
December 3, 2009

TIBCO Developers Library – What is Policy Manager?

Many businesses nowadays are concerned not only with the operations and functions of their business processes but also with how these processes are used, managed, and secured. In the formulation and design of services, the technical team considers both the functionality and the policies governing the usage of these services. Implementing these services therefore takes a lot of time and effort, since both the functionality and the policies are hardcoded by programmers, which leaves little flexibility when some variable values have to be changed over time.

To address this issue and to shorten the time it takes TIBCO consultants and architects to develop and implement the functionality and the policies, TIBCO Policy Manager separates policy formulation from functionality, supplies configurable policy templates, and makes policies declarative rather than procedural, so that dynamic businesses can easily adjust as circumstances demand. It also makes policy formulation so simple that even personnel without sufficient knowledge and experience in policy formulation, such as people from the administration or management department of a company, may be able to define policies. This document presents several questions regarding Policy Manager, such as what it is, how it is used, and its features and advantages.

What is Policy Manager?

Policy Manager is a TIBCO software product that oversees and directs policies for services deployed in TIBCO ActiveMatrix Service Grid software. It makes policy-based governance simpler, easier, and more manageable. Security and other aspects of the Service Oriented Architecture can easily be controlled and changed, which makes it flexible. It also extends policy-based governance to services deployed outside of ActiveMatrix Service Grid environments, such as those deployed using TIBCO BusinessWorks. This is done by using the TIBCO ActiveMatrix Policy Agent.

What is meant by runtime governance?

Runtime governance is a feature of Policy Manager that separates the functionality of a service from the policies on how the service is used.

Differentiate functionality from policy.

Functionality refers to the everyday activities within your business, such as debiting an account, releasing checks, and the like. Policies are declarative conditions, variable values, and key factors that modify the daily operations of functional units, affecting performance and security.

What are the advantages of declaring policies at runtime over hard-coding policies into functional components?

You can separate the creation of the functionality, which is done by the I.T. department, from the formulation and implementation of policies, which is done by management. Thus, you can save time, resources, and effort. You can maximize the use of declarative policies by reusing the policy templates readily available in Policy Manager. You can concisely define declarative policies, which merge policy templates with a small number of parameters that can be set and adjusted according to a specific business situation. Because policies are declarative rather than procedural, they are easier to understand and to change as you keep up with the demands and requirements of a dynamic business.

What are the examples of policies you can use in Policy Manager?

Most policies you can readily use in Policy Manager are related to security and logging. You can use a policy that adds a digital signature to outbound messages sent to the provider and validates that digital signature in inbound messages received by the provider. There is also a policy that screens request messages by checking that the requestor has valid credentials and appropriate access permissions for the request. If the request passes the screening, the agent forwards it to the service. If it fails, the agent logs the rejected message and does not forward it to the service. A policy can also encrypt messages as they exit an endpoint and decrypt messages as they enter an endpoint. There is also a policy that automatically attaches credentials to request messages before they arrive at messages. When an error occurs, a policy can log its details, which the administrator can then study.

What are the three conceptual components of TIBCO ActiveMatrix policy software?

The three conceptual components of TIBCO ActiveMatrix policy software are the Policy Manager Console, the central service, and Policy Agents. The Policy Manager Console is a friendly graphical user interface that lets appropriate users define, administer, and monitor policies. The console comes in two forms: as a TIBCO ActiveMatrix Administrator plug-in for Service Grid users, or as a TIBCO Administrator plug-in for Policy Agent and BusinessWorks users. The central service is a set of network applications that provide the underlying infrastructure for Policy Manager, such as database repository, validation, and distribution. Policy agents enforce policy by intercepting and analyzing messages to and from managed services and processing them in accordance with applied policies. An agent is either a Node agent or a Proxy agent. A Node agent enforces policies for services deployed in ActiveMatrix Service Grid Nodes, while a Proxy agent enforces policies for non-ActiveMatrix services. When you deploy services in ActiveMatrix Service Grid, these services are automatically registered and managed in Policy Manager. Non-ActiveMatrix services must be explicitly registered and managed using proxy agents.

Give an example of policy enforcement.

For example, the consumer sends a request message. The policy agent intercepts the message and encrypts the outbound data. Before that message arrives at the provider, another agent intercepts the message and enforces policies that check credentials and access permissions, decrypt the inbound data, and log requests. The provider processes a request and sends back a response message. Before that message goes back to the consumer, an agent encrypts the message and attaches a digital signature and gathers response time statistics. Before the message actually reaches the consumer, another agent intercepts it, decrypts the inbound data, and verifies the digital signatures. Finally, the consumer receives the response message.
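The following sketch models that round trip with declarative policies enforced by intercepting agents. It is an added example, not TIBCO code or the Policy Manager API: every name in it is hypothetical, the sample identities and key are constructed, HMAC from the standard library stands in for the keystore-backed digital signature, and the encryption steps are omitted.

```python
import hashlib
import hmac

# Constructed sample data standing in for an Identity Management System and a keystore set.
IMS = {"alice": {"password": "s3cret", "permissions": {"debitAccount"}}}
KEYSTORE = {"provider-key": b"constructed-demo-key"}
# Declarative policies: a template name plus a few parameters (all names hypothetical).
PROVIDER_INBOUND = [{"template": "authorize", "ims": IMS}]
PROVIDER_OUTBOUND = [{"template": "sign", "key": "provider-key"}]
CONSUMER_INBOUND = [{"template": "verify", "key": "provider-key"}]

def mac(key_name, body):
    return hmac.new(KEYSTORE[key_name], body.encode(), hashlib.sha256).hexdigest()

def authorize(msg, p, log):
    user = p["ims"].get(msg.get("user"))
    ok = (user is not None and msg.get("operation") in user["permissions"]
          and hmac.compare_digest(user["password"], msg.get("password", "")))
    if not ok:
        log.append(("rejected", msg.get("user"), msg.get("operation")))
    return msg if ok else None

def sign(msg, p, log):
    return {**msg, "signature": mac(p["key"], msg["body"])}

def verify(msg, p, log):
    ok = hmac.compare_digest(msg.get("signature", ""), mac(p["key"], msg["body"]))
    if not ok:
        log.append(("bad-signature", msg.get("body")))
    return msg if ok else None

TEMPLATES = {"authorize": authorize, "sign": sign, "verify": verify}

def enforce(policies, msg, log):
    """Agent at a managed endpoint: apply each policy; None means do not forward."""
    for p in policies:
        msg = TEMPLATES[p["template"]](msg, p, log)
        if msg is None:
            return None
    return msg

def call_service(request, log, tamper=False):
    """Request/response round trip through provider-side and consumer-side agents."""
    req = enforce(PROVIDER_INBOUND, request, log)
    if req is None:
        return None  # rejected request is logged and never reaches the service
    resp = enforce(PROVIDER_OUTBOUND, {"body": f"done:{req['operation']}"}, log)
    if tamper:
        resp = {**resp, "body": "done:somethingElse"}  # simulate modification in transit
    return enforce(CONSUMER_INBOUND, resp, log)
```

Changing who may call an operation or which key signs responses means editing the policy lists, not the service or the agent code, which is the separation of policy from functionality described earlier.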

Differentiate an endpoint from a managed endpoint.

An endpoint is an address for interacting with services. A managed endpoint is likewise an endpoint, but one where an agent can enforce policies.

What are the four phases involved in creating and applying policy?

The four phases involved in creating and applying policy are the following. First, register your services. This means that the WSDL data about the service is extracted and recorded in the database. Second, manage the services. To manage means to designate one or more endpoints as managed endpoints and to instruct the agent to manage those endpoints or to intercept and inspect messages at all relevant endpoints that pertain to that service. Third, define policies. Select a policy template and supply the values for the template variables depending on a specific situation or according to the needs of your business. You can define, for instance, the name of the policies, endpoints, Identity Management Systems, and connections. You have to specify the criteria to select target policies for services. Fourth and last, apply policies. After policies are defined, the policies assigned to services are saved to the database. The target service is validated and enforcement details are sent to the appropriate policy agents.

Give examples of infrastructure resources and how they are used in Policy Manager.

Certain infrastructure resources are readily available in Policy Manager. All you need to do is register and define them. They are the Keystore set, Identity Management System, Connections, and Universal Description Discovery and Integration (UDDI). Keystore sets contain certificates and key information for encryption, decryption, signing, and similar purposes. Identity Management Systems (IMS) are directory systems similar to Domain Name Systems for the Internet. IMS provide identity-based access control to systems and resources. The supported IMS in Policy Manager are Lightweight Directory Access Protocol (LDAP) servers and CA SiteMinder. Connection refers to the messaging service. The supported messaging service in Policy Manager is the Java Message Service (JMS). Lastly, the UDDI registry maintains public information about available services, endpoints, policies, and related resources. Except for JMS, all of these infrastructure resources are automatically targeted to all agents. JMS is automatically available only to proxy agents and not to node agents, since ActiveMatrix services use the Service Grid messaging service.

TIBCO Policy Manager is therefore a powerful, dynamic software product that is helpful for all types of businesses when it comes to providing security and usage control over services. If you want to gain leverage in your business and make development of services and their security faster, more reliable, and more efficient, the best choice is to use Policy Manager.

NOTE: This article was written by one of the TIBCO Certified Professionals of Xmarter, Inc., a technology consulting firm that specializes in delivering business solutions using TIBCO technology. To schedule a technical interview with the consultants, send an email to info@xmarter.com.
