RSA Access Manager Authorization

Contents

Overview

RSA Access Manager (formerly known as RSA ClearTrust) provides Identity Management and access control services for Web applications. It centrally manages access to Web applications, ensuring that only authorized users are allowed access to resources.

The Enterprise Gateway's Access Manager filter enables integration with RSA Access Manager. This filter can query Access Manager for authorization information for a particular user on a given resource. In other words, the Enterprise Gateway asks Access Manager to make the authorization decision. If the user has been given authorization rights to the Web Service, the request is allowed through to the service. Otherwise, the request is rejected.

Prerequisites

RSA Access Manager integration requires RSA ClearTrust SDK version 6.0.

Enterprise Gateway
When adding third-party binaries to the Enterprise Gateway, you must perform the following steps:

  1. Add the binary files as follows:
    • Add .jar files to the InstallDir/ext/lib directory.
    • Add .dll files to the InstallDir\win32\lib directory.
    • Add .so files to the InstallDir/platform/lib directory.
  2. Restart the Enterprise Gateway.

Policy Studio
When adding third-party binaries to the Policy Studio, you must perform the following steps:

  1. Add .jar files to the InstallDir/plugins/thirdparty.runtime.dependencies_6.0.3 directory.
  2. Restart the Policy Studio.

General Details

Configure the following general setting:

Name:
Enter an appropriate name for the filter.

Connection Details

This section enables you to specify a group of Access Manager servers to connect to in order to authenticate clients. You can select a group of Access Manager servers to provide failover in cases where one or more servers are not available.

Connection Group Type
The Enterprise Gateway can connect to a group of Access Manager Authorization Servers or Dispatcher Servers. When multiple Access Manager Authorization Servers are deployed for load-balancing purposes, the Enterprise Gateway should first connect to a Dispatcher Server, which returns a list of active Authorization Servers. An attempt is then made to connect to one of these Authorization Servers using round-robin DNS. If the first Dispatcher Server in the Connection Group is not available, the Enterprise Gateway attempts to connect to the Dispatcher Server with the next highest priority in the group, and so on.

If a Dispatcher Server has not been deployed, the Enterprise Gateway can connect directly to an Authorization Server. If the Authorization Server with the highest priority in the Connection Group is not available, the Enterprise Gateway attempts to connect to the Authorization Server with the next highest priority, and so on.

Select the type of the Connection Group using the Authorization Server or Dispatcher Server radio button. All servers in the group must be of the same type.

Connection Group:
Click the button on the right, and select the Connection Group to use for authenticating clients. To add a Connection Group, right-click the RSA ClearTrust Connection Sets tree node, and select Add a Connection Set. Alternatively, you can configure a Connection Set under the External Connections node in the Policy Studio tree. For more details, see the topic on Configuring Connection Groups.

Authorization Details

This section describes the resource for which the user is requesting access.

  • Server:
    Enter the name of the server that is hosting the requested resource. The name entered must correspond to a pre-configured Server Name in Access Manager.
  • Resource:
    Enter the name of the requested resource. This resource must also have been pre-configured in Access Manager.

Alternatively, you can enter a property representing a message attribute in the Resource field. The Enterprise Gateway expands this property at runtime to the value of the corresponding message attribute. Enterprise Gateway properties take the following format: 

${message.attribute}

The following example of a typical SOAP message received by the Enterprise Gateway shows how this works: 

POST /services/timeservice HTTP/1.0
Host: localhost:8095
Content-Length: 374
SOAPAction: TimeService
Accept-Language: en-US
Content-Type: text/XML; utf-8

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns1:getTime xmlns:ns1="urn:timeservice">
	</ns1:getTime>
  </soap:Body>
</soap:Envelope>

The following table shows an example of property expansion:

Property Expanded To
${http.request.uri} /services/timeservice