Sentry administrators often inquire how different policy objects associate to each other. This article includes a sample REST Policy for the OpenWeatherMap API with a corresponding "map" that outlines how the different policy objects tie together. While this article uses a REST policy, the associations are the same for other Content Policies.
The OpenWeatherMap REST API Policy
Attached is a Sentry REST Policy (FSG file) that can be imported into Sentry v8.3 (built with 8.3.408). This REST policy secures the OpenWeatherMap API by providing the following:
- TLS on the HTTP Listener - Enforces TLSv1.2 or TLSv1.1 between the client application and Sentry (TLS is not enabled between Sentry and the API)
- Basic Authentication via LDAP Lookup on the Virtual Directory - Utilizes the FS Online LDAP Server
- Default Sentry IDP Rules - Intrusion Detection and Prevention rules for size limits, HTTP Method and header validation, etc...
The REST API consists of the following policy objects:
- REST Policy - Master policy object that associates all child policy objects listed below
- Virtual Directory - Associates several of the policy objects together, including the User ACL and Network Policies
- LDAP Policy - points to the FS Online LDAP server
- User ACL - with LDAP policy associated, used to validate the basic auth credentials provided by the client
- HTTPS Listener Policy - The protocol, IP, and port that Sentry is listening on for incoming traffic
- SSL Termination Policy - Associated to the HTTPS Listener policy, to process the SSL handshake between Sentry and the client
- Key Pair - Used with SSL Termination policy, this is the server cert provided by Sentry during the SSL handshake
- HTTP Remote Policy - The protocol, host/IP, and port of the remote server Sentry will forward the processed request to (the OpenWeatherMap server)
- Request Task List Group - Contains one task list and is associated to the REST Policy
- Request Task List - Adds the mode=xml query parameter and value to the URI so that the response from the API is in XML format
Importing the REST Policy
This REST policy can be imported into Sentry v8.3 on the System-->Configuration-->Import/Export screen under the GDM Import section.
The import password is "password" without the quotes.
The import will include all of the policy objects listed above.
Testing the REST Policy
After importing, you can test this REST policy using a web browser. Basic Authentication credentials are required.
Follow the steps below.
1. Use the following URL, replacing "your_sentry_ip" with your Listener Policy IP or a hostname that resolves to the same.
2. You will receive an SSL Warning because the Sentry server cert is not trusted by your browser. Click through it.
3. When prompted, enter the credentials above.
The result should be in XML format, similar to the following:
<city id="2643743" name="London">
<coord lon="-0.13" lat="51.51"/>
<sun rise="2015-02-27T06:49:09" set="2015-02-27T17:37:12"/>
<temperature value="277.542" min="277.542" max="277.542" unit="kelvin"/>
<humidity value="84" unit="%"/>
<pressure value="1022.5" unit="hPa"/>
<speed value="3.81" name="Gentle Breeze"/>
<direction value="210.001" code="SSW" name="South-southwest"/>
<clouds value="32" name="scattered clouds"/>
<weather number="802" value="scattered clouds" icon="03n"/>
- Attached is a Sentry System log session showing a successful transaction for the attached REST policy.
- Sentry is adding the query parameter (and value) mode=xml to the end of the request URL as it connects to the OpenWeatherMap API. If this task list is disabled (and the mode parameter is missing), the result will be in JSON format.
- Some browsers may not display the XML response correctly. To see the XML response, view the source and/or check your Sentry log file.
For more information on the OpenWeatherMap API see: http://openweathermap.org/api.
REST Policy Map
The REST Policy Map below shows all dependencies for the REST policy and outlines how each component is associated.
- There are a few policy objects in this map that are not included in the attached sample REST policy. They are included in this map to illustrate how they are associated to the REST policy.
- There are some additional policy associations not included in this map. An example is a Sign Data task, which includes an associated Signature Policy, which in turn contains an association to a key pair.
The map is also attached in PDF format which is best for zooming.