Asian Journal October 12-18, 2012 edition

Overview Layer 7 Gateway

* Layer 7 Gateway is a policy-optimized and ASIC-accelerated (Application Specific Integrated Circuit) XML Firewall and Web Services gateway that - protects and controls how shared web services are accessed by and exposed to external applications. * Layer 7 Gateway comes in three form factors: - Virtual applicance. See on how to install Layer 7 virtual appliance. - ASIC-accelerated DMZ appliance. ASIC stands for application specific integrated circuit. - 64-bit ASIC-accelerated appliance for EAI or ESB.

SecureSpan XML VPN Client

* Is a cross-domain enablement product designed to speed and secure web services integrations spanning identity and security domains. * Available in three form factors: - Class lib - Executable - Integrated inside a Gateway for drop-in partner connectivity and web services federation

Policy Manager

* GUI based application (either standalone or browser based) that allows administrators to centrally define, provision, verify, and audit fine-grained security and connectivity policies for cross-domain web services and XML integrations. * Available as software for: - Windows - RHEL - Solaris - SOAP API

Policy Manager

The Layer 7 Gateway supports SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol) messages, both inbound and outbound. This allows the Gateway to work with backend services which rely on these protocols. These messages are secured using the SSH2 protocol (SSH1 is not supported). * Using Inbound SSH: - configure an internal SSH server running on a Gateway listen port. This is done by creating a new listen port using the SSH2 protocol. - The SSH listener supports inbound SCP upload and inbound SFTP PUT commands to the Gateway. - This listener automatically opens and closes the SSH port on start and stop. - Can use both password authentication or pki authentication. * Using Outbound SSH: - outbound SCP upload and download with an external SCP server - outbound SFTP "PUT" and "GET" with an external SFTP server

Manage KeyStore Working with Services Publish Services

* Web services from existing WSDL: - use Publish SOAP Web Service Wizard - Default Gateway URI: * Web services require the generation of a new WSDK: - use Create WSDL Wizard * Non-SOAP applications: - use Publish REST, Web API, or Other Service Wizard

Service Properties * Accessed by right clicking and select Service Properties. * General properties: - Rename service display name - Disable/enable service - Enable WS-Security processing - Enable policy debug tracing * HTTP/FTP properties: - Change resolution path - Check resolution conflicts - Change HTTP methods * WSDL properties: - Reset WSDL - Edit WSDL - Change SOAP version - Allow requests intended for operations not supported by the WSDL * UDDI properties Working with Internal Services Gateway Management Service * expose Gateway Management API Security Token Service (STS) * requires WSDL * uses various tokens, e.g. Create SAML Token, Create Security Context Token UDDI Notification Service * Notifies client about changes in UDDI registry: Handle UDDI Subscription Notification assertion WSDM QosMetrics Service * Allows client to request metrics data for a given managed resource. * Has one method: - GetMultipleResourceProperties WSDM Subscription Service * Allows client tosubscribe to receive notifications about changes in a resource * Has three methods: - Subscribe - Renew - Unsubscribe Specifying a Resource for an WSDM Service * Include resource id within the URL: http:// :8080/wsdm/qosmetrics? serviceoid=12345 * Include service id as part of the SOAP message:   <ResourceId> </ResourceId>   * Include resource URI within the URL of the query string: http:// :8080/wsdm/qosmetrics? serviceuri=/myuris/service1uri Working with Security Token Service (STS) * STS issues following tokens: - SAML tokens using Create SAML Token assertion - Security Context tokens using Create Security Context Token assertion * Issued tokens can be returned in a Request Security Token Response (RSTR) using Build RSTP SOAP Response assertion * Security Context tokens can be cancelled using the Cancel Security Context assertion * Publish STS: * Default STS policy: * Sample Messages Workingwith FTP Requests Publish Test Service Public Test Service * Click Home > Publish SOAP Web Service - Or click Tasks > Publish SOAP Web Service * Enter WSDL location, e.g., and click Next: * Select Custom resolution path and enter value /HelloWorld * Click Finish to accept all defaults. * Service should show up in the Service panel: * New WSDL can now be accessed from Layer7 with URL: Setup Internal Identity Provider (IIP) * Add a new user named l7test with password Welcome1! * Add a new group named Accounting * Query internal identity provider: Authenticate a Message against IIP * Double click the service, e.g. HelloWorldImplService, to open the service policy panel: * Authenticate against any user from IIP: - Drag and drop Assertions > Access Control > Authenticate Against Identity Provider to policy panel * Authenticate against a specific user or group from IIP: - Drag and drop Assertions > Access Control > Authenticate User or Group to policy panel * Authenticate against multipleusers or groups from IIP: - Drag and drop additional Assertions > Access Control > Authenticate User or Group to policy panel Create an AD Identity Provider * Create a service account on AD with user name svc.l7 and password Welcome1! * Right click Identity Provider and then select Create LDAP Identity Provider * Select Provider Type: MicrosoftActiveDirectory and enter login info: * Click Test button to validate connection. * Accept default Group Object Classes screen and click Next * Accept default User Object Classes screen and click Next * Accept default Advanced Configuration screen and click Next * Accept default Certificate Settings screen and click Next * Click Finish Require SSL Connection * Double click service to open policy panel. * Drag and drop Assertions > Transport Layer Security (TLS) > Require SSL or TLS Transport into policy panel. * Click Save and Activate. * From SoapUI, check that request to endpoint is not longer working. * From SoapUI, check that request toendpoint is still working. Add HTTP Basic Auth * Double click service to open policy panel. * Drag and drop Assertions > Access Control > Require HTTP Basic Credentials into policy panel and immediately under Require SSL or TLS Transport. * Drag and drop Assertions > Access Control > Authenticate User or Group into policy panel and immediately under Require HTTP Basic Credentials. * Select ad.mytest.local > Service Layer7 * Right click Authenticate User: svc.l7 from [ad.mytest.local] and select Target Message. Select Request and click OK button. * Click Save and Activate. * From SoapUI, check that request to endpoint now requires authentication. * Add to SoapUI request: - Authorisation Type: Preemptive - Username: svc.l7 - Password: Welcome1! * Check that request is successful with correct username and password. SecureSpan Policy Language Policy Types * Constraint assertions: - Require SSL - Require credentials - Require signatures/encryption * Action assertions - Authenticate