Usage of Evaluate Hostname Action with wM Mediator

1. INTRODUCTION

This tutorial explains the configuration and usage of the runtime action "Evaluate Hostname" using CentraSite and webMethods Mediator.

The Evaluate Hostname runtime policy enforcement helps with the following:

  • Identify the hostname of the consumer application making the request to the virtual service

  • Validate that hostname against a set of global or pre-registered consumer applications in wM Mediator

2. PRE-REQUISITE

  1. Basic knowledge of the wM Mediator runtime
  2. A wM Mediator target should be created in CentraSite
  3. The CentraSite configuration should be done in Mediator to validate the result

Steps involved when using the Evaluate Hostname action in CentraSite BusinessUI or Control:

  1. Create a Consumer Application (HostNameConsumers) with an Identification token (VMCHNSMGME01) and deploy it to wM Mediator
  2. Create a virtual alias in BusinessUI
  3. Configure the virtual alias with the Evaluate Hostname action for policy enforcement
  4. Deploy the virtual alias to wM Mediator
  5. Invoke the virtual service deployed in Mediator using a SOAP client (e.g. SOAPUI)
  6. Validation and troubleshooting

3. CONFIGURATIONS

3.1 Create and configure a consumer application with identification token:

Log in to the CentraSite Control UI and create an asset of type “Application”.
Choose "Identification token" as the identifier and set the attribute value to the hostname of the client machine (VMCHNSMGME01) from which the request is expected to come.

  1. Navigate to Operations → Deployment and open the "Deploy Consumers" tab. Select the target(s) and click "Synchronize" to deploy the Consumer Application to wM Mediator, then confirm that the status is success.
    (You can now use the Evaluate Hostname policy to allow only these consumer applications, or to identify the calling applications, for virtual services in Mediator.)
  2. Validate the deployed consumer application and its expected attribute in wM Mediator.

Open the wM Mediator page, http://<mediator_host>:5555/WmMediator, click the “Consumers” link and verify that the deployed Consumer Application is listed.

3.2 Create a virtual alias in BusinessUI with Evaluate Hostname Action

Perform the following steps to create a virtual alias with the Evaluate Hostname action:

    1. Log in to BusinessUI and open the details page of the service that needs to be virtualized.

Click the "Virtualize" action to open the virtualization wizard. Enter an alias name (e.g. VS_EchoWS_Hostname) in the "Create a New Virtual Alias" input box, select an endpoint from the list of "Endpoints of to Virtualize" and click "Next".

3.3 Configure the Evaluate Hostname policy

  1. Navigate to the "Policy Enforcement" heading → "Security" → drag and drop the "Evaluate Hostname" action into the "Enforce" message flow.
  2. Click the configure icon, which appears when you hover over the "Evaluate Hostname" text in the message flow.
  3. Select one of the following options to identify the consumer(s):
    • "Global Consumers" - Mediator will try to verify the client’s hostname against a list of all global consumers available in the Mediator.
    • "Registered Consumers" - Mediator will try to verify the client’s hostname against the list of consumer applications which are registered as consumers for this specific API.

Optional step: Apply the Log Invocation policy to the virtual service and select CentraSite as the destination for the log data. This step is only needed to generate and validate the events.

  4. Click "Virtualize" to complete the virtualization of the service.

4. DEPLOY AND VALIDATE THE DEPLOYMENT

Deploy the virtual alias (e.g. VS_EchoWS_Hostname) to the webMethods Mediator target(s) by clicking the "Publish…" option in BusinessUI.

Verify the mediated service in the webMethods Mediator page.
Open http://<mediator_host>:5555/WmMediator in a web browser and provide credentials to access the page.

Click the “Services” link to list the mediated service(s) in webMethods Mediator and find the virtual service (e.g. VS_EchoWS_Hostname).

Validate the virtual service definition in wM Mediator

  1. In the above page, click the [VSD] link for the virtual service to see the virtual service definition.
  2. When Global Consumers (relax) is selected, the VSD should contain the following entries.
    The VSD with Evaluate Hostname:
<enforcement-actions allow-anon="false">
   <expressions>
       <expression>
          <params identify="relax" type="hostNameAddress" />
       </expression>
   </expressions>
</enforcement-actions>

If Registered Consumers is selected as the identify method (strict), the enforcement-actions element should look like the one below. In this mode the consumer is identified from the registered consumers list.

<enforcement-actions allow-anon="false">
   <expressions>
       <expression>
          <params identify="strict" type="hostNameAddress" />
       </expression>
   </expressions>
</enforcement-actions>

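
The two VSD settings above, modelled as an added example (not code from this tutorial or from Mediator): it parses the enforcement-actions fragment and shows which consumer list each identify mode consults. The consumer lists, the BatchJobs entry, case-insensitive matching and the outcome for allow-anon="true" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the VSD fragment is the one shown above; the consumer
# lists are sample data modelled on the tutorial's HostNameConsumers entry.
VSD_RELAX = """<enforcement-actions allow-anon="false"><expressions><expression>
<params identify="relax" type="hostNameAddress" /></expression></expressions>
</enforcement-actions>"""
VSD_STRICT = VSD_RELAX.replace('identify="relax"', 'identify="strict"')

GLOBAL_CONSUMERS = {"HostNameConsumers": ["VMCHNSMGME01"], "BatchJobs": ["BATCHHOST02"]}
REGISTERED_FOR_API = {"HostNameConsumers": ["VMCHNSMGME01"]}


def parse_policy(vsd_xml):
    """Return (identify_mode, allow_anonymous) from an enforcement-actions fragment."""
    root = ET.fromstring(vsd_xml)
    params = [p for p in root.iter("params") if p.get("type") == "hostNameAddress"]
    if len(params) != 1:
        raise ValueError("expected exactly one hostNameAddress expression")
    mode = params[0].get("identify")
    if mode not in ("relax", "strict"):
        raise ValueError("unknown identify mode: %r" % mode)
    return mode, root.get("allow-anon") == "true"


def identify_consumer(vsd_xml, client_hostname, global_consumers, registered_consumers):
    """Model the outcome for one request: a consumer name, 'anonymous', or a fault."""
    mode, allow_anon = parse_policy(vsd_xml)
    # relax checks every global consumer; strict checks only this API's consumers
    candidates = global_consumers if mode == "relax" else registered_consumers
    wanted = client_hostname.strip().lower()  # assumption: case-insensitive match
    for name, hostnames in candidates.items():
        if wanted in (h.lower() for h in hostnames):
            return name
    if allow_anon:  # assumption: unidentified callers pass as anonymous
        return "anonymous"
    return "FAULT: Consumer could not be identified"


if __name__ == "__main__":
    for vsd in (VSD_RELAX, VSD_STRICT):
        for host in ("VMCHNSMGME01", "BATCHHOST02"):
            result = identify_consumer(vsd, host, GLOBAL_CONSUMERS, REGISTERED_FOR_API)
            print(parse_policy(vsd)[0], host, "->", result)
```
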
5. EXECUTION AND VERIFICATION OF VIRTUAL SERVICE RUNTIME INVOCATION

  1. Get the WSDL by clicking on [WSDL] to invoke the virtual service as stated in the above step 4.2.

  2. Verify the scenario by invoking the virtual service (e.g. VS_EchoWS_Hostname) using a SOAP client.
    2.1. Invoke the virtual service from the specified client host (VMCHNSMGME01) so that it is identified as HostnameConsumers.
    Execute the virtual service with a SOAP client on the host whose hostname is specified in wM Mediator’s consumer application(s). This can be verified in step 5.5.
    2.2. Invoke the virtual service from a non-specified client host (i.e. other than VMCHNSMGME01) to validate anonymous access to the virtual service.

  3. The sample virtual service request looks like this:

Request Headers:

Content-Type: application/soap+xml;charset=UTF-8;
Host: VMCHNSMGME01

Request:

<soapenv:Envelope xmlns:soapenv="..." xmlns:axis="...">
   <soapenv:Header/>
   <soapenv:Body>
      <axis:sayHello>
         <axis:name>Software AG</axis:name>
      </axis:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

If the consumer is successfully identified, the sample virtual service response looks like this:

<soapenv:Envelope xmlns:soapenv="...">
   <soapenv:Body>
      <ns:sayHelloResponse xmlns:ns="...">
         <ns:return>Hello Software AG</ns:return>
      </ns:sayHelloResponse>
   </soapenv:Body>
</soapenv:Envelope>

  1. Verifying the result in the log invocation event

    1. View Runtime events after invoking the service as guided in step 5.2 and look for Consumer as expected.

Successful consumer identification

Failed consumer identification

Note: The ConsumerID attribute value is set only for API key consumers. Hence the ConsumerID value can be ignored for now.

TROUBLESHOOTING WITH EVALUATE HOSTNAME ACTION

Exception
Consumer could not be identified

Description
The sample fault in the response looks like this:

    Mediator encountered an error:Consumer could not be identified.
    Anonymous access is not allowed for this service!
    while executing operation:{Apache Axis2 – Apache Axis2/Java - Next Generation Web Services}sayHello service:
    VS_EchoWS_Hostname at time:7:03:44 PM on date:Jun 16, 2014.
    The client ip was:100.62.3.123. The current user:Default.
    The consumer application:null

Possible cause / Solution

  • Make sure the client hostname matches the one specified in the policy.
  • Make sure the IP resolves to the hostname as expected.
  • Make sure the request is made from the specified host (client).
  • Make sure the registered consumers list contains the specified hostname if strict was chosen as the identify method. (sec. 4.3.c)
    - Navigate to Mediator -> Consumers to see the list of consumers (sec. 4.2.b)
  • Make sure the client sends the correct hostname in the request header.
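
To see which clients keep hitting this fault, the following added example (not part of the original tutorial) parses the fault text quoted above and counts rejections per service and client IP. The sample faults are constructed: the operation namespace is a placeholder and 192.0.2.10 is a made-up client address.

```python
import re
from collections import Counter

# Constructed sample faults modelled on the fault text quoted above. The
# operation namespace is a placeholder and 192.0.2.10 is a made-up client.
TEMPLATE = (
    "Mediator encountered an error:Consumer could not be identified. "
    "Anonymous access is not allowed for this service! while executing "
    "operation:{{NAMESPACE}}sayHello service: {service} at time:7:03:44 PM "
    "on date:Jun 16, 2014. The client ip was:{ip}. The current user:Default. "
    "The consumer application:null"
)
FAULTS = [
    TEMPLATE.format(service="VS_EchoWS_Hostname", ip="100.62.3.123"),
    TEMPLATE.format(service="VS_EchoWS_Hostname", ip="100.62.3.123"),
    TEMPLATE.format(service="VS_EchoWS_Hostname", ip="192.0.2.10"),
    "unrelated log line",
]

# Whitespace-tolerant, so the fault also matches when it is wrapped over lines.
FAULT_RE = re.compile(
    r"error:(?P<error>.+?)\.\s.*?"
    r"operation:\{[^}]*\}(?P<operation>\w+)\s+service:\s*(?P<service>\S+)\s.*?"
    r"client ip was:(?P<client_ip>[0-9A-Fa-f.:]+?)\.\s.*?"
    r"consumer application:(?P<consumer>\S+)",
    re.S,
)


def parse_fault(text):
    """Return the fault's fields as a dict, or None if the text is not a fault."""
    match = FAULT_RE.search(text)
    return match.groupdict() if match else None


def rejected_clients(faults):
    """Count unidentified-consumer faults per (service, client IP)."""
    counts = Counter()
    for text in faults:
        fields = parse_fault(text)
        if fields and fields["consumer"] == "null":
            counts[(fields["service"], fields["client_ip"])] += 1
    return counts


if __name__ == "__main__":
    for (service, ip), n in rejected_clients(FAULTS).most_common():
        print(service, ip, n)
```
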

Exception
Deployment failure:

Failed to Publish

Description
INMSOE0038: Policy Conflict. Policy assertion id-consumer exists multiple times

In this case, more than one ID Consumer policy is applied to a virtual service.

Possible cause / Solution
Check for any duplicate ID Consumer policies and remove them from the virtual service.

Duplicate policies are possible only when a user tries to apply policies from both CentraSite Control and BusinessUI to a virtual service.

Only one ID Consumer policy is allowed per service.