Skip to main content

By clicking Submit, you agree to the developerWorks terms of use.

The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

  • Close [x]

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

By clicking Submit, you agree to the developerWorks terms of use.

All information submitted is secure.

  • Close [x]

developerWorks Community:

  • Close [x]

Developing a custom Java module

Tivoli Federated Identity Manager 6.2

Shane B. Weeden, Senior Software Engineer, IBM Tivoli
Shane Weeden
Shane Weeden is a senior software engineer with the IBM Tivoli Federated Identity Manager development team. He has worked in IT security since 1992, and since 2000 has been working with Tivoli Security products including Tivoli Access Manager for eBusiness and Tivoli Federated Identity Manager. Shane now divides his time between customer focused engagements and core product development activities. He holds a Bachelor of Information Technology from the University of Queensland in Australia.
(An IBM developerWorks Professional Author)
Ann-Louise Blair (, Software Engineer, IBM Tivoli
Ann-Louise Blair is a Software Engineer in the IBM Australia Development Laboratory. She has four years experience working in the IT industry and holds a Bachelor of Software Engineering degree from the University of Queensland. Having worked in both testing and development roles in the Gold Coast Integration Factory team, Ann-Louise has gained expertise working with many Tivoli software products.
Simon Chen (, Staff Software Engineer, IBM Tivoli
Simon Chen
Jiayue (Simon) Chen was going to devote his career to building robots until he realized that sniffing fumes from a soldering iron could cause more harm than good. So instead, he's now working as a staff software engineer with the Tivoli Federated Identity Manager development team, where the radiation from the computers in his office keeps him warm. Simon graduated from Georgia Tech with an B.S. in Electrical Engineering and has been with IBM full-time since 2006. His technical interests include Eclipse and OSGi.

Summary:  In this tutorial, we will walk through the complete development process for creating a custom trust service (aka Security Token Service or STS) plug-in for Tivoli® Federated Identity Manager (TFIM) 6.2. Customers might develop their own plug-ins for a variety of reasons including advanced user mapping and attribute gathering capabilities, or to support validation and issuing proprietary security token types. This tutorial will use as a working example a simple mapping module which adds a configurable name/value parameter pair as an attribute to the TFIM Trust Service's STSUniversalUser. For those readers familiar with developing STS modules for previous versions of TFIM (see Developing Custom STS Modules), the development interfaces are largely unchanged; however, the packaging and deployment is different as TFIM 6.2 has now moved to an Open Services Gateway Initiative (OSGi) plug-in framework for extensions. This OSGi plug-in framework is used for developing a variety of supported extension points in TFIM, including the STSModule extension point which is the focus of this tutorial.

Date:  12 Sep 2008
Level:  Advanced


Deploying the module

Custom module deployment

This section describes how to deploy our custom module into TFIM 6.2.
First copy the custom module jar file to the <TFIM_install_root>/plugins directory. The remaining high level steps involved in the deployment are as follows:

  1. Publish the plug-ins through the TFIM Console
  2. Re-Load the TFIM runtime*
  3. Create an instance of our custom module
  4. Configure a trust chain that uses the new plug-in

The remainder of this section describes these steps in more detail.

*NOTE: In previous versions of TFIM, the TFIM Runtime had to be re-deployed in order to detect and load changes to the <TFIM_Home>/plugins directory.
TFIM 6.2 provides the 'Publish Plug-ins' capability which copies jar files from the <TFIM_Home>/plugins directory on the server hosting the TFIM Management Application to the <WebSphereProfileRoot>/config/itfim/plugins directory of all TFIM Runtime nodes in that TFIM domain.

The 'Publish Plug-ins' operation does not reload the TFIM Runtime, but it does reload the TFIM Management application. The console will indicate when updated plug-in data is detected in the plug-ins directory with a message prompting a re-load.
The TFIM runtime must be explicitly reloaded before the new plug-in(s) can be used. The prompt can generally be ignored until all the necessary configuration required for the new plug-in is complete.

Publish the plug-in

Log in to TFIM console: https://<ip_address>:9043/ibm/console/. The TFIM Console shown in Figure 34 will be displayed.

