Install and configure all components of Access Manager. For installation and configuration information, see the NetIQ Access Manager 5.0 Installation and Upgrade Guide and Setting Up a Basic Access Manager Configuration in the Access Manager 5.0 Administration Guide.
A basic understanding of Access Gateway Authorization and Access Gateway Identity Injection policies. See Access Manager Policies in the Access Manager 5.0 Administration Guide.
An integrated Java development environment.
Download nxpe.jar from the /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib directory (for roles) or /opt/novell/nam/mag/webapps/nesp/WEB-INF/lib (for other policies) of your Identity Server and add it to your development project.
For information about how to download a file, see Downloading Files from a Server in the NetIQ Access Manager 5.0 Administration Guide.
For information about how to add a file, see Adding Configurations to a Cluster in the NetIQ Access Manager 5.0 Administration Guide.
You can use the policy extension API to create the following types of policy extensions:
Action: This type of extension allows a new action to be added to the policy. When the policy is evaluated and the conditions evaluate to true, the extension is called so that it can execute its action. The action can be a permit, deny, or obligation. Action extensions are used in Access Gateway Authorization policies.
For example, when a user is denied access to an Access Gateway resource, the extension generates a dynamic page that is displayed to the user and updates a database with the details of the attempted access.
Condition: This type of extension allows a new condition to be added to the policy. When the policy is evaluated, the extension is called to evaluate the condition and is responsible for returning a True, False, or Error value for the condition. Condition extensions are used in Access Gateway Authorization policies and Identity Server Role policies.
For example, the Acme company requires historical sales records to be available via the corporate Intranet. Access to the records is granted according to regular procedures set up by the accounting department. The accounting department manages the access rights in a database that supports SQL. In order for Access Manager to take advantage of the access granting process already in place in the accounting department, a condition extension is created that queries the accounting access rights database and returns true, false, or error.
Data: This type of extension retrieves data from an external source that can then be injected into a policy and used as input for evaluating a condition or an action. Data extensions can be used in Access Gateway Authorization policies, Access Gateway Identity Injection policies, Identity Server Role policies, and External Attribute Source policies.
For example, suppose a policy needs to use the role assignments made in an Oracle* database to determine whether a user is assigned an Access Manager role. The data extension could retrieve the role assignments from the database and return them in a string object that could be used by Access Manager in evaluating the condition for the Role policy.
When the policy engine processes a policy, the first step is to configure the policy. The following elements can be marked as external elements in the policy:
Conditions
Data elements
Actions
When the policy engine configures a policy, it calls the extension if it encounters an external element. The engine expects the extension to return an extension type-specific object, unless an exception occurs. The object contains the data that the extension needs for processing, and the object is returned to the policy engine with the required data to continue processing the policy.
For specific details, see the following sections:
When the policy engine processes a policy and encounters a condition marked as an extension, it instantiates an object that must comply with the NxpeConditionFactory interface. It then calls the getInstance method and expects an NxpeCondition object from the extension unless NxpeException is thrown by the NxpeConditionFactory object.
This process is illustrated in the following code snippet:
public interface NxpeConditionFactory
{
   NxpeCondition getInstance()
      throws NxpeException;
} /* NxpeConditionFactory */
The policy engine then calls the NxpeCondition.initialize method and sends an NxpeParameterList object for configuration parameters. Configuration parameters are used to initialize the NxpeCondition object. The extension needs these parameters for evaluating the condition. Values for these parameters are retrieved at evaluation from the NxpeInformationContext object that is sent by the policy engine.
The initialize method is called before any other method, followed by a method that sets an ID for the condition.
The following code snippet illustrates this process:
public interface NxpeCondition
{
   void initialize(
      NxpeParameterList configurationValues)
      throws NxpeException;

   NxpeResult evaluate(
      NxpeInformationContext informationContext,
      NxpeResponseContext responseContext)
      throws NxpeException;

   void setInterfaceId(
      String interfaceId)
      throws NxpeException;
}
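The following is an added example, not code from the guide, that implements the condition extension described above for the Acme scenario in which access rights come from an external accounting source: the factory hands out condition objects, initialize keeps a reference to the configuration parameters, and evaluate resolves the configured user value from the information context and answers True, False, or Error. The package name com.novell.nxpe, the accessors NxpeParameterList.getParameter(String) and NxpeInformationContext.getData(NxpeParameter), and the NxpeResult constants ConditionTrue, ConditionFalse and ErrorDataUnavailable are assumed from nxpe.jar and are not shown on this page; the access-rights table is a constructed in-memory stand-in for the SQL database.

```java
import com.novell.nxpe.NxpeCondition;
import com.novell.nxpe.NxpeConditionFactory;
import com.novell.nxpe.NxpeException;
import com.novell.nxpe.NxpeInformationContext;
import com.novell.nxpe.NxpeParameter;
import com.novell.nxpe.NxpeParameterList;
import com.novell.nxpe.NxpeResponseContext;
import com.novell.nxpe.NxpeResult;
import java.util.HashMap;
import java.util.Map;

/** The policy engine instantiates this factory and calls getInstance() for each condition. */
public class SalesRecordsConditionFactory implements NxpeConditionFactory {
    public NxpeCondition getInstance() throws NxpeException {
        return new SalesRecordsCondition();
    }
}

class SalesRecordsCondition implements NxpeCondition {
    // Constructed stand-in for the accounting department's access-rights database.
    private static final Map<String, Boolean> ACCESS_RIGHTS = new HashMap<>();
    static {
        ACCESS_RIGHTS.put("cn=alice,o=acme", Boolean.TRUE);
        ACCESS_RIGHTS.put("cn=bob,o=acme", Boolean.FALSE);
    }

    private NxpeParameterList configurationValues; // kept, as the guide requires, for later use
    private NxpeParameter userDnParameter;         // configured here, resolved at evaluation time
    private String interfaceId;                    // used only for trace output

    public void initialize(NxpeParameterList configurationValues) throws NxpeException {
        this.configurationValues = configurationValues;
        // Assumed accessor: the parameter named "UserDN" was mapped in the policy configuration.
        this.userDnParameter = configurationValues.getParameter("UserDN");
    }

    public void setInterfaceId(String interfaceId) throws NxpeException {
        this.interfaceId = interfaceId;
    }

    public NxpeResult evaluate(NxpeInformationContext informationContext,
                               NxpeResponseContext responseContext) throws NxpeException {
        // Assumed accessor: the engine supplies the parameter's current value from the context.
        Object userDn = (userDnParameter == null) ? null : informationContext.getData(userDnParameter);
        if (!(userDn instanceof String)) {
            return NxpeResult.ErrorDataUnavailable; // fail closed: missing input is an Error, never True
        }
        Boolean allowed = ACCESS_RIGHTS.get(((String) userDn).toLowerCase());
        if (allowed == null) {
            return NxpeResult.ErrorDataUnavailable; // unknown user: no record, so no decision
        }
        return allowed ? NxpeResult.ConditionTrue : NxpeResult.ConditionFalse;
    }
}
```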
When the policy engine is processing a policy and encounters a data element marked as an extension, the engine instantiates an object that must comply with the NxpeContextDataElementFactory interface. The engine then calls the getInstance() method, passing the name, enumerativeValue, and parameter as arguments, and expects the extension to return an NxpeContextDataElement object unless the NxpeContextDataElementFactory object throws an NxpeException. The following code snippet illustrates this process:
public interface NxpeContextDataElementFactory
{
   NxpeContextDataElement getInstance(
      String name,
      int enumerativeValue,
      String parameter)
      throws NxpeException;
} /* NxpeContextDataElementFactory */
During the next part of the configuration phase, the policy engine calls the NxpeContextDataElement.initialize() method, passing an NxpeParameterList object with configureParameters. The configureParameters are used to initialize the NxpeContextDataElement object and are the parameters required during policy evaluation. It is expected that the values for these configureParameters are retrieved from the NxpeInformationContext object passed by the policy engine.
The following code snippet illustrates this process:
public interface NxpeContextDataElement
{
   void initialize(
      NxpeParameterList configurationValues)
      throws NxpeException;

   String getName();

   int getEnumerativeValue();

   String getParameter();

   Object getValue(
      NxpeInformationContext informationContext,
      NxpeResponseContext responseContext)
      throws NxpeException;
} /* NxpeContextDataElement */
The policy engine calls the NxpeContextDataElement.initialize() method to initialize a component in preparation for policy evaluation. Derived classes are required to implement this method. This method is guaranteed to be called before any other method is called, because it is part of object construction.
The configurationValues parameter contains a list of the configuration data required by the external ContextDataElement handler. If the context data element wants to preserve configuration data, it must maintain a reference to the configuration value parameters.
When the policy engine is processing a policy and encounters an action marked as an extension, the engine instantiates an object that must comply with the NxpeActionFactory interface. The engine then calls the getInstance() method, and expects the extension to return an NxpeAction object unless the NxpeActionFactory object throws an NxpeException.
This process is illustrated in the following code snippet:
public interface NxpeActionFactory
{
   NxpeAction getInstance()
      throws NxpeException;
} /* NxpeActionFactory */
During the next part of the configuration phase, the policy engine calls the NxpeAction.initialize() method, passing an NxpeParameterList object with the configureParameters. The configureParameters are used to initialize the NxpeAction object and are the parameters needed during NxpePolicy.evaluate(). It is expected that the values for these configureParameters are retrieved from the NxpeInformationContext passed by the policy engine.
The following code snippet illustrates this process:
public interface NxpeAction
{
   void initialize(
      NxpeParameterList configurationValues)
      throws NxpeException;
The NxpeParameterList is a list of configuration data required by the external action extension. If the action extension wants to preserve configuration data, the extension must maintain a reference to the configuration value parameters.
The second method called is the setInterfaceId method, which sets up a value for trace evaluation. The interfaceId parameter sets a unique string value for the action. The following code snippet illustrates this last step in the NxpeAction interface.
   void setInterfaceId(
      String interfaceId)
      throws NxpeException;
} /* NxpeAction */
The policy engine calls the doAction method to initiate the action. It has the following parameters:
The informationCtx parameter contains the policy enforcement point information context to query for values.
The responseCtx is a reflection object for communicating detailed response information back to the application. This is additional information and does not replace the need to place an action completion status in the return value from this call.
This method returns an NxpeResult, which contains an error code, permit, deny, or obligation. Derived classes are required to override this method to implement the supported action.
The following code snippet illustrates this process:
   NxpeResult doAction(
      NxpeInformationContext informationCtx,
      NxpeResponseContext responseCtx)
      throws NxpeException;