Layer7 API Management

  • 1.  Consume WCF Service

    Posted Aug 17, 2016 01:32 PM

    Hi Folks,

    We want to consume an existing WCF service from the API gateway. The WCF service implements a Security Token based authentication scheme. We raised a Support ticket and they asked us to post a question in the community. Please can you point us to an example policy to understand it?

     

    Thanks,

    Abhishek



  • 2.  Re: Consume WCF Service
    Best Answer

    Broadcom Employee
    Posted Aug 29, 2016 01:36 PM

    Abhishek,

     

    For some reason which I will look into, the WCF component of the online documentation did not include the components that used to exist in the shipped PDF back in 8.2. I've attached that Layer 7 Policy Manager User Manual document plus several sample policies to help with the various roles that the gateway can act in for Secure Conversation. In the user manual, look at the "How to Integrate the Gateway with WCF"

    Scenario 1: Gateway as Pass-Thru

    In this scenario, the gateway sits in the middle of the client and the end service. The secure conversation session is established for the gateway and the endpoint service, but the session is also shared by the client and the gateway. Think of it as a "legitimized Man-In-The-Middle attack".

    Overview "Gateway As Pass-Thru"
    • The gateway receives a RST/SCT request from the client to establish a secure conversation with the endpoint service.
    • The gateway forwards the request to the endpoint service.
    • The gateway receives a RSTR/SCT response with a SCT from the endpoint service.
    • The gateway establishes an outbound secure conversation session by using the SCT.
    • The gateway forwards the RSTR/SCT response (without any mediation) to the client.
    • The gateway receives a service request (i.e., business request) from the client to request an actual service.
    • The gateway makes a mediation on the service request, re-decorates it, and sends it to the endpoint service.
    • The gateway receives a service response from the endpoint service.
    • If there is no need to mediate the response, then the gateway directly forwards the service response to the client.
    • If the response needs to be mediated, then the gateway processes/parses the response message, modifies it, re-decorates it, and sends it back to the client.

    Scenario 2: Gateway as WCF Client

    In this scenario, the gateway acts as WCF Client, which establishes a secure conversation with the WCF service and then sends the service/business request to the WCF service.

    Overview "Gateway as WCF Client"
    • The gateway receives a service request from the client application.
    • The gateway sends a RST/SCT request to the STS to establish a secure conversation.
    • The gateway receives a RSTR/SCT response with a SCT from the STS.
    • The gateway sends a RST/Issue request to the STS to request a SAML token, which will be used later to authenticate the gateway in the end service.
    • The gateway receives a RSTR/Issue response with a SAML token from the STS.
    • The gateway builds a RST/SCT request with the SAML token and sends the request to the endpoint service to establish a secure conversation.
    • The gateway receives a RSTR/SCT response with a SCT from the endpoint service and establishes an outbound secure conversation.
    • The gateway sends a service request protected by the shared secret to the end service.
    • The gateway receives a service response request from the endpoint service.
    • The gateway processes and modifies the response (If the decoration is needed, then decorate the response message before sending it back to the client application.)
    • The gateway sends the response message back to the client application.

    Scenario 3: Gateway as WCF Service

    In this scenario, the gateway acts as WCF Service, which establishes a secure conversation with a WCF client and handles the client's service request.

    Overview "Gateway as WCF Service"
    • The gateway receives a RST/SCT request (maybe with a SAML token) from the client, which wants to establish a secure conversation with the gateway.
    • The gateway sends the RST/SCT request to a Security Context Token internal service, which generates a SCT.
    • The gateway receives a RSTR/SCT response with a SCT and a server entropy.
    • The gateway sends the client the RSTR/SCT response with the SCT and the server entropy.
    • The gateway receives a service request from the client.
    • The gateway undecorates the service request secured by the SC session and then handles the service request.
    • The gateway generates a service response (secured by the SC session) and sends it back to the client.
    • The gateway receives a RST/Cancel request from the client to cancel the secure conversation.
    • The gateway sends a RSTR/Cancel response to the client after the secure conversation is canceled.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support

    Attachment(s)

    • WcfClient.xml.zip (4 KB)
    • WcfService.xml.zip (4 KB)
    • WcfPassThru.xml.zip (5 KB)
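
The Scenario 3 exchange described above, sketched as an added Python example (not part of the original post, the user manual, or the attached policies). It assumes the WS-Trust computed-key algorithm PSHA1, where the session key is P_SHA1(client entropy, server entropy), and it uses a plain HMAC over the request body in place of XML Signature; `SctService`, the SCT identifier format and the sample request are constructed for illustration.

```python
import hashlib, hmac, os

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 as defined for the TLS 1.0 PRF (RFC 2246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

class SctService:
    """Hypothetical stand-in for the gateway-side SCT issuer in Scenario 3."""
    def __init__(self):
        self.sessions = {}  # SCT identifier -> session key

    def issue(self, client_entropy: bytes, key_bytes: int = 32):
        """Handle RST/SCT: return what the RSTR/SCT carries (SCT id, server entropy)."""
        server_entropy = os.urandom(key_bytes)
        sct_id = "urn:uuid:" + os.urandom(16).hex()  # constructed identifier
        self.sessions[sct_id] = p_sha1(client_entropy, server_entropy, key_bytes)
        return sct_id, server_entropy

    def verify(self, sct_id: str, body: bytes, mac: bytes) -> bool:
        """Check a service request secured by the SC session."""
        key = self.sessions.get(sct_id)
        if key is None:  # unknown or cancelled session
            return False
        expected = hmac.new(key, body, hashlib.sha1).digest()
        return hmac.compare_digest(expected, mac)

    def cancel(self, sct_id: str) -> bool:
        """Handle RST/Cancel: drop the session key."""
        return self.sessions.pop(sct_id, None) is not None

def run_scenario3():
    gateway = SctService()
    client_entropy = os.urandom(32)                          # sent in the RST/SCT
    sct_id, server_entropy = gateway.issue(client_entropy)   # RSTR/SCT comes back
    client_key = p_sha1(client_entropy, server_entropy, 32)  # client derives the same key
    body = b"<GetQuote>constructed sample request</GetQuote>"
    mac = hmac.new(client_key, body, hashlib.sha1).digest()
    accepted = gateway.verify(sct_id, body, mac)
    tampered = gateway.verify(sct_id, body + b"x", mac)
    cancelled = gateway.cancel(sct_id)
    after_cancel = gateway.verify(sct_id, body, mac)         # session is gone
    return accepted, tampered, cancelled, after_cancel
```

Neither side ever transmits the session key; each derives it from the two entropy values, so whoever can read both the RST and the RSTR can compute it.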