Open the DataPower URL.
Log in with the admin username and password, and make sure you select the appropriate domain.
1- First we need to create an SSL profile to be used with the HTTPS front side handler.
Please note: we do not need to repeat this step for each service.
Preliminary DataPower configuration
Configure the SSL
Generating keys
To begin, we must create a public and private key pair. In this scenario, the public key is stored in a self-signed X.509 certificate. Note that in a production or real-world scenario, the certificate is signed by a trusted Certificate Authority (CA).
To create the certificate and private key:
1. By using the DataPower WebGUI, select Administration → Crypto Tools to navigate to the cryptographic tools page.
2. On the Generate Key tab of the Crypto Tools page, enter the details as shown in Figure 1-2 on page 6. Use the password itso for the key. Then click the Generate Key button.
Figure 1-2 Generating a private key and self-signed certificate
3. In the confirmation window that opens, click Confirm to create the key and certificate. The appliance creates the key.
4. The window (Figure 1-3) that opens indicates successful completion of the operation. Click Close to return to the Generate Key page.
Creating a Crypto Identification Credential
DataPower uses a Crypto Identification Credential to associate or match a public key and private key for use in cryptographic operations such as establishing SSL connections. In this section, we use the certificate and private key that we created in the previous section to build a new Crypto Identification Credential.
1. With the DataPower WebGUI, navigate to Objects → Crypto Identification Credentials.
2. On the Configure Crypto Identification Credentials page, click Add and configure a Crypto Identification Credential as shown in Figure 1-4 on page 8.
3. Click Apply to save the changes.
Creating a Crypto Validation Credential
DataPower uses Validation Credentials (ValCred) to validate digital signatures and received certificates. A Validation Credential is a list of certificate objects and is required by the DataPower SSL configuration.
To create a Validation Credential:
1. Select Objects → Crypto Validation Credentials to navigate to the Validation Credential creation page.
2. On the Configure Crypto Validation Credentials page, click Add.
3. Configure a new Validation Credential as shown in Figure 1-5 on page 9. Click Apply to save the changes.
Creating a Crypto Profile
A Crypto Profile in the DataPower appliance associates a Crypto Identification Credential with a Crypto Validation Credential. A Crypto Profile is required when configuring an SSL Proxy Profile, which we create in “Creating an SSL Proxy profile” on page 11.
To create a Crypto Profile:
1. In the DataPower WebGUI, select Objects → Crypto → Crypto Profile.
2. On the Configure Crypto Profile page, click Add.
3. Create a new Crypto Profile as shown in Figure 1-6 on page 10. Click Apply to save the changes.
Creating an SSL Proxy profile
To manage the SSL connection, the identification and validation objects are grouped together to form an SSL Proxy Profile.
To create an SSL Proxy Profile:
1. In the DataPower WebGUI, select Objects → Crypto → SSL Proxy Profile.
2. On the Configure SSL Proxy Profile page, click Add.
3. Create a new SSL Proxy Profile as shown in Figure 1-7.
4. Click Save Config to save the running configuration.
Configuring a Web service proxy
In this section, we explain how to create a Web service proxy on the DataPower XI50 appliance that will support the example scenario. With a Web service proxy, a Web service can be rapidly integrated with a DataPower appliance. By using only the Web Service Description Language (WSDL) file that describes the Web service, a nearly complete implementation that proxies the actual Web service can be constructed.
Client Authentication Is Optional field: We set the Client Authentication Is Optional field to on so that the SSL Proxy Profile does not prompt the requesting client to present a certificate for verification when the SSL connection is initiated.
IBM WebSphere DataPower SOA Appliances Part II: Authentication and Authorization, page 12
The following steps are required to build the Web service proxy:
1. Create the Web service proxy object.
2. Create and configure an HTTPS listener.
Creating a Web service proxy
To create the Web service proxy:
1. From the main page of the DataPower WebGUI (Figure 1-8), select Control Panel → Web Service Proxy to navigate to the Web service proxy creation object.
2. Click the Add button to create a new Web service proxy object.
3. On the Configure Web Service Proxy page (Figure 1-9), in the Web Service Proxy Name field, type ITSO_PRIMES. Click the Upload button to upload the WSDL file for the Primes Web service to the appliance.
4. In the File Management window (Figure 1-10), click the Browse... button and select the file to upload. Then click Upload. Ensure that the file uploads successfully and click Continue to proceed.
The Web service proxy that represents the Primes Web service is now created.
Creating an HTTPS listener
The Web service proxy must accept SSL connections. Therefore, we must create an SSL-enabled object called an HTTPS Front Side Handler to manage SSL connections to the Web service.
To build an HTTPS Front Side Handler:
1. Navigate to the WSDLs tab of the Web service proxy object that was just created.
2. If necessary, expand the plus (+) sign (circled in Figure 1-11) beneath “WSDL Source Location” to display the Web service’s local and remote endpoints.
3. Edit the Hostname and Port field of the remote endpoint to be the host name or IP address of the machine that is hosting the Primes Web service.
4. Click the + button for Local Endpoint Handler to create a new SSL-enabled HTTP listener for the Web service proxy, and select the HTTPS (SSL) Front Side Handler option (Figure 1-12).
5. In the Configure HTTPS (SSL) Front Side Handler window, complete the fields as shown in Figure 1-13.
6. Scroll down until you see SSL Proxy. Select the SSL Proxy that was created in the previous section from the menu as shown in Figure 1-14.
7. Click Apply.
The Front Side Handler of the Web service proxy is now configured.
AAA concepts and policy creation
Creating a processing rule and AAA action
When a Web service proxy object is created, default request and response processing rules are created. As with other DataPower service objects, such as XML firewalls, additional processing rules can be created. A key difference of Web service proxy objects is that rules can be created to process messages at the WSDL, service, port, and operation levels of the Web service. Additional rules can also be created at the Web service proxy level.
In this scenario, we define a processing rule at the WSDL level. To create the new rule:
1. In the DataPower WebGUI, navigate to the Policy tab of the ITSO_PRIMES Web service proxy.
2. On the Policy tab (Figure 2-2), click the Add Rule button.
3. In the shaded section as shown in Figure 2-3, complete these steps:
a. Drag the AAA icon onto the new processing rule.
b. Select the Client to Server radio button. The Client to Server setting ensures that the AAA action is only used on incoming requests.
c. Double-click the AAA action to configure it.
4. In the Configure AAA Action window, configure the AAA action as shown in Figure 2-4 and click Done.
The AAA action has been added to the new processing rule, as shown in Figure 2-5.
Extracting the identity
The first stage of the AAA policy is the extraction of the user’s identity. On the Configure AAA Policy page, click the Identity tab. On the Identity page (Figure 4-11), select the Password-carrying UsernameToken element from WS-Security Header option.
Authenticating requests
The next logical stage of the AAA policy is the authenticate step. On the Configure AAA Policy page, click the Authenticate tab. On the Authenticate page, enter the appropriate information for the Tivoli Directory Server location and bind DN as shown in Figure 4-12.
Mapping the credentials
You do not need to perform any credential mapping in this scenario. On the Configure AAA Policy page, click the Resource tab to configure the resource extraction method.
Extracting the resources
You must define the resource that the request is trying to access. As described in Chapter 3, “AAA with Tivoli Access Manager” on page 29, several mechanisms are available in this step. Like the Tivoli Access Manager AAA policy, you select the Local Name of Request Element option as shown in Figure 4-13.
Mapping the resources
You do not need to perform any resource mapping in this scenario. On the Configure AAA Policy page, click the Authorize tab to configure the authorization mechanism.
Configuring the authorization
Next, you configure the authorization mechanism. For this AAA policy, you check the user’s membership in the primes Tivoli Directory Server (LDAP) group. Configure the Authorize page as shown in Figure 4-14 and click Apply.
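As an added illustration (not DataPower code, and not part of the original book or post), the following Python simulates the AAA stages configured above on a constructed SOAP request: it pulls the identity from a password-carrying UsernameToken in the WS-Security header, checks the password against a stand-in for the Tivoli Directory Server bind, takes the local name of the request element as the resource, and authorizes on membership in the primes group. The operation name isPrime, the namespace urn:example:primes, and the users and passwords are assumptions.

```python
import hmac
import xml.etree.ElementTree as ET
# SOAP 1.1 and WS-Security (WSS 1.0) namespaces; PasswordText is the clear-text token profile
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
# Constructed stand-in for the Tivoli Directory Server: bind passwords and the primes group
DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}
GROUPS = {"primes": {"alice"}}

def build_request(user, password, operation="isPrime"):
    """Constructed sample call to the Primes service (operation name and namespace are hypothetical)."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username>
    <wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><p:{operation} xmlns:p="urn:example:primes"><p:number>17</p:number></p:{operation}></soap:Body>
</soap:Envelope>"""

def extract_identity(root):
    """Identity stage: password-carrying UsernameToken from the WS-Security header."""
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    user = None if token is None else token.findtext("wsse:Username", namespaces=NS)
    pw = None if token is None else token.find("wsse:Password", NS)
    # Only the clear-text profile is accepted here; a digest token would need a different check
    if not user or pw is None or pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return None
    return user, pw.text or ""

def authenticate(user, password):
    """Authenticate stage: simulated LDAP bind with the presented password (constant-time compare)."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def extract_resource(root):
    """Resource stage: local name of the request element, i.e. the first child of the SOAP Body."""
    body = root.find("soap:Body", NS)
    return None if body is None or len(body) == 0 else body[0].tag.rsplit("}", 1)[-1]

def run_aaa(envelope_xml, group="primes"):
    """Run the stages in the page's order; any failing stage rejects the request."""
    root = ET.fromstring(envelope_xml)
    identity = extract_identity(root)
    if identity is None or not authenticate(*identity):
        return {"accepted": False, "reason": "authentication failed"}
    resource = extract_resource(root)
    if identity[0] not in GROUPS.get(group, set()):  # Authorize stage: group membership check
        return {"accepted": False, "reason": "not in group " + group, "resource": resource}
    return {"accepted": True, "user": identity[0], "resource": resource}
```

A request with no UsernameToken, a wrong password, or a user outside the primes group is rejected before it reaches the backend, which is the behaviour the Authorize tab above enforces on the appliance.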