WebAPI for Credential Management - IBM - United States€¦ · WebAPI for Credential Management ... It covers procedures for using virtual appliance, ... v IBM Security Access Manager

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

Web API for Credential Management

SC14-7646-00

��

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

Web API for Credential Management

SC14-7646-00

��

NoteBefore using this information and the product it supports, read the information in “Notices” on page 33.

Edition notice

Note: This edition applies to version 8.2 of IBM Security Access Manager for Enterprise Single Sign-On,(product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in neweditions.

© Copyright IBM Corporation 2002, 2012.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

About this publication . . . . . . . . vIntended audience . . . . . . . . . . . . vWhat this publication contains . . . . . . . . vPublications . . . . . . . . . . . . . . v

IBM Security Access Manager for EnterpriseSingle Sign-On library . . . . . . . . . . vAccessing terminology online . . . . . . . viiAccessing publications online . . . . . . . viiOrdering publications . . . . . . . . . viii

Accessibility . . . . . . . . . . . . . . viiiTivoli technical training . . . . . . . . . . viiiTivoli user groups . . . . . . . . . . . . viiiSupport information . . . . . . . . . . . viiiConventions used in this publication . . . . . . ix

Typeface conventions . . . . . . . . . . ixOperating system-dependent variables and paths ix

Web API overview . . . . . . . . . . 1Installing and configuring . . . . . . . . . . 1

Installing the Web API EAR file . . . . . . . 2Installing the Tivoli Federated Identity Manager . 2Enabling SSL between the two WebSphereinstances. . . . . . . . . . . . . . . 3

Deploying security token service modules . . . . 4Using the security trust chain. . . . . . . . . 6

Testing the security trust chain . . . . . . . 7Getting a user credential . . . . . . . . . 8

Getting a user credential updated after aspecified date. . . . . . . . . . . . . 13Getting a user credential for an authenticationservice . . . . . . . . . . . . . . . 16Setting a user credential for an authenticationservice . . . . . . . . . . . . . . . 19Getting a user credential updated after aspecified date for one authentication service . . 20Deleting user credentials (Web API) . . . . . 23

Appendix A. Troubleshooting Web API 25

Appendix B. Password-basedencryption . . . . . . . . . . . . . 27CryptoUtil.java file . . . . . . . . . . . . 27Base64.java file . . . . . . . . . . . . . 29

Appendix C. Security Token Service(STS) Universal User document . . . . 31

Notices . . . . . . . . . . . . . . 33

Glossary . . . . . . . . . . . . . . 37

Index . . . . . . . . . . . . . . . 45

© Copyright IBM Corp. 2002, 2012 iii

iv IBM® Security Access Manager for Enterprise Single Sign-On: Web API for Credential Management

About this publication

IBM® Security Access Manager for Enterprise Single Sign-On provides sign-on andsign-off automation, authentication management, and user tracking to provide aseamless path to strong digital identity. The IBM Security Access Manager forEnterprise Single Sign-On Web API for Credential Management Guide describes how toinstall, configure and troubleshoot Web API, and how to use the security trustchain.

Important: WebAPI for Credential Management requires integration and supportfrom IBM partners.

Intended audienceThis publication is for system administrators who must install and configure WebAPI.

Readers must be familiar with the following topics:v Web APIv Security Trust Chain

What this publication containsThis publication contains the following sections:v “Web API overview,” on page 1

Provides an overview of the IBM Security Access Manager for Enterprise SingleSign-On Web API, including how to install and configure the Web API and theTivoli Federated Identity Manager Security Token Service (STS).

v Appendix A, “Troubleshooting Web API,” on page 25Lists the relevant error codes and log files necessary for troubleshooting WebAPI.

v Appendix B, “Password-based encryption,” on page 27Discusses the Web API encryption mechanism.

v Appendix C, “Security Token Service (STS) Universal User document,” on page31Describes the elements of the Security Token Service Universal User document.

PublicationsThis section lists publications in the IBM Security Access Manager for EnterpriseSingle Sign-On library. The section also describes how to access Tivoli®

publications online and how to order Tivoli publications.

IBM Security Access Manager for Enterprise Single Sign-Onlibrary

The following documents are available in the IBM Security Access Manager forEnterprise Single Sign-On library:v IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide,

CF38DML

© Copyright IBM Corp. 2002, 2012 v

Read this guide for a quick start on the main installation and configuration tasksto deploy and use IBM Security Access Manager for Enterprise Single Sign-On.

v IBM Security Access Manager for Enterprise Single Sign-On Planning and DeploymentGuide, SC23995203Read this guide before you do any installation or configuration tasks. This guidehelps you to plan your deployment and prepare your environment. It providesan overview of the product features and components, the required installationand configuration, and the different deployment scenarios. It also describes howto achieve high availability and disaster recovery.

v IBM Security Access Manager for Enterprise Single Sign-On Installation Guide,GI11930901Read this guide for the detailed procedures on installation, upgrade, oruninstallation of IBM Security Access Manager for Enterprise Single Sign-On.This guide helps you to install the different product components and theirrequired middleware, and also do the initial configurations required to completethe product deployment. It covers procedures for using virtual appliance,WebSphere® Application Server Base editions, and Network Deployment.

v IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide,GC23969201Read this guide if you want to configure the IMS Server settings, theAccessAgent user interface, and its behavior.

v IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide,SC23995103This guide is intended for the Administrators. It covers the differentAdministrator tasks. This guide provides procedures for creating and assigningpolicy templates, editing policy values, generating logs and reports, and backingup the IMS Server and its database. Use this guide together with the IBMSecurity Access Manager for Enterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide,SC23995303This guide is intended for Help desk officers. The guide helps Help desk officersto manage queries and requests from users usually about their authenticationfactors. Use this guide together with the IBM Security Access Manager forEnterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide,SC23969401Read this guide for the detailed descriptions of the different user, machine, andsystem policies that Administrators can configure in AccessAdmin. Use thisguide along with the IBM Security Access Manager for Enterprise SingleSign-On Administrator Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting andSupport Guide, GC23969301Read this guide if you have any issues with regards to installation, upgrade, andproduct usage. This guide covers the known issues and limitations of theproduct. It helps you determine the symptoms and workaround for the problem.It also provides information about fixes, knowledge bases, and support.

v IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide,SC23995603Read this guide if you want to create or edit profiles. This guide providesprocedures for creating and editing standard and advanced AccessProfiles for

vi IBM® Security Access Manager for Enterprise Single Sign-On: Web API for Credential Management

different application types. It also covers information about managingauthentication services and application objects, and information about otherfunctions and features of AccessStudio.

v IBM Security Access Manager for Enterprise Single Sign-On Provisioning IntegrationGuide, SC23995703Read this guide for information about the different Java™ and SOAP API forprovisioning. It also covers procedures for installing and configuring theProvisioning Agent.

v IBM Security Access Manager for Enterprise Single Sign-On Web API for CredentialManagement Guide, SC14764600Read this guide if you want to install and configure the Web API for credentialmanagement.

v IBM Security Access Manager for Enterprise Single Sign-On Lightweight AccessAgentmode on Terminal Server SDK Guide, SC14765700Read this guide for the details on how to develop a virtual channel connectorthat integrates AccessAgent with Terminal Services applications.

v IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide,SC14762600IBM Security Access Manager for Enterprise Single Sign-On has a ServiceProvider Interface (SPI) for devices that contain serial numbers, such as RFID.See this guide to know how to integrate any device with serial numbers and useit as a second authentication factor with AccessAgent.

v IBM Security Access Manager for Enterprise Single Sign-On Context ManagementIntegration Guide, SC23995403Read this guide if you want to install and configure the Context Managementsolution.

v IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995003This guide is intended for the end users. This guide provides instructions forusing AccessAgent and Web Workplace.

v IBM Security Access Manager for Enterprise Single Sign-On Error Message ReferenceGuide, GC14762400This guide describes all the informational, warning, and error messagesassociated with IBM Security Access Manager for Enterprise Single Sign-On.

Accessing terminology onlineThe IBM Terminology Web site consolidates the terminology from IBM productlibraries in one convenient location. You can access the Terminology Web site at thefollowing Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications onlineIBM posts publications for this and all other Tivoli products, as they becomeavailable and whenever they are updated, to the Tivoli Information Center Website at http://www.ibm.com/tivoli/documentation.

Note: If you print PDF documents on other than letter-sized paper, set the optionin the File > Print window that allows Adobe Reader to print letter-sized pages onyour local paper.

About this publication vii

http://www.ibm.com/software/globalization/terminology

http://www.ibm.com/tivoli/documentation

Ordering publicationsYou can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:v In the United States: 800-879-2755v In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivolipublications. To locate the telephone number of your local representative, performthe following steps:1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.2. Select your country from the list and click Go.3. Click About this site in the main panel to see an information page that

includes the telephone number of your local representative.

AccessibilityAccessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

For additional information, see "Accessibility features" in the IBM Security AccessManager for Enterprise Single Sign-On Planning and Deployment Guide.

Tivoli technical trainingFor Tivoli technical training information, see the following IBM Tivoli EducationWeb site at http://www.ibm.com/software/tivoli/education.

Tivoli user groupsTivoli user groups are independent, user-run membership organizations thatprovide Tivoli users with information to assist them in the implementation ofTivoli Software solutions. Through these groups, members can share informationand learn from the knowledge and experience of other Tivoli users. Tivoli usergroups include the following members and groups:v 23,000+ membersv 144+ groups

Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support informationIf you have a problem with your IBM software, you want to resolve it quickly. IBMprovides the following ways for you to obtain the support you need:

OnlineGo to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support AssistantThe IBM Support Assistant is a free local software serviceability workbench

viii IBM® Security Access Manager for Enterprise Single Sign-On: Web API for Credential Management

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss

http://www.ibm.com/software/tivoli/education

http://www.tivoli-ug.org

http://www.ibm.com/software/support/probsub.html

http://www.ibm.com/software/support/probsub.html

that helps you resolve questions and problems with IBM softwareproducts. The IBM Support Assistant provides quick access tosupport-related information and serviceability tools for problemdetermination. To install the IBM Support Assistant software, go tohttp://www.ibm.com/software/support/isa.

Troubleshooting GuideFor more information about resolving problems, see the IBM Security AccessManager for Enterprise Single Sign-On Troubleshooting and Support Guide.

Conventions used in this publicationThis publication uses several conventions for special terms and actions, operatingsystem-dependent commands and paths, and margin graphics.

Typeface conventionsThis publication uses the following typeface conventions:

Bold

v Lowercase commands and mixed case commands that are otherwisedifficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spinbuttons, fields, folders, icons, list boxes, items inside list boxes,multicolumn lists, containers, menu choices, menu names, tabs, propertysheets) and labels (such as Tip: and Operating system considerations:)

v Keywords and parameters in text

Italic

v Citations (examples: titles of publications, diskettes, and CDs)v Words defined in text (example: a nonswitched line is called a

point-to-point line)v Emphasis of words and letters (words as words example: "Use the word

that to introduce a restrictive clause."; letters as letters example: "TheLUN address must start with the letter L.")

v New terms in text (except in a definition list): a view is a frame in aworkspace that contains data.

v Variables and values you must provide: ... where myname represents....

