CentraSite 10.3 | CentraSite User’s Guide | Runtime Governance | Run-Time Policy Management | Built-In Run-Time Actions Reference (CentraSite Business UI) | Effective Policies
 
Effective Policies
When you publish an API to Mediator, CentraSite automatically validates the API's policy enforcement workflow to ensure that:
CentraSite informs you of any violation, and you have to correct the violations before publishing the API.
When you publish an API to Mediator, CentraSite combines the actions specified within the proxy API's enforcement definition, and generates what is called the effective policy for the API. For example, suppose your API is configured with two run-time actions: one that performs a logging action and another that performs a security action. When you publish the API, CentraSite automatically combines the two actions into one effective policy. The effective policy, which contains both the logging action and the security action, is the policy that CentraSite actually publishes to Mediator with the API.
When CentraSite generates the effective policy, it validates the resulting action list to ensure that:
*Any action that appears in a single message flow multiple times is allowed to appear multiple times.
For those actions that can appear in a message flow only once (for example, Evaluate IP Address), Mediator selects only one, which might cause problems or unintended results.
*All action dependencies are properly met. That is, some actions must be used in conjunction with another particular action.
If the list contains conflicts or inconsistencies, CentraSite resolves them according to Policy Resolution Rules.
The effective policy that CentraSite produces for an API is contained in an object called a virtual service definition (VSD). The VSD is given to Mediator when you publish the API. After you publish an API to Mediator, you can view its VSD (and thus examine the effective policy that CentraSite generated for it) from the Mediator user interface.
The following table shows:
*Action is WS-Security Policy 1.2 compliant.
*Action dependencies, that is, whether an action must be used in conjunction with another particular action.
*Action exclusives, that is, whether an action cannot be used in conjunction with another particular action.
*Action occurrences, that is, whether an action can occur once or multiple times within a message flow stage. An action can occur multiple times in a policy if the selection criteria is combined using an AND operator (not an OR operator).
Action
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Require JMS
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Require HTTP / HTTPS
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
WS-Security based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
At least one of the following actions:
*Evaluate WSS Username Token
*Evaluate WSS X.509 Certificate
*Require Signing
*Require Encryption
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
If you Evaluate Kerberos Token at:
*Message Level: Yes
*Transport Level: No
Dependency Requirement
None
Mutually Exclusive
No
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
*Evaluate OAuth2 Authentication
*OAuth2 Authentication
*NTLM Authentication
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
At least one Evaluate action, or the Require WSS SAML Token.
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
At least one Evaluate action, or the Require WSS SAML Token.
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
At least one of the Evaluate actions, or the Require WSS SAML Token, provided the Alert for Consumer Applications value is specified.
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
At least one Routing based action.
Mutually Exclusive
*NTLM Authentication
*OAuth2 Authentication
*JMS Routing Rule
*Evaluate OAuth2 Authentication
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
At least one Routing based action.
Mutually Exclusive
*HTTP Basic Authentication
*OAuth2 Authentication
*JMS Routing Rule
*Evaluate HTTP Basic Authentication
*Evaluate OAuth2 Authentication
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
At least one of the Routing actions.
Mutually Exclusive
*HTTP Basic Authentication
*NTLM Authentication
*JMS Routing Rule
*Evaluate HTTP Basic Authentication
Once or multiple in a policy?
Once
WS-Security Policy Compliant
If you Evaluate Kerberos Token at:
*Message Level: Yes
*Transport Level: No
Dependency Requirement
Only the Evaluate HTTP Basic Authentication policy is enforced and the Authenticate User option is selected.
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
Yes
Dependency Requirement
None
Mutually Exclusive
*HTTP Basic Authentication
*NTLM Authentication
*JMS Routing Rule
*Evaluate HTTP Basic Authentication
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
JMS Routing Rule
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
JMS Routing Rule
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
Routing based actions
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
At least one Routing based action.
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
If Context Variable is selected as the Route using option then 'Invoke webMethods Integration Server' must be configured as part of Request Handling to set the Context Variable for ROUTING_ENDPOINT.
Mutually Exclusive
*Straight Through Routing
*Content Based Routing
*Load Balancing and Failover Routing
*Context Based Routing
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Multiple
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once
WS-Security Policy Compliant
No
Dependency Requirement
None
Mutually Exclusive
None
Once or multiple in a policy?
Once