Resource Servers
A resource server is the definition of the server that provides access to the RESTful API being protected. Each resource server corresponds to a Reverse Proxy junction. The API Access Control component provides an extended configuration mechanism that allows more than just the standard junction management. It provides a way to:
- Create a basic standard junction with only the minimal required configuration or an advanced junction creation that provides all of the standard junction create options.
- Set the authentication options for incoming requests to the resource server.
- Set the default authentication policy for all requests to the resource server.
- Set static response headers that are set on every response to requests to the resource server.
The base-level operations that occur internally when you create a new resource server include the following:
- The junction is created.
- The Reverse Proxy administrative pages root directories are updated to include new directories specific to the new resource server. Pages specific to the resource server can be placed in these locations.
- The Reverse Proxy configuration file is updated to include any OAuth introspection configuration as well as static response header definitions.
- A new IBM Security Verify Access protected object is created to represent the new resource server.
- A new Access Control List (ACL) might be created to represent the authentication policy. This ACL is then attached to the new protected object.
Due to the different mix of IBM Security Verify Access operations performed, some tasks are completed immediately (for example, pdadmin tasks) and some tasks are not completed until the next commit operation is executed. This means there might be orphaned protected objects, ACLs and POPs if the creation is followed by a rollback of the pending changes. Therefore, take care if the administrator chooses to roll back the pending changes instead of deploying them. Take the following actions if a cleanup or audit of orphaned API Access Control artifacts is required:
- Objects under the /WebSEAL_API object space must be reviewed and unnecessary objects removed.
- ACLs that have a suffix of "_resource_access_control_policy" must be reviewed and unnecessary ACLs must be removed.
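The audit described above can be scripted against inventories exported from pdadmin. The following is an added example, not part of the IBM documentation or the product: it takes the set of junctions that still exist on the Reverse Proxy, the protected objects under /WebSEAL_API with their attached ACLs, and the output of an ACL listing, and reports objects whose junction no longer exists and policy ACLs that are no longer attached to any surviving object. All three inventories are constructed sample data, and the assumption that objects are named /WebSEAL_API/<instance>/<junction> is this example's, not something the page states.

```python
"""Offline audit of orphaned API Access Control artifacts (added example).

Assumptions (not from the documentation):
  * object paths under /WebSEAL_API look like /WebSEAL_API/<instance>/<junction>
  * the three inventories below were exported from pdadmin beforehand;
    here they are constructed sample data so the script runs offline.
The script only reports; nothing is deleted.
"""

ACL_SUFFIX = "_resource_access_control_policy"   # suffix named on the page
API_OBJECT_SPACE = "/WebSEAL_API"                 # object space named on the page

# Constructed sample: junctions that currently exist, per Reverse Proxy instance.
ACTIVE_JUNCTIONS = {"default": {"orders", "inventory"}}

# Constructed sample: protected objects under /WebSEAL_API -> attached ACL (or None).
# "billing" represents a resource server whose creation was rolled back, so the
# junction is gone but the protected object and ACL (pdadmin tasks) remain.
PROTECTED_OBJECTS = {
    "/WebSEAL_API/default/orders": "orders_resource_access_control_policy",
    "/WebSEAL_API/default/inventory": None,
    "/WebSEAL_API/default/billing": "billing_resource_access_control_policy",
}

# Constructed sample: names returned by an ACL listing.
ACL_NAMES = {
    "default-webseal",
    "orders_resource_access_control_policy",
    "billing_resource_access_control_policy",
    "legacy_resource_access_control_policy",   # attached to nothing at all
}


def junction_of(object_path):
    """Split an object path into (instance, junction); None if not in the assumed shape."""
    parts = object_path.split("/")
    if len(parts) != 4 or parts[0] != "" or "/" + parts[1] != API_OBJECT_SPACE:
        return None
    return parts[2], parts[3]


def orphaned_objects(objects, junctions):
    """Objects under /WebSEAL_API whose junction no longer exists on the proxy."""
    orphans = []
    for path in sorted(objects):
        parsed = junction_of(path)
        if parsed is None:
            continue
        instance, junction = parsed
        if junction not in junctions.get(instance, set()):
            orphans.append(path)
    return orphans


def orphaned_acls(acls, objects, orphan_objects):
    """Policy ACLs (by suffix) not attached to any object that will survive the cleanup."""
    surviving = {p: a for p, a in objects.items() if p not in set(orphan_objects)}
    attached = {a for a in surviving.values() if a}
    return sorted(a for a in acls if a.endswith(ACL_SUFFIX) and a not in attached)


def audit(objects=PROTECTED_OBJECTS, junctions=ACTIVE_JUNCTIONS, acls=ACL_NAMES):
    """Return a report of candidates for manual review; nothing is removed here."""
    objs = orphaned_objects(objects, junctions)
    return {"objects": objs, "acls": orphaned_acls(acls, objects, objs)}


if __name__ == "__main__":
    report = audit()
    print("Review these protected objects:", report["objects"])
    print("Review these ACLs:", report["acls"])
```

The report is input to the manual review the page calls for; removal of anything confirmed as orphaned is still done by an administrator in pdadmin, and an ACL should only be removed after the objects it is attached to have been dealt with, which is why the script excludes ACLs still attached to surviving objects.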
Parent topic: Overview of the API Access Control