Monospace

v Examples and code examplesv File names, programming keywords, and other elements that are difficult

to distinguish from surrounding textv Message text and prompts addressed to the userv Text that the user must typev Values for arguments or command options

Operating system-dependent variables and pathsThis publication uses the UNIX convention for specifying environment variablesand for directory notation.

When using the Windows command line, replace $variable with % variable% forenvironment variables and replace each forward slash (/) with a backslash (\) indirectory paths. The names of environment variables are not always the same in

About this publication ix

http://www.ibm.com/software/support/isa

the Windows and UNIX environments. For example, %TEMP% in Windowsenvironments is equivalent to $TMPDIR in UNIX environments.

Note: You can use the UNIX conventions if you are using the bash shell on aWindows system.

x IBM® Security Access Manager for Enterprise Single Sign-On: Web API for Credential Management

Web API overview

With the Web Application Programming Interface (Web API), you can create, read,update, or delete a user credential if you know the ISAM ESSO password of theuser.

Use the Tivoli Federated Identity Manager Security Token Service (STS) module ormodules to demonstrate the following operations:v Getting a user credential.v Getting a user credential updated after a specified date.v Getting a user credential for one authentication service.v Getting a user credential after a specified date for one authentication service.v Setting a user credential for an authentication service.v Deleting a user credential.

To access a web service, a request security token message is sent to TivoliFederated Identity Manager STS through WS-Trust. The IBM Security AccessManager for Enterprise Single Sign-On Web API uses WS-Trust protocol forsecurity token exchanges.

Tivoli Federated Identity Manager STS uses SOAP protocol and SSL security tocommunicate with the web service on IBM Security Access Manager for EnterpriseSingle Sign-On. Tivoli Federated Identity Manager STS responds with a requestsecurity token response message.

Installing and configuringInstall the Web API and the Tivoli Federated Identity Manager STS.

Note: This tutorial assumes that the Web API and the Tivoli Federated IdentityManager STS used to interact with the Web API are installed on separateWebSphere Application Server instances and profiles.

The following components are required for installing and configuring Web API andthe Tivoli Federated Identity Manager STS.v IMS Serverv Web API EAR file

– com.ibm.tamesso.webapi.wsEAR.earv Tivoli Federated Identity Manager plug-ins

– com.tivoli.am.fim.sts.modules.tamesso.jar– com.ibm.tamesso.webapi.wsClient.jar– com.ibm.tamesso.webapi.wsClientWrapper.jar– com.ibm.tamesso.webapi.contract.jar

The IMS Server and Tivoli Federated Identity Manager can be on the sameWebSphere Application Server. The custom STS modules that are inserted into theTivoli Federated Identity Manager make web services calls into IMS Server. TheSTS modules must be able to locate the IMS Server.

© Copyright IBM Corp. 2002, 2012 1

Installing the Web API EAR fileUpload the Web API EAR file in the WebSphere Application Server to install theWeb API.

About this task

Use WebSphere Application Server on Windows x86 or x64.

Procedure1. Start the administrative console. Select Start > All Programs > IBM

WebSphere > Application Server<version> > Profiles > <profile name> >Administrative console.

2. Log on to the Integrated Solutions Console.3. On the Integrated Solutions Console navigation pane, click Applications >

Applications > New Application.4. Click New Enterprise Application.

5. Specify the path for the EAR file to upload and install.You can select from either local or remote file system and then Browse to thelocation of the com.ibm.tamesso.webapi.wsEAR.ear file.

6. Click Next. The Preparing for the application installation page is displayed.7. Select either of the options.

v Fast Path - Prompt only when additional information is required

v Detailed - Show all installation options and parameters

8. Click Next.9. Retain the default values under Select installation options.

10. Click Next.11. For clusters and servers selections, Map modules to servers for both fast and

detail path.If you are using WebSphere Application Server stand-alone, you can use thedefault value.

12. Select com.ibm.tamesso.webapi.wsEAR.ear.13. Click Apply.14. Click Next.15. In the message box, click Save. Changes are saved to the master configuration.

Installing the Tivoli Federated Identity ManagerInstall and configure the Tivoli Federated Identity Manager on the installedWebSphere Application Server instance. Custom STS modules are inserted into theTivoli Federated Identity Manager to make web services calls into the IMS Server.

Before you begin1. Install WebSphere Application Server Version 7.0.0.9 (fix pack 9).

Download the WebSphere Application Server Version 7.0 fix pack 9 from:http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24025888

2. Install the WebSphere Application Server IFIX 7.0.0.3-WS-WAS-IFPM09018.pak.

Download the WebSphere Application Server interim fix from:http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24026593

2 IBM® Security Access Manager for Enterprise Single Sign-On: Web API for Credential Management

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24025888

http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24026593

Important: You must apply the correct fix pack and interim fix. Other fix packscan create issues with Tivoli Federated Identity Manager.

Procedure1. Install Tivoli Federated Identity Manager 6.2.1.0 on the installed WebSphere

Application Server instance.a. Run the Tivoli Federated Identity Manager 6.2.1.0 installer.b. Accept the default settings for feature selection. All required components

are installed.

For more information about the installation, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tivoli.fim.doc_6.2.1/ic/ic-homepage.html.

2. Configure the Tivoli Federated Identity Manager.a. Log on to the WebSphere Administrator Console at https://<IP

address>:<admin_port>/ibm/console/. The default admin port is 9043.b. Select Domains and create a domain.c. Set the newly created domain as the active management domain. A message

to restart WebSphere Application Server is displayed.d. Restart the WebSphere Application Server. Restarting applies the

configuration changes to the Tivoli Federated Identity Manager run time.3. Disable the WebSphere Application Server application security.

a. Log on to the WebSphere Administrator console at https://<IPaddress>:<admin port>/ibm/console/. The default value for <admin port> is9043.

b. Select Security > Global Security.c. Ensure that the Enable application security check box is cleared. If Enable

application security is selected, clear the check box and click Apply.d. Save the changes to the master configuration.e. Restart the WebSphere Application Server.

Enabling SSL between the two WebSphere instancesIf Tivoli Federated Identity Manager and Web API are installed in differentWebSphere Application Servers, you can enable SSL between the two WebSphereinstances.

Procedure1. Select Start > All Programs > IBM WebSphere > Application Server

<version> > Profiles > <profile name> > Administrative console.2. Log on to the IBM Integrated Solutions Console.3. On the Integrated Solutions Console navigation pane, select Security > SSL

certificate and key management.4. Under Related items, click Key stores and certificates.5. From the Keystore usages list, select SSL keystores.6. Click NodeDefaultTrustStore.7. Under Additional Properties, click Signer certificates.8. Click Retrieve from port.9. In General Properties, enter information in the following fields:

Host

Web API overview 3

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tivoli.fim.doc_6.2.1/ic/ic-homepage.html



Enter the Web API IMS Server hostname.

Port

Enter the SSL port number.

SSL configuration for outbound connection

Select NodeDefaultSSLSettings.

Alias

Enter an alias for the imported certificate. For example, webapi_root.10. Click OK.11. Click Save.

Deploying security token service modulesUse the Tivoli Federated Identity Manager management console to configure anddeploy a security token service.

Before you beginv Before you create a trust chain, you must understand the concepts of module

types, module instances, module modes, and trust service chains.v Install the Tivoli Federated Identity Manager management console. For the

procedure, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.1%2Ftask%2Finstallingconsole.html.

v For information about the installation and configuration of token exchangescenarios, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.1%2Fconcept%2FHowToCfgSTS.html.

About this task

Deploying STS modules involves creating instances of module types, andassembling module instances into a security trust service chain. Each module is setto one token handling task.

Procedure1. Copy these jar files to the <TFIM installation root path>/plugins directory:

v com.tivoli.am.fim.sts.modules.tamesso.jarv com.ibm.tamesso.webapi.contract.jarv com.ibm.tamesso.webapi.wsClient.jarv com.ibm.tamesso.webapi.wsClientWrapper.jar

2. Use the Tivoli Federated Identity Manager console to publish the modules:a. Expand the Tivoli Federated Identity Manager Options pane.b. Select Domain Management > Runtime Node Management.c. Click Publish Plug-In. A message prompts you to load configuration

changes.d. Click Load Configuration changes to Tivoli Federated Identity Manager

runtime.3. Create new instances of the custom STS modules:

a. In the Management Console, click Configure Trust Service > ModuleInstances.


http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.1%2Ftask%2Finstallingconsole.html



http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.1%2Fconcept%2FHowToCfgSTS.html



b. Click Create.c. Select a module type. For example: VerifyUser.d. Click Next.e. Type a name for each instance, for example VerifyUserInstance.f. Repeat steps b to d until you create the following module instances:

Module types Name each module instance

VerifyUser VerifyUserInstance

GetUserCredentials GetUserCredentialsInstance

SetUserCredentials SetUserCredentialsInstance

DeleteUserCredentials DeleteUserCredentialsInstance

EncryptUserCredentials EncryptUserCredentialsInstance

MultiUsernameToken MultiUsernameTokenInstance

g. Click Load configuration changes to Tivoli Federated Identity Managerruntime and wait for the process to complete. You must do this step beforeyou can use the modules in a security trust service chain.

4. Create the trust service chain.A trust service chain is a chain of modules operating in different modes, forexample validate, map and issue.a. In Management Console, click Configure Trust Service > Trust Service

Chains

b. Click Create.c. In the Chain Mapping Identification area, in Chain Mapping Name, type

EssoChain.d. Click Next.e. In Request Type, select Validate.f. In Lookup Type, select Use Traditional WS-Trust Elements (AppliesTo,

Issuer, and TokenType).g. In the AppliesTo area, in Address, type esso/*.h. In the Issuer area, in Address, type esso/.

i. In Token Type, select Any Token.5. Add the following module instances to the trust chain, and specify the mode in

the following sequence:

Order Module Instance Mode

1 VerifyUserInstance Validate

2 GetUserCredentialsInstance Map

3 SetUserCredentialsInstance Map

4 DeleteUserCredentialsInstance Map

5 EncryptUserCredentialsInstance Map

6 MultiUsernameTokenInstance Issue

VerifyUserInstanceIn Validate mode, the module instance extracts the UserName tokenfrom the Request Security Token (RST). The module also calls the IMSweb service to log on the user by using the IBM Security AccessManager for Enterprise Single Sign-On user name and password.

Web API overview 5

The VerifyUserInstance module finally sets the session and IBMSecurity Access Manager for Enterprise Single Sign-On user name andpassword to the STSUU.

Note: In Map mode, the module extracts the user name and passwordfrom the STSUU. The module also calls the IMS web service to log onby using the IBM Security Access Manager for Enterprise SingleSign-On user name and password. The VerifyUser module in Mapmode is not used in these examples.

GetUserCredentialsInstanceGets all the application user name and passwords for the user and addsthem to the Security Token Service Universal User (STSUU) document.To learn more about the STSUU, see Appendix C, “Security TokenService (STS) Universal User document,” on page 31

SetUserCredentialsInstanceSets the user credentials for a given authentication service.

DeleteUserCredentialsInstanceDeletes the user credentials when given the user name andauthentication service.

EncryptUserCredentialsInstanceEncrypts all the user credentials by using the Tivoli Access Managerpassword by employing password-based encryption. To learn moreabout password-based encryption, see Appendix B, “Password-basedencryption,” on page 27

MultiUsernameTokenInstanceGenerates a user name token for each user credential, then wraps eachtoken in a Request Security Token Response (RSTR) message. Themodule instance then wraps all the RSTR into a Request Security TokenResponse Collection (RSTR Collection).

