Products | Versions |
---|---|
TIBCO ActiveMatrix Policy Manager | - |
Not Applicable | - |
Resolution:
Last-mile security between the Proxy Agent and the service can be ensured by following the procedure explained below.
1. Configure the service to accept requests only from the IP address of the machine on which the Proxy Agent is running. Application servers usually provide a facility to restrict traffic to a service based on IP address. This ensures that no client running on any other machine can invoke the service. However, any other client running on the same machine as the Proxy Agent will still be able to invoke the service.
For services running on BW, two properties available from BW 5.6.0 onwards let you allow or restrict the IP addresses that can make the call:
* bw.plugin.http.server.allowIPAddresses - a comma-separated list of regular expression patterns that is compared with the remote client's IP address before accepting or rejecting requests from the client. The remote IP address of the client must match for the request to be accepted.
* bw.plugin.http.server.restrictIPAddresses - a comma-separated list of regular expression patterns that is compared with the remote client's IP address before accepting or rejecting requests from the client. The remote IP address of the client must not match for any request from this client to be accepted.
The above properties internally set the allow/deny values in Tomcat's RemoteAddrValve object. You need to add these properties to the deployed bwengine tra file.
More details about Tomcat's RemoteAddrValve object:
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html
2. To prevent any other client running on the same machine as the Proxy Agent from accessing the service, secure the communication between the service and the Proxy Agent with SSL. Please refer to the following documentation on how to configure the Proxy Agent to use SSL.
TIBCO ActiveMatrix Policy Agent User's Guide, Chapter 8 Secure Proxy Endpoints: Proxy Agent Uses SSL
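Because the two BW properties in step 1 take regular expressions rather than plain addresses or globs, it is worth checking a pattern list against known addresses before deploying it. The following Python sketch is an added example, not TIBCO code: it reads the two properties from constructed tra-style lines and evaluates test addresses. The addresses are placeholders, and full-string matching with the restrict list checked before the allow list is an assumption modelled on the Tomcat valve the page links to.

```python
import re

PREFIX = "bw.plugin.http.server."
# Constructed .tra lines; 10.1.2.3 is a placeholder for the Proxy Agent host.
# Literal dots are written as [.] so that no backslash is needed.
STRICT_TRA = PREFIX + "allowIPAddresses=10[.]1[.]2[.]3\n"
# Glob-style habit: "." and ".*" are regex wildcards here, not literal text.
LOOSE_TRA = PREFIX + "allowIPAddresses=10.1.2.*\n"
# Allow a range, then carve one host out of it with the restrict list.
MIXED_TRA = (PREFIX + "allowIPAddresses=10[.]1[.]2[.][0-9]+,127[.]0[.]0[.]1\n"
             + PREFIX + "restrictIPAddresses=10[.]1[.]2[.]99\n")


def load_patterns(tra_text):
    """Return (allow, restrict) lists of compiled patterns from .tra text."""
    lists = {"allowIPAddresses": [], "restrictIPAddresses": []}
    for line in tra_text.splitlines():
        name, sep, value = line.partition("=")
        name = name.strip()
        if not (sep and name.startswith(PREFIX)):
            continue
        key = name[len(PREFIX):]
        if key in lists:
            # Comma-separated, as the property description states. A pattern
            # that itself contains a comma (e.g. [0-9]{1,3}) would be cut in two.
            lists[key] = [re.compile(p.strip())
                          for p in value.split(",") if p.strip()]
    return lists["allowIPAddresses"], lists["restrictIPAddresses"]


def is_accepted(remote_ip, allow, restrict):
    """Assumed order: restrict list first, then allow list, full-string match."""
    if any(p.fullmatch(remote_ip) for p in restrict):
        return False
    if allow:
        return any(p.fullmatch(remote_ip) for p in allow)
    return True  # assumption: no allow list means only the restrict list filters


def audit(tra_text, test_ips):
    """Map each test address to True (accepted) or False (rejected)."""
    allow, restrict = load_patterns(tra_text)
    return {ip: is_accepted(ip, allow, restrict) for ip in test_ips}


if __name__ == "__main__":
    for label, tra in (("strict", STRICT_TRA), ("loose", LOOSE_TRA), ("mixed", MIXED_TRA)):
        print(label, audit(tra, ["10.1.2.3", "10.1.253.7", "10.1.2.99", "192.0.2.7"]))
```

The loose list shows the main pitfall: `10.1.2.*` accepts 10.1.253.7 as well as 10.1.2.x, so escape or bracket every literal dot and test the list against addresses that must be rejected.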