Authenticate using Tivoli Access Manager Assertion

The Authenticate using Tivoli Access Manager Assertion instructs the Layer7 API Gateway to delegate the authentication and authorization tasks required to gain access to a protected Web service to the IBM Tivoli Access Manager Server.
For instructions on how to install this assertion, see Install the Tivoli Access Manager Assertion. Once installed, this assertion is available from both the Access Control and Custom Assertions palettes.
Note the following when using this assertion:
  • You may receive an HTTP Basic authentication warning when the Authenticate using Tivoli Access Manager assertion is used with these assertions: Require WS-Security UsernameToken Profile Credentials. You may ignore this policy validation warning.
  • When running this assertion in the browser client, a triangular warning icon may appear next to the dialog box when the assertion properties are displayed. You may ignore this icon.
Usage Rules
Note the following rules when using the Authenticate using Tivoli Access Manager assertion:
You can use XML encryption/signing if the Require Encrypted UsernameToken Profile Credentials Assertion is also present in the policy.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the policy development window, drag and drop the assertion from the palette.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click Authenticate using Tivoli Access Manager in the policy window and choose Authenticate using Tivoli Access Manager, or double-click the assertion in the policy window. The properties are displayed.
  3. Configure the dialog as follows (each setting is followed by its description):
    TAM Instance
      Specify the TAM instance to use:
      • Leave this field blank to use the default setting, which sets the TAM instance to the same value as tam.pd.config.file.name in the tam_agent.properties file on the Gateway.
      • Enter the TAM instance name, as configured in the tam_agent.properties file on the Gateway. Specifically, this value is the "<instanceName>" part of the tam.pd.config.file.name property.
      You can also reference a context variable containing the instance name.
    Resource
      Enter the protected resource defined in the Tivoli Access Manager. You may reference context variables.
    Action
      Enter the requested action (such as "T" or "B") to be applied to the resource for the given user.
    Mode
      Choose how user credentials are passed to the Tivoli Access Manager: password or iv-creds.
    The action and resource values are determined by the TAM (Tivoli Access Manager) settings used by the Gateway. The action value is taken from the list of allowable actions defined in the permission setting of the TAM Access Control List, and the resource value is the resource specified by the path in the configured TAM object space. Consult your TAM Administrator for information about the action and resource properties.
  4. Click [OK] when done.
Troubleshooting
If configuration errors exist in the Tivoli Access Manager server or the Layer7 API Gateway, the following error messages may appear in the Policy Manager Gateway Audit Events window when the Tivoli Access Manager assertion is used in a policy. For information, see View Gateway Audit Events.
Contact your Administrator if you encounter authentication errors.
Error messages and their descriptions:
SEVERE: Not init or failed
  This error message appears in the Gateway Audit Events window when:
    • The TAM server is down
    • The TAM process is not running
    • The Gateway is not properly configured to connect to the TAM server.
  Verify the Gateway and TAM server connection settings.
WARNING: Authorization (access control) failed
  This error message appears in the Gateway Audit Events window when the Gateway connection credentials are not authenticated or authorized by the TAM server. A Log on to Gateway dialog prompts you to re-enter your user name and/or password. Ensure that the user name and password entered in the CA API Gateway - XML VPN Client match those configured in the user database used by the TAM server to authenticate and authorize users.