Policy sets
Policy sets and bindings define and configure your WS-Security and WS-RM requirements, supported by IBM® Integration Bus, for the SOAPInput, SOAPReply, SOAPRequest, SOAPAsyncRequest, and SOAPAsyncResponse nodes.
A policy set is a container for the WS-Security and WS-RM policy types.
A policy set binding is associated with a policy set and contains information that is specific to the environment and platform, such as information about keys.
- Authentication for the following tokens:
- Username tokens (requires a security profile to specify the external security provider)
- X.509 certificates (requires the integration node keystore and truststore, or a security profile to specify the external security provider)
- SAML assertions, using SAML 1.1 or 2.0 pass-through (requires a security profile to specify the external security provider)
- LTPA tokens, using LTPA pass-through (requires a security profile to specify the external security provider)
- Asymmetric encryption (confidentiality) using X.509 certificates (requires the integration node keystore and truststore)
- Symmetric encryption (confidentiality) using Kerberos tokens (requires the host to be configured for Kerberos)
- Asymmetric signature (integrity) (requires the integration node keystore and truststore)
Either the whole SOAP message body, or specific parts of the SOAP message header and body can be encrypted and signed.
You administer policy sets and bindings from IBM Integration Toolkit, where you can add, delete, display and edit policy sets and bindings. Any changes to policy sets or bindings are saved directly to the associated integration node. You must stop and then restart the message flow for the new configuration information to take effect.
Policy sets are associated with a message flow, a node (or both) in the BAR file editor. For convenience, you can specify settings for provider and consumer at the message flow level. The provider setting applies to all SOAPInput and SOAPReply nodes in the message flow. The consumer setting applies to all SOAPRequest, SOAPAsyncRequest, and SOAPAsyncResponse nodes. Individual policy set and binding assignments can be applied at the node level in the BAR editor, and these take precedence over the flow-level provider and consumer settings. The default setting is none, meaning that no policy set and bindings are to be used. For more information, see Associating policy sets and bindings with message flows and nodes.
Several nodes in the same message flow can refer to the same policy set and bindings. It is the responsibility of the administrator to ensure that the required policy sets are available to the integration node at run time. An error is reported if the integration node cannot find the associated policy set or bindings.
The rest of this topic describes some of the terms that you will meet when configuring policy sets and bindings.
Default policy set and bindings
When an integration node is created, a default policy set and bindings are created called WSS10Default. This default contains a limited security policy which specifies that a Username token is present in request messages (inbound) to SOAPInput nodes in the associated message flow. A default WS-RM policy set called WSRMDefault is also created.
The default policy set binding refers to the default WSS10Default policy set, but not to WSRMDefault. They are not editable.
Consumer and provider nodes
Request and response
Node | Integration node viewpoint | Request | Response |
---|---|---|---|
SOAPInput | SOAP message inbound | Inbound message | Not applicable |
SOAPReply | SOAP message outbound | Not applicable | Outbound message |
SOAPRequest | SOAP message outbound followed by a SOAP message inbound | Outbound message | Inbound message |
SOAPAsyncRequest | SOAP message outbound | Outbound message | Not applicable |
SOAPAsyncResponse | SOAP message inbound | Not applicable | Inbound message |
Initiator and recipient
Node | Integration node viewpoint | Initiator | Recipient |
---|---|---|---|
SOAPInput | SOAP message inbound | External client sending SOAP message to the integration node. | SOAPInput node |
SOAPReply | SOAP message outbound | External client that sent the original SOAP message to the integration node. | SOAPReply node |
SOAPRequest (outbound) | SOAP message outbound followed by a SOAP message inbound | SOAPRequest node | External provider receiving the SOAP message |
SOAPRequest (inbound) | SOAP message outbound followed by a SOAP message inbound | SOAPRequest node | External provider receiving the SOAP message |
SOAPAsyncRequest | SOAP message outbound | SOAPAsyncRequest node | External provider receiving the SOAP message |
SOAPAsyncResponse | SOAP message inbound | SOAPAsyncRequest node | External provider receiving the SOAP message |
SOAPInput and SOAPReply nodes
In this diagram, the integration node acts as recipient. A SOAPInput node receives a message from a client (initiator). A SOAPReply node replies. Inbound and outbound messages are signed and encrypted.- The initiator uses the integration node's public encryption token to encrypt the message, and its own private signature token to sign it.
- The integration node uses its own private encryption token to decrypt the message, and the initiator's public signature token to verify the signature.
- The integration node uses the initiator's public encryption token to encrypt the message, and its own private signature token to sign the message.
- The initiator uses its own private encryption token to decrypt the message, and the integration node's public signature token to verify the signature.
SOAPRequest node
This diagram shows the integration node acting as an initiator. It uses the SOAPRequest node to make a synchronous request to an external provider (the recipient). Inbound and outbound messages are signed and encrypted. Use of tokens is similar to the example of the asynchronous SOAP nodes, shown earlier.- The integration node uses the recipient's public encryption token to encrypt the message, and its own private signature token to sign the message.
- The recipient uses its own private encryption token to decrypt the message, and the integration node's public signature token to verify the signature.
- The recipient uses the integration node's public encryption token to encrypt the message, and its own private signature token to sign the message.
- The integration node uses its own private encryption token to decrypt the message, and the initiator's public signature token to verify the signature.
Asynchronous SOAP nodes
- The integration node uses the recipient's public encryption token to encrypt the message, and its own private signature token to sign the message.
- The recipient uses its own private encryption token to decrypt the message, and the integration node's public signature token to verify the signature.
- The recipient uses the integration node's public encryption token to encrypt the message, and its own private signature token to sign the message.
- The integration node uses its own private encryption token to decrypt the message, and the initiator's public signature token to verify the signature.