rule,
defined by the SOAP specification, is used to remove the SOAP header,
to keep the SOAP header, or to issue a SOAP fault with the assumption
that all SOAP headers were processed by previous actions.
Processed
Take the default SOAP action, because the specified element
was processed.
Unprocessed
Take the default SOAP action, because the specified element
was not processed.
Keep
Remove
Remove this SOAP header or child element.
Fault Generate a SOAP fault if the element exists.
4. Click Save to return to the SOAP Header Disposition Table configuration
(SOAP Header Refine Instruction) screen, which now displays the refinement
instruction.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
330
High-level configuration
To
1.
2.
3.
9.
10.
11.
12.
b. In the Returned Data Size Limit field, enter the data size limit in
kilobytes.
Optional: Set Allow Read-Only Access to on to allow read-only access to the
data source.
Optional: in the Maximum Connections field, enter the maximum number of
concurrent connections to allow.
Click Apply to save the changes to the running configuration.
Optional: Click Save Config to save the changes to the startup configuration.
331
332
v Use any service object with a processing policy with a Results action or a Results
Asynchronous action configured as follows:
The destination is set to tibems:// or dptibems://
The context header var://context/CONTEXT_NAME/_extension/header/
DP_JMSMessageType is set to the value map
v Use any service object with a processing policy that contains a style sheet with a
soap-call extension function. The soap-call must use the HTTP-headers
parameter to set the DP_JMSMessageType header as in the following example:
<xsl:template match="/*">
<xsl:variable name="httpHeaders">
<header name="DP_JMSMessageType">map</header>
</xsl:variable>
<xsl:variable name="result"
select="dp:soap-call(http://x.xx.xx.xxx:nnnn/soapcalltest,
$call/*,,0,,$httpHeaders/*)"/>
<xsl:copy-of select="$result"/>
</xsl:template>
v Use any service object with a processing policy that contains a style sheet with a
url-open extension function. The url-open must use the HTTP-headers parameter
the same way as it is specified for the soap-call extension function.
v Use a TIBCO EMS Front Side Handler object to send a response to a response
queue. The response header must contain the name-value pair
DP_JMSMessageType: map.
Note: In each case, if the DP_JMSMessageType header is not set, the message is not
converted to the map message format. Instead, XML is sent as the TIBCO
EMS Text or Byte Message.
333
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
<xs:enumeration
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:restriction>
</xs:complexContent>
</xs:complexType>
</xs:element>
value="byte"/>
value="char"/>
value="short"/>
value="int"/>
value="long"/>
value="float"/>
value="double"/>
value="bytes"/>
value="string"/>
value="short_array"/>
value="int_array"/>
value="long_array"/>
value="float_array"/>
value="double_array"/>
value="map_message"/>
The following example shows the XML representation of a TIBCO EMS Map
Message:
<Message>
<!-- nested map message #1 -->
<Field name="map1" type="map_message">
<Message>
<Field name="an_empty1_double_array" type="double_array"/>
<Field name="an_empty1_long_array" type="long_array"/>
<Field name="an_empty1_short_array" type="short_array"/>
<Field name="floaty" type="float">100000.00</Field>
<Field name="map11" type="map_message">
<Message>
<Field name="int_array" type="int_array">
<Array>
<Element>100000</Element>
<Element>2147483647</Element>
<Element>-2147483647</Element>
<Element>2147483648</Element>
<Element>-2147483649</Element>
<Element></Element>
<Element>BOGUS</Element>
</Array>
</Field>
<Field name="map111" type="map_message">
334
<Message/>
</Field>
<Field name="stringy" type="string">This is a quick brown fox.</Field>
</Message>
</Field>
<Field name="map12" type="map_message">
<Message/>
</Field>
</Message>
</Field>
<!-- nested map message #2 -->
<Field name="map2" type="map_message">
<Message>
<Field name="booly" type="bool">True</Field>
<Field name="map21" type="map_message">
<Message/>
</Field>
<Field name="the_bytes" type="bytes">RnJvbSBNb3Njb3cgV2l0aCBMb3ZlCg==</Field>
</Message>
</Field>
<!-- one short array -->
<Field name="short_array" type="short_array">
<Array>
<Element>5146</Element>
<Element>32767</Element>
<Element>-32767</Element>
<Element>32768</Element>
<Element>-32769</Element>
<Element></Element>
<Element>BOGUS</Element>
</Array>
</Field>
<!-- one short field -->
<Field name="shorty" type="short">5146</Field>
</Message>
Transactional messaging
Many times in asynchronous messaging, there is a one-way message flow
paradigm. A message is picked up off a queue or topic, the appropriate rules in the
processing policy runs, and the message is put on a backside queue or topic. With
transactional messaging, if the backside PUT or any PUT in the processing policy
fails, the front-side GET is rolled back.
Another common message pattern is message fanout. In this case, a message is
picked on the front side and sent to several output queues. With transactional
messaging, if any of these multiple PUT operations fails, the original message is
rolled back on the front side.
To support transactional messaging in these message patterns, use the same TIBCO
EMS session to perform all the operations within the DataPower transaction. To
share the same TIBCO EMS session, receive messages from and deliver messages
to the same TIBCO EMS server.
The following sections describe the requirements to configure transactional
messaging for different scenarios.
335
With this configuration, the TIBCO EMS Front Side handler and the TIBCO EMS
backend URL share the same TIBCO EMS transacted session. A single COMMIT or
ROLLBACK operation is issued depending on the processing result. This
guarantees once-and-only-once message delivery to TIBCO EMS messages.
This configuration uses the same transacted TIBCO EMS session from TIBCO EMS
to the TIBCO EMS service object for these operations:
1. Receive messages on the front side
2. Send messages on the back
3. Perform a COMMIT or ROLLBACK operation immediately after sending the
request message on the back side.
If the TIBCO EMS Front Side handler is configured with a put queue property, the
reply message from the back response queue is received as a part of a new
transaction. In other words, there are two TIBCO EMS unidirectional transactions:
1. The first transaction carries the message from the front side request queue to
back side request queue.
2. The second transaction carries the reply message from back side response
queue for front side response queue.
336
v Configure a processing policy with at least one action that uses a TIBCO EMS
URL open call such as a results action, a dp:url-open or a dp:soap-call
extension function.
Note: Asynchronous actions do not support the TIBCO EMS transacted session.
v Configure all URL open calls with the Transactional=true parameter.
v Configure the TIBCO EMS Front Side handler and all TIBCO EMS URL open
calls using the same TIBCO EMS server object with the Transactional property
enabled.
v Optional: Use a TIBCO EMS backend URL defined with the Transactional=true
parameter.
In this configuration, the same transacted TIBCO EMS session receives the message
on the front side and sends the message using either a results action or a
dp:url-open extension function and optionally sends on the backend URL. The
TIBCO EMS transacted session is shared not only between the TIBCO EMS Front
Side handler and the TIBCO EMS Backend URL, but also between any TIBCO EMS
URL open calls used in the processing policy.
A single COMMIT or ROLLBACK operation is issued depending on processing
result. This guarantees once-and-only-once message delivery to the TIBCO EMS
messages. All calls to the TIBCO EMS server use the same shared transacted
session.
337
If the TIBCO EMS URL is defined with a reply queue parameter or if the
processing policy contains any other actions that will be using the same shared
transacted TIBCO EMS session, a new transaction is created. This new transaction
will be committed or rolled back either when the processing policy finishes or
when some other action is configured with TIBCO EMS URL open call with the
Sync=true parameter.
High-level configuration
When configuring the client connection to the TIBCO EMS server, you can define
the server in the following ways:
v As a unique host (without fault-tolerance or load-balancing)
v As a pair of fault-tolerant hosts
v As a group of load-balanced hosts
v As a group of load-balanced hosts with fault-tolerance
To configure a TIBCO EMS object, use the following high-level procedure:
1. Select Objects Network Settings TIBCO EMS to display the TIBCO EMS
catalog.
2. Click Add to display the TIBCO EMS configuration screen.
3. Define the basic properties on the Main tab.
4. Optionally define load-balancing and fault-tolerance behavior on the Load
Balancing/Fault-Tolerance tab.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
338
c. In the Maximum Message Size field, specify the MTU in bytes for the
current TIBCO EMS server. The MTU defines the maximum size of
messages that this server can process . Messages that are larger than the
specified value are dropped.
d. From the Default Message Type list, select the default message type. The
selected value is used when the message type cannot be determined from
message headers.
v If Byte, indicates that the message payload is accessed as a Java byte
array.
v If Text, indicates that the message payload is accessed as a Java string
value.
8. Define the session and connection limits:
a. Specify the maximum number of concurrent, open connections to allow to
the server in the Total Connection Limit field. The minimum is 1. The
default is 5.
b. Specify the maximum number of concurrent multiplexed sessions that a
single connection can support in the Maximum Number of Sessions per
Connection field. The minimum is 5. The default is 20.
If the number of current connections is less than the connection limit, a new
session requests in excess of this value trigger the establishment of a new
connection to the server.
For example, with default values (20 for sessions per connection, and 5 for
connection limit) and 3 active fully-subscribed connections, a new session
request generates the establishment of a fourth connection.
9. Optional: Enable an automatic critical error-recovery procedure. This
procedure attempts to reestablish a connection that was closed in response to
an error condition.
a. Set Automatic Retry to control whether to enable the automatic recovery
procedure.
b. In the Retry Interval field, specify the interval between connection
attempts.
10. From the SSL Profile list, select the client crypto profile to support secured
connections to the TIBCO EMS server.
11. Set Enable JMS-Specific Logging to enable or disable the enhanced
JMS-specific logging facility.
12. Specify the domain name or IP address with the listening port of the TIBCO
EMS server in the TIBCO EMS Server Host field. Specify this value in the
host:port format. Without a port specification, the default is port 7222.
13. Specify the string that identifies the connection client in the TIBCO EMS
Connection Client ID field.
14. Retain the default selection for the Load Balancing Algorithm list.
15. Click Apply to save the changes to the running configuration.
16. Optional: Click Save Config to save the changes to the startup configuration.
339
340
10. From the SSL Profile list, select the client crypto profile to support secured
connections to the TIBCO EMS server.
11. Set Enable JMS-Specific Logging to enable or disable the enhanced
JMS-specific logging facility.
12. Specify the domain name or IP address in the TIBCO EMS Server Host field.
Note: This property is a required property, but it is ignored in this
configuration.
13. Specify the string that identifies the connection client in the TIBCO EMS
Connection Client ID field.
14. Retain the default selection for the Load Balancing Algorithm list.
15. Define fault-tolerance capabilities:
a. Click the Load Balancing/Fault-Tolerance tab.
b. Click Add to display the Load Balancing/Fault-Tolerance property
window.
c. Define the fault-tolerance behavior:
1) Specify the domain name or IP address with the listening port of the
primary server in the TIBCO EMS Server Host field in the host:port
format. Without a port specification, the default is port 7222.
2) Specify the domain name or IP address with the listening port of the
backup server in the TIBCO EMS Backup Server Host field in the
host:port format. Without a port specification, the default is port 7222.
