The RTSS is a Java application that provides the runtime capabilities for applications to evaluate policies produced by Tivoli Security Policy Manager. There are two valid patterns of RTSS deployment: an RTSS server with clients in remote mode (referred to as remote clients), and a client in local mode (referred to as a local client). The RTSS server maintains a copy of the effective policy that is distributed to it from the policy server and handles remote client authorization queries using the XACML/SOAP protocol.

6 Visit the Tivoli Security Policy Manager wiki at the following address:

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Security%20Policy%20Manager/page/Home

An RTSS local client also maintains a copy of the effective policy distributed from the policy server. The local client operates completely independently and does not require an RTSS server. Figure 3-6 shows the two valid patterns for RTSS deployment.

RTSS server and remote client

Figure 3-7 shows the component architecture of an RTSS server and a remote client, and the interfaces that the RTSS server and client support.

Figure 3-7 Tivoli runtime security service architecture (server and remote client)

RTSS server

An RTSS server runs inside WebSphere Application Server and consists of an administration service, an authorization service, common authorization components (which include a PIP interface and a rules interface), an auditing service, a policy storage service, and so on. An RTSS server is used as a PDP, and multiple RTSS servers can be deployed and clustered to improve availability and performance.

The RTSS administration service handles remote administration and policy exchange with the Tivoli Security Policy Manager policy server. After an RTSS server is registered with a Tivoli Security Policy Manager policy server, the policy server can perform remote administration tasks on the RTSS server.

RTSS server policy update and exchange follows the WS-Notification and WS-MetadataExchange protocols. Each RTSS server is registered as a policy distribution target (PDT) in the Tivoli Security Policy Manager policy server, and it subscribes to the policies related to its local services. Whenever a policy subscribed to by the RTSS server has been updated, the policy server sends a notification to the RTSS server using the WS-Notification protocol. The RTSS server then retrieves the updated policy from the policy server using the WS-MetadataExchange protocol and replicates it locally. The storage service maintains the local replica of the XACML policy.
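The distribution flow described above, as an added example that is not IBM's code: a Python model of one policy server and two policy distribution targets. A PDT subscribes only to the topics of its own services, a change produces a notification that carries the topic and a version but no policy body, and the PDT then pulls the policy and replaces its local replica. The method names (`publish`, `on_notify`, `get_metadata`) stand in for the WS-Notification and WS-MetadataExchange operations and are assumptions, as is the version check; the page does not say how RTSS treats stale or unsubscribed notifications.

```python
"""Model of the RTSS policy distribution flow (added example, not Tivoli code).

Models the sequence the text describes: a PDT registers and subscribes to the
policies for its local services, the policy server notifies it when one of them
changes, and the PDT pulls the new policy and swaps its local replica. Method
names stand in for WS-Notification / WS-MetadataExchange operations; this is
not their wire format.
"""


class PolicyServer:
    """Authoritative policy store: topic (one per protected service) -> (version, XML)."""

    def __init__(self):
        self.policies = {}
        self.subscribers = {}   # topic -> set of PDTs registered for it

    def register_pdt(self, pdt, topics):
        for topic in topics:
            self.subscribers.setdefault(topic, set()).add(pdt)

    def publish(self, topic, policy_xml):
        version = self.policies.get(topic, (0, None))[0] + 1
        self.policies[topic] = (version, policy_xml)
        # Notification step: only subscribers of this topic are told, and the
        # message carries topic and version, not the policy body.
        for pdt in self.subscribers.get(topic, ()):
            pdt.on_notify(topic, version)

    def get_metadata(self, topic):
        """Metadata-exchange step: the PDT pulls the current policy from the server."""
        return self.policies[topic]


class RtssPdt:
    """An RTSS server or local client acting as a policy distribution target."""

    def __init__(self, name, server, services):
        self.name = name
        self.server = server
        self.topics = frozenset(services)    # subscribe only to the local services
        self.replica = {}                    # topic -> (version, policy XML)
        self.rejected = []                   # audit trail of ignored notifications
        server.register_pdt(self, self.topics)

    def on_notify(self, topic, version):
        if topic not in self.topics:          # not ours: never fetch or store it
            self.rejected.append(("unsubscribed", topic, version))
            return False
        current = self.replica.get(topic, (0, None))[0]
        if version <= current:                # replayed or out-of-order notification
            self.rejected.append(("stale", topic, version))
            return False
        # Pull from the authoritative server instead of trusting a pushed body
        # (assumed hardening choice, not stated by the page).
        fetched_version, policy_xml = self.server.get_metadata(topic)
        if fetched_version < version:         # server has less than was announced
            self.rejected.append(("mismatch", topic, version))
            return False
        self.replica[topic] = (fetched_version, policy_xml)   # single-assignment swap
        return True

    def effective_policy(self, topic):
        """What this PDT's local authorization service evaluates against."""
        return self.replica.get(topic, (0, None))[1]


if __name__ == "__main__":
    srv = PolicyServer()
    payments = RtssPdt("rtss-payments", srv, ["svc:payments"])
    hr = RtssPdt("rtss-hr", srv, ["svc:hr"])
    srv.publish("svc:payments", "<Policy PolicyId='payments-v1'/>")   # constructed policies
    srv.publish("svc:payments", "<Policy PolicyId='payments-v2'/>")
    print(payments.effective_policy("svc:payments"), hr.effective_policy("svc:payments"))
    print(payments.on_notify("svc:payments", 1), payments.rejected)
```

Running the module shows the payments PDT holding the v2 policy while the HR PDT, which never subscribed to that topic, holds nothing for it, and a replayed version-1 notification being recorded as stale rather than rolling the replica back.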

The RTSS server provides an authorization services interface for RTSS remote clients and for applications that support the XACML over SOAP protocol directly. For example, a .NET application can use the XACML over SOAP interface to obtain authorization decisions. One RTSS server can support multiple RTSS remote clients.

RTSS common authorization components provide a PIP interface and a rules interface, through which policy information and external rules engines can be integrated into the authorization check at run time. RTSS supports the use of information from existing identity management systems, identity and attribute repositories, and rules engines when evaluating authorization policy. The context of the policy information can be based on identity, service, environment, and business. Currently RTSS provides integrations with context providers through JNDI for access to user repositories, JDBC for access to databases, WS-Trust for access to Trust Services, and a Java interface for generic purposes. The rules interface can be used to integrate with external rules engines such as IBM WebSphere ILOG® JRules.
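The decision side of the XACML over SOAP interface and the PIP interface, as an added example rather than product code: a deliberately small XACML 2.0 PDP in Python that evaluates a request against a locally held policy and calls a PIP callback for an attribute the request does not carry, which is how a directory-backed context provider feeds the evaluation. The policy, the request builder, the user repository and the attribute id `urn:example:subject:role` are constructed for this example; the XACML namespaces, the `string-equal` function and the `deny-overrides` combining algorithm identifiers are the standard ones. Only that one match function and that one combining algorithm are implemented.

```python
"""Simplified XACML 2.0 PDP with a PIP hook (added example, not RTSS code).
Implements only one <Policy> of <Rule>s, Targets built from *Match elements that
use string-equal, deny-overrides combining, and a PIP callback for attributes
absent from the request. Unsupported MatchIds are rejected with ValueError."""
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"    # policy namespace
C = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"   # request/context namespace
XS = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:2.0:rule-combining-algorithm:deny-overrides"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:subject:role"      # assumed attribute id; not defined by XACML

def xmatch(kind, literal, attr_id):
    """One <kind>Match: true if any value in the designated attribute's bag equals literal."""
    return (f'<{kind}Match MatchId="{EQ}"><AttributeValue DataType="{XS}">{literal}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{attr_id}" DataType="{XS}"/></{kind}Match>')

# Constructed policy: tellers may execute /accounts/transfer; contractors never may.
POLICY = f"""<Policy xmlns="{P[1:-1]}" PolicyId="urn:example:transfer" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target><Resources><Resource>{xmatch('Resource', '/accounts/transfer', RESOURCE_ID)}</Resource></Resources></Target>
  <Rule RuleId="tellers-may-transfer" Effect="Permit"><Target>
    <Subjects><Subject>{xmatch('Subject', 'teller', ROLE)}</Subject></Subjects>
    <Actions><Action>{xmatch('Action', 'execute', ACTION_ID)}</Action></Actions>
  </Target></Rule>
  <Rule RuleId="contractors-never-transfer" Effect="Deny"><Target>
    <Subjects><Subject>{xmatch('Subject', 'contractor', ROLE)}</Subject></Subjects>
  </Target></Rule>
</Policy>"""

def request_xml(subject_id, resource, action):
    """Minimal XACML <Request> as a PEP would send it; the role attribute is deliberately absent."""
    def attr(aid, val):
        return f'<Attribute AttributeId="{aid}" DataType="{XS}"><AttributeValue>{val}</AttributeValue></Attribute>'
    return (f'<Request xmlns="{C[1:-1]}"><Subject>{attr(SUBJECT_ID, subject_id)}</Subject>'
            f'<Resource>{attr(RESOURCE_ID, resource)}</Resource>'
            f'<Action>{attr(ACTION_ID, action)}</Action><Environment/></Request>')

# Constructed user repository standing in for the directory a JNDI-based PIP would query.
USER_ROLES = {"alice": ["teller"], "bob": ["teller", "contractor"]}

def directory_pip(category, attr_id, ctx):
    """PIP callback: resolve the role attribute for every subject-id in the request."""
    if category == "Subject" and attr_id == ROLE:
        return [r for uid in ctx["Subject"].get(SUBJECT_ID, []) for r in USER_ROLES.get(uid, [])]
    return []

def parse_request(text):
    """Flatten a <Request> into {category: {attribute_id: [values]}}."""
    root = ET.fromstring(text)
    ctx = {cat: {} for cat in ("Subject", "Resource", "Action", "Environment")}
    for cat in ctx:
        for el in root.findall(f"{C}{cat}"):
            for a in el.findall(f"{C}Attribute"):
                ctx[cat].setdefault(a.get("AttributeId"), []).extend(
                    v.text or "" for v in a.findall(f"{C}AttributeValue"))
    return ctx

class Pdp:
    def __init__(self, policy_xml, pip=None):
        self.policy = ET.fromstring(policy_xml)
        self.pip = pip    # callable(category, attribute_id, ctx) -> list of values

    def _bag(self, category, attr_id, ctx):
        if attr_id not in ctx[category] and self.pip is not None:
            ctx[category][attr_id] = list(self.pip(category, attr_id, ctx))  # resolve once, then cache
        return ctx[category].get(attr_id, [])

    def _match(self, m, ctx):
        if m.get("MatchId") != EQ:
            raise ValueError("unsupported MatchId " + str(m.get("MatchId")))
        literal = m.find(f"{P}AttributeValue").text or ""
        designator = next(ch for ch in m if ch.tag.endswith("AttributeDesignator"))
        return literal in self._bag(m.tag[len(P):-5], designator.get("AttributeId"), ctx)

    def _target_matches(self, target, ctx):
        """Absent or empty Target matches everything; otherwise every non-empty section
        (Subjects, Resources, ...) needs one element whose *Match children all hold."""
        if target is None:
            return True
        return all(any(all(self._match(m, ctx) for m in el) for el in section)
                   for section in target if len(section))

    def evaluate(self, request_text):
        ctx = parse_request(request_text)
        if not self._target_matches(self.policy.find(f"{P}Target"), ctx):
            return "NotApplicable"
        effects = {r.get("Effect") for r in self.policy.findall(f"{P}Rule")
                   if self._target_matches(r.find(f"{P}Target"), ctx)}
        return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

def decide(subject_id, resource, action):
    """One PEP round trip against the policy above; treat anything but Permit as a denial."""
    return Pdp(POLICY, pip=directory_pip).evaluate(request_xml(subject_id, resource, action))
```

Calling `decide("alice", "/accounts/transfer", "execute")` yields Permit, the same call for `bob` yields Deny because deny-overrides lets the contractor rule win over the teller rule, and for `eve`, who has no roles in the repository, the result is NotApplicable. That last case is why a PEP built on this interface has to be deny-biased: only an explicit Permit may open the door. Note also that the PDP trusts whatever the PIP returns, so the directory connection behind a real PIP deserves the same protection as the policy replica itself.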

RTSS remote client

The RTSS remote client is a lightweight proxy to an RTSS server. As such, it does not maintain a local copy of the effective policy; instead, it forwards all authorization queries to an RTSS server. The RTSS remote client provides an API for applications to build their own PEPs. This API, called the Tivoli Security Policy Manager Authorization API, extends the JACC standard to allow application-level context to be used to make decisions.

In addition to the RTSS client for the WebSphere platform that is shipped with the product, there can be additional RTSS clients or plug-ins for different platforms, for example, an RTSS plug-in for the .NET platform.

RTSS local client

The Tivoli Security Policy Manager RTSS local client is the deployment pattern closest to the RTSS server, except that it is deployed inside the WebSphere Application Server instance that hosts the applications it protects. As with the RTSS server, the RTSS local client maintains its own local copy of the effective policy from Tivoli Security Policy Manager. It has a local authorization service that serves only local applications, and it does not provide a remote authorization service for other RTSS clients or external applications. A Java Authorization Contract for Containers (JACC) provider is included as part of its local authorization service to support container-based authorization. A Java EE application can also use the Tivoli Security Policy Manager Authorization API to obtain authorization decisions from the RTSS local authorization service directly. Figure 3-8 shows the RTSS local client architecture.

The RTSS local client is also registered as a policy distribution target (PDT) with the Tivoli Security Policy Manager policy server. The policy exchange procedure between the policy server and the RTSS local client is the same as with the RTSS server; it only retrieves the policies that apply to its local services. The “local mode” here indicates that the client replicates the related XACML policies locally and that it makes authorization decisions based upon those policies.