Identifying and Authenticating Consumer Applications
To identify and authenticate consumer applications, you perform the following high-level steps:
1. Include the Evaluate (consumer) action in the API's Message Flow.
To identify and authenticate the consumer applications that are requesting a virtual API, that API must have a run-time policy that includes one of the Evaluate actions. In an Evaluate action, you specify the consumer identifier you want to use for identifying and authenticating consumer applications. This action extracts the specified identifier from an incoming request and locates the consumer application defined by that identifier.
For example, if you configure the Evaluate IP Address action to identify and authenticate consumers, the PEP extracts the IP address from a request’s HTTP header at run time and searches its list of application assets for the application that is defined by that IP address.
You can configure an “Evaluate” action to identify consumer applications based on the appropriate consumer identifier in a request message:
| Action Name | Consumer Identifier | Description |
|---|---|---|
| Evaluate IP Address | IP Address | The IP address from which the request originated. |
| Evaluate Hostname | Host Name | The name of the host machine from which the request originated. |
| Evaluate HTTP Basic Authentication | HTTP Authentication Token | The user ID submitted by the requestor when it was asked to provide basic HTTP credentials (user name and password). |
| Evaluate WSS Username Token | WS-Security Authentication Token | The WSS username token supplied in the header of the SOAP or XML request that the consumer application submitted to the virtual API. |
| Evaluate XPath Expression | Custom Identification | A string produced by applying a specified XPath expression to the SOAP or XML request that the consumer application submitted to the virtual API. |
| Evaluate WSS X.509 Certificate | Consumer Certification | The X.509 certificate supplied in the header of the SOAP or XML request that the consumer application submitted to the asset. |
| Evaluate Client Certificate for SSL Connectivity | Client Certificate for SSL Connectivity | The client's certificate that the consumer application submits to the asset. The certificate is supplied during the SSL handshake over the Transport layer. Communication between the client and the asset must be over HTTPS. |
When deciding which “Evaluate” action to use to identify and authenticate a consumer application, consider the following points:
* Whatever identifier you choose to identify a consumer application, it must be unique to the application. Identifiers that represent user names are often not suitable because the identified users might submit requests for multiple applications.
* Identifying applications by IP address or host name is often a suitable choice; however, it creates a dependency on the network infrastructure. If a consumer application moves to a new machine, or its IP address changes, you must update the identifiers in the application asset.
* Using X.509 certificates or a custom token that is extracted from the SOAP or XML message itself (using an XPath expression) is often the most trouble-free way to identify a consumer application.
For more information about the "Evaluate" actions, see Usage Cases for Identifying/Authenticating Consumers.
2. Create an application asset in the registry.
In the application asset, you specify precise values for the consumer identifier(s) that you specified in the "Evaluate" action. For details, see Creating a Consumer Application.
3. Specify the application asset in the Consume action of the API to be consumed.
The Consume action is located in the API's detail page.
The run-time behavior of identifying and authenticating consumers is as follows:
1. CentraSite translates the application asset to the appropriate WS-Security policy assertions or an equivalent XML when the application asset is enforced by the PEP.
2. When a consumer application requests access to an asset, the PEP tries to map the consumer's identifier (which is found in the request) to an identifier in the application asset.
* If the identifier is an IP address, a host name, a custom identification string or a consumer certificate, the PEP tries to identify the consumer (the consumer is not authenticated).
* If the identifier is an HTTP Authentication token or a WS-Security Authentication token, the PEP tries to authenticate the consumer. If you use webMethods Mediator, authentication is handled by LDAP or by another external authentication mechanism, depending on how Mediator is configured. If you use a third-party PEP, authentication capabilities depend on the PEP.
3. The identified or authenticated consumer information is published back to the registry as part of the transaction or other events. This information is used to correlate the consumer-specific run-time dependencies.
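As an added illustration (not CentraSite's or Mediator's own code) of the Evaluate actions and of the identify-versus-authenticate distinction in step 2 above: a small Python stand-in for the PEP that extracts the consumer identifier from a request, maps it to exactly one application asset, and reports whether the consumer was merely identified or actually authenticated. The application assets, credential store, request shape and XML namespace are all assumptions made up for this example.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed application assets: identifier kind -> exact values registered for
# that consumer application (all values are made up for this example).
APPLICATIONS = {
    "OrderPortal": {"ip": {"10.0.0.5"}, "basic_user": {"orders-svc"}, "custom_id": {"ORDERS-A1"}},
    "Warehouse": {"ip": {"10.0.0.9"}, "basic_user": set(), "custom_id": {"WH-77"}},
}
# Constructed stand-in for the LDAP/external authenticator Mediator would consult.
CREDENTIALS = {"orders-svc": "s3cret"}

def _lookup(kind, value):
    """Map an extracted identifier to exactly one application asset; a value that
    matches several assets is not unique to one application, so it identifies none."""
    matches = [name for name, ids in APPLICATIONS.items() if value in ids[kind]]
    return matches[0] if len(matches) == 1 else None

def evaluate_ip(request):
    """Evaluate IP Address: identification only, the consumer is not authenticated."""
    return _lookup("ip", request.get("remote_addr")), False

def evaluate_http_basic(request):
    """Evaluate HTTP Basic Authentication: verify the credentials first, then map
    the authenticated user ID to an application asset."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Basic "):
        return None, False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None, False
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None, False
    return _lookup("basic_user", user), True

def evaluate_xpath(request, xpath):
    """Evaluate XPath Expression: custom identification from the XML body, no authentication."""
    try:
        node = ET.fromstring(request.get("body", "")).find(xpath)
    except ET.ParseError:
        return None, False
    value = (node.text or "").strip() if node is not None else ""
    return (_lookup("custom_id", value), False) if value else (None, False)

def basic_auth_header(user, password):
    """Build an Authorization header value for a constructed sample request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Each evaluator returns `(application, authenticated)`, so a request that matches no asset, or a credential that fails verification, yields `(None, False)` and should be rejected before the Consume step.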
Copyright © Software AG, Darmstadt, Germany.