3) Click Save to return to the Load Balancing/Fault-Tolerance property
window.
d. Repeat step 15c for another fault-tolerance primary-backup server pair.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
341
342
Least Connections
Creates a connection to the server that has the least number of active
connections.
Byte Rate
Creates a connection to the server that has the lowest total byte rate
(input and output).
15. Define load-balancing capabilities:
a. Click the Load Balancing/Fault-Tolerance tab.
b. Click Add to display the Load Balancing/Fault-Tolerance property
window.
c. Define the load balancing behavior:
1) Specify the domain name or IP address with the listening port of a
member server in the TIBCO EMS Server Host field in the host:port
format. Without a port specification, the default is port 7222.
2) Do not specify anything in the TIBCO EMS Backup Server Host field.
3) Click Save to return to the Load Balancing/Fault-Tolerance property
window.
d. Repeat step 15c for another server for load-balancing.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
343
c. In the Maximum Message Size field, specify the MTU in bytes for the
current TIBCO EMS server. The MTU defines the maximum size of
messages that this server can process . Messages that are larger than the
specified value are dropped.
d. From the Default Message Type list, select the default message type. The
selected value is used when the message type cannot be determined from
message headers.
v If Byte, indicates that the message payload is accessed as a Java byte
array.
v If Text, indicates that the message payload is accessed as a Java string
value.
8. Define the session and connection limits:
a. Specify the maximum number of concurrent, open connections to allow to
the server in the Total Connection Limit field. The minimum is 1. The
default is 5.
b. Specify the maximum number of concurrent multiplexed sessions that a
single connection can support in the Maximum Number of Sessions per
Connection field. The minimum is 5. The default is 20.
If the number of current connections is less than the connection limit, a new
session requests in excess of this value trigger the establishment of a new
connection to the server.
For example, with default values (20 for sessions per connection, and 5 for
connection limit) and 3 active fully-subscribed connections, a new session
request generates the establishment of a fourth connection.
9. Optional: Enable an automatic critical error-recovery procedure. This
procedure attempts to reestablish a connection that was closed in response to
an error condition.
a. Set Automatic Retry to control whether to enable the automatic recovery
procedure.
b. In the Retry Interval field, specify the interval between connection
attempts.
10. From the SSL Profile list, select the client crypto profile to support secured
connections to the TIBCO EMS server.
11. Set Enable JMS-Specific Logging to enable or disable the enhanced
JMS-specific logging facility.
12. Specify the domain name or IP address in the TIBCO EMS Server Host field.
Note: This property is a required property, but it is ignored in this
configuration.
13. Specify the string that identifies the connection client in the TIBCO EMS
Connection Client ID field.
14. Select the algorithm from the Load Balancing Algorithm list:
None
Least Connections
Creates a connection to the server that has the least number of active
connections.
Byte Rate
Creates a connection to the server that has the lowest total byte rate
(input and output).
15. Define load-balancing and fault-tolerance capabilities:
344
345
1. Select Objects XML Processing URL Rewrite Policy to display the URL
Rewrite Policy catalog.
2. Click Add to display the URL Rewrite Policy Configuration (Main) screen.
3. Provide the following inputs:
Name Specify the name of this URL Rewrite Policy.
Administrative State
Identifies the administrative state of the configuration.
v To make inactive, click disabled.
v To make active, click enabled.
URL Rewrite Direction
Select the direction of the URL Rewrite Policy. Direction is applied at
the service level and has no effect on other policies.
Both
Request
Applies to client requests only.
Response
Applies to server responses only.
4. Continue with Creating a URL Rewrite Policy.
346
.* or *
Matches any string.
(.*)xsl=(.*)\?(.*)
Matches a string of the following format:
a. A text subpattern.
b. Followed by xsl=.
c. Followed by a text subpattern.
d. Followed by ?. The backward slash (\) in the PCRE is a
URL escape.
e. Followed by a text subpattern.
(.*)&[Xx][Ss][Ll]=([^&]+)(.*)
Matches a string of the following format:
a. A text subpattern.
b. Followed by &.
c. Followed by X or x.
d. Followed by S or s.
e. Followed by L or l.
f. Followed by =.
g. Followed by a text subpattern that does not contain an
ampersand (&) character.
h. Followed by a text subpattern.
v For header-rewrite, defines the expression to be matched against the
contents of a specific HTTP header field. For example *.* matches
any value.
PCRE documentation is available at http://www.pcre.org.
Input Replace Expression
Specify a PCRE-style replacement that defines the rewritten URL, HTTP
header field, or HTTP POST body.
v For absolute-rewrite, defines the rewritten URL.
If the match pattern is .* or *, specify the complete replacement.
If the match pattern is (.*)xsl=(.*)\?(.*), specify the evaluation
replacement for any text subpattern or retain the original text
subpattern. To retain the first text subpattern, specify $1; to retain
the second text subpattern, specify $2, and so forth. To replace the
second text subpattern only, specify $1xsl=ident.xsl?$3.
If a rewritten URL begins with a host name or port that is different
from the configured remote address, the host name or port portion of
the rewritten URL is ignored.
v For content-type, defines the replacement value for the Content-Type
header.
v For header-rewrite, defines the replacement value for the specified
header.
v For post-body, defines the rewritten body of the HTTP POST. For
example:
If the match pattern is .* or *, specify the complete replacement.
If the match pattern is (.*)xsl=(.*)\?(.*), specify the evaluation
replacement for any text subpattern or retain the original text
subpattern. To retain the first text subpattern, specify $1; to retain
the second text subpattern, specify $2, and so forth. To omit the
second text subpattern only, specify $1$3.
347
off
off
Header Name
Identifies the name of the header to have its value rewritten. The
header name must be entered exactly as it is defined in the message.
This option is for header-rewrite only.
URL Normalization
Select whether to enable normalization of URL strings. Normalizing a
URL compresses "." and ".." and converts backward slashes (\) to
forward slashes (/).
on
off
Disables normalization.
4. Click Save to return to the URL Rewrite Policy Configuration (Main) screen.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
User Agent
A user agent is a client that initiates a request for a local service to establish a
connection to a remote server. An XML manager uses a user agent, for example, to
retrieve resources from elsewhere on the network. The settings for a user agent can
affect messages that a DataPower service sends out.
The DataPower provides the default user agent in each application domain. The
configuration of the default user agent is as follows:
348
v Allows a maximum of eight HTTP redirect messages before declaring the target
as unreachable
v Set the idle timeout to 300 seconds before timing out and closing the connection.
The default user agent does not provide configuration for the following types of
policies:
HTTP proxy
The user agent forwards requests that match the URL expression to an
HTTP server instead of to the target server.
Note: The HTTP proxy is not intended to work with XSL Proxy or XML
Firewall services.
SSL proxy
The user agent establishes a secure connection to the remote server for
requests that match the URL expression.
Basic authentication
The user agent uses these credentials for authentication with the remote
server for requests that match the URL expression. This feature is useful
for HTTP and SFTP connections.
SOAP Action
The user agent includes the specified contents in the SOAPAction header in
requests that match the URL expression.
Public key authentication
The user agent uses these credentials for authentication with the remote
server for requests that match the URL expression. This feature is useful
for SCP and SFTP connections.
Allow compression
The user agent compresses the payload for requests that match the URL
expression.
Header retention
The user agent retains the specified message headers for requests that
match the URL expression.
Restrict to HTTP 1.0
The user agent restricts HTTP communication to HTTP 1.0 for requests that
match the URL expression.
Inject header
The user agent injects the specified headers into requests that match the
URL expression.
Chunked uploads
The user agent uses HTTP 1.1 Chunked content encoding for requests that
match the URL expression. This feature is useful for streaming large
documents.
FTP client
The user agent controls the client settings for outgoing FTP connections for
requests that match the URL expression. These client settings can be
overridden by query parameters in the URL that initiates the file transfer.
SFTP client
The user agent controls the client settings for outgoing SFTP connections
for requests that match the URL expression. These client settings can be
overridden by query parameters in the URL that initiates the file transfer.
Appendix A. Referenced objects
349
Each type of these policies uses URL matching patterns. When there are multiple
configurations for a policy type, the policy evaluates each candidate URL against
the matching pattern in sequential order. Therefore, order is important.
When you create a new user agent, the configuration defines these default settings.
350
5. Optional: In the Timeout field, change the idle timeout to allow in seconds
before timing out and closing the connection.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
351
352
7. Optional: Click Save Config to save the changes to the startup configuration.
353
TE
MQMD
To
1.
2.
3.
4. Add a policy.
a. Click Add.
b. In the URL Matching Expression field, enter a shell-style expression to be
the pattern to match against the URL set.
c. From the Header Retention list, select the check boxes for the headers to
retain.
d. Click Save to add this policy to the list.
5. Repeat the previous step to add another policy.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
354
2) In the Header Value field, enter the value for the header.
d. Click Save to add this policy to the list.
5. Repeat the previous step to add another policy.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
355
7. Optional: Click Save Config to save the changes to the startup configuration.
356
Client Policies is specified for the user agent, then the client authentication
settings are controlled by the Basic-Auth and Pubkey-Auth policies.
To
1.
2.
3.
4. Add a policy.
a. Click Add.
b. In the URL Matching Expression field, enter a shell-style expression to be
the pattern to match against the URL set.
c. From the SSH client profile field, select an existing SSH client profile from
the list of existing profiles. Refer to Creating an SSH Client Profile on
page 29 for information.
d. Optional: To disable the generation of a unique file name for puts to a
remote directory, select off in the Use unique file names field.
5. Repeat the previous step to add another policy.
6. Click Apply to save the changes to the running configuration.
7. Click Save to add this policy to the list.
|
WebSphere Cell
|
|
|
|
|
|
|
|
|
The WebSphere Cell object initiates requests to the ODCInfo application and
receives the results as an XML representation of membership, weights, and session
affinity information. When the WebSphere Cell object receives the response, it
notifies each Load Balancer Group of the new information. The Load Balancer
Group then updates its membership, weights, and session affinity information
accordingly.
|
|
|
The update method specifies how to retrieve the information from the ODCInfo
application on the WebSphere Application Server Network Deployment or
WebSphere Virtual Enterprise.
|
|
|
|
|
|
The poll update method uses a static polling interval. The poll to retrieve the
WebSphere Cell information occurs every interval regardless of whether the
WebSphere Cell configuration has changed.
|
|
|
|
The subscribe update method specifies that the request to retrieve the WebSphere
Cell information waits for either the duration of the time interval to expire or for
the WebSphere Cell information to change, whichever occurs first. If the ODCInfo
application has any new information, the application immediately responds with
v Poll
v Subscribe
357
|
|
|
|
|
|
|
|
|
|
|
|
Note: To use the subscribe update method, the version of the ODCInfo application
must match the firmware version. A back-level ODCInfo application is not
supported.
|
|
|
|
|
|
|
|
|
|
|
|
The ODCInfo application must be installed, and you need to know the host and
port of the WebSphere deployment manager where this application is installed. To
find the port number
1. From the WebSphere Administrative Console, click System Administration >
Deployment Manager > ports.
