You can use the WSS Consumer policy resource to enforce confidentiality, integrity, timestamp, and credential mapping.
General Configurations
You can specify the general information of the WSS Consumer policy resource.
The following table lists the general configurations of the WSS Consumer policy resource:

| Field | Module Property? | Description |
|---|---|---|
| Package | No | The name to be displayed as the label of the policy resource package. |
| Name | No | The name of the policy resource. |
| Description | No | A description of the policy resource. |
Shared Resource for WSS Processing
In the Shared Resource for WSS Processing panel, you can specify the WSS Authentication shared resource.
The following table lists the configuration in the Shared Resource for WSS Processing panel of the WSS Consumer policy resource:

| Field | Module Property? | Description |
|---|---|---|
| WSS Authentication | No | The WSS Authentication shared resource that the WSS Consumer policy references. Note: This function is only supported in TIBCO ActiveMatrix BusinessWorks. |
Service Provider Details
In the Service Provider Details panel, you can specify parameters in the Confidentiality tab, the Integrity tab, the Timestamp tab, and the Credential Mapping tab.
Confidentiality
In the Confidentiality tab, you can configure the policy so that an outbound request is encrypted and an inbound response is decrypted at its endpoint.
The following table lists the configurations in the Confidentiality tab:

| Field | Description |
|---|---|
| Encrypt Request | Select this check box to require the outbound request to be encrypted. When you select this check box, you can configure the following parameters: |
| Decrypt Response | Select this check box to require the inbound response to be decrypted. |
Integrity
In the Integrity tab, you can sign an outbound request and verify the signature of an inbound response.
The following table lists the configurations in the Integrity tab:

Field: Sign Request
Description: Select this check box to require the outbound request to be signed. When you select this check box, you can configure the following parameters:
- Subject Provider: select a Subject Provider shared resource.
- Digest Algorithm for Signature: select a digest algorithm for the signature. The algorithm takes a message of arbitrary length as input and produces a 128-bit "fingerprint" or "message digest" of the input. The default value is SHA-256. You can also select a different type from the list.
- Algorithm Suite: specifies the algorithm suite required for performing cryptographic operations with symmetric or asymmetric key based security tokens. An algorithm suite specifies the actual algorithms and the allowed key lengths. The default value is Basic128. You can also select a different algorithm suite from the list.
- Sign Parts: select the Body or Header check box, or both. The Body check box is selected by default.

Field: Verify Signature on Response
Description: Select this check box to require the signature of an inbound response to be verified. Select an option from the Verify parts that are Signed list:
- Entire message
- Message header
- Message body
Timestamp
In the Timestamp tab, you can insert a timestamp in an outbound request and verify the timestamp in the inbound response.
The following table lists the configurations in the Timestamp tab:

| Field | Description |
|---|---|
| Set Timestamp on Request | Inserts a timestamp in the outbound request. Specify its time-to-live in seconds in the Specify Time-To-Live Value (sec) field. |
| Verify Timestamp on Response | Select this check box to require the timestamp in the inbound response to be verified. |
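As an added example (not TIBCO product code), the following Python models what the two Timestamp settings enforce: the request carries a wsu:Timestamp whose Expires is derived from the time-to-live, and a response is rejected when its timestamp is missing, expired, future-dated beyond an allowed clock skew, or open for longer than a configured maximum. The namespace URI is the standard WS-Security utility namespace; the fixed clock, TTL, skew and window values are constructed for the demonstration.

```python
# Added example, not TIBCO product code: a minimal model of the Timestamp
# tab's two settings using a WS-Security wsu:Timestamp element.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ET.register_namespace("wsu", WSU)
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed fixed clock so results are deterministic.
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

def at(seconds):
    """Return FIXED_NOW shifted by the given number of seconds."""
    return FIXED_NOW + timedelta(seconds=seconds)

def build_timestamp(ttl_seconds, now):
    """Set Timestamp on Request: Created = now, Expires = now + time-to-live."""
    ts = ET.Element(f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(FMT)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(seconds=ttl_seconds)).strftime(FMT)
    return ET.tostring(ts, encoding="unicode")

def verify_timestamp(xml_text, now, max_skew=60, max_window=300):
    """Verify Timestamp on Response: accept only a present, current, bounded window.
    Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    created_el = root.find(f"{{{WSU}}}Created")
    expires_el = root.find(f"{{{WSU}}}Expires")
    if created_el is None or expires_el is None:
        return False, "missing Created or Expires"
    try:
        created = datetime.strptime(created_el.text, FMT).replace(tzinfo=timezone.utc)
        expires = datetime.strptime(expires_el.text, FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return False, "unparsable Created or Expires"
    if created > now + timedelta(seconds=max_skew):
        return False, "Created is in the future beyond allowed clock skew"
    if expires <= now:
        return False, "timestamp has expired"
    if (expires - created).total_seconds() > max_window:
        return False, "validity window exceeds the configured maximum"
    return True, "ok"

if __name__ == "__main__":
    msg = build_timestamp(30, FIXED_NOW)
    print(verify_timestamp(msg, at(10)))   # within the 30 s time-to-live
    print(verify_timestamp(msg, at(31)))   # expired
```

The bounded-window check is the same consideration that makes a finite Specify Validity Period (sec) preferable to SAML Assertion Validity (forever) in the Credential Mapping tab.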
Credential Mapping
In the Credential Mapping tab, you can select either Username token credential mapping or SAML token credential mapping to map credentials to the outbound request.
The following table lists the configurations in the Credential Mapping tab:

Field: No Credentials
Description: Credential mapping is not enforced.

Field: Username Token based Credential Mapping
Description: One of two options can be selected for the credential mechanism:
- Fixed: specify an Identity Provider resource in the Identity Provider field. This check box is selected by default.
- Conditional: specify the types of users your application maps credentials for. You can choose to map credentials for authenticated users with roles, authenticated users, and anonymous users. Credentials are mapped for authenticated users if the request comes from an authenticated service, and for anonymous users if the request comes from an unauthenticated service.
  - Role based Identity Providers: type roles for authenticated users and associate an identity provider with each role. You can reuse the same identity provider for multiple roles.
  - Authenticated Identity Provider: select an Identity Provider shared resource for authenticated users.
  - Anonymous Identity Provider: specify an identity provider for anonymous users to access your secure application. If you do not want anonymous users to have access, do not specify an identity provider.
Note: Application logic can also affect how credentials are mapped for anonymous users. For example, application logic might require that anonymous requests are redirected to specific entry points. If an anonymous request is directed to an enforced entry point, the request is rejected.

Field: SAML Token based Credential Mapping
Description: The following parameters can be configured for SAML token based credential mapping:
- SAML Token Profile: select a token type, either SAML 1.1 Token 1.1 or SAML 2.0 Token 1.1.
- Sign SAML Assertion: if you select this option, specify a subject provider, a digest algorithm for signature, and an algorithm suite.
- SAML Issuer Name: type a SAML issuer name.
- SAML Assertion Validity: select SAML Assertion Validity (forever) to make the SAML assertion valid indefinitely. Alternatively, enter a value in the Specify Validity Period (sec) field to specify the number of seconds the SAML assertion is valid.