Topic
  • 4 replies
  • Latest Post - 2013-01-09T19:13:57Z by SystemAdmin
SystemAdmin
6772 Posts

Pinned topic Datapower: How to create AAA policy

2013-01-09T13:43:16Z
Hello everyone;

I've got another question: how can I develop or create a new AAA policy? I don't understand anything about the steps for the creation of this policy. I've got several documents, but I can't get the concept, and this is necessary for my actual project. I got that AAA permits authorization and authentication at an LDAP or AD level, but is it required to create code (XSL) to manipulate this info, or can I take the XML with the auth data and apply it in the AAA policy? I read the Redbooks about AAA implementation and the DataPower Handbook in search of answers, but I cannot see the light on this concept.

Can you assist me with a better concept of AAA?

Regards from Colombia;
Cristian.
Updated on 2013-01-09T19:13:57Z by SystemAdmin
  • kenhygh
    1577 Posts

    Re: Datapower: How to create AAA policy

    2013-01-09T14:55:43Z
    Cristian,
    You really want to get a copy of the DataPower Handbook; it contains good explanations for many of the concepts in DataPower. http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194

    An AAA action is intended to check the incoming request for user identification, permissions checking, and logging of attempts to use a resource such as a web service. It performs these functions in several steps:

    Extract Identity - is how DP is going to get the user identification from the request. It could be in a lot of places, including a mutual-auth SSL client certificate, an HTTP basic auth header with a password, a SAML assertion, etc.

    Authenticate - does DataPower know this user? This is often done by passing the extracted credentials to an LDAP server, but again DataPower supports multiple ways of doing this.

    Map User - sometimes for the rest of the processing you don't want to know the individual's name, but just the group or something they belong to. You can do this here.

    Extract Resource - WHAT is it the user is requesting? In order to decide whether or not to allow the user - whom you now know - to perform the request, you need to know how to identify what they're requesting. This is often the URI, the SOAP-Action or some such.

    Map Resource - again, you may want to map the resource to something more generic like an application name.

    Authorize - is the user allowed to make this request? Again, this can be done by checking with LDAP or something else.

    Post Process - sometimes there are other things we want to do with some of the AAA stuff. An example is getting user attributes from LDAP or fancy logging or something.

    And that's all there is to it :-)

    Ken
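    Ken's steps, as an added illustration that is not from the original post or from IBM: a small Python simulation of an AAA pipeline run over an HTTP Basic header, with a constructed in-memory directory standing in for the LDAP/AD server and constructed mapping tables. All names, users, passwords and paths are assumptions; on a real appliance these steps are the AAA action's configured options, not code.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the LDAP/AD directory of the Authenticate step: user -> (salted SHA-256 of password, group).
_SALT = b"constructed-salt"
_h = lambda pw: hashlib.sha256(_SALT + pw.encode()).hexdigest()
DIRECTORY = {"alice": (_h("alice-pass"), "billing-users"), "bob": (_h("bob-pass"), "guests")}
APP_BY_PREFIX = {"/services/billing": "billing", "/services/catalog": "catalog"}  # Map Resource table
ALLOWED = {"billing": {"billing-users"}, "catalog": {"billing-users", "guests"}}   # Authorize table
AUDIT = []  # Post Process: one record per request, whether allowed or not

def basic_header(user, pw):  # builds a sample HTTP Basic Authorization header value
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def extract_identity(headers):  # Extract Identity: user/password from an HTTP Basic header
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # a malformed header is treated as "no identity", not as an error
    return (user, pw) if sep and user else None

def authenticate(user, pw):  # Authenticate: does the directory know this user with this password?
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry[0], _h(pw))

def map_resource(uri):
    """Extract Resource (path without query string), then Map Resource (path -> application)."""
    path = uri.split("?", 1)[0]
    for prefix, app in APP_BY_PREFIX.items():
        if path == prefix or path.startswith(prefix + "/"):
            return app
    return None  # unknown resource: Authorize will deny it

def post_process(user, uri, ok, reason):  # Post Process: audit every decision
    AUDIT.append({"user": user, "uri": uri, "allowed": ok, "reason": reason})
    return ok, reason

def aaa(headers, uri):
    """Run the steps in Ken's order; every outcome, pass or fail, ends in Post Process."""
    cred = extract_identity(headers)
    if cred is None:
        return post_process(None, uri, False, "no identity")
    user, pw = cred
    if not authenticate(user, pw):
        return post_process(user, uri, False, "authentication failed")
    group = DIRECTORY[user][1]  # Map User: individual -> group
    app = map_resource(uri)
    ok = app is not None and group in ALLOWED[app]  # Authorize: group vs. application
    return post_process(user, uri, ok, "authorized" if ok else f"{group} not allowed on {app}")
```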
  • SystemAdmin
    6772 Posts

    Re: Datapower: How to create AAA policy

    2013-01-09T17:00:22Z
    Wow, thanks for your answer :)

    Only one more question: is it true that it's necessary to develop code for this AAA policy, or is it only a group of options used for the development of the flow? Like the XSL in the XML Firewall, is it required to use code for the AAA tailoring?

    Regards from Colombia;
    Cristian.
  • kenhygh
    1577 Posts

    Re: Datapower: How to create AAA policy

    2013-01-09T18:04:31Z
    It's pretty rare to have to write any code.

    Which means, of course, that the GUI is confusing because (almost) every possible option is a checkbox or dropdown.

    Ken
  • SystemAdmin
    6772 Posts

    Re: Datapower: How to create AAA policy

    2013-01-09T19:13:57Z
    Hello, and thanks for your answer.

    OK, I will try to catch the concept with the answers to my question, and I will work on the AAA policy on the double. It seems that it is easy content and easy to manipulate or tailor. Thanks to all for the answers.

    Regards from Colombia;
    Cristian.