Console Online Help

Security Configuration

This section includes the following topics:

Overview of Security Configuration

This section includes the following topics:

You use the Security Configuration module to determine who has access to the resources in AquaLogic Service Bus. You configure transport-level security and message-level security by configuring credentials and access control policies, using WSDLs, WS-Policy statements, and while creating and editing proxy and business services. For more information, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

The following table lists the pages you can access from the Security Configuration module. The tasks and help topics associated with each are provided:

Page	Associated Tasks	Help Topics
Summary of Users	View a list of users	Listing and Locating Users
	Filter the list	Listing and Locating Users
	Add a user	Adding a User
	Delete a user	Deleting a User
User Details	View details of a specific user	Viewing and Changing User Details
User Details	Update details of a specific user	Viewing and Changing User Details
Summary of Groups	View a list of groups	Listing and Locating Groups
	Filter the list	Listing and Locating Groups
	Add a group	Adding a Group
	Delete a group	Deleting a Group
Group Details	View details of a specific group	Viewing and Changing Group Details
Group Details	Update details of a specific group	Viewing and Changing Group Details
Global Roles	View a list of roles	Listing and Locating Roles
	Filter the list	Listing and Locating Roles
	Add a role	Adding a Role
	Delete a role	Deleting a Role
Role Details	View details of a specific role	Viewing and Changing Role Details
Role Details	Update details of a specific role	Viewing and Changing Role Details
Summary of Credentials	View a list of credentials	Listing and Locating Credentials
	Filter the list	Listing and Locating Credentials
	Add a credential	Adding a Credential
	Delete a credential	Deleting a Credential
Credential Details	View details of a specific credential	Viewing and Changing Credential Details
Credential Details	Update details of a specific credential	Viewing and Changing Credential Details

Users

Users are entities that can be authenticated. You can define users to authenticate access to a proxy service or access to the console. Each user is assigned a unique identity within the realm. To make it easier to administer a large number of users, users can be organized into named groups. Groups can in turn be assigned membership in other groups.

User type depends on the group to which the user is assigned. You can create the following types of users:

Property	Description
Administrators	Has complete access to all AquaLogic Service Bus objects and functions.
Deployers	Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.
IntegrationAdministrators	Has complete access to all AquaLogic Service Bus objects and functions, except for defining access control policies and editing users, group, and roles.
IntegrationDeployers	Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.
IntegrationMonitors	Has read access to all objects. Can export any resource, service, proxy service provider, or project.
IntegrationOperators	Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.
Monitors	Has read access to all objects. Can export any resource, service, proxy service provider, or project.
Operators	Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.

Groups

To make it easier to administer a large number of users, users can be organized into named groups. Groups can in turn be assigned membership in other groups.

The following table lists the group types:

Property	Description
Administrators	Has complete access to all AquaLogic Service Bus objects and functions.
Deployers	Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.
IntegrationAdministrators	Has complete access to all AquaLogic Service Bus objects and functions.
IntegrationDeployers	Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.
IntegrationMonitors	Has read access to all objects. Can export any resource, service, proxy service provider, or project.
IntegrationOperators	Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.
Monitors	Has read access to all objects. Can export any resource, service, proxy service provider, or project.
Operators	Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.

Roles

BEA AquaLogic Service Bus supports role-based authorization. Although the specific users that require access to the components that make up your AquaLogic Service Bus application may change depending upon the deployment environment, the roles that require access are typically more stable. Authorization involves granting an entity permissions and rights to perform certain actions on a resource.

In role-based authorization, security policies define the roles that are authorized to access the resource. In addition to the built-in roles that are associated with certain administrative and monitoring privileges, security policies that control access to the following resources can be configured from the AquaLogic Service Bus Console. Only a WebLogic Server administrator can edit security roles. To learn more about roles, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

This Global Roles page displays key information about each global security role that has been configured in this security realm.