2. Select the port name:
v Click the WC_adminhost port name for HTTP.
v Click the WC_adminhost_secure port name for HTTPS.
|
|
To create this configuration, the DataPower appliances require the Option for
Application Optimization feature.
|
|
|
|
Add and configure a WebSphere Cell to query the ODCInfo application for current
information about the host weights or if a new host has been added or removed
from the cluster. If there is an information update, the WebSphere Cell sends the
updated information to the load balancer group.
Procedure
1. Click Objects > Configuration Management > WebSphere Cell .
2. Click Add.
3. In the Name field, enter a name.
|
|
|
|
|
|
|
|
|
|
358
|
|
|
|
|
|
|
|
|
|
8. Optional: From the SSL Proxy Profile list, select the SSL proxy profile for a
secured connection.
9. In the Update Method field, indicate whether to use a static polling interval
or to subscribe to the WebSphere cell information.
10. In the Time Interval field, if the update method is poll, specify the amount of
time in seconds between poll requests. If the update method is subscribe,
specify the maximum duration of the request in seconds. The recommended
value is 10 seconds.
11. Click Apply to save the changes to the running configuration information.
12. Optional: Click Save Config to save the changes to the startup configuration.
What to do next
Transactional messaging
Many times in asynchronous messaging, there is a one-way message flow
paradigm. A message is picked up off a queue or topic, the appropriate rules in the
processing policy runs, and the message is put on a backside queue or topic. With
transactional messaging, if the backside PUT or any PUT in document processing
fails, the front-side GET is rolled back.
Another common message pattern is message fanout. In this case, a message is
picked on the front side and sent to several output queues. With transactional
messaging, if any of these multiple PUT operations fails, the original message is
rolled back on the front side.
To support transactional messaging in these message patterns, use the same
WebSphere JMS session to perform all the operations within the DataPower
transaction. To share the same WebSphere JMS session, receive messages from and
deliver messages to the same WebSphere JMS server object.
The following sections describe the requirements to configure transactional
messaging for different scenarios.
359
v Configure the service with a WebSphere JMS Front Side handler and a
WebSphere JMS backend URL.
v For the handler and the backend URL, use the same WebSphere JMS server
object with the Transactional property enabled.
v Define the WebSphere JMS URL using the Transactional=true parameter. For
example:
dptibems://TIBCOEMSServer?RequestQueue=OUTQUEUE&Transactional=true
With this configuration, the WebSphere JMS Front Side handler and the WebSphere
JMS backend URL share the same WebSphere JMS transacted session. A single
COMMIT or ROLLBACK operation is issued depending on the processing result.
This guarantees once-and-only-once message delivery to WebSphere JMS
messages.
This configuration uses the same transacted WebSphere JMS session from
WebSphere JMS to the WebSphere JMS service object for these operations:
1. Receive messages on the front side
2. Send messages on the back
3. Perform a COMMIT or ROLLBACK operation immediately after sending the
request message on the back side.
If the WebSphere JMS Front Side handler is configured with a put queue property,
the reply message from the back response queue is received as a part of a new
transaction. In other words, there are two WebSphere JMS unidirectional
transactions:
1. The first transaction carries the message from the front side request queue to
back side request queue.
2. The second transaction carries the reply message from back side response
queue for front side response queue.
360
v Configure a processing policy with at least one action that uses a WebSphere
JMS URL open call such as a results action, a dp:url-open or a dp:soap-call
extension function.
Note: Asynchronous actions do not support the WebSphere JMS transacted
session.
v Configure all URL open calls with the Transactional=true parameter.
v Configure the WebSphere JMS Front Side handler and all WebSphere JMS URL
open calls using the same WebSphere JMS server object with the Transactional
property enabled.
v Optional: Use a WebSphere JMS backend URL defined with the
Transactional=true parameter.
In this configuration, the same transacted WebSphere JMS session receives the
message on the front side and sends the message using either a results action or a
dp:url-open extension function and optionally sends on the backend URL. The
WebSphere JMS transacted session is shared not only between the WebSphere JMS
Front Side handler and the WebSphere JMS Backend URL, but also between any
WebSphere JMS URL open calls used in the processing policy.
A single COMMIT or ROLLBACK operation is issued depending on processing
result. This guarantees once-and-only-once message delivery to the WebSphere
JMS messages. All calls to the WebSphere JMS server use the same shared
transacted session.
361
session is shared between the front and back side, this COMMIT or ROLLBACK
serves as an the end of transactions for both receive and send operation.
If the WebSphere JMS URL is defined with a reply queue parameter or if the
processing policy contains any other actions that will be using the same shared
transacted WebSphere JMS session, a new transaction is created. This new
transaction will be committed or rolled back either when the processing policy
finishes or when some other action is configured with WebSphere JMS URL open
call with the Sync=true parameter.
362
363
364
HTTPS
Specifies the predefined BootstrapTunneledSecureMessaging
transport chain (tunnels JFAP using HTTPS wrappers)
7.
8.
9.
10.
SSL
TCP
The protocol stack used to access the bootstrap server does not need
to be the same protocol stack that is used for actual message transfer
via the bus.
Click Save to bootstrap server identification and to return to the WebSphere
JMS Endpoint catalog.
If necessary, repeat steps 5 on page 364 to 7 to identify additional bootstrap
servers.
Is you want to establish a secure (SSL-enabled) connection between the
WebSphere JMS object and the remote WAS JMS default message provider,
click the SSL tab to display the WebSphere JMS SSL panel.
Provide the following inputs:
SSL Profile
Select the client crypto profile to support secured connections to the
WebSphere JMS server.
WebSphere JMS SSL Cipher Specification
Select the IBM cipher specification used by the assigned SSL Proxy
Profile object when establishing a secure connection to the WebSphere
server.
If you specify an SSL Proxy, the cipher suite associated with the proxy
is replaced by an IBM default cipher specification
(SSL_RSS_WITH_NULL_MD5), or with the suite specified.
Select one of the following values:
v SSL_RSA_WITH_NULL_MD5 (Default)
v SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
v SSL_RSA_EXPORT_WITH_RC4_40_MD5
v SSL_RSA_WITH_RC4_128_MD5
v SSL_RSA_WITH_NULL_SHA
v SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
v SSL_RSA_WITH_RC4_128_SHA
v SSL_RSA_WITH_DES_CBC_SHA
v SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
v SSL_RSA_FIPS_WITH_DES_CBC_SHA
v SSL_RSA_WITH_3DES_EDE_CBC_SHA
v SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
v TLS_RSA_WITH_DES_CBC_SHA
v TLS_RSA_WITH_3DES_EDE_CBC_SHA
Summary of cipher specification descriptors:
40
key length
128
key length
CBC
365
DES
EDE
EXPORT
Exportable
FIPS
MD5
NULL No encryption
RC2
RC4
RSA
SHA
SSL
TLS
XML Manager
The firmware creates a default XML Manager object in the default domain and in
each application. The default instance in each domain can be edited like any other
instance of an XML Manager object. The default instance in each domain operates
independently of each other.
An XML Manager object obtains and manages XML documents, style sheets, and
other document resources on behalf of one or more services. An XML Manager
also provides the following capabilities:
v Basic network configuration, such as load balancing and accessing remote
servers.
v Set manager-associated limits on the parsing of XML documents. By default, the
appliance imposes limits on various characteristics of XML documents. These
limitations provide for increased security and stability to protect against DoS
attacks or runaway data. Parser limits defined by the XML Manager object that
is associated with a service can be overridden by service-specific settings.
v Enable the caching of documents that this XML Manager object obtains. XML
Manager objects obtain documents via HTTP. The number of documents in the
cache depends on the availability of allocated memory.
v Define extension function mapping. An XML Manager object can automatically
map custom style sheet extension functions to DataPower extension functions.
This ability removes the need to alter or rewrite a style sheet for use by the
appliance. The most common example is the node-set() extension function. If a
service uses style sheets that reference the Microsoft node-set, Oracle node-set,
366
or Salon nodeset XSLT extension functions, you must map these extensions to
their DataPower equivalent. It is possible to map any extension function to a
DataPower extension function.
v Define the caching policy for documents. This policy allows an administrator to
determine how to cache documents. The policy defines the time-to-live, the
priority, and the type. For more information, see Document cache policy URL
matching expression.
v Enable schema validation by defining schema-validation rules. These rules apply
to all documents that match predefined criteria. Alternatively, the appliance can
validate documents with a validate action in a processing rule. Do not mix and
match schema validation strategies. Policy-based schema validation is the
preferred strategy.
v Schedule processing rules. Certain applications might require the running of a
scheduled processing rule. Integration with a CA Unicenter Manager is
facilitated by a regularly scheduled processing rule that obtains relationship data
from the Unicenter Manager.
Policy type
Priority
*.xml
Protocol-based
20
*192.0.2.24*
Protocol-based
*usrconfig*
no-cache
10
367
6. On the Extension Functions tab, define the maps for custom extension
functions to DataPower extension functions.
7. On the Document Cache Policy tab, define the documents to store in the
document cache.
8. On the Schema Validation Rules tab, define rules to enforce validation of all
documents that match the defined criteria.
9. On the Scheduled Processing Policy Rule tab, define scheduled processing
rules.
10. Click Apply to save the changes to the running configuration.
11. Optional: Click Save Config to save the changes to the startup configuration.
NSS Client
The NSS client enables integration with RACF on the z/OS Communications
Server. The NSS Client object specifies the authentication information required to
allow the DataPower appliance to function as an NSS client. The NSS Client object
specifies the following properties:
v Remote Address
v Remote Port
v SSL Proxy Profile
v Client ID
v System Name
v User Name
v Password
Based on these properties and the request type, the following actions occur:
v DataPower requests a secure connection to the z/OS Communications Server
368
369
6. In the Remote Address field, specify the IP address or hostname of the NSS
server.
7. In the Remote Port field, specify the port on which the NSS server listens.
8. From the SSL Proxy list, select an SSL Proxy Profile to provide a secured
connection to the remote authentication server.
9. In the Client ID field, specify the client ID to use for registration with the
NSS server.
10. In the System Name field, specify the system name to identify the NSS client
to the NSS server.
11. In the User Name field, specify the user name to use to authenticate with the
SAF.
12. In the Password field, specify the password to use to authenticate with the
SAF.
13. Reenter the password in the Confirm Password field.
14. Click Apply to save the changes to the running configuration.
15. Optional: Click Save Config to save the changes to the startup configuration.
370
ID references
The DataPower appliance, when acting as a message receiver, can process any
reference that uses one of the following attribute formats:
v @wsu:Id
v @xml:Id
v local @Id
References in these attribute formats can be used by processing policies in the
following situations:
v Implementing an AAA policy
v Performing message-level encryption or field-level encryption
v Performing signature operations with one of the following algorithms:
wssec
hmac
kerberos-hmac
Note: Receiver-side support requires no additional configuration.
When encrypting or signing messages, the DataPower service acts as a message
sender. Message-sender operations are supported by the WS-Sec ID Reference
Type property. For this property, select one of the following values as the ID
attribute type:
v wsu:Id
v xml:Id
The default is wsu:Id. This ID attribute type was the only type that was allowed in
early versions of the specification.
This property is available on the Advanced tab of the encrypt and sign actions.
EncryptedData tokens
The <xenc:EncryptedData> element can be included as a child of a
<wsse:Security> header. The <xenc:EncryptedData> element contains an encrypted
UsernameToken or BinarySecurityToken.