6. Configure Module Instance Settings.VerifyUserInstance: Type the URL of the WebSphere instance on which theIBM Security Access Manager for Enterprise Single Sign-On API is installed.For example: http://<server_name>:9080

Note: Ensure that you enter the SSL port if you want the IBM Security AccessManager for Enterprise Single Sign-On API and the STS to communicate byusing SSL. The default SSL port is 9443.

7. Click Load configuration changes to Tivoli Federated Identity Managerruntime.

Using the security trust chainUse a single trust chain to perform the credential management tasks.

To perform each operation, see the value for the elements in the RST message:

To Value for elements in the RST message

Get all user credentials for a specific user Applies To: esso/get/


To Value for elements in the RST message

Get all user credentials for a specific userupdated after a certain date

Applies To: esso/get/

Claims:<date>

Note: <date> is the date in the XMLDateTime format.

Get user credentials for one authenticationservice

Applies To: esso/get/<authenticationservice>

Note: <authentication service> is theservice ID in ISAM ESSO, for example, anemail system.

Get user credentials updated after a certaindate for one authentication service

Applies To: esso/get/<authenticationservice>

Note: <authentication service> is the serviceID in ISAM ESSO, for example, an emailsystem.

Claims:<date>Note: <date> is the date in the XMLDateTime format.

Set user credentials for one authenticationservice

Applies To: esso/set/<authenticationservice>

Note: <authentication service> is theservice ID in ISAM ESSO. For example, anemail system. <authentication service> canalso be a new personal authenticationservice ID that you want to create.

Delete user credentials Applies To: esso/delete/<user id>

Testing the security trust chainTest the security trust chain to verify if the credential management tasks areworking.

Procedure1. For each operation, create the RST message and save it. You can create the

rst.xml from the RST samples described in:v “Getting a user credential” on page 8v “Getting a user credential updated after a specified date” on page 13v “Getting a user credential for an authentication service” on page 16v “Getting a user credential updated after a specified date for one

authentication service” on page 20v “Deleting user credentials (Web API)” on page 23v “Setting a user credential for an authentication service” on page 19

Note: The trust chain is configured to validate requests. All RST messages tothe web service:v Must have the RequestType element set to Validate.v Must contain a ValidateTarget element with the ISAM ESSO username and

password.

Web API overview 7

rst.xml file example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"><soapenv:Header/><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>

.

.

.<wst:ValidateTarget>

<wss:UsernameTokenwsu:Id="username8a2fcf7b-0128-124a-b5d0-adafae3d9ad1"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>user1</wss:Username><wss:Password>p@ssw0rd</wss:Password>

</wss:UsernameToken></wst:ValidateTarget>

.

.

.</wst:RequestSecurityToken></soapenv:Body>

</soapenv:Envelope>

Note:

v If password synchronization with enterprise directory is enabled in the IMSServer, logon occurs with the enterprise directory credentials.

v If system secrets are also enabled and the enterprise password is changed,the IMS Server password and Wallet for the user is updated.

v If the enterprise directory password has expired or needs to be changed,appropriate error codes are returned to the user. See Appendix A,“Troubleshooting Web API,” on page 25.

2. In a console, run the following command:curl --header "soapaction: anything" --data-binary @rst.xmlhttp://localhost:9080/TrustServer/SecurityTokenService > rstr.xml

The curl command:v Sends a Request Security Token (RST) message in the form of an XML file.v Calls the Tivoli Federated Identity Manager to respond with a Request

Security Token Response (RSTR) message.The message is stored in rstr.xml file.

3. Open the rstr.xml file.The file rstr.xml contains the Request Security Token Response (RSTR)message.The status code and description are stored in the RSTR message. For the list ofrelevant status codes and descriptions, see Appendix A, “Troubleshooting WebAPI,” on page 25.

Getting a user credentialUse a security trust chain to get all the credentials for a user.

rst.xml fileUse the example RST message to get user credentials with the STS modules.

This RST and the example chain do not use the optional TokenType for matchingchains. To use the RST message, see “Using the security trust chain” on page 6.


Note: The ampersand character (&) is not a valid XML character. The rst.xml filemust not contain this character. Otherwise, it will cause an error.

Content Description

<wst:ValidateTarget><wss:UsernameToken ...><wss:Username>user1</wss:Username><wss:Password>password</wss:Password>

... </wss:UsernameToken></wst:ValidateTarget>

The wss:UserNameToken element contains theISAM ESSO user name and password.wss:UserNameToken is stored in theValidateTarget element of the RST.

In the following example of an RST messagein the ValidateTarget element, user1 andpassword are specified as the username andpassword. If the logon fails because ofvalues that are not correct, the STS chainreturns an Invalid Username or Passwordstatus.

<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/

trust/Validate</wst:RequestType>

The wst:RequestType must be set to validatebecause the trust chain was configured tovalidate requests.

<wst:Issuer><wsa:Address>esso/</wsa:Address></wst:Issuer>

The address for the issuer is the value youspecified when configuring the chain. Forexample: esso/.

<wsp:AppliesTo>...<wsa:Address>esso/get/</wsa:Address>...</wsp:AppliesTo>

The AppliesTo address must be esso/get/.

Example<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<soapenv:Header/><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType><wst:Issuer><wsa:Address>esso/</wsa:Address></wst:Issuer><wsp:AppliesTo><wsa:EndpointReference><wsa:Address>esso/get/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>

<wst:ValidateTarget><wss:UsernameToken wsu:Id="username8a2fcf7b-0128-124a-b5d0-adafae3d9ad1"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wss:Username>user1</wss:Username><wss:Password>password</wss:Password><wsu:Created>2010-05-25T01:45:08Z</wsu:Created></wss:UsernameToken></wst:ValidateTarget></wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>

rstr.xml fileThe rstr.xml file contains the response from the Tivoli Federated Identity ManagerSTS test after an RST message is sent to the service.

The RSTR content has the following characteristics:

Web API overview 9

v The message response from the STS is in the form of a Request Security TokenResponse Collection (RSTRC). The collection consists of multiple independentRequest Security Token Response (RSTR) elements.Example of a Request Security Token Response Collection:<wst:RequestSecurityTokenResponseCollection ...><wst:RequestSecurityTokenResponse ...> ...</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>

v Each RSTR contains a UsernameToken for one authentication service. Theauthentication service is mentioned in the second AppliesTo element of eachRSTR.

v The 'Salt' used for Password-Based Encryption (PBE) is in the Nonce field of theUsernameToken. See Appendix B, “Password-based encryption,” on page 27.

v The status is in the wst:status element of the RSTR.

Example<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header /><soapenv:Body><wst:RequestSecurityTokenResponseCollection xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dc72a-012a-14c4-9b65-b007b664caa0"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference><wsa:Address>esso/get/</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo><wst:Status> <wst:Code>0x00000000</wst:Code>

<wst:Reason>Credentials Successfully Fetched</wst:Reason></wst:Status></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce6f-012a-1937-b2e6-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesToxmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">


</wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="usernamed05dce6e-012a-1824-afcf-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user0</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">262FBFGv6RFz/aQLNo+bTGS7yFQ=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">w2bP1aUShGvBw1BmIFI1cg==</wss:Password></wss:UsernameToken>

</wst:RequestedSecurityToken><wsp:AppliesToxmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference><wsa:Address>dir_notes0</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo></wst:RequestSecurityTokenResponse>

<wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce71-012a-1d47-b129-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wsp:AppliesToxmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">


</wsp:AppliesTo><wst:RequestedSecurityToken>

<wss:UsernameToken wsu:Id="usernamed05dce70-012a-1c34-bf3e-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user1</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">FjKLvY4sanhFHgf4jwErvpsostg=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">xeAhpgKD9/gg5mpcIBLBKA==</wss:Password></wss:UsernameToken></wst:RequestedSecurityToken><wsp:AppliesToxmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">



<wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce73-012a-1b21-9d29-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">



</wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="usernamed05dce72-012a-1a0d-ab81-b007b664caa0"

xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user2</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">exqgk1beWmB4QAHIaoUNCyBvfxc=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">eNpik0bz2ctC31pbUkddRw==</wss:Password></wss:UsernameToken></wst:RequestedSecurityToken><wsp:AppliesToxmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">



<wst:RequestSecurityTokenResponsewsu:Id="uuidd05dce75-012a-1193-98ee-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">



</wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="usernamed05dce74-012a-1080-8b16-b007b664caa0"


<wss:Username>app_user3</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">4m4Drdt1SNqjmKt3IDNWHb8rl3Q=</wss:Nonce>

<wss:Password Type="PBEwithSHA-256andAES-128">Yg6BdbItSHy2GT2Y02Z3Fw==</wss:Password></wss:UsernameToken>




<wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce77-012a-1f6d-94c6-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">



</wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="usernamed05dce76-012a-1e5a-8afd-b007b664caa0"

Web API overview 11


<wss:Username>app_user4</wss:Username>

<wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iTq4h9PxL21VpXvLoY8ctFyQ6Ak=</wss:Nonce>

<wss:Password Type="PBEwithSHA-256andAES-128">6R8d4wmV9pWwMdDc5MMYmg==</wss:Password></wss:UsernameToken>



</wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce79-012a-15e0-bab1-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">




<wss:UsernameToken wsu:Id="usernamed05dce78-012a-14cc-a90c-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user5</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01-200401-wss-soap-message-security-1.0#Base64Binary">eLShBvgzMlRVrJNONBs7s40w+Zk=</wss:Nonce>

<wss:Password Type="PBEwithSHA-256andAES-128">ZkC1CMcyh0fEiVy5Gs2Dzw==</wss:Password></wss:UsernameToken>

</wst:RequestedSecurityToken>



</wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce7b-012a-13b9-a6af-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">




<wss:UsernameToken wsu:Id="usernamed05dce7a-012a-12a6-96a2-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user6</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AYRVH0fb08dfSm0mMh5jSwnfuUg=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">I+6R63rtCLmj41HVHdCUbQ==</wss:Password></wss:UsernameToken>



</wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce7d-012a-1a2c-960b-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">





<wss:UsernameToken wsu:Id="usernamed05dce7c-012a-1919-afae-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user7</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">qtJwksZRZqSLMb//xR+kKJQHap0=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">GcpnTkwGIf740a0HuWZPlw==</wss:Password></wss:UsernameToken>



</wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce7f-012a-1806-96ec-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">




<wss:UsernameToken wsu:Id="usernamed05dce7e-012a-16f3-b2e2-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user8</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Yg/VfWMr5qw2M7/us6GWqrzxp18=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">yvtkFmnpeTtBrWFfsk48Qg==</wss:Password></wss:UsernameToken>

</wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">


</wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd05dce81-012a-1dc2-bb21-b007b664caa0"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">




<wss:UsernameToken wsu:Id="usernamed05dce80-012a-1caf-9103-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>app_user9</wss:Username><wss:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">oKW67zrzn7QzF83LO7ERFgHzOmY=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">kYJReye6L4bMJSDd5U+1QQ==</wss:Password></wss:UsernameToken>



</wsp:AppliesTo></wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection></soapenv:Body></soapenv:Envelope>

Getting a user credential updated after a specified dateUse a security trust chain to get all the updated credentials of a user. Get thecredentials that are updated after a specified date.

