IBM Verify

Looking for documentation about creating an authentication mechanism

  • 1.  Looking for documentation about creating an authentication mechanism

    Posted Mon March 02, 2020 10:55 AM
    Hi Community,

    When I search for information about creating a custom authentication mechanism, I am pointed toward a wiki page on the developerWorks site. Since developerWorks no longer works (pun intended), the information is not available that way (check "Developing from ISAM documentation" on the Software Development Kit page of v9.0.7).

    I want to write a RADIUS client (similar to what can be found in the DataPower appliance) using this framework and an open source Java library for a RADIUS client (e.g. tinyradius or jradius).

    Please help by pointing me to the information that was on developerWorks before.

    Thanks.

    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------


  • 2.  RE: Looking for documentation about creating an authentication mechanism

    Posted Fri March 06, 2020 05:02 AM
    Hi Peter,

    You probably know this but, for completeness, the methods for creating a custom authentication system are:
      (1) JavaScript InfoMap in AAC Authentication Service
      (2) Java (OSGi) extension for AAC Authentication Service
      (3) An external "login" application connected with EAI

    Right now, the recommendation is to use (1) where possible.  The JavaScript mechanisms provide the most lightweight approach and are also well sandboxed at runtime to avoid issues in the authentication code impacting the operation of the wider system.  I'm not sure if you have access to the native UDP calls that would be needed to interface with a RADIUS server though.

    Option (2), which is the one you're asking about I think, is not really recommended.  Methods running in this way are running in the Java context of the AAC process, and so issues in the custom code can impact the stability of the AAC engine.  I can imagine there might be concerns with Java compatibility when upgrading ISAM versions too.  The only advantage I know of with using this approach is the ability to load additional classes which wouldn't be available from JavaScript (because of the sandboxing that is present to avoid issues).  You might be able to get access to UDP networking with this approach (I haven't tried it).

    One alternative to option (2) is to use option (3) - in this case you have full control of your login process, and it won't impact AAC processes because it is hosted outside of the Access Manager system.  Another similar approach would be to create an externally hosted REST service to perform the backend logic for the login process and then interface with this using a JavaScript InfoMap (there are HTTPClient helper classes available for this).

    If you still want to look at option (2), then the only asset I have is a video I recorded a long time ago which references the interface and shows some of the process of creation in RAD.  I know it can be done in Eclipse too:
    https://ibm.box.com/s/314kr7v3bhnxqfyevyhn982i4frpy6ca

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
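
Whichever of the three integration options is chosen, the backend logic Peter wants is a RADIUS client, and Jon's note about UDP access is the practical constraint. The following is an added example, not code from either post and not tied to the ISAM extension framework: the RFC 2865 Access-Request / Access-Accept exchange with a PAP User-Password, both sides implemented with the Python standard library so the round trip runs offline. The shared secret, the user table and the NAS-Identifier are constructed values; a real deployment would send the request over UDP port 1812 to the RADIUS server and keep only the client half.

```python
"""Minimal RFC 2865 RADIUS exchange (PAP), standard library only.

Client side: build an Access-Request with a random Request Authenticator and
an obfuscated User-Password, then verify the server's Response Authenticator.
Server side (toy, for the offline round trip): recover the password, check
the constructed user table, and sign the reply.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed values for the example; not real credentials.
SHARED_SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse battery"}  # 21 octets: exercises 2 blocks


def _attr(attr_type, value):
    """Type-Length-Value encoding; Length covers the 2 header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad with NULs to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(cipher, secret, request_auth):
    """Inverse of encrypt_password; trailing NUL padding is removed (so a
    password that genuinely ends in NUL octets is not representable in PAP)."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_id=b"login-service"):
    """Return (packet, request_authenticator); the caller keeps the authenticator
    to verify the reply."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_attributes(body):
    """Walk the TLV list, rejecting attributes that run past the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, identifier, length, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


def server_handle(packet, secret, users):
    """Toy server: decrypt the PAP password, look the user up, sign the reply."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = attrs.get(ATTR_USER_NAME) in users and users[attrs[ATTR_USER_NAME]] == password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, identifier, 20, request_auth, b"", secret)
    return struct.pack("!BBH", reply_code, identifier, 20) + resp_auth


def client_verify(reply, request_auth, expected_id, secret):
    """Return the reply code, or None if the reply is not a valid answer to our
    request (wrong ID, bad length, or a Response Authenticator that does not verify)."""
    if len(reply) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != expected_id or length != len(reply):
        return None
    expected = response_authenticator(code, identifier, length, request_auth, reply[20:], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def authenticate(username, password, secret=SHARED_SECRET, users=USERS, identifier=7):
    """Offline round trip: True only on an Access-Accept whose authenticator verifies."""
    request, request_auth = build_access_request(identifier, username, password, secret)
    reply = server_handle(request, secret, users)
    return client_verify(reply, request_auth, identifier, secret) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice/correct:", authenticate(b"alice", b"correct horse battery"))
    print("alice/wrong:  ", authenticate(b"alice", b"wrong"))
```

Two points a practitioner should take from this: the User-Password attribute is only obfuscated with MD5 keyed by the shared secret, not encrypted in any modern sense, and the Response Authenticator is the only thing standing between the client and a spoofed Access-Accept, which is why `client_verify` refuses any reply whose authenticator or Identifier does not match. Plain RADIUS therefore belongs on a trusted network segment or inside a protected transport such as RadSec (RADIUS over TLS, RFC 6614) or IPsec, independent of whether the client is hosted in an InfoMap, an OSGi extension or an external EAI service.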