For the encrypt action, the DataPower appliance automatically includes the
appropriate token during field-level WS-Security encryption. For the decrypt
action, the appliance automatically decrypts the token during field-level or
message-level decryption.
371
X.509 certificates
The DataPower appliance supports STR Dereference Transform with X.509 tokens
as follows:
v Within a verify action
v During the Identity Extraction phase of an AAA policy when the method is
Subject DN from Certificate in the Message's signature
v During the Authentication phase of an AAA policy when the method is Validate
the Signer Certificate for a Digitally Signed.
For this transform, the token type can be as follows:
Binary Security Token
A <wsse:SecurityTokenReference> element contains a
<wsse:Reference/@URI> element that references a local
<wsse:BinarySecurityToken> element or a remote data source that contains
the token data.
PKCS#7
A <wsse:SecurityTokenReference> element contains a
<wsse:Reference/@URI> element that references a local
<wsse:BinarySecurityToken> element or a remote data source that contains
the token data.
PKIPath Binary Security Token
A <wsse:SecurityTokenReference> element contains a
<wsse:Reference/@URI> element that references a local
<wsse:BinarySecurityToken> element or a remote data source that contains
the token data.
Subject Key Identifier
A <wsse:SecurityTokenReference> element contains a
<wsse:KeyIdentifier> element that identifies the token with the value of
the X.509 version 3 Subject Key Identifier extension for the certificate. A
372
SAML assertions
The DataPower appliance supports STR Dereference Transform with SAML
assertions as follows:
v Within a verify action
v During the Identity Extraction phase of an AAA policy when the method is
Subject DN from Certificate in the Message's signature
v During the Authentication phase of an AAA policy when the method is Validate
the Signer Certificate for a Digitally Signed.
For this transform, the token type can be as follows:
SAML version 1.1 or version 2.0 local token
The local token is either the holder of the key or the sender of vouches.
SAML version 1.1 or version 2.0 remote token
The remote token is either the holder of the key or the sender of vouches.
Signature confirmation
The <wsse11:SignatureConfirmation> element is available when using WS-Security
1.1. This element is not available when using WS-Security 1.0.
373
The DataPower appliance does not automatically save the signature information
for sign and verify actions. Saving the signature information requires a
modification to the configuration for these actions. The change in configuration
depends on whether the action is generating or is verifying a signature
confirmation.
374
The local context does not persist beyond the scope of the transaction. A
transaction can include both a request component and a response
component. The local context cannot be accessed by any object outside of
the scope of the transaction. In other words, the service cannot read and
use the variable.
A local context variables can be user-defined or based on an extension
variable. For a complete list of the available extension variables, see
Extension variables on page 385.
var://context/context/variable
Addresses a variable called variable in a context called context. The
following example transforms the document in the tmp1 context with a
style sheet that is referenced by the stylesheet-1 variable (in the apple
context) and stores the transformed document in the tmp2 context:
xform tmp1 var://context/apple/stylesheet-1 tmp2
A named context does not persist beyond the scope of the transaction. A
transaction can include both a request component and a response
component. The local context cannot be accessed by any object outside of
the scope of the transaction. In other words, the service cannot read and
use the variable.
Note: Creating variables in a named context is the recommended
approach. This form decouples the variable from the input and
output contexts and allows the variable to be accessed from any step
in a document processing scope.
A named context variables can be user-defined or based on an extension
variable. For a complete list of the available extension variables, see
Extension variables on page 385.
var://service/variable
Address a variable that is made available to a service (such as HTTP or
XSL Co-Processor) that is attached to a document processing session. The
majority of service variables are read-only and cannot be set.
375
Service variables
Service variables enable the setting and retrieval of pieces of state that usually
reflect the state of the current transaction.
The available service variables are separated alphabetically into the following
categories:
v Service variables that are available to all DataPower services
v Service variables that are available to only Multi-Protocol Gateway and Web
Service Proxy services
v Configuration services
v Load balancer services
v Legacy MQ-specific services
Permission
var://service/soap-fault-response
Read-write
Read-write variables
var://service/soap-fault-response
Set when the response input rule is treated as a SOAP fault.
376
Table 13. Names and permissions for general service variables that are available to only
Multi-Protocol Gateway and Web Service Proxy services
Variable name
Permission
var://service/mpgw/backend-timeout
Read-write
var://service/mpgw/skip-backside
Write-only
var://service/reply-to-q
Read-write
var://service/reply-to-qm
Read-write
Write-only variables
var://service/mpgw/skip-backside
For Multi-Protocol Gateway and Web Service Proxy services only, indicates
that the service skips backside processing.
Set this variable to 1 to prevent backside processing. Use this variable as a
custom redirect implementation, not as the point of the service. Because
the service is not aware of the processing flow, unusual messages might be
written to the event log.
Read-write variables
var://service/mpgw/backend-timeout
For Multi-Protocol Gateway and Web Service Proxy services only, gets or
sets the backend timeout, in seconds. Setting this variable overrides the
default timeout. Use an integer in the range of 1 through 86400.
var://service/reply-to-q
Read and write the value in the ReplyToQ (Reply to Queue) MQ header.
When read, shows the input message value. When write, changes the
dynamic routing.
var://service/reply-to-qm
Read and write the value in the ReplyToQMgr (Reply to Queue Manager)
MQ header. When read, shows the input message value. When write,
changes the dynamic routing.
Permission
var://service/config-param
Write-only
var://service/max-call-depth
Read-write
Write-only variables
var://service/config-param/parameterName value
Sets the specified stylesheet parameter to the specified value.
377
Read-write variables
var://service/max-call-depth
Gets or sets the maximum call depth for each transaction. This variable
controls how many levels of called rules can be layered before an error is
thrown. The default is 128.
Permission
var://service/lbhealth/
Write-only
Write-only variables
var://service/lbhealth/
Sets the member and state of a load balancer group.
Permission
var://service/correlation-identifier
Read-write
var://service/expiry
Read-write
var://service/format
Read-write
var://service/message-identifier
Read-write
var://service/message-type
Read-write
var://service/mq-ccsi
Write-only
var://service/mqmd-reply-to-q
Read-write
var://service/mqmd-reply-to-qm
Read-write
var://service/persistence
Read-write
var://service/priority
Read-write
var://service/reply-to-q
Read-write
var://service/reply-to-qm
Read-write
var://service/report
Read-write
Write-only variables
var://service/mq-ccsi
Sets the MQ message descriptor character set for an MQ Host or MQ
Proxy service.
378
var://service/mqmd-reply-to-q
Sets the output MQ message descriptor.ReplyToQ value for an MQ Host
or MQ Proxy service.
var://service/mqmd-reply-to-qm
Sets the output MQ message descriptor.ReplyToQMgr value for an MQ
Host or MQ Proxy service.
Read-write variables
var://service/correlation-identifier
Read and write the MQ value in the Correlation Identifier header for
MQ Host and MQ Proxy services.
var://service/expiry
Read and write the MQ value in the Expiry header for MQ Host and MQ
Proxy services.
var://service/format
Read and write the MQ value in the Format header for MQ Host and MQ
Proxy services.
var://service/message-identifier
Read and write the MQ value in the Message Identifier header for MQ
Host and MQ Proxy services.
var://service/message-type
Read and write the MQ value in the Message Type header for MQ Host
and MQ Proxy services.
var://service/persistence
Read and write the MQ value in the Persistence for MQ Host and MQ
Proxy services.
var://service/priority
Read and write the MQ value in the Priority header for MQ Host and
MQ Proxy services.
var://service/reply-to-q
Read and write the MQ value in the ReplyToQ (Reply to Queue) header for
MQ Host and MQ Proxy services. When read, shows the input message
value. When write, changes the dynamic routing.
var://service/reply-to-qm
Read and write the MQ value in the ReplyToQMgr (Reply to Queue
Manager) header for MQ Host and MQ Proxy services. When read, shows
the input message value. When write, changes the dynamic routing.
var://service/report
Read and write the MQ value in the Report header for MQ Host and MQ
Proxy services.
Multistep variables
This section contains information about system variables in an alphabetic order by
permission category. Multistep variables usually impact the behavior of specific
actions in the context of a processing rule. Table 17 lists the names and permission
for these variables.
Table 17. Names and permissions for variables that are available to all services
Variable name
Permission
var://service/log/soapversion
Read-write
Appendix C. Working with variables
379
Read-write variables
var://service/log/soapversion
Gets or sets the version of SOAP for use by a SOAP log targets. Use a
setvar action before a log action to change the version of SOAP to use
when logging this message.
Supports the following values:
soap11 Uses SOAP 1.1.
soap12 (Default) Uses SOAP 1.2.
Transaction variables
The available transaction variables are separated alphabetically into the following
categories:
v Asynchronous transactions
v Error handling
v Headers
v Persistent connections
v Routing
v URL
v Web Services Management (WSM)
Permission
var://service/soap-oneway-mep
Read-write
var://service/transaction-key
Write-only
var://service/transaction-name
Write-only
var://service/transaction-timeout
Write-only
Write-only variables
var://service/transaction-key
Sets the token for asynchronous transactions.
var://service/transaction-name
Sets the name for asynchronous transactions.
var://service/transaction-timeout
Sets the timeout for asynchronous transactions.
Read-write variables
var://service/soap-oneway-mep
Gets or sets the SOAP one-way Message Exchange Pattern (MEP)
notification.
v When true, notifies the service layer that this transaction is performing a
one-way MEP operation. This setting enables the service layer to
380
Permission
var://service/error-code
Read-write
var://service/error-ignore
Read-write
var://service/error-message
Read-write
var://service/error-protocol-reason-phrase
Write-only
var://service/error-protocol-response
Write-only
var://service/error-subcode
Read-write
var://service/strict-error-mode
Read-write
Write-only variables
var://service/error-protocol-reason-phrase
Sets the protocol-specific reason phrase for an error. This variable
overwrites the reason phrase in the response to provide a short description
that can be understood by people.
var://service/error-protocol-response
Sets the protocol-specific response for an error. This variable overwrites the
protocol-specific response code in an error condition.
Read-write variables
var://service/error-code
Gets or sets the assigned error code from the Result Code table.
var://service/error-ignore
Gets or sets a flag that controls how the Front Side Handler processes error
condition. If the value is set and greater than zero, it does not run any
error handling action and produces a regular response. The content of the
message is produced by an error rule.
The default value is 0.
Currently, on the TIBCO EMS and WebSphere JMS Front Side Handler use
this variable. If any error happens and the variable is set, the Front Side
381
Permission
var://service/append-request-header/
Write-only
var://service/append-response-header/
Write-only
var://service/set-request-header/
Write-only
var://service/set-response-header/
Write-only
Write-only variables
var://service/append-request-header/
Appends to the protocol request header.
var://service/append-response-header/
Appends to the protocol response header.
var://service/set-request-header/
Sets the protocol request header. This variable directly correlates to the
dp:set-request-header() extension function. Setting the
var://service/set-request-header/FOO variable to the value BAR would
set the request header FOO to BAR.
var://service/set-response-header/
Sets the protocol response header. This variable directly correlates to the
dp:set-response-header() extension function. Setting the
var://service/set-response-header/FOO variable to the value BAR would
set the response header FOO to BAR.