Web API overview 13

rst.xmlUse the example RST message to get a user credential updated after a specifieddate with the STS modules.

This RST and the example chain do not use the optional TokenType for matchingchains. To use the RST message, see “Using the security trust chain” on page 6.


Content Description

<wst:ValidateTarget><wss:UsernameToken...><wss:Username>user1 </wss:Username><wss:Password>password </wss:Password>...


The wss:UserNameToken element contains theISAM ESSO user name and password. Thewss:UserNameToken is stored in theValidateTarget element of the RST.

In the following example of an RSTmessage, user1 and password are specifiedas the username and password. If the logonfails because of values that are not correct,the STS chain returns an Invalid Usernameor Password status.



The wst:RequestType must be set to validatebecause the trust chain was configured tovalidate requests.



<wsp:AppliesTo>...<wsa:Address>esso/get/</wsa:Address>...

</wsp:AppliesTo>

The AppliesTo address must be esso/get/.

<wst:Claims><AccountUpdatedAfter>2011-05-22T12:33:00Z</AccountUpdatedAfter></wst:Claims>

In this example, the AccountUpdatedAfternode must be set to the date value,2011-05-22T12:33:00Z

Example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"><soapenv:Header /><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType><wst:Issuer><wsa:Address>esso/</wsa:Address>

</wst:Issuer><wsp:AppliesTo><wsa:EndpointReference><wsa:Address>esso/get/</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo><wst:ValidateTarget><wss:UsernameToken wsu:Id="username8a2fcf7b-0128-124a-b5d0-adafae3d9ad1"

xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401- wss-wssecurity-secext-1.0.xsd"


xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wss:Username>user1</wss:Username><wss:Password>p@ssw0rd</wss:Password>

</wss:UsernameToken></wst:ValidateTarget><wst:Claims><AccountUpdatedAfter>2011-05-22T12:33:00Z</AccountUpdatedAfter> </wst:Claims>

</wst:RequestSecurityToken></soapenv:Body>

</soapenv:Envelope>

rstr.xmlThe rstr.xml file contains the response from the STS test after an RST message issent to get a credential after a specified date.

The RSTR content has the following characteristics:v The message response from the STS is in the form of a Request Security Token

Response Collection (RSTRC). The collection consists of multiple independentRequest Security Token Response (RSTR) elements.Example of a Request Security Token Response Collection:<wst:RequestSecurityTokenResponseCollection ...><wst:RequestSecurityTokenResponse ...> ...</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>




Example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Header /><soapenv:Body>

<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestSecurityTokenResponse wsu:Id="uuid2f8e7b3c-0130-14ff-87b9-f88a0599ea80"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">


<wsa:EndpointReference><wsa:Address>esso/get/</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo><wst:Status>

<wst:Code>0x0</wst:Code><wst:Reason>Account Credentials retrieved successfully</wst:Reason>

</wst:Status></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuid2f8e7dce-0130-1314-85e4-f88a0599ea80"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">



</wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="username2f8e7dcd-0130-164e-a8fc-f88a0599ea80"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>user2</wss:Username><wss:Nonce

EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Nl1h9u+vT1u06/OfbiunwrAfEy0=</wss:Nonce>

<wss:Password Type="PBEwithSHA-256andAES-128">Hl12u2zsoVPvD4kcpj6s0A==</wss:Password></wss:UsernameToken></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"

Web API overview 15

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference>

<wsa:Address>mail</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuid2f8e7dd0-0130-1724-93c5-f88a0599ea80"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">


</wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="username2f8e7dcf-0130-1427-917a-f88a0599ea80"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">


EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">W3PBe5qjpb+XiS4Md1REIP9mBpw=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">3aZu1VwBRY4MeByUpRm3rQ==</wss:Password>

</wss:UsernameToken></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference><wsa:Address>notes</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuid2f8e7dd2-0130-14fd-b898-f88a0599ea80"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">



</wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken>

<wss:UsernameToken wsu:Id="username2f8e7dd1-0130-1837-b349-f88a0599ea80"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">


EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">UrZoQGodbzS/EPlFSkaXiZPkFf4=</wss:Nonce>

<wss:Password Type="PBEwithSHA-256andAES-128">bA9gvoiAPfT46tFh/lxxgg==</wss:Password></wss:UsernameToken>

</wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">-<wsa:EndpointReference>

<wsa:Address>dir_skype</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>

</wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuid2f8e7dd4-0130-1b70-af1a-f88a0599ea80"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">


</wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken><wss:UsernameToken wsu:Id="username2f8e7dd3-0130-1611-96d0-f88a0599ea80"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">


EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">tz5f6KP56AZ3jXEnnRFejSGcodc=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">ki40fjbr8H9RRtr0hPbu7Q==</wss:Password>


<wsa:EndpointReference><wsa:Address>dir_ibm.example.com</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>

</soapenv:Body></soapenv:Envelope>

Getting a user credential for an authentication serviceUse Web API to get all the user credentials for an authentication service.


rst.xml fileUse the example RST message to get credentials for an authentication service.

The RST and example chain do not use the optional TokenType for matchingchains. To use the sample RST message to send a service request, see “Using thesecurity trust chain” on page 6.


Content Description

<wst:ValidateTarget><wss:UsernameToken ...>...





The RequestType element is set to validatebecause the trust chain is configured tovalidate requests.


The issuer address must have an addressthat matches the value specified whenconfiguring the chain. For example: esso/.

<wsp:AppliesTo>...<wsa:Address>esso/get/<authentication service>... </wsp:AppliesTo>

The wsp:AppliesTo element address must beesso/get/<authentication service>. The<authentication service> is the service ID inISAM ESSO. For example: mail, for an emailsystem.

<wss:Username>user1</wss:Username><wss:Password>password</wss:Password>

The wss:Username element contains theISAM ESSO user name.

The wss:Password element contains theISAM ESSO password.

Example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><soapenv:Header/><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType><wst:Issuer><wsa:Address>esso/</wsa:Address></wst:Issuer><wsp:AppliesTo>

<wsa:EndpointReference><wsa:Address>esso/get/mail</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:ValidateTarget><wss:UsernameToken

wsu:Id="username8a2fcf7b-0128-124a-b5d0-adafae3d9ad1"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<wss:Username>user1</wss:Username><wss:Password>password</wss:Password><wsu:Created>2010-05-25T01:45:08Z</wsu:Created>

Web API overview 17

</wss:UsernameToken> </wst:ValidateTarget></wst:RequestSecurityToken>


rstr.xml fileThe rstr.xml file contains the response from the STS test to get a user credentialfrom an authentication service.

The message response has the following characteristics:v The response from the STS is in the form of a Request Security Token Response

Collection (RSTRC). The collection consists of multiple independent RequestSecurity Token Response (RSTR) elements.Example of a Request Security Token Response Collection:<wst:RequestSecurityTokenResponseCollection...><wst:RequestSecurityTokenResponse...>...</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>

v Each RSTR contains a UsernameToken for 1 authentication service.v The authentication service is mentioned in the second AppliesTo element of each

RSTR.v The status is in the wst:status element of the RST.

Example<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Header/><soapenv:Body>

<wst:RequestSecurityTokenResponseCollectionxmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">

<wst:RequestSecurityTokenResponse wsu:Id="uuidd058f7b8-012a-110c-afe2-b007b664caa0"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">


<wsa:EndpointReference><wsa:Address>esso/get/mail</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo>

<wst:Status><wst:Code>0x00000000</wst:Code><wst:Reason>Credentials Successfully Fetched</wst:Reason>

</wst:Status> </wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuidd058fad6-012a-1ae4-9fe0-b007b664caa0"

xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesTo

xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference><wsa:Address>esso/get/mail</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo><wst:RequestedSecurityToken>

<wss:UsernameToken wsu:Id="usernamed058fad5-012a-1e1d-b48c-b007b664caa0"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wss:Username>app_user0</wss:Username><wss:Nonce

EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">0+Nx140dzSSQHPqFfa8xxlAUdN8=

</wss:Nonce> <wss:Password Type="PBEwithSHA-256andAES-128">dmISqch7uCsCw7xr/URYjw==</wss:Password></wss:UsernameToken> </wst:RequestedSecurityToken>


<wsa:EndpointReference><wsa:Address>mail</wsa:Address>



</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>


Setting a user credential for an authentication serviceUse a security trust chain to set the user credentials for an authentication service. Ifthe authentication service does not exist, create a personal authentication servicefor the user and then save the credentials.

rst.xml fileUse the example RST message content to set user credentials for an authenticationservice.

This RST and the example chain do not use the optional TokenType for matchingchains. To test the RST message, see “Using the security trust chain” on page 6.


Content Description

<wst:ValidateTarget><wss:UsernameToken ...><wss:Username>user1</wss:Username><wss:Password>password</wss:Password>...</wss:UsernameToken></wst:ValidateTarget>

The wss:UserNameToken element contains theISAM ESSO user name and password. Thewss:UserNameToken is in the ValidateTargetelement of the RST.

In the following example of an RST messagein ValidateTarget element, user1 andpassword are specified as the username andpassword. If the logon fails because ofvalues that are not correct, the STS chainreturns an Invalid Username or Passwordstatus.



Set RequestType to validate because the trustchain is configured to validate requests.

<wst:Issuer><wsa:Address>esso/

</wsa:Address></wst:Issuer>

The address of the issuer must be the valueyou specified when configuring the chain.For example: esso/.

<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>esso/set/mail</wsa:Address>


The AppliesTo address isesso/set/<authentication service>. The<authentication service> is the service IDin ISAM ESSO. For example: mail. It canalso be a new service ID that a user createsfor themselves.

<wst:Base><wss:UsernameToken ...>...

</wss:UsernameToken></wst:Base>

The UsernameToken containing thecredentials to be set is put in the wst:Baseelement of the RST.

Example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"

Web API overview 19

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><soapenv:Header/><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType><wst:Issuer><wsa:Address>esso/</wsa:Address>

</wst:Issuer><wsp:AppliesTo><wsa:EndpointReference><wsa:Address>esso/set/mail</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo><wst:ValidateTarget><wss:UsernameToken



<wsu:Created>2010-05-25T01:45:08Z</wsu:Created></wss:UsernameToken>

</wst:ValidateTarget><wst:Base><wss:UsernameTokenwsu:Id="username8a2fcf7b-0128-124a-b5d0-adafae3d9ad1"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">



</wst:Base></wst:RequestSecurityToken>


rstr.xml fileThe rstr.xml file contains the response from the STS test to set a user credentialfor an authentication service.v The status (whether setting credentials was a success or a failure) is reflected in

the wst:Status element.

Example<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header/><soapenv:Body><wst:RequestSecurityTokenResponse wsu:Id="uuidd06e666a-012a-150a-8eb8-b007b664caa0"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesToxmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference><wsa:Address>esso/set/mail</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Status>

<wst:Code>0x00000000</wst:Code><wst:Reason>Setting of Credential Successful</wst:Reason>

</wst:Status> </wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>

Getting a user credential updated after a specified date forone authentication service

Use a security trust chain to get all the updated credentials of a user. Get thecredentials that are updated after a specified date.


rst.xml fileUse the example RST message to get user credentials with the STS modules.

The RST and the example chain do not use the optional TokenType for matchingchains. To use the RST message, see “Using the security trust chain” on page 6.