There are four types of roles:

Type	Name	Description
A	Integration Administrator	Has complete access to all AquaLogic Service Bus objects and functions.
O	Integration Operator	Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.
M	Integration Monitor	Has read access to all objects. Can export any resource, service, proxy service provider, or project.
D	Integration Deployer	Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.

Role-Based Access in AquaLogic Service Bus Console

The following table shows the matrix of the actions that can be carried out in the console modules by users in the various roles:

Console Module	Action	Permissions ¹
Role Type		A	O	M	D
Monitoring
Dashboard
Services	View Statistics
Alerts	View Alerts
Message Reports	View Message Reports

Resource Browser
Services
Business Service Definition	Create Service
	View Service
	Edit Service
	Delete Service
Proxy Service Definition	Create Proxy Service
	View Proxy Service
	Edit Proxy Service
	Delete Proxy Service
Alert Rule	Create Alert Rule
	View Alert Rule
	Edit Alert Rule
	Delete Alert Rule
Operational Configuration	View...
	Create/Update/Delete
WS-Policies	Create WS-Policy
	View WS-Policy
	Edit WS-Policy
	Delete WS-Policy
WSDLs	Create WSDLs
	View WSDLs
	Edit WSDLs
	Delete WSDLs
XML Schemas	Create XML Schemas
	View XML Schemas
	Edit XML Schemas
	Delete XML Schemas
XQuery Transformations	Create XQuery
	View XQuery
	Edit XQuery
	Delete XQuery
XSLTs	Create XSLT
	View XSLT
	Edit XSLT
	Delete XSLT
MFLs	Create MFL
	View MFL
	Edit MFL
	Delete MFL
Proxy Service Providers	Create Proxy Service Provider
	View Proxy Service Provider
	Edit Proxy Service Provider
	Delete Proxy Service Provider

Project Explorer
Projects	Create Project
	View Project
	Edit Project
	Delete Project
Folders	Create Folder
	View Folder
	Edit Folder
	Delete Folder

Security Configuration
Users	Create User
	View User
	Edit User
	Delete User
Groups	Create Group
	View Group
	Edit Group
	Delete Group
Roles	Create Role
	View Role
	Edit Role
	Delete Role
Credentials	Create Credential
	View Credential
	Edit Credential
	Delete Credential
Access Controls	Create Policy
	View Policy
	Edit Policy
	Delete Policy

System Administration
Configuration Repository	Import Resources
	Export Resources
Deployment History	View Task
	Undo Task

Change Center
Session Management	Begin Session
	View Session
	Undo Task
	Discard Session
	Commit Session

1. Permission to perform an action is indicated by a checkmark (

) in the Role Type columns in the table.

Adding a User

The Create New User - General Configuration page enables you to add a new user. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To Add a User

From the left navigation pane, select Security Configuration. The Summary of Users page is displayed.

Click Add New. The Create a New User - General Configuration page is displayed.

In the User Name field, enter a unique name. This is a required field.

In the Password field, enter a password. The password must be at least 8 characters long. This is a required field.

In the Confirm Password field, enter the same password you entered for the Password field. This is a required field.

In the Authentication Provider field, select the authentication provider for this user.

In the Group Membership field, select a group for this user:

Select a group from the Available Groups field.

Click the arrow to move the group into the Current Groups field.

Note: The group you select determines the level of access this user has in the AquaLogic Service Bus Console. To learn about types of groups and role-based access, see Groups and Role-Based Access in AquaLogic Service Bus Console in Overview of Security Configuration.

Do one of the following:

To create the user, click Save.

The Summary of Users page is displayed. The new user is included in the list.

To disregard changes and return to the Summary of Users page, click Cancel.

Note: You cannot export users, groups, roles, credentials, certificates or access control policies when you export a configuration, as these objects are created through the WebLogic Server. You must create these objects again when you import the exported configuration, or where available use specific WebLogic Server tools to export and import them.

