Create a new resource server
To create a new Resource Server with the local management interface, use the API Access Control resources page.
Steps
- In the appliance top menu, select Web > API Access Control > Resources.
- The user is prompted to set the user name, password, and domain for the Policy Server if these credentials are not already set. See Store the IBM Security Verify Access operations for managing Access Control Policies.
- Expand the Reverse Proxy instance to show the list of available resource servers. These are the second-level objects in the tree.
- Click Add. A dialog box is displayed prompting for the resource server details.
- In the API Host tab, enter the details for the API host server. Enter the server details using either the basic or the advanced data.
  - For Basic Data, click the Basic radio button.
    - Enter the path prefix in the Path Prefix field. This becomes the standard junction point to the server.
    - Enter a user-friendly description for this resource server in the Description field.
    - Enter the hostname or IP address for this resource server in the Server field.
    - Enter the port for this resource server in the Port field.
    - If SSL is required, check the SSL checkbox; otherwise leave it unchecked.
    - After the server and port are entered, optionally click the Load Key button to load the CA certificate from the server into the reverse proxy keyfile.
    - For server authentication data, click None if no authentication is required.
    - For server authentication data, click Client Certificate for certificate authentication and select the certificate from the drop-down list.
    - For server authentication data, click Basic Authentication for basic authentication and enter the username and password.
  - For Advanced Data, click the Advanced radio button.
    - Select the Standard junction radio button to create a new standard junction.
    - Select the Virtual junction radio button to create a new virtual junction.
    - Click the Create button. This changes the dialog box to allow the advanced junction data to be entered. See Create virtual junctions or Create standard junctions.
    - Once all the values are entered, click OK to return to the previous dialog box. At this stage the advanced junction is not yet created. Values can be changed by clicking Create on the API Host tab again.
- In the Authentication tab, enter the details for how the OAuth token is validated.
  - To use the existing reverse proxy configuration, select the Current Reverse Proxy Authentication radio button.
  - To use an external OAuth introspection endpoint, select the OAuth Introspection radio button and enter the details.
    - Enter the URL for the introspection endpoint in the Introspection URL field.
    - After the URL is entered, optionally click the Load Key button to load the CA certificate from the endpoint into the reverse proxy keyfile.
    - Choose the method by which the authentication data is presented to the introspection endpoint by selecting either Basic Authentication or POST parameter from the drop-down list.
    - If the authentication data is a client ID and/or client secret, click the Client Credentials radio button and enter the Client Id and/or Client secret.
    - If the authentication data is a client ID header name, select HTTP Header and enter the Header Name.
    - If the mapped identity must correspond to an existing Verify Access identity, select the OAuth Identity must correspond to a known Verify Access identity radio button. If the mapped identity is not required to correspond to an existing Verify Access identity, select the OAuth Identity does not need to correspond to a known Verify Access identity radio button.
    - To add a new introspection attribute definition, click the Add button in the Introspection Response Attributes toolbar.
      - Choose whether this definition is to include or exclude this attribute from the response.
      - Enter the Attribute name.
      - Click OK.
    - Click Delete to remove an introspection attribute definition.
    - Click Move Up to move an attribute definition up in the ordered list.
- In the Policy tab, select the policy that is to be attached to this resource server.
  - To use the parent policy, select the default Verify Access Policy radio button; this does not attach any policy directly.
  - Click the No Access Permitted (disabled) radio button to deny all access.
  - Click the Unauthenticated Access Allowed radio button to allow unauthenticated access.
  - Click the Any Authenticated radio button to allow access to any authenticated user.
  - Click the Custom radio button to use a custom Access Control Policy, and select the custom policy name from the drop-down list.
- In the Response tab, set any static response headers to create.
  - Click Add to add a new response header.
    - In the dialog box, select the Header Name or enter a new value in the Header Name field.
    - Enter the header value.
    - Click Save.
  - Click Delete to delete a response header from the header list.
- In the new Identity tab, set the JWT configuration:
  - Check the Enable JWT check box to enable JWT generation.
  - Specify the HTTP header name for the generated JWT in the Header Name field.
  - Select the certificate used to sign the generated JWT from the Certificate drop-down. This drop-down is populated with the available personal certificates from either:
    - The keystore configured in the jct-cert-keyfile entry of the junction stanza in the reverse proxy configuration file.
    - If the jct-cert-keyfile entry is not configured, the keystore configured in the webseal-cert-keyfile entry of the ssl stanza in the reverse proxy configuration file.
  - Set the list of claims to add to the generated JWT using the toolbar for the claims table.
    - Click the Add button to create a new claim.
      - Click the Literal claim radio button if the claim is a literal text value.
      - Click the Credential attribute claim radio button if the claim value is retrieved from a credential attribute.
      - Enter the value for a literal claim or the attribute name for a credential attribute claim. The attribute name can include the wildcard characters “*” or “?” if a pattern of attributes is to be included in the generated JWT.
      - Enter the name for the claim in the Claim Name field. This field is optional when the claim is a credential attribute claim. If the claim is a credential attribute claim and the attribute name includes a wildcard, this field is not valid; instead, the claim name for each matched attribute is set to the name of the matched attribute. If the claim is a credential attribute claim and this field is not set, the claim name is set to the attribute name.
      - Click the Save button to add the new claim to the list of claims.
    - Select the claim to edit and click the Edit button to update an existing claim.
    - Select the claim to remove and click the Delete button to remove an existing claim.
- Once all of the data is set, click Save to create the new resource server.
- When a new resource server is created, the junction-specific management and error pages directories are created.
- To view a list of all of the internal Verify Access operations that are run to create a new policy, see the api_access_control.log as described in Audit the Verify Access operations performed when managing API Access Control components.
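As an added illustration (not Verify Access code and not tied to any product API), the following Python models the claim rules from the Identity tab steps above: a literal claim needs a Claim Name, a credential attribute claim uses the Claim Name when set and the attribute name otherwise, and a wildcard pattern emits one claim per matched attribute under that attribute's own name. The credential attribute names, values and claim definitions are constructed sample data.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed model of the claim rules on this page; not Verify Access code.
#   kind  : "literal" or "credential"
#   value : literal text, or the credential attribute name / wildcard pattern
#   name  : Claim Name field (optional for credential attribute claims)
ClaimDef = Dict[str, Optional[str]]


def build_jwt_claims(credential: Dict[str, str],
                     claim_defs: List[ClaimDef]) -> Dict[str, str]:
    """Return the JWT claim set produced from the credential attributes."""
    claims: Dict[str, str] = {}
    for d in claim_defs:
        kind, value, name = d["kind"], d["value"], d.get("name")
        if kind == "literal":
            # A literal claim has no attribute to fall back on, so it needs a name.
            if not name:
                raise ValueError("literal claim requires a claim name")
            claims[name] = value
        elif kind == "credential":
            if any(ch in value for ch in "*?"):
                # Wildcard pattern: the Claim Name field is not valid here; each
                # matched attribute is emitted under its own attribute name.
                for attr, attr_val in credential.items():
                    if fnmatch.fnmatchcase(attr, value):
                        claims[attr] = attr_val
            elif value in credential:
                # Single attribute: use the Claim Name if set, else the attribute name.
                claims[name or value] = credential[value]
            # An attribute missing from the credential contributes no claim.
        else:
            raise ValueError(f"unknown claim kind: {kind}")
    return claims


# Constructed sample credential attributes and claim definitions.
SAMPLE_CREDENTIAL = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "AUTHENTICATION_LEVEL": "1",
    "tagvalue_user_session_id": "abc123",
    "tagvalue_login_time": "1700000000",
}
SAMPLE_CLAIMS: List[ClaimDef] = [
    {"kind": "literal", "value": "api-gateway", "name": "iss"},
    {"kind": "credential", "value": "AZN_CRED_PRINCIPAL_NAME", "name": "sub"},
    {"kind": "credential", "value": "AUTHENTICATION_LEVEL"},          # no name: keeps attribute name
    {"kind": "credential", "value": "tagvalue_*", "name": "ignored"},  # wildcard: name not valid
]
```

Calling `build_jwt_claims(SAMPLE_CREDENTIAL, SAMPLE_CLAIMS)` yields the claims that a JWT built from this configuration would carry, with the two tagvalue_ attributes appearing under their own names.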