You can configure these policies by copying a template into an external policy set, and modifying the parameters appropriately. You can find sample templates in the file TIBCO_HOME/amx/version/samples/policy/samples.zip.

Category            Template
Authorization       Authorization By Role Policies on page 137
Authentication      Basic Authentication Policies on page 138
                    Basic Or Username Token Authentication Policies on page 139
                    SAML Authentication For SSO Policies on page 140
                    Username Token Authentication Policies on page 141
Credential Mapping  Basic Credential Mapping Policies on page 138
                    SAML Credential Mapping For SSO Policies on page 140
WS-Security         WS-Security Consumer Policies on page 141
                    WS-Security Provider Policies on page 143
Policy Template to Intents Reference
The intents that a policy can provide are a subset of the intents that its policy template can provide; the policy configuration can narrow that set. The intents that each policy template can provide are listed below.

Policy Set Template                                          Can Provide these Intents
Authorization By Role Policies on page 137                   scaext:authorization.role
Basic Authentication Policies on page 138                    scaext:clientAuthentication.basic
Basic Credential Mapping Policies on page 138                scaext:credentialMapping.basic
Basic Or Username Token Authentication Policies on page 139  scaext:clientAuthentication.basic
                                                             scaext:clientAuthentication.usernameToken
SAML Authentication For SSO Policies on page 140             scaext:clientAuthentication.ssoSAML
SAML Credential Mapping For SSO Policies on page 140         scaext:credentialMapping.ssoSAML
Username Token Authentication Policies on page 141           scaext:clientAuthentication.usernameToken
WS-Security Consumer Policies on page 141                    scaext:credentialMapping.wssSAML
                                                             scaext:credentialMapping.usernameToken
                                                             scaext:consumerIntegrity.wss
                                                             scaext:consumerConfidentiality.wss
WS-Security Provider Policies on page 143                    scaext:clientAuthentication.wssSAML
                                                             scaext:clientAuthentication.usernameToken
                                                             scaext:clientAuthentication.x509
                                                             scaext:providerIntegrity.wss
                                                             scaext:providerConfidentiality.wss

TIBCO Business Studio lets you specify several security intents on a binding or component. For simplicity, we recommend satisfying those intents with fewer policies and policy sets rather than proliferating many. That is, where possible, use policies that satisfy several intents.
The policy samples in TIBCO_HOME/amx/version/samples/policy/samples.zip represent some typical use cases. They are organized in subdirectories by policy template name.
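As an added example (not part of the TIBCO documentation or product), the following Python encodes the template-to-intent table above and uses it for two checks a reviewer of a composite's policy sets would make: that a configured policy claims only intents its template can provide, and that a binding's required intents are covered with as few templates as possible. The dictionary keys are shortened template labels assumed for this example.

```python
# Added example, not TIBCO code. TEMPLATE_INTENTS is the "Can Provide these
# Intents" table from this section; the keys are shortened labels chosen here.
TEMPLATE_INTENTS = {
    "AuthorizationByRole": {"scaext:authorization.role"},
    "BasicAuthentication": {"scaext:clientAuthentication.basic"},
    "BasicCredentialMapping": {"scaext:credentialMapping.basic"},
    "BasicOrUsernameTokenAuthentication": {
        "scaext:clientAuthentication.basic",
        "scaext:clientAuthentication.usernameToken"},
    "SAMLAuthenticationForSSO": {"scaext:clientAuthentication.ssoSAML"},
    "SAMLCredentialMappingForSSO": {"scaext:credentialMapping.ssoSAML"},
    "UsernameTokenAuthentication": {"scaext:clientAuthentication.usernameToken"},
    "WssConsumer": {
        "scaext:credentialMapping.wssSAML",
        "scaext:credentialMapping.usernameToken",
        "scaext:consumerIntegrity.wss",
        "scaext:consumerConfidentiality.wss"},
    "WssProvider": {
        "scaext:clientAuthentication.wssSAML",
        "scaext:clientAuthentication.usernameToken",
        "scaext:clientAuthentication.x509",
        "scaext:providerIntegrity.wss",
        "scaext:providerConfidentiality.wss"},
}


def disallowed_intents(template, provided):
    """Intents a configured policy claims that its template cannot provide.
    A policy may narrow its template's intents, never widen them, so this
    list must be empty for a valid policy set."""
    if template not in TEMPLATE_INTENTS:
        raise ValueError(f"unknown policy template: {template}")
    return sorted(set(provided) - TEMPLATE_INTENTS[template])


def cover_intents(required):
    """Greedy set cover: pick the fewest templates whose intents together
    cover `required`, following the advice to satisfy several intents with
    one policy where possible. Returns (chosen templates, intents that no
    template can provide, e.g. a misspelled intent on a binding)."""
    remaining = set(required)
    chosen = []
    while remaining:
        best = max(TEMPLATE_INTENTS,
                   key=lambda t: len(TEMPLATE_INTENTS[t] & remaining))
        gain = TEMPLATE_INTENTS[best] & remaining
        if not gain:          # nothing left that any template provides
            break
        chosen.append(best)
        remaining -= gain
    return chosen, sorted(remaining)
```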
Authorization By Role Policies
You can configure Authorization By Role policies by copying a template into an external policy set, and modifying the parameters appropriately. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Several template samples are available.
Template File:
  AllOperationsAllowedForRole.policysets
  AuthenticatedUsersOnly.policysets
  EveryoneAllowed.policysets
  NobodyAllowed.policysets
  SpecificOperationAllowedForALLRoles.policysets
  SpecificOperationSpecificRole.policysets
Can Provide these Intents:
  scaext:authorization.role
Basic Authentication Policies
You can configure the Basic Authentication policy by copying a template into an external policy set, and modifying the parameters appropriately. You can find a sample template in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Template File:
  BasicAuthenticationWithWebAppUsingLDAP.policysets
Can Provide these Intents:
  scaext:clientAuthentication.basic
Basic Credential Mapping Policies
You can configure Basic Credential Mapping policies by copying a template into an external policy set, and modifying the parameters appropriately. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
You can configure this policy to retrieve user credentials from an Identity Provider resource instance.
When using an Identity Provider resource instance to retrieve user credentials for a policy, in the Identity Provider resource template, check the Enable Access to Credential Store Containing Identity checkbox. The JCEKS keystore used in the Identity Provider resource template should be able to store symmetric keys.
Several template samples are available.
Template File:
  BasicCredentialMappingFixed.policysets
  BasicCredentialMappingRoleBased.policysets
Can Provide these Intents:
  scaext:credentialMapping.basic
Basic Or Username Token Authentication Policies
You can configure the Basic Or Username Token Authentication policy by copying a template into an external policy set, and modifying the parameters. You can find a sample template in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
One template sample is available.
Template File:
  BasicOrUsernameTokenAuthenticationWithSoapEpUsingLDAP.policysets
Can Provide these Intents:
  scaext:clientAuthentication.basic
  scaext:clientAuthentication.usernameToken
SAML Authentication For SSO Policies
You can configure SAML Authentication For SSO policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Component services or promoted references authenticate the consumer's identity using a single sign-on SAML token. (Credential mapping policies propagate the SAML token to providers within the ActiveMatrix environment.)
Several template samples are available.
Template File:
  SAMLAuthenticationForSSOSigned.policysets
  SAMLAuthenticationForSSOUnsigned.policysets
Can Provide these Intents:
  scaext:clientAuthentication.ssoSAML
SAML Credential Mapping For SSO Policies
You can configure SAML Credential Mapping For SSO policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
References (or promoted services) propagate a SAML token asserting the consumer's identity to providers within the ActiveMatrix environment.
Several template samples are available.
Template File:
  SAMLCredentialMappingForSSOSigned.policysets
  SAMLCredentialMappingForSSOUnsigned.policysets
Can Provide these Intents:
  scaext:credentialMapping.ssoSAML
Username Token Authentication Policies
You can configure Username Token Authentication policies by copying a template into an external policy set, and modifying the parameters. You can find a sample template in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
One template sample is available.
Template File:
  UsernameTokenAuthenticationWithSoapEpUsingLDAP.policysets
Can Provide these Intents:
  scaext:clientAuthentication.usernameToken
WS-Security Consumer Policies
You can configure WS-Security Consumer policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Several template samples are available.
You can configure this policy to retrieve user credentials from an Identity Provider resource instance.
When using an Identity Provider resource instance to retrieve user credentials for a policy, in the Identity Provider resource template, check the Enable Access to Credential Store Containing Identity checkbox. The JCEKS keystore used in the Identity Provider resource template should be able to store symmetric keys.
Template File:
  WssConsumerAddUsernameTokenTimestampSignAndEncrypt.policysets
  WssConsumerCredentailMappingSAMLSigned.policysets
  WssConsumerCredentailMappingSAMLUnsigned.policysets
  WssConsumerCredentailMappingUsernameTokenFixed.policysets
  WssConsumerCredentailMappingUsernameTokenRoleBased.policysets
Can Provide these Intents:
  scaext:credentialMapping.wssSAML
  scaext:credentialMapping.usernameToken
  scaext:consumerIntegrity.wss
  scaext:consumerConfidentiality.wss
UsernameToken - Nonce and Created Elements
When a Basic Credential Mapping or WSS Credential Mapping policy is used to insert a UsernameToken in the SOAP security header, the Nonce and Created elements can be optionally added.
You can configure a Basic Credential Mapping or WS-Security Consumer Credential Mapping policy to have the UsernameToken without the Nonce and Created elements by copying the template below and modifying the parameters appropriately. See the Policy Sets, Policy Templates Reference section in the Composite Development guide for more information about configuring policy sets.
The sample Basic Credential Mapping policy below generates the UsernameToken without the Nonce and Created elements.
<?xml version="1.0" encoding="UTF-8"?>
<ep:policySetContainer xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
    xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:scaext="http://xsd.tns.tibco.com/amf/models/sca/extensions"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  <wsp:Policy template="tpt:WssConsumer" xmlns:tpt="http://xsd.tns.tibco.com/governance/policy/template/2009">
    <wsp:All>
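As an added illustration (not TIBCO code and not the sample policy set above), the following Python builds the wsse:UsernameToken that such a credential-mapping policy inserts into the Security header, once with and once without the optional Nonce and Created elements, together with the provider-side check that explains why they matter: without both elements a provider has no way to detect a replayed token. The WS-Security namespace and type URIs are the standard ones; the sample user and password are constructed.

```python
# Added example, not TIBCO code: the wsse:UsernameToken a credential-mapping
# policy emits, with Nonce/Created optional as in the policy template.
import base64
import datetime
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def username_token(user, password, with_nonce_created=True):
    """Return a wsse:UsernameToken element (PasswordText), optionally with
    a fresh Nonce and a wsu:Created timestamp, as the policy would insert it."""
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT)
    pw.text = password
    if with_nonce_created:
        nonce = ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=BASE64_BINARY)
        nonce.text = base64.b64encode(os.urandom(16)).decode("ascii")  # new per message
        created = datetime.datetime.now(datetime.timezone.utc)
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created.strftime("%Y-%m-%dT%H:%M:%SZ")
    return tok


def has_replay_guards(tok):
    """Provider-side check: a token carrying both Nonce and Created can be
    replay-checked (nonce cache plus freshness window); one without them
    cannot, so a provider that requires replay detection should reject it."""
    return (tok.find(f"{{{WSSE}}}Nonce") is not None
            and tok.find(f"{{{WSU}}}Created") is not None)


def to_xml(tok):
    """Serialise a token for inspection, e.g. to compare the two variants."""
    return ET.tostring(tok, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(username_token("alice", "example-password")))        # constructed values
    print(to_xml(username_token("alice", "example-password", with_nonce_created=False)))
```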
WS-Security Provider Policies
You can configure WS-Security Provider policies by copying a template into an external policy set, and modifying the parameters. You can find sample templates in an archive file under TIBCO_HOME/amx/version/samples/policy/samples.zip.
Template File:
  WssProviderAuthenticateSAMLSigned.policysets
  WssProviderAuthenticateSAMLUnsigned.policysets
  WssProviderAuthenticateUsernameTokenAndTimestamp.policysets
  WssProviderDecryptAuthenticateUsernameTokenAndSigatureTimestamp.policysets
Can Provide these Intents:
  scaext:clientAuthentication.wssSAML
  scaext:clientAuthentication.usernameToken
  scaext:clientAuthentication.x509
  scaext:providerIntegrity.wss
  scaext:providerConfidentiality.wss
Transactions
TIBCO ActiveMatrix support for transactions conforms to the OASIS Service Component Architecture Policy specification and supports several transaction types.
The following types of transactions are supported: