The Access Label Process
Use the following procedure to create an access label.
To create an access label:
1. Configure the Broker.
The Broker uses clients connected to the system-defined client group accessLabelAdapter for access label lookups. You can use an ACL on the client group to restrict access to trusted adapters.
2. Start the ALA.
Multiple ALAs can be connected to a single Broker, and a single ALA can be connected to multiple Brokers. Client group replication helps support this usage by distributing the ACL. It is up to you to maintain consistency across multiple instances of the ALA.
The adapter does not need to make any subscriptions.
In a trusted system, the ALA should use SSL and have a certificate that matches one listed in the client group ACL.
3. Create the Broker client.
The creation of the client includes an application-defined hint string.
4. The Broker asks for an access label.
The Broker builds a Broker::ALA::lookup request document to get an access label for the client. The document includes the client user information (DN and issuer DN) and the application-defined hint string.
5. The Broker delivers the document to one of the connected ALAs.
If there are no ALAs running on the Broker, the lookup fails and the client does not get an access label.
6. The ALA returns an access label.
The ALA can make one of two responses to each label request: an access label or an error.
* A successful response (Broker::ALA::label) includes the access label.
* A failure response (Broker::ALA::error) includes an error type, DN, and optional error detail.
A response takes the form of a document delivered to the local Broker.
The ALA should be coded to ignore documents not from the local Broker (for example: check that _env.pubId is equal to "//brokername").
The ALA should send its reply using awDeliverReplyEvent (or the equivalent Java API function) to make sure the envelope is properly set up. If the ALA does not use this function, the _env.tag field from the Broker::ALA::lookup document will not be copied over, and the result of the lookup will affect all outstanding lookup requests for that client's owning user.
The ALA should also copy the user and authenticator values from the request to the response. If the ALA does not copy these values, no clients will receive the labels.
7. The Broker gets a response from the ALA.
The Broker handles each kind of ALA response:
| ALA Response | Broker Action |
| --- | --- |
| Broker::ALA::label | The Broker assigns the access label to the requesting client if this document includes a tag. If the tag is not set, any clients with pending requests for that user (DN and issuer DN) are updated. |
| Broker::ALA::error | Any clients with pending requests for that user (DN and issuer DN) get a failure code. |
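
The following added example (not part of the Broker documentation and not the product's own code) models steps 4 through 7 with plain Python dicts, to show why the ALA must check _env.pubId and why a reply that loses _env.tag resolves every pending lookup for the same user. Apart from _env.pubId, _env.tag, user and authenticator, the field names (type, hint, label, errorType, dn), the sample DNs and the policy table are assumptions made for illustration.

```python
# Simplified model of the lookup/reply exchange. Dicts stand in for Broker
# documents; nothing here calls the webMethods Broker client API.
LOCAL_BROKER = "//brokername"  # publisher ID from the page's example check

def ala_reply(doc, policy):
    """ALA side: answer one Broker::ALA::lookup, or return None to ignore it."""
    env = doc.get("_env", {})
    if doc.get("type") != "Broker::ALA::lookup" or env.get("pubId") != LOCAL_BROKER:
        return None  # not from the local Broker: never answer it
    reply = {
        "_env": {"tag": env.get("tag")},        # the copy awDeliverReplyEvent makes
        "user": doc["user"],                    # copied from the request
        "authenticator": doc["authenticator"],  # copied from the request
    }
    label = policy.get((doc["user"], doc["authenticator"], doc.get("hint")))
    if label is None:
        reply.update(type="Broker::ALA::error", errorType="no-policy", dn=doc["user"])
    else:
        reply.update(type="Broker::ALA::label", label=label)
    return reply

def broker_apply(reply, pending):
    """Broker side. pending maps tag -> (user, authenticator, client_id).
    Returns {client_id: label or "FAILED"} for every client this reply resolves."""
    tag = reply["_env"].get("tag")
    who = (reply.get("user"), reply.get("authenticator"))
    is_label = reply["type"] == "Broker::ALA::label"
    if is_label and tag is not None:
        tags = [tag] if tag in pending and pending[tag][:2] == who else []
    else:  # untagged label, or any error: every pending request of that user
        tags = [t for t, p in pending.items() if p[:2] == who]
    outcome = reply["label"] if is_label else "FAILED"
    return {pending.pop(t)[2]: outcome for t in tags}

# Constructed sample data: one user, two clients created with different hints.
USER, ISSUER = "CN=app1,O=Example", "CN=Example CA"
POLICY = {(USER, ISSUER, "hr"): "label-hr", (USER, ISSUER, "finance"): "label-fin"}

def lookup(tag, hint, pub_id=LOCAL_BROKER):
    return {"type": "Broker::ALA::lookup", "_env": {"pubId": pub_id, "tag": tag},
            "user": USER, "authenticator": ISSUER, "hint": hint}

def demo(strip_tag):
    pending = {1: (USER, ISSUER, "clientA"), 2: (USER, ISSUER, "clientB")}
    reply = ala_reply(lookup(1, "hr"), POLICY)
    if strip_tag:  # models a reply sent without awDeliverReplyEvent
        reply["_env"]["tag"] = None
    return broker_apply(reply, pending)
```

With the tag preserved, only the requesting client is resolved; with the tag missing, the second client of the same user receives the label computed for the first client's hint.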