IBM WebSphere DataPower XML Integration Appliance XI50: Web Service Proxy Developers Guide
Version 3.8.0
Note: Before using this information and the product it supports, read the information in Notices and trademarks on page 419.
Contents
Preface . . . . . vii
Who should read this document . . . . . vii
How this document is organized . . . . . vii
Publications . . . . . viii
Installation and upgrade documentation . . . . . viii
Administration documentation . . . . . ix
Development documentation . . . . . ix
Reference documentation . . . . . ix
Integration documentation . . . . . ix
Problem determination documentation . . . . . x
Supplemental documentation . . . . . x
External resources . . . . . xi
File naming guidelines . . . . . xi
Object naming guidelines . . . . . xii
Typeface conventions . . . . . xii
Moving files
Viewing files
Editing files
Deleting files
UDDI Registry
UDDI Subscription
Publishing to a UDDI registry
Viewing the status of UDDI subscriptions
URL Map
URL Map Rule tab
URL Rewrite Policy
Creating a URL Rewrite Policy
User Agent
Creating a user agent
Modifying the basic configuration
Adding an HTTP proxy policy
Adding an SSL proxy policy
Adding a basic authentication policy
Adding a SOAP action policy
Adding a public key authentication policy
Adding a compression policy
Adding a header retention policy
Adding an HTTP 1.0 restriction policy
Adding a header injection policy
Adding a chunked upload policy
Adding an FTP client policy
Creating Web Service Proxy objects
Creating a new Web Service Proxy
Specifying basic proxy operation
Configuring Proxy settings
Setting HTTP options
Setting Parser Limits
Assigning Monitors
Enabling support for WS-Addressing
Configuring Dynamic Endpoints
Enabling Web Service Reliable Messaging
Adding a proprietary header
Deleting a header from the message stream
Passing parameter-value pairs to style sheets
Refreshing WSDL Cache
Editing or adding WSDL files
Defining a user policy for WSDL operations
Specifying UDDI Subscriptions
WSRR Subscription tab
Operation Priority tab
Operation Conformance Policy tab
Operation Policy Subject Opt Out tab
Policy Parameters tab
Reliable Messaging tab
WS-Proxy Endpoint Rewrite
Main tab
Local Rewrite Rule tab
Remote Rewrite Rule tab
Publish Rewrite Rule tab
Subscription Local Rewrite Rule tab
Subscription Remote Rewrite Rule tab
Subscription Publish Rewrite Rule tab
WebSphere JMS servers
Transactional messaging
Configuring a WebSphere JMS server
WebSphere Service Registry and Repository
Service variables
General service variables
Multi-Protocol Gateway and Web Service Proxy service variables
Configuration services service variables
Load balancer service variables
Legacy MQ-specific service variables
Multistep variables
Transaction variables
Asynchronous transaction variables
Error handling transaction variables
Headers transaction variables
Persistent connection transaction variables
Routing transaction variables
URL-based transaction variables
Web Services Management transaction variables
Extension variables
System variables
List of available variables
Notices and trademarks . . . . . 419
Index . . . . . 421
Preface
IBM WebSphere DataPower SOA Appliances are purpose-built, easy-to-deploy
network appliances that simplify, help secure, and accelerate your XML and Web
services deployments while extending your SOA infrastructure. These appliances
offer an innovative, pragmatic approach to harness the power of SOA while
simultaneously enabling you to leverage the value of your existing application,
security, and networking infrastructure investments.
Who should read this document
Developers should also be familiar with the SSL protocol, public and private key
exchange, digital signatures, cryptographic algorithms, and certificate authorities.
This document assumes that an Administrator has installed and initially
configured the appliance as described in the IBM WebSphere DataPower SOA
Appliances: 9003: Installation Guide or in the IBM WebSphere DataPower SOA
Appliances: Type 9235: Installation Guide, depending on the model type.
Publications
The IBM WebSphere DataPower library is organized into the following categories:
• Installation and upgrade documentation
• Administration documentation
• Development documentation
• Reference documentation
• Integration documentation
• Problem determination documentation
• Supplemental documentation
Installation and upgrade documentation
Provides instructions for upgrading Generation 2 firmware and for rolling back
firmware upgrades.
Administration documentation
• IBM WebSphere DataPower SOA Appliances: Appliance Overview
Provides an introduction to and understanding of the IBM WebSphere DataPower
SOA appliances.
• IBM WebSphere DataPower XML Integration Appliance XI50: Administrators Guide
Provides instructions for using the DataPower GUI for managing user access,
network access, appliance configuration, and system configuration of the
appliance.
• IBM WebSphere DataPower SOA Appliances: Hardware Security Module Guide
A user guide for using a Hardware Security Module (HSM) installed in the
appliance.
Development documentation
• IBM WebSphere DataPower XML Integration Appliance XI50: XSL Accelerator Developers Guide
Provides instructions for using the WebGUI to configure XSL Proxy and XSL
Coprocessor services.
• IBM WebSphere DataPower XML Integration Appliance XI50: XML Firewall Developers Guide
Provides instructions for using the WebGUI to configure XML Firewall services.
• IBM WebSphere DataPower XML Integration Appliance XI50: Web Application Firewall Developers Guide
Provides instructions for using the WebGUI to configure Web Application
Firewall services.
• IBM WebSphere DataPower XML Integration Appliance XI50: Multi-Protocol Gateway Developers Guide
Provides instructions for using the WebGUI to configure Multi-Protocol
Gateway services.
• IBM WebSphere DataPower XML Integration Appliance XI50: Web Service Proxy Developers Guide
Provides instructions for using the WebGUI to configure Web Service Proxy
services.
Reference documentation
• IBM WebSphere DataPower XML Integration Appliance XI50: Command Reference
Product-specific documentation for using commands from the command line.
The documentation provides an alphabetic list of all commands with syntax and
functional descriptions.
• IBM WebSphere DataPower SOA Appliances: Extension Elements and Functions Catalog
Provides programming information about the usage of DataPower XSLT
extension elements and extension functions.
Integration documentation
The following documents are available for managing the integration of related
products that can be associated with the DataPower appliance:
Supplemental documentation
• Converting between JSON and JSONx
Provides information about and procedures for converting between JavaScript
Object Notation (JSON) and JSONx, an XML representation of JSON.
• Configuring DoD PKI
Provides conceptual information about and procedures for configuring the
DataPower appliance with Department of Defense (DoD) Public Key
Infrastructure (PKI).
• Optimizing through Streaming
Provides conceptual information about and procedures for optimizing the
DataPower appliance through streaming.
• Securing the Last Mile
Provides conceptual information about and procedures for using the
DataPower appliance to secure the last mile.
• Understanding LTPA
Provides conceptual information about how the DataPower appliance can use
Lightweight Third Party Authentication (LTPA).
• Understanding SPNEGO
Provides conceptual information about how the DataPower appliance can use
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). SPNEGO is
also referred to as Integrated Windows Authentication.
• Understanding Web Services Policy
Provides conceptual information about how the DataPower appliance can use
Web Services Policy (WS-Policy).
• Understanding WS-Addressing
Provides conceptual information about how the DataPower appliance can use
WS-Addressing.
External resources
Beyond the online help, no other informational resource is available on the
appliance. You can access the following external resources if a problem occurs or if
you need help.
DataPower Product Documentation Portal
You can access and download documents in the DataPower library using
the details in technical flash 1377654.
http://www.ibm.com/support/docview.wss?rs=2362&uid=swg21377654
DataPower product Web site
http://www.ibm.com/software/integration/datapower
This Web site provides information about the appliances in the DataPower
portfolio. From this page, you can access the product library, news, and
support areas. The Support link, in particular, has important flash notes
plus a wealth of pointers to Redbooks, frequently asked questions, and
troubleshooting information.
An important link on the DataPower Support page is Firmware and
documentation download. From this page, you can access and download
updated documentation and firmware images for your particular appliance.
This page also provides directions for getting assistance from IBM Support.
Redbooks Web site
http://www.redbooks.ibm.com
This Web site provides a search field where you can query for documents
that are related to DataPower products. A query against the term
DataPower yields a number of resources in the Redbooks series. These
documents relate to integrating DataPower products with other products in
the IBM ESB portfolio.
developerWorks
http://www.ibm.com/developerworks
This Web site provides an extensive list of articles about DataPower products.
DataPower discussion forum
http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198
This forum is the only discussion area that is officially sanctioned by IBM.
In this forum, you can find members from the IBM technical community
(technical sales, engineering, support, and field consultants) to answer
questions on a continual basis. This forum is not formal product support.
Answers to the questions that you post to this forum are provided on an
ad-hoc basis.
File naming guidelines
If the directory (or domain) supports subdirectories, the path to the file can have a
length of 4000 characters. When you create a domain, its name is the base file
name in several DataPower directories when viewed from the default domain.
The following characters are valid in directory and file names:
• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (dash)
• . (period)
Note: Names cannot contain two consecutive periods (..).
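The following shell script is an added example and is not part of the DataPower documentation. It checks a file or directory path against the naming rules above before a deployment script uploads or references it; the ".." rule is the one that also blocks directory traversal out of a directory such as cert:. Stripping an optional "scheme:///" prefix (cert:///, local:///, temporary:///) is an assumption about how callers pass paths, and the sample paths at the end are constructed.

```shell
#!/bin/sh
# Added example, not from the DataPower documentation: validate a file or
# directory path against the naming rules quoted above. The handling of an
# optional "scheme:///" prefix is an assumption about how callers pass paths.

# Accept one path segment: non-empty, only [A-Za-z0-9_.-], and never
# containing ".." (the rule that also blocks directory traversal).
dp_valid_segment() {
    seg=$1
    [ -n "$seg" ] || return 1
    printf '%s' "$seg" | grep -Eq '^[A-Za-z0-9_.-]+$' || return 1
    case $seg in
        *..*) return 1 ;;
    esac
    return 0
}

# Accept a full path such as "cert:///ca/root.pem" or "ca/root.pem": strips
# the scheme prefix, enforces the 4000-character limit on what remains, and
# validates every segment (an empty segment, as in "a//b", is rejected).
dp_valid_path() {
    path=$1
    case $path in
        *:///*) path=${path#*:///} ;;
    esac
    [ -n "$path" ] || return 1
    [ "${#path}" -le 4000 ] || return 1
    old_ifs=$IFS
    IFS=/
    set -- $path
    IFS=$old_ifs
    [ "$#" -gt 0 ] || return 1
    for seg in "$@"; do
        dp_valid_segment "$seg" || return 1
    done
    return 0
}

# Human-readable wrapper for interactive use.
dp_check() {
    if dp_valid_path "$1"; then echo "ok:     $1"; else echo "REJECT: $1"; fi
}

# Constructed sample paths.
dp_check "cert:///sample-privkey.pem"
dp_check "local:///wsdl/service_v2.wsdl"
dp_check "cert:///../local/evil.pem"    # contains ".."
dp_check "cert:///key file.pem"          # space is not a permitted character
```

Run the check on every path a configuration script is about to submit; rejecting early is cheaper than discovering the problem as a failed upload or, worse, as a reference that resolves somewhere unintended.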
Typeface conventions
The following typeface conventions are used in the documentation:
bold
italics
monospaced
Identifies user-supplied input or computer output.
Welcome screen
After successfully logging in, the WebGUI displays its Welcome screen. Visibility of
objects in the WebGUI is controlled by a combination of the Role-based
management (RBM) object and whether the administrator is in the default domain
or an application domain.
[Figure: referenced-object input field with + and ... buttons]
When the WebGUI displays this type of input field, you can specify the referenced
object in the following ways:
• Select the name of an existing referenced object from the list.
• Use the + button to create a new referenced object. When created, the input field
contains the name of the newly created referenced object.
• Use the ... button to modify the referenced object whose name is in the input
field. When modified, the input field retains the name of the referenced object.
When you click the + button or ... button, the WebGUI launches a new window
that displays the configuration screen for that type of object.
[Figure: referenced-object list with Input field and Add and Delete buttons]
When the WebGUI displays this type of list, you can manage referenced objects in
the following ways:
• Select the name of an existing referenced object from the list. Click Add to add it
to the list of referenced objects.
• Use the + button to create a new referenced object. When created, the input field
contains the name of the new referenced object. Click Add to add it to the list of
referenced objects.
• Use the ... button to modify the referenced object whose name is in the input
field. When modified, the input field retains the name of the referenced object.
Click Add to add it to the list of referenced objects.
• Select the name of a referenced object from the list (either the input field or the
list of referenced objects). Click Delete to remove it from the list of referenced
objects.
When you click the + button or ... button, the WebGUI launches a new window
that displays the configuration screen for that type of object.
4. Click Cancel.
Deleting an object
Exporting the configuration of an object
Viewing configuration-specific messages of an object
Viewing status of an object
Cloning a service
Accessing probe captures
Canceling changes
As you use the WebGUI to manage objects, click Cancel to discard the current
changes without saving them to the running configuration. If you click Cancel, you
return to the object catalog and lose all changes.
Resetting objects
Independent of whether the settings are saved to the configuration, you can reset
an object to its default configuration.
Use the following procedure to revert changes to a specific object:
1. Display the catalog for the object. The catalog lists the available instances of
this object.
2. Click the name of the object to reset to display the configuration screen.
3. Click Undo.
4. Follow the prompts.
Deleting objects
You might want to delete objects that are no longer needed. If no other object
depends on the object to be deleted, you can delete it at any time. Because a
DataPower service is a top-level object, you can delete it at any time. Conversely,
you cannot delete an object that is active and that is in use by a higher-level object.
Use the following procedure to delete an object:
1. Display the catalog for the object. The catalog lists the available instances of
this object.
2. Click the name of the object to delete to display the configuration screen.
3. Click Delete.
4. Follow the prompts.
Deleting an object deletes that object only. Deleting an object does not delete any
referenced object.
Exporting objects
Use the following procedure to export an object:
1. Display the catalog for the object. The catalog lists the available instances of
this object.
2. Click the name of the object to export to display the configuration screen.
3. Click Export.
4. Follow the prompts.
Viewing configuration-specific messages of an object
Use the following procedure to view the log messages for a specific object:
1. Display the catalog for the object. The catalog lists the available instances of
this object.
2. Click the name of the instance.
3. Click View Logs.
Cloning services
You might want to create a service that is similar to an existing service. For
example, you need two equivalent services, but each service communicates with a
different remote server. In these cases, you can create a clone of an existing service
and edit the clone. The cloning process can expedite the creation of a similar
service.
Use the following procedure to clone a service:
1. Display the catalog for the service. The catalog lists the available instances of
this service.
2. Click the name of the service to clone to display the configuration screen.
3. Click Clone.
4. When the screen refreshes, specify the name of the clone.
5. Specify the Ethernet interface that the service monitors for incoming client
requests in the Device Address field. Use the default address (0.0.0.0) to specify
all interfaces. Binding the service to the address of one interface rather than to
0.0.0.0 limits its exposure to the network that needs to reach it.
6. Specify the Ethernet port that the service monitors for incoming client requests
in the Device Port field.
7. As necessary, edit the other properties.
8. Click Apply to save the changes to the running configuration.
9. Optional: Click Save Config to save the changes to the startup configuration.
5. Store the signed certificate on the appliance and create a Certificate object that
references it.
6. Optionally, create an Identification Credentials object that references the Key
and Certificate objects.
When you create the Identification Credentials object, the key-certificate pair is
validated to ensure that the pair is ready for use.
off
(Default) Create the entry in forward RDN order.
b. Optionally specify a country name in the Country Name (C) field.
c. Optionally specify a state or province name in the State or Province (ST)
field.
d. Optionally specify a locality name in the Locality (L) field.
e. Optionally specify the name of an organization in the Organization (O)
field.
f. Optionally specify the name of an organizational unit in the Organizational
Unit (OU) field.
8. Use the Export Private Key toggle to indicate whether the action writes the
key file to the temporary: directory.
on
off
(Default) Does not write the key file to the temporary: directory.
Files in the cert: directory cannot be viewed or downloaded, whereas files in the
temporary: directory can. Enable export only when the key must be copied off the
appliance, and delete the exported copy from temporary: as soon as it has been moved.
9. Use the Generate Self-Signed Certificate toggle to indicate whether the action
creates a self-signed certificate that matches the key.
on
off
Does not create a self-signed certificate.
10. Use the Export Self-Signed Certificate toggle to indicate whether the action
writes the self-signed certificate to the temporary: directory.
on
off
Does not write the self-signed certificate to the temporary: directory.
11. Use the Generate Key and Certificate Objects toggle to indicate whether the
action automatically creates the objects from the generated files.
on
off
Does not create the objects from the generated files.
12. Specify the name for the Key and Certificate objects in the Object Name field.
Leave blank to allow the action to generate the names from the input
information (based on the Common Name (CN) or File Name property).
13. Specify the name of an existing Key object in the Using Existing Key Object
field. If supplied and valid, the action generates a new certificate and a new
Certificate Signing Request (CSR) that is based on the key in the identified
Key object. In this case, the appliance does not generate a new key.
14. Click Generate Key to generate a private key and, if requested, a self-signed
certificate. A CSR is created automatically.
15. Follow the prompts.
The CSR can be submitted to a certificate authority (CA) to receive a certificate that
is based on this private key. This action creates the following files and objects:
• Creates the private key file in the cert: directory; for example,
cert:///sample-privkey.pem
• Creates the CSR in the temporary: directory; for example,
temporary:///sample.csr
• If Generate Self-Signed Certificate is enabled, creates a self-signed certificate in
the cert: directory; for example, cert:///sample-sscert.pem
• If Export Self-Signed Certificate is enabled, creates a copy of the self-signed
certificate in the temporary: directory; for example, temporary:///sample-sscert.pem
• If Generate Key and Certificate Objects is enabled, creates a Key object and a
Certificate object
If the action creates a self-signed certificate, you can use this certificate-key pair for
the following purposes:
• Establish Identification Credentials
• Encrypt or decrypt XML documents
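The OpenSSL commands below are an added example and are not part of the guide or of the appliance's own implementation. They produce the same artifacts as the Generate Key action outside the appliance (a private key, a CSR, and a self-signed certificate, with the subject written in forward RDN order in the C, ST, L, O, OU, CN sequence the dialog uses) and then perform the check the appliance performs when an Identification Credentials object is created: that the certificate's public key is the one derived from the private key. The subject values and file names are illustrative; the script needs the `openssl` command on the path.

```shell
#!/bin/sh
# Added example, not from the DataPower guide: reproduce what the Generate Key
# action produces with the OpenSSL command line, then perform the key/certificate
# match that the appliance performs when an Identification Credentials object
# is created. Subject fields and file names are illustrative assumptions.
set -eu

# Subject in forward RDN order (C, ST, L, O, OU, CN), the order the dialog lists.
SUBJECT="/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/OU=Integration/CN=ws-proxy.example.com"

# Generate a 2048-bit RSA private key, a CSR for it, and a self-signed
# certificate that matches the key. Writes <name>-privkey.pem, <name>.csr and
# <name>-sscert.pem into $dir, mirroring the names the action uses.
dp_generate_key_material() {
    dir=$1; name=$2; subject=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name-privkey.pem" 2>/dev/null
    chmod 600 "$dir/$name-privkey.pem"
    openssl req -new -key "$dir/$name-privkey.pem" -subj "$subject" \
        -out "$dir/$name.csr"
    openssl req -new -x509 -key "$dir/$name-privkey.pem" -subj "$subject" \
        -days 365 -out "$dir/$name-sscert.pem"
}

# Return 0 when the certificate's public key is the one derived from the
# private key; this is the pair validation the text refers to.
dp_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 when the CSR's self-signature verifies, i.e. it was produced by the
# holder of the private key and has not been altered since.
dp_csr_is_valid() {
    openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

work=$(mktemp -d)
dp_generate_key_material "$work" sample "$SUBJECT"
dp_key_matches_cert "$work/sample-privkey.pem" "$work/sample-sscert.pem" \
    && echo "key and self-signed certificate match"
dp_csr_is_valid "$work/sample.csr" && echo "CSR self-signature verifies"
openssl req -in "$work/sample.csr" -noout -subject
rm -rf "$work"
```

The same `dp_key_matches_cert` comparison is worth running on a CA-issued certificate before it is uploaded to cert: and paired with the key in an Identification Credentials object; a CA that re-keyed the request, or a certificate uploaded against the wrong key file, fails the comparison immediately rather than at the first SSL handshake.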
Password
Optionally specify a password for accessing the file. Any entity or
agent needing to access the file must supply this password.
Password Alias
The password can optionally be given an alias, which keeps the actual
password out of the configuration and adds a level of indirection. If an
alias is established, use the alias instead of the actual password.
4. Click Import Crypto Object.
If the import succeeds, an object with the specified name is created; otherwise, an
error is returned.
nssclient
Specifies an existing NSS client object.
ZOSCERTLABEL
Specifies the label name of an existing SAF certificate
residing on the z/OS system.
Password
Depending on business security policies, provide one of the following:
• If local security policies provide for password-protected keys, specify
the password (or a password alias).
• If local policies do not support password protection, leave blank.
• If key files are protected by a plaintext password, specify the
password.
Note: Plaintext passwords appear as such in the configuration script.
Prefer an alias: the configuration script is exported, backed up, and
shared, and a plaintext password in it is exposed wherever the script goes.
• If key files are protected by an aliased password, specify the alias.
The CLI provides a password-map command that uses a
locally-generated key to 3DES encrypt a password used to access a
private key file. The command maps the encrypted password to a
password alias in a password map file. The password map and the
locally-generated key are saved to separate files on the appliance.
Plaintext passwords are not stored in memory or saved on the
appliance.
Password Alias
Use the toggle to specify whether the text entered in the Password field is a
plaintext password or a password alias.
on
off
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Crypto Key
Access a list of all Key objects, and select the Key object for this
Identification Credentials. Refer to Defining Key objects on page 17
for more information.
Certificate
Access a list of all Certificate objects, and select the Certificate object for
this Identification Credentials. Refer to Defining Certificate objects on
page 13 for more information.
Intermediate CA Certificate
Intermediate CA certificates are required when the certificate in the
Identification Credentials was not issued directly by a CA that remote
peers trust. If the intermediate CA certificate is itself signed by another
intermediate CA, an additional intermediate CA certificate is required for
that CA. You can specify as many intermediate certificates as are required.
If necessary, use the list of available Certificate objects to establish a
verifiable trust chain. A trust chain consists of one or more Certification
Authority (CA) certificates and provides a linked path from the
certificate that is in the Identification Credentials to a CA that is trusted
by the remote peer. The trust chain enables the peer to authenticate the
certificate.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
Use a key object created with a private key that is retrieved from z/OS the same
way you use a key object created with a local private key. Use a key object created
with a private key that is stored on z/OS to make requests for decryption or
signature generation on the z/OS system.
To create key objects, the DataPower appliance communicates with z/OS using a
z/OS NSS client object. The z/OS NSS client object must be defined and in the up
operational state when you create key objects.
To use a retrieved z/OS key, the key must be a SAF key that is not stored in ICSF.
The SAF key is cached locally on the appliance until the associated application
domain or the appliance is restarted.
To use a remote z/OS key, the key must be a SAF key that is stored in ICSF. The
SAF key is never taken off of your z/OS system. Therefore, the z/OS NSS client
object must be in the up operational state when using remote key objects. For more
information about the z/OS NSS client object, see z/OS NSS Client on page 396.
To access and use z/OS keys, the z/OS NSS client object on DataPower must have
permission to access the z/OS keys. See your z/OS documentation for more
information on these settings.
nssclient
Specifies an existing NSS client object.
ZOSKEYLABEL
Specifies the label name of an existing SAF key residing on the
z/OS system. A saf-key:// must be a SAF key that is not stored
in ICSF. A saf-remote-key:// must be a SAF key that is stored in
ICSF.
Password
Depending on business security policies, provide one of the following:
• If local security policies provide for password-protected keys, specify
the password (or a password alias).
• If local policies do not support password protection, leave blank.
Chapter 2. Securing communication
DEFAULT
Includes all cipher suites, except for the following ciphers and
cipher suites:
• eNULL ciphers
• Cipher suites that use DH authentication
• Cipher suites that contain the RC4, RSA, and SSL version 2
ciphers
HIGH
Includes all high encryption cipher suites. These ciphers
support a key length in excess of 128 bits.
MEDIUM
Includes all medium encryption cipher suites. These ciphers
support a key length of 128 bits.
LOW
EXPORT
Includes all cipher suites that support a key length of 40 or 56 bits
and are eligible for export outside of the United States.
The LOW and EXPORT classes permit keys that are breakable with
modest resources and should not be used.
For a detailed list of ciphers, refer to the profile command in the
product-specific version of the Command Reference.
Options
Use the check boxes to disable support for SSL versions and variants. By
default, SSL Version 2, SSL Version 3, and Transport Layer Security
(TLS) Version 1 are enabled.
• To disable SSL Version 2, click Disable-SSLv2.
• To disable SSL Version 3, click Disable-SSLv3.
• To disable TLS Version 1, click Disable-TLSv1.
SSL Version 2 and SSL Version 3 have known protocol weaknesses and are
prohibited by current standards; disable both unless a peer that cannot be
updated still requires them.
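The cipher-class names above are OpenSSL cipher-list keywords. The shell functions below are an added example, not part of the guide, that expand those keywords on the local OpenSSL build and audit a candidate cipher string for the weak classes the text describes (NULL encryption, export grades and 40-bit keys, single DES, RC4). The appliance firmware ships its own OpenSSL, so its expansion of the same keywords can differ from what this prints; the sample rows used in the checks are constructed.

```shell
#!/bin/sh
# Added example, not from the DataPower guide: expand OpenSSL cipher-class
# keywords into concrete suites and audit a cipher string for weak suites.
# The appliance's own OpenSSL build may expand the same keywords differently.

# Print one "Name Protocol Kx=.. Au=.. Enc=.. Mac=.." row per suite that the
# cipher string selects. Empty output and non-zero status when nothing
# matches, which is what current OpenSSL builds return for LOW and EXPORT.
dp_expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Number of suites a cipher string selects (0 when it selects none).
dp_suite_count() {
    dp_expand_ciphers "$1" | grep -c . || true
}

# Read "openssl ciphers -v" rows on stdin and print the names of suites with
# NULL encryption, export grade or 40-bit keys, single DES, or RC4.
dp_weak_suites() {
    awk '/Enc=None/ || /EXP-/ || /\(40\)/ || /Enc=DES\(56\)/ || /RC4/ { print $1 }'
}

# Return 0 when a cipher string selects no weak suite; otherwise list the
# offenders on stderr and return 1.
dp_cipher_string_is_clean() {
    bad=$(dp_expand_ciphers "$1" | dp_weak_suites)
    if [ -n "$bad" ]; then
        printf 'weak suites selected by "%s":\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

echo "DEFAULT: $(dp_suite_count DEFAULT) suites"
echo "HIGH:    $(dp_suite_count HIGH) suites"
echo "MEDIUM:  $(dp_suite_count MEDIUM) suites"
echo "LOW:     $(dp_suite_count LOW) suites"
echo "EXPORT:  $(dp_suite_count EXPORT) suites"
dp_cipher_string_is_clean 'HIGH:!aNULL:!eNULL:!RC4:!3DES' && echo "hardened string: clean"
dp_cipher_string_is_clean 'ALL:COMPLEMENTOFALL' || echo "ALL:COMPLEMENTOFALL: weak suites present (expected)"
```

Note that the class keywords are defined relative to the OpenSSL version that evaluates them: on the 2009-era build described here HIGH meant more than 128 bits, while modern builds place 128-bit AES in HIGH and have dropped LOW and EXPORT entirely. Audit the expanded list rather than trusting the keyword.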
Send Client CA List
Use the toggle to enable the transmission of a Client CA List during the
SSL handshake.
Note: Transmission of a Client CA List is meaningful only when this
Profile object supports a reverse (or server) proxy and when this
Profile object has an assigned Validation Credentials.
on
off
11. Use the Always Request Client Authentication toggle to control when to
request SSL client authentication.
on
off
9. Specify the time that session-specific state data is maintained in the server
cache in the Server-side Session Cache Timeout field.
10. Specify the maximum size of the server-side cache in the Server-side Session
Cache Size field.
11. Use the Client-side Session Caching toggle to enable or disable client-side
caching.
12. Use the Client Authentication is optional toggle to control when SSL client
authentication is optional.
on
off
Validation credentials
A Validation Credentials consists of a list of Certificate objects. Validation
Credentials are used to validate the authenticity of received certificates and digital
signatures. You can create Validation Credentials with the following types of
credentials:
• All non-expiring, non-password-protected credentials
• Select credentials
Independent of which type of Validation Credentials, the creation starts at the
same location. To create any Validation Credentials, select Objects → Crypto →
Validation Credentials.
To save the Validation Credentials to the startup configuration, click Save Config.
Require CRLs
When CRLs are checked during processing of the certificate chain,
determines whether the processing should fail when no CRL is available.
on
Processing fails.
off
Processing continues without a revocation check for that certificate.
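The script below is an added example, not from the guide, that builds a root → intermediate → server chain with OpenSSL and demonstrates two behaviours described in the Identification Credentials and Validation Credentials sections above: the intermediate must be presented for the server certificate to chain to a trusted root (the Intermediate CA Certificate field supplies it on the presenting side; Validation Credentials hold the trusted root on the verifying side), and a verifier that insists on CRLs rejects the chain when no CRL is available, which is the behaviour Require CRLs set to on selects. Subjects and file names are illustrative; the script needs the `openssl` command.

```shell
#!/bin/sh
# Added example, not from the DataPower guide: build a three-level chain with
# OpenSSL and show (1) that chain validation needs the intermediate and
# (2) that requiring CRLs fails closed when none is available.
# All subjects and file names are illustrative.
set -eu

# Issue a certificate. $1 work dir, $2 name, $3 issuer name or "self",
# $4 subject, $5 "yes" for a CA certificate, "no" for an end-entity one.
dp_issue() {
    dir=$1; name=$2; issuer=$3; subject=$4; is_ca=$5
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name-key.pem" 2>/dev/null
    if [ "$is_ca" = yes ]; then
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' > "$dir/$name-ext.cnf"
    else
        printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
            'keyUsage=critical,digitalSignature,keyEncipherment' > "$dir/$name-ext.cnf"
    fi
    openssl req -new -key "$dir/$name-key.pem" -subj "$subject" -out "$dir/$name.csr"
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name-key.pem" -days 3650 \
            -extfile "$dir/$name-ext.cnf" -out "$dir/$name-cert.pem" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer-cert.pem" \
            -CAkey "$dir/$issuer-key.pem" -CAcreateserial -days 825 \
            -extfile "$dir/$name-ext.cnf" -out "$dir/$name-cert.pem" 2>/dev/null
    fi
}

# Root CA -> issuing (intermediate) CA -> server certificate.
dp_build_chain() {
    dir=$1
    dp_issue "$dir" root         self         "/O=Example Corp/CN=Example Root CA"      yes
    dp_issue "$dir" intermediate root         "/O=Example Corp/CN=Example Issuing CA"   yes
    dp_issue "$dir" server       intermediate "/O=Example Corp/CN=ws-proxy.example.com" no
}

# -CAfile plays the role of the Validation Credentials (trusted roots);
# -untrusted carries the intermediates the peer presents alongside its
# certificate. Pass "" as $2 to simulate a peer that omits the intermediate.
dp_verify_chain() {
    dir=$1; untrusted=$2
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$dir/root-cert.pem" -untrusted "$untrusted" \
            "$dir/server-cert.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/root-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1
    fi
}

# Same chain with "Require CRLs" semantics: -crl_check demands a CRL from the
# server certificate's issuer, so with no CRL published the check fails.
dp_verify_chain_require_crl() {
    dir=$1
    openssl verify -CAfile "$dir/root-cert.pem" -untrusted "$dir/intermediate-cert.pem" \
        -crl_check "$dir/server-cert.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
dp_build_chain "$work"
dp_verify_chain "$work" "$work/intermediate-cert.pem" && echo "with intermediate: chain OK"
dp_verify_chain "$work" "" || echo "without intermediate: FAILS (no issuer for server certificate)"
dp_verify_chain_require_crl "$work" || echo "Require CRLs on, no CRL available: FAILS"
rm -rf "$work"
```

`-crl_check` only requires a CRL for the end-entity certificate's issuer; `-crl_check_all` extends the requirement to every CA in the chain. Either way, the failure with no CRL present is the fail-closed behaviour that Require CRLs set to on provides, and the reason to publish and fetch CRLs reliably before turning it on.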
The algorithm can end with an empty policy tree unless Policy
Constraints extensions in the chain require an explicit policy.
4. Click Apply to save the object to the running configuration and return to the
object catalog.
5. Optionally, click Save Config to save the object to the startup configuration.
b. Select the enforcement mode for the WSDL file from the WS-Policy
Enforcement Mode list.
enforce
Creates a configuration that might transform client requests or
client responses to satisfy policy.
filter
a. Select a Front Side Handler from the Local Endpoint Handler list. The
handler determines the location that accepts client requests. You can
assign the same handler to each operation or assign a different handler
to each operation. Refer to Chapter 4, Handler configuration, on page
69 for details.
b. For the Local URI:
Select From WSDL to determine the URI that the Web Service Proxy
uses to accept client requests. When the URL is determined in this
way, the Web Service Proxy obtains the subscription information from
the registry, parses the WSDL information in that subscription, and
instantiates the necessary URLs based on the contents of the WSDL.
Select the other radio button and specify a fixed URI in the associated
field. A URI does not include the protocol, address, or port. For
example, the value /agent/scheduler could represent the URI.
c. Adjust the Remote Endpoint configuration, as needed. An adjustment
might be useful to redirect traffic to an alternate endpoint while
maintenance or an upgrade is performed on the application server.
d. Adjust the Published Endpoint configuration, as needed. An adjustment
usually is not needed. By default, the Published endpoint is the same as
the Local Endpoint configuration.
8. Click Next to display the summary.
If the summary lists an error under WSDL Status or WS-I BP Status, click the
red text (for example, Warning) to view the details.
9. Repeat step 4 on page 26 through step 8 to define all of the configuration
sources for the Web Service Proxy.
10. Click Apply.
To test the service, submit requests to the addresses that are defined by the Front
Side Handlers.
To check the status for subscription-based configurations, select Status → Web
Services and view the appropriate UDDI or WSRR subscription-related providers.
WSDL template
Use this template to create a WSDL-specific SLM to monitor all
transactions and errors in the scope of a WSDL file. Note that if the Web
Service Proxy is based on a single WSDL file, this template and the
Services Proxy template are equivalent.
WSDL Service template
Use this template to create a WSDL-service-specific SLM to monitor all
transactions and errors in the scope of a WSDL service.
WSDL Port template
Use this template to create a WSDL-port-specific SLM to monitor all
transactions and errors in the scope of a WSDL port.
WSDL Operation template
Use this template to create a WSDL-operation-specific SLM to monitor all
transactions and errors in the scope of a WSDL operation.
Each template supports the specification of a transaction-based rule and an
error-based rule. The transaction-based rule is based on a raw count of
transactions. The error-based rule is based on transaction errors. Dual rules mean
that you can implement level-specific restrictions based on transaction volume and
error frequency.
1. In the Request area, define a basic transaction-based rule to count all user
transactions during the specified interval. This rule is always scheduled.
a. In the Interval field, enter the number of seconds to count user transactions.
b. In the Limit field, enter the maximum rate of allowed transactions per
second.
c. From the Action list, select the SLM action to enforce for transactions in
excess of the maximum rate.
2. In the Failure area, define a basic error-based rule to count all error
transactions during the specified interval. This rule is always active.
a. In the Interval field, enter the number of seconds to count user transactions.
b. In the Limit field, enter the maximum rate of allowed transactions per
second.
c. From the Action list, select the SLM action to enforce for transactions in
excess of the maximum rate.
3. Click Apply to complete the basic specification.
Submit requests to the Web Service Proxy to create a flow of traffic. At any time,
click the Graph alongside any level at which you specified some threshold. A new
window displays a graph of the traffic during the selected interval. Refer to
Reading traffic graphs for details.
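As an added example (not part of the IBM guide), the following Python evaluates the two basic SLM rules just described over a constructed list of timestamped transactions: the Request rule counts every transaction in its interval, the Failure rule counts only error transactions, and each rule reports its action when the observed rate per second exceeds its Limit. The action names "throttle" and "reject" are placeholders, not DataPower action names.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SlmRule:
    """One basic SLM rule: Interval (seconds), Limit (transactions per second), Action."""
    interval: int
    limit: float
    action: str   # placeholder action name for this example ("throttle", "reject")


def rate_per_second(timestamps: Iterable[float], now: float, interval: int) -> float:
    """Average rate over the last `interval` seconds ending at `now`, window (now-interval, now]."""
    window_start = now - interval
    count = sum(1 for t in timestamps if window_start < t <= now)
    return count / interval


def evaluate_slm(transactions: List[Tuple[float, bool]], now: float,
                 request_rule: SlmRule, failure_rule: SlmRule) -> List[str]:
    """Return the SLM actions that fire at time `now`.

    Each transaction is (timestamp, is_error). The Request rule counts all user
    transactions; the Failure rule counts only transactions that errored. Both
    rules are always active, so both are evaluated on every call.
    """
    all_ts = [t for t, _ in transactions]
    err_ts = [t for t, is_err in transactions if is_err]
    fired: List[str] = []
    if rate_per_second(all_ts, now, request_rule.interval) > request_rule.limit:
        fired.append(request_rule.action)
    if rate_per_second(err_ts, now, failure_rule.interval) > failure_rule.limit:
        fired.append(failure_rule.action)
    return fired


# Constructed traffic: 30 transactions 0.3 s apart starting at t=100 s, every tenth one an error.
SAMPLE_TRAFFIC = [(100.0 + 0.3 * i, i % 10 == 0) for i in range(30)]
REQUEST_RULE = SlmRule(interval=10, limit=2.0, action="throttle")   # allow 2 tx/s over 10 s
FAILURE_RULE = SlmRule(interval=10, limit=0.5, action="reject")     # allow 0.5 errors/s over 10 s

if __name__ == "__main__":
    # 30 tx / 10 s = 3.0 tx/s exceeds 2.0; 3 errors / 10 s = 0.3/s stays under 0.5
    print(evaluate_slm(SAMPLE_TRAFFIC, now=109.0,
                       request_rule=REQUEST_RULE, failure_rule=FAILURE_RULE))
```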
10. From the Threshold Type list, select the threshold type.
11. In the Threshold Level field, enter the count or value threshold to trigger the
action. The units of measure depend on the threshold type.
v If the threshold type is a count, the value indicates an aggregate number.
v If the threshold type is for latency, the value indicates a number of seconds.
12. In the Reporting Aggregation Interval field, enter the reporting interval in
minutes. This property determines the interval to report statistics. This
property has no effect on threshold intervals.
13. In the Maximum Records Across Intervals field, enter the maximum
aggregate of reporting records.
14. In the Maximum Records Across Intervals field, enter the maximum
aggregation of reporting records. A single aggregation interval could contain
multiple records; for example, one record per resource or credential. Use this
property to configure the maximum number of total records to save across the
maximum number of saved intervals.
15. In the Maximum Credentials-Resource Combinations field, enter the number
of records for the combination of credentials and resources. This property
limits the maximum number of combinations and allows a maximum
memory-consumption threshold to be set.
16. Click Add SLM Statement.
Figure 3. Sample policy screen (shows, for the wsdl: WSDL-name level, the WS-I
Conformance value, the Priority value, the defined rules listed as rule-name
(rule-type), and an Add Rule button)
2. Determine the view from which to manage the policy. Refer to Determining
the view for the policy on page 33 for details.
3. Define processing rules at any level by clicking the level-specific Add Rule
button. Refer to Processing rules on page 33 for details.
4. Define the Web Security Policy to apply to this level of the WSDL file. Refer to
Defining the Web Services policy on page 34 for details.
5. Define the Web Security conformance policy to apply to this level of the WSDL
file. Refer to Defining the Web Security conformance policy on page 37 for
details.
6. Define the priority to apply to this level of the WSDL file. Refer to Defining
the service priority on page 39 for details.
7. Define the user policy to apply to this level of the WSDL file. Refer to
Defining the user policy on page 39 for details.
8. Click Apply to save the changes to the running configuration.
9. Optional: Click Save Config to save the changes to the startup configuration.
On requests, the Web Service Proxy uses the policy as defined by the following
flow:
1. The defined Web Security policy
2. The defined Web Security Conformance Policy
3. The defined user policy
4. The defined processing rule
On responses, the Web Service Proxy uses the policy as defined by the following
flow:
1. The defined user policy
2. The defined processing rule
3. The defined Web Security Conformance Policy
4. The defined Web Security policy
Processing rules
A Web Service Proxy automatically runs a number of actions before running the
first visible action in its processing rules. Specifically, a Web Service Proxy runs an
slm action and a validate action.
Note: The validate action might reject the message before running any visible
action. Use the User Policy check boxes to control the behavior of the
implied validate action. Refer to Defining the user policy on page 39 for
details.
Processing rules in the policy hierarchy execute from most specific to least specific.
A processing rule at the Operation level executes before a processing rule at the
Service, WSDL, or Proxy level. Only one processing rule executes on any single
message.
To create a processing rule at any level, use the following procedure:
1. Click Add Rule at the appropriate level. The screen refreshes to show the
processing rule area.
2. Define the processing rule. Refer to Chapter 5, Processing policies, on page 99
for details.
Note: Processing Policy objects and Processing Rule objects for Web Service Proxy
Services cannot be used by other DataPower services. Conversely, Processing
Policy objects and Processing Rule objects for other DataPower services
cannot be used by Web Service Proxy services.
Web Service Proxy services can accept encrypted messages when the entire
payload is encrypted. Either the root node of the message must be encrypted, or
the first child of the SOAP:Body element must be encrypted.
The Web Service Proxy automatically decrypts the encrypted payload. The
decryption uses the private key that corresponds to the certificate that encrypted
the data. The certificate is identified by an Identification Credential object or is
identified by the Decrypt Key property on the Proxy Settings tab.
Note: Web Service Proxy services do not automatically perform field-level
decryption.
Use the following procedure to enable field-level decryption:
1. Use the User Policy check boxes to disable automatic validation. Refer to
Defining the user policy on page 39 for details.
2. Create a new rule with the decrypt and validate actions.
v Configure the decrypt action to perform the field-level decryption.
v Configure the validate action to perform any required validation.
Refer to Chapter 5, Processing policies, on page 99 for details.
v At the wsdl level, the Processing tab provides a property to indicate the
enforcement mode (enforce or filter). This is the only level where this
property is available. Although the Sources tab is enabled, you can only
indicate whether or not you want to use policy that is defined in or
referenced by the source WSDL file. At this level, you cannot augment policy.
v At the service level, all tabs are enabled. You can augment policy through
the WebGUI. The augmented policy applies to the service policy subject (for
example, wsdl11:service).
v At the port, binding, and portType levels, all tabs are enabled. You can
augment policy through the WebGUI. The augmented policy applies to the
endpoint policy subject (for example, wsdl11:port, wsdl11:binding, or
wsdl11:portType).
Note: If you added support for additional bindings, the Sources tab is
disabled on the synthesized port. The augmented policy for
synthesized ports must be inherited from the service level.
v At the binding-operation and portType-operation levels, all tabs are
enabled. You can augment policy through the WebGUI. The augmented
policy applies to the operation policy subject (for example,
wsdl11:operation).
v At the port-operation level, the Sources tab is disabled. At this level, you
cannot use the WebGUI to augment policy. To augment policy for the
operation policy subject, you must manually edit the WSDL file to provide
the policies as embedded policy.
2. Select the enforcement mode for the WSDL file from the WS-Policy
Enforcement Mode list.
enforce
    Creates a configuration that might transform client requests or client
    responses to satisfy policy.
filter
    Creates a configuration that rejects client requests and server responses
    that do not satisfy policy. A rejection triggers error handling.
For example, if a policy requires a response to be encrypted, filter will reject
the response and trigger error handling if the response is not encrypted, but
enforce will encrypt the response.
If the mode is enforce and the configuration does not provide the required
policy parameters to encrypt the response, the mode switches to filter behavior
and triggers error handling, and the log contains a message that is similar to the
following warning:
Wed Nov 07 2007 08:24:00 [ws-security-policy][ws-proxy][warn]
wsgw(wssp-policy-015h): tid(1425)[request]: WS-SecurityPolicy
Mapping: A message cannot be encrypted during enforcement
3. Select the Policy Parameter object from the Policy Parameter Set list, click the +
button to create a new object, or click the ... button to edit an existing object. A
Policy Parameters object defines policy parameters as key-value pairs for use in
a policy mapping style sheet. The Policy Parameter object persists the values of
the policy parameters.
Policy parameters are how you map the parameters that are defined in or
referenced by the WSDL file, or that are defined in an attached source, to the
specific DataPower object. If you do not define all of the needed parameters,
processing a message with the defined WS-Policy generates errors.
For example, you might need an X.509 token to use the defined WS-Policy. If
you need an X.509 token, you need to define which certificate that is stored on
the DataPower appliance to use. If the certificate is alice, you would need to
set the {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}wssecpol-Certificate parameter to alice.
Note: If you defined policy parameters at the port or port-operation level,
these parameters are not applied to its parallel synthesized port or
operation. The policy parameters for synthesized ports and operations
must be inherited from the service level or redefined at the synthesized
level.
If creating a new object or modifying an existing object, use the following
procedure:
a. Specify the name of the Policy Parameter in the Name field.
b. Select the policy domain from the Policy Domain list. Using the previous
example, select http://docs.oasis-open.org/ws-sx/ws-securitypolicy/
200702.
c. Select the assertion filter from the Assertion Filter list. Using the previous
example, select X509Token.
d. Select the parameter name from the Parameter Name list. Using the
previous example, select ws-secpol-Certificate.
e. Specify the value for the parameter in the Parameter Value field. Using the
previous example, specify alice.
f. Click Add.
Repeat this procedure for each required policy parameter.
g. After defining all policy parameters, click Submit.
4. Click the Sources tab to define the behavior of policy attachments.
a. In the WSDL-Embedded Policy References area, click the Use WSDL
Policy References check box to enable policies that are attached to WSDL
with wsp:PolicyURIs attributes or with <wsp:PolicyReference> elements.
v A wsp:PolicyURIs attribute allows policy expressions to be attached to
arbitrary XML elements. These attachments can be referred to as XML
element attachments.
v An <wsp:PolicyReference> element references a policy expression to be
attached to the policy subjects that are in the policy scope. These
attachments can be referred to as external policy attachments.
b. Use the Use Additional Policy Sources area to collect individual policy
assertions into a policy expression. To help you configure policy that defines
a policy expression, select the template file that contains the policy expression
from one of the following directories:
store:///policies/templates
The templates in this directory correlate to a well-known set of
security patterns for deployed Web services.
store:///policies/templates/bea
The templates in this directory interoperate with BEA-specific
security patterns.
store:///policies/templates/dotnet
The templates in this directory interoperate with .NET-specific
security patterns.
Refer to online help for details about individual template files.
1) Select or specify the URL of the XML template file that contains the
policy expression.
2) If the template contains multiple Policy elements and you do not want
to use all of these elements, select the identifier of the element to add
from the wsu:ID list.
3) Click Attach Source.
4) After adding all external attachments, click Done.
Beside the WS-Policy button, the WebGUI shows the number of external
attachments. If there are two external attachments, the WebGUI shows 2
external attachments. If there are no external attachments, the WebGUI
shows (default).
5. Click the Enabled Subjects tab to indicate whether policy defined for that
policy subject should be enforced during processing, not during configuration.
Note: If you modified enablement at the port or port-operation level, these
settings are not applied to its parallel synthesized port or operation.
These settings for synthesized ports and operations must be inherited
from the service level or redefined at the synthesized level.
Use the following check boxes to enable the associated policy subjects. When
not selected, the policies that are defined for the associated policy subjects are
disabled. These policies are disabled regardless of how the policy was defined.
Remember that policy can be defined in the following manners:
v Directly in the configuration source (WSDL file or subscription)
v As XML element attachments (wsp:PolicyURIs attributes) in the configuration
source (WSDL file or subscription)
v As external policy attachments (<wsp:PolicyReference> elements) in the
configuration source (WSDL file or subscription)
v Through policy subject inheritance
v Through refinement by augmenting policy (additional policy sources on the
Sources tab)
Service Subject
If selected, enforce the policy that is defined for the service policy
subject.
Endpoint Subject
If selected, enforce the policy that is defined for the endpoint policy
subject.
Operation Subject
If selected, enforce the policy that is defined for the operation policy
subject.
Message Input Subject
If selected, enforce the policy that is defined for the message policy
subject when the message is an input message.
Message Output Subject
If selected, enforce the policy that is defined for the message policy subject
when the message is an output message.
6. Click Done.
Click Close to close this configuration area.
1. Click WS-I Conformance to open the configuration area. This button is shown
in Figure 3 on page 32.
2. Click Create New to display the configuration details.
3. Specify the name of the policy in the Conformance Policy Name field.
4. Use the Profiles check boxes to select the profiles against which to check
messages for conformance.
WS-I BP 1.0
Validates messages against the requirements that are defined in WS-I
Basic Profile, version 1.0.
WS-I BP 1.1
(Default) Validates messages against the requirements that are defined
in WS-I Basic Profile, version 1.1.
WS-I AP 1.0
(Default) Validates messages against the requirements that are defined
in WS-I Attachments Profile, version 1.0.
WS-I BSP 1.0
(Default) Validates messages against the requirements that are defined
in WS-I Basic Security Profile, version 1.0.
5. Select the degree of nonconformance to cause the message to be rejected from
the Reject non-conforming messages list.
Never
(Default) Never rejects messages.
Failure
Rejects messages with conformance failures.
Warning
Rejects messages with conformance warnings or with conformance
failures.
6. Click the Advanced tab.
7. Select the degree of nonconformance to cause a conformance report to be
recorded from the Record Report list.
Never
(Default) Never records conformance reports.
Failure
Records conformance reports that indicate conformance failures.
Warning
Records conformance reports that indicate conformance warnings or
conformance failures.
Always
Always records conformance reports.
8. For all nonconformance reporting levels except Never, specify the target URL
to which to send conformance reports in the Destination field.
9. Use the Ignored Requirements controls to define which requirements to
ignore. Specify a string in the profile:reqid format to define the requirement:
profile
Specifies the literal representation for the name of the profile.
BP1.0
Indicates WS-I Basic Profile, version 1.0
BP1.1
Indicates WS-I Basic Profile, version 1.1
BSP1.0
Indicates WS-I Basic Security Profile, version 1.0
AP1.0
Indicates WS-I Attachment Profile, version 1.0
reqid
Specifies the identifier of the requirement in that profile. This identifier
follows the naming convention in the profile documentation.
To specify requirement R4221 in the WS-I Basic Security Profile, version 1.0,
add BSP1.0:R4221 to the list.
10. Use the Corrective Stylesheets controls to specify which style sheets to invoke
after conformance analysis. These style sheets can transform the analysis
results to repair instances of nonconformance. Corrective style sheets cannot
be applied to filter actions.
11. Use the Include error summary toggle to determine whether to include the
summary for the conformance analysis in the rejection message for requests.
This option is for all nonconformance rejection levels except Never.
on
    Includes the summary.
off
    (Default) Does not include the summary.
12. Use the Use analysis as results toggle to determine whether to deliver a
conformance analysis.
on
off
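As an added example (not from the IBM guide), the Python below models the WS-I conformance policy settings described in steps 5 through 9: it parses Ignored Requirements entries in the profile:reqid format, then decides, for a constructed set of analysis findings, whether a message is rejected (Never / Failure / Warning) and whether a report is recorded (Never / Failure / Warning / Always). The Finding class and the sample findings are constructed for this example; the appliance's real report format is not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Profile names exactly as the guide lists them for the profile:reqid format.
PROFILES = {"BP1.0", "BP1.1", "BSP1.0", "AP1.0"}

# Severity of a single finding and the minimum severity each level reacts to.
SEVERITY = {"warning": 1, "failure": 2}
LEVEL_THRESHOLD = {"Warning": 1, "Failure": 2}   # "Never" and "Always" handled explicitly


def parse_ignored_requirement(spec: str) -> Tuple[str, str]:
    """Parse an Ignored Requirements entry such as 'BSP1.0:R4221' into (profile, reqid)."""
    profile, sep, reqid = spec.partition(":")
    if not sep or profile not in PROFILES:
        raise ValueError(f"unknown profile in ignored requirement {spec!r}")
    # Requirement ids follow the profile documentation: an 'R' followed by digits.
    if not re.fullmatch(r"R\d+", reqid):
        raise ValueError(f"malformed requirement id in {spec!r}")
    return profile, reqid


@dataclass(frozen=True)
class Finding:
    """One result of conformance analysis (constructed shape for this example)."""
    profile: str
    reqid: str
    severity: str   # "warning" or "failure"


@dataclass(frozen=True)
class ConformancePolicy:
    reject_level: str = "Never"    # Reject non-conforming messages: Never, Failure, Warning
    record_level: str = "Never"    # Record Report: Never, Failure, Warning, Always
    ignored: FrozenSet[Tuple[str, str]] = frozenset()

    def __post_init__(self) -> None:
        if self.reject_level not in ("Never", "Failure", "Warning"):
            raise ValueError(f"invalid reject level {self.reject_level!r}")
        if self.record_level not in ("Never", "Failure", "Warning", "Always"):
            raise ValueError(f"invalid record level {self.record_level!r}")

    def _applicable(self, findings: Iterable[Finding]) -> List[Finding]:
        """Drop findings for requirements listed under Ignored Requirements."""
        return [f for f in findings if (f.profile, f.reqid) not in self.ignored]

    @staticmethod
    def _triggers(level: str, findings: List[Finding]) -> bool:
        if level == "Always":
            return True
        if level == "Never":
            return False
        # Warning level reacts to warnings or failures; Failure level only to failures.
        return any(SEVERITY[f.severity] >= LEVEL_THRESHOLD[level] for f in findings)

    def should_reject(self, findings: Iterable[Finding]) -> bool:
        return self._triggers(self.reject_level, self._applicable(findings))

    def should_record(self, findings: Iterable[Finding]) -> bool:
        return self._triggers(self.record_level, self._applicable(findings))


def build_policy(reject_level: str, record_level: str,
                 ignored_specs: Iterable[str]) -> ConformancePolicy:
    """Build a policy from the WebGUI values, parsing each profile:reqid string."""
    return ConformancePolicy(reject_level, record_level,
                             frozenset(parse_ignored_requirement(s) for s in ignored_specs))


# Constructed analysis results: one BSP 1.0 failure and one BP 1.1 warning.
SAMPLE_FINDINGS = [Finding("BSP1.0", "R4221", "failure"),
                   Finding("BP1.1", "R1011", "warning")]

if __name__ == "__main__":
    policy = build_policy("Failure", "Warning", ["BSP1.0:R4221"])
    print("reject:", policy.should_reject(SAMPLE_FINDINGS),
          "record:", policy.should_record(SAMPLE_FINDINGS))
```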
Normal
(Default) Receives normal priority.
Low
Note: You can control the degree of validation performed on WSDL components
with a Compile Options Policy object. The Compile Options Policy is part of
the configuration of an XML Manager. The assignment of an XML Manager
is part of the configuration of the Web Service Proxy. Refer to Compile
Options Policy objects on page 284 for more information.
To control the availability and behavior of WSDL components, click any of the
small icons at the desired level to display the form that controls behavior. Figure 4
shows the series of icons.
Use the check boxes to establish the desired policy. After establishing the policy,
the icons represent the applied selections.
v When a check box is selected, it indicates that the selection is applied. The icon
for this selection contains a green check mark.
v When a check box is not selected, it indicates that a selection is not applied. The
icon for this selection contains a red x.
The established policy cascades. When the policy cascades, the policy applies to all
components that are contained by the current level.
Use the following controls to establish the availability and behavior of policy to
apply to WSDL components:
Enable this component
When selected, allows requests for the operations and services included by
this component level. A WSDL component, for example, includes all ports,
services and operations defined in the WSDL.
Publish in WSDL
When selected, include the component in any WSDL published to external
directories or returned in the WSDL produced by the proxy in response to
requests by external clients. It is possible to enable an operation but not
publish it until some other time, or to stop publishing it after a sunset
period, for example.
Schema validate fault messages
When selected, validates fault messages against the schema contained in
the corresponding WSDL. Not all WSDL files contain schema information
for faults; for this reason, the Proxy will allow fault messages to pass when
no fault schema information is available. When this is checked, and the
WSDL contains fault schema information, fault messages are checked
against that schema and rejected if they do not validate.
Schema validate request messages
When selected, validates request messages against the schema contained in
the corresponding WSDL. Otherwise, disables standard schema validation
for requests.
Schema validate response messages
When selected, validates response messages against the schema contained
in the corresponding WSDL. Otherwise, disables standard schema
validation for responses.
7. Use the SOAP Action Policy radio buttons to determine the handling of the
HTTP SOAPAction header.
Lax
(Default) An empty header or a header that contains the empty string
from the client is considered a match. The client can quote the SOAP
action header. For example, SOAPAction:"" is treated as a match.
Off
The header is ignored when issued by clients and is never compared
against the content in the WSDL.
Chapter 3. Configuring Web Service Proxy services
Strict
The client must provide the header as it is specified in the WSDL file.
The client can quote the SOAP action header.
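The following Python is an added example (not code from the IBM guide) that applies the three SOAP Action Policy settings to a constructed set of requests against an operation whose WSDL declares soapAction="urn:getQuote". Two points the guide leaves implicit are treated as assumptions and marked in the code: under Lax a missing header is handled like an empty one, and a non-empty header must still agree with the WSDL.

```python
from typing import Dict, Optional


def normalize_soap_action(header: Optional[str]) -> Optional[str]:
    """Return the SOAPAction value with surrounding quotes removed (the client may
    quote it), or None when the header was not sent."""
    if header is None:
        return None
    value = header.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


def soap_action_accepted(policy: str, header: Optional[str], wsdl_action: str) -> bool:
    """Apply the SOAP Action Policy to one request.

    policy      -- "Lax" (default), "Off" or "Strict"
    header      -- raw SOAPAction header value from the client, None if absent
    wsdl_action -- the soapAction declared for the operation in the WSDL
    """
    if policy == "Off":
        return True                 # header is ignored and never compared to the WSDL
    value = normalize_soap_action(header)
    if policy == "Lax":
        # An empty header, or one carrying the empty string (SOAPAction: ""), matches.
        # Assumptions for this example: a missing header is treated the same way,
        # and a non-empty header must still agree with the WSDL value.
        if value is None or value == "":
            return True
        return value == wsdl_action
    if policy == "Strict":
        # The header must be present and equal the WSDL value; quoting is still allowed.
        return value is not None and value == wsdl_action
    raise ValueError(f"unknown SOAP Action Policy {policy!r}")


# Constructed requests against an operation whose WSDL declares soapAction="urn:getQuote".
WSDL_ACTION = "urn:getQuote"
SAMPLE_REQUESTS: Dict[str, Optional[str]] = {
    "quoted-match": '"urn:getQuote"',
    "bare-match": "urn:getQuote",
    "empty-string": '""',
    "missing": None,
    "other-operation": '"urn:getHistory"',
}


def outcomes(policy: str) -> Dict[str, bool]:
    """Evaluate every constructed request under one policy setting."""
    return {name: soap_action_accepted(policy, hdr, WSDL_ACTION)
            for name, hdr in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for policy in ("Lax", "Off", "Strict"):
        print(policy, outcomes(policy))
```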
8. Select an XML Manager from the XML Manager list. Refer to XML Manager
on page 394 for more information.
9. Select an AAA Policy from the AAA Policy list. Refer to Chapter 6, AAA
Policy configuration, on page 171 for more information.
10. If the Type is Static Backend, specify the URL of the backend server in the
Backend URL field. The URL provides the protocol to use. For assistance in
generating a valid URL, click the appropriate Helper button.
If the URL starts with https://, the proxy uses the HTTPS protocol. This
protocol requires an SSL Proxy Profile.
11. Optionally select the SSL Proxy Profile from the SSL Proxy Profile list. The
SSL Proxy Profile acts as an SSL client (that is, when using a secure connection
to the backend servers) and provides the credentials to use when acting as an
SSL client. Refer to SSL Proxy Profile objects on page 20 for more
information.
Note: If a User Agent is in use by the assigned XML Manager, that User
Agent might contain settings that override these SSL settings. Click the
... button beside the XML Manager to access the User Agent. Refer to
User Agent on page 339 for more information.
12. Specify the number of seconds in the Back Side Timeout field that a server
connection can remain idle before it times out and is closed. Use an integer in
the range of 10 through 86400. The default is 120.
13. Select the streaming behavior from the Stream Output to Back list.
Buffer Messages
Buffers submitted messages until all processing is verified as
complete. After verification, forward the message to the appropriate
backend.
Stream Messages
Begins to send the message to the backend before all processing is
complete. This behavior potentially increases processing speed. Select
this option when the selected XML Manager has streaming enabled or
when streaming of attachments is enabled.
14. Select the HTTP protocol version for server-side connections from the HTTP
Version to Server list.
v HTTP 1.0
v HTTP 1.1 (Default)
15. Use the Propagate URI toggle to turn the URI propagation behavior on
(default) or off.
If the backend URL is in an MQ, TIBCO EMS, or WebSphere JMS format,
disable URI propagation (set to off).
Enabling URI propagation is meaningful in the following situations only:
v When the service is configured to use a static backend.
v When the service is configured to use a dynamic backend and dynamic
routing is set with a route with style sheet (route-action) action in the
processing policy. In this case, use the dp:set-target() extension element to
define that target backend server.
For the other dynamic routing options that are available with the
route-action and route-set actions, the URI is absolute.
When enabled, the service rewrites the URI of the backend URL to the URI in
the client request. If URI propagation is enabled and the client submits
http://host/service and the backend URL is http://server/listener, the
URL is rewritten to http://server/service.
Notes:
v When enabled, any Matching Rule in a response processing rule
must match the rewritten URL.
v Any action in the Processing Policy can change the URI that is sent
to the backend server. The rewritten URI could override the
intended effect of this setting.
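As an added example (not from the IBM guide), this Python reproduces the URI propagation rewrite described above, refuses propagation for the queue-based backend formats the guide says require it to be off, and shows the consequence noted for response Matching Rules: they are evaluated against the rewritten URL. The scheme names in QUEUE_SCHEMES, the inclusion of the query string in the propagated URI, and glob-style matching are assumptions of this example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, urlunsplit

# Backend URL schemes for queue-based backends (MQ, TIBCO EMS, WebSphere JMS) for which
# the guide says Propagate URI must be off. The scheme names are assumed for this example.
QUEUE_SCHEMES = {"dpmq", "dptibems", "dpwasjms"}


def propagation_allowed(backend_url: str) -> bool:
    """True unless the backend uses one of the queue formats for which propagation must be off."""
    return urlsplit(backend_url).scheme.lower() not in QUEUE_SCHEMES


def propagate_uri(client_url: str, backend_url: str, propagate: bool = True) -> str:
    """Rewrite the backend URL to carry the client's request URI when Propagate URI is on.

    Only the URI (path and, assumed here, the query string) comes from the client;
    scheme, host and port stay those of the configured backend URL.
    """
    if not propagate:
        return backend_url
    if not propagation_allowed(backend_url):
        raise ValueError("Propagate URI must be off for MQ, TIBCO EMS and WebSphere JMS backends")
    backend = urlsplit(backend_url)
    client = urlsplit(client_url)
    return urlunsplit((backend.scheme, backend.netloc, client.path, client.query, ""))


def response_rule_matches(url_pattern: str, rewritten_url: str) -> bool:
    """A response Matching Rule is evaluated against the rewritten URL, not the configured
    backend URL. Glob-style matching of the path with '*' is assumed for this example."""
    return fnmatchcase(urlsplit(rewritten_url).path, url_pattern)


if __name__ == "__main__":
    # The guide's own example: client /service, backend /listener -> backend host with /service
    print(propagate_uri("http://host/service", "http://server/listener"))
```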
16. Use the Compression toggle to enable (on) or disable (off) GZIP compression
negotiation with the backend server. By default, compression negotiation is
disabled.
17. Specify the number of seconds in the Front Side Timeout field that a client
connection can remain idle before it times out and is closed. Use an integer in
the range of 10 through 86400. The default is 120.
Note: For a Stateful Raw XML connection, set this value higher to ensure that
the connection is not closed due to a timeout.
18. Select the streaming behavior from the Stream Output to Front list.
Buffer Messages
Buffers submitted messages until all processing is verified as
complete. After verification, forward the message to the appropriate
requesting client.
Stream Messages
Begins to send the message to the requesting client before all processing is
complete. This behavior potentially increases processing speed. Select
this option when the selected XML Manager has streaming enabled or
when streaming of attachments is enabled.
19. Click Apply to save changes to the running configuration.
20. Optional: Click Save Config to save the changes to the startup configuration.
(Default) Ignores the error condition, and processes the response rule.
before the first MIME boundary in the body of the message. These MIME
headers can contain important information that is not available in the
protocol headers, such as the string identifying the MIME boundary.
v When enabled, the Web Service Proxy processes these MIME headers.
v When enabled and there are no MIME headers, the Web Service Proxy
continues to try and parse the message with the available protocol header
information.
v When disabled and MIME headers are present in the body of the message,
these MIME headers are considered part of the preamble and not used to
parse out the message. If the protocol headers (such as HTTP) indicate the
MIME boundaries, the appliance can parse and process individual
attachments. If such information is not available, no attachments can be
parsed from the body of the message.
By default, MIME support is enabled.
Front Side MIME Header Processing
Use this toggle to enable (on) or disable (off) MIME (Multi-Purpose Internet
Mail Extensions) header processing support.
The body of a message (that is, the payload, independent of any protocol
headers) can sometimes contain MIME headers before any preamble and
before the first MIME boundary contained in the body of the message. These
MIME headers can contain important information not available in the
protocol headers, such as the string identifying the MIME boundary.
v When enabled, the Web Service Proxy processes these MIME headers.
v When enabled and there are no MIME headers in the message, the Web
Service Proxy continues to try and parse the message with the available
protocol header information.
v When disabled and MIME headers are present in the body of the message,
these MIME headers are considered part of the preamble and not used to
parse out the message. If the protocol headers (such as HTTP) indicate the
MIME boundaries, the appliance can parse and process individual
attachments. If such information is not available, no attachments can be
parsed from the body of the message.
By default, MIME support is enabled.
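To make the three behaviors listed above concrete, here is an added Python example (not code from the IBM guide or the appliance) that decides where the MIME boundary comes from, body MIME headers or protocol headers, according to the MIME Header Processing toggle, and then splits a constructed SOAP-with-attachments body into its parts. The sample body, whose boundary is declared only in MIME headers at the top of the body, is constructed for this example.

```python
import re
from typing import Dict, List, Optional

_BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)
# A header line starts with an RFC 7230 token followed by ':'.
_HEADER_LINE_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")


def boundary_from_content_type(content_type: Optional[str]) -> Optional[str]:
    """Extract the boundary parameter from a Content-Type value, or None."""
    if not content_type:
        return None
    match = _BOUNDARY_RE.search(content_type)
    return match.group(1) if match else None


def body_mime_headers(body: bytes) -> Dict[str, str]:
    """Return the MIME headers that open the body (before any preamble and before the
    first boundary). Returns {} when the body does not start with a header block."""
    head, sep, _ = body.partition(b"\r\n\r\n")
    if not sep:
        return {}
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n"):
        if not _HEADER_LINE_RE.match(line):
            return {}               # not a header block: the body starts with the preamble
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").lower()] = value.decode("ascii", "replace").strip()
    return headers


def find_boundary(protocol_headers: Dict[str, str], body: bytes,
                  mime_header_processing: bool) -> Optional[str]:
    """Pick the boundary string per the toggle: when enabled, body MIME headers are used
    and the protocol headers are the fallback; when disabled, body MIME headers are just
    part of the preamble and only the protocol headers count."""
    if mime_header_processing:
        boundary = boundary_from_content_type(body_mime_headers(body).get("content-type"))
        if boundary:
            return boundary
    lowered = {k.lower(): v for k, v in protocol_headers.items()}
    return boundary_from_content_type(lowered.get("content-type"))


def split_parts(body: bytes, boundary: str) -> List[bytes]:
    """Return the raw MIME parts (part headers plus content) between the boundaries."""
    delimiter = b"\r\n--" + boundary.encode("ascii")
    chunks = (b"\r\n" + body).split(delimiter)
    parts: List[bytes] = []
    for chunk in chunks[1:]:          # chunks[0] is the preamble (and any leading MIME headers)
        if chunk.startswith(b"--"):   # closing delimiter; anything after it is epilogue
            break
        parts.append(chunk[2:] if chunk.startswith(b"\r\n") else chunk)
    return parts


def parse_attachments(protocol_headers: Dict[str, str], body: bytes,
                      mime_header_processing: bool) -> List[bytes]:
    boundary = find_boundary(protocol_headers, body, mime_header_processing)
    if boundary is None:
        return []                     # no boundary known: nothing can be parsed out of the body
    return split_parts(body, boundary)


# Constructed body: the boundary appears only in MIME headers at the top of the body.
SAMPLE_BODY = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="MIME_boundary"; type="text/xml"\r\n'
    b"\r\n"
    b"This is the preamble.\r\n"
    b"--MIME_boundary\r\n"
    b"Content-Type: text/xml; charset=UTF-8\r\n"
    b"\r\n"
    b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'/>\r\n"
    b"--MIME_boundary\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"BINARY-ATTACHMENT-DATA\r\n"
    b"--MIME_boundary--\r\n"
)

if __name__ == "__main__":
    print(len(parse_attachments({}, SAMPLE_BODY, True)), "parts with processing on")
    print(len(parse_attachments({}, SAMPLE_BODY, False)), "parts with processing off")
```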
Service Priority
Optionally select the service priority.
High
Low
Normal
(Default) Receives normal priority.
Default parameter namespace
Optionally specify the default XML namespace for parameters that are made
available from the CLI or WebGUI. The default namespace for such
parameters is http://www.datapower.com/param/config.
Query parameter namespace
Optionally specify the default XML namespace for parameters that are made
available from a URL query string. The default namespace for such
parameters is http://www.datapower.com/param/query.
SOAP Schema URL
When the traffic type is SOAP, the SOAP Schema URL field appears. Use
this field to specify the full URL of the schema used to validate
SOAP-formatted messages. When a service is in SOAP mode, either on
the request or response side, it validates incoming messages against a W3C
Schema for SOAP messages. You can customize the schema to use by
changing this property. Change the schema to accommodate nonstandard
configurations or special cases.
Message Processing Modes
Optionally select the check box for one or more message processing modes.
Request rule in order
Enforces first-in first-out serial processing of messages for actions in
the request rule. The appliance initiates and completes request rule
processing for messages in the order that they were pulled from the
frontend request queue. The appliance starts the request rule for the
second message in the request queue only after it completes the
processing of the first message. The backend request queue accepts
whatever message arrives first, except when you enforce Backend in
order serial processing. In that case, the appliance buffers messages
so that it sends messages to the backend request queue in the same
order that they were pulled from the frontend request queue.
Backend in order
Enforces the serial processing of messages delivered to the backend
request queue. If needed, the appliance will buffer messages that
complete request rule processing out of order and only deliver
messages to the backend request queue in the same order that they
were pulled from the frontend request queue.
Response rule in order
Enforces serial processing of messages for actions in the response
rule. The appliance initiates and completes response rule processing
for messages in the order that they were pulled from the backend
reply queue. The appliance starts the response rule for the second
message in the reply queue only after it completes the processing of
the first message. The appliance always buffers messages so that it
sends messages to the frontend reply queue in the same order that
they were pulled from the backend reply queue.
Credentials
Optionally select a Firewall Credentials Set. Refer to Defining Firewall
Credentials objects on page 15 for more information.
Click Apply to save changes to the running configuration.
Optional: Click Save Config to save the changes to the startup configuration.
Select the URL Rewrite Policy used to manipulate the contents of the
original FaultTo header.
Rewrite WS-Addressing To Header
Identifies the URL Rewrite Policy used to rewrite the contents of the
WS-Addressing To header. Use this property to modify the contents of an
incoming To header that identifies the message destination.
Select the URL Rewrite Policy used to manipulate the contents of the
original To header.
Default WS-Addressing Reply-To
Forces the inclusion of the optional ReplyTo header in WS-Addressing
messages. Use this property to ensure that all messages contain the
optional WS-Addressing ReplyTo header that identifies the recipient
endpoint of a response message.
Because the WS-Addressing specifications do not require the inclusion of
the ReplyTo header, the service could receive messages that do not contain
a ReplyTo header, or that contain the header with no value.
When this happens, the DataPower service modifies the WS-Addressing
message to include a ReplyTo header that contains the URL value specified
by this property.
If a default recipient endpoint of response messages is not explicitly
identified by this command, the DataPower service provides
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous (the
default value).
Default WS-Addressing Fault-To
Forces the inclusion of the optional FaultTo header in WS-Addressing
messages. Use this property to ensure that all messages contain the
optional WS-Addressing FaultTo header that identifies the recipient
endpoint of a response message.
Because the WS-Addressing specifications do not require the inclusion of
the FaultTo header, the service could receive messages that do not contain
a FaultTo header or that contain the header with no value.
When this happens, the DataPower service modifies the WS-Addressing
message to include a FaultTo header that contains the URL value specified
by this property.
If a default recipient endpoint of response messages is not explicitly
identified by this command, the DataPower service provides
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous (the
default value).
Force Incoming WS-Addressing
Forces the inclusion of WS-Addressing headers into server-originated
traditionally addressed messages.
In WS-Addressing to Synchronous Mode, the DataPower service generally
handles a mix of Web Service addressed and traditionally addressed
messages.
Use this property to ensure that all messages use WS-Addressing.
that are received by the Reliable Messaging destination with the correct
identifier but on a different SSL/TLS session are rejected.
The lifetime of an SSL/TLS-protected sequence is bound by the lifetime of
the SSL/TLS session that is used to protect that sequence.
on
(Default) Enables this feature. If enabled, both the client and the
server can use Reliable Messaging to send messages to this
DataPower service.
off
Required on Response
Indicates whether to require the use of Reliable Messaging for all SOAP
messages that response rules process. Any SOAP message without a
Sequence results in a SOAP fault.
Note: When WS-Addressing is in use, SOAP messages without a
WS-Addressing RelatesTo SOAP Header are processed by the
request rule, not the response rule, even if the message comes from
the backend server.
on
off
Include an offer.
XML virus
Viruses are typically contained in message attachments. XML Virus Protection sets
parameters that handle the following types of attacks in attachments:
v XML virus attacks
v XML encapsulation attacks
v Payload hijack attacks
v Binary injection attacks
First determine whether to process attachments. If you process attachments, define
an antivirus action to check attachments for viruses.
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
Response attachment processing mode or Response Attachments
Specifies the processing mode for attachments in server responses.
Allow
Processes the message root and needed XML and non-XML
attachments. Needed attachments are buffered. Attachments that
are not needed might be streamed directly to output.
Reject
Rejects messages that contain attachments.
Strip
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
For the XML Firewall services only, these properties are on both the General tab
and the XML Threat Protection tab. A change on either tab affects the property on
both tabs.
URL builders
To use a URL builder, click the protocol-specific button. The WebGUI launches a
utility that assists in building the protocol-specific URL.
v For information about using the utility to build an IMS Connect URL, refer to
Building an IMS Connect URL.
v For information about using the utility to build an MQ URL, refer to Building
an MQ URL on page 65.
v For information about using the utility to build a TIBCO EMS URL, refer to
Building a TIBCO EMS URL on page 66.
v For information about using the utility to build a WebSphere JMS URL, refer to
Building a WebSphere JMS URL on page 67.
3. Specify the transaction name for the connection in the Transaction Name field.
This property sets the TranCode parameter. This property overrides the value of
the Transaction Code property for the IMS Connect object.
4. Specify the datastore name (IMS destination ID) for the connection in the Data
Store ID field. This property sets the DataStoreID parameter. This property
overrides the value of the Data Store ID property for the IMS Connect object.
5. Click Build.
The utility creates a URL in the following format:
dpims://object?TranCode=code;DataStoreID=ID
Refer to the url-open extension element in the IBM WebSphere DataPower SOA
Appliances: Extension Elements and Functions Catalog for details about changing the
URL for a secure connection or for adding other query parameters.
Building an MQ URL
When constructing a service that uses MQ for the back-end URL, the URL of the
response from the back end often contains the query string. The matching criteria
in the response rule for the processing policy must allow for this query string. For
example, if the request to the service is http://gwaddr/SomeURL and the response
from the back end is
http://gwaddr/SomeURL?RequestQueue=1;ResponseQueue=2;PMO=2048,
matching criteria of */SomeURL will fail for the response.
To use the MQ URL builder for assistance in the construction of a URL, use the
following procedure:
1. Click MQ Helper.
2. From the Queue Manager list, select an existing instance of the MQ Queue
Manager object.
3. In the URI field, specify a string, such as /SomeBank/Services/checking to
include in the URL.
4. In the RequestQueue field, specify the name of a queue that the Queue
Manager manages. The service puts requests on this queue.
5. In the PublishTopicString field, specify a topic string associated with the
identified queue manager. The service publishes requests to this topic string. If
the RequestQueue field is specified, this field is ignored.
6. In the ReplyQueue field, specify the name of a queue that the Queue
Manager manages. The service polls this queue for responses.
7. In the SubscribeTopicString field, specify a topic string. If the ReplyQueue is
specified, this field is ignored.
8. In the SubscriptionName field, specify the name for the durable subscription.
9. Use the Transactionality toggle to indicate whether communications must use
transactional unit-of-work. When enabled (on), the service enforces
transactional unit-of-work in the communication by inserting
Transactional=true in the URL and does not consider a message to be
successfully posted until it receives a response.
10. Use the User Identifier toggle to indicate whether to set the UserIdentity
value in the MQ header.
v If enabled (on), the builder inserts PMO=2052 in the URL. This value assumes
the following MQPMO options:
MQPMO_NO_SYNCPOINT (decimal 4, hexadecimal 0x00000004)
MQPMO_SET_ALL_CONTEXT (decimal 2048, hexadecimal 0x00000800)
v If disabled (off), the builder does not insert a value. The service assumes
MQPMO_NO_SYNCPOINT only.
11. Use the ReplyToQ toggle to indicate whether to set the ReplyToQ value in the
MQMD header for a request message.
v If enabled (on), the builder inserts SetReplyTo=true in the URL. The
processing policy overwrites the ReplyToQ value with the value of the
ReplyQueue option.
v If disabled (off), the processing policy does not change the value of
ReplyToQ in the MQMD header.
12. Click Build.
The utility creates a URL in the following format, which becomes the value for the
Backend URL field:
dpmq://server/URI?RequestQueue=queue;ReplyQueue=queue;Transactional=true;PMO=2052;SetReplyTo=true
Refer to the url-open extension element in the IBM WebSphere DataPower SOA
Appliances: Extension Elements and Functions Catalog for details about changing the
URL for a secure connection, for using another MQPMO value, or for adding other
query parameters.
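The following Python is an added example, not the appliance's own URL builder or URL matcher: it assembles a dpmq:// URL from the toggles described above, decodes the PMO value the builder inserts, and shows why a response-side match of */SomeURL fails once the back end echoes the query string. The function names and the simplified wildcard matcher are assumptions; the parameter names, URL format and MQPMO values come from the page.

```python
"""Added example (not DataPower code): MQ back-end URL assembly, PMO decoding
and the response-side URL matching pitfall described above."""
import re

# MQPMO option values quoted on the page.
MQPMO_NO_SYNCPOINT = 0x00000004        # decimal 4
MQPMO_SET_ALL_CONTEXT = 0x00000800     # decimal 2048
MQPMO_NAMES = {
    MQPMO_NO_SYNCPOINT: "MQPMO_NO_SYNCPOINT",
    MQPMO_SET_ALL_CONTEXT: "MQPMO_SET_ALL_CONTEXT",
}


def build_mq_url(server, uri, request_queue, reply_queue,
                 transactional=False, user_identifier=False, reply_to_q=False):
    """Mirror the builder's toggles. Only the parameters shown in the page's
    URL format are emitted (RequestQueue, ReplyQueue, Transactional, PMO,
    SetReplyTo); the topic-string fields are left out of this example."""
    params = [("RequestQueue", request_queue), ("ReplyQueue", reply_queue)]
    if transactional:           # Transactionality toggle on
        params.append(("Transactional", "true"))
    if user_identifier:         # User Identifier toggle on -> PMO=2052
        params.append(("PMO", str(MQPMO_NO_SYNCPOINT | MQPMO_SET_ALL_CONTEXT)))
    if reply_to_q:              # ReplyToQ toggle on
        params.append(("SetReplyTo", "true"))
    query = ";".join(f"{key}={value}" for key, value in params)
    return f"dpmq://{server}{uri}?{query}"


def pmo_options(url):
    """Return the MQPMO option names implied by the URL's PMO value.
    Without a PMO parameter the service assumes MQPMO_NO_SYNCPOINT only."""
    match = re.search(r"[?;]PMO=(\d+)", url)
    value = int(match.group(1)) if match else MQPMO_NO_SYNCPOINT
    return sorted(name for bit, name in MQPMO_NAMES.items() if value & bit)


def url_matches(pattern, url):
    """Simplified stand-in for a processing-policy URL match (assumption, not
    the appliance's exact matcher): '*' matches any run of characters and
    everything else, including '?' and ';', is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


if __name__ == "__main__":
    url = build_mq_url("server", "/SomeBank/Services/checking", "REQ.Q", "RSP.Q",
                       transactional=True, user_identifier=True, reply_to_q=True)
    print(url)
    print(pmo_options(url))
    # The page's example: the back end echoes the query string, so a response
    # rule whose match is */SomeURL never fires.
    response = "http://gwaddr/SomeURL?RequestQueue=1;ResponseQueue=2;PMO=2048"
    print(url_matches("*/SomeURL", response), url_matches("*/SomeURL*", response))
```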
b. Specify LBGroup (the Load Balancer Group) as the address of the back-end
server for the DataPower service. Depending on the DataPower service or
the view of that DataPower service, the field could be Remote Address,
Server Address, or something similar.
With a Web Service Proxy that is configured statically from a WSDL file, the
field is part of the configuration of the Remote Rewrite Rules of the
WS-Proxy Endpoint Rewrite object. The field is either Remote Endpoint
Host (object view) or Hostname (IP Address) (service view).
For complete information about managing Load Balancer Group objects, refer to
Load balancer groups on page 289.
WSDL Retrieval
WSDL queries are restricted to GET and HEAD requests:
v A GET request retrieves the entire WSDL.
v A HEAD request informs that the WSDL service is live.
Before issuing these types of WSDL queries, enable the HTTP GET and HEAD
methods on the Front Side Handler.
To expose a WSDL from within a Web Service Proxy with the ?wsdl URI, use the
following format for the URL:
http://host:port/URI?wsdl
where:
filename
The file name for the renamed input file.
serial
timestamp
The timestamp.
Note: File renaming cannot be used with an FTP server that supports only 8.3
file names.
For example, if the input files are NNNNNN.input and you want to rename them
to NNNNNN.processing, then the match pattern would be ([0-9]{6})\.input$
and the processing pattern would be $1.processing. The resultant file name on
the server would be:
NNNNNN.processing.serial.domain.poller.timestamp
on
(Default) Creates the result file using the naming pattern specified
by the Result File Name Pattern property.
off
Does not create the result file.
b. If on, specify the PCRE to use as the match pattern to build the name of the
result file in the Result File Name Pattern field. This PCRE will normally
have a back reference for the base input file. For instance, if input files are
NNNNNN.input and you want to rename them to NNNNNN.result, the match
pattern would be ([0-9]{6})\.input$ and the rename pattern would
be $1.result.
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../result/$1.
13. Define the processing seize behavior.
a. Specify the time to wait in seconds before processing a file that is already
in the processing state in the Processing Seize Timeout field. Use an
integer in the range of 0 through 1000. The default is 0.
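Added example (Python, not DataPower code) for the Processing File Renaming Pattern and Result File Name Pattern described above: it applies PCRE-style $1 back references, appends the filename.serial.domain.poller.timestamp suffix, checks the 8.3 limitation from the note, and simulates two pollers racing to claim the same file by rename. The serial, domain, poller and timestamp values are constructed, and an in-memory dict stands in for the server directory.

```python
"""Added example (not DataPower code): poller file renaming with PCRE-style
match and rename patterns, the uniqueness suffix, and the rename-as-claim
race between two pollers sharing one directory."""
import re

# Patterns from the page: six-digit NNNNNN.input files renamed while processing.
INPUT_MATCH = r"([0-9]{6})\.input$"
PROCESSING_RENAME = "$1.processing"
RESULT_RENAME = "$1.result"


def pcre_template_to_python(template):
    """Convert PCRE-style $1 back references to Python's \\g<1> form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", template)


def apply_rename_pattern(name, match_pattern, rename_pattern):
    """Return the renamed file name, or None if the name does not match."""
    match = re.search(match_pattern, name)
    if match is None:
        return None
    return match.expand(pcre_template_to_python(rename_pattern))


def processing_name(name, match_pattern, rename_pattern,
                    serial, domain, poller, timestamp):
    """Build filename.serial.domain.poller.timestamp for a claimed input file.
    The page does not define 'serial'; the value is supplied by the caller."""
    renamed = apply_rename_pattern(name, match_pattern, rename_pattern)
    if renamed is None:
        return None
    return f"{renamed}.{serial}.{domain}.{poller}.{timestamp}"


def is_8dot3_name(name):
    """True when the name fits an 8.3 file system. The uniqueness suffix
    never does, which is why renaming cannot be used with such servers."""
    return re.fullmatch(r"[^./]{1,8}(\.[^./]{1,3})?", name) is not None


def claim_file(directory, name, match_pattern, rename_pattern,
               serial, domain, poller, timestamp):
    """Simulate one poller claiming a file by renaming it. `directory` is a
    dict standing in for the server directory; dict.pop is the atomic step,
    like an atomic rename on the server, so exactly one poller wins."""
    new_name = processing_name(name, match_pattern, rename_pattern,
                               serial, domain, poller, timestamp)
    if new_name is None:
        return None                       # not an input file for this poller
    try:
        content = directory.pop(name)
    except KeyError:
        return None                       # another poller renamed it first
    directory[new_name] = content
    return new_name


if __name__ == "__main__":
    # Constructed server directory with one input file.
    server_dir = {"123456.input": b"<order/>"}
    first = claim_file(server_dir, "123456.input", INPUT_MATCH, PROCESSING_RENAME,
                       "0001", "default", "pollerA", "20240101T000000")
    second = claim_file(server_dir, "123456.input", INPUT_MATCH, PROCESSING_RENAME,
                        "0002", "default", "pollerB", "20240101T000000")
    print("pollerA claimed:", first)
    print("pollerB claimed:", second)
    print("result file:", apply_rename_pattern("123456.input", INPUT_MATCH, RESULT_RENAME))
    print("cross-directory result:", apply_rename_pattern("123456.input", r"(.*)", "../result/$1"))
```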
Chapter 4. Handler configuration
Defining as transparent
To configure an instance of the FTP Server Front Side Handler object to access a
transparent file system, use the following procedure:
1. Select Objects > Protocol Handlers > FTP Server Front Side Handler to
display the catalog.
2. Click Add to display the configuration screen.
3. In the Name field, enter the name for the object.
4. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
5. Optional: In the Comment field, enter a descriptive summary.
6. Define the connection from the client to the appliance.
a. Specify the IP address on which the FTP server listens in the Local IP
Address field. Defaults to 0.0.0.0, which indicates that the service is active
on all IP addresses.
To use a local Host Alias instead of a static IP address, click Host Alias. A
Host Alias allows you to specify a locally configured alias that resolves to
a static IP address. Aliasing can help when moving configurations across
systems.
b. Specify the port that the FTP Server service monitors in the Port field. This
port is the port on which FTP control connections can be established. This
port does not control the TCP port that is used for the data connections. If
the FTP client uses the PASV command, data connections will use an
arbitrary, unused TCP port. The default is 21.
7. Define the characteristics of the file system.
a. Select Transparent from the Filesystem Type list.
b. Retain the default value in the Default Directory field.
c. Specify the maximum file name length on the FTP server in the Maximum
Filename Length field. Use an integer in the range of 1 through 4000. The
default is 256.
8. Select an instance of the Access Control List object to apply from the Access
Control List list.
9. Define secure connection.
a. Use the Require TLS toggle to select whether FTP control connections
require explicit TLS encryption. If required, the FTP client must use the
FTP AUTH TLS command before any other command. This setting does
not control encryption of data transfers. The default is off.
b. Select an instance of the SSL Proxy Profile object to assign from the SSL
Proxy list.
10. Define user authentication.
a. Select an instance of the AAA Policy object from the Password AAA
Policy list. This instance performs authentication of user names and
passwords provided to the FTP server by the client with the USER and
PASS commands. If the authentication succeeds, the FTP client can use all
of the features of the FTP server. If the authentication fails, a 530 error is
returned, and the user can attempt to authenticate again. If no Password
AAA Policy is configured, any user name and password is accepted.
b. Select an instance of the AAA Policy object from the Certificate AAA
Policy list. This instance performs secondary authentication of the
information in the TLS/SSL certificate that is provided during TLS
negotiation after the AUTH TLS command to the FTP server. Primary
12. Specify the number of seconds that the FTP control connection can be idle in
the Idle Timeout field. After the specified duration elapses, the FTP server
closes the control connection. Defaults to 0, which disables the timeout.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
2) If allowing or requiring support, use the Limit Port Range for Passive
Connections toggle to control whether to limit the TCP port range that
the FTP server can dynamically allocate.
3) If limiting the port range, define the port range and define the timeout
for establishing a data connection.
a) Specify the lower end of the range in the Minimum Passive Port
field. The default is 1024.
b) Specify the upper end of the range in the Maximum Passive Port
field. The default is 1050.
c) Specify the number of seconds that the server waits for a client to
establish a passive data connection in the Passive Data Connection
Idle Timeout field.
4) Use the Disable Passive Data Connection (PASV) IP Security Check
toggle to specify whether to disable the IP security check that verifies
that the incoming data connection comes from the already connected
client. The default is off to perform the check.
5) Use the Disable Active Data Connection (PORT) IP Security Check
toggle to specify whether to disable the IP security check that verifies
that outgoing data connections can only connect to the client. The
default is off to perform the check.
6) Define behavior for alternate IP address support.
a) Select the behavior for alternate IP address support from the Use
Alternate PASV IP Address toggle.
b) If allowing support, use the Alternate PASV IP Address field to
specify the numeric IP address.
c. Select the use of encryption for data connections (file transfers) from the
File Transfer Data Encryption list. Data encryption is controlled by the
FTP PROT P command. The default is Allow Data Encryption.
d. Use the Allow Compression toggle to select whether the FTP client can
use FTP MODE Z compression. After enabling FTP compression, the FTP
client can use the zlib method to compress data transfers. The default is
on.
e. Define behavior for unique file names
1) Use the Allow Unique File Name (STOU) toggle to select whether the
FTP client can use the FTP STOU command. When enabled, the FTP
server generates a unique file name for each transferred file. The
default is off.
2) If enabled, specify the prefix for file names that are generated when
using the FTP STOU command in the Unique File Name Prefix field.
When defining the prefix, use the ^[^/]*$ format. The directory
separator (/) is not allowed. The default is to not add a prefix, which is
an empty string.
12. Specify the number of seconds that the FTP control connection can be idle in
the Idle Timeout field. After the specified duration elapses, the FTP server
closes the control connection. Defaults to 0, which disables the timeout.
13. Define response behavior and storage for responses.
a. Select how to make response files available for gateway transactions
started by the FTP STOR or STOU operation from the Response Type list.
The default is No Response.
b. If FTP Client, which indicates that the response is written by the FTP
client:
passwords provided to the FTP server by the client with the USER and
PASS commands. If the authentication succeeds, the FTP client can use all
of the features of the FTP server. If the authentication fails, a 530 error is
returned, and the user can attempt to authenticate again. If no Password
AAA Policy is configured, any user name and password is accepted.
b. Select an instance of the AAA Policy object from the Certificate AAA
Policy list. This instance performs secondary authentication of the
information in the TLS/SSL certificate that is provided during TLS
negotiation after the AUTH TLS command to the FTP server. Primary
authentication is done by the SSL Proxy Profile, which can completely
reject a certificate. This authentication stage controls whether an FTP
password will be demanded or not. If the result of this authentication
succeeds, the FTP client will only have to use the USER command to login
after the AUTH TLS. If this authentication fails, the FTP client will have to
use both the USER and PASS commands to complete the login process. If
no Certificate AAA Policy is configured, USER and PASS will always be
required. If the AUTH TLS command is not used by the FTP client, USER
and PASS will always be required.
11. Define FTP support.
a. Use the Allow CCC Command toggle to select whether the FTP CCC
command can be used to turn off TLS encryption of the FTP control
connection after user authentication. If allowed, the CCC command can be
used to turn off encryption after authentication. Turning off encryption is
necessary when the FTP control connection crosses a firewall or NAT
device that needs to sniff the control connection. Turning off encryption
eliminates the secrecy of the files being transferred and allows TCP packet
injection attacks. The default is on.
b. Define behavior for passive command support.
1) Select the support behavior for passive commands from the Passive
(PASV) Command list. Without the PASV command, the STOR,
STOU, and RETR commands will fail when issued by the FTP client.
When not allowing passive mode, the FTP client must use the FTP
PORT command. The default is Allow Passive Mode.
2) If allowing or requiring support, use the Limit Port Range for Passive
Connections toggle to control whether to limit the TCP port range that
the FTP server can dynamically allocate.
3) If limiting the port range, define the port range and define the timeout
for establishing a data connection.
a) Specify the lower end of the range in the Minimum Passive Port
field. The default is 1024.
b) Specify the upper end of the range in the Maximum Passive Port
field. The default is 1050.
c) Specify the number of seconds that the server waits for a client to
establish a passive data connection in the Passive Data Connection
Idle Timeout field.
4) Use the Disable Passive Data Connection (PASV) IP Security Check
toggle to specify whether to disable the IP security check that verifies
that the incoming data connection comes from the already connected
client. The default is off to perform the check.
5) Use the Disable Active Data Connection (PORT) IP Security Check
toggle to specify whether to disable the IP security check that verifies
that outgoing data connections can only connect to the client. The
default is off to perform the check.
commands. The URL must be an FTP URL that starts with ftp://. The
URL should include a directory, but not a file name. The URL cannot
include query parameters. The URL should be in the
^(|ftp://[^/]+(/[^/]+)*)$ format. The default is to have no response
generated (an empty string).
3) Specify the maximum size in megabytes for the temporary file system
in the Temporary Storage Size field. Use an integer in the range of 1
through 2048. The default is 32.
c. If Virtual Filesystem, which indicates that the response is made available
as a file in the virtual file system that can be read by the FTP client:
1) Specify the directory to store the response in the Response Storage
field.
2) If NFS:
a) Specify the suffix to add when generating response files in the
Response Suffix field. The directory separator (/) is not allowed.
The suffix should be in the ^[^/]*$ format. Defaults to an empty
string.
b) Select an NFS static mount to apply. Each response file will have a
unique file name in the NFS directory from the Response NFS
Mount list. The name of the response file is not related to the file
name that the virtual file system presents to the FTP client.
Generally, this NFS directory is not made available through the FTP
server. This directory should not be used for any other purpose.
3) If Temporary:
a) Specify the suffix to add to the end of the input file name in the
Response Suffix field.
b) Specify the maximum size in megabytes for the temporary file
system in the Temporary Storage Size field. Use an integer in the
range of 1 through 2048. The default is 32.
14. Define virtual directories. The FTP client can use all of these directories to
write files to be processed. The root directory (/) is always present and cannot
be created. Its response directory is always the root directory.
a. Click the Virtual Directories tab.
b. Create a virtual directory.
1) Click Add.
2) Specify the directory in the virtual file system of the FTP server where
the FTP client can find this directory in the Virtual Directory field.
3) In the Response Directory field, specify the directory in the virtual
file system of the FTP server where the responses to files stored in this
directory will go.
4) Click Save.
c. Repeat the previous step to define another virtual directory.
15. Click Apply to save the changes to the running configuration.
16. Optional: Click Save Config to save the changes to the startup configuration.
To configure an instance of the HTTP Front Side Handler object, use the following
procedure:
1. Select Objects > Protocol Handlers > HTTP Front Side Handler.
2. Click Add to display the configuration screen.
3. In the Name field, enter the name for the object.
4. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
5. Optional: In the Comment field, enter a descriptive summary.
6. Define the connection from the client to the appliance.
a. Specify the host alias or IP address on which the service listens in the
Local IP Address field. The default is 0.0.0.0, which indicates that the
service is active on all IP addresses.
To use a local Host Alias instead of a static IP address, click Host Alias. A
Host Alias allows you to specify a locally configured alias that resolves to
a static IP address. Aliasing can help when moving configurations across
systems.
b. Specify the listening port in the Port Number field. The default is 443.
7. Select the HTTP version to use on the client connection from the HTTP
Version to Client list. The default is HTTP 1.1.
8. Use the Allowed Methods and Versions check boxes to select the allowed
methods and versions for incoming HTTP requests.
9. Use the Persistent Connections toggle to enable or disable the negotiation of
persistent connections.
10. Use the Compression toggle to enable or disable the negotiation of GZIP
compression.
12. Select the instance of the SSL Proxy Profile object to assign from the SSL
Proxy list.
13. Select the instance of the Access Control List object to apply from the Access
Control List list.
14. Click Apply to save the changes to the running configuration.
15. Optional: Click Save Config to save the changes to the startup configuration.
off
Disables persistent connections.
10. Use the EBCDIC Input Header Encoding toggle to select the encoding for
input headers as EBCDIC or ASCII. This setting does not affect payload
processing. Payload is not automatically processed.
11. Select an Access Control List from the Access Control List list.
12. In the Maximum Segment Size field, enter an integer in the range of 0 to 32
to specify the maximum segment size in KB. The default is 0 which disables
segmentation.
High-level configuration
To configure an MQ Front Side Handler:
1. Select Objects > Protocol Handlers > MQ Front Side Handler to display the
MQ Front Side Handler catalog.
2. Click Add.
3. Define the basic configuration of the handler. Refer to Defining the basic
configuration on page 88 for details.
4. Define the publish and subscribe configuration. These fields are only supported
with WebSphere MQ V7 queue managers. Refer to Defining the publish and
subscribe configuration on page 89 for details.
5. Define the properties and headers configuration. Refer to Defining the
properties and headers configuration on page 89 for details.
6. Define the advanced configuration. Refer to Defining the advanced
configuration on page 90 for details.
7. Click Apply to save the changes to the running configuration.
8. Optional: Click Save Config to save the changes to the startup configuration.
11. Use the Use Queue Manager in URL field to determine whether the
var://service/URL-in variable returns the name of MQ Queue Manager or
the name of the MQ Queue Manager Group when this configuration defines a
queue manager group as the queue manager.
on
off
(Default) The variable returns the name of the queue manager group.
12. In the CCSI field, specify the Coded Character Set Identifier to which the
remote MQ queue manager converts output data. The default CCSI is for
ISO-8859-1 (latin-1). Refer to the IBM Code Pages on the Web for a list of
CCSI identifiers.
This property is meaningful only when the MQ Queue Manager object has the
Convert Input property set to on.
None
(Default) No header
MQRFH
MQRFH header
MQRFH2
MQRFH2 header
5. If Header to Extract Content-Type is not None, specify the XPath expression
that extracts the value of the Content-Type header from the MQ header in the
XPath expression to extract Content-Type from MQ header field. Click XPath
Tool for help building the XPath expression.
7. Specify the number of milliseconds to wait after the completion of one poll
before starting the next interval in the Delay Between Polls field. Use an
integer in the range of 25 through 100000. The default is 60000.
8. Specify the PCRE to use to match the contents of the directory being polled in
the Input File Match Pattern field. If file renaming is used or a response is
expected, this PCRE must create back references using () pairs.
For example, if the input files are NNNNNN.input, then the match pattern would
be ([0-9]{6})\.input.
9. Specify the PCRE to use to rename a file that is being processed in the
Processing File Renaming Pattern field. This functionality allows multiple
poller objects to poll the same directory with the same match pattern. The
procedure is atomic provided that the rename operation on the server is atomic.
The poller that succeeds in renaming the input file proceeds to process the file.
Any other poller that tries to rename the file at the same time fails to
rename the file and proceeds to the next file that matches the specified
match pattern.
To ensure uniqueness, the resulting file name will be in the following format:
filename.serial.domain.poller.timestamp
where:
filename
The file name for the renamed input file.
serial
The serial number of the appliance.
domain
The application domain of the poller.
poller
The name of the poller object.
timestamp
The timestamp.
Note: File renaming cannot be used with an NFS server that supports only 8.3
file names.
For example, if the input files are NNNNNN.input and you want to rename them
to NNNNNN.processing, then the match pattern would be ([0-9]{6})\.input$
and the processing pattern would be $1.processing. The resulting file name on
the server would be:
NNNNNN.processing.serial.domain.poller.timestamp
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../processed/$1.
11. Define the process for deleting files on processing error.
a. Use the Delete File on Processing Error toggle to select whether to delete
the input or processing rename file when it could not be processed.
12. Define whether a result file is generated.
a. Use the toggle to select whether to create a result file.
on
(Default) Creates the result file using the naming pattern specified
by the Result File Name Pattern property.
off
Does not create a result file.
b. If on, specify the PCRE to use as the match pattern to build the name of the
result file in the Result File Name Pattern field. This PCRE will normally
have a back reference for the base input file. For instance, if input files are
NNNNNN.input and you want to rename them to NNNNNN.result, the match
pattern would be ([0-9]{6})\.input$ and the rename pattern would
be $1.result.
Some servers might allow this pattern to indicate a path that puts the file
in a different directory, if it allows cross-directory renames. For instance,
the match pattern would be (.*) and the rename pattern would be
../result/$1.
13. Define the processing seize behavior.
a. Specify the time to wait in seconds before processing a file that is already
in the processing state in the Processing Seize Timeout field. Use an
integer in the range of 0 through 1000. The default is 0.
Processing seize allows failure handling of a poller when multiple data
routers are polling the same target. If another data router renames a file
and does not process (and rename or delete) it within the specified number of
seconds, this system attempts to take over processing. This system attempts
to take over processing only when all three of the following conditions are
met when the file name is compared to the processing seize pattern:
1) The base file name (first match phrase) matches the processing seize pattern.
2) The host name (second match phrase) is not the name of this system.
3) The timestamp (third match phrase) is further in the past than the wait
time specified by this timeout.
When these three conditions are met, this system renames the file (with its
own host name and a fresh timestamp) and processes the file locally. This
processing assumes that the rename succeeded.
b. Specify the PCRE to use to find files that were renamed to indicate that
they are in the being-processed state but whose processing was never
completed in the Processing Seize Pattern field.
The processing seize pattern contains three phrases that must be in ()
pairs. The first phrase is the base file name that includes the configured
processing suffix. The second phrase is the host name. The third phrase is
the timestamp.
14. Select the XML Manager that contains the User Agent configuration to use
from the XML Manager list.
15. In the Maximum File Transfers Per Poll Cycle field, specify the number of
concurrent connections. Enter a value from 0 to 100. The default value is 0,
which means an unlimited number of connections based on available system
resources.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
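The rename and processing-seize logic from steps 8 through 13 above, as an added Python illustration that is not the appliance's own code: it applies the documented match and rename patterns, builds the uniqueness suffix, and evaluates the three seize conditions over constructed file names. The exact layout of the uniqueness suffix, the use of the poller phrase as the host name compared in condition 2, and treating a timeout of 0 as "never seize" are assumptions.

```python
"""File-poller rename and processing-seize walk-through (added illustration).

Python's re module stands in for the appliance's PCRE engine; the file names
and host names below are constructed, not taken from any real system.
"""
import re

# Patterns as written in the documentation (PCRE syntax, $n back references).
INPUT_MATCH_PATTERN = r"([0-9]{6})\.input$"
PROCESSING_RENAME_PATTERN = "$1.processing"
RESULT_RENAME_PATTERN = "$1.result"

# Assumed layout of the renamed file: filename.serial.domain.poller.timestamp.
# Phrase 1 = base name with the processing suffix, phrase 2 = host (the poller
# phrase is treated as the host name here, an assumption), phrase 3 = timestamp.
PROCESSING_SEIZE_PATTERN = r"^(.*\.processing)\.[0-9]+\.[^.]+\.([^.]+)\.([0-9]+)$"


def _to_python_repl(rename_pattern: str) -> str:
    """Translate PCRE-style $1 back references into Python's \\1 form."""
    return re.sub(r"\$(\d+)", r"\\\1", rename_pattern)


def rename_file(name: str, match_pattern: str, rename_pattern: str):
    """Return the renamed file name, or None when the match pattern fails.

    The rename pattern builds the whole new name from the back references
    captured by the match pattern, as in "$1.processing" or "../result/$1".
    """
    m = re.search(match_pattern, name)
    if m is None:
        return None
    return m.expand(_to_python_repl(rename_pattern))


def unique_processing_name(base: str, serial: str, domain: str,
                           poller: str, timestamp: int) -> str:
    """Append the uniqueness suffix added on rename (assumed layout)."""
    return f"{base}.{serial}.{domain}.{poller}.{timestamp}"


def should_seize(name: str, my_host: str, now: int, timeout_seconds: int,
                 seize_pattern: str = PROCESSING_SEIZE_PATTERN) -> bool:
    """Apply the three processing-seize conditions from step 13.

    1) the name matches the seize pattern (base name with processing suffix),
    2) the host phrase is not this system,
    3) the timestamp is older than the configured timeout.
    A timeout of 0 (the default) is treated as "never seize" (assumption).
    """
    if timeout_seconds <= 0:
        return False
    m = re.match(seize_pattern, name)
    if m is None:
        return False                          # condition 1 fails
    _base, host, stamp = m.groups()
    if host == my_host:
        return False                          # condition 2: our own file
    return now - int(stamp) > timeout_seconds  # condition 3: stale enough


def seize(name: str, my_host: str, now: int, serial: str, domain: str,
          seize_pattern: str = PROCESSING_SEIZE_PATTERN) -> str:
    """Rename a stale processing file to this host with a fresh timestamp."""
    m = re.match(seize_pattern, name)
    if m is None:
        raise ValueError(f"not a processing file: {name}")
    return unique_processing_name(m.group(1), serial, domain, my_host, now)


if __name__ == "__main__":
    # Constructed walk-through of one poll cycle on host A, then host B.
    picked = rename_file("000123.input", INPUT_MATCH_PATTERN,
                         PROCESSING_RENAME_PATTERN)
    on_server = unique_processing_name(picked, "0042", "default", "hostA",
                                       1700000000)
    print(on_server)   # 000123.processing.0042.default.hostA.1700000000
    # 900 s later host B polls with a 600 s seize timeout: host A's file is stale.
    print(should_seize(on_server, "hostB", now=1700000900, timeout_seconds=600))
    print(seize(on_server, "hostB", 1700000900, "0007", "default"))
```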
For example, consider a topic hierarchy split into the following topic spaces:
- library topics for document management
- sales topics for marketing and sales tracking
- engineering topics for engineering and technology
The topic volumes can appear in all three topic spaces and have a very different
meaning in each.
- If blank, all incoming client request messages are transferred by the handler
to the server object for processing.
- If specified, only those client requests that match the criteria specified by
the expression are forwarded to the server object for processing. All other
messages are dropped from the GET queue.
The conditional expression does not operate on the body of the message;
rather, it examines the required headers and properties (proprietary
user-created headers that can appear between the required headers and the
message body).
The following headers are required:
Destination
Contains the destination (queue) to which the message is being sent
DeliveryMode
Contains the delivery mode (PERSISTENT or NON_PERSISTENT)
Expiration
Contains a message TTL or a value of 0 indicating an unlimited TTL
Priority
Contains the message priority expressed as a digit from 0 (lowest
priority) to 9 (highest priority)
MessageID
Contains a unique message identifier starting with the ID: prefix or a
null value. A null value effectively disables the message ID
Timestamp
Contains the time the message was handed off for transmission, not
the time it was actually sent
CorrelationID
Contains a means of associating one message (for example, a
response) with another message (for example, the original request)
ReplyTo
Contains the destination (queue) to which a reply to this message
should be sent
Type
Redelivered
Contains a Boolean indicating that the message has been delivered in
the past, but not yet acknowledged
9. Select the TIBCO EMS server to associate from the TIBCO EMS Server list.
10. Select an SSL Proxy Profile to assign from the SSL Proxy Profile list.
11. Select an Access Control List to apply from the Access Control List list.
12. Click Apply to save the changes to the running configuration.
13. Optional: Click Save Config to save the changes to the startup configuration.
Matching rules
A matching rule determines whether candidate traffic is subject to an associated
processing rule in a processing policy. Matching rules support the implementation
of processing policies and XML manager-based schema validation rules. The
processing policy evaluates candidate documents against all expressions in the
matching rules. A document matches the rule only if it conforms to all expressions
in the rule; a document that fails any expression does not match the rule.
Matching rules come in the following flavors:
- An HTTP method matching rule matches on the HTTP method (PUT, DELETE,
GET, POST, or HEAD) of the HTTP request.
- An HTTP matching rule tests HTTP header content. Simple matching expressions
enable the identification of specific HTTP header fields and header field
contents. These expressions are similar to those that define a Compile Options
Policy or a URL Refresh Policy.
- A URL matching rule uses simple matching patterns to test incoming URLs.
- An XPath matching rule uses an XPath expression applied to the incoming
message to determine a match. If the expression evaluates to true, a match is
made. The XPath Tool is available to help construct this expression.
While HTTP, URL, and XPath matching rules determine whether incoming traffic is
subject to a processing rule, an error code rule provides custom, user-defined
error processing. Because error codes are written as hexadecimal integers, the
error code expression matches one or more hexadecimal integers.
Processing rules
A processing rule specifies the processing actions to apply to incoming documents.
A processing rule can be as simple as a single action that transforms an incoming
XML document using a style sheet. On the other hand, a processing rule can be as
complex as a sequence of actions that does the following:
- Uses several schema validations and style sheet filters to ensure that the
client-generated payload is not malicious.
- Transforms the document to remove elements that are not needed by the backend
server.
- Routes the transformed document to a dynamically determined server.
Processing rules are characterized by their direction.
Processing actions
Processing rules can contain the following actions. For details about defining the
listed actions within a processing rule, refer to Defining processing actions on
page 106.
AAA
Antivirus
An antivirus action invokes a named, reusable rule. This action sends
messages to a virus scanning server at a defined host/port or URI. This
action calls a style sheet that corresponds to the ICAP Host Type selected
to perform the scanning, sets the type of virus handling and error handling
to perform on the message after scanning, and sets the level of Virus
Scanner logs. Refer to Adding an antivirus action on page 106 for details.
Call processing
A call action invokes a named, reusable rule. After the action completes,
processing continues to the next action, if any. Refer to Adding a call
processing rule (call) action on page 108 for details.
Checkpoint event
A checkpoint action specifies an event to trigger the collection of
information for WS-Management agents and Service Level Monitors. This
action is available for Web Service Proxy services only. Refer to Adding a
checkpoint event (checkpoint) action on page 109 for details.
Conditional
A conditional action implements programmatic if-then-else processing. If an
XPath expression returns true when applied to the input context of the
action, a designated processing action runs. Any number of if-then clauses
can be configured. A final else clause that uses an empty XPath expression
() runs a designated action when no other XPath expression matches the
input. You can designate a call action. The call action provides the ability
to run a complete processing rule that contains one or more actions. You
can configure a conditional action to provide the same service as a
complete processing policy, which gives you the ability to conditionally
invoke different processing policies on input.
Convert query parameters to XML
A convert-http action converts non-XML CGI-encoded input (an HTTP
POST, an HTML form, or URI parameters) into an equivalent XML
message. This action in the active rule alerts the service to treat input as
non-XML CGI-encoded input. For a service to use this action, the request
type for that service must be set to XML. Refer to Adding a convert query
parameters to XML (convert-http) action on page 110 for details.
Crypto binary
A cryptobin action signs, verifies, encrypts, or decrypts binary data. This
action uses the syntax and methodologies that are described in RFC 2311,
S/MIME Version 2 Message Specification, dated March 1988, and RFC 2315,
PKCS #7: Cryptographic Message Syntax 1.5, dated March 1998. This action
requires that the appliance has the PKCS7-SMIME license. Refer to
Cryptographic binary (cryptobin) action on page 111 for details.
Decrypt
A decrypt action performs full or field-level document decryption. Refer to
Adding a decrypt action on page 119 for details.
Encrypt
An encrypt action performs complete or field-level document encryption
using either WS-Security or XML encryption standards. Refer to Adding
an encrypt action on page 121 for details.
Event-sink
An event-sink action causes processing to wait until designated
asynchronous actions complete. The outputs of these asynchronous actions
can then be safely used by subsequent actions that are contained in the
processing rule. This action is useful for the parallel processing of actions.
For example, the appliance can contact remote resources located on the
network, such as an authentication server or a Web server, in parallel. With
parallel processing, the processing time is reduced to the latency of the
slowest response. With serial processing, the appliance waits for each network
operation to complete and therefore incurs the latency of every network
operation. By including network-oriented actions in this action, their
results become available for subsequent processing.
Extract
An extract action applies an XPath expression to a specified context and
stores the result in another context. Refer to Adding an extract using
XPath (extract) action on page 135 for details.
Fetch
Filter
For-each
The for-each action implements a programmatic loop for each of the defined
actions. Each time an XPath expression returns true, a designated action
runs. The for-each can be used to apply a series of style sheets to input
data, if desired. Instead of using XPath expressions, the loop can be
processed a specific number of times. Each iteration of the loop stores its
Log
The log action sends the contents of the input context as a log message to
the identified location. The contents are sent with the log level and log
type that are specified. The response, if any, is stored in the output context,
if one is defined. Refer to Adding a log action on page 142 for details.
On error
An on-error action defines a named rule that enables user-defined error
handling when subsequent processing encounters errors. The on-error
action either stops processing or continues to the next processing step.
Optionally the action calls the named rule to handle the error condition.
Without an on-error action, the default error handling is to stop processing
and log a message.
A processing rule can contain one or more on-error actions. Each action
defines error handling for subsequent actions until another on-error action
is found. When another action is found, error-handling procedures are set
to the new on-error action. As such, this action enables conditional error
handling in a processing context.
Refer to Adding an on-error action on page 146 for details.
Note: A processing policy can contain on-error actions and an error rule.
When a processing policy contains both on-error actions and an
error rule, the on-error action overrides the error rule. An error rule,
if the processing policy contains one, is invoked when an error
occurs during processing. In this case, the error rule acts as an error
handler.
Results
A results action sends a message to a URL. A results action can optionally
specify a context in which to store the response. Refer to Adding a results
action on page 148 for details.
Results asynchronous
A results-async action asynchronously sends a message to a URL. This
action does not support sending a message to an output context. With this
action, processing continues without waiting for a response. Refer to
Adding a results asynchronous (results-async) action on page 149 for
details.
Rewrite header
A rewrite action rewrites HTTP headers or URLs using a URL rewrite
policy. Refer to Adding a rewrite header (rewrite) action on page 150 for
details.
Rewrite HTTP method
A rewrite-method action rewrites the HTTP method. Refer to Adding a
method rewrite action on page 150 for details.
Route with style sheet or XPath
A route-action action performs style sheet-based routing or XPath
expression-based routing. Refer to Adding a route with style sheet
(route-action) action on page 151 and Adding a route with XPath
expression (route-action) action on page 151, respectively, for details.
Contexts
A context can be described as a temporary variable that contains data used by a
processing action. The input context, the context specified for the Input field,
contains the data to be processed. The output context, the context specified for the
Output field, receives the data produced by the action.
- Some actions require both an input context and an output context.
- Some actions require an input context only.
- Some actions require an output context only.
- Some actions require neither an input context nor an output context.
The data for the contexts can be XML or non-XML. XML data is expressed in a tree
format. Non-XML data is binary. When the data is XML, the XML tree can include
lists of variables and attached documents.
The context can also be a variable. Refer to Adding a set variable (setvar) action
on page 152 for more information.
Context keywords
Processing rules recognize the following keywords and apply special context to
them:
INPUT
PIPE
The output of an action becomes the input to the next action. As such, any
action that uses the PIPE context as output must be followed by an action
that uses the PIPE context as input. The PIPE context is useful in certain
instances to reduce processing latency. The PIPE context is the correct
choice for streaming operations.
- For a Web Service Proxy service, select Services → Web Service Proxy → Edit
Web Service Proxy to display the configuration screen. Select the Policy tab.
Continue with step 4.
2. Click Add New Policy to display the processing policy configuration screen.
3. Specify the name of the processing policy in the Policy Name field.
4. In the Rules section, click New Rule to define a processing rule for this
Processing Policy. For Web Service Proxy services, click Add Rule. The Rule
Name field contains an auto-generated name.
5. Modify the name of the rule as appropriate.
6. Select the direction of the rule, or indicate that the rule is an error-handling
rule, from the Rule Direction list.
Both Directions
The rule applies to all traffic going through the service.
Error
Client to Server
The rule applies to client-generated requests that go through the
service. Client requests arrive at the front end addresses of the service.
Server to Client
The rule applies to server-generated responses that go through the
service. Server responses arrive at the backend addresses of the service.
7. Double-click the Match icon to display the Match Assignment window.
a. From the Matching Rule list, select a matching rule. Refer to Defining
Matching Rule objects on page 304 for more information.
b. Click Done to assign the matching rule to the processing rule.
8. Create the processing rule by dragging action icons to the configuration path.
9. After adding the last action to the processing rule, click Apply to add the
completed rule to the processing policy.
To add additional processing rules to the processing policy, repeat step 4 on page
105 through step 9.
All candidate documents are processed by the rule that conforms to the defined
direction and matching rule.
4. From the AAA Policy list, select an AAA policy. Refer to Creating AAA
policies on page 172 for complete information about creating an AAA policy.
5. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
6. Optional: In the Output field, enter or select the context for the data produced.
7. Click Done.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
2. Double-click the Advanced icon to display a window that lists the advanced
action types.
3. Click the Anti-Virus radio button.
4. Click Next to display the Configure Anti-Virus action window.
5. Specify or select the context for the data to be processed in the Input field.
6. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
7. Determine the type of antivirus scan with the Anti-Virus Scan Type radio
buttons.
- To scan the message body and attachments, click Scan Entire Message.
- To scan attachments only, click Scan All Attachments.
- To scan attachments only when the Content-Type header matches a PCRE:
a. Click Scan Attachments by Content Type.
b. Specify the PCRE in the Attachment Content-Type (PCRE) field.
- To scan attachments only when the URI matches a PCRE:
a. Click Scan Attachments by URI.
b. Specify the PCRE in the Attachment URI (PCRE) field.
- To scan only the contents of a message that matches an XPath expression:
a. Click Scan by XPath Expression.
b. Specify the XPath expression in the XPath field.
For assistance in creating the XPath expression, click XPath Tool. This
tool allows you to load an XML document and build the expression by
selecting the desired mode.
8. Determine which ICAP Host to use for the Virus Scanner server with the
ICAP Host Type radio button.
12. Determine the behavior of the Antivirus Policy with the AntiVirus Policy
radio buttons:
- To have the Antivirus Policy log but not reject messages or strip
attachments, click Log.
- To have the Antivirus Policy reject the message, click Reject.
- To have the Antivirus Policy strip offending attachments, click Strip.
13. Determine the behavior of the Antivirus Error Policy with the AntiVirus Error
Policy radio buttons:
- To have the Antivirus Error Policy log but not reject messages or strip
attachments, click Log.
- To have the Antivirus Error Policy reject the message, click Reject.
- To have the Antivirus Error Policy strip offending attachments, click Strip.
14. Use the Log Category list to assign a Log Category.
15. Specify or select the context for the data produced in the Output field.
16. Click Done to complete the action. The configuration path shows the
Antivirus icon.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
None
(Default) Use this value for all inputs other than Base64.
Base64
Use this value to characterize the data to be signed using Base64
encoding.
11. Select the output format to characterize the signed PKCS #7 object (the
SignedData produced by the signature process) from the Output Encoding Format
list.
12. Use the Binary Data toggle to indicate whether the input data is true binary.
This finer characterization enables or disables the canonicalization of line
endings in the input data.
on
Indicates that the input data is true binary and is not canonicalized.
off
Indicates that the input data is not true binary and can be
canonicalized. Use this setting if the input data is a raw-text string
that consists of meaningful 7-bit data units.
Note: When creating a detached S/MIME signature (where Output Encoding
Format is S/MIME and Include Content Data is off), setting Binary Data to
on can produce an unverifiable signature, since the data is not canonicalized
as expected for an S/MIME message. True binary data should be Base64 encoded
before signing with a detached S/MIME signature. Binary Data can be set to
off for Base64 encoded data.
13. Specify or select the context for the data produced in the Output field.
By default, this action uses the pkcs7-sign.xsl style sheet to sign documents. To use
another style sheet, use the Advanced panel to identify the style sheet and any
parameter that is required by that style sheet.
14. If the action is complete, click Done. The configuration path shows the Crypto
Binary icon.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Defining advanced settings: Use the Advanced screen to identify the style sheet
and define less commonly used settings.
1. Click the Advanced tab to display the Advanced screen.
2. Confirm the Input setting.
3. Confirm that the Action Type is cryptobin.
4. Confirm that the PKCS#7 Sign radio button is selected.
5. Confirm the Asynchronous setting.
6. Use the Processing Control File field or select the style sheet to perform
PKCS #7 signing.
- If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
- If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to obtain the file.
7. To define parameters for the style sheet, click Add Parameter (at the bottom
of the window).
a. In the Stylesheet Parameter Name field, specify the name of the
parameter.
b. In the Stylesheet Parameter Value field, specify the value for the
parameter.
c. Click Submit to return to the Advanced window, which now lists the
newly defined parameter.
Repeat this step to define each additional parameter.
8. Confirm the Signers setting.
9. Confirm the Include Content Data setting.
10. Confirm the Input Encoding Format setting.
11. Confirm the Output Encoding Format setting.
12. Confirm the Binary Data setting.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
7. To define parameters for the style sheet, click Add Parameter (at the bottom
of the window).
a. In the Stylesheet Parameter Name field, specify the name of the
parameter.
b. In the Stylesheet Parameter Value field, specify the value for the
parameter.
c. Click Submit to return to the Advanced window, which now lists the
newly defined parameter.
Repeat this step to define each additional parameter.
8. Confirm the Validation Credential setting.
9. Confirm the Input Encoding Format setting.
10. Confirm the Output Encoding setting.
11. If necessary, define the following settings:
Maximum Number of Signatures to Verify
By default, the action verifies a maximum of 10 signatures. This
limitation guards against a Denial of Service (DoS) attack launched by
a document that contains an exceedingly large number of signatures.
You can change the default to any integer between 1 and 25.
Additional Certificates to Check for Signers
Certificates of PKCS #7 signers are identified by the issuing CA's
distinguished name and by the issuer-specific serial number that is
contained in the PKCS #7 SignerInfo type. The standard does not
require that the certificate itself be included with the signed content.
You can use the Add and Delete buttons with the list to create a list of
certificates used to validate the certificates presented or referenced by
document signatories.
Allow Internal Signers Certificates
Certificates providing a chain of trust for signatories can optionally be
included in the PKCS #7 SignedData type; certificates need not be
included.
By default, the action uses included certificates in its efforts to verify
signatures, in addition to the certificates that are specified by the
Additional Certificates to Check for Signers property.
Setting Allow Internal Signers Certificates to off prohibits the action
from using included certificates, thus limiting its verification efforts to
the certificate set that is specified by Additional Certificates to Check
for Signers.
URL Location of Detached Data
Specifies the location of the detached data that was signed by the
PKCS #7 SignedData type. Used only when verifying a detached
signature where the encoding format of the input data is not S/MIME.
Detached Data Encoding Format
Specifies the encoding format of the detached data that was signed.
Base64 encoded binary
Specifies that the data is Base64 encoded
Binary
Specifies binary data
off
Indicates that the input data is not true binary and can be
canonicalized. Use this setting if the input data is a raw-text string
consisting of meaningful 7-bit data units.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Advanced settings: Use the Advanced screen to identify the style sheet and
define less commonly used settings.
1. Click the Advanced tab to display the Advanced screen.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
7. To define parameters for the style sheet, click Add Parameter (at the bottom
of the window).
a. In the Stylesheet Parameter Name field, specify the name of the
parameter.
b. In the Stylesheet Parameter Value field, specify the value for the
parameter.
c. Click Submit to return to the Advanced window, which now lists the
newly defined parameter.
Repeat this step to define each additional parameter.
8. Confirm the Input Encoding Format setting.
9. Confirm the Output Encoding Format setting.
10. Confirm the Recipients setting.
11. If necessary, define the following settings.
Remove text/plain Header
Removes a Content-Type:text/plain MIME header from the plaintext,
decrypted data. Used only when Input Encoding Format is S/MIME.
By default, the header (if present) is not removed.
Name of Context Variable Holding Output Metadata
Specifies the name of the context variable to which the output of this
operation (including error strings, if any) is written. The string
var://context/ is prepended to the specified name.
12. Click Done to complete the action. The configuration path shows the Crypto
Binary icon.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Advanced settings
Use the Advanced screen to identify the style sheet and define less commonly used
settings.
1. Click the Advanced tab to display the Advanced screen.
2. Use the Processing Control File field to specify or select the style sheet
used by this decrypt action.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to obtain the file.
3. Use the Optimize Element Description toggle to enable or disable optimization
of the decrypted data.
According to the encryption specifications, decrypting element-encrypted data
(instead of content-encrypted) should result in valid XML. The decrypted data
should contain all of the required namespace prefix bindings that are needed to
parse the resulting XML data.
on
Enables optimization. If you know that the source of the encrypted data
follows this specification, use this setting. Enabling optimization might
improve performance. Decryption does not require extra
canonicalization.
a. In the Stylesheet Parameter Name field, specify the name of the parameter.
b. In the Stylesheet Parameter Value field, specify the value for the parameter.
c. Click Submit to return to the Advanced window, which now lists the newly
defined parameter.
Repeat this step to define each additional parameter.
v To use the same key, change the setting of the One Ephemeral Key
property to on.
v To not use the same key, retain the setting of the One Ephemeral Key
property.
When enabled, a single ephemeral key encrypts every selected element, and the
one corresponding EncryptedKey element carries a DataReference URI for each
EncryptedData element. Using one ephemeral key provides better performance.
10. Optionally select a Crypto Certificate from the Recipient Certificate list.
The selected certificate overrides any setting that is established for the service.
For example, this certificate can override the XML Firewall Credentials setting
by referencing a certificate that is not in those credentials.
Additional certificate and encryption settings are available on the Advanced tab.
11. Optionally click the Advanced tab to configure advanced properties.
a. Confirm the Input property.
b. Confirm the Action Type property.
c. Confirm the Envelope Method property.
d. Confirm the Message Type property.
e. Specify or select the name and location of the encryption style sheet in the
Processing Control File field. The default is the encrypt-wssec.xsl file in
the store: directory.
f. Select how to interpret the response from the server from the Output Type
list.
v Binary
v Default
v XML
The default is Default.
g. Confirm the Asynchronous property.
h. Confirm the Message and Attachment Handling property.
i. Confirm the Use Dynamically Configured Recipient Certificate property.
j. Confirm the One Ephemeral Key property.
k. Confirm the Recipient Certificate property.
l. Select the algorithm to use for encryption from the Encryption algorithm
list. The default is 3DES-CBC. 3DES has a 64-bit block size and is a legacy
algorithm; prefer an AES algorithm from the list whenever the recipient can
decrypt it.
m. Type the identifier for the SOAP 1.1 actor or SOAP 1.2 role in processing a
WS-Security security header in the SOAP Actor/Role Identifier field. This
identifier is effective only when a SOAP message is being used for
WS-Security 1.0 or 1.1. Use one of the following well-known values:
http://schemas.xmlsoap.org/soap/actor/next
Everyone, including the intermediary and ultimate receiver, receives
the message and should be able to process the security header.
http://www.w3.org/2003/05/soap-envelope/role/none
No one should process the security header.
http://www.w3.org/2003/05/soap-envelope/role/next
Everyone, including the intermediary and ultimate receiver, receives
the message and should be able to process the security header.
http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver
(Default) The ultimate receiver can process the security header.
Use Key Derivation without a SCT, and issue an Encrypted Key for
the DKT
1) Select the version of WS-SecureConversation to use from the
WS-SecureConversation Version list.
v 1.1
v 1.2 (Default)
v 1.3
2) Specify where in the byte stream of a lengthy generated key
sequence the derived key starts in the Offset of the
Derived Key in the key sequence field. The default is 0.
This field is mutually exclusive with the Generation of the
Derived Key in the Key Sequence field.
3) If you removed the offset setting, specify which generation
of the key to use in the Generation of the Derived Key in
the Key Sequence field. The generation is the index of a
fixed-length block in the key sequence: generation n selects the
bytes that start at offset n times the derived key length.
4) Specify the label of the derived key in the Label of the
Derived Key field.
No WS-SecureConversation Key Derivation
Does not derive a key.
Use Key Derivation if a SCT Token is Available
Checks for an existing wsc:SecurityContextToken and derives a
key from it. Otherwise, uses the generated asymmetric key
without key derivation.
1) Specify where in the byte stream of a lengthy generated key
sequence the derived key starts in the Offset of the
Derived Key in the key sequence field. The default is 0.
This field is mutually exclusive with the Generation of the
Derived Key in the Key Sequence field.
2) If you removed the offset setting, specify which generation
of the key to use in the Generation of the Derived Key in
the Key Sequence field. The generation is the index of a
fixed-length block in the key sequence: generation n selects the
bytes that start at offset n times the derived key length.
3) Specify the label of the derived key in the Label of the
Derived Key field.
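The derivation that the Offset, Generation and Label fields control, worked through in Python as an added example (this is not code from the guide or from DataPower): WS-SecureConversation stretches the context secret with the TLS 1.0 P_SHA1 function over label + nonce and takes a slice of the resulting key sequence. The sample secret and nonce are constructed here, and the P_SHA1 choice, the default label and the 32-byte default length follow the WS-SecureConversation specification rather than anything the page itself states.

```python
import hashlib
import hmac

# Default label and derived-key length defined by WS-SecureConversation for
# wsc:DerivedKeyToken (assumption of this example, not stated on the page).
DEFAULT_LABEL = b"WS-SecureConversation"
DEFAULT_LENGTH = 32

# Constructed sample values standing in for a SecurityContextToken secret and
# the wsc:Nonce carried in the DerivedKeyToken.
SAMPLE_SECRET = bytes(range(32))
SAMPLE_NONCE = b"constructed-nonce-value"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246 section 5), the function that
    WS-SecureConversation uses to stretch a secret into a key sequence:
    A(0) = seed; A(i) = HMAC_SHA1(secret, A(i-1));
    output = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    """
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return bytes(out[:length])


def derive_key(secret, nonce, *, length=DEFAULT_LENGTH, offset=None,
               generation=None, label=DEFAULT_LABEL):
    """Return the derived key addressed either by an offset (wsc:Offset) or by a
    generation (wsc:Generation) within P_SHA1(secret, label + nonce).
    The two selectors are mutually exclusive, as the two fields are in the
    action; generation g is the same as offset g * length."""
    if (offset is None) == (generation is None):
        raise ValueError("specify exactly one of offset or generation")
    if generation is not None:
        if generation < 0:
            raise ValueError("generation must be >= 0")
        offset = generation * length
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    # P_SHA1 output is prefix-stable, so generating only offset + length bytes
    # yields the same slice a longer sequence would.
    sequence = p_sha1(secret, label + nonce, offset + length)
    return sequence[offset:offset + length]


def demo():
    """Offset and generation address the same bytes; the label changes the
    result, so both parties must agree on it or verification fails."""
    by_offset = derive_key(SAMPLE_SECRET, SAMPLE_NONCE, length=16, offset=32)
    by_generation = derive_key(SAMPLE_SECRET, SAMPLE_NONCE, length=16, generation=2)
    other_label = derive_key(SAMPLE_SECRET, SAMPLE_NONCE, length=16,
                             generation=2, label=b"other-label")
    return {
        "same_bytes": by_offset == by_generation,
        "label_matters": by_offset != other_label,
        "key_hex": by_offset.hex(),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence of the offset/generation equivalence is that a mismatch in any one of label, nonce, length or offset produces a different key and therefore a verification or decryption failure on the other side, with no indication of which field differed.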
12. If you configured advanced properties, click the Basic tab.
13. Specify or select the context for the data produced in the Output field.
14. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
v Default
v XML
The default is Default.
g. Confirm the Asynchronous property.
h. Select the algorithm to use for encryption from the Encryption algorithm
list. The default is 3DES-CBC. 3DES has a 64-bit block size and is a legacy
algorithm; prefer an AES algorithm from the list whenever the recipient can
decrypt it.
i. Select how to encrypt from the Encryption Type list.
Content
(Default) Encrypts the contents of an XML element but not the
element itself.
Element
Encrypts an XML element and its contents.
Filter actions
A processing policy provides the following filter implementations:
Standard filter
Creates a filter that checks the document for user-defined elements. A
standard filter uses the specified style sheet to accept or reject the
submitted document. You can use the filter-accept-all.xsl or
filter-reject-all.xsl style sheets in the store: directory.
Replay filter
Creates a filter that checks the document for replay attacks. A replay filter
uses the replay-filter.xsl style sheet in the store: directory to cache a
selected value from submitted documents. When that value occurs in any
subsequent requests, the request is rejected.
Required elements filter
Creates a filter that checks the document for the presence of required
elements in the SOAP header. A required elements filter uses the
required-elements-filter.xsl style sheet in the store: directory.
Message layout filter
Creates a filter that checks the document for WS-Security message layout.
A message layout filter uses the wssecurity-message-layout-filter.xsl style
sheet in the store: directory.
Conformance filter
Creates a filter that checks the document for conformance against the
defined Conformance Policy. A conformance filter uses the
conformance-filter.xsl style sheet in the store: directory.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
You can click Upload or Fetch to retrieve the file.
5. Click WSDL Tool to invoke the WSDL Tool wizard. This wizard reads a
specified WSDL file and creates the necessary style sheet to filter on particular
operations. The files are stored in the local: directory.
6. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
7. Specify or select the context for the data produced in the Output field.
8. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
v Custom XPath
Specify, in milliseconds, the duration to use the extracted value in the Replay
duration field. Use an integer greater than 0.
If the filter type is Custom XPath, specify the XPath expression in the Custom
XPath Expression field.
For assistance in creating the XPath expression, click XPath Tool. This tool
allows you to load an XML document and build the expression by selecting
the desired mode.
11. Specify or select the context for the data produced in the Output field.
12. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
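How a replay filter of this kind behaves over time, as an added Python example that is not the replay-filter.xsl style sheet or any DataPower code: it extracts a value from constructed SOAP requests, caches it for the replay duration, and rejects any repeat until the cached entry expires. The choice of wsa:MessageID as the cached value, the namespace URIs and the sample messages are assumptions of this example; the filter on the appliance caches whichever value the selected filter type or Custom XPath extracts.

```python
import time
import xml.etree.ElementTree as ET

# Namespaces used by the constructed sample messages (assumed for the example).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"


def extract_message_id(soap_xml: str):
    """Return the text of the first wsa:MessageID in the SOAP header, or None.
    This stands in for the XPath the replay filter evaluates on each request."""
    root = ET.fromstring(soap_xml)
    node = root.find(f"{{{SOAP}}}Header/{{{WSA}}}MessageID")
    return node.text.strip() if node is not None and node.text else None


class ReplayFilter:
    """Cache of recently seen values, each kept for replay_ms milliseconds.

    accept() returns True the first time a value is seen within the replay
    duration and False for every repeat until the entry expires. A request
    from which no value can be extracted is rejected: it cannot be checked,
    and accepting it would let a sender bypass the filter by omitting the
    field it keys on.
    """

    def __init__(self, replay_ms: int, clock=time.monotonic):
        if replay_ms <= 0:
            raise ValueError("replay duration must be greater than 0 ms")
        self.replay_s = replay_ms / 1000.0
        self.clock = clock
        self._seen = {}  # value -> expiry time in seconds on the clock

    def _purge(self, now):
        for value in [v for v, exp in self._seen.items() if exp <= now]:
            del self._seen[value]

    def accept(self, value) -> bool:
        if value is None:
            return False
        now = self.clock()
        self._purge(now)
        if value in self._seen:
            return False
        self._seen[value] = now + self.replay_s
        return True

    def accept_message(self, soap_xml: str) -> bool:
        return self.accept(extract_message_id(soap_xml))


def sample_request(message_id: str) -> str:
    """Constructed SOAP request carrying the given wsa:MessageID."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}">'
        f"<s:Header><wsa:MessageID>{message_id}</wsa:MessageID></s:Header>"
        "<s:Body><op/></s:Body></s:Envelope>"
    )


def demo():
    """Drive the filter with a fake clock so the expiry path is exercised."""
    fake_now = [0.0]
    f = ReplayFilter(replay_ms=5000, clock=lambda: fake_now[0])
    first = f.accept_message(sample_request("urn:uuid:1"))
    replay = f.accept_message(sample_request("urn:uuid:1"))
    fake_now[0] = 6.0  # advance past the 5 s replay duration
    after_expiry = f.accept_message(sample_request("urn:uuid:1"))
    return first, replay, after_expiry


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Two things the code makes visible that the steps do not: the cache is only as good as the uniqueness of the extracted value (a timestamp alone collides across legitimate senders; a signed nonce or message ID does not), and the replay duration must be at least as long as the window in which a captured message is still otherwise acceptable, for example the timestamp freshness the verify action enforces.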
For assistance in creating the XPath expression, click XPath Tool. This tool
allows you to load an XML document and build the expression by selecting
the desired mode.
9. Specify or select the context for the data produced in the Output field.
10. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
9. Specify or select the context for the data produced in the Output field.
10. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
1. Drag the Filter icon to the configuration path (the horizontal line).
2. Double-click the Filter icon to display the Filter action window.
3. Specify or select the context for the data to be processed in the Input field.
4. Specify or select the store:///conformance-filter.xsl style sheet with the
Processing Control File fields.
5. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
6. Select the conformance policy from the Conformance Policy list. Refer to
Conformance Policy on page 281 for details.
7. Specify or select the context for the data produced in the Output field.
8. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
7. Select the desired method of iteration from the Iterator Type list.
Count Runs the Loop Action on the entire message in the input context for
the number of times set in the Iterator Count field. The screen
refreshes to display the Iterator Count field. Use an integer in the
range of 1 through 32768.
XPath Expression
Runs the Loop Action once for each node in the node set that is returned
by the XPath expression in the XPath Expression field. The screen
refreshes to display the XPath Expression field.
If the XPath expression is /*[namespace-uri()='http://joe.com' and
local-name()='Order']/*[namespace-uri()='http://joe.com' and
local-name()='Item'], the loop runs three times for the following input.
The namespace URI in the expression must match the one declared in the
document (here http://joe.com); otherwise the expression selects nothing
and the loop does not run.
<joe:Order xmlns:joe="http://joe.com">
<joe:Item>
<joe:Qty>5</joe:Qty>
<joe:ProdID>32145-12</joe:ProdID>
</joe:Item>
<joe:Item>
<joe:Qty>10</joe:Qty>
<joe:ProdID>78-697-24</joe:ProdID>
</joe:Item>
<joe:Item>
<joe:Qty>10</joe:Qty>
<joe:ProdID>091356-3</joe:ProdID>
</joe:Item>
</joe:Order>
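The node selection above, reproduced in Python with the standard library as an added example (not code from the guide or the appliance): it yields the same three-node result and shows the failure mode a practitioner should watch for. If the namespace URI in the expression does not match the document, the expression matches nothing and the loop runs zero times without any error, so a per-item check placed inside the loop never executes. The document and the two namespace URIs are the ones on the page; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# The input document from the text; its namespace matches the XPath expression.
SAMPLE_ORDER = """<joe:Order xmlns:joe="http://joe.com">
  <joe:Item><joe:Qty>5</joe:Qty><joe:ProdID>32145-12</joe:ProdID></joe:Item>
  <joe:Item><joe:Qty>10</joe:Qty><joe:ProdID>78-697-24</joe:ProdID></joe:Item>
  <joe:Item><joe:Qty>10</joe:Qty><joe:ProdID>091356-3</joe:ProdID></joe:Item>
</joe:Order>"""


def select_items(xml_text, ns):
    """Node set equivalent to
    /*[namespace-uri()=ns and local-name()='Order']/*[namespace-uri()=ns and local-name()='Item']
    ElementTree exposes qualified names as {uri}local, so comparing the tag
    against "{ns}Order" is the same test the two XPath predicates make."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ns}}}Order":
        return []
    return root.findall(f"{{{ns}}}Item")


def loop_iterations(xml_text, ns):
    """One tuple per loop iteration: the (Qty, ProdID) pair the action would
    find in its input context for that Item node."""
    rows = []
    for item in select_items(xml_text, ns):
        qty = int(item.findtext(f"{{{ns}}}Qty", default="0"))
        rows.append((qty, item.findtext(f"{{{ns}}}ProdID")))
    return rows


def iteration_count(xml_text, ns):
    """Number of times the loop runs for this document and namespace; the
    same number var://service/multistep/loop-count reports during the loop."""
    return len(select_items(xml_text, ns))


if __name__ == "__main__":
    print(iteration_count(SAMPLE_ORDER, "http://joe.com"))                   # 3
    print(iteration_count(SAMPLE_ORDER, "http://schemas.joes.com/schemas"))  # 0
```

When a loop is used to apply a filter or validation to each item, test it with a document whose namespace is deliberately wrong as well as with a correct one: a zero-iteration loop looks identical to a successful one unless the rule also checks that the count is what it expected.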
Attempt All
Sends the results in the input context to all potential destinations
and succeeds even if all of the remote servers fail.
First Available
(Default) Sends the results in the input context to each of the
potential destinations one at a time and stops with success after
sending the input to at least one of the remote servers.
Require All
Sends the results in the input context to all potential destinations
and fails if any of the remote servers fails.
b. Use the Use Multiple Outputs toggle to determine whether to write
parallel outputs into separate contexts.
on
off
(Default) The output context contains the result of the last iteration
only, not the aggregated results of each iteration.
10. Specify or select the context for the data produced in the Output field. The
value cannot be PIPE.
11. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
var://service/multistep/loop-count
This variable returns the number of times the loop has iterated.
MQ header action
The MQ Header action can perform the following header and queue modifications:
Modify MQMD Request Message Headers
Selectively overrides specified header values in a request message, or drops
all header values from the request message and replaces them with new or
auto-generated values.
Retrieve Responses using Message Id or Correlation Id
Modify how the service retrieves response messages from a backend reply
queue by specifying a message ID or Correlation ID. By default, the service
looks in the backend reply queue for response messages that have a
Correlation Id that matches the Message Id of the request message.
Modify MQMD Response Message Headers
Selectively overrides specified header values in a response message, or
drops all header values from the response message and replaces them with
new or auto-generated values.
(Default) Ignores all MQMD header values from the original request
message. The new header values are inserted into the request
message. If blank, the service populates those fields with
auto-generated defaults.
10. Specify an override value for any of the following MQMD header fields:
v Message Id
v Correlation Id
v Character Set Id
v Format Name
v ReplyToQ
v ReplyToQMgr
11. Select an Output context or specify a new context name. Select auto to allow
the processing policy to determine the output context automatically.
12. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
v Character Set Id
v Format Name
v ReplyToQ
v ReplyToQMgr
11. Select an output context or specify a new context name. Select auto to allow
the processing policy to determine the output context automatically.
12. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Continue
Continue with the next sequential processing action.
6. Optionally use the Processing Rule controls to select the target rule. The
target rule is the rule that this action calls. For information about creating
reusable processing rules, refer to Defining reusable rules on page 165.
To define a target rule, do one of the following:
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Results actions
A processing policy provides two actions that can send results in the input context
to remote servers:
results
Optionally sends results to one or more remote servers and, when
processing in synchronous mode, waits for a response from the remote
servers. When configured to process in asynchronous mode, the results
action is equivalent to the results-async action. However with the results
action, you can include an event-sink action in the processing rule to wait
for the response from the remote servers. Refer to Adding a results
action on page 148 for configuration details.
results-async
Sends results to one or more remote servers and does not wait for a
response from the remote servers. Refer to Adding a results asynchronous
(results-async) action on page 149 for configuration details.
Both of the results-type actions offer the following options:
v The ability to send results to multiple destinations. For the results action, the
specification of a destination is optional. For a results-async action, the
specification of a destination is required.
v The ability to control the number of connection retries.
Because a results-async action does not support an output context, the results
action provides the following options that are not available for a results-async
action. These options are meaningful only when processing in synchronous mode
or when processing in asynchronous mode and the processing rule contains a
subsequent event-sink action.
v The ability to create multiple output contexts.
v The ability to control the aggregation of multiple output contexts.
v The ability to control the interpretation of the server response, if any.
off
(Default) The output context contains the result of the last iteration
only, not the aggregated results of each iteration.
10. Optionally enter or select the context for the data produced in the Output
field.
Leave blank if no response is expected or if the response can be ignored. A
value is required when the Use Multiple Outputs toggle is set to on.
11. For HTTP protocols: From the Method list, select the HTTP method type.
12. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Require All
Sends the results in the input context to all potential destinations and
fails if any of the remote servers fails.
8. Enter an integer in the Number of Retries field to set the number of times the
service retries a failed connection to the destination. The default is 0.
9. Enter an integer in the Retry Interval field to set the number of milliseconds
the service waits before retrying a connection. The default is 1000.
10. For HTTP protocols: From the Method list, select the HTTP method type.
11. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Route-type actions
A processing policy provides three routing implementations using two actions to
select the destination:
Stylesheets
Uses the route-action action to implement style sheet-based routing. Refer
to Adding a route with style sheet (route-action) action for details.
XPath expressions
Uses the route-action action to implement XPath expression-based routing.
Refer to Adding a route with XPath expression (route-action) action for
details.
Variables
Uses the route-set action to implement variable-based routing. Refer to
Route with variables (route-set) action on page 152 for details.
3. Specify or select the context for the data to be processed in the Input field.
4. For the Selection Method radio buttons, select Use XPath to Select
Destination. The window refreshes.
5. From the XPath Routing Map list, select the map that contains the routing
information.
6. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
7. Optionally specify or select the context for the data produced in the Output
field.
8. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Static
(Default) Indicates that the SQL statement is contained in the SQL Text
field.
Stylesheet
Indicates that the SQL statement is derived by executing the style
sheet identified in the Processing Control File field against the
Input context.
Variable
Indicates that the SQL statement is contained in the variable specified
by the Variable Name field.
10. If the SQL Input Method is Static, use the SQL Text field to provide an SQL
statement. This setting indicates that the SQL statement that is used by the
action is provided by this property.
11. If the SQL Input Method is Stylesheet, use either the Processing Control File
dialog or the Variable Name field to identify a style sheet. This setting
indicates that the SQL statement that is used by the action is constructed by
executing the specified style sheet against the contents of the Input context.
12. If the SQL Input Method is Variable, use the Variable Name field to identify
the variable. This setting indicates that the SQL statement that is used by the
action is the contents of the specified variable.
With the Stylesheet and Variable methods the statement text is built at run
time. Any message content that the style sheet or an earlier action copies
into it becomes part of the SQL that the database executes, so validate or
escape such content rather than concatenating it into the statement.
13. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
14. Optionally specify or select the context for the data produced in the Output
field.
15. Click Done to complete the action. The configuration path shows the SQL
icon.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Transform-type actions
A processing policy provides the following transform implementations:
Transform for XML messages
Uses the xform action to transform XML documents. The action identifies
the XSLT style sheet to use to perform the transform.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
10. Click Done to complete the action. The configuration path shows the
Transform Binary icon.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
1. Drag the Transform icon to the configuration path (the horizontal line).
2. Double-click the Transform icon to display the Transform action window.
3. Specify or select the context for the data to be processed in the Input field.
4. In the Processing Control File field, specify or select the style sheet to use.
v If the style sheet is not stored on the appliance, specify its location or a
variable that expands to a URL. If a variable, use the var://context/name
form.
v If the style sheet is in the store: or local: directory, select the style sheet.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
11. Select the disposition table from the SOAP Header Disposition Table list.
This table contains a list of instructions that controls how to handle SOAP
headers, child elements, or both SOAP headers and child elements. Refer to
SOAP Header Disposition Table on page 314 for information.
12. Specify or select the context for the data produced in the Output field.
13. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
4. Retain the default (Use XSLT specified in this action) from the Use
Document Processing Instructions radio buttons.
5. In the Processing Control File field, specify or select the store:///
conformance-xform.xsl style sheet.
6. Optionally select the rewrite policy to rewrite the style sheet URL that is
extracted from the incoming document from the URL Rewrite Policy list.
Refer to URL Rewrite Policy on page 335 for more information.
7. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
8. Select the conformance policy from the Conformance Policy list. Refer to
Conformance Policy on page 281 for details.
9. Specify or select the context for the data produced in the Output field.
10. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Body or Detail
Apply the schema against the contents of the detail element for SOAP
faults, and the contents of the Body otherwise.
Ignore Faults
If the document is a SOAP fault, pass it through without further
validation; otherwise, validate the contents of the SOAP Body.
This setting does not affect validating the INPUT context to ensure that it is a
valid document. If you are validating an intermediate context, such as the
result of an XSLT transform or an externally retrieved document, this content
is not implicitly validated as SOAP. You might want to select Envelope to
validate the entire document.
10. Set Asynchronous to on to process the action asynchronously. For
asynchronous processing, this action does not need to complete before the
processing rule begins processing its next defined action.
11. Specify or select the context for the data produced in the Output field.
12. Click Done to complete the action.
Chapter 5. Processing policies
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
Verify actions
A verify action validates digital signatures in messages. The basic configuration
requires the selection of the type or types of signatures to verify. The verify action
can validate RSA/DSA (asymmetric) signatures, HMAC (symmetric) signatures, or
both types of signatures. If a message contains signatures that are signed by
RSA/DSA and HMAC algorithms, the verify action can validate one type of
signing algorithm and ignore the other. If set to a single signature type and the
signing method is different, verification fails.
During processing, the verify action can retrieve the key information from the
WS-Security token or from the signature information.
v RSA/DSA verification uses public keys (certificates).
v HMAC verification uses shared secret keys.
Kerberos signature verification: You must define the verifier principal and the
keytab that contains the shared secret key. Optionally, you can define the
signer principal to validate that this principal signed the message. These
settings are available on the Advanced tab.
By default, the verify action checks the expiration of the WS-Security timestamp.
You can modify this behavior and other timestamp checks on the Advanced tab.
v Optional: SAML remote tokens (WS-Security 1.1) processing for both HMAC
and RSA/DSA verification
v Optional: Caching of extracted session key from the verified message.
Cached key is for future cryptographic operations that use
EncryptedKeySHA1.
v Optional: Processing of security header based on SOAP actor/role
9. Click Done to complete the action.
If this is the last action to add to the rule, click Apply Policy to add the completed
rule to the processing policy. Otherwise, drag another action icon to the
configuration path.
WebGUI label    Field          Optional or Required    Number of servers
fetch           Source         Required                Only one
for-each        Source         Required                One or more
log             Destination    Required                One or more
results         Destination    Optional                One or more
results-async   Destination    Required                One or more
route-set       Destination    Required                Only one
Predefined variable
Use a predefined variable in the var://context/name form that expands to
a URL (Source or Destination field) or to multiple URLs (Destination field
only).
For a single URL
Use the setvar action to define the var://context/remote1 variable
with a value of http://server1.domain.com:2222. Then, specify
var://context/remote1 in the Source or Destination field.
For multiple URLs
Use the setvar action to define the var://context/results/remote-multi
variable with the following value:
<results mode="require-all" multiple-outputs="true">
<url input="context1">http://127.0.0.1:22223</url>
<url input="context2">http://127.0.0.1:22224</url>
<url input="context3">http://127.0.0.1:22225</url>
<url input="context4">http://127.0.0.1:22226</url>
</results>
<url input="context4">http://127.0.0.1:22226</url>
</results>
</xsl:variable>
<dp:set-variable name="'var://context/results/remoteMany'" value="$URLs"/>
Attachment protocol
The fetch, results, and results-async actions support the attachment protocol.
This protocol identifies a SOAP attachment and has the following format:
attachment://context/cid:content_id[?query_param_1[&query_param_2]]
Compress=gzip
Archive=tar or Archive=zip
Filename=file_name
Parsable=true
Manifest=true
The following code excerpt shows a configuration that uses the attachment and
cid protocols:
rule swa-zip-003
# fetch base64 encoded zip file into archive-base64
fetch
cid:contract123.zip
archive-base64
strip-attachments INPUT
# add archive-base64 as a new attachment to input and decode
results
archive-base64
attachment://INPUT/cid:archive-zip?Decode=base64
# fetch binary file into context x
fetch
http://zoostation/clitest-importpackage.zip
new-file-to-add
# add file to archive
results
new-file-to-add
attachment://INPUT/cid:archive-zip?Archive=zip&Filename=testfile
Chapter 5. Processing policies
The context value for the input argument cannot be INPUT, OUTPUT, or PIPE.
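The two formats above, the attachment:// URL and the <results> document that a predefined variable holds for multiple URLs, parsed and validated in Python as an added example (not code from the IBM guide). The Decode parameter is taken from the swa-zip-003 excerpt, and applying the INPUT/OUTPUT/PIPE restriction to the input attribute of each url element is an assumption.

```python
"""Added example (not from the IBM guide): parsers for two DataPower
formats, the attachment:// protocol URL and the <results> document used
for multiple-URL output from a results action."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl

# Query parameters the guide lists for attachment://, with the values it
# documents. None means any non-empty string is accepted. Decode=base64 is
# taken from the swa-zip-003 excerpt; limiting it to base64 is an assumption.
ALLOWED_PARAMS: Dict[str, Optional[Set[str]]] = {
    "Compress": {"gzip"},
    "Archive": {"tar", "zip"},
    "Filename": None,
    "Parsable": {"true"},
    "Manifest": {"true"},
    "Decode": {"base64"},
}

# Contexts the guide says the input argument must not name. Applying this
# rule to the input attribute of <url> is an assumption.
RESERVED_INPUT_CONTEXTS = {"INPUT", "OUTPUT", "PIPE"}


class FormatError(ValueError):
    """Raised when a URL or document does not match the documented format."""


@dataclass
class AttachmentRef:
    context: str            # context holding the SOAP message, e.g. INPUT
    content_id: str         # cid of the attachment, without the cid: prefix
    params: Dict[str, str] = field(default_factory=dict)


def parse_attachment_url(url: str) -> AttachmentRef:
    """Parse attachment://context/cid:content_id[?p1[&p2]] and validate it."""
    scheme = "attachment://"
    if not url.startswith(scheme):
        raise FormatError(f"not an attachment URL: {url!r}")
    path, _, query = url[len(scheme):].partition("?")
    context, slash, cid_part = path.partition("/")
    if not context or not slash or not cid_part.startswith("cid:"):
        raise FormatError(f"expected context/cid:content_id in {url!r}")
    content_id = cid_part[len("cid:"):]
    if not content_id:
        raise FormatError(f"empty content id in {url!r}")
    params: Dict[str, str] = {}
    if query:
        try:
            pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
        except ValueError as exc:  # e.g. a field without '='
            raise FormatError(f"malformed query in {url!r}: {exc}") from exc
        for key, value in pairs:
            if key in params:
                raise FormatError(f"duplicate parameter {key} in {url!r}")
            if key not in ALLOWED_PARAMS:
                raise FormatError(f"unknown parameter {key} in {url!r}")
            allowed = ALLOWED_PARAMS[key]
            if allowed is None and not value:
                raise FormatError(f"{key} requires a value in {url!r}")
            if allowed is not None and value not in allowed:
                raise FormatError(f"{key}={value!r} is not one of {sorted(allowed)}")
            params[key] = value
    return AttachmentRef(context, content_id, params)


def parse_results_variable(xml_text: str) -> List[Tuple[str, str]]:
    """Parse a <results> document for a multiple-URL results action and
    return (input_context, url) pairs in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "results":
        raise FormatError(f"root element must be <results>, got <{root.tag}>")
    pairs: List[Tuple[str, str]] = []
    for elem in root.findall("url"):
        ctx = elem.get("input")
        target = (elem.text or "").strip()
        if not ctx:
            raise FormatError("<url> is missing the input attribute")
        if ctx in RESERVED_INPUT_CONTEXTS:
            raise FormatError(f"input context {ctx} is reserved")
        if not target:
            raise FormatError(f"<url input={ctx!r}> has no URL")
        pairs.append((ctx, target))
    if not pairs:
        raise FormatError("<results> contains no <url> elements")
    return pairs


# Constructed sample inputs, following the formats shown in the guide.
SAMPLE_ATTACHMENT_URL = "attachment://INPUT/cid:archive-zip?Archive=zip&Filename=testfile"
SAMPLE_RESULTS_XML = """<results mode="require-all" multiple-outputs="true">
<url input="context1">http://127.0.0.1:22223</url>
<url input="context2">http://127.0.0.1:22224</url>
</results>"""

if __name__ == "__main__":
    print(parse_attachment_url(SAMPLE_ATTACHMENT_URL))
    print(parse_results_variable(SAMPLE_RESULTS_XML))
```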
For the setvar action, you can create a custom context variable or select an existing
service, extension, or system variable. The created or selected variable must be a
write-only or read-write variable. After clicking Var Builder, the area shown in
Figure 7 is visible.
Figure 7. Variable builder for custom context, service, extension, and system variables
After defining a custom context variable, click Use Custom. The variable builder
closes, and the field contains the defined variable.
[Figure: AAA policy processing flow. Stages shown: Extract Resource, Authenticate (Allow | Deny), Map Credentials, Map Resource, Authorize (Allow | Deny), Post Processing, Output Message or Generate Error.]
After extracting the service requester identity and resource, the policy authenticates
the claimed identity. Authentication is most commonly accomplished via an
external service (for example, a RADIUS or LDAP server), but other custom
processing methods, such as site-specific XML- or XPath-based solutions, are
readily supported. During policy definition, you select a single authentication
method from a menu of supported methods, and (depending upon the selected
method) provide a few items of additional required information, such as a server
address or the URL of a custom processing resource.
<wsse:Password>Flintstone</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</S11:Header>
WS-SecureConversation Identifier
The claimed identity of the requester is extracted from a
WS-SecureConversation Identifier. A client that has established a
security context could provide credentials in addition to the security
context identifier to help with authentication; if present, the <wst:Base>
SAML Artifact
The AAA policy captures a SAML artifact, which is then used during
the Authenticate step to provide an authenticated identity. An artifact
might appear in the URL used by the client.
https://server.domain.com/service?SAMLART=h48ck4klje
Client IP Address
The IP address of the client is used for authentication.
Subject DN from Certificate in the Message's Signature
The claimed identity of the requester is extracted from a certificate used
to validate a digitally signed message. The AAA policy verifies the
validity of the signature. If the signature is valid, the policy uses the
Subject DN that is extracted from the certificate associated with the
signature as the claimed identity.
<?xml version="1.0" encoding="UTF-8"?>
<message xmlns="http://www.example.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.com message.xml">
<to>Alice</to>
<from>Bob</from>
<subject>Important</subject>
<body>
Traveling to San Francisco, Honolulu, and Ashtabula.
See you in the sky.
</body>
<method>Fax</method>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"
xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SignedInfo>
...
</SignedInfo>
<SignatureValue>MBwxXIuY2...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICMjCCTfMCFB9mFK6vs= </X509Certificate>
<X509IssuerSerial>
<X509IssuerName>CN=jrb@somedomain.com</X509IssuerName>
<X509SerialNumber>0</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</KeyInfo>
</Signature>
</message>
Processing Metadata
Extract the identity from the processing metadata, such as protocol
headers, system variables, and other custom metadata sources. If
selected, the WebGUI displays the following property:
Processing Metadata Item
Select a Processing Metadata object to identify extracted items.
Refer to Processing Metadata on page 305 for more information.
You must use a custom style sheet for authentication.
Custom Template
The claimed identity of the requester is extracted by a custom or
proprietary identification resource (for example, a style sheet).
If selected, the WebGUI displays the following property:
Specify a URL
v If the resource is stored in the local: or store: directory, select
the resource.
v If the resource is remote to the local: or store: directory, specify
the location of the resource.
v If the resource is stored on the WebGUI workstation, click
Upload to transfer the file.
v If the resource is stored on a remote server, click Fetch to
transfer the file.
2. After enabling one or more identity extraction methods, click Next to display
the Authentication window and continue with the Authentication phase of the
AAA Policy definition.
Enables an LDAP search for the user's group. The login name
of the user, along with the LDAP Search Parameters, is
used as part of an LDAP search to retrieve the user's DN.
v If off, the WebGUI removes the LDAP Prefix and LDAP Suffix
fields:
LDAP Prefix
Optionally specify an LDAP prefix name. The specified string is
prefixed to the identity that is extracted before submission to the
LDAP server. The default is cn=.
LDAP Suffix
Optionally specify an LDAP Suffix name. This specified string is
appended to the identity that is extracted before submission to the
LDAP server. For example, o=datapower.
Contact a SAML Server for a SAML Authentication Statement
The requester is authenticated by a SAML server. If authentication
succeeds, a SAML Authentication statement is returned and used for
further communication. If selected, the WebGUI displays the following
properties:
SAML signature validation credentials
Optionally select the Validation Credentials set used to validate a
digitally-signed SAML authentication statement. The AAA policy
validates the signature against these credentials. If the certificate
cannot be validated, authentication fails. Refer to Validation
credentials on page 22 for more information.
SAML Authentication Query Server URL
Specify the URL of the SAML Authentication server to use to retrieve
a SAML authentication statement.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authentication server. Retain the default value to use a non-SSL
connection.
SAML Version
Select the SAML version. Versions 1.0, 1.1 (Default) and 2.0 are
supported. This version determines the protocol level of SAML
Chapter 6. AAA Policy configuration
When required, specify the size of the client entropy in bytes in the
Client Entropy Size field. The size refers to the length of the client
entropy before Base64 encoding. Use an integer in the range of 8
through 128. The default is 32.
Require Server Entropy
Indicates whether to require server entropy in the WS-Trust response.
on
off
When required, specify the value for the AppliesTo header in the
AppliesTo Header field.
WS-Trust Encryption Certificate
Optionally select a Crypto Certificate to encrypt WS-Trust elements in
the request. If selected, the public key of the certificate encrypts the
client entropy key material for the recipient. If blank, the WS-Trust
BinarySecret element contains the entropy material. In this case, use
an SSL Proxy Profile to secure the message exchange with the
WS-Trust server.
Contact ClearTrust server
The requester is authenticated by a ClearTrust server. If selected, the
WebGUI displays the following properties:
ClearTrust Server URL
Specify the URL used to access the ClearTrust server.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authentication server. Retain the default value to use a non-SSL
connection.
Contact Netegrity SiteMinder
The requester is authenticated by a Netegrity server. If selected, the
WebGUI displays the following properties:
Host
Specify the IP address or host name of the Netegrity server.
Port
Specify the port number of the Netegrity server.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authentication server. Retain the default value to use a non-SSL
connection.
Netegrity Base URI
Optionally specify a Base URI for the identified Netegrity server. The
Base URI is the concatenation of the servlet-name and url-pattern from
its web.xml file. Given the following entries in a web.xml file, specify
datapoweragent/.
<servlet-mapping>
<servlet-name>datapoweragent</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
XPath Expression
Specify an XPath expression to be applied to the incoming document
to extract the signed portion of the document.
For assistance in creating the XPath expression, click XPath Tool. This
tool allows you to load an XML document and build the expression
by selecting the desired node.
If the defined expression contains namespace elements, click XPath
Binding to provide namespace/prefix data. Refer to Setting
namespace data for XPath bindings on page 266 for more
information.
Retrieve Remote Token
Select whether to retrieve the remote token. Refer to Security token
references on page 400 for details.
Custom
Identifies a custom, credentials mapping resource; for example, a style
sheet. If selected, the WebGUI displays the following property:
Specify a URL
v If the resource is stored in the local: or store: directory, select the
resource.
v If the resource is remote to the local: or store: directory, specify the
location of the resource.
v If the resource is stored on the WebGUI workstation, click Upload
to transfer the file.
v If the resource is stored on a remote server, click Fetch to transfer
the file.
None
TFIM
Credentials are taken from a TFIM configuration. If selected, the WebGUI
prompts for the following property:
TFIM Configuration
Select a TFIM configuration. Refer to Creating TFIM objects on
page 274 for more information.
WS-SecureConversation
Credentials are taken from the WS-SecureConversation context token.
XML File
Identifies an XML file as the mapping resource. If selected, the WebGUI
displays the following property:
URL
v If the resource is stored in the local: or store: directory, select the
resource.
v If the resource is remote to the local: or store: directory, specify the
location of the resource.
v If the resource is stored on the WebGUI workstation, click Upload
to transfer the file.
v If the resource is stored on a remote server, click Fetch to transfer
the file.
Refer to Using an AAA Info file on page 267 for more information.
XPath
Identifies an XPath expression as the mapping resource. If selected, the
WebGUI displays the following property:
XPath Expression
Specify an XPath expression to be applied to the value extracted
during the identity extraction phase.
For assistance in creating the XPath expression, click XPath Tool. This
tool allows you to load an XML document and build the expression
by selecting the desired node.
If the defined expression contains namespace elements, click XPath
Binding to provide namespace or prefix data. Refer to Setting
namespace data for XPath bindings on page 266 for more
information.
xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/">
<S11:Header>...</S11:Header>
<S11:Body>...</S11:Body>
</S11:Envelope>
XPath expression
The identity of the requested resource is extracted from the client request
by an XPath expression. If selected, the WebGUI displays the following
properties:
XPath expression
Specify an XPath expression to be applied to the value extracted
during the Resource Extraction step.
For assistance in creating the XPath expression, click XPath Tool. This
tool allows you to load an XML document and build the expression
by selecting the desired node.
If the defined expression contains namespace elements, click XPath
Binding to provide namespace/prefix data. Refer to Setting
namespace data for XPath bindings on page 266 for more
information.
For example, you could specify /*[local-name()="message"]/*[local-name()="transitmethod"] for the following message:
<?xml version="1.0"?>
<message xmlns="http://www.example.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.com message.xml">
<to>Alice</to>
<from>Bob</from>
<subject>Important</subject>
<body>
Traveling to San Francisco, Honolulu, and Ashtabula.
See you in the sky.
</body>
<transitmethod>Fax</transitmethod>
</message>
Processing Metadata
Extract the resource from the processing metadata, such as protocol
headers, system variables, and other custom metadata sources. If selected,
the WebGUI displays the following property:
TAMBI prefix
Indicates that the output of the mapped resource uses the prefix
style from Tivoli Access Manager for Business Integration. If
selected, the WebGUI displays the following property:
Tivoli object space instance prefix
Specify the name of the queue manager and the queue
separated by a forward slash (/). When implemented, the
mapped resource output is:
/PDMQ/queue_manager/queue/mapped_resource_name
TFIM prefix
Indicates that the output of the mapped resource uses the prefix
WebSEAL prefix
(Default) Indicates that the output of the mapped resource uses
the prefix style used by the WebSEAL component of Tivoli
Access Manager for e-business. If selected, the WebGUI displays
the following properties:
Tivoli object space instance prefix
Specify the name of the WebSEAL instance. When
implemented, the mapped resource output is:
/WebSEAL/instance_name/mapped_resource_name
c (Control)
r (Read)
d (Delete)
s (Server Admin)
g (Delegate)
T (Traverse)
l (List Directory)
m (Modify)
N (Create)
R (Bypass AuthAZ)
t (Trace)
v (View)
W (Password)
x (Execute)
Resource/Action map
Select an existing action map file.
This type of action map allows a single AAA policy to use different
ACL actions during authorization based on the requested resource.
For example, you could have a TAM action map with the entries
listed in Table 2.
Table 2. Example of TAM action map entries
Pattern   Action
*one*     x (execute)
*two*     r (read)
For information about creating or editing this type of action map, use
the WebGUI online help.
Refer to Creating Tivoli Access Manager objects on page 273 for more
information.
Contact Netegrity SiteMinder
The requester is authorized by a Netegrity SiteMinder server. If selected,
the WebGUI displays the following properties:
Host
Specify the IP address or host name of the Netegrity SiteMinder
server.
Port
Specify the port number of the Netegrity SiteMinder server. The
default is 389.
Netegrity Base URI
Optionally specify a base URI for the Netegrity SiteMinder server.
Contact NSS for SAF Authorization
The requester is authorized by the SAF. If selected, the WebGUI prompts
for the following property:
z/OS NSS Client Configuration
Select the z/OS NSS Client object that specifies the details for
connecting to the NSS server for SAF authorization. Refer to z/OS
NSS Client on page 396 for more information.
Contact ClearTrust Server
The requester is authorized by a ClearTrust server. If selected, the WebGUI
displays the following properties:
ClearTrust Server URL
Specify the URL used to access the ClearTrust Server
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to remote
authorization server. Retain the default value to use a non-SSL
connection.
Custom template
The requester is authorized by an unlisted resource; for example, a style
sheet. If selected, the WebGUI displays the following properties:
Specify a URL
v If the resource is stored in the local: or store: directory, select the
resource.
v If the resource is remote to the local: or store: directory, specify the
location of the resource.
v If the resource is stored on the WebGUI workstation, click Upload
to transfer the file.
v If the resource is stored on a remote server, click Fetch to transfer
the file.
Check for membership in an LDAP group
The requester is authorized by an LDAP server. If selected, the WebGUI
displays the following properties:
Host
Specify the IP address or host name of the LDAP server.
SOAP Enveloping
Use the toggle to determine whether the external PDP
requires SOAP enveloping. If the custom binding style
sheet generated SOAP enveloping, retain the default
setting.
Absolute
(Default) Caches all authorization data with an explicit TTL (specified
in the TTL field).
Disabled
Disables caching of authorization data.
Maximum
Compares the explicit TTL with the received TTL, if any. If it is less
than the explicit TTL, use the data-specific TTL; otherwise, use the
explicit value.
Minimum
Compares the explicit TTL with the received TTL, if any. If it is greater
than the explicit TTL, use the data-specific TTL; otherwise, use the
explicit value.
3. Specify the explicit TTL in seconds in the TTL field.
4. Click Next to return to the AAA Policy configuration where you can define
post processing activities.
Note: A log target accepts log entries at a configured level: only entries at
or above the configured level are recorded. Setting this level too high
might not capture the desired log entries. Setting this level too low might
create too many log entries.
An AAA policy supports SAML versions 1.0, 1.1, and 2.0. The version determines
the protocol level of SAML messages. The version affects the extraction of the
identity from the original message and the format of messages.
To perform this activity, the AAA policy needs the following data:
v The SAML version
v The assertion originator (issuer identity)
v Optional: The NameQualifier as defined by the SAML protocol version
v Optional: The key-certificate pair to generate digital signatures
If a custom style sheet generates a SAML assertion, this activity will not generate
additional SAML assertions.
To perform this activity, the AAA policy needs the name of an existing TFIM
configuration. For more information, refer to Creating TFIM objects on page 274.
This encrypted directory contains private key and certificate files that
services use in the domain. You can add, delete, and view files, but you
cannot modify these files while in the domain. Each application domain
contains one cert: directory. This directory is not shared across domains.
chkpoints:
This directory contains the configuration checkpoint files for the appliance.
Each application domain contains one chkpoints: directory. This directory
is not shared across domains.
config:
This directory contains the configuration files for the appliance. Each
application domain contains one config: directory. This directory is not
shared across domains.
dpcert:
This encrypted directory contains files that the appliance itself uses. This
directory is available from the command line in the default domain only.
export:
This directory contains the exported configurations that are created with
the Export Configuration utility. Each application domain contains one
export: directory. This directory is not shared across domains.
image: This directory contains the firmware images (primary and secondary) for
the appliance. This directory is where firmware images are stored typically
during an upload or fetch operation. Each appliance contains only one
image: directory. This directory is available in the default domain only.
local:
This directory contains miscellaneous files that are used by the services
within the domain, such as XSL, XSD, and WSDL files. Each application
domain contains one local: directory. This directory can be made visible to
other domains. When viewed from other domains, the directory name
changes from local: to the name of the application domain.
logstore:
This directory contains log files that are stored for future reference.
Typically, the logging targets use the logtemp: directory for active logs. You
can move log files to the logstore: directory. Each application domain
contains one logstore: directory. This directory is not shared across
domains.
Copyright IBM Corp. 2004, 2009
logtemp:
This directory is the default location of log files, such as the
appliance-wide default log. This directory can hold only 13 MB. This
directory cannot be the destination of a copy. Each application domain
contains one logtemp: directory. This directory is not shared across
domains.
pubcert:
This encrypted directory contains the security certificates that are used
commonly by Web browsers. These certificates are used to establish
security credentials. Each appliance contains only one pubcert: directory.
This directory is shared across domains.
sharedcert:
This encrypted directory contains security certificates that are shared with
partners. Each appliance contains only one sharedcert: directory. This
directory is shared across domains. However, you must be in default
domain to create or upload keys and certificates.
store:
This directory contains example style sheets, default style sheets, and
schemas that are used by the local appliance. Do not modify the files in
this directory.
Each appliance contains only one store: directory. By default, this directory
is visible to all domains. You can make changes to the contents of this
directory from the default domain only.
The store: directory has the following subdirectories:
meta
msgcat
This subdirectory contains the message catalogs.
policies
This subdirectory contains the following subdirectories. The
contents of these subdirectories affect Web services policy.
custom
This subdirectory contains custom style sheets.
mappings
This subdirectory contains mapping style sheets.
templates
This subdirectory contains XML files.
profiles
This subdirectory contains style sheets that are used by DataPower
services.
schemas
This subdirectory contains schemas that are used by DataPower
services.
dp
pubcerts
This encrypted subdirectory contains files that are used by the
appliance itself. This subdirectory is available from the command
line only.
tasktemplates:
This directory contains the XSL files that define the display of specialized
WebGUI screens. Each appliance contains only one tasktemplates: directory.
This directory is visible to the default domain only.
temporary:
This directory is used as temporary disk space by processing rules. Each
application domain contains one temporary: directory. This directory is not
shared across domains.
Creating a subdirectory
Subdirectories can only be created under the local: directory or one of its
subdirectories.
Follow these steps to create a subdirectory under the local: directory or one of its
subdirectories:
1. Launch the File Management utility. Refer to Launching the File Management
utility for details.
2. From the Action column, click Actions aligned with the directory for the
subdirectory to be created.
Deleting a directory
Directories can only be deleted in the local: directory or one of its subdirectories.
Follow these steps to delete a directory under the local: directory or one of its
subdirectories:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. From the Action column, click Actions aligned with the directory to be deleted.
3. Click Delete Directory. The File Management screen displays.
4. Click Confirm Delete. The File Management screen refreshes.
5. Click Continue. The File Management screen displays the top-level directories
only.
Required software
JKS support requires the following software on the WebGUI workstation:
v Version 1.4.2 of the Java runtime environment (j2re1.4.2)
v SDK (j2sdk1.4.2)
v Internet Explorer
Note: You must have the JRE or Java SDK /bin path name in the Windows PATH
environment variable on the WebGUI workstation. The Java Key Store file
cannot reside on any of the local directories. It must be uploaded from a
workstation.
Granting permissions
In addition, the user must have the grant permission for the upload in the
.java.policy file on the workstation that contains the Java Key Store files. The
following example .java.policy file should be defined on the workstation
computer before starting the upload:
grant {
permission java.io.FilePermission "<<ALL FILES>>","read";
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.*";
};
Navigate to the directory into which you want to upload the file.
Click Actions in that row to open the Directory Actions menu.
Click Upload Files to display the File Upload screen.
Click the Java Key Store radio button to display the JKS Upload screen.
Note: When you click the Java Key Store radio button, the Java Console of
the browser opens and shows whether the Java Key Store Access
Fetching files
Use the following procedure to retrieve a file from a remote URL (fetch) and store
that file in a specified directory on the appliance:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. Navigate to the directory into which you want to upload the file.
3. Click Actions in that row to open the Directory Actions menu.
4. Click Fetch Files to display the Fetch File screen.
5. Specify the location of the file in the Source URL field.
6. Specify the file name in the Save as field.
7. If the file already exists in the selected directory and you want to overwrite this
file, check the Overwrite Existing Files check box. If you do not select this
check box and the file already exists, the file is not uploaded.
8. Click Fetch.
9. When the appliance reports success, click Continue to return to the File
Management screen.
The target directory now contains the retrieved file. To verify, use the procedure
described in Displaying directory contents on page 207.
Copying files
Use the following procedure to copy a file from one directory to another:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. Navigate to the directory that contains the files to be copied.
3. Select files by clicking the box adjacent to the file name.
4. Scroll to the top or bottom of the screen and click Copy to display the File
Copy screen.
5. From the New Directory Name list, select the target directory.
6. Specify the name for the file, if different, in the New File Name field.
7. If one of the selected files already exists in its associated target directory and
you want to overwrite this file, check the Overwrite Existing Files check box. If
you do not select this check box and the file already exists, the file is not
copied.
8. Click Confirm Copy to copy the files to the target directories.
9. When the appliance reports success, click Continue to return to the File
Management screen.
The target directories now contain the copied files. To verify that the files exist, use
the procedure described in Displaying directory contents on page 207.
Renaming files
Use the following procedure to rename a file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. Navigate to the directory that contains the files to be renamed.
3. Select files by clicking the box adjacent to the file name.
4. Click Rename to display the File Rename screen.
5. Specify the name of the file in the New File Name field.
6. If one of the selected files already exists in the target directory and you want to
overwrite this file, check the Overwrite Existing Files check box. If you do not
select this check box and the file already exists, the file is not renamed.
7. Click Confirm Rename.
8. When the appliance reports success, click Continue to return to the File
Management screen.
The target directories now contain the renamed files. To verify that the files exist,
use the procedure described in Displaying directory contents on page 207.
Moving files
Use the following procedure to move a file from one directory to another:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
Viewing files
Use the following procedure to view a text file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. Navigate to the directory that contains the file.
3. Click the file to open a browser that contains the file.
When finished viewing the file, close the browser.
Editing files
Use the following procedure to edit a text file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. Navigate to the directory that contains the files to be edited.
3. Select the file to be edited by clicking Edit in the row that is associated with
that file. The WebGUI displays a file preview.
4. Click Edit to change to Edit Mode.
5. Edit the file as required.
6. Click Submit to complete the edit process.
7. When the appliance reports success, click Close to return to the File
Management screen.
Deleting files
Use the following procedure to delete a file:
1. Launch the File Management utility. Refer to Launching the File Management
utility on page 207 for details.
2. Navigate to the directory that contains the files to be deleted.
3. Select files by clicking the box adjacent to the file name.
4. Scroll to the top or bottom of the screen and click Delete to display the Delete
File screen.
5. Click Confirm Delete to delete the files.
6. When the appliance reports success, click Continue to return to the File
Management screen.
The selected files were deleted. To verify that the files no longer exist, use the
procedure described in Displaying directory contents on page 207.
IBM WebSphere DataPower XML Integration Appliance XI50: Web Service Proxy Developers Guide
on
off
XML
off
Does not import the file if a file of the same name exists.
9. Use the Overwrite Objects toggle to control the overwrite behavior.
on
off
Does not import the objects if an object of the same name exists.
off
Retains the original IP address in the configuration package.
12. Use the Import on Startup toggle to indicate whether to import the
configuration package at startup.
on
To ensure that all other objects and files are exported, use the admin account.
For any other user, only objects and files that are accessible to that user are
included in the export package.
To start a back up or export operation, select Administration Configuration
Export Configuration to display the initial Export Configuration screen. This
screen provides the following export options:
v Create a backup of the entire system
v Create a backup of one or more application domains
v Export configuration and files from the current domain
v Copy or move configuration and files between domains
Backing up domains
Best practice is to periodically back up all domains individually.
To back up configuration information for one or more application domains, follow
this procedure:
1. Select Administration Configuration Export Configuration to display the
Initial Export Configuration screen.
2. Select Create a backup of one or more application domains and click Next to
display the selection screen.
3. Provide the following inputs:
a. Optional: In the Comment field, enter a descriptive summary.
b. Optionally create or select the name of a Deployment Policy to accept, filter,
or modify a configuration during import.
c. The Export File Name defaults to export (.zip). If a file of this name exists
in the export: directory, it is overwritten.
d. Select the check boxes adjacent to each domain to export.
e. Click Next
When the backup completes, the file is in the export: directory. You can optionally
download the export file to your workstation.
Note: The Import Configuration utility requires that the export file resides on your
workstation.
4. Optionally click Download to download the file to your workstation.
5. Click Done to close this window and return to the Control Panel.
The export file can be accessed from the export: directory. If downloaded, the
export file is on your workstation.
Best practice when the goal is to add, modify or delete values in a configuration
package is to use a deployment policy while importing the configuration package.
Use the following procedure to import configuration data.
1. Select Administration Configuration Import Configuration to display the
Import Configuration window.
a. Use the From radio buttons to specify the import format.
XML Config
Imports configuration data as XML files.
ZIP Bundle
Imports configuration data in compressed ZIP format.
b. Retain the selection of the File radio button.
c. Click Browse to select the file to import.
d. Retain the selection of (none) for the Use Deployment Policy list. For more
information, refer to the Deployment policies on page 226.
e. Use the Rewrite Local Service Addresses toggle to control whether to
substitute IP addresses:
on
off
Does not allow local IP addresses to be rewritten.
2. Click Next to display the Select Application Domains for Import window. If
there are no objects in the configuration you are importing, skip to step 6c on
page 224.
When importing from any domain other than default, the imported
configuration applies only to the current domain. The WebGUI might display
an error message when importing data that was exported from the default
domain.
3. Select the desired domains. To select all domains, click All. To deselect selected
domains, click None. If a selected domain does not exist on the appliance, as
indicated, it will be created.
4. Click Next to display the Import Object Selection List window.
5. Select the objects to import.
Note: Click Save Config to save the configuration for each domain that
contains imported objects or files.
To effectively complete an appliance import (restore), use the admin
account. The appliance to be restored must also first be re-initialized
through the command line.
6. Click Next to display the Import Summary window, which details the contents
of the target file. In some cases, the summary might indicate differences in file
versions.
Note: Warnings can appear on this screen that alert you to a range of possible
conflicts that the imported configuration might cause. Depending on the
warning, you might want to create a new application domain, or you
might want to choose not to overwrite objects or files.
a. Select each item to overwrite. To select all items, click All. To deselect
selected items, click None. Only selected items are imported.
b. Click Import to initiate file transfer.
At the completion of the import process, the WebGUI displays the Object
Import Results window, which details the results.
c. Click Done to close this window.
If more than one domain is being imported, the Import Summary window is
displayed for the next domain to import.
Comparing configurations
To compare configurations, use the following procedure:
1. Select Administration Configuration Compare Configuration to display
the Configuration Comparison screen.
2. From the From list, select which configuration to be the first configuration
source; and from the To list, select which configuration to be the second
configuration source. The source for each of the configurations can be one of
the following:
Persisted Configuration
The last saved configuration on the appliance. This is the default in the
From list.
Running Configuration
The configuration that is currently running on the appliance. This is the
default in the To list.
Domain Configuration
The last saved or currently running domain configuration on the
appliance.
XML Configuration
The XML file that was created during an export operation. This file has
an .xcfg extension.
Export ZIP Bundle
A ZIP file that was created during an export operation. This file has a .zip
extension.
Backup ZIP Bundle
A ZIP file that was created during backup operation. This file has a .zip
extension.
Checkpoint
A ZIP file that was created through a save checkpoint operation. This file
has a .zip extension and is in the chkpoint: directory.
3. When the source (From or To) is XML Configuration, Export ZIP Bundle, or
Backup ZIP Bundle, specify or browse for and select the configuration file.
Also, create or select a deployment policy that can be used to accept, filter, or
modify a configuration.
4. When the source (From or To) is Checkpoint, select the checkpoint from the
Checkpoint list.
5. From the View list, select whether the report lists only changed objects between
the configurations or all objects in the configurations. The default is changed
objects only.
6. Click Run Comparison to generate the report.
The results are displayed below the horizontal rule.
To
Change
The type of change between the From source and the To source. The
change is one of the following values:
v modified
v added
v deleted
Beside each item is a check box.
Reverting changes
After running a comparison and reviewing the results, you can revert selected
changes or all changes between the two configurations. You can revert changes at
the object level only. To revert changes to selected properties of an object, use the
object-specific configuration screens.
To revert changes, use the following procedures:
1. Determine which objects to revert:
v To revert select objects, select the check box beside those objects.
v To revert all objects, click Select All.
2. Click Undo Selected.
Chapter 8. Managing the configuration of the appliance
Deployment policies
Deployment policies use fine-grained matching statements and clause types to
control the inclusion of configuration data from imported configuration packages.
Depending on the clause type, the deployment policy can perform the following types of
configuration management against the imported configuration package:
v Use an accepted configuration to include resources in the package that match
specified criteria.
v Use a filtered configuration to delete resources in the package that match specified
criteria.
v Use a modified configuration to modify resources in the package that match the
specified criteria. Modified configurations support the following actions:
Add
Adds the property with the identified value during the import.
Changed
Substitutes the value for the identified property during the import.
Deleted
Deletes the property during the import.
The processing sequence is as follows:
1. Process the accepted configuration, the whitelist, to always include resources
that match.
2. Process the filtered configuration, the blacklist, to always delete resources that
match.
3. Process the modified configuration to change the resources based on the
defined action type.
To access the builder, click Build. This button is associated with the following
properties:
v Accepted Configuration on the Main tab
v Filtered Configuration on the Main tab
v Configuration Match in the properties Window that the WebGUI displays after
clicking Add on the Modified Configuration tab
To create a matching statement with the builder, use the following procedure:
1. Click Build to open the builder.
2. Specify the IP address or host alias in the Device Address field. The value *
matches all IP addresses.
3. Select the name of the application domain from the Application Domain list.
The selection (none) matches all domains.
4. Select the resource type from the Resource Type list. The selection (all resources)
matches all resource types.
5. Optional: In the Name Match (PCRE) field, specify a name match for a
resource. This property limits the matching statement to resources of the
specified name. Use a PCRE to select groups of resource instances. For
example, foo* would match all resources with names that start with foo.
6. Optional: From the Configuration Property list, select the name of the
configuration property. This property limits the matching statement to resources
of the specified property.
7. Optional: In the Configuration Value Match (PCRE) field, specify the value for
the configuration property. This property limits the matching statement to
resources of the specified value. Use a PCRE Match Expression to select groups
of configuration property values.
8. Click Save.
The statement is added to the list of matching statements.
address
Specifies the IP address or host alias. The value * matches all IP addresses.
domain
Specifies the name of the application domain. The value * matches all
domains.
resource
Specifies the resource type. The value * matches all resource types.
Name=resource-name
Optionally specifies a name match for a resource. This property limits the
matching statement to resources of the specified name. Use a PCRE to
select groups of resource instances. For example, foo* would match all
resources with names that start with foo.
Property=property-name
Optionally specifies the name of the configuration property. This property
limits the matching statement to resources of the specified property.
Value=property-value
Optionally specifies the value for the configuration property. This property
limits the matching statement to resources whose property has the specified value.
PCRE documentation is available at the following Web site:
http://www.pcre.org
Monitor types
Monitors enable the definition of a message set, the specification of a count-based
or time-based threshold, and the design of administrative controls imposed when
the message set exceeds configured threshold values.
Monitors are of the following types:
v Message count monitors that measure traffic volume. Using a message count
monitor, you can, for example, track all requests for a specific URL or URL set
originating from an identified subnet, and limit such requests to 100 per second.
For details, refer to Configuring count monitors on page 234.
v Message duration monitors that measure appliance processing time and latency.
Using a message duration monitor, you can, for example, measure the average server
response time, and impose sanctions (temporarily deny service) if the average
time exceeds a configured value. For details, refer to Configuring duration
monitors on page 236.
v Web services monitors are WSDL-based and combine the properties of both
message count and message duration monitors. Web services monitors provide
the ability to watch, or observe traffic flowing to and from a particular Web
services endpoint. Web service monitors can implement a dual-threshold scheme
in which a first-level threshold could generate a log message while a
second-level threshold could throttle (drop) traffic.
Using a Web services monitor, you can, for example, observe all traffic flowing
to a particular endpoint, issue notification when a first-level error count is
exceeded, and then throttle operations if the error count continues to rise.
For procedural details, refer to Configuring Web services monitors on page
238.
v Service level monitors provide a much finer level of user control. For example, a
service level monitor enables the creation and assignment of monitors at the
Copyright IBM Corp. 2004, 2009
WSDL service, port and operations level. User control also extends to the precise
definition of monitored users and monitored resources and the scheduling of
monitoring operations.
Using a service level monitor, you can, for example, create a peak-hours monitor
that provides strict monitoring of a set of frequently accessed resources, by a set or
sets of defined user groups, along with a companion off-hours monitor that
provides less stringent controls over the same set of resources and user groups.
Unlike other monitor types, service level monitors can be applied across
multiple DataPower appliances thus allowing installations to enforce SLM
policies based on aggregated counts across peer appliances.
Message monitors
In common with most other configuration objects, message monitors are
constructed from the ground up. This approach facilitates appliance
configuration by breaking down compound, and possibly complex, objects into
their simple constituent parts, which can then be reused and mixed and matched
to address site-specific concerns and requirements.
The initial step in configuring a message monitor is to identify the traffic streams
that are subject to administrative monitoring and control. Identification of a
specific traffic stream is accomplished using a traffic definition object, which is
essentially a template that describes a traffic stream in terms of source IP address,
requested URL, HTTP header field values, and HTTP methods. For procedural
details on creating traffic definitions, refer to Traffic definitions on page 231.
You complete the traffic identification process by assigning one or more traffic
definitions to an aggregate object referred to as a message type, which is essentially
a list of traffic definitions. A message type enables a single message monitor to
exercise administrative control over multiple, possibly related, traffic streams. The
same message monitor, for example, could monitor the traffic stream originating
from subnet 10.10.10.0/24 along with the traffic stream originating from the
10.10.1.0/24 subnet. For procedural details on compiling message types, refer to
Message Type on page 233.
After identifying target traffic streams, proceed to define a filter that specifies the
administrative actions to take in response to the overuse of appliance or network
resources by a monitored message type. Policies might be relatively benign (the
simple generation of a logging message), or more stringent, possibly resulting in a
temporary denial of service to the offending message type. You can define
compound policies that activate an initial cautionary response when a message
type exceeds a low threshold value, and activate more stringent sanctions when
the same message type exceeds a higher threshold value. For procedural details on
defining monitor policies, refer to Message Filter Action on page 233.
You next create the message monitor object, which consists of a threshold value or
values, an associated message type, and an associated monitor filter. You can create
two types of message monitors.
v A message count monitor, as its name implies, uses a counter to track specific
occurrences. It activates a monitoring filter when the number of occurrences,
over a measured interval, exceeds a threshold value.
For procedural details, refer to Configuring count monitors on page 234.
v A message duration monitor, as its name implies, is clock-based and measures
how long it takes to complete certain transactions. It activates a monitoring filter
when the average completion time exceeds a threshold value.
Traffic definitions
Traffic definitions, which identify raw traffic streams, are the most basic
components used by message monitors. A traffic definition can identify a target
message stream in terms of the following criteria:
v Included IP source address
v Excluded IP source address
v Requested URL
v HTTP method
v Included HTTP header field/value
v Excluded HTTP header field/value
1. Click Object Monitoring Message Matching.
2. Click Add.
3. Provide the following inputs:
Name Specify the name of the object.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
IP Addresses
Specify a contiguous range of IP source addresses included in this
traffic definition.
Leave blank if you do not want to use IP source address as a criterion
for inclusion in this traffic definition. Leaving the field blank includes
traffic from all IP source addresses in the current traffic definition.
Specify an address range by providing an IP network address followed
by a prefix length, inserting a slash (/) between the network address
and the prefix length.
For example, 10.10.100.0/28 specifies the address range 10.10.100.0
through 10.10.100.15, but 10.10.100.9/32 specifies a single host
address.
Excluded IP Addresses
Specify a contiguous range of IP source addresses excluded from this
traffic definition.
Leave blank if you do not want to use IP source address as a criterion
for exclusion from this traffic definition.
Specify an address range by providing an IP network address followed
by a prefix length, inserting a slash (/) between the network address
and the prefix length.
For example, 10.10.100.0/28 specifies the address range 10.10.100.0
through 10.10.100.15, but 10.10.100.9/32 specifies a single host
address.
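The address-range notation used by the IP Addresses and Excluded IP Addresses fields, and the way an inclusion range combined with an exclusion range selects a traffic stream, is worked through in the following added Python example. It is not the appliance's code: the TrafficDefinition class is a hypothetical stand-in for a Message Matching object that covers only the source-address and HTTP-method criteria, and the sample addresses are constructed.

```python
import ipaddress


def address_range(cidr):
    """Return the (first, last) addresses covered by a network/prefix-length
    string as the traffic-definition fields accept it, e.g. '10.10.100.0/28'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


class TrafficDefinition:
    """Hypothetical stand-in for a Message Matching object: an included source
    range, an optional excluded source range, and an HTTP method."""

    def __init__(self, included=None, excluded=None, method="any"):
        # A blank (None) field follows the guide: that criterion is not applied,
        # so a blank included range admits every source address.
        self.included = ipaddress.ip_network(included, strict=False) if included else None
        self.excluded = ipaddress.ip_network(excluded, strict=False) if excluded else None
        self.method = method.upper()

    def matches(self, source_ip, method):
        """True when a request from source_ip with this HTTP method belongs to
        the traffic stream this definition describes."""
        ip = ipaddress.ip_address(source_ip)
        if self.included is not None and ip not in self.included:
            return False                      # outside the included range
        if self.excluded is not None and ip in self.excluded:
            return False                      # carved out by the exclusion
        if self.method != "ANY" and method.upper() != self.method:
            return False                      # wrong method type
        return True


if __name__ == "__main__":
    print(address_range("10.10.100.0/28"))    # ('10.10.100.0', '10.10.100.15')
    print(address_range("10.10.100.9/32"))    # ('10.10.100.9', '10.10.100.9')
    # Constructed definition: POST requests from 10.10.100.0/28 except host .9
    td = TrafficDefinition(included="10.10.100.0/28", excluded="10.10.100.9/32",
                           method="POST")
    for src, method in [("10.10.100.3", "POST"), ("10.10.100.9", "POST"),
                        ("10.10.100.20", "POST"), ("10.10.100.3", "GET")]:
        print(src, method, td.matches(src, method))
```

The exclusion is evaluated after the inclusion, so a /32 exclusion is the way to carve a single host out of a broader included range, exactly as the two worked prefixes in the text suggest.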
Chapter 9. Managing monitors
HTTP Method
Specify an HTTP method type (CONNECT, DELETE, GET, HEAD,
OPTIONS, POST, PUT, TRACE) to include in this traffic definition.
Retain the default value (any) to include all HTTP traffic (HTTP
method types).
To include only certain kinds of HTTP traffic, set this field to identify
the HTTP method.
Request URL
Specify a set of requested URLs included in this traffic definition. Leave
blank if you do not want to use the requested URL as a criterion for
inclusion in this traffic definition. Leaving this field blank includes all
URLs.
Match patterns can contain the following wildcard syntax:
*
[]
[]
d. Click Save.
5. Use the following procedure to specify HTTP-based exclusion criteria:
a. Click the HTTP Headers tab.
b. Click Add.
c. Provide the following inputs:
Name Specify the name of the target HTTP header field.
Value Match
Specify a set of header field values excluded from this traffic
definition.
Match patterns can contain the following wildcard syntax:
*
[]
Message Type
A message type is a list of traffic definitions and enables a message monitor to
exercise administrative control over multiple traffic streams. You should assign a
traffic definition to a message type, even if the type consists of a single definition.
1. Click Object Monitoring Message Type.
2. Click Add.
3. Provide the following inputs:
Name Specify the name of the object.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
Message Matchings
Add one or more traffic definitions to the message type.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
target configured with an event subscription of class Monitor and a priority equal
to or lower than the priority set by the filter.
1. Click Object Monitoring Message Filter Action.
2. Click Add.
3. Provide the following inputs:
Name Specify the name of the object.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
Type
Log Priority
Select the priority of the log messages generated when threshold values
are exceeded by a message type.
Note: Log targets will not include messages generated by a monitor
unless the log target is configured with an Event Subscription
class of Monitor or All and a Priority level equal to or lower
than the value set here.
Block Interval
Specify an optional blackout period during which an over-threshold
message type is denied service.
This property is meaningful only when the sanction is of the reject type; it specifies
the duration of service denial (from 1 to 500 milliseconds). The default
value (0) indicates that while over-threshold messages are dropped, no
service denial penalty is imposed.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
Comments
Specify a descriptive object-specific summary.
Message Type
Select the message type for message count monitor to monitor.
Measure
Select how to increment the counter.
Requests
Indicates that the receipt of a client request of the monitored
message type increments the counter.
Responses
Indicates that the receipt of a server response of the monitored
message type increments the counter.
XPath Indicates that a style sheet increments the counter. Use the
dp:increment-integer extension element in a style sheet. This
extension element increments the counter that the count
monitor maintains. For example, if the name of the count
monitor is monitor1, the style sheet must contain the following
statement:
<dp:increment-integer name="'/monitor-count/monitor1'"/>
Each IP
Gathers and reports IP address information for individual IP
addresses (up to a maximum of 10000) in the address range.
IP from Header
Gathers and reports IP address information for individual IP
addresses (up to a maximum of 10000) in the address range. IP
addresses are determined by the value of the HTTP Header
identified by the Header property.
Header
Specify the HTTP Header that contains IP address information.
Maximum Distinct Sources
Specify the number of distinct IP addresses to track. When too many
distinct counts are observed, the addresses not observed in the longest
amount of time are discarded. The default is 10000.
4. Click the Threshold/Filters tab.
5. Click Add.
6. Provide the following inputs:
Name Specify the name of this threshold.
Interval
Specify the measurement interval (expressed as milliseconds). Interval
works with Rate Limit and Burst Limit to define the conditions that
activate a monitor filter.
For example, the following combination imposes administrative
sanctions when the monitored message type exceeds 50 transactions per
second:
v The Interval property set to 1000
v The Rate Limit property set to 50
v The Burst Limit property set to 100
Rate Limit
Specify the threshold value (expressed as a number of messages).
Burst Limit
Specify the allowed burst value. A monitor accrues the number of
messages below the rate limit per interval. A burst can be as large as
the accrued number of unused messages during a single interval, up to
the limit set here.
For example, the rate limit is 100 and only 90 were received during
each of the first five intervals. In the sixth interval, the monitor allows a
burst of as many as 150 transactions. If the burst limit is 140 and 150
transactions occur, the monitor takes the configured action. The formula
to calculate burst is as follows:
L(t) = min( R + max( L(t-1) - M(t-1), 0 ), B )
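The burst formula above and the Interval/Rate Limit/Burst Limit combination described under Interval can be simulated with the following added Python example; it is written for this page and is not the appliance's accounting code. The reading of the symbols is an assumption, since the guide states the formula without naming its terms: R is the Rate Limit, B the Burst Limit, M(t) the number of messages received during interval t, and L(t) the number allowed during interval t. The starting state L(0) = 0, M(0) = 0 is also an assumption; it is the choice that makes the first interval allow exactly R messages, which is what reproduces the guide's own numbers (rate limit 100, 90 messages in each of five intervals, 150 allowed in the sixth).

```python
def allowed_limits(rate_limit, burst_limit, received):
    """Return the per-interval allowance L(t) for each count M(t) in `received`,
    using L(t) = min( R + max( L(t-1) - M(t-1), 0 ), B )."""
    limits = []
    prev_limit, prev_received = 0, 0          # assumed L(0) = 0, M(0) = 0
    for count in received:
        unused = max(prev_limit - prev_received, 0)       # credit left over last interval
        limit = min(rate_limit + unused, burst_limit)      # never above the burst ceiling
        limits.append(limit)
        prev_limit, prev_received = limit, count
    return limits


def over_threshold_intervals(rate_limit, burst_limit, received):
    """Return the 1-based interval numbers in which the monitor would take the
    configured filter action, i.e. where M(t) exceeds L(t)."""
    limits = allowed_limits(rate_limit, burst_limit, received)
    return [t + 1 for t, (count, limit) in enumerate(zip(received, limits))
            if count > limit]


if __name__ == "__main__":
    # Constructed traffic: 90 messages in each of five intervals, then a burst of 150.
    traffic = [90, 90, 90, 90, 90, 150]
    print(allowed_limits(100, 150, traffic))             # [100, 110, 120, 130, 140, 150]
    print(over_threshold_intervals(100, 150, traffic))   # []   burst of 150 is tolerated
    print(over_threshold_intervals(100, 140, traffic))   # [6]  burst limit 140 is exceeded
    # The guide's 50-per-second case: Interval 1000 ms, Rate Limit 50, Burst Limit 100.
    print(allowed_limits(50, 100, [0, 0, 0]))            # [50, 100, 100]
```

Note how the unused credit accumulates only up to the Burst Limit: with Rate Limit 50 and Burst Limit 100, two idle intervals are enough to reach the ceiling, after which further idle time earns nothing more. That bound is what keeps a long quiet period from licensing an arbitrarily large spike.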
Enabling statistics
To enable statistics, use the following procedure:
1. Click Administration Device Statistics Settings.
2. Set Admin State to enabled.
3. Click Apply to save the changes to the running configuration.
4. Optional: Click Save Config to save the changes to the startup configuration.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
WSDL URL
The URL of the WSDL file that defines the Endpoints, Transport Type,
and Operations watched by this monitor. The WSDL file can reside on
the appliance or elsewhere on the network. Example values include
local:///service.wsdl or https://www.service.com/Services/
service.wsdl.
Endpoint
Specify the name of the Endpoint, as defined in the WSDL file
identified above, that this monitor will watch. For example, a WSDL file
might have the following definition:
<service name="BoodleSearchService">
<port name="BoodleSearchPort" binding="typens:BoodleSearchBinding">
<soap:address location="http://api.boodle.com/search/beta2"/>
</port>
</service>
a. Click Add.
b. Select Second Limit in Threshold Level.
c. Provide the Threshold Value.
d. Select the Threshold Action.
e. Click Save.
Main tab
Name Specify the name of the object.
Admin State
Retain the default setting. To place the object in an inactive administrative
state, click disabled.
Comments
Specify a descriptive object-specific summary.
Authorized counter
Optional: Select a message-count monitor. This object monitors and
controls incoming messages authorized by this AAA Policy. This counter
should Measure type XPath to allow the AAA Policy to increment the
counter on successful authorization. Refer to Configuring count monitors
on page 234 for more information.
Rejected counter
Optional: Select a message-count monitor. This object monitors and controls
incoming messages rejected by this AAA Policy. This counter should
Measure type XPath to allow the AAA Policy to increment the counter on
rejected authorization. Click Rejected Counter Tool to configure a counter
for this purpose. Refer to Configuring count monitors on page 234 for
more information.
SAML Signature Validation Credentials
Optional and only if the AAA policy uses SAML-based identity extraction,
authentication, or authorization: Select the Crypto Validation Credentials to
validate digitally-signed SAML assertions from the Credentials list. Refer
to Validation credentials on page 22 for more information.
Identity tab
The initial processing performed by an AAA Policy consists of extracting
information from an incoming message and its protocol envelope(s) about the
claimed identity of the service requester.
Use the Identity panel to specify the method or methods used by the AAA Policy
to extract the identity claimed by the service requester. Click the Identity tab to
display the AAA Policy Configuration (Identity) screen.
Use the check boxes to enable (on) or disable (off) one or more identification
methods.
HTTPs Authentication header
The claimed identity of the requester is extracted from the HTTP
Authorization header (name and password).
If selected, the WebGUI prompts for the following property:
HTTPs Basic Authentication Realm
The name of the HTTP Basic Authentication Realm as described by
RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
A browser might display this name to help determine which
credentials to supply.
UserName element from WS-Security header
The claimed identity of the requester is extracted from the WS-Security
UserName element (name and password) contained in a SOAP header.
BinarySecurityToken element from WS-Security header
The claimed identity of the requester is extracted from the WS-Security
BinarySecurityToken element (using the token's string value as the claimed
identity) contained in a SOAP header.
WS-SecureConversation Identifier
The claimed identity of the requester is extracted from a
WS-SecureConversation Identifier.
WS-Trust Base or Supporting Token
The claimed identity of the requester is extracted from a WS-Trust Base or
Supporting token.
Kerberos AP-REQ from WS-Security header
The claimed identity of the requester is extracted from a Kerberos AP-REQ
contained in the WS-Security header.
Kerberos AP-REQ from SPNEGO token
The claimed identity of the requester is extracted from a Kerberos AP-REQ
contained in the SPNEGO token.
Subject DN of the SSL Client Certificate from the Connection Peer
The claimed identity of the requester is extracted from the SSL client
Custom template
The claimed identity of the requester is extracted by a custom or proprietary
identification resource (for example, a style sheet). If selected, the WebGUI
prompts for the following property:
Custom URL
Specify the local or remote URL of the identification resource.
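Two of the identification methods above, the HTTP Authorization header and the WS-Security UsernameToken, parsed in Python. This is an added illustration, not code from this guide or from the appliance: it only extracts the claimed identity, exactly as the Identity step does, and leaves believing it to the Authenticate step. The namespace constants are the OASIS WSS 1.0 URIs; the sample header and SOAP message are constructed.

```python
"""Claimed-identity extraction for two Identity tab methods:
Authorization: Basic and a WS-Security UsernameToken.  Added illustration,
not DataPower code; sample inputs are constructed."""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Optional

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"


def identity_from_basic_header(headers: dict) -> Optional[dict]:
    """Return {'username', 'password'} from 'Authorization: Basic <b64>', or
    None when the header is absent or malformed.  This only extracts the
    claim; nothing here authenticates it."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617: userid ":" password.  The userid may not contain ':' but the
    # password may, so split on the first colon only.
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return {"username": user, "password": password}


def basic_challenge(realm: str) -> str:
    """WWW-Authenticate value returned when no usable Basic credential arrived;
    the realm is the 'HTTP Basic Authentication Realm' property."""
    return 'Basic realm="%s"' % realm.replace("\\", "\\\\").replace('"', '\\"')


def identity_from_username_token(soap_xml: str) -> Optional[dict]:
    """Return the claimed identity from the first wsse:UsernameToken in the
    SOAP header, keeping the password Type, Nonce and Created values that a
    PasswordDigest check needs later."""
    root = ET.fromstring(soap_xml)
    token = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    username = token.findtext(f"{{{WSSE}}}Username")
    if not username:
        return None
    password = token.find(f"{{{WSSE}}}Password")
    return {
        "username": username,
        "password": None if password is None else (password.text or ""),
        # Per the UsernameToken Profile, a missing Type attribute means PasswordText.
        "password_type": None if password is None else password.get("Type", PASSWORD_TEXT),
        "nonce": token.findtext(f"{{{WSSE}}}Nonce"),
        "created": token.findtext(f"{{{WSU}}}Created"),
    }


# Constructed sample inputs (the digest value below is a placeholder).
SAMPLE_HEADERS = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret:x").decode()}
SAMPLE_SOAP = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>bob</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">Hn1zJ4dK0ekCqNbLyRqv1Z5s5qI=</wsse:Password>
        <wsse:Nonce>MDEyMzQ1Njc4OWFiY2RlZg==</wsse:Nonce>
        <wsu:Created>2009-06-01T12:00:00Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(identity_from_basic_header(SAMPLE_HEADERS))
    print(identity_from_username_token(SAMPLE_SOAP))
```

Note that the Basic parser splits on the first colon only, so a password containing a colon survives intact, and that a malformed token yields no identity rather than an empty one; an empty or missing claim must never be allowed to fall through to an authorization method that treats a blank credential permissively.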
Click Apply to commit AAA Policy properties.
Optional: Click Save Config to save the changes to the startup configuration.
Authenticate tab
After extracting the claimed identity of the service requester, an AAA Policy
authenticates the claimed identity. The authentication process can use internal or
external resources. Use the Authenticate panel to designate the authentication
method.
1. Click the Authenticate tab to display the AAA Policy Configuration
(Authenticate) screen.
2. From the Method list, select an authentication method.
Accept a SAML Assertion with a Valid Signature
The requester is authenticated by a SAML assertion with a valid
signature.
Accept an LTPA token
The requester is authenticated by an encrypted LTPA token. If selected,
the WebGUI prompts for the following property values:
LTPA Token Versions
Specifies the LTPA formats supported for authentication purposes.
Use the check boxes to specify the LTPA versions that are
supported for authentication. Select at least one version, or all
LTPA-based authentication will fail.
Because the LTPA token must be decrypted before authentication,
the following properties identify the needed cryptographic
resources.
LTPA Key File
Provide the name of the file that contains the cipher keys to be
used for encryption and decryption.
LTPA Key File Password and Confirm LTPA Key File Password
Provide and confirm the cleartext password to the LTPA key file.
Refer to Understanding LTPA for more information.
Bind to Specified LDAP Server
(Default) The requester is authenticated by an LDAP server. If selected,
the WebGUI prompts for the following properties:
Host
Port
LDAP Prefix
Optionally specify an LDAP Prefix name. This string is prepended
to the identity extracted before submission to the LDAP server.
The default is cn=.
This property is relevant when the Search for DN is off.
LDAP Suffix
Optionally specify an LDAP Suffix name. This suffix string is
appended to the identity extracted before submission to the LDAP
server. For example, o=datapower.com.
This property is relevant when the Search for DN is off.
LDAP Load Balancer Group
Optionally select a Load Balancer Group. If you select a group,
LDAP queries will be load balanced in accordance with the
settings in the group. Load balancing allows for failover. Refer to
Configuring a load balancer group on page 296 for more
information.
When specified, this property overrides the settings for the Host
and Port properties.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to the
remote authentication server. Retain the default value to use a
non-SSL connection.
LDAP Bind DN
Specify the Distinguished Name for the LDAP bind operation.
LDAP Bind Password and Confirm LDAP Bind Password
Specify and confirm the password for the LDAP bind operation.
LDAP Search Attribute
Specify the name of the LDAP attribute that contains the cleartext
password. The default is userPassword.
This property is meaningful only when the identity extraction
method is Password-carrying UsernameToken Element from
WS-Security Header and the <Password> element in the token
has its Type attribute set to PasswordDigest. In this case, the
LDAP server returns the text in the specified LDAP attribute for
the user named in the UsernameToken. The appliance recomputes the
digest (the Base64 of the SHA-1 hash over the token's nonce, its
creation timestamp and the returned password, as defined by the
WS-Security UsernameToken Profile) and, if it does not match the
value in the <Password> element, authentication fails.
Search for DN
Indicate whether to perform an LDAP search to retrieve the DN of
the user.
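How the Bind to Specified LDAP Server properties above fit together, as an added Python illustration that is not code from this guide or the appliance: the LDAP Prefix and LDAP Suffix are joined around the extracted identity (that a comma separates identity and suffix is an assumption), the identity is escaped per RFC 4514 so a crafted user name such as bob,ou=admins cannot rewrite the DN, and a PasswordDigest is recomputed from the password read through the LDAP Search Attribute. The directory, nonce and timestamp are constructed.

```python
"""Bind-DN construction and PasswordDigest verification for the
'Bind to Specified LDAP Server' method.  Added illustration, not DataPower
code.  Assumptions: LDAP Prefix + identity + LDAP Suffix are joined with a
comma, and the directory is an in-memory dict."""
import base64
import hashlib
import hmac


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping of an attribute value.  Without it an identity taken
    off the wire, such as 'bob,ou=admins', changes the structure of the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(identity: str, ldap_prefix: str = "cn=", ldap_suffix: str = "") -> str:
    """Prefix and suffix are trusted configuration; only the identity is escaped."""
    dn = ldap_prefix + escape_rdn_value(identity)
    if ldap_suffix:
        dn += "," + ldap_suffix.lstrip(",")
    return dn


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken Profile 1.0:
    Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def verify_digest(token: dict, directory: dict, search_attribute: str = "userPassword") -> bool:
    """Recompute the digest from the password stored in the LDAP Search
    Attribute and compare it with the <Password> element in constant time."""
    entry = directory.get(token["username"])
    if entry is None:
        return False
    stored = entry.get(search_attribute)
    if stored is None or not token.get("nonce") or not token.get("created"):
        return False
    expected = password_digest(token["nonce"], token["created"], stored)
    return hmac.compare_digest(expected, token.get("password") or "")


# Constructed directory and token material.
DIRECTORY = {"bob": {"userPassword": "hunter2"}}
NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")
CREATED = "2009-06-01T12:00:00Z"


def sample_token(password_used_by_client: str) -> dict:
    """What the Identity step hands over for a PasswordDigest UsernameToken."""
    return {"username": "bob", "nonce": NONCE, "created": CREATED,
            "password": password_digest(NONCE, CREATED, password_used_by_client)}


if __name__ == "__main__":
    print(build_bind_dn("bob,ou=admins", "cn=", "o=datapower.com"))
    print(verify_digest(sample_token("hunter2"), DIRECTORY))
```

Two practical consequences follow from the digest check: the LDAP Bind DN must be allowed to read the search attribute, and that attribute must hold the password in cleartext (a directory that stores a salted hash cannot feed this computation). A production check should additionally reject a Created timestamp outside a short window and cache recently seen nonces, because the digest alone does not stop replay of a captured token.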
When required, specify the value for the AppliesTo header in the
AppliesTo Header field.
WS-Trust Encryption Certificate
Optionally select a Crypto Certificate to encrypt WS-Trust
elements in the request. If selected, the public key of the certificate
encrypts the client entropy key material for the recipient. If blank,
the WS-Trust BinarySecret element carries the entropy material
unencrypted; in that case, use an SSL Proxy Profile to secure the
message exchange with the WS-Trust server.
Contact ClearTrust Server
The requester is authenticated via a ClearTrust server. If selected, the
WebGUI prompts for the following properties:
ClearTrust Server URL
Provide a local or remote URL that locates the authentication
resource.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to the
remote authentication server. Retain the default value to use a
non-SSL connection.
Contact Netegrity SiteMinder
The requester is authenticated by a Netegrity server. If selected, the
WebGUI prompts for the following properties:
Host
Port
TFIM Configuration
Select an existing TFIM object. Refer to Creating TFIM objects
on page 274 for more information.
Credentials from WS-SecureConversation Token
The authentication credentials are mapped via a
WS-SecureConversation exchange.
AAA Info File
The authentication credentials are mapped using an XML file as the
mapping resource. If selected, the WebGUI prompts for the following
property:
AAA Info File URL
Specify the location of the XML file used for authentication
purposes.
To identify a local resource, use the form store:///authfile.xml.
Open store:///authfile.xml to examine a sample AAA Info file.
Apply XPath Expression
The authentication credentials are mapped using an XPath expression
as the mapping resource. If selected, the WebGUI prompts for the
following property:
XPath Expression
Specify the operative XPath expression.
3. Click Apply to commit AAA Policy properties.
4. Optional: Click Save Config to save the changes to the startup configuration.
Resource tab
After authenticating a client, an AAA policy identifies the specific resource being
requested by that client.
Use the Resource panel to designate the methods used to identify the resource
requested by an authenticated client.
1. Click the Resource tab to display the AAA Policy Configuration (Resource)
screen.
2. Use the check boxes to enable (on) or disable (off) one or more resource
identification methods.
URL sent to back end
The identity of the requested resource is extracted from the (possibly
rewritten) URL sent to the server. The URL can be rewritten by a URL
Rewrite Policy attached to the service or by another processing action
before the AAA Policy.
URL sent by client
The identity of the requested resource is extracted from the original URL
sent by the client. This URL has not been rewritten.
URI of top-level element in the message
The identity of the requested resource is extracted from the namespace
URI of the top-level application element in the message body.
Local name of request element
The identity of the requested resource is extracted from the local (simple)
name of the top-level application element in the message body.
Authorize tab
After authenticating a service requester and extracting the identity of the requested
resource, an AAA Policy next authorizes the client, that is, determines if the
authenticated service requester is allowed access to the requested resource. The
authorization process can use internal or external resources. Use the Authorize
panel to designate the authorization method.
1. Click Authorize to display the AAA Policy Configuration (Authorize) screen.
2. From the Method list, select an authorization method.
Allow Any Authenticated Client
Any authenticated user is authorized.
Contact ClearTrust Server
The requester is authorized via a ClearTrust server. If selected, the
WebGUI prompts for the following properties:
ClearTrust Server URL
Specify a local or remote URL that locates the authorization
resource.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to the
remote authorization server. Retain the default value to use a
non-SSL connection.
Custom Template
The requester is authorized by a custom/proprietary resource (for
example, a style sheet). If selected, the WebGUI prompts for the following
property:
Custom URL
Specify a local or remote URL that locates the authorization
resource.
Check for Membership in an LDAP Group
The requester is authorized by an LDAP server. If selected, the WebGUI
prompts for the following properties:
Host
Specify the IP address or domain name of the LDAP authentication
server.
Port
Specify the LDAP authentication server port number. If not
specified, defaults to the canonical port number.
Group DN
Specify the Distinguished Name of the LDAP group.
LDAP Load Balancer Group
Optionally select a Load Balancer Group. If a group is selected,
LDAP queries will be load balanced in accordance with the settings
in the group. Load balancing allows for failover when using LDAP
for authorization.
LDAP Bind DN
Specify the Distinguished Name for the LDAP Bind.
LDAP Bind Password and Confirm Bind Password
Specify and confirm the password for the LDAP Bind.
r (Read)
u (Update)
Always Allow
All messages are forwarded to the backend server.
Generate a SAML Attribute Query
The requester is authorized by a SAML attribute query/response
exchange between the DataPower appliance and a SAML server. If
selected, the WebGUI prompts for the following properties:
URL
Specify the location of the SAML server.
SAML Match
Select the minimum authorization criteria.
All
Authorization requires that all configured attribute names be
present in the SAML attribute statement.
All-Values
Authorization requires that all configured attribute names
and values be present in the SAML attribute statement.
Any
Authorization requires that at least one configured attribute
name be present in the SAML attribute statement.
Any-Value
Authorization requires that a single configured attribute
name and value be present in the SAML attribute statement.
XPath
Authorization requires that SAML server responses are
evaluated with an XPath expression.
SAML XPath
If SAML Match is XPath, specify the operative XPath expression.
SAML Name Qualifier
Optionally specify the value of the NameQualifier attribute of the
NameIdentifier in the generated SAML query. Some SAML
implementations require this value to be present.
SAML Version
Select the SAML protocol version to use when employing SAML for
authorization. Versions 1.0, 1.1 and 2.0 are supported. The version
selected affects the format of the messages sent to SAML authorities.
All-Values
Authorization requires that all configured attribute names and
values be present in the SAML attribute statement
Any
Authorization requires the presence of a single SAML attribute
Any-Value
Authorization requires that a single configured attribute name
and value be present in the SAML attribute statement
XPath
Authorization requires that SAML server responses are
evaluated with an XPath expression
SAML XPath
If SAML Match is XPath, specifies the operative XPath expression
SAML Name Qualifier
Optionally specify the value of the NameQualifier attribute of the
NameIdentifier in the generated SAML query. Some SAML
implementations require this value to be present.
SAML Version
Select the SAML protocol version to use when employing SAML for
authorization. Versions 1.0, 1.1 and 2.0 are supported. The version
selected affects the format of the messages sent to SAML authorities.
SSL Proxy Profile
Select an SSL Proxy Profile to provide a secure connection to the
remote authorization server. Retain the default value to use a
non-SSL connection.
Contact Tivoli Access Manager
The requester is authorized by a Tivoli Access Manager (TAM). A TAM
object must exist for this method to succeed. Refer to Creating Tivoli
Access Manager objects on page 273 for more information.
Use SAML Attributes from Authentication
The requester is authorized by the same SAML authentication or attribute
statements used to authenticate the requester. If selected, the WebGUI
prompts for the following property:
SAML Match
Select the minimum authorization criteria.
All
Authorization requires that all configured attribute names be
present in the SAML attribute statement.
All-Values
Authorization requires that all configured attribute names
and values be present in the SAML attribute statement.
Any
Authorization requires that at least one configured attribute
name be present in the SAML attribute statement.
Any-Value
Authorization requires that a single configured attribute
name and value be present in the SAML attribute statement.
XPath
Authorization requires that SAML server responses are
evaluated with an XPath expression.
SAML XPath
If SAML Match is XPath, specifies the operative XPath expression
Use XACML Authorization Decision
The requester is authorized by an XACML Policy Decision Point (PDP),
which might be configured and located on the DataPower appliance, or
which might reside on a remote network appliance. If selected, the
WebGUI prompts for the following properties:
XACML Version
Select the XACML version (1.0 or 2.0, the default) used for
communications between the PDP and this AAA Policy, acting as an
XACML Policy Enforcement Point (PEP).
PEP Type
Select how the AAA Policy, acting as an XACML PEP, processes the
PDP authorization response.
Base PEP
If the XACML response to the authorization request is
permit, the client is authorized; if the permit response is
accompanied by obligations, the client is authorized only if
the AAA Policy, acting as a PEP, can understand and
discharge the conditions.
If the XACML response to the authorization request is deny,
the client is rejected; if the deny response is accompanied by
obligations, the client is rejected only if the AAA Policy,
acting as a PEP, can understand and discharge the
conditions.
Deny-biased PEP
If the XACML response to the authorization request is
permit, the client is authorized; if the permit response is
accompanied by obligations, the client is authorized only if
the AAA Policy, acting as a PEP, can understand and
discharge the conditions.
Any other XACML response results in the client's rejection.
Permit-biased PEP
If the XACML response to the authorization request is deny,
the client is rejected; if the deny response is accompanied by
SOAP Enveloping
Use the toggle to determine whether the external PDP
requires SOAP enveloping. If the custom binding style
sheet generated SOAP enveloping, retain the default
setting.
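The three PEP types above, worked through in Python as an added illustration that is not the appliance's implementation. The decision values, the obligation rules and the two namespaces come from the XACML 2.0 specification (its permit-biased rule completes the sentence cut off above: a Deny whose obligations can all be discharged rejects the client, and any other response authorizes); the obligation handler registry and the sample response are constructed.

```python
"""XACML 2.0 response handling for the base, deny-biased and permit-biased
PEP types.  Added illustration, not DataPower code.  Decision values,
obligation rules and namespaces follow the XACML 2.0 specification; the
handler registry and sample response are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
PERMIT, DENY = "Permit", "Deny"


@dataclass
class Result:
    decision: str                    # Permit, Deny, NotApplicable or Indeterminate
    obligations: List[str] = field(default_factory=list)   # ObligationIds to fulfil


def parse_response(xml: str) -> Result:
    """Take the Decision and the ObligationIds whose FulfillOn matches it
    from the first Result of an XACML 2.0 context Response."""
    root = ET.fromstring(xml)
    result = root.find(f"{{{CTX}}}Result")
    if result is None:
        raise ValueError("no Result element in XACML response")
    decision = result.findtext(f"{{{CTX}}}Decision") or "Indeterminate"
    obligations = [
        ob.get("ObligationId")
        for ob in result.findall(f"{{{POL}}}Obligations/{{{POL}}}Obligation")
        if ob.get("FulfillOn", decision) == decision
    ]
    return Result(decision, obligations)


def discharged(obligations: List[str], handlers: Dict[str, Callable[[], bool]]) -> bool:
    """True only if every obligation is understood and its handler succeeds."""
    return all(ob in handlers and handlers[ob]() for ob in obligations)


def pep_decide(res: Result, pep_type: str,
               handlers: Dict[str, Callable[[], bool]]) -> Optional[bool]:
    """True = authorize, False = reject.  None means the base PEP rules define
    no outcome for this response, so a biased PEP type must be chosen."""
    permit_ok = res.decision == PERMIT and discharged(res.obligations, handlers)
    deny_ok = res.decision == DENY and discharged(res.obligations, handlers)
    if pep_type == "base":
        if permit_ok:
            return True
        if deny_ok:
            return False
        return None
    if pep_type == "deny-biased":
        return permit_ok          # anything but a dischargeable Permit rejects
    if pep_type == "permit-biased":
        return not deny_ok        # anything but a dischargeable Deny authorizes
    raise ValueError(f"unknown PEP type {pep_type!r}")


# Constructed sample: a Permit carrying one obligation the PEP knows how to meet.
SAMPLE_RESPONSE = f"""<Response xmlns="{CTX}">
  <Result ResourceId="/orders/1">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <Obligations xmlns="{POL}">
      <Obligation ObligationId="urn:example:obligation:audit" FulfillOn="Permit"/>
      <Obligation ObligationId="urn:example:obligation:mask" FulfillOn="Deny"/>
    </Obligations>
  </Result>
</Response>"""
HANDLERS = {"urn:example:obligation:audit": lambda: True}   # constructed registry

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    for kind in ("base", "deny-biased", "permit-biased"):
        print(kind, pep_decide(r, kind, HANDLERS))
```

The test cases make the operational difference visible: an Indeterminate response (a PDP error, a malformed request, an unreachable policy) is rejected by a deny-biased PEP but authorized by a permit-biased one, and a Permit carrying an obligation the PEP does not understand is likewise allowed through only by the permit-biased type. Choose Deny-biased PEP unless the application has a documented reason to fail open.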
For more information about these activities, refer to Post processing activities on
page 201.
(Default) Use the value explicitly assigned by the value for the
LTPA User Attribute Static Value property
add name-value pairs to the LTPA token, use the following procedure:
Click LTPA User Attributes to display the catalog.
Click Add to display the LTPA User Attributes window.
Provide the following inputs:
LTPA User Attribute Name
Specify the name of the attribute.
LTPA User Attribute Type
Select the type of attribute.
Static
Note: An XML file could be used for one or more of these operations. Only the
part of the file that supports the desired operation needs to be completed.
For example, if the file is only used for Map Credentials, it does not need to
include an Authenticate, Map Resource, or Authorize section.
The schema for an AAA Info file uses the AAAInfo.xsd file in the store: directory.
One or more XML files could be used for these operations. In each case, the field
that offers the ability to select an XML file has the + (create) and ... (modify)
buttons. Clicking either button launches the AAA Info file editor. Refer to AAA
Info file editor on page 268 for more information.
Note: The AAA Info file can be edited outside of the AAA Info file editor and
uploaded to the appliance.
complete match. It is possible to create one entry for user name Bob that also has a
password of foo and another with no password entry. Should the extraction
method only retrieve the user name and not the password, Bob will still
authenticate.
Map credentials: The Map Credentials page presents a list of all credential maps
contained in the file. When creating a new file, this list is empty.
Click Next to move to the next page if this file will not be used for mapping
credentials. Click Add to create a new credential map.
Input Credential
The credential input to the mapping. This field accepts PCRE expressions,
allowing a single expression to match more than one input credential.
Entering foo causes the AAA policy to match all input credentials that
contain the string foo.
Credential Name
The credential to output in place of the input credential. This is the value
to which the input credential is mapped. This is not a regular expression.
Click Submit to add the new map to the list of maps. Create as many mapping
entries as needed by clicking Add for each new entry.
Note: If this file is used for mapping credentials, any input credential that does
not match a map is converted to a blank credential for the purposes of
authorization.
Map resources: The Map Resource page presents a list of all resource mappings
contained in the file. Resource mapping is used to map the resource identifier
extracted from the message to something else. If the AAA Policy uses more than
one resource extraction method, all methods will be executed.
Click Next if this file will not be used for resource identity mapping. Click Add to
create a new map.
Original URL
The URL sent by the client submitting the message. This is a PCRE
expression.
Target URL
The URL used to send the message to the back end server, after the
firewall URL Rewrite Policy has executed. This is a PCRE expression.
Request URI
The Namespace URI of the action or method requested in the body of the
SOAP message. This is identified as the topmost element in the SOAP:Body
element.
Request Operation
The name of the operation requested in the body of the SOAP message.
HTTP Method
Select the desired method. Select any to allow any method.
Result of XPath Expression
Any value that is extracted from the message by an XPath expression. This
is a PCRE expression.
270
IBM WebSphere DataPower XML Integration Appliance XI50: Web Service Proxy Developers Guide
Resource
The resource string to which the input resource is mapped. This field is
required.
Note: If this file is used for mapping resources, any resource that is not mapped
by the file is converted to a blank resource for the purposes of
authorization.
Authorized access to resources: The Authorize page presents a list of all
authorization pairs contained in this file. Authorization is based on an input
credential (after mapping, if any) and an input resource (after mapping, if any).
If this file is not used for authorization, click Next. To create an authorization entry,
click Add.
Credential
The credential to match for authorization. This field accepts PCRE
expressions.
Resource
The resource to match for authorization. This field accepts PCRE
expressions.
Access
Select allow or deny as the authorization result.
Note: When this file is used for authorization, access is denied by default. Any
unmatched entries result in denied access. Access is allowed only if a match
is found and the Access for that match is allow.
File Information: The file information page provides a means to name the file
and add a comment if desired.
This file is typically placed in the local: directory.
Confirmation: The last page of the editor reflects the name of the file and offers
the opportunity to make changes or save the changes to the file.
v Click Cancel to abandon all changes and close the window.
v Click Back to move backward through the file to make any additional changes
needed.
v Click Commit to save the file and close the window.
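The evaluation rules the editor pages above describe, as an added Python illustration that is not code from this guide or the appliance: complete-match authentication (including the user-name-only entry the Authenticate page warns about), PCRE credential and resource mapping in which an unmatched input becomes blank, and deny-by-default authorization. The real file is XML validated against store:///AAAInfo.xsd; its element names are not reproduced here, so the entries are plain Python records mirroring the editor's fields, and "first matching entry wins" is an assumption of this example.

```python
"""Evaluation semantics of an AAA Info file as the editor describes them.
Added illustration, not DataPower code.  Entries are constructed records
mirroring the editor's fields; first matching entry wins (assumption)."""
import re
from typing import Optional

# The second 'bob' entry has no password: it matches whenever the identity
# extraction method supplied a user name but no password.
AUTHENTICATE = [
    {"username": "bob", "password": "foo", "credential": "bob"},
    {"username": "bob", "password": None, "credential": "bob"},
    {"username": "alice", "password": "bar", "credential": "alice"},
]
MAP_CREDENTIALS = [          # input is a PCRE, output a literal
    {"input": "^alice$", "output": "admins"},
    {"input": "bob", "output": "operators"},
]
MAP_RESOURCES = [            # original_url is a PCRE; http_method 'any' matches all
    {"original_url": "^/orders/", "http_method": "POST", "resource": "orders:write"},
    {"original_url": "^/orders/", "http_method": "any", "resource": "orders:read"},
]
AUTHORIZE = [                # credential and resource are PCREs
    {"credential": "^admins$", "resource": "^orders:", "access": "allow"},
    {"credential": "^operators$", "resource": "^orders:read$", "access": "allow"},
]


def authenticate(username: str, password: Optional[str]) -> Optional[str]:
    """Complete match of user name and password; None means no password
    was extracted, which matches an entry that has no password."""
    for e in AUTHENTICATE:
        if e["username"] == username and e["password"] == password:
            return e["credential"]
    return None


def map_credential(credential: str) -> str:
    """PCRE 'contains' match: the guide says 'foo' matches every credential
    containing foo.  No match yields a blank credential."""
    for m in MAP_CREDENTIALS:
        if re.search(m["input"], credential):
            return m["output"]
    return ""


def map_resource(original_url: str, http_method: str) -> str:
    for m in MAP_RESOURCES:
        if re.search(m["original_url"], original_url) and m["http_method"] in ("any", http_method):
            return m["resource"]
    return ""            # no match yields a blank resource


def authorize(credential: str, resource: str) -> bool:
    """Deny by default; allow only on a matching entry whose Access is allow."""
    for a in AUTHORIZE:
        if re.search(a["credential"], credential) and re.search(a["resource"], resource):
            return a["access"] == "allow"
    return False


def aaa(username: str, password: Optional[str], url: str, method: str) -> bool:
    """Authenticate, map credential and resource, then authorize."""
    credential = authenticate(username, password)
    if credential is None:
        return False
    return authorize(map_credential(credential), map_resource(url, method))


if __name__ == "__main__":
    print(aaa("bob", None, "/orders/1", "GET"))   # True via the passwordless entry
```

Because unmatched credentials and resources become empty strings before authorization, an Authorize entry whose Credential or Resource pattern is empty or unanchored (for example `.*`) matches that blank value and would grant access to every unmapped requester. Anchor the patterns, as the constructed entries do, and keep the map tables complete.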
SAML 1.0
Indicates a SAML Assertion 1.0.
SAML 1.1
Indicates a SAML Assertion 1.1.
Username Token
(Default) Indicates a WS-Security Username Token Type.
v If Version 6.1 or Version 6.2, the following formats are available:
Binary Security Token
Indicates a WS-Security BinarySecurityToken.
Custom
Indicates a custom token. When selected, requires the
specification of a Custom Request.
Custom Token
Indicates a custom token.
SAML 1.0
Indicates a SAML Assertion 1.0.
SAML 1.1
Indicates a SAML Assertion 1.1.
SAML 2.0
Indicates a SAML Assertion 2.0.
Kerberos Token
Indicates a WS-Security Kerberos Token.
Username Token
(Default) Indicates a WS-Security Username Token Type.
X.509 Token
Indicates a WS-Security X.509 Token.
h. When using TFIM 6.0, TFIM 6.1, or TFIM 6.2 and when Request Token
Format is Custom, select the location of the custom style sheet in the
Custom Request field. The custom style sheet file must be in the local: or
store: directory. Click Upload or Fetch to upload the custom style sheet file.
i. When Request Token Format is not Custom, define the following properties:
1) When using TFIM 6.0, TFIM 6.1, or TFIM 6.2, specify the scope for this
security token in the Applies-To Address field. For example, specify the
services to which this token applies:
http://tfim.ibm.com:9080/EchoApplication/Services/EchoServiceUser
http://9.33.97.251:9080/EchoApplication/Services/EchoServiceUser
The TFIM trust service uses this information to determine which trust
chain to invoke. To determine the correct value, consult your TFIM
administrator.
Appendix A. Referenced objects
3) When using TFIM 6.1 or TFIM 6.2, optionally specify the name of the
Web services port type to use in the Port Type field. A port type is a
group of Web services operations. For example:
EchoService
The TFIM trust service uses this information to determine which trust
chain to invoke with finer granularity. If a value is not specified, a
default value of NotSpecified is used. To determine the correct value,
consult your TFIM administrator.
4) When using TFIM 6.1 or TFIM 6.2, optionally specify the name of the
Web services operation to use in the Operation field. For example:
echo
The TFIM trust service uses this information to determine which trust
chain to invoke with finer granularity. If a value is not specified, a
default value of NotSpecified is used. To determine the correct value,
consult your TFIM administrator.
j. From the SSL Proxy Profile list, select an SSL Proxy Profile to manage
secure communications with the peer.
k. Use the Schema Validate Response toggle to specify whether to
schema-validate responses from the TFIM server. When enabled, TFIM
responses are schema-validated with the WS-Trust version that is defined by
the compatibility mode.
Kerberos objects
A basic description of the Kerberos authentication protocol is helpful for
understanding the support provided by the DataPower appliance.
The Kerberos authentication protocol uses a star topology with the Key
Distribution Center (KDC) at the center. Each Kerberos principal (a human, a
computer client, or an instance of a service running on a specific computer) is
registered with the KDC and shares a secret known only to the principal and
to the KDC. This shared secret is derived from a password for human principals
and is a randomly generated key stored in a keytab file for nonhuman principals.
When a Kerberos client (for example, Alice) wants to communicate securely with a
Kerberos server (for example, the FTP service), Alice must contact the KDC of her
Kerberos realm and request a ticket for the FTP service. At this point, the KDC
can require pre-authentication before responding, or it can immediately issue
the ticket to Alice.
The KDC response contains two items:
v A randomly generated session key encrypted with Alice's shared secret
v A ticket for the FTP service
The ticket contains:
v The identity of Alice
v The identity of the FTP service
v A ticket lifetime
Comments
Specify a descriptive object-specific summary.
Kerberos realm name
Specify the name of the Kerberos realm that is served by this KDC. A realm
can be served by several replicated KDCs; each Kerberos KDC Server object
names one KDC for one realm.
Kerberos KDC Server
Specify the host name or IP address of the KDC server. Click Ping to
verify connectivity.
Use TCP
Select whether to use UDP or TCP as the Transport Layer protocol to
access the KDC server.
on
Uses TCP.
off
Uses UDP.
Conformance Policy
A Conformance Policy defines which profiles to use to validate whether received
messages are in conformance to the selected profiles. A Conformance Policy
supports the following profiles:
v Web Services Interoperability (WS-I) Basic Profile, version 1.0, at
http://www.ws-i.org/Profiles/BasicProfile-1.0.html
v WS-I Basic Profile, version 1.1, at http://www.ws-i.org/Profiles/BasicProfile-1.1.html
v WS-I Attachments Profile, version 1.0, at http://www.ws-i.org/Profiles/
AttachmentsProfile-1.0.html
v WS-I Basic Security Profile, version 1.0, at http://www.ws-i.org/Profiles/
BasicSecurityProfile-1.0.html
A Conformance Policy is useful when a client generates non-conformant requests
for a conformant backend server. You can configure a Conformance Policy to fix
non-conformant requests during message processing. If the request contains signed
or encrypted data, a Conformance Policy cannot fix nonconformance issues unless
the cryptographic protection is removed before correction and reapplied afterward.
You can define whether all the requirements in a profile should be a conformance
check, or you can determine which requirements in a profile can be ignored. You
can also change conformance policy behavior by defining a distinct set of logging
and rejection parameters for responses or requests.
Note: When defining a Conformance Policy for a conformance filter, the
Conformance Policy cannot apply corrective style sheets or add WS-I Basic
Profile 1.0 assertions.
To define a Conformance Policy, use the following procedure:
1. Select Objects → XML Processing → Conformance Policy to display the
catalog.
2. Click Add to display the configuration screen.
3. In the Name field, enter the name for the object.
4. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
10. For all nonconformance reporting levels except Never, specify the target URL
to which to send conformance reports in the Destination field.
11. Select the degree of nonconformance to cause the message to be rejected from
the Reject non-conforming messages list.
Never (Default) Never rejects messages.
Failure
Rejects messages with conformance failures.
Warning
Rejects messages with conformance warnings or with conformance
failures.
12. Use the Include error summary toggle to determine whether to include the
summary for the conformance analysis in the rejection message for requests.
This option is for all nonconformance rejection levels except Never.
on
Includes the summary.
off
(Default) Does not include the summary.
13. Use the Use analysis as results toggle to determine whether to deliver the
conformance analysis as the result of the action.
on
Delivers the conformance analysis as the result of the action.
off
(Default) Does not deliver the conformance analysis as the result of the action.
14. Use the Distinct response behavior toggle to determine whether to define a
distinct set of logging and rejection parameters for responses.
on
Allows a distinct set of logging and rejection parameters for responses
(the response-direction settings in the following steps).
off
(Default) Responses use the same logging and rejection parameters as
requests.
15. From the Record Report (response direction) list, select the degree of
nonconformance to cause a conformance report to be recorded for responses.
Never (Default) Never records conformance reports.
Failure
Records conformance reports that indicate conformance failures.
Warning
Records conformance reports that indicate conformance warnings or
conformance failures.
Always
Always records conformance reports.
16. (Optional) For all nonconformance reporting levels except Never, specify the
target URL to which to send conformance reports for responses in the
Destination field.
17. From the Reject non-conforming response messages list, select the degree
of nonconformance that causes the response message to be rejected.
Never (Default) Never rejects messages.
Failure
Rejects messages with conformance failures.
Warning
Rejects messages with conformance warnings or with conformance
failures.
Appendix A. Referenced objects
283
18. Use the Include response error summary toggle to determine whether to
include the summary for the conformance analysis in the rejection message for
responses. This option is for all nonconformance rejection levels except Never.
on
Includes the summary.
off
Does not include the summary.
4. On the WSDL Compiler Options tab, define WSDL properties. This tab is
available on all appliances except for DataPower XML Accelerator XA35
appliances.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
After modifying the object, flush the stylesheet cache. For details, refer to
Flushing the stylesheet cache on page 396.
One level
Searches the entry level of the tree and any object that is one level
below the input.
Subtree
(Default) Searches the entry level of the tree and all of its descendants.
11. Click Apply to save the changes to the running configuration.
12. Optional: Click Save Config to save the changes to the startup configuration.
IMS Connect
An IMS Connect object handles IMS protocol communications from a DataPower
service to IMS applications. This object contains settings that affect the behavior of
the connection.
To configure an IMS Connect object, use the following procedure:
1. Select Objects → Network → IMS Connect.
2. Click Add.
3. In the Name field, enter the name for the object.
4. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
5. Optional: In the Comment field, enter a descriptive summary.
6. Specify the host name or IP address of the remote IMS Connect server in the
Host field.
7. Specify the port that the IMS Connect server monitors in the Port field.
8. Use the EBCDIC Header Conversion toggle to control EBCDIC header
conversion. Conversion affects only the header, not the payload. To convert
the payload, use a transformation in a processing policy. The user message
exit should be able to process EBCDIC data. Some user message exits can
handle both UTF-8 and EBCDIC.
on
Converts IMS headers to EBCDIC.
off
(Default) Does not convert IMS headers to EBCDIC.
9. Specify the two-letter prefix for the generated client ID in the Generate Client
ID Prefix field. If not specified, the prefix is set to DP.
10. In the Maximum Segment Size field, enter an integer in the range of 0 to 32
to specify the maximum segment size in kilobytes. The default is 0 which
disables segmentation.
v A Maximum Segment Size of 0 disables IMS message segmenting. With
message segmenting disabled, you must use a policy to handle an IMS
message with a segmented payload and with LL and ZZ segment headers.
v A Maximum Segment Size in the range from 1 to 32 enables message
segmenting and specifies the maximum segment size. The IMS message is
split into multiple segments of the specified size to send to IMS. A
multi-segment message from IMS is transformed into a message with one
continuous payload. Request side processing adds the LL and ZZ segment
headers. Response side processing removes the LL and ZZ segment headers.
The headers are handled the same for a message with a payload smaller
than the Maximum Segment Size.
11. Use the Expect LLLL Response Header toggle to indicate whether the
response message includes an extra 4-byte (LLLL) response message header
specifying the total response message size back from IMS Connect. The default
is off.
on
b. Specify the exit program to use for all IMS connections in the Exit
Program field.
c. Specify the name of the IMS client identifier in the Client ID field. If
blank, the user exit must generate it.
d. Specify the transaction code to invoke in the Transaction Code field. This
value can be overridden by specifying it in the backend URL. Refer to
Building an IMS Connect URL on page 64 for more information.
e. Specify the name of the data store (IMS destination ID) in the Data Store
field. This property must be specified by the client. The IMS Connect
returns the data store name from the exit in the OMUSR_DESTID OTMA
header field. This value can be overridden by specifying it in the backend
URL. Refer to Building an IMS Connect URL on page 64 for more
information.
f. Specify an override value in the Logical Terminal Name field. OTMA
places this value in the IOPCB field. If you do not specify an override value,
OTMA places the IMS Connect-defined TPIPE name in the IOPCB field. The
TPIPE name is set to one of the following values based on the commit
mode:
v If the commit mode is 0, sets the value to the client identifier (CLIENT
ID).
v If the commit mode is 1, sets the value to the port identifier (PORT ID).
If you use the LTERM value in the IOPCB to make logic decisions, be aware
of the naming conventions of the IOPCB LTERM name.
Note: For IMS host applications, the value for this property is set by the
user message exit. The user message exit either moves this value to
the OMHDRLTM OTMA field or sets OMHDRLTM with a predetermined
value.
g. Specify the plaintext string sent to the server to identify the client in the
RACF ID field.
h. Specify the RACF password in the RACF Password field.
i. Specify the RACF password again in the Confirm RACF Password field.
j. Specify the group to which the security ID belongs in the RACF Group
field.
k. Select the Unicode encoding scheme of the data from the Encoding
scheme list.
(none) (Default) Uses the encoding that is set by the IMS Connect
Handler object or by a transform action in the processing policy.
Default
Uses the encoding that is set by the message.
UCS2 Uses UCS-2 encoding.
UTF8
l. Specify an appropriate wait time for IMS server to return data to IMS
Connect in the IRM Timer field. This value sets the IRM_TIMER. Refer to the
IMS Connect documentation for details. For example, a value of 21 sets the
value to 0.21 seconds.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
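The following Python example is added here and is not part of the DataPower product or this guide. It models the request-side segmenting and response-side reassembly described for the Maximum Segment Size and Expect LLLL Response Header properties. The exact layout of the headers is an assumption: a 2-byte big-endian LL that counts the 4-byte LL/ZZ prefix plus the data, a ZZ of two zero bytes, and the kilobyte limit applied to the data portion of each segment.

```python
"""Added example (not DataPower code): IMS LL/ZZ segment handling as
described for the IMS Connect object. Header layout is an assumption."""
import struct

# Assumption: LL is a 2-byte big-endian length covering the 4-byte LLZZ
# prefix plus the data; ZZ is two zero bytes.
LLZZ = struct.Struct(">HH")


def segment_request(payload: bytes, max_segment_kb: int) -> bytes:
    """Add LL/ZZ headers to a request payload.

    max_segment_kb = 0 disables segmenting: the payload is returned
    untouched and a processing policy must supply the headers itself.
    1..32 splits the payload into segments of at most that many kilobytes
    of data (assumption), each prefixed by an LL/ZZ header.
    """
    if not 0 <= max_segment_kb <= 32:
        raise ValueError("Maximum Segment Size must be in the range 0..32")
    if max_segment_kb == 0:
        return payload
    chunk = max_segment_kb * 1024
    out = bytearray()
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        out += LLZZ.pack(len(data) + LLZZ.size, 0) + data
    return bytes(out)


def parse_response(raw: bytes, expect_llll: bool) -> bytes:
    """Strip the optional 4-byte LLLL total-length header and every LL/ZZ
    segment header from an IMS response, returning one continuous payload.

    Every length is validated before it is used, so a truncated or
    inconsistent message is rejected instead of yielding partial output.
    """
    body = raw
    if expect_llll:
        if len(raw) < 4:
            raise ValueError("message shorter than the LLLL header")
        total = struct.unpack(">I", raw[:4])[0]
        if total != len(raw):
            raise ValueError(f"LLLL says {total} bytes, got {len(raw)}")
        body = raw[4:]
    out = bytearray()
    pos = 0
    while pos < len(body):
        if len(body) - pos < LLZZ.size:
            raise ValueError(f"truncated LL/ZZ header at offset {pos}")
        ll, zz = LLZZ.unpack_from(body, pos)
        if ll < LLZZ.size or pos + ll > len(body):
            raise ValueError(f"bad LL={ll} at offset {pos}")
        if zz != 0:
            raise ValueError(f"unexpected ZZ={zz:#06x} at offset {pos}")
        out += body[pos + LLZZ.size:pos + ll]
        pos += ll
    return bytes(out)
```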
[Figure 9. Load balancer group with static members to support load balancing: a DataPower appliance load balancer group distributing traffic to application servers A, B, C and D]
[Figure: the DataPower appliance load balancer group communicating with the ODCInfo application in a WebSphere cell]
The communication between the DataPower appliance and the cell in the
WebSphere environment is as follows:
1. The ODCInfo application retrieves data about the application servers in the cell.
2. The WebSphere cell configuration retrieves the information from the ODCInfo
application and updates the data in the load balancer group.
3. The load balancer group uses this data to adapt to changing traffic conditions
and application server capabilities to optimally distribute traffic among the
application servers in the cell.
If your application server must maintain session affinity, you can configure session
affinity to override load balancing decisions.
Required software
For dynamic membership and weights to work, you must install WebSphere
Application Server Network Deployment or WebSphere Virtual Enterprise.
v For WebSphere Application Server Network Deployment, an administrator uses
the WebSphere Administrative Console to manually update the membership and
weight information of application servers.
v For WebSphere Virtual Enterprise, membership and weight information is
updated dynamically based on runtime conditions. To enable dynamic updates,
an administrator uses the WebSphere Administrative Console to enable dynamic
workload management.
First alive
Hash
Least connections
Round robin
Weighted least connections
could send more traffic to some servers. If there are servers with different
capacities in the group, processing cannot optimize the capacities of all the servers.
First alive
The first alive algorithm uses the concept of a primary server and backup servers.
v The primary server is the first server in the members list.
v A backup server is any subsequent server in the members list.
When the primary server is healthy, the DataPower service forwards all
connections to this server. When the primary server is quarantined or convalescent,
the DataPower service forwards connections to the next server in the list.
Hash
The hash algorithm uses the IP address of the client or the value of an HTTP
header as the basis for server selection.
When using an HTTP header, use the Load Balancer Hash Header property to
identify the header to read. This property is available for only Multi-Protocol
Gateway and Web Service Proxy services. Additionally, this property is available
on only the Main tab in the object view.
With the hash algorithm, the same client is served by the same server. Use this
algorithm for applications that require the storage of server-side state information,
such as cookies.
Least connections
The least connections algorithm maintains a record of active server connections and
forwards a new connection to the server with the least number of active
connections.
Round robin
The round robin algorithm maintains a list of servers and forwards a new
connection to the next server in the members list.
Membership
A load balancer group generally contains two or more members. Members can be
defined through static or dynamic membership.
Static membership
A load balancer group that uses a static membership configuration contains the
configuration settings that an administrator on the DataPower appliance explicitly
defined and persisted. These configuration settings do not change except under the
following conditions:
v The processing of a style sheet changes configuration settings for group
members
v An administrator enables and configures the workload management feature
Dynamic configuration
A load balancer group that uses a dynamic membership configuration retrieves
membership data through the workload management feature. To create a dynamic
membership configuration, you need to enable and configure the workload
management feature.
Even after enabling and configuring the workload management feature, a firmware
load uses the persisted configuration. Only after retrieving the workload
management information and updating the membership of the load balancer group
can the load balancer group use dynamic weight and membership information in
any load balancing decision.
When enabled, the load balancer group retrieves runtime information from the
WebSphere On Demand Configuration (ODCInfo) application. This information
overrides the membership information in the running configuration of the load
balancer group. The retrieved workload management information alters the
membership and weight of application server members in the load balancer group
so that the load balancer group can route traffic to the application server that can
best handle the load.
As new servers are brought online or as existing servers are taken offline, the
membership information in the load balancer group adapts to these changes.
Health checks
A health check is essentially a scheduled rule that sends the same request to each
member. The successful completion of the health check requires that the server
passes normal TCP and HTTP connection criteria. Optionally, the health check
contains a filter to test the response from the server. If the filter accepts the
response, the server is considered to be healthy; otherwise, it is considered to be
convalescent.
Session affinity
Session affinity overrides the load-balancing algorithm by directing all requests in
a session to a specific application server. For some applications to work correctly,
the application requires session affinity between the client and the application
server.
Session affinity enhances application performance by using in-memory caching, not
a database. Session affinity uses cookies to track session information and,
potentially, to maintain login credentials.
With session affinity, the application server that handles the first client request
generates session information and places it in a Set-Cookie header in the response.
The client inserts this information in a Cookie header in all future requests in this
session with this application server.
Session affinity populates these cookies with a session ID that contains the
following information:
v An identifier for the recovery of session data
v Routing information to ensure that all requests in this session are always routed
to the same application server
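The following Python model is an added example, not DataPower code, that brings together the algorithms, the health states (healthy, convalescent, quarantined) and the cookie-based session affinity described above. The Member and Group names, the use of a SHA-256 digest for the hash algorithm, the fallback to the client IP when the hash header is absent, and weighting by active connections divided by weight are all assumptions.

```python
"""Added example (not DataPower code): load balancer group member selection
with health states and session affinity, as described in this chapter."""
from dataclasses import dataclass, field
import hashlib
from typing import Optional

HEALTHY, CONVALESCENT, QUARANTINED = "healthy", "convalescent", "quarantined"


@dataclass
class Member:
    host: str
    weight: int = 1          # relative weight for the weighted algorithm
    state: str = HEALTHY     # maintained by health checks
    active: int = 0          # active connections (least connections)


@dataclass
class Group:
    members: list
    algorithm: str = "round-robin"
    hash_header: Optional[str] = None       # Load Balancer Hash Header
    affinity_cookie: Optional[str] = None   # monitored session cookie
    _rr: int = 0
    _sessions: dict = field(default_factory=dict)  # cookie value -> host

    def usable(self):
        # Only healthy members receive new connections; quarantined and
        # convalescent members are skipped.
        return [m for m in self.members if m.state == HEALTHY]

    def health_check(self, member, tcp_ok, http_ok, filter_ok=True):
        """A member passes when it meets the TCP and HTTP criteria and the
        optional response filter accepts the reply; otherwise it is marked
        convalescent."""
        passed = tcp_ok and http_ok and filter_ok
        member.state = HEALTHY if passed else CONVALESCENT

    def select(self, client_ip, headers=None, cookies=None):
        headers, cookies = headers or {}, cookies or {}
        # Session affinity overrides the algorithm while the member that
        # issued the cookie is still healthy.
        if self.affinity_cookie and self.affinity_cookie in cookies:
            host = self._sessions.get(cookies[self.affinity_cookie])
            for m in self.usable():
                if m.host == host:
                    return m
        pool = self.usable()
        if not pool:
            return None
        if self.algorithm == "first-alive":
            # Primary server is first in the list; next healthy one backs it up
            return pool[0]
        if self.algorithm == "hash":
            key = client_ip
            if self.hash_header:
                key = headers.get(self.hash_header, client_ip)
            digest = hashlib.sha256(key.encode()).digest()
            return pool[int.from_bytes(digest[:4], "big") % len(pool)]
        if self.algorithm == "least-connections":
            return min(pool, key=lambda m: m.active)
        if self.algorithm == "weighted-least-connections":
            # Assumption: load normalised by weight; higher weight is favoured
            return min(pool, key=lambda m: m.active / max(m.weight, 1))
        # round robin: next member in list order
        m = pool[self._rr % len(pool)]
        self._rr += 1
        return m

    def record_set_cookie(self, member, cookie_value):
        """First response of a session: remember which member issued the
        Set-Cookie so later requests carrying that Cookie are routed to it."""
        self._sessions[cookie_value] = member.host
```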
v Optional for groups of WebSphere servers that will use intelligent load
distribution. Requires the Option for Application Optimization feature.
5. Optional: On the Session Affinity tab, override the session affinity from a
WebSphere cell. Requires the Option for Application Optimization feature.
6. Optional: On the Health tab, define health check criteria.
7. Click Apply to save the changes to the running configuration.
8. Optional: Click Save Config to save the changes to the startup configuration.
c. For weighted algorithms: In the Weight field, enter the relative weight
(preference). The greater the value, the more likely this server is to receive a
connection request.
d. In the Mapped Server Port field, enter the member-specific target port or
retain the default value to use the DataPower service-defined port.
By default, member servers are contacted on the DataPower service-defined
port. However, if you have services running on different ports for different
member servers, explicitly identify the member-specific target port. If you
specify a nonzero value, that member server will always be contacted on
this port.
e. In the Health Port field, enter the member-specific health port or retain the
default value to use the load balancer group-defined port.
A nonzero value overrides the value for the Remote Port property of the
health check. This property is available during the configuration of the
health check on the Health tab.
f. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
g. Click Save.
5. Repeat the previous step to add another server as a static member.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
Procedure
1. Click Network Other Load Balancer Group.
2. Click the name of the load balancer group.
3. Click the Session Affinity tab.
4. Set the Override WebSphere Cell Configuration check box. The pane refreshes
to display additional parameters.
5. From the Mode list, select the type of session affinity.
6. For active-conditional: Define the cookies to monitor.
a. In the Monitored Cookies field, enter the name of the cookie to monitor.
b. Click Add.
7. Optional: Repeat the previous step to add another cookie. The configuration
requires at least one cookie.
Results
Session affinity is enabled for non-WebSphere application servers.
Procedure
1. Click Objects Network Settings Load Balancer Group.
2. Click the name of the load balancer group to modify.
3. Modify a load balancer group to use the workload management information
from the WebSphere cell (WebSphere deployment manager).
a. Set Retrieve Workload Management Information to on. The WebGUI
refreshes to display additional properties.
b. From Workload Management Retrieval list, select WebSphere Cell.
c. From WebSphere Cell Subscription list, select a WebSphere Cell
configuration.
d. In Workload Management Group Name field, enter the name of the
WebSphere cluster.
4. Review the session affinity information on the Session Affinity tab to ensure
that session affinity is correctly configured.
5. Click Apply to save the changes to the running configuration information.
6. Click Save Config to save the changes to the startup configuration.
Results
The load balancer group begins to request information from the ODCInfo
application.
Disabling members
If you need to disable a member, you can disable the member from the load
balancer group without deleting the member from the group.
To
1.
2.
3.
4. Disable members.
a. Click the pencil icon to edit the member.
b. Set Admin State to disable to place the member in an inactive
administrative state.
c. Click Save.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
v ODCInfo_ND60.war
v ODCInfo_ND61.war
v ODCInfoCheckInstall.jacl
v ODCInfoDeploy.jacl
v ODCInfoStart.jacl
v ODCInfoUninstall.jacl
from the directory /AO on your CD-ROM or Fix Central.
Procedure
1. Install the ODCInfo application on the deployment manager.
2. Start the ODCInfo application.
3. Create or modify a load balancer group to use the ODCInfo application to
retrieve workload management information from the WebSphere cell.
Procedure
1. Copy the ODCInfo.war file, ODCInfoCheckInstall.jacl, ODCInfoStart.jacl, and
ODCInfoDeploy.jacl to a local directory on the deployment manager.
2. Choose the Web archive file that matches the version of WebSphere Application
Server product.
v For version 6.0.x, use ODCInfo_ND60.war
v For version 6.1.x or version 7.0.x, use ODCInfo_ND61.war
3. Log in from the command line to the deployment manager.
4. Navigate to the /bin directory under the deployment manager profile. For
example:
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
5. Install the ODCInfo application by entering:
./wsadmin.sh -f script_path/ODCInfoDeploy.jacl dmgr_server_name dmgr_node_name path_to_war_file ODCInfo
For example:
./wsadmin.sh -f /tmp/ODCInfoDeploy.jacl dmgr wasnode2CellManager01 /tmp/ODCInfo_ND61.war ODCInfo
6. Verify the installation by entering:
./wsadmin.sh -f script_path/ODCInfoCheckInstall.jacl cellName dmgr_server_name ODCInfo
A message is displayed indicating whether the application is installed.
7. Ensure that you define the host name and port for the ODCInfo application as
a host_alias for the default_host under WebSphere Application Server virtual
hosts.
What to do next
Start the ODCInfo application.
Procedure
1. Copy ODCInfoStart.jacl to a local directory on the deployment manager.
2. Log in from the command line to the deployment manager.
3. Navigate to the /bin directory under the deployment manager profile.
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
4. Start the application by entering:
./wsadmin.sh -f script_path/ODCInfoStart.jacl cellName dmgr_node_name ODCInfo
For example:
./wsadmin.sh -f /tmp/ODCInfoStart.jacl dpblade34Cell01 dpblade34CellManager01 ODCInfo
5. Verify that the ODCInfo application started.
a. Log in to the WebSphere Administrative Console.
b. Click Applications Enterprise Applications.
What to do next
Create or modify a DataPower load balancer group.
Procedure
1. Copy the ODCInfoCheckUninstall.jacl file to a local directory on the
WebSphere deployment manager.
2. Log in from the command line to the deployment manager.
3. Navigate to the bin directory of the deployment manager profile. For example:
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
What to do next
Install the ODCInfo application.
off
(Default) Uses shell style expressions.
7. Use the Boolean Or Combinations toggle to indicate whether to combine the
match criteria with OR semantics or with AND semantics.
on
b. Select the desired match type from the Matching Type list.
c. Define the matching criteria.
d. Click Save.
Repeat this step to define another matching rule.
9. Click Apply to save the changes to the running configuration.
10. Optional: Click Save Config to save the changes to the startup configuration.
Processing Metadata
A Processing Metadata object identifies items of metadata information from or
about a transaction, such as the value of a protocol header (such as HTTP Host) or
the size of the message. These items of information are retrieved and returned
to the object referencing the Processing Metadata object, such as an AAA Policy.
For example, a business use case might require the DataPower appliance to
authenticate a user based on the user identity in an MQ protocol header, coupled
with the name of the MQ Queue Manager that holds the request message. The
AAA Policy that implements this solution would use a Processing Metadata object
to retrieve those two meta-items and return them in a nodeset to the AAA Extract
Identity step.
To add a Processing Metadata object, use the following procedure:
1. Select Objects XML Processing Processing Metadata to display the
Processing Metadata catalog.
2. Click Add to display the Processing Metadata object configuration screen.
3. Use the properties on the Main tab to define the name of the object.
4. Use the controls on the Metadata Item tab to define the metadata items that
this object retrieves.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
Note: Refer to the store:///ProcessingMetadata.html file on the appliance for
complete information about the items available.
Main tab
Use the properties on the Main tab to provide the following inputs:
Name Specify an alphanumeric string for the name. Other objects can use this
name to reference this object.
Admin State
Retain the default setting. To place the object in an inactive administrative
state, click disabled.
Comments
Specify a descriptive object-specific summary.
Continue to the Metadata Item tab to configure the items retrieved by this object.
Client to Server
A rule applied only to client-originated documents
Server to Client
A rule applied only to server-originated documents
Both Directions
A bidirectional rule applied to both client- and
server-originated documents
Input Filter
Select a decompression algorithm to apply to the entire message
payload prior to the first action of the rule executing.
gzip
PKZIP
The message will be decompressed using the pkzip algorithm.
PKZIP
The message will be decompressed using the pkzip algorithm.
The created archive contains only one file. If the message contains
attachments, the attachments are contained in the one file.
Non-XML Processing
Select whether to enable or disable the processing of non-XML
documents.
on
off
Unprocessed
Select whether to determine whether the actions of the rule will take
effect on the message. This duplicates the Request Type and Response
Type properties of the services.
Actions
Use the Add and Delete buttons, with the list of available processing
actions, to manage actions for this processing rule.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
Rules tab
1. Click the Rules tab to display the Schema Exception Map Configuration (Rules)
screen.
2. Click Add to display the Rules Property window. Use this window to define
schema exception rules.
3. Provide the following inputs:
XPath Expression
Specify an XPath expression. This expression defines a schema element
or elements subject to this rule. Click XPath Tool to launch the
graphically-oriented XPath expression builder. You will need to upload
an example document. The tool then allows you to click on an element
to construct the corresponding XPath expression.
Type
Require Encrypted
Specifies that elements defined by the XPath expression must
be encrypted
4. Click Save to return to the Schema Exception Map Configuration (Rules)
screen, which now displays the exception rule.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
Unlike message (count and duration) monitors and Web services monitors, SLMs
are not directly assigned to a DataPower service. SLMs are implemented as part of
a processing policy.
5) In the Threshold Level field, enter the threshold that triggers the
action.
6) In the High-Low Release Level field, if the algorithm is high-low, enter
the low threshold (stop point).
7) In the Burst Limit field, if the algorithm is token bucket, enter the size
of the committed burst.
i. Define reporting intervals.
1) In the Reporting Aggregation Interval field, enter the interval at which
to report statistics.
2) In the Maximum Records Across Intervals field, enter the maximum
aggregation of reporting records. A single aggregation interval can
contain multiple records; for example, one record per resource or
credential. Use this property to configure the maximum number of total
records to save across the maximum number of intervals.
j. Auto Generated by GUI is read-only.
k. In the Maximum Credentials-Resource Combinations field, enter the
maximum number of records for credential and resource combinations to
set a maximum memory-consumption threshold.
l. Click Save.
9. Repeat the previous step to define another statement.
10. Click Apply to save the changes to the running configuration.
11. Optional: Click Save Config to save the changes to the startup configuration.
12. Optional: Click Save Config to save the changes to the startup configuration.
7. In the URL field, enter the URL to communicate with the peer member and
click Add.
8. Click Apply to save the changes to the running configuration.
9. Optional: Click Save Config to save the changes to the startup configuration.
Keep
Remove
Remove this SOAP header or child element.
Fault Generate a SOAP fault if the element exists.
4. Click Save to return to the SOAP Header Disposition Table configuration
(SOAP Header Refine Instruction) screen, which now displays the refinement
instruction.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
High-level configuration
To create a SQL data source:
1. Click Objects Network Setting SQL Data Source.
2. Click Add.
3. On the Main tab, define the basic configuration.
4. Optional: On the Data Source Configuration Parameters tab, define optional
but valid ODBC (or CLI) configuration parameters.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
The TIBCO EMS server provides messaging services for applications that
communicate by monitoring queues. The TIBCO EMS server ensures that sent
messages are directed to the correct receive queue or ensures that messages are
routed to another queue manager.
v Use any service object with a processing policy that contains a style sheet with a
url-open extension function. The url-open must use the HTTP-headers parameter
the same way as it is specified for the soap-call extension function.
v Use a TIBCO EMS Front Side Handler object to send a response to a response
queue. The response header must contain the name-value pair
DP_JMSMessageType: map.
Note: In each case, if the DP_JMSMessageType header is not set, the message is
not converted to the map message format. Instead, XML is sent as the
TIBCO EMS Text or Byte Message.
    </xs:complexType>
  </xs:element>
  <!-- Element of array -->
  <xs:element name="Element">
    <xs:complexType mixed="true">
      <xs:sequence/>
    </xs:complexType>
  </xs:element>
</xs:schema>
The following example shows the XML representation of a TIBCO EMS Map
Message:
<Message>
  <!-- nested map message #1 -->
  <Field name="map1" type="map_message">
    <Message>
      <Field name="an_empty1_double_array" type="double_array"/>
      <Field name="an_empty1_long_array" type="long_array"/>
      <Field name="an_empty1_short_array" type="short_array"/>
      <Field name="floaty" type="float">100000.00</Field>
      <Field name="map11" type="map_message">
        <Message>
          <Field name="int_array" type="int_array">
            <Array>
              <Element>100000</Element>
              <Element>2147483647</Element>
              <Element>-2147483647</Element>
              <Element>2147483648</Element>
              <Element>-2147483649</Element>
              <Element></Element>
              <Element>BOGUS</Element>
            </Array>
          </Field>
          <Field name="map111" type="map_message">
            <Message/>
          </Field>
          <Field name="stringy" type="string">This is a quick brown fox.</Field>
        </Message>
      </Field>
      <Field name="map12" type="map_message">
        <Message/>
      </Field>
    </Message>
  </Field>
  <!-- nested map message #2 -->
  <Field name="map2" type="map_message">
    <Message>
      <Field name="booly" type="bool">True</Field>
      <Field name="map21" type="map_message">
        <Message/>
      </Field>
      <Field name="the_bytes" type="bytes">RnJvbSBNb3Njb3cgV2l0aCBMb3ZlCg==</Field>
    </Message>
  </Field>
  <!-- one short array -->
  <Field name="short_array" type="short_array">
    <Array>
      <Element>5146</Element>
      <Element>32767</Element>
      <Element>-32767</Element>
      <Element>32768</Element>
      <Element>-32769</Element>
      <Element></Element>
      <Element>BOGUS</Element>
    </Array>
  </Field>
  <!-- one short field -->
  <Field name="shorty" type="short">5146</Field>
</Message>
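The following Python parser is an added example, not DataPower code, that reads the XML representation of a TIBCO EMS Map Message shown above (Message, Field, Array and Element) into Python values and validates each typed value. This guide does not state how the appliance treats the out-of-range and BOGUS array elements in the sample, so the parser reports them as errors (an assumption), and the Java/JMS integer widths used for short, int and long are also assumptions. The embedded sample is a constructed, reduced version of the example above.

```python
"""Added example (not DataPower code): parse and validate the XML form of a
TIBCO EMS Map Message. Integer widths and error handling are assumptions."""
import base64
import xml.etree.ElementTree as ET

# Assumption: signed integer ranges follow Java/JMS widths
RANGES = {"short": (-2**15, 2**15 - 1), "int": (-2**31, 2**31 - 1),
          "long": (-2**63, 2**63 - 1)}


def _scalar(kind, text, path, errors):
    """Convert one typed value; append a message to errors and return None
    when the text is not a valid value of that type."""
    if kind == "string":
        return text or ""
    text = (text or "").strip()
    if kind in RANGES:
        try:
            value = int(text)
        except ValueError:
            errors.append(f"{path}: '{text}' is not a valid {kind}")
            return None
        lo, hi = RANGES[kind]
        if not lo <= value <= hi:
            errors.append(f"{path}: {value} is out of range for {kind}")
            return None
        return value
    if kind in ("float", "double"):
        try:
            return float(text)
        except ValueError:
            errors.append(f"{path}: '{text}' is not a valid {kind}")
            return None
    if kind == "bool":
        if text.lower() in ("true", "false"):
            return text.lower() == "true"
        errors.append(f"{path}: '{text}' is not a valid bool")
        return None
    if kind == "bytes":
        try:
            return base64.b64decode(text, validate=True)  # strict base64
        except ValueError:
            errors.append(f"{path}: value is not valid base64")
            return None
    errors.append(f"{path}: unknown type '{kind}'")
    return None


def parse_message(msg, path="", errors=None):
    """Return (dict, errors) for a <Message> element, recursing into
    nested map_message fields and expanding *_array fields to lists."""
    errors = [] if errors is None else errors
    out = {}
    for fld in msg.findall("Field"):
        name, kind = fld.get("name"), fld.get("type")
        fpath = f"{path}/{name}"
        if kind is None:
            errors.append(f"{fpath}: Field without a type attribute")
            continue
        if kind == "map_message":
            child = fld.find("Message")
            out[name] = parse_message(child, fpath, errors)[0] if child is not None else {}
        elif kind.endswith("_array"):
            base = kind[:-len("_array")]
            arr = fld.find("Array")
            elems = arr.findall("Element") if arr is not None else []
            out[name] = [_scalar(base, e.text, f"{fpath}[{i}]", errors)
                         for i, e in enumerate(elems)]
        else:
            out[name] = _scalar(kind, fld.text, fpath, errors)
    return out, errors


def parse_map_message(xml_text):
    """Parse a complete Map Message document; returns (values, errors)."""
    root = ET.fromstring(xml_text)
    if root.tag != "Message":
        raise ValueError("root element must be <Message>")
    return parse_message(root)


# Constructed sample, reduced from the example in this guide
SAMPLE = """<Message>
  <Field name="map1" type="map_message">
    <Message>
      <Field name="floaty" type="float">100000.00</Field>
      <Field name="int_array" type="int_array">
        <Array><Element>2147483647</Element><Element>2147483648</Element>
        <Element>BOGUS</Element></Array>
      </Field>
      <Field name="empty" type="map_message"><Message/></Field>
    </Message>
  </Field>
  <Field name="booly" type="bool">True</Field>
  <Field name="the_bytes" type="bytes">RnJvbSBNb3Njb3cgV2l0aCBMb3ZlCg==</Field>
  <Field name="shorty" type="short">5146</Field>
</Message>"""
```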
Transactional messaging
Many times in asynchronous messaging, there is a one-way message flow
paradigm. A message is picked up off a queue or topic, multistep processing runs,
and the message is put on a backside queue or topic. With transactional messaging,
if the backside PUT or any PUT in multistep processing fails, the front-side GET is
rolled back.
Another common message pattern is message fanout. In this case, a message is
picked up on the front side and sent to several output queues. With transactional
messaging, if any of these multiple PUT operations fails, the original message is
rolled back on the front side.
To support transactional messaging in these message patterns, use the same TIBCO
EMS session to perform all the operations within the DataPower transaction. To
share the same TIBCO EMS session, receive messages from and deliver messages
to the same TIBCO EMS server.
The following sections describe the requirements to configure transactional
messaging for different scenarios.
With this configuration, the TIBCO EMS Front Side Handler and the TIBCO EMS
backend URL share the same TIBCO EMS transacted session. A single COMMIT or
ROLLBACK operation is issued depending on the processing result. This
guarantees once-and-only-once delivery of TIBCO EMS messages.
v For the handler and the backend URL, use the same TIBCO EMS Server object
with the Transactional property enabled.
v Define the TIBCO EMS URL using the Sync=true parameter. For example:
dptibems://TIBCOEMSServer?RequestQueue=OUTQUEUE&ReplyQueue=BACK_INQUEUE&Sync=true
This configuration uses the same transacted TIBCO EMS session from TIBCO EMS
to the TIBCO EMS service object for these operations:
1. Receive messages on the front side
2. Send messages on the back
3. Perform a COMMIT or ROLLBACK operation immediately after sending the
request message on the back side.
If the TIBCO EMS Front Side handler is configured with a put queue property, the
reply message from the back response queue is received as a part of a new
transaction. In other words, there are two TIBCO EMS unidirectional transactions:
1. The first transaction carries the message from the front side request queue to
back side request queue.
2. The second transaction carries the reply message from the back side response
queue to the front side response queue.
High-level configuration
When configuring the client connection to the TIBCO EMS server, you can define
the server in the following ways:
v As a unique host (without fault-tolerance or load-balancing)
v As a pair of fault-tolerant hosts
v As a group of load-balanced hosts
v As a group of load-balanced hosts with fault-tolerance
To configure a TIBCO EMS object, use the following high-level procedure:
1. Select Objects Network Settings TIBCO EMS to display the TIBCO EMS
catalog.
2. Click Add to display the TIBCO EMS configuration screen.
3. Define the basic properties on the Main tab.
4. Optionally define load-balancing and fault-tolerance behavior on the Load
Balancing/Fault-Tolerance tab.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
off
(Default) Disables transactional processing.
In a transacted session, a group of related messages is sent and received
in a single transaction.
b. Specify the memory allocation for pending messages in the Memory
Threshold field. The value is in bytes. Use an integer in the range of
1048576 through 1073741824. The default is 268435456.
c. Specify the MTU for the current TIBCO EMS server in the Maximum
Message Size field. The value is in bytes. The MTU defines the maximum
size of messages that this server can process. Messages that are larger
than the specified value are dropped. Use an integer in the range of
1048576 through 1073741824. The default is 1048576.
d. Select the default message type from the Default Message Type list. The
selected value is used when the message type cannot be determined from
message headers.
Byte
Text
For example, with default values (20 for sessions per connection, and 5 for
connection limit) and 3 active fully-subscribed connections, a new session
request generates the establishment of a fourth connection.
9. Optionally enable an automatic critical error-recovery procedure:
a. Use the Automatic Retry toggle to control whether to enable the automatic
recovery procedure. This procedure attempts to reestablish a connection
that was closed in response to an error condition.
on
off
on
off
(Default) Disables the logging facility.
12. Specify the domain name or IP address with the listening port of the TIBCO
EMS server in the TIBCO EMS Server Host field. Specify this value in the
host:port format. Without a port specification, the default is port 7222.
13. Specify the string that identifies the connection client in the TIBCO EMS
Connection Client ID field.
14. Retain the default selection for the Load Balancing Algorithm list.
15. Click Apply to save the changes to the running configuration.
16. Optional: Click Save Config to save the changes to the startup configuration.
off
Disables the automatic critical error-recovery procedure.
b. When enabled, specify the interval between connection attempts in the
Retry Interval field. This interval is in seconds.
10. Optionally select an SSL Proxy Profile from the SSL Profile list. The SSL
Proxy Profile is used to establish a secure connection to the server. Refer to
IBM WebSphere DataPower SOA Appliances: Appliance Overview and IBM
WebSphere DataPower XML Integration Appliance XI50: XSL Accelerator
Developers Guide for details.
11. Use the Enable JMS-Specific Logging toggle to enable an enhanced
JMS-specific logging facility.
on
off
(Default) Disables the logging facility.
12. Specify the domain name or IP address in the TIBCO EMS Server Host field.
Appendix A. Referenced objects
12. Specify the domain name or IP address in the TIBCO EMS Server Host field.
Note: This property is a required property, but it is ignored in this
configuration.
13. Specify the string that identifies the connection client in the TIBCO EMS
Connection Client ID field.
14. Select the algorithm from the Load Balancing Algorithm list:
None
Least Connections
Creates a connection to the server that has the least number of active
connections.
Byte Rate
Creates a connection to the server that has the lowest total byte rate
(input and output).
15. Define load-balancing capabilities:
a. Click the Load Balancing/Fault-Tolerance tab.
b. Click Add to display the Load Balancing/Fault-Tolerance property
window.
c. Define the load balancing behavior:
1) Specify the domain name or IP address with the listening port of a
member server in the TIBCO EMS Server Host field in the host:port
format. Without a port specification, the default is port 7222.
2) Do not specify anything in the TIBCO EMS Backup Server Host field.
3) Click Save to return to the Load Balancing/Fault-Tolerance property
window.
d. Repeat step 15c for another server for load-balancing.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
15. Define load-balancing and fault-tolerance capabilities:
a. Click the Load Balancing/Fault-Tolerance tab.
b. Click Add to display the Load Balancing/Fault-Tolerance property
window.
c. Define the load balancing and fault-tolerance behavior:
1) Specify the domain name or IP address with the listening port of the
primary member server in the TIBCO EMS Server Host field in the
host:port format. Without a port specification, the default is port 7222.
2) To add fault-tolerance to this member server, specify the domain name
or IP address with the listening port of the backup member server in
the TIBCO EMS Backup Server Host field in the host:port format.
Without a port specification, the default is port 7222.
3) Click Save to return to the Load Balancing/Fault-Tolerance property
window.
d. Repeat step 15c for another server for load-balancing or for another
fault-tolerance primary-backup server pair.
16. Click Apply to save the changes to the running configuration.
17. Optional: Click Save Config to save the changes to the startup configuration.
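The following script is an added illustration and is not part of this guide or of the appliance firmware. It parses host:port values with the 7222 default, models the session-to-connection growth from the example above with the default values (20 sessions per connection, 5 connections), and picks a member server with the Least Connections and Byte Rate algorithms, falling back to the backup host of a fault-tolerant pair. Host names, connection counts and byte rates are constructed sample values; treating None as "take the first member" is an assumption, since the page gives no description for it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_EMS_PORT = 7222  # used when the TIBCO EMS Server Host value omits the port


def parse_ems_host(spec: str) -> Tuple[str, int]:
    """Split a 'host' or 'host:port' value as entered in the TIBCO EMS Server Host
    (or Backup Server Host) field. Assumption: plain host names or IPv4 addresses
    only; bracketed IPv6 literals are not handled here."""
    spec = spec.strip()
    if not spec:
        raise ValueError("server host must not be empty")
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, DEFAULT_EMS_PORT
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid host:port value {spec!r}")
    return host, int(port)


def connections_for_sessions(sessions: int, sessions_per_connection: int = 20,
                             connection_limit: int = 5) -> int:
    """Connections the appliance must hold to accommodate `sessions` sessions, using
    the defaults quoted above. With three fully subscribed connections (60 sessions)
    the 61st session opens a fourth; beyond the connection limit the request cannot
    be served."""
    needed = -(-sessions // sessions_per_connection)  # ceiling division
    if needed > connection_limit:
        raise RuntimeError(f"{sessions} sessions need {needed} connections, "
                           f"limit is {connection_limit}")
    return needed


@dataclass
class Member:
    """One row of the Load Balancing/Fault-Tolerance tab (constructed sample)."""
    primary: str                   # TIBCO EMS Server Host
    backup: Optional[str] = None   # TIBCO EMS Backup Server Host; None = no fault tolerance
    active_connections: int = 0    # connections currently open to this member
    byte_rate_in: float = 0.0      # observed input byte rate (sample value)
    byte_rate_out: float = 0.0     # observed output byte rate (sample value)
    primary_up: bool = True

    def target(self) -> Tuple[str, int]:
        """Fault tolerance: connect to the backup host when the primary is down."""
        if self.primary_up or self.backup is None:
            return parse_ems_host(self.primary)
        return parse_ems_host(self.backup)


def choose_member(members: List[Member], algorithm: str) -> Member:
    """Pick the member server according to the Load Balancing Algorithm list value."""
    if not members:
        raise ValueError("no member servers configured")
    if algorithm == "None":
        # Assumption: no description on the page; treated as "take the first member".
        return members[0]
    if algorithm == "Least Connections":
        return min(members, key=lambda m: m.active_connections)
    if algorithm == "Byte Rate":
        # lowest total byte rate, input and output combined
        return min(members, key=lambda m: m.byte_rate_in + m.byte_rate_out)
    raise ValueError(f"unknown load balancing algorithm {algorithm!r}")


def sample_members() -> List[Member]:
    """Constructed load-balanced group: one fault-tolerant pair plus two single hosts."""
    return [
        Member("ems-a.example.com", backup="ems-a2.example.com:7223",
               active_connections=4, byte_rate_in=900.0, byte_rate_out=300.0,
               primary_up=False),
        Member("ems-b.example.com", active_connections=1,
               byte_rate_in=5000.0, byte_rate_out=2000.0),
        Member("ems-c.example.com:7230", active_connections=2,
               byte_rate_in=100.0, byte_rate_out=50.0),
    ]


if __name__ == "__main__":
    group = sample_members()
    for algorithm in ("None", "Least Connections", "Byte Rate"):
        chosen = choose_member(group, algorithm)
        print(f"{algorithm:17} -> {chosen.primary:24} connects to {chosen.target()}")
    print("61 sessions need", connections_for_sessions(61), "connections")
```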
Overview
A UDDI Subscription object defines a collection of UDDI version 3 subscriptions
available on a particular UDDI Registry. UDDI version 3 subscriptions pair a
persistent registry query with a notification mechanism to allow clients to be
notified when data that is matched by the query is updated. When WSDL services
are published in a UDDI Registry, properly configured UDDI subscriptions can be
used to capture the registry information needed to automatically configure a
service virtualization using Web Service Proxy via subscription notifications.
Registry subscriptions
To configure the service virtualization in a Web Service Proxy, the DataPower
appliance needs access to both the interface tModel and the implementation
bindingTemplate. As these registry components can be updated separately, two
different subscriptions in the registry are required:
v One to retrieve the bindingTemplate
v One to retrieve the tModel
In the case of a deployment that follows the more detailed Technical Note
mapping, where the WSDL interface is represented with more than one tModel, the
DataPower appliance needs access to the tModel that represents the wsdl:binding.
Alternatively, for a deployment that follows one of the previous alternate mappings,
where there is no interface tModel, only the subscription for the bindingTemplate
is required.
The actual registry subscriptions that retrieve the tModel and bindingTemplate
can be configured in several ways. Because bindingTemplates are contained by
businessServices, it is possible to retrieve the bindingTemplate information either
with a bindingTemplate query or with a businessService query. Further, two
different queries are available to retrieve each object kind. Registry objects can be
retrieved directly by key using get queries (get_serviceDetail, get_bindingDetail,
and get_tModelDetail), or matched against a set of criteria using the find queries
(find_service, find_binding, and find_tModel). Get queries can be used as a
simple way to retrieve a particular service from the registry. In more complex
scenarios, it might be desirable to define service categorizations that can be
subscribed to in bulk with find queries, which allows the subscription process to
be decoupled from the service registration process. Consult your registry tooling on
how to establish and use custom categories in the registry.
In addition to using one of these queries as a filter, the subscription itself can be
configured for a specific notification interval and specific expiration date. The
subscription can be configured as either brief or verbose mode. The DataPower
appliance supports both modes. When brief is selected, the DataPower appliance
initiates requests back to the registry to retrieve any detailed information it
requires. To receive periodic update notifications, the subscriptions must be
configured to notify the subscription listener service on the XML Management
Interface of the DataPower appliance. Configuring the listener is typically done by
selecting a service endpoint as the notification type, and entering the URL for the
subscription listener service. For example:
https://192.168.1.25:5550/service/uddi-subscription
Note: The XML Management Interface of the DataPower appliance must be enabled,
and the UDDI Subscriptions box checked, to allow the appliance to receive
subscription information notifications.
After the required subscriptions are created in the registry, their keys can be
added to one or more UDDI Subscription objects on the DataPower
appliance. Each UDDI Subscription object must contain all of the keys that
are needed to retrieve all of the required service information. In other
words, each UDDI Subscription object will have at least two subscription keys.
UDDI Registry
To create a UDDI Registry object that specifies the location of a UDDI registry and
the information to access it, perform the following procedure:
1. Select Objects → Configuration → UDDI Registry to display the UDDI
Registry catalog.
2. Click Add to display the UDDI Registry Configuration screen.
3. In the Name field, enter the name for the object.
4. Retain the default setting for Admin State. To place in an inactive
administrative state, click disabled.
5. Optional: In the Comment field, enter a descriptive summary.
6. Specify the domain name or IP address of the UDDI registry in the Host field.
7. Specify the port number for the SOAP over HTTP interface in the Port field.
This UDDI registry port is generally used for UDDI browsing. The default is
80.
8. Use the Use SSL radio buttons to select how to use SSL when accessing the
UDDI registry.
Publish
(Default) Specifies that publish requests to the UDDI registry use an
SSL connection.
Always
Specifies that all requests to the UDDI registry use an SSL connection.
9. Specify the port number for the SOAP over HTTPS interface of the UDDI
registry in the Port (SSL) field. This UDDI registry port is generally used for
UDDI inquiries. The default is 443.
10. Select the SSL profile to use for access to the UDDI registry from the SSL
proxy profile list.
11. Define the local path (URI) for the different types of requests to the UDDI
registry. Depending on the selection, the complete URL has one of the
following formats:
URL for non-SSL access
http://hostname:port/uri
URL for SSL access
https://hostname:port_ssl/uri
a. Specify the URI to complete the URL for query requests in the Inquiry
URL field. The default is /uddi/inquiry.
b. Specify the URI to complete the URL for publish requests in the Publish
URL field. The default is /uddi/publish. Publish requests require SSL
access.
c. Specify the URI to complete the URL for subscribe requests in the
Subscription URL field. The default is /uddi/subscription.
d. Specify the URI to complete the URL for security requests in the Security
URL field. The default is /uddi/security.
12. Select the API version of the UDDI registry from the Version list.
13. Click Apply to save the changes to the running configuration.
14. Optional: Click Save Config to save the changes to the startup configuration.
UDDI Subscription
To create UDDI Subscription objects, perform the following procedure:
1. Select Objects → Services → UDDI Subscription to display the UDDI
Subscription catalog.
2. Click Add to display the UDDI Subscription Configuration screen.
3. Provide the following inputs:
Name Specify the name of the object. This must be unique among all UDDI
Subscription objects in this or any other application domain. The name
must contain only alphanumeric characters.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
Subscription Key
This is one or more keys for the subscription, which must already exist
in the UDDI registry. To track services that are modeled in UDDI using
both services and tModels (for example, when following UDDI Best
Practices), several subscriptions will be required to receive updates for
both the service and tModel components. All of these subscriptions
must use the same user name and password.
To include a key, specify the key value in the blank input field
alongside the Add button and click Add. A key value resembles the
following string:
uddi:89069b00-4a67-11db-8c9a-51a164e08c97
Username
Specify the user name used to authenticate with the Registry. This user
name must be defined on the Registry.
Password
Specify the password used to authenticate with the Registry.
Confirm Password
Repeat the password to confirm the value.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
1. Click the Services tab to display the list of configured Web services.
2. Click Publish to UDDI to display the UDDI Publish window.
3. Select the target registry from the UDDI Registry list.
4. Click Continue.
5. Specify the login name for registry access in the Username field.
6. Specify the password for the user in the Password field.
7. Click Continue.
URL Map
A URL map contains a list of URLs or shell-style match expressions that define a
URL set. Incoming or cached documents can be evaluated against the match
expressions in the map to determine whether the document is granted specific
processing. For example, an XML manager might reference one or more URL maps
to determine whether a cached style sheet is refreshed periodically or whether it is
subject to a Compile Options Policy.
1. Select Objects → XML Processing → URL Map to display the URL Map catalog.
2. Click Add to display the URL Map Configuration (Main) screen.
3. Provide the following inputs:
Name Specify the name of this URL Map.
Admin State
Retain the default setting. To place the object in an inactive administrative
state, click disabled.
Comments
Specify a descriptive object-specific summary.
The rewrite rules in the URL Rewrite Policy are applied before document
processing. Therefore, the evaluation criteria in the Matching Rule is against the
rewritten value.
Use the following method to create a URL Rewrite Policy:
1. Select Objects → XML Processing → URL Rewrite Policy to display the URL
Rewrite Policy catalog.
2. Click Add to display the URL Rewrite Policy Configuration (Main) screen.
3. Provide the following inputs:
Name Specify the name of this URL Rewrite Policy.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
URL Rewrite Direction
Select the direction of the URL Rewrite Policy. Direction is applied at
the service level and has no effect on other policies.
Both
Applies to both client requests and server responses.
Request
Applies to client requests only.
Response
Applies to server responses only.
4. Continue with Creating a URL Rewrite Policy.
match condition that triggers the rewrite rule. Depending on the rule
type, a candidate URL or specific HTTP header field is matched against
the expression.
v For absolute-rewrite, content-type, and post-body, defines the
expression to be matched against the URL.
.* or *
Matches any string.
(.*)xsl=(.*)\?(.*)
Matches a string of the following format:
a. A text subpattern.
b. Followed by xsl=.
c. Followed by a text subpattern.
d. Followed by ?. The backward slash (\) in the PCRE is a
URL escape.
e. Followed by a text subpattern.
(.*)&[Xx][Ss][Ll]=([^&]+)(.*)
Matches a string of the following format:
a. A text subpattern.
b. Followed by &.
c. Followed by X or x.
d. Followed by S or s.
e. Followed by L or l.
f. Followed by =.
g. Followed by a text subpattern that does not contain an
ampersand (&) character.
h. Followed by a text subpattern.
v For header-rewrite, defines the expression to be matched against the
contents of a specific HTTP header field. For example *.* matches
any value.
PCRE documentation is available at http://www.pcre.org.
Input Replace Expression
Specify a PCRE-style replacement that defines the rewritten URL, HTTP
header field, or HTTP POST body.
v For absolute-rewrite, defines the rewritten URL.
If the match pattern is .* or *, specify the complete replacement.
If the match pattern is (.*)xsl=(.*)\?(.*), specify the evaluation
replacement for any text subpattern or retain the original text
subpattern. To retain the first text subpattern, specify $1; to retain
the second text subpattern, specify $2, and so forth. To replace the
second text subpattern only, specify $1xsl=ident.xsl?$3.
If a rewritten URL begins with a host name or port that is different
from the configured remote address, the host name or port portion of
the rewritten URL is ignored.
v For content-type, defines the replacement value for the Content-Type
header.
v For header-rewrite, defines the replacement value for the specified
header.
v For post-body, defines the rewritten body of the HTTP POST. For
example:
If the match pattern is .* or *, specify the complete replacement.
Header Name
Identifies the name of the header to have its value rewritten. The
header name must be entered exactly as it is defined in the message.
This option is for header-rewrite only.
URL Normalization
Select whether to enable normalization of URL strings. Normalizing a
URL compresses "." and ".." and converts backward slashes (\) to
forward slashes (/).
on
Enables normalization.
off
Disables normalization.
4. Click Save to return to the URL Rewrite Policy Configuration (Main) screen.
5. Click Apply to save the changes to the running configuration.
6. Optional: Click Save Config to save the changes to the startup configuration.
User Agent
A user agent is a client that initiates a request for a local service to establish a
connection to a remote server. An XML manager uses a user agent, for example, to
retrieve resources from elsewhere on the network. The settings for a user agent can
affect messages that a DataPower service sends out.
The DataPower appliance provides a default user agent in each application domain.
The configuration of the default user agent is as follows:
v Allows a maximum of eight HTTP redirect messages before declaring the target
unreachable
v Sets the idle timeout to 300 seconds before timing out and closing the connection
The default user agent does not provide configuration for the following types of
policies:
HTTP proxy
The user agent forwards requests that match the URL expression to an
HTTP server instead of to the target server.
SSL proxy
The user agent establishes a secure connection to the remote server for
requests that match the URL expression.
Basic authentication
The user agent uses these credentials for authentication with the remote
server for requests that match the URL expression. This feature is useful
for HTTP connections.
SOAP Action
The user agent includes the specified contents in the SOAPAction header in
requests that match the URL expression.
Public key authentication
The user agent uses these credentials for authentication with the remote
server for requests that match the URL expression. This feature is useful
for SCP and SFTP connections.
Allow compression
The user agent compresses the payload for requests that match the URL
expression.
Header retention
The user agent retains the specified message headers for requests that
match the URL expression.
Restrict to HTTP 1.0
The user agent restricts HTTP communication to HTTP 1.0 for requests that
match the URL expression.
Inject header
The user agent injects the specified headers into requests that match the
URL expression.
Chunked uploads
The user agent uses HTTP 1.1 Chunked content encoding for requests that
match the URL expression. This feature is useful for streaming large
documents.
FTP client
The user agent controls the client settings for outgoing FTP connections for
requests that match the URL expression. These client settings can be
overridden by query parameters in the URL that initiates the file transfer.
Each type of these policies uses URL matching patterns. When there are multiple
configurations for a policy type, the policy evaluates each candidate URL against
the matching pattern in sequential order. Therefore, order is important.
When you create a new user agent, the configuration defines these default settings.
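The following script is an added illustration of the sequential evaluation described above; it is not part of this guide or of the appliance. It evaluates a candidate URL against user agent policy entries in order, first match wins, and flags later entries that an earlier catch-all pattern already captures. Assumptions: the shell-style URL Matching Expression behaves like fnmatch, and the basic authentication entries, credential names and URLs are constructed sample values.

```python
import fnmatch
from typing import Dict, List, Optional, Tuple

# One user agent policy entry: the URL Matching Expression and the settings it
# applies. The settings here name a basic authentication credential (constructed).
PolicyEntry = Tuple[str, Dict[str, str]]


def first_matching_policy(url: str, entries: List[PolicyEntry]) -> Optional[Dict[str, str]]:
    """Evaluate the candidate URL against each entry in sequence; the first match wins.
    Assumption: shell-style matching behaves like fnmatch (* and ? also match '/')."""
    for pattern, settings in entries:
        if fnmatch.fnmatchcase(url, pattern):
            return settings
    return None


def shadowed_entries(entries: List[PolicyEntry]) -> List[int]:
    """Indexes of entries that an earlier pattern already captures.
    Heuristic: probe each later pattern with its wildcards replaced by a literal
    character; a hit means an earlier entry wins for at least that URL, so the
    later entry is (at least partly) unreachable. Misses are not proof of safety."""
    shadowed = []
    for i, (pattern, _) in enumerate(entries):
        probe = pattern.replace("*", "x").replace("?", "x")
        for earlier, _ in entries[:i]:
            if fnmatch.fnmatchcase(probe, earlier):
                shadowed.append(i)
                break
    return shadowed


# Two orderings of the same entries. With the catch-all first, the partner-specific
# credential is never selected and the generic credential is sent to the partner host.
WRONG_ORDER: List[PolicyEntry] = [
    ("*", {"basic_auth": "generic-svc"}),
    ("https://partner.example.com/*", {"basic_auth": "partner-svc"}),
]
RIGHT_ORDER: List[PolicyEntry] = list(reversed(WRONG_ORDER))


if __name__ == "__main__":
    url = "https://partner.example.com/api/orders"
    print("wrong order:", first_matching_policy(url, WRONG_ORDER))
    print("right order:", first_matching_policy(url, RIGHT_ORDER))
    print("shadowed entries in wrong order:", shadowed_entries(WRONG_ORDER))
```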
19. On the FTP Client Policies tab, define FTP client policies.
20. Click Apply to save the changes to the running configuration.
21. Optional: Click Save Config to save the changes to the startup configuration.
5. Optional: In the Timeout field, change the idle timeout to allow in seconds
before timing out and closing the connection.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
4. Add a policy.
a. Click Add.
b. In the URL Matching Expression field, enter a shell-style expression to be
the pattern to match against the URL set.
c. In the Soap Action field, enter the URI of the SOAP action.
d. Click Save to add this policy to the list.
5. Repeat the previous step to add another policy.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
4. Add a policy.
a. Click Add.
b. In the URL Matching Expression field, enter a shell-style expression to be
the pattern to match against the URL set.
c. From the Header Retention list, select the check boxes for the headers to
retain.
d. Click Save to add this policy to the list.
5. Repeat the previous step to add another policy.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
2) In the Header Value field, enter the value for the header.
d. Click Save to add this policy to the list.
5. Repeat the previous step to add another policy.
6. Click Apply to save the changes to the running configuration.
7. Optional: Click Save Config to save the changes to the startup configuration.
If a Local Endpoint Rewrite policy alters the definitions in the WSDL, the Front
Side Handler must match the result of the rewrite. For example, if the Endpoint
Rewrite policy contains the following rewrite rule, the Front Side Handler must
use port 8010.
absolute-rewrite "(.*)://(.*?)/(.*)" "$1://0.0.0.0:8010/$3"
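The following script is an added illustration, not code from this guide or from the appliance: it applies the match and replace expressions shown in the URL Rewrite Policy section (including $1xsl=ident.xsl?$3 and the case-insensitive xsl= pattern), the absolute-rewrite rule quoted above, and the URL Normalization behaviour (compress "." and "..", convert backslashes). Assumptions: the replace expression defines the complete rewritten value, a rule whose expression does not match leaves the URL unchanged, the $1&xsl=ident.xsl$3 replacement is constructed, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def _to_python_replacement(replace_expr: str) -> str:
    """Translate the $1, $2, ... back-references of a replace expression into
    Python's \\g<1>, \\g<2>, ... form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replace_expr)


def apply_rewrite(match_expr: str, replace_expr: str, value: str) -> str:
    """Apply one rewrite rule (PCRE-style match and replace expressions) to a URL.
    Assumption: the replace expression is the complete rewritten value, and a rule
    that does not match leaves the value unchanged."""
    if match_expr == "*":          # the page treats a bare * like .* (matches any string)
        match_expr = ".*"
    m = re.search(match_expr, value)
    if m is None:
        return value
    return m.expand(_to_python_replacement(replace_expr))


def normalize_url(url: str) -> str:
    """URL Normalization as described on the page: backslashes become forward
    slashes and "." / ".." path segments are compressed. In this implementation
    ".." never climbs above the path root."""
    parts = urlsplit(url.replace("\\", "/"))
    segments = []
    for seg in parts.path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(segments) > 1:   # keep the leading "" that marks an absolute path
                segments.pop()
            continue
        segments.append(seg)
    path = "/".join(segments)
    if parts.path.startswith("/") and not path.startswith("/"):
        path = "/" + path
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def demo() -> dict:
    """Constructed URLs run through the page's own rules."""
    return {
        # $1xsl=ident.xsl?$3: replace only the second subpattern (the style sheet name)
        "pinned_xsl": apply_rewrite(r"(.*)xsl=(.*)\?(.*)", "$1xsl=ident.xsl?$3",
                                    "http://host/app?xsl=custom.xsl?debug=1"),
        # case-insensitive xsl= query parameter pinned to a fixed style sheet
        "pinned_param": apply_rewrite(r"(.*)&[Xx][Ss][Ll]=([^&]+)(.*)", "$1&xsl=ident.xsl$3",
                                      "http://host/app?a=1&XSL=custom.xsl&b=2"),
        # the Local Endpoint Rewrite rule above: the Front Side Handler must use port 8010
        "endpoint": apply_rewrite(r"(.*)://(.*?)/(.*)", "$1://0.0.0.0:8010/$3",
                                  "http://wsdl-host.example.com:8080/orders/v1"),
        # a rule that does not match leaves the URL alone
        "untouched": apply_rewrite(r"(.*)xsl=(.*)\?(.*)", "$1xsl=ident.xsl?$3",
                                   "http://host/app"),
        "normalized": normalize_url("http://host/a\\b/./c/../d?x=1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```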
the backend reply queue. The appliance starts the response rule for
the second message in the reply queue only after it completes the
processing of the first message. The appliance always buffers
messages so that it sends messages to the frontend reply queue in
the same order that they were pulled from the backend reply
queue.
Propagate URI
Control the behavior of URI propagation: on (default) or off.
If the backend URL is in an MQ, TIBCO EMS, or WebSphere JMS format,
disable URI propagation (set to off).
Enabling URI propagation is meaningful in the following situations only:
v When the service is configured to use a static backend.
v When the service is configured to use a dynamic backend and dynamic
routing is set with a route with style sheet (route-action) action in the
processing policy. In this case, use the dp:set-target() extension
element to define the target backend server.
For the other dynamic routing options that are available with the
route-action and route-set actions, the URI is absolute.
When enabled, the service rewrites the URI of the backend URL to the URI
in the client request. If URI propagation is enabled and the client submits
http://host/service and the backend URL is http://server/listener, the
URL is rewritten to http://server/service.
Notes:
v When enabled, any Matching Rule in a response processing rule
must match the rewritten URL.
v Any action in the Processing Policy can change the URI that is
sent to the backend server. The rewritten URI could override the
intended effect of this setting.
Proxy listens) and you use an Endpoint Rewrite Policy to set these
attributes, you must make sure to set Auto Generate Protocol
Handlers to on.
AAA Policy
Select an AAA Policy. All submitted traffic for all service endpoints will be
subjected to this authentication and authorization policy. This allows for
the creation and maintenance of a single policy used across service
endpoints. Refer to Creating AAA Policy objects on page 243 for more
information.
Processing Policy
Select a Processing Policy. Messages submitted to the Proxy will be
processed by this Policy. Refer to Defining Processing Policy objects on
page 306 for more information.
Note: The service automatically validates message traffic as well-formed
SOAP XML, applies schema validation based on the WSDL, and
filters for correct operation names.
Kerberos Encryptor Principal
Specify the full name of the client principal when the Web Service Proxy
needs to decrypt automatically encrypted requests. Use this property when
the encryption uses a Kerberos session key or uses a key that was derived
from the session key.
Kerberos Decryptor Principal
Specify the full name of the server principal when the Web Service Proxy
needs to decrypt automatically encrypted responses. Use this property
when the encryption uses a Kerberos session key or uses a key that was
derived from the session key.
Kerberos Keytab
Select the Kerberos Keytab that contains the principals. The Web Service
Proxy uses these principals to decrypt automatically encrypted requests
and responses.
Decrypt Key
Select a Cryptographic Key object. This key will be used to decrypt
encrypted payloads, if any are encountered. The resulting decrypted node
set will then be passed to the Processing Policy rules.
SOAP Action Policy
The service attempts to match requests to the appropriate WSDL using the
SOAPAction header. This setting controls the behavior of this operation.
Lax
Strict
Off
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
Response attachment processing mode
When the response type is SOAP or XML, select how to process server
responses with attachments.
Allow Processes the message root and needed XML and non-XML
attachments. Needed attachments are buffered. Attachments that
are not needed might be streamed directly to output.
Streaming
Provides limited processing of XML attachments, and streams XML
and non-XML attachments to output.
Unprocessed
Allows messages that contain attachments, but does not process
attachments.
For additional information about streaming attachments, refer to
Optimizing through Streaming.
Action when required root part is not first
When the attachment processing mode for requests or for responses is
Streaming, select the action to take when the MIME message root part is
not first.
Abort Stops the transaction and returns an error.
Buffer To Root
Buffers attachments before the root part into memory. Then
processes the root part, buffered attachments, and subsequent
attachments.
Process In Order
(Default) Processes the attachments and root part in the order that
they appear in the original message. All parts are still processed in
streaming mode even though only attachments after the root will
be streamed from the network.
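The root-part handling described above, as an added example in Python (not code from the DataPower guide or the appliance): it parses a constructed multipart/related message whose SOAP envelope is the second part, locates the root through the Content-Type start parameter as RFC 2387 defines it, and applies each of the three actions. The sample message, its Content-IDs and the function names are this example's own.

```python
"""Added example (not DataPower code): locating the root part of a
multipart/related (SOAP with Attachments) message and applying the three
'root part is not first' actions: Abort, Buffer To Root, Process In Order."""
import email
from email.message import Message

# Constructed sample: the SOAP envelope (root) is the SECOND part. The
# 'start' parameter names the root by Content-ID, so a receiver that simply
# took the first part would treat an attachment as the envelope.
SAMPLE_MESSAGE = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; type="text/xml"; '
    'start="<root@example>"; boundary="b0"\r\n'
    "\r\n"
    "--b0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-ID: <att1@example>\r\n"
    "\r\n"
    "BINARY-DATA-1\r\n"
    "--b0\r\n"
    "Content-Type: text/xml\r\n"
    "Content-ID: <root@example>\r\n"
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body/></soap:Envelope>\r\n"
    "--b0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-ID: <att2@example>\r\n"
    "\r\n"
    "BINARY-DATA-2\r\n"
    "--b0--\r\n"
)

ABORT, BUFFER_TO_ROOT, PROCESS_IN_ORDER = "Abort", "Buffer To Root", "Process In Order"


class RootNotFirstError(Exception):
    """Raised when the action is Abort and the root part is not first."""


def parse_message(raw: str) -> Message:
    msg = email.message_from_string(raw)
    if not msg.is_multipart() or msg.get_content_type() != "multipart/related":
        raise ValueError("not a multipart/related message")
    return msg


def content_id(part: Message) -> str:
    return str(part.get("Content-ID", "")).strip()


def find_root_index(msg: Message) -> int:
    """Index of the root part: the part named by 'start', else the first part."""
    parts = msg.get_payload()
    start = msg.get_param("start")
    if start is None:
        return 0
    for i, part in enumerate(parts):
        if content_id(part) == start:
            return i
    raise ValueError("start parameter names a Content-ID that is not present")


def plan_processing(msg: Message, action: str) -> dict:
    """Processing order of the parts (by Content-ID) and which parts had to be
    buffered. Parts before the root cannot be handed to the policy until the
    root has been seen: Buffer To Root holds them in memory and processes the
    root first, Process In Order keeps wire order, Abort rejects the message."""
    parts = msg.get_payload()
    ids = [content_id(p) for p in parts]
    root = find_root_index(msg)
    if root == 0 or action == PROCESS_IN_ORDER:
        return {"root_index": root, "order": ids, "buffered": []}
    if action == ABORT:
        raise RootNotFirstError(f"root part {ids[root]!r} is at position {root}, not first")
    if action == BUFFER_TO_ROOT:
        before = ids[:root]
        return {"root_index": root, "order": [ids[root]] + before + ids[root + 1:], "buffered": before}
    raise ValueError(f"unknown action {action!r}")


def root_envelope(msg: Message) -> str:
    """The root part's body, decoded, wherever it sits in the message."""
    part = msg.get_payload()[find_root_index(msg)]
    return part.get_payload(decode=True).decode("utf-8")


if __name__ == "__main__":
    m = parse_message(SAMPLE_MESSAGE)
    for action in (PROCESS_IN_ORDER, BUFFER_TO_ROOT, ABORT):
        try:
            print(action, plan_processing(m, action))
        except RootNotFirstError as exc:
            print(action, "->", exc)
```

The buffered list is the memory cost of Buffer To Root; a message that pushes many large attachments ahead of its root is exactly the case in which Abort is the safer setting.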
Front attachment processing format
Select how to interpret client requests with attachments.
Dynamic
(Default) The appliance reads the message and determines the
attachment format (DIME or MIME) from the content-type header.
Conversion between MIME and DIME is possible provided that
attachments are buffered.
MIME Messages adhere to the MIME format. Conversion to DIME is
possible provided that attachments are buffered.
DIME Messages adhere to the DIME format. Conversion to MIME is
possible provided that attachments are buffered.
Detect The appliance reads the message and determines the attachment
format (DIME or MIME) from message data. Conversion between
MIME and DIME is possible provided that attachments are
buffered.
Back attachment processing format
Select how to interpret server responses with attachments.
Dynamic
(Default) The appliance reads the message and determines the
attachment format (DIME or MIME) from the content-type header.
Conversion between MIME and DIME is possible provided that
attachments are buffered.
Pass-Thru
Does not directly characterize the client request, but indicates that
the request is not filtered or transformed by the Proxy - it is passed
as is to the target server.
XML
Assigning Monitors
Provide the following inputs:
Service Monitors
Optional: Use the list with the Add and Delete buttons to assign one or
more Web service monitors. Refer to Web services monitors on page 238
for more information.
Count Monitors
Optional: Use the list with the Add and Delete buttons to assign one or
more count monitors. Refer to Configuring count monitors on page 234
for more information.
Duration Monitors
Optional: Use the list with the Add and Delete buttons to assign one or
more duration monitors. Refer to Configuring duration monitors on page
236 for more information.
Monitors Evaluation Method
When a service uses more than one monitor, this setting determines how
the monitors interact with each other.
Terminate at First Throttle
(Default) Allows all monitors to take effect on a message until a
monitor takes a shape or reject action. No further monitors will
take effect after this point. The order of monitors matters. If three
monitors are included and the first monitor in the list either shapes
or rejects a message, no other monitors will execute.
Terminate at First Match
Allows all monitors to take effect until a monitor matches a
message. At that point, all monitor processing of the message
stops. In this way, only one monitor increments its counters.
that use traditional addressing and servers that use WS-Addressing. Refer
to Configuring Traditional to WS-Addressing on page 48 for
configuration details.
WS-Addressing Gatewayed to Synchronous
Specifies that the DataPower service mediates addressing between clients
that use WS-Addressing and servers that use traditional addressing. Refer
to Configuring Traditional to WS-Addressing on page 48 for
configuration details.
Pure WS-Addressing
Specifies that the DataPower service mediates addressing between clients
and servers that use WS-Addressing. Refer to Configuring WS-Addressing
to WS-Addressing on page 51 for configuration details.
<service name="SearchService">
  <port name="SearchPort" binding="typens:SearchBinding">
    <soap:address location="http://api.search.com/search/beta2"/>
  </port>
</service>
(Default) Enables this feature. If enabled, both the client and the
server can use Reliable Messaging to send messages to this
DataPower service.
messages that request rules process. The client must establish a sequence
with a CreateSequence SOAP call and must include a Sequence in each
SOAP header. Any SOAP message without a Sequence results in a SOAP
fault.
on
off
Required on Response
Indicates whether to require the use of Reliable Messaging for all SOAP
messages that response rules process. Any SOAP message without a
Sequence results in a SOAP fault.
Note: When WS-Addressing is in use, SOAP messages without a
WS-Addressing RelatesTo SOAP Header are processed by the
request rule, not the response rule, even if the message comes from
the backend server.
on
off
Include an offer.
You can use any PCRE-compliant expression. For more information, refer
to http://www.pcre.org.
TTL
The time-to-live, in seconds, for WSDL files that match the value of the
URL Match Expression property. After this time has expired, the file is
automatically refreshed. Any changes in the file are reflected by changes in
the configuration of the Proxy.
Click Save.
Click Add to create a new User Policy handled by this Proxy. Click the name of an
existing Operation to edit it.
Clicking Add displays the User Policy Property window.
Provide the following inputs:
Target Namespace
Specify a target namespace or * to designate all target namespaces defined
in the WSDL files used by the service. The target namespace is found in
the WSDL definitions element.
WSDL File
Specify the Local Name of a WSDL file (as defined on the WSDL File tab)
or * to designate all WSDL files.
Service
Specify a value of the form wsdl:definitions/wsdl:service/@name (for
example, wsdl:definitions/wsdl:service/@SearchService) to specify a
particular service, or specify * for any service. Here is an example service
defined in a WSDL:
<service name="SearchService">
  <port name="SearchPort" binding="typens:SearchBinding">
    <soap:address location="http://api.search.com/search/beta2"/>
  </port>
</service>
PortType
Specify a value of the form wsdl:definitions/wsdl:portType/@name (for
example, wsdl:definitions/wsdl:portType/@SearchPort) or specify * for
any PortType. The following snippet is an example of a portType definition
from a WSDL:
<portType name="SearchPort">
  <operation name="doSearch">
    <input message="typens:doSearch"/>
    <output message="typens:doSearchResponse"/>
  </operation>
</portType>
Binding
Specify a value of the form wsdl:definitions/wsdl:binding/@name (for
example, wsdl:definitions/wsdl:binding/@SearchBinding) or specify * for
any Binding.
<binding name="SearchBinding" type="typens:SearchPort">
  <soap:binding style="rpc"
      transport="http://schemas.xmlsoap.org/soap/http"/>
  <operation name="doSearch">
    <soap:operation soapAction="urn:GoogleAction"/>
    <input>
      <soap:body use="encoded" namespace="urn:Search"
          encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
    </input>
    <output>
      <soap:body use="encoded" namespace="urn:Search"
          encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
    </output>
  </operation>
</binding>
Operation
Specify a value of the form wsdl:definitions//wsdl:operation/@name (for
Service Priority
Assigns a priority for scheduling or for resource allocation. Use one of the
following values:
High
Low
Normal
(Default) Receives normal priority.
WSDL Component Type
Specifies the type of the WSDL component to match. Use one of the
following values:
All
Operation
Matches when the identified operation is requested in the current
transaction.
Matches wsdl:binding/operation/@name when formatted as
{bindingNamespace}name, or matches wsdl:service/wsdl:port
when formatted as {serviceNamespace}port-name/operation-name.
Port
Service
Matches when the operation requested in the current transaction is
included in the identified WSDL service.
Matches wsdl:service/@name when formatted as
{serviceNamespace}name.
Subscription
Matches an identified subscription key.
WSDL
Matches when the operation requested in the current transaction is
defined in the identified WSDL file.
WSDL Component Value
Identifies the value of the WSDL-defined component. The value to specify
depends on the identified WSDL component type.
v If All, specify double quotation marks (""). This combination eliminates
the WSDL component from consideration.
v If Operation, specifies the name of the WSDL operation. Use the
wildcard character (*) to specify all operations.
v If Port, specifies the name of the WSDL port. Use the wildcard character
(*) to specify all ports.
v If Service, specifies the name of the WSDL service. Use the wildcard
character (*) to specify all services.
v If Subscription, specify double quotation marks (""). Any specified
value is ignored.
v If WSDL, specifies either a URL or the local name mnemonic that is
assigned to the WSDL file.
Subscription
Select the name of an existing Subscription object. The property is
meaningful only when the value of the component type is Subscription.
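An added example (not code from the DataPower guide) of the matching described under WSDL Component Type and WSDL Component Value: it derives, from a WSDL, the keys in the {namespace}name and {namespace}port-name/operation-name formats listed above and evaluates a (type, value) pair with the * wildcard. The WSDL is assembled from the guide's own SearchService, SearchPort and SearchBinding fragments; the urn:Search target namespace, the typens prefix declaration, the local WSDL name search.wsdl and the function names are assumptions made for this example, and Subscription matching is not modelled.

```python
"""Added example (not DataPower code): WSDL component keys and rule matching."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed WSDL built from the guide's fragments; targetNamespace and the
# typens prefix are assumptions for this example.
SAMPLE_WSDL = """<definitions name="Search" targetNamespace="urn:Search"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:typens="urn:Search"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <portType name="SearchPort">
    <operation name="doSearch">
      <input message="typens:doSearch"/>
      <output message="typens:doSearchResponse"/>
    </operation>
  </portType>
  <binding name="SearchBinding" type="typens:SearchPort">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="doSearch">
      <soap:operation soapAction="urn:GoogleAction"/>
    </operation>
  </binding>
  <service name="SearchService">
    <port name="SearchPort" binding="typens:SearchBinding">
      <soap:address location="http://api.search.com/search/beta2"/>
    </port>
  </service>
</definitions>"""


def _q(tag: str) -> str:
    return f"{{{WSDL_NS}}}{tag}"


def _local(qname: str) -> str:
    # Assumption: bindings live in the WSDL's own targetNamespace, so the
    # prefix can be dropped when resolving a port's binding attribute.
    return qname.split(":")[-1]


def request_keys(wsdl_text: str, wsdl_local_name: str, operation: str) -> dict:
    """Keys a request for `operation` through this WSDL carries, in the
    formats the guide lists: {ns}name for service, port and operation, plus
    {ns}port-name/operation-name as the second operation form."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    bindings = {
        b.get("name"): {op.get("name") for op in b.findall(_q("operation"))}
        for b in root.findall(_q("binding"))
    }
    keys = {"WSDL": {wsdl_local_name}, "Service": set(), "Port": set(), "Operation": set()}
    for svc in root.findall(_q("service")):
        for port in svc.findall(_q("port")):
            if operation not in bindings.get(_local(port.get("binding")), set()):
                continue
            keys["Service"].add(f"{{{tns}}}{svc.get('name')}")
            keys["Port"].add(f"{{{tns}}}{port.get('name')}")
            keys["Operation"].add(f"{{{tns}}}{operation}")
            keys["Operation"].add(f"{{{tns}}}{port.get('name')}/{operation}")
    if not keys["Operation"]:
        raise ValueError(f"operation {operation!r} is not exposed by any port")
    return keys


def rule_matches(component_type: str, component_value: str, keys: dict) -> bool:
    """Evaluate one WSDL Component Type / Value pair against a request's keys.
    All (value "") takes the component out of consideration; * matches every
    component of that type; anything else must equal one of the keys."""
    if component_type == "All":
        return True
    if component_type not in keys:
        raise ValueError(f"unsupported component type {component_type!r}")
    if component_value == "*":
        return True
    return component_value in keys[component_type]
```

Because a rule value is compared against fully qualified keys, two WSDLs that reuse a port or operation name in different target namespaces cannot match each other's rules.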
Note: The local endpoints that the Web Service Proxy uses might also be
determined with protocol handlers. Protocol Handlers override the settings
of an Endpoint Rewrite policy.
To create a WS-Proxy Endpoint Rewrite policy, perform the following procedure:
1. Select Objects → Web Services → WS-Proxy Endpoint Rewrite to display the
WS-Proxy Endpoint Rewrite catalog.
2. Click Add to display the WS-Proxy Endpoint Rewrite (Main) screen.
3. Define the configuration properties on the Main screen. For details, refer to
Main tab.
4. Click the Local Rewrite Rule tabs and define the configuration properties. For
details, refer to Local Rewrite Rule tab.
5. Click the Remote Rewrite Rule tabs and define the configuration properties.
For details, refer to Remote Rewrite Rule tab on page 378.
6. Click the Publish Rewrite Rule tabs and define the configuration properties.
For details, refer to Publish Rewrite Rule tab on page 379.
7. Click the Subscription Local Rewrite Rule tabs and define the configuration
properties. Valid when using UDDI or WSRR subscriptions. For details, refer
to Subscription Local Rewrite Rule tab on page 380.
8. Click the Subscription Remote Rewrite Rule tabs and define the
configuration properties. Valid when using UDDI or WSRR subscriptions. For
details, refer to Subscription Remote Rewrite Rule tab on page 381.
9. Click the Subscription Publish Rewrite Rule tabs and define the
configuration properties. Valid when using UDDI or WSRR subscriptions. For
details, refer to Subscription Publish Rewrite Rule tab on page 382.
10. Click Apply to save the changes to the running configuration.
11. Optional: Click Save Config to save the changes to the startup configuration.
Main tab
On the Main screen, provide the following inputs
Name Specify the name of this object.
Admin State
Retain the default setting. To place the object in an inactive administrative
state, click disabled.
Comments
Specify a descriptive object-specific summary.
<service name="SomeSearchService">
  <port name="SomeSearchPort" binding="typens:SomeSearchBinding">
    <soap:address location="http://search.search.com/search/xml"/>
  </port>
</service>
SOAP 1.2
Uses the SOAP 1.2 binding for WSDL 1.1
(http://schemas.xmlsoap.org/wsdl/soap12/).
Local Endpoint WSDL Port Name Suffix
Specify a suffix to add to the name of the WSDL port that will be used
to represent this service endpoint in the rewritten Web service. If
empty, rewrite the original port. The original port can only be rewritten
once.
3. Click Save to return to the catalog.
send requests for this Service. A value of 0 will use the port specified in
the WSDL. If the WSDL does not specify a port, the default HTTP port
(80) is used.
Published Endpoint URI
Specify the URI, or local path. This usually matches the protocol
specified in any Local Endpoint Rewrite rule established for the Service
Port, or the actual WSDL definition. If this field is left blank, the
value from the WSDL will be used.
3. Click Save to return to the catalog.
Note: If you retain the default setting (off) for the Use Local Endpoint
Handler toggle, the Auto-Create Source Protocol Handlers
property on the Dynamic Endpoints tab must be set to on or the
Web Service Proxy cannot listen to the network.
Local Endpoint WSDL Binding Protocol
Select the WSDL binding protocol to use in the rewritten Web service.
default
(Default) Uses the binding protocol in the WSDL file.
HTTP GET
Uses the HTTP binding for WSDL 1.1
(http://schemas.xmlsoap.org/wsdl/http/).
SOAP 1.1
Uses the SOAP 1.1 binding for WSDL 1.1
(http://schemas.xmlsoap.org/wsdl/soap11/).
SOAP 1.2
Uses the SOAP 1.2 binding for WSDL 1.1
(http://schemas.xmlsoap.org/wsdl/soap12/).
Local Endpoint WSDL Port Name Suffix
Specify a suffix to add to the name of the WSDL port that will be used
to represent this service endpoint in the rewritten Web service. If
empty, rewrite the original port. The original port can only be rewritten
once.
3. Click Save to return to the catalog.
send requests for this Service. A value of 0 will use the port specified in
the WSDL. If the WSDL does not specify a port, the default HTTP port
(80) is used.
Remote Endpoint URI
Specify the part of the URL from the web service binding that specifies
the remote path. If this field is left blank, the value from the location
attribute of the soap:address element in the WSDL is used. For the
WebSphere MQ, TIBCO EMS, and WebSphere JMS protocols, the
Remote Endpoint URI must specify a RequestQueue parameter. For
most web services, the ReplyQueue parameter is also required in order to
receive the SOAP response.
WebSphere MQ
Specify the URL portion of the rewritten web service binding that
specifies the WebSphere MQ Queue Manager object. This field is
required when the remote server is WebSphere MQ.
TIBCO EMS
Specify the URL portion of the rewritten web service binding that
specifies the TIBCO EMS object. This field is required when the remote
server is TIBCO EMS.
WebSphere JMS
Specify the URL portion of the rewritten web service binding that
specifies the WebSphere JMS object. This field is required when the
remote server is WebSphere Application Server.
3. Click Save to return to the catalog.
Transactional messaging
Many times in asynchronous messaging, there is a one-way message flow
paradigm. A message is picked up off a queue or topic, multistep processing runs,
and the message is put on a backside queue or topic. With transactional messaging,
if the backside PUT or any PUT in multistep processing fails, the front-side GET is
rolled back.
Another common message pattern is message fanout. In this case, a message is
picked up on the front side and sent to several output queues. With transactional
messaging, if any of these multiple PUT operations fails, the original message is
rolled back on the front side.
To support transactional messaging in these message patterns, use the same
WebSphere JMS session to perform all the operations within the DataPower
transaction. To share the same WebSphere JMS session, receive messages from and
deliver messages to the same WebSphere JMS server object.
The following sections describe the requirements to configure transactional
messaging for different scenarios.
dptibems://TIBCOEMSServer?RequestQueue=OUTQUEUE&Transactional=true
With this configuration, the WebSphere JMS Front Side handler and the WebSphere
JMS backend URL share the same WebSphere JMS transacted session. A single
COMMIT or ROLLBACK operation is issued depending on the processing result.
This guarantees once-and-only-once delivery of WebSphere JMS
messages.
This configuration uses the same transacted WebSphere JMS session from
WebSphere JMS to the WebSphere JMS service object for these operations:
1. Receive messages on the front side
2. Send messages on the back side
3. Perform a COMMIT or ROLLBACK operation immediately after sending the
request message on the back side.
If the WebSphere JMS Front Side handler is configured with a put queue property,
the reply message from the back response queue is received as a part of a new
transaction. In other words, there are two WebSphere JMS unidirectional
transactions:
1. The first transaction carries the message from the front side request queue to
the back side request queue.
2. The second transaction carries the reply message from the back side response
queue to the front side response queue.
v Configure the WebSphere JMS Front Side handler and all WebSphere JMS URL
open calls using the same WebSphere JMS server object with the Transactional
property enabled.
v Optional: Use a WebSphere JMS backend URL defined with the
Transactional=true parameter.
In this configuration, the same transacted WebSphere JMS session receives the
message on the front side and sends the message using either a results action or a
dp:url-open extension function and optionally sends on the backend URL. The
WebSphere JMS transacted session is shared not only between the WebSphere JMS
Front Side handler and the WebSphere JMS Backend URL, but also between any
WebSphere JMS URL open calls used in the processing policy.
A single COMMIT or ROLLBACK operation is issued depending on the processing
result. This guarantees once-and-only-once delivery of the WebSphere
JMS messages. All calls to the WebSphere JMS server use the same shared
transacted session.
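An added in-memory model (not DataPower or WebSphere JMS code) of the transacted-session behaviour this section and the "Transactional messaging" introduction describe: one session performs the front-side GET and every back-side PUT, and a single COMMIT or ROLLBACK decides the outcome, so a failed PUT returns the original message to its input queue with no partial fanout left behind. The broker, queue names, capacities and the deliberate full-queue failure are constructed for the example; a non-transacted flow is included beside it to show the partial delivery that the shared session prevents.

```python
"""Added example (not DataPower or WebSphere JMS code): transacted session
semantics for the one-way flow and fanout patterns."""
from collections import deque


class QueueFull(Exception):
    """Constructed failure: the destination queue refuses the PUT."""


class Broker:
    """A few named queues; an optional capacity makes a PUT fail on purpose."""

    def __init__(self, capacities=None):
        self.queues = {}
        self.capacities = capacities or {}

    def queue(self, name):
        return self.queues.setdefault(name, deque())

    def enqueue(self, name, msg):
        cap = self.capacities.get(name)
        if cap is not None and len(self.queue(name)) >= cap:
            raise QueueFull(name)
        self.queue(name).append(msg)


class TransactedSession:
    """Models a JMS transacted session: GETs are remembered and PUTs are
    deferred until commit(); rollback() returns consumed messages to their
    queues and discards the deferred PUTs."""

    def __init__(self, broker):
        self.broker = broker
        self._gets = []   # (queue, msg) consumed in this transaction
        self._puts = []   # (queue, msg) deferred until commit

    def get(self, name):
        q = self.broker.queue(name)
        if not q:
            return None
        msg = q.popleft()
        self._gets.append((name, msg))
        return msg

    def put(self, name, msg):
        cap = self.broker.capacities.get(name)
        pending = sum(1 for n, _ in self._puts if n == name)
        if cap is not None and len(self.broker.queue(name)) + pending >= cap:
            raise QueueFull(name)   # send-time failure, as a broker would report it
        self._puts.append((name, msg))

    def commit(self):
        for name, msg in self._puts:
            self.broker.queue(name).append(msg)
        self._gets.clear()
        self._puts.clear()

    def rollback(self):
        for name, msg in reversed(self._gets):
            self.broker.queue(name).appendleft(msg)
        self._gets.clear()
        self._puts.clear()


def transacted_flow(session, in_q, out_qs, steps=()):
    """One-way flow and fanout in one routine: GET, run the processing steps,
    PUT to each output, then COMMIT; any failure along the way ROLLs BACK."""
    msg = session.get(in_q)
    if msg is None:
        return "empty"
    try:
        for step in steps:
            msg = step(msg)
        for q in out_qs:
            session.put(q, msg)
    except Exception:
        session.rollback()
        return "rolled-back"
    session.commit()
    return "committed"


def autocommit_flow(broker, in_q, out_qs):
    """The same fanout without a shared transacted session: each PUT is final
    as soon as it happens, so a later failure leaves partial delivery and the
    consumed input message is lost."""
    q = broker.queue(in_q)
    if not q:
        return "empty"
    msg = q.popleft()
    for out in out_qs:
        try:
            broker.enqueue(out, msg)
        except QueueFull:
            return "partial"
    return "delivered"
```

The guarantee holds only because every GET and PUT goes through the one session object; a dp:url-open call that used a different server object would be a second session with its own commit and would reintroduce the partial-delivery case.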
SSL
TCP
The protocol stack used to access the bootstrap server does not need
to be the same protocol stack that is used for actual message transfer
via the bus.
7. Click Save to save the bootstrap server identification and to return to the
WebSphere JMS Endpoint catalog.
8. If necessary, repeat steps 5 on page 388 to 7 to identify additional bootstrap
servers.
9. If you want to establish a secure (SSL-enabled) connection between the
WebSphere JMS object and the remote WAS JMS default message provider,
click the SSL tab to display the WebSphere JMS SSL panel.
10. Provide the following inputs:
SSL Profile
Select an instance of the SSL Proxy Profile object to support secure
connections to the remote WebSphere server.
WebSphere JMS SSL Cipher Specification
Select the IBM cipher specification used by the assigned SSL Proxy
Profile object when establishing a secure connection to the WebSphere
server.
If you specify an SSL Proxy, the cipher suite associated with the proxy
is replaced by an IBM default cipher specification
(SSL_RSA_WITH_NULL_MD5), or with the suite specified. Note that the
default specification uses NULL encryption (see the descriptor summary
that follows), so the connection is not encrypted unless a different
specification is selected.
Select one of the following values:
v SSL_RSA_WITH_NULL_MD5 (Default)
v SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
v SSL_RSA_EXPORT_WITH_RC4_40_MD5
v SSL_RSA_WITH_RC4_128_MD5
v SSL_RSA_WITH_NULL_SHA
v SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
v SSL_RSA_WITH_RC4_128_SHA
v SSL_RSA_WITH_DES_CBC_SHA
v SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
v SSL_RSA_FIPS_WITH_DES_CBC_SHA
v SSL_RSA_WITH_3DES_EDE_CBC_SHA
v SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
v TLS_RSA_WITH_DES_CBC_SHA
v TLS_RSA_WITH_3DES_EDE_CBC_SHA
Summary of cipher specification descriptors:
40   Key length
128  Key length
CBC
DES
EDE
EXPORT
     Exportable
FIPS
MD5
NULL No encryption
RC2
RC4
RSA
SHA
SSL
TLS
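As an added example (not IBM code), the following Python decodes each cipher specification name in the list above into the descriptors summarised here and flags what each one gives up. The list of names is the guide's; the weakness rules (key length under 112 bits, export grade, MD5 MAC, 64-bit block ciphers, RC4) and the nominal key lengths assumed for names that carry no number are this example's own.

```python
"""Added example (not IBM code): decoding the cipher specification names and
flagging the weaknesses each descriptor implies."""
import re

CIPHER_SPECS = [
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# <protocol>_<key exchange>[_EXPORT[1024]][_FIPS]_WITH_<bulk cipher>[_CBC][_<key bits>]_<MAC>
_SPEC = re.compile(
    r"(?P<protocol>SSL|TLS)_(?P<kx>RSA)"
    r"(?:_(?P<export>EXPORT(?:1024)?))?(?:_(?P<fips>FIPS))?"
    r"_WITH_(?P<bulk>NULL|RC2|RC4|DES|3DES_EDE)"
    r"(?:_(?P<mode>CBC))?(?:_(?P<bits>\d+))?_(?P<mac>MD5|SHA)"
)

# Assumed nominal key length when the name carries no explicit number
# (3DES is 168 nominal, 112 effective; RC2 only appears with an explicit 40).
DEFAULT_BITS = {"NULL": 0, "RC4": 128, "DES": 56, "3DES_EDE": 168, "RC2": 128}


def classify(name: str) -> dict:
    """Split one specification into its descriptors and list its weaknesses."""
    m = _SPEC.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised cipher specification {name!r}")
    bulk = m["bulk"]
    bits = int(m["bits"]) if m["bits"] else DEFAULT_BITS[bulk]
    issues = []
    if bulk == "NULL":
        issues.append("no encryption")
    elif bits < 112:
        issues.append(f"{bits}-bit key")
    if m["export"]:
        issues.append("export-grade")
    if m["mac"] == "MD5":
        issues.append("MD5 MAC")
    if bulk in ("RC2", "DES", "3DES_EDE"):
        issues.append("64-bit block cipher")
    if bulk == "RC4":
        issues.append("RC4 (prohibited for TLS by RFC 7465)")
    return {
        "name": name, "protocol": m["protocol"], "key_exchange": m["kx"],
        "export": bool(m["export"]), "fips": bool(m["fips"]),
        "bulk": bulk, "mode": m["mode"], "key_bits": bits, "mac": m["mac"],
        "issues": issues,
    }


def report(names=CIPHER_SPECS):
    """(name, issues) for every spec, weakest first: NULL encryption first,
    then by number of issues, so the default stands out at the top."""
    rows = [(n, classify(n)["issues"]) for n in names]
    return sorted(rows, key=lambda r: ("no encryption" not in r[1], -len(r[1])))


if __name__ == "__main__":
    for name, issues in report():
        print(f"{name:40} {', '.join(issues)}")
```

Every name on the list trips at least one rule, which is the practical reading of this panel: pick the strongest specification the WebSphere side accepts and treat the SSL Proxy Profile, not this list, as the place where the cipher policy is set.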
WSRR Server
To configure a WSRR server, use the following procedure:
1. Select Objects → Configuration → WSRR Server to display the WSRR Server
catalog.
2. Click Add to display the WSRR Server configuration screen.
3. Provide the following input:
Name Specify the name of the object.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
SOAP URL
Specify the URL to access the SOAP API on the WSRR server. The URL
takes one of the following formats:
v http://host:port/URI
v https://host:port/URI
Where:
host
port
URI
Confirm Password
Specify the password again. Leave blank if the WSRR server does not
enforce authentication.
WSRR Server Version
Select the version of WSRR in use.
6.0
6.1 or later
Uses WSRR Server, version 6.1 or later.
4. Click Apply to save the changes to the running configuration.
5. Optional: Click Save Config to save the changes to the startup configuration.
WSRR Subscription
To configure a WSRR subscription, use the following procedure:
1. Select Objects → Services → WSRR Subscription to display the WSRR
Subscription catalog.
2. Click Add to display the WSRR Subscription configuration screen.
3. Provide the following input:
Name Specify the name of the object.
Admin State
Retain the default setting. To place the object in an inactive
administrative state, click disabled.
Comments
Specify a descriptive object-specific summary.
WSRR Server
Select the WSRR Server object that stores the WSDL files and all
associated files that are needed by the Web Service Proxy service.
Namespace
Specify the resource namespace. The namespace is assigned when a
resource, such as a WSDL file, is loaded to a WSRR or when a
collection of resources is aggregated as a concept. This property, in
conjunction with the Object Name property, uniquely identifies the
subscribed-to WSRR resource.
Subscription Object
Select the WSRR resource type.
WSDL Document
(Default) Indicates that the resource is a single WSDL file.
Concept
Indicates that the resource is a concept. A concept is a package
for metadata that is created and maintained by a WSRR
administrator. The package contains one or more WSDL files
with potentially any number of associated XSD schema files or
XML files.
Object Name
Specify the name of the object. The name is assigned when a resource,
such as a WSDL file, is loaded to a WSRR or when a collection of
resources is aggregated as a concept. This property, in conjunction with
the Namespace property, uniquely identifies the subscribed-to WSRR
resource.
Synchronization Method
Select the method used to synchronize the local copy with the version
on the WSRR server.
Poll
Manual
Requires user intervention to synchronize. Refer to Manually
synchronizing WSRR subscriptions on page 394 for details.
Refresh Interval
When the Synchronization Method is Poll, specify the interval, in
seconds, between scheduled WSRR queries. Use a value in the range of
60 through 4294967. The default is 864000.
Note: The special value of 0 disables synchronization.
Use WSDL Version
Use the toggle to specify whether the WSRR subscription service
should retrieve a WSDL file with a user-specified version number from
the registry.
on
off
The WSRR registry maintains a Version attribute for WSDL files. The
Version is a user-defined suffix value that identifies different versions
of a WSDL file. For example, you might identify subsequent versions of
a WSDL file as WSDL 1, WSDL 1.1, WSDL 1.2, and so on. If you enable
Use WSDL Version, you must spell the Version correctly, for example
1.1, or the subscription service will not return the WSDL. The
following are some WSDL processing scenarios:
v If you do not enable Use WSDL Version, and there are multiple
versions of the WSDL in the registry, then the subscription service
uses its own internal sorting logic to retrieve one of the WSDL files.
v If you enable Use WSDL Version and leave the WSDL Version
blank (NULL) and there is a WSDL in the registry with a Version
number, then the subscription service will not retrieve the WSDL file.
v Do not enable Use WSDL Version if there is only a single WSDL file
in the registry.
Fetch Policy Attachments (WSRR 6.1 or later)
Use the toggle to specify whether the WSRR subscription service
should retrieve external Web Services Policy attachments that apply to
a WSDL file.
on
off
XML Manager
The firmware creates a default XML Manager object in the default domain and in
each application domain. The default instance in each domain can be edited like
any other instance of an XML Manager object. The default instances in the
different domains operate independently of one another.
An XML Manager object obtains and manages XML documents, style sheets, and
other document resources on behalf of one or more services. An XML Manager
also provides the following capabilities:
v Basic network configuration, such as load balancing and accessing remote
servers.
v Set manager-associated limits on the parsing of XML documents. By default, the
appliance imposes limits on various characteristics of XML documents. These
limitations provide for increased security and stability to protect against DoS
attacks or runaway data. Parser limits defined by the XML Manager object that
is associated with a service can be overridden by service-specific settings.
v Enable the caching of documents that this XML Manager object obtains. XML
Manager objects obtain documents via HTTP. The number of documents in the
cache depends on the availability of allocated memory.
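An added example (not the appliance's code) of the parser-limit idea in the second bullet above: limits on document size, element depth, element count and attributes per element are enforced while the document is still streaming, so an oversized or over-nested document is rejected before a full tree is built. The limit values, the constructed documents and the function names are this example's own; it does not cover DTD entity expansion, which needs its own limit.

```python
"""Added example (not DataPower code): enforcing XML parser limits while
streaming, rejecting hostile input before the whole tree is built."""
import io
import xml.etree.ElementTree as ET


class ParserLimitExceeded(Exception):
    pass


def parse_with_limits(xml_text, max_bytes=1_000_000, max_depth=32,
                      max_nodes=10_000, max_attributes=64):
    """Parse `xml_text`, aborting as soon as any limit is crossed.
    Returns the root Element on success."""
    data = xml_text.encode("utf-8")
    if len(data) > max_bytes:
        raise ParserLimitExceeded(f"document is {len(data)} bytes, limit {max_bytes}")
    depth = nodes = 0
    root = None
    # 'start' events fire before an element's children are read, so depth and
    # node counts are checked incrementally rather than after the fact.
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            nodes += 1
            if depth > max_depth:
                raise ParserLimitExceeded(f"element depth {depth} exceeds {max_depth}")
            if nodes > max_nodes:
                raise ParserLimitExceeded(f"more than {max_nodes} elements")
            if len(elem.attrib) > max_attributes:
                raise ParserLimitExceeded(
                    f"<{elem.tag}> carries {len(elem.attrib)} attributes, limit {max_attributes}")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root


def nested_document(levels):
    """Constructed input: `levels` nested <n> elements (a depth-bomb shape)."""
    return "<n>" * levels + "x" + "</n>" * levels


def wide_document(children):
    """Constructed input: one root with `children` empty child elements."""
    return "<r>" + "<c/>" * children + "</r>"


if __name__ == "__main__":
    print(parse_with_limits('<a><b x="1"/></a>').tag)
    try:
        parse_with_limits(nested_document(100), max_depth=32)
    except ParserLimitExceeded as exc:
        print("rejected:", exc)
```

The check order matters for resource use: the byte limit is applied before any parsing, and the per-element checks run on each start event, so the work done on a rejected document is bounded by the limit rather than by the document.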
v The configuration screen for an XML Manager object (Objects → XML Processing
→ XML Manager)
v The status screen for the document cache (Status → XML Processing →
Document Cache)
Remote Address
Remote Port
SSL Proxy Profile
Client ID
System Name
v User Name
v Password
Based on these properties and the request type, the following actions occur:
v DataPower requests a secure connection to the z/OS Communications Server
v RACF performs authentication of users
v RACF performs authorization to resources
v RACF logs authorized and unauthorized attempts to access RACF-protected
resources
v z/OS Communications Server NSS protocol provides return codes and reason
codes for connectivity requests
To support this functionality, the NSS server must be configured to support the
NSS client. See the following z/OS Communications Server documentation for
these configuration steps:
v Enable the XMLAppliance discipline support. For further information, refer to the
section on network security services server in the z/OS Communications Server: IP
Configuration Reference.
• Authorize the client userid to SAF profiles representing security services and
  resources. For further information, refer to the section on preparing to provide
  network security services in the z/OS Communications Server: IP Configuration
  Guide.
• Configure SSL for the TCP connection between the client and server. For further
  information, refer to the section on configuring the NSS server in the z/OS
  Communications Server: IP Configuration Guide.
Only one physical connection per Remote Address, Remote Port, and Client ID is
allowed. Additional z/OS NSS Client objects might be configured, but if more than
one client with the same tuple tries to connect, the connection will fail. If the
connection is not established or the provided parameters are not valid, the object
operational state is down and shows one of the following event codes:
• Invalid registration parameters
• TCP connection retry (interval is 1 minute)
• TCP connection in progress
• Communication failed
• Cannot connect to host
For additional information on logged NSS protocol return codes and reason codes,
refer to http://www.ibm.com/support/docview.wss?rs=852&uid=swg21329236 for
z/OS Communications Server: IP Diagnosis Guide updates.
Contact NSS for SAF Authentication is selected as the Authenticate method in the
AAA policy configuration and Contact NSS for SAF Authorization is selected for
the Authorization method.
15. Optional: Click Save Config to save the changes to the startup configuration.
ID references
The DataPower appliance, when acting as a message receiver, can process any
reference that uses one of the following attribute formats:
• @wsu:Id
• @xml:Id
• local @Id
References in these attribute formats can be used by processing policies in the
following situations:
• Implementing an AAA policy
• Performing message-level encryption or field-level encryption
• Performing signature operations with one of the following algorithms:
  – wssec
  – hmac
  – kerberos-hmac
Note: Receiver-side support requires no additional configuration.
When encrypting or signing messages, the DataPower service acts as a message
sender. Message-sender operations are supported by the WS-Sec ID Reference
Type property. For this property, select one of the following values as the ID
attribute type:
• wsu:Id
• xml:Id
The default is wsu:Id. This ID attribute type was the only type that was allowed in
early versions of the specification.
This property is available on the Advanced tab of the encrypt and sign actions.
EncryptedData tokens
The <xenc:EncryptedData> element can be included as a child of a
<wsse:Security> header. The <xenc:EncryptedData> element contains an encrypted
UsernameToken or BinarySecurityToken.
For the encrypt action, the DataPower appliance automatically includes the
appropriate token during field-level WS-Security encryption. For the decrypt
action, the appliance automatically decrypts the token during field-level or
message-level decryption.
X.509 certificates
The DataPower appliance supports STR Dereference Transform with X.509 tokens
as follows:
• Within a verify action
• During the Identity Extraction phase of an AAA policy when the method is
  Subject DN from Certificate in the Message's signature
• During the Authentication phase of an AAA policy when the method is Validate
  the Signer Certificate for a Digitally Signed.
For this transform, the token type can be as follows:
Binary Security Token
A <wsse:SecurityTokenReference> element contains a
<wsse:Reference/@URI> element that references a local
<wsse:BinarySecurityToken> element or a remote data source that contains
the token data.
PKCS#7
A <wsse:SecurityTokenReference> element contains a
<wsse:Reference/@URI> element that references a local
<wsse:BinarySecurityToken> element or a remote data source that contains
the token data.
PKIPath Binary Security Token
A <wsse:SecurityTokenReference> element contains a
<wsse:Reference/@URI> element that references a local
<wsse:BinarySecurityToken> element or a remote data source that contains
the token data.
Subject Key Identifier
A <wsse:SecurityTokenReference> element contains a
<wsse:KeyIdentifier> element that identifies the token with the value of
the X.509 version 3 Subject Key Identifier extension for the certificate. A
SAML assertions
The DataPower appliance supports STR Dereference Transform with SAML
assertions as follows:
• Within a verify action
• During the Identity Extraction phase of an AAA policy when the method is
  Subject DN from Certificate in the Message's signature
• During the Authentication phase of an AAA policy when the method is Validate
  the Signer Certificate for a Digitally Signed.
For this transform, the token type can be as follows:
SAML version 1.1 or version 2.0 local token
The local token uses either the holder-of-key or the sender-vouches
confirmation method.
SAML version 1.1 or version 2.0 remote token
The remote token uses either the holder-of-key or the sender-vouches
confirmation method.
Signature confirmation
The <wsse11:SignatureConfirmation> element is available when using WS-Security
1.1. This element is not available when using WS-Security 1.0.
The DataPower appliance does not automatically save the signature information
for sign and verify actions. Saving the signature information requires a
modification to the configuration for these actions. The change in configuration
depends on whether the action is generating or is verifying a signature
confirmation.
The local context does not persist beyond the scope of the multistep
transaction. A multistep transaction can include both a request component
and a response component. The local context cannot be accessed by any
object outside of the scope of the multistep transaction. In other words, the
service cannot read and use the variable.
Local context variables can be user-defined or based on an extension
variable. For a complete list of the available extension variables, refer to
Extension variables on page 412.
var://context/context/variable
Addresses a variable called variable in a context called context. The
following example transforms the document in the tmp1 context with a
style sheet that is referenced by the stylesheet-1 variable (in the apple
context) and stores the transformed document in the tmp2 context:
xform tmp1 var://context/apple/stylesheet-1 tmp2
A named context does not persist beyond the scope of the multistep
transaction. A multistep transaction can include both a request component
and a response component. A named context cannot be accessed by any
object outside of the scope of the multistep transaction. In other words, the
service cannot read and use the variable.
Note: Creating variables in a named context is the recommended
approach. This form decouples the variable from the input and
output contexts and allows the variable to be accessed from any step
in a multistep scope.
Named context variables can be user-defined or based on an extension
variable. For a complete list of the available extension variables, refer to
Extension variables on page 412.
var://service/variable
Addresses a variable that is made available to a service (such as HTTP or
XSL Co-Processor) that is attached to a multistep session. The majority of
service variables are read-only and cannot be set.
Service variables
Service variables enable the setting and retrieval of pieces of state that usually
reflect the state of the current transaction.
The available service variables are separated alphabetically into the following
categories:
• Service variables that are available to all DataPower services
• Service variables that are available to only Multi-Protocol Gateway and Web
  Service Proxy services
• Configuration services
• Load balancer service
• Legacy MQ-specific services
Variable name                      Permission
var://service/soap-fault-response  Read-write
Read-write variables
var://service/soap-fault-response
Set when the response input rule is treated as a SOAP fault.
Table 4. Names and permissions for general service variables that are available to only
Multi-Protocol Gateway and Web Service Proxy services

Variable name                       Permission
var://service/mpgw/backend-timeout  Read-write
var://service/mpgw/skip-backside    Write-only
var://service/reply-to-q            Write-only
var://service/reply-to-qm           Write-only
Write-only variables
var://service/mpgw/skip-backside
For Multi-Protocol Gateway and Web Service Proxy services only, indicates
that the service skips backside processing.
Set this variable to 1 to prevent backside processing. Use this variable as a
custom redirect implementation, not as the point of the service. Because
the service is not aware of the processing flow, unusual messages might be
written to the event log.
Read-write variables
var://service/mpgw/backend-timeout
For Multi-Protocol Gateway and Web Service Proxy services only, gets or
sets the backend timeout, in seconds. Setting this variable overrides the
default timeout. Use an integer in the range of 1 through 86400.
var://service/reply-to-q
Read and write the value in the ReplyToQ (Reply to Queue) MQ header.
When read, shows the input message value. When write, changes the
dynamic routing.
var://service/reply-to-qm
Read and write the value in the ReplyToQMgr (Reply to Queue Manager)
MQ header. When read, shows the input message value. When write,
changes the dynamic routing.
Variable name                 Permission
var://service/config-param    Write-only
var://service/max-call-depth  Read-write
Write-only variables
var://service/config-param/parameterName value
Sets the specified stylesheet parameter to the specified value.
Read-write variables
var://service/max-call-depth
Gets or sets the maximum call depth for each transaction. This variable
controls how many levels of called rules can be layered before an error is
thrown. The default is 128.
Appendix C. Working with variables
Variable name            Permission
var://service/lbhealth/  Write-only
Write-only variables
var://service/lbhealth/
Sets the member and state of a load balancer group.
Variable name                         Permission
var://service/correlation-identifier  Read-write
var://service/expiry                  Read-write
var://service/format                  Read-write
var://service/message-identifier      Read-write
var://service/message-type            Read-write
var://service/mq-ccsi                 Write-only
var://service/mqmd-reply-to-q         Write-only
var://service/mqmd-reply-to-qm        Write-only
var://service/persistence             Read-write
var://service/priority                Read-write
var://service/reply-to-q              Read-write
var://service/reply-to-qm             Read-write
var://service/report                  Read-write
Write-only variables
var://service/mq-ccsi
Sets the MQ message descriptor character set for an MQ Host or MQ
Proxy service.
var://service/mqmd-reply-to-q
Sets the output MQ message descriptor.ReplyToQ value for an MQ Host
or MQ Proxy service.
var://service/mqmd-reply-to-qm
Sets the output MQ message descriptor.ReplyToQMgr value for an MQ
Host or MQ Proxy service.
Read-write variables
var://service/correlation-identifier
Read and write the MQ value in the Correlation Identifier header for
MQ Host and MQ Proxy services.
var://service/expiry
Read and write the MQ value in the Expiry header for MQ Host and MQ
Proxy services.
var://service/format
Read and write the MQ value in the Format header for MQ Host and MQ
Proxy services.
var://service/message-identifier
Read and write the MQ value in the Message Identifier header for MQ
Host and MQ Proxy services.
var://service/message-type
Read and write the MQ value in the Message Type header for MQ Host
and MQ Proxy services.
var://service/persistence
Read and write the MQ value in the Persistence for MQ Host and MQ
Proxy services.
var://service/priority
Read and write the MQ value in the Priority header for MQ Host and
MQ Proxy services.
var://service/reply-to-q
Read and write the MQ value in the ReplyToQ (Reply to Queue) header for
MQ Host and MQ Proxy services. When read, shows the input message
value. When write, changes the dynamic routing.
var://service/reply-to-qm
Read and write the MQ value in the ReplyToQMgr (Reply to Queue
Manager) header for MQ Host and MQ Proxy services. When read, shows
the input message value. When write, changes the dynamic routing.
var://service/report
Read and write the MQ value in the Report header for MQ Host and MQ
Proxy services.
Multistep variables
This section contains information about system variables in alphabetic order by
permission category. Multistep variables usually impact the behavior of specific
actions in the context of a processing rule. Table 8 lists the names and permission
for these variables.
Table 8. Names and permissions for variables that are available to all services

Variable name                  Permission
var://service/log/soapversion  Read-write
Read-write variables
var://service/log/soapversion
Gets or sets the version of SOAP for use by SOAP log targets. Use a
setvar action before a log action to change the version of SOAP to use
when logging this message.
Transaction variables
The available transaction variables are separated alphabetically into the following
categories:
• Asynchronous transactions
• Error handling
• Headers
• Persistent connections
• Routing
• URL
• Web Services Management (WSM)
Variable name                      Permission
var://service/soap-oneway-mep      Read-write
var://service/transaction-key      Write-only
var://service/transaction-name     Write-only
var://service/transaction-timeout  Write-only
Write-only variables
var://service/transaction-key
Sets the token for asynchronous transactions.
var://service/transaction-name
Sets the name for asynchronous transactions.
var://service/transaction-timeout
Sets the timeout for asynchronous transactions.
Read-write variables
var://service/soap-oneway-mep
Gets or sets the SOAP one-way Message Exchange Pattern (MEP)
notification.
• When true, notifies the service layer that this transaction is performing a
  one-way MEP operation. This setting enables the service layer to
  optimize resource usage while preventing Web Services Addressing
  (WSA) from waiting for and faulting on a response that will never
  arrive.
• When false, no notification is sent. When using WSA and one-way
  MEPs, the service layer will time out waiting for a response.
When a DataPower service is configured for WSA-to-WSA and it receives a
WSA annotated message without the wsa:MessageId, the DataPower service
assumes that this is a one-way MEP and notifies the service layer by
setting this value of this variable to true.
This variable is not needed for Web Service Proxy services, as one-way
MEPs are identified by reviewing the specifics of the port operation.
Variable name                               Permission
var://service/error-code                    Read-write
var://service/error-ignore                  Read-write
var://service/error-message                 Read-write
var://service/error-protocol-reason-phrase  Write-only
var://service/error-protocol-response       Write-only
var://service/error-subcode                 Read-write
var://service/strict-error-mode             Read-write
Write-only variables
var://service/error-protocol-reason-phrase
Sets the protocol-specific reason phrase for an error. This variable
overwrites the reason phrase in the response to provide a short description
that can be understood by people.
var://service/error-protocol-response
Sets the protocol-specific response for an error. This variable overwrites the
protocol-specific response code in an error condition.
Read-write variables
var://service/error-code
Gets or sets the assigned error code from the Result Code table.
var://service/error-ignore
Gets or sets a flag that controls how the Front Side Handler processes an
error condition. If the value is set and greater than zero, the handler does
not run any error handling action and produces a regular response. The
content of the message is produced by an error rule.
The default value is 0.
Currently, only the TIBCO EMS and WebSphere JMS Front Side Handlers use
this variable. If any error happens and the variable is set, the Front Side
Handler acknowledges the request message and puts the response message
in the PUT queue. This response message will be a SOAP fault or any other
output that the error rule generates.
var://service/error-message
Gets or sets the generic error message that is sent to the client. This
variable contains the error condition that stopped multistep processing.
Setting this variable overwrites the error response that is sent to the client
in an error condition. To set the error message that is written to the log
file, use the var://service/formatted-error-message variable.
var://service/error-subcode
Gets or sets the error sub-code. This variable can help to disambiguate the
reason for which the error rule was invoked. Often, the sub-code is the
same as the value of the var://service/error-code variable. Sometimes,
the sub-code is a more specific result code.
var://service/strict-error-mode
Gets or sets the strict error mode. This variable controls the error mode for
multistep processing.
• If the value is set, an invocation of the dp:reject extension element
  stops multistep processing.
• If the value is not set, an invocation of the dp:reject extension element
  logs a message but does not stop multistep processing.
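The error-handling variables above are most useful when an error rule separates what is logged from what is returned to the client. The following stylesheet is an added example and is not from the IBM guide: it reads error-code, error-subcode and error-message, writes the specific reason to the appliance log with xsl:message, then overwrites the client-visible message, protocol response code and reason phrase with fixed values before emitting a generic SOAP fault. The dp: extension namespace, the xsl:message dp:priority attribute and the fault wording are assumptions; the variable names are the ones documented above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the IBM guide): error-rule stylesheet that keeps
     the detailed failure reason in the log and returns a generic fault. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <xsl:template match="/">
    <!-- What multistep processing recorded about the failure (read-write vars). -->
    <xsl:variable name="code"    select="dp:variable('var://service/error-code')"/>
    <xsl:variable name="subcode" select="dp:variable('var://service/error-subcode')"/>
    <xsl:variable name="detail"  select="dp:variable('var://service/error-message')"/>

    <!-- The specific reason is written to the appliance log only. -->
    <xsl:message dp:priority="error">
      <xsl:value-of select="concat('request rejected: code=', $code,
                                   ' subcode=', $subcode,
                                   ' detail=', $detail)"/>
    </xsl:message>

    <!-- Overwrite what the client sees: a fixed message and a fixed status line.
         error-protocol-response and error-protocol-reason-phrase are write-only. -->
    <dp:set-variable name="var://service/error-message"
                     value="'The request could not be processed.'"/>
    <dp:set-variable name="var://service/error-protocol-response"
                     value="'500'"/>
    <dp:set-variable name="var://service/error-protocol-reason-phrase"
                     value="'Internal Server Error'"/>

    <!-- The output of the error rule becomes the response body. -->
    <soapenv:Envelope>
      <soapenv:Body>
        <soapenv:Fault>
          <faultcode>soapenv:Server</faultcode>
          <faultstring>The request could not be processed.</faultstring>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>
  </xsl:template>
</xsl:stylesheet>
```

Use this stylesheet in an xform action of the error rule (the rule selected by on-error or by the processing policy's error direction). Because error-message is read before it is overwritten, the original detail is available for the log line but never reaches the client; if the log line itself should carry the appliance-formatted text instead, the guide points to var://service/formatted-error-message for that purpose.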
Variable name                          Permission
var://service/append-request-header/   Write-only
var://service/append-response-header/  Write-only
var://service/set-request-header/      Write-only
var://service/set-response-header/     Write-only
Write-only variables
var://service/append-request-header/
Appends to the protocol request header.
var://service/append-response-header/
Appends to the protocol response header.
var://service/set-request-header/
Sets the protocol request header. This variable directly correlates to the
dp:set-request-header() extension function. Setting the
var://service/set-request-header/FOO variable to the value BAR would
set the request header FOO to BAR.
var://service/set-response-header/
Sets the protocol response header. This variable directly correlates to the
dp:set-response-header() extension function. Setting the
var://service/set-response-header/FOO variable to the value BAR would
set the response header FOO to BAR.
Variable name                  Permission
var://service/connection/note  Read-write
Read-write variables
var://service/connection/note
Gets or sets the annotation for the current connection. This variable allows
the user to annotate the current protocol session. The value could be an
identifier that could be used to maintain the state based on an existing
protocol session.
Variable name                         Permission
var://service/routing-url             Write-only
var://service/routing-url-sslprofile  Write-only
Write-only variables
var://service/routing-url
For XML Firewall, Multi-Protocol Gateway, and Web Service Proxy
services, sets the routing URL. This variable can be set one time only and
takes the following format:
<dp:set-variable name="var://service/routing-url"
value="'protocol://target/URI'" />
Table 14. Names and permissions for variables that are available for URL-based
transactions

Variable name                  Permission
var://service/protocol-method  Read-write
var://service/URI              Read-write
Read-write variables
var://service/protocol-method
Gets or sets the HTTP method of the transaction.
var://service/URI
Gets or sets the request URI of the transaction.
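The routing-url format shown above and the protocol-method and URI variables in Table 14 are typically used together in a route action. The following stylesheet is an added example and is not from the IBM guide: it reads the method and request URI, accepts only a fixed set of method and path-prefix combinations, sets var://service/routing-url exactly once (the guide states it can be set one time only), and rejects everything else with dp:reject so the service fails closed rather than forwarding an unexpected request. The backend host names and the allowlist of prefixes are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the IBM guide): allowlist-based dynamic routing. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <xsl:template match="/">
    <xsl:variable name="method" select="dp:variable('var://service/protocol-method')"/>
    <xsl:variable name="uri"    select="dp:variable('var://service/URI')"/>

    <!-- routing-url may be set only once per transaction, so exactly one
         branch of this xsl:choose sets it. Backend hosts are assumed values. -->
    <xsl:choose>
      <!-- Refuse path segments that could escape the intended prefix. -->
      <xsl:when test="contains($uri, '..') or contains($uri, '//')">
        <dp:reject>Malformed request URI</dp:reject>
      </xsl:when>
      <xsl:when test="$method = 'POST' and starts-with($uri, '/orders/')">
        <dp:set-variable name="var://service/routing-url"
            value="concat('https://orders.example.internal:8443', $uri)"/>
      </xsl:when>
      <xsl:when test="$method = 'GET' and starts-with($uri, '/catalog/')">
        <dp:set-variable name="var://service/routing-url"
            value="concat('https://catalog.example.internal:8443', $uri)"/>
      </xsl:when>
      <xsl:otherwise>
        <!-- No backend for this method and URI combination: fail closed. -->
        <dp:reject>No route for this request</dp:reject>
      </xsl:otherwise>
    </xsl:choose>

    <!-- Pass the message through unchanged to the output context. -->
    <xsl:copy-of select="/"/>
  </xsl:template>
</xsl:stylesheet>
```

Two points from the variable descriptions matter here: the allowlist is keyed on prefixes the stylesheet owns, never on a host name taken from the message, and dp:reject only stops multistep processing when var://service/strict-error-mode is set, so a service that relies on the otherwise branch to block traffic needs strict error mode on.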
Variable name                   Permission
var://service/wsa/timeout       Read-write
var://service/wsa/genpattern    Read-write
var://service/wsm/wsdl-error    Write-only
var://service/wsm/wsdl-warning  Write-only
Write-only variables
var://service/wsm/wsdl-error
Sets the WSDL error.
var://service/wsm/wsdl-warning
Sets the WSDL warning.
Read-write variables
var://service/wsa/timeout
Gets or sets the timeout value for the WS-Addressing asynchronous reply.
var://service/wsa/genpattern
Gets or sets the pattern for the WS-Addressing asynchronous reply.
Extension variables
This section contains information about system variables in alphabetic order by
permission category. Extension variables usually impact the behavior of specific
actions, particularly fetch, results, and results-async actions. Table 16 lists the
names and permission for these variables.
Table 16. Names and permissions for extension variables

Variable name                                         Permission
var://local/_extension/allow-compression              Write-only
var://local/_extension/donot-follow-redirect          Write-only
var://local/_extension/header/                        Write-only
var://local/_extension/http-10-only                   Write-only
var://local/_extension/prevent-persistent-connection  Write-only
var://local/_extension/sslprofile                     Write-only
var://local/_extension/timeout                        Write-only
Write-only variables
var://local/_extension/allow-compression
Enables compression of HTTP requests. Set this variable to allow
compression of outgoing results content and negotiate the returned
document to be compressed if the underlying protocol supports it. For
HTTP, this means the content-encoding and accept-encoding headers.
var://local/_extension/donot-follow-redirect
Disables HTTP redirects. Set this variable to prevent the following of
protocol-level redirect sequences on the outgoing results and fetch calls
that are associated with this context. By default, redirects are followed.
var://local/_extension/header/
Appends the specified header field to the protocol connection. Variables of
the following form can be set to append headers to the dp:url-open()
extension function or results action or fetch action connection when a
context that contains them is used as the input context:
_extension/header/*
The following example would add the HTTP header X-foo: bar to the
HTTP request:
  setvar tmpvar2 var://local/_extension/header/X-foo bar
  results tmpvar2 http://foo.bar.com/foome.asp tmpvar3
var://local/_extension/http-10-only
Restricts HTTP to version 1.0. Set this variable to prevent the use of
HTTP/1.1 on the related context of a results action or fetch action.
var://local/_extension/prevent-persistent-connection
Disables HTTP persistent connection. Set this variable to prevent persistent
connections on the outgoing results action call or fetch action call that is
associated with this context. Persistent connections are supported by
default, where appropriate.
var://local/_extension/sslprofile
Sets the SSL proxy profile for the request. This variable can be set on the
input context to a dp:url-open() extension function or to a results action or
to a fetch action to override the selection of an SSL Proxy Profile. For
instance:
results tmpvar2 https://foo.bar.com/foome.asp tmpvar3
would normally use the SSL Proxy Profile that is associated with any
user-agent configuration for the URL
https://foo.bar.com/foome.asp
var://local/_extension/timeout
Sets the request timeout on an input context to override any previously set
timeout parameter. Set the value in seconds.
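The extension variables in this section take effect when they are set on the context that feeds a results action, fetch action or dp:url-open() call. The stylesheet below is an added example, not from the IBM guide, that sets several of them at once in an xform whose output context is then used as the input of a results action, mirroring the guide's own setvar/results example above: it pins the SSL Proxy Profile, disables redirect following, bounds the request timeout, disables connection reuse and appends a request header. The profile name backend-pinned-ssl is an assumption, as is the value 'true' for the flag variables (the guide says only that they must be set); the header name and the generate-id() based value are constructed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the IBM guide): an xform whose output context
     carries extension variables that constrain the following results action. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <xsl:template match="/">
    <!-- Pin the TLS configuration for the backend call instead of relying on
         whatever the user agent selects for the URL. Profile name is assumed. -->
    <dp:set-variable name="var://local/_extension/sslprofile"
                     value="'backend-pinned-ssl'"/>

    <!-- Do not follow redirects: a 3xx from the backend must not turn into a
         request to some other host. The flag value 'true' is an assumption. -->
    <dp:set-variable name="var://local/_extension/donot-follow-redirect"
                     value="'true'"/>

    <!-- Bound how long this transaction may wait on the backend, in seconds. -->
    <dp:set-variable name="var://local/_extension/timeout"
                     value="'10'"/>

    <!-- Do not reuse a backend connection across transactions for this call. -->
    <dp:set-variable name="var://local/_extension/prevent-persistent-connection"
                     value="'true'"/>

    <!-- Append an HTTP header to the outgoing request, as in the guide's
         X-foo: bar example; here a constructed per-transaction identifier. -->
    <dp:set-variable name="var://local/_extension/header/X-Request-ID"
                     value="concat('dp-', generate-id(/))"/>

    <!-- The message body itself is passed through unchanged. -->
    <xsl:copy-of select="/"/>
  </xsl:template>
</xsl:stylesheet>
```

In the processing rule this looks like the guide's two-line example with the setvar replaced by the xform: first xform INPUT with this stylesheet into tmpvar2, then results tmpvar2 https://foo.bar.com/foome.asp tmpvar3. Because the variables are var://local/ variables, they belong to the xform's output context (tmpvar2), which is exactly the input context the results action reads them from.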
System variables
This section contains information about system variables in alphabetic order by
permission category. Table 17 lists the names and permission for these variables.
Table 17. Names and permissions for system variables

Variable name                     Permission
var://system/map/debug            Read-write
var://system/tasktemplates/debug  Read-write
Read-write variables
var://system/map/debug
Gets or sets the debugging level for role-based management (RBM).
var://system/tasktemplates/debug
Gets or sets the debugging level for task templates.
Short name                     Variable                                              Category
allow-compression              var://local/_extension/allow-compression              Extension
append-request-header          var://service/append-request-header                   Transaction, headers
append-response-header         var://service/append-response-header                  Transaction, headers
backend-timeout                var://service/mpgw/backend-timeout                    Service, general
config-param                   var://service/config-param                            Service, configuration
correlation-identifier         var://service/correlation-identifier                  Service, MQ
debug                          var://system/map/debug                                System
                               var://system/tasktemplates/debug                      System
donot-follow-redirect          var://local/_extension/donot-follow-redirect          Extension
error-code                     var://service/error-code                              Transaction, error handling
error-ignore                   var://service/error-ignore                            Transaction, error handling
error-message                  var://service/error-message                           Transaction, error handling
error-protocol-reason-phrase   var://service/error-protocol-reason-phrase            Transaction, error handling
error-protocol-response        var://service/error-protocol-response                 Transaction, error handling
error-subcode                  var://service/error-subcode                           Transaction, error handling
expiry                         var://service/expiry                                  Service, MQ
format                         var://service/format                                  Service, MQ
genpattern                     var://service/wsa/genpattern                          Transaction, WSM
header                         var://local/_extension/header                         Extension
http-10-only                   var://local/_extension/http-10-only                   Extension
lbhealth                       var://service/lbhealth                                Service, load balancer
max-call-depth                 var://service/max-call-depth                          Service, configuration
message-identifier             var://service/message-identifier                      Service, MQ
message-type                   var://service/message-type                            Service, MQ
mq-ccsi                        var://service/mq-ccsi                                 Service, MQ
mqmd-reply-to-q                var://service/mqmd-reply-to-q                         Service, MQ
mqmd-reply-to-qm               var://service/mqmd-reply-to-qm                        Service, MQ
note                           var://service/connection/note                         Transaction, persistent connection
persistence                    var://service/persistence                             Service, MQ
prevent-persistent-connection  var://local/_extension/prevent-persistent-connection  Extension
priority                       var://service/priority                                Service, MQ
reply-to-q                     var://service/reply-to-q                              Service, MQ
reply-to-qm                    var://service/reply-to-qm                             Service, MQ
report                         var://service/report                                  Service, MQ
routing-url                    var://service/routing-url                             Transaction, routing
routing-url-sslprofile         var://service/routing-url-sslprofile                  Transaction, routing
set-request-header             var://service/set-request-header                      Transaction, headers
set-response-header            var://service/set-response-header                     Transaction, headers
skip-backside                  var://service/mpgw/skip-backside                      Service, general
soap-fault-response            var://service/soap-fault-response                     Service, general
soap-oneway-mep                var://service/soap-oneway-mep                         Transaction, asynchronous
soapversion                    var://service/log/soapversion                         Service, multistep
sslprofile                     var://local/_extension/sslprofile                     Extension
strict-error-mode              var://service/strict-error-mode                       Transaction, error handling
timeout                        var://service/wsa/timeout                             Transaction, WSM
transaction-key                var://service/transaction-key                         Transaction, asynchronous
transaction-name               var://service/transaction-name                        Transaction, asynchronous
transaction-timeout            var://service/transaction-timeout                     Transaction, asynchronous
URI                            var://service/URI                                     Transaction, URL
wsdl-error                     var://service/wsm/wsdl-error                          Transaction, WSM
wsdl-warning                   var://service/wsm/wsdl-warning                        Transaction, WSM
Getting a fix
A product fix might be available to resolve your problem. To determine what fixes
are available for your IBM product, check the product support site by performing
the following steps:
1. Go to the IBM Support site at the following Web address:
http://www.ibm.com/support
2. Select Support & Downloads → Download to open the Support & downloads
page.
3. From the Category list, select WebSphere.
4. From the Sub-Category list, select WebSphere DataPower SOA Appliances.
5. Click the GO icon to display the list of most recent updates.
6. Click the link for the firmware and documentation download that is specific to
your WebSphere DataPower product.
7. Follow the instructions in the technote to download the fix.
Trademarks
IBM, the IBM logo, CICS, developerWorks, DB2, DataPower, IMS, RACF,
Redbooks, Tivoli, WebSphere, and z/OS are registered trademarks of the
International Business Machines Corporation in the United States or other
countries.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
and/or other countries.
Microsoft and Windows are trademarks of Microsoft Corporation in the United
States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other countries.
Copyright IBM Corp. 2004, 2009
Other company, product, and service names may be trademarks or service marks
of others.
Index
Special characters
?wsdl URI 68
... button
list of referenced object 3
referenced object 2
.java.policy file 209
[configuration-database] stanza, file
entry 272
[ldap] stanza, ssl-keyfile-pwd entry 272
[manager] stanza, replica entry 272
<results> element 168
<url> element 168
+ button
list of referenced object 3
referenced object 2
A
AAA
authentication
search parameters 286
search parameters 286
TFIM 274
aaa action
dictionary attack, protection 64
purpose 100
AAA action
defining 106
AAA Info file
Authenticate element 268
Authorize element 268
editor
authenticated identities 269
authorized access to
resources 271
confirmation 271
credentials 269
default credential 268
file information 271
map credentials 270
map resources 270
overview 268
unauthenticated identity 268
MapCredentials element 268
MapResource element 268
overview 267
AAA Info File
authentication 185
authorization, AAA 199
credentials mapping, AAA 187
resources mapping, AAA 191
AAA Policy
AAA Info file
Authenticate element 268
Authorize element 268
MapCredentials element 268
MapResource element 268
overview 267
authentication
AAA info file 185
actions (continued)
convert-http
defining 110
purpose 101
cryptobin
defining 111
purpose 101
decrypt
defining 119
Encrypted tokens 399
purpose 101
defining 106
encrypt
defining 121
Encrypted tokens 399
ID references 399
purpose 101
SOAP message with
WS-Security 121
SOAP message with XML
encryption 130
XML message with XML
encryption 132
event-sink 134
purpose 101
extract
defining 135
purpose 101
fetch
attachment protocol 167
defining 135
locating remote resources 165
purpose 101
query parameters 167
specifying remote locations 166
filter
conformance filter 138
defining 136
purpose 101
replay filter 137
required elements filter 137
standard filter 136
WS-Security message layout
filter 138
for-each 139
purpose 101
for-each action
specifying multiple URLs 166
log
defining 142
locating remote resources 165
purpose 102
specifying remote locations 166
method rewrite
defining 150
MQ Header
modifying reply queue 145
modifying reply queue
manager 146
modifying request message
headers 143
modifying response message
headers 144
overview 142
retrieving responses with
correlation ID 144
actions (continued)
MQ Header (continued)
retrieving responses with message
ID 144
on-error
defining 146
defining reusable rules 165
purpose 102
variable builder 168
purpose 100
results
attachment protocol 167
defining 148
locating remote resources 165
purpose 102
query parameters 167
specifying multiple URLs 166
specifying remote locations 166
results-async
attachment protocol 167
defining 149
locating remote resources 165
purpose 102
query parameters 167
specifying multiple URLs 166
specifying remote locations 166
rewrite header
purpose 102
rewrite header (rewrite)
defining 150
rewrite method
purpose 102
route-action
defining with style sheet 151
defining with XPath
expression 151
purpose 102
route-set
defining 152
locating remote resources 165
purpose 102
specifying remote location 166
setvar
defining 152
purpose 103
variable builder 168
sign
defining 153
generating signature confirmation 402
ID references 399
purpose 103
verifying signature confirmation 402
slm
defining 155
purpose 103
sql
defining 155
purpose 103
strip-attachments
defining 156
purpose 103
supported protocols 165
validate 162
purpose 103
IBM WebSphere DataPower XML Integration Appliance XI50: Web Service Proxy Developers Guide
verify
adding 164
generating signature confirmation 402
Kerberos AP-REQ tokens, remote 401
purpose 103, 164
SAML assertions, remote 401
verifying signature confirmation 402
X.509 certificates, remote 400
xform
defining 157
defining buffer attachment transform 161
defining conformance transform 161
defining SOAP refinement transform 159
purpose 103
xformbin
defining 157
purpose 103
xformpi
defining 158
purpose 103
Add button
list of referenced object 3
admin account
exporting configuration data 215
Administration menu 1
administrative states, objects 6
allow compression policy, user agent 343
antivirus (antivirus) action
defining 106
antivirus action
purpose 100
AP-REQ message, Kerberos 276
appliance configuration
backing up 215, 216
comparing 224
configuration checkpoints 220
copying
files 219
objects 219
exporting 215
select objects and files 217
importing configuration 222
managing configuration changes 224
moving
files 219
objects 219
reading change report 225
reverting changes 225
undoing changes 225
appliance-wide log
location 205
application domains
backing up configuration 216
Apply button 4
asymmetric signatures
verifying 164
asynchronous transaction variables
service/transaction-timeout 408
B
backend-timeout variable 405
basic configuration
MQ Front Side Handler 88
Basic Profile 1.0
Conformance Policy 281
Basic Profile 1.1
Conformance Policy 281
Basic Security Profile 1.0
Conformance Policy 281
BinarySecurityToken
authentication, AAA 184
identity extraction, AAA 174
binding
Web Service Proxy 33
bold typeface xii
buffer-attachments.xsl style sheet 161
builder
deployment policy 227
buttons
... 2
+ 2
Apply 4
Cancel 4
Delete 5
Edit 3
Logout 1
Save Config 1, 4
Undo 5
View 3
C
CA Unicenter Manager 394
caches
flushing
document cache 395
stylesheet cache 396
caching policy
AAA Policy
authentication 188
authorization 199
call action
defining 108
defining reusable rules 165
purpose 100
call processing rule (call) action
variable builder 168
call processing rule action
See call action
Cancel button 4
cert: directory 205
certificate files
location 205
Certificate objects
export packages 215
certificates
DER 9
exporting 11
generating 10
importing 12
PEM 9
PKCS #12 9
PKCS #8 9
security
location, shared 206
location, Web browsers 206
supported formats 9
uploading 209
checkpoint action
purpose 100
checkpoint configuration files
location 205
checkpoint event (checkpoint) action
defining 109
chkpoints: directory 205
CICS Transaction Server 204
clear pdp cache CLI 280
clear xsl cache CLI 280
ClearTrust
authentication, AAA 183
authorization, AAA 193
client-to-server rule 100
Clone link 6
commands
clear pdp cache 280
clear xsl cache 280
web-mgmt 1
Compile Options Policy
object pages 284
compression policy, user agent 343
conditional action
defining 109
purpose 100
config: directory 205
configuration
managing appliance configuration 213
configuration checkpoints
defining number to allow 220
deleting 222
listing 221
loading 222
overwriting 221
rolling back 222
saving 221
configuration data
applying 4
backing up
WebGUI 215, 216
backing up application domains 216
comparing
WebGUI 224
configuration checkpoints 220
copying
files 219
objects 219
different release level 215
exchanging 215
exporting
location of files 205
count monitors
configuring 234
Count Monitors
Web Service Proxy 357
credentials
identification
configuring 15
creating 15
credentials mapping
LDAP 286
search parameters 286
credentials mapping, AAA
AAA Info file 187
available methods 186
custom 186
from identity extraction 187
none 187
TFIM 187
WS-SecureConversation 187
crypto binary (cryptobin) action
defining 111
crypto binary action
See cryptobin action
Crypto Certificate
configuring 13
creating 13
object pages 13
Crypto Firewall Credentials
object pages 15
Crypto Identification Credentials
object pages 15
Crypto Key
configuring 16
creating 16
object pages 16
Crypto Profile
configuring 18
creating 18
object pages 18
Crypto Tools
exporting certificates 11
exporting keys 11
generating certificates 10
generating keys 10
importing certificates 12
importing keys 12
Crypto Validation Credentials
object pages 22
cryptobin action
defining 111
purpose 101
cryptography
shared secrets 20
customer support
contacting 418
obtaining fixes 417
searching knowledge bases 417
D
dashboard 1
DataPower discussion forum xi
DataPower product Web site xi
debugging
processing policies 169
decrypt action
defining 119
Duration Monitors
Web Service Proxy 357
Dynamic Endpoints
Web Service Proxy 358
E
Edit button 3
elements
EncryptedData element 399
SecurityTokenReference 400
SignatureConfirmation 401
enabled administrative state 6
encoding, chunked content 345
encrypt action
defining 121
Encrypted tokens 399
ID references 399
purpose 101
SOAP message with WS-Security 121
SOAP message with XML encryption 130
XML message with XML encryption 132
encrypt-soap.xsl file 130
encrypt-wssec.xsl file 121
encrypt.xsl file 132
encrypted tokens
EncryptedData element 399
EncryptedData element 399
Endpoint Rewrite Policy
description 375
error code rule 99
error handling variables
listing 409
service/error-code 409
service/error-ignore 409
service/error-message 409
service/error-protocol-reasonphrase 409
service/error-protocol-response 409
service/error-subcode 409
service/strict-error-mode 410
error rule 100
event-sink action
defining event-sink 134
purpose 101
examples
specifying dual thresholds 240
Export link 5
export packages
admin account 215
files not included 215
objects not included 215
permission 215
export: directory 205
Extensible Access Control Markup Language
See XACML PDP
extension functions
node-set() 394
set-target() 151
xs:decimal() 284
extension variables
listing 412
local/_extension/allowcompression 413
F
fault-tolerance
TIBCO EMS 324, 328
fetch action
attachment protocol 167
defining 135
locating remote resources 165
purpose 101
query parameters 167
specifying remote locations 166
supported protocols 165
file entry, [configuration-database] stanza 272
File Management utility, launching 207
file system
See directories
files
.java.policy 209
AAAInfo.xsd 267
auto-config.cfg 4
certificates
location 205
checkpoint configurations
location 205
configurations
location 205
copying 210
remote URL 210
decrypt.xsl 120
deleting 212
editing
during configuration 4
File Management utility 212
encrypt-soap.xsl 130
encrypt-wssec.xsl 121
encrypt.xsl 132
exported, location 205
fetching 210
managing 205
moving 211
not in export packages
firmware files 215
log files 215
pkcs7-decrypt.xsl 118
pkcs7-encrypt.xsl 116
pkcs7-sign.xsl 112
pkcs7-verify.xsl 114
private keys
location 205
renaming 211
SQL-Injection-Filter.xsl 62
SQL-Injection-Patterns.xml 62
TAM
ASCII configuration 272
creating configuration 273
modifying configuration 272
obfuscated configuration 272
SSL key 272
SSL stash 272
tibco.conf 330
uploading
JKS 209
remote 210
workstation 208
viewing
during configuration 4
File Management utility 212
filter action
conformance filter 138
Conformance Policy 281
defining 136
purpose 101
replay filter 137
required elements filter 137
SQL injections, protection 62
standard filter 136
WS-Security message layout filter 138
filter-accept-all.xsl style sheet 136
filter-reject-all.xsl style sheet 136
filtered configuration
deployment policy 226
Firewall Credentials
configuring 15
creating 15
firmware files
between release levels 215
export packages 215
firmware images
location 205
fixes, obtaining 417
flash drive
See directories
for-each
purpose 101
for-each action
defining for-each 139
locating remote resources 165
specifying multiple URLs 166
use cases 139
Front Side Handler
object pages
FTP Poller 69
FTP Server 72
HTTP 83
HTTPS 85
IMS Connect 86
MQ 87
NFS Poller 90
Stateful Raw XML 93
Stateless Raw XML 94
TIBCO EMS 95
WebSphere JMS 97
FTP client
command channel
encrypting 346
stopping encryption after authentication 346
data (ASCII, binary) 346
encrypting file transfers 346
NAT compatibility 346
passive mode 346
sending command to server 346
unique file names (STOU, STOR) 346
user agent 346
FTP Poller
Front Side Handler 69
ftp protocol 165
FTP Server
Front Side Handler 72
G
general variables
listing 404
service/soap-fault-response 404
GET requests
WSDL file 68
H
HEAD requests
WSDL file 68
header injection policy, user agent 345
header retention policy, user agent 344
heartbeat detection, TIBCO 330
HMAC signatures
verifying 164
HTTP 1.0 restriction policy, user agent 344
HTTP 1.1
chunked contents 345
Content-Length header 345
HTTP Front Side Handler 83
HTTP header
identity extraction, AAA 173
HTTP Header Injection
Web Service Proxy 365
HTTP header matching rule 99
HTTP header parameters
Web Service Proxy
configuring 46
injection parameters 46
suppression parameters 47
HTTP Header Suppression
Web Service Proxy 365
HTTP headers
Accept-Encoding, retaining 344
Authorization 342
Content-Length 345
MQMD, retaining 344
Range, retaining 344
request-header 340
SoapAction 342
TE, retaining 344
HTTP method matching rule 99
HTTP operations
resource extraction, AAA 189
HTTP Options
Web Service Proxy 355
http protocol 165
HTTP proxy policy
securing with SSL proxy policy 341
user agent 341
HTTPS Front Side Handler 85
https protocol 165
I
IBM Tivoli Access Manager
See TAM
IBM Tivoli Federated Identity Manager
See TFIM
ICRX token 204
ID references
encrypt action 399
sign action 399
Identification Credentials
configuring 15
creating 15
identity extraction
AAA
BinarySecurityToken, WS-Security Header 174
identity extraction, AAA
available methods 173
client IP address 177
connection peer
Token Subject DN, SSL 176
custom 179
extracted token
as cookie value 178
from message 178
HTTP Authentication Header 173
LTPA token 178
Processing Metadata 178
SAML artifact 177
SAML assertion
AttributeStatement 176
AuthenticationStatement 176
SPNEGO
Kerberos AP-REQ 175
subject DN
certificate in message
signature 177
SAML assertions, remote 401
SSL certificate 176
X.509 certificates, remote 400
WS-SecureConversation
Identifier 174
WS-Security Header
Kerberos AP-REQ 175
UsernameToken, derived-key 174
UsernameToken, password-carrying 173
WS-Trust
Base 175
Supporting 175
image: directory 205
Import Package
creating 214
IMS Connect
object pages
Main 287
URL builder 64
J
J2RE (j2re1.4.2) 209
j2re1.4.2 (J2RE) 209
j2sdk1.4.2 (SDK) 209
Java Crypto Extension
See SunJCE
Java Crypto Extension Key Store
See JCEKS
Java Key Store
See JKS
Java Message Service
See JMS
java.security package 209
JCE
See SunJCE
JCEKS 209
JetStream Formats and Protocols
See JFAP
JKS
crypto extension 209
granting permissions 209
java.security package 209
keytool utility 209
managing 209
required software 209
uploading certificates 209
working with 209
K
KDC, Kerberos 276
Kerberos
AP-REQ message 276
configuring KDC server 277
KDC 276
keytab 276
principal 276
signature verification 164
Kerberos AP-REQ
authentication, AAA 185
identity extraction, AAA
SPNEGO 175
WS-Security Header 175
post processing, AAA 202
verify action 401
Kerberos AP-REQ tokens, remote 401
Kerberos KDC server
configuring 277
creating 277
object pages 277
Kerberos keytab
configuring 278
definition 276
Kerberos Keytab File
object pages 278
Key Distribution Center
See KDC
Key objects
export packages 215
key-certificate pairs
creating 9
keys
DER 9
exporting 11
generating 10
importing 12
PEM 9
PKCS #12 9
PKCS #7 9
supported formats 9
keywords
contexts
INPUT 104
NULL 104
OUTPUT 104
PIPE 104
knowledge bases
searching 417
L
LDAP
authentication
search parameters 286
authentication, AAA 180
authorization, AAA 193
credentials mapping
search parameters 286
search parameters 286
licensing
sending inquiries 419
links
Clone 6
Export 5
Show Probe 7
View Logs 5
View Status 6
load balancer group
adding members 297
basic configuration 297
creating 289, 296
health
convalescent (down) 294
healthy (up) 294
quarantined (softdown) 294
health checks
enabling 299
overriding port 297
health of members 294
members
assigning weight 300
disabling members 301
server state 289
Load Balancer Group
example
DataPower service 67
replacing back-end server 67
M
map message
TIBCO EMS 95
MapCredentials element, AAA Info file 268
MapResource element, AAA Info file 268
Matching Rule
object pages 304
matching rules
error code 99
HTTP header 99
HTTP method 99
processing policies 99
URL 99
XPath 99
matching statements
deployment policy builder 227
deployment policy, manual 228
message catalogs 206
message layout filter, WS-Security 138
message monitors
configuring 230
count monitors 234
duration monitors 236
filter action 233
message type 233
traffic definition 231
messages
validating conformance 281
method rewrite action
defining 150
MMXDoS, protection 61
modified configuration
deployment policy 226
Modified configuration state 6
monitoring statistics, enabling 238
monitors
count monitors
configuring 234
duration monitors
configuring 236
message monitors
configuring 230
count monitors 234
duration monitors 236
filter action 233
message type 233
traffic definition 231
types 229
Web Service Proxy 357
Web services monitors
configuring 238
enabling 238
overview 238
specifying dual thresholds 240
monospaced typeface xii
MQ
URL builder 65
MQ Front Side Handler 87
advanced configuration 90
basic configuration 88
configuration 87
properties and headers
configuration 89
publish and subscribe
configuration 89
MQ Get Message Options (GMO)
MQGET options 88
MQGMO_* 88
MQ header action
modifying
reply queue 145
reply queue manager 146
request message headers 143
response message headers 144
overview 142
retrieving responses
with correlation ID 144
with message ID 144
MQ Host variables
listing 406
service/correlation-identifier 407
N
namespace mappings, AAA Policy 266
NAT
FTP clients 346
navigation
Administration menu 1
Network menu 1
Objects menu 1
Services menu 1
Status menu 1
Netegrity
authentication, AAA 183
authorization, AAA 193
Network Address Translation
See NAT
Network menu 1
New configuration state 6
NFS Poller Front Side Handler 90
node-set() extension function 394
notices 419
NULL keyword 104
O
object pages
AAA Policy
Authenticate 248
Authorize 257
Identity 246
LTPA Attributes 265
Main 243
Map Credentials 254
Map Resource 256
Namespace Mapping 264
Post Processing 263
Resource 255
SAML Attributes 264
Transaction Priority 265
Compile Options Policy 284
Conformance Policy 281
Crypto Certificate 13
Crypto Firewall Credentials 15
Crypto Identification Credentials 15
Crypto Key 16
Crypto Profile 18
Crypto Validation Credentials 22
Deployment Policy 226
Document Crypto Map
Main 285
Namespace Mappings 285
Front Side Handler
FTP Poller 69
FTP Server 72
HTTP 83
HTTPS 85
IMS Connect 86
MQ 87
NFS Poller 90
Stateful Raw XML 93
Stateless Raw XML 94
TIBCO EMS 95
WebSphere JMS 97
IMS Connect
Main 287
Include Configuration File 213
Kerberos KDC server 277
Kerberos Keytab File 278
Matching Rule 304
Processing Metadata
Main 305
Metadata Items 305
Processing Policy
Main 306
Policy Maps 307
Processing Rule 307
Schema Exception Map
Main 308
Rules 309
SLM Action 312
SLM Credentials Class 311
SLM Resource Class 312
SLM Schedule 313
objects (continued)
referenced (continued)
+ button 2
creating 2
modifying 2
selecting 2
status 6
TFIM 274
Objects menu 1
on-error
variable builder 168
on-error action
defining 146
defining reusable rules 165
purpose 102
Operation Priority
Web Service Proxy 369
operational states, objects 6
output context, actions 104
OUTPUT keyword 104
P
parameters, HTTP header
Web Service Proxy
configuring 46
injection parameters 46
suppression parameters 47
parameters, style sheets
Web Service Proxy
defining 47
Parser Limits
Web Service Proxy 356
patents 419
peer group
defining 313
PEM
certificate format 9
key format 9
persistent connections variables
listing 410
service/connection/note 411
PIPE keyword 104
PKCS #12
certificate format 9
key format 9
PKCS #7
certificate format 9
decrypting documents 118
encrypting documents 116
signing documents 111
verifying signed documents 114
PKCS #8
key format 9
pkcs7-decrypt.xsl file 118
pkcs7-encrypt.xsl file 116
pkcs7-sign.xsl file 112
pkcs7-verify.xsl file 114
Policy Decision Point
See XACML PDP
portType
Web Service Proxy 33
post processing, AAA
Authorized Counter 200
available activities 201
CICS Transaction Server 204
Count Monitors 200
Q
query parameters
actions 167
attachment protocol 167
queues
TIBCO EMS 94
WebSphere JMS 96
R
RADIUS
authentication, AAA 185
Range header, retaining 344
Redbooks Web site xi
referenced objects
... button 2
+ button 2
creating 2
modifying 2
selecting 2
referenced objects, lists
... button 3
+ button 3
Add button 3
adding 3
creating 3
Delete button 3
deleting 3
modifying 3
selecting 3
registry objects
UDDI Registry
configuring 332
Rejected Counter Tool 200
replay filter 137
replay-filter.xsl style sheet 137
replica entry, [manager] stanza 272
request-header, HTTP 340
required-elements-filter.xsl style sheet 137
resource extraction, AAA
available methods 188
HTTP operations 189
local name of request element 189
Processing Metadata 189
URI of top-level element 188
URL from client 188
URL to backend 188
XPath from request 189
resources mapping, AAA
AAA Info File 191
available methods 190
custom 190
none 190
TAM 190
TFIM 190
XPath from resource extraction 191
restriction policy for HTTP 1.0, user agent 344
results action
<results> element 168
<url> element 168
attachment protocol 167
defining 148
locating remote resources 165
purpose 102
query parameters 167
specifying multiple URLs 166
supported protocols 165
results asynchronous action
See results-async action
results-async
defining 149
results-async action
<results> element 168
<url> element 168
S
S11:actor SOAP attribute 159
S11:mustUnderstand SOAP attribute 159
S12:mustUnderstand SOAP attribute 159
S12:notUnderstood SOAP attribute 159
S12:relay SOAP attribute 159
S12:role SOAP attribute 159
SAML assertion
authentication, AAA
artifact 184
valid signature 179
identity extraction, AAA
AttributeStatement 176
AuthenticationStatement 176
post processing, AAA 201
SAML assertions 401
AAA Policy
authentication 401
identity extraction 401
verify action 401
SAML attributes
defining, AAA Policy 266
SAML server
authorization, AAA
attribute query 195
authorization query 195
SLM action
See slm action
SLM Action
creating 312
object pages 312
SLM Credentials Class
creating 311
object pages 311
SLM Peer Group
Web Service Proxy 31
SLM policy
adding statements 310
creating 310
creating SLM actions 312
SLM Policy
creating SLM Credentials Class objects 311
creating SLM Resource Class objects 312
creating SLM schedules 313
SLM Resource Class
creating 312
object pages 312
SLM Schedule
creating 313
object pages 313
SLM statements
adding to policy 310
overview 309
smtp protocol 165
SOAP attributes
S11:actor 159
S11:mustUnderstand 159
S12:mustUnderstand 159
S12:notUnderstood 159
S12:relay 159
S12:role 159
SOAP Header Disposition Table
object pages
Main 314
SOAP Header Refine Instruction 314
SOAP refinement transform 159
SOAP service provider type 159
soap-refine.xsl style sheet 159
SoapAction header 342
specifying remote locations 166
specifying multiple URLs 166
SPNEGO
identity extraction, AAA 175
Kerberos AP-REQ 175
post processing, AAA 203
sql action
defining 155
purpose 103
SQL action
See sql action
SQL Data Source
adding configuration parameters 316
base configuration 315
defining 315
high-level configuration 315
SQL injections, protection 62
sql protocol 165
SQL-Injection-Filter.xsl style sheet 62
SQL-Injection-Patterns.xml file 62
SSL
client proxy, creating 20
forward proxy, creating 20
reverse, proxy, creating 21
server proxy, creating 21
two-way proxy, creating 21
SSL authentication 18
SSL proxy policy, user agent 341
SSL Proxy Profile
creating
client proxy 20
forward proxy 20
reverse proxy 21
server proxy 21
two-way proxy 21
object pages 20
ssl-keyfile-pwd entry, [ldap] stanza 272
Stateful Raw XML Handler 93
Stateless Raw XML Handler 94
statistics, enabling 238
Status menu 1
store: directory 206
STR dereference transform 400, 401
strip-attachments action
defining 156
purpose 103
style sheets
buffer-attachments.xsl 161
conformance-filter.xsl 138
conformance-xform.xsl 161
filter-accept-all.xsl 136
filter-reject-all.xsl 136
flushing the cache 396
location 206
replay-filter.xsl 137
required-elements-filter.xsl 137
soap-refine.xsl 159
wssecurity-message-layout-filter.xsl 138
Stylesheet Parameter
Web Service Proxy 366
stylesheet parameters
Web Service Proxy
defining 47
subdirectories
creating 207
deleting 208
subscribe
MQ Front Side Handler 89
SunJCE
JCEKS 209
support
See customer support
symmetric signatures
verifying 164
Synchronous to WS-Addressing Mode 48
system variables
listing 414
system/map/debug 414
system/tasktemplates/debug 414
system/map/debug variable 414
system/tasktemplates/debug variable 414
T
TAM
ASCII configuration file 272
authentication, AAA 184
authorization server replicas 273
authorization, AAA 192
configuration, general 272
configuring TAM objects 273
creating configuration files 273
creating TAM objects 273
licensing 271
modifying configuration files 272
obfuscated configuration file 272
object pages 273
refreshing certificates 273
resources mapping, AAA 190
security 272
SSL key file 272
SSL stash file 272
tasktemplates: directory 207
tcp protocol 165
tcps protocol 165
TE header, retaining 344
temporary: directory 207
TFIM
AAA 274
credentials mapping, AAA 187
object 274
object pages 274
post processing, AAA 203
resources mapping, AAA 190
TFIM endpoint
WS-Trust messages 274
threat protection
denial-of-service
multiple message 61
single message 60
dictionary attack 64
protocol 62
SQL injections 62
XML virus (X-Virus) 63
TIBCO EMS
fault-tolerant hosts 324, 328
heartbeat detection 330
load-balanced hosts 326, 328
map message 317
object pages 316
tibco.conf 330
transactional messaging 320
unique host 323
URL builder 66
TIBCO EMS Front Side Handler
map message 95
purpose 94
queues 94
support 94
topic spaces 94
TIBCO Rendezvous 94
TIBCO SmartSockets 94
tibco.conf file 330
Tivoli Access Manager
See TAM
topic spaces
TIBCO EMS 94
WebSphere JMS 97
trademarks 419
U
UDDI registry
publishing to 334
UDDI Registry
configuring 332
object pages 332
UDDI subscription
viewing status 334
UDDI Subscription
configuring UDDI Subscription objects 333
creating UDDI Subscription objects 333
object pages 333
UDDI subscriptions
Web Service Proxy 25
ultimate service provider, SOAP 159
Undo button 5
up operational state 6
URI, ?wsdl 68
URL builder
IMS Connect 64
MQ 65
TIBCO EMS 66
WebSphere JMS 67
URL Map
object pages
Main 335
URL Map Rule 335
URL matching rule 99
URL Rewrite Policy
object pages
Main 335
URL Rewrite Rule 336
use cases
for-each action 139
User Agent
creating 340
default configuration 339
modifying basic configuration 340
overview 339
policies
allow-compression policy 343
basic authentication 339, 342
chunked upload 345
chunked uploads, HTTP 1.1 339
compression 339
compression policy 343
FTP client 339, 346
header injection 339, 345
header retention 339, 344
HTTP 1.0 restriction policy 344
HTTP proxy 339
HTTP proxy policy 341
public key authentication 339, 343
restriction, HTTP 1.0 339
SOAP action 342
SOAPAction 339
SSL proxy 339
SSL proxy policy 341
User objects
export packages 215
user policy
Web Service Proxy 39
User Policy
Web Service Proxy 367
UsernameToken
identity extraction, AAA
derived-key 174
password-carrying 173
post processing, AAA 203
utilities
keytool 209
V
validate action 162
purpose 103
Validation Credentials
creating
non-expiring, non-password-protected certificates 22
select certificates 23
types of lists 22
variable builder 168
variables
asynchronous
service/soap-oneway-mep 408
asynchronous transactions
listing 408
service/transaction-key 408
service/transaction-name 408
service/transaction-timeout 408
configuration service
listing 405
service/config-param/ 405
service/max-call-depth 405
error handling
listing 409
service/error-code 409
service/error-ignore 409
service/error-message 409
service/error-protocol-reasonphrase 409
service/error-protocol-response 409
service/error-subcode 409
service/strict-error-mode 410
extension
listing 412
local/_extension/allowcompression 413
local/_extension/donot-follow-redirect 413
local/_extension/header/ 413
local/_extension/http-10-only 413
local/_extension/prevent-persistent-connection 413
local/_extension/sslprofile 413
local/_extension/timeout 414
general
listing 404
service/soap-fault-response 404
list, all available 415
load balancer service
listing 406
service/lbhealth/ 406
MQ Host
listing 406
service/correlation-identifier 407
service/expiry 407
service/format 407
service/message-identifier 407
service/message-type 407
service/mq-ccsi 406
service/mqmd-reply-to-q 406
service/mqmd-reply-to-qm 406
service/persistence 407
service/priority 407
service/reply-to-q 407
service/reply-to-qm 407
service/report 407
MQ Proxy
listing 406
service/correlation-identifier 407
service/expiry 407
service/format 407
service/message-identifier 407
service/message-type 407
service/mq-ccsi 406
service/mqmd-reply-to-q 406
service/mqmd-reply-to-qm 406
service/persistence 407
service/priority 407
service/reply-to-q 407
service/reply-to-qm 407
service/report 407
Multi-Protocol Gateway
backend-timeout 405
service/reply-to-q 405
service/reply-to-qm 405
skip-backside 405
multistep
log/soapversion 407
persistent connections
listing 410
service/connection/note 411
service
listing 404
type 404
system
listing 414
system/map/debug 414
system/tasktemplates/debug 414
transaction
listing 408
type 408
transaction headers
listing 410
service/append-request-header/ 410
service/append-response-header/ 410
service/set-request-header/ 410
service/set-response-header/ 410
transaction routing
listing 411
service/routing-url 411
service/routing-url-sslprofile 411
transaction URL
listing 411
service/protocol-method 412
service/URI 412
types 403
using 403
Web Service Proxy
backend-timeout 405
service/reply-to-q 405
service/reply-to-qm 405
skip-backside 405
WSM
listing 412
service/wsa/genpattern 412
service/wsa/timeout 412
service/wsm/wsdl-error 412
service/wsm/wsdl-warning 412
verify action
adding 164
generating signature
confirmation 402
Kerberos AP-REQ tokens, remote 401
purpose 103, 164
SAML assertions, remote 401
verifying signature confirmation 402
X.509 certificates, remote 400
View button 3
View Logs link 5
W
Web Management Interface 1
Web Service Proxy
basic configuration
UDDI subscriptions 25
WSDL files 25
WSRR subscriptions 25
configuring 25
configuring processing policies 32
configuring SLM peer group 31
configuring SLMs 29
configuring user policy 39
configuring Web Service Proxy objects 346
creating 25
creating Web Service Proxy objects 346
HTTP header
configuring parameters 46
injection parameters 46
suppression parameters 47
minimal working configuration 347
object pages
Dynamic Endpoints 358
HTTP Header Injection 365
HTTP Header Suppression 365
HTTP Options 355
Main 348
Monitors 357
Operation Conformance Policy 371
Operation Policy Subject Opt Out 372
Operation Priority 369
Parser Limits 356
Policy Parameters 373
Proxy Settings 350
Reliable Messaging 374
Stylesheet Parameter 366
UDDI Subscription 369
User Policy 367
WS-Addressing 357
WS-ReliableMessaging 359
WSDL Cache Policy 366
WSDL File 367
WSRR Subscription 369
proxy settings
advanced 43
basic 41
publishing to UDDI registry 334
reading traffic graphs 30
service description 346
service variables
backend-timeout 405
service/reply-to-q 405
service/reply-to-qm 405
skip-backside 405
show portType and binding nodes 33
style sheets
defining parameters 47
threat protection 60
WS-Addressing
configuring 48
WS-Addressing to WS-Addressing 51
WS-Proxy
Endpoint Rewrite 375
WS-Proxy Endpoint Rewrite
Local Rewrite Rule 376
object pages
Local Rewrite Rules 376
Main 376
Publish Rewrite Rule 379
Remote Rewrite Rule 378
Subscription Local Rewrite Rule 380
Subscription Publish Rewrite Rule 382
Subscription Remote Rewrite Rule 381
Publish Rewrite Rule 379
Remote Rewrite Rule 378
Subscription Local Rewrite Rule 380
Subscription Publish Rewrite Rule 382
Subscription Remote Rewrite Rule 381
WS-ReliableMessaging
Web Service Proxy 359
configuring 54
WS-SecureConversation
authentication, AAA 184
credentials mapping, AAA 187
identity extraction, AAA 174
WS-Security
message layout filter 138
WS-Security Header
identity extraction, AAA
BinarySecurityToken 174
UsernameToken, derived-key 174
UsernameToken, password-carrying 173
WS-Security Management
See WSSM
WS-Trust
authentication, AAA 182
identity extraction, AAA 175
post processing, AAA 202
WS-Trust messages
TFIM endpoint 274
WSDL
GET method 68
HEAD method 68
retrieving 68
verify as live 68
WSDL Cache Policy
Web Service Proxy 366
WSDL File
Web Service Proxy 367
WSM variables
listing 412
service/wsa/genpattern 412
service/wsa/timeout 412
service/wsm/wsdl-error 412
service/wsm/wsdl-warning 412
WSRR
configuration overview 390
overview 390
server configuration 391
subscription configuration 392
WSRR Server
object pages 391
WSRR Subscription
concept 392
object pages 392
synchronizing, manual
available methods 394
from configuration screen 394
from Status object 394
WSRR subscriptions
Web Service Proxy 25
wssecurity-message-layout-filter.xsl style sheet 138
WTX
xformbin action 157
X
X-Virus, protection 63
X.509 certificates 400
AAA Policy
authentication 400
identity extraction 400
verify action 400
XACML PDP
authorization, AAA 198
configuring 279
object pages 279
XDoS, protection 60
xform
defining standard transform 157
XML messages 157
xform action
defining 157
defining buffer attachment transform 161
defining conformance transform 161
defining SOAP refinement transform 159
purpose 103
xformbin action
defining 157
purpose 103
xformpi action
defining 158
purpose 103
XML Manager
caches
flushing the document cache 395
flushing the stylesheet cache 396
configuring 394
document cache, flushing 395
Load Balancer Group
DataPower service 67
modifying 394
object pages 394
XML virus, protection 63
XPath bindings
AAA Policy 266
XPath matching rule 99
xs:decimal() extension function 284
Z
z/OS identity propagation 204
Printed in USA