Deployment Policy in Datapower

1.       What is Deployment Policy?

        An object in Datapower used to modify/filter imported configurations. When we import object(s) from one domain or environment to another, we may want to filter out or change       certain object configurations for the new domain or environment. This can be achieved using         (DP)Deployment Policy.

2.       How does DP work?

      Deployment Policy works through rules.  A DP may contain three types of rules-

      a) Accepted Configuration - Only the matching configuration is accepted during import.

      b) Filtered Configuration - The matching configuration is excluded during import.

      c) Modified Configuration - The matching configuration is altered during import.

3.       Describe configuration of Deployment policy along with each type of rule mentioned above.

      To create a DP, follow the below steps:

i)       In the left search panel in Datapower, type Deployment Policy .

ii)     The below window opens. Go to Add.

iii)   In the Main tab, enter a name for the Deployment Policy. Write comment (optional) for this DP.

a)      Accepted Configuration-

Accept configuration rules are used to import ONLY the configurations that match the accept rule. Rest all other configurations, if being imported along with this DP, will be ignored and will NOT be imported. As an example, let us assume we want to import ONLY a crypto cert named, myCert.

We would need to provide exact configuration match corresponding to myCert.

It is a good practice to use match builder to write exact matching configuration.

Go to Accepted Configuration -> Build

A Match Builder dialog box appears where details need to be entered for an exact configuration path. The below six fields need to be filled –

·         Device Address - Identifies the local management IP address of the device to which the statement is applied. Leave blank (or ‘*’) for all.

·         Application Domain - Identifies the application domain to which the statement is applied. Select (none) for all.

·         Resource Type – Identifies the name of the resource type, eg. Crypto certificate, web service proxy etc. To match all types, select '(all resources)'.

·         Name Match (PCRE) - Limits the statement to resources with the specified names. Use a PCRE to select groups of resource instances. (PCRE refers to regular expression -  eg. myCer*)

·         Configuration Property- Limits the statement to the configuration property with the specified name.

·         Configuration Value Match (PCRE) – Refers to configuration with matching property values. Use a PCRE Match Expression to select groups of configuration property values.

For this scenario, where we need only myCert to be imported from the entire set of objects, we would mention as below-

Since we need to import the entire myCert object, and not just a particular property, we would leave the last two options blank, as shown above.

Once we save, the below Accepted Configuration expression would be formed –

Next, Apply and save configuration.

This gives a Deployment Policy DPDemo which needs to be included along with imported object(s) to get only myCert imported during importing configuration.

b)      Filtered Configuration –

In case when certain objects/configurations need to be filtered out during import, this property would be used. The configuration of Filtered Configuration expression is similar to the way we saw in Accepted Configuration. Kindly refer the process explained above (point a) for the same.

c)       Modified Configuration –

As described above, Modified Configuration property would be used when the requirement is to change or modify certain properties/configurations in the imported object(s).

There is a separate tab for Modified Configuration.

As an example, suppose the requirement is to change the port number of the Front Side Handler (myFSH) getting imported from a different domain or environment.

Let the existing port number be 4788 and it needs to be changed to 4789.

Following steps would be followed to get the correct  expression:

1.       Go to Modified Configuration tab and click Add.

In the edit modified configuration window, entry is required.

2.       Go to Build to create a proper configuration match expression. Make the below entry –

The entry made, shows the existing FSH property that needs to be changed. Save the changes. The resultant expression is : */*/protocol/http?Name=myFSH&Property=LocalPort&Value=4788

3.       Next, in Modification Type, there are three options –

·         Add Configuration- To add a new property  to the existing configuration

·         Change Configuration- To change an existing configuration

·         Delete Configuration- To delete an existing configuration

Here, in this example we need to change the existing configuration. So we follow the below steps. (In case one needs to add or delete, similar steps need to be followed. The options are self-explanatory.)

Next, Apply.

The below expression is formed. Apply and Save.

*/*/protocol/http?Name=myFSH&Property=LocalPort&Value=4788

Thus we get a new Deployment Policy DPDemo which should be included in the imported configuration to get the desired change.

Datapower Deployment Scenarios

This article explains on the Datapower Deployment Scenarios and their specific functions inside an enterprise environment.

1. Lab environment – this is an isolated environment that allows testing of any major new firmware release features to be tested without any impact on ongoing development streams. This assist change management of new features and testing new feature before implementation.

2. Development environment – this is an very common practice to isolate Datapower service development to a dedicated environment. This will usually be an single appliance for developers as an black sandbox to develop as well as do project-specific configurations.

3. Testing environment – this is an isolated test environment from the development environment mentioned above. This environment is used to test all developed services. The appliance provide easy to service migration between appliances and domains.

4. Staging environment – the environment allows testing pre-releases, or rolling new releases into production. The environment is used to do performance testing to determine sizing and scaling of production appliances.

5. Production environment – appliances in the production environment can be deployed as a cluster in an active/passive configuration or active/active configuration. Appliances can balance traffic to target servers using the Application Optimization feature.

6. DR environment – Many organization require full data center failover to a second fully equipped site. The DR environment will provide failover appliance.

OAuth Implementation in Datapower XI52

OAuth is an authorization framework that allows a resource owner to grant permission to access their resources without sharing their credentials with a third party. Traditionally in client-server authentication model, the client uses its credentials to access its resources hosted by the server. OAuth introduces a third role called the resource owner. In this model, the client (which is not the resource owner, but is acting on its behalf) requests access to resources controlled by the resource owner, but hosted by the server.

Below figure shows OAuth in Datapower,

How to Use It?

To use the OAuth protocol, we need an AAA policy. The AAA policy must be defined in a processing rule of Web Token Service or Multi-Protocol Gateway.After successfully generating an access token, processing returns a node set that becomes part of the JSON object that contains the access token and optionally a refresh token.

