Chapter 5. Programming 191
Each type of service has a separate section within the configuration file. The
default configuration files for every plug-in are shown in Table 5-1.
Table 5-1 Stanza entries for authorization plug-ins
In the following sections we describe some of those interfaces in more detail.
5.2.2 Entitlement service interface
An entitlement service interface is a part of the aznAPI that is called during the
building of a credential. This entitlement service receives the basic user
credential being created and is able to specify a list of additional custom
attributes to be added to the credential before it is returned to the application.
The entitlement service interface is called from within the aznAPI, so the function
is available to all Access Manager applications regardless of the registry and
regardless of the authentication method used. Each entitlement service plug-in is
a standalone module that is dynamically loaded into the authorization service.
The Tivoli Access Manager authorization service recognizes and registers
entitlement service plug-ins with the service dispatcher by reading entries in the
aznapi.conf configuration file. Entitlement service plug-ins are declared in the
configuration file under the stanza entry called [aznapi-entitlement-services].
In this stanza, every entitlement service gets a unique ID. The value assigned to
this ID can be either the service, or an entirely different one written by an
authorization API application developer. (The Tivoli Access Manager
authorization service also recognizes and registers entitlement service plug-ins
through arguments passed to the init_data parameter of the azn_initialize()
Figure 5-5 on page 192 shows the architecture for adding attributes to a new
user credential. The main aspect is that the Resource Manager can be any
Access Manager aznAPI application — it is no longer limited to just WebSEAL
and the Web Server Plug-in.
Initially the application calls the aznAPI to request a credential. The aznAPI
builds a basic Access Manager credential for the user (1) and then calls the
Entry Service type
[aznapi-entitlement-services] Entitlement service plug-ins
[aznapi-pac-services] Privilege attribute certificate service plug-ins
[aznapi-cred-modification-services] Credentials modification service plug-ins
[aznapi-admin-services] Administration service plug-ins
[aznapi-extern-authzn-services] External Authorization Service plug-ins
192 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
configured credential attribute entitlement services. These gather additional
attributes for the user (from the registry in this example) and return them to the
aznAPI (2). The aznAPI then adds these attributes to the basic Access Manager
credential before returning it to the calling application.
Figure 5-5 Entitlement service
An entitlement service is a very generic plug-in that can be called by the Access
Manager authorization service. It is possible to register multiple credential
attribute entitlement services with the aznAPI. These will all be called, and all of
the attributes are added to the user’s credential.
The input to an entitlement service is a user credential and an application
context. The output of an entitlement service is an attribute list. This is how the
entitlement service passes back its results.
Credential attribute entitlement service
The credential attribute service can obtain the custom credentials from any
source; they don’t have to come from the user registry. Custom entitlement
services can be written to obtain attributes from any desired source.
The credential attribute entitlement service extracts information from a user’s
LDAP entry and adds it to their credential. For example, a back-end application
requires a user’s department number in addition to their user ID in order to build
the application interface appropriately. By using the credential attribute
entitlement service, WebSEAL can pull the user’s department out of their entry in
LDAP, place it in the user’s credential, then use the information from the
credential to place the department value in an HTTP header.
Registry attribute entitlement service
The registry attribute entitlement service is a credential attribute entitlement
service that is supplied with the Tivoli Access Manager authorization runtime
package and that can be used to retrieve attributes from the Tivoli Access
Manager user registry.
AM Registry
1.Build Credential
Entitlement Service(s)
2.Get Attributes

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.