Risk-Based Access External Authorization Service plug-in

The Risk-Based Access (RBA) External Authorization Service (EAS) component provides a runtime XACML EAS plug-in for WebSEAL to enforce a policy decision. WebSEAL becomes the authorization enforcement point to access resources protected by RBA.

The EAS collects context information about the user and the request, creates an XACML over SOAP decision request, and sends the information to the server.

Manage the EAS with entries in the webseald.conf file.

For more information about the risk-based EAS, see the Configuring topics in the IBM Knowledge Center. Search for "Runtime security services external authorization service" for details.

For assistance in troubleshooting RBA EAS issues, you can enable tracing, then review the logs for information about any issue that might be occurring.

Enabling External Authorization Service tracing on WebSEAL

To enable tracing and logging for the XACML EAS plug-in, issue the following pdadmin command:
pdadmin > server task webseal_server_name trace set xacml_eas_comp_name 9 file path=path_to_log_file
where:
webseal_server_name
Is the name of the WebSEAL server.
xacml_eas_comp_name
Is the name of the XACML EAS component.
path_to_log_file
Is the directory where you want to store the trace log file.
For example:
pdadmin > server task default-webseald-localhost trace set pdweb.xacml 9 file path=/tmp/xacml.log
Note: Tracing is disabled when you restart WebSEAL.