Review existing web reverse proxy instance point of contact settings (AAC)
After upgrading from appliance v8.n.n.n to v9.n.n.n, it might be necessary to review and update some existing web reverse proxy instance point of contact settings for the Advanced Access Control runtime.
Review ACL settings for Authentication Services REST endpoint
A new REST endpoint for the Authentication Services Framework was introduced in v9.0.0.0. The default URL for this endpoint is “/mga/sps/apiauthsvc”. After an upgrade from an ISAM appliance at v8.n.n.n, using the “/mga/sps/apiauthsvc” endpoint with an existing web reverse proxy might require creating an ACL named “isam_mobile_rest_unauth” and attaching it to the “/mga/sps/apiauthsvc” endpoint. We can use the following Security Verify Access policy administration commands to enable this setting. The ACL includes an entry for unauth, so attach it only to the object shown.
acl create "isam_mobile_rest_unauth"
acl attach "/WebSEAL/<web reverse proxy>/mga/sps/apiauthsvc" "isam_mobile_rest_unauth"
acl modify "isam_mobile_rest_unauth" set user "sec_master" TcmdbsvaBRrxl
acl modify "isam_mobile_rest_unauth" set group iv-admin TcmdbsvaBRrxl
acl modify "isam_mobile_rest_unauth" set group webseal-servers Tgmdbsrxl
acl modify "isam_mobile_rest_unauth" set any-other Tmdrxl
acl modify "isam_mobile_rest_unauth" set unauth Tmdrxl
Review EAI point of contact settings
Some of the default settings related to Advanced Access Control point of contact and EAI headers changed in v9.0.0.0. After an upgrade from v8.n.n.n where an existing web reverse proxy instance has been configured with Advanced Access Control, review the following settings and correct the settings if required.
In the web reverse proxy configuration file, check the [eai] stanza settings:
# EAI HEADER NAMES
# EAI PAC header names
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc
# EAI USER ID header names
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs
# EAI external USER ID header names
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups
# EAI COMMON header names
eai-redir-url-header = am-eai-redir-url
The names of the headers must match the point of contact settings for the Advanced Access Control runtime. We can manage these settings with the local management interface by going to AAC > Global Settings > Point of Contact. Review the parameter value settings for the active point of contact profile.
AAC point of contact parameter          Reverse Proxy header name
fim.user.response.header.name           am-eai-ext-user-id
fim.target.response.header.name         am-eai-redir-url
fim.attributes.response.header.name     am-eai-xattrs
fim.groups.response.header.name         am-eai-ext
fim.user.request.header.name            iv-user
fim.cred.request.header.name            iv-creds
fim.groups.request.header.name          iv-groups
fim.cred.response.header.name           am-eai-pac
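One way to script the review described above, as an added example that is not IBM's code: it parses the [eai] stanza from the reverse proxy configuration text and reports every response header whose name differs from the AAC point of contact value. The pairing between fim.* parameters and eai-* keys, the function names, and the sample input are assumptions made for illustration.

```python
# Added example: compare [eai] header names with AAC point of contact values.
# PAIRING is an assumption inferred from the parameter and key names on this page.
PAIRING = {
    "fim.user.response.header.name": "eai-ext-user-id-header",
    "fim.groups.response.header.name": "eai-ext-user-groups-header",
    "fim.attributes.response.header.name": "eai-xattrs-header",
    "fim.target.response.header.name": "eai-redir-url-header",
    "fim.cred.response.header.name": "eai-pac-header",
}

def parse_stanza(conf_text, stanza="eai"):
    """Return key -> value for one [stanza] of the configuration text."""
    values, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def find_mismatches(conf_text, poc_params):
    """List (parameter, stanza key, proxy value, AAC value) where names differ."""
    eai = parse_stanza(conf_text)
    problems = []
    for param, key in PAIRING.items():
        proxy_value, aac_value = eai.get(key), poc_params.get(param)
        # A missing entry on either side is a finding; header names compare case-insensitively.
        if None in (proxy_value, aac_value) or proxy_value.lower() != aac_value.lower():
            problems.append((param, key, proxy_value, aac_value))
    return problems

# Constructed sample input: one non-matching name, one key outside the [eai] stanza.
SAMPLE_CONF = """[eai]
eai-pac-header = am-eai-pac
eai-xattrs-header = am-eai-xattrs
eai-ext-user-id-header = old-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups
[constructed-other-stanza]
eai-redir-url-header = am-eai-redir-url
"""
# Constructed AAC values: "am-" + the stanza key without its "-header" suffix.
SAMPLE_POC = {p: "am-" + k[:-len("-header")] for p, k in PAIRING.items()}

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_CONF, SAMPLE_POC):
        print("MISMATCH %s / %s: proxy=%r aac=%r" % finding)
```

In practice, replace SAMPLE_POC with the values shown for the active profile under AAC > Global Settings > Point of Contact and SAMPLE_CONF with the contents of the instance configuration file.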