Friday, 29 April 2016

AAA policy in DataPower

AAA policies
An AAA (authentication, authorization, audit) policy identifies a set of resources and procedures that determine whether a requesting client is granted access to a specific service, file, or document. AAA policies can be considered a type of filter, for they accept or deny a specific client request.


AAA policies are powerful and flexible. They support a range of authentication and authorization mechanisms. You can "mixed and matched"multiple authentication and authorization mechanisms in a single policy. For example, one AAA policy can use a single RADIUS server to provide authentication and authorization services. A second policy can use a RADIUS server for authentication, use a local XML file to map the RADIUS authentication credentials to an LDAP group name, and use an LDAP server to authorize the LDAP group.

Authenticate Requests 
  • Click XML Firewall on the Control Panel.  Click Add Wizard. The Wizard launches. Click the Access Control (AAA) radio button.  Click Next.
  • Enter AAADemo in the Name field.  Click Next. Set the Firewall Type to loopback-proxy.  Click Next.
  • Click XML Firewall on the Control Panel.  Click Add Wizard. The Wizard launches. Click the Access Control (AAA) radio button.  Click Next.
  • Choose the Host Alias for the client-facing port on your device. Specify the port number as 2525. Click Next.
  • Click the + button to create a new AAA Policy.  The AAA Policy Wizard launches.
  • Name policy Cendata.  Click Create.
  • Configure AAA Policy to extract Password-carrying Username Token Element from WS-Security Header. Note the extensive choices for extracting identity. Here you are telling DataPower to pull the user identity and password from the WS-Security headers in Username Token format. Click Next.
  • Configure AAA Policy to Authenticate using DataPower AAA Info File (the default). Here you are telling DataPower to authenticate the username and password extracted from the WS-Security header against an XML file that is resident on the device. Normally you might authenticate that uid/password against an LDAP server.
  • Select XML file store:///AAAInfo.xml from the drop-down lists (this file ships with the device). Note the extensive choices for authenticating users. Click Next.

  • On the next page of the wizard, configure the policy to extract the resource from Local Name of Request element. Since we have now authenticated the user, we need to see what resource they are asking for access to.  If the message is a SOAP message, this is the local name of the child element of the SOAP Body element (the first element after the <soap:body> tag), which for Web services is normally the operation name. Otherwise, if this is a pure XML (non-SOAP) message, this is the local name of the root node of the message. Click Next.
  • On the next page, configure the AAA Policy to authorize any authenticated client (the default). Now that we know who the client is and what they are after, we need to tell DataPower how to do the authorization step to check to see if this is OK. Here we are using loose authorization (any authenticated client). Sometimes this level of authorization is “good enough” for the perimeter, and more fine-grained authorization will be done by the app server on the back-end – for example using J2EE security constraints in the deployment descriptor to add security to Web Services backed by EJB calls. Note the extensive options here for authz. Click Next.



  • On the next page of the AAA wizard, note the extensive Post Processing options for logging, counting, auditing and creating tokens such as LTPA, SAML, and Kerberos/SPNEGO for injection into the message. We will do no post processing for this lab, so leave the page unchanged and click Commit.




    • Click Done to the Firewall Wizard.  The CenData AAA policy that you have just created should be selected. Click Next.
    • The Confirmation Page appears. Click Commit.

      • Click Done. The Control Panel appears. Save your configuration.
      • Submit a well-formed request.

      No comments:

      Post a Comment