Listing and Locating Users

The Summary of Users page enables you to view a list of users that have been created in the AquaLogic Service Bus Console. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To List and Locate Users

From the left navigation pane, select Users from under Security Configuration. The Summary of Users page is displayed, which displays the following information for each user. For a more detailed description of the properties, see Viewing and Changing User Details:

Property	Description
User Name	The name assigned to the user. The name is a link to the View User Details page. To learn more, see Viewing and Changing User Details.
Group Membership	The name of the group to which this user belongs. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
Authentication Provider	The authentication provider for this user.
Options	Click the Delete icon to delete a specific user. To learn more, see Deleting a User.

To locate a specific user, do one of the following:

Filter by user name. Click Search, enter the search target, then click Search again. Wild cards can be used. The users matching the search criteria are displayed.
Resort the list. Ascending and descending arrow buttons indicate sortable columns—in this case, the Group Name and Authentication Provider fields. Click the button to change the sort order.
Scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.

The Summary of Users page also enables you to do the following:

To create a new user, click Add New. To learn more, see Adding a User.

Viewing and Changing User Details

The View User Details page enables you to view and change details of a specific user. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To View and Change User Details

Locate the user. To learn more, see Listing and Locating Users.

Click the user name. The View User Details page displays the following information:

Property	Description
User Name	The name of this user
Authentication Provider	The authentication provider for this user.
Group Membership	The name of the group to which this user belongs.

Click Reconfigure. The Edit User Details page is displayed.

Make the appropriate changes to the New Password, Confirm Password, and Group Membership fields. See Adding a User for a description of the fields.

Note: You cannot change the User Name field.

Do one of the following:

To update the user, click Save Changes. The Summary of Users page is displayed.
To disregard changes and return to the Summary of Users page, click Cancel.

Adding a Group

The Create New Group page enables you to add a new group. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic User Guide.

To Add a Group

From the left navigation pane, select Groups from under Security Configuration. The Summary of Groups page is displayed.

Click Add New.

In the Group Name field, enter a unique name. Note that you cannot enter spaces or special characters. This is a required field.

In the Authentication Provider field, select the authentication provider.

In the Group Membership field, select a group to which this group can belong:

Select a group from the Available Groups field.

Click the arrow to move the group into the Current Groups field.

Do one of the following:

To create the group, click Save.

The Summary of Groups page is displayed. The new group is included in the list.

To disregard changes and return to the Summary of Groups page, click Cancel.

Listing and Locating Groups

The Summary of Groups page enables you to view a list of groups. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To List and Locate Groups

From the left navigation pane, select Groups from under Security Configuration. The Summary of Groups page is displayed, which displays the following information for each group. For a more detailed description of the properties, see Viewing and Changing Group Details.

Property	Description
Group Name	The name of the group. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
Group Membership	The group to which this group belongs. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
Authentication Provider	The authentication provider for this group.
Delete	Click the Delete icon to delete a specific group. To learn more, see Deleting a Group.

To locate a specific group, do one of the following:

Filter by group name. Click Search, enter the search target, then click Search again. Wild cards can be used. The groups matching the search criteria are displayed.
Resort the list. Ascending and descending arrow buttons indicate sortable columns—in this case, the Group Name and Authentication Provider fields. Click the button to change the sort order.
Scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.

The Summary of Groups page also enables you to do the following:

To create a new group, click Add New. See Adding a Group.

Viewing and Changing Group Details

The View Group Details page enables you to view and change details of a specific group. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To View and Change Group Details

Locate the group. To learn more, see Listing and Locating Groups.

Click the group name. The View Group Details page displays the following information:

Property	Description
Group Name	The name of this group
Authentication Provider	The authentication provider for this group
Groups	The group to which this group belongs

Click Reconfigure. The Edit Group Details page is displayed.

Make the appropriate changes to the Group Membership field. See Adding a Group for a description of the field.

Note: You cannot change the Group Name field.

Do one of the following:

To update the group, click Save Changes. The Summary of Groups page is displayed.
To disregard changes and return to the Summary of Groups page, click Cancel.

Adding a Role

The Create New Role page enables you to add a new role. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To Add a New Role

From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed.

Click New.