Content Description

<wst:ValidateTarget><wss:UsernameToken...><wss:Username>user1</wss:Username><wss:Password>password</wss:Password>...</wss:UsernameToken></wst:ValidateTarget>


In the following example RST message , inValidateTarget element, user1 and passwordare specified as the username and password.If the logon fails because of values that arenot correct, the STS chain returns an InvalidUsername or Password status.



The wst:RequestType must be set tovalidate because the trust chain wasconfigured to validate requests.



<wsp:AppliesTo>...<wsa:Address>esso/get/<authentication service></wsa:Address>...</wsp:AppliesTo>

The AppliesTo address must beesso/get/<authentication service>. The<authentication service> is the service IDin ISAM ESSO. For example: mail, for anemail system.

<wss:Username>user1</ wss:Username><wss:Password>password</ wss:Password>

The wss:Username element contains theISAM ESSO user name.

The wss:Password element contains theISAM ESSO password.

<wst:Claims> <AccountUpdatedAfter>2011-05-22T12:33:00Z</AccountUpdatedAfter></wst:Claims>

For example, the ClaimsAccountUpdatedAfter node must be set tothe date value, 2011-05-22T12:33:00Z.

Example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"><soapenv:Header /><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType><wst:Issuer><wsa:Address>esso/</wsa:Address></wst:Issuer><wsp:AppliesTo><wsa:EndpointReference>

Web API overview 21

<wsa:Address>esso/get/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:ValidateTarget><wss:UsernameToken wsu:Id="username8a2fcf7b-0128-124a-b5d0-adafae3d9ad1"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wss:Username>test22</wss:Username><wss:Password>p@ssw0rd</wss:Password>

</wss:UsernameToken></wst:ValidateTarget><wst:Claims><AccountUpdatedAfter>2011-05-22T12:33:00Z</AccountUpdatedAfter></wst:Claims>

</wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>

rstr.xml fileThe rstr.xml file contains the response from the STS test to get a credentialupdated after a specified date.

The RSTR content has the following characteristics:v The message response from the STS is in the form of a Request Security Token

Response Collection (RSTRC). The collection consists of multiple independentRequest Security Token Response (RSTR) elements.Example of a Request Security Token Response Collection:<wst:RequestSecurityTokenResponseCollection ...><wst:RequestSecurityTokenResponse ...> ...</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>




Example<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header /><soapenv:Body><wst:RequestSecurityTokenResponseCollection xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">

<wst:RequestSecurityTokenResponse wsu:Id="uuid2fb0cee5-0130-1e07-86b2-dcb8f1d2f433"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference><wsa:Address>esso/get/mail</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo><wst:Status>


</wst:Status></wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse wsu:Id="uuid2fb0d03e-0130-1b95-bfdd-dcb8f1d2f433"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference><wsa:Address>esso/get/mail</wsa:Address></wsa:EndpointReference>


<wss:UsernameToken wsu:Id="username2fb0d03d-0130-1ecf-9049-dcb8f1d2f433"xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wss:Username>user2</wss:Username><wss:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/


oasis-200401-wss-soap-message-security-1.0#Base64Binary">veFaIFIzRoD6PqG7/F67a2M9Xdc=</wss:Nonce><wss:Password Type="PBEwithSHA-256andAES-128">j03hcXeHYZmRjdWpXvu8+Q==</wss:Password>


<wsa:EndpointReference><wsa:Address>mail</wsa:Address></wsa:EndpointReference>


</wst:RequestSecurityTokenResponseCollection></soapenv:Body></soapenv:Envelope>

Deleting user credentials (Web API)Delete the user credentials for a given user name.

rst.xml fileUse the example RST to delete a user.


Content Description

<wst:ValidateTarget><wss:UsernameToken ...>...</wss:UsernameToken></wst:ValidateTarget>

The UsernameToken containing the ESSOusername/password is put in theValidateTarget element of the RST.



The wst:RequestType should be set toValidate since the TrustChain wasconfigured to Validate requests.

<wst:Issuer><wsa:Address>esso/</wsa:Address> </wst:Issuer>

The issuer address must have an addressthat matches the value specified whenconfiguring the chain, for example, esso/.

<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>esso/delete/mail</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>

The AppliesTo Address must beesso/delete/<authentication service>where <authentication service> is theauthentication service for which thecredential are to be deleted. For example,esso/delete/mail.

<wss:UsernameToken...>...</wss:UsernameToken>

The UsernameToken containing thecredentials to be deleted is put in the Baseelement of the RST. The password andcreated elements of this token are notsignificant. These can be omitted.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><soapenv:Header/><soapenv:Body><wst:RequestSecurityToken><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType><wst:Issuer><wsa:Address>esso/</wsa:Address>

</wst:Issuer><wsp:AppliesTo><wsa:EndpointReference>

Web API overview 23

<wsa:Address>esso/delete/mail</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo><wst:Base>

<wss:UsernameTokenwsu:Id="username8a2fcf8c-0128-124a-b5d0-adafae3d9ad4"


<wss:Username>userX2</wss:Username><wss:Password>p@ssw0rd1</wss:Password>


</wst:Base><wst:ValidateTarget><wss:UsernameToken


<wss:Username>imsTest3</wss:Username><wss:Password>p@ssw0rd1</wss:Password>


</wst:ValidateTarget></wst:RequestSecurityToken>


rstr.xml fileThe rstr.xml file contains the response from the STS test to delete a user.

Item Description

<wst:Status> <wst:Code>0x0</wst:Code><wst:Reason>Account Credentialsretrieved successfully</wst:Reason></wst:Status>

The status of whether setting of credentialswas successful or unsuccessful is reflected inthe wst:Status element of the RST.

<soapenv:Envelopexmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header/><soapenv:Body><wst:RequestSecurityTokenResponse wsu:Id="uuid145c7e1f-012d-1b3f-b991-fccbe5dc5e42"xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference><wsa:Address>esso/get/dir_skype</wsa:Address>

</wsa:EndpointReference></wsp:AppliesTo><wst:Status>


</wst:Status></wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>


Appendix A. Troubleshooting Web API

Use the system and trace logs to troubleshoot possible problems and solutions.

The relevant error codes for the different tasks are:v Success : 0x00000000v Invalid login : 0x53000250v Enterprise directory password must be changed : 0x530003061

v Enterprise directory password expired : 0x530003152

v Invalid authentication service : 0x53008150v Unknown authentication service : 0x53008101v User not logged in : 0x53009301

v Unexpected error : 0x53009300

v Illegal argument : 0x53008405

Note: This error code is typically encountered when one or more arguments arenull.

v Datastore exception : 0x23005000

v Account not found (for delete operation) : 0x53008403

Note: This error code is typically encountered during deletion of account.

The SystemOut.log and SystemErr.log logs are located in <was_home>\profiles\AppSrv14\logs\server1. For example:C:\Program Files\IBM\WebSphere\AppServer7.0\profiles\AppSrv14\logs\server1.

Out-of-memory error

If you encounter an out-of- memory issue while deploying Web API, increase theJVM maximum heap size to at least 1024MB.

1. Applicable when Active Directory password sync is enabled.

2. Applicable when Active Directory password sync is enabled.



Appendix B. Password-based encryption

Web API uses a password-based encryption process to encrypt all applicationpasswords, which are returned in the RequestSecurityTokenCollection.

The encryption process generates a secret key from the ISAM ESSO password. Theencryption process uses a collection of random bytes called salt when generatingthe secret key. The secret key encrypts the application passwords by using anAES-128 bit encryption algorithm. The algorithm generates a key according to thefollowing process:1. Append the salt to the password and generate a hash by using the SHA-256

algorithm.2. Append the salt to the digest and generate the hash by using the SHA-256

algorithm. Repeat this process 1000 times.

The key is the first 16 bytes of the final digest.

CryptoUtil.java fileUse the CryptoUtils class to decrypt application passwords and return thepassword as plain text. Call the getDecryptedAppPassword method with theencryptedAppPassword, the salt, and the ISAM ESSO password.import javax.crypto.*;import javax.crypto.spec.SecretKeySpec;import java.security.*;import java.util.logging.*;

/** Password-Based Encryption(PBE)

* In this class we are using the ISAMESSO password to encrypt the application* passwords which are returned in the RSTR. In this process we generate a secret key* using the ISAMESSO password and a collection of random bytes called the ’Salt’. This* key is then used to encrypt the application password using the AES-128 encryption* algorithm.* The algorithm to generate the key is as follows:* 1. Append the Salt(a collection of random bytes) to the password and generate a hash* using the SHA-256 hashing algorithm.* 2. Append the Salt to the digest and generate the hash using the SHA-256 algorithm.* Repeat this process 1000 times.* 3. The first 16 bytes of the final digest is our key.*** This class provides functions to implement PBE*/public class CryptoUtils {

/**This decrypts the encryptedAppPassword and returns it as plain-text. It converts* the byte array returned by decrypt into UTF-8* @param Encrypted Application Password* @param Salt* @param Esso Password* @return Decrypted Application Password*/

private static final String CLASS = CryptoUtils.class.getName();private static final Logger log = Logger.getLogger(CLASS);

private static final String ENCRYPTION_ALGO = "AES";private static final String HASHING_ALGO = "SHA-256";private static final String PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS";//JCE providerprivate static final String ENCODING = "UTF-8";private static final int ITERATIONS = 1000;//number of ITERATIONS for generating the Secret Key


public static String getDecryptedAppPassword(String encryptedAppPassword,String salt,String essoPassword)

throws IllegalArgumentException{String methodName_ = "getDecryptedAppPassword()";log.entering(CLASS, methodName_);if(encryptedAppPassword==null||salt==null||essoPassword==null) throw

new IllegalArgumentException("One or more of the parameters are Null");String result = null;try{Security.addProvider((Provider) ((Class.forName(PROVIDER))

.newInstance()));byte[] encryptedAppPassword1 = Base64.decode(encryptedAppPassword);byte[] salt1 = Base64.decode(salt);byte[] arr = decrypt(essoPassword.getBytes(ENCODING),encryptedAppPassword1,salt1);result = new String(arr,ENCODING);log.exiting(CLASS,methodName_);}catch(Exception e){log.log(Level.WARNING,e.getMessage(),e);}return result;}

/**This decrypts the encryptedAppPassword and returns it as a byte array* given the Salt and the essoPassword using PBE* @param essoPassword* @param appPassword* @param salt* @return De-crypted Application Password as an array of bytes*/public static byte[] decrypt(byte[] essoPassword,byte[] appPassword,byte[] salt)throws IllegalArgumentException{String methodName_ = "decrypt";log.entering(CLASS, methodName_);if(essoPassword==null||appPassword==null||salt==null) throw

new IllegalArgumentException("One or more of the parameters are Null");byte[] result = null;try{if(essoPassword==null||appPassword==null||salt==null) throw

new NullPointerException();SecretKey key = generateKey(essoPassword,salt);Cipher aesCipher;aesCipher = Cipher.getInstance(ENCRYPTION_ALGO);aesCipher.init(Cipher.DECRYPT_MODE,key);log.exiting(CLASS,methodName_);result = aesCipher.doFinal(appPassword);}catch(Exception e){log.log(Level.WARNING,e.getMessage(),e);}return result;}

