7 replies Latest Post - ‏2013-09-05T21:23:54Z by tcb-dw
SystemAdmin

Pinned topic DP v5 Security Policy Only Enforced if not WSRR SLA

‏2013-02-12T20:45:36Z |
We are using DP v5 XI52 integrated with WSRR v8. We had great success prototyping the use of Mediation Policies configured in WSRR, and pulled in to DP via polling or notification to enforce QoS at runtime.

Tried to prototype WS-SecurityPolicy WSRR/DP integration the same way, using steps from this DW article and other articles.
http://www.ibm.com/developerworks/websphere/library/techarticles/0911_rasmussen/0911_rasmussen.html
Using the attached username token required policy, the policy is enforced if I attach it directly to a WSDL in DP.
Works perfectly. Requests with no UNT are rejected. Requests with UNT are accepted.

I move the exact same policy to WSRR and attach it to a working SLA, and DP appears to update and configure itself fine.
I can even see the correct policy assigned to my operations in the WSP SLA policy details view. However the policy is ignored at runtime and requests go through whether they have the UNT or not.

No obvious clues in debug log or debug probe. Any troubleshooting advice would be appreciated. Transitioning our licenses around in a corporate re-org so may take a few days till I can open PMR.

Thanks.
Updated on 2013-02-21T21:00:31Z at 2013-02-21T21:00:31Z by SystemAdmin
  • tcb-dw

    Re: DP v5 Security Policy Only Enforced if not WSRR SLA

    ‏2013-02-15T14:56:49Z  in response to SystemAdmin
    Hi jj348,
    When you attached the security policy directly in DataPower config, did you attach it as an SLA (e.g. you specified a Message Content Filter) or SLD (no MCF specified)?

    The reason I ask is because I suspect that the consumer identity provided with the request is not matching the configuration for consumer identity in WSRR (ContextID and ConsumerID must both match). Such a case would result in the policy attached as an SLA never being enforced. This can be verified using probe.

    In Probe, when you expand the details of a transaction (the + beside the magnifying glass), you should see a sequence of rules enforced like this on the request. (the numbers may vary)
    my-gateway_default_request-rule
    <policysubj>_30_2-req
    <policysubj>_30_2_sla1-req

    where <policysubj> is a value that varies depending on where you attached the policy (e.g. service, operation, etc).

    If you see slaN in the rule, then there was a match. Otherwise, the identity provided on the request did not match the identity configured in WSRR (e.g. Perhaps the identity is being sent as a header, but in WSRR it is specified as XPath).

    I hope this helps...
    • SystemAdmin

      Re: DP v5 Security Policy Only Enforced if not WSRR SLA

      ‏2013-02-15T16:03:12Z  in response to tcb-dw
      First of all THANKS tcb-dw!! Everything is working now thanks to your advice. I had been testing with only a consumer ID and no SLA level context identifier because I wanted to apply the UNT consumer requirement regardless of any consumer specific mediation policies.
      Clearly I have a lot to learn about WSRR policy enforcement.

      I still need some learning curve advice if you don't mind. I had trouble figuring out use of "Consumer Identifier" when searching WSRR 8.0 InfoCenter. I mostly relied on this nice article from Developer Works.
      http://www.ibm.com/developerworks/websphere/library/techarticles/1212_willoughby/1212_willoughby.html

      Article goes into specifying how to tell SLD where to look for consumer and context identifier. Then in SLA config panel in WSRR context identifier is an input field so feels like they are telling me that different consumer agreements == different context ID?? And I didn't see obvious place to enter "Consumer Identifier" value in any of the WSRR SLD or SLA config panels?

      What would be the (high level) steps to set up an SLD that enforces for ALL consumers requirement for a UNT, and then a separate SLA for each consumer of the service that gives them various quality of service mediation policies specifying this guy gets 1000 requests a second, while this guy only gets to call between midnight and 6am etc. etc.?

      Do you have some good learning references for the whole concept and implementation of consumer vs context Identifier and how I could implement my scenario?

      Thanks!
      • SystemAdmin

        Re: DP v5 Security Policy Only Enforced if not WSRR SLA

        ‏2013-02-18T16:21:00Z  in response to SystemAdmin
        Please ignore the last batch of how-to questions. A little more hands on experimentation and review of WSRR v8 InfoCenter answered all my questions on usage and runtime DataPower enforcement based on "Consumer" and "Context" Identifiers. Thanks again, all is going well now.
        • SystemAdmin

          Re: DP v5 Security Policy Only Enforced if not WSRR SLA

          ‏2013-02-21T21:00:31Z  in response to SystemAdmin
          Also, besides the article you listed, there are several other published resources that might be of interest to you as they provide additional how-to training and use cases for SLA policy in DataPower:

          • SOA governance using WebSphere DataPower and WebSphere Service Registry and Repository, Part 1: Leveraging WS-MediationPolicy capabilities (devWorks article):
          http://www.ibm.com/developerworks/websphere/library/techarticles/1204_burke/1204_burke.html

          • SOA governance using WebSphere DataPower and WebSphere Service Registry and Repository, Part 2: Authoring and enforcing custom policy vocabularies (devWorks article):
          http://www.ibm.com/developerworks/websphere/library/techarticles/1212_burke/1212_burke.html

          • SOA Policy, Service Gateway, and SLA Management (draft Redbook):
          http://www.redbooks.ibm.com/redpieces/abstracts/sg248101.html?Open
    • tallurisri

      Re: DP v5 Security Policy Only Enforced if not WSRR SLA

      ‏2013-09-05T19:57:04Z  in response to tcb-dw

      Hi tcb-dw

       

      We are also on the same page, we are trying to implement mediation policy in WSRR v8.0 and using DataPower XI52 v5.0. We followed steps mentioned in this article: http://www.ibm.com/developerworks/websphere/library/techarticles/1204_burke/1204_burke.html

      Successfully we created mediation policy and added to SLD in WSRR, created WSP in DataPower, web service working fine with WSDL subscription from WSRR but mediation policy not working. When I check WSP SLA policy details view I don't see any details there (no SLA/SLD/Policy).

      If I attach this policy to WSDL in DP WSP policy working perfectly as per condition in enforcing policy.

      Can you help me out to resolve this why it's not working from WSRR?

       

      Thanks,

      Sri.

  • tallurisri

    Re: DP v5 Security Policy Only Enforced if not WSRR SLA

    ‏2013-09-05T19:39:59Z  in response to SystemAdmin

    Hi tcb-dw/GVS

     

    We are also on the same page, we are trying to implement mediation policy in WSRR v8.0 and using DataPower XI52 v5.0. We followed steps mentioned in this article: http://www.ibm.com/developerworks/websphere/library/techarticles/1204_burke/1204_burke.html

    Successfully we created mediation policy and added to SLD in WSRR, created WSP in DataPower, web service working fine with WSDL subscription from WSRR but mediation policy not working. When I check WSP SLA policy details view I don't see any details there (no SLA/SLD/Policy).

    If I attach this policy to WSDL in DP WSP policy working perfectly as per condition in enforcing policy.

    Can you help me out to resolve this why it's not working from WSRR?

     

    Thanks,

    Sri.

  • tcb-dw

    Re: DP v5 Security Policy Only Enforced if not WSRR SLA

    ‏2013-09-05T21:23:54Z  in response to SystemAdmin

    Hi tallurisri,
    If the governance state of certain objects is not correct the policy will never be sent by WSRR to DP.

    Please ensure that the policy document is in "Approved" state, and the SLA is in "SLA Active" state.

    Regards,