RSA Access Manager (formerly known as RSA ClearTrust) provides Identity Management and access control services for Web applications. It centrally manages access to Web applications, ensuring that only authorized users are allowed access to resources.
The API Gateway's Access Manager filter enables integration with RSA Access Manager. This filter can query Access Manager for authorization information for a particular user on a given resource. In other words, the API Gateway asks Access Manager to make the authorization decision. If the user has been given authorization rights to the Web Service, the request is allowed through to the service. Otherwise, the request is rejected.
Integration with RSA Access Manager requires the RSA ClearTrust SDK, version 6.0. You must add the required third-party binaries to your API Gateway and Policy Studio installations.
API Gateway
To add third-party binaries to the API Gateway, you must perform the following steps:
-
Add the binary files as follows:
-
Add
.jar
files to theinstall-dir/apigateway/ext/lib
directory. -
Add
.dll
files to theinstall-dir\apigateway\Win32\lib
directory. -
Add
.so
files to theinstall-dir/apigateway/platform/lib
directory.
-
-
Restart the API Gateway.
Policy Studio
To add third-party binaries to Policy Studio, you must perform the following steps:
-
Select Windows -> Preferences -> Runtime Dependencies in the Policy Studio main menu.
-
Click Add to select a JAR file to add to the list of dependencies.
-
Click Apply when finished. A copy of the JAR file is added to the
plugins
directory in your Policy Studio installation. -
Click OK.
-
Restart Policy Studio.
Configure the following general setting:
Name:
Enter an appropriate name for the filter.
This section enables you to specify a group of Access Manager servers to connect to in order to authenticate clients. You can select a group of Access Manager servers to provide failover in cases where one or more servers are not available.
Connection Group Type
The API Gateway can connect to a group of Access Manager Authorization Servers or Dispatcher Servers. When multiple Access Manager Authorization Servers are deployed for load-balancing purposes, the API Gateway should first connect to a Dispatcher Server, which returns a list of active Authorization Servers. An attempt is then made to connect to one of these Authorization Servers using round-robin DNS. If the first Dispatcher Server in the Connection Group is not available, the API Gateway attempts to connect to the Dispatcher Server with the next highest priority in the group, and so on.
If a Dispatcher Server has not been deployed, the API Gateway can connect directly to an Authorization Server. If the Authorization Server with the highest priority in the Connection Group is not available, the API Gateway attempts to connect to the Authorization Server with the next highest priority, and so on. Select the type of the Connection Group (Authorization Server or Dispatcher Server). All servers in the group must be of the same type.
Connection Group:
Click the button on the right, and select the Connection Group to use for authenticating clients. To add a Connection Group, right-click the RSA ClearTrust Connection Sets tree node, and select Add a Connection Set. Alternatively, you can configure a Connection Set under the External Connections node in the Policy Studio tree. For more details, see the topic on Configuring Connection Groups.
This section describes the resource for which the user is requesting access.
-
Server:
Enter the name of the server that is hosting the requested resource. The name entered must correspond to a pre-configured Server Name in Access Manager.
-
Resource:
Enter the name of the requested resource. This resource must be pre-configured in Access Manager.
Alternatively, you can enter a selector representing a message attribute in the Resource field. The API Gateway expands this selector at runtime to the value of the corresponding message attribute. API Gateway message attribute selectors take the following format:
${message.attribute}
The following example of a typical SOAP message received by the API Gateway shows how this works:
POST /services/timeservice HTTP/1.0 Host: localhost:8095 Content-Length: 374 SOAPAction: TimeService Accept-Language: en-US Content-Type: text/XML; utf-8 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ns1:getTime xmlns:ns1="urn:timeservice"> </ns1:getTime> </soap:Body> </soap:Envelope>
The following table shows an example of selector expansion:
For more details on selectors, see Selecting Configuration Values at Runtime.