TEC Workbook - IBM
IBM Software

4.3 Credential and resource mapping

Successful server-based authentication generates a set of credentials attesting to the service requester's identity. These credentials can then be mapped into another set more appropriate for the authorization method selected. In addition, the extracted resource name can also optionally be mapped to something more appropriate for the authorization method selected.

The resulting credentials, along with the resulting resource name, form the basis for client authorization, which determines whether the now identified client has access to the requested resource.
4.4 Authorize

Like authentication, authorization is most commonly accomplished via an external policy server such as Tivoli Access Manager or an LDAP. The result of the authorization phase is to either allow or deny the request to proceed.

If either authentication or authorization denies access, the system generates an error which is returned to the calling entity. This error may be handled, as with any other error within multi-step processing, by an on-error action or an error rule. Either method allows for the creation of custom error messages.
4.5 Audit & accounting

The final phase of the AAA policy performs auditing and security mediation tasks such as converting between a WS-Security UsernameToken element and Kerberos/SPNEGO. This phase has the ability to generate various types of security tokens, including Kerberos/SPNEGO, LTPA, and SAML assertions. A stylesheet can also be identified for execution to do any custom auditing tasks.
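The phase ordering described in sections 4.3 to 4.5 (authenticate, map credentials, map the resource name, authorize, then audit, with any denial surfacing as an error for the on-error handler), shown as an added Python model. This is illustration code written for this workbook page, not DataPower's implementation; the directory contents, group-to-role map, resource map and policy table are all constructed sample data.

```python
# Constructed stand-in for an LDAP directory: DN -> (password, group DNs).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        ("alice-pw", {"cn=partners,ou=groups,dc=example,dc=com"}),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pw", set()),
}
# Credential mapping: directory groups -> roles the authorization step understands.
GROUP_TO_ROLE = {"cn=partners,ou=groups,dc=example,dc=com": "partner"}
# Resource mapping: extracted request URL -> abstract resource name.
RESOURCE_MAP = {"/services/orders": "orders-service"}
# Authorization policy: abstract resource -> roles allowed to reach it.
POLICY = {"orders-service": {"partner"}}


class AAAError(Exception):
    """Raised when a phase denies the request; the caller's on-error path handles it."""


def authenticate(username, password):
    """Check the presented password against the directory entry (constructed data)."""
    dn = f"uid={username},ou=people,dc=example,dc=com"
    entry = DIRECTORY.get(dn)
    if entry is None or entry[0] != password:
        raise AAAError("authentication failed")
    return {"dn": dn, "groups": entry[1]}


def map_credentials(creds):
    """Translate directory groups into the roles the authorization policy uses."""
    roles = {GROUP_TO_ROLE[g] for g in creds["groups"] if g in GROUP_TO_ROLE}
    return {"dn": creds["dn"], "roles": roles}


def map_resource(url):
    """Translate the extracted URL into the policy's resource name (unmapped URLs pass through)."""
    return RESOURCE_MAP.get(url, url)


def authorize(mapped_creds, resource):
    """Allow only when the mapped credentials hold a role permitted for the resource."""
    if not (mapped_creds["roles"] & POLICY.get(resource, set())):
        raise AAAError(f"{mapped_creds['dn']} not authorized for {resource}")


def aaa(username, password, url, audit):
    """Run the phases in order; append an audit record and return (decision, detail)."""
    try:
        mapped = map_credentials(authenticate(username, password))
        resource = map_resource(url)
        authorize(mapped, resource)
    except AAAError as err:
        audit.append(f"DENY {username} {url}: {err}")
        return ("error", str(err))
    audit.append(f"ALLOW {mapped['dn']} -> {resource}")
    return ("allow", resource)
```

Note that authorization never sees the directory group DNs directly: only the mapped roles and the mapped resource name reach the policy check, which is the decoupling section 4.3 describes.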
4.6 LDAP authentication

In this section, you'll add an AAA action to your processing rule to authenticate requests against an LDAP.

__1. Re-open the policy editor by clicking on the ellipsis button in the Multi-Protocol Gateway Policy field.

__2. In the Client-to-Server rule, drag an AAA action and drop it after the initial match action.
Page 70 WebSphere Lab Jam