In this section: |
The following list outlines the configuration steps that are required in iWay Service Manager (iSM).
The KeyStore file must contain the root Certificate Authority (CA) that signed the Secure Sockets Layer (SSL) certificate used by WSO2 Identity Server. By default, the SSL certificate is self-signed, so the root CA is the SSL certificate itself.
Select the KeyStore Provider that was configured in step 1 for the TrustStore. The KeyStore can remain empty. The Security Protocol is TLS or higher.
Select the SSL Context Provider that was configured in step 2 for the SSL Context
For more information on how to configure a KeyStore Provider, SSL Context Provider, and HTTP Client Provider, see the iWay Service Manager User’s Guide.
If you use WSO2 Identify Server only to authorize access with eXtensible Access Control Markup Language (XACML), then there is no need to create a WSO2 realm. You can proceed directly to Configuring the XACML Provider and XACML Service.
The Authentication Realms pane opens, as shown in the following image.
The Authentication Realm pane opens, as shown in the following image.
The Authentication Realm pane is refreshed for the specific type of realm (in this case, WSO2), as shown in the following image.
The default user name and password is admin.
This account is used to login to WSO2 Identity Server through HTTP Basic Authentication. The password is sent essentially in clear text, but the connection is using SSL.
Configure a listener that is realm-aware (for example, the NHTTP listener).
The Listeners pane opens, as shown in the following image.
The Select listener type pane opens, as shown in the following image.
The configuration parameters for the NHTTP listener are displayed.
Note: Basic Auth is insecure unless it operates under HTTPS.
A listener name and description pane opens, as shown in the following image.
When this listener is deployed as part of a channel, it will ask for a user name and password, which will be checked against the user store within WSO2 Identity Server.
If you use WSO2 Identify Server only to authenticate users, then there is no need to create an XACML Provider or an XACML service.
The XACML Provider helps centralize the XACML Policy Decision Point (PDP) configuration. It can also be used later as the site of a future XACML cache.
The Authorization Provider pane opens, as shown in the following image.
The XACML Provider pane opens, as shown in the following image.
https://localhost:9443/services/EntitlementService.EntitlementServiceHttpsSoap11Endpoint/
Currently, the XACML provider assumes that the service location accepts SOAP 1.1.
The default user name and password is admin.
Parameter |
Description |
---|---|
Subject |
Determines who is requesting access to the resource. Enter the following: enter _getprin('user') This assumes the process flow is running under a listener configured with an authentication realm. This function returns the name of the logged in user, which is taken from the current principal. |
Resource |
Enter the name of the resource for which you wish to authorize access. |
Action |
Enter the type of action you wish to authorize (for example, read). Note: The Resource name and the Action is arbitrary, but it must be agreed with the XACML policy author. |
XACML Provider |
The name of the XACML Provider you configured earlier (for example, xacml_provider_test), which is used to send the XACML request. |
The XACML Service returns as success if the Policy Decision Point (PDP) returns Permit and fail_security otherwise. The actual decision from the PDP is available in the xacml_decision Special Register (SREG) if there is a need to distinguish Deny, NotApplicable, or Indeterminate.
The XACML Service calls the EntitlementService of the WSO2 Identity Server.
A sample request document can have the following structure:
<env:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://org.apache.axis2/xsd"> <env:Body> <ws:getDecisionByAttributes> <ws:subject>user1</ws:subject> <ws:resource>http://localhost:9999/resource1</ws:resource> <ws:action>read</ws:action> </ws:getDecisionByAttributes> </env:Body> </env:Envelope>
Within WSO2 Identity Server, this is mapped to an XACML request document, which has the following structure:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false"> <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user1</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9999/resource1 </AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> </Attribute> </Attributes> </Request>
A sample response document from the EntitlementService can have the following structure:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <ns:getDecisionByAttributesResponse xmlns:ns="http://org.apache.axis2/xsd"> <ns:return><![CDATA[<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <Result> <Decision>Deny</Decision> <Status> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> </Status> </Result> </Response>]]></ns:return> </ns:getDecisionByAttributesResponse> </soapenv:Body> </soapenv:Envelope>
Notice the XACML response is returned as a string, and not as embedded XML.
iWay Software |