/**This encrypts the AppPassword and returns it as a byte array given the* Salt and the essoPassword using PBE* @param essoPassword* @param appPassword* @param salt* @return De-crypted Application Password as an array of bytes* @throws IllegalArgumentException*/public static byte[] encrypt(byte[] essoPassword,byte[] appPassword,byte[] salt)throws IllegalArgumentException{String methodName_ = "encrypt";log.entering(CLASS,methodName_);if(essoPassword==null||appPassword==null||salt==null) throw

new IllegalArgumentException("One or more of the parameters are Null");byte[] result = null;try{SecretKey key = generateKey(essoPassword,salt);Cipher aesCipher;aesCipher = Cipher.getInstance("AES");aesCipher.init(Cipher.ENCRYPT_MODE,key);


log.entering(CLASS,methodName_);result = aesCipher.doFinal(appPassword);}catch(Exception e){log.log(Level.WARNING,e.getMessage(),e);}return result;}

/**This generates the secret key given the essoPassword and Salt using PBE* @param essoPassword* @param salt* @return SecretKey obtained from the ESSO password using PBE* @throws IllegalArgumentException*/public static SecretKey generateKey(byte[] essoPassword,byte[] salt)throws IllegalArgumentException{String methodName_ = "generateSecretKey";log.entering(CLASS, methodName_);if(essoPassword==null||salt==null) throw new IllegalArgumentException("One or more of the parameters are Null");SecretKey aesKey = null;try{essoPassword = append(essoPassword,salt);SecretKeyFactory factory = SecretKeyFactory.getInstance(ENCRYPTION_ALGO);MessageDigest md = MessageDigest.getInstance(HASHING_ALGO);byte[] hashedKey = md.digest(essoPassword);for(int i=0;i<ITERATIONS-1;i++){

hashedKey = append(hashedKey,salt);hashedKey = md.digest(hashedKey);

}SecretKeySpec keySpec = new SecretKeySpec(hashedKey,0,16,HASHING_ALGO);aesKey = factory.generateSecret(keySpec);}catch(Exception e){log.log(Level.WARNING,e.getMessage(),e);}return aesKey;}

/**This appends the second byte array to the first one.* @param array1* @param array2* @return array2 appended to array1*/private static byte[] append(byte[] array1,byte[] array2){byte[] array3 = new byte[array1.length+array2.length];int index = 0;for(int i=0;i<array1.length;i++){array3[index++] = array1[i];}for(int i=0;i<array2.length;i++){array3[index++] = array2[i];}return array3;}}

Base64.java fileUse the Base64 class to provide methods for Base64 encoding and decodingschemes.package com.ibm.tamesso.utils;

import java.util.prefs.*;import java.util.logging.*;

/**This class provides methods for Base-64 encoding and decoding*/public class Base64 {

private static final String CLASS = Base64.class.getName();private static final Logger log=Logger.getLogger(CLASS);

/**This encodes a byte array into a Base-64 string

Appendix B. Password-based encryption 29

* @param array* @return Base-64 encoded string*/public static String encode(byte[] array){String methodName_ = "encode";log.entering(CLASS, methodName_);Preferences prefs = Preferences.userNodeForPackage(Base64.class);prefs.putByteArray("key1",array);log.exiting(CLASS,methodName_);return prefs.get("key1", null);}

/**This decodes a base-64 string into a byte array* @param str* @return byte array*/public static byte[] decode(String str){String methodName_ = "decode";log.entering(CLASS, methodName_);Preferences prefs = Preferences.userNodeForPackage(Base64.class);prefs.put("key2", str);log.exiting(CLASS, methodName_);return prefs.getByteArray("key2", null);}

}


Appendix C. Security Token Service (STS) Universal Userdocument

The Security Token Service Universal User (STSUU) document is an XMLrepresentation of a request that passes through a trust module chain in the STS.

The three elements in the STS Universal User document are:v Principalv AttributeListv RequestSecurityToken

For more information about the Security Token Service (STS) Universal Userdocument, see the Tivoli Federated Identity Manager Information Center athttp://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.tivoli.fim.doc_6.2.1/ic/ic-homepage.html.


http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.tivoli.fim.doc_6.2.1/ic/ic-homepage.html

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.tivoli.fim.doc_6.2.1/ic/ic-homepage.html


Notices

This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.1623-14, Shimotsuruma, Yamato-shiKanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law :

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certaintransactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subjectto change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject tochange before the products described become available.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment to


IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. You may copy,modify, and distribute these sample programs in any form without payment toIBM for the purposes of developing, using, marketing, or distributing applicationprograms conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and colorillustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at Copyright andtrademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Officeof Government Commerce, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Notices 35

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in theUnited States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo aretrademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marksof others.


Glossary

AccessAdmin. A web-based management console thatAdministrators and Helpdesk officers use to administerthe IMS Server and to manage users and policies.

AccessAgent plug-in. A piece of script, written inVBscript or Javascript, that is embedded within anAccessProfile to perform custom checking of conditionsor to execute custom actions. It is used for extendingthe capability of an AccessProfile beyond the built-intriggers and actions.

AccessAgent. The client software that manages theidentity of the user, authenticates the user, andautomates single sign-on and sign-off.

AccessAssistant. The web-based interface that helpsusers to reset their passwords and retrieve theirapplication credentials.

AccessProfile widget / widget. An independentAccessProfile that consists of pinnable states, which canbe used to build another AccessProfile.

AccessProfiles. AccessAgent uses these XMLspecifications to identify application screens that it canperform single sign-on and automation.

AccessStudio. An application used by Administratorsfor creating and maintaining AccessProfiles.

Account data bag. A data structure that holds usercredentials in memory while single sign-on isperformed on an application.

Account data item template. A template that definesthe properties of an account data item.

Account data item. The user credentials required forlogon.

Account data template. A template that defines theformat of account data to be stored for credentialscaptured by using a specific AccessProfile.

Account data. The logon information required toverify an authentication service. It can be the username, password, and the authentication service whichthe logon information is stored.

Action. In profiling, an act that can be performed inresponse to a trigger. For example, automatic filling ofuser name and password details as soon as a sign-onwindow displays.

Active Directory (AD). A hierarchical directory servicethat enables centralized, secure management of anentire network, which is a central component of theMicrosoft Windows platform.

Active Directory credentials. The Active Directoryuser name and password.

Active Directory password synchronization. An IBMSecurity Access Manager for Enterprise Single Sign-Onfeature that synchronizes the ISAM ESSO passwordwith the Active Directory password.

Active RFID (ARFID). ARFID is both a secondauthentication factor and a presence detector. It candetect the presence of a user and AccessAgent can beconfigured to perform specific actions. In previousreleases, it is called Active Proximity Badge.

ActiveCode. Short-lived authentication codes that aregenerated and verified by IBM Security AccessManager for Enterprise Single Sign-On. There are twotypes of ActiveCodes: Mobile ActiveCodes andPredictive ActiveCodes.

Mobile ActiveCodes are generated by IBM SecurityAccess Manager for Enterprise Single Sign-On anddispatched to the mobile phone or email account of theuser. Predictive ActiveCodes, or One Time Passwords,are generated from OTP tokens when a user presses itsbutton.

Combined with alternative channels or devices,ActiveCodes provide effective second-factorauthentication.

Administrator. A person responsible foradministrative tasks such as access authorization andcontent management. Administrators can also grantlevels of authority to users.

Application policies. A collection of policies andattributes governing access to applications.

Application programming interface (API). Aninterface that allows an application program written ina high-level language to use specific data or functionsof the operating system or another program.

Application. One or more computer programs orsoftware components that provide a function in directsupport of a specific business process or processes. InAccessStudio, it is the system that provides the userinterface for reading or entering the authenticationcredentials.

Audit. A process that logs the user, Administrator, andHelpdesk activities.

Authentication factor. The different devices,biometrics, or secrets required as credentials forvalidating digital identities. Examples of authentication


factors are passwords, smart card, RFID, biometrics,and one-time password tokens.

Authentication service. In IBM Security AccessManager for Enterprise Single Sign-On, a service thatverifies the validity of an account against their ownuser store or against a corporate directory. Identifies theauthentication service associated with a screen. Accountdata saved under a particular authentication service isretrieved and auto-filled for the logon screen that isdefined. Account data captured from the logon screendefined is saved under this authentication service.

Authorization code. An alphanumeric code generatedfor administrative functions, such as password resets ortwo-factor authentication bypass with AccessAgent,AccessAssistant, and Web Workplace.

Auto-capture. A process that allows a system to collectand reuse user credentials for different applications.These credentials are captured when the user entersinformation for the first time, and then stored andsecured for future use.

Automatic sign-on. A feature where users can log onto the sign-on automation system and the system logson the user to all other applications.

Base distinguished name. A name that indicates thestarting point for searches in the directory server.

Bidirectional language. A language that uses a script,such as Arabic and Hebrew, whose general flow of textproceeds horizontally from right to left, but numbers,English, and other left-to-right language text arewritten from left to right.

Bind distinguished name. A name that specifies thecredentials for the application server to use whenconnecting to a directory service. The distinguishedname uniquely identifies an entry in a directory. Seealso Distinguished name.

Biometrics. The identification of a user based on aphysical characteristic of the user, such as a fingerprint,iris, face, voice, or handwriting.

Card Serial Number (CSN). A unique data item thatidentifies a hybrid smart card. It has no relation to thecertificates installed in the smart card

Cell. In WebSphere Application Server, a cell is avirtual unit that consists of a deployment manager andone or more nodes.

Certificate authority (CA). A trusted organization orcompany that issues the digital certificates. Thecertificate authority typically verifies the identity of theindividuals who are granted the unique certificate.

IMS Server Certificate. Used in IBM Security AccessManager for Enterprise Single Sign-On. The IMS ServerCertificate allows clients to identify and authenticate anIMS Server.

Client AccessAgent. AccessAgent installed andrunning on the client machine.

Client workstation, client machine, client computers.Computers where AccessAgent installed.

Clinical Context Object Workgroup (CCOW). Avendor independent standard, for the interchange ofinformation between clinical applications in thehealthcare industry.

Clustering. In WebSphere Application Server,clustering is the ability to group application servers.

Clusters. A group of application servers thatcollaborate for the purposes of workload balancing andfailover.

Command line interface. A computer interface inwhich the input command is a string of text characters.

Credentials. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

Cryptographic application programming interface(CAPI). An application programming interface thatprovides services to enable developers to secureapplications using cryptography. It is a set ofdynamically-linked libraries that provides anabstraction layer which isolates programmers from thecode used to encrypt the data.

Cryptographic Service Provider (CSP). A feature ofthe i5/OS® operating system that provides APIs. TheCCA Cryptographic Service Provider enables a user torun functions on the 4758 Coprocessor.

Data source. The means by which an applicationaccesses data from a database.

Database (DB) server. A software program that uses adatabase manager to provide database services tosoftware programs or computers.

DB2®. A family of IBM licensed programs forrelational database management.

Deployment manager profiles. A WebSphereApplication Server runtime environment that managesoperations for a logical group, or cell, of other servers.

Deployment manager. A server that manages andconfigures operations for a logical group or cell ofother servers.


Deprovision. To remove a service or component. Forexample, to deprovision an account means to delete anaccount from a resource.

Desktop application. Application that runs in adesktop.

Desktop Manager. Manages concurrent user desktopson a single workstation

Direct auth-info. In profiling, direct auth-info is adirect reference to an existing authentication service.