Figure 34. The WebSphere / TFIM Console
TFIM Console

Expand the Tivoli® Federated Identity Manager options and select Domain Management -> Runtime Node Management. Figure 35 shows the Runtime Management panel.

Figure 35. Publishing Plug-ins with the Runtime Node Management Panel
Publish Plug-ins

Click on the Publish plug-ins button.

Load the configuration changes

Once the Publish plug-ins operation completes, a warning message will be displayed in the TFIM Console prompting you to load the recent configuration changes, as shown in Figure 36.

Figure 36. Load Configuration Changes
Load Configuration Changes

Click on the Load configuration changes to Tivoli Federated Identity Manager runtime button and wait for the process to complete.

Create an instance of the custom module

Create an instance of module in the TFIM Console. Navigate to the Configure Trust Service -> Module Instances section of the Management Console. Click on the Create button. A Module Type screen as shown in Figure 37 will appear. The DemoMap class that defines our custom module should be included in the list of available modules. Note that it may appear on the second page.

Figure 37. Module Types
Module Types

Select the DemoMap module, then click Next as shown in Figure 38.

Figure 38. Selecting the DemoMap Module Type
Selecting a module type

Enter a name and description for the new instance being created as illustrated in Figure 39.

Figure 39. Naming the new Module Instance
Name the instance

Click Finish and then re-load the configuration changes to TFIM runtime as prompted.

Create a Trust Service Chain

We can now create new Trust Service Chains that include the 'demoMapInstance' of our custom module.
Navigate to the Configure Trust Service -> Trust Service Chains section of the Management Console. A Trust Service Chains panel as shown in Figure 40 will be displayed.

Figure 40. Trust Chain Management
Trust Chain Management

Click on the Create button and the Trust Service Chain Mapping Wizard will begin. Figure 41 shows the Introduction screen for this wizard.

Figure 41. Trust Chain Wizard
Trust Chain Wizard

Click Next to proceed to the Chain Mapping Identification screen, as shown in Figure 42. Enter the following values for our basic trust chain and then click Next:

  • Chain Mapping Name:DemoChain
  • Description: Test DemoMap module instance

Figure 42. Chain Mapping Identification

The next screen allows you to configure the Chain Mapping Lookup properties. The RequestType for our chain should be set to Validate and addresses for AppliesTo and Issuer need to be entered as shown in Figure 43.

Figure 43. Chain Mapping Lookup Parameters

Click Next and the Chain Identification details can be entered:

  • Chain Name: DemoChain
  • Description: Demo chain including custom mapping module

Figure 44. Chain Identification
Chain Identification

Click Next. We can now specify the Chain Assembly. For simplicity in this tutorial we have decided to include the custom mapping module in a basic trust chain consisting of a Default STSUU Instance in 'validate' mode, followed by the custom module in 'map' mode to add an extra attribute and finally another Default STSUU Instance to 'issue' the token.

Add these selected module instances to the chain so that the created chain assembly appears as illustrated in Figure 45.

Figure 45. Chain Assembly
Chain Assembly

Click Next to continue. The next screen in the Wizard, as shown in Figure 46, is the configuration screen for the first module in the chain. This module is the Default STSUU instance in validation mode. There is no configuration required for this module.

Figure 46. STSUU Validate Properties
STSUU Validate

Click Next and the configuration screen of our custom module will be displayed as shown in Figure 47. Enter the name and value for the attribute that should be added to the STSUU object. For this tutorial we will add a test attribute with name 'testName' and value 'testValue'.

Figure 47. DemoMap Configuration Properties
Configure DemoMap

Click Next. The next screen in the Wizard is the configuration screen for the last module in the chain, as shown in Figure 48. This module configuration is also for the Default STSUU instance (this time in issue mode). Once again, there is no configuration required.

Figure 48. STSUU Issue Properties

Click Next and a summary of the new trust chain is displayed as shown in Figure 49.

Figure 49. Chain Summary
Chain Summary

Click Finish to complete the wizard. Click on the button to load the latest configuration changes into the TFIM runtime.

Figure 50. Created Chain
Created Chain

Figure 50 above shows the new chain which appears in the TFIM console.

6 of 14 | Previous | Next


Zone=Tivoli (service management), Tivoli, Java technology, Security
TutorialTitle=Developing a custom Java module