You can configure these policies by copying a template into an external policy set, and modifying the parameters appropriately.
You can find sample templates in the file TIBCO_HOME/amx/version/samples/policy/samples.zip.
Template                                                     Category
Authorization By Role Policies on page 154                   Authorization
Basic Authentication Policies on page 154                    Authentication
Basic Or Username Token Authentication Policies on page 156  Authentication
SAML Authentication For SSO Policies on page 156             Authentication
Username Token Authentication Policies on page 157           Authentication
Basic Credential Mapping Policies on page 154                Credential Mapping
SAML Credential Mapping For SSO Policies on page 156         Credential Mapping
WS-Security Consumer Policies on page 157                    WS-Security
WS-Security Provider Policies on page 158                    WS-Security
Policy Template to Intents Reference
The intents that a policy can provide are a subset of the intents that its policy template can provide; the policy configuration can narrow that set but never widen it.
The intents that each policy template can provide are listed below.
Policy Set Template                                          Can Provide these Intents
Authorization By Role Policies on page 154                   scaext:authorization.role
Basic Authentication Policies on page 154                    scaext:clientAuthentication.basic
Basic Credential Mapping Policies on page 154                scaext:credentialMapping.basic
Basic Or Username Token Authentication Policies on page 156  scaext:clientAuthentication.basic
                                                             scaext:clientAuthentication.usernameToken
SAML Authentication For SSO Policies on page 156             scaext:clientAuthentication.ssoSAML
SAML Credential Mapping For SSO Policies on page 156         scaext:credentialMapping.ssoSAML
Username Token Authentication Policies on page 157           scaext:clientAuthentication.usernameToken
WS-Security Consumer Policies on page 157                    scaext:credentialMapping.wssSAML
                                                             scaext:credentialMapping.usernameToken
                                                             scaext:consumerIntegrity.wss
                                                             scaext:consumerConfidentiality.wss
WS-Security Provider Policies on page 158                    scaext:clientAuthentication.wssSAML
                                                             scaext:clientAuthentication.usernameToken
                                                             scaext:clientAuthentication.x509
                                                             scaext:providerIntegrity.wss
                                                             scaext:providerConfidentiality.wss
TIBCO Business Studio lets you specify several security intents on a binding or component. For simplicity, we recommend satisfying those intents with fewer policies and policy sets (rather than proliferating many).
That is, where possible, use policies that satisfy several intents.
The policy samples in TIBCO_HOME/amx/version/samples/policy/samples.zip represent some typical use cases. They are organized in subdirectories by policy template name.
Authorization By Role Policies
You can configure Authorization By Role policies by copying a template into an external policy set, and modifying the parameters appropriately. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Several template samples are available.
Template File
• AllOperationsAllowedForRole.policysets
• AuthenticatedUsersOnly.policysets
• EveryoneAllowed.policysets
• NobodyAllowed.policysets
• SpecificOperationAllowedForALLRoles.policysets
• SpecificOperationSpecificRole.policysets
Can Provide these Intents
• scaext:authorization.role
Basic Authentication Policies
You can configure the Basic Authentication policy by copying a template into an external policy set, and modifying the parameters appropriately. You can find a sample template in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Template File
• BasicAuthenticationWithWebAppUsingLDAP.policysets
Can Provide these Intents
• scaext:clientAuthentication.basic
Basic Credential Mapping Policies
You can configure Basic Credential Mapping policies by copying a template into an external policy set, and modifying the parameters appropriately. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
You can configure this policy to retrieve user credentials from an Identity Provider resource instance. When using an Identity Provider resource instance to retrieve user credentials for a policy, in the Identity Provider resource template, check the Enable Access to Credential Store Containing Identity checkbox. The JCEKS keystore used in the Identity Provider resource template should be able to store symmetric keys.
Several template samples are available.
Template File
• BasicCredentialMappingFixed.policysets
• BasicCredentialMappingRoleBased.policysets
Can Provide these Intents
• scaext:credentialMapping.basic
UsernameToken - Nonce and Created Elements
When a Basic Credential Mapping or WSS Credential Mapping policy is used to insert a UsernameToken in the SOAP security header, the Nonce and Created elements can be optionally added.
You can configure a Basic Credential Mapping or WS-Security Consumer Credential Mapping policy to have the UsernameToken without the Nonce and Created elements by copying the template below and modifying the parameters appropriately. See the Policy Sets, Policy Templates Reference section in the Composite Development guide for more information about configuring policy sets.
The sample Basic Credential Mapping policy below generates the UsernameToken without the Nonce and Created elements.
<?xml version="1.0" encoding="UTF-8"?>
<ep:policySetContainer xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
    xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:scaext="http://xsd.tns.tibco.com/amf/models/sca/extensions"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:tpc="http://xsd.tns.tibco.com/governance/policy/common/2009"
    xmlns:jmsbt="http://xsd.tns.tibco.com/amf/models/sca/bindingtype/jms"
    xmlns:soapbt="http://xsd.tns.tibco.com/amf/models/sca/binding/soap"
    xmlns:webapp="http://xsd.tns.tibco.com/amf/models/sca/implementationtype/webapp"
    targetNamespace="http://www.example.org">
  <!-- add the policy sets here -->
  <sca:policySet name="CredentialMappingUsernameToken"
      provides="scaext:clientAuthentication.usernameToken"
      appliesTo="soapbt:binding.soap.service">
    <wsp:Policy template="tpt:WssConsumer"
        xmlns:tpt="http://xsd.tns.tibco.com/governance/policy/template/2009">
      <wsp:All>
        <!-- template parameters go here -->
      </wsp:All>
    </wsp:Policy>
  </sca:policySet>
</ep:policySetContainer>
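As an added example (not TIBCO's code), the following Python applies the rule stated under Policy Template to Intents, that a policy set may only claim intents its template can provide, to a policySetContainer in the format of the sample above: it reads each sca:policySet's provides attribute and the wsp:Policy template and reports any intent outside that template's row of the intents table. The container it checks is constructed here, and only the tpt:WssConsumer row is filled in because that is the only template id the page shows.

```python
import xml.etree.ElementTree as ET

NS = {"sca": "http://www.osoa.org/xmlns/sca/1.0",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy"}

# Intents a template can provide, from the page's "Policy Template to Intents" table,
# keyed by the local part of wsp:Policy/@template. tpt:WssConsumer is the only template
# id the page shows; add the other rows keyed by the ids used in your samples.zip.
TEMPLATE_INTENTS = {
    "WssConsumer": {"scaext:credentialMapping.wssSAML", "scaext:credentialMapping.usernameToken",
                    "scaext:consumerIntegrity.wss", "scaext:consumerConfidentiality.wss"},
}

# Constructed sample container (not from samples.zip): one policy set whose intents fit
# the WssConsumer template and one that claims an intent that template cannot provide.
SAMPLE_POLICY_SETS = """<ep:policySetContainer
    xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
    xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:soapbt="http://xsd.tns.tibco.com/amf/models/sca/binding/soap"
    xmlns:tpt="http://xsd.tns.tibco.com/governance/policy/template/2009"
    targetNamespace="http://www.example.org">
  <sca:policySet name="GoodConsumer" appliesTo="soapbt:binding.soap.service"
      provides="scaext:credentialMapping.usernameToken scaext:consumerIntegrity.wss">
    <wsp:Policy template="tpt:WssConsumer"><wsp:All/></wsp:Policy>
  </sca:policySet>
  <sca:policySet name="BadConsumer" appliesTo="soapbt:binding.soap.service"
      provides="scaext:clientAuthentication.x509">
    <wsp:Policy template="tpt:WssConsumer"><wsp:All/></wsp:Policy>
  </sca:policySet>
</ep:policySetContainer>"""


def check_policy_sets(xml_text):
    """Return (policy set name, problem, detail) tuples; empty means every claimed intent is allowed."""
    findings = []
    for ps in ET.fromstring(xml_text).findall("sca:policySet", NS):
        name = ps.get("name", "?")
        claimed = set(ps.get("provides", "").split())  # provides= is a space-separated list
        policy = ps.find("wsp:Policy", NS)
        template = policy.get("template", "") if policy is not None else ""
        allowed = TEMPLATE_INTENTS.get(template.split(":")[-1])  # strip the tpt: prefix
        if allowed is None:
            findings.append((name, "unknown-template", template))
            continue
        for intent in sorted(claimed - allowed):  # intents outside the template's set
            findings.append((name, "intent-not-provided-by-template", intent))
    return findings
```

Run against the page's own sample above, the checker would also report its provides="scaext:clientAuthentication.usernameToken", since the intents table lists scaext:credentialMapping.usernameToken, not clientAuthentication, for the WS-Security Consumer template; compare both against the template's declared intents in your samples.zip before relying on either.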
Basic Or Username Token Authentication Policies
You can configure the Basic Or Username Token Authentication policy by copying a template into an external policy set, and modifying the parameters. You can find a sample template in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
One template sample is available.
Template File
• BasicOrUsernameTokenAuthenticationWithSoapEpUsingLDAP.policysets
Can Provide these Intents
• scaext:clientAuthentication.basic
• scaext:clientAuthentication.usernameToken
SAML Authentication For SSO Policies
You can configure SAML Authentication For SSO policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Component services or promoted references authenticate the consumer's identity using a single sign-on SAML token. (Credential mapping policies propagate the SAML token to providers within the ActiveMatrix environment.)
Several template samples are available.
Template File
• SAMLAuthenticationForSSOSigned.policysets
• SAMLAuthenticationForSSOUnsigned.policysets
Can Provide these Intents
• scaext:clientAuthentication.ssoSAML
SAML Credential Mapping For SSO Policies
You can configure SAML Credential Mapping For SSO policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
References (or promoted services) propagate a SAML token asserting the consumer's identity to providers within the ActiveMatrix environment.
Several template samples are available.
Template File
• SAMLCredentialMappingForSSOSigned.policysets
• SAMLCredentialMappingForSSOUnsigned.policysets
Can Provide these Intents
• scaext:credentialMapping.ssoSAML
Username Token Authentication Policies
You can configure Username Token Authentication policies by copying a template into an external policy set, and modifying the parameters. You can find a sample template in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
One template sample is available.
Template File
• UsernameTokenAuthenticationWithSoapEpUsingLDAP.policysets
Can Provide these Intents
• scaext:clientAuthentication.usernameToken
WS-Security Consumer Policies
You can configure WS-Security Consumer policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Several template samples are available.
You can configure this policy to retrieve user credentials from an Identity Provider resource instance. When using an Identity Provider resource instance to retrieve user credentials for a policy, in the Identity Provider resource template, check the Enable Access to Credential Store Containing Identity checkbox. The JCEKS keystore used in the Identity Provider resource template should be able to store symmetric keys.
Template File
• WssConsumerAddUsernameTokenTimestampSignAndEncrypt.policysets
• WssConsumerCredentailMappingSAMLSigned.policysets
• WssConsumerCredentailMappingSAMLUnsigned.policysets
• WssConsumerCredentailMappingUsernameTokenFixed.policysets
• WssConsumerCredentailMappingUsernameTokenRoleBased.policysets
Can Provide these Intents
• scaext:credentialMapping.wssSAML
• scaext:credentialMapping.usernameToken
• scaext:consumerIntegrity.wss
• scaext:consumerConfidentiality.wss
WS-Security Provider Policies
You can configure WS-Security Provider policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Template File
• WssProviderAuthenticateSAMLSigned.policysets
• WssProviderAuthenticateSAMLUnsigned.policysets
• WssProviderAuthenticateUsernameTokenAndTimestamp.policysets
• WssProviderDecryptAuthenticateUsernameTokenAndSigatureTimestamp.policysets
Can Provide these Intents
• scaext:clientAuthentication.wssSAML
• scaext:clientAuthentication.usernameToken
• scaext:clientAuthentication.x509
• scaext:providerIntegrity.wss
• scaext:providerConfidentiality.wss
8 Transactions
TIBCO ActiveMatrix support for transactions conforms to the OASIS Service Component Architecture Policy specification and supports several transaction types.
The following types of transactions are supported:
• Managed Global
• OneWay
• Non-Managed
The database operations performed in a component implementation can participate in a transaction only if the following conditions are satisfied:
• The component implementation must use a database connection provided by a JDBC resource instance.
• The connection type of the JDBC resource template must be XA.
Topics
• Managed Global Transactions
• Transacted OneWay Transactions
• Non-Managed Transactions