TIBCO ACTIVEMATRIX POLICY MANAGER

Contents
1.Introduction ................................................................................................................................................................... 2 2.Need for a Policy Manager............................................................................................................................................. 2 3. Technical Insight............................................................................................................................................................ 3 4. Key Benefits & Attributes:............................................................................................................................................. 5

Revision History
Name Samarth Gupta Date 19-08-2011 Reason For Changes Document Created Version 0.1

2011. HCL Technologies Ltd. No information may be reproduced or retransmitted without explicit permission from the company.

1.Introduction
Policy Manager is a TIBCO software that oversees and directs policies to services deployed in TIBCO ActiveMatrix Service Grid software. It makes policy-based governance simpler, easier, and more manageable. The control over security and other aspects of the Service Oriented Architecture can easily be controlled and changed; thus, its flexible. It also extends policy-based governance to services deployed outside of ActiveMatrix Service Grid environments, such as those deployed using TIBCO BusinessWorks. This can be done by using the TIBCO ActiveMatrix Policy Agent. TIBCO ActiveMatrix Policy Manager enables companies to centrally define policies for security, auditing, logging and service level agreements as rules and to enforce policies consistently across services built on Java and .NET or in custom and packaged applications.

2.Need for a Policy Manager

Managing Services includes many questions that want answers:
Is Security enforced? For example, as you deploy a new service in a functional domain, you want to guarantee that security is enforced at the right level, with the proper Authentication, Authorization, Privacy and Integrity as required by the specific environment. It will be very different to secure an internal access to a catalog where any authenticated users can access freely the information or if it is a payment operation for which the highest security is needed including cryptography. Are my services performing to their SLA and are you servicing the most important request properly? Service Level Agreement may be based on contextual information contained in the message itself, such as a customer service level or even a dollar amount for the given transaction. Are you getting the response time that you committed and if not, how can you quickly readjust the system to accept new load. Is my service infrastructure running smoothly? With an increasing number of components to manage: services, service engines, containers, machines, how do you keep track of the health of the entire system Whether the service infrastructure is ready for tomorrows load? Whether it is sheer scalability to accompany company growth or just the ability to handle a distinctive event that will increase temporarily the demand on the system. Like a targeted marketing campaign, an end of quarter event, or the like. And for the entire above how do you troubleshoot anything going on in this environment.

With service-oriented architecture (SOA),applications are composed out of reusable services built with different technologies that run on different machines. This makes deployment and management challenging. Implementing security, auditing, and logging; maintaining uptime; and meeting service level agreements are often performed differently on each platform and hard coded. Not only does this result in more development work. These differences make the services harder to change, reuse, and manage. TIBCO ActiveMatrix Policy Manager enables organizations to centrally define policies for security, auditing, logging, and service level agreements. It separates a services business logic from these policies and replaces policy hard-coding with more flexible rules. This separation allows organizations to apply policies uniformly across all services regardless of location or underlying technology such as Java or .NET. It also means companies can implement security, regulatory requirements, and service level agreements much faster than before because changes are no longer required to the existing applications. This results in much greater flexibility, lower costs, and the ability to deliver applications that are driven by the rules of the business. 2011. HCL Technologies Ltd. No information may be reproduced or retransmitted without explicit permission from the company.

3. Technical Insight
The 3 conceptual components of TIBCO ActiveMatrix policy software are the Policy Manager Console, the central service, and Policy Agents. Policy Manager console is a friendly graphical user interface that lets appropriate users define and administer policies and monitor them. You can have the console in 2 forms as a TIBCO ActiveMatrix Administrator plug-in for Service Grid users, or as a TIBCO Administrator plug-in for Policy Agent and BusinessWorks users. The central service is a set of network applications that provide the underlying infrastructure for Policy Manager such as database repository, validation, and distribution. Policy agents enforce policy by intercepting and analyzing messages to and from managed services and processing them in accordance with applied policies. You can have either a Node agent or a Proxy agent. A Node agent enforces policies for services deployed in ActiveMatrix Service Grid Nodes, while you use a proxy agent to enforce policies for Non-ActiveMatrix services. When you deploy services in ActiveMatrix Service Grid, these services are automatically registered and managed in Policy Manager. The non-ActiveMatrix services should be explicitly registered and managed using proxy agents. You can see that the service implementer and the policy creator can actually be very distinct role and people in an IT organization. This needs to be reflected closely in the separation of the lifecycles. Lets look at it more closely from an architecture point of view..

In fact, there is not one lifecycle for policies but multiple of them, each type of Policy whether it is Security, auditing or Routing may involve a different user or role, each one will focus on a different subject but all of them need to get deployed in a cohesive manner.

2011. HCL Technologies Ltd. No information may be reproduced or retransmitted without explicit permission from the company.

