Configuring iWay Service Manager

The following list outlines the configuration steps that are required in iWay Service Manager (iSM).

  1. Configure a KeyStore Provider to serve as the TrustStore.

    The KeyStore file must contain the root Certificate Authority (CA) that signed the Secure Sockets Layer (SSL) certificate used by WSO2 Identity Server. By default, the SSL certificate is self-signed, so the root CA is the SSL certificate itself.

  2. Configure an SSL Context Provider.

    Select the KeyStore Provider that was configured in step 1 for the TrustStore. The KeyStore can remain empty. The Security Protocol is TLS or higher.

  3. Configure an HTTP Client Provider.

    Select the SSL Context Provider that was configured in step 2 for the SSL Context.

  4. Continue the iSM configuration with the remaining topics in this section that are applicable.

For more information on how to configure a KeyStore Provider, SSL Context Provider, and HTTP Client Provider, see the iWay Service Manager User’s Guide.


Configuring an Authentication Realm for WSO2 Identity Server

If you use WSO2 Identity Server only to authorize access with eXtensible Access Control Markup Language (XACML), then there is no need to create a WSO2 realm. You can proceed directly to Configuring the XACML Provider and XACML Service.

Procedure: How to Configure an Authentication Realm for WSO2 Identity Server
  1. In the iWay Service Manager Administration Console, click Server in the top pane, and then click Authentication Realms in the left pane, as shown in the following image.

    The Authentication Realms pane opens, as shown in the following image.

  2. Click New.

    The Authentication Realm pane opens, as shown in the following image.

  3. From the Realm Type drop-down list, select wso2realm.

    The Authentication Realm pane is refreshed for the specific type of realm (in this case, WSO2), as shown in the following image.

  4. Enter a name for the new realm you are creating (for example, wso2realm_test).
  5. Enter the name of the Provider and the location of the WSO2 Identity Server.
  6. Enter the URL where WSO2 Identity Server can be accessed.
  7. Specify the user name and password for the administrator account in WSO2 Identity Server.

    The default user name and password are both admin.

    This account is used to log in to WSO2 Identity Server through HTTP Basic Authentication. The password is sent essentially in clear text, but the connection is protected by SSL.

  8. From the HTTP Client Provider drop-down list, select the HTTP Client Provider that you defined earlier for the HTTP Client.
  9. Click Add.

Procedure: How to Configure a Listener

Configure a listener that is realm-aware (for example, the NHTTP listener).

  1. In the iWay Service Manager Administration Console, click Registry in the top pane, and then click Listeners in the left pane, as shown in the following image.

    The Listeners pane opens, as shown in the following image.

  2. Click Add.

    The Select listener type pane opens, as shown in the following image.

  3. Select HTTP 1.1 [nonblocking] (nhttp) from the Type drop-down list and click Next.

    The configuration parameters for the NHTTP listener are displayed.

  4. Specify a port where HTTP requests will be received.
  5. Scroll down to the Authentication Realm parameter and enter the name of the WSO2 realm that was configured in the iSM Administration Console.

  6. From the Authentication Scheme drop-down list, select Basic Auth {httpbasic}.

    Note: Basic Auth is insecure unless it operates under HTTPS.

  7. Click Next at the bottom of the page to continue.

    A listener name and description pane opens, as shown in the following image.

  8. Enter a name for the selected listener and a brief description (optional).
  9. Click Finish.

When this listener is deployed as part of a channel, it will ask for a user name and password, which will be checked against the user store within WSO2 Identity Server.


Configuring the XACML Provider and XACML Service

If you use WSO2 Identity Server only to authenticate users, then there is no need to create an XACML Provider or an XACML Service.

Procedure: How to Configure the XACML Provider

The XACML Provider helps centralize the XACML Policy Decision Point (PDP) configuration. It can also be used later as the site of a future XACML cache.

  1. In the iWay Service Manager Administration Console, click Server in the top pane, and then click Authorization Provider in the left pane, as shown in the following image.

    The Authorization Provider pane opens, as shown in the following image.

  2. Click New.

    The XACML Provider pane opens, as shown in the following image.

  3. Enter a name for the new XACML Provider you are creating (for example, xacml_provider_test).
  4. In the PDP URL field, the default service location for the server is entered as follows:
    https://localhost:9443/services/EntitlementService.EntitlementServiceHttpsSoap11Endpoint/

    Currently, the XACML provider assumes that the service location accepts SOAP 1.1.

  5. Specify the user name and password for the administrator account in WSO2 Identity Server.

    The default user name and password are both admin.

  6. From the HTTP Client Provider drop-down list, select the HTTP Client Provider that you defined earlier for the HTTP Client.
  7. Click Add.

Procedure: How to Configure the XACML Service
  1. Create a process flow and add a Service object that points to XACML Service (com.ibi.agents.XDXacmlAgent).
  2. Enter values for the XACML Service parameters as listed and described in the following table.

    Parameter: Subject
    Description: Determines who is requesting access to the resource. Enter the following:

      _getprin('user')

    This assumes the process flow is running under a listener configured with an authentication realm. The function returns the name of the logged-in user, which is taken from the current principal.

    Parameter: Resource
    Description: Enter the name of the resource for which you wish to authorize access.

    Parameter: Action
    Description: Enter the type of action you wish to authorize (for example, read).

    Note: The Resource name and the Action are arbitrary, but they must be agreed upon with the XACML policy author.

    Parameter: XACML Provider
    Description: The name of the XACML Provider you configured earlier (for example, xacml_provider_test), which is used to send the XACML request.

  3. Save the settings for the Service object for XACML Service (com.ibi.agents.XDXacmlAgent).

    The XACML Service returns success if the Policy Decision Point (PDP) returns Permit, and fail_security otherwise. The actual decision from the PDP is available in the xacml_decision Special Register (SREG) if there is a need to distinguish Deny, NotApplicable, or Indeterminate.

    The XACML Service calls the EntitlementService of the WSO2 Identity Server.

A sample request document can have the following structure:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://org.apache.axis2/xsd">
   <soapenv:Body>
      <ws:getDecisionByAttributes>
         <ws:subject>user1</ws:subject>
         <ws:resource>http://localhost:9999/resource1</ws:resource>
         <ws:action>read</ws:action>
      </ws:getDecisionByAttributes>
   </soapenv:Body>
</soapenv:Envelope>

Within WSO2 Identity Server, this is mapped to an XACML request document, which has the following structure:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user1</AttributeValue>
      </Attribute>
   </Attributes>
   <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9999/resource1</AttributeValue>
      </Attribute>
   </Attributes>
   <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      </Attribute>
   </Attributes>
</Request>
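As an added example (not iWay or WSO2 code), the following Python builds, from the same three parameters the XACML Service takes, both the SOAP getDecisionByAttributes request shown above and the XACML 3.0 Request that WSO2 Identity Server derives from it. It uses only the namespaces, categories and attribute identifiers that appear in the two samples; the function names are this example's own.

```python
"""Added example: map (subject, resource, action) to the SOAP request sent to
the EntitlementService, and to the XACML 3.0 Request the server builds from it.
Not iWay or WSO2 code; only the namespaces and identifiers from the samples
above are used."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WS_NS = "http://org.apache.axis2/xsd"
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# (Category, AttributeId) for each parameter, exactly as in the sample Request.
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def build_soap_request(subject: str, resource: str, action: str) -> str:
    """Serialize the getDecisionByAttributes call as the XACML Service sends it."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ws", WS_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{WS_NS}}}getDecisionByAttributes")
    for name, value in (("subject", subject), ("resource", resource), ("action", action)):
        # Values go in as element text; ElementTree escapes <, > and & for us,
        # so a resource name containing markup cannot break the envelope.
        ET.SubElement(op, f"{{{WS_NS}}}{name}").text = value
    return ET.tostring(envelope, encoding="unicode")


def build_xacml_request(subject: str, resource: str, action: str) -> str:
    """Serialize the XACML 3.0 Request WSO2 Identity Server derives from that call."""
    ET.register_namespace("", XACML_NS)  # default namespace, as in the sample
    request = ET.Element(f"{{{XACML_NS}}}Request",
                         ReturnPolicyIdList="false", CombinedDecision="false")
    for name, value in (("subject", subject), ("resource", resource), ("action", action)):
        category, attribute_id = CATEGORIES[name]
        attributes = ET.SubElement(request, f"{{{XACML_NS}}}Attributes", Category=category)
        attribute = ET.SubElement(attributes, f"{{{XACML_NS}}}Attribute",
                                  IncludeInResult="false", AttributeId=attribute_id)
        ET.SubElement(attribute, f"{{{XACML_NS}}}AttributeValue",
                      DataType=XS_STRING).text = value
    return ET.tostring(request, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values, the same ones used in the documents above.
    print(build_soap_request("user1", "http://localhost:9999/resource1", "read"))
    print(build_xacml_request("user1", "http://localhost:9999/resource1", "read"))
```

The point to notice is that the SOAP operation carries three bare strings, and it is the server that assigns them to the access-subject, resource and action categories; any further subject attributes a policy might need (roles, groups) are not in this call, so a policy that depends on them must obtain them on the WSO2 side.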

A sample response document from the EntitlementService can have the following structure:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:getDecisionByAttributesResponse xmlns:ns="http://org.apache.axis2/xsd">
         <ns:return><![CDATA[<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>]]></ns:return>
      </ns:getDecisionByAttributesResponse>
   </soapenv:Body>
</soapenv:Envelope>

Notice the XACML response is returned as a string, and not as embedded XML.
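As an added example (not iWay or WSO2 code), the following Python shows what that means for a caller: parse the SOAP envelope, take the text of ns:return, parse that string a second time as an XACML Response, and then apply the XACML Service's contract (success only for Permit, fail_security otherwise, with the raw decision kept as xacml_decision). The sample response is constructed in the shape shown above. Anything that cannot be read as a recognised decision is treated as Indeterminate, so a malformed or truncated reply never turns into a Permit.

```python
"""Added example: unwrap the string-encoded XACML Response from the
EntitlementService reply and derive the XACML Service outcome.
Not iWay or WSO2 code; the edge names and register name follow the text above."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
VALID_DECISIONS = {"Permit", "Deny", "NotApplicable", "Indeterminate"}


def extract_decision(soap_response: str) -> str:
    """Return the XACML Decision carried in the SOAP response.

    Fail closed: a reply that is not well-formed, has no <ns:return> text, or
    carries an unknown decision is reported as Indeterminate."""
    try:
        envelope = ET.fromstring(soap_response)
    except ET.ParseError:
        return "Indeterminate"
    ret = envelope.find(f".//{{{AXIS_NS}}}return")
    if ret is None or not (ret.text or "").strip():
        return "Indeterminate"
    # The XACML document is the *text* of <ns:return> (a CDATA string), not
    # child elements, so it has to be parsed a second time.
    try:
        response = ET.fromstring(ret.text.strip())
    except ET.ParseError:
        return "Indeterminate"
    decision = response.findtext(f"./{{{XACML_NS}}}Result/{{{XACML_NS}}}Decision")
    if decision is None or decision.strip() not in VALID_DECISIONS:
        return "Indeterminate"
    return decision.strip()


def xacml_service_outcome(soap_response: str) -> dict:
    """Apply the XACML Service contract: the success edge only for Permit and
    fail_security for everything else, while the raw decision is kept in the
    xacml_decision register so a flow can still tell Deny from NotApplicable."""
    decision = extract_decision(soap_response)
    return {
        "edge": "success" if decision == "Permit" else "fail_security",
        "xacml_decision": decision,
    }


def sample_response(decision: str) -> str:
    """Constructed sample reply in the shape shown above (CDATA-wrapped XACML)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        f'<ns:getDecisionByAttributesResponse xmlns:ns="{AXIS_NS}">'
        f'<ns:return><![CDATA[<Response xmlns="{XACML_NS}"><Result>'
        f'<Decision>{decision}</Decision><Status>'
        '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>'
        '</Status></Result></Response>]]></ns:return>'
        '</ns:getDecisionByAttributesResponse></soapenv:Body></soapenv:Envelope>'
    )


if __name__ == "__main__":
    for d in ("Permit", "Deny", "NotApplicable", "Indeterminate"):
        print(d, xacml_service_outcome(sample_response(d)))
```

Because the inner document is a string, a single ET.fromstring on the envelope will not find a Decision element; a caller that searches the envelope directly for Decision gets nothing and, unless it fails closed as above, could mistake that for a harmless result.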


iWay Software