14 Monitoring and Managing Security Policies
Fusion Middleware Control lets you monitor and manage policies attached to your Service Bus services, including their usage and violation metrics. You can also attach policy sets globally, define policy overrides, and attach and detach policies from your services.
This chapter includes the following topics:
Introduction to Security Policies
Security policies provide a framework to manage and secure web services consistently across your organization. In Service Bus, you attach policies to proxy and business services.
You can manage policies for individual services in your Service Bus projects in JDeveloper, the Oracle Service Bus Console, and Fusion Middleware Control. Both consoles support runtime configuration. Using Fusion Middleware Control, you can also attach policies globally by creating policy sets.
This chapter describes monitoring and managing policies in Fusion Middleware Control. For information about working with policies in Oracle Service Bus Console and Oracle JDeveloper, see "Securing Business and Proxy Services" in Developing Services with Oracle Service Bus.
Configuring Global Policies
You can assign policies to multiple services in a Service Bus project using policy sets in Fusion Middleware Control. These are called global policies.
When you create a global policy set, the policies in the set are automatically attached to the proxy or business services that match the configuration of the policy set. In order for the matching services to use the policies in a global policy set, the services must be configured to use OWSM policies.
The policy set configuration defines the policy subject and any of the following for the service to which you want the policy attached: domain name, application name, and resource path (in the form project_name/folder/subfolder). You can attach policies to the following Service Bus services:
- JCA Business Service
- JCA Proxy Service
- RESTful Business Service
- RESTful Proxy Service
- SOAP Business Service
- SOAP Proxy Service
For information about global policy attachments and policy sets, see About Attaching Policies to Web Services and Clients Using Fusion Middleware Control in Securing Web Services and Managing Policies with Oracle Web Services Manager. For information about the policy subjects to select for each of these, see Understanding Policy Subjects in Understanding Oracle Web Services Manager.
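The matching rule described above means a service that falls inside a policy set's scope but is not configured to use OWSM policies receives nothing from that set. The following added example (not Oracle code) models that rule over a constructed service inventory to list such gaps. The record fields, the glob-style `*` matching, and all sample names are assumptions of this sketch, not OWSM's own matching implementation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Service:              # hypothetical inventory record
    name: str
    kind: str               # policy subject, e.g. "SOAP Proxy Service"
    domain: str
    application: str
    resource_path: str      # project_name/folder/subfolder
    owsm_enabled: bool      # service is configured to use OWSM policies

@dataclass(frozen=True)
class PolicySet:            # hypothetical model of a global policy set
    name: str
    subject: str
    domain: str = "*"       # "*" = any value (glob matching is an assumption)
    application: str = "*"
    resource_path: str = "*"
    enabled: bool = True

def in_scope(ps, svc):
    """True if an enabled policy set's subject and scope match the service."""
    pairs = [(svc.domain, ps.domain), (svc.application, ps.application),
             (svc.resource_path, ps.resource_path)]
    return (ps.enabled and ps.subject == svc.kind
            and all(fnmatchcase(value, pattern) for value, pattern in pairs))

def audit(policy_sets, services):
    """Classify each service: attached, skipped (in scope, OWSM off), uncovered."""
    report = {"attached": {}, "skipped": [], "uncovered": []}
    for svc in services:
        hits = [ps.name for ps in policy_sets if in_scope(ps, svc)]
        if not hits:
            report["uncovered"].append(svc.name)
        elif not svc.owsm_enabled:
            report["skipped"].append(svc.name)   # global policy silently not applied
        else:
            report["attached"][svc.name] = hits
    return report

# Constructed sample data; none of these names come from a real domain.
SERVICES = [
    Service("OrderProxy", "SOAP Proxy Service", "base_domain", "sb-app", "Orders/proxy", True),
    Service("LegacyProxy", "SOAP Proxy Service", "base_domain", "sb-app", "Orders/legacy", False),
    Service("BillingBiz", "RESTful Business Service", "base_domain", "sb-app", "Billing/business", True),
]
POLICY_SETS = [
    PolicySet("soap-proxy-auth", "SOAP Proxy Service", "base_domain", "*", "Orders/*"),
    PolicySet("rest-biz-draft", "RESTful Business Service", enabled=False),
]

if __name__ == "__main__":
    for bucket, members in audit(POLICY_SETS, SERVICES).items():
        print(bucket, members)
```

Services reported as `skipped` are the ones to review first: they match a global policy set yet run without it.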
How to Create a Global Policy Set
To create a policy set, follow the instructions in Creating a Policy Set Using Fusion Middleware Control in Securing Web Services and Managing Policies with Oracle Web Services Manager.
How to Enable a Service for Global Policies
In addition to being able to enable and disable global policy sets in Fusion Middleware Control, you can also configure business and proxy services to use or not use policies. In order to use global policies, a business or proxy service must be enabled to use policies from the OWSM policy store. You configure this in either JDeveloper or the Oracle Service Bus Console. For more information, see How to attach Oracle Web Services Manager Policies in JDeveloper and How to attach Oracle Web Services Manager Policies in the Console in Developing Services with Oracle Service Bus.
To enable a service for global policies:
How to Disable a Service for Global Policies
If a business or proxy service has policies enabled and matches the configuration of a global policy set, the policies in that set are automatically applied to the service. You can prevent this by disabling policies in the service, but this means that policies cannot be individually attached either. You configure this in either JDeveloper or the Oracle Service Bus Console. For more information, see How to attach Oracle Web Services Manager Policies in JDeveloper and How to attach Oracle Web Services Manager Policies in the Console in Developing Services with Oracle Service Bus.
To disable a service for global policies:
Monitoring Security Policies
Fusion Middleware Control lets you monitor the policies being used by the services in your domain by providing a view of the policies used by each proxy or business service.
You can also view any policy violations that have occurred, and you can view and analyze usage for each policy.
Viewing the Policies Attached to a Service
The Policies page of a business or proxy service displays all the policies that are globally and directly attached to a service. You can access the Policies page for a service in a variety of ways. These steps describe accessing it from the project's Service Health page.
To view the policies attached to a service:
Monitoring Policy Usage
Before making any changes to the policies used by your services, Oracle recommends you do a usage analysis to see which subjects are using a particular policy. Policy usage information is only available with a database-based OWSM repository and only for enabled services. The WSM Policies page displays the number of subjects to which a policy is attached. You can then view a list of the policy subjects of the selected type to which the policy is attached.
To monitor policy usage:
Viewing Policy Violations
The list of policies on a service's Policies tab includes the number of policy violations for policies with faults.
To monitor policy violations:
- Access the Policies page for the service you want to configure, as described in Viewing the Policies Attached to a Service.
- In the Directly Attached Policies table, look in the Total Violations column to locate policies that have faults.
- Click the number in the Violations column to view more information about the faults.
Managing Security Policies
In Fusion Middleware Control, you can manage security policies by attaching and detaching policies, overriding policy properties, and creating global policies.
For information about global policies, see Configuring Global Policies.
Overriding Security Policies
You can override the configuration for a policy that is directly attached to a service. This lets you update the configuration on a per-service or per-client basis without creating new policies for each. In this way, you can create policies that define default configuration values and customize those values based on your runtime requirements. You can define overrides in the proxy or business service configuration, as described in "Securing Business and Proxy Services" in Developing Services with Oracle Service Bus.
To override security policies in Fusion Middleware Control: