Reviewing existing Web Reverse Proxy instance point of contact settings
After you upgrade from appliance v8.n.n.n to v9.n.n.n, it might be necessary to review and update some existing Web Reverse Proxy instance point of contact settings for the Advanced Access Control runtime.
Reviewing ACL settings for Authentication Services REST endpoint
A new REST endpoint for the Authentication Services Framework was introduced in v9.0.0.0. The default URL for this endpoint is "/mga/sps/apiauthsvc". After an upgrade from a Security Access Manager appliance at v8.n.n.n, if you want to use the "/mga/sps/apiauthsvc" endpoint with an existing web reverse proxy, it might be necessary to create an ACL named "isam_mobile_rest_unauth" and attach it to the "/mga/sps/apiauthsvc" endpoint. You can use the following Security Access Manager policy administration commands to enable this setting.
acl create "isam_mobile_rest_unauth"
acl modify "isam_mobile_rest_unauth" set user "sec_master" TcmdbsvaBRrxl
acl modify "isam_mobile_rest_unauth" set group iv-admin TcmdbsvaBRrxl
acl modify "isam_mobile_rest_unauth" set group webseal-servers Tgmdbsrxl
acl modify "isam_mobile_rest_unauth" set any-other Tmdrxl
acl modify "isam_mobile_rest_unauth" set unauth Tmdrxl
acl attach "/WebSEAL/<web reverse proxy>/mga/sps/apiauthsvc" "isam_mobile_rest_unauth"
Reviewing EAI point of contact settings
Some of the default settings that are related to Advanced Access Control point of contact and EAI headers changed in v9.0.0.0. After an upgrade from v8.n.n.n where an existing Web Reverse Proxy instance has been configured with Advanced Access Control, review the following settings and correct the settings if required.
In the Web Reverse Proxy configuration file, check the [eai] stanza settings:
# EAI HEADER NAMES
# EAI PAC header names
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc
# EAI USER ID header names
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs
# EAI external USER ID header names
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups
# EAI COMMON header names
eai-redir-url-header = am-eai-redir-url
The names of the headers must match the point of contact settings for the Advanced Access Control runtime. You can manage these settings with the local management interface by going to . Review the parameter value settings for the active point of contact profile.

| AAC point of contact parameter | Reverse Proxy header name |
|---|---|
| fim.user.response.header.name | am-eai-ext-user-id |
| fim.target.response.header.name | am-eai-redir-url |
| fim.attributes.response.header.name | am-eai-xattrs |
| fim.groups.response.header.name | am-eai-ext |
| fim.user.request.header.name | iv-user |
| fim.cred.request.header.name | iv-creds |
| fim.groups.request.header.name | iv-groups |
| fim.cred.response.header.name | am-eai-pac |
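A mismatch between an [eai] header name and the corresponding point of contact response parameter silently breaks EAI authentication after the upgrade, so the check is worth scripting. The following is an added example, not part of the product or this documentation: it reads the [eai] stanza from a copy of the Web Reverse Proxy configuration file and compares it against the point of contact response parameters, which are assumed to have been copied from the local management interface into a dictionary. The stanza parser is a simplified INI reader and the sample configuration is constructed for the example.

```python
import re
from typing import Dict, List

# Point of contact response parameter -> [eai] stanza key that must carry the
# same header name (pairing taken from the table and [eai] stanza above).
POC_TO_EAI_KEY = {
    "fim.cred.response.header.name": "eai-pac-header",
    "fim.user.response.header.name": "eai-ext-user-id-header",
    "fim.groups.response.header.name": "eai-ext-user-groups-header",
    "fim.attributes.response.header.name": "eai-xattrs-header",
    "fim.target.response.header.name": "eai-redir-url-header",
}

def parse_stanza(config_text: str, stanza: str) -> Dict[str, str]:
    """Return key = value pairs from one [stanza] of a WebSEAL-style config file."""
    values, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            continue
        if current == stanza and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values

def find_mismatches(config_text: str, poc_params: Dict[str, str]) -> List[str]:
    """List every response parameter whose header name differs from [eai]."""
    eai = parse_stanza(config_text, "eai")
    problems = []
    for poc_key, eai_key in POC_TO_EAI_KEY.items():
        expected, actual = poc_params.get(poc_key), eai.get(eai_key)
        if expected is None or actual is None:
            problems.append(f"{poc_key}: missing ({eai_key}={actual!r}, poc={expected!r})")
        elif expected.lower() != actual.lower():   # header names are case-insensitive
            problems.append(f"{poc_key}={expected!r} but [eai] {eai_key}={actual!r}")
    return problems

# Constructed sample: the xattrs header name drifted in the reverse proxy config.
SAMPLE_CONFIG = """[server]\nserver-name = rp1\n[eai]\n# EAI header names
eai-pac-header = am-eai-pac\neai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups
eai-xattrs-header = am-eai-xattributes\neai-redir-url-header = am-eai-redir-url\n"""
SAMPLE_POC = {"fim.cred.response.header.name": "am-eai-pac",
              "fim.user.response.header.name": "am-eai-ext-user-id",
              "fim.groups.response.header.name": "am-eai-ext-user-groups",
              "fim.attributes.response.header.name": "am-eai-xattrs",
              "fim.target.response.header.name": "am-eai-redir-url"}

if __name__ == "__main__":
    for problem in find_mismatches(SAMPLE_CONFIG, SAMPLE_POC):
        print("MISMATCH:", problem)
```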