TIBCO Developer Library – What is TIBCO Policy Manager?

Today, many companies are concerned not only with the operations and functions of their business processes, but also with how these processes are used, managed, and secured. When services are designed, the technical team considers both the functionality and the policies that govern the use of those services. Finalizing and implementing the services therefore takes a lot of time and effort: both the functionality and the policies are hard-coded, which leaves little flexibility when variable values have to change over time. TIBCO Policy Manager addresses this problem, and shortens the time it takes to develop and deploy functionality and policies, by separating policy formulation from functionality, providing configurable policy templates, and making policies declarative rather than procedural, so that dynamic companies can adjust easily as circumstances demand. It also makes policy formulation very simple: even personnel without sufficient knowledge and experience in policy formulation, such as people in a company's administration or management department, can define policies. This document answers several questions about Policy Manager, covering what it is, how it is used, and its features and benefits.

1. What is Policy Manager?

Policy Manager is TIBCO software that monitors and directs policies to services implemented in TIBCO ActiveMatrix Service Grid software. It makes policy-based governance simpler, easier, and more manageable. Security and other aspects of a Service Oriented Architecture can be easily controlled and changed, which makes it flexible. It also extends policy-based governance to services implemented outside of ActiveMatrix Service Grid environments, such as those implemented through TIBCO BusinessWorks. This is done using the TIBCO ActiveMatrix Policy Agent.

2. What is meant by run-time governance?

Runtime governance is a feature of Policy Manager that separates the functionality of a service from the policies on how the service is used.

3. Differentiate functionality from policy.

Functionality refers to the daily activities within your business, such as debiting an account, releasing checks, and the like. Policies are declarative conditions, variable values, and key factors that modify the daily operations of functional units, affecting performance and safety.

4. What are the advantages of declaring policies at runtime over hard-coding policies on functional components?

You can separate the creation of functionality by IT from the formulation and implementation of policies by management. Therefore, you can save time, resources, and effort. You can maximize the use of declarative policies by reusing the policy templates available in Policy Manager. You can define declarative policies in a concise way that merges policy templates with a small number of parameters that can be set and adjusted according to a specific business situation. Since policies are declarative rather than procedural, they are easier to understand and change as you need to keep up with the demands and requirements of dynamic businesses.

5. What are the sample policies that you can use in Policy Manager?

Most of the policies that you can easily use in Policy Manager are related to security and registry. You can use a policy that adds a digital signature to outgoing messages sent to the provider and validates that digital signature on incoming messages received by the provider. There is also a policy that filters request messages by verifying that the requestor has valid credentials and the proper access permissions for the request. If the request passes the check, the agent forwards it to the service. If it fails, the agent logs the rejected message and does not forward it to the service. A policy can also encrypt messages when they leave an endpoint and decrypt messages when they enter an endpoint. There is also a policy that automatically attaches credentials to request messages before they reach the service. When an error occurs, a policy can record its details so that the administrator can study them.
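The request-filtering policy described above, together with the declarative template-plus-parameters idea from question 4, can be modelled as follows. This is an added conceptual example, not TIBCO code or Policy Manager's policy format; the identity store, the HMAC credential format, and all names (`USERS`, `POLICY`, `PolicyAgent`, `debit_service`) are assumptions made for illustration.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("policy-agent")

# Constructed identity store standing in for an IMS such as LDAP.
USERS = {
    "alice": {"secret": b"alice-key", "roles": {"teller"}},
    "bob": {"secret": b"bob-key", "roles": {"auditor"}},
}

# Declarative policy: a template name plus a few parameters, no procedure.
POLICY = {"template": "authorization", "allowed_roles": {"teller"}}


def debit_service(message):
    """Business functionality only; it contains no security logic."""
    return {"status": "debited", "amount": message.get("amount")}


def credential(user, amount, secret):
    """Hypothetical credential format: HMAC-SHA256 over the request fields."""
    return hmac.new(secret, f"{user}|{amount}".encode(), hashlib.sha256).hexdigest()


class PolicyAgent:
    """Intercepts messages at a managed endpoint and enforces the policy."""

    def __init__(self, policy, service):
        self.policy, self.service, self.rejected = policy, service, []

    def handle(self, message):
        name, entry = message.get("user"), USERS.get(message.get("user"))
        presented = str(message.get("credential", "")).encode()
        if entry is None:
            reason = "unknown requestor"
        elif not hmac.compare_digest(
            credential(name, message.get("amount"), entry["secret"]).encode(), presented
        ):
            reason = "invalid credential"
        elif not entry["roles"] & self.policy["allowed_roles"]:
            reason = "access denied"
        else:
            return self.service(message)  # passed: forward to the service
        # Failed: log the rejection and do not forward; the caller gets no detail.
        self.rejected.append((name, reason))
        log.warning("rejected request from %r: %s", name, reason)
        return {"status": "rejected"}
```

Widening `allowed_roles` in the policy changes who is admitted without touching `debit_service`, which is the separation of policy from functionality that the page describes.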

6. What are the three conceptual components of TIBCO ActiveMatrix policy software?

The three conceptual components of TIBCO ActiveMatrix policy software are the Policy Manager Console, the Central Service, and the Policy Agents. The Policy Manager Console is a friendly graphical user interface that allows appropriate users to define, manage, and monitor policies. The console comes in two forms: as a TIBCO ActiveMatrix Administrator plug-in for Service Grid users, or as a TIBCO Administrator plug-in for Policy Agent and BusinessWorks users. The Central Service is a set of network applications that provide the underlying infrastructure for Policy Manager, such as database repository, validation, and distribution. Policy agents enforce policies by intercepting and analyzing messages to and from managed services and processing them according to the applied policies. An agent can be a node agent or a proxy agent. A node agent enforces policies for services deployed on ActiveMatrix Service Grid nodes, while a proxy agent enforces policies for non-ActiveMatrix services. When you deploy services to the ActiveMatrix Service Grid, these services are automatically registered and managed in Policy Manager. Non-ActiveMatrix services must be explicitly registered and managed by proxy agents.

7. Give an example of policy enforcement.

For example, the consumer sends a request message. The policy agent intercepts the message and encrypts the outgoing data. Before that message reaches the provider, another agent intercepts the message and enforces policies that verify credentials and access permissions, decrypt incoming data, and log requests. The provider processes a request and sends a response message. Before that message is returned to the consumer, an agent encrypts the message, attaches a digital signature, and collects response time statistics. Before the message actually reaches the consumer, another agent intercepts it, decrypts the incoming data, and verifies the digital signatures. Finally, the consumer receives the response message.

8. Differentiate an endpoint from a managed endpoint.

An endpoint is an address for interacting with services. A managed endpoint is also an endpoint, but one where an agent can enforce policies.

9. What are the four phases involved in creating and applying policies?

The four phases involved in creating and enforcing policies are as follows: First, register your services. This means that the WSDL data about the service is extracted and recorded in the database. Second, manage the services. Managing means designating one or more endpoints as managed endpoints and instructing the agent to manage those endpoints or to intercept and inspect messages on all relevant endpoints that belong to that service. Third, you can now define policies. Select a policy template and provide the values for the template variables based on a specific situation or your business needs. You can define, for example, the name of policies, endpoints, identity management systems, and connections. You must specify the criteria for selecting target policies for services. Fourth and last, you can now apply policies. After defining the policies, the policies assigned to the services are saved in the database. The target service is validated and the details of the application are sent to the appropriate policy agents.

10. Give examples of infrastructure resources and how they are used in Policy Manager.

Certain infrastructure resources are available in Policy Manager. All you need to do is register and define them. They are keystore sets, identity management systems, connections, and Universal Description, Discovery and Integration (UDDI) registries. Keystore sets contain certificates and key information for encryption, decryption, signing, and similar purposes. Identity Management Systems (IMS) are directory systems similar to domain name systems for the Internet. An IMS provides identity-based access control to systems and resources. The IMS supported in Policy Manager are Lightweight Directory Access Protocol (LDAP) and CA SiteMinder servers. A connection refers to the messaging service. The supported messaging service in Policy Manager is Java Message Service (JMS). Lastly, the UDDI registry maintains public information about available services, endpoints, policies, and related resources. Except for JMS, all of these infrastructure resources are automatically made available to all agents. JMS is automatically available only to proxy agents, not to node agents, as ActiveMatrix services use the Service Grid messaging service.

Therefore, TIBCO Policy Manager is powerful and dynamic software that is useful for all types of companies when it comes to providing security and control over the use of services. If you want to leverage your business and make service development and your security faster, more reliable, and more efficient, the best option is to use Policy Manager.