IBM Tivoli Access Manager integration

IBM Tivoli Access Manager for e-business (TAM) is a commonly used product for securing web resources. You can integrate API Gateway with TAM and leverage your existing access management policies, so you do not have to maintain duplicate policies in both products. All authentication filters can pass identity credentials to TAM for authorization. At runtime, the Tivoli filters in API Gateway can delegate authentication and authorization decisions to TAM, and can also retrieve user attributes.

When API Gateway is integrated with TAM, a message filter in API Gateway delegates the policy decision to TAM. TAM makes the policy decision, and API Gateway then enforces it. The following diagram shows the architecture.

API Gateway supports integration with IBM Tivoli Access Manager for e-business v6.1 on Windows.

Note: Each API Gateway instance can connect to a single Tivoli server.

Flow description

Diagram illustrating IBM Tivoli integration

  1. A client sends a message to API Gateway using, for example, SOAP over HTTPS.
  2. API Gateway allocates the message to the appropriate policy and executes the filters.
  3. Using Tivoli filters in the policy, API Gateway requests TAM to authenticate, authorize, or retrieve attributes for a given user.
  4. TAM makes the security decision based on the user information, and returns the decision to API Gateway.
  5. API Gateway enforces the security decision.
    • On success, API Gateway routes the message on to a configured target system.
    • On failure, API Gateway blocks the message and returns an error to the client.

Prerequisites

IBM Tivoli Access Manager integration has the following prerequisites.

  • An existing API Gateway 7.5.2 installation with SP 1 installed, or later
  • An existing IBM Tivoli Access Manager for e-business 6.1 configuration

Configuration process

The example policy uses HTTP Basic to authenticate the end user, but you can replace it with another authentication mechanism, if required.

The following steps are required to integrate API Gateway with IBM Tivoli Access Manager for e-business:

  1. Configure API Gateway for IBM Tivoli Access Manager
  2. Configure Tivoli connection
  3. Configure Tivoli repository
  4. Configure API Gateway policy
