Web Services Security Guides › CA SiteMinder® Web Services Security Policy Configuration Guide › How to Define the Security Policy for One or More Related Web Services from a WSDL File

How to Define the Security Policy for One or More Related Web Services from a WSDL File

To protect web services in your organization, you create application security policies. These policies define the resources you want protected and specify who is allowed access to the protected application.

Application objects provide an intuitive method of defining a complete security policy for one or more related web services. Application objects associate resources with user roles to specify entitlement policies that determine what web service users can access what web service application resources. Roles identify the set of users who have access to a resource or group of resources in terms of a named or unnamed expression.

This scenario describes how a policy administrator defines the security policy for web service resources from their associated Web Service Definition Language (WSDL) files.

To define the security policy for one or more related web services from a WSDL file, do the following procedures:

1. Verify your administrative rights.
2. Create an application object for the web service resources that you want to protect.
3. (Optional) Configure responses to associate with web service resources.
4. Generate the security policy from the web service definition contained in a WSDL file.
5. Modify the default role created by the wizard to define user access rights.
6. (Optional) Create additional roles to define user access rights.
7. Repeat Steps 4, 5, and 6 for any additional web services defined in other WSDL files that you want to protect in the same application.
8. Modify role assignments in the security policy.

Verify Your Administrative Rights

To implement application security policies, you require the necessary administrative rights. An administrator can be assigned the following application-related rights:

Application administration

The application administration right lets you create, modify, and delete an application and its components.

Policy administration

The policy administration right lets you define the resources, roles, and policies that are associated with an application.

If you do not have the necessary rights, contact the CA SiteMinder® superuser.

Create an Application Object for the Web Services That You Want to Protect

The application object you create for one or more related web services must specify the top-level location of the resources that you want to protect, and a directory of users who are authorized to use the resources.

To identify the application and select the directory server

1. Log in to the Administrative UI
2. Click Policies, Application
3. Click Applications.
4. Click Create Application.

   The Create Application pane opens.

5. Enter values for the fields in the General group box. Choose distinctive values that help you remember its purpose or function, as shown in the following examples:

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Name

   Name of the application

   Description

   (Optional) A description of the application.

6. In the Components group box, specify values for a default component description.

   Note: These fields are mandatory, but the component they define is not used; component definitions for your web services will be created from their WSDL files.

   Agent Type

   Web Agent

   Agent

   Any SiteMinder WSS Agent.

   Resource Filter

   *

7. Accept the defaults for the remaining settings.
8. In the User Directories group box, click Add/Remove.

   The Choose User Directories dialog opens.

9. Select one or more directories that contain the the users that you want to be access the web service resources then click the right arrow to move the selected directory or directories from the Available members column to the Selected Members column.
10. Click OK.

    You return to the General tab.

11. Click Submit.

    The application is identified and the directory selected.

(Optional) Configure Responses to Associate With Web Service Resources

To include a response (for example, to generate WS-Security headers) in the application security policy you generate from a WSDL file, first configure the response.

Follow these steps:

1. Log in to the Administrative UI
2. Open the application object that defines the security policy for web service resources in an editable state.
3. Click the Response tab.
4. Click Create Response.

   The Create Application Response pane opens.

5. Type the name of the response in the General group box.
6. Click Create Response Attribute to create a response attribute, then complete the following steps on the Create Response Attribute pane that opens:
   1. Select a response attribute type from the Attribute drop-down list in the Attribute Type section.

      To configure a response to produce WS-Security headers, select WebAgent-WS-Security-Token. To configure a response to produce SAML Session Tickets, select WebAgent-SAML-Session-Ticket-Variable.

   2. Select an attribute type in the Attribute Kind (one of Static, User Attribute, DN Attribute, and Active Response) section.

      The fields on the Attribute Fields group box are updated to match the specified attribute type.

   3. Complete the fields in the Attribute Fields section to specify required Variable Name/Variable Value pairs.

      Note: For WebAgent-SAML-Session-Ticket-Variable and WebAgent-WS-Security-Token attributes, you can either enter values directly in the Variable Name and Variable Value fields or populate those fields with valid values from the Select a Name and Select a Value lists that appear.

   4. Specify Cache Value or Recalculate value every ... seconds on the Attribute Caching group box.
   5. Click Submit.

      The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Create Response Attribute pane.

7. Create further response attributes as required.
8. Click OK.

   The Create Response Task is submitted for processing and you are returned to the Responses tab.

More information:

How to Configure Responses to Produce WS-Security Headers

How to Configure Responses to Produce SAML Session Tickets

Generate the Security Policy from the Web Service Definition Contained in a WSDL File

After you create the application object, you generate the security policy to protect web service resources from their associated WSDL file.

Follow these steps:

1. Log in to the Administrative UI
2. Click Policies, Application.
3. Click Secure Web Services from WSDL.

   The Secure Web Services from WSDL: Select Application pane appears.

4. Select the application to secure from the Choose an Existing Application list.
5. Click Next.

   The Secure Web Services from WSDL: Input WSDL pane appears.

6. Specify whether you want to open a WSDL file that resides on your local system or at a specific URL by selecting the File or URL option, and identifying the file accordingly as follows:
   • If you chose FILE, click Browse and navigate to its location.
   • If you chose URL, type the URL.in the Enter the WSDL URL field. For example,

     http://example.com/WSDL/my-wsdl.wsdl

7. Click Next.

   The Secure Web Services from WSDL: Define Policies pane appears, displaying a selectable table of the web services (ports) defined in the WSDL file.

8. Define the web service or services to protect in the Define Web Service Protection Policy table:
   • Select the web service or services that you want to protect in the Port Name column.
   • Assign the SiteMinder WSS Agent that will protect each protected web service from the Agent list.
   • Assign an authentication scheme to use to protect each web service from the Authentication Scheme list.
   • (Optional) Choose a response to bind to a web service from the Response list.
9. (Optional) Set the Propagate Authentication Scheme of Web Service to all its operations option to apply the authentication scheme you assigned to protect each web service to all of its constituent operations.
10. Click on a web service entry in the Port Name column to drill down to see its constituent operations in the Define Web Service Protection Policy table and select individual operations to protect, authentication schemes to use, and optionally, response bindings.

    (To return to the top-level WSDL view, click the All Web Services link at the top-left corner of the table.)

11. When your policy definitions are complete, click Next.

    The Secure Web Services from WSDL: Summary pane opens, displaying a summary of the components, subcomponents, and resources that will be created according to your selections.

12. If the summary is correct, click Finish.

    The Administrative UI creates component and resource definitions corresponding to your settings for all specified web service ports and operations, a default application role (that defines no user access), and a security policy that binds that default role with resources.

    However, if you assigned different authentication schemes to a web service port and any of its operations, you must manually create a resource definition for that web service port:

    1. Click Policies, Application, Modify Application.

       The Modify Application pane opens

    2. Specify search criteria, and click Search.

       A list of applications that match the search criteria opens.

    3. Select your application from the list, and click Select.

       The Modify Object: Name pane opens.

    4. Click on the Resources Tab.
    5. Choose the appropriate entry for the web service port from the Select a context root pulldown. No resources should be listed.
    6. Click Create.

       The Create Application Resource pane opens.

       Specifiy a name for the resource, accept the default resource filter (/*) and select the ProcessSOAP and ProcessXML Web Agent actions.

    7. Click OK.
    8. Click Submit.

The Administrative UI creates component and resource definitions corresponding to your settings for all specified web service ports and operations, a default role (that defines no user access), and a security policy that binds that default role with resources.

The web services you chose to protect are now secure. No access requests will be authorized until you modify the default role to define access privileges or create more roles and bind them to resources in the authorization policy.

Note: You can repeat this procedure to add the resources from multiple WSDL files to the same application. However, the Secure Web Services from WSDL operation is only intended for initial generation of policy objects from a particular WSDL file; if a web service changes or you must enable other operations from a previously loaded WSDL file you must delete the previously created application or edit it manually.

Modify the Default Role Created By the Wizard to Define User Access Rights

Roles associate resources with groups of users must be created.The Secure Web Services from WSDL wizard creates a default role that allows no access when it secures web services from a WSDL file. You must modify this role to define a group of users that can access a resource to which the role is assigned.

To create a new role

1. Log in to the Administrative UI
2. Click Policies, Application,
3. Click Applications.
4. Click Modify Application.

   The Modify Application pane opens

5. Specify search criteria, and click Search.

   A list of applications that match the search criteria opens.

6. Select your application from the list, and click Select.

   The Modify Object: Name pane opens.

7. Click the Roles tab.
8. Click the Edit button beside the default role.
9. Ensure the Create a new object of type Role button is selected, and then click OK.

   The Modify Role pane opens.

10. Define the groups, organizations, and user attribute expressions that define the members of the role by making selections in the Users Setup group box.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

11. Click OK.

    The role is modified.

Create Additional Roles to Define User Access Rights

Roles associate resources with groups of users must be created. The Secure Web Services from WSDL wizard creates a default role which is assigned to all resources in when it secures web services from a WSDL file. If required, you can create additional roles.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

To create a new role

1. Log in to the Administrative UI
2. Click Policies, Application
3. Click Applications.
4. Click Modify Application.

   The Modify Application pane opens

5. Specify search criteria, and click Search.

   A list of applications that match the search criteria opens.

6. Select your application from the list, and click Select.

   The Modify Object: Name pane opens.

7. Click the Roles tab.
8. Click Create Role.
9. Verify that the Create a new object of type Role button is selected, and then click OK.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

10. Enter a name and optionally, a description for the role.
11. Specify whether the role applies to All Users or Selected Users in the configured user directories.

    Note: The Users Setup and Advanced sections do not apply when the All Users option is set and are no longer displayed.

12. Define the groups, organizations, and user attribute expressions that define the members of the role by making selections in the Users Setup group box.
13. Click OK.

    The role is created.

14. Repeat steps 8 through 13 for each additional required role.

Modify Role Assignments in the Security Policy

The Secure Web Services from WSDL wizard generates an application security policy that binds the web service resources specified in a WSDL to a default. You can modify this policy to change the roles assigned to resources to allow different groups of users to access different resources protected by the application.

Follow these steps:

1. Log in to the Administrative UI
2. Click Policies, Application
3. Click Applications.
4. Click Modify Application.
5. Specify search criteria, and click Search.

   A list of applications that match the search criteria opens.

6. Select your application from the list, and click Select.

   The Modify Object: Name pane opens.

7. Click the Policies tab.

   The Policies pane opens and displays a table listing the configured resources and available roles. This table lets you quickly see which roles can be granted access to which resources.

8. Place or remove checks in the role column to set the required role assignments for each web service resource.

   For example, if you had a human resources application that secures a web service for benefits management and another for performance appraisals and separate roles for employees and managers, you could:

   1. Check the Employees role beside the rows of resources that protect the benefits management operations to create a policy that allows employees to manage their benefits.
   2. Check the Managers beside the rows of resources that protect the performance appraisals to create a policy that allows only managers to access the performance appraisals web service.
9. Click Submit.

   Security policies are created for each role assigned.

Note: If you need to edit resources or roles, you must make the changes on the respective tabs and not on the Policies pane.