Chapter 5. Programming 187
5.1.1 External authentication C API
In previous releases, custom authentication modules were built using the Tivoli
Access Manager
cross-domain authentication services or CDAS. This term is no
longer used because its scope is not wide enough to cover all the functions
performed by Web security resource manager authentication modules. The
replacement term is
external authentication C API. The new term reflects only a
change in terminology.
The external authentication C API performs the following tasks:
򐂰 Receives authentication data from the runtime.
򐂰 Organizes the data into a standard format.
򐂰 Passes the data to the authentication modules.
򐂰 Receives statuses, identity structures, or both back from the authentication
򐂰 Passes the statuses, identity structures, or both back to the runtime.
As shown in Figure 5-4 on page 188, the external authentication C API enables
you to substitute the default built-in WebSEAL authentication mechanism with a
highly flexible shared library mechanism that allows custom handling and
processing of client authentication information.
Every authentication module implements one or more of four functions defined
by the external authentication module interface. This is true for the built-in
authentication modules as well as for custom modules that you can develop
Note: EAI is configured for the Plug-in for Web Servers in the [ext-auth-int]
stanza. This stanza can be qualified by virtual host if necessary.
The configuration options are similar to those used for WebSEAL. However,
there are some differences:
auth-url is the “start” page of the EAI application. When the EAI
authentication module is selected for authentication it will return this
page to the client to start EAI authentication.
When the
trigger-url is matched by the EAI authentication post-authn
module it will request access to the response from this page. Multiple
trigger URLs can be specified.
When the EAI Authentication response module is called it will look for
the configured headers. If appropriate headers are found, it will trigger
the building of a credential and an authentication event. If the headers
are not found, the response will be sent back to the client. The EAI
headers are configured in the same way as for WebSEAL.
188 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
using the external authentication C API. The complete programming reference
for the external authentication C API is described in detail in developers
In summary, the four functions of the external authentication C API are:
xauthn_initialize() Initializes a specified authentication module
shared library.
xauthn_authenticate() Performs the authentication module
authentication tasks.
xauthn_change_password() Performs a password change.
xauthn_shutdown() Shuts down a specified authentication module
shared library.
Figure 5-4 WebSEAL authentication model with CDAS
Extending the built-in capabilities of authentication mechanisms provided by
Access Manager is another reason to build a custom EAI. This method enables
you to authenticate clients who are not direct members of the Access Manager
secure domain. In that case, the custom EAI can direct authentication data to be
processed by an external authentication mechanism and third-party registry (for
example, RACF®, One-Time Password Server, or authentication via personal
question). Ultimately, the EAI returns an Access Manager identity to WebSEAL
for querying the Access Manager user registry and creating a credential.
Authentication Service
Validate user identity
information and return Access
Manager user ID
Create Credential
Access Manager
User Registry
Service Registry

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.