If Access Manager does not supply the action, the data type, or the condition that you need for a policy, you can add a customized policy extension. For example, suppose you need a policy that permits access based on whether a user has a specific role that is assigned to users in an Oracle database. The custom extension could read the user's role assignments from the Oracle database and return a string containing the role names. This data could then be used to determine access rights to Access Manager resources. For information on how to create a policy extension, see the Novell Access Manager Developer Kit.
After a policy extension has been created, you need to perform the following tasks to use the extension:
After you have configured the extension, you can perform the following tasks:
The policy extension can be delivered as either a .jar file or a .zip file.
To install an extension, you need to have access to the .jar file and know the following information about the extension or extensions contained within the file.
If the file contains more than one extension, you need to create a configuration for each extension in the file.
1. Copy the .jar file to a location that you can browse to from the Administration Console.
2. In the Administration Console, click > .
3. To upload the file, click > , select the file, then click .
4. (Conditional) If you want this .jar file to overwrite an existing version of the file, select .
5. Click .
   The file is uploaded to the Administration Console, but nothing is visible on the Extensions page until you create a configuration.
6. To create an extension configuration, click , then fill in the following fields:
   Name: Specify a display name for the extension.
   Description: (Optional) Specify the purpose of the extension and how it should be used.
   Policy Type: From the drop-down list, select the type of extension you have uploaded.
   Type: From the drop-down list, select the data type of the extension.
   Class Name: Specify the name of the class that creates the extension, such as com.acme.policy.action.successActionFactory.
   File Name: From the drop-down list, select the .jar file that contains the Java class that implements the extension and its corresponding factory. This should be the file you uploaded in Step 3.
7. Click .
8. (Conditional) If the extension requires data from Access Manager, click the name of the extension.
9. In the section, click , specify a name and ID, then click .
   The developer of the extension must supply the name and ID that the extension requires.
10. In the column, click the down-arrow, then select the required data type.
   The developer of the extension must supply the data type that is required. If the data type is a data string, then the developer needs to explain the type of information you need to supply in the text field.
11. (Conditional) If the extension requires more than one data item, repeat Step 9 and Step 10.
12. Click .
   The extension is now available for the policy type it was created for.
13. (Conditional) If the class can be used for multiple policy types, you need to create an extension configuration for each policy type.
   For example, if an extension can be used for both an Identity Injection policy and a Role policy, you need to create an entry for both. The option should contain the same value, but the other options should contain unique values.
Continue with Section 1.6.2, Distributing a Policy Extension.
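As an added pre-upload check (this helper is not part of Access Manager or its documentation), the script below confirms that the class you will enter in the Class Name field is actually packaged in the .jar selected under File Name, and also handles an exported .zip that bundles the .jar with its configuration. The class names, the sample archives and the configuration file name inside the sample .zip are constructed for the example.

```python
import io
import zipfile


def classes_in_jar(jar_bytes: bytes) -> list[str]:
    """Dotted names of every class packaged in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n[:-len(".class")].replace("/", ".")
                      for n in jar.namelist() if n.endswith(".class"))


def jars_in_export(zip_bytes: bytes) -> list[bytes]:
    """An exported extension .zip holds the .jar plus its configuration;
    return the bytes of every .jar inside it (the configuration is ignored)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as export:
        return [export.read(n) for n in export.namelist() if n.endswith(".jar")]


def check_class_name(archive_bytes: bytes, class_name: str) -> bool:
    """True if the factory class named in the Class Name field is packaged
    in the .jar (or in a .jar inside an exported .zip).  Java class names
    are case-sensitive, so the comparison is exact."""
    jars = jars_in_export(archive_bytes) or [archive_bytes]
    return any(class_name in classes_in_jar(j) for j in jars)


def _build_sample_jar() -> bytes:
    """Constructed sample jar: placeholder entries, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/acme/policy/action/successActionFactory.class", b"")
        jar.writestr("com/acme/policy/action/SuccessAction.class", b"")
    return buf.getvalue()


def _build_sample_export(jar_bytes: bytes) -> bytes:
    """Constructed sample export .zip: the jar plus a placeholder config file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as export:
        export.writestr("successAction.jar", jar_bytes)
        export.writestr("extension-config.xml", b"<!-- constructed placeholder -->")
    return buf.getvalue()


if __name__ == "__main__":
    jar = _build_sample_jar()
    print("classes:", classes_in_jar(jar))
    print("jar ok:", check_class_name(jar, "com.acme.policy.action.successActionFactory"))
    print("zip ok:", check_class_name(_build_sample_export(jar),
                                      "com.acme.policy.action.successActionFactory"))
    print("typo:", check_class_name(jar, "com.acme.policy.action.SuccessActionFactory"))
```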
A .zip file with an exported extension contains both the .jar file and the extension configuration.
1. Copy the .zip file to a location that you can browse to from the Administration Console.
2. In the Administration Console, click > .
3. To upload the file, click > , select the file, then click .
4. (Conditional) If you want the .jar file in the import to overwrite an existing version of the file, select .
5. Click .
   The extension is imported in the Administration Console.
6. (Conditional) If the extension requires some customizing, click the name of the extension and follow the instructions that came with the extension.
Continue with Section 1.6.2, Distributing a Policy Extension.
To distribute the policy extension to the devices that need it:
1. Create a policy that uses the extension:
   Role Policy: To create a Role policy that uses the extension, see Section 2.2, Creating Roles.
   Identity Injection Policy: To create an Identity Injection policy that uses the extension, see Section 4.2, Configuring an Identity Injection Policy.
   Authorization Policy: To create an Authorization policy that uses the extension, see Section 3.2, Creating Access Gateway Authorization Policies.
2. Assign the policy to a device:
   For a Role policy, enable it for an Identity Server. For more information, see Section 2.6, Enabling and Disabling Role Policies.
   For an Authorization policy, assign it to a protected resource. For more information, see Assigning an Authorization Policy to a Protected Resource in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
   For an Identity Injection policy, assign it to a protected resource. For more information, see Assigning an Identity Injection Policy to a Protected Resource in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
   IMPORTANT: Do not update the device at this time. The .jar files must be distributed before you update the device.
3. Distribute the .jar files:
   Click > .
   Select the extension, then click .
4. Restart Tomcat on the devices listed for reboot.
   Linux: Enter the following command:
   /etc/init.d/novell-tomcat5 restart
   Windows: Enter the following commands:
   net stop Tomcat5
   net start Tomcat5
5. (Conditional) If the extension is for an Authorization policy or an Identity Injection policy, update the Access Gateway.
In the Administration Console, click > .
To export a policy extension, select the policy, then click .
To delete an extension, a policy cannot be using it. Use the column to determine the policies that are using the extension. Modify the listed policies. When the extension is no longer used by any policies, select the extension, then click .
To rename a policy extension, select the extension, click , specify a new name, then click . When a policy extension is renamed and the extension is in use by a policy, the policy is updated. This causes the button to be active on the page.
You can modify the details of an existing extension and control the information Access Manager provides to the extension when the data is evaluated.
1. In the Administration Console, click > .
2. Click the name of the extension.
3. You can view or modify the following details:
   Description: (Optional) Specifies the purpose of the extension and how it should be used.
   Class Name: Specifies the name of the class that creates the extension, for example com.acme.policy.action.successActionFactory.
   File Name: Specifies the .jar file that contains the Java class that implements the extension and its corresponding factory. Select the appropriate file from the drop-down list.
4. (Conditional) Specify the Condition Parameters required by the extension.
   The documentation for the extension should tell you the number of parameters it requires and the data type of each parameter. You create the name and ID for the parameter, and they need to be unique for the extension.
   To add a configuration parameter, click , enter a name (a string) and an ID (a number) for the parameter, then click . In the field, click the down-arrow, then select the data item from the list. The selected data is available whenever the extension class is called to evaluate an action, a condition, or data.
   To delete a configuration parameter, select the parameter, then click .
5. Click .
6. Click .