In the Role Name field, enter a unique name. Note that you cannot enter spaces or special characters. This is a required field.

Note: Be sure that there are no spaces or < > characters in the security role name. Security role names are case sensitive. The BEA convention is that all security role names are singular.

Do one of the following:

To create the role, click OK.

The Global Roles page is displayed. The new role is included in the list.

To disregard changes and return to the Global Roles page, click Cancel.

When you click OK to create the role, the next step is to define the conditions under which the role applies. On the Global Roles page, click the name of the new global role.
The Global Role Conditions page is displayed.

Under Role Conditions, click Add Condition.

The following prompt is displayed:
Choose the predicate you wish to use as your new condition

Choose a predicate from the list box. Typically, you choose Group. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).

Click Next. The next steps depend on what you chose for your condition predicate. Do one of the following:

Condition Predicate...	Complete These Steps...
If you selected Group, enter one or more arguments that define the group or groups that should hold this role	1. In the Group Argument Name field, enter an argument that defines the group. 2. Click Add. 3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list. 4. Click Finish.
If you selected User, enter one or more arguments that define the user or users that should hold this role	1. In the User Argument Name field, enter an argument that defines the user. 2. Click Add. 3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list. 4. Click Finish.
If you selected Server is in development mode, Allow access to everyone or Deny access to everyone	Click Finish.
If you selected a time-constrained predicate such as Access occurs between specified hours, select start and end times and a GMT offset	1. In the Starting Time field, enter the earliest permissible time in the format `hh:mm:ss AM\|PM`. For example, enter 12:45:00 AM. 2. In the Ending Time field, enter the latest permissible time in the format `hh:mm:ss AM\|PM`. For example, enter 12:45:00 AM. 3. In the GMT offset field, enter the time ahead of GMT in the format `GMT+hh:mm`, or behind GMT in the format `GMT-hh:mm`. For example, Eastern Standard Time in the USA is GMT-5:00. 4. Click Finish.
If you selected Context element defined, enter a context element name	1. In the Context element name field, enter the name of the context element. 2. Click Finish.
If you selected Context element's value equals a numeric constant, Context element's value is greater than a numeric constant, or Context element's value is less than a numeric constant, enter a context element name and a numeric value to compare it against	1. In the Context element name field, enter the name of the context element the value of which is to be evaluated. 2. In the Numeric Value field, enter a numeric value. 3. Click Finish.
If you selected Context element's value equals a string value, enter a context element name and a string value to compare it against	1. In the Context element name field, enter the name of the context element the value of which is to be evaluated. 2. In the String Value field, enter the string value that you want to compare. 3. Click Finish.
If you selected a time-constrained predicate such as Access occurs before or Access occurs after	1. In the Date field, enter a date in the format `mm/dd/yy`. For example, enter 1/1/04. You can add an optional time in the format `hh:mm:ss AM\|PM`. For example, you can enter 1/1/04 12:45:00 AM. 2. Click Finish.
If you selected the time-constrained predicate Access occurs on specified days of the week, select the day of the week and a GMT offset	1. In the Day of week field, enter the day of the week. 2. In the GMT offset field, enter the time ahead of GMT in the format `GMT+hh:mm`, or behind GMT in the format `GMT-hh:mm`. For example, Eastern Standard Time in the USA is GMT-5:00. 3. Click Finish.
If you selected a time-constrained predicate such as Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month	1. In the Day of the Month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month. 2. In the GMT offset field, enter the time ahead of GMT in the format `GMT+hh:mm`, or behind GMT in the format `GMT-hh:mm`. For example, Eastern Standard Time in the USA is GMT-5:00. 3. Click Finish.

If necessary, repeat steps 5-7 to add expressions based on different role conditions. You can do the following in the Role Conditions section to modify the expressions:

To...	Complete These Steps...
Change the ordering of the selected expression	Click Move Up and Move Down.
Merge or unmerge role conditions and switch the highlighted and and or statements between expressions.	Click Combine and Uncombine.
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.	Click Negate.
Delete a selected expression	Click Remove.

