IBM Security Web Gateway Appliance Version 7.0 Web Reverse Proxy Stanza Reference SC27-4443-01
Note: Before using this information and the product it supports, read the information in Notices on page 327.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2002, 2013.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

About this publication  ix
    Intended audience  ix
    Access to publications and terminology  ix
    Related publications  xii
    Accessibility  xiv
    Technical training  xiv
    Support information  xiv

Stanza reference  1

[acnt-mgt] stanza  1
    account-expiry-notification  1
    account-inactivated  1
    account-locked  2
    allow-unauthenticated-logout  3
    allowed-referers  3
    cert-failure  4
    cert-stepup-http  5
    certificate-login  5
    change-password-auth  6
    client-notify-tod  6
    enable-html-redirect  7
    enable-local-response-redirect  7
    enable-passwd-warn  8
    enable-secret-token-validation  9
    help  10
    http-rsp-header  10
    html-redirect  11
    login  11
    login-redirect-page  12
    login-success  13
    logout  13
    passwd-change  14
    passwd-change-failure  14
    passwd-change-success  15
    passwd-expired  15
    passwd-warn  16
    passwd-warn-failure  16
    redirect-to-root-for-pkms  17
    single-signoff-uri  17
    stepup-login  18
    switch-user  19
    temp-cache-response  19
    too-many-sessions  20
    use-restrictive-logout-filenames  20
    use-filename-for-pkmslogout  21
[auth-cookies] stanza  21
    cookie  21
[authentication-levels] stanza  22
    level  22
[aznapi-configuration] stanza  23
    audit-attribute  23
    auditcfg  23
    auditlog  24
    cache-refresh-interval  25
    cred-attribute-entitlement-services  25
    dynamic-adi-entitlement-services  26
    input-adi-xml-prolog  26
    listen-flags  27
    logaudit  27
    logclientid  28
    logcfg  28
    logflush  29
    logsize  30
    permission-info-returned  30
    policy-attr-separator  31
    policy-cache-size  31
    resource-manager-provided-adi  32
    xsl-stylesheet-prolog  33
[azn-decision-info] stanza  33
    azn-decision-info  33
[ba] stanza  34
    ba-auth  34
    basic-auth-realm  35
[cdsso] stanza  35
    authtoken-lifetime  35
    cdsso-argument  36
    cdsso-auth  36
    cdsso-create  37
    clean-cdsso-urls  37
    propagate-cdmf-errors  38
    use-utf8  38
[cdsso-incoming-attributes] stanza  39
    attribute_pattern  39
[cdsso-peers] stanza  40
    fully_qualified_hostname  40
[cdsso-token-attributes] stanza  40
    <default>  40
    domain_name  41
[certificate] stanza  42
    accept-client-certs  42
    cert-cache-max-entries  42
    cert-cache-timeout  43
    cert-prompt-max-tries  43
    disable-cert-login-page  44
    eai-data  45
    eai-uri  46
[cert-map-authn] stanza  47
    debug-level  47
    rules-file  47
[cfg-db-cmd:entries] stanza  48
    stanza::entry  48
[cfg-db-cmd:files] stanza  49
    files  49
[cluster] stanza  49
    is-master  50
    master-name  50
    max-wait-time  51
[compress-mime-types] stanza  51
    mime_type  51
[compress-user-agents] stanza  52
    pattern  52
[content] stanza  53
    utf8-template-macros-enabled  53
[content-cache] stanza  53
    MIME_type  53
[content-encodings] stanza  54
    extension  54
[content-index-icons] stanza  55
    type  55
[credential-policy-attributes] stanza  56
    policy-name  56
[credential-refresh-attributes] stanza  57
    attribute_name_pattern  57
    authentication_level  57
[dsess] stanza  58
    dsess-sess-id-pool-size  58
    dsess-cluster-name  58
[dsess-cluster] stanza  59
    basic-auth-user  59
    basic-auth-passwd  59
    gsk-attr-name  60
    handle-idle-timeout  61
    handle-pool-size  61
    response-by  62
    server  62
    ssl-fips-enabled  63
    ssl-keyfile  64
    ssl-keyfile-label  64
    ssl-keyfile-stash  65
    ssl-valid-server-dn  65
    timeout  66
[eai] stanza  66
    eai-auth  66
    eai-auth-level-header  67
    eai-flags-header  67
    eai-pac-header  68
    eai-pac-svc-header  68
    eai-redir-url-header  69
    eai-session-id-header  69
    eai-user-id-header  70
    eai-verify-user-identity  70
    eai-xattrs-header  71
    retain-eai-session  72
[eai-trigger-urls] stanza  72
    trigger  72
    trigger  73
[e-community-domains] stanza  74
    name  74
[e-community-domain-keys] stanza  74
    domain_name  74
[e-community-domain-keys:domain] stanza  75
    domain_name  75
[e-community-sso] stanza  75
    cache-requests-for-ecsso  75
    e-community-name  76
    disable-ec-cookie  76
    e-community-sso-auth  77
    ec-cookie-domain  77
    ec-cookie-lifetime  78
    ecsso-allow-unauth  78
    ecsso-propagate-errors  79
    handle-auth-failure-at-mas  79
    is-master-authn-server  80
    master-authn-server  80
    master-http-port  81
    master-https-port  82
    propagate-cdmf-errors  82
    use-utf8  83
    vf-argument  83
    vf-token-lifetime  84
    vf-url  84
[ecsso-incoming-attributes] stanza  85
    attribute_pattern  85
[ecsso-token-attributes] stanza  86
    <default>  86
    domain_name  86
[enable-redirects] stanza  87
    redirect  87
[failover] stanza  87
    clean-ecsso-urls-for-failover  87
    enable-failover-cookie-for-domain  88
    failover-auth  89
    failover-cookie-lifetime  89
    failover-cookies-keyfile  90
    failover-include-session-id  90
    failover-require-activity-timestamp-validation  91
    failover-require-lifetime-timestamp-validation  91
    failover-update-cookie  92
    reissue-missing-failover-cookie  92
    use-utf8  93
[failover-add-attributes] stanza  93
    attribute_pattern  93
    session-activity-timestamp  94
    session-lifetime-timestamp  94
[failover-restore-attributes] stanza  95
    attribute_pattern  95
    attribute_pattern  96
[filter-content-types] stanza  96
    type  96
[filter-events] stanza  97
    HTML_tag  97
[filter-request-headers] stanza  99
    header  99
[filter-schemes] stanza  100
    scheme  100
[filter-url] stanza  101
    HTML_tag  101
[flow-data] stanza  102
    flow-data-enabled  102
    flow-data-stats-interval  103
[forms] stanza  103
    allow-empty-form-fields  103
    forms-auth  104
[gso-cache] stanza  105
    gso-cache-enabled  105
    gso-cache-entry-idle-timeout  105
    gso-cache-entry-lifetime  106
    gso-cache-size  106
[header-names] stanza  107
    header-data  107
[http-transformations] stanza  108
    resource-name  108
[ICAP:<resource>] stanza  109
    URL  109
    transaction  110
    timeout  110
[illegal-url-substrings] stanza  111
    substring  111
[interfaces] stanza  111
    interface_name  111
[itim] stanza  112
    is-enabled  112
    itim-server-name  113
    itim-servlet-context  113
    keydatabase-file  114
    keydatabase-password  114
    keydatabase-password-file  115
    principal-name  116
    principal-password  116
    service-password-dn  117
    service-source-dn  118
    service-token-card-dn  119
    servlet-port  120
[jdb-cmd:replace] stanza  121
    jct-id=search-attr-value replace-attr-value  121
[junction] stanza  121
    allow-backend-domain-cookies  121
    basicauth-dummy-passwd  122
    crl-ldap-server  122
    crl-ldap-server-port  123
    crl-ldap-user  124
    crl-ldap-user-password  124
    disable-ssl-v2  125
    disable-ssl-v3  125
    disable-tls-v1  126
    disable-tls-v11  126
    disable-tls-v12  127
    dont-reprocess-jct-404s  127
    dynamic-addresses  128
    http-timeout  129
    https-timeout  130
    insert-client-real-ip-for-option-r  130
    io-buffer-size  131
    jct-cert-keyfile  131
    jct-cert-keyfile-stash  132
    jct-cert-keyfile-pwd  133
    jct-ocsp-enable  134
    jct-ocsp-max-response-size  134
    jct-ocsp-nonce-check-enable  135
    jct-ocsp-nonce-generation-enable  135
    jct-ocsp-proxy-server-name  136
    jct-ocsp-proxy-server-port  136
    jct-ocsp-url  137
    jct-ssl-reneg-warning-rate  137
    jct-undetermined-revocation-cert-action  138
    jmt-map  138
    managed-cookies-list  139
    mangle-domain-cookies  139
    match-vhj-first  140
    max-cached-persistent-connections  141
    max-webseal-header-size  142
    pass-http-only-cookie-attr  142
    persistent-con-timeout  143
    ping-method  144
    ping-time  144
    ping-uri  145
    recovery-ping-time  145
    reprocess-root-jct-404s  146
    reset-cookies-list  147
    response-code-rules  147
    share-cookies  148
    support-virtual-host-domain-cookies  149
    use-new-stateful-on-error  149
    validate-backend-domain-cookies  150
    worker-thread-hard-limit  151
    worker-thread-soft-limit  151
    disable-local-junctions  152
[junction:junction_name] stanza  152
[ldap] stanza  153
    auth-timeout  153
    auth-using-compare  153
    bind-dn  154
    bind-pwd  154
    cache-enabled  155
    cache-group-expire-time  155
    cache-group-membership  156
    cache-group-size  156
    cache-policy-expire-time  157
    cache-policy-size  157
    cache-return-registry-id  158
    cache-user-expire-time  158
    cache-user-size  159
    cache-use-user-cache  159
    default-policy-override-support  160
    enabled  160
    host  161
    login-failures-persistent  162
    max-search-size  162
    prefer-readwrite-server  163
    port  163
    replica  164
    search-timeout  165
    ssl-enabled  165
    ssl-keyfile  166
    ssl-keyfile-dn  166
    ssl-keyfile-pwd  167
    ssl-port  167
    timeout  168
    user-and-group-in-same-suffix  169
[local-response-macros] stanza  169
    macro  169
[local-response-redirect] stanza  170
    local-response-redirect-uri  170
[logging] stanza  171
    absolute-uri-in-request-log  171
    agents  171
    audit-mime-types  172
    audit-response-codes  173
    flush-time  173
    gmt-time  174
    host-header-in-request-log  174
    log-invalid-requests  175
    max-size  175
    referers  176
    requests  176
    request-log-format  177
    server-log-cfg  178
[ltpa] stanza  180
    ltpa-auth  180
    cookie-name  180
    cookie-domain  181
    jct-ltpa-cookie-name  181
    keyfile  182
    update-cookie  182
    use-full-dn  183
[ltpa-cache] stanza  184
    ltpa-cache-enabled  184
    ltpa-cache-entry-idle-timeout  184
    ltpa-cache-entry-lifetime  185
    ltpa-cache-size  185
[mpa] stanza  186
    mpa  186
[oauth-eas] stanza  186
    apply-tam-native-policy  186
    bad-gateway-rsp-file  187
    bad-request-rsp-file  187
    cache-size  188
    cluster-name  189
    default-fed-id  189
    default-mode  190
    fed-id-param  190
    mode-param  191
    realm-name  192
    trace-component  192
    unauthorized-rsp-file  193
[obligations-levels-mapping] stanza  193
    obligation  193
[p3p-header] stanza  194
    access  194
    categories  195
    disputes  197
    non-identifiable  197
    p3p-element  198
    purpose  198
    recipient  200
    remedies  201
    retention  202
[PAM] stanza  202
    pam-enabled  202
    pam-max-memory  203
    pam-use-proxy-header  203
    pam-http-parameter  204
    pam-coalescer-parameter  204
    pam-log-cfg  205
    pam-log-audit-events  206
    pam-disabled-issues  207
    pam-resource-rule  207
[pam-resource:<uri>] stanza  208
    pam-issue  208
[preserve-cookie-names] stanza  209
    name  209
[process-root-filter] stanza  210
    root  210
[reauthentication] stanza  210
    reauth-at-any-level  210
    reauth-extend-lifetime  211
    reauth-for-inactive  211
    reauth-reset-lifetime  212
    terminate-on-reauth-lockout  212
[replica-sets] stanza  213
    replica-set  213
[rtss-eas] stanza  213
    apply-tam-native-policy  214
    audit-log-cfg  214
    cluster-name  216
    context-id  216
    trace-component  217
[rtss-cluster:<cluster>] stanza  217
    basic-auth-user  217
    basic-auth-passwd  218
    handle-idle-timeout  218
    handle-pool-size  219
    server  219
    ssl-fips-enabled  220
    ssl-keyfile  221
    ssl-keyfile-label  221
    ssl-keyfile-stash  222
    ssl-valid-server-dn  223
    timeout  223
[script-filtering] stanza  224
    hostname-junction-cookie  224
    rewrite-absolute-with-absolute  224
    script-filter  225
[server] stanza  226
    allow-shift-jis-chars  226
    allow-unauth-ba-supply  226
    allow-unsolicited-logins  227
    auth-challenge-type  227
    cache-host-header  228
    capitalize-content-length  229
    client-connect-timeout  230
    chunk-responses  230
    concurrent-session-threads-hard-limit  231
    concurrent-session-threads-soft-limit  231
    connection-request-limit  232
    cope-with-pipelined-request  232
    decode-query  233
    disable-timeout-reduction  233
    double-byte-encoding  234
    dynurl-allow-large-posts  235
    dynurl-map  235
    enable-ie6-2gb-downloads  236
    filter-nonhtml-as-xhtml  236
    force-tag-value-prefix  237
    http  238
    http-method-disabled-local  238
    http-method-disabled-remote  239
    http-port  239
    https  240
    https-port  240
    ignore-missing-last-chunk  241
    intra-connection-timeout  241
    io-buffer-size  242
    ip-support-level  242
    ipv6-support  243
    late-lockout-notification  244
    max-client-read  244
    max-file-cat-command-length  245
    max-file-descriptors  245
    max-idle-persistent-connections  246
    network-interface  247
    persistent-con-timeout  247
    pre-410-compatible-tokens  248
    pre-510-compatible-token  248
    preserve-base-href  249
    preserve-base-href2  249
    preserve-p3p-policy  250
    process-root-requests  250
    redirect-using-relative  251
    reject-invalid-host-header  252
    reject-request-transfer-encodings  252
    request-body-max-read  253
    request-max-cache  253
    send-header-ba-first  254
    send-header-spnego-first  255
    server-name  255
    slash-before-query-on-redirect  256
    strip-www-authenticate-headers  257
    suppress-backend-server-identity  257
    suppress-dynurl-parsing-of-posts  258
    suppress-server-identity  258
    tag-value-missing-attr-tag  259
    use-existing-username-macro-in-custom-redirects  259
    use-http-only-cookies  260
    utf8-form-support-enabled  261
    utf8-qstring-support-enabled  261
    utf8-url-support-enabled  262
    validate-query-as-ga  262
    web-host-name  263
    web-http-port  263
    web-http-protocol  264
    worker-threads  264
[session] stanza  265
    dsess-enabled  265
    dsess-last-access-update-interval  265
    enforce-max-sessions-policy  266
    inactive-timeout  266
    logout-remove-cookie  267
    max-entries  268
    prompt-for-displacement  268
    register-authentication-failures  269
    require-mpa  269
    resend-webseal-cookies  270
    send-constant-sess  270
    shared-domain-cookie  271
    ssl-id-sessions  272
    ssl-session-cookie-name  272
    standard-junction-replica-set  273
    tcp-session-cookie-name  273
    temp-session-cookie-name  274
    temp-session-max-lifetime  274
    timeout  275
    update-session-cookie-in-login-request  275
    user-session-ids  276
    user-session-ids-include-replica-set  277
    use-same-session  277
[session-cookie-domains] stanza  278
    domain  278
[session-http-headers] stanza  278
    header_name  278
[ssl] stanza  279
    base-crypto-library  279
    crl-ldap-server  279
    crl-ldap-server-port  280
    crl-ldap-user  281
    crl-ldap-user-password  281
    disable-ssl-v2  282
    disable-ssl-v3  282
    disable-tls-v1  283
    disable-tls-v11  283
    disable-tls-v12  284
    enable-duplicate-ssl-dn-not-found-msgs  284
    fips-mode-processing  285
    gsk-attr-name  285
    gsk-crl-cache-entry-lifetime  287
    gsk-crl-cache-size  287
    jct-gsk-attr-name  288
    ocsp-enable  289
    ocsp-max-response-size  290
    ocsp-nonce-check-enable  290
    ocsp-nonce-generation-enable  291
    ocsp-proxy-server-name  291
    ocsp-proxy-server-port  292
    ocsp-url  292
    ssl-keyfile  293
    ssl-keyfile-label  293
    ssl-keyfile-pwd  294
    ssl-keyfile-stash  294
    ssl-local-domain  295
    ssl-max-entries  295
    ssl-v2-timeout  296
    ssl-v3-timeout  297
    suppress-client-ssl-errors  297
    undetermined-revocation-cert-action  298
    webseal-cert-keyfile  298
    webseal-cert-keyfile-label  299
    webseal-cert-keyfile-pwd  299
    webseal-cert-keyfile-sni  300
    webseal-cert-keyfile-stash  301
[ssl-qop] stanza  301
    ssl-qop-mgmt  301
[ssl-qop-mgmt-default] stanza  302
    default  302
[ssl-qop-mgmt-hosts] stanza  303
    host-ip  303
[ssl-qop-mgmt-networks] stanza  304
    network/netmask  304
[step-up] stanza  305
    retain-stepup-session  305
    show-all-auth-prompts  305
    step-up-at-higher-level  306
    verify-step-up-user  306
[system-environment-variables] stanza  307
    env-name  307
[tfimsso:<jct-id>] stanza  308
    always-send-tokens  308
    applies-to  308
    one-time-token  309
    preserve-xml-token  309
    renewal-window  310
    service-name  310
    tfim-cluster-name  311
    token-collection-size  311
    token-type  312
    token-transmit-name  313
    token-transmit-type  313
[tfim-cluster:<cluster>] stanza  314
    basic-auth-user  314
    basic-auth-passwd  314
    gsk-attr-name  315
    handle-idle-timeout  316
    handle-pool-size  316
    server  317
    ssl-fips-enabled  317
    ssl-keyfile  318
    ssl-keyfile-label  319
    ssl-keyfile-stash  319
    ssl-valid-server-dn  320
    timeout  321
[uraf-registry] stanza  321
    bind-id  321
    cache-lifetime  322
    cache-mode  322
    cache-size  323
[user-agent] stanza  324
    user-agent  324

Notices  327
Index  331
About this publication

Intended audience

Welcome to the IBM Security Web Gateway Appliance: Web Reverse Proxy Stanza Reference.

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources. The IBM Security Web Gateway Appliance includes Security Access Manager. The appliance uses a Web Reverse Proxy to provide user access and authentication management for web application sessions. This guide uses the term WebSEAL to reference this proxy.

Security Access Manager WebSEAL is the resource manager for web-based resources in a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide single sign-on solutions and incorporate back-end web application server resources into its security policy.

This guide provides the complete stanza reference for configuring WebSEAL. You can use this guide in conjunction with the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy, which provides valuable background and concept information for the wide range of WebSEAL functionality.

This guide is for system administrators responsible for configuring and maintaining a Security Access Manager WebSEAL environment.
Readers should be familiar with the following:
v PC and UNIX or Linux operating systems
v Database architecture and concepts
v Security management
v Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
v Lightweight Directory Access Protocol (LDAP) and directory services
v A supported user registry
v WebSphere Application Server administration
v Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you should also be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
v A list of publications in the IBM Security Access Manager for Web library.
v Links to Online publications on page xii.
v A link to the IBM Terminology website on page xii.

IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:
v IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
  Provides steps that summarize major installation and configuration tasks.
v IBM Security Web Gateway Appliance Quick Start Guide Hardware Offering, SC22-5434-00
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.
v IBM Security Web Gateway Appliance Quick Start Guide Virtual Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.
v IBM Security Access Manager for Web Installation Guide, GC23-6502-02
  Explains how to install and configure Security Access Manager.
v IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
  Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.
v IBM Security Access Manager for Web Administration Guide, SC23-6504-02
  Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
v IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
v IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
  Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
v IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
  Provides administrative considerations and operational instructions for the session management server.
v IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
  Provides deployment considerations for the session management server.
v IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
  Provides administrative procedures and technical reference information for the WebSEAL Appliance.
v IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
  Provides configuration procedures and technical reference information for the WebSEAL Appliance.
v IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
  Provides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reverse Proxy.
v IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
  Provides a complete stanza reference for the WebSEAL Appliance.
v IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
  Provides instructions on creating key databases, public-private key pairs, and certificate requests.
v IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
  Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
v IBM Security Access Manager for Web Command Reference, SC23-6512-02
  Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
v IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
v IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
v IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
v IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
v IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
  Provides programming and reference information for developing authentication modules.
v IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
  Provides explanations and corrective actions for the messages and return codes.
v IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
  Provides problem determination information.
v IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
  Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.
Online publications IBM posts product publications when the product is released and when the publications are updated at the following locations: IBM Security Access Manager for Web Information Center The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/ com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product. IBM Publications Center The http://www-05.ibm.com/e-business/linkweb/publications/servlet/ pbi.wss site offers customized search functions to help you find all the IBM publications that you need. IBM Termilogy website The IBM Termilogy website consolidates termilogy for product libraries in one location. You can access the Termilogy website at http://www.ibm.com/ software/globalization/termilogy. Related publications This section lists the IBM products that are related to and included with the Security Access Manager solution. Note: The following middleware products are t packaged with IBM Security Web Gateway Appliance. IBM Global Security Kit Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64). GSKit version 8 longer includes the key management utility, ikeyman (gskikm.jar). ikeyman is packaged with IBM Java version 6 or later and is w a pure Java application with dependency on the native GSKit runtime. Do t move or remove the bundled java/jre/lib/gskikm.jar library. The IBM Developer Kit and Runtime Environment, Java Techlogy Edition, Version 6 and 7, ikeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. 
You can also find this document directly at:
http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

Note: GSKit version 8 includes important changes made to the implementation of Transport Layer Security that are required to remediate security issues. The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager and that uses GSKit must be upgraded to use GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

You can find more information about Tivoli Directory Server at:
http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.

You can find more information about IBM Tivoli Directory Integrator at:
http://www.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tivoli Directory Server software, or as a stand-alone product.

DB2 is required when you use Tivoli Directory Server or z/OS LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

You can find more information about DB2 at:
http://www.ibm.com/software/data/db2

IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

WebSphere Application Server enables the support of the following applications:
- Web Portal Manager interface, which administers Security Access Manager.
- Web Administration Tool, which administers Tivoli Directory Server.
- Common Auditing and Reporting Service, which processes and reports on audit events.
- Session Management Server, which manages shared sessions in a Web security server environment.
- Attribute Retrieval Service.

You can find more information about WebSphere Application Server at:
http://www.ibm.com/software/webservers/appserv/was/library/

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short-duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
- What information to collect before you contact IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.
Stanza reference

This guide provides a complete stanza reference for the WebSEAL configuration file, alphabetized by stanza name.

You can use the IBM Security Web Gateway Appliance Local Management Interface (LMI) to edit the WebSEAL configuration file. On the Reverse Proxy management page, select the appropriate WebSEAL instance and click Manage > Configuration > Edit Configuration File to open the Advanced Configuration File Editor. You can use this editor to directly edit the WebSEAL configuration file.

For more details about the WebSEAL configuration file naming and structure, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy. For more information about administering the appliance and navigating the LMI, see the IBM Security Web Gateway Appliance: Administration Guide.

[acnt-mgt] stanza

account-expiry-notification

account-expiry-notification = {yes|no}

Specifies whether WebSEAL informs the user of the reason for a login failure when the failure is due to an invalid or expired account. When this entry is set to no, the user receives the same error message as that which is sent when a login fails due to invalid authentication information, such as an invalid user name or password.

Options:
  yes  Enable.
  no   Disable.

Default value:
  no

Example:
  account-expiry-notification = no

account-inactivated

account-inactivated = filename

Page displayed when nsaccountlock is true for a user (in Sun Directory Server) when they attempt to log in. This page is displayed only if they provide the correct password during login.

NOTE: This option has no effect unless the corresponding Security Access Manager LDAP option is enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options:
  filename  Page displayed when nsaccountlock is true for the user who has provided the correct password during login.

Default value:
  None.

NOTE: The value for this option in the template configuration file is acct_locked.html.

Example:
  account-inactivated = acct_locked.html

account-locked

account-locked = filename

Page displayed when the user authentication fails due to a locked user account.

Options:
  filename  Page displayed when the user authentication fails due to a locked user account.

Default value:
  acct_locked.html

Example:
  account-locked = acct_locked.html
allow-unauthenticated-logout

allow-unauthenticated-logout = {yes|no}

Determines whether unauthenticated users are able to request the pkmslogout resource without authenticating first.

Options:
  yes  Allow unauthenticated users to request the pkmslogout resource.
  no   Unauthenticated users must authenticate before the pkmslogout resource is returned.

Default value:
  no

Example:
  allow-unauthenticated-logout = no

allowed-referers

allowed-referers = referer_filter

For protection against cross-site request forgery (CSRF) attacks, you can configure WebSEAL to validate the HTTP Referer header for all account management pages. WebSEAL uses the value provided for this configuration entry to determine whether the referrer host name in an incoming request is "valid".

If this entry is configured, when WebSEAL receives a request for an account management page, WebSEAL:
1. Checks whether the Referer header is present in the HTTP request headers.
2. Validates the host name portion of that referrer against the allowed-referers entries.

If WebSEAL finds that an incoming request does not match any of the configured allowed-referers filters, the request fails and WebSEAL returns an error page.

Entries can contain the following wildcard characters:
- *  Match zero or more characters.
- ?  Match any single character.
- \  Literal match of the following character.

You can use the value %HOST% for this entry. This value is a special filter, which indicates to WebSEAL that a referrer is "valid" if the host name portion of the Referer header matches the Host header.

If there are no allowed-referers entries, WebSEAL does not complete this validation.

Note: You can specify this entry multiple times to define multiple "allowed" referrer filters. WebSEAL uses all of these entries when validating the referrer.

For more information about referrer validation, search for "CSRF" in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options:
  referer_filter  Specifies a filter for a referrer host name that WebSEAL can accept as "valid".

This stanza entry is optional.

Default value:
  None.

Examples:
  The following entry matches any referrer host name that begins with the characters ac, followed by zero or more characters, and ends with the characters me:
    allowed-referers = ac*me
  The following entry indicates that a referrer is "valid" if the host name portion of the Referer header matches the Host header:
    allowed-referers = %HOST%

cert-failure

cert-failure = filename

Page displayed when certificates are required and a client fails to authenticate with a certificate.

Options:
  filename  Page displayed when certificates are required and a client fails to authenticate with a certificate.
Default value:
  certfailure.html

Example:
  cert-failure = certfailure.html

cert-stepup-http

cert-stepup-http = filename

WebSEAL displays this HTML page when a client attempts to increase the authentication strength level (step-up) to certificates while using the HTTP protocol.

Options:
  filename  WebSEAL displays this HTML page when a client attempts to increase the authentication strength level (step-up) to certificates while using the HTTP protocol.

Default value:
  certstepuphttp.html

Example:
  cert-stepup-http = certstepuphttp.html

certificate-login

certificate-login = filename

Form requesting client-side certificate authentication login. This form is used only when the accept-client-certs key in the [certificate] stanza is set to prompt_as_needed.

Options:
  filename  Form requesting client-side certificate authentication login.

This stanza entry is required when delayed certificate authentication or authentication strength level (step-up) for certificates is enabled.

Default value:
  certlogin.html

Example:
  certificate-login = certlogin.html

change-password-auth

change-password-auth = {yes|no}

Enable this option to allow users to authenticate when changing a password.

Options:
  yes  Enable.
  no   Disable.

Default value:
  no

Example:
  change-password-auth = no

client-notify-tod

client-notify-tod = {yes|no}

Enable the display of an error page when authorization is denied due to a POP time-of-day check. The error page is 38cf08cc.html.

Options:
  yes  Enable.
  no   Disable.
Default value:
  no

Example:
  client-notify-tod = no

enable-html-redirect

enable-html-redirect = {yes|no}

Configures WebSEAL to use the HTML redirect page to handle redirections rather than returning an HTTP 302 response redirect.

When a user successfully authenticates, WebSEAL typically uses an HTTP 302 response to redirect the user back to the resource that was originally requested. HTML redirection causes WebSEAL to send a static page back to the browser instead of a 302 redirect. WebSEAL can then use the JavaScript or any other code that is embedded in this static page to process the redirect.

You can use the html-redirect configuration entry, which is also in the [acnt-mgt] stanza, to specify the page that contains the HTML redirection.

For more information about HTML redirection, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Note: If you enable this configuration entry, you must not specify a value for the login-redirect-page entry, which is also in the [acnt-mgt] stanza.

Options:
  yes  Enable.
  no   Disable.

Default value:
  no

Example:
  enable-html-redirect = no

enable-local-response-redirect

enable-local-response-redirect = {yes|no}

Enable or disable sending a redirection to a response application instead of serving management or error pages from the local system.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [acnt-mgt:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options:
  yes  Enable.
  no   Disable.

Default value:
  no

Example:
  enable-local-response-redirect = no

enable-passwd-warn

enable-passwd-warn = {yes|no}

Enable WebSEAL to detect the attribute REGISTRY_PASSWORD_EXPIRE_TIME added to a user's credential when the LDAP password policy indicates that their password is soon to expire. The value of this attribute is the number of seconds until their password expires. When this attribute is detected at login to WebSEAL, a password warning form is displayed.

NOTE: This option must be set in order to use the associated options, which are also in the [acnt-mgt] stanza: passwd-warn and passwd-warn-failure. The corresponding Security Access Manager LDAP option must be enabled ([ldap] enhanced-pwd-policy=yes) and supported for the particular LDAP registry type.

Options:
  yes  Enable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute to ultimately warn the user when their password is soon to expire.
  no   Disable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute. WebSEAL will not be able to notify users when their passwords are soon to expire.

This stanza entry is optional.
Default value:
  The option defaults to no if it is not specified in the configuration file.

NOTE: The value for this option in the template configuration file is no.

Example:
  enable-passwd-warn = no

enable-secret-token-validation

enable-secret-token-validation = {true|false}

Use this entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks.

If you set this entry to true, WebSEAL adds a token to each session and validates the "token" query argument for the following account management requests:
- /pkmslogin.form
- /pkmslogout
- /pkmslogout-mas
- /pkmssu.form
- /pkmsskip
- /pkmsdisplace
- /pkmspaswd.form

For example, you must change the /pkmslogout request to pkmslogout?token=<value>, where <value> is the unique session token.

If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page.

For more information about secret token validation, search for "CSRF" in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options:
  true   WebSEAL uses secret token validation to protect against CSRF attacks.
         Note: This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.
  false  WebSEAL does not use secret token validation.

This stanza entry is optional.

Default value:
  false

Example:
  enable-secret-token-validation = true
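The following is an added illustration, not WebSEAL code, of how the two CSRF controls in this stanza combine on an account management request: the allowed-referers host filter (wildcards *, ? and \, plus the special %HOST% value) and the secret token argument. The request, the session token value and the helper names are constructed for the example; the reference does not state how WebSEAL treats a request that carries no Referer header when filters are configured, so this model rejects it and labels that choice.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Account management requests that enable-secret-token-validation protects.
PROTECTED_PKMS = {
    "/pkmslogin.form", "/pkmslogout", "/pkmslogout-mas", "/pkmssu.form",
    "/pkmsskip", "/pkmsdisplace", "/pkmspaswd.form",
}


def filter_to_regex(referer_filter):
    """Translate one allowed-referers filter into an anchored regex:
    '*' matches zero or more characters, '?' exactly one, '\\x' the literal x."""
    parts = []
    i = 0
    while i < len(referer_filter):
        ch = referer_filter[i]
        if ch == "\\" and i + 1 < len(referer_filter):
            parts.append(re.escape(referer_filter[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def referer_allowed(headers, allowed_referers):
    """allowed-referers check for an account management request.

    With no filters configured the validation is skipped (request passes).
    Otherwise the host name of the Referer header must match one filter;
    the special filter %HOST% matches when it equals the Host header.
    Model assumption: a request with no Referer header is rejected when
    filters are configured (the reference does not state that case)."""
    if not allowed_referers:
        return True
    referer = headers.get("Referer")
    if referer is None:
        return False
    referer_host = (urlsplit(referer).hostname or "").lower()
    host_header = headers.get("Host", "").split(":")[0].lower()
    for flt in allowed_referers:
        if flt == "%HOST%":
            if host_header and referer_host == host_header:
                return True
        elif filter_to_regex(flt).match(referer_host):
            return True
    return False


def secret_token_valid(path, query, session_token, enabled=True):
    """enable-secret-token-validation check: each protected pkms request must
    carry exactly one 'token' argument equal to the session token."""
    if not enabled or path not in PROTECTED_PKMS:
        return True
    values = parse_qs(query).get("token", [])
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode(), session_token.encode())


def check_account_management_request(request, session_token,
                                     allowed_referers, token_validation):
    """Apply both CSRF controls to one request; returns (accepted, reason)."""
    if not referer_allowed(request["headers"], allowed_referers):
        return False, "referer host not in allowed-referers"
    if not secret_token_valid(request["path"], request["query"],
                              session_token, token_validation):
        return False, "token argument missing or does not match session"
    return True, "ok"


# Constructed sample request: a logout link with the session token appended.
SAMPLE_REQUEST = {
    "path": "/pkmslogout",
    "query": "token=3f9a1c",
    "headers": {"Host": "www.example.com",
                "Referer": "https://www.example.com/portal/home"},
}
```

A logout request from a foreign referrer host, or one without ?token=<session token>, is refused here with the same outcome the reference describes for WebSEAL: the request fails and an error page is returned.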
help

help = filename

Page containing links to valid administration pages.

Options:
  filename  Page containing links to valid administration pages.

Default value:
  help.html

Example:
  help = help.html

http-rsp-header

http-rsp-header = header-name:macro

Inserts custom headers whenever WebSEAL returns a custom response to the client.

Options:
  header-name  The name of the header that holds the value.
  macro        The type of value to be inserted. This parameter can be one of the following values:
               - TAM_OP
               - AUTHNLEVEL
               - ERROR_CODE
               - ERROR_TEXT
               - USERNAME
               - CREDATTR(<name>), where <name> is the name of the credential attribute.

This stanza entry is optional.

Note: You can specify this entry multiple times to include multiple headers in the response.

Default value:
  None.

Example:
  The following example inserts the Security Access Manager error code in a response header named tam-error-code:
    http-rsp-header = tam-error-code:error_code

html-redirect

html-redirect = filename

Specifies the standard HTML redirection page.

Options:
  filename  Standard HTML redirection page.

Default value:
  redirect.html

Example:
  html-redirect = redirect.html

login

login = filename

Standard login form.

Options:
  filename  Standard login form.
Default value:
  login.html

Example:
  login = login.html

login-redirect-page

login-redirect-page = destination

Page to which users are automatically redirected after completing a successful authentication.

The configured redirect destination can be either:
- A server-relative Uniform Resource Locator (URL), or
- An absolute URL, or
- A macro which allows dynamic substitution of information from WebSEAL.

The supported macros include:
  %AUTHNLEVEL%      Level at which the session is currently authenticated.
  %HOSTNAME%        Fully qualified host name.
  %PROTOCOL%        The client connection protocol used. Can be HTTP or HTTPS.
  %URL%             The original URL requested by the client.
  %USERNAME%        The name of the logged-in user.
  %HTTPHDR{name}%   The HTTP header that corresponds to the specified name. For example: %HTTPHDR{Host}%
  %CREDATTR{name}%  The credential attribute with the specified name. For example: %CREDATTR{tagvalue_session_index}%

Note: You cannot use this configuration entry if the enable-js-redirect entry (also in the [acnt-mgt] stanza) is set to yes. These redirects are not compatible with one another.

Options:
  destination  Uniform Resource Locator (URL) to which users are automatically redirected after login, or a macro for dynamic substitution of information from WebSEAL.

This stanza entry is optional.

Default value:
  None.

Examples:
  Example of a server-relative URL:
    login-redirect-page = /jct/page.html
  Example of an absolute URL:
    login-redirect-page = http://www.ibm.com/
  Example that uses a macro:
    login-redirect-page = /jct/intro-page.html?level=%authnlevel%&url=%url%

login-success

login-success = filename

Page displayed after successful login.

Options:
  filename  Page displayed after successful login.

Default value:
  login_success.html

Example:
  login-success = login_success.html

logout

logout = filename

Page displayed after successful logout.

Options:
  filename  Page displayed after successful logout.
Default value:
  logout.html

Example:
  logout = logout.html

passwd-change

passwd-change = filename

Page containing a change password form.

Options:
  filename  Page containing a change password form.

Default value:
  passwd.html

Example:
  passwd-change = passwd.html

passwd-change-failure

passwd-change-failure = filename

Page displayed when a password change request fails.

Options:
  filename  Page displayed when a password change request fails.

Default value:
  passwd.html

Example:
  passwd-change-failure = passwd.html

passwd-change-success

passwd-change-success = filename

Page displayed when a password change request succeeds.

Options:
  filename  Page displayed when a password change request succeeds.

Default value:
  passwd_rep.html

Example:
  passwd-change-success = passwd_rep.html

passwd-expired

passwd-expired = filename

Page displayed when the user authentication fails due to an expired user password.

Options:
  filename  Page displayed when the user authentication fails due to an expired user password.

Default value:
  passwd_exp.html
Example:
  passwd-expired = passwd_exp.html

passwd-warn

passwd-warn = filename

Page displayed after login if WebSEAL detects that the LDAP password is soon to expire.

NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options:
  filename  Page displayed as a warning that the LDAP password is soon to expire.

Default value:
  None.

NOTE: The value for this option in the template configuration file is passwd_warn.html.

Example:
  passwd-warn = passwd_warn.html

passwd-warn-failure

passwd-warn-failure = filename

Page displayed if the user fails to change their password after being notified that the LDAP password is soon to expire. This page gives the user another chance to change their password and indicates the cause of the error.

NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options:
  filename  Page displayed if the user does not change their password after receiving notification that the LDAP password is soon to expire.

Default value:
  None.

NOTE: The value for this option in the template configuration file is passwd_warn.html.

Example:
  passwd-warn-failure = passwd_warn.html

redirect-to-root-for-pkms

redirect-to-root-for-pkms = {yes|no}

In older releases, WebSEAL would, in rare cases, redirect clients to the document root directory instead of returning the login success page following a successful authentication. This behavior was eliminated in later releases. Set redirect-to-root-for-pkms to yes to restore the previous behavior.

Options:
  yes  Restore previous behavior.
  no   Maintain default behavior.

Default value:
  no

Example:
  redirect-to-root-for-pkms = no

single-sign-off-uri

single-sign-off-uri = URI
When a user session is terminated in WebSEAL, any sessions that might exist on backend application servers are not destroyed. You can use this configuration entry to change this default behavior.

When a WebSEAL user session is terminated and this stanza entry is configured, WebSEAL sends a request to the resource specified by the configured URI. The request contains any configured headers and cookies for the junction point on which the resource resides. The backend application can use this information to terminate any sessions for that user.

Note: You can configure more than one single-sign-off-uri entry to send a request to multiple URIs.

Options:
  URI  The resource identifier of the application that receives the single sign-off request from WebSEAL.
       Note: The URI must be server-relative and correspond to a resource on a standard junction.

This stanza entry is optional.

Default value:
  None.

Example:
  single-sign-off-uri = /management/logoff

stepup-login

stepup-login = filename

Step-up authentication login form.

Options:
  filename  Step-up authentication login form.

Default value:
  stepuplogin.html

Example:
  stepup-login = stepuplogin.html

switch-user

switch-user = filename

Switch user management form.

Options:
  filename  Switch user management form.

Default value:
  switchuser.html

Example:
  switch-user = switchuser.html

temp-cache-response

temp-cache-response = filename

The default page that WebSEAL returns if no URL redirect is supplied with the pkmstempsession request. The pkmstempsession page is accessed to achieve session sharing with Microsoft Office applications.

For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options:
  filename  The default page that WebSEAL returns for a pkmstempsession request.

This stanza entry is optional.

Default value:
  temp_cache_response.html
Example:
  temp-cache-response = temp_cache_response.html

too-many-sessions

too-many-sessions = filename

Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.

Options:
  filename  Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.

Default value:
  too_many_sessions.html

Example:
  too-many-sessions = too_many_sessions.html

use-restrictive-logout-filenames

use-restrictive-logout-filenames = {yes|no}

Controls the restrictions normally enforced on the name of the /pkmslogout custom response file.

Options:
  yes  Use the default restrictions to enforce the name of the /pkmslogout custom response file.
  no   Only slash (/), backslash (\), characters outside of the ASCII range 0x20-0x7E, and filenames that begin with a period (.) are disallowed.

Default value:
  yes

Example:
  use-restrictive-logout-filenames = yes

use-filename-for-pkmslogout

use-filename-for-pkmslogout = {yes|no}

Controls whether or not the appended query string (specifying a custom response page) in a pkmslogout command is used to override the default response page.

Options:
  yes  Enables the operation of the query string. If a query string in a pkmslogout URL specifies a custom response page, that custom page is used instead of the default page.
  no   Disables the operation of the query string. Any query string in a pkmslogout URL that specifies a custom response page is ignored. Only the default response page is used upon logout.

Default value:
  no

Example:
  use-filename-for-pkmslogout = no

[auth-cookies] stanza

cookie

cookie = cookie-name

Specifies HTTP cookies to be used for authentication.

Note: This option is enabled only when the http-headers-auth option in the [http-headers] stanza is configured for http, https, or both.

Options:
  cookie-name  Name of the HTTP cookie to be used for authentication.
This stanza entry is optional.

Default value:
  None.

Example:
  cookie = authcookie

[authentication-levels] stanza

level

level = method-name

Step-up authentication levels.

WebSEAL enables authenticated users to increase the authentication level by use of step-up authentication. This key=value pair specifies which step-up authentication levels are supported by this WebSEAL server. Do not specify an authentication level unless the authentication method is enabled. For example, you must enable either basic authentication or forms authentication before you set level = password.

Enter a separate key=value pair for each supported level. Supported levels include:
- unauthenticated
- password
- ssl
- ext-auth-interface

The position of the entry in the file dictates the associated authentication level. The first row, typically unauthenticated, is associated with authentication level 0. Each subsequent line is associated with the next higher level.

You can add multiple entries for the same method. It is possible for the method to set the authentication level itself. For example, an External Authentication Interface (EAI) implementation might set either authentication level 2 or 3 depending on the authentication transaction that the client undertakes. The EAI can set this authentication level directly in the identity attributes returned to WebSEAL. To support this implementation, you can create two identical lines in positions 3 and 4. For example:
  level = unauthenticated      (associated with level 0)
  level = password             (associated with level 1)
  level = ext-auth-interface   (associated with level 2)
  level = ext-auth-interface   (associated with level 3)
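As an added illustration (not WebSEAL code), the following derives the level-to-method table from the order of level entries exactly as described above, including a method listed twice, and shows which method a step-up to a given level would invoke. The configuration text is constructed from the four-line example; the strict rejection of unsupported method names and of unconfigured levels is a choice of this model.

```python
# Methods the reference lists as supported step-up authentication levels.
SUPPORTED_METHODS = {"unauthenticated", "password", "ssl", "ext-auth-interface"}

# Constructed sample configuration mirroring the four-line example above.
SAMPLE_CONFIG = """
[acnt-mgt]
login = login.html

[authentication-levels]
# the position of each entry dictates its numeric authentication level
level = unauthenticated
level = password
level = ext-auth-interface
level = ext-auth-interface
"""


def parse_authentication_levels(config_text):
    """Return a list whose index is the authentication level and whose value is
    the method-name, reading only 'level = ...' lines in [authentication-levels].
    Comments (#) and blank lines are skipped; other stanzas are ignored."""
    methods = []
    in_stanza = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = (line == "[authentication-levels]")
            continue
        if not in_stanza:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "level":
            method = value.strip()
            if method not in SUPPORTED_METHODS:
                # model choice: refuse a method the reference does not list
                raise ValueError("unsupported authentication method: %r" % method)
            methods.append(method)
    return methods


def levels_for_method(methods, method):
    """All numeric levels mapped to one method. A method may appear more than
    once, e.g. an EAI that sets level 2 or 3 itself in the identity attributes."""
    return [level for level, m in enumerate(methods) if m == method]


def step_up_method(methods, current_level, required_level):
    """Return the method that would be invoked to reach required_level, or None
    when current_level already satisfies it. Raises when the level is not
    configured, since no entry in the stanza corresponds to it."""
    if required_level < 0 or required_level >= len(methods):
        raise ValueError("authentication level %d is not configured" % required_level)
    if current_level >= required_level:
        return None
    return methods[required_level]
```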
Options:
  method-name  Name of the authentication method.

Default value:
  unauthenticated
  password

Example:
  level = unauthenticated
  level = password

[aznapi-configuration] stanza

audit-attribute

audit-attribute = attribute

Attributes to be audited.

Options:
  attribute  Attributes to be audited.

Default value:
  tagvalue_su-admin

Example:
  audit-attribute = tagvalue_su-admin

auditcfg

auditcfg = {azn|authn|http}

Indicates the components for which auditing of events is configured. To enable component-specific audit records, add the appropriate definition.
Options:
  azn    Capture authorization events.
  authn  Capture authentication events.
  http   Capture HTTP events. These correspond to the events logged by the request, referer, and agent logging clients.

This stanza entry is optional for WebSEAL. However, this stanza entry is required when auditing is enabled (logaudit = yes).

Default value:
  There is no default value for WebSEAL, because auditing is disabled by default.

Example:
  Create a separate stanza entry for each component to be activated. The components are included in the default configuration file but are commented out. To activate a commented-out entry, remove the pound sign (#) from the start of the entry:
    auditcfg = azn
    #auditcfg = authn
    #auditcfg = http

auditlog

auditlog = file_name

Name of the audit trail file for WebSEAL.

Options:
  file_name  The file name value represents an alphanumeric string.

This stanza entry is required when auditing is enabled.

Default value:
  aznapi_webseald-<instance_name>.log
  where:
    <instance_name>  The WebSEAL instance name. For example, default.

Example:
  auditlog = aznapi_webseald-default.log

cache-refresh-interval

cache-refresh-interval = {disable|default|number_of_seconds}

Poll interval between checks for updates to the master authorization server.

Options:
  disable            The interval value in seconds is not set.
  default            When the value is set to default, an interval of 600 seconds is used.
  number_of_seconds  Integer value indicating the number of seconds between polls to the master authorization server to check for updates. The minimum number of seconds is 0. There is no maximum value.

This stanza entry is optional.

Default value:
  disable

Example:
  cache-refresh-interval = disable

cred-attribute-entitlement-services

cred-attribute-entitlement-services = service-id

Enables the credential policy entitlements service.

Options:
  service-id  ID of the service.

This stanza entry is optional.

Default value:
  TAM_CRED_POLICY_SVC
Example:
  cred-attribute-entitlement-services = TAM_CRED_POLICY_SVC

dynamic-adi-entitlement-services

dynamic-adi-entitlement-services = service-id

A list of configured entitlements service IDs that are queried by the rules engine if missing ADI is detected during an authorization rule evaluation.

Options:
  service-id  Service ID that is queried by the rules engine if missing ADI is detected during an authorization rule evaluation.

This stanza entry is optional.

Default value:
  None.

Example:
  dynamic-adi-entitlement-services = AMWebARS_A

input-adi-xml-prolog

input-adi-xml-prolog = prolog

The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.

Options:
  prolog  The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.

This stanza entry is optional.

Default value:
  <?xml version="1.0" encoding="UTF-8"?>

Example:
  input-adi-xml-prolog = <?xml version="1.0" encoding="UTF-8"?>

listen-flags

listen-flags = {enable|disable}

Enables or disables the reception by WebSEAL of policy cache update notifications from the master authorization server.

Options:
  enable   Activates the notification listener.
  disable  Deactivates the notification listener.

Default value:
  disable

Example:
  listen-flags = enable

logaudit

logaudit = {yes|no|true|false}

Enables or disables auditing.

Options:
  yes    Enable auditing.
  true   Enable auditing.
  no     Disable auditing.
  false  Disable auditing.
Default value:
  no

Example:
  logaudit = no

logclientid

logclientid = webseald

Name of the daemon whose activities are audited through use of authorization API logging.

Options:
  webseald  Name of the daemon whose activities are audited through use of authorization API logging.

Default value:
  webseald

Example:
  logclientid = webseald

logcfg

logcfg = category:{stdout|stderr|file|remote|rsyslog}[ [parameter=value] [,parameter=value]...]

Specifies event logging for the specified category. For WebSEAL, the categories are:
  audit.azn    Authorization events.
  audit.authn  Credentials acquisition authentication.
  http         All HTTP logging information.
  http.clf     HTTP request information as defined by the request-log-format configuration entry in the [logging] stanza.
  http.ref     HTTP Referer header information.
  http.agent   HTTP User_Agent header information.

Options:
  {stdout|stderr|file|remote|rsyslog}  Event logging supports a number of output destination types. WebSEAL auditing typically is configured to use the file type.
  parameter=value                      Each event logging type supports a number of optional parameter=value options.

For more information about output destination types and optional parameter=value settings, see the IBM Security Access Manager for Web: Administration Guide.

This stanza entry is optional.

Default value:
  None.

Example:
  Example entry for request.log (common log format), entered as one line:
    logcfg = http.clf:file path=request_file,flush=time,rollover=max_size,log_id=httpclf,buffer_size=8192,queue_size=48

logflush

logflush = number_of_seconds

Integer value indicating the frequency, in seconds, at which a flush of the log buffers is forced.

Options:
  number_of_seconds  The minimum value is 1 second. The maximum value is 600 seconds.

This stanza entry is optional.

Default value:
  20
Example:
  logflush = 20

logsize

logsize = number_of_bytes

Integer value indicating the size limit of audit log files. The size limit is also referred to as the rollover threshold. When the audit log file reaches this threshold, the original audit log file is renamed and a new log file with the original name is created.

Options:
  number_of_bytes  When the value is zero (0), no rollover log file is created. When the value is a negative integer, the logs are rolled over daily, regardless of the size. When the value is a positive integer, the value indicates the maximum size, in bytes, of the audit log file before the rollover occurs. The allowable range is from 1 byte to 2 megabytes.

This stanza entry is optional.

Default value:
  2000000

Example:
  logsize = 2000000

permission-info-returned

permission-info-returned = permission-attribute

Specifies the permission information returned to the resource manager (for example, WebSEAL) from the authorization service.

Options:
  permission-attribute  The azn_perminfo_rules_adi_request setting allows the authorization service to request ADI from the current WebSEAL client request. The azn_perminfo_reason_rule_failed setting specifies that rule failure reasons be returned to the resource manager (this setting is required for R junctions). To enable the Privacy Redirection capabilities of the AMWebARS Web Service, the azn_perminfo_amwebars_redirect_url setting must be included.

This stanza entry is optional.

Default value:
  azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed

Example:
  permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed

policy-attr-separator

policy-attr-separator = separator

Specifies the character that WebSEAL uses for the following services:
- Credential policy entitlements service.
- Registry entitlements service.

Note: For the credential policy entitlements service to work properly, a user's DN cannot contain the specified separator. If the user DN contains this separator, WebSEAL fails when attempting to retrieve the user's policy attributes.

Options:
  separator  The character that WebSEAL uses for the credential policy entitlements service and the registry entitlements service. Ensure that the chosen character is not present in any user DN values.

This stanza entry is optional.

Default value:
  By default, WebSEAL uses colon (:) as the separator for these services.

Example:
  policy-attr-separator = #

policy-cache-size

policy-cache-size = cache_size
Description
  The maximum size of the in-memory policy cache is configurable. The cache consists of policy and the relationships between policy and resources. The knowledge that a resource has directly associated policy is also cached.

Options
  cache_size
    The maximum cache size should be relative to the number of policy objects defined, the number of resources protected, and the available memory. A reasonable algorithm to begin with is:
      (number of policy objects * 3) + (number of protected resources * 3)
    This value controls how much information is cached. A larger cache will potentially improve application performance but also uses additional memory. Size is specified as the number of entries.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  policy-cache-size = 32768

resource-manager-provided-adi

Syntax
  resource-manager-provided-adi = prefix

Description
  A list of string prefixes that identify Authorization Decision Information (ADI) to be supplied by the resource manager (in this case, WebSEAL).

Options
  prefix
    The default settings below tell the authorization engine that when it requires ADI with the prefixes AMWS_hd_, AMWS_qs_, or AMWS_pb_ to evaluate a boolean authorization rule, and the ADI is not available in either the credential or the application context passed in with the access decision call, the engine should fail the access decision and request that the resource manager retry the request and provide the required data in the application context of the next request.

Usage
  This stanza entry is optional.

Default value
  AMWS_hd_, AMWS_pb_, AMWS_qs_

Example
  resource-manager-provided-adi = AMWS_hd_
  resource-manager-provided-adi = AMWS_pb_
  resource-manager-provided-adi = AMWS_qs_

xsl-stylesheet-prolog

Syntax
  xsl-stylesheet-prolog = prolog

Description
  The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.

Options
  prolog
    The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.

Usage
  This stanza entry is optional.

Default value
  <?xml version="1.0" encoding="UTF-8"?>
  <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/xsl/transform" version="1.0">
  <xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
  <xsl:template match="text()"></xsl:template>

Example
  xsl-stylesheet-prolog = <?xml version="1.0" encoding="UTF-8"?><xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/xsl/transform" version="1.0"><xsl:output method="text" omit-xml-declaration="yes" indent="no"/><xsl:template match="text()"></xsl:template>

[azn-decision-info] stanza

<attr-name>

Syntax
  <attr-name> = <http-info>

Description
  This stanza defines any extra information that is available to the authorization framework when making authorization decisions. This extra information can be obtained from the following elements of the HTTP request:
  - HTTP method
  - HTTP scheme
  - HTTP cookies
  - Request URI
  - HTTP headers
  - POST data
  If the requested element is not in the HTTP request, no corresponding attribute is added to the authorization decision information.

Options
  <attr-name>
    The name of the attribute that contains the HTTP information.
  <http-info>
    The source of the information. It can be one of the following values:
    - method
    - scheme
    - uri
    - header:<header-name>
    - post-data:<post-data-name>
    - cookie:<cookie-name>

Usage
  This stanza entry is optional.

Default value
  N/A

Example
  HTTP_REQUEST_METHOD = method
  HTTP_HOST_HEADER = header:host

[ba] stanza

ba-auth

Syntax
  ba-auth = {none|http|https|both}

Description
  Enables authentication using the Basic Authentication mechanism. When basic authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options
  {none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Default value
  https

Example
  ba-auth = https

basic-auth-realm

Syntax
  basic-auth-realm = Realm_name

Description
  String value that specifies the realm name.

Options
  Realm_name
    This name is displayed in the browser's dialog box when the user is prompted for login information. The string must consist of ASCII characters and can contain spaces.

Usage
  This stanza entry is optional.

Default value
  Access Manager

Example
  basic-auth-realm = Access Manager

[cdsso] stanza

authtoken-lifetime

Syntax
  authtoken-lifetime = number_of_seconds

Description
  Positive integer that expresses the number of seconds for which the single sign-on authentication token is valid.

Options
  number_of_seconds
    Minimum value: 1. There is no maximum value.

Default value
  180

Example
  authtoken-lifetime = 180

cdsso-argument

Syntax
  cdsso-argument = argument_name

Description
  Name of the argument containing the cross-domain single sign-on token in a query string in a request. This is used to identify incoming requests that contain CDSSO authentication information.

Options
  argument_name
    Name of the argument containing the cross-domain single sign-on token in a query string in a request. Valid characters are any ASCII characters, except for question mark (?), ampersand (&), and equals sign (=).

Default value
  PD-ID

Example
  cdsso-argument = PD-ID

cdsso-auth

Syntax
  cdsso-auth = {none|http|https|both}

Description
  Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token consume (sso-consume) library in the [authentication-mechanisms] stanza.

Options
  {none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Default value
  none

Example
  cdsso-auth = none

cdsso-create

Syntax
  cdsso-create = {none|http|https|both}

Description
  Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token create (sso-create) library in the [authentication-mechanisms] stanza.

Options
  {none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Default value
  none

Example
  cdsso-create = none

clean-cdsso-urls

Syntax
  clean-cdsso-urls = {yes|no}

Description
  The cdsso-argument (PD-ID) and PD-REFERER query string arguments can be passed to junctions. When this option is set to yes, these arguments are removed from the URI before the request is passed to the junction.

Options
  yes
    The argument containing the CDSSO token in a request query string and the PD-REFERER query string argument are removed from the URI before the request is passed to the junction.
  no
    The CDSSO and PD-REFERER arguments are not removed from the URI before the request is passed to the junction.

Example
  clean-cdsso-urls = yes

propagate-cdmf-errors

Syntax
  propagate-cdmf-errors = {yes|no}

Description
  Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.

Options
  yes
    Forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.
  no
    (Default) Allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.

Usage
  This stanza entry is not required.

Default value
  no

Example
  propagate-cdmf-errors = no

use-utf8

Syntax
  use-utf8 = {true|false}

Description
  Use UTF-8 encoding for tokens used in cross-domain single sign-on. Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. For more information about multi-locale support with UTF-8, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
  true
    When this stanza entry is set to true, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This configuration enables tokens to be used across different code pages (such as for a different language).
  false
    For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to false.

Default value
  true

Example
  use-utf8 = true

[cdsso-incoming-attributes] stanza

attribute_pattern

Syntax
  attribute_pattern = {preserve|refresh}

Description
  Attributes to accept from incoming CDSSO authentication tokens. The attributes typically match those declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.
  The attribute_pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).
  The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.

Options
  preserve
    Attributes matching a preserve entry, or matching none of the entries, are kept. If no entries are configured, then all attributes are kept.
  refresh
    Attributes in CDSSO authentication tokens that match a refresh entry are removed from the token before the CDMF library is called to map the remote user into the local domain.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  my_cred_attr1 = preserve

[cdsso-peers] stanza

fully_qualified_hostname

Syntax
  fully_qualified_hostname = key_file

Description
  List of peer servers that are participating in cross-domain single sign-on.

Options
  key_file
    The name of the server's key file.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  webhost2.ibm.com = cdsso.key

[cdsso-token-attributes] stanza

<default>

Syntax
  <default> = pattern1
  [<default> = pattern2]
  ...
  [<default> = patternn]

Description
  Credential attributes to include in CDSSO authentication tokens. When WebSEAL cannot find a domain_name entry to match the domain, the entries in <default> are used. The word <default> is a keyword and must not be modified.

Options
  pattern
    The value for each <default> entry can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

Usage
  This stanza entry is optional.

Default value
  None.

Example
  <default> = my_cdas_attr_*

domain_name

Syntax
  domain_name = pattern1
  [domain_name = pattern2]
  ...
  [domain_name = patternn]

Description
  Credential attributes to include in CDSSO authentication tokens.

Options
  domain_name
    The domain_name specifies the destination domain containing the server that will consume the token.
  pattern
    The value for each domain_name entry can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

Usage
  This stanza entry is optional.

Default value
  None.

Example
  example1.com = my_cdas_attr_*
  example1.com = some_exact_attribute
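The following worked example illustrates the first-match rules of the [cdsso-token-attributes] and [cdsso-incoming-attributes] stanzas described above. It is added here as an illustration and is not IBM code: the translation of the Security Access Manager wildcard characters (*, [], ^, \, ?) into a regular expression is an assumption about their semantics, the credential attributes and the rule lists are constructed for the example, and the function names are the example's own.

```python
"""Added example (not IBM code): selecting credential attributes for an outgoing
CDSSO token by destination domain, falling back to <default>, and filtering an
incoming token with ordered preserve/refresh rules (first match wins)."""
import re


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into an anchored regular expression.
    Assumed semantics (not stated on the page): '*' matches any run of
    characters, '?' one character, '[...]' a character class with '^' as
    the negation marker inside the brackets, '\\' escapes the next character."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[" and pattern.find("]", i + 1) != -1:
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            out.append("[" + ("^" if negate else "") + body.lstrip("^") + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def select_token_attributes(credential, domain, rules):
    """[cdsso-token-attributes]: rules is an ordered list of (key, pattern) where
    key is a destination domain or the literal '<default>'.  Entries for the
    destination domain are used; if there are none, the <default> entries are."""
    patterns = [p for k, p in rules if k == domain]
    if not patterns:
        patterns = [p for k, p in rules if k == "<default>"]
    regexes = [wildcard_to_regex(p) for p in patterns]
    return {name: value for name, value in credential.items()
            if any(r.match(name) for r in regexes)}


def filter_incoming_attributes(token_attrs, rules):
    """[cdsso-incoming-attributes]: rules is an ordered list of
    (pattern, 'preserve' | 'refresh').  The first matching rule decides;
    an attribute matching no rule is kept; with no rules everything is kept."""
    compiled = [(wildcard_to_regex(p), action) for p, action in rules]
    kept = {}
    for name, value in token_attrs.items():
        action = next((a for r, a in compiled if r.match(name)), "preserve")
        if action == "preserve":
            kept[name] = value
    return kept


# Constructed sample credential and rule lists (not from a real deployment).
SAMPLE_CRED = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "my_cdas_attr_dept": "finance",
    "my_cdas_attr_role": "auditor",
    "some_exact_attribute": "x",
    "tagvalue_session_index": "7",
}
TOKEN_RULES = [
    ("example1.com", "my_cdas_attr_*"),
    ("example1.com", "some_exact_attribute"),
    ("<default>", "my_cdas_attr_*"),
]
# Order matters: the refresh rule for my_cdas_attr_r* is hit before the
# broader preserve rule, so my_cdas_attr_role is dropped from the token.
INCOMING_RULES = [
    ("my_cred_attr1", "preserve"),
    ("my_cdas_attr_r*", "refresh"),
    ("my_cdas_attr_*", "preserve"),
]

if __name__ == "__main__":
    outgoing = select_token_attributes(SAMPLE_CRED, "example1.com", TOKEN_RULES)
    print("token for example1.com:", sorted(outgoing))
    print("token for other domain:", sorted(select_token_attributes(SAMPLE_CRED, "example2.com", TOKEN_RULES)))
    print("kept after incoming filter:", sorted(filter_incoming_attributes(outgoing, INCOMING_RULES)))
```

The incoming filter shows why the reference stresses ordering: swapping the second and third INCOMING_RULES would keep my_cdas_attr_role, because the broader preserve pattern would then match first.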
[certificate] stanza

accept-client-certs

Syntax
  accept-client-certs = {never|required|optional|prompt_as_needed}

Description
  Specifies how to handle certificates from HTTPS clients. When certificate authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options
  never
    Never request a client certificate.
  required
    Always request a client certificate. Do not accept the connection if the client does not present a certificate. When this value is set to required, all other authentication settings are ignored for HTTPS clients.
  optional
    Always request a client certificate. If presented, use it.
  prompt_as_needed
    Do not prompt for a client certificate until the client attempts to access a resource that requires certificate authentication.
    Note: When this value is set, ensure that the ssl-id-sessions stanza entry in the [session] stanza is set to no.

Default value
  never

Example
  accept-client-certs = never

cert-cache-max-entries

Syntax
  cert-cache-max-entries = number_of_entries

Description
  Maximum number of concurrent entries in the Certificate SSL ID cache.

Options
  number_of_entries
    There is no absolute maximum size for the cache. However, the size of the cache cannot exceed the size of the SSL ID cache. A maximum size of 0 allows an unlimited cache size.

Usage
  This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.

Default value
  1024

Example
  cert-cache-max-entries = 1024

cert-cache-timeout

Syntax
  cert-cache-timeout = number_of_seconds

Description
  Maximum lifetime, in seconds, for an entry in the Certificate SSL ID cache.

Options
  number_of_seconds
    The minimum value is zero (0). A value of zero means that when the cache is full, the entries are cleared based on a Least Recently Used algorithm.

Usage
  This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.

Default value
  120

Example
  cert-cache-timeout = 120

cert-prompt-max-tries

Syntax
  cert-prompt-max-tries = number_of_tries

Description
  During certificate authentication, WebSEAL prompts the browser to present the client's certificate. The SSL certificate negotiation process requires that the browser open and use a new (not existing) TCP connection.
  Browsers typically maintain several open TCP connections to a given server. When WebSEAL tries to prompt the browser for a certificate, the browser often tries to reuse an existing TCP connection instead of opening a new one. Therefore, the prompting process must be retried. WebSEAL might need to prompt for a certificate several times before the browser opens a new TCP connection and allows the prompting process to succeed.
  This configuration option controls how many times WebSEAL attempts to begin the SSL certificate negotiation process with the browser before assuming the client cannot provide a certificate.

Options
  number_of_tries
    Set the value to 5 because most browsers maintain a maximum of four TCP connections to a Web server. As each attempt by the browser to process the certificate prompt on an existing TCP connection fails, that TCP connection is closed. On the fifth attempt, with all TCP connections closed, the browser's only option is to open a new TCP connection.
    If the value is set to less than 5, intermittent failures of certificate authentication might occur because the browser reuses existing TCP connections instead of opening a new one. These failures are more likely to occur in environments where login or other pages contain images that browsers access immediately before triggering the certificate prompts.
    Values less than 2 or greater than 15 are not permitted.
    This value is not used unless accept-client-certs = prompt_as_needed.

Default value
  5

Example
  cert-prompt-max-tries = 5

disable-cert-login-page

Syntax
  disable-cert-login-page = {yes|no}

Description
  Determines whether the initial login page with an option to prompt for a certificate is presented, or whether WebSEAL bypasses the page and directly prompts for the certificate.
Options
  yes
    The initial login page with an option to prompt for a certificate is not presented; instead, WebSEAL bypasses this page and directly prompts for the certificate.
  no
    The initial login page with an option to prompt for a certificate is presented.

Example
  disable-cert-login-page = no

eai-data

Syntax
  eai-data = data:header_name

Description
  The client certificate data elements that will be passed to the EAI application. Multiple pieces of client certificate data can be passed to the EAI application by including multiple eai-data configuration entries.

Options
  header_name
    Used to indicate the name of the HTTP header which will contain the data.
  data
    Used to indicate the data that will be included in the header. It should be one of the following:
    - Base64Certificate
    - SerialNumber
    - SubjectCN
    - SubjectLocality
    - SubjectState
    - SubjectCountry
    - SubjectOrganization
    - SubjectOrganizationalUnit
    - SubjectDN
    - SubjectPostalCode
    - SubjectEmail
    - SubjectUniqueID
    - IssuerCN
    - IssuerLocality
    - IssuerState
    - IssuerCountry
    - IssuerOrganization
    - IssuerOrganizationUnit
    - IssuerDN
    - IssuerPostalCode
    - IssuerEmail
    - IssuerUniqueID
    - Version
    - SignatureAlgorithm
    - ValidFrom
    - ValidFromEx
    - ValidTo
    - ValidToEx
    - PublicKeyAlgorithm
    - PublicKey
    - PublicKeySize
    - FingerprintAlgorithm
    - Fingerprint

Usage
  This stanza entry is required for EAI based client certificate authentication.

Example
  eai-data = SubjectCN:eai-cn
  eai-data = SubjectDN:eai-dn

eai-uri

Syntax
  eai-uri = uri

Description
  The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server. If this configuration entry is not defined, the standard CDAS authentication mechanism will be used to handle the authentication.

Options
  uri
    The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server.

Usage
  This stanza entry is required for EAI based client certificate authentication.

Example
  eai-uri = /jct/cgi-bin/eaitest/eaitest.pl

[cert-map-authn] stanza

debug-level

Syntax
  debug-level = level

Description
  Controls the trace level for the authentication module.

Options
  level
    Specifies the initial trace level, with 1 designating a minimal amount of tracing and 9 designating the maximum amount of tracing.
    Note: You can also use the Security Access Manager pdadmin trace commands to modify the trace level by using the trace component name of pd.cas.certmap. This trace component is only available after the first HTTP request is processed.

Usage
  This stanza entry is optional.

Default value
  0
  Note: A debug level of 0 results in no tracing output.

Example
  debug-level = 5

rules-file

Syntax
  rules-file = file-name

Description
  The name of the rules file that the CDAS can use for certificate mapping.

Options
  file-name
    The name of the rules file for the certificate mapping CDAS.
Default value
  None.

Example
  rules-file = cert-rules.txt

[cfg-db-cmd:entries] stanza

stanza::entry

Syntax
  stanza::entry = {include|exclude}

Description
  Specifies the configuration entries that will be imported or exported from the configuration database using the cfgdb server task commands.
  Each configuration entry is checked sequentially against each item in the [cfg-db-cmd:entries] stanza until a match is found. This first match then controls whether the configuration entry is included in, or excluded from, the configuration database. If no match is found, the configuration entry is excluded from the configuration database.

Options
  stanza
    This field defines the stanza containing the data entry to be included or excluded. It may contain any pattern matching characters.
  entry
    This field defines the stanza entry to be included or excluded. It may contain any pattern matching characters.
  include
    Include the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.
  exclude
    Exclude the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.

Usage
  This stanza entry is not required.

Default value
  WebSEAL uses the values configured in the WebSEAL configuration file. See the WebSEAL configuration file template for the default entries.

Example
  server::unix-root = include
  ldap::* = exclude
  *::* = include

[cfg-db-cmd:files] stanza

files

Syntax
  Either:
    files = cfg(stanza::entry)
  Or:
    files = file_name

Description
  Defines the files that will be included (that is, imported or exported) in the configuration database using the cfgdb server task commands.

Options
  stanza
    This field specifies the name of the stanza that contains the entry with the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.
  entry
    This field specifies the stanza entry that contains the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.
  file_name
    The name of the file.

Usage
  This stanza entry is not required.

Example
  file = cfg(ssl::webseal-cert-keyfile)
  file = cfg(ssl::webseal-cert-keyfile-stash)
  file = cfg(junction::jmt-map)
  file = cfg(server::dynurl-map)
  file = cert-rules.txt
  file = jmt.conf
  file = cfg(junction::jmt-map)

[cluster] stanza

Notes:
  - It is vital that this configuration stanza is not included in the configuration database. The cluster::* = exclude configuration entry in the [cfg-db-cmd:entries] stanza ensures this exclusion.
  - In addition to the configuration entries listed here, a config-version entry is added at run time in a clustered environment. This configuration entry contains version information about the current configuration. Do NOT manually edit this version information.
  - All cluster members must be the same server type. You can cluster either:
    - WebSEAL servers that are running on Web Gateway appliances.
    - WebSEAL servers that are running on standard operating systems.

is-master

Syntax
  is-master = {yes|no}

Description
  Is this server the master for the WebSEAL cluster? You need to have a single master for each cluster. Any modifications to the configuration of a cluster must be made on the master.

Options
  yes
    This server is the master for the WebSEAL cluster.
  no
    This server is not the master for the WebSEAL cluster. The name of the master server must be specified in the master-name configuration entry that is also in the [cluster] stanza.

Usage
  This stanza entry is required in a clustered environment. This stanza entry is not required for a single server environment.

Default value
  There is no default value.

Example
  is-master = yes

master-name

Syntax
  master-name = azn-name

Description
  Defines the authorization server name of the master for the WebSEAL cluster.
Options
  azn-name
    The authorization server name of the master.

Usage
  This stanza entry is required if the value for is-master (also in the [cluster] stanza) is set to no. If the is-master entry is set to yes, WebSEAL ignores this master-name entry.

Default value
  There is no default value.

Example
  master-name = default-webseald-master.ibm.com

max-wait-time

Syntax
  max-wait-time = number

Description
  Specifies the maximum amount of time to wait, in seconds, for a slave server to be restarted. This configuration entry is only applicable to the master server.

Options
  number
    The maximum number of seconds to wait for a slave server to be restarted.

Usage
  This configuration entry is required if is-master (also in the [cluster] stanza) is set to yes.

Default value
  60

Example
  max-wait-time = 60

[compress-mime-types] stanza

mime_type

Syntax
  mime_type = minimum_doc_size:[compression_level]

Description
  Enables or disables HTTP compression based on the mime-type of the response and the size of the returned document.

Options
  mime_type
    The mime_type can contain a wild card pattern such as an asterisk (*) for the subtype, or it can be "*/*" to match all mime-types.
  minimum_doc_size
    The minimum_doc_size is an integer that can be positive, negative or zero. A size of -1 means do not compress this mime-type. A size of 0 means to compress the document regardless of its size. A size greater than 0 means to compress the document only when its initial size is greater than or equal to minimum_doc_size.
  compression_level
    The compression_level is an integer value between 1 and 9. The larger number results in a higher amount of compression. When compression_level is not specified, a default level of 1 is used.

Usage
  This stanza entry is optional.

Default value
  */* = -1
  image/* = -1
  text/html = 1000

[compress-user-agents] stanza

pattern

Syntax
  pattern = {yes|no}

Description
  Enables or disables HTTP compression based on the user-agent header sent by clients. This entry is used to disable compression for clients which send an "accept-encoding: gzip" HTTP header but do not actually handle gzip content-encodings properly. An example of a user agent is a browser, such as Microsoft Internet Explorer 6.0.

Options
  yes
    Enables HTTP compression based on the user-agent header sent by clients.
  no
    Disables HTTP compression based on the user-agent header sent by clients.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  *MSIE 6.0* = no

[content] stanza

utf8-template-macros-enabled

Syntax
  utf8-template-macros-enabled = {yes|no}

Description
  Specifies how standard WebSEAL HTML files, such as login.html, have data inserted into them when %MACRO% strings are encountered. This entry affects files in the management and errors directories. You can manage these directories from the Manage Reverse Proxy Management Root page of the LMI.
  WebSEAL HTML pages use a UTF-8 character set by default. If you modify the character set to specify the local code page, set this entry to no.

Options
  yes
    Data is inserted in UTF-8 format.
  no
    Data is inserted in the local code page format.

Example
  utf8-template-macros-enabled = yes

[content-cache] stanza

MIME_type

Syntax
  MIME_type = cache_type:cache_size:maximum_age
Description
  List of entries that define the caches which WebSEAL uses to store documents in memory.

Options
  MIME_type
    Any valid MIME type conveyed in an HTTP Content-Type: response header. This value may contain an asterisk (*) to denote a wildcard. A value of */* represents a default object cache that holds any object that does not correspond to an explicitly configured cache.
  cache_type
    Defines the type of backing store to use for the cache. Only memory caches are supported.
  cache_size
    The maximum size, in kilobytes, to which the cache grows before objects are removed according to a least-recently-used algorithm. The minimum allowable value is 1 kilobyte. WebSEAL reports an error and fails to start if the value is less than or equal to zero (0). WebSEAL does not impose a maximum allowable value.
  maximum_age
    Specifies the maximum age (in seconds) if expiry information is missing from the original response. If no value is provided, a default maximum age of 3600 (one hour) is applied. The configured default maximum age is only used when the cached response is missing all of the cache control headers Cache-Control, Expires, and Last-Modified.
    Note: If only Last-Modified is present, the maximum age is calculated as ten percent of the difference between the current time and the last-modified time.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  text/html = memory:2000:3600
  # image/* = memory:5000:3600
  # */* = memory:1000:3600

[content-encodings] stanza

extension

Syntax
  extension = encoding_type

Description
  Entries in this stanza map a document extension to an encoding type. This mapping is used by WebSEAL to report the correct MIME type in its response content-type header for local junction files. This mapping is necessary so that WebSEAL can communicate to a browser that encoded (binary) data is being returned. The MIME types defined in this stanza must also be defined in [content-mime-types].
  When WebSEAL encounters a document with two extensions, such as .txt.Z, it produces two headers:
    content-type: text/plain
    content-encoding: x-compress
  Thus, even though the data is compressed, the response to the browser says text/plain. However, the extra content-encoding header tells the browser that the data is compressed text/plain.
  In most cases, the administrator does not need to add additional entries. However, if the administrator introduces a new extension type that requires more than a text/plain response, the extension and encoding_type should be added to this stanza.

Options
  encoding_type
    Encoding type.

Default value
  gz = x-gzip
  Z = x-compress

Example
  gz = x-gzip
  Z = x-compress

[content-index-icons] stanza

type

Syntax
  type = relative_pathname

Description
  Entries in this stanza specify icons to use in directory indices. The relative_pathname is the path name to the location of the icon. Administrators can add additional entries.
  The type must refer to valid MIME types. The wildcard character (*) is limited to entries of one collection of MIME types, for example image/*. No further wildcard expansion is done. For a list of MIME types, see the [content-mime-types] stanza.
  The relative_pathname can be any valid URI within the WebSEAL protected object space, as defined in doc-root.

Options
  type
    The type indicates a wildcard pattern for a collection of MIME types.
  relative_pathname
    The path name is relative to the WebSEAL protected object space, as set in the doc-root entry in the [content] stanza.

Usage
  The entries in this stanza are optional.

Default value
  The WebSEAL configuration file provides the following default entries:
  image/* = /icons/image2.gif
  video/* = /icons/movie.gif
  audio/* = /icons/sound2.gif
  text/html = /icons/generic.gif
  text/* = /icons/text.gif
  application/x-tar = /icons/tar.gif
  application/* = /icons/binary.gif

Example
  image/* = /icons/image2.gif

[credential-policy-attributes] stanza

policy-name

Syntax
  policy-name = credential-attribute-name

Description
  Controls which Access Manager policy values are stored in credentials during authentication.

Options
  credential-attribute-name
    Credential attribute name.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login

[credential-refresh-attributes] stanza

attribute_name_pattern

Syntax
  attribute_name_pattern = {preserve|refresh}

Description
  Specifies whether an attribute, or a group of attributes that match a pattern, should be preserved or refreshed during a credential refresh.

Options
  preserve
    Original attribute value is preserved in the new credential.
  refresh
    Original attribute value is refreshed in the new credential.

Usage
  This stanza entry is optional.

Default value
  preserve

Example
  tagvalue_* = preserve

authentication_level

Syntax
  authentication_level = {preserve|refresh}

Description
  Specifies whether the authentication level for the user should be preserved or refreshed during a credential refresh. The authentication level can reflect the results of an authentication strength policy (step-up authentication). In most cases, this level should be preserved during a credential refresh.

Options
  preserve
    Original attribute value is preserved in the new credential.
  refresh
    Original attribute value is refreshed in the new credential.
Default value
  preserve

Example
  authentication_level = preserve

[dsess] stanza

dsess-sess-id-pool-size

Syntax
  dsess-sess-id-pool-size = number

Description
  The maximum number of session IDs that are pre-allocated within the replica set.
  Note: This option is used by the [dsess-cluster] stanza.

Options
  number
    The maximum number of session IDs that are pre-allocated within the replica set.

Usage
  This stanza entry is required when:
    [session]
    dsess-enabled = yes

Default value
  125

Example
  dsess-sess-id-pool-size = 125

dsess-cluster-name

Syntax
  dsess-cluster-name = SMS cluster name

Description
  Specifies the name of the SMS cluster to which this SMS server belongs.

Options
  SMS cluster name
    The name of the SMS cluster to which this SMS server belongs. This field must be defined and reference an existing dsess-cluster stanza qualified by the value of this entry.

Usage
  This stanza entry is required when:
    [session]
    dsess-enabled = yes

Default value
  dsess

Example
  dsess-cluster-name = dsess

[dsess-cluster] stanza

basic-auth-user

Syntax
  basic-auth-user = user_name

Description
  Specifies the name of the user that is included in the basic authentication header.

Options
  user_name
    The user name to be included in the basic authentication header.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  basic-auth-user = user_name

basic-auth-passwd

Syntax
  basic-auth-passwd = password

Description
  Specifies the password that is included in the basic authentication header.

Options
  password
    The password to be included in the basic authentication header.

Usage
  This stanza entry is optional.

Default value
  None.

Example
  basic-auth-passwd = password

gsk-attr-name

Syntax
  gsk-attr-name = {enum|string|number}:id:value

Description
  Specify additional GSKit attributes to use when initializing an SSL connection with the Session Management Server (SMS). A complete list of the available attributes is included in the GSKit SSL API documentation.
  This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options
  {enum|string|number}
    The GSKit attribute type.
  id
    The identity associated with the GSKit attribute.
  value
    The value for the GSKit attribute.

Usage
  This stanza entry is optional.
  You cannot configure the following restricted GSKit attributes:
    GSK_KEYRING_FILE
    GSK_KEYRING_STASH_FILE
    GSK_KEYRING_LABEL
    GSK_CIPHER_V2
    GSK_V3_CIPHER_SPECS
    GSK_PROTOCOL_TLSV1
    GSK_FIPS_MODE_PROCESSING
  If you attempt to modify any of these attributes, an error message is generated.

Default value
  None.
Example: The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
gsk-attr-name = string:225:proxy.ibm.com
See also: gsk-attr-name on page 285, jct-gsk-attr-name on page 288, gsk-attr-name on page 315.

handle-idle-timeout
handle-idle-timeout = number
Limits the length of time that a handle remains idle before it is removed from the handle pool cache.
number: The length of time, in seconds, before an idle handle is removed from the handle pool cache.
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value: 240
Example: handle-idle-timeout = 240

handle-pool-size
handle-pool-size = number
The maximum number of idle Simple Object Access Protocol (SOAP) handles that the dsess client maintains at any given time.
number: The maximum number of idle SOAP handles that the dsess client maintains at any given time.
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value: 10
Example: handle-pool-size = 10

response-by
response-by = seconds
The length of time (in seconds) that the dsess client blocks while waiting for updates from the Session Management Server (SMS).
seconds: The length of time (in seconds) that the dsess client blocks while waiting for updates from the SMS.
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value: 60
Example: response-by = 60

server
server = {[0-9],}<URL>
Specifies a priority level and URL for each SMS server that is a member of this cluster. Multiple server entries can be specified for a given cluster.
0-9: A digit, 0-9, that represents the priority of the server within the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.
Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.
URL: A well-formed HTTP or HTTPS uniform resource locator for the server.
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value: This entry is disabled by default.
Example: server = 9,http://sms.example.com/DSess/services/DSess

ssl-fips-enabled
ssl-fips-enabled = {yes|no}
Determines whether Federal Information Processing Standards (FIPS) mode is enabled for communication with the session management server. If no configuration entry is present, the global setting, as determined by the ssl-fips-enabled entry in the [ssl] stanza of the policy server, takes effect. When this entry is set to "yes", or when the setting in the policy server configuration file is set to "yes", Transport Layer Security (TLS) version 1 (TLSv1) is the secure communication protocol used. When this entry is set to "no", or when the setting in the policy server configuration file is set to "no", SSL version 3 (SSLv3) is the secure communication protocol used.
yes: Indicates that TLSv1 is the secure communication protocol.
no: Indicates that SSLv3 is the secure communication protocol.
This stanza entry is optional.
Default value: None. If a different FIPS level than that of the policy server is required, it is the responsibility of the administrator to edit the configuration file, uncomment the stanza entry, and specify this value.
Example: ssl-fips-enabled = yes
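As an added illustration of the server entry format described above (this is not IBM's code and is not part of the reference), the following Python parses {[0-9],}<URL> values the way the entry is specified: an omitted priority defaults to 9, a space after the comma or a URL that is not HTTP or HTTPS is rejected, servers are ordered highest priority first, and the function reports whether any cluster URL uses HTTPS, which is the condition under which ssl-keyfile (or the global [ssl] stanza) must supply a client certificate. The sample entries are constructed.

```python
import re
from urllib.parse import urlsplit

# {[0-9],}<URL>: an optional single-digit priority and comma, then the URL.
# \S+ after the comma enforces the "no space between the comma and the URL" rule.
_SERVER_ENTRY = re.compile(r"^(?:(?P<prio>[0-9]),)?(?P<url>\S+)$")


def parse_server_entry(value):
    """Return (priority, url) for one 'server' value, or raise ValueError."""
    m = _SERVER_ENTRY.match(value.strip())
    if m is None:
        raise ValueError("malformed server entry: %r" % value)
    # The reference assumes priority 9 when none is given.
    prio = int(m.group("prio")) if m.group("prio") is not None else 9
    url = m.group("url")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("server URL must be a well-formed HTTP or HTTPS URL: %r" % url)
    return prio, url


def order_servers(entries):
    """Parse every entry and return them highest priority first.

    sorted() is stable, so entries sharing a priority keep their configuration order.
    """
    parsed = [parse_server_entry(e) for e in entries]
    return sorted(parsed, key=lambda item: -item[0])


def cluster_needs_ssl_keyfile(entries):
    """True when at least one cluster URL uses HTTPS (ssl-keyfile then applies)."""
    return any(urlsplit(url).scheme.lower() == "https" for _, url in order_servers(entries))


# Constructed sample values for a [dsess-cluster] stanza (not a real deployment).
SAMPLE_SERVERS = [
    "3,https://sms3.example.com/DSess/services/DSess",
    "9,http://sms.example.com/DSess/services/DSess",
    "http://sms2.example.com/DSess/services/DSess",  # no priority: treated as 9
]

if __name__ == "__main__":
    for prio, url in order_servers(SAMPLE_SERVERS):
        print(prio, url)
    print("ssl-keyfile required:", cluster_needs_ssl_keyfile(SAMPLE_SERVERS))
```

The two malformed cases the note above warns about, a space after the comma and a URL with a scheme other than HTTP or HTTPS, are rejected before the entry reaches the ordering step, so a typo in one server line is reported rather than silently demoted to the lowest priority.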
ssl-keyfile
ssl-keyfile = file_name
The name of the key database file, which houses the client certificate to be used.
file_name: The name of the key database file that houses the client certificate for WebSEAL to use.
This stanza entry is only required if one or more of the cluster server URLs specified in the server entries uses SSL (that is, contains an HTTPS protocol specification in the URL). If no cluster server uses the HTTPS protocol, this entry is not required. If this entry is required but is not specified in the [dsess-cluster] stanza, the value is taken from the global [ssl] stanza.
[session]
dsess-enabled = yes
Default value: None.
Example: ssl-keyfile = file_name

ssl-keyfile-label
ssl-keyfile-label = label_name
The label of the client certificate within the key database.
label_name: Client certificate label name.
This stanza entry is required when:
[session]
dsess-enabled = yes
Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value is taken from the global [ssl] stanza.
Default value: None.
Example: ssl-keyfile-label = label_name

ssl-keyfile-stash
ssl-keyfile-stash = file_name
The name of the password stash file for the key database file.
file_name: The password stash file.
This stanza entry is required when:
[session]
dsess-enabled = yes
Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value is taken from the global [ssl] stanza.
Default value: None.
Example: ssl-keyfile-stash = file_name

ssl-valid-server-dn
ssl-valid-server-dn = certificate_dn
Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.
value: Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value: None.
Example: ssl-valid-server-dn = value

timeout
timeout = seconds
The length of time (in seconds) to wait for a response to be received back from the SMS.
seconds: The length of time (in seconds) to wait for a response to be received back from the SMS.
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value: 30
Example: timeout = 30

[eai] stanza

eai-auth
eai-auth = {none|http|https|both}
Enables the external authentication interface.
{none|http|https|both}: Enables the external authentication interface. No other external authentication interface parameters take effect if this entry is set to "none".
Default value: none
Example: eai-auth = none

eai-auth-level-header
eai-auth-level-header = header-name
Specifies the name of the header that contains the authentication strength level for the generated credential.
header-name: The name of the header that contains the authentication strength level for the generated credential.
This stanza entry is optional.
Default value: am-eai-auth-level
Example: eai-auth-level-header = am-eai-auth-level

eai-flags-header
eai-flags-header = header-name
Specifies the name of the header that 'flags' the authentication response with extra processing information. WebSEAL supports the following header values as flags:
stream: Causes WebSEAL to stream the EAI authentication response back to the client. For more details, see the information about external authentication interface authentication flags in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
header-name: The name of the EAI flags header.
This stanza entry is optional.
Default value: am-eai-flags
Example: eai-flags-header = am-eai-flags

eai-pac-header
eai-pac-header = header-name
Specifies the name of the Privilege Attribute Certificate (PAC) header that contains authentication data returned from the external authentication interface server.
header-name: The name of the privilege attribute certificate (PAC) header that contains authentication data returned from the external authentication interface server.
This stanza entry is optional.
Default value: am-eai-pac
Example: eai-pac-header = am-eai-pac

eai-pac-svc-header
eai-pac-svc-header = header-name
Specifies the name of the header that contains the service ID that is used to convert the PAC into a credential.
header-name: The name of the header that contains the service ID that is used to convert the PAC into a credential.
This stanza entry is optional.
Default value: am-eai-pac-svc
Example: eai-pac-svc-header = am-eai-pac-svc

eai-redir-url-header
eai-redir-url-header = header-name
Specifies the name of the header that contains the URL to which a client is redirected upon successful authentication.
header-name: The name of the header that contains the URL to which a client is redirected upon successful authentication.
This stanza entry is optional.
Default value: am-eai-redir-url
Example: eai-redir-url-header = am-eai-redir-url

eai-session-id-header
eai-session-id-header = header-name
The name of the header that contains the session identifier of the distributed session to be shared across multiple DNS domains.
header-name: The session identifier of the distributed session to be shared across multiple DNS domains.
Default value: am-eai-session-id
Example: eai-session-id-header = am-eai-session-id

eai-user-id-header
eai-user-id-header = header-name
Specifies the name of the header that contains the ID of the user used when generating a credential.
header-name: The name of the header that contains the ID of the user used when generating a credential.
This stanza entry is optional.
Default value: am-eai-user-id
Example: eai-user-id-header = am-eai-user-id

eai-verify-user-identity
eai-verify-user-identity = {yes|no}
During the EAI re-authentication process, this configuration entry determines whether the new user identity must match the user identity from the previous authentication.
yes: During EAI authentication, the new user identity is compared with the user identity from the previous authentication. If the user identities do not match, an error is returned.
no: EAI authentication proceeds without verifying the new user identity.
This stanza entry is optional.
Default value: no
Example: eai-verify-user-identity = no

eai-xattrs-header
eai-xattrs-header = header-name[,header-name...]
Specifies a comma-delimited list of header names. WebSEAL examines the response for headers with the specified names and creates extended attributes, using the name of the header as the attribute name and the value of the header as the attribute value. For example, if the following headers are returned in the HTTP response:
am-eai-xattrs: creditcardexpiry, streetaddress
creditcardexpiry: 090812
streetaddress: 555 homewood lane
WebSEAL will:
1. Examine the am-eai-xattrs header
2. Detect two headers to look for in the response
3. Find those headers and their values
4. Add the two specified attributes to the credential
header-name[,header-name...]: One or more (comma-delimited) header names that are added to the credential as extended attributes.
This stanza entry is optional.
Default value: am-eai-xattrs
Example: eai-xattrs-header = am-eai-xattrs

retain-eai-session
retain-eai-session = {yes|no}
Specifies whether the existing session and session cache entry for a client are retained or replaced when an already-authenticated EAI client authenticates through an EAI a second time.
yes: If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are retained, and the new credential is stored in the existing cache entry.
no: If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are completely replaced, and the new credential is stored in the new cache entry.
Default value: no
Example: retain-eai-session = no

[eai-trigger-urls] stanza

trigger
trigger = url-pattern
Format for standard WebSEAL junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.
url-pattern: The trigger URL (format for standard WebSEAL junctions) that causes WebSEAL to set a special flag on the request.
There must be at least one entry when eai-auth is not "none".
Default value: None.
Example: trigger = /jct/cgi-bin/eaitest/*

trigger = HTTP[S]://virtual-host-name[:port_number]/url-pattern
Format for virtual host junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers. For virtual host junctions to match a trigger, they must use the same protocol and the same virtual-host-name and port number as the trigger.
HTTP[S]://virtual-host-name[:port_number]/url-pattern: The trigger URL (format for virtual host junctions) that causes WebSEAL to set a special flag on the request.
There must be at least one entry when eai-auth is not "none".
Default value: None.
Example: trigger = HTTPS://vhost1.example.com:4344/jct/cgi-bin/eaitest/*
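The [eai] header entries on the preceding pages and the [eai-trigger-urls] entries above describe one mechanism: a request that matches a trigger is flagged, and only the response to a flagged request is examined for the am-eai-* headers from which the credential is built. The following Python is an added example of that mechanism and is not IBM's code. It assumes the documented default header names, treats an omitted port in a virtual-host trigger as the scheme's standard port (80 or 443), compares a path-only trigger against the request path without regard to host (the page does not say how path-only triggers treat the host), and uses constructed triggers and response headers; the am-eai-xattrs headers reuse the page's own illustration, while the user id and authentication level values are made up.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed [eai] configuration using the documented default header names.
EAI_CONFIG = {
    "eai-user-id-header": "am-eai-user-id",
    "eai-auth-level-header": "am-eai-auth-level",
    "eai-redir-url-header": "am-eai-redir-url",
    "eai-xattrs-header": "am-eai-xattrs",
}
DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed when a virtual-host trigger omits :port


def parse_trigger(trigger):
    """Classify one 'trigger' value: a path pattern for standard junctions, or
    HTTP[S]://virtual-host-name[:port]/url-pattern for virtual host junctions."""
    if trigger.startswith("/"):
        return {"kind": "junction", "path": trigger}
    parts = urlsplit(trigger)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("trigger must be a path or an HTTP[S] virtual-host URL: %r" % trigger)
    return {"kind": "vhost", "scheme": scheme, "host": parts.hostname.lower(),
            "port": parts.port or DEFAULT_PORTS[scheme], "path": parts.path or "/"}


def request_is_trigger(scheme, host, port, path, triggers):
    """True if the request matches a configured trigger. Virtual-host triggers
    require the same protocol, host and port; a path-only trigger is compared
    against the request path alone (assumption, see lead-in)."""
    for t in (parse_trigger(x) for x in triggers):
        if t["kind"] == "vhost" and (t["scheme"] != scheme.lower()
                                     or t["host"] != host.lower() or t["port"] != port):
            continue
        if fnmatch.fnmatchcase(path, t["path"]):
            return True
    return False


def _lookup(headers, name):
    """Case-insensitive lookup of one header in a list of (name, value) pairs."""
    name = name.lower()
    for h, v in headers:
        if h.lower() == name:
            return v.strip()
    return None


def extended_attributes(headers, xattrs_header="am-eai-xattrs"):
    """eai-xattrs-header rule: read the comma-delimited list of header names, then
    take each named header's value as a credential attribute; names listed but
    absent from the response are skipped."""
    listing = _lookup(headers, xattrs_header)
    if listing is None:
        return {}
    attrs = {}
    for raw in listing.split(","):
        name = raw.strip()
        value = _lookup(headers, name) if name else None
        if value is not None:
            attrs[name] = value
    return attrs


def parse_eai_response(headers, config=EAI_CONFIG):
    """Map an EAI response's headers to the fields WebSEAL uses to build the credential."""
    return {
        "user_id": _lookup(headers, config["eai-user-id-header"]),
        "auth_level": _lookup(headers, config["eai-auth-level-header"]),
        "redirect_url": _lookup(headers, config["eai-redir-url-header"]),
        "xattrs": extended_attributes(headers, config["eai-xattrs-header"]),
    }


# Constructed triggers: the page's standard-junction example plus a made-up
# virtual-host trigger on a different path so the host/port checks are visible.
TRIGGERS = ["/jct/cgi-bin/eaitest/*", "HTTPS://vhost1.example.com:4344/vhost-eai/*"]

# Constructed EAI response headers, reusing the page's am-eai-xattrs illustration.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("am-eai-user-id", "jdoe"),
    ("am-eai-auth-level", "1"),
    ("am-eai-xattrs", "creditcardexpiry, streetaddress"),
    ("creditcardexpiry", "090812"),
    ("streetaddress", "555 homewood lane"),
]


def process(scheme, host, port, path, headers, triggers=TRIGGERS):
    """Only the response to a trigger request is examined for EAI headers."""
    if not request_is_trigger(scheme, host, port, path, triggers):
        return None
    return parse_eai_response(headers)
```

The trigger check is what keeps an arbitrary back-end response from being read as an authentication result: process() returns None for a non-trigger request even when the response carries am-eai-* headers, which is the reason the reference requires at least one trigger entry whenever eai-auth is not "none".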
[e-community-domains] stanza

name
name = domain
The e-community cookie domains used by virtual host junctions. The domain used by a particular virtual host junction is chosen by finding the longest domain in the table that matches the virtual host name. Each of these domains must also have a corresponding table of keys, defined by creating a stanza of the format [e-community-domain-keys:domain].
domain: The e-community cookie domain used by virtual host junctions.
This stanza entry is optional.
Default value: None.
Example: name = www.example.com

[e-community-domain-keys] stanza

domain_name
domain_name = key_file
File names for keys for any domains that are participating in the e-community. This includes the domain in which the WebSEAL server is running. These are shared on a pair-wise-by-domain basis.
domain_name: A domain that is participating in the e-community.
key_file: File name for the key for any domain that is participating in the e-community.
This stanza entry is optional.
Default value: None.
Example: ecssoserver.subnet.example.com = ecsso.key

[e-community-domain-keys:domain] stanza

domain_name
domain_name = key_file
Keys for any domains that are participating in the e-community, including the domain in which the virtual host junction is running. These are shared on a pair-wise-by-domain basis.
domain_name: Domain that is participating in the e-community, including the domain in which the virtual host junction is running.
key_file: Key for any domain that is participating in the e-community, including the domain in which the virtual host junction is running.
This stanza entry is optional.
Default value: None.
Example:
[e-community-domain-keys:www.example.com]
ecssoserver.subnet.example.com = ecsso.key

[e-community-sso] stanza

cache-requests-for-ecsso
cache-requests-for-ecsso = {yes|no}
Specifies whether or not to cache request data from an unauthenticated request while the e-community master authentication server (MAS) authenticates the user.
yes: If an unauthenticated request is made, the request data is cached while the e-community master authentication server (MAS) authenticates the user.
no: If an unauthenticated request is made, the request data is not cached while the e-community master authentication server (MAS) authenticates the user. The original request data is lost.
Default value: no
Example: cache-requests-for-ecsso = no

e-community-name
e-community-name = name
String value that specifies an e-community name. When e-community single signon is supported, this name must match any vouch-for tokens or e-community cookies that are received.
name: String value that specifies an e-community name. The string must not contain the equals sign (=) or ampersand (&).
This stanza entry is optional.
Default value: None.
Example: e-community-name = company1

disable-ec-cookie
disable-ec-cookie = {yes|no}
Provides an option to override default e-community Single Sign-On (ecsso) behavior and prohibit WebSEAL from using e-community cookies.
yes: Prohibits WebSEAL from using the e-community cookie; only the master authentication server (MAS) is permitted to generate vouch-for tokens.
no: The default ecsso behavior in WebSEAL is left unchanged.
This stanza entry is optional.
Default value: no
Example: disable-ec-cookie = no

e-community-sso-auth
e-community-sso-auth = {none|http|https|both}
Enables participation in e-community single signon.
{none|http|https|both}: Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Default value: none
Example: e-community-sso-auth = none

ec-cookie-domain
ec-cookie-domain = domain
The domain of the e-community cookie. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
domain: The domain of the e-community cookie. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
Default value: None.
Example: ec-cookie-domain = www.example.com

ec-cookie-lifetime
ec-cookie-lifetime = number_of_minutes
Positive integer value indicating the lifetime of an e-community cookie.
number_of_minutes: Positive integer value indicating the lifetime, in minutes, of an e-community cookie. The minimum value is 1. There is no maximum value.
Default value: 300
Example: ec-cookie-lifetime = 300

ecsso-allow-unauth
ecsso-allow-unauth = {yes|no}
Enables or disables unauthenticated access to unprotected resources on an e-community SSO slave server.
yes: The value yes enables unauthenticated access.
no: The value no disables access. For compatibility with versions of WebSEAL prior to version 5.1, set this value to no.
Default value: yes
Example: ecsso-allow-unauth = yes

ecsso-propagate-errors
ecsso-propagate-errors = {yes|no}
Specifies whether authentication errors returned by the master-authn-server in vouch-for tokens are propagated to the ERROR_CODE and ERROR_TEXT macros used by facilities such as local response redirect.
yes: Authentication errors are propagated to the ERROR_CODE and ERROR_TEXT macros.
no: Authentication errors are not propagated to the ERROR_CODE and ERROR_TEXT macros.
Default value: no
Example: ecsso-propagate-errors = no

handle-auth-failure-at-mas
handle-auth-failure-at-mas = {yes|no}
Provides an option to override default ecsso behavior and allow the MAS to handle login failures without redirecting the Web browser back to the requesting host.
yes: Enables the MAS to handle login failures directly, without redirecting the Web browser back to the requesting host.
no: The default ecsso behavior in WebSEAL is left unchanged. On a login failure, the MAS generates a vouch-for token and redirects the Web browser back to the requesting host.
This stanza entry is optional.
Default value: no
Example: handle-auth-failure-at-mas = no

is-master-authn-server
is-master-authn-server = {yes|no}
Specifies whether this WebSEAL server accepts vouch-for requests from other WebSEAL instances. The WebSEAL instances must have domain keys listed in the [e-community-domain-keys] stanza.
yes: This WebSEAL server accepts vouch-for requests from other WebSEAL instances. When this value is yes, this WebSEAL server is the master authentication server.
no: This WebSEAL server does not accept vouch-for requests from other WebSEAL instances.
This stanza entry is optional.
Default value: None.
Example: is-master-authn-server = yes

master-authn-server
master-authn-server = fully_qualified_hostname
Location of the master authentication server. This value must be specified when is-master-authn-server is set to no. If a local domain login has not been performed, authentication attempts are routed through the master machine. The master machine vouches for the user identity. The domain key for the master-authn-server must be listed in the [e-community-domain-keys] stanza.
fully_qualified_hostname: Location of the master authentication server.
This stanza entry is optional.
Default value: None.
Example: master-authn-server = diamond.dev.example.com

master-http-port
master-http-port = port_number
Integer value specifying the port number on which the master-authn-server listens for HTTP requests. The setting is necessary when e-community-sso-auth permits use of the HTTP protocol and the master-authn-server listens for HTTP requests on a port other than the standard HTTP port (port 80). This stanza entry is ignored if this WebSEAL server is the master authentication server.
port_number: Integer value specifying the port number on which the master-authn-server listens for HTTP requests.
This stanza entry is optional.
Default value: None.
Example: master-http-port = 81
master-https-port
master-https-port = port_number
Integer value specifying the port number on which the master-authn-server listens for HTTPS requests. The setting is necessary when e-community-sso-auth permits use of the HTTPS protocol and the master-authn-server listens for HTTPS requests on a port other than the standard HTTPS port (port 443). This stanza entry is ignored if this WebSEAL server is the master authentication server.
port_number: Integer value specifying the port number on which the master-authn-server listens for HTTPS requests.
This stanza entry is optional.
Default value: None.
Example: master-https-port = 444

propagate-cdmf-errors
propagate-cdmf-errors = {yes|no}
Controls the subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.
yes: A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.
no: A "no" value (the default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.
Default value: no
Example: propagate-cdmf-errors = no

use-utf8
use-utf8 = {yes|no}
Use UTF-8 encoding for tokens used in e-community single signon. Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables tokens to be used across different code pages (such as for a different language). For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.
Default value: yes
Example: use-utf8 = yes

vf-argument
vf-argument = vouch-for_token_name
String value containing the name of the vouch-for token contained in a vouch-for reply. This is used to construct the vouch-for replies by the master authentication server, and to distinguish incoming requests as ones with vouch-for information by participating e-community single signon servers.
vouch-for_token_name: Valid characters for the string are ASCII characters except for the ampersand (&), equals sign (=), and question mark (?).
This stanza entry is optional.
Default value: PD-VF
Example: vf-argument = PD-VF

vf-token-lifetime
vf-token-lifetime = number_of_seconds
Positive integer indicating the lifetime, in seconds, of the vouch-for token. This is set to account for clock skew between participant servers.
number_of_seconds: Positive integer indicating the lifetime, in seconds, of the vouch-for token. The minimum value is 1 second. There is no maximum value.
This stanza entry is optional.
Default value: 180
Example: vf-token-lifetime = 180

vf-url
vf-url = URL_designation
Designator for the vouch-for URL. This specifies the start of a URL relative to the server root. This is used to construct vouch-for requests for participating e-community single signon servers, and to distinguish requests for vouch-for information from other requests by the master authentication server.
URL_designation: The URL_designation string can contain alphanumeric characters and the following special characters: dollar sign ($), hyphen (-), underscore (_), period (.), plus sign (+), exclamation point (!), asterisk (*), single quote ('), parentheses "()" and comma (,). Question marks (?) are not allowed.
This stanza entry is optional.
Default value: When the stanza entry is not present in the configuration file, the default value is /pkmsvouchfor.
Example: vf-url = /pkmsvouchfor

[ecsso-incoming-attributes] stanza

attribute_pattern
attribute_pattern = {preserve|refresh}
Extended attributes to extract from incoming ecsso authentication tokens. The attributes typically match those declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain. The attribute_pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?). The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.
preserve: Attributes in ecsso vouch-for tokens that match a "preserve" entry, or that match none of the entries, are kept. If no entries are configured, all attributes are kept.
refresh: Attributes in ecsso vouch-for tokens that match a "refresh" entry are removed from the token before the CDMF library is called to map the remote user into the local domain.
This stanza entry is optional.
Default value: None.
Example: my_cred_attr1 = preserve
[ecsso-token-attributes] stanza

<default>
<default> = pattern1
[<default> = pattern2]
...
[<default> = patternn]
Credential attributes to include in ecsso authentication tokens. When WebSEAL cannot find a domain_name entry to match the domain, the entries in "<default>" are used. The word <default> is a key word and must not be modified.
pattern: The pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).
This stanza entry is optional.
Default value: None.
Example: <default> = my_cdas_attr_*

domain_name
domain_name = pattern1
[domain_name = pattern2]
...
[domain_name = patternn]
Credential attributes to include in ecsso authentication tokens.
domain_name: The domain_name specifies the destination domain containing the server that will consume the token.
pattern: The pattern for each entry can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).
This stanza entry is optional.
Default value: None.
Example:
example1.com = my_cdas_attr_*
example1.com = some_exact_attribute

[enable-redirects] stanza

redirect
redirect = {forms-auth|basic-auth|cert-auth|ext-auth-interface}
Enables redirection for use with one or more authentication mechanisms.
{forms-auth|basic-auth|cert-auth|ext-auth-interface}: Redirection is supported for:
- Forms authentication
- Basic authentication
- Certificate authentication
- External authentication interface
The configuration file must contain a separate entry for each authentication mechanism for which redirection is enabled.
This stanza entry is optional.
Default value: None.
Example entries that enable redirection for forms authentication and basic authentication:
redirect = forms-auth
redirect = basic-auth

[failover] stanza

clean-ecsso-urls-for-failover
clean-ecsso-urls-for-failover = {yes|no}
You can enable Failover Authentication and ecsso in your environment. During failover authentication, if a user was originally authenticated using ecsso, WebSEAL updates the URL that it sends to the back-end server. WebSEAL sends the PD-VFHOST and PD-VF tokens as query arguments, along with the original URL. Use the clean-ecsso-urls-for-failover configuration entry to control whether these tokens are removed from the URL.
yes: The query arguments that contain the PD-VFHOST and PD-VF tokens are removed from the URL.
no: The query arguments that contain the PD-VFHOST and PD-VF tokens are not removed from the URL.
This stanza entry is optional.
Default value: no
Example: clean-ecsso-urls-for-failover = no

enable-failover-cookie-for-domain
enable-failover-cookie-for-domain = {yes|no}
Enables the failover cookie for the domain.
yes: Enables the failover cookie for the domain.
no: Disables the failover cookie for the domain.
Default value: no
Example: enable-failover-cookie-for-domain = no
failover-auth
failover-auth = {none|http|https|both}
Enables WebSEAL to accept failover cookies.
{none|http|https|both}: Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Default value: none
Example: failover-auth = none

failover-cookie-lifetime
failover-cookie-lifetime = number_of_minutes
An integer value specifying the number of minutes that failover cookie contents are valid.
number_of_minutes: An integer value specifying the number of minutes that failover cookie contents are valid. Must be a positive integer. There is no maximum value.
Default value: 60
Example: failover-cookie-lifetime = 60
failover-cookies-keyfile
failover-cookies-keyfile = file_name
A key file for failover cookie encryption. Use the SSO Keys management page of the LMI to generate this file.
file_name: Name of the key file for failover cookie encryption.
This stanza entry is optional.
Default value: None.
Example: failover-cookies-keyfile = failover.key

failover-include-session-id
failover-include-session-id = {yes|no}
Enables or disables reuse by WebSEAL of a client's original session ID, to improve failover authentication response and performance in a non-sticky load-balancing environment. WebSEAL reuses the original session ID by storing the ID as an extended attribute in the failover cookie.
yes: Enables WebSEAL to reuse a client's original session ID to improve failover authentication response and performance in a non-sticky load-balancing environment.
no: Disables reuse by WebSEAL of a client's original session ID.
Default value: no
Example: failover-include-session-id = no

failover-require-activity-timestamp-validation
failover-require-activity-timestamp-validation = {yes|no}
Enables or disables the requirement of a session activity timestamp validation in the failover cookie.
yes: Enables the requirement of a session activity timestamp validation in the failover cookie.
no: Disables the requirement of a session activity timestamp validation in the failover cookie. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session activity timestamp in the failover cookie.
Default value: yes
Example: failover-require-activity-timestamp-validation = yes

failover-require-lifetime-timestamp-validation
failover-require-lifetime-timestamp-validation = {yes|no}
Enables or disables the requirement of a session lifetime timestamp validation in the failover cookie.
yes: Enables the requirement of a session lifetime timestamp validation in the failover cookie.
no: Disables the requirement of a session lifetime timestamp validation in the failover cookie. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session lifetime timestamp in the failover cookie.
Default value: yes
Example: failover-require-lifetime-timestamp-validation = yes

failover-update-cookie
failover-update-cookie = number_of_seconds
The maximum interval, in seconds, allowed between updates of the session activity timestamp in the failover cookies. The value is an integer. When the server receives a request, if the number of seconds specified for this parameter has passed, the session activity timestamp is updated.
number_of_seconds: When the value is 0, the session activity timestamp is updated on every request. When the value is less than zero (a negative number), the session activity timestamp is never updated. There is no maximum value.
Default value: -1
Example: failover-update-cookie = 60

reissue-missing-failover-cookie
reissue-missing-failover-cookie = {yes|no}
Allows WebSEAL to reissue a cached original failover cookie in the response to a client if the client makes a request that does not include the failover cookie.
yes: Enables the failover cookie reissue mechanism.
no: Disables the failover cookie reissue mechanism.
Default value: no
Example: reissue-missing-failover-cookie = no

use-utf8
use-utf8 = {yes|no}
Use UTF-8 encoding for strings in the failover authentication cookie. Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, cookies can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables cookies to be used across different code pages (such as for a different language). For backward compatibility with cookies created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.
Default value: yes
Example: use-utf8 = yes

[failover-add-attributes] stanza

attribute_pattern
attribute_pattern = add
List of attributes from the original credential that must be preserved in the failover cookie. The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern are not added to the failover cookie.
attribute_pattern: The attribute pattern is a wildcard pattern that is not case-sensitive.
add: Add attribute.
Entries in this stanza are optional.
Default value: There are no default entries in this stanza. However, the attributes AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD are added to the failover cookie by default. These attributes do not need to be included in the configuration stanza.
Example: tagvalue_failover_amweb_session_id = add

session-activity-timestamp
session-activity-timestamp = add
This entry specifies that the timestamp for the last user activity is taken from the failover cookie and added to the new session on the replicated server. This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.
add: Add attribute.
This stanza entry is optional and must be manually added to the configuration file.
Default value: None.
Example: session-activity-timestamp = add

session-lifetime-timestamp
session-lifetime-timestamp = add
This entry specifies that the timestamp for creation of the original session be taken from the failover cookie and added to the new session on the replicated server. This attribute cant be specified by pattern matching. This entry must be added exactly as it is written. add Add attribute. This stanza entry is optional and must be manually added to the configuration file. None. session-lifetime-timestamp = add [failover-restore-attributes] stanza attribute_pattern attribute_pattern = preserve List of attributes to put in the new credential when recreating a credential from a failover cookie. The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do t match any pattern will t be added to the credential. attribute_pattern The attribute pattern is a t case-sensitive wildcard pattern. preserve When WebSEAL recreates a credential, all failover cookie attributes are igred unless specified by an entry with the value preserve. Entries in this stanza are optional. None. Stanza reference 95
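The ordered, first-match rule semantics shared by [failover-add-attributes] and [failover-restore-attributes] are easy to get wrong, because a wildcard placed above a more specific entry silently wins. The Python model below is an added example, not WebSEAL code: it implements the add and preserve actions as described above and the refresh exception documented under the next entry, using case-insensitive shell-style wildcards (Python's fnmatch) as the pattern language. The attribute names other than the two WebSEAL always adds are constructed for the example.

```python
"""Ordered first-match attribute rules for failover cookies (added example)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

Rules = List[Tuple[str, str]]          # [(pattern, action), ...] in file order

# Added to the failover cookie by default, whatever the stanza says.
ALWAYS_ADDED = ("AUTHENTICATION_LEVEL", "AZN_CRED_AUTH_METHOD")


def first_match(name: str, rules: Rules) -> Optional[str]:
    """Action of the first rule whose wildcard pattern matches name, else None.
    Patterns compare case-insensitively, as the stanza entries state."""
    for pattern, action in rules:
        if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            return action
    return None


def build_failover_attributes(credential: Dict[str, str], add_rules: Rules) -> Dict[str, str]:
    """[failover-add-attributes]: copy an attribute into the cookie only if the
    first matching rule says add (or it is one WebSEAL always adds)."""
    return {name: value for name, value in credential.items()
            if name in ALWAYS_ADDED or first_match(name, add_rules) == "add"}


def restore_credential(cookie_attrs: Dict[str, str], restore_rules: Rules) -> Dict[str, str]:
    """[failover-restore-attributes]: every cookie attribute is ignored unless
    the first matching rule says preserve; refresh (or no match) leaves it out
    so that the authentication process supplies a fresh value."""
    return {name: value for name, value in cookie_attrs.items()
            if first_match(name, restore_rules) == "preserve"}


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    cookie = {  # constructed cookie contents
        "AZN_CRED_AUTH_METHOD": "forms",
        "tagvalue_failover_amweb_session_id": "sess-1234",
        "tagvalue_last_balance_check": "old-value",   # constructed name
    }
    # Exception listed before the wildcard: the stale attribute is refreshed.
    ordered_ok = [("tagvalue_last_balance_check", "refresh"), ("tagvalue_*", "preserve")]
    # Same rules, wrong order: the wildcard matches first, the refresh entry is
    # never reached, and the stale value is carried into the new credential.
    ordered_bad = [("tagvalue_*", "preserve"), ("tagvalue_last_balance_check", "refresh")]
    return restore_credential(cookie, ordered_ok), restore_credential(cookie, ordered_bad)


if __name__ == "__main__":
    good, bad = demo()
    print("correct order :", good)
    print("reversed order:", bad)
```

Note that AZN_CRED_AUTH_METHOD is in the cookie without any add entry, but is not restored unless a preserve rule names it; the two stanzas are evaluated independently.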
attribute_pattern

Syntax: attribute_pattern = refresh

Description: A list of failover cookie attributes to omit from the recreated user credential. This list is not needed in all configurations. The default behavior when recreating a user credential is to omit all attributes that are not specified with a value of preserve. In some cases it might be necessary to specify an exception to a wildcard pattern match, to ensure that a specific attribute gets refreshed, not preserved. This specification might be necessary, for example, when using a custom external authentication C API module. The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern will not be added to the credential.

Options:
attribute_pattern  The attribute pattern is a case-insensitive wildcard pattern.
refresh  Specifies an exception to a wildcard pattern match, to ensure that a specific attribute gets refreshed, not preserved.

Usage: Entries in this stanza are optional.

Default value: None.

Example: tagvalue_failover_amweb_session_id = refresh

[filter-content-types] stanza

type

Syntax: type = type_name

Description: List of entries that specify MIME types to be filtered by WebSEAL when received from junctioned servers. Administrators can add additional MIME types that refer to a document that contains HTML or HTML-like content.

Options:
type_name  MIME type.

Usage: This list of stanza entries is required. Do not remove the default entries.

Default value:
type = text/html
type = text/vnd.wap.wml

Example:
type = text/html
type = text/vnd.wap.wml

[filter-events] stanza

HTML_tag

Syntax: HTML_tag = event_handler

Description: List of HTML tags used by WebSEAL to identify and filter absolute URLs embedded in JavaScript. JavaScript allows HTML tags to contain event handlers that are invoked when certain events occur. For example, the HTML tag:

<form onsubmit="javascript:dosomething()">

causes the JavaScript function dosomething() to be called when the form is submitted. The entries in this stanza are used to identify HTML tags that may contain JavaScript code. When such a tag is discovered, WebSEAL searches the tag to filter any absolute URLs embedded in the JavaScript. For example, if the "form onsubmit" example looked like:

<form onsubmit="javascript:dosomething( http://junction.server.com )">

WebSEAL HTML filtering would modify the tag to look like:

<form onsubmit="javascript:dosomething( /junction )">

Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and the JavaScript event handlers they support. When adding new entries, maintain alphabetical order.

Options:
HTML_tag  HTML tag.
event_handler  JavaScript event handler.

Usage: This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.

Default value (default HTML tags and event handlers):
A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT

Example: IMG = ONABORT

[filter-request-headers] stanza

header

Syntax: header = header_name

Description: List of HTTP headers that WebSEAL filters (removes) before sending the request to a junctioned server. A default list is built in to WebSEAL. The default entries are not included in the configuration file. The addition of new entries in this stanza is optional. For example, an administrator could add the accept-encoding header. This would instruct WebSEAL to remove any accept-encoding headers from requests before forwarding the request to the junction. The removal of the accept-encoding header would cause the junction server to return the document in an unencoded form, allowing WebSEAL to filter the document if necessary. New entries must consist of valid HTTP headers.

The iv-* names in the built-in list are the identity headers that WebSEAL itself can insert into a junctioned request (user, groups, credential, remote address). Removing any client-supplied copies before forwarding ensures that a junctioned server only ever sees the values WebSEAL set.

Options:
header_name  HTTP header name.

Usage: The addition of new entries in this stanza is optional.

Default value (built-in header list):
host
connection
proxy-connection
expect
te
iv-ssl-jct
iv-user
iv_user
iv-groups
iv_groups
iv-creds
iv_creds
iv_remote_address
iv-remote-address

Example: header = accept-encoding

[filter-schemes] stanza

scheme

Syntax: scheme = scheme_name

Description: List of URL schemes that are not to be filtered by WebSEAL. A scheme is a protocol identifier. This list is used when WebSEAL encounters a document containing a base URL. For example:

<head>
<base href="http://www.foo.com">
</head>
<a href="mailto:bee@bee.com">send me mail</a>

WebSEAL identifies the scheme mailto because this scheme is included by default in the [filter-schemes] stanza. If mailto was not identified as a scheme, WebSEAL would interpret it as a document reference and perform normal filtering. WebSEAL would then rewrite the link as:

<a href="http://www.foo.com/mailto:bee@bee.com">

This would be incorrect.

Options:
scheme_name  Scheme name.

Usage: WebSEAL provides a set of default schemes. The administrator can extend the list if additional protocols are used. Do not delete entries from the list.

Default value:
scheme = file
scheme = ftp
scheme = https
scheme = mailto
scheme = news
scheme = telnet

Example: scheme = telnet
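The two filtering directions described by [filter-request-headers], [filter-schemes], [filter-events] and the [filter-url] attribute list that follows can be tried out with the Python model below. It is an added example, not WebSEAL code: the request side drops the built-in headers plus any configured header = entries, and the response side shows how a <base href> page is treated with and without mailto in the scheme list and how an absolute junction URL inside an event handler is rewritten to a junction-relative one. The junction table, the sample request and the tag are constructed for this example.

```python
"""Model of WebSEAL request-header stripping and response URL filtering (added example)."""
import re
from typing import Dict, Iterable

# Built-in list from [filter-request-headers]; the iv-* names are the identity
# headers WebSEAL itself sets for a junction, so client copies must not pass.
BUILTIN_REQUEST_HEADERS = {
    "host", "connection", "proxy-connection", "expect", "te", "iv-ssl-jct",
    "iv-user", "iv_user", "iv-groups", "iv_groups", "iv-creds", "iv_creds",
    "iv_remote_address", "iv-remote-address",
}

# Default [filter-schemes] entries. http is absent on purpose: http URLs are
# the ones the filter rewrites.
DEFAULT_SCHEMES = {"file", "ftp", "https", "mailto", "news", "telnet"}


def filter_request_headers(headers: Dict[str, str], extra: Iterable[str] = ()) -> Dict[str, str]:
    """Drop the built-in headers plus any configured header = entries
    (HTTP header names compare case-insensitively)."""
    blocked = BUILTIN_REQUEST_HEADERS | {h.lower() for h in extra}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


def resolve_against_base(href: str, base: str, schemes=DEFAULT_SCHEMES) -> str:
    """How a link in a page carrying <base href> is treated: a listed scheme is
    left alone; an http URL is left to the junction rewrite; anything else is
    taken to be a document reference and joined to the base. Removing a scheme
    from the list therefore produces the wrong join the entry warns about."""
    scheme, sep, _ = href.partition(":")
    if sep and scheme.lower() in schemes:
        return href
    if href.lower().startswith("http://"):
        return href
    return base.rstrip("/") + "/" + href.lstrip("/")


def rewrite_absolute(url: str, junctions: Dict[str, str]) -> str:
    """Turn an absolute URL for a junctioned server into a junction-relative
    one, e.g. http://junction.server.com/x -> /junction/x."""
    for origin, junction in junctions.items():
        if url.lower().startswith(origin.lower()):
            return junction + url[len(origin):]
    return url


ABSOLUTE_URL = re.compile(r"https?://[^\s'\")<>]+", re.IGNORECASE)


def filter_event_handler(tag: str, junctions: Dict[str, str]) -> str:
    """Rewrite absolute URLs embedded in a tag's JavaScript event handler,
    as [filter-events] directs for the listed tag/handler pairs."""
    return ABSOLUTE_URL.sub(lambda m: rewrite_absolute(m.group(0), junctions), tag)


if __name__ == "__main__":
    junctions = {"http://junction.server.com": "/junction"}   # constructed
    request = {"Host": "www.example.com", "Accept": "*/*",
               "Accept-Encoding": "gzip", "iv-user": "sec_master"}  # constructed; iv-user is a spoof attempt
    print(filter_request_headers(request, extra=["accept-encoding"]))
    tag = '<form onsubmit="javascript:dosomething( http://junction.server.com )">'
    print(filter_event_handler(tag, junctions))
    print(resolve_against_base("mailto:bee@bee.com", "http://www.foo.com"))
    print(resolve_against_base("mailto:bee@bee.com", "http://www.foo.com", schemes=set()))
```

Passing schemes=set() reproduces the incorrect http://www.foo.com/mailto:bee@bee.com rewrite from the [filter-schemes] description, which is why the entry says not to delete default schemes.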
[filter-url] stanza

HTML_tag

Syntax: HTML_tag = URL_attribute

Description: List of HTML tag attributes that carry URLs, which the WebSEAL server filters in responses from junctioned servers. Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and attributes. When adding new entries, maintain alphabetical order.

Options:
HTML_tag  HTML tag.
URL_attribute  URL attribute.

Usage: This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.

Default value (default HTML tags and attributes):
A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION

Example: IMG = SRC

[flow-data] stanza

flow-data-enabled

Syntax: flow-data-enabled = {yes|no}

Description: The appliance can record statistical information about incoming WebSEAL requests. Use this parameter to enable or disable the recording of flow data statistics. If you set this parameter to yes, you can also use the flow-data-stats-interval parameter in the [flow-data] stanza to set the frequency for gathering statistics.

Note: You can configure the [user-agent] stanza to categorize the incoming user-agent requests and make the statistical data more useful. You can then view a statistical breakdown of all requests based on user-agent and junction.

Options:
yes  WebSEAL records statistics about incoming requests.
no   WebSEAL does not record statistics about incoming requests.

Usage: This stanza entry is optional.

Default value: no

Example: flow-data-enabled = no

flow-data-stats-interval

Syntax: flow-data-stats-interval = number_of_seconds

Description: This parameter determines how frequently the appliance collects flow data statistics. It specifies the statistics interval in seconds. At each interval, WebSEAL records statistical information about incoming requests. The default value of 600 records statistics every 10 minutes. To gather statistics at the specified interval, you must use the flow-data-enabled parameter, also in the [flow-data] stanza, to enable flow data statistics on the appliance.

Note: You can configure the [user-agent] stanza to categorize the incoming user-agent requests and make the statistical data more meaningful. You can then view a statistical breakdown of all requests based on user-agent and junction.

Options:
number_of_seconds  Specifies the interval, in seconds, that the appliance uses to collect flow data statistics.

Usage: This stanza entry is optional.

Default value: 600

Example: flow-data-stats-interval = 600

[forms] stanza

allow-empty-form-fields

Syntax: allow-empty-form-fields = {true|false}

Description: If a forms login request is received with either an empty user name or an empty password, WebSEAL returns the login form without stating an error. If you prefer that an error message is displayed with the returned login form, set this value to true. In this case, WebSEAL attempts to authenticate the user, and if the values have zero length, the registry returns the appropriate error.

Options:
true   An error message is displayed with the returned login form.
false  No error message is displayed with the returned login form.

Default value: false

Example: allow-empty-form-fields = false

forms-auth

Syntax: forms-auth = {none|http|https|both}

Description: Enables authentication using the Forms Authentication mechanism. When forms authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options:
{none|http|https|both}  Specifies which protocols are supported. The value both means both HTTP and HTTPS. A forms login submitted over HTTP carries the user name and password in clear text, so http and both should only be chosen where that exposure is acceptable.

Default value: none

Example: forms-auth = none
[gso-cache] stanza

gso-cache-enabled

Syntax: gso-cache-enabled = {yes|no}

Description: Enables or disables the Global Sign-On (GSO) cache.

Options:
yes  Enables the Global Sign-On (GSO) cache.
no   Disables the Global Sign-On (GSO) cache.

Default value: no

Example: gso-cache-enabled = no

gso-cache-entry-idle-timeout

Syntax: gso-cache-entry-idle-timeout = number_of_seconds

Description: Integer value that specifies the timeout, in seconds, for cache entries that are idle.

Options:
number_of_seconds  The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to inactivity. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage: This stanza entry is required, but is ignored when GSO caching is disabled.

Default value: 120

Example: gso-cache-entry-idle-timeout = 120

gso-cache-entry-lifetime

Syntax: gso-cache-entry-lifetime = number_of_seconds

Description: Integer value that specifies the lifetime, in seconds, of a GSO cache entry.

Options:
number_of_seconds  The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to their entry lifetime being exceeded. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage: This stanza entry is required, but is ignored when GSO caching is disabled.

Default value: 900

Example: gso-cache-entry-lifetime = 900

gso-cache-size

Syntax: gso-cache-size = number_of_entries

Description: Integer value indicating the number of entries allowed in the GSO cache.

Options:
number_of_entries  The value must be greater than or equal to zero (0). Zero means that there is no limit on the size of the GSO cache. This is not recommended. WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.

Usage: This stanza entry is required, but is ignored when GSO caching is disabled.

Default value: 1024

Example: gso-cache-size = 1024
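The three [gso-cache] limits interact: an entry survives only while it is within the idle timeout and the lifetime and the cache is within its size, and a value of 0 switches the corresponding check off. The Python model below is an added example, not WebSEAL code, built to try those interactions with the defaults above. Its cache key shape (WebSEAL user plus GSO target), its eviction order on overflow (oldest entry first) and the credential values are assumptions made for this example.

```python
"""Model of the [gso-cache] limits (added example, not WebSEAL code)."""
from collections import OrderedDict
from typing import Optional, Tuple

GsoKey = Tuple[str, str]        # (WebSEAL user, GSO target) - assumed key shape
GsoCred = Tuple[str, str]       # (junction user name, junction password)


class GsoCache:
    def __init__(self, enabled: bool = False, size: int = 1024,
                 idle_timeout: int = 120, lifetime: int = 900) -> None:
        # Defaults mirror the stanza defaults above; all three must be >= 0.
        if min(size, idle_timeout, lifetime) < 0:
            raise ValueError("gso-cache values must be >= 0")
        self.enabled = enabled
        self.size = size
        self.idle_timeout = idle_timeout
        self.lifetime = lifetime
        # key -> (credential, created_at, last_used_at), kept in insertion order
        self._entries: "OrderedDict[GsoKey, Tuple[GsoCred, int, int]]" = OrderedDict()

    def _expire(self, now: int) -> None:
        """Drop entries idle too long or older than the lifetime; 0 disables a check."""
        for key, (_, created, used) in list(self._entries.items()):
            idle_out = self.idle_timeout and now - used > self.idle_timeout
            life_out = self.lifetime and now - created > self.lifetime
            if idle_out or life_out:
                del self._entries[key]

    def put(self, key: GsoKey, cred: GsoCred, now: int) -> None:
        if not self.enabled:            # gso-cache-enabled = no: nothing is kept
            return
        self._expire(now)
        self._entries[key] = (cred, now, now)
        self._entries.move_to_end(key)
        # gso-cache-size = 0 means unlimited, which the reference advises against
        while self.size and len(self._entries) > self.size:
            self._entries.popitem(last=False)   # assumed: oldest entry goes first

    def get(self, key: GsoKey, now: int) -> Optional[GsoCred]:
        if not self.enabled:
            return None
        self._expire(now)
        item = self._entries.get(key)
        if item is None:
            return None
        cred, created, _ = item
        self._entries[key] = (cred, created, now)   # a hit restarts the idle clock only
        return cred

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    cache = GsoCache(enabled=True)                                   # defaults: 1024 / 120 / 900
    cache.put(("alice", "hr-app"), ("alice.hr", "pw-1"), now=0)      # constructed credential
    print(cache.get(("alice", "hr-app"), now=100))   # hit: idle 100 s
    print(cache.get(("alice", "hr-app"), now=221))   # miss: idle 121 s > 120
```

Because a hit refreshes only the idle clock, a credential that is used continuously still disappears once gso-cache-entry-lifetime has elapsed since it was cached, which bounds how long a changed junction password can keep being served from the cache.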
[header-names] stanza

header-data

Use the header-data stanza entry to add HTTP headers to the request that WebSEAL sends to junctioned applications.

Syntax: <header-data> = <header-name>

Description: Controls the addition of HTTP headers into the request that is passed to junctioned applications. To include the same <header-data> in different headers, specify multiple entries with the same <header-data> value.

Note: Do not include more than one entry with the same <header-name> value. The <header-name> values must be unique. If there is more than one entry for a particular <header-name>, WebSEAL processes the last entry for that <header-name>. Any preceding entries are disregarded.

Options:
<header-data>  The type of data that WebSEAL adds to the <header-name> header of the request. The valid values for this entry are as follows:
  server-name  The Security Access Manager authorization server name for the WebSEAL server. This name is the name of the authorization API administration server that is used in the server task commands.
  client-ip-v4  The IPv4 address of the client of this request.
  client-ip-v6  The IPv6 address of the client of this request.
  host-name  The host name of the WebSEAL server. WebSEAL obtains this host name from the web-host-name configuration entry in the [server] stanza if specified. Otherwise, WebSEAL returns the host name of the server itself.
  httphdr{<name>}  An HTTP header from the request as specified by the <name> field. If the HTTP header is not found in the request, WebSEAL uses the value of the tag-value-missing-attr-tag configuration entry in the [server] stanza as the value for the header.
<header-name>  The name of the HTTP header that holds the data. Valid strings are limited to the following characters: A-Z, a-z, 0-9, hyphen (-), or underscore (_).

Default value: server-name = iv_server_name

Example: server-name = iv_server_name

In this example, WebSEAL passes the following header and value to the junction if the WebSEAL instance is default-webseald-diamond.example.com:

iv_server_name:default-webseald-diamond.example.com

Other example entries:
client-ip-v4 = X-Forwarded-For
client-ip-v4 = X-Header
httphdr{host} = X-Forwarded-Host
host-name = X-Forwarded-Server

[http-transformations] stanza

resource-name

Syntax: resource-name = resource-file

Description: Defines HTTP transformation resources. This configuration information is necessary to support WebSEAL HTTP transformations. You can use WebSEAL HTTP transformations to modify HTTP requests and HTTP responses (excluding the HTTP body) using XSLT.

Note: To enable the HTTP transformations for a particular resource, attach a POP to the appropriate part of the object space. This POP must contain an extended attribute with the name HTTPTransformation and one of the following values:
- Request = resource-name
- Response = resource-name

For more details, see the information about HTTP transformations in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options:
resource-name  The name of the HTTP transformation resource.
resource-file  The name of the resource file.

Note: You must restart WebSEAL for changes to an XSL rules file to take effect.

Usage: This stanza entry is optional.

Comments: If an HTTP transformation rule modifies the URI or host header of the request, WebSEAL reprocesses the transformed request. This reprocessing ensures that the transformation does not bypass WebSEAL authorization. This behavior also means that administrators can define HTTP transformation rules to send requests to different junctions.

Note: WebSEAL performs reprocessing (and authorization) on the first HTTP transformation only. Transformed requests undergo HTTP transformation again if there is an appropriate POP attached to the associated object space. However, WebSEAL does not reprocess the new requests that result from these subsequent transformations, so a rule applied in that second pass can change the URI or host without a further authorization decision.

Default value: None.

Example: resourceone = resourceone.xsl

[ICAP:<resource>] stanza

The [ICAP:<resource>] stanza is used to define a single ICAP resource. The <resource> component of the stanza name must be changed to the actual name of the resource. To enable the ICAP resource for a particular object, a POP must be attached to the appropriate part of the object space. This POP must contain an extended attribute with the name ICAP, and a value that is equal to the name of the configured ICAP resource.

URL

Syntax: URL = URL string

Description: The complete URL on which the ICAP server is expecting requests.

Options:
URL  URL string.

Usage: Required.

Default value: None.

Example: URL = icap://icap.example.net:1344/filter?mode=strict

Note: In the example, icap is the protocol being used.

transaction

Syntax: transaction = {req|rsp}

Description: The transaction for which the resource is invoked.

Options:
req  The ICAP server is invoked on the HTTP request.
rsp  The ICAP server is invoked on the HTTP response.

Usage: Required.

Default value: None.

Example: transaction = req

timeout

Syntax: timeout = seconds

Description: The maximum length of time (in seconds) that WebSEAL waits for a response from the ICAP server.

Options:
timeout  The time, in seconds, that WebSEAL waits for a response from the ICAP server.

Usage: Required.

Default value: None.

Example: timeout = 120

[illegal-url-substrings] stanza

substring

Note: The [illegal-url-substrings] feature is deprecated. IBM might remove this feature in a subsequent release of the product.

Syntax: substring = string

Description: WebSEAL blocks HTTP requests containing any of the substrings specified by these entries. Used to help mitigate the problems of cross-site scripting. Because it is a literal substring match on the URL, it is a coarse control and not a substitute for output encoding in the junctioned application.

Options:
string  Character string.

Default value: <script

Example:
substring = <script
substring = <applet
substring = <embed

[interfaces] stanza

interface_name

Syntax: interface_name = property=value[;property=value...]

Description: This stanza is used to define additional interfaces on which this WebSEAL instance can receive requests. A network interface is defined as the combined set of values for a specific group of properties that include the HTTP or HTTPS port setting, IP address, worker threads setting, and certificate handling setting.
Options:
property  Interface property. Can be selected from:
  network-interface=<ipaddress>
  http-port=<port>|"disabled"
  https-port=<port>|"disabled"
  certificate-label=<keyfilelabel>
  accept-client-certs="never"|"required"|"optional"|"prompt_as_needed"
  worker-threads=<count>|"default"
value  Value of the property.

Default property values, if not present, are:
  network-interface=0.0.0.0
  http-port="disabled"
  https-port="disabled"
  certificate-label= (uses the key marked as default in the key file)
  accept-client-certs="never"
  worker-threads="default"

Usage: Entries in this stanza are optional.

Default value: None.

Example (entered as one line):
support = network-interface=9.0.0.8;https-port=444;certificate-label=ws6;worker-threads=16

[itim] stanza

This stanza contains the configuration options for the IBM Security Identity Manager Password Synchronization Plug-in. The Password Synchronization Plug-in synchronizes user passwords from IBM Security Access Manager for Web to IBM Security Identity Manager, previously known as IBM Tivoli Identity Manager. For more information about this plug-in, see the Password Synchronization Plug-in for IBM Security Access Manager Installation and Configuration Guide, which you can find in the IBM Security Identity Manager Information Center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm

is-enabled

Syntax: is-enabled = {true|false}

Description: Determines whether the Password Synchronization Plug-in for IBM Security Identity Manager is enabled.

Options:
true   Enables the Password Synchronization Plug-in.
false  Disables the Password Synchronization Plug-in.

Usage: This stanza entry is optional.

Default value: false

Example: is-enabled = false

itim-server-name

Syntax: itim-server-name = <itim_server>

Description: Specifies the host name or IP address of the server that is running IBM Security Identity Manager.

Note: In a WebSphere Application Server cluster environment, you must configure SSL for the IBM HTTP Server. In a WebSphere Application Server single-server environment, you do not need to configure SSL for the IBM HTTP Server.

Options:
<itim_server>  Specifies the host name or IP address of the IBM Security Identity Manager server that communicates with IBM Security Access Manager for Web.

Usage: This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value: None.

Example: itim-server-name = identitymgr01.ibm.com

itim-servlet-context

Syntax: itim-servlet-context = <directory_path>

Description: Indicates the password synchronization context root on the application server.

Options:
<directory_path>  Specifies the directory path for the password synchronization context root on the application server.

Usage: This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value: /passwordsynch/synch

Example: itim-servlet-context = /passwordsynch/synch

keydatabase-file

Syntax: keydatabase-file = <file_name>

Description: Specifies the name of the key database file.

Options:
<file_name>  The name of the key database file.

Usage: This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value: None.

Example: keydatabase-file = revpwdsync.kdb

keydatabase-password

Syntax: keydatabase-password = <db_password>

Description: Specifies the password for the key database in the keydatabase-file.

Note: The IBM Security Web Gateway Appliance uses stash files to manage the passwords for key files. As a result, key file passwords are not available to the administrator of the appliance. If you do not know the password for the key database file, you can use the keydatabase-password-file entry to specify the name of the password stash file instead. If you configure the keydatabase-password-file entry, you can leave the keydatabase-password entry unconfigured. The Password Synchronization Plug-in requires knowledge of the database password. Therefore, if you do not configure the keydatabase-password-file entry, you must configure the keydatabase-password entry. To complete this configuration, follow this process:
1. Create the key file externally to the appliance. Use a known password to generate the new key file.
2. Import the key file on to the appliance.
3. Configure the keydatabase-password configuration entry with the known password for the Password Synchronization Plug-in.

Options:
<db_password>  Specifies the password for the key database file.

Usage: If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
- keydatabase-password
- keydatabase-password-file

Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.

Default value: None.

Example: keydatabase-password = mypassword1

keydatabase-password-file

Syntax: keydatabase-password-file = <password_stash_file>

Description: Specifies the name of the stash file that stores the password for the key database.

Options:
<password_stash_file>  Specifies the name of the stash file that stores the password for the key database.
If the is_enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password: v keydatabase-password v keydatabase-password-file Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password. None. keydatabase-password-file = dbpassword.sth principal-name principal-name = <user_name> Specifies an IBM Security Identity Manager user ID that has the necessary permissions to complete the check and synchronization operations. Note: Do t use the ITIM manager account for this purpose. Create a separate account on the IBM Security Identity Manager server with the same permissions. <user_name> Specifies the name of the IBM Security Identity Manager user that the Password Synchronization Plug-in can use to request synchronization operations. This stanza entry is required when the is_enabled configuration entry in the [itim] stanza is set to true. None. principal-name = admin_usera principal-password principal-password = <user_password> 116 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
Specifies the password of the IBM Security Identity Manager user that is specified by principal-name. <user_password> Specifies the password for the IBM Security Identity Manager account. This stanza entry is required when the is_enabled configuration entry in the [itim] stanza is set to true. None. principal-password = mypassword1 service-password-dn service-password-dn = <service_pseudo_dn> Defines the pseudo distinguished name of the service that issues the password synchronization request. The Password Synchronization Plug-in uses the service-password-dn pseudo-distinguished name for requests that use the standard password authentication method. If this configuration entry is specified, it overrides service-source-dn when using the password authentication method. Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cant find an account for the specified services, it returns an error message. Each pseudo-distinguished name is a comma-separated list of the following attributes: v v The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=tam 6.0 Service. The o attribute of the organization to which the service belongs. For example, o=international Business Machines. v The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=ibm,dc=com. The pseudo-distinguished name that is formed from these example values is: erservicename=tam 6.0 Service,o=International Business Machines, ou=ibm,dc=com. Stanza reference 117
<service_pseudo_dn> Specifies the service pseudo distinguished name for the standard password authentication method. If the is_enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries: v service-source-dn v service-password-dn v service-token-card-dn None. service-password-dn = erservicename=isam Employees Service,o=IBM,ou=IBM,dc=com service-source-dn service-source-dn = <service_pseudo_dn> Defines the pseudo distinguished name of the service that issues the password synchronization request. The service-source-dn is for the pseudo-distinguished name for all authentication methods. Note: You can specify more than one pseudo-distinguished name in the value of this configuration entry. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cant find an account for the specified services, it returns an error message. Each pseudo-distinguished name is a comma-separated list of the following attributes: v v The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=tam 6.0 Service. The o attribute of the organization to which the service belongs. For example, o=international Business Machines. v The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=ibm,dc=com. The pseudo-distinguished name that is formed from these example values is: erservicename=tam 6.0 Service,o=International Business Machines, ou=ibm,dc=com. 118 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
<service_pseudo_dn> Specifies the service pseudo distinguished name for all authentication methods. If the is_enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries: v service-source-dn v service-password-dn v service-token-card-dn None. service-source-dn = erservicename=isam Employees Service,o=IBM,ou=IBM, dc=com;erservicename=tam Customers Service,o=IBM,ou=IBM,dc=com service-token-card-dn service-token-card-dn = <service_pseudo_dn> Defines the pseudo distinguished name of the service that issues the password synchronization request. The Password Synchronization Plug-in uses the service-token-card-dn pseudo-distinguished name for requests that use the token card authentication method. If this configuration entry is specified, it overrides service-source-dn when using the token card authentication method. Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;). The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cant find an account for the specified services, it returns an error message. Each pseudo-distinguished name is a comma-separated list of the following attributes: v v v The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=tam 6.0 Service. The o attribute of the organization to which the service belongs. For example, o=international Business Machines. The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=ibm,dc=com. Stanza reference 119
The pseudo-distinguished name that is formed from these example values is: erservicename=tam 6.0 Service,o=International Business Machines,ou=ibm,dc=com
<service_pseudo_dn>
Specifies the service pseudo distinguished name for the token card authentication method.
Usage: If the is_enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
- service-source-dn
- service-password-dn
- service-token-card-dn
Default value: None.
Example: service-token-card-dn = erservicename=isam Employees Service,o=IBM,ou=IBM,dc=com

servlet-port

Syntax: servlet-port = <port_number>
Description: Specifies the port number for communicating with the IBM Security Identity Manager server that is specified by the itim-server-name configuration entry. The default HTTPS port is 9443 for a single-server configuration and 443 for an IBM Security Identity Manager cluster with HTTP over SSL configured.
<port_number>
Specifies the port number for communication with the IBM Security Identity Manager server.
Usage: This stanza entry is required when the is_enabled configuration entry in the [itim] stanza is set to true.
Default value: 9443
Example: servlet-port = 9443
[jdb-cmd:replace] stanza

jct-id = search-attr-value replace-attr-value

Syntax: jct-id = search-attr-value replace-attr-value
Description: Defines the mapping rules for the jdb import command. These mapping rules are applied to each attribute in the junction archive file before the new junction database is imported.
jct-id
Refers to the junction point for a standard junction, including the leading / (slash), or the virtual host label for a virtual host junction.
search-attr-value
Specifies the attribute value in the junction definition that you want to search for.
replace-attr-value
Specifies the new attribute value that replaces each matching search-attr-value in the junction definition.
Usage: This stanza entry is not required.
Default value: None.
Example: /test-jct = webseal.au.ibm.com webseal.gc.au.ibm.com

[junction] stanza

allow-backend-domain-cookies

Syntax: allow-backend-domain-cookies = {yes|no}
Description: Indicates whether WebSEAL is allowed to send domain cookies from a back-end server to a client. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options:
yes  WebSEAL sends domain cookies from a back-end server to the client.
no   WebSEAL does not send domain cookies from a back-end server to the client.
Default value: no
Example: allow-backend-domain-cookies = no

basicauth-dummy-passwd

Syntax: basicauth-dummy-passwd = dummy_password
Description: Global password used when supplying basic authentication data over junctions that were created with the -b supply argument. Because every user's request carries this same password, the back-end server must trust the junction itself (for example, through mutually authenticated SSL) rather than the supplied password.
dummy_password
Global password used when supplying basic authentication data over junctions that were created with the -b supply argument. Passwords must consist of ASCII characters.
Default value: dummy
Example: basicauth-dummy-passwd = dummy

crl-ldap-server

Syntax: crl-ldap-server = server_name
Description: Specifies the server to be contacted to obtain Certificate Revocation Lists (CRLs).
server_name
This parameter can be set to one of two types of values:
1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRLs) during authentication across SSL junctions. If this form is used, you might also need to set the following parameters:
   - crl-ldap-server-port
   - crl-ldap-user
   - crl-ldap-user-password
2. The literal string URI. In the case where no direct LDAP server is available, this allows GSKit to obtain revocation information from the LDAP or HTTP servers that the CA specifies in the CRL Distribution Points (CDP) extension of the certificate.
Note: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.
Usage: This stanza entry is optional.
Default value: None.
Example: crl-ldap-server = diamond.example.com

crl-ldap-server-port

Syntax: crl-ldap-server-port = port_number
Description: Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during authentication across SSL junctions.
port_number
Port number for communication with the LDAP server specified in crl-ldap-server.
Usage: This stanza entry is optional. When crl-ldap-server is specified, this stanza entry is required.
Default value: None.
Example: crl-ldap-server-port = 389

crl-ldap-user

Syntax: crl-ldap-user = user_dn
Description: Fully qualified distinguished name (DN) of an LDAP user who has permission to retrieve the Certificate Revocation List.
user_dn
Fully qualified distinguished name (DN) of an LDAP user who has permission to retrieve the Certificate Revocation List. A null value for crl-ldap-user indicates that the SSL authenticator binds to the LDAP server anonymously.
Usage: This stanza entry is optional.
Default value: None.
Example: crl-ldap-user = user_dn

crl-ldap-user-password

Syntax: crl-ldap-user-password = password
Description: The password for the LDAP user specified in the crl-ldap-user stanza entry. The password is stored in plain text in the configuration file, so give this LDAP account no permission beyond reading the CRL.
password
The password for the LDAP user specified in the crl-ldap-user stanza entry.
Usage: This stanza entry is optional. When crl-ldap-user is specified, this stanza entry is required.
Default value: None.
Example: crl-ldap-user-password = mypassw0rd

disable-ssl-v2

Syntax: disable-ssl-v2 = {yes|no}
Description: Disables support for SSL Version 2 for junction connections. Support for SSL v2 is disabled by default.
Options:
yes  Support for SSL v2 is disabled.
no   Support for SSL v2 is enabled.
Usage: This stanza entry is optional. When not specified, the default is yes. The WebSEAL configuration sets this value.
Default value: yes
Example: disable-ssl-v2 = yes

disable-ssl-v3

Syntax: disable-ssl-v3 = {yes|no}
Description: Disables support for SSL Version 3 for junction connections. Support for SSL v3 is enabled by default. SSL 3.0 is obsolete; set this entry to yes unless a back-end server can negotiate nothing newer.
Options:
yes  Support for SSL v3 is disabled.
no   Support for SSL v3 is enabled.
Usage: This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.
Default value: no
Example: disable-ssl-v3 = no

disable-tls-v1

Syntax: disable-tls-v1 = {yes|no}
Description: Disables support for TLS Version 1.0 for junction connections. Support for TLS v1.0 is enabled by default. TLS 1.0 is deprecated; set this entry to yes where every junctioned server supports TLS 1.1 or later.
Options:
yes  Support for TLS v1.0 is disabled.
no   Support for TLS v1.0 is enabled.
Usage: This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.
Default value: no
Example: disable-tls-v1 = no

disable-tls-v11

Syntax: disable-tls-v11 = {yes|no}
Description: Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1 for junction connections. Support for TLS v1.1 is enabled by default.
Options:
yes  Disables support for TLS version 1.1.
no   Enables support for TLS version 1.1.
Usage: This stanza entry is optional. If this entry is not specified, the default is no.
Default value: no
Example: disable-tls-v11 = no

disable-tls-v12

Syntax: disable-tls-v12 = {yes|no}
Description: Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2 for junction connections. Support for TLS v1.2 is enabled by default.
Options:
yes  Disables support for TLS version 1.2.
no   Enables support for TLS version 1.2.
Usage: This stanza entry is optional. If this entry is not specified, the default is no.
Default value: no
Example: disable-tls-v12 = no

dont-reprocess-jct-404s

Syntax: dont-reprocess-jct-404s = {yes|no}
Description: If a resource cannot be found on a back-end server, that server returns an HTTP 404 error. The dont-reprocess-jct-404s stanza entry controls whether WebSEAL processes the request again by prepending the junction name to the URL.
You should never need to enable this stanza entry if you follow this best practice for junctions: the junction name should not match any directory name used in the web space of the back-end server if HTML pages from that server contain programs (such as JavaScript or applets) with server-relative URLs to that directory.
The following scenario can occur when this best practice is not followed:
1. A resource is located in a subdirectory on the back-end server that has the same name as the junction: /jct/page.html.
2. A page received by the client from this back-end server contains the following URL: /jct/page.html
3. When the link is followed, WebSEAL can immediately process the request because it recognizes what it takes to be the junction name in the URL. No configured URL modification technique is required.
4. When the request is forwarded to the back-end server, the junction name (/jct) is removed from the URL. The resource (/page.html) is not found at the root of the back-end server file system. The server returns a 404 error.
5. If WebSEAL is configured with dont-reprocess-jct-404s = no, it reprocesses the URL and prepends the junction name to the original URL: /jct/jct/page.html
6. Now the resource is successfully located at /jct/page.html on the back-end server.
Note:
- The default behavior in WebSEAL is to reprocess a request URL after an HTTP 404 error is returned from the back-end server. You can set the value of dont-reprocess-jct-404s to yes to override this default behavior.
- If the reprocess-root-jct-404s entry (also in the [junction] stanza) is set to yes, then root junction resource requests that result in an HTTP 404 error are reprocessed regardless of the setting of this dont-reprocess-jct-404s stanza entry.
Options:
yes  When the back-end server returns an HTTP 404 error, do not reprocess the request URL.
no   When the back-end server returns an HTTP 404 error, reprocess the request URL by prepending the junction name to the existing URL.
Default value: The default value in the template configuration file is no.
Example: dont-reprocess-jct-404s = no

dynamic-addresses

Syntax: dynamic-addresses = {yes|no}
Description: Indicates when the junction server host name is resolved to its corresponding IP address and used in communication with the junction server. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options:
yes  The junction server host name is resolved to its corresponding IP address immediately before any communication with the junction server.
no   The junction server host name is resolved to its corresponding IP address once, and that address is used for subsequent communication with the junction server.
Default value: no
Example: dynamic-addresses = no

http-timeout

Syntax: http-timeout = number_of_seconds
Description: Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
number_of_seconds
Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.
Default value: 120
Example: http-timeout = 120
https-timeout

Syntax: https-timeout = number_of_seconds
Description: Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Sockets Layer (SSL) junction. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
number_of_seconds
Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Sockets Layer (SSL) junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.
Default value: 120
Example: https-timeout = 120

insert-client-real-ip-for-option-r

Syntax: insert-client-real-ip-for-option-r = {yes|no}
Description: Determines whether the value passed in the header to junctions created with the -r option is the current IP address of the client or the address cached in the credential at authentication time.
Options:
yes  Use the current IP address of the client for the value passed in the header to junctions created with the -r option.
no   Use the client IP address cached in the credential at authentication time for the value passed in the header to junctions created with the -r option.
Example: insert-client-real-ip-for-option-r = yes

io-buffer-size

Syntax: io-buffer-size = number_of_bytes
Description: Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.
number_of_bytes
Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction. The minimum value is 1. WebSEAL does not impose a maximum value.
A very small value (for instance, 10 bytes) can hurt performance by causing very frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions. However, the low-level I/O functions may have their own internal buffers, such as the TCP send and receive buffers. Once io-buffer-size exceeds the size of those buffers (which are typically not large), there is no longer any performance improvement, because those functions only read part of the buffer at a time.
Reasonable values for io-buffer-size range between 1 KB and 8 KB. Values smaller than this range cause the low-level I/O functions to be called too frequently. Values larger than this range waste memory: a 2 MB I/O buffer size uses 4 MB for each worker thread communicating with the junctioned server, since there is both an input and an output buffer.
Default value: 4096
Example: io-buffer-size = 4096

jct-cert-keyfile

Syntax: jct-cert-keyfile = file_name
Description: WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile parameter specifies the junction certificate keyfile. If this option is enabled, this is the keyfile used for CA and client certificates when negotiating SSL sessions with junctions.
Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the pdjct.kdb keyfile (and optional stash file) using ikeyman, and uncomment the entries jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.
file_name
The name of the optional, separate junction certificate keyfile.
Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.
Usage: This stanza entry is optional.
Default value: pdjct.kdb
Example: jct-cert-keyfile = pdjct.kdb

jct-cert-keyfile-stash

Syntax: jct-cert-keyfile-stash = file_name
Description: WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile-stash parameter specifies the stash file for the optional, separate junction certificate database.
Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the pdjct.kdb keyfile (and optional stash file) using ikeyman, and uncomment the entries jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.
file_name
The name of the stash file for the optional, separate junction certificate database.
Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.
Usage: This stanza entry is optional.
Default value: pdjct.sth
Example: jct-cert-keyfile-stash = pdjct.sth

jct-cert-keyfile-pwd

Syntax: jct-cert-keyfile-pwd = password
Description: WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by jct-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.
Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the /var/pdweb/www-default/certs/pdjct.kdb keyfile (and optional stash file) using ikeyman, and uncomment the entries jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.
password
Password used to protect private keys in the optional, separate junction key certificate database.
Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.
Usage: This stanza entry is optional.
Default value: none
Example: jct-cert-keyfile-pwd = J73R45huu
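The disable-ssl-v2, disable-ssl-v3 and disable-tls-v1 entries, the [junction:{junction_name}] override mechanism, and the usage rules for jct-cert-keyfile-pwd and the crl-ldap-* entries above can be checked mechanically before a configuration is deployed. The following Python script is an added example, not IBM's code and not part of this reference: it parses a constructed stanza-file fragment, resolves the per-junction override the way the text describes (junction-specific value first, then the global [junction] value, then the documented default), and reports junctions that still allow SSL 2.0, SSL 3.0 or TLS 1.0, a key-database password stored in plain text, and required companion entries that are missing. The sample configuration text and the junction names /app and /legacy are constructed for the example; the protocol defaults are the ones documented above.

```python
"""Added example, not IBM code: audit junction TLS and key-database entries in a
WebSEAL-style stanza file.  SAMPLE_CONF and the junction names are constructed."""
import re

# Constructed sample: global [junction] values plus one per-junction override.
SAMPLE_CONF = """
[junction]
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no
disable-tls-v11 = no
disable-tls-v12 = no
jct-cert-keyfile = pdjct.kdb
jct-cert-keyfile-pwd = J73R45huu
crl-ldap-server = diamond.example.com
crl-ldap-user = cn=crlreader,o=example

[junction:/legacy]
disable-ssl-v3 = yes
disable-tls-v1 = no
"""

# Defaults as documented for the [junction] stanza.
PROTOCOL_DEFAULTS = {
    "disable-ssl-v2": "yes",
    "disable-ssl-v3": "no",
    "disable-tls-v1": "no",
    "disable-tls-v11": "no",
    "disable-tls-v12": "no",
}


def parse_stanzas(text):
    """Group 'key = value' lines under their [stanza] heading.
    Returns {stanza: {key: value}}; a repeated key keeps the last value."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        heading = re.match(r"^\[(.+)\]$", line)
        if heading:
            current = heading.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only: DNs contain '='
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective(stanzas, junction, key, default):
    """Value from [junction:<name>] if present, else the global [junction] value, else default."""
    override = stanzas.get("junction:" + junction, {})
    if key in override:
        return override[key]
    return stanzas.get("junction", {}).get(key, default)


def audit_junction(stanzas, junction):
    """Findings for one junction's protocol posture."""
    findings = []
    for key in ("disable-ssl-v2", "disable-ssl-v3", "disable-tls-v1"):
        if effective(stanzas, junction, key, PROTOCOL_DEFAULTS[key]).lower() != "yes":
            findings.append(f"{junction}: {key} is not 'yes' (legacy protocol enabled)")
    if effective(stanzas, junction, "disable-tls-v12", PROTOCOL_DEFAULTS["disable-tls-v12"]).lower() == "yes":
        findings.append(f"{junction}: disable-tls-v12 = yes leaves no current protocol version")
    return findings


def audit_global(stanzas):
    """Findings that apply to the whole [junction] stanza."""
    g = stanzas.get("junction", {})
    findings = []
    if "jct-cert-keyfile-pwd" in g:
        findings.append("jct-cert-keyfile-pwd stores the key database password in plain text; use jct-cert-keyfile-stash")
    if "jct-cert-keyfile" in g and "jct-cert-keyfile-pwd" not in g and "jct-cert-keyfile-stash" not in g:
        findings.append("jct-cert-keyfile is set without jct-cert-keyfile-pwd or jct-cert-keyfile-stash")
    if "crl-ldap-server" in g and "crl-ldap-server-port" not in g:
        findings.append("crl-ldap-server is set but the required crl-ldap-server-port is missing")
    if "crl-ldap-user" in g and "crl-ldap-user-password" not in g:
        findings.append("crl-ldap-user is set but the required crl-ldap-user-password is missing")
    return findings


def audit(text, junctions):
    """All findings for a configuration text and the junctions to check."""
    stanzas = parse_stanzas(text)
    findings = audit_global(stanzas)
    for junction in junctions:
        findings.extend(audit_junction(stanzas, junction))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, ["/app", "/legacy"]):
        print(finding)
```

Running it against the sample reports six findings: three global ones (plain-text key password, missing crl-ldap-server-port, missing crl-ldap-user-password), two for /app (SSL 3.0 and TLS 1.0 still enabled) and one for /legacy, whose override disables SSL 3.0 but not TLS 1.0.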
jct-ocsp-enable

Syntax: jct-ocsp-enable = {yes|no}
Description: Enables Online Certificate Status Protocol (OCSP) checking of the revocation status of certificates supplied by a junction server, using the OCSP URL embedded in the certificate in an Authority Information Access (AIA) extension.
Options:
yes  Enable OCSP to check the revocation status of certificates supplied by junction servers.
no   Disable OCSP checking of certificates supplied by junction servers.
Usage: This stanza entry is optional.
Note: This option can be used as an alternative to, or in conjunction with, the jct-ocsp-url option.
Default value: no
Example: jct-ocsp-enable = no

jct-ocsp-max-response-size

Syntax: jct-ocsp-max-response-size = number_of_bytes
Description: Sets the maximum response size (in bytes) that is accepted from an OCSP responder. This limit helps protect against a denial-of-service attack.
number_of_bytes
Maximum response size, in bytes.
Usage: This stanza entry is optional.
Default value: 20480
Example: jct-ocsp-max-response-size = 20480
jct-ocsp-nonce-check-enable

Syntax: jct-ocsp-nonce-check-enable = {yes|no}
Description: Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP response validation to fail if there is a caching proxy between WebSEAL and the OCSP responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.
Options:
yes  WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.
no   WebSEAL does not check the nonce in the OCSP response.
Usage: This stanza entry is optional.
Default value: no
Example: jct-ocsp-nonce-check-enable = no

jct-ocsp-nonce-generation-enable

Syntax: jct-ocsp-nonce-generation-enable = {yes|no}
Description: Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks against WebSEAL, but it may cause an excessive load on an OCSP responder because the responder cannot use cached responses and must sign each response.
Options:
yes  WebSEAL generates a nonce as part of the OCSP request.
no   WebSEAL does not generate a nonce as part of the OCSP request.
Usage: This stanza entry is optional.
Default value: no
Example: jct-ocsp-nonce-generation-enable = no

jct-ocsp-proxy-server-name

Syntax: jct-ocsp-proxy-server-name = <proxy host name>
Description: Specifies the name of the proxy server that provides access to the OCSP responder.
proxy host name
Fully qualified name of the proxy server.
Usage: This stanza entry is optional.
Default value: None
Example: jct-ocsp-proxy-server-name = proxy.ibm.com

jct-ocsp-proxy-server-port

Syntax: jct-ocsp-proxy-server-port = <proxy host port number>
Description: Specifies the port number of the proxy server that provides access to the OCSP responder.
proxy host port number
Port number used by the proxy server to route OCSP requests and responses.
Usage: This stanza entry is optional.
Default value: None
Example: jct-ocsp-proxy-server-port = 8888
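The jct-ocsp-* entries of this stanza (jct-ocsp-enable, the two nonce options, jct-ocsp-max-response-size, jct-ocsp-url and jct-undetermined-revocation-cert-action) interact in one decision flow: the configured responder is tried first, the AIA responder only as a fallback when jct-ocsp-enable = yes, a nonce mismatch or an oversized response leaves the status undetermined, and the undetermined action then decides whether the junction certificate is accepted. The following Python model is an added example, not IBM code and not WebSEAL's implementation: responders are constructed callables that return a status, the nonce they echo and a response size, so no OCSP encoding or network access is involved. The certificate dictionaries, the responder names and the log message wording are invented for the example.

```python
"""Added example, not IBM code: a model of the revocation decision flow described by
the jct-ocsp-* and jct-undetermined-revocation-cert-action entries.  Responders are
constructed callables; certificates are plain dictionaries."""
import os


class OcspPolicy:
    """Holds the configuration values the decision depends on."""

    def __init__(self, url=None, enable="no", nonce_generation="no", nonce_check="no",
                 max_response_size=20480, undetermined_action="log"):
        self.url = url                                  # jct-ocsp-url
        self.enable = enable == "yes"                   # jct-ocsp-enable (AIA fallback)
        self.nonce_check = nonce_check == "yes"         # jct-ocsp-nonce-check-enable
        # Documented rule: enabling the nonce check automatically enables generation.
        self.nonce_generation = nonce_generation == "yes" or self.nonce_check
        self.max_response_size = max_response_size      # jct-ocsp-max-response-size
        self.undetermined_action = undetermined_action  # ignore | log | reject


def query(policy, responder, cert, log):
    """One OCSP exchange.  responder(cert, nonce) -> (status, echoed_nonce, size_in_bytes).
    Returns 'good', 'revoked' or 'unknown'."""
    nonce = os.urandom(16) if policy.nonce_generation else None
    status, echoed, size = responder(cert, nonce)
    if size > policy.max_response_size:
        log.append(f"response of {size} bytes exceeds jct-ocsp-max-response-size")
        return "unknown"
    if policy.nonce_check and echoed != nonce:
        log.append("nonce mismatch: response is not for this request (cached or replayed)")
        return "unknown"
    return status


def check_revocation(policy, cert, url_responder, aia_responder, log):
    """True if the junction certificate may be used.
    Order: the configured jct-ocsp-url responder first; if the status is still
    undetermined and jct-ocsp-enable = yes, the responder named in the certificate's
    AIA extension; then jct-undetermined-revocation-cert-action decides."""
    status = "unknown"
    if policy.url is not None:
        status = query(policy, url_responder, cert, log)
    if status == "unknown" and policy.enable and cert.get("aia"):
        status = query(policy, aia_responder, cert, log)
    if status == "good":
        return True
    if status == "revoked":
        log.append(f"{cert['subject']}: certificate revoked")
        return False
    if policy.undetermined_action == "ignore":
        return True
    log.append(f"{cert['subject']}: revocation status undetermined")
    return policy.undetermined_action != "reject"


# Constructed certificates and responder behaviours.
CERT_WITH_AIA = {"subject": "backend.example.com", "aia": "http://ocsp.example.com/"}
CERT_NO_AIA = {"subject": "legacy.example.com", "aia": None}


def honest_responder(cert, nonce):
    return "good", nonce, 1200


def caching_proxy_responder(cert, nonce):
    # A caching proxy replays an earlier signed response, so the nonce is not echoed.
    return "good", None, 1200


def silent_responder(cert, nonce):
    return "unknown", nonce, 300


def oversized_responder(cert, nonce):
    return "good", nonce, 5000000


if __name__ == "__main__":
    log = []
    policy = OcspPolicy(url="http://responder.ibm.com/", enable="yes", nonce_check="yes")
    print(check_revocation(policy, CERT_WITH_AIA, caching_proxy_responder, honest_responder, log), log)
```

The interesting case is the one the nonce-check description warns about: with a caching proxy in front of the configured responder and jct-ocsp-nonce-check-enable = yes, the first answer is rejected as a replay, and only a certificate that carries an AIA extension (and a policy with jct-ocsp-enable = yes) gets a second chance; a certificate without AIA ends up in the undetermined branch, where reject is the only value that fails closed.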
jct-ocsp-url

Syntax: jct-ocsp-url = <OCSP Responder URL>
Description: Specifies the URL of the OCSP responder. If a URL is provided, WebSEAL uses OCSP for all revocation status checking regardless of whether the certificate has an Authority Information Access (AIA) extension, which means that OCSP works with existing certificates. WebSEAL first tries the OCSP responder configured by this entry rather than the location specified by an AIA extension. If the revocation status is undetermined, and if jct-ocsp-enable is set to yes, then WebSEAL tries to obtain the revocation status using the access method in the AIA extension.
OCSP Responder URL
URL of the OCSP responder.
Usage: This stanza entry is optional.
Default value: None
Example: jct-ocsp-url = http://responder.ibm.com/

jct-ssl-reneg-warning-rate

Syntax: jct-ssl-reneg-warning-rate = number_renegotiations/minute
Description: When this option is set to a value greater than zero (0), WebSEAL produces a warning message if the SSL session renegotiation rate between junction servers and WebSEAL reaches this level or greater. The value is specified as the number of renegotiations per minute.
number_renegotiations/minute
Rate of session renegotiations between junction servers and WebSEAL.
Default value: 0
Example: jct-ssl-reneg-warning-rate = 0

jct-undetermined-revocation-cert-action

Syntax: jct-undetermined-revocation-cert-action = {ignore|log|reject}
Description: Controls the action that WebSEAL takes if OCSP or CRL checking is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate value for this entry should be provided by the owner of the OCSP or CRL responder.
Options:
ignore  WebSEAL ignores the undetermined revocation status and permits use of the certificate.
log     WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.
reject  WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.
Usage: This stanza entry is optional.
Default value: log
Example: jct-undetermined-revocation-cert-action = log

jmt-map

Syntax: jmt-map = file_name
Description: The name of the file that contains the Junction-to-Request Mapping Table (JMT). The administrator can rename this file if necessary. The file name can be any file name valid for the operating system file system.
file_name
Name of the file that contains the Junction-to-Request Mapping Table (JMT).
Default value: jmt.conf
Example: jmt-map = jmt.conf

managed-cookies-list

Syntax: managed-cookies-list = list
Description: The managed-cookies-list contains a comma-separated list of patterns that are matched against the names of cookies returned by junctioned servers. Cookies with names that match the patterns in this list are stored in the WebSEAL cookie jar and not returned to the client. Cookies that do not match these patterns are returned to the client browser. The WebSEAL cookie jar is turned off by not specifying any cookies in the managed-cookies-list. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
list
A comma-separated list of pattern-matched cookie names.
Usage: This stanza entry is optional. This option is empty by default.
Example: managed-cookies-list = JSESS*,Ltpa*

mangle-domain-cookies

Syntax: mangle-domain-cookies = {yes|no}
Description: Enables or disables WebSEAL domain cookie name mangling.
Note:
1. This option enables domain cookie mangling on a server-wide basis. The option cannot be configured on a per-junction basis.
2. This option is relevant only for junctions that use a reprocessing solution such as -j or JMT.
3. This option does not affect cookies listed in preserve-cookie-names.
Options:
yes  Enables WebSEAL to mangle the names of domain cookies. Information identifying the junction is added to the cookie name, and the cookie is associated only with that junction. If mangle-path-into-cookie-name is set to yes, then the back-end path attribute information is also mangled into the cookie name.
no   WebSEAL does not mangle the names of domain cookies.
Usage: This stanza entry is optional. This option is disabled by default.
Default value: no
Example: mangle-domain-cookies = no

match-vhj-first

Syntax: match-vhj-first = {yes|no}
Description: Determines the order in which WebSEAL searches the standard and virtual host junction tables for a request. WebSEAL manages separate junction tables for standard and virtual host junctions. When a request comes in, WebSEAL searches the virtual host junction table first. If WebSEAL does not find a match, it searches the table that manages standard junctions. The match-vhj-first configuration entry can reverse the search order so that WebSEAL searches the standard junction table before searching the virtual host junction table.
Options:
yes  WebSEAL searches the virtual host junction table first.
no   WebSEAL searches the standard junction table first.
Usage: This stanza entry is not optional.
Default value: yes
Example: The following example tells WebSEAL to search the standard junction table first:
match-vhj-first = no

max-cached-persistent-connections

Syntax: max-cached-persistent-connections = number_of_connections
Description: The maximum number of persistent connections that are stored in the cache for future use. Connections with junctioned web servers are cached for future use unless the configured limit (as defined by this configuration entry) is reached, or unless a Connection: close header is received in the HTTP response.
Note: If this setting is enabled, different user sessions can use the same connection when processing junction requests; the back-end server must therefore not tie any per-connection state to a user. To disable the persistent connection functionality, specify a max-cached-persistent-connections value of zero (0).
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
number_of_connections
Integer value indicating the maximum number of persistent connections that are stored in the cache for future use. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.
Default value: 0
Example: max-cached-persistent-connections = 0
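The cookie-handling entries of this stanza, managed-cookies-list and mangle-domain-cookies above together with pass-http-only-cookie-attr and reset-cookies-list, all operate on the names and attributes of the Set-Cookie headers a junctioned server returns. The following Python class is an added example, not IBM code and not WebSEAL's implementation: it applies comma-separated shell-style patterns written the way managed-cookies-list = JSESS*,Ltpa* is, withholds matching cookies into a cookie jar keyed by junction, strips the HttpOnly attribute when pass-http-only-cookie-attr = no, prefixes domain cookies with a junction identifier when mangling is on, and selects the cookies that reset-cookies-list would expire at logout. The exact form of the mangled name (AMWEBJCT!<URL-encoded junction>!<name>), the preserve-cookie-names handling and the sample headers are assumptions of this example.

```python
"""Added example, not IBM code: cookie handling as described by managed-cookies-list,
pass-http-only-cookie-attr, mangle-domain-cookies and reset-cookies-list.
The Set-Cookie headers and the mangled-name format are constructed for this example."""
from fnmatch import fnmatchcase
from urllib.parse import quote


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=value' into (name, value, attrs).
    attrs maps the lower-cased attribute name to (original_name, value)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = (key.strip(), val.strip())
    return name.strip(), value, attrs


def build_set_cookie(name, value, attrs):
    """Inverse of parse_set_cookie, preserving attribute order and spelling."""
    pieces = [f"{name}={value}"]
    for original, val in attrs.values():
        pieces.append(f"{original}={val}" if val else original)
    return "; ".join(pieces)


def matches_any(name, pattern_list):
    """Comma-separated shell-style patterns, as in managed-cookies-list = JSESS*,Ltpa*."""
    return any(fnmatchcase(name, p.strip()) for p in pattern_list.split(",") if p.strip())


class JunctionCookieFilter:
    def __init__(self, junction, managed_cookies_list="", pass_http_only_cookie_attr="yes",
                 mangle_domain_cookies="no", preserve_cookie_names=""):
        self.junction = junction
        self.managed = managed_cookies_list
        self.pass_http_only = pass_http_only_cookie_attr == "yes"
        self.mangle_domain = mangle_domain_cookies == "yes"
        self.preserve = preserve_cookie_names

    def process_response(self, set_cookie_headers, jar):
        """Return the Set-Cookie headers forwarded to the client.
        Cookies matching managed-cookies-list go into `jar` (keyed by junction and name)
        and are withheld from the client."""
        forwarded = []
        for header in set_cookie_headers:
            name, value, attrs = parse_set_cookie(header)
            if matches_any(name, self.managed):
                jar[(self.junction, name)] = value
                continue
            if "httponly" in attrs and not self.pass_http_only:
                del attrs["httponly"]          # pass-http-only-cookie-attr = no removes the flag
            if "domain" in attrs and self.mangle_domain and not matches_any(name, self.preserve):
                # Assumed encoding of the mangled name; the reference only says that
                # information identifying the junction is added to the cookie name.
                name = f"AMWEBJCT!{quote(self.junction, safe='')}!{name}"
            forwarded.append(build_set_cookie(name, value, attrs))
        return forwarded

    def cookies_to_reset(self, request_cookie_names, reset_cookies_list):
        """Names matched by reset-cookies-list, which WebSEAL expires when the session ends."""
        return [n for n in request_cookie_names if matches_any(n, reset_cookies_list)]


# Constructed back-end response headers.
BACKEND_SET_COOKIES = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "LtpaToken2=xyz; Domain=.example.com; Path=/",
    "theme=dark; Path=/; HttpOnly",
    "tracker=42; Domain=.example.com; Path=/",
]


if __name__ == "__main__":
    jar = {}
    f = JunctionCookieFilter("/jct", managed_cookies_list="JSESS*,Ltpa*", mangle_domain_cookies="yes")
    print(f.process_response(BACKEND_SET_COOKIES, jar), jar)
```

With the jar enabled, the two session cookies never reach the browser, which is what makes them safe from a script on the client; with pass-http-only-cookie-attr = no the same JSESSIONID cookie would have been handed to the browser without its HttpOnly flag, so that entry is worth checking on any junction that serves session cookies to the client.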
max-webseal-header-size

Syntax: max-webseal-header-size = number_of_bytes
Description: Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. Headers larger than this value are split across multiple HTTP headers.
Note: The max-webseal-header-size entry does not limit the maximum size of HTTP-Tag-Value headers.
number_of_bytes
Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.
Default value: 0
Example: max-webseal-header-size = 0

pass-http-only-cookie-attr

Syntax: pass-http-only-cookie-attr = {yes|no}
Description: Indicates whether WebSEAL passes or removes the HttpOnly attribute from the Set-Cookie headers sent by junctioned servers. Removing the attribute makes those cookies readable by client-side script, so set this entry to no only when a junctioned application depends on that.
Options:
yes  WebSEAL passes the HttpOnly attribute from Set-Cookie headers sent by junctioned servers.
no   WebSEAL removes the HttpOnly attribute from Set-Cookie headers sent by junctioned servers.
Example: pass-http-only-cookie-attr = yes

persistent-con-timeout

Syntax: persistent-con-timeout = number_of_seconds
Description: Indicates the maximum number of seconds a persistent connection can remain idle in the cache before the connection is cleaned up and closed by WebSEAL. Use an integer value lower than the configured maximum connection lifetime for the junctioned web server. For example, the connection lifetime for a junctioned Apache web server is controlled by the KeepAliveTimeout configuration entry. You can customize the persistent-con-timeout configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_id}] stanza, where {junction_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Note: If you do not use an integer value lower than the connection lifetime on the junctioned web server, you might encounter the following problem. If the [junction] max-cached-persistent-connections configuration entry is set to a value greater than zero, WebSEAL reuses its TCP/IP session with the junctioned back-end server. If the junctioned back-end server closes the socket at the same time that WebSEAL starts to use this session to send a request, the request fails. To send the request again, WebSEAL opens a new TCP/IP session. If the request body is larger than the size that WebSEAL can cache, WebSEAL fails to resend the request and generates a 500 error.
number_of_seconds
Integer value that indicates the maximum number of seconds a persistent connection can remain idle in the cache before the connection is closed by WebSEAL. The minimum value is 1. WebSEAL does not impose a maximum value.
Default value: 5
Example: persistent-con-timeout = 5

ping-method

Syntax: ping-method = method
Description: The WebSEAL server performs a periodic background ping of each junctioned web server to determine whether it is running. The optional ping-method entry sets the HTTP request method used in these pings. The valid options include any valid HTTP request method (for example, HEAD or GET, for HTTP HEAD and HTTP GET requests respectively). You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
method
Perform an HTTP request using the specified method to determine the state of the junctioned server.
Default value: HEAD
Example: ping-method = GET

ping-time

Syntax: ping-time = number_of_seconds
Description: Integer value indicating the number of seconds between pings issued by the WebSEAL server. The pings are issued periodically in the background to verify that junctioned web servers are running. If a server is deemed not running, the recovery-ping-time value determines the interval at which pings are sent until the server is running again. The type of ping used is determined by the ping-method value. HTTP response code rules can be defined using the response-code-rules configuration entry.
number_of_seconds
Integer value indicating the number of seconds between pings issued by the WebSEAL server. The minimum value is 1. WebSEAL does not impose a maximum value. To turn this ping off, set this entry to zero. If this entry is set to zero, the recovery-ping-time entry must be set.
Default value: 300
Example: ping-time = 300

ping-uri

Syntax: ping-uri = uri
Description: The WebSEAL server performs a periodic background ping of each junctioned web server to determine whether it is running. The optional ping-uri configuration entry defines the URI that is accessed by the ping request. The defined URI is relative to the root web space of the junctioned web server. If the URI is missing, this value defaults to /. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
uri
The URI that is accessed by the ping request.
Usage: This stanza entry is optional.
Default value: /
Example: ping-uri = /apps/status

recovery-ping-time

Syntax: recovery-ping-time = number_of_seconds
Description: The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. This entry sets the interval, in seconds, between pings when the server is determined to be not running.

Options:
  number_of_seconds  Integer value indicating the number of seconds between pings issued by the WebSEAL server to a junctioned server that is determined to be not running. The minimum value is 1. WebSEAL does not impose a maximum value. If this entry is not set, the recovery-ping-time defaults to the ping-time value.

Default value: 300

Example: recovery-ping-time = 300

reprocess-root-jct-404s

Syntax: reprocess-root-jct-404s = {yes|no}

Description: Used to reprocess requests for root junction resources that result in an HTTP 404 error. The dont-reprocess-jct-404s entry (also in the [junction] stanza) can be set to yes to avoid multiple attempts to prepend a junction point to the beginning of the URL string when reprocessing requests that have resulted in an HTTP 404 status code. WebSEAL determines whether the request is already known to be for a non-local junction. However, WebSEAL fails to add a junction point when requests have been made for a root junction created at "/". To modify this behavior and cause requests for root junction resources that result in an HTTP 404 error to be reprocessed, you can use this reprocess-root-jct-404s stanza entry.

Options:
  yes  Cause requests for root junction resources that result in an HTTP 404 error to be reprocessed regardless of the setting of the dont-reprocess-jct-404s entry (also in the [junction] stanza).
  no   The value of the dont-reprocess-jct-404s entry (also in the [junction] stanza) determines whether root junction requests that result in an HTTP 404 error are reprocessed. That is, if the value of dont-reprocess-jct-404s is no, then the HTTP 404 errors will still be reprocessed.
Usage: This stanza entry is optional.

Example: reprocess-root-jct-404s =

reset-cookies-list

Syntax: reset-cookies-list = list

Description: Determines which cookies are reset when the user session is logged out. The request received from the client and the response sent back to the client are both examined for matching cookies. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options:
  list  A comma-separated list of patterns. WebSEAL will reset any cookies with names that match the patterns in this list.

Default value: nil

Example: reset-cookies-list = JSESS*,Ltpa*

response-code-rules

Syntax: response-code-rules = list

Description: The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional response-code-rules configuration entry defines the rules that are used to determine whether HTTP responses indicate a healthy or an unhealthy junctioned Web server.
The configuration entry contains a space-separated list of rules. Each rule has the format:

  [+|-]<code>   (for example, -50?)

where:
  +       Indicates that this is a healthy response code.
  -       Indicates that this is an unhealthy response code.
  <code>  The corresponding response code, which can also contain pattern matching characters such as * and ?.

The HTTP response codes are evaluated against each rule in sequence until a match is found. The corresponding sign (+ or -) determines whether the junctioned Web server is healthy or not. If the response code matches no configured rules, the junctioned Web server is considered healthy. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options:
  list  A space-separated list of response code rules. These rules determine whether the response from a junctioned Web server indicates a healthy or an unhealthy server.

Usage: This stanza entry is optional.

Default value: nil

Example: response-code-rules = +2?? -*

share-cookies

Syntax: share-cookies = {yes|no}

Description: The share-cookies item controls whether the cookie jar is shared across different junctions or whether each junction has a dedicated cookie jar. If this entry is set to yes, cookies are sent over all junctions, regardless of the junction from which the cookie originated. If this entry is set to no, only cookies received from a junction are sent in requests to that junction.
Example: share-cookies =

support-virtual-host-domain-cookies

Syntax: support-virtual-host-domain-cookies = {yes|no}

Description: If allow-backend-domain-cookies is set to yes, then this option modifies how WebSEAL validates the domain. This option has no effect if validate-backend-domain-cookies = no. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options:
  yes  The domain cookie is validated by comparing it with the virtual host specified for a backend server with the -v junction option.
  no   If set to no, or if no virtual host was specified for a junction, then the fully qualified host name is compared with the domain value of a backend cookie for validation.

Example: support-virtual-host-domain-cookies =

use-new-stateful-on-error

Syntax: use-new-stateful-on-error = {yes|no}

Description: Controls how WebSEAL responds to a stateful server that becomes unavailable.
This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For example: [junction:/webapp]

Options:
  yes  When set to yes and the original server becomes unavailable during a session, WebSEAL directs the user's next request (containing the original stateful cookie) to a new replica server on the same stateful junction. If a new replica server is found on that stateful junction, and is responsive to the request, WebSEAL sets a new stateful cookie on the user's browser. Subsequent requests during this same session (and containing the new stateful cookie) are directed to this same new server.
  no   When set to no and the original server becomes unavailable during a session, WebSEAL does not direct the user's subsequent requests to a new replica server on the same stateful junction. Instead, WebSEAL returns an error and attempts to access the same server for subsequent requests by the user during this session.

Example: use-new-stateful-on-error =

validate-backend-domain-cookies

Syntax: validate-backend-domain-cookies = {yes|no}

Description: Specifies how WebSEAL validates the domain. You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options:
  yes  Domain cookies that adhere to the cookie specification are forwarded to the user. If the fully qualified host name of the originating back-end machine is the domain, then the cookie is forwarded to the user with no domain specified.
  no   All domain cookies are forwarded to the user, regardless of their content.

Example: validate-backend-domain-cookies =

worker-thread-hard-limit

Syntax: worker-thread-hard-limit = number_of_threads

Description: Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.

Options:
  number_of_threads  Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions. The default value of 100 means that there is no limit. When the value of worker-thread-hard-limit is less than 100, and the limit is exceeded, WebSEAL generates an error message.

Default value: 100

Example: worker-thread-hard-limit = 100

worker-thread-soft-limit

Syntax: worker-thread-soft-limit = number_of_threads

Description: Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.

Options:
  number_of_threads
  Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions. When the value of worker-thread-soft-limit is less than 100, and the limit is exceeded, WebSEAL generates a warning message.

Default value: 90

Example: worker-thread-soft-limit = 90

disable-local-junctions

Syntax: disable-local-junctions = {yes|no}

Description: WebSEAL can serve pages from a local web server through local junctions. If local junctions are not used, you can disable the functionality with the disable-local-junctions configuration item.

Options:
  yes  Disables local junction functionality.
  no   Enables local junction functionality.

Usage: Optional.

Example: The following example enables local junction functionality:

  disable-local-junctions = no

[junction:junction_name] stanza

Note: This stanza is optional and must be manually inserted into the WebSEAL configuration file. The junction_name in the stanza name is the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For details about the configuration entries supported in this junction-specific stanza, see the description of the corresponding configuration entry in the [junction] stanza.
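As an added example (not IBM's code), the following Python models three behaviours of the [junction] stanza described above: an item in a [junction:{junction_name}] stanza overriding the same item in [junction], response-code-rules evaluated in order with the first match deciding and no match meaning healthy, and the ping-time/recovery-ping-time interval choice. The configuration fragment, the junction names and the dictionary field names are constructed for the example.

```python
"""Resolve [junction] items with per-junction overrides and evaluate ping
health. Added example, not IBM code: it models the behaviour the stanza
reference describes for ping-time, recovery-ping-time and
response-code-rules, using Python's configparser for the stanza syntax."""
import configparser
from fnmatch import fnmatchcase

# Constructed webseald.conf fragment (sample input, not a real appliance file).
SAMPLE_CONF = """
[junction]
ping-method = HEAD
ping-uri = /
ping-time = 300
response-code-rules = +2?? -*

[junction:/webapp]
ping-uri = /apps/status
recovery-ping-time = 60
response-code-rules = +2?? +401 -50? -*
"""


def load_conf(text):
    """Parse stanza text; interpolation is off so '%' in values stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def junction_item(conf, junction, item, default=None):
    """Look the item up in [junction:{junction}] first, then in [junction]."""
    specific = "junction:" + junction
    if conf.has_option(specific, item):
        return conf.get(specific, item)
    return conf.get("junction", item, fallback=default)


def parse_rules(rules):
    """Split '+2?? -50? -*' into [('+', '2??'), ('-', '50?'), ('-', '*')]."""
    parsed = []
    for token in (rules or "").split():
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError("malformed response-code rule: %r" % token)
        parsed.append((token[0], token[1:]))
    return parsed


def is_healthy(status, rules):
    """The first matching rule decides; no match means the server is healthy."""
    for sign, pattern in parse_rules(rules):
        if fnmatchcase(str(status), pattern):
            return sign == "+"
    return True


def next_ping_interval(healthy, ping_time, recovery_ping_time=None):
    """Seconds until the next background ping, or None when pinging is off.

    ping-time = 0 turns the healthy-state ping off, and the reference then
    requires recovery-ping-time to be set. An unset recovery-ping-time
    falls back to the ping-time value.
    """
    if ping_time == 0 and recovery_ping_time is None:
        raise ValueError("ping-time is 0, so recovery-ping-time must be set")
    if healthy:
        return ping_time or None
    return recovery_ping_time if recovery_ping_time is not None else ping_time


def ping_plan(conf, junction, status):
    """Combine the resolved items into one health decision for a junction."""
    rules = junction_item(conf, junction, "response-code-rules")
    healthy = is_healthy(status, rules)
    ping_time = int(junction_item(conf, junction, "ping-time", "300"))
    recovery = junction_item(conf, junction, "recovery-ping-time")
    recovery = int(recovery) if recovery is not None else None
    return {
        "method": junction_item(conf, junction, "ping-method", "HEAD"),
        "uri": junction_item(conf, junction, "ping-uri", "/"),
        "healthy": healthy,
        "next_ping": next_ping_interval(healthy, ping_time, recovery),
    }


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for jct, status in (("/webapp", 401), ("/webapp", 503), ("/other", 503)):
        print(jct, status, ping_plan(conf, jct, status))
```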
[ldap] stanza

auth-timeout

Syntax: auth-timeout = {0|number_seconds}

Description: Amount of time (in seconds) that is allowed for authentication operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for authentication operations.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options:
  0               No timeout is allowed.
  number_seconds  The number of seconds allowed for authentication operations, specified as a positive integer. There is no range limitation for timeout values.

Usage: This stanza entry is optional.

Default value: 0

Example: auth-timeout = 0

auth-using-compare

Syntax: auth-using-compare = {true|false}

Description: Enables or disables authentication using password comparison. When disabled, authentication using LDAP bind is performed. For those LDAP servers that allow it, a compare operation might perform faster than a bind operation.

Options:
  true   A password compare operation is used to authenticate LDAP users.
  false  A bind operation is used to authenticate LDAP users.
Usage: This stanza entry is optional.

Default value (when LDAP is enabled):

Example: auth-using-compare =

bind-dn

Syntax: bind-dn = LDAP_DN

Description: LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server. This is the name that represents the WebSEAL server daemon.

Options:
  LDAP_DN  LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server.

Usage: This stanza entry is required when LDAP is enabled.

Default value: The default value is built by combining the daemon name webseald with the host_name that was specified by the administrator during the configuration of the Security Access Manager runtime component.

Example: bind-dn = cn=webseald/surf,cn=securitydaemons,secauthority=default

bind-pwd

Syntax: bind-pwd = LDAP_password

Description: Password for the LDAP user distinguished name declared in the bind-dn stanza entry.

Options:
  LDAP_password  Password for the LDAP user distinguished name declared in the bind-dn stanza entry.
Usage: This stanza entry is required when LDAP is enabled.

Default value: The default value of this stanza entry is set during WebSEAL configuration. The WebSEAL configuration reads the LDAP_password that was specified by the administrator during the configuration of the Security Access Manager runtime component. This value is read from the Security Access Manager configuration file, pd.conf.

Example: bind-pwd = zs77wvolszn1rkrl

cache-enabled

Syntax: cache-enabled = {true|false}

Description: Enables or disables LDAP client-side caching.

Options:
  true   Enable LDAP client-side caching.
  false  Disable LDAP client-side caching. Anything other than true, including a blank value, is interpreted as false.

Example: cache-enabled =

cache-group-expire-time

Syntax: cache-group-expire-time = number_of_seconds

Description: Specifies the amount of time to elapse before a group entry in the cache is discarded. This entry is used only when cache-enabled = true.
Options:
  number_of_seconds  Specifies the amount of time to elapse before a group entry in the cache is discarded.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the value used is 300 seconds.

Example: cache-group-expire-time = 300

cache-group-membership

Syntax: cache-group-membership = {yes|no}

Description: Indicates whether group membership information should be cached. This entry is used only when cache-enabled = true.

Options:
  yes  Cache group membership information.
  no   Do not cache group membership information.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the group information is cached.

Example: cache-group-membership =

cache-group-size

Syntax: cache-group-size = number

Description: Specifies the number of entries in the LDAP group cache. This entry is used only when cache-enabled = true.
Options:
  number  Specifies the number of entries in the LDAP group cache.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the value used is 64.

Example: cache-group-size = 64

cache-policy-expire-time

Syntax: cache-policy-expire-time = number_of_seconds

Description: Specifies the amount of time to elapse before a policy entry in the cache is discarded. This entry is used only when cache-enabled = true.

Options:
  number_of_seconds  Specifies the amount of time to elapse before a policy entry in the cache is discarded.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the value used is 30 seconds.

Example: cache-policy-expire-time = 30

cache-policy-size

Syntax: cache-policy-size = number

Description: Specifies the number of entries in the LDAP policy cache. This entry is used only when cache-enabled = true.
Options:
  number  Specifies the number of entries in the LDAP policy cache.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the value used is 20.

Example: cache-policy-size = 20

cache-return-registry-id

Syntax: cache-return-registry-id = {yes|no}

Description: Indicates whether to cache the user identity as it is stored in the registry or to cache the value as entered during authentication. Ignored if the cache is not enabled. If not set, the default is .

Options:
  yes  Cache the user identity as it is stored in the registry.
  no   Cache the user identity as it was entered during authentication.

Usage: This stanza entry is optional.

Example: cache-return-registry-id =

cache-user-expire-time

Syntax: cache-user-expire-time = number_of_seconds

Description: Specifies the amount of time to elapse before a user entry in the cache is discarded. This entry is used only when cache-enabled = true.
Options:
  number_of_seconds  Specifies the amount of time to elapse before a user entry in the cache is discarded.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the value used is 30 seconds.

Example: cache-user-expire-time = 30

cache-user-size

Syntax: cache-user-size = number

Description: Specifies the number of entries in the LDAP user cache. This entry is used only when cache-enabled = true.

Options:
  number  Specifies the number of entries in the LDAP user cache.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the value used is 256.

Example: cache-user-size = 256

cache-use-user-cache

Syntax: cache-use-user-cache = {yes|no}

Description: Indicates whether to use the user cache information. This entry is used only when cache-enabled = true.
Options:
  yes  Use the user cache information.
  no   Do not use the user cache information.

Usage: This stanza entry is optional.

Default value: There is no default value, but when not set the user cache information is used.

Example: cache-use-user-cache =

default-policy-override-support

Syntax: default-policy-override-support = {true|false}

Description: Indicates whether default policy overrides user-level policy during LDAP searches. When this stanza entry is set to yes, only the default policy is checked.

Options:
  true   User policy support is disabled and only the global (default) policy is checked. This option allows the user policy to be ignored, even when it is specified.
  false  User policy support is enabled. When a user policy is specified by the administrator, it overrides the global policy.

Usage: This stanza entry is optional. By default, the value is not specified during WebSEAL configuration. When the value is not specified, the default behavior is to enable user policy support. This is equivalent to setting this stanza entry to no.

Example: default-policy-override-support =

enabled

Syntax: enabled = {true|false}
Description: Indicates whether or not LDAP is being used as the user registry.

Options:
  true   Enables LDAP user registry support.
  false  Disables LDAP user registry support and indicates that LDAP is not the user registry being used. Anything other than true, including a blank value, is interpreted as false.

Usage: This stanza entry is required when LDAP is the user registry.

Default value: The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example: enabled =

host

Syntax: host = host_name

Description: Host name of the LDAP server.

Options:
  host_name  Valid values for host_name include any valid IP host name. The host_name does not have to be a fully qualified domain name.

Default value: The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Examples:
  host = diamond
  host = diamond.example.com
login-failures-persistent

Syntax: login-failures-persistent = {true|false}

Description: When set to yes, login hits are tracked in the registry instead of only in the local process cache. Persistent login hit recording impacts performance but allows consistent login hit counting across multiple servers.

Options:
  true   When set to yes, login hits are tracked in the registry instead of only in the local process cache.
  false  When set to no, login hits are tracked only in the local process cache and not in the registry.

Usage: This stanza entry is optional. The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is .

Example: login-failures-persistent =

max-search-size

Syntax: max-search-size = {0|number_entries}

Description: Limit for the maximum search size, specified as the number of entries, that can be returned from the LDAP server. The value for each server can be different, depending on how the server was configured.

Options:
  0               The number is unlimited; there is no limit to the maximum search size.
  number_entries  The maximum number of entries for a search, specified as an integer whole number. This value can be limited by the LDAP server itself.

Usage: This stanza entry is optional.
Default value: The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example: max-search-size = 2048

prefer-readwrite-server

Syntax: prefer-readwrite-server = {true|false}

Description: Allows or disallows the client to query the read/write LDAP server before querying any replica read-only servers configured in the domain.

Options:
  true   Enable the choice.
  false  Disable the choice. Anything other than true, including a blank value, is interpreted as false.

Usage: This stanza entry is optional.

Example: prefer-readwrite-server =

port

Syntax: port = port_number

Description: Number of the TCP/IP port used for communicating with the LDAP server. Note that this is not for SSL communication.

Options:
  port_number  A valid port number is any positive integer that is allowed by TCP/IP and that is not currently being used by another application.
Usage: This stanza entry is required when LDAP is enabled.

Default value: The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example: port = 389

replica

Syntax: replica = ldap-server,port,type,pref

Description: Definition of the LDAP user registry replicas in the domain. Security Access Manager supports a maximum of one host and nine LDAP replica servers, which are listed in the ldap.conf file. If more than nine LDAP replica entries are listed, the Security Access Manager servers cannot start.

Options:
  ldap-server  The network name of the server.
  port         The port number for the LDAP server. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.
  type         One of readonly (read-only) or readwrite (read/write).
  pref         A number from 1 to 10 (10 is the highest preference).

Usage: This stanza entry is optional.

Default value: The default is that no replicas are specified. Any value is always taken during WebSEAL initialization from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example: One replica specified and two replicas commented out:

  replica = rep1,390,readonly,1
  #replica = rep2,391,readwrite,2
  #replica = rep3,392,readwrite,3
search-timeout

Syntax: search-timeout = {0|number_seconds}

Description: Amount of time (in seconds) that is allowed for search operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for search operations.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options:
  0               No timeout is allowed.
  number_seconds  The number of seconds allowed for search operations, specified as a positive integer. There is no range limitation for timeout values.

Usage: This stanza entry is optional.

Default value: 0

Example: search-timeout = 0

ssl-enabled

Syntax: ssl-enabled = {true|false}

Description: Enables or disables SSL communication between WebSEAL and the LDAP server.

Options:
  true   Enable SSL communication.
  false  Disable SSL communication.

Usage: This stanza entry is optional.
Default value: SSL communication is disabled by default. During WebSEAL server configuration, the WebSEAL administrator can choose to enable it.

Example: ssl-enabled =

ssl-keyfile

Syntax: ssl-keyfile = file_name

Description: SSL key file name. The SSL key file handles certificates that are used in LDAP communication.

Options:
  file_name  The WebSEAL administrator specifies this file name during WebSEAL configuration. The file name can be any arbitrary choice, but the extension is usually .kdb.

Usage: This stanza entry is required when SSL communication is enabled, as specified in the ssl-enabled stanza entry.

Default value: None.

Example: ssl-keyfile = webseald.kdb

ssl-keyfile-dn

Syntax: ssl-keyfile-dn = key_label

Description: String that specifies the key label of the client personal certificate within the SSL key file. This key label is used to identify the client certificate that is presented to the LDAP server.

Options:
  key_label  String that specifies the key label of the client personal certificate within the SSL key file.
Usage: This stanza entry is optional. A label is not required when one of the certificates in the keyfile has been identified as the default certificate. The decision whether to identify a certificate as the default was made previously by the LDAP administrator when configuring the LDAP server. The WebSEAL configuration utility prompts the WebSEAL administrator to supply a label. When the administrator knows that the certificate contained in the keyfile is the default certificate, the administrator does not have to specify a label.

Default value: None.

Example: ssl-keyfile-dn = "PD_LDAP"

ssl-keyfile-pwd

Syntax: ssl-keyfile-pwd = password

Description: Password to access the SSL key file.

Options:
  password  Password to access the SSL key file. The WebSEAL administrator specifies this password during WebSEAL configuration. The password associated with the default SSL keyfile is gsk4ikm.

Deprecated: The ssl-keyfile-pwd entry is deprecated in the [ldap] stanza. Although this entry might exist in a configuration file, it will be ignored.

Default value: None.

Example: ssl-keyfile-pwd = gsk4ikm

ssl-port

Syntax: ssl-port = port_number

Description: SSL IP port that is used to connect to the LDAP server. Note that this is for SSL communication.
Options:
  port_number  A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.

Usage: This stanza entry is required only when LDAP is enabled and the LDAP server is configured to perform client authentication (ssl-enabled = yes).

Default value: The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example: ssl-port = 636

timeout

Syntax: timeout = {0|number_seconds}

Description: Amount of time (in seconds) that is allowed for authentication or search operations before the LDAP server is considered to be not available. If specified, a value for the auth-timeout or search-timeout stanza entries overrides the value of this stanza entry.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options:
  0               No timeout is allowed.
  number_seconds  The number of seconds allowed for authentication or search, specified as a positive integer. There is no range limitation for timeout values.

Usage: This stanza entry is optional.

Default value: 0

Example: timeout = 0
user-and-group-in-same-suffix

Syntax: user-and-group-in-same-suffix = {true|false}

Description: Indicates whether the groups in which a user is a member are defined in the same LDAP suffix as the user definition. When a user is authenticated, the groups in which the user is a member must be determined in order to build a credential. Normally, all LDAP suffixes are searched to locate the groups of which the user is a member.

Options:
  true   The groups are assumed to be defined in the same LDAP suffix as the user definition. Only that suffix is searched for group membership. This behavior can improve the performance of group lookup because only a single suffix is searched. This option should only be specified if group definitions are restricted to the same suffix as the user definition.
  false  The groups might be defined in any LDAP suffix.

Usage: This stanza entry is optional. The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is .

Example: user-and-group-in-same-suffix =

[local-response-macros] stanza

macro

Syntax: macro = macro[:name]

Description: URL-encoded macros to include in the query string for all redirected management page requests. WebSEAL provides a default set of macros. By default, WebSEAL uses the macro values as arguments in the generated query string. Alternatively, you can customize the name of the arguments used in the query string by adding a colon followed by a name value.
Options:
  macro  URL-encoded macro.
  name   WebSEAL uses this custom name as an argument in the response URI. If you do not provide a value for this custom name, then WebSEAL defaults to using the macro value as an argument in the response URI.

Note: For the HTTPHDR macro, the default value is HTTPHDR_<name>, where <name> is the name of the HTTP header defined in the macro. For the CREDATTR macro, the default value is CREDATTR_<name>, where <name> is the name of the attribute defined in the macro.

Usage: This stanza entry is optional.

Default value: None.

Examples: The following entry causes WebSEAL to use the default value USERNAME as an argument in the query string:

  macro = USERNAME

The following entry causes WebSEAL to use the custom value myUserName as an argument in the query string:

  macro = USERNAME:myUserName

[local-response-redirect] stanza

local-response-redirect-uri

Syntax: local-response-redirect-uri = URI

Description: URL to which management page requests are redirected. All requests for management pages are redirected to this URL with a query string indicating the operation requested, along with any macros (as configured in the [local-response-macros] stanza). You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [local-response-redirect:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options:
  URI  URL to which management page requests are redirected.
Usage: This stanza entry is optional.

Default value: None.

Examples: A server-relative URL:

  local-response-redirect-uri = /jct/page.html

An absolute URL:

  local-response-redirect-uri = http://www.example.com/

[logging] stanza

absolute-uri-in-request-log

Syntax: absolute-uri-in-request-log = {yes|no}

Description: Log the absolute URI in the request log, combined log, and HTTP audit records. Adds protocol and host to the path.

Options:
  yes  Log the absolute URI.
  no   Do not log the absolute URI.

Example: absolute-uri-in-request-log =

agents

Syntax: agents = {yes|no}

Description: Enables or disables the agents log. This log records the contents of the User-Agent: header of each HTTP request.
Options:
  yes  Enables agents logging.
  no   Disables agents logging.

Example: agents =

audit-mime-types

Syntax: mime-pattern = {yes|no}

Description: Determines whether WebSEAL will generate an audit event for an HTTP request based on the content-type of the HTTP response.

Options:
  yes  WebSEAL will generate an audit event for a response that contains the corresponding content MIME-type.
  no   WebSEAL will not generate an audit event for a response that contains the corresponding content MIME-type.

Usage: This stanza entry is optional.

Note:
1. More specific MIME patterns take precedence over less specific MIME patterns. For example, if image/* = yes (general) but image/jpeg = no (more specific), then an HTTP response with an image MIME-