DP v5 Security Policy Only Enforced if not WSRR SLA
I tried to prototype WS-SecurityPolicy WSRR/DP integration the same way, using steps from this DW article and other articles.
Using the attached "username token required" policy, the policy is enforced if I attach it directly to a WSDL in DP.
Works perfectly. Requests with no UNT are rejected. Requests with UNT are accepted.
I move the exact same policy to WSRR and attach it to a working SLA, and DP appears to update and configure itself fine.
I can even see the correct policy assigned to my operations in the WSP SLA policy details view. However, the policy is ignored at runtime and requests go through whether they have the UNT or not.
No obvious clues in the debug log or debug probe. Any troubleshooting advice would be appreciated. We are transitioning our licenses around in a corporate re-org, so it may take a few days until I can open a PMR.
tcb-dw (ACCEPTED ANSWER)
Re: DP v5 Security Policy Only Enforced if not WSRR SLA (2013-02-15T14:56:49Z, in response to SystemAdmin)
Hi jj348,
When you attached the security policy directly in the DataPower config, did you attach it as an SLA (e.g. you specified a Message Content Filter) or as an SLD (no MCF specified)?
The reason I ask is because I suspect that the consumer identity provided with the request is not matching the configuration for consumer identity in WSRR (ContextID and ConsumerID must both match). Such a case would result in the policy attached as an SLA never being enforced. This can be verified using the probe.
In Probe, when you expand the details of a transaction (the + beside the magnifying glass), you should see a sequence of rules enforced like this on the request. (the numbers may vary)
where <policysubj> is a value that varies depending on where you attached the policy (e.g. service, operation, etc.).
If you see slaN in the rule, then there was a match. Otherwise, the identity provided on the request did not match the identity configured in WSRR (e.g. perhaps the identity is being sent as a header, but in WSRR it is specified as an XPath).
I hope this helps...
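The matching rule described in this answer (both ConsumerID and ContextID must equal the values configured in WSRR, and each is read from wherever the SLD says to look, a header or an XPath), shown as a simplified, added Python model. This is example code written for this page, not DataPower or WSRR code, and it makes no claim about how those products implement the lookup internally; the SLD/SLA dictionaries, the header names `X-Consumer-ID` and `X-Context-ID`, the `urn:example:*` namespaces, the policy names and the SOAP request are all constructed for illustration.

```python
"""Simplified model of how a gateway selects a WSRR SLA for a request.

Added example, not DataPower or WSRR code. Assumptions (constructed for this
page): the SLD declares an identifier "source" for the consumer and for the
context, either ("header", <http header name>) or ("xpath", <expression over
the SOAP envelope>); an SLA is selected only when BOTH extracted identifiers
equal the values configured on that SLA. SLD-level policies always apply;
SLA-level policies apply only when an SLA was selected.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ctx": "urn:example:ctx",   # hypothetical namespace for a context element
}

# Constructed sample request: carries a UsernameToken and a context element.
SOAP_WITH_UNT = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken><wsse:Username>partner-a</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
    <ctx:Context xmlns:ctx="%(ctx)s">gold</ctx:Context>
  </soap:Header>
  <soap:Body><svc:ping xmlns:svc="urn:example:svc"/></soap:Body>
</soap:Envelope>""" % NS

SOAP_NO_UNT = """<soap:Envelope xmlns:soap="%(soap)s">
  <soap:Body><svc:ping xmlns:svc="urn:example:svc"/></soap:Body>
</soap:Envelope>""" % NS

# Hypothetical SLD: identifiers come from HTTP headers; one policy for everyone.
SLD_HEADER = {
    "consumer_source": ("header", "X-Consumer-ID"),
    "context_source": ("header", "X-Context-ID"),
    "policies": ["require-username-token"],
}
# Same SLD but told to read both identifiers out of the SOAP envelope instead.
SLD_XPATH = dict(
    SLD_HEADER,
    consumer_source=("xpath", ".//wsse:Security/wsse:UsernameToken/wsse:Username"),
    context_source=("xpath", ".//ctx:Context"),
)
# Hypothetical SLAs: per-consumer agreements, each keyed by BOTH identifiers.
SLAS = [
    {"consumer_id": "partner-a", "context_id": "gold", "policies": ["rate-limit-1000rps"]},
    {"consumer_id": "partner-b", "context_id": "night", "policies": ["window-00-06"]},
]


def extract_identifier(source, request):
    """Read one identifier from the request the way the SLD source says to."""
    kind, spec = source
    if kind == "header":
        return request["headers"].get(spec)
    if kind == "xpath":
        node = ET.fromstring(request["body"]).find(spec, NS)
        return node.text.strip() if node is not None and node.text else None
    raise ValueError("unknown identifier source %r" % (kind,))


def select_sla(sld, slas, request):
    """Return the SLA whose consumer AND context ids match, else None."""
    consumer = extract_identifier(sld["consumer_source"], request)
    context = extract_identifier(sld["context_source"], request)
    if consumer is None or context is None:      # missing either -> no SLA
        return None
    for sla in slas:
        if sla["consumer_id"] == consumer and sla["context_id"] == context:
            return sla
    return None


def effective_policies(sld, slas, request):
    """SLD policies always; SLA policies only when an SLA was selected."""
    policies = list(sld["policies"])
    sla = select_sla(sld, slas, request)
    if sla is not None:
        policies.extend(sla["policies"])
    return policies


def has_username_token(body):
    """True when the envelope carries a wsse:UsernameToken in wsse:Security."""
    return ET.fromstring(body).find(".//wsse:Security/wsse:UsernameToken", NS) is not None


# Constructed requests covering the cases discussed in the thread.
REQ_FULL = {"headers": {"X-Consumer-ID": "partner-a", "X-Context-ID": "gold"}, "body": SOAP_WITH_UNT}
REQ_CONSUMER_ONLY = {"headers": {"X-Consumer-ID": "partner-a"}, "body": SOAP_WITH_UNT}
REQ_BODY_ONLY = {"headers": {}, "body": SOAP_WITH_UNT}   # identity only inside the envelope

if __name__ == "__main__":
    for name, sld, req in [("header/full", SLD_HEADER, REQ_FULL),
                           ("header/consumer-only", SLD_HEADER, REQ_CONSUMER_ONLY),
                           ("header/body-only", SLD_HEADER, REQ_BODY_ONLY),
                           ("xpath/body-only", SLD_XPATH, REQ_BODY_ONLY)]:
        print(name, "->", effective_policies(sld, SLAS, req))
```

The second and third cases reproduce the symptom in the question: a request that supplies only a consumer identifier, or that carries its identity in the envelope while the SLD is configured to read headers, selects no SLA, so anything attached at SLA level (here `rate-limit-1000rps`) is silently skipped while the SLD-level policy still applies.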
Re: DP v5 Security Policy Only Enforced if not WSRR SLA (2013-02-15T16:03:12Z, in response to tcb-dw)
First of all, THANKS tcb-dw!! Everything is working now thanks to your advice. I had been testing with only a consumer ID and no SLA-level context identifier because I wanted to apply the UNT consumer requirement regardless of any consumer-specific mediation policies.
Clearly I have a lot to learn about WSRR policy enforcement.
I still need some learning-curve advice if you don't mind. I had trouble figuring out the use of "Consumer Identifier" when searching the WSRR 8.0 InfoCenter. I mostly relied on this nice article from developerWorks.
The article goes into specifying how to tell the SLD where to look for the consumer and context identifier. Then in the SLA config panel in WSRR, context identifier is an input field, so it feels like they are telling me that different consumer agreements == different context ID?? And I didn't see an obvious place to enter the "Consumer Identifier" value in any of the WSRR SLD or SLA config panels.
What would be the (high-level) steps to set up an SLD that enforces, for ALL consumers, the requirement for a UNT, and then a separate SLA for each consumer of the service that gives them various quality-of-service mediation policies, specifying that this guy gets 1000 requests a second while this guy only gets to call between midnight and 6am, etc.?
Do you have some good learning references for the whole concept and implementation of consumer vs. context identifier and how I could implement my scenario?
Re: DP v5 Security Policy Only Enforced if not WSRR SLA (2013-02-18T16:21:00Z, in response to SystemAdmin)
Please ignore the last batch of how-to questions. A little more hands-on experimentation and review of the WSRR v8 InfoCenter answered all my questions on usage and runtime DataPower enforcement based on "Consumer" and "Context" Identifiers. Thanks again, all is going well now.
Re: DP v5 Security Policy Only Enforced if not WSRR SLA (2013-02-21T21:00:31Z, in response to SystemAdmin)
Also, besides the article you listed, there are several other published resources that might be of interest to you, as they provide additional how-to training and use cases for SLA policy in DataPower:
- SOA governance using WebSphere DataPower and WebSphere Service Registry and Repository, Part 1: Leveraging WS-MediationPolicy capabilities (devWorks article):
- SOA governance using WebSphere DataPower and WebSphere Service Registry and Repository, Part 2: Authoring and enforcing custom policy vocabularies (devWorks article):
- SOA Policy, Service Gateway, and SLA Management (draft Redbook):
tallurisri (ACCEPTED ANSWER)
Re: DP v5 Security Policy Only Enforced if not WSRR SLA (2013-09-05T19:39:59Z, in response to SystemAdmin)
We are also on the same page: we are trying to implement mediation policy in WSRR v8.0 and using DataPower XI52 v5.0. We followed the steps mentioned in this article: http://www.ibm.com/developerworks/websphere/library/techarticles/1204_burke/1204_burke.html.
We successfully created the mediation policy and added it to the SLD in WSRR, and created the WSP in DataPower. The web service is working fine with the WSDL subscription from WSRR, but the mediation policy is not working; when I check the WSP SLA policy details view I don't see any details there (no SLA/SLD/Policy).
If I attach this policy to the WSDL in the DP WSP, the policy works perfectly as per the condition in the enforcing policy.
Can you help me out to resolve why it's not working from WSRR?
tcb-dw (ACCEPTED ANSWER)
Re: DP v5 Security Policy Only Enforced if not WSRR SLA (2013-09-05T21:23:54Z, in response to SystemAdmin)
If the governance state of certain objects is not correct, the policy will never be sent by WSRR to DP.
Please ensure that the policy document is in the "Approved" state, and the SLA is in the "SLA Active" state.