Runtime security services external authorization service
The runtime security services external authorization service (EAS) provides the policy enforcement point function for context-based access.
We can configure the runtime security services EAS to include context-based access decisions as part of the standard authorization on WebSEAL requests. WebSEAL becomes the authorization enforcement point for access to resources that context-based access protects. The runtime security services EAS constructs a request that it sends to the policy decision point (PDP). Based on the policy decision that is received from the PDP, the EAS takes one of the actions listed in the following table.
| Action | Description |
| --- | --- |
| Permit | Grant access to the protected resource. |
| Deny | Deny access to the protected resource. |
| Permit with Authentication | Grant access to the protected resource, after a specific authentication action successfully takes place. |
| Permit with Obligation | Grant access to the protected resource, after the user successfully authenticates with a secondary challenge. |
| Deny with Obligation | Deny access to the protected resource, after the user unsuccessfully responds to a secondary challenge. |
The following steps set up the initial integration with Advanced Access Control:
- Configure runtime security services for client certificate authentication.
- Run the isamcfg tool to automatically update the WebSEAL configuration file and to complete other configuration setup.
- (Optional) Update the WebSEAL configuration file to:
  - Retain the version 7.0 attribute IDs.
  - Define custom attributes for the authorization service.
  - Map an obligation to a URL.
  - Permit access decisions when runtime security services cannot be contacted.
For information about WebSEAL, see web reverse proxy configuration.
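The enforcement logic described above, as an added Python model that is not IBM's or WebSEAL's code: the decision names come from the action table, while `enforce`, `Outcome`, `PdpUnavailable`, `sample_pdp`, the risk score, the obligation ID and the URL are hypothetical. It shows that permitting access when the PDP cannot be contacted is a fail-open choice, and that an unmapped obligation or an unrecognised decision should end in deny.

```python
from dataclasses import dataclass
from typing import Optional

# Decision names come from the action table; all other names are hypothetical.
PERMIT, DENY = "Permit", "Deny"
PERMIT_AUTH = "Permit with Authentication"
PERMIT_OBLIGATION = "Permit with Obligation"
DENY_OBLIGATION = "Deny with Obligation"

class PdpUnavailable(Exception):
    """Raised by the modelled PDP client when no server can be contacted."""

@dataclass(frozen=True)
class Outcome:
    action: str                     # "allow", "deny" or "challenge"
    redirect: Optional[str] = None  # where to send the user for a challenge
    reason: str = ""

def enforce(ask_pdp, context, obligation_urls, permit_when_unavailable=False):
    """Turn one PDP answer into an enforcement action, denying by default."""
    try:
        decision, obligation = ask_pdp(context)
    except PdpUnavailable:
        # Fail-open only if explicitly configured; otherwise fail closed.
        if permit_when_unavailable:
            return Outcome("allow", reason="PDP unreachable (fail-open)")
        return Outcome("deny", reason="PDP unreachable (fail-closed)")
    if decision == PERMIT:
        return Outcome("allow", reason=decision)
    if decision in (PERMIT_AUTH, PERMIT_OBLIGATION):
        # Assumption: both challenge decisions carry an ID resolved via a mapping.
        url = obligation_urls.get(obligation)
        if url is None:
            return Outcome("deny", reason=f"no URL mapped for {obligation!r}")
        return Outcome("challenge", redirect=url, reason=decision)
    if decision in (DENY, DENY_OBLIGATION):
        return Outcome("deny", reason=decision)
    return Outcome("deny", reason=f"unrecognised decision {decision!r}")

def sample_pdp(context):
    """Constructed stand-in for a PDP: decides on a made-up risk score."""
    if context.get("pdp_down"):
        raise PdpUnavailable()
    risk = context["risk"]
    if risk < 30:
        return PERMIT, None
    if risk < 70:
        return PERMIT_OBLIGATION, context.get("obligation", "otp")
    return DENY, None

OBLIGATION_URLS = {"otp": "/constructed/otp-challenge"}  # constructed mapping
```

Logging the `reason` field of every outcome makes fail-open grants visible, so an outage of the decision point can be told apart from a genuine Permit.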
- Configure runtime security services for client certificate authentication
  Configure runtime security services for client certificate authentication used for authentication between WebSEAL and Advanced Access Control.
- Permitting access decisions when runtime security services cannot be contacted
  Update the WebSEAL configuration file to change the behavior when runtime security services servers cannot be contacted by the EAS.
- Retaining the version 7.0 attribute IDs in existing policies
  If your existing policies contain any of the changed attribute IDs, we can update our WebSEAL configuration file to continue using risk-based access version 7.0 IDs.