When all the expressions in the Role Conditions section are correct, click Save. To activate these changes, in the Change Center, click Activate.

Note: Some changes affect only particular servers. Not all changes take effect immediately—some require a restart.

Listing and Locating Roles

The Global Roles page enables you to view a list of roles. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To List and Locate Roles

From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed, which displays the following information for each role. For a more detailed description of the properties, see Viewing and Changing Role Details:

Property	Description
Role Name	The name of the role. The name is a link to the View Role Details page. To learn more, see Viewing and Changing Role Details.
Provider Name	The authentication provider for this group.

To locate a specific role, scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.

This page also enables you to do the following:

To create a new role, click Add New. To learn more, see Adding a Role.
To delete a selected role, click Delete. To learn more, see Deleting a Role.

Viewing and Changing Role Details

The View Role Details page enables you to view and change details of a specific role. To learn more about users, groups, and roles, see Overview of Security Configuration, and "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To View and Change Role Details

Locate the role. To learn more, see Listing and Locating Roles.

Click the role name. The View Role Details page enables you to view and change details of a specific role. It displays the following information:

Property	Description
Name	The name of the role.
Role Conditions	The conditions which determine membership in this role.

Do one of the following:

To...	Complete This Step...
Change the ordering of the selected expression	Click Move Up and Move Down.
Merge or unmerge role conditions and switch the highlighted and and or statements between expressions.	Click Combine and Uncombine.
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.	Click Negate.
Delete a selected expression	Click Remove.

Click Save. The Global Roles page is displayed.

Adding a Credential

The Create New Credential page allows you to add a new credential. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

Note: To access the Credentials or Access Controls page in the AquaLogic Service Bus Console, you must first activate the session. Credentials and access controls are created outside of sessions and associated with resources that are already activated. Activating a session deploys the resources you have configured to run time, making them available to credentials and access controls.

To Add a Credential

From the left navigation pane, select Credentials from under Security Configuration. The View Summary of Credential Resources page is displayed.

Click Add New. The Create a New Credential - General Configuration page is displayed.

In the Select Resource Type field, select a resource type for which you want to create credentials. You can select one of the following resource types:

Resource Type...	Description...
Proxy Service Provider	Proxy service providers encapsulate all the PKI (Public Key Infrastructure) credentials used by one or more proxy services. Different PKI credentials (private-key/certificate pairs) for different purposes can be assigned to a proxy service provider. When a proxy is created, a proxy service provider can be specified. If the proxy needs PKI credentials, for example to open an HTTPS connection with client-certificate authentication, it gets the credentials from the proxy service provider. Multiple proxies can use the same proxy service provider. The PKI credential mapper is a security provider and must be configured with the location of a keystore, (relative to the domain root), keystore password, keystore type (optional), and keystore provider (optional). This keystore can be the same as the server's identity keystore or a different one. If you define a proxy service provider, you must configure a PKI credential mapper in your security realm. By default the realm configuration does not have a PKI mapper. If do not define a proxy service provider, you do not need to define a PKI mapper within the security realm. For more information, see Digital Certificates in Security Fundamentals in Understanding WebLogic Security. To learn more about proxy service providers, see Overview of Proxy Service Providers.
Service Account	A service account is an alias resource for a username and password. AquaLogic Service Bus uses service accounts to provide authentication when connecting to a service or server. To learn more about service accounts, see Overview of Service Accounts.

Resource Type...

Description...

Proxy Service Provider

Proxy service providers encapsulate all the PKI (Public Key Infrastructure) credentials used by one or more proxy services. Different PKI credentials (private-key/certificate pairs) for different purposes can be assigned to a proxy service provider. When a proxy is created, a proxy service provider can be specified. If the proxy needs PKI credentials, for example to open an HTTPS connection with client-certificate authentication, it gets the credentials from the proxy service provider. Multiple proxies can use the same proxy service provider.