382
Permission
var://service/connection/note
Read-write
Read-write variables
var://service/connection/note
Gets or sets the annotation for the current connection. This variable allows
the user to annotate the current protocol session. The value could be an
identifier that could be used to maintain the state based on an existing
protocol session.
Variable name
Permission
var://service/routing-url
Read-write
var://service/routing-url-delay-content-type-determination
Read-write
var://service/routing-url-sslprofile
Read-write
Read-write variables
var://service/routing-url
For XML Firewall, Multi-Protocol Gateway, and Web Service Proxy
services, gets or sets the routing URL. This variable can be set one time
only and takes the following format:
<dp:set-variable name="var://service/routing-url"
value="protocol://target/URI" />
383
var://service/routing-url-delay-content-type-determination
Gets or sets the routing URL with delayed content-type determination.
|
|
|
|
|
|
|
|
Permission
var://service/protocol-method
Read-write
var://service/URI
Read-write
Read-write variables
var://service/protocol-method
Gets or sets the HTTP method of the transaction.
var://service/URI
Gets or sets the request URI of the transaction.
384
Variable name
Permission
var://service/wsa/timeout
Read-write
var://service/wsa/genpattern
Read-write
var://service/wsm/wsdl-error
Write-only
var://service/wsm/wsdl-warning
Write-only
Write-only variables
var://service/wsm/wsdl-error
Sets the WSDL error.
var://service/wsm/wsdl-warning
Sets the WSDL warning.
Read-write variables
var://service/wsa/timeout
Gets or sets the timeout value for the WS-Addressing asynchronous reply.
var://service/wsa/genpattern
Gets or sets the pattern for the WS-Addressing asynchronous reply.
Extension variables
This section contains information about system variables in an alphabetic order by
permission category. Extension variables usually impact the behavior of specific
actions, particularly fetch, results, and results-async actions. Table 25 lists the
names and permission for these variables.
Table 25. Names and permissions for extension variables
Variable name
Permission
var://local/_extension/allow-compression
Write-only
var://local/_extension/donot-follow-redirect
Write-only
var://local/_extension/header/
Write-only
var://local/_extension/http-10-only
Write-only
var://local/_extension/prevent-persistent-connection
Write-only
var://local/_extension/sslprofile
Write only
Write-only variables
var://local/_extension/allow-compression
Enables compression of HTTP requests. Set this variable to allow
compression of outgoing results content and negotiate the returned
document to be compressed if the underlying protocol supports it. For
HTTP, this means the content-encoding and accept-encoding headers.
var://local/_extension/donot-follow-redirect
Disables HTTP redirects. Set this variable to prevent the following of
protocol-level redirect sequences on the outgoing results and fetch calls
that are associated with this context. By default, redirects are followed.
var://local/_extension/header/
Appends the specified header field to the protocol connection. Variables of
the following form can be set to append headers to the dp:url-open()
extension function or results action or fetch action connection when a
context that contains them is used as the input context:
_extension/header/*
The following example would add the HTTP header X-foo: bar to the
HTTP request:
setvar tmpvar2 var://local/_extension/header/X-foo bar
results tmpvar2 http://foo.bar.com/foome.asp tmpvar3"
Appendix C. Working with variables
385
var://local/_extension/http-10-only
Restricts HTTP to version 1.0. Set this variable to prevent the use of
HTTP/1.1 on the related context of a results action or fetch action.
var://local/_extension/prevent-persistent-connection
Disables HTTP persistent connection. Set this variable to prevent persistent
connections of the outgoing a results action call or fetch action call that is
associated with this context. Persistent connections are supported by
default, where appropriate.
var://local/_extension/sslprofile
Sets the SSL proxy profile for the request. This variable can be set on the
input context to a dp:url-open() extension function or to a results action or
to a fetch action to override the selection of an SSL Proxy Profile. For
instance:
results tmpvar2 https://foo.bar.com/foome.asp tmpvar3
would normally use the SSL Proxy Profile that is associated with any
user-agent configuration for the URL
https://foo.bar.com/foome.asp
var://local/_extension/timeout
Sets the request timeout on an input context to override any previously set
timeout parameter. Set the value in seconds.
System variables
This section contains information about system variables in an alphabetic order by
permission category. Table 26 lists the names and permission for these variables.
Table 26. Names and permissions for system variables
Variable name
Permission
var://system/map/debug
Read-write
var://system/tasktemplates/debug
Read-write
Read-write variables
var://system/map/debug
Gets or sets the debugging level for role-based management (RBM).
var://system/tasktemplates/debug
Gets or sets the debugging level for task templates.
386
Category
allow-compression
var://local/_extension/allow-compression
Extension
append-request-header
var://service/append-request-header
Transaction,
headers
append-response-header
var://service/append-response-header
Transaction,
headers
backend-timeout
var://service/mpgw/backend-timeout
Service, general
config-param
var://service/config-param
Service,
configuration
correlation-identifier
var://service/correlation-identifier
Service, MQ
debug
var://system/map/debug
System
var://system/tasktemplates/debug
donot-follow-redirect
var://local/_extension/donot-follow-redirect
Extension
error-code
var://service/error-code
Transaction, error
handling
error-ignore
var://service/error-ignore
Transaction, error
handling
error-message
var://service/error-message
Transaction, error
handling
error-protocol-reason-phrase
var://service/error-protocol-reason-phrase
Transaction, error
handling
error-protocol-response
var://service/error-protocol-response
Transaction, error
handling
error-subcode
var://service/error-subcode
Transaction, error
handling
expiry
var://service/expiry
Service, MQ
format
var://service/format
Service, MQ
genpattern
var://service/wsa/genpattern
Transaction, WSM
header
var://local/_extension/header
Extension
http-10-only
var://local/_extension/http-10-only
Extension
lbhealth
var://service/lbhealth
Service, load
balancer
max-call-depth
var://service/max-call-depth
Service,
configuration
message-identifier
var://service/message-identifier
Service, MQ
message-type
var://service/message-type
Service, MQ
mq-ccsi
var://service/mq-ccsi
Service, MQ
mqmd-reply-to-q
var://service/mqmd-reply-to-q
Service, MQ
mqmd-reply-to-qm
var://service/mqmd-reply-to-qm
Service, MQ
note
var://service/connection/note
Transaction,
persistent
connection
387
Category
persistence
var://service/persistence
Service, MQ
prevent-persistent-connection
var://local/_extension/prevent-persistentconnection
Extension
priority
var://service/priority
Service, MQ
reply-to-q
var://service/reply-to-q
Service, MQ
reply-to-qm
var://service/reply-to-qm
Service, MQ
report
var://service/report
Service, MQ
routing-url
var://service/routing-url
Transaction,
routing
routing-url-sslprofile
var://service/routing-url-sslprofile
Transaction,
routing
set-request-header
var://service/set-request-header
Transaction,
headers
set-response-header
var://service/set-response-header
Transaction,
headers
skip-backside
var://service/mpgw/skip-backside
Service, general
soap-fault-response
var://service/soap-fault-response
Service, general
soap-oneway-mep
var://service/soap-oneway-mep
Transaction,
asynchronous
soapversion
var://service/log/soapversion
Service, multistep
sslprofile
var://local/_extension/sslprofile
Extension
strict-error-mode
var://service/strict-error-mode
Transaction, error
handling
timeout
var://service/wsa/timeout
Transaction, WSM
transaction-key
var://service/transaction-key
Transaction,
asynchronous
transaction-name
var://service/transaction-name
Transaction,
asynchronous
transaction-timeout
var://service/transaction-timeout
Transaction,
asynchronous
URI
var://service/URI
Transaction, URL
wsdl-error
var://service/wsm/wsdl-error
Transaction, WSM
wsdl-warning
var://service/wsm/wsdl-warning
Transaction, WSM
388
Trademarks
IBM, the IBM logo, DataPower, and WebSphere are registered trademarks of the
International Business Machines Corporation in the United States or other
countries. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol ( or ), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at Copyright and trademark information at www.ibm.com/legal/
copytrade.shtml.
Adobe is either a registered trademark or trademark of Adobe Systems
Incorporated in the United States, and/or other countries.
