RSA Access Manager authorization


RSA Access Manager (formerly known as RSA ClearTrust) provides identity management and access control services for web applications. It centrally manages access to web applications, ensuring that only authorized users are allowed access to resources.

The Access Manager filter enables integration with RSA Access Manager. This filter can query Access Manager for authorization information for a particular user on a given resource. In other words, API Gateway asks Access Manager to make the authorization decision. If the user has been given authorization rights to the web service, the request is allowed through to the service. Otherwise, the request is rejected.


Integration with RSA Access Manager requires the RSA ClearTrust SDK, version 6.0. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

Add third-party binaries to API Gateway

To add third-party binaries to the API Gateway, perform the following steps:

  1. Add the binary files as follows:

    • Add .jar files to the install-dir/apigateway/ext/lib directory.

    • Add .dll files to the install-dir\apigateway\Win32\lib directory.

    • Add .so files to the install-dir/apigateway/platform/lib directory.

  2. Restart API Gateway.

Add third-party binaries to Policy Studio

To add third-party binaries to Policy Studio, perform the following steps:

  1. Select Windows > Preferences > Runtime Dependencies in the Policy Studio main menu.

  2. Click Add to select a JAR file to add to the list of dependencies.

  3. Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.

  4. Click OK.

  5. Restart Policy Studio.

General settings

Configure the following general setting:


Enter an appropriate name for the filter.

Connection details

The Connection Details section enables you to specify a group of Access Manager servers to connect to in order to authenticate clients. You can select a group of Access Manager servers to provide failover in cases where one or more servers are not available.

Connection Group Type

The API Gateway can connect to a group of Access Manager authorization servers or dispatcher servers. When multiple Access Manager authorization servers are deployed for load-balancing purposes, the API Gateway should first connect to a dispatcher server, which returns a list of active authorization servers. An attempt is then made to connect to one of these authorization servers using round-robin DNS. If the first dispatcher server in the connection group is not available, the API Gateway attempts to connect to the dispatcher server with the next highest priority in the group, and so on.

If a dispatcher server has not been deployed, the API Gateway can connect directly to an authorization server. If the authorization server with the highest priority in the connection group is not available, the API Gateway attempts to connect to the authorization server with the next highest priority, and so on. Select the type of the connection group (Authorization Server or Dispatcher Server). All servers in the group must be of the same type.

Connection Group:

Click the button on the right, and select the connection group to use for authenticating clients. To add a connection group, right-click the RSA ClearTrust Connection Sets tree node, and select Add a Connection Set. Alternatively, you can configure a connection set under the External Connections node in the Policy Studio tree. For more details, see the topic on Configure connection groups.

Authorization details

The Authorization Details section describes the resource for which the user is requesting access.

  • Server:

    Enter the name of the server that is hosting the requested resource. The name entered must correspond to a preconfigured server name in Access Manager.

  • Resource:

    Enter the name of the requested resource. This resource must be preconfigured in Access Manager.

Alternatively, you can enter a selector representing a message attribute in the Resource field. The API Gateway expands this selector at runtime to the value of the corresponding message attribute. API Gateway message attribute selectors take the following format:


The following example of a typical SOAP message received by the API Gateway shows how this works:

POST /services/timeservice HTTP/1.0
Host: localhost:8095
Content-Length: 374
SOAPAction: TimeService
Accept-Language: en-US
Content-Type: text/XML; utf-8

<soap:Envelope xmlns:soap="">
    <ns1:getTime xmlns:ns1="urn:timeservice">

The following table shows an example of selector expansion:

Selector Expanded To
${http.request.uri} /services/timeservice

For more details on selectors, see Select configuration values at runtime.