The PKI credential mapper is a security provider and must be configured with the location of a keystore, (relative to the domain root), keystore password, keystore type (optional), and keystore provider (optional). This keystore can be the same as the server's identity keystore or a different one. If you define a proxy service provider, you must configure a PKI credential mapper in your security realm. By default the realm configuration does not have a PKI mapper. If do not define a proxy service provider, you do not need to define a PKI mapper within the security realm. For more information, see Digital Certificates in Security Fundamentals in Understanding WebLogic Security.

To learn more about proxy service providers, see Overview of Proxy Service Providers.

Service Account

A service account is an alias resource for a username and password. AquaLogic Service Bus uses service accounts to provide authentication when connecting to a service or server.

To learn more about service accounts, see Overview of Service Accounts.

Click Next. If you selected Proxy Service Provider, a list of available proxy service providers is displayed. If you selected Service Account, a list of available service accounts is displayed.

Note: You must have previously created the proxy service providers and service accounts in a session and activated that session to display these resources on this page.

In the Select column, click Select for the specific resource you want to use.

In the Purpose of this Credential field, select the purpose of the credential that you want to associate with the selected resource.

For proxy service providers, you can select one of the following purposes: Available Purpose... Description... SSL Client Authentication TLS/SSL (Secure Sockets Layer) provides secure connections by allowing two applications connecting over a network to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. This key-pair is used when a proxy is required to invoke a service that requires TLS/SSL client certificate authentication. Digital Signature This key-pair is used with Web service security when a proxy is required to sign one or more parts of a SOAP envelope. Digital signature provides message integrity. Encryption This key-pair is used with Web service security when a proxy is required to decrypt one or more parts of a SOAP envelope. Encryption provides message confidentiality. Web Services Security X509 Token This key-pair is used with web service security when a proxy is required to include an authentication token in the SOAP envelope.

Available Purpose...	Description...
SSL Client Authentication	TLS/SSL (Secure Sockets Layer) provides secure connections by allowing two applications connecting over a network to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. This key-pair is used when a proxy is required to invoke a service that requires TLS/SSL client certificate authentication.
Digital Signature	This key-pair is used with Web service security when a proxy is required to sign one or more parts of a SOAP envelope. Digital signature provides message integrity.
Encryption	This key-pair is used with Web service security when a proxy is required to decrypt one or more parts of a SOAP envelope. Encryption provides message confidentiality.
Web Services Security X509 Token	This key-pair is used with web service security when a proxy is required to include an authentication token in the SOAP envelope.

Click Next.

In the Credential Provider field, select the credential provider.

Click Next.

In the Username field, select a valid user name.

In the Key Password field, enter a password (minimum 8 characters).

In the Confirm Key Password field, enter the same password you entered in the Key Password field.

Click Next. A summary of the data you entered is displayed.

Review the data you entered for this new credential.

Do one of the following:

To create the credential, click Finish.

The View Summary of Credential Resources page is displayed. The new credential is included in the list.

To disregard changes and return to the View Summary of Credential Resources page, click Cancel.

Listing and Locating Credentials

The View Summary of Credential Resources page enables you to view a list of credentials. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

To List and Locate Credentials

From the home page, select Credentials from under Security Configuration. The View Summary of Credential Resources page is displayed, which displays the following information for each credential resource. For a more detailed description of the properties, see Viewing and Changing Credential Details:

Property	Description
Name of Resource	The resource name, which is a link to the resource details. Click the name to view and change details. To learn more, see Viewing and Changing Credential Details.
Resource Type	The resource type: Proxy Service Provider Service Account
Credential Purpose	The purpose of the credential
Credential Provider Name	The name of the credential provider
Options	Click the Delete icon to delete a specific credential resource. To learn more, see Deleting a Credential.

To locate a specific credential, do one of the following:

Filter by credential name. Enter the search target, then click Search. The credentials matching the search criteria are displayed.
Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
Scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.

From this page, you can also do the following:

To create a new credential resource, click Add New. See Adding a Credential.
To delete a selected credential, click Delete. See Deleting a Credential.

