56 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
in this version of Tivoli Access Manager all have names that begin with a PD
prefix, for example:
PDUser class Represents a user in the Tivoli Access Manager Policy
PDGroup class Represents a group in the Tivoli Access Manager Policy
2.5.3 External authentication interface (EAI)
Tivoli Access Manager uses a flexible framework that allows the functions that
handle authentication operations to be easily modified or replaced.
In the previous versions of Access Manager, WebSEAL and the WebPI used the
CDAS infrastructure for all user authentication. The appropriate information was
gathered by the server (userid/password, userid/token, or client certificate
information) and then this was passed to the CDAS. The CDAS would then verify
the information and return a user identity.
The CDAS infrastructure is still available in Access Manager 6.0 and is still the
only way to perform authentication for non-HTTP authentication (for example,
client certificate authentication). Only the CDAS name has become obsolete and
is now called
external authentication C API. It is also still used for
inter-component authentication. All existing CDAS interfaces are also still
Access Manager for e-business 6.0 introduces a new
external authentication
HTTP interface
known as EAI. This interface enables you to extend the
functionality of the built-in authentication process to allow a remote service to
handle the authentication process. The identity information in the HTTP
response headers is used to generate user credentials. The EAI interface is an
alternative way to customize authentication when the authentication information
is passed in HTTP messages. It allows a back-end application server to perform
the authentication of the user (with the HTTP messages passing through
WebSEAL) and then, upon successful authentication, return an identity to
WebSEAL/WebPI using some pre-defined HTTP headers.
Allowing an application server to perform authentication provides a very flexible
solution. Almost any desired authentication strategy can be implemented using
this technique. Another potentially big advantage of using an external
authentication HTTP interface to perform authentication is that you are not
restricted to using C as the programming language.
Another benefit from implementing an external authorization interface is, the
restrictions on user registries for authentication are no longer applicable. In

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.