CentraSite Documentation : Runtime Governance with CentraSite : Run-Time Governance Reference : Built-In Run-Time Actions Reference for APIs : Summary of the Run-Time Actions : Policy Enforcement Actions : Security Actions
Security Actions
Security actions provide client validation (through WSS X.509 certificates, WSS username tokens, and so on), confidentiality (through encryption) and integrity (through signatures) for request and response messages.
For the client validation, Mediator maintains a list of consumer applications specified in CentraSite that are authorized to access the API published to Mediator. Mediator synchronizes this list of consumer applications through a manual process initiated from CentraSite.
Generally speaking there are two different lists of consumers in the Mediator:
*List of Registered Consumers
List of users and consumer applications (represented as Application assets) who are registered as consumers for the API in CentraSite, and available in the Mediator.
*List of Global Consumers
List of all users and consumer applications (represented as consumers) available in the Mediator.
Mediator provides “Evaluate” actions that you can include in a message flow to identify and/or validate clients, and then configure their parameters to suit your needs. You use these “Evaluate” actions to perform the following actions:
*Identify the clients who are trying to access the APIs (through IP address or hostname).
*Validate the client's credentials.
Evaluate Client Certificate for SSL Connectivity
Mediator validates the client's certificate that the client submits to the API in CentraSite. The client certificate that is used to identify the client is supplied by the client to the Mediator during the SSL handshake over the transport layer.
Evaluate Hostname
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's hostname against the specified list of consumers in the Integration Server on which Mediator is running.
Evaluate HTTP Basic Authentication
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's authentication credentials contained in the request's Authorization header against the specified list of consumers in the Integration Server on which Mediator is running.
Evaluate IP Address
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's IP address against the specified list of consumers in the Integration Server on which Mediator is running.
Evaluate KerberosToken
Mediator tries to authenticate the client based on the Kerberos token and the authenticated client principal name is verified with the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
Evaluate OAuth2 Token
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's OAuth access token against the specified list of consumers in the Integration Server on which Mediator is running.
Evaluate WSS Username Token
Applicable only for SOAP APIs.
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's WSS username token against the specified list of consumers in the Integration Server on which Mediator is running.
Evaluate WSS X.509 Certificate
Applicable only for SOAP APIs.
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's WSS X.509 token against the specified list of consumers in the Integration Server on which Mediator is running.
Evaluate XPath Expression
*Mediator tries to identify the client against either the Registered Consumers list (the list of registered consumers in Mediator) or the Global Consumers list (the list of available consumers in Mediator).
*Mediator tries to validate the client's XPath expression against the specified list of consumers in the Integration Server on which Mediator is running.
Require Encryption
Applicable only for SOAP APIs.
Requires that a request's XML element, which is represented by an XPath expression or parts of SOAP request such as SOAP body or SOAP headers to be encrypted.
Require Signing
Applicable only for SOAP APIs.
Requires that a request's XML element, which is represented by an XPath expression or parts of SOAP request such as SOAP body or soap headers be signed.
Require SSL
Applicable only for SOAP APIs.
Requires that requests be sent through SSL client certificates.
Require Timestamps
Applicable only for SOAP APIs.
Requires that timestamps be included in the request header. Mediator checks the timestamp value against the current time to ensure that the request is not an old message. This serves to protect your system against attempts at message tampering, such as replay attacks.
Require WSS SAML Token
Applicable only for SOAP APIs.
Uses a WSS Security Assertion Markup Language (SAML) assertion token to validate API clients.
Validate SAML Audience URIs
The policy is used to validate the Audience Restriction in the conditions section of the SAML assertion. The policy verifies whether any valid Audience URI within a valid condition element in a SAML assertion matches with any of the configured URIs.
Copyright © 2005-2016 Software AG, Darmstadt, Germany.
Product LogoContact Support   |   Community   |   Feedback