Viewing and Changing Credential Details

The View Credential Details page enables you to view and change details of a specific credential. To learn more about credentials, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

Note: To access the Credentials or Access Controls page in the AquaLogic Service Bus Console, you must first activate the session. Credentials and access controls are created outside of sessions and associated with resources that are already activated. Activating a session deploys the resources you have configured to run time, making them available to credentials and access controls.

To View and Change Credential Details

Locate the credential resource. See Listing and Locating Credentials.

Click the name of the resource. The Create a New Credential - General Configuration page is displayed. The page displays the following information:

Property	Description
General Configuration
Resource Name	The resource name.
Resource Type	The resource type: Proxy Service Provider Service Account
Purpose of this Credential	The purpose of the credential
Credential Configuration
Username	The user name associated with this credential.

Do one of the following:

To change the details of this credential, click Edit.
To return to the View Summary of Credential Resources page, click OK.

Make the appropriate changes to the fields that are displayed. See Adding a Credential for a description of the fields.

Do one of the following:

To update the credential, click Finish.

The View Summary of Credential Resources page is displayed. The new credential is included in the list.

To return to the previous page, click Back.
To disregard changes and return to the View Summary of Credential Resources page, click Cancel.

Listing and Locating Access Control Policies

The Access Control for Proxy Services page lists the defined access control policies. Only a WebLogic Server administrator can define access control policies. To learn more, see "Access Control Security" in Securing Inbound and Outbound Messages in the BEA AquaLogic Service Bus User Guide.

Note: To view the access control policies for a proxy service in the AquaLogic Service Bus Console, you must first activate the session. Credentials and access control policies are created outside of sessions and associated with resources that are already activated. Activating a session deploys the resources you have configured to run time, making them available to credentials and access controls.

To List and Locate Access Control Policies

From the left navigation pane, select Access Controls from under Security Configuration. The Access Control for Proxy Services page is displayed, which displays the following information for each access control policy:

Property	Description
Name	The name of the access control policy. The name is a link to the Proxy Service Details page. To learn more, see Viewing and Changing Proxy Services.
Transport Authorization Policy	The transport authorization policy, if there is one. The policy is a link to the View Policy Details page. This only applies to HTTP or HTTPS proxy services.
Service Authorization Policy	The service authorization policy, if there is one. The policy is a link to the View Policy Details page. This policy is related to WS-Security. This only applies to SOAP proxy services that have Web service security policies in the WSDL.

From this page, you can also do the following:

To view proxy services, click View Proxy Services. To learn more, see Listing and Locating Proxy Services.

Note: The Policy Details page allows you to configure a new access control policy, edit an existing access control policy or delete an access control policy. For more information, see Security Policies in Securing WebLogic Resources and Manage Security Policies in the BEA WebLogic Server Administration Console Online Help.

Security Configuration

Overview of Security Configuration

Users

Groups

Roles

Role-Based Access in AquaLogic Service Bus Console

Adding a User

To Add a User

Related Topics

Listing and Locating Users

To List and Locate Users

Related Topics

Viewing and Changing User Details

To View and Change User Details

Related Topics

Deleting a User

To Delete a User

Related Topics

Adding a Group

To Add a Group

Related Topics

Listing and Locating Groups

To List and Locate Groups

Related Topics

Viewing and Changing Group Details

To View and Change Group Details

Related Topics

Deleting a Group

To Delete a Group

Related Topics

Adding a Role

To Add a New Role

Related Topics

Listing and Locating Roles

To List and Locate Roles

Related Topics

Viewing and Changing Role Details

To View and Change Role Details

Related Topics

Deleting a Role

To Delete a Role

Related Topics

Adding a Credential

To Add a Credential

Related Topics

Listing and Locating Credentials

To List and Locate Credentials

Related Topics

Viewing and Changing Credential Details

To View and Change Credential Details

Related Topics

Deleting a Credential

To Delete a Credential

Related Topics

Listing and Locating Access Control Policies

To List and Locate Access Control Policies

Related Topics