WSS Consumer Policy Resource

You can use the WSS Consumer policy resource to enforce confidentiality, integrity, timestamp, and credential mapping.

General Configurations

You can specify the general information of the WSS Consumer policy resource.

The following table lists the general configurations of the WSS Consumer policy resource:

Field Module Property? Description
Package No The name to be displayed as the label of the policy resource package.
Name No The name of the policy resource.
Description No A description of the policy resource.

Shared Resource for WSS Processing

In the Shared Resource for WSS Processing panel, you can specify the WSS Authentication shared resource.

The following table lists the configuration in the Shared Resource for WSS Processing panel of the WSS Consumer policy resource:

Field Module Property? Description
WSS Authentication No The WSS Authentication shared resource that the WSS Consumer policy references.
Note: This function is only supported in TIBCO ActiveMatrix BusinessWorks.

Service Provider Details

In the Service Provider Details panel, you can specify parameters in the Confidentiality tab, the Integrity tab, the Timestamp tab, and the Credential Mapping tab.

Confidentiality

In the Confidentiality tab, you can configure the policy for an outbound request to be encrypted and an inbound response to be decrypted at its endpoint.

The following table lists the configurations in the Confidentiality tab:

Field Description
Encrypt Request Select this check box to require that the outbound request is encrypted.
When you select this check box, you can configure the following parameters:
  • Trust Provider: select a Trust Provider shared resource.
  • Key Alias: specify a key alias.
  • Algorithm Suite: select the algorithm suite used for cryptographic operations with symmetric-key or asymmetric-key security tokens. An algorithm suite names the actual algorithms and the allowed key lengths.

    The default value is Basic128. You can also select a different algorithm suite from the list.

  • Encrypt Parts: select the Body or Header check box, or both.

    The Body check box is selected by default.

Decrypt Response Select this check box to require that the inbound response is decrypted.

Integrity

In the Integrity tab, you can sign an outbound request and verify the signature of an inbound response.

The following table lists the configurations in the Integrity tab:

Field Description
Sign Request Select this check box to require that the outbound request is signed.
When you select this check box, you can configure the following parameters:
  • Subject Provider: select a Subject Provider shared resource.
  • Digest Algorithm for Signature: select a digest algorithm for signature.

    The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.

    The default value is SHA-256. You can also select a different type from the list.

  • Algorithm Suite: select the algorithm suite used for cryptographic operations with symmetric-key or asymmetric-key security tokens. An algorithm suite names the actual algorithms and the allowed key lengths.

    The default value is Basic128. You can also select a different algorithm suite from the list.

  • Sign Parts: select the Body or Header check box, or both.

    The Body check box is selected by default.

Verify Signature on Response Select this check box to require that the signature on the inbound response is verified.
Then choose which parts must be signed from the Verify parts that are Signed list:
  • Entire message
  • Message header
  • Message body

Timestamp

In the Timestamp tab, you can insert a timestamp in an outbound request and verify a timestamp in the inbound response.

The following table lists the configurations in the Timestamp tab:

Field Description
Set Timestamp on Request Select this check box to insert a timestamp in the outbound request. Specify its time-to-live, in seconds, in the Specify Time-To-Live Value (sec) field.
Verify Timestamp on Response Select this check box to require that the timestamp in the inbound response is verified.
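As an added example (not TIBCO's code) of what the two Timestamp settings mean on the wire, the following Python builds the wsu:Timestamp header a consumer stamps on a request from a time-to-live value, and checks a response timestamp the way the consumer side must, rejecting missing, malformed, future-dated or expired stamps. The namespace URIs are the standard WSS 1.0 utility and secext ones; the wsu:Id value and the 60-second clock-skew allowance are assumptions.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("wsu", WSU_NS)
ET.register_namespace("wsse", WSSE_NS)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")  # xsd:dateTime, UTC only

def _fmt(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(DATE_FORMATS[0])

def _parse(text: str) -> int:
    for fmt in DATE_FORMATS:  # accept with or without fractional seconds
        try:
            return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            pass
    raise ValueError("not a UTC xsd:dateTime: %r" % text)

def build_security_header(now_epoch: int, ttl_seconds: int) -> str:
    """Set Timestamp on Request: Expires = Created + time-to-live (wsu:Id value is assumed)."""
    sec = ET.Element(f"{{{WSSE_NS}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU_NS}}}Timestamp", {f"{{{WSU_NS}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU_NS}}}Created").text = _fmt(now_epoch)
    ET.SubElement(ts, f"{{{WSU_NS}}}Expires").text = _fmt(now_epoch + ttl_seconds)
    return ET.tostring(sec, encoding="unicode")

def verify_timestamp(header_xml: str, now_epoch: int, clock_skew_seconds: int = 60) -> bool:
    """Verify Timestamp on Response: accept only a well-formed, current stamp (skew is assumed)."""
    ts = ET.fromstring(header_xml).find(f"{{{WSU_NS}}}Timestamp")
    if ts is None:
        return False                       # no timestamp at all: fail closed
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    if created_el is None or expires_el is None:
        return False                       # both elements must be present
    try:
        created, expires = _parse(created_el.text or ""), _parse(expires_el.text or "")
    except ValueError:
        return False                       # malformed dates are rejected, not tolerated
    if expires <= created:
        return False                       # nonsensical lifetime
    if created > now_epoch + clock_skew_seconds:
        return False                       # stamped in the future
    if now_epoch > expires + clock_skew_seconds:
        return False                       # lifetime exceeded
    return True
```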

Credential Mapping

In the Credential Mapping tab, you can select either Username token credential mapping or SAML token credential mapping to map credentials to the outbound request.

The following table lists the configurations in the Credential Mapping tab:

Field Description
No Credentials Credential mapping is not enforced.
Username Token based Credential Mapping Two options are available for the credential mechanism:
  • Fixed: specify an Identity Provider resource in the Identity Provider field.

    This check box is selected by default.

  • Conditional: specify the types of users for which your application maps credentials: authenticated users with roles, authenticated users, and anonymous users.

    Credentials are mapped for authenticated users if the request comes from an authenticated service. Credentials are mapped for anonymous users if the request comes from an unauthenticated service.

    • Role based Identity Providers: type roles for authenticated users and associate an identity provider with each role. You can reuse the same identity provider for multiple roles.
    • Authenticated Identity Provider: select an Identity Provider shared resource for authenticated users.
    • Anonymous Identity Provider: specify an identity provider for anonymous users to access your secure application. If you do not want anonymous users to have access, do not specify an identity provider.
      Note: Application logic can also affect how credentials are mapped for anonymous users. For example, application logic might require that anonymous requests are redirected to specific entry points. If an anonymous request is directed to an enforced entry point, the request is rejected.
SAML Token based Credential Mapping The following parameters can be configured for SAML token-based credential mapping:
  • SAML Token Profile: select a token type, either SAML 1.1 Token 1.1 or SAML 2.0 Token 1.1.
  • Sign SAML Assertion: if you select this option, specify a subject provider, a digest algorithm for signature, and an algorithm suite.
  • SAML Issuer Name: type a SAML issuer name.
  • SAML Assertion Validity: select SAML Assertion Validity (forever) to ensure that the SAML assertion is valid indefinitely. Optionally, you can enter a value in the Specify Validity Period (sec) field to specify the number of seconds the SAML assertion is valid.