Chapter 5. Programming 191
Each type of service has a separate section within the configuration file. The
default configuration files for every plug-in are shown in Table 5-1.
Table 5-1 Stanza entries for authorization plug-ins

Entry                                  Service type
[aznapi-entitlement-services]          Entitlement service plug-ins
[aznapi-pac-services]                  Privilege attribute certificate service plug-ins
[aznapi-cred-modification-services]    Credentials modification service plug-ins
[aznapi-admin-services]                Administration service plug-ins
[aznapi-extern-authzn-services]        External Authorization Service plug-ins
In the following sections we describe some of those interfaces in more detail.
5.2.2 Entitlement service interface
An entitlement service interface is a part of the aznAPI that is called during the
building of a credential. This entitlement service receives the basic user
credential being created and is able to specify a list of additional custom
attributes to be added to the credential before it is returned to the application.
The entitlement service interface is called from within the aznAPI, so the function
is available to all Access Manager applications regardless of the registry and
regardless of the authentication method used. Each entitlement service plug-in is
a standalone module that is dynamically loaded into the authorization service.
The Tivoli Access Manager authorization service recognizes and registers
entitlement service plug-ins with the service dispatcher by reading entries in the
aznapi.conf configuration file. Entitlement service plug-ins are declared in the
configuration file under the stanza entry called [aznapi-entitlement-services].
In this stanza, every entitlement service gets a unique ID. The value assigned to
this ID can be either the service, or an entirely different one written by an
authorization API application developer. (The Tivoli Access Manager
authorization service also recognizes and registers entitlement service plug-ins
through arguments passed to the init_data parameter of the azn_initialize()
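As an added example that is not part of the Redbook, the following Python script audits the plug-in stanzas of Table 5-1 in an aznapi.conf-style file and reports a service ID that is declared twice in one stanza, since the text requires every entitlement service ID to be unique. It assumes INI-like "[stanza]" headers, "id = value" entry lines and '#' comments; the page does not show the real entry syntax, and the sample configuration and library paths are constructed.

```python
# Added example, not from the Redbook: audit the plug-in stanzas of an
# aznapi.conf-style file. Assumed: INI-like "[stanza]" headers, "id = value"
# entry lines, '#' comments (the page does not show the entry syntax).
import re
from collections import defaultdict

# The five plug-in stanzas from Table 5-1.
PLUGIN_STANZAS = (
    "aznapi-entitlement-services",
    "aznapi-pac-services",
    "aznapi-cred-modification-services",
    "aznapi-admin-services",
    "aznapi-extern-authzn-services",
)
STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
ENTRY_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

def parse_stanzas(text):
    """Return {stanza: [(id, value), ...]}; duplicates are kept for reporting."""
    stanzas, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if m := STANZA_RE.match(line):
            current = m.group(1).strip()
        elif (m := ENTRY_RE.match(line)) and current is not None:
            stanzas[current].append((m.group(1), m.group(2).strip()))
    return dict(stanzas)

def audit_plugins(text):
    """Map each Table 5-1 stanza to its service IDs and flag IDs that are not
    unique within a stanza (the text requires every service ID to be unique)."""
    parsed, registered, problems = parse_stanzas(text), {}, []
    for stanza in PLUGIN_STANZAS:
        ids = [sid for sid, _ in parsed.get(stanza, [])]
        for sid in sorted({s for s in ids if ids.count(s) > 1}):
            problems.append(f"duplicate service ID '{sid}' in [{stanza}]")
        registered[stanza] = ids
    return registered, problems

# Constructed sample; the library paths are placeholders, not real files.
SAMPLE_CONF = """\
[aznapi-entitlement-services]
my_ent_svc = /opt/example/libmyent.so
my_ent_svc = /opt/example/libother.so   # same ID declared twice
[aznapi-pac-services]
my_pac_svc = /opt/example/libmypac.so
[aznapi-admin-services]
"""
```

Calling audit_plugins(SAMPLE_CONF) returns the IDs registered per stanza together with one warning for the repeated entitlement service ID.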
Figure 5-5 on page 192 shows the architecture for adding attributes to a new
user credential. The main aspect is that the Resource Manager can be any
Access Manager aznAPI application — it is no longer limited to just WebSEAL
and the Web Server Plug-in.
Initially the application calls the aznAPI to request a credential. The aznAPI
builds a basic Access Manager credential for the user (1) and then calls the