Identifying Consumer Applications
To identify consumer applications, you perform the following high-level steps:
1. Include the Identify Consumer action in the asset's run-time policy.
To identify the consumer applications that are requesting an asset, that asset must have a run-time policy that includes the Identify Consumer action. In this action, you specify the consumer identifier(s) you want to use for identifying consumer applications. (Alternatively, you may configure this action to allow unrestricted access.) This action extracts the specified identifier from an incoming request and locates the consumer application defined by that identifier.
For example, if you configure the Identify Consumer action to identify consumers by IP address, the PEP extracts the originating IP address from the incoming request at run time and searches its list of application assets for the application that is defined by that IP address.
You can configure the Identify Consumer action to identify consumer applications based on one or more of the following consumer identifiers in a request message:
| Consumer Identifier | Description |
|---|---|
| IP Address | The IP address from which the request originated. |
| Host Name | The name of the host machine from which the request originated. |
| HTTP Authentication Token | The user ID submitted by the requestor when it was asked to provide basic HTTP credentials (user name and password). |
| WS-Security Authentication Token | The WSS username token supplied in the header of the SOAP or XML request that the consumer application submitted to the virtualized service. |
| Custom Identification | A string produced by applying a specified XPath expression to the SOAP or XML request that the consumer application submitted to the virtualized service. |
| Consumer Certificate | The X.509 certificate supplied in the header of the SOAP or XML request that the consumer application submitted to the asset. |
| Client Certificate for SSL Connectivity | The client certificate that the consumer application presents to the asset during the SSL/TLS handshake at the transport layer. Communication between the client and the asset must be over HTTPS. |
When deciding which type of identifier to use to identify a consumer application, consider the following points:
Whatever identifier you choose to identify a consumer application, it must be unique to that application. Identifiers that represent user names are often not suitable, because the same user might submit requests on behalf of several applications, and the PEP would then map them all to one application asset.
Identifying applications by IP address or host name is often a suitable choice; however, it creates a dependency on the network infrastructure. If a consumer application moves to a new machine, or its IP address changes, you must update the identifiers in the application asset, and until you do, the PEP will fail to identify (or misidentify) that consumer.
Using X.509 certificates, or a custom token that is extracted from the SOAP or XML message itself (using an XPath expression), is often the most trouble-free way to identify a consumer application, because the identifier travels with the message and does not change when the consumer is redeployed.
2. Create an application asset in the registry.
In the application asset you specify the precise values for the consumer identifier(s) that you selected in the Identify Consumer action. For details, see Creating a Consumer Application.
3. Specify the application asset in the Consumers profile of the asset to be consumed.
The Consumers profile is located in the asset's detail page.
The run-time behavior of identifying consumers is as follows:
1. CentraSite translates the application asset to the appropriate WS-Security policy assertions or an equivalent XML when the application asset is enforced by the PEP.
2. When a consumer application requests access to an asset, the PEP tries to map the consumer's identifier (which is found in the request) to an identifier in the application asset.
If the identifier is an IP address, a host name, a custom identification string or a consumer certificate, the PEP only identifies the consumer; it does not authenticate it. The value is taken as it appears in the request, so a match establishes which application asset the request is attributed to, not that the requestor has proven who it is.
If the identifier is an HTTP Authentication token or a WS-Security Authentication token, the PEP authenticates the consumer before mapping it. If you use webMethods Mediator, authentication is handled by LDAP or by another external authentication mechanism, depending on how Mediator is configured. If you use a third-party PEP, authentication capabilities depend on the PEP.
3. The identified or authenticated consumer information is published back to the registry as part of the transaction or other events. This information is used to correlate the consumer-specific run-time dependencies.
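The following Python model, added here as an illustration and not part of CentraSite or Mediator, walks through the mapping step described above: an Identify Consumer action configured with an ordered list of identifier types, a registry of application assets holding the accepted identifier values, and a request from which the PEP extracts each identifier in turn. It shows the identified/authenticated distinction concretely: a WS-Security username token with a wrong password is rejected, while the same request is still identified by its IP address if that identifier is also configured. The namespace URIs are the standard SOAP 1.1 and WSS 1.0 ones; the `urn:example:orders` namespace, the `USER_DIRECTORY` dictionary standing in for LDAP, the asset names and all sample values are constructed for the example.

```python
"""Model of the Identify Consumer run-time step (added example, not product code)."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "ord": "urn:example:orders"}  # ord is constructed

# Identifier types the PEP reads as presented (identified, not authenticated).
IDENTIFIED_ONLY = {"ip_address", "host_name", "custom_identification"}
# Identifier types the PEP must verify against a credential store first.
AUTHENTICATED = {"http_auth_token", "wss_auth_token"}

# Hypothetical directory standing in for LDAP or another external mechanism.
USER_DIRECTORY = {"orders-svc": "s3cret"}


@dataclass
class ApplicationAsset:
    name: str
    identifiers: Dict[str, Set[str]]  # identifier type -> accepted values


@dataclass
class Request:
    peer_ip: str          # taken from the transport connection, not from a header
    peer_host: str
    headers: Dict[str, str]
    body: str


def extract_identifier(kind: str, req: Request, xpath: Optional[str]) -> Optional[str]:
    """Return the identifier value of the given kind, or None if absent/invalid."""
    if kind == "ip_address":
        return req.peer_ip
    if kind == "host_name":
        return req.peer_host
    if kind == "http_auth_token":
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        return user if USER_DIRECTORY.get(user) == pwd else None
    if kind == "wss_auth_token":
        root = ET.fromstring(req.body)
        user = root.find(".//wsse:UsernameToken/wsse:Username", NS)
        pwd = root.find(".//wsse:UsernameToken/wsse:Password", NS)
        if user is None or pwd is None:
            return None
        return user.text if USER_DIRECTORY.get(user.text) == pwd.text else None
    if kind == "custom_identification":
        node = ET.fromstring(req.body).find(xpath, NS)
        return node.text.strip() if node is not None and node.text else None
    raise ValueError("unsupported identifier type: " + kind)


def identify_consumer(action: List[Tuple[str, Optional[str]]],
                      assets: List[ApplicationAsset], req: Request,
                      unrestricted: bool = False) -> Tuple[Optional[str], str]:
    """Map a request to an application asset using the configured identifiers in order.

    Returns (asset name, "identified" | "authenticated"), or (None, "unrestricted")
    when no identifier matched but the action allows unrestricted access,
    or (None, "rejected") otherwise.
    """
    for kind, xpath in action:
        value = extract_identifier(kind, req, xpath)
        if value is None:
            continue
        for asset in assets:
            if value in asset.identifiers.get(kind, set()):
                return asset.name, ("authenticated" if kind in AUTHENTICATED else "identified")
    return None, ("unrestricted" if unrestricted else "rejected")


# Constructed sample SOAP request carrying a WSS username token and a custom id.
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}"
    xmlns:ord="urn:example:orders">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>orders-svc</wsse:Username><wsse:Password>s3cret</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><ord:GetOrder><ord:ApplicationId>APP-ORDERS-01</ord:ApplicationId>
    <ord:Id>42</ord:Id></ord:GetOrder></soap:Body>
</soap:Envelope>"""

ASSETS = [  # constructed registry entries
    ApplicationAsset("OrdersPortal", {"ip_address": {"10.1.2.3"},
                                      "http_auth_token": {"orders-svc"},
                                      "wss_auth_token": {"orders-svc"},
                                      "custom_identification": {"APP-ORDERS-01"}}),
    ApplicationAsset("ReportingBatch", {"host_name": {"reporting.example.internal"}}),
]


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    good = Request("10.1.2.3", "orders.example.internal", {}, SAMPLE_SOAP)
    basic = base64.b64encode(b"orders-svc:s3cret").decode()
    with_basic = Request("10.1.2.3", "orders.example.internal",
                         {"Authorization": "Basic " + basic}, SAMPLE_SOAP)
    # Same source IP, but the WSS password is wrong.
    bad_pwd = Request("10.1.2.3", "orders.example.internal", {},
                      SAMPLE_SOAP.replace("s3cret", "wrong"))
    return {
        "by_ip": identify_consumer([("ip_address", None)], ASSETS, good),
        "by_http": identify_consumer([("http_auth_token", None)], ASSETS, with_basic),
        "by_wss": identify_consumer([("wss_auth_token", None)], ASSETS, good),
        "by_xpath": identify_consumer([("custom_identification", ".//ord:ApplicationId")], ASSETS, good),
        "bad_wss": identify_consumer([("wss_auth_token", None)], ASSETS, bad_pwd),
        # Fallback to IP: identified, but not authenticated.
        "wss_then_ip": identify_consumer([("wss_auth_token", None), ("ip_address", None)], ASSETS, bad_pwd),
        "unknown_host": identify_consumer([("host_name", None)], ASSETS, good),
        "unknown_open": identify_consumer([("host_name", None)], ASSETS, good, unrestricted=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The ordering of the `action` list matters: the first identifier that extracts and matches wins, so placing an authenticated identifier before IP or host name means a request is attributed by its credential when one is present and by its network origin only as a fallback, which is the distinction the run-time description above draws between identifying and authenticating a consumer.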