Directory service. A directory of names, profileinformation, and computer addresses of every user andresource on the network. It manages user accounts andnetwork permissions. When a user name is sent, itreturns the attributes of that individual, which mightinclude a telephone number, or an email address.Directory services use highly specialized databases thatare typically hierarchical in design and provide fastlookups.

Directory. A file that contains the names andcontrolling information for objects or other directories.

Disaster recovery site. A secondary location for theproduction environment in case of a disaster.

Disaster recovery. The process of restoring a database,system, policies after a partial or complete site failurethat was caused by a catastrophic event such as anearthquake or fire. Typically, disaster recovery requiresa full backup at another location.

Distinguished name. The name that uniquelyidentifies an entry in a directory. A distinguished nameis made up of attribute:value pairs, separated bycommas. For example, CN=person name andC=country or region.

Distributed IMS Server. The IMS Servers aredeployed in multiple geographical locations.

Domain name server (DNS). A server program thatsupplies name-to-address conversion by mappingdomain names to IP addresses.

Dynamic link library (DLL). A file containingexecutable code and data bound to a program at loadtime or run time, rather than during linking. The codeand data in a DLL can be shared by severalapplications simultaneously.

Enterprise directory. A directory of user accounts thatdefine IBM Security Access Manager for EnterpriseSingle Sign-On users. It validates user credentialsduring sign-up and logon, if the password issynchronized with the enterprise directory password.An example of an enterprise directory is ActiveDirectory.

Enterprise Single Sign-On (ESSO). A mechanism thatallows users to log on to all applications deployed inthe enterprise by entering a user ID and othercredentials, such as a password.

Enterprise user name. The user name of a useraccount in the enterprise directory.

ESSO audit logs. A log file that contains a record ofsystem events and responses. ESSO audit logs arestored in the IMS Database.

ESSO Credential Provider. Previously known as theEncentuate Credential Provider (EnCredentialProvider),this is the IBM Security Access Manager for EnterpriseSingle Sign-On GINA for Windows Vista and Windows7.

ESSO credentials. The ISAM ESSO user name andpassword.

ESSO GINA. Previously known as the EncentuateGINA (EnGINA). IBM Security Access Manager forEnterprise Single Sign-On GINA provides a userinterface that is integrated with authentication factorsand provide password resets and second factor bypassoptions.

ESSO Network Provider. Previously known as theEncentuate Network Provider (EnNetworkProvider).An AccessAgent module that captures the ActiveDirectory server credentials and uses these credentialsto automatically log on the users to their Wallet.

ESSO password. The password that secures access tothe user Wallet.

Event code. A code that represents a specific eventthat is tracked and logged into the audit log tables.

Failover. An automatic operation that switches to aredundant or standby system in the event of asoftware, hardware, or network interruption.

Fast user switching. A feature that allows users toswitch between user accounts on a single workstationwithout quitting and logging out of applications.

Federal Information Processing Standard (FIPS). Astandard produced by the National Institute ofStandards and Technology when national andinternational standards are nonexistent or inadequate tosatisfy the U.S. government requirements.

Fix pack. A cumulative collection of fixes that is madeavailable between scheduled refresh packs,manufacturing refreshes, or releases. It is intended toallow customers to move to a specific maintenancelevel.

Fully qualified domain name (FQDN). In Internetcommunications, the name of a host system that

Glossary 39

includes all of the subnames of the domain name. Anexample of a fully qualified domain name isrchland.vnet.ibm.com.

Graphical Identification and Authentication (GINA).A dynamic link library that provides a user interfacethat is tightly integrated with authentication factors andprovides password resets and second factor bypassoptions.

Group Policy Object (GPO). A collection of grouppolicy settings. Group policy objects are the documentscreated by the group policy snap-in. Group policyobjects are stored at the domain level, and they affectusers and computers contained in sites, domains, andorganizational units.

High availability (HA). The ability of IT services towithstand all outages and continue providingprocessing capability according to some predefinedservice level. Covered outages include both plannedevents, such as maintenance and backups, andunplanned events, such as software failures, hardwarefailures, power failures, and disasters.

Host name. In Internet communication, the namegiven to a computer. The host name might be a fullyqualified domain name such asmycomputer.city.company.com, or it might be a specificsubname such as mycomputer.

Hot key. A key sequence used to shift operationsbetween different applications or between differentfunctions of an application.

Hybrid smart card. An ISO-7816 compliant smart cardwhich contains a public key cryptography chip and anRFID chip. The cryptographic chip is accessible throughcontact interface. The RFID chip is accessible throughcontactless (RF) interface.

IBM HTTP server. A web server. IBM offers a webserver, called the IBM HTTP Server, that acceptsrequests from clients and forward to the applicationserver.

IMS Bridge. A module embedded in third-partyapplications and systems to call to IMS APIs forprovisioning and other purposes.

IMS Configuration Utility. A utility of the IMS Serverthat allows Administrators to manage lower-levelconfiguration settings for the IMS Server.

IMS Configuration wizard. Administrators use thewizard to configure the IMS Server during installation.

IMS Connector. A module that connects IMS toexternal systems to dispatch a mobile active code to amessaging gateway.

IMS data source. A WebSphere Application Serverconfiguration object that defines the location andparameters for accessing the IMS database.

IMS Database. The relational database where the IMSServer stores all ESSO system, machine, and user dataand audit logs.

IMS Root CA. The root certificate authority that signscertificates for securing traffic between AccessAgentand IMS Server.

IMS Server. An integrated management system forISAM ESSO that provides a central point of secureaccess administration for an enterprise. It enablescentralized management of user identities,AccessProfiles, authentication policies, provides lossmanagement, certificate management, and auditmanagement for the enterprise.

Indirect auth-info. In profiling, indirect auth-info is anindirect reference to an existing authentication service.

Interactive graphical mode. A series of panels thatprompts for information to complete the installation.

IP address. A unique address for a device or logicalunit on a network that uses the Internet Protocolstandard.

Java Management Extensions (JMX). A means ofdoing management of and through Java technology.JMX is a universal, open extension of the Javaprogramming language for management that can bedeployed across all industries, wherever management isneeded.

Java runtime environment (JRE). A subset of a Javadeveloper kit that contains the core executableprograms and files that constitute the standard Javaplatform. The JRE includes the Java virtual machine(JVM), core classes, and supporting files.

Java virtual machine (JVM). A softwareimplementation of a processor that runs compiled Javacode (applets and applications).

Keystore. In security, a file or a hardwarecryptographic card where identities and private keysare stored, for authentication and encryption purposes.Some keystores also contain trusted, or public, keys.

Lightweight Directory Access Protocol (LDAP). Anopen protocol that uses TCP/IP to provide access todirectories that support an X.500 model. An LDAP canbe used to locate people, organizations, and otherresources in an Internet or intranet directory.

Lightweight mode. A Server AccessAgent mode.Running in lightweight mode reduces the memoryfootprint of AccessAgent on a Citrix/Terminal Serverand improves the single sign-on startup duration.


Load balancing. The monitoring of application serversand management of the workload on servers. If oneserver exceeds its workload, requests are forwarded toanother server with more capacity.

Lookup user. A user who is authenticated in theEnterprise Directory and searches for other users. IBMSecurity Access Manager for Enterprise Single Sign-Onuses the lookup user to retrieve user attributes from theActive Directory or LDAP enterprise repository.

Main AccessProfile. The AccessProfile that containsone or more AccessProfile widgets

Managed node. A node that is federated to adeployment manager and contains a node agent andcan contain managed servers.

Microsoft Cryptographic application programminginterface (CAPI). An interface specification fromMicrosoft for modules that provide cryptographicfunctionality and that allow access to smart cards.

Mobile ActiveCode (MAC). A one-time password thatis used by users for two-factor authentication in WebWorkplace, AccessAssistant, and other applications.This OTP is randomly generated and dispatched touser through SMS or email.

Mobile authentication. An authentication factorwhich allows mobile users to sign-on securely tocorporate resources from anywhere on the network.

Network deployment. Also known as a clustereddeployment. A type of deployment where the IMSServer is deployed on a WebSphere Application Servercluster.

Node agent. An administrative agent that manages allapplication servers on a node and represents the nodein the management cell.

Nodes. A logical group of managed servers.

One-Time Password (OTP). A one-use passwordgenerated for an authentication event, sometimescommunicated between the client and the serverthrough a secure channel.

OTP token. A small, highly portable hardware devicethat the owner carries to authorize access to digitalsystems and physical assets.

Password aging. A security feature by which thesuperuser can specify how often users must changetheir passwords.

Password complexity policy. A policy that specifiesthe minimum and maximum length of the password,the minimum number of numeric and alphabeticcharacters, and whether to allow mixed uppercase andlowercase characters.

Personal applications. Windows and web-basedapplications where AccessAgent can store and entercredentials.

Some examples of personal applications are web-basedmail sites such as Company Mail, Internet bankingsites, online shopping sites, chat, or instant messagingprograms.

Personal desktop. The desktop is not shared with anyother users.

Personal Identification Number (PIN). InCryptographic Support, a unique number assigned byan organization to an individual and used as proof ofidentity. PINs are commonly assigned by financialinstitutions to their customers.

Pinnable state. A state from the AccessProfile widgetthat is declared as 'Can be pinned in anotherAccessProfile'.

Pinned state. A pinnable state that is attached to astate in the main AccessProfile.

Policy template. A predefined policy form that helpsusers define a policy by providing the fixed policyelements that cannot be changed and the variablepolicy elements that can be changed.

Portal. A single, secure point of access to diverseinformation, applications, and people that can becustomized and personalized.

Presence detector. A device that, when fixed to acomputer, detects when a person moves away from it.This device eliminates manually locking the computerupon leaving it for a short time.

Primary authentication factor. The IBM SecurityAccess Manager for Enterprise Single Sign-Onpassword or directory server credentials.

Private desktop. Under this desktop scheme, usershave their own Windows desktops in a workstation.When a previous user return to the workstation andunlocks it, AccessAgent switches to the desktop sessionof the previous user and resumes the last task.

Private key. In computer security, the secret half of acryptographic key pair that is used with a public keyalgorithm. The private key is known only to its owner.Private keys are typically used to digitally sign dataand to decrypt data that has been encrypted with thecorresponding public key.

Provisioning API. An interface that allows IBMSecurity Access Manager for Enterprise Single Sign-Onto integrate with user provisioning systems.

Provisioning bridge. An automatic IMS Servercredential distribution process with third partyprovisioning systems that uses API libraries with aSOAP connection.

Glossary 41

Provisioning system. A system that provides identitylifecycle management for application users inenterprises and manages their credentials.

Provision. To provide, deploy, and track a service,component, application, or resource.

Public Key Cryptography Standards. A set ofindustry-standard protocols used for secure informationexchange on the Internet. Domino® CertificateAuthority and Server Certificate Administrationapplications can accept certificates in PKCS format.

Published application. Application installed on CitrixXenApp server that can be accessed from Citrix ICAClients.

Published desktop. A Citrix XenApp feature whereusers have remote access to a full Windows desktopfrom any device, anywhere, at any time.

Radio Frequency Identification (RFID). An automaticidentification and data capture technology thatidentifies unique items and transmits data using radiowaves.

Random password. An arbitrarily generated passwordused to increase authentication security between clientsand servers.

Registry hive. In Windows systems, the structure ofthe data stored in the registry.

Registry. A repository that contains access andconfiguration information for users, systems, andsoftware.

