Configure API Gateway policy

This section describes how to configure policies that leverage IBM Tivoli Access Manager (TAM) in Policy Studio. For more information on working in Policy Studio, see the API Gateway Policy Developer Guide.

The Tivoli authentication repository is available from all authentication filters. Here, the example policy uses the HTTP Basic authentication filter to authenticate a client against a Tivoli repository using a user name and password combination. You can configure a different authentication mechanism as required.

Configure a Tivoli authorization policy

  1. Add a new policy named, for example, IBM Tivoli Authorization.
  2. Open the Authentication category in the palette, and drag an HTTP Basic filter onto the policy canvas.
  3. Set the following, and click Finish:
    • Credential Format: User Name.
    • Allow client challenge: Select this.
    • Repository Name: The repository you configured (Tivoli Repository).
  4. For more details on the fields and options in this configuration window, see HTTP basic authentication in the API Gateway Policy Developer Filter Reference.
  5. Right-click the HTTP Basic filter, and select Set as Start.
  6. Open the Authorization category in the palette, and drag a Tivoli filter onto the policy canvas.
  7. Set Object Space to your Tivoli objectspace (for example, axway/test).
  8. In Permissions, set the permissions for the client. A client is only authorized to access the requested resource if it has the relevant permissions checked in the table.
  9. In Attributes, specify what user attributes, if any, to retrieve from the Tivoli server, and click Finish.
    For more details on the fields and options in this configuration window, see Tivoli authorization in the API Gateway Policy Developer Filter Reference.
  10. Connect the filters with a success path.
  11. Click on the Add Relative Path icon to create a new relative path (for example, /ibm_tivoli_authorize) that links to this policy, and deploy the policy to API Gateway.

Configure a Tivoli attribute retrieval policy

You can use the Retrieve from Tivoli filter to retrieve user attributes independently from authorizing the user against Tivoli Access Manager. This example policy is based on the previously configured Tivoli policy. The user is authenticated, but not authorized using Tivoli. Instead, Tivoli is used just to retrieve attributes.

  1. Copy the Tivoli policy you created (IBM Tivoli Authorization).
  2. Rename it (for example, IBM Tivoli Attribute), and delete the Tivoli filter.
  3. Open the Attributes category in the palette, and drag a Retrieve from Tivoli filter onto the policy canvas.
  4. Set User ID to ${authentication.subject.id}. Using a selector here enables you to retrieve attributes for multiple end users.
  5. Specify what user attributes to retrieve from the Tivoli server, and click Finish.
    For more details on the fields and options in this configuration window, see Retrieve attribute from Tivoli in the API Gateway Policy Developer Filter Reference.
  6. Connect the filters with a success path.
  7. Click on the Add Relative Path icon to create a new relative path (for example, /ibm_tivoli_attribute) that links to this policy, and deploy the policy to API Gateway.
