10.1.6 Adding Policy Extensions

If Access Manager does not supply the action, the data type, or the condition that you need for a policy, you can add a customized policy extension. For example, suppose you need a policy that grants access based on whether a user has a specific role which is assigned to users in an Oracle database. The custom extension can read role assignments of a user from the Oracle database and return a string containing the role names. You can use this data to determine access to resources.

For information about how to create a policy extension, see the NetIQ Access Manager 4.5 SDK Guide.

After a policy extension has been created, perform the following tasks to use the extension:

  • Installing the Extension on Administration Console

  • Distributing a Policy Extension

After configuring the extension, you can perform the following tasks:

  • Managing a Policy Extension Configuration

  • Viewing Extension Details

Installing the Extension on Administration Console

The policy extension can be delivered as a JAR file or a ZIP file.

Uploading and Configuring a JAR File

To install an extension, you need to have access to the JAR file and know the following information about the extension or extensions contained within the file:

What you need to create

  • A display name for the extension.

  • A description for the extension.

What you need to know

  • The policy type of the extension, which defines the policy type it can be used with. You must know whether it is an extension for an Access Gateway Authorization policy, an Access Gateway Identity Injection policy, or an Identity Server Role policy.

  • The name of the Java class that is used by the extension. Each data type usually uses a different Java factory class.

  • The filename of the extension.

  • The names, IDs, and mapping type of any configuration parameters. Configuration parameters allow the policy engine to pass data to the extension, which the extension can then use to retrieve data or to evaluate a condition.

  • The type of data the extension manipulates.


Authorization Policy: You can use it to return the following:

  • An action of deny, permit, or obligation.

  • A condition that the extension evaluates and returns either true or false.

  • A data element that the extension retrieves and the policy can use for evaluating a condition.

Identity Injection Policy: A data extension that retrieves data for injecting into a header.

Identity Role Policy: You can use it to return the following:

  • A condition that the extension evaluates and returns either true or false.

  • A data element that the extension retrieves, which can be used in evaluating a condition or in assigning roles.

External Attribute Source Policy: A data extension that retrieves attributes from external sources.

If the file contains more than one extension, create a configuration for each extension in the file.

  1. Copy the JAR file to a location that you can browse to from Administration Console.

  2. Click Policies > Extensions.

  3. Click Upload > Browse, select the file, and click Open.

  4. (Conditional) If you want this JAR file to overwrite an existing version of the file, select Overwrite existing *.jar file.

  5. Click OK.

    The file is uploaded to Administration Console, but nothing is visible on the Extensions page until you create a configuration.

  6. To create an extension configuration, click New, and specify the following details:

    Name: Specify a display name for the extension.

    Description: (Optional) Specify the purpose of the extension and how it must be used.

    Policy Type: Select the type of extension you have uploaded.

    Type: Select the data type of the extension.

    Class Name: Specify the name of the class that creates the extension, such as com.acme.policy.action.successActionFactory.

    File Name: Select the JAR file that contains the Java class that implements the extension and its corresponding factory. This must be the file you uploaded in Step 3.

  7. Click OK.

  8. (Conditional) If the extension requires data from Access Manager, click the name of the extension.

  9. In the Configuration Parameters section, click New, specify a name and ID, and click OK.

    The developer of the extension must supply the name and ID that the extension requires.

  10. In the Mapping column, select the required data type.

    The developer of the extension must supply the data type that is required. If the data type is a data string, then the developer needs to explain the type of information you need to supply in the text field.

  11. (Conditional) If the extension requires more than one data item, repeat Step 9 and Step 10.

  12. Click OK.

    The extension is now available for the policy type it was created for.

  13. (Conditional) If the class can be used for multiple policy types, you need to create an extension configuration for each policy type.

    For example, if an extension can be used for both an Identity Injection policy and a Role policy, you need to create an entry for both. The File Name option must contain the same value, but the other options must contain unique values.

  14. Continue with Distributing a Policy Extension.
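As an added example that is not part of the NetIQ documentation, the following Python script performs two checks an administrator can run on a JAR before uploading it in Step 3: that its SHA-256 digest matches the value the extension developer supplied, and that the factory class name to be entered in the Class Name field in Step 6 is actually present in the archive. The sample JAR, its digest and the use of the page's own example class name com.acme.policy.action.successActionFactory are constructed here; a real check uses the developer's JAR and digest.

```python
import hashlib
import io
import zipfile

# Class Name from the page's example configuration; the JAR below is constructed.
FACTORY_CLASS = "com.acme.policy.action.successActionFactory"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the JAR; record it before overwriting an existing *.jar."""
    return hashlib.sha256(data).hexdigest()


def list_factory_classes(jar_bytes: bytes) -> list:
    """Dotted names of all *Factory classes: candidates for the Class Name field."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n[:-len(".class")].replace("/", ".")
                      for n in jar.namelist() if n.endswith("Factory.class"))


def check_extension_jar(jar_bytes: bytes, expected_sha256: str,
                        factory_classes: list) -> list:
    """Findings that block the upload; an empty list means the JAR matches
    the digest and factory class names the extension developer documented."""
    findings = []
    digest = sha256_of(jar_bytes)
    if digest != expected_sha256.lower():
        findings.append("digest mismatch: got " + digest)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
    for cls in factory_classes:
        # Java class names map to paths inside the archive
        if cls.replace(".", "/") + ".class" not in entries:
            findings.append("factory class not found in JAR: " + cls)
    return findings


def build_sample_jar() -> bytes:
    """Constructed stand-in for an extension JAR; the .class entries hold only
    the class-file magic bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/acme/policy/action/successAction.class", b"\xca\xfe\xba\xbe")
        jar.writestr(FACTORY_CLASS.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

A non-empty findings list means the file on disk is not the one the developer documented, so it should not be uploaded with Overwrite existing *.jar file selected.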

Importing a ZIP File

A ZIP file with an exported extension contains both the JAR file and the extension configuration.

  1. Copy the ZIP file to a location that you can browse to from Administration Console.

  2. Click Policies > Extensions.

  3. Click Upload > Browse, select the file, and click Open.

  4. (Conditional) If you want the JAR file in the import to overwrite an existing version of the file, select Overwrite existing *.jar file.

  5. Click OK.

  6. (Conditional) If the extension requires some customizing, click the name of the extension and follow the instructions that came with the extension.

  7. Continue with Distributing a Policy Extension.

Distributing a Policy Extension

To distribute the policy extension to the devices that need it:

  1. Create a policy that uses the extension.

  2. Assign the policy to a device.

    IMPORTANT: Do not update the device at this time. The JAR files must be distributed before you update the device.

  3. Distribute the JAR files:

    1. Click Policies > Extensions.

    2. Select the extension, then click Distribute JARs.

    3. Restart Tomcat on the devices listed for reboot.

      • Linux: Enter the following command:

        In Access Gateways: /etc/init.d/novell-mag restart

        In Identity Servers: /etc/init.d/novell-idp restart

      • Windows: Enter the following commands:

        net stop Tomcat8
        net start Tomcat8

  4. (Conditional) If the extension is for an Authorization policy or an Identity Injection policy, update Access Gateway.

Managing a Policy Extension Configuration

  1. Click Policies > Extensions.

  2. To export a policy extension, select the policy, then click Export.

  3. An extension can be deleted only when no policy is using it. Use the Used By column to determine the policies that are using the extension, and modify the listed policies. When the extension is no longer used by any policy, select the extension, then click Delete.

  4. To rename a policy extension, select the extension, click Rename, specify a new name, then click OK. When a policy extension is renamed and the extension is in use by a policy, the policy is updated. This causes the Apply Changes button to be active on the Policy List page.

Viewing Extension Details

You can modify the details of an existing extension and control the information Access Manager provides to the extension when the data is evaluated.

  1. Click Policies > Extensions.

  2. Click the name of the extension.

    You can view or modify the following details:

    Description: (Optional) Specifies the purpose of the extension and how it must be used.

    Class Name: Specifies the name of the class that creates the extension, for example com.acme.policy.action.successActionFactory.

    File Name: Specifies the JAR file that contains the Java class that implements the extension and its corresponding factory. Select the appropriate file from the list.

  3. (Conditional) Specify the Condition Parameters required by the extension.

    The documentation for the extension must tell you the number of parameters it requires and the data type of each parameter. Create the parameter with a unique name and unique ID.

    • To add a configuration parameter, click New, enter a name (a string) and an ID (a number) for the parameter, then click OK. In Mapping, select the data item from the list. The selected data is available whenever the extension class is called to evaluate an action, a condition, or data.

    • To delete a configuration parameter, select the parameter, then click Delete.

  4. Click OK.