Authentication Plug-In Developer Guide

RSA AAOP 7.1P2


RSA Adaptive Authentication

(On-Premise) 7.1
Authentication Plug-In Developers Guide
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or
other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go
to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2013 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
RSA Adaptive Authentication (On-Premise) 7.1 Authentication Plug-In Developers Guide

Contents
Preface................................................................................................................................... 5
About This Guide................................................................................................................ 5
RSA Adaptive Authentication (On-Premise) Documentation ............................................ 5
Support and Service ............................................................................................................ 6
Before You Call Customer Support............................................................................. 6

Chapter 1: Authentication Plug-In Overview ................................................. 7


Overview ............................................................................................................................. 7
Authentication Plug-In Business Process Workflow .......................................................... 7
Authentication Plug-In Workflow Diagram ....................................................................... 9
Third-Party Product Integration with RSA Adaptive Authentication............................... 10
System Requirements........................................................................................................ 10

Chapter 2: Authentication Plug-In SDK ...........................................................11


Authentication Plug-In SDK Overview .............................................................................11
Integrate the Authentication Plug-In SDK.........................................................................11

Chapter 3: Authentication Plug-In Use Cases ............................................ 13


Authentication................................................................................................................... 13
Authentication Status ........................................................................................................ 13
Challenge .......................................................................................................................... 14
Management...................................................................................................................... 15

Chapter 4: Web Services Methods and Messages .................................. 17


Authentication Plug-In Web Services Methods................................................................ 17
Authentication Plug-In Request Objects........................................................................... 18
AuthenticationRequest Object ................................................................................... 18
AuthStatusRequest Object ......................................................................................... 19
ChallengeRequest Object........................................................................................... 20
ManagementRequest Object ...................................................................................... 20
Authentication Plug-In Response Objects ........................................................................ 22
AuthenticationResponse Object................................................................................. 22
AuthStatusResponse Object....................................................................................... 23
ChallengeResponse Object ........................................................................................ 23
ManagementResponse Object.................................................................................... 24
CallStatus Object ....................................................................................................... 24

Chapter 5: API Implementation Interfaces .................................................... 27


Core Object Factory .......................................................................................................... 27
Generated Object Factory ................................................................................................. 30
Extension Mapper Factory ................................................................................................ 33
Authentication Plug-In Implementation Object ................................................................ 35
Storing Authentication Plug-In Data ......................................................................... 39

Appendix A: Installing the Authentication Plug-In .................................. 43


Installation Workflow ....................................................................................................... 43


Configuring the Authentication Plug-In for Adaptive Authentication ............................. 43
Defining the Authentication Plug-In................................................................................. 44
Authentication Plug-In Internal Configuration ................................................................. 44
Authentication Plug-In Type ..................................................................................... 45
Authentication Plug-In Metadata............................................................................... 46
Authentication Plug-In Metadata Entry ..................................................................... 47
Customizing Existing Configuration Files........................................................................ 47
Customizing the Admin Application Configuration File.................................................. 48
Customizing the Policy Management Application ........................................................... 48
Integrating the XSD File ................................................................................................... 48


Preface

About This Guide


This guide describes how to integrate and configure your Authentication Plug-in with
RSA Adaptive Authentication (On-Premise) 7.1. This guide is intended for security
administrators, IT implementers, and other trusted personnel. Do not make this guide
available to the general user population.

RSA Adaptive Authentication (On-Premise) Documentation


For more information about RSA Adaptive Authentication (On-Premise), see the
following documentation:
Authentication Plug-In Developers Guide. Describes the Authentication Plug-In
development process that enables external authentication providers to integrate
their products with RSA Adaptive Authentication (On-Premise) 7.1.
Back Office Users Guide. Provides an overview of the following Back Office
applications: Policy Management, Case Management, Access Management,
Customer Service Administration, and the Report Viewer.
Bait Credentials Setup and Implementation Guide. Describes how to set up and
implement RSA bait credentials, which help provide you with accelerated fraud
detection and prevention capabilities.
Best Practices for Challenge Questions. Describes the best practices related to
challenge questions that RSA has evolved through experience at multiple
deployments.
Installation and Upgrade Guide. Describes detailed procedures on how to install,
upgrade, and configure RSA Adaptive Authentication (On-Premise) 7.1.
Integration Guide. Describes how to integrate and deploy RSA Adaptive
Authentication (On-Premise) 7.1.
Operations Guide. Provides information on how to administer and operate
RSA Adaptive Authentication (On-Premise) after upgrade. This guide also
describes how to configure Adaptive Authentication (On-Premise) within the
Configuration Framework.
Performance Guide. Provides information about performance testing and
performance test results for the current release version of RSA Adaptive
Authentication (On-Premise).
Product Overview Guide. Provides a high-level overview of RSA Adaptive
Authentication (On-Premise) 7.1, including system architecture.


Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues. It also includes the supported
platforms and work environments for platform certifications. The latest version of
the Release Notes is available on RSA SecurCare Online at
https://knowledge.rsasecurity.com.
Security Best Practices Guide. Provides recommendations for configuring your
network and RSA Adaptive Authentication (On-Premise) 7.1 securely.
Web Services API Reference Guide. Describes RSA Adaptive Authentication
(On-Premise) 7.1 web services API methods and parameters. This guide also
describes how to build your own web services clients and applications using web
services API to integrate and utilize the capabilities of Adaptive Authentication
(On-Premise).
What's New. Highlights new features and enhancements in RSA Adaptive
Authentication (On-Premise) 7.1.
Workflows and Processes Guide. Describes the workflows and processes that
allow end users to interact with your system and that allow your system to interact
with RSA Adaptive Authentication (On-Premise) 7.1.

Support and Service


RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.emc.com/support/rsa/index.htm
RSA Solution Gallery: https://gallery.emc.com/community/marketplace/rsa?view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common
questions and solutions to known problems. It also offers information on new releases,
important technical news, and software downloads.
The RSA Solution Gallery provides information about third-party hardware and
software products that have been certified to work with RSA products. The gallery
includes Secured by RSA Implementation Guides with step-by-step instructions and
other information about interoperation of RSA products with these third-party
products.

Before You Call Customer Support


Make sure that you have direct access to the computer running the Adaptive
Authentication (On-Premise) software.
Please have the following information available when you call:
Your RSA Customer/License ID.
Authentication Plug-In software version number.
The make and model of the machine on which the problem occurs.
The name and version of the operating system under which the problem occurs.


1 Authentication Plug-In Overview

Overview
RSA Adaptive Authentication (On-Premise) for the web is a flexible, layered
authentication solution designed to match security with transaction risk, customer
need, preference, and usability. The Adaptive Authentication system offers two
distinct systems that take different authentication approaches in helping to meet the
needs of your user base:
Risk-Based Authentication
Multi-Credential Framework
The Authentication Plug-In enables external authentication providers to easily
integrate products with the Adaptive Authentication (On-Premise) system.
Authentication Plug-In software is integrated with the RSA Multi-Credential
Framework (MCF) to support particular types of authentication credentials. The
Authentication Plug-In is activated by the Adaptive Authentication core system, for
various business flows, according to the credential payload provided.
For each business flow, the Authentication Plug-In populates a data structure, stored
by MCF in the Core Database, as a part of the user information. Similarly, MCF can
provide an Authentication Plug-In with data stored for a user.

Authentication Plug-In Business Process Workflow


The Authentication Plug-In business workflow is as follows:
1. Each request from an organization that contains a credential payload is handled by
the RSA Adaptive Authentication MCF, which identifies the type of credential
payload provided.
2. If the payload provided is an Authentication Plug-In type, a wrapper class handles
the request and sends the request to the Authentication Plug-In.
3. According to the credential payload, the wrapper identifies which Authentication
Plug-In must be activated.
4. The wrapper accesses the Authentication Plug-In configuration and retrieves a
Core Object Factory, which is used to create an Authentication Plug-In
implementation object.
The created implementation object is populated with the following objects:
AcspContext, which contains the Authentication Plug-In level configuration, and
RequestContext, which contains data that is solely relevant for the current request.
5. After an Authentication Plug-In implementation object is allocated, the relevant
method is called, passing a business request as a parameter.


6. The wrapper receives a business response from the Authentication Plug-In. The
plug-in is responsible for populating the business response, for example, setting
the call status.
7. During the Authentication Plug-In flow execution, the plug-in can use
AcspContext for retrieving global plug-in definitions, and Request context for
handling session-level and user-level data. This data can be modified by the
plug-in and is stored in the Adaptive Authentication PassMarkDB database
(inside SESSIONACSP and ACSPUSERACCOUNT data) at the end of the flow
for future requests, as described in Storing Authentication Plug-In Data.
8. The wrapper returns one of the following responses:
Management
Authentication
Challenge
authStatus


Authentication Plug-In Workflow Diagram


The following sequence diagram of the main business flow shows how the core
system activates the Authentication Plug-In implementation.
In the workflow diagrams in this guide, shapes are bordered in colors. Green indicates
an interface, provided by the SDK, which should be implemented by the developer.
Red indicates actual implementation of the back end, which must be created by the
developer. Black indicates existing code that should not be modified or used.


Third-Party Product Integration with RSA Adaptive Authentication


Third-party libraries, such as Apache Commons and Spring, are provided as part of
the Adaptive Authentication (On-Premise) web application package. You should
check the target deployment for a complete and specific list of third-party libraries that
the Authentication Plug-In implementation supports. Third-party libraries may change
from one release to another.

System Requirements
The following are the system requirements for developing the SDK:
Platform that supports JDK 5 and earlier
Apache Ant


2 Authentication Plug-In SDK

Authentication Plug-In SDK Overview


The Authentication Plug-In SDK, provided with the RSA Adaptive Authentication
(On-Premise) application package, generates the required request and response
objects for the API.
The SDK receives an XML schema, created by the implementer, which defines data
payloads to extend the ability to support the Authentication Plug-In. Each
Authentication Plug-In must have its own XML schema, which is later integrated into
the Adaptive Authentication Web Services Description Language (WSDL) file.
The Adaptive Authentication (On-Premise) application package also includes the
AdaptiveAuthentication.wsdl file and references the ACSP.xsd file, which contains
the parent payload definitions for each business request and response and for all
implemented interfaces.

Integrate the Authentication Plug-In SDK


You use the Authentication Plug-In SDK to generate required code and to integrate
your customized Authentication Plug-In. The following steps describe its usage.

To integrate the Authentication Plug-In:


1. Unzip the SDK compressed file, and extract the files.
2. Create an XSD file (containing the WSDL fragment), which contains your
business objects within request and response messages.

Note: The XSD file must reference the ACSP.xsd file included in the SDK for the
compilation to work.

The following is a sample of an XSD file as created by the implementer.


<xsd:import schemaLocation="../../../xsd/ACSP.xsd"
            namespace="http://ws.csd.rsa.com"/>
<xsd:complexType name="SampleAcspAuthenticationRequest">
  <xsd:complexContent>
    <xsd:extension base="rsa_csd:AcspAuthenticationRequest">
      <xsd:annotation>
        <xsd:documentation>This type defines the
          Specific Authentication Request</xsd:documentation>
      </xsd:annotation>
      <xsd:sequence>
        <!-- The sample in the guide breaks off here. The child elements below are
             completed from the sampleOtp and field1..field3 values of the Chapter 3
             Authentication payload sample; the xsd:string types are assumed. -->
        <xsd:element name="sampleOtp" type="xsd:string"/>
        <xsd:element name="field1" type="xsd:string"/>
        <xsd:element name="field2" type="xsd:string"/>
        <xsd:element name="field3" type="xsd:string"/>
      </xsd:sequence>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>


3 Authentication Plug-In Use Cases


This chapter provides use cases to help implementers understand the business
requirements and usage of the Authentication Plug-In.

Authentication
An Authentication payload must be populated with data, which is passed to the
Authentication Plug-In, to activate the Authentication request functionality.
The following sample code shows a one-time password (OTP) Authentication Plug-In
for an Authentication payload.
<tns:credentialDataList>
  <tns:acspAuthenticationRequestData>
    <tns:payload xsi:type="smpl:SampleAcspAuthenticationRequest">
      <smpl:sampleOtp>327453</smpl:sampleOtp>
      <smpl:field1>f1</smpl:field1>
      <smpl:field2>f2</smpl:field2>
      <smpl:field3>f3</smpl:field3>
    </tns:payload>
  </tns:acspAuthenticationRequestData>
</tns:credentialDataList>

Authentication Status
An Authentication Status payload must be populated with data, which is passed to the
Authentication Plug-In, to activate the Authentication Status functionality.
The following sample code shows an Authentication Plug-In for an Authentication
Status payload.
<tns:credentialAuthStatusRequest>
  <tns:acspAuthStatusRequestData>
    <tns:payload xsi:type="smpl:SampleAcspAuthStatusRequest">
      <smpl:sampleOtp>849323</smpl:sampleOtp>
      <smpl:field1>f1</smpl:field1>
      <smpl:field2>f2</smpl:field2>
      <smpl:field3>f3</smpl:field3>
    </tns:payload>
  </tns:acspAuthStatusRequestData>
</tns:credentialAuthStatusRequest>

Challenge
Even when there is no business data to pass, an empty Challenge payload must be
present: it marks the request so that the system activates the Challenge functionality
of the current Authentication Plug-In.
The following sample code illustrates an OTP Authentication Plug-In for an empty
Challenge payload.
<tns:credentialChallengeRequestList>
  <tns:acspChallengeRequestData>
    <tns:payload xsi:type="otpns:OTPChallengeRequest"/>
  </tns:acspChallengeRequestData>
</tns:credentialChallengeRequestList>
Any fields that you provide to the Authentication Plug-In must be included in the
payload, as shown in the following sample code.
<tns:credentialChallengeRequestList>
  <tns:acspChallengeRequestData>
    <tns:payload xsi:type="smpl:SampleAcspChallengeRequest">
      <smpl:field1>f1</smpl:field1>
      <smpl:field2>f2</smpl:field2>
      <smpl:field3>f3</smpl:field3>
    </tns:payload>
  </tns:acspChallengeRequestData>
</tns:credentialChallengeRequestList>


Management
A Management payload must be populated for an Authentication Plug-In.
Even when there is no business data to pass, an empty Management payload must be
present: it marks the request to indicate that the user is enrolled for the current
Authentication Plug-In.
The following sample code illustrates an OTP Authentication Plug-In for an empty
Management payload.
<tns:credentialManagementRequestList>
  <tns:acspManagementRequestData>
    <tns:credentialProvisioningStatus>ACTIVE</tns:credentialProvisioningStatus>
    <tns:payload xsi:type="otpns:OTPManagementRequest"/>
  </tns:acspManagementRequestData>
</tns:credentialManagementRequestList>
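The wrapper dispatch from the Chapter 1 workflow (identify the payload type, select the Authentication Plug-In, call it, collect its response) and the payload rules of this chapter, as an added example that is not part of the guide or the RSA SDK. It parses the payload samples above, routes each payload on its xsi:type prefix to a registered plug-in, accepts the empty Challenge and Management markers, and rejects an Authentication payload that carries no data; the namespace URIs, the OtpPlugin class and the response dictionaries are constructed stand-ins for the SDK's generated objects.

```python
"""Added example, not RSA SDK code: a model of the MCF wrapper dispatch from the
Chapter 1 workflow, run over the Chapter 3 payload samples. Namespace URIs for
the tns/smpl/otpns prefixes are constructed placeholders."""
import hmac
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"tns": "urn:example:adaptive-auth", "smpl": "urn:example:sample-plugin",  # constructed
      "otpns": "urn:example:otp-plugin", "xsi": XSI}

# Request list element -> (request-data element, business flow, empty payload allowed)
FLOWS = {
    "credentialDataList": ("acspAuthenticationRequestData", "Authentication", False),
    "credentialAuthStatusRequest": ("acspAuthStatusRequestData", "AuthStatus", False),
    "credentialChallengeRequestList": ("acspChallengeRequestData", "Challenge", True),
    "credentialManagementRequestList": ("acspManagementRequestData", "Management", True),
}


class PayloadError(ValueError):
    """Raised when a credential payload cannot be routed to an Authentication Plug-In."""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _wrap(fragment):
    # The guide's fragments omit namespace declarations; supply them so the parser accepts them.
    decls = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return f"<root {decls}>{fragment}</root>"


def dispatch(fragment, plugins):
    """Route each payload to the plug-in registered for its xsi:type prefix; return the responses."""
    responses = []
    for request_list in ET.fromstring(_wrap(fragment)):
        spec = FLOWS.get(_local(request_list.tag))
        if spec is None:
            raise PayloadError(f"unknown request element {_local(request_list.tag)}")
        data_tag, flow, empty_ok = spec
        for data in request_list.findall(f"tns:{data_tag}", NS):
            payload = data.find("tns:payload", NS)
            xsi_type = payload.get(f"{{{XSI}}}type", "") if payload is not None else ""
            if ":" not in xsi_type:
                raise PayloadError(f"{flow}: payload has no prefixed xsi:type")
            prefix, type_name = xsi_type.split(":", 1)
            plugin = plugins.get(prefix)
            if plugin is None:
                raise PayloadError(f"{flow}: no Authentication Plug-In for prefix {prefix}")
            fields = {_local(child.tag): (child.text or "") for child in payload}
            if not fields and not empty_ok:
                raise PayloadError(f"{flow}: payload must carry business data")
            status = data.find("tns:credentialProvisioningStatus", NS)
            provisioning = status.text if status is not None else None
            responses.append(plugin.handle(flow, type_name, fields, provisioning))
    return responses


class OtpPlugin:
    """Constructed stand-in for an OTP Authentication Plug-In. The OTP issued at Challenge
    time plays the role of the user-level RequestContext data kept between requests."""

    def __init__(self, issue_otp):
        self._issue_otp = issue_otp    # callable that generates and delivers the OTP
        self._issued = None

    def handle(self, flow, type_name, fields, provisioning):
        response = {"flow": flow, "type": type_name, "callStatus": "OK"}
        if flow == "Challenge":
            self._issued = self._issue_otp()
        elif flow == "Authentication":
            submitted = fields.get("sampleOtp", "")
            ok = self._issued is not None and hmac.compare_digest(self._issued, submitted)
            if ok:
                self._issued = None    # an accepted OTP is single-use
            response["authenticated"] = ok
        elif flow == "Management":
            response["enrolled"] = provisioning == "ACTIVE"
        return response


# Payload fragments taken from the Chapter 3 samples.
SAMPLE_MANAGEMENT = ('<tns:credentialManagementRequestList><tns:acspManagementRequestData>'
                     '<tns:credentialProvisioningStatus>ACTIVE</tns:credentialProvisioningStatus>'
                     '<tns:payload xsi:type="otpns:OTPManagementRequest"/>'
                     '</tns:acspManagementRequestData></tns:credentialManagementRequestList>')
SAMPLE_CHALLENGE = ('<tns:credentialChallengeRequestList><tns:acspChallengeRequestData>'
                    '<tns:payload xsi:type="smpl:SampleAcspChallengeRequest"><smpl:field1>f1'
                    '</smpl:field1><smpl:field2>f2</smpl:field2><smpl:field3>f3</smpl:field3>'
                    '</tns:payload></tns:acspChallengeRequestData></tns:credentialChallengeRequestList>')
SAMPLE_AUTH = ('<tns:credentialDataList><tns:acspAuthenticationRequestData>'
               '<tns:payload xsi:type="smpl:SampleAcspAuthenticationRequest">'
               '<smpl:sampleOtp>327453</smpl:sampleOtp><smpl:field1>f1</smpl:field1>'
               '<smpl:field2>f2</smpl:field2><smpl:field3>f3</smpl:field3></tns:payload>'
               '</tns:acspAuthenticationRequestData></tns:credentialDataList>')


def run_samples():
    """Enroll, challenge, then authenticate with one plug-in registered under both prefixes."""
    plugin = OtpPlugin(lambda: "327453")   # constructed: the OTP value from the guide's sample
    plugins = {"smpl": plugin, "otpns": plugin}
    responses = []
    for fragment in (SAMPLE_MANAGEMENT, SAMPLE_CHALLENGE, SAMPLE_AUTH):
        responses.extend(dispatch(fragment, plugins))
    return responses
```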


4 Web Services Methods and Messages

Authentication Plug-In Web Services Methods


RSA Adaptive Authentication (On-Premise) uses a WSDL file to define the available
Web Services methods, parameters, and returned data.
The WSDL file can be extended using Web Services methods, which are mapped to
Authentication Plug-In methods, as shown in the following table.

Adaptive Authentication Web Services Method | Authentication Plug-In Method | Description
Authenticate | Authenticate | Performs verification for one or more credentials.
Challenge | Challenge | Performs one of the following: returns the challenge material to be presented to the user; or initiates the settings for an out-of-band (OOB) method, such as presenting OTP and initiating the OOB communication.
CreateUser | Manage | Creates a user and optionally queries the necessary data to enroll the user.
Query | Manage | Queries a user's profile, including authentication credentials.
QueryAuthStatus | QueryAuthStatus | For asynchronous type credentials, this method returns the authentication status of the credential, for example, pending or success for OOB phone.
UpdateUser | Manage | Updates a user's profile, including authentication credentials.


Authentication Plug-In Request Objects


The Authentication Plug-In SDK provides a set of tools and a basic schema to
generate the required Authentication Plug-In request objects from the XSD file that
the implementer created. RSA recommends that you do not modify the SDK
generated classes.
The request objects represent the interface through which the implementer can interact
with the Authentication Plug-In implementation. Each business flow presented by the
request type WSDL elements has a corresponding request object.
The following figure shows the request object hierarchy.

AuthenticationRequest Object
The Authentication Plug-In AuthenticationRequest object contains the data elements
required by an Authentication request flow. The AuthenticationRequest object derives
from the AcspAuthenticationRequest class and is passed when the Authenticate
command is called in an Authentication Plug-In interface.
The following code sample shows a generated OTPAuthenticationRequest class
object.
/**
 * OTPAuthenticationRequest.java
 * This file was auto-generated from Schema
 * by the RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPAuthenticationRequest plug-in bean class
 */
public class OTPAuthenticationRequest extends
        com.rsa.acsp.AcspAuthenticationRequest
{
    /**
     * field for otp
     */
    private java.lang.String otp;

    /**
     * Auto generated getter method
     * @return java.lang.String
     */
    public java.lang.String getOtp( )
    {
        return otp;
    }

    /**
     * Auto generated setter method
     * @param param Otp
     */
    public void setOtp(java.lang.String param)
    {
        this.otp=param;
    }
}

AuthStatusRequest Object
The Authentication Plug-In AuthStatusRequest object contains the data elements
required by the AuthStatus request flow. The AuthStatus business flow is used for an
asynchronous authentication session where this request is used for subsequent status
polling. The AuthStatusRequest object derives from the AcspAuthStatusRequest class
and is passed when the AuthStatus command is called in an Authentication Plug-In
interface.
The following code sample shows a generated OTPAuthStatusRequest object class.
/**
 * OTPAuthStatusRequest.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPAuthStatusRequest plug-in bean class
 */
public class OTPAuthStatusRequest extends
        com.rsa.acsp.AcspAuthStatusRequest
{
    /**
     * field for otp
     */
    private java.lang.String otp;

    /**
     * Auto generated getter method
     * @return java.lang.String
     */
    public java.lang.String getOtp( )
    {
        return otp;
    }

    /**
     * Auto generated setter method
     * @param param Otp
     */
    public void setOtp(java.lang.String param)
    {
        this.otp=param;
    }
}

ChallengeRequest Object
The Authentication Plug-In ChallengeRequest object contains the data elements
required by the Challenge request flow. The ChallengeRequest object derives from the
AcspChallengeRequest class and is passed when the Challenge command is called in
an Authentication Plug-In interface.
The following code sample shows a generated OTPChallengeRequest object class.
/**
 * OTPChallengeRequest.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPChallengeRequest plug-in bean class
 */
public class OTPChallengeRequest extends
        com.rsa.acsp.AcspChallengeRequest
{
}

ManagementRequest Object
The Authentication Plug-In ManagementRequest object contains the data elements
required by a Management request. The ManagementRequest object derives from the
Authentication Plug-In ManagementRequest class and is passed when the
Management command is called in an Authentication Plug-In interface.
The following code sample shows a generated OTPManagementRequest object class.
/**
 * OTPManagementRequest.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPManagementRequest plug-in bean class
 */
public class OTPManagementRequest extends
        com.rsa.acsp.AcspManagementRequest
{
    /**
     * field for opcode
     */
    private java.lang.String opcode;

    /**
     * Auto generated getter method
     * @return java.lang.String
     */
    public java.lang.String getOpcode( )
    {
        return opcode;
    }

    /**
     * Auto generated setter method
     * @param param Opcode
     */
    public void setOpcode(java.lang.String param)
    {
        // Field names are case-sensitive in Java; the field is "opcode".
        this.opcode=param;
    }
}


Authentication Plug-In Response Objects


Authentication Plug-In response objects, generated by the Authentication Plug-In
SDK, represent the interfaces through which the Authentication Plug-In
implementation returns the status of the Authentication Plug-In to a specific request
type.

Note: RSA recommends that you do not modify the generated response objects.

The following diagram shows the response object hierarchy.

AuthenticationResponse Object
The Authentication Plug-In AuthenticationResponse object contains the data elements
returned for an Authentication request. The AuthenticationResponse object derives
from the AcspAuthenticationResponse class and is returned when the Authenticate
command is called in an Authentication Plug-In interface. The following code sample
shows a generated OTPAuthenticationResponse object class.
/**
 * OTPAuthenticationResponse.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPAuthenticationResponse plug-in bean class
 */
public class OTPAuthenticationResponse extends
        com.rsa.acsp.AcspAuthenticationResponse
{
}

AuthStatusResponse Object
The Authentication Plug-In AuthStatusResponse object contains the data elements
returned for an AuthStatus request. The AuthStatusResponse object derives from the
AcspAuthStatusResponse class and is returned when the AuthStatus command is
called in an Authentication Plug-In interface. The following code sample shows a
generated OTPAuthStatusResponse object class.
/**
 * OTPAuthStatusResponse.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPAuthStatusResponse plug-in bean class
 */
public class OTPAuthStatusResponse extends
        com.rsa.acsp.AcspAuthStatusResponse
{
}

ChallengeResponse Object
The Authentication Plug-In ChallengeResponse object contains the data elements
returned for a Challenge request. The ChallengeResponse object derives from the
AcspChallengeResponse class and is returned when the Challenge command is called
in an Authentication Plug-In interface. The following code sample shows a generated
OTPChallengeResponse object class.
/**
 * OTPChallengeResponse.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPChallengeResponse plug-in bean class
 */
public class OTPChallengeResponse extends
        com.rsa.acsp.AcspChallengeResponse
{
    /**
     * field for otp
     */
    private java.lang.String otp;

    /**
     * Auto generated getter method
     * @return java.lang.String
     */
    public java.lang.String getOtp()
    {
        return otp;
    }

    /**
     * Auto generated setter method
     * @param param otp
     */
    public void setOtp(java.lang.String param)
    {
        this.otp = param;
    }
}

ManagementResponse Object
The Authentication Plug-In ManagementResponse object contains the data elements
returned for a Management request. The ManagementResponse object derives from
the AcspManagementResponse class and is returned when the Management command
is called in an Authentication Plug-In interface. The following code sample shows a
generated OTPManagementResponse object class.
/**
 * OTPManagementResponse.java
 *
 * This file was auto-generated from Schema
 * by RSA Authentication Plug-In SDK
 */
package com.rsa.csd;

/**
 * OTPManagementResponse plug-in bean class
 */
public class OTPManagementResponse extends
        com.rsa.acsp.AcspManagementResponse
{
}

CallStatus Object
Each response object returned by the Authentication Plug-In must contain the status
indication of the action performed by the Authentication Plug-In and the reason for any
failure.
The status is set by using the infrastructural method setStatus(CallStatus), which
is available on each response object. The status must be set in each business flow;
otherwise, the system throws an exception.
To create a CallStatus object, use one of the following options:
• Constants:
  CallStatus.OK: common OK status
  CallStatus.SYSTEM_ERROR: unknown system error
  CallStatus.INVALID_USER_REQUEST: invalid request supplied
• CallStatus constructor new CallStatus(CallStatusCode, StatusDescription), where
  CallStatusCode may be one of the following values:
  CallStatusCode.UNSUPPORTED: operation is not supported
  CallStatusCode.ERROR: operation ended with an error
  CallStatusCode.FAIL: operation ended with a business failure
  CallStatusCode.SUCCESS: operation succeeded
  CallStatusCode.PENDING: operation has not yet been completed
  If you use the CallStatus constructor and the CallStatusCode is PENDING, the result
  is unknown. The StatusDescription may be created from free text, for example, new
  StatusDescription("My Reason"), or taken from one of the following values:
  StatusDescription.NONE: no reason specified
  StatusDescription.CHECKING_NONEXISTENT_CHALLENGE: challenge
  must be sent before authenticating the user
  StatusDescription.SYSTEM_ERROR: unknown system error
  StatusDescription.INVALID_CHALLENGE_CONTACT: wrong user data
  StatusDescription.MISUSE_COLLECTION_FLOW: collection flow misuse
  StatusDescription.INVALID_REQUEST: invalid request
  StatusDescription.UNSUPPORTED_METHOD: unsupported method
  StatusDescription.NO_ACTION_SPECIFIED: no action specified
The following code sample is an OTP example.
private void populateStatus(AcspResponse response,
                            CallStatusCode statusCode, String statusDescription)
{
    response.setStatus(new CallStatus(statusCode,
            new StatusDescription(statusDescription)));
}


The following class figure shows the CallStatus object and related classes.


5 API Implementation Interfaces


This chapter describes interfaces provided by RSA Adaptive Authentication
(On-Premise) for implementing your organization's code together with the
SDK-generated code to integrate the Authentication Plug-In.
Four interfaces must be implemented to develop an Authentication Plug-In. The first
three of the following interfaces are implemented to enable your organization's code
to be plugged into the generic system. The fourth interface contains your business
logic:
• Core Object Factory is responsible for plug-in implementation class initialization
  and for accessing generated core objects.
• Generated Object Factory is responsible for accessing generated Axis objects.
• Extension Mapper Factory is responsible for integrating generated Axis objects
  with the core system.
• Plug-In Implementation object contains the actual business logic for the
  Authentication Plug-In.

Core Object Factory


The Authentication Plug-In factory is responsible for creating the Authentication
Plug-In implementation object and must implement the AcspFactory interface. The
following table describes the Authentication Plug-In factory methods.

Method: public Acsp createAcsp(AcspContext acspContext, RequestContext requestContext)
Description: Creates an Authentication Plug-In implementation object.
Parameters:
  AcspContext: A wrapper class containing Authentication Plug-In related data, for
  example, configuration settings and a Logger object.
  RequestContext: Contains the request session related data.

Method: All the getter methods for the Request and Response objects used by the
Authentication Plug-In
Description: These objects are the POJO-generated objects that do not contain any
Axis code.
Parameters: none

The following class figure shows the Core Object Factory interface.

The following is an OTP code sample.


package com.rsa.csd;

import com.rsa.acsp.*;
import com.otp.OTP;   // the OTP implementation class lives in package com.otp

/**
 * Created by IntelliJ IDEA.
 * User: John Smith
 * Date: May 6, 2009
 * Time: 1:51:29 PM
 * This factory implementation:
 * 1) creates an Authentication Plug-In instance of OTP Authentication Plug-In
 * 2) creates all the Plug-In core requests and responses
 */
public class OTPFactory implements AcspFactory
{
    /**
     * Create implementation of OTP Authentication Plug-In
     * @param acspContext Authentication Plug-In context responsible for
     *        handling Authentication Plug-In related stuff, like configuration etc.
     * @param requestContext request context responsible for handling all the
     *        business data
     * @return Authentication Plug-In implementation
     */
    public Acsp createAcsp(AcspContext acspContext, RequestContext requestContext)
    {
        return new OTP(acspContext, requestContext);
    }

    /**
     * Get core Authentication Plug-In authentication request for OTP
     * @return core Authentication Plug-In authentication request for OTP
     */
    public AcspAuthenticationRequest getCoreAcspAuthenticationRequest()
    {
        return new OTPAuthenticationRequest();
    }

    /**
     * Get core Authentication Plug-In authentication response for OTP
     * @return core Authentication Plug-In authentication response for OTP
     */
    public AcspAuthenticationResponse getCoreAcspAuthenticationResponse()
    {
        return new OTPAuthenticationResponse();
    }

    /**
     * Get core Authentication Plug-In management request for OTP
     * @return core Authentication Plug-In management request for OTP
     */
    public AcspManagementRequest getCoreAcspManagementRequest()
    {
        return new OTPManagementRequest();
    }

    /**
     * Get core Authentication Plug-In management response for OTP
     * @return core Authentication Plug-In management response for OTP
     */
    public AcspManagementResponse getCoreAcspManagementResponse()
    {
        return new OTPManagementResponse();
    }

    /**
     * Get core Authentication Plug-In challenge request for OTP
     * @return core Authentication Plug-In challenge request for OTP
     */
    public AcspChallengeRequest getCoreAcspChallengeRequest()
    {
        return new OTPChallengeRequest();
    }

    /**
     * Get core Authentication Plug-In challenge response for OTP
     * @return core Authentication Plug-In challenge response for OTP
     */
    public AcspChallengeResponse getCoreAcspChallengeResponse()
    {
        return new OTPChallengeResponse();
    }

    /**
     * Get core Authentication Plug-In auth status request for OTP
     * @return core Authentication Plug-In auth status request for OTP
     */
    public AcspAuthStatusRequest getCoreAcspAuthStatusRequest()
    {
        return new OTPAuthStatusRequest();
    }

    /**
     * Get core Authentication Plug-In auth status response for OTP
     * @return core Authentication Plug-In auth status response for OTP
     */
    public AcspAuthStatusResponse getCoreAcspAuthStatusResponse()
    {
        return new OTPAuthStatusResponse();
    }
}

Generated Object Factory


The Generated Object Factory is similar to the Core Object Factory in that it must
return all possible generated request and response object implementations that are
Axis dependent. The Generated Object Factory implements the AcspGenFactory
interface.
This factory returns the instance of an Extension Mapper Factory.


The developer must add to the code, generated by the Authentication Plug-In SDK, a
method called getEnumClassMappings() that will return a map that maps Axis style
classes to POJO classes. The following is an example of this code:
// requires java.util.HashMap and java.util.Map to be imported in the factory class
/**
 * Get enum class mappings map
 * @return enum class mappings map
 */
public Map getEnumClassMappings()
{
    Map enumClassMappings = new HashMap();
    // key: Axis-generated enum class, value: the matching POJO enum class
    enumClassMappings.put(org.myorg.ws.MyAxisEnum1.class,
            org.myorg.MyPOJOEnum1.class);
    enumClassMappings.put(org.myorg.ws.MyAxisEnum2.class,
            org.myorg.MyPOJOEnum2.class);
    enumClassMappings.put(org.myorg.ws.MyAxisEnum3.class,
            org.myorg.MyPOJOEnum3.class);
    return enumClassMappings;
}


The following class figure shows the Generated Object Factory interface.

The following is an OTP code sample.


package com.otp;

import axis.generic.AcspGenFactory;
import com.rsa.csd.ws.axis.generated.*;

/**
 * Created by IntelliJ IDEA.
 * User: John_Smith
 * Date: May 6, 2009
 * Time: 1:51:42 PM
 * Implementation for creation of generated requests and responses for
 * Authentication Plug-In
 */
public class OTPGenFactory implements AcspGenFactory
{
    public AcspAuthenticationRequest getGeneratedAcspAuthenticationRequest()
    {
        return new OTPAuthenticationRequest();
    }

    public AcspAuthenticationResponse getGeneratedAcspAuthenticationResponse()
    {
        return new OTPAuthenticationResponse();
    }

    public AcspManagementRequest getGeneratedAcspManagementRequest()
    {
        return new OTPManagementRequest();
    }

    public AcspManagementResponse getGeneratedAcspManagementResponse()
    {
        return new OTPManagementResponse();
    }

    public AcspChallengeRequest getGeneratedAcspChallengeRequest()
    {
        return new OTPChallengeRequest();
    }

    public AcspChallengeResponse getGeneratedAcspChallengeResponse()
    {
        return new OTPChallengeResponse();
    }

    public AcspAuthStatusRequest getGeneratedAcspAuthStatusRequest()
    {
        return new OTPAuthStatusRequest();
    }

    public AcspAuthStatusResponse getGeneratedAcspAuthStatusResponse()
    {
        return new OTPAuthStatusResponse();
    }
}

Extension Mapper Factory


As a part of the Authentication Plug-In SDK activation, an ExtensionMapper class is
generated. This infrastructural class is used by Axis and must not be changed by the
implementer.
This class retrieves the actual Axis class using the provided namespace and class
name. The ExtensionMapper must be exposed to allow the core system to retrieve the
classes used by the Authentication Plug-In, using the ExtensionMapperFactory
implementation. The ExtensionMapperFactory implementation must be derived from
the ExtensionMapperFactory and must implement the following method:
public Object resolveObject(String namespaceURI, String typeName, XMLStreamReader reader)
This method receives the namespace and the current object's class name, and delegates
the request to the ExtensionMapper of the Authentication Plug-In.

The following class figure shows the Extension Mapper factory.

The following is an OTP code sample.


package com.rsa.csd;

import axis.generic.ExtensionMapperFactory;
import com.rsa.csd.ws.ExtensionMapper;
import javax.xml.stream.XMLStreamReader;

/**
 * Extension Mapper Factory for OTP
 */
public class OTPExtensionMapperFactory implements ExtensionMapperFactory
{
    /**
     * @param namespaceURI namespace
     * @param typeName type name
     * @param reader reader
     * @return resolved object
     * @throws java.lang.Exception
     */
    public Object resolveObject(String namespaceURI, String typeName,
                                XMLStreamReader reader) throws Exception
    {
        // delegate to the SDK-generated ExtensionMapper of this plug-in
        return ExtensionMapper.getTypeObject(namespaceURI, typeName, reader);
    }
}


Authentication Plug-In Implementation Object


The Authentication Plug-In Implementation object class contains the actual
implementation of all business methods relevant to the Authentication Plug-In.
User-level data can be extracted from the Multi-Credential Framework (MCF)
infrastructure level, accessed and modified, and then stored in the Adaptive
Authentication system database. For additional details, see Storing Authentication
Plug-In Data.
This object implements the Authentication Plug-In interface and stores the data for the
user and the plug-in.
The following class figure shows the Plug-In implementation object interface.

The following is an OTP code sample.


package com.otp;

import com.rsa.acsp.*;
import com.rsa.csd.mcf.acsp.oob.util.TokenConfig;
import com.rsa.csd.mcf.acsp.oob.util.TokenUtility;
import com.otp.payload.*;
import com.passmarksecurity.PassMarkSystemFactory;
import com.passmarksecurity.config.PassMarkConfigException;
import org.apache.log4j.Logger;
import java.util.Map;

/**
 * Created by IntelliJ IDEA.
 * User: John_Smith
 * Date: May 6, 2012
 * Time: 1:51:19 PM
 * OTP implementation
 */
public class OTP implements Acsp   // Acsp: the plug-in interface that AcspFactory.createAcsp returns
{
    protected Logger log = Logger.getLogger(getClass());
    private AcspContext acspContext;
    private RequestContext requestContext;
    private String otpProperty;

    public void initialize()
    {
        log.info("OTP initialize!");
        otpProperty = null;
        if (acspContext != null)
        {
            // obtain the loaded configuration map
            Map configuration = acspContext.getConfiguration();
            if (configuration != null)
            {
                // lookup the OTP key in the configuration map
                otpProperty = (String) configuration.get("otpKey");
            }
        }
    }

    public void destroy()
    {
        log.info("Destroy OTP!");
    }

    public AcspManagementResponse manage(AcspManagementRequest request)
    {
        log.info("Manage OTP!");
        // create an empty management response (the CallStatus section requires
        // setStatus(...) on every response returned from a business flow)
        return new OTPManagementResponse();
    }

    public AcspAuthStatusResponse getAuthStatus(AcspAuthStatusRequest request)
    {
        log.info("OTP getAuthStatus!");
        throw new IllegalStateException(
                "getAuthStatus operation is not supported by OTP Authentication Plug-In");
    }

    public AcspChallengeResponse challenge(AcspChallengeRequest request)
    {
        log.info("OTP challenge!");
        try
        {
            // generate OTP as a token
            TokenConfig tokenConfig = (TokenConfig) PassMarkSystemFactory.getInstance()
                    .getConfigLookupManager().getConfigLookup()
                    .lookupObject("tokenConfiguration", null);
            if (tokenConfig == null)
            {
                log.error("Cannot create OTP with no token configurations - check configs");
                throw new RuntimeException("Token configuration is not found in configs "
                        + "for user with sessionId " + requestContext.getSessionId());
            }
            String otp = TokenUtility.generateRoamingToken(tokenConfig);
            // put the created OTP on RequestContext; it will be stored in the DB for future use
            requestContext.addToAdditionalInfo(otpProperty, otp);
            // create challenge response with OTP
            OTPChallengeResponse response = new OTPChallengeResponse();
            response.setOtp(otp);
            return response;
        }
        catch (PassMarkConfigException e)
        {
            log.error("Cannot create OTP with no token configurations - check configs");
            throw new RuntimeException("Token configuration is not found in configs "
                    + "for user with sessionid " + requestContext.getSessionId());
        }
    }

    public AcspAuthenticationResponse authenticate(AcspAuthenticationRequest request)
    {
        log.info("OTP authenticate!");
        // get OTP from request
        String otp = ((OTPAuthenticationRequest) request).getOtp();
        // get stored OTP from RequestContext
        Map additionalInfo = requestContext.getAdditionalInfo();
        String password = (String) additionalInfo.get(otpProperty);
        OTPAuthenticationResponse response = new OTPAuthenticationResponse();
        // check whether OTP matches and populate CallStatus accordingly
        if ((otp != null) && otp.equals(password))
        {
            response.setStatus(new CallStatus(CallStatusCode.SUCCESS,
                    new StatusDescription("OTP matches!")));
        }
        else
        {
            response.setStatus(new CallStatus(CallStatusCode.ERROR,
                    new StatusDescription("OTP doesn't match!")));
        }
        return response;
    }

    public OTP(AcspContext acspContext, RequestContext requestContext)
    {
        this.acspContext = acspContext;
        this.requestContext = requestContext;
    }
}

Storing Authentication Plug-In Data


The Authentication Plug-In implementer can store plug-in related data in the Adaptive
Authentication database in the following modes: session-level data and user-level
data.
This process, which is part of the Implementation object, is optional.

Session-Level Data
This data, which is always textual, is stored at the session level and is available during
the current session's execution.
For example, the OTP value is stored in the database during the Challenge request
execution. Later, when the Authentication request is executed, this data is extracted
from the database and matched with the data provided in the Authentication request.
The storage of the session-level data is limited to the session's life cycle: the
session-level data lives exactly as long as the session itself. When the session expires,
the session-level data is removed from the database.
Obtain the sessionData object before using the following API.
/**
 * Get map of string values
 * The map is cloned and its changes won't affect the actual data stored in the DB
 * @return map of string values
 */
public Map<String, String> getStringData();

/**
 * Add value to string map
 * @param key key
 * @param value string value
 */
public void addStringValue(String key, String value);

/**
 * Get value from string map
 * @param key key
 * @return string value
 */
public String getStringValue(String key);

/**
 * Update value in string map
 * @param key key
 * @param value string value
 */
public void updateStringValue(String key, String value);

/**
 * Delete value from string map
 * @param key key
 */
public void deleteStringValue(String key);

/**
 * Clear string map
 */
public void clearStringData();

/**
 * Clear all maps
 */
public void clearAll();

Examples:
// store OTP value on the session level data
sessionData().addStringValue("OTP", "172872");

// obtain OTP value from the session level data
String OTP = sessionData().getStringValue("OTP");

User-Level Data
This data contains the information that the Authentication Plug-In implementer wants
to store for a given user. The data can be textual or binary.
The data is available for all Authentication Plug-In methods that are not related to the
current session. The data can be updated in every Authentication Plug-In method. The
life cycle of the user-level data is the same as for the entire Authentication Plug-In. If
the plug-in is disabled for the user, the data is no longer available.
You can extract user-level data from the Adaptive Authentication database,
PassMarkDB, edit it, and then store it again.
Obtain the userData object before using the following API.
/**
 * Get map of string values
 * The map is cloned and its changes won't affect the actual data stored in the DB
 * @return map of string values
 */
public Map<String, String> getStringData();

/**
 * Add value to string map
 * @param key key
 * @param value string value
 */
public void addStringValue(String key, String value);

/**
 * Get value from string map
 * @param key key
 * @return string value
 */
public String getStringValue(String key);

/**
 * Update value in string map
 * @param key key
 * @param value string value
 */
public void updateStringValue(String key, String value);

/**
 * Delete value from string map
 * @param key key
 */
public void deleteStringValue(String key);

/**
 * Clear string map
 */
public void clearStringData();

/**
 * Clear all maps
 */
public void clearAll();

/**
 * Get map of binary values
 * The map is cloned and its changes won't affect the actual data stored in the DB
 * @return map of binary values
 */
public Map<String, byte[]> getBinaryData();

/**
 * Add binary value to binary map
 * @param key key
 * @param value binary value
 */
public void addBinaryValue(String key, byte[] value);

/**
 * Get binary value from binary map
 * @param key key
 * @return binary value
 */
public byte[] getBinaryValue(String key);

/**
 * Update binary value in binary map
 * @param key key
 * @param value binary value
 */
public void updateBinaryValue(String key, byte[] value);

/**
 * Delete binary value from binary map
 * @param key key
 */
public void deleteBinaryValue(String key);

/**
 * Clear binary map
 */
public void clearBinaryData();

Examples:
// store SSN value on the user level data
userData().addStringValue("SSN", "182987727");
// obtain SSN value from the user level data
String SSN = userData().getStringValue("SSN");
// update SSN value on the user level data
userData().updateStringValue("SSN", "180019273");
// remove SSN value from the user level data
userData().deleteStringValue("SSN");
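Added example (not from the guide or its OTP sample) that ties this section to the CallStatus Object section: a challenge/authenticate flow that keeps the OTP in session-level data, keeps a failed-attempt counter in user-level data, compares in constant time and consumes the OTP on success. The SessionData and UserData interface names, the MapData stand-in, the lock-out threshold and the use of SecureRandom in place of TokenUtility are assumptions; the guide lists the methods but not their types.

```java
package com.otp.example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Methods the guide lists for the sessionData object; the interface name is an assumption. */
interface SessionData {
    String getStringValue(String key);
    void addStringValue(String key, String value);
    void deleteStringValue(String key);
}

/** Methods the guide lists for the userData object; the interface name is an assumption. */
interface UserData {
    String getStringValue(String key);
    void addStringValue(String key, String value);
    void updateStringValue(String key, String value);
    void deleteStringValue(String key);
}

/** Constructed in-memory stand-in for the Adaptive Authentication database. */
class MapData implements SessionData, UserData {
    private final Map<String, String> values = new HashMap<String, String>();
    public String getStringValue(String key) { return values.get(key); }
    public void addStringValue(String key, String value) { values.put(key, value); }
    public void updateStringValue(String key, String value) { values.put(key, value); }
    public void deleteStringValue(String key) { values.remove(key); }
}

/** The CallStatusCode values an authenticate call can produce (names from the guide). */
enum Code { SUCCESS, FAIL, ERROR }
/** authenticate result; a plug-in wraps it as new CallStatus(CallStatusCode.code, new StatusDescription(description)) */
final class Outcome {
    final Code code;
    final String description;
    Outcome(Code code, String description) { this.code = code; this.description = description; }
}

public class OtpFlow {
    static final String OTP_KEY = "OTP";               // session-level: removed with the session
    static final String FAILURES_KEY = "OTP_FAILURES"; // user-level: survives across sessions
    static final int MAX_FAILURES = 5;                 // assumed lock-out threshold
    private final SecureRandom random = new SecureRandom();
    /** Challenge flow: generate a six-digit OTP and keep it only in session-level data. */
    public String challenge(SessionData session) {
        String otp = String.format("%06d", random.nextInt(1000000));
        session.addStringValue(OTP_KEY, otp);
        return otp; // handed to the delivery channel; never written to user-level data
    }

    /** Authenticate flow: constant-time compare, single-use OTP, user-level failure counter. */
    public Outcome authenticate(String submitted, SessionData session, UserData user) {
        String expected = session.getStringValue(OTP_KEY);
        if (expected == null) {
            // the condition the guide names StatusDescription.CHECKING_NONEXISTENT_CHALLENGE
            return new Outcome(Code.ERROR, "challenge must be sent before authenticating the user");
        }
        String stored = user.getStringValue(FAILURES_KEY);
        int failures = stored == null ? 0 : Integer.parseInt(stored);
        if (failures >= MAX_FAILURES) {
            session.deleteStringValue(OTP_KEY); // a locked user must not keep a live OTP
            return new Outcome(Code.FAIL, "OTP locked after " + failures + " failed attempts");
        }
        // MessageDigest.isEqual does not stop at the first differing byte
        boolean match = submitted != null && MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
        if (match) {
            session.deleteStringValue(OTP_KEY); // single use: a replay now takes the ERROR branch above
            if (stored != null) {
                user.deleteStringValue(FAILURES_KEY); // reset the counter after success
            }
            return new Outcome(Code.SUCCESS, "OTP matches");
        }
        // a wrong OTP is a business failure (CallStatusCode.FAIL), not a system ERROR
        if (stored == null) {
            user.addStringValue(FAILURES_KEY, "1");
        } else {
            user.updateStringValue(FAILURES_KEY, String.valueOf(failures + 1));
        }
        return new Outcome(Code.FAIL, "OTP does not match");
    }
    public static void main(String[] args) {
        OtpFlow flow = new OtpFlow();
        MapData session = new MapData(); // stand-ins for sessionData() and userData()
        MapData user = new MapData();
        String otp = flow.challenge(session);
        String wrongOtp = otp.equals("000000") ? "111111" : "000000";
        Outcome wrong = flow.authenticate(wrongOtp, session, user);
        Outcome right = flow.authenticate(otp, session, user);
        Outcome replay = flow.authenticate(otp, session, user);
        System.out.println("wrong: " + wrong.code + ", right: " + right.code + ", replay: " + replay.code);
    }
}
```

Because the counter lives in user-level data, it persists across sessions until a successful authentication resets it, whereas the OTP itself disappears with the session.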


A Installing the Authentication Plug-In


The Authentication Plug-In allows the RSA Adaptive Authentication (On-Premise)
system to use client-managed authentication.
This chapter provides information on installing and configuring the Authentication
Plug-In in the Adaptive Authentication (On-Premise) system.

Installation Workflow
The Authentication Plug-In allows the RSA Adaptive Authentication (On-Premise)
system to use client-managed authentication. The following is a high-level workflow
for the installation:
1. Install the Authentication Plug-In.
2. Download and uncompress the distribution package. For more information about
distribution package file listings, see the Release Notes.
3. Ensure that the Adaptive Authentication Core database is installed. For more
information, see the Installation and Upgrade Guide.

Note: If you are upgrading from version 6.0.2.1 (or earlier) and want to enable the
Authentication Plug-In, you must upgrade your existing Adaptive Authentication
Core database to 7.1 and install the latest version of Adaptive Authentication
(On-Premise). For more information, see the Installation and Upgrade Guide.

4. Shut down the application server.
5. Configure the Adaptive Authentication (On-Premise) system as required. For
more information, see the Operations Guide.
6. Edit the Authentication Plug-In configuration files, as described in this chapter.
7. Customize the Policy Management application, as described in this chapter.
8. Restart the application server.

Configuring the Authentication Plug-In for Adaptive Authentication


The Adaptive Authentication (On-Premise) system uses Spring files to define its
configuration settings. The Authentication Plug-In implementer must use the Spring
files to set the Authentication Plug-In configuration values so that the plug-in can be
loaded and retrieved by the Adaptive Authentication platform.
The platform loads the Authentication Plug-In configuration settings and passes them
to the Authentication Plug-In Implementation object through the AcspContext object
that, in turn, is passed to the object creation method.


The Authentication Plug-In configuration files must be placed in the Adaptive
Authentication platform configuration directory, together with the rest of the platform
configuration files.

Defining the Authentication Plug-In


The following entities must be defined, by the implementer, in a new configuration
file:
• Authentication Plug-In Internal Configuration
• Authentication Plug-In Type
• Authentication Plug-In Metadata
• Authentication Plug-In Metadata Entry

Note: All of the code represented in the examples below for Authentication Plug-In
internal configuration, type and metadata must be combined together into an XML file
and loaded by the system. For information on integrating this file, see Customizing
the Admin Application Configuration File.

Authentication Plug-In Internal Configuration


A map of keys and their values is defined in the bean implementation class
com.passmarksecurity.config.bean.ClassFreeBean. This map is
loaded as part of the AcspContext and used, if needed, in the Authentication
Plug-In business methods that are described in this guide.

Example
<bean class="com.passmarksecurity.config.bean.ClassFreeBean"
id="sampleConfiguration">
<property name="parameters">
<map>
<entry key="otpKey">
<value>otp</value>
</entry>
<entry key="otpKeyLength">
<value>5</value>
</entry>
</map>
</property>
</bean>


Authentication Plug-In Type


The following property values are defined in the bean implementation class
com.rsa.csd.mcf.acsp.generic.GenericAcspType:
• stringVal: The Authentication Plug-In name.
• implClass: com.rsa.csd.mcf.acsp.generic.AcspWrapper (Do not modify this
  value).
• authLevel: The authentication method level in the Risk Engine calculations.
• implFactory: Points to the fully qualified class name of the Core Object Factory,
  defined in Core Object Factory interface.
• isSync: Indicates whether the challenge flow is synchronous (Valid values are true
  and false).
• configuration: Points to the bean ID of the Internal Configuration, defined in
  Authentication Plug-In Internal Configuration.
• sessionTimeOut: The available time in seconds allowed for response to the
  authentication method before the authentication session expires. The default value
  is 600 seconds.
• shouldCreAsFraud: A Boolean value that determines whether or not to notify the
  Risk Engine of events which are suspected fraud. If False, notification is delayed
  until the authentication method session expires. The default is True.
The following code is an example of an Authentication Plug-In configuration with
session time-out and fraud parameters configured in a bean:
<bean class="com.rsa.csd.mcf.acsp.generic.GenericAcspType" id="OTP_TYPE">
  <property name="stringVal">
    <value>OTP</value>
  </property>
  <property name="implClass">
    <value>com.rsa.csd.mcf.acsp.generic.AcspWrapper</value>
  </property>
  <property name="authLevel">
    <value>650</value>
  </property>
  <property name="implFactory">
    <value>com.rsa.csd.OTPFactory</value>
  </property>
  <property name="isSync">
    <value>true</value>
  </property>
  <property name="configuration">
    <ref bean="otpConfiguration"/>
  </property>
  <property name="sessionTimeOut">
    <value>600</value>
  </property>
  <property name="shouldCreAsFraud">
    <value>true</value>
  </property>
</bean>

Authentication Plug-In Metadata


The following property values are defined in the bean implementation class
com.rsa.csd.mcf.acsp.AcspMetaData:
• acspType: Points to the ID of the Authentication Plug-In type, defined in
  Authentication Plug-In Type.
• acspStatusString: ACTIVE (Do not modify this value)
• billFlag: true (Do not modify this value)
• encrypted: Indicates whether the user-level data, stored in the Core database, is
  encrypted (Valid values are true and false)

Note: You can change the encryption of any of the out-of-the-box or user-installed
Authentication Plug-Ins in the Adaptive Authentication (On-Premise) system. The
default value for Knowledge-Based Authentication (KBA) and SMS encryption is
true.

Example
<bean class="com.rsa.csd.mcf.acsp.AcspMetaData"
      id="SAMPLE_METADATA">
  <property name="acspType">
    <ref bean="SAMPLE_TYPE"/>
  </property>
  <property name="acspStatusString">
    <value>ACTIVE</value>
  </property>
  <property name="billFlag">
    <value>true</value>
  </property>
  <property name="encrypted">
    <value>true</value>
  </property>
</bean>

Authentication Plug-In Metadata Entry


This bean contains a reference to the metadata and the Generated Object Factory
beans.
The following property values are defined in the bean implementation class
axis.generic.GenericMetadataListEntry:
• metadata: Points to the ID of the Authentication Plug-In metadata defined in
  Authentication Plug-In Metadata.
• factory: Points to the fully qualified class name of the Generated Object Factory,
  defined in the Generated Object Factory interface.

Example
<bean class="com.rsa.csd.mcf.acsp.generic.GenericMetadataListEntry"
      id="OTP_METADATA_ENTRY">
  <property name="metadata">
    <ref bean="SAMPLE_METADATA"/>
  </property>
  <property name="factory">
    <value>org.sample.AcspSampleGenFactory</value>
  </property>
</bean>

Customizing Existing Configuration Files


The new Authentication Plug-In metadata entry must be added to the metadata list
bean, which is defined in the c-config-acsp.xml configuration file. The entry name
must match the one described in Authentication Plug-In Metadata Entry.

Note: Make sure that you update the list of authentication method parameters in the
Authentication Methods component of the Administration Console so that the entry
name appears in the Administration Console.

Example
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
  "http://www.springframework.org/dtd/spring-beans.dtd">
<bean class="com.rsa.csd.mcf.acsp.generic.GenericMetadataList"
      id="genericMetadataList">
  <!--
    add ACSP metadata entries here
  -->
  <property name="metadataList">
    <list>
      <ref bean="OTP_METADATA_ENTRY"/>
      <ref bean="KBA_METADATA_ENTRY"/>
      <ref bean="OOBSMS_METADATA_ENTRY"/>
    </list>
  </property>
</bean>

Customizing the Admin Application Configuration File


All of the settings for the RSA Adaptive Authentication (On-Premise) configuration
must also be performed for the Adaptive Authentication Admin configuration.

Customizing the Policy Management Application


After you install the Authentication Plug-In, you can add the new authentication
methods to the list of methods available for use in the Policy Management application.
You can do this using the Authentication Methods parameter located in the
Authentication Methods component of the Administration Console. For more
information, see the chapter Configure Authentication Methods in the Operations
Guide.
When you add an authentication method to the Policy Management application, you
can then apply that method to new rules. You do this by choosing the Challenge
action when you create a new rule or edit an existing rule in Policy Management. You
can then select the appropriate authentication method. For more information, see the
chapter Rule Management in the Back Office Users Guide.

Integrating the XSD File


To integrate your customized schema (XSD file) with the complete Adaptive
Authentication WSDL, perform the steps below. This is necessary if you want to
regenerate the SOAP client stub with the newly added XSD.
1. Place the customized XSD file together with other generic WSDL code and the
XSD files in the application server environment. For the Adaptive Authentication
web application, copy the new XSD file and all the modified XSD files into the
META-INF folder of the WEB-INF/services/aa-ws-6.0.2.1-*.jar file. This
means that you unzip this .jar file, copy the new XSD file into the META-INF
folder, adapt ACSPImport.xsd, and repack everything. The .jar file can be
packed and unpacked with the zip and unzip commands.
2. Verify that ACSPImport.xsd contains an import statement to import the
customized XSD file. The following is an example of an ACSPImport.xsd:
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:rsa_csd="http://ws.csd.rsa.com"
            xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
            targetNamespace="http://ws.csd.rsa.com"
            xmlns="http://www.w3.org/2001/XMLSchema"
            elementFormDefault="qualified">
    <xsd:import namespace="http://your.namespace"
                schemaLocation="Sample.xsd"/>
</xsd:schema>
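The two steps above carried out in code, as an added example that is not RSA's own tooling: it uses Python's zipfile module in place of the zip and unzip commands, adds the import to ACSPImport.xsd inside the jar without disturbing the other entries, and then checks that every schema the import list names is actually present in META-INF. The demo jar, the sample schema, the file name Sample.xsd and the namespace http://your.namespace are constructed stand-ins for your real aa-ws jar and customized XSD.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
XSD_NS = "http://www.w3.org/2001/XMLSchema"
ET.register_namespace("xsd", XSD_NS)  # keep the xsd: prefix when re-serialising
IMPORT_TAG = "{%s}import" % XSD_NS
ACSP_IMPORT_XSD = (b'<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" '  # constructed: before step 2
                   b'targetNamespace="http://ws.csd.rsa.com" elementFormDefault="qualified"/>')
SAMPLE_XSD = b'<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://your.namespace"/>'  # constructed

def ensure_import(acsp_import_xml: bytes, namespace: str, location: str) -> bytes:
    """Step 2: add the <xsd:import>; idempotent, and never silently rebinds a namespace."""
    root = ET.fromstring(acsp_import_xml)
    for imp in root.findall(IMPORT_TAG):
        if imp.get("namespace") == namespace:
            if imp.get("schemaLocation") != location:
                raise ValueError("%s already imported from %s" % (namespace, imp.get("schemaLocation")))
            return acsp_import_xml  # already imported: nothing to change
    root.insert(0, ET.Element(IMPORT_TAG, {"namespace": namespace, "schemaLocation": location}))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def add_custom_xsd(jar_path: str, xsd_name: str, xsd_bytes: bytes, namespace: str) -> None:
    """Step 1: unpack, patch and repack the jar; every other entry is copied unchanged."""
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(jar_path + ".tmp", "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == "META-INF/" + xsd_name:
                continue  # a stale copy of the customized XSD is replaced below
            data = src.read(info)
            if info.filename == "META-INF/ACSPImport.xsd":
                data = ensure_import(data, namespace, xsd_name)
            dst.writestr(info, data)
        dst.writestr("META-INF/" + xsd_name, xsd_bytes)
    os.replace(jar_path + ".tmp", jar_path)  # atomic swap: a failure above never leaves a half-written jar

def verify_jar(jar_path: str) -> dict:
    """Map namespace -> schemaLocation for each import; fail on a dangling import."""
    with zipfile.ZipFile(jar_path) as jar:
        root = ET.fromstring(jar.read("META-INF/ACSPImport.xsd"))
        found = {i.get("namespace"): i.get("schemaLocation") for i in root.findall(IMPORT_TAG)}
        missing = [loc for loc in found.values() if "META-INF/" + loc not in jar.namelist()]
    if missing:
        raise FileNotFoundError("imported schema(s) not in META-INF: %s" % missing)
    return found

def build_demo_jar() -> str:  # constructed stand-in for the aa-ws jar, written to a temp dir
    path = os.path.join(tempfile.mkdtemp(), "aa-ws-demo.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        jar.writestr("META-INF/ACSPImport.xsd", ACSP_IMPORT_XSD)
    return path
```

Running add_custom_xsd twice with the same arguments leaves the jar unchanged, while a second schemaLocation for an already imported namespace is rejected before the original jar is touched.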
