Modify an existing resource server
To modify an existing Resource Server with the local management interface, use the API Access Control resources page.
Procedure
- In the appliance top menu, select Web > API Access Control > Resources.
- Click the icon next to the Reverse Proxy instance that holds the Resource Server. These are the root level objects in the tree.
- Select the resource server to modify.
- Click Edit.
- The API Host tab only allows the host server to be edited in advanced mode. If any of the data needs to be edited, click the Edit button. This changes the dialog box to allow the advanced junction data to be entered. See Creating virtual junctions or Creating standard junctions.
- In the Authentication tab, enter the details for how the OAuth token is validated.
- To use the existing reverse proxy configuration, select the Current Reverse Proxy Authentication radio button.
- To use an external OAuth introspection endpoint, select the OAuth Introspection radio button and enter the details.
- Enter the URL for the introspection endpoint in the Introspection URL field.
- After the URL is entered, optionally click the Load Key button to load the CA certificate from the endpoint into the reverse proxy keyfile.
- Choose the method by which the authentication data is presented to the introspection endpoint by selecting either Basic Authentication or POST parameter from the drop-down list.
- If the authentication data is client ID and/or client secret, click the Client Credentials radio button and enter the Client Id and/or Client secret.
- If the authentication data is a client ID header name, select the HTTP Header and enter the Header Name.
- If the mapped identity must correspond to an existing Verify Identity Access identity, select the OAuth Identity must correspond to a known Verify Identity Access identity radio button. If the mapped identity is not required to correspond to an existing Verify Identity Access identity, select the OAuth Identity does not need to correspond to a known Verify Identity Access identity radio button.
- To add a new Introspection attribute definition, click the Add button in
the Introspection Response Attributes toolbar.
- Choose whether this definition is to include or not include this attribute in the response.
- Enter the Attribute name.
- Click OK.
- Click Delete to remove an Introspection attribute definition.
- Click Move Up to move an attribute definition up in the ordered list.
- In the Policy tab, select the policy that is to be attached to this resource server.
- Use the parent policy and select the default Verify Identity Access Policy radio button. Do not attach any policy directly.
- Click the No Access Permitted (disabled) radio button to not allow access.
- Click the Unauthenticated Access Allowed radio button to allow unauthenticated access.
- Click the Any Authenticated radio button to allow any authenticated access.
- Click the Custom radio button to use a custom Access Control Policy. Select the custom policy name from the drop-down list.
- In the Response tab, set any static response headers to create.
- Click Add to add a new response header.
- In the dialog box, select the Header Name or enter a new value in the Header Name field.
- Enter the header value.
- Click Save.
- Click Delete to delete a response header from the header list.
- In the new Identity tab, set the JWT configuration:
- Check the Enable JWT check-box to enable JWT generation.
- Specify the HTTP header name for the generated JWT in the Header Name field.
- Select the certificate that is used to sign the generated JWT from the Certificate drop-down. This drop-down is populated with the available personal certificates from either:
- The keystore configured in the jct-cert-keyfile entry of the junction stanza in the reverse proxy configuration file.
- If the jct-cert-keyfile entry is not configured, the keystore configured in the webseal-cert-keyfile entry of the ssl stanza in the reverse proxy configuration file.
- Set the list of claims to add to the generated JWT by using the toolbar for the claims
table.
- Click the Add button to create a new claim.
- Click the Literal claim radio button if the claim is a literal text value.
- Click the Credential attribute claim radio button if the claim value is retrieved from a credential attribute.
- Enter the value for a literal claim or the attribute name for a credential attribute claim. The attribute name can include wildcard characters “*” or “?” if a pattern of attributes is to be included in the generated JWT.
- Enter the name for the claim in the Claim Name field. This field is optional when the claim is a credential attribute claim.
Note: If the claim is a credential attribute claim and the attribute name includes a wildcard, this field is not valid. Instead, the claim name for each matched attribute is set as the name of the matched attribute.
If the claim is a credential attribute claim and this field is not set, the claim name is set to the attribute name.
- Click the Save button to add the new claim to the list of claims.
- Select the claim to edit and click the Edit button to update an existing claim.
- Select the claim to remove and click the Delete button to remove an existing claim.
- Once all of the data is set, click Save to update the resource server.
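The claim-naming rules from the Identity tab steps, worked through as an added example (this is not the appliance's implementation or IBM code). The function names, the dictionary layout, and the sample credential are constructed for illustration; rejecting a literal claim without a name and skipping an attribute that is absent from the credential are assumptions.

```python
import re

# Constructed sample credential and claim definitions (not taken from a real appliance).
CREDENTIAL = {"uid": "alice", "email": "alice@example.com",
              "group_1": "admins", "group_2": "audit", "group_10": "ops"}
DEFINITIONS = [
    {"type": "literal", "value": "api-gateway", "name": "iss"},
    {"type": "attribute", "value": "uid", "name": "sub"},
    {"type": "attribute", "value": "email"},       # no Claim Name set
    {"type": "attribute", "value": "group_?"},     # wildcard pattern
]

def wildcard_to_regex(pattern):
    """Translate a pattern that uses only '*' and '?' into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def build_claims(definitions, credential):
    """Resolve claim definitions against credential attributes, per the rules above."""
    claims = {}
    for d in definitions:
        name, value = d.get("name"), d["value"]
        if d["type"] == "literal":
            if not name:  # assumption: a literal claim must be given a name
                raise ValueError("literal claim needs a claim name")
            claims[name] = value
        elif "*" in value or "?" in value:
            if name:  # the Claim Name field is not valid with a wildcard
                raise ValueError("claim name is not valid with a wildcard")
            rx = wildcard_to_regex(value)
            # Each matched attribute becomes a claim named after the attribute.
            claims.update({a: v for a, v in credential.items() if rx.match(a)})
        elif value in credential:  # assumption: an absent attribute adds no claim
            claims[name or value] = credential[value]
    return claims

if __name__ == "__main__":
    print(build_claims(DEFINITIONS, CREDENTIAL))
```

A pattern such as `*` copies every attribute of the credential into the JWT that is passed in the configured header, so check what a pattern matches before saving the claim.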