TIBCO ActiveMatrix® Policy Director Administration
Software Release 2.0.0
November 2014
Document Updated: January 2015
Two-Second Advantage®




Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO and Two-Second Advantage are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the U.S. and other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2010-2015 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information


Contents

Figures
TIBCO Documentation and Support Services
Governance Overview
Object Groups
Governance Controls Overview
    Authentication
    Authorization
    Confidentiality
    Integrity
    Credential Mapping
Applying Security Policies to TIBCO ActiveMatrix BusinessWorks™ 6.2 Applications
    Setting Up Governance for TIBCO ActiveMatrix BusinessWorks
Governance Control Management
    Using Sample Python Scripts
        Creating a Policy
            Creating a Resource
            Creating a TIBCO ActiveMatrix BusinessWorks™ Application Object Group
            Creating a Governance Control
    Supported Policies
Governance Control Reference
    Basic Authentication
    Basic Credential Mapping
    Authentication by Kerberos
    Authentication by SiteMinder
    Authorization by Role
    WSS Consumer
    WSS Provider
    Policy Status List


Figures

Interaction of TIBCO ActiveMatrix Policy Director and TIBCO ActiveMatrix BusinessWorks 6
Basic Authentication


TIBCO Documentation and Support Services

All TIBCO documentation is available on the TIBCO Documentation site, which can be found here:

https://docs.tibco.com

Product-Specific Documentation

The following documents for this product can be found in the TIBCO Documentation Library:

● Installation and Configuration
● Administration

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support as follows:

● For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:

http://www.tibco.com/services/support

● If you already have a valid maintenance or support contract, visit this site:

https://support.tibco.com

Entry to this site requires a user name and password. If you do not have a user name, you can request one.

How to Join TIBCOmmunity

TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to:

http://www.tibcommunity.com


Governance Overview

Enforcing policies in an enterprise requires performing a fixed set of tasks that involve managing resources, object groups, and governance controls.

To enforce a security policy, you need the appropriate resources and object groups. The following tasks need to be performed:

1. Define the required resources.

2. Define the object groups.

3. Create the governance controls.

4. Manage the governance controls.


Object Groups

An object group is a user-defined set of governed objects.

You can assign governed objects to a group of similar governed objects to manage and use them as a unit during run time.

Object Groups and Object Group Types

A governed object can be a logical object, such as a TIBCO ActiveMatrix BusinessWorks™ application, or a physical object, such as a TIBCO ActiveMatrix BusinessWorks™ AppNode. An object group always contains the same type of governed objects. For example, an object group can consist of all TIBCO ActiveMatrix BusinessWorks™ application instances that belong to a TIBCO ActiveMatrix BusinessWorks™ domain.

TIBCO ActiveMatrix® Policy Director currently supports only the TIBCO ActiveMatrix BusinessWorks™ application instance object group type.

Defining Object Groups

You can define object groups in two ways:

● Fixed, with governed objects that are explicitly added and do not change.
● Dynamic, or defined by criteria, with governed objects that move in and out of the group as they meet the standards set for membership.

When an object group is dynamic, you can apply the appropriate governance policies to any governed object that the system discovers in the future.

Ways to Use Object Groups

Use an object group to combine governed objects that have the same governance requirements and to apply the same policies to that group.

For example, an object group lets you apply policies to related objects such as all finance applications (policies are enforced on services).

After you create an object group by combining governed objects with the same governance requirements, you can apply the same policies to the group. For example, you can apply an encryption policy to all finance applications (enforced on services).


Governance Controls Overview

TIBCO ActiveMatrix® Policy Director allows you to secure services using various types of security policies.

Each governance control is designed to perform an intended policy action such as authentication, authorization, confidentiality, integrity, credential mapping, or logging.

You can apply the policies to incoming messages received from service consumers and to the outgoing messages sent to service providers. The policies are applied at the endpoints.

You require the following external resources to enforce a policy at run time:

● Authentication service providers
● Identity service providers
● Trust service providers

Any of the above providers may be configured and shared among the policies as resources.

For example, if you configure a resource named sampleLdap, the same resource can be used for LDAP authentication as well as for WSS authentication.

TIBCO ActiveMatrix® Policy Director provides the following types of policies:

Policy Types

Category             Policy                   Applies To
Authentication       Basic                    Service
                     Username Token
                     SAML
                     SiteMinder
                     Kerberos (SPNEGO)
Authorization        Role                     Service
Confidentiality      Encrypt                  Service, Reference
                     Decrypt
Integrity            Sign                     Service, Reference
                     Verify Signature
Credential Mapping   Basic                    Reference
                     Username Token
                     SAML
Audit                Logging                  Service, Reference
Message Delivery     WS Reliable Messaging    Service, Reference
                     WS Addressing

Authentication

Authentication is the process of identifying the credential of the user who sent the request. A user requires proof of identity before establishing trust with the server.

There are different types of authentication:

● Basic

The credential used for authentication is obtained from the HTTP authorization header in the form of a username and password. The username and password are authenticated against an LDAP authentication provider.

● Username Token

The credential used for authentication is the usernameToken obtained from the security header of the SOAP message. The username and password from the usernameToken are authenticated against an LDAP authentication provider.

● Security Assertion Markup Language (SAML)

The credential used for authentication is the SAML assertion derived from the security header of the SOAP message. The SAML assertion is authenticated using an identity service provider.

● X509

The credential used for authentication is the X509 certificate from the security header of the SOAP message. To use X509 authentication, the SOAP message must be sent using the X509 token profile. The SAML assertion is authenticated using an identity service provider.

● Kerberos (SPNEGO)

Kerberos is an authentication protocol for client-server applications. SPNEGO provides a mechanism for extending Kerberos to web applications using the standard HTTP protocol.

● SiteMinder

SiteMinder provides policy-based authentication and single sign-on for all web-based applications. It can be used along with IdentityMinder, which manages user profiles, and TransactionMinder, which provides access to web services.


Authorization

Authorization is the process of granting a user that has been authenticated access to some resources and allowing the user to proceed with the incoming request.

Authorization of a request is supported based on roles. When a request is authenticated, a SAML assertion is generated that may contain the roles as attributes of the SAML assertion. The roles in the SAML assertion may originate as follows:

● From the groups defined in the LDAP, which is applicable for Basic or Username Token authentication.

● From the authenticated SAML assertion, which is applicable for SAML authentication.

Confidentiality

Confidentiality ensures that the data is accessible only to the intended user.

Data is encrypted by the sender using a public certificate. The receiver decrypts the data using a private key before using the data.

Integrity

Integrity ensures that the data has not been tampered with.

The data is signed by the party who sends the request, and the signature is included along with a digital certificate. The receiver can verify the signature using the certificate to determine the integrity of the data received.

Credential Mapping

Credential Mapping is used to propagate an identity to the outgoing request using a usernameToken or a SAML assertion.

Credential mapping supports the following policies:

● Basic
● Username Token
● SAML


Applying Security Policies to TIBCO ActiveMatrix BusinessWorks™ 6.2 Applications

Using TIBCO ActiveMatrix® Policy Director, you can apply security policies to TIBCO ActiveMatrix BusinessWorks applications. TIBCO ActiveMatrix Policy Director offers dynamic policy-based governance to TIBCO ActiveMatrix BusinessWorks, which allows you to manage and enforce security policies separately from the TIBCO ActiveMatrix BusinessWorks application implementation and deployment.

TIBCO ActiveMatrix Policy Director includes support for TIBCO® Enterprise Administrator (TEA). Administration capabilities for TIBCO ActiveMatrix Policy Director are enabled in TEA through a TEA agent embedded within the TIBCO ActiveMatrix Policy Director server.

TIBCO ActiveMatrix Policy Director also works with TIBCO® Security Server installed with TEA. TIBCO Security Server manages resources such as LDAP, keystores, and Trust and Identity Providers.

The TIBCO ActiveMatrix Policy Director server deploys policies to Governance Agents (Policy Enforcement Points) running within each TIBCO ActiveMatrix BusinessWorks AppNode.

The figure below provides an overview of how the components within TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix BusinessWorks (Enterprise mode), and TIBCO Enterprise Administrator interact with each other to manage and provide security policies for a TIBCO ActiveMatrix BusinessWorks application.

Interaction of TIBCO ActiveMatrix Policy Director and TIBCO ActiveMatrix BusinessWorks 6


Setting Up Governance for TIBCO ActiveMatrix BusinessWorks

The Governance Lifecycle Event Listener within the bwagent and the Governance Agent within each AppNode are disabled by default. You must enable them by setting properties within their respective config.ini files.

Prerequisites

● You must have the following software installed:

— TIBCO ActiveMatrix BusinessWorks™ 6.2 and its Hotfix 2
— TIBCO Enterprise Message Service™ 7.0 or greater
— TIBCO® Enterprise Administrator Version 2.1 or greater
— TIBCO ActiveMatrix® Policy Director 2.0

● The following software must be running:

— TIBCO Enterprise Message Service server
— TEA server
— TIBCO Security Server
— TIBCO ActiveMatrix Policy Director server

● You must have Python installed and configured to communicate with the TEA server. Refer to the TIBCO® Enterprise Administrator Installation Guide for details on configuring Python.

To apply security policies to TIBCO ActiveMatrix BusinessWorks applications, do the following:

1. In TIBCO ActiveMatrix BusinessWorks, do the following:

a. Make sure that the bwagent is configured for Enterprise mode.

b. Enable and configure the Governance Lifecycle Event Listener in the bwagent.

c. Enable and configure the Governance Agents in the AppNodes of an AppSpace.

2. In the TIBCO Security Server, do the following:

a. Create resources using the TIBCO Security Server.

3. In TIBCO ActiveMatrix Policy Director, do the following:

a. Create governance controls in TIBCO ActiveMatrix Policy Director.

Ensuring that bwagent is Configured for Enterprise Mode

Verify that the bwagent is configured in Enterprise mode. To do so:

1. Open the <BW_HOME>\6.2\config\bwagent.ini file.

2. Verify that the bw.admin.mode property is set to the following:

bw.admin.mode=enterprise

Enabling and Configuring the Governance Lifecycle Event Listener in bwagent

The TIBCO ActiveMatrix Policy Director server listens to lifecycle events on the bwagent, such as application deploy or undeploy, so that it can discover applications on which to enforce policies.

To enable and configure the Governance Lifecycle Event Listener properties for the bwagent, perform the following steps:


For the TIBCO ActiveMatrix Policy Director server to receive lifecycle events, ensure that the bw.governance.jms.* properties in the bwagent.ini file correspond correctly with the bw.governance.jms.* properties in the jms.conf file located in the <PD_CONFIG_HOME>\tibco\cfgmgmt\pd\conf directory. For the server to deploy policies to the AppSpace and receive notifications from the governance agents running in the AppNodes, ensure that the bw.governance.jms.* properties in the AppSpace config.ini correspond correctly with the bw.governance.jms.* properties in the jms.conf file located in the <PD_CONFIG_HOME>\tibco\cfgmgmt\pd\conf directory.

1. Stop the bwagent if it is running, using the following command:

bwagent -x stop

2. Open one of the JSON files, bwagent_db.json or bwagent_as.json, located in <BW_HOME>\config (Windows) or ${BW_HOME}/config (Unix), and update it as follows:

● Set the governanceenabled property to true.

● Configure the remaining governance lifecycle event listener properties in the JSON file according to your environment.

Use the bwagent_db.json file if the bwagent is configured to use an external database for data persistence and TIBCO Enterprise Message Service for the communication transport. Use the bwagent_as.json file if the bwagent is configured to use TIBCO ActiveSpaces® for both data persistence and the communication transport.

3. Run the following command to create the bwagent.ini file in the correct location.

● If you updated the bwagent_db.json file, run:

<BW_HOME>\bin>bwadmin config -cf ../config/bwagent_db.json agent

● If you updated the bwagent_as.json file, run:

<BW_HOME>\bin>bwadmin config -cf ../config/bwagent_as.json agent

4. Start the bwagent by running the following command:

bwagent -x startagent

For the TIBCO ActiveMatrix BusinessWorks applications that were deployed before you enabled the Governance Lifecycle Event Listener and the Governance Agent, use the TIBCO ActiveMatrix Policy Director utilities located in <TIBCO_HOME>\tea\agents\pd\2.0\samples\utilities to apply ad hoc changes.

Enabling the Governance Agents in the AppNodes of an AppSpace

Each AppNode in TIBCO ActiveMatrix BusinessWorks includes a Governance Agent, which interacts with TIBCO ActiveMatrix Policy Director to enforce policies for TIBCO ActiveMatrix BusinessWorks applications. The Governance Agents are disabled by default. To apply security policies, you must enable these Governance Agents and configure the environment as described below.

To enable governance on an AppSpace, configure the Governance Agent properties for the AppSpace by following these steps:

1. Copy the existing AppSpace configuration file appspace_config.ini (located in the root of the AppSpace folder), or the AppSpace configuration template file appspace_config.ini_template (located in <BW_HOME>\config\), to a temporary location.

Do not modify the original AppSpace configuration file, config.ini (located in the root of the AppSpace folder), or the AppSpace configuration template file, appspace_config.ini_template. Instead, make changes to the copy of the file that is in the temporary location.


2. Edit the configuration file in the temporary location to set the following properties.

If TIBCO ActiveMatrix Policy Director is already set up, ensure that the JMS server properties specified in the AppSpace configuration file match the JMS server configured in the TIBCO ActiveMatrix Policy Director server.

#-------------------------------------------------------------------------
# Section: BW Governance Agent & SPM Configuration. The properties in
# this section are applicable to the Governance Agent and the Governance SPM
# EventSubscriber that is executed within a BW AppNode.
#-------------------------------------------------------------------------
# Enable or disable the governance agent. This property is optional and
# it specifies whether the governance agent should be enabled or disabled
# in the AppNode. The supported values are: true or false. The default
# value is "false".
bw.governance.enabled=true

# BW Governance Agent JMS URL. This property is optional and it is used
# to specify the JMS server URL used to communicate with the
# TIBCO Policy Director Administrator. If this property is not set, then
# the BW Governance agent will not attempt to connect to the JMS server.
# The URL is expected to start with 'tcp://' or 'ssl://' and the failover
# URLs can be specified as a ',' or '+' separated list.
bw.governance.jms.server.url=tcp://localhost:7222

# BW Governance Agent JMS User Name. This property is required if the
# Governance Agent JMS URL is specified.
bw.governance.jms.server.username=admin

# BW Governance Agent JMS User Password. This property is required if the
# Governance Agent JMS URL is specified.
bw.governance.jms.server.password=

# BW Governance Agent JMS SSL connection trust store type. This property
# is required if the JMS server protocol is ssl. The supported values are
# 'JKS' and 'JCEKS'. The default value is 'JKS'.
bw.governance.jms.ssl.trust.store.type=JKS

# BW Governance Agent JMS SSL connection trust store location. This
# property is required if the JMS server protocol is ssl.
bw.governance.jms.ssl.trust.store.location=

# BW Governance Agent JMS SSL connection trust store password. This
# property is required if the JMS server protocol is ssl. The password
# may be clear text or supplied as an obfuscated string.
bw.governance.jms.ssl.trust.store.password=

# BW Governance Agent JMS Connection attempt count. This property is
# required if the Governance Agent JMS URL is specified and it specifies
# the number of JMS connection attempts the Governance Agent will make.
# The default value is '120'.
bw.governance.jms.reconnect.attempt.count=120

# BW Governance Agent JMS Connection attempt timeout. This property is
# required if the Governance Agent JMS URL is specified and it specifies
# the timeout between the attempts to reestablish the connection to the JMS
# server. The default value is '500'.
bw.governance.jms.reconnect.attempt.timeout=500

# BW Governance Agent JMS Connection attempt delay. This property is
# required if the Governance Agent JMS URL is specified and it specifies
# the delay in milliseconds between attempts to reestablish the
# connection to the JMS server. The default value is '500'.
bw.governance.jms.reconnect.attempt.delay=500

# BW Governance Agent JMS receiver queue name. This property is required
# if the Governance Agent JMS URL is specified and it specifies the receiver
# queue name for the governance agent and administrator communication.
# The default value is 'queue.bw.governance.agent.bw.default'.
bw.governance.jms.queue.receiver.name=queue.governance.agent.bw.default

# BW Governance Agent JMS sender queue name. This property is required
# if the Governance Agent JMS URL is specified and it specifies the
# sender queue name for the governance agent and administrator
# communication. It must match the value specified in the Policy Director
# Administrator configuration.
# The default value is 'governance.de.bw.default'.
bw.governance.jms.queue.sender.name=governance.de.bw.default

# BW Governance Agent JMS JNDI custom property. This property is optional
# and it provides the ability to specify a custom property for the
# JMS JNDI Initial Context. For example, to provide a custom property
# called "myProperty" for the JNDI Initial Context, specify
# a property "bw.governance.jms.application.property.myProperty=".
#bw.governance.jms.application.property.<UserCustomProperty>=<userValue>

# BW Governance Agent Shared Resource lookup. This property is optional
# and it provides the ability for the Governance Agent to look up shared
# resources.
# bw.governance.sr.WSSConfiguration=com.tibco.trinity.runtime.core.provider.authn.wss

3. Run the following command to push the configuration to the AppSpace:

   bwadmin[admin] > config -d <Domain-name> -a <AppSpace-name> -cf <temporaryLocation>/<config-file-name>

4. Restart the AppNode and AppSpace from the TIBCO ActiveMatrix BusinessWorks agent user interface in TEA.
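The properties above carry a conditional rule (the reconnect and queue settings are required only when the Governance Agent JMS URL is set) and a cross-configuration rule (the sender queue name must match the Policy Director Administrator configuration). The following script, an added example rather than TIBCO code or a bundled sample, parses a properties fragment and checks those rules before the file is pushed with bwadmin. The page does not give the name of the JMS URL property, so JMS_URL_KEY is an assumed placeholder that you should replace with the key used in your agent configuration; the sample fragment is constructed for the example.

```python
"""Validate a BusinessWorks governance-agent properties fragment before pushing it.

Added example; not part of the TIBCO product or its bundled samples.
"""

# ASSUMED placeholder: the page does not name the Governance Agent JMS URL key.
JMS_URL_KEY = "bw.governance.jms.url"

# Keys the page marks "required if the Governance Agent JMS URL is specified".
REQUIRED_IF_JMS_URL = (
    "bw.governance.jms.reconnect.attempt.timeout",
    "bw.governance.jms.reconnect.attempt.delay",
    "bw.governance.jms.queue.receiver.name",
    "bw.governance.jms.queue.sender.name",
)
# Keys whose values are counts in milliseconds.
INTEGER_KEYS = (
    "bw.governance.jms.reconnect.attempt.timeout",
    "bw.governance.jms.reconnect.attempt.delay",
)

# Constructed sample fragment (values taken from the page's defaults).
SAMPLE_FRAGMENT = """\
# constructed sample; comments and blank lines are ignored by the parser
bw.governance.jms.reconnect.attempt.timeout=500
bw.governance.jms.reconnect.attempt.delay=500
bw.governance.jms.queue.receiver.name=queue.governance.agent.bw.default
bw.governance.jms.queue.sender.name=governance.de.bw.default
"""


def parse_properties(text):
    """Parse Java-style properties: 'key=value' or 'key:value' per line.

    Lines starting with '#' or '!' are comments. Backslash continuations and
    escape sequences are not handled; the fragment on the page does not use them.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def validate(props, jms_url_key=JMS_URL_KEY):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    if props.get(jms_url_key):
        for key in REQUIRED_IF_JMS_URL:
            if not props.get(key):
                problems.append(f"{key} is required when {jms_url_key} is set")
    for key in INTEGER_KEYS:
        value = props.get(key)
        if value is not None and not value.isdigit():
            problems.append(f"{key} must be a non-negative integer, got {value!r}")
    return problems


def check_sender_queue_matches(props, administrator_sender_queue):
    """True when the agent's sender queue equals the value configured on the
    Policy Director Administrator side (the page requires these to match)."""
    return props.get("bw.governance.jms.queue.sender.name") == administrator_sender_queue


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_FRAGMENT)
    for problem in validate(parsed) or ["fragment is consistent"]:
        print(problem)
```

Run the script against the real file by reading it into parse_properties; pass the administrator-side sender queue name to check_sender_queue_matches so a mismatch is caught before the AppNode restart rather than as a silent loss of agent-to-administrator messages.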

Creating Governance Control

You must create the governance controls before applying policies. Make sure that your TEA server, TIBCO Security Server, and TIBCO ActiveMatrix Policy Director server are running before creating the governance controls.

To create governance controls, follow these steps:

1. Create an object group that identifies the group of applications on which you want to apply the policies. Refer to Creating a TIBCO ActiveMatrix BusinessWorks™ Application Object Group.

2. Configure your resources, for example an LDAP resource, a keystore resource, or any other resource required for your policy. Refer to Creating a Resource.

3. Tie the object groups to the resources using a governance control. Refer to Creating a Governance Control.

Refer to the Governance Control Management section in this guide for details.

Deploying Policies on an Application

To deploy a policy on an application, do the following:

1. In the TEA web user interface (http://localhost:8777/tea/), click the TIBCO ActiveMatrix Policy Director agent card.

2. Click the Governance Controls link or icon in the left vertical pane.

3. Click the link for the policy under the Name column.

4. Click deploy in the list of commands above the Summary tab.

5. Click the deploy button.


Governance Control Management

Governance control management involves creating resources, object groups, and governance controls, and deploying them appropriately.

You can create governance controls and perform actions such as synchronize, display, copy, delete, deploy, activate, and deactivate policies either from the TIBCO® Security Server web user interface (from within the TEA user interface) or by running the appropriate sample Python script bundled with TIBCO ActiveMatrix® Policy Director.

Using Sample Python Scripts

TIBCO ActiveMatrix® Policy Director comes bundled with sample Python scripts that you can use as a starting point to create resources, object groups, and governance controls.

Creating a Policy

To create a policy, use the sample Python scripts that come bundled with TIBCO ActiveMatrix® Policy Director. You must modify the scripts according to your environment before using them. Creating a policy involves the following steps:

Procedure

1. Create the necessary resource for the policy.

2. Create a TIBCO ActiveMatrix BusinessWorks™ application object group.

3. Create a governance control.

Creating a Resource

The first step when creating a policy is to create one or more resources that will be used by that policy. To create a resource, do the following:

Procedure

1. Modify the appropriate sample script according to your environment and save it.

2. Run the script using the command python3 <scriptname>.

3. Verify that the resource has been created by going to http://localhost:8777/tea in a browser and navigating to the TIBCO® Security Server user interface. You should see your newly created resource there.

Applying subsequent changes made to a resource to the Policy that uses that resource

If a TIBCO Security resource is changed after it is used by any Policy, the following utility (Python script) must be run to push the changes to the affected Governance agents: <TIBCO_HOME>/samples/utilities/registerResourceUpdateEvent.py

In the script, specify the resource name and its type, for example:

pd.notifySecuritySRUpdate('SampleLdapAuthNResource', 'LdapAuthNResource')

where 'SampleLdapAuthNResource' is the resource name and 'LdapAuthNResource' is the resource type. Valid resource types are listed in the sample script. The resource type for a particular resource can also be found in the TEA UI on the resource object page.


Creating a TIBCO ActiveMatrix BusinessWorks™ Application Object Group

Policies created in TIBCO ActiveMatrix® Policy Director can be applied to groups of applications called object groups.

Procedure

1. Edit the script, <TIBCO_HOME>\tea\agents\pd\2.0\samples\objectGroup\createBW6ApplicationGroup.py according to your environment.

2. In a terminal window, change directory to <TIBCO_HOME>\tea\agents\pd\2.0\samples\ObjectGroup and run python3 createBW6ApplicationGroup.py.

3. Verify that the object group has been created by going to http://localhost:8777/tea in a browser and navigating to the TIBCO ActiveMatrix® Policy Director user interface. You should see your newly created object group there.

Creating a Governance Control

Use the sample Python scripts bundled with TIBCO ActiveMatrix® Policy Director to create a governance control. To create a governance control using the sample Python scripts, do the following:

Prerequisites

1. Make sure that you have created the resources that are needed for the policy.

2. Make sure that you have created a TIBCO ActiveMatrix BusinessWorks™ Application Object Group.

Procedure

1. Edit the appropriate script in the <TIBCO_HOME>\tea\agents\pd\2.0\samples\governanceControl\authentication\ directory according to your environment. Refer to the Readme in the directory for instructions on how to edit the script.

2. In a terminal window, change directory to <TIBCO_HOME>\tea\agents\pd\2.0\samples\governanceControl\authentication\ and run python3 <scriptname>.

3. Verify that the governance control has been created by going to http://localhost:8777/tea in a browser and navigating to the TIBCO ActiveMatrix® Policy Director user interface. You should see your newly created governance control there.

4. Click Deploy.

Supported Policies

TIBCO ActiveMatrix® Policy Director currently supports the following policies.

Create the policies using the sample Python scripts bundled with TIBCO ActiveMatrix® Policy Director. The scripts to create each policy are located in the directories stated in the section for each policy below.

Basic Authentication Policy

Use the scripts in the following locations to create a Basic Authentication policy.

Refer to the corresponding text file in the <TIBCO_Home>\tea\agents\pd\2.0\samples\readme folder for details on this policy.

Create an LDAP Resource: <TIBCO_Home>\tea\agents\pd\2.0\samples\resources


Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups

Create a Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\authentication

Username Token Authentication Policy

Use the scripts in the following locations to create a Username Token Authentication policy.

Refer to the corresponding text file in the <TIBCO_Home>\tea\agents\pd\2.0\samples\readme folder for details on this policy.

Create an LDAP Resource: <TIBCO_Home>\tea\agents\pd\2.0\samples\resources

Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups

Create a Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\authentication

SiteMinder Authentication Policy

Use the scripts in the following locations to create a SiteMinder Authentication policy:

Create a SiteMinder Resource: <TIBCO_Home>\tea\agents\tss\1.0\samples\resourceManagerService\siteminder

Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups

Create a Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\wssProvider

SPNEGO-Based Kerberos Policy

Use the scripts in the following locations to create a SPNEGO-Based Kerberos policy:

Create a Kerberos Resource: <TIBCO_Home>\tea\agents\tss\1.0\samples\resourceManagerService\kerberos

Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups

Create a Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\wssProvider

SAML Authentication Policy

Use the scripts in the following locations to create a SAML Authentication policy.

Refer to the corresponding text file in the <TIBCO_Home>\tea\agents\pd\2.0\samples\readme folder for details on this policy.

Create a WSS Processor Resource: <TIBCO_Home>\tea\agents\pd\2.0\samples\resources

Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups

Create a Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\wssProvider

Authorization By Role Policy

Use the scripts in the following locations to create an Authorization By Role policy:

No resource needs to be specified; however, the policy must be paired with an authentication policy.

Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups


Create an Authorization Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\authorization

WSS Provider Policy

Use the scripts in the following locations to create a WSS Provider policy.

Refer to the corresponding text file in the <TIBCO_Home>\tea\agents\pd\2.0\samples\readme folder for details on this policy.

Create WSS Authentication Resource: <TIBCO_Home>\tea\agents\pd\2.0\samples\resources

Create an Object Group: <TIBCO_Home>\tea\agents\pd\2.0\samples\objectGroups

Create a WSS Provider Governance Control: <TIBCO_Home>\tea\agents\pd\2.0\samples\governanceControls\wssProvider


Governance Control Reference

Governance control policies are broadly categorized into the following types: security, WS-Addressing, and reliability.

Basic Authentication

Basic Authentication is a security policy that ensures that a consumer request is validated based on the credentials in the HTTP header.

Policy Requirement

Policy: Basic Authentication
Policy Resources: LDAP Authentication
Object Group Types: BW Application instance (enforced on SOAP/HTTP, REST/HTTP)

Basic Credential Mapping

Basic Credential Mapping is a policy that ensures that the credentials in the consumer request are validated once and propagated across domains.

Credentials are mapped using a password identity provider. The identity extracted from the password identity is inserted as HTTP Basic Authentication in the outgoing request. It is applicable to the following endpoints:

Policy Requirement

Policy: Credential Mapping
● Basic
● Username Token
Policy Resource:
● Identity Provider
● Keystore provider
Object Group Types: BW Application instance
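The Basic Authentication and Basic Credential Mapping entries above describe two steps that the agent performs on a request: validate the inbound Authorization header against a credential resource, then attach a mapped identity as HTTP Basic Authentication on the outgoing call. The following Python model, an added example that is not TIBCO code and does not reproduce how the Policy Director agent or its LDAP resource are implemented, shows those two steps end to end with an in-memory credential store and identity map standing in for the LDAP resource and the password identity provider; the store contents, the salt, and the mapped downstream account are constructed for the example.

```python
"""Model of Basic Authentication followed by Basic Credential Mapping.

Added example; not TIBCO code. The in-memory store and identity map stand in
for the LDAP resource and the password identity provider named on the page.
"""
import base64
import binascii
import hashlib
import hmac

_PBKDF2_ROUNDS = 100_000
# Constructed; a real store keeps a random per-user salt.
_SALT = b"constructed-static-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


# Constructed credential store (stands in for the LDAP Authentication resource).
CREDENTIAL_STORE = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Constructed identity map: validated inbound identity -> downstream credentials
# (stands in for the password identity provider on the page).
IDENTITY_MAP = {
    "alice": ("svc-orders", "downstream-secret"),
}


def make_basic_header(user, password):
    """Build an 'Authorization: Basic' value per RFC 7617 (user-id ':' password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value):
    """Return (username, password), or None if the header is not well-formed Basic auth."""
    if header_value is None:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate_basic(header_value, store=CREDENTIAL_STORE):
    """Return the authenticated username, or None on any failure."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return None
    user, password = creds
    entry = store.get(user)
    if entry is None:
        _hash_password(password, _SALT)  # keep timing similar for unknown users
        return None
    salt, expected = entry
    return user if hmac.compare_digest(_hash_password(password, salt), expected) else None


def map_credentials(identity, identity_map=IDENTITY_MAP):
    """Outbound Authorization header for the mapped identity, or None if unmapped."""
    mapped = identity_map.get(identity)
    return make_basic_header(*mapped) if mapped else None


def enforce(inbound_headers):
    """Apply both policies: authenticate the request, then map credentials for the outbound call."""
    identity = authenticate_basic(inbound_headers.get("Authorization"))
    if identity is None:
        return {"status": 401, "WWW-Authenticate": 'Basic realm="governed"'}
    outbound = map_credentials(identity)
    if outbound is None:
        return {"status": 403}
    return {"status": 200, "identity": identity, "outbound_authorization": outbound}
```

Two details matter for the policy as described on the page: the inbound credential is validated once (the downstream service never sees it), and the comparison of the derived hash uses a constant-time compare so that an invalid password and an unknown user are rejected in the same way.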


Authentication by Kerberos

Authentication by Kerberos is a security policy to ensure that consumer requests provide their credentials as Special Negotiation (SPNEGO) tokens using Kerberos authentication.

Policy Requirement

Policy: Kerberos (SPNEGO)
Shared Resource: Kerberos Authentication resource
Object Group Types: BW Application instance (enforced on SOAP/HTTP, REST/HTTP)

Authentication by SiteMinder

Authentication by SiteMinder is a security policy to ensure that the consumer credentials are validated as username tokens using the SiteMinder protocol.

Policy Requirement

Policy: SiteMinder
Shared Resource: SiteMinder Authentication
Object Group Types: BW Application instance

Authorization by Role

Authorization by Role is a security policy that ensures that a request is authorized based on the role carried in the Security Assertion Markup Language (SAML) tokens.

Policy Requirement

Policy: Authorization by Role
Shared Resource: No resource needs to be specified; however, the policy must be paired with an authentication policy.
Object Group Types: BW Application instance (enforced on SOAP/HTTP, REST/HTTP)

WSS Consumer

This policy processes the WS-Security header of a response message.

WSS Consumer acts on the Reference side to ensure that the confidentiality, integrity, and timestamp of a request remain secure. To maintain confidentiality, a response is decrypted at its endpoint. To maintain integrity, the response is verified for a valid signature. To track the time of the response, a timestamp is inserted in the response.

To maintain confidentiality, the policy can be configured for an outbound request to be encrypted and an inbound response to be decrypted at its endpoint. To maintain integrity, the outbound request can be signed and the signature verified in the inbound response. You can also insert a timestamp in an outbound request and verify a timestamp in the inbound response. You also have the option to attach credentials to the outbound request.


Policy Requirement

Policy: WSS Consumer
Shared Resource:
● WSS Authentication
● Trust Provider
● Identity Provider
Object Group Types: BW Application instance

Use the sample Python scripts bundled with TIBCO ActiveMatrix® Policy Director to create a WSS Consumer policy.

WSS Provider

The WSS Provider policy acts on the Server side to ensure that the confidentiality, integrity, and timestamp of a request remain secure.

To maintain confidentiality, a request is encrypted at its endpoint. To maintain integrity, the request is verified for a valid signature. To track the time of the request, a timestamp is inserted in the request.

Policy Requirement

Policy: WSS Provider
Shared Resource: WSS Authentication
Object Group Types: BW Application instance
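Both the WSS Consumer and WSS Provider policies above verify a timestamp in the inbound message (the response on the Reference side, the request on the Server side). The check below, an added example that is not TIBCO code and does not reproduce the agent's own WS-Security implementation, shows what that verification amounts to: locate the wsu:Timestamp inside the wsse:Security header, parse Created and Expires, and accept the message only if the receive time falls inside that window allowing a small clock skew, with a cap on the window length so a sender cannot make a message replayable for hours. The SOAP envelope, the skew and the lifetime cap are constructed for the example; signature and decryption handling are outside this block.

```python
"""Freshness check for the WS-Security Timestamp of a SOAP message.

Added example; not TIBCO code. Namespaces are the OASIS WS-Security 1.0 URIs.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample message with a five-minute Timestamp window.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2015-01-15T10:00:00Z</wsu:Created>
        <wsu:Expires>2015-01-15T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getOrder/></soap:Body>
</soap:Envelope>
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime to use as the receive time."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _parse_wsu_datetime(text):
    """Parse xsd:dateTime as used in wsu:Created/Expires; naive values are taken as UTC."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_timestamp(envelope_xml, now, max_skew=timedelta(seconds=60),
                    max_ttl=timedelta(minutes=5)):
    """Return (accepted, reason).

    Rejects messages whose Timestamp is missing, malformed, inverted, longer
    than max_ttl, not yet valid, or expired (each judged with max_skew tolerance).
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp in wsse:Security header"
    created_el = ts.find("wsu:Created", NS)
    expires_el = ts.find("wsu:Expires", NS)
    if created_el is None or not created_el.text:
        return False, "Timestamp has no Created"
    try:
        created = _parse_wsu_datetime(created_el.text)
        if expires_el is not None and expires_el.text:
            expires = _parse_wsu_datetime(expires_el.text)
        else:
            expires = created + max_ttl  # Expires is optional; apply the local cap
    except ValueError as exc:
        return False, f"unparsable timestamp: {exc}"
    if expires <= created:
        return False, "Expires is not after Created"
    if expires - created > max_ttl:
        return False, "Timestamp lifetime exceeds the allowed maximum"
    if created - max_skew > now:
        return False, "Timestamp Created is in the future"
    if now > expires + max_skew:
        return False, "Timestamp has expired"
    return True, "fresh"


if __name__ == "__main__":
    print(check_timestamp(SAMPLE_ENVELOPE, utc(2015, 1, 15, 10, 2)))
```

On its own a timestamp check proves only that the message is recent; it limits the replay window but does not bind the timestamp to the sender, which is why the page pairs it with signature verification (the signature should cover the Timestamp element).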

Policy Status List

A policy can have multiple statuses throughout its life cycle.

Draft: A policy is in a Draft state when it is being configured in the TIBCO ActiveMatrix Policy Director, and the Distribution Engine has not yet dispatched it to an agent.

Deployed: A policy is in a Deployed state when it is residing on an agent, and the agent has all the information related to the policy. When you deploy a policy for the first time, it is automatically activated.

Activated: A policy is in an Activated state when it is residing on an agent, and the agent has enforced the policy on the selected object groups.

Deactivated: A policy is in a Deactivated state when it is residing on an agent, but the agent has stopped enforcing the policy on the selected object groups.

Undeployed: A policy is in an Undeployed state when the policy is not residing on an agent.

DeployError: The DeployError status is displayed when deploying a policy on some or all of the members of the object group fails.

DeploySuccessful: The DeploySuccessful status is displayed when deploying a policy on all the members of the object group was successful.

out-of-sync: When the targeted configuration of a policy or the resource instances associated with the policy is not synchronized with the deployed configuration, the status is displayed as out-of-sync.

In-sync: When the targeted configuration of a policy or the resource instances associated with the policy is synchronized with the deployed configuration, the status is displayed as in-sync.