389
390
Index
Special characters
__JSONASJSONX keyword 93
... button
list of referenced object 9
referenced object 8
.java.policy file 191
[configuration-database] stanza, file
entry 252
[ldap] stanza, ssl-keyfile-pwd entry 252
[manager] stanza, replica entry 252
<results> element 148
<url> element 148
+ button
list of referenced object 9
referenced object 8
A
AAA
authentication
search parameters 266
search parameters 266
TFIM 253
aaa action
purpose 88
AAA action
defining 95
dictionary attack, protection 45
AAA Info file
Authenticate element 247
Authorize element 247
editor
authenticated identities 248
authorized access to
resources 250
confirmation 250
credentials 248
default credential 248
file information 250
map credentials 249
map resources 249
overview 247
unauthenticated identity 248
MapCredentials element 247
MapResource element 247
overview 246
AAA Info File
authentication 165
authorization, AAA 179
credentials mapping, AAA 167
resources mapping, AAA 171
AAA Policy
AAA Info file
Authenticate element 247
Authorize element 247
MapCredentials element 247
MapResource element 247
overview 246
authentication
AAA info file 165
Copyright IBM Corp. 2002, 2011
391
392
actions (continued)
contexts
__JSONASJSONX 92
input 92
output 92
convert-http
defining 99
purpose 89
cryptobin
defining 99
purpose 89
decrypt
defining 107
Encrypted tokens 371
purpose 89
defining 95
encrypt
defining 109
Encrypted tokens 371
ID references 371
purpose 89
SOAP message with
WS-Security 109
SOAP message with XML
encryption 113
XML message with XML
encryption 114
event-sink 115
purpose 89
extract
defining 116
purpose 89
fetch
attachment protocol 147
defining 116
locating remote resources 145
purpose 89
query parameters 147
specifying remote locations 146
filter
conformance filter 119
defining 117
purpose 89
replay filter 117
required elements filter 118
standard filter 117
WS-Security message layout
filter 119
for-each 119
purpose 89
for-each action
specifying multiple URLs 146
log
defining 122
locating remote resources 145
purpose 90
specifying remote locations 146
method rewrite
defining 130
MQ Header
modifying reply queue 125
modifying reply queue
manager 126
modifying request message
headers 124
modifying response message
headers 125
actions (continued)
MQ Header (continued)
overview 123
retrieving responses with
correlation ID 124
retrieving responses with message
ID 124
on-error
defining 126
defining reusable rules 145
purpose 90
variable builder 148
purpose 88
results
attachment protocol 147
defining 128
locating remote resources 145
purpose 90
query parameters 147
specifying multiple URLs 146
specifying remote locations 146
results-async
attachment protocol 147
defining 129
locating remote resources 145
purpose 90
query parameters 147
specifying multiple URLs 146
specifying remote locations 146
rewrite header
purpose 90
rewrite header (rewrite)
defining 130
rewrite method
purpose 90
route-action
defining with style sheet 131
defining with XPath
expression 131
purpose 90
route-set
defining 132
locating remote resources 145
purpose 91
specifying remote location 146
setvar
defining 132
purpose 91
variable builder 148
sign
defining 133
generating signature
confirmation 374
ID references 371
purpose 91
verifying signature
confirmation 374
slm
defining 135
purpose 91
sql
defining 135
purpose 91
strip-attachments
defining 136
purpose 91
supported protocols 146
actions (continued)
validate 142
purpose 92
verify
adding 144
generating signature
confirmation 374
Kerberos AP-REQ tokens,
remote 373
purpose 92, 144
SAML assertions, remote 373
verifying signature
confirmation 374
X.509 certificates, remote 372
xform
defining 137
defining buffer attachment
transform 141
defining conformance
transform 142
defining SOAP refinement
transform 139
purpose 91
xformbin
defining 138
purpose 91
xformpi
defining 138
purpose 91
Add button
list of referenced object 9
admin account
exporting configuration data 197
Administration menu 7
administrative states, objects 12
allow compression policy, user
agent 353
antivirus (antivirus) action
defining 95
antivirus action
purpose 88
AP-REQ message, Kerberos 255
appliance configuration
backing up 197, 198
comparing 206
configuration checkpoints 202
copying
files 200
objects 200
exporting 197
select objects and files 199
importing configuration 204
managing configuration changes 205
moving
files 200
objects 200
reading change report 206
reverting changes 207
undoing changes 207
appliance-wide log
location 188
application domains
backing up configuration 198
Apply button 11
asymmetric signatures
verifying 144
B
backend-timeout variable 377
basic configuration
MQ Front Side Handler 83
Basic Profile 1.0
Conformance Policy 261
Basic Profile 1.1
Conformance Policy 261
Basic Security Profile 1.0
Conformance Policy 261
BinarySecurityToken
authentication, AAA 165
identity extraction, AAA 154
bold typeface 2
buffer-attachments.xsl style sheet 141
builder
deployment policy 209
burst limit
count monitors 215
buttons
... 8
+ 8
Apply 11
Cancel 11
Delete 12
Edit 9
Logout 7
Save Config 7, 11
Undo 11
View 9
C
CA Unicenter Manager 366
caches
flushing
document cache 368
stylesheet cache 368
caching policy
AAA Policy
authentication 168
authorization 180
call action
defining 97
defining reusable rules 145
purpose 88
call processing rule (call) action
variable builder 148
call processing rule action
See call action
Cancel button 11
cert: directory 187
Index
393
certificate files
location 187
Certificate objects
export packages 197
certificates
converting 21
DER 17
exporting 19
generating 18
importing 20
PEM 17
PKCS #12 17
PKCS #8 17
security
location, shared 188
location, Web browsers 188
supported formats 17
uploading 191
checkpoint action
purpose 88
checkpoint configuration files
location 187
checkpoint event (checkpoint) action
defining 97
chkpoints: directory 187
CICS Transaction Server 184
clear pdp cache CLI 260
clear xsl cache CLI 260
ClearTrust
authentication, AAA 163
authorization, AAA 173
client-to-server rule 88
Clone link 13
commands
clear pdp cache 260
clear xsl cache 260
web-mgmt 7
compression policy, user agent 353
conditional action
defining 98
purpose 88
config: directory 187
configuration
managing appliance
configuration 195
configuration checkpoints
defining number to allow 202
deleting 203
listing 203
loading 203
overwriting 202
rolling back 203
saving 202
configuration data
applying 11
backing up
WebGUI 197, 198
backing up application domains 198
comparing
WebGUI 206
configuration checkpoints 202
copying
files 200
objects 200
different release level 197
exchanging 197
394
D
dashboard 7
debugging
processing policies 149
decrypt action
defining 107
Encrypted tokens 371
purpose 89
decrypt.xsl file 107
default log
location 188
Delete button 12
list of referenced object 9
denial-of-service, protection
multiple message (MMXDoS) 42
single message (XDoS) 41
deployment policy
accepted configuration 207
creating 208
filtered configuration 207
modified configuration 207
using the builder 209
Deployment Policy
object pages 208
deployment policy builder
creating matching statements 209
DER
certificate format 17
key format 17
dictionary attack, protection 45
directories
audit: 187
available 187
cert: 187
chkpoints: 187
config: 187
displaying contents 189
dpcert: 187
export: 187
hiding contents 189
image: 187
local: 187
logstore: 187
logtemp: 188
managing 187
pubcert: 188
refreshing contents 190
sharedcert: 188
store: 188
tasktemplates: 189
temporary: 189
disabled administrative state 12
Document Crypto Map
creating 263
documentation conventions, typefaces
Domain list 7
down operation state 12
dpcert: directory 187
dpmq protocol 146
dptibems protocol 146
dpwasjms protocol 146
dpwasjmss protocol 146
DSA signatures
verifying 144
duration monitors
filters 217
Duration monitors 298
E
Edit button 9
elements
EncryptedData element 371
SecurityTokenReference 372
SignatureConfirmation 373
enabled administrative state 12
F
fault-tolerance
TIBCO EMS 339, 343
fetch action
attachment protocol 147
defining 116
locating remote resources 145
purpose 89
query parameters 147
specifying remote locations 146
supported protocols 146
file entry, [configuration-database]
stanza 252
File Management utility, launching 189
file system
See directories
files
.java.policy 191
AAAInfo.xsd 246
auto-config.cfg 11
certificates
location 187
checkpoint configurations
location 187
configurations
location 187
copying 192
remote URL 192
decrypt.xsl 107
deleting 194
editing
during configuration 10
File Management utility 194
encrypt-soap.xsl 113
encrypt-wssec.xsl 109
encrypt.xsl 114
exported, location 187
fetching 192
managing 187
moving 193
not in export packages
firmware files 197
log files 197
pkcs7-decrypt.xsl 106
pkcs7-encrypt.xsl 104
pkcs7-sign.xsl 99
pkcs7-verify.xsl 102
private keys
location 187
renaming 193
SQL-Injection-Filter.xsl 44
SQL-Injection-Patterns.xml 44
TAM
ASCII configuration 251
creating configuration 252
modifying configuration 252
obfuscated configuration 251
SSL key 251
SSL stash 251
tibco.conf 345
uploading
JKS 191
remote 192
workstation 190
viewing
during configuration 10
File Management utility 194
Index
395
filter action
conformance filter 119
Conformance Policy 261
defining 117
purpose 89
replay filter 117
required elements filter 118
SQL injections, protection 44
standard filter 117
WS-Security message layout
filter 119
filter-accept-all.xsl style sheet 117
filter-reject-all.xsl style sheet 117
filtered configuration
deployment policy 207
filters
duration monitors 217
Firewall Credentials
configuring 23
creating 23
firmware files
between release levels 197
export packages 197
firmware images
location 187
flash drive
See directories
for-each
purpose 89
for-each action
defining for-each 119
locating remote resources 145
specifying multiple URLs 146
use cases 119
Front Side Handler
FTP Poller 51
FTP Server 54
HTTP 65
HTTPS 66
IMS Connect 67
NFS Poller 68
object pages
MQ 83
TIBCO EMS 79
WebSphere JMS 81
SFTP Poller 71
SFTP Server 74
Stateful Raw XML 77
Stateless Raw XML 78
FTP client
command channel
encrypting 356
stopping encryption after
authentication 356
data (ASCII, binary) 356
encrypting file transfers 356
NAT compatibility 356
passive mode 356
sending command to server 356
unique file names (STOU, STOR) 356
user agent 356
FTP Poller
Front Side Handler 51
ftp protocol 146
FTP Server
Front Side Handler 54
396
G
general variables
listing 376
service/soap-fault-response
376
H
header injection policy, user agent 355
header retention policy, user agent 354
heartbeat detection, TIBCO 345
HMAC signatures
verifying 144
HTTP 1.0 restriction policy, user
agent 354
HTTP 1.1
chunked contents 355
Content-Length header 355
HTTP Front Side Handler 65
HTTP header
identity extraction, AAA 153
HTTP Header Injection
Multi-Protocol Gateway 301
HTTP header matching rule 87
HTTP Header Suppression
Multi-Protocol Gateway 301
HTTP headers
Accept-Encoding, retaining 354
Authorization 352
Content-Length 355
MQMD, retaining 354
Range, retaining 354
request-header 350
SoapAction 352
TE, retaining 354
HTTP Input Conversion Map
object pages
Input Encoding 264
Main 263
HTTP method matching rule 87
HTTP operations
resource extraction, AAA 169
HTTP Options
Multi-Protocol Gateway 300
http protocol 146
HTTP proxy policy
securing with SSL proxy policy 351
user agent 351
HTTPS Front Side Handler 66
https protocol 146
I
IBM Tivoli Access Manager
See TAM
IBM Tivoli Federated Identity Manager
See TFIM
ICRX token 184
ID references
encrypt action 371
sign action 371
Identification Credentials
configuring 24
creating 24
identity extraction
AAA
BinarySecurityToken, WS-Security
Header 154
identity extraction, AAA
available methods 153
client IP address 157
connection peer
Token Subject DN, SSL 156
custom 159
extracted token