Remote Authentication Dial-In User Service(RADIUS). An authentication and accounting systemthat uses access servers to provide centralizedmanagement of access to large networks.

Remote Desktop Protocol (RDP). A protocol thatfacilitates remote display and input over networkconnections for Windows-based server applications.RDP supports different network topologies andmultiple connections.

Replication. The process of maintaining a defined setof data in more than one location. Replication involvescopying designated changes for one location (a source)to another (a target) and synchronizing the data in bothlocations.

Revoke. To remove a privilege or an authority froman authorization identifier.

Root certificate authority (CA). The certificateauthority at the top of the hierarchy of authorities bywhich the identity of a certificate holder can beverified.

Scope. A reference to the applicability of a policy, atthe system, user, or machine level.

Secret question. A question whose answer is knownonly to the user. A secret question is used as a securityfeature to verify the identity of a user.

Secure Remote Access. The solution that providesweb browser-based single sign-on to all applicationsfrom outside the firewall.

Secure Sockets Layer (SSL). A security protocol thatprovides communication privacy. With SSL,client/server applications can communicate in a waythat is designed to prevent eavesdropping, tampering,and message forgery.

Secure Sockets Layer virtual private network (SSLVPN). A form of VPN that can be used with astandard web browser.

Security Token Service (STS). A web service used forissuing and exchanging of security tokens.

Security trust service chain. A group of moduleinstances that are configured for use together. Eachmodule instance in the chain is called in turn toperform a specific function as part of the overallprocessing of a request.

Self-service features. Features in IBM Security AccessManager for Enterprise Single Sign-On which users canuse to perform basic tasks such as resetting passwordsand secrets with minimal assistance from Help desk oryour Administrator.

Serial ID Service Provider Interface (SPI). Aprogrammatic interface intended for integratingAccessAgent with third-party Serial ID devices used fortwo-factor authentication.

Serial number. A unique number embedded in theIBM Security Access Manager for Enterprise SingleSign-On Keys, which is unique to each Key and cannotbe changed.

Server AccessAgent. AccessAgent deployed on aMicrosoft Windows Terminal Server or a Citrix server.

Server locator. A locator that groups a related set ofweb applications that require authentication by thesame authentication service. In AccessStudio, serverlocators identify the authentication service with whichan application screen is associated.

Service Provider Interface (SPI). An interface throughwhich vendors can integrate any device with serialnumbers with IBM Security Access Manager forEnterprise Single Sign-On and use it as a second factorin AccessAgent.

Session management. Management of user session onprivate desktops and shared desktops.

Shared desktop. A desktop configuration wheremultiple users share a generic Windows desktop.


Shared workstation. A workstation shared amongusers.

Sign up. To request a resource.

sign-on automation. A technology that works withapplication user interfaces to automate the sign-onprocess for users.

sign-on information. Information required to provideaccess to users to any secure application. Thisinformation can include user names, passwords,domain information, and certificates.

Signature. In profiling, unique identificationinformation for any application, window, or field.

Silent mode. A method for installing or uninstalling aproduct component from the command line with noGUI display. When using silent mode, you specify thedata required by the installation or uninstallationprogram directly on the command line or in a file(called an option file or response file).

Simple Mail Transfer Protocol (SMTP). An Internetapplication protocol for transferring mail among usersof the Internet.

Simple Object Access Protocol (SOAP). Alightweight, XML-based protocol for exchanginginformation in a decentralized, distributedenvironment. SOAP can be used to query and returninformation and invoke services across the Internet.

Single sign-on. An authentication process in which auser can access more than one system or application byentering a single user ID and password.

Smart card middleware. Software that acts as aninterface between smart card applications and thesmart card hardware. Typically the software consists oflibraries that implement PKCS#11 and CAPI interfacesto smart cards.

Smart card. An intelligent token that is embeddedwith an integrated circuit chip that provides memorycapacity and computational capabilities.

Stand-alone deployment. A deployment where theIMS Server is deployed on an independent WebSphereApplication Server profile.

Stand-alone server. A fully operational server that ismanaged independently of all other servers, and it usesits own administrative console.

Strong authentication. A solution that usesmulti-factor authentication devices to preventunauthorized access to confidential corporateinformation and IT networks, both inside and outsidethe corporate perimeter.

Strong digital identity. An online persona that isdifficult to impersonate, possibly secured by privatekeys on a smart card.

System modal message. A system dialog box that istypically used to display important messages. When asystem modal message is displayed, nothing else canbe selected on the screen until the message is closed.

Terminal emulator. A program that allows a devicesuch as a microcomputer or personal computer to enterand receive data from a computer system as if it were aparticular type of attached terminal

Thin client. A client machine that has little or noinstalled software. It has access to applications anddesktop sessions that is running on network serversthat are connected to it. A thin client machine is analternative to a full-function client such as aworkstation.

Tivoli Common Reporting tool. A reportingcomponent that you can use to create, customize, andmanage reports.

Tivoli Identity Manager adapter. An intermediarysoftware component that allows IBM Security AccessManager for Enterprise Single Sign-On to communicatewith Tivoli Identity Manager.

Transparent screen lock. A feature that, whenenabled, permits users to lock their desktop screens butstill see the contents of their desktop.

Trigger. In profiling, an event that causes transitionsbetween states in a states engine, such as, the loadingof a web page or the appearance of window on thedesktop.

Trust service chain. A chain of modules operating indifferent modes. For example: validate, map and issue.

Truststore. In security, a storage object, either a file ora hardware cryptographic card, where public keys arestored in the form of trusted certificates, forauthentication purposes in web transactions. In someapplications, these trusted certificates are moved intothe application keystore to be stored with the privatekeys.

TTY (terminal type). A generic device driver for a textdisplay. A tty typically performs input and output on acharacter-by-character basis.

Two-factor authentication. The use of two factors toauthenticate a user. For example, the use of passwordand an RFID card to log on to AccessAgent.

Uniform resource identifier. A compact string ofcharacters for identifying an abstract or physicalresource.

Glossary 43

User credential. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

User deprovisioning. Removing the user account fromIBM Security Access Manager for Enterprise SingleSign-On.

User provisioning. The process of signing up a userto use IBM Security Access Manager for EnterpriseSingle Sign-On.

Virtual appliance. A virtual machine image with aspecific application purpose that is deployed tovirtualization platforms.

Virtual channel connector. A connector that is used ina terminal services environment. The virtual channelconnector establishes a virtual communication channelto manage the remote sessions between the ClientAccessAgent component and the Server AccessAgent.

Virtual Member Manager (VMM). A WebSphereApplication Server component that providesapplications with a secure facility to access basicorganizational entity data such as people, logonaccounts, and security roles.

Virtual Private Network (VPN). An extension of acompany intranet over the existing framework of eithera public or private network. A VPN ensures that thedata that is sent between the two endpoints of itsconnection remains secure.

Visual Basic (VB). An event-driven programminglanguage and integrated development environment(IDE) from Microsoft.

Wallet caching. When performing single sign-on foran application, AccessAgent retrieves the logoncredentials from the user credential Wallet. The usercredential Wallet is downloaded on the user machineand stored securely on the IMS Server. So users canaccess their Wallet even when they log on to IBMSecurity Access Manager for Enterprise Single Sign-Onfrom a different machine later.

Wallet manager. The IBM Security Access Manager forEnterprise Single Sign-On GUI component that userscan use to manage application credentials in thepersonal identity Wallet.

Wallet Password. A password that secures access tothe Wallet.

Wallet. A secured data store of access credentials of auser and related information, which includes user IDs,passwords, certificates, encryption keys.

Web server. A software program that is capable ofservicing Hypertext Transfer Protocol (HTTP) requests.

Web service. A self-contained, self-describing modularapplication that can be published, discovered, andinvoked over a network using standard networkprotocols. Typically, XML is used to tag the data, SOAPis used to transfer the data, WSDL is used fordescribing the services available, and UDDI is used forlisting what services are available.

Web Workplace. A web-based interface that users canlog on to enterprise web applications by clicking linkswithout entering the passwords for individualapplications. This interface can be integrated with theexisting portal or SSL VPN of the customer.

WebSphere Administrative console. A graphicaladministrative Java application client that makesmethod calls to resource beans in the administrativeserver to access or modify a resource within thedomain.

WebSphere Application Server profile. TheWebSphere Application Server administrator user nameand profile. Defines the runtime environment.

WebSphere Application Server. Software that runs ona web server and that can deploy, integrate, execute,and manage e-business applications.

Windows logon screen, Windows logon UI mode.The screen where users enter their user name andpassword to log on to the Windows desktop.

Windows native fast user switching. A Windows XPfeature which allows users to quickly switch betweenuser accounts.

Windows Terminal Services. A Microsoft Windowscomponent that users use to access applications anddata on a remote computer over a network.

WS-Trust. A web services security specification thatdefines a framework for trust models to establish trustbetween web services.


Index

Aaccessibility viiiAES-128 bit algorithm 27algorithms 27

BBASE64.JAVA file 29books

See publications

Cconventions

typeface ixCRYPTOUTIL.JAVA file 27curl command 7

Ddirectory names, notation ix

EEAR files 1, 2education

See Tivoli technical trainingenvironment variables, notation ixerror codes 25

Iinstalling

Tivoli Federated Identity Managerplug-in 2

JJAR files 1, 4JAVA files

BASE64.JAVA file 29CRYPTOUTIL.JAVA file 27

Llog files 25

Mmanuals

See publications

Nnotation

environment variables ix

notation (continued)path names ixtypeface ix

Oonline publications

accessing viiordering publications viii

Ppassword-based encryption

See PBEpasswords

decrypting 27path names, notation ixPBE 27publications v

accessing online viiordering viii

RRequest Security Token

See RSTRequest Security Token Message

See RSTRRequest Security Token Response

CollectionSee RSTRC

RST 6, 7deleting credentials 23getting a user credential updated after

a certain date 14getting updated credentials by

date 21getting user credentials 8getting user credentials, authentication

service 17setting user credentials 19

RSTR 8deleting credentials 24getting updated credentials by

date 22getting user credentials 9getting user credentials after a certain

date 15getting user credentials, authentication

service 18message 1setting user credentials 20

RSTRC 6, 9, 18, 22example 15

SSecure Sockets Layer

See SSL

security token service modulesDeleteUserCredentials 5deploying 4EncryptUserCredentials 5GetUserCredentials 5installing 1MultiUsernameToken 5SetUserCredentials 5VerifyUser 5

Security Token Service Universal UserSee STSUU

SHA-256 algorithm 27SSL

deploying security tokens 6enabling 3

STSUU 4, 31

TTivoli Federated Identity Manager

configuring 1installing 1installing plug-in 2security token service 1

Tivoli Information Center viiTivoli technical training viiiTivoli user groups viiitraining, Tivoli technical viiitroubleshooting

See error codestrust chain

See also security token service modulestesting 7using 6

trust service chain 4typeface conventions ix

Uuser credentials

authentication 19authentication service 17deleting 23getting 8, 14, 21

user groups, Tivoli viii

Vvariables, notation for ix

WWeb API

deploying security token servicemodules 4

installing 2module instances 4module modes 4module types 4


Web API (continued)testing 7


��

Printed in USA

SC14-7646-00

Documents

WebAPI for Credential Management - IBM - United States€¦ · WebAPI for Credential Management ... It covers procedures for using virtual appliance, ... v IBM Security Access Manager