In many systems today security or other systems management functionality are directly embedded into the service upon creation and are very rigid. Applications may need to get redeployed to accommodate any significant change such as restricting authorization or upping the level of cryptography used.

This drives toward having more explicit policies as separate assets in the deployment. These policies can now have their own lifecycle and decisions about them can be made independently. An agent deployed into each container is now responsible for enforcing the policy where the services are deployed. A policy manager is responsible for storing the policies and distributing them to the proper endpoint. You can notice here that Policy is only remotely linked to services for which they are enforced. Lets take a closer look at how the policies are enforced

These policies come in many different type from security related to Logging, Tracking, Auditing, Routing or Schema Validation. They all have a common characteristic which is that they all are operating on your actual data, and can alter the flow and the data significantly. Unlike most of the conventional systems management tools as external observer of a component.

The policies are getting through a lifecycle in three steps. First we start with a Policy Template which holds a set of policy action which can be configured to some extent. At configuration time, a policy template is configured for a specific environment, and second it is scoped to a certain set of services. After a policy is configured, it is getting applied to the proper agents endpoints, at which point it becomes an applied policy or enforced policy which can be monitored.

2011. HCL Technologies Ltd. No information may be reproduced or retransmitted without explicit permission from the company.

BW and POLICY MANAGER:

A proxy agent provides multiple endpoints, each for a different service. You can apply different management policies at each management endpoint. Is deployed separately from the service endpoint it is managing. You can use it to manage interactions with services residing outside of sphere. Requires a separate hop during both the request and response phases of the service invocation. Requires modification of the WSDL to point to the proxy agent in lieu of the service implementation [change address client uses to connect with service]. The system creates a new endpoint in the eProxy web application each time you add a new proxy agent Best choice for applying routing, load-balancing, failover policies.

4. Key Benefits & Attributes:

Enables business and IT service level, regulatory, or security requirements to be rapidly implemented as rules without requiring changes to existing service-oriented applications. Increases service flexibility by replacing rigid code with rules-based policy management. Promotes service reuse by allowing the same services to have different policies for different consumers. Increases control over service infrastructure and reduces risk by consistently enforcing policies such as security, auditing, logging, and routing across services. Ensures that business and IT service level agreements are met by applying and enforcing rules-based servicelevel policies across services. Reduces complexity in development and operations by providing a complete governance solution across Java, .NET, legacy, and packaged applications.

2011. HCL Technologies Ltd. No information may be reproduced or retransmitted without explicit permission from the company.

A few key attributes: Policy Management for Heterogeneous SoA: ActiveMatrix Policy Manager enables uniform policy management across a variety of technologies and architectures. It can enforce policies using a combination of distributed, proxybased agents that intercept all service requests and embedded agents that execute in-process with the service. TIBCOs proxy-based agents can manage any service including external services hosted on application servers or services exposed from legacy and packaged applications. ActiveMatrix also provides embedded agents for Java, .NET, TIBCO ActiveMatrix BusinessWorks, and TIBCO ActiveMatrix Service Bus. Rich Set of Pre-Built Policy Templates: ActiveMatrix Policy Manager includes a broad range of policy templates that are used within the TIBCO ActiveMatrix Administrator console to graphically configure policies. Administrators can also design custom policies as XML templates for special requirements based on message content, header, or custom instrumentation.

Built-In Governance: ActiveMatrix provides built-in support for defining, deploying, and managing services, including built-in support for policy management. All policy management is done within TIBCOs common administrative console, ActiveMatrix Administrator. Administrators can automatically discover and introspect services hosted in ActiveMatrix or browse UDDI registries such as TIBCO ActiveMatrix Registry. ActiveMatrix can automatically synchronize service and policy information in its repository with registries. Administrators can drilldown in ActiveMatrix Administrator from policies to service details including performance information and logs. Policy management is built on ActiveMatrix common logging, which synchronizes logs across components. Simplified Definition of Rules-Based Policies: ActiveMatrix Policy Manager includes an Ajax based plug-in to ActiveMatrix Administrator that makes it easy to graphically define policies for distributed services. The policy management plugin provides a unified view of policies and services with drop-down menus and drag-and-drop operations for configuring different policies and choosing the deployment options such as embedded or proxy-based enforcement. Automatic Policy Provisioning: ActiveMatrix Policy Manager automatically distributes policies to those endpoints running related services by dynamically applying filters based on service characteristics. It intelligently identifies what policies need to be deployed to each distributed node in the grid, and automatically redeploys policies each time services are (re-)deployed or policies changed. Supports Leading Security Standards: ActiveMatrix Policy Manager supports leading third-party LDAP and identity management systems and leading security standards and protocols including Security, XML Signature, XML Encryption, and SAML.

***********************************************************************************************

2011. HCL Technologies Ltd. No information may be reproduced or retransmitted without explicit permission from the company.