as cookie value 158
from message 158
HTTP Authentication Header 153
LTPA token 158
Processing Metadata 159
SAML artifact 157
SAML assertion
AttributeStatement 156
AuthenticationStatement 156
SPNEGO
Kerberos AP-REQ 156
subject DN
certificate in message
signature 157
SAML assertions, remote 373
SSL certificate 156
X.509 certificates, remote 372
WS-SecureConversation
Identifier 154
WS-Security Header
Kerberos AP-REQ 155
UsernameToken, derived-key 154
UsernameToken,
password-carrying 153
WS-Trust
Base 155
Supporting 155
image: directory 187
Import Package
creating 196
IMS Connect 264
URL builder 46
IMS Connect Handler 67
ims protocol 146
imsssl protocol 146
Include Configuration File
creating 195
input context, actions 92
INPUT keyword 92
installation images
See firmware images
intellectual property 389
intermediary service provider,
SOAP 139
italics typeface 2
J
J2RE (j2re1.4.2) 191
j2re1.4.2 (J2RE) 191
j2sdk1.4.2 (SDK) 191
Java Crypto Extension
See SunJCE
Java Crypto Extension Key Store
See JCEKS
keywords (continued)
contexts (continued)
PIPE 93
K
KDC, Kerberos 255
Kerberos
AP-REQ message 255
configuring KDC server 257
KDC 255
keytab 255
principal 255
signature verification 144
Kerberos AP-REQ
authentication, AAA 165
identity extraction, AAA
SPNEGO 156
WS-Security Header 155
post processing, AAA 182
verify action 373
Kerberos AP-REQ tokens, remote
Kerberos KDC server
configuring 257
creating 257
object pages 257
Kerberos keytab
configuring 257
definition 255
Key Distribution Center
See KDC
Key objects
export packages 197
key-certificate pairs
creating 17
keys
converting 20
DER 17
exporting 19
generating 18
importing 20
PEM 17
PKCS #12 17
PKCS #7 17
supported formats 17
keywords
contexts
__JSONASJSONX 93
INPUT 92
NULL 93
OUTPUT 92
373
LDAP
authentication
search parameters 266
authentication, AAA 160
authorization, AAA 174
credentials mapping
search parameters 266
search parameters 266
licensing
sending inquiries 389
links
Clone 13
Export 12
Show Probe 13
View Logs 12
View Status 12
load balancer group
adding members 278
basic configuration 277
creating 267, 276
health
convalescent (down) 274
healthy (up) 274
quarantined (softdown) 274
health checks
enabling 279
overriding port 277
health of members 274
members
assigning weight 281
disabling members 281
server state 267
Load Balancer Group
example
DataPower service 48
replacing back-end server 48
load balancer service variables
listing 378
service/lbhealth/ 378
load-balancing
TIBCO EMS 341, 343
local: directory 187
local/_extension/allow-compression
variable 385
local/_extension/donot-follow-redirect
variable 385
local/_extension/header/ variable 385
local/_extension/http-10-only
variable 386
local/_extension/prevent-persistentconnection variable 386
local/_extension/sslprofile variable 386
local/_extension/timeout variable 386
log action
defining 122
locating remote resources 145
purpose 90
specifying remote locations 146
supported protocols 146
log files
export packages 197
12
M
map message
TIBCO EMS 79
MapCredentials element, AAA Info
file 247
MapResource element, AAA Info
file 247
matching rules
defining 290
error code 87
HTTP header 87
HTTP method 87
processing policies 87
URL 87
XPath 87
matching statements
deployment policy builder 209
deployment policy, manual 209
message catalogs 188
message layout filter, WS-Security 119
message monitors
configuring 211, 216
count monitors 214
duration monitors 216
filter action 213
message matching 212
message type 213
traffic definition 212
message tampering, protection 43
message transmission optimization
mechanism
See MTOM
messages
validating conformance 261
method rewrite action
defining 130
MMXDoS, protection 42
modified configuration
deployment policy 207
Modified configuration state 12
Index
397
monitors
See also message monitors
See also Web services monitors
managing 211
Multi-Protocol Gateway 298
types 211
Web services monitors
configuring 217
overview 217
monospaced typeface 2
MQ
URL builder 47
MQ Front Side Handler 83
advanced configuration 85
basic configuration 83
configuration 83
properties and headers
configuration 85
publish and subscribe
configuration 84
MQ Get Message Options (GMO)
MQGET options 83
MQGMO_* 83
MQ header action
modifying
reply queue 125
reply queue manager 126
request message headers 124
response message headers 125
overview 123
retrieving responses
with correlation ID 124
with message ID 124
MQ Host variables
listing 378
service/correlation-identifier 379
service/expiry 379
service/format 379
service/message-identifier 379
service/message-type 379
service/mq-ccsi 378
service/mqmd-reply-to-q 379
service/mqmd-reply-to-qm 379
service/persistence 379
service/priority 379
service/reply-to-q 379
service/reply-to-qm 379
service/report 379
mq protocol 146
MQ Proxy variables
listing 378
service/correlation-identifier 379
service/expiry 379
service/format 379
service/message-identifier 379
service/message-type 379
service/mq-ccsi 378
service/mqmd-reply-to-q 379
service/mqmd-reply-to-qm 379
service/persistence 379
service/priority 379
service/reply-to-q 379
service/reply-to-qm 379
service/report 379
MQ request messages
modifying message headers 124
specifying correlation ID 124
398
N
namespace mappings, AAA Policy 245
NAS-identifier 322
NAT
FTP clients 356
navigation
Administration menu 7
Network menu 7
Objects menu 7
Services menu 7
Status menu 7
Netegrity
authentication, AAA 163
authorization, AAA 173
Network Address Translation
See NAT
Network menu 7
New configuration state 12
NFS
Poller Front Side Handler 68
NFS Poller Front Side Handler 68
node-set() extension function 366
notices 389
NSS Client
creating 369
O
object pages
AAA Policy
Authenticate 226
Authorize 235
Identity 224
LTPA Attributes 244
Map Credentials 233
Map Resource 235
Namespace Mapping 243
Post Processing 242
Resource 234
SAML Attributes 243
Transaction Priority 245
Conformance Policy 261
Crypto Certificate 21
Crypto Firewall Credentials 23
Crypto Identification Credentials
Crypto Key 25
Deployment Policy 208
Front Side Handler
MQ 83
TIBCO EMS 79
WebSphere JMS 81
HTTP Input Conversion Map
Input Encoding 264
Main 263
Kerberos KDC server 257
Multi-Protocol Gateway
HTTP Options 300
Main 291
Proxy Settings 293
WS-Addressing 302
Policy Parameters
Main 309
Policy Parameters 309
Processing Action
Main 309
Named Inputs 317
Named Outputs 318
Stylesheet Parameters 318
Processing Metadata
Main 318
Metadata Items 319
Processing Policy
Main 320
Policy Maps 320
Processing Rule 321
Schema Exception Map
Main 323
Rules 324
SLM Action 327
SLM Credentials Class 326
SLM Resource Class 327
SLM Schedule 328
SOAP Header Disposition Table
Main 329
SOAP Header Refine
Instruction 329
SSH Client Profile 29
SSL Proxy Profile 29
TAM 252
24
P
padding oracle protection 43
Parser Limits
Multi-Protocol Gateway 299
patents 389
peer group
defining 328
PEM
certificate format 17
key format 17
persistent connections variables
listing 383
service/connection/note 383
PIPE keyword 93
PKCS #12
certificate format 17
key format 17
PKCS #7
certificate format 17
decrypting documents 106
encrypting documents 104
signing documents 99
verifying signed documents 102
PKCS #8
key format 17
pkcs7-decrypt.xsl file 106
pkcs7-encrypt.xsl file 104
pkcs7-sign.xsl file 99
pkcs7-verify.xsl file 102
Policy Decision Point
See XACML PDP
Policy Parameters
defining 308
object pages
Main 309
Policy Parameters 309
post processing, AAA
Authorized Counter 180
available activities 181
CICS Transaction Server 184
Count Monitors 180
custom style sheet 182
ICRX token 184
Kerberos AP-REQ 182
logging access attempts 181
LTPA 183
Rejected Counter 180
SAML assertion 182
SAML Assertion/Response 184
SPNEGO 183
TFIM 184
WS-Security UsernameToken 183
WS-Trust 182
z/OS identity propagation 184
principal, Kerberos 255
private key files
location 187
private keys
uploading 191
Processing Action
object pages
Main 309
Named Inputs 317
Named Outputs 318
Stylesheet Parameters 318
Processing Metadata
identity extraction, AAA 159
object pages
Main 318
Metadata Items 319
resource extraction, AAA 170
ssh-password-metadata 74
ssh/password variable 74
ssh/publickey variable 74
ssh/username variable 74
processing policies
contexts 92
creating 93
debugging 149
defining 87
matching rules 87
processing rules 88
Processing Policy
object pages
Main 320
Policy Maps 320
Processing Rule
object pages 321
processing rules
client-to-server 88
contexts 92
direction 88
error 88
matching rules 290
processing policies 88
server-to-client 88
two way 88
protocol handler
quiesce 14
unquiesce 14
protocols
supported 146
Proxy Settings
Multi-Protocol Gateway 293
pubcert validation credentials 32
pubcert: directory 188
publish
MQ Front Side Handler 84
Q
query parameters
actions 147
attachment protocol 147
queues
TIBCO EMS 78
WebSphere JMS 81
quiesce
protocol handler 14
service 14
R
RADIUS
authentication, AAA 165
NAS-identifier 322
purpose 322
Range header, retaining 354
referenced objects
... button 8
+ button 8
creating 8
modifying 8
selecting 8
referenced objects, lists
... button 9
+ button 9
Add button 9
adding 9
creating 9
Delete button 9
deleting 9
modifying 9
selecting 9
Rejected Counter Tool 180
replay filter 117
replay-filter.xsl style sheet 117
replica entry, [manager] stanza 252
request-header, HTTP 350
required-elements-filter.xsl style
sheet 118
resource extraction, AAA
available methods 168
HTTP operations 169
local name of request element 169
Processing Metadata 170
URI of top-level element 169
URL from client 169
URL to backend 168
XPath from request 169
resources mapping, AAA
AAA Info File 171
available methods 170
Index
399
400
S
S11:actor SOAP attribute 139
S11:mustUnderstand SOAP attribute 139
S12:mustUnderstand SOAP attribute 139
S12:notUnderstood SOAP attribute 139
S12:relay SOAP attribute 139
S12:role SOAP attribute 139
SAML assertion 184
authentication, AAA
artifact 164
valid signature 159
identity extraction, AAA
AttributeStatement 156
AuthenticationStatement 156
post processing, AAA 182
SAML assertions 373
AAA Policy
authentication 373
identity extraction 373
verify action 373
SAML attributes
defining, AAA Policy 245, 258
SAML server
authorization, AAA
attribute query 176
authorization query 175
Save Config button 7, 11
Saved configuration state 12
Schema Exception Map
object pages
Main 323
Rules 324
schemas
location 188
SCP protocol
authentication policy, user agent 353
public keys 353
SDK (j2sdk1.4.2) 191
search parameters, LDAP 266
security certificates
shared
location 188
Web browsers
location 188
Security Token Reference
See STR
SecurityContextToken, WS-Trust
post processing, AAA 182
SecurityTokenReference element 372
server pool
See load balancer group
server state
load balancer group 267
server-to-client rule 88
service
quiesce 14
unquiesce 14
service level monitors
See SLM
service variables
listing 376
multistep/loop-count 122
multistep/loop-iterator 122
types 376
service/append-request-header/
variable 382
service/append-response-header/
variable 382
service/config-param/ variable 377
service/connection/note variable 383
service/correlation-identifier
variable 379
service/error-code variable 381
service/error-ignore variable 381
service/error-message variable 382
service/error-protocol-reason-phrase
variable 381
service/error-protocol-response
variable 381
service/error-subcode variable 382
service/expiry variable 379
service/format variable 379
service/lbhealth/ variable 378
service/max-call-depth variable 378
service/message-identifier variable 379
service/message-type variable 379
service/mq-ccsi variable 378
service/mqmd-reply-to-q variable 379
service/mqmd-reply-to-qm variable 379
service/persistence variable 379
service/priority variable 379
service/protocol-method variable 384
service/reply-to-q variable 377, 379
service/reply-to-qm variable 377, 379
service/report variable 379
service/routing-url variable 75, 383
service/routing-url-delay-content-typedetermination variable 384
service/routing-url-sslprofile
variable 384
service/set-request-header/ variable 382
service/set-response-header/
variable 382
service/soap-fault-response variable 376
service/soap-oneway-mep variable 380
service/strict-error-mode variable 382
service/transaction-key variable 380
service/transaction-name variable 380
service/transaction-timeout variable 380
service/URI variable 75, 384
service/wsa/genpattern variable 385
service/wsa/timeout variable 385
service/wsm/wsdl-error variable 385
service/wsm/wsdl-warning
variable 385
Services
Multi-Protocol Gateway Service 291
Services menu 7
set variable (setvar) action
defining 132
variable builder 148
set variable action
See setvar action
set-target() extension function 131
setvar action
<results> element 148
<url> element 148
defining 132
purpose 91
variable builder 148
SFTP Poller
Front Side Handler 71
SFTP protocol
authentication policy, user agent 353
public keys 353
SFTP Server
Front Side Handler 74
SFTP Server Front Side Handler
AAA Policy 74
authentication 74
authorization 74
configuration considerations 74
metadata variables 74
routing 75
URI propagation 75
URL specifications 75
Shared Secret Key
configuring 28
creating 28
shared secrets 28
sharedcert: directory 188
Show Probe link 13
sign action
defining 133
generating signature
confirmation 374
ID references 371
purpose 91
verifying signature confirmation 374
signature confirmation 373
SignatureConfirmation element 373
signatures
verifying 144
signed documents, PKCS #7
decrypting 106
encrypting 104
signing 99
verifying 102
skip-backside variable 377
SLM
overview 324
slm action
defining 135
purpose 91
SLM action
See slm action
SLM Action
creating 327
object pages 327
SLM Credentials Class
creating 326
object pages 326
SLM policy
adding statements 325
creating 325
creating SLM actions 327
SLM Policy
creating SLM Credentials Class
objects 326
creating SLM Resource Class
objects 327
creating SLM schedules 328
SLM Resource Class
creating 327
object pages 327
SLM Schedule
creating 328
object pages 328
SLM statements
adding to policy 325
overview 324
smtp protocol 146
SOAP attributes
S11:actor 139
S11:mustUnderstand 139
S12:mustUnderstand 139
S12:notUnderstood 139
S12:relay 139
S12:role 139
SOAP Header Disposition Table
object pages
Main 329
SOAP Header Refine
Instruction 329
SOAP refinement transform 139
SOAP service provider type 139
soap-refine.xsll style sheet 139
SoapAction header 352
specifying remote locations 146
specifying multiple URLs 146
SPNEGO
identity extraction, AAA 156
Kerberos AP-REQ 156
post processing, AAA 183
sql action
defining 135
purpose 91
SQL action
See sql action
SQL Data Source
adding configuration parameters 332
base configuration 331
defining 330
high-level configuration 331
SQL injections, protection 44
sql protocol 146
SQL-Injection-Filter.xsl style sheet 44
SQL-Injection-Patterns.xml file 44
SSH
AAA Policy 74
authentication 74
authorization 74
client profile, creating 29
metadata variables 74
routing 75
streaming 74
timeout 74
URI propagation 75
URL specifications 75
SSH Client Profile
creating 29
object pages 29
ssh-password-metadata Processing
Metadata 74
ssh/password variable 74
ssh/publickey variable 74
ssh/username variable 74
SSL
client proxy, creating 30
forward proxy, creating 30
reverse, proxy, creating 30
server proxy, creating 30
two-way proxy, creating 31
SSL authentication 27
SSL proxy policy, user agent 351
T
TAM
ASCII configuration file 251
authentication, AAA 164
authorization server replicas 252
authorization, AAA 172
configuration, general 251
configuring TAM objects 252
creating configuration files 252
creating TAM objects 252
licensing 251
modifying configuration files 252
obfuscated configuration file 251
object pages 252
refreshing certificates 253
resources mapping, AAA 170
Index
401
TAM (continued)
security 251
SSL key file 251
SSL stash file 251
tasktemplates: directory 189
tcp protocol 146
tcps protocol 146
TE header, retaining 354
temporary: directory 189
TFIM
AAA 253
credentials mapping, AAA 167
object pages 253
post processing, AAA 184
resources mapping, AAA 170
TFIM endpoint
WS-Trust messages 253
threat protection
denial-of-service
multiple message 42
single message 41
dictionary attack 45
message tampering 43
padding oracle protection 43
SQL injections 44
XML virus (X-Virus) 44
TIBCO EMS
fault-tolerant hosts 339, 343
heartbeat detection 345
load-balanced hosts 341, 343
map message 332
object pages 332
tibco.conf 345
transactional messaging 335
unique host 338
URL builder 46
TIBCO EMS Front Side Handler
map message 79
purpose 78
queues 78
support 78
topic spaces 78
TIBCO Rendezvous 78
TIBCO SmartSockets 78
tibco.conf file 345
Tivoli Access Manager
See TAM
topic spaces
TIBCO EMS 78
WebSphere JMS 81
trademarks 389
transaction headers variables
listing 382
service/append-request-header/ 382
service/append-responseheader/ 382
service/set-request-header/ 382
service/set-response-header/ 382
transaction logging 122
transaction routing variables
listing 383
service/routing-url 383
service/routing-url-delay-contenttype-determination 384
service/routing-url-sslprofile 384
transaction URL variables
listing 384
402
U
ultimate service provider, SOAP 139
Undo button 11
unquiesce
protocol handler 14
service 14
up operational state 12
URL builder
IMS Connect 46
MQ 47
TIBCO EMS 46
WebSphere JMS 47
URL matching rule 87
URL Rewrite Policy
object pages
Main 345
URL Rewrite Rule 346
use cases
for-each action 119
User Agent
creating 350
default configuration 348
modifying basic configuation 350
overview 348
policies
allow-compression policy 353
basic authentication 348, 352
chunked upload 355
chunked uploads, HTTP 1.1 348
V
validate action 142
message tampering, protection 43
purpose 92
validation credentials
non expiring, non-password-protected
certificates 32
pubcert 32
specific certificates 33
supported extensions 33
types 32
validation methods 32
variable builder 148
variables
asynchronous
service/soap-oneway-mep 380
asynchronous transactions
listing 380
service/transaction-key 380
service/transaction-name 380
service/transaction-timeout 380
configuration service
listing 377
service/config-param/ 377
service/max-call-depth 378
error handling
listing 381
service/error-code 381
service/error-ignore 381
service/error-message 382
service/error-protocol-reasonphrase 381
service/error-protocolresponse 381
service/error-subcode 382
service/strict-error-mode 382
extension
listing 385
variables (continued)
extension (continued)
local/_extension/allowcompression 385
local/_extension/donot-followredirect 385
local/_extension/header/ 385
local/_extension/http-10-only 386
local/_extension/preventpersistent-connection 386
local/_extension/sslprofile 386
local/_extension/timeout 386
general
listing 376
service/soap-fault-response 376
list, all available 387
load balancer service
listing 378
service/lbhealth/ 378
MQ Host
listing 378
service/correlation-identifier 379
service/expiry 379
service/format 379
service/message-identifier 379
service/message-type 379
service/mq-ccsi 378
service/mqmd-reply-to-q 379
service/mqmd-reply-to-qm 379
service/persistence 379
service/priority 379
service/reply-to-q 379
service/reply-to-qm 379
service/report 379
MQ Proxy
listing 378
service/correlation-identifier 379
service/expiry 379
service/format 379
service/message-identifier 379
service/message-type 379
service/mq-ccsi 378
service/mqmd-reply-to-q 379
service/mqmd-reply-to-qm 379
service/persistence 379
service/priority 379
service/reply-to-q 379
service/reply-to-qm 379
service/report 379
Multi-Protocol Gateway
backend-timeout 377
service/reply-to-q 377
service/reply-to-qm 377
skip-backside 377
multistep
log/soapversion 380
persistent connections
listing 383
service/connection/note 383
service
listing 376
type 376
service/routing-url 75
service/URI 75
ssh/password 74
ssh/publickey 74
ssh/username 74
variables (continued)
system
listing 386
system/map/debug 386
system/tasktemplates/debug 386
transaction
listing 380
type 380
transaction headers
listing 382
service/append-requestheader/ 382
service/append-responseheader/ 382
service/set-request-header/ 382
service/set-response-header/ 382
transaction routing
listing 383
service/routing-url 383
service/routing-url-delay-contenttype-determination 384
service/routing-url-sslprofile 384
transaction URL
listing 384
service/protocol-method 384
service/URI 384
types 375
using 375
Web Service Proxy
backend-timeout 377
service/reply-to-q 377
service/reply-to-qm 377
skip-backside 377
WSM
listing 384
service/wsa/genpattern 385
service/wsa/timeout 385
service/wsm/wsdl-error 385
service/wsm/wsdl-warning 385
verify action
adding 144
generating signature
confirmation 374
Kerberos AP-REQ tokens, remote 373
purpose 92, 144
SAML assertions, remote 373
verifying signature confirmation 374
X.509 certificates, remote 372
View button 9
View Logs link 12
View Status link 12
W
Web Management Interface 7
Web Service Proxy
defining policy parameters 308
service variables
backend-timeout 377
service/reply-to-q 377
service/reply-to-qm 377
skip-backside 377
Web services monitors 298
configuring 217
overview 217
specifying dual thresholds 218
web-mgmt command 7
WebGUI
accessing 7
Administration menu 7
applying configuration changes 11
canceling changes 11
cloning services 13
common tasks 11
dashboard 7
deleting objects 12
Domain list 7
exporting objects 12
logging in 7
Logout button 7
Network menu 7
Objects menu 7
resetting configuration 11
reverting changes 11
Save Config button 7
saving configuration changes 11
Services menu 7
Status menu 7
viewing configuration-specific
logs 12
viewing object status 12
viewing probe data 13
Welcome screen 7
WebSphere Cell
purpose 357
WebSphere JMS
transactional messaging 359
URL builder 47
WebSphere JMS Front Side Handler
purpose 81
queues 81
support 81
topic spaces 81
WebSphere JMS server
object pages 359
WebSphere Transformation Extender
See WTX
Welcome screen 7
workstation
uploading files 190
WS-Addressing
Multi-Protocol Gateway 302
WS-ReliableMessaging
Multi-Protocol Gateway 302
WS-SecureConversation
authentication, AAA 165
credentials mapping, AAA 167
identity extraction, AAA 154
WS-Security
message layout filter 119
WS-Security Header
identity extraction, AAA
BinarySecurityToken 154
UsernameToken, derived-key 154
UsernameToken,
password-carrying 153
WS-Security Management
See WSSM
WS-Trust
authentication, AAA 162
identity extraction, AAA 155
post processing, AAA 182
WS-Trust messages
TFIM endpoint 253
Index
403
WSM variables
listing 384
service/wsa/genpattern 385
service/wsa/timeout 385
service/wsm/wsdl-error 385
service/wsm/wsdl-warning 385
wssecurity-message-layout-filter.xsl style
sheet 119
WTX
DPA 314
Exported Files 314
input contexts 315
Mapping Logic Disabled 314
Named Inputs 317
Named Outputs 318
output contexts 315
xformbin action 138, 315
X
X-Virus, protection 44
X.509 certificates 372
AAA Policy
authentication 372
identity extraction 372
verify action 372
XACML PDP
authorization, AAA 178
configuring 259
XDoS, protection 41
xform
defining standard transform 137
XML messages 137
xform action
defining 137
defining buffer attachment
transform 141
defining conformance transform 142
defining SOAP refinement
transform 139
purpose 91
xformbin action
defining 138
purpose 91
xformpi action
defining 138
purpose 91
XML Manager
caches
flushing the document cache 368
flushing the stylesheet cache 368
configuring 366
document cache, flushing 368
Load Balancer Group
DataPower service 48
modifying 366
object pages 366
XML virus, protection 44
XPath bindings
AAA Policy 245
XPath matching rule 87
Z
z/OS identity propagation
404
184
Printed in USA