1.     When configured through a Web Token Service, the service supports as authorization server endpoints

2.     When configured through a Multi-Protocol Gateway, the service supports as authorization server endpoints and enforcement point for resource servers.

Types of Protocol Flow

1.     Three Legged Flow – There are 3 entities namely the resource owner, an OAuth client who wants to access the resource, the resource server. The resource owner does not share its credentials to client instead it gives authorization grant and a client ID by an authorization service. Using authorization grant, OAuth client request an access token from authorization service to access the resource on resource server.

2.     Two Legged Flow – There are only 2 entities where the resource owner and OAuth client overlaps. The client needs resource owner credentials or a client credentials grant type. There are four credential grant type scenarios.

1. Implementation (Two legged Flow) through WTS (Grant type scenario- resource owner password credentials)

This scenario involves exchanging the resource owner’s username and password for an access token and make use of that token to access resources, which means the client possess the resource owner’s credentials. Client application sends a token request containing the resource owner username and password as well as its information to an authorization server and receives an access token. When acting as an authorization server, Datapower accepts and verifies an OAuth request and generates an access token. When acting as an enforcement point for a resource server, Datapower verifies the access token and validates it against the resource the client is requesting. Below steps describes this implementation,

STEP 1 Create an OAuth client object as below,

STEP 2 Create an OAuth client group object as below,

STEP 3 Create a AAA Policy with OAuth Config,

3 A. Extract Identity (EI)

3 B. Authentication (AU)

3 C. Resource Extraction(ER)

3 D. Authorization (AZ)

Sample AAA file,

STEP 4 Create an authorization server using the Web Token Service as below,

4 A.WTS Config,

4 B.WTS generated Processing Policy,

STEP 5 Create a resource server enforcement point using the Multi-Protocol Gateway as below,

5 A. Front Side Handler Config,

5 B. Processing policy for enforcement,

5 C. choose a static backend type, here it is a simple loopback XML Firewall. Request type as non-xml, Response type as Pass through and propagate URI to on.

STEP 6 Testing the Configuration,

6 A. Client request to invoke the authorization service and fetch access token (Web token service)

Curl command,

curl -k https://<dp:ip>:5040/ –user password-client:passw0rd -d “grant_type=password&username=john&password=passW&scope=/getAccount {“token_type”:”bearer”,”access_token”:”bearer”,”expires_in”:3600 }”

6 B. Access token verified by the MPGW (Resource Service)

Curl command,

curl -k https://<dp:ip>:5041/getAccount -H “Authorization: Bearer AAEPcGFzc3dvcmQtY2xpZW50tOItBbbumS0yrr/H+fPT8VbAvrI3xX55MSfy7Pnjz07usWpDnPm+0evCFTcPjtUwt5SrAhdplb3QnH+Dy36pCg”

2.Implementation (Two legged Flow) through WTS (Grant Type Scenario-Client Credential)

In this scenario client itself the resource owner, which means client can get an access token by presenting its own credentials, avoiding its credentials from being exposed in each and every resource request.However,client credentials flow implementation is similar to resource owner password credentials configuration,

STEP 1 Configure the OAuth client application with the Datapower,

1 A.Configure an OAuth Client Profile similar to above implementation except for the grant type as below,

1 B. Configure the created client profile with OAuth Client Group,

1 C. Use the OAuth client group in AAA policy to implement in Authorization service,

Authentication(AU)

Resource Extraction(ER)

Authorization (AZ)

1 D. Use the OAuth client group in another AAA policy(below Config) to implement in Enforcement service,

Resource Extraction(ER)

Authorization(AZ)

STEP 2 Create an authorization service using the Web Token Service,

Create a WTS with SSL proxy profile and get the processing policy generated with AAA action that has OAuth Client configured earlier,

STEP 3 Create a resource server enforcement point using the Multi-Protocol Gateway,

3 A. Create a front side handler that listens the WTS Authorization service,

3 B. Create a processing policy for the enforcement point having the,

3 C. Choose a static backend type, here it is a simple loopback XML Firewall. Request type as non-xml, Response type as Pass through and propagate URI to on.

Troubleshooting the Configurations,

Scenario 1: Scope not sufficient

Request to invoke WTS Authorization service and get access token,

Curl Command,

curl -k https://<dp:ip>:5050/token -u ac-appln:passw0rd -d “grant_type=client_credentials&scope=getAccount”

Response,

Request with access token to enforcement service to get the response,

Curl Command,

curl -k https://<dp:ip>:5051/getAccount -H “Authorization: Bearer AAEIYWMtYXBwbG5NYwZ3Pi01cM3Rge0qjdvfh4VJ19KCNQoEfkbyiiXvCw9oZLfPdwC7OarGlixMcD46KqjChfuuHB6U/vpL7lWp”

Response,

We get the response as insufficient_scope because URL sent by client is checked for the ER phase for the endpoint server AAA policy, here the scope in the token request includes the leading slash.

Scenario 2: Invalid Client Application

Curl Command,

curl -k https://<dp:ip>:5050/token -d “grant_type=client_credentials&scope=/getAccount&client_id=application&client_secret=passw0rd”

Response,

Scenario 3: Success

Curl Command,

curl -k https://<dp:ip>:5050/token -u ac-appln:passw0rd -d “grant_type=client_credentials&scope=getAccount”

Request to invoke enforcement service(MPG),

curl -k https://<dp:ip>:5051/getAccount -H “Authorization: Bearer AAEIYWMtYXBwbG5NYwZ3Pi01cM3Rge0qjdvfh4VJ19KCNQoEfkbyiiXvCw9oZLfPdwC7OarGlixMcD46KqjChfuuHB6U/vpL7lWp“

Response,