Authenticate using Tivoli Access Manager Assertion

Installing and configuring the TAM (Tivoli Access Manager) Custom Assertion package in the Gateway installs and enables the Authenticate using Tivoli Access Manager assertion in the Policy Manager. This assertion instructs the Gateway to delegate the authentication and authorization tasks required to gain access to a protected service to the IBM® Tivoli® Access Manager (version 6.0) server.
The Administrator is responsible for installing and configuring the TAM Custom Assertion package on the Gateway. For more information, refer to the Custom Assertion Installation Manual. If you encounter authentication errors during the execution of a policy, refer to the Troubleshooting section below.
Notes:
(1) You may receive an HTTP Basic authentication warning when the Tivoli Access Manager assertion is used with the Require XPath Credentials, Require FTP Credentials, or Require WS-Security UsernameToken Profile Credentials assertion. You may ignore this policy validation warning.
(2) When this assertion is used in the browser client, a triangular warning icon may appear next to the dialog box when the assertion properties are displayed. You may ignore this icon.
Usage Rules
Note the following rules when using the Authenticate using Tivoli Access Manager assertion:
  • You cannot use this assertion with:
    • Authentication assertions that do not provide a clear text password, such as the Require SSL or TLS Transport with Client Authentication assertion (this assertion needs the password in clear text in order to pass it to TAM)
    • The Sign Element and Encrypt Element assertions, unless the Require Encrypted UsernameToken Profile Credentials assertion is also present in the policy (see below)
    • The Authenticate User or Group assertion.
  • You can use this assertion with:
    • The Require HTTP Basic Credentials assertion
    • Username Token assertions (including the Require Encrypted UsernameToken Profile Credentials assertion)
    • The Require XPath Credentials assertion
    • The Require SSL or TLS Transport assertion
    • Any other assertion not listed in the exclusion list above.
  • A policy can contain only one Authenticate using Tivoli Access Manager assertion per authentication scheme. A complex policy that contains more than one authentication scheme may use one instance of this assertion for each scheme.
  • In a policy, the Authenticate using Tivoli Access Manager assertion must appear before the routing assertion and after any Require SSL or TLS Transport assertion.
You can use XML encryption and signing (the Encrypt Element and Sign Element assertions) if the Require Encrypted UsernameToken Profile Credentials assertion is also present in the policy.
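The usage rules above are easy to violate when a policy is assembled by hand, so the following added example (not part of the CA API Gateway or its documentation) checks a simplified policy against them: the exclusion list, the encrypted UsernameToken exception for Sign Element and Encrypt Element, the one-instance-per-scheme rule, and the ordering relative to Require SSL or TLS Transport and the routing assertion. A policy is modelled as the ordered list of assertion names in one authentication scheme; the real policy format is not reproduced, and the routing assertion names in DEFAULT_ROUTING are an assumption, since the rules only say "the routing assertion".

```python
"""Check a simplified policy against the usage rules for the
Authenticate using Tivoli Access Manager (TAM) assertion.

Added example, not part of the CA API Gateway or its documentation. A policy
is modelled as the ordered list of assertion names in one authentication
scheme; the real policy format (XML, folders, All/OneOrMore composites)
is not reproduced.
"""
from typing import FrozenSet, Iterable, List

TAM = "Authenticate using Tivoli Access Manager"
REQUIRE_TLS = "Require SSL or TLS Transport"
REQUIRE_TLS_CLIENT_AUTH = "Require SSL or TLS Transport with Client Authentication"
ENCRYPTED_UNT = "Require Encrypted UsernameToken Profile Credentials"

# Assertions the usage rules list as incompatible with the TAM assertion outright.
ALWAYS_EXCLUDED = frozenset({REQUIRE_TLS_CLIENT_AUTH, "Authenticate User or Group"})
# Incompatible unless the encrypted UsernameToken assertion is also in the policy.
EXCLUDED_WITHOUT_ENCRYPTED_UNT = frozenset({"Sign Element", "Encrypt Element"})
# Assumption: routing assertion names used by this model; the rules above only
# refer to "the routing assertion" without naming one.
DEFAULT_ROUTING: FrozenSet[str] = frozenset(
    {"Route via HTTP(S)", "Route via JMS", "Route via FTP(S)"})


def lint_policy(assertions: Iterable[str],
                routing_names: FrozenSet[str] = DEFAULT_ROUTING) -> List[str]:
    """Return the rule violations found (empty when the scheme is well formed).

    Every message starts with a stable code: EXCLUDED, DUPLICATE or ORDER.
    """
    names = list(assertions)
    problems: List[str] = []
    tam_positions = [i for i, n in enumerate(names) if n == TAM]
    if not tam_positions:
        return problems  # the rules only apply when the assertion is used
    if len(tam_positions) > 1:
        problems.append(
            "DUPLICATE: only one TAM assertion is allowed per authentication scheme")
    tam_idx = tam_positions[0]
    present = set(names)

    for n in sorted(present & ALWAYS_EXCLUDED):
        problems.append(f"EXCLUDED: {n!r} cannot be combined with the TAM assertion")
    if ENCRYPTED_UNT not in present:
        for n in sorted(present & EXCLUDED_WITHOUT_ENCRYPTED_UNT):
            problems.append(
                f"EXCLUDED: {n!r} needs {ENCRYPTED_UNT!r} in the same policy")

    # Ordering: TAM before the routing assertion, after Require SSL or TLS Transport.
    routing_idx = [i for i, n in enumerate(names) if n in routing_names]
    if routing_idx and min(routing_idx) < tam_idx:
        problems.append("ORDER: TAM assertion must appear before the routing assertion")
    tls_idx = [i for i, n in enumerate(names) if n == REQUIRE_TLS]
    if tls_idx and max(tls_idx) > tam_idx:
        problems.append(f"ORDER: TAM assertion must appear after {REQUIRE_TLS!r}")
    return problems


if __name__ == "__main__":
    good = [REQUIRE_TLS, "Require HTTP Basic Credentials", TAM, "Route via HTTP(S)"]
    bad = [TAM, REQUIRE_TLS, "Sign Element", "Route via HTTP(S)", TAM]
    for policy in (good, bad):
        print(policy, "->", lint_policy(policy) or "OK")
```

Because the model is flat, the one-instance rule is applied per list; when several authentication schemes live in one policy, run lint_policy once per scheme rather than on the whole policy.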
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click Authenticate using Tivoli Access Manager in the policy window and choose Authenticate using Tivoli Access Manager, or double-click the assertion in the policy window. The properties are displayed.
  3. Configure the dialog as follows:
     TAM Instance: Specify the TAM instance to use.
       • Leave this field blank to use the default setting, which sets the TAM instance to the same value as tam.pd.config.file.name in the tam_agent.properties file on the Gateway.
       • Enter the TAM instance name as configured in the tam_agent.properties file on the Gateway. Specifically, this value is the "<instanceName>" part of the tam.pd.config.file.name property.
       You can also reference a context variable containing the instance name. For more information on TAM instances, see Installing the Tivoli Access Manager Assertion in the Custom Assertions Installation Manual.
     Resource: Enter the protected resource defined in Tivoli Access Manager. You may reference context variables.
     Action: Enter the requested action (such as "T" or "B") to be applied to the resource for the given user.
     Mode: Choose how user credentials are passed to Tivoli Access Manager: password or iv-creds.
     The action and resource values are determined by the TAM settings used by the Gateway. The action value must be one of the allowable actions defined in the permission setting of the TAM Access Control List (ACL), and the resource value is the path of the resource in the configured TAM protected object space. Consult your TAM Administrator for the correct action and resource values.
  4. Click [OK] when done.
Troubleshooting
If configuration errors exist in the Tivoli Access Manager server or the CA API Gateway, the following error messages may appear in the Policy Manager Gateway Audit Events window when the Tivoli Access Manager assertion is used in a policy. For information about the Gateway Audit Events window, see Gateway Audit Events.
Contact your Administrator if you encounter authentication errors.
Error Message: SEVERE: Not init or failed
Description: This error message appears in the Gateway Audit Events window when:
  • The TAM server is down
  • The TAM process is not running
  • The Gateway is not properly configured to connect to the TAM server.
Verify the Gateway and TAM server connection settings.

Error Message: WARNING: Authorization (access control) failed
Description: This error message appears in the Gateway Audit Events window when the Gateway connection credentials are not authenticated or authorized by the TAM server. A Log on to Gateway dialog prompts you to re-enter your user name and/or password. Ensure that the user name and password entered in the CA API Gateway - XML VPN Client match those configured in the user database used by the TAM server to authenticate and authorize users.
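The two messages in the table have different causes: the SEVERE message means the Gateway cannot reach or has not initialised its TAM connection and affects every request through the policy, while the WARNING message is a per-user denial. The following added example (not part of the CA API Gateway or its documentation) separates the two when reading exported audit events, counts them, and reports which of the table's remediation steps applies first. The sample lines and their "<timestamp> <LEVEL>: <message>" layout are constructed for this example; the real Gateway Audit Events format is not reproduced.

```python
"""Triage the two audit messages documented for the Authenticate using Tivoli
Access Manager (TAM) assertion.

Added example, not part of the CA API Gateway or its documentation. The sample
lines and the "<timestamp> <LEVEL>: <message>" layout are constructed; the real
Gateway Audit Events format is not reproduced.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Message texts from the Troubleshooting table.
NOT_INIT = "Not init or failed"
AUTHZ_FAILED = "Authorization (access control) failed"

# Assumed line layout for this example only.
AUDIT_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>SEVERE|WARNING|INFO):\s+(?P<msg>.*)$")

# Remediation taken from the Troubleshooting table above.
ACTIONS = {
    "tam_connection": ("Verify the Gateway and TAM server connection settings and "
                       "that the TAM server process is running"),
    "authz_denied": ("Verify the client user name and password against the user "
                     "database the TAM server authenticates and authorizes from"),
    "none": "No TAM assertion errors found",
}


def classify(line: str) -> str:
    """Map one audit line to tam_connection, authz_denied, other or unparsed."""
    m = AUDIT_LINE.match(line)
    if not m:
        return "unparsed"
    msg = m.group("msg")
    if NOT_INIT in msg:
        return "tam_connection"
    if AUTHZ_FAILED in msg:
        return "authz_denied"
    return "other"


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Count each category and pick the remediation to start with."""
    counts = Counter(classify(line) for line in lines)
    # Design choice of this example: connection failures break every request
    # through the policy, so they are reported ahead of per-user denials.
    if counts["tam_connection"]:
        key = "tam_connection"
    elif counts["authz_denied"]:
        key = "authz_denied"
    else:
        key = "none"
    return {"counts": dict(counts), "priority": key, "action": ACTIONS[key]}


# Constructed sample audit lines (not real Gateway output).
SAMPLE_AUDIT: List[str] = [
    "2024-01-10T09:00:01Z INFO: Policy execution started",
    "2024-01-10T09:00:02Z SEVERE: Not init or failed",
    "2024-01-10T09:00:02Z SEVERE: Not init or failed",
    "2024-01-10T09:05:10Z WARNING: Authorization (access control) failed",
    "unstructured line that does not match the assumed layout",
]

if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT)
    print(result["counts"])
    print(result["priority"], "->", result["action"])
```

Lines that do not match the assumed layout are counted as unparsed rather than dropped, so a change in the export format shows up in the counts instead of silently hiding errors.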