Authenticate using Tivoli Access Manager Assertion
The Authenticate using Tivoli Access Manager Assertion instructs the CA API Gateway to delegate the authentication and authorization tasks required to gain access to a protected Web service to the IBM Tivoli Access Manager Server. For instructions on how to install this assertion, see Install the Tivoli Access Manager Assertion. Once installed, this assertion is available from both the Access Control and Custom Assertions palettes.
Note the following when using this assertion:
- You may receive an HTTP Basic authentication warning when the Authenticate using Tivoli Access Manager assertion is used together with any of these assertions: Require XPath Credentials, Require FTP Credentials, or Require WS-Security UsernameToken Profile Credentials. This policy validation warning can be ignored.
- When running this assertion in the browser client, a triangular warning icon may appear next to the dialog box when the assertion properties are displayed. This icon can be ignored.
Usage Rules
Note the following rules when using the Authenticate using Tivoli Access Manager assertion:
- This assertion cannot be used with:
  - Authentication assertions that encrypt passwords, such as the Require SSL or TLS Transport Assertion (with client authentication enabled)
  - Any other authentication assertion that does not supply a clear-text password (this assertion requires one)
- This assertion can be used with:
  - Username Token (including the Require Encrypted UsernameToken Profile Credentials Assertion)
  - Require SSL or TLS Transport Assertion (without client authentication enabled)
  - Any other assertion not listed in the exclusion list above.
- A policy can only contain a single Authenticate using Tivoli Access Manager assertion per authentication scheme. For complex policies that contain more than one authentication scheme, multiple instances of this assertion may be used.
You can use XML encryption/signing if the Require Encrypted UsernameToken Profile Credentials Assertion is also present in the policy.
Using the Assertion
1. Do one of the following:
   - To add the assertion to the policy development window, drag and drop the assertion from the palette.
   - To change the configuration of an existing assertion, proceed to step 2 below.
2. Right-click Authenticate using Tivoli Access Manager in the policy window and choose Authenticate using Tivoli Access Manager, or double-click the assertion in the policy window. The properties are displayed.
3. Configure the dialog as follows:

Setting | Description |
TAM Instance | Specify the TAM instance to use. Leave this field blank to use the default setting, which sets the TAM instance to the same value as tam.pd.config.file.name in the tam_agent.properties file on the Gateway. Otherwise, enter the TAM instance name as configured in the tam_agent.properties file on the Gateway; specifically, this value is the "<instanceName>" part of the tam.pd.config.file.name property. You can also reference a context variable containing the instance name. |
Resource | Enter the protected resource defined in the Tivoli Access Manager. You may reference context variables. |
Action | Enter the requested action (such as "T" or "B") to be applied to the resource for the given user. |
Mode | Choose how user credentials are passed to the Tivoli Access Manager: password or iv-creds. |

The action and resource values are determined by the TAM (Tivoli Access Manager) settings used by the Gateway. The action value is taken from the list of allowable actions defined in the permission setting of the TAM Access Control List, and the resource value is the resource specified by its path in the configured TAM object space. Consult your TAM Administrator for information about the action and resource properties.

4. Click [OK] when done.
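To make the Resource and Action fields concrete, the following is an added example (not code from the CA API Gateway or from IBM Tivoli Access Manager) that models the decision the Gateway delegates to TAM. It assumes the TAM model as commonly described: a hierarchical protected object space in which an ACL attached to an object is inherited by every descendant until another ACL is attached; ACL entries mapping a user, a group, "any-other" (authenticated callers matched by no user or group entry) or "unauthenticated" to a set of single-letter action bits; and a traverse ("T") requirement on every object above the one requested. The object paths, group names and users are constructed for the example.

```python
"""Toy model of the authorization decision the gateway delegates to TAM.

Added example, not CA API Gateway or IBM TAM code. Assumptions: ACL
inheritance down the protected object space, entry selection in the order
user / groups / any-other (unauthenticated separate), and a traverse ("T")
bit required on every containing object. Paths and names are constructed.
"""
from dataclasses import dataclass, field
from posixpath import normpath
from typing import Dict, Optional, Set, Tuple


@dataclass
class Acl:
    users: Dict[str, Set[str]] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    any_other: Set[str] = field(default_factory=set)
    unauthenticated: Set[str] = field(default_factory=set)


@dataclass
class Principal:
    name: Optional[str]          # None models an unauthenticated caller
    groups: Tuple[str, ...] = ()


class ObjectSpace:
    def __init__(self) -> None:
        self._acls: Dict[str, Acl] = {}   # object path -> ACL attached there

    def attach(self, path: str, acl: Acl) -> None:
        self._acls[normpath(path)] = acl

    def effective_acl(self, path: str) -> Optional[Acl]:
        """Walk from the object toward the root; the first attached ACL applies."""
        path = normpath(path)
        while True:
            if path in self._acls:
                return self._acls[path]
            if path == "/":
                return None
            path = path.rsplit("/", 1)[0] or "/"

    @staticmethod
    def permitted(acl: Acl, who: Principal) -> Set[str]:
        """Select the entry that applies: user, else union of matching group
        entries, else any-other; unauthenticated callers use their own entry."""
        if who.name is None:
            return acl.unauthenticated
        if who.name in acl.users:
            return acl.users[who.name]
        matched = [acl.groups[g] for g in who.groups if g in acl.groups]
        if matched:
            return set().union(*matched)
        return acl.any_other

    @staticmethod
    def ancestors(path: str):
        """Yield every object above `path`, from the root downward."""
        parts = [p for p in normpath(path).split("/") if p]
        if not parts:
            return
        yield "/"
        current = ""
        for part in parts[:-1]:
            current += "/" + part
            yield current

    def is_authorized(self, who: Principal, resource: str, action: str) -> bool:
        """Resource and action are what the assertion's fields supply."""
        resource = normpath(resource)   # "/a/b/../c" and "/a/c/" resolve alike
        for parent in self.ancestors(resource):
            acl = self.effective_acl(parent)
            if acl is None or "T" not in self.permitted(acl, who):
                return False            # cannot even reach the object
        acl = self.effective_acl(resource)
        return acl is not None and action in self.permitted(acl, who)


def build_sample_space() -> ObjectSpace:
    """Constructed object space: everyone may traverse, two groups may use the
    orders service, and a staging subtree is closed to clerks at its root."""
    space = ObjectSpace()
    space.attach("/", Acl(any_other={"T"}, unauthenticated={"T"}))
    space.attach("/WebSEAL/gateway/orders", Acl(groups={
        "order-clerks": {"T", "r"},
        "auditors": {"T", "r", "B"},
    }))
    space.attach("/WebSEAL/staging", Acl(groups={"auditors": {"T"}}))
    space.attach("/WebSEAL/staging/orders", Acl(groups={"order-clerks": {"T", "r"}}))
    return space


if __name__ == "__main__":
    space = build_sample_space()
    clerk = Principal("alice", ("order-clerks",))
    for res, act in [("/WebSEAL/gateway/orders", "r"),
                     ("/WebSEAL/gateway/orders", "B"),
                     ("/WebSEAL/staging/orders", "r")]:
        print(res, act, space.is_authorized(clerk, res, act))
```

The last case in the stand-alone run is the one worth noticing: the ACL on /WebSEAL/staging/orders grants the clerk "r", but the ACL attached one level up gives clerks no "T", so the request is denied before the object's own ACL is consulted. When an assertion fails authorization unexpectedly, check the ACLs on the parents of the Resource path, not only on the resource itself.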
Troubleshooting
If configuration errors exist in the Tivoli Access Manager server or the CA API Gateway, the following error messages may appear in the Policy Manager Gateway Audit Events window when the Tivoli Access Manager assertion is used in a policy. For information, see View Gateway Audit Events. Contact your Administrator if you encounter authentication errors.

Error Message | Description |
SEVERE: Not init or failed | This error message appears in the Gateway Audit Events window when the TAM connection was not initialized or initialization failed, as the message states. Verify the Gateway and TAM server connection settings. |
WARNING: Authorization (access control) failed | This error message appears in the Gateway Audit Events window when the Gateway connection credentials are not authenticated or authorized by the TAM server. A Log on to Gateway dialog prompts you to re-enter your user name and/or password. Ensure that the user name and password entered in the CA API Gateway - XML VPN Client match those configured in the user database used by the TAM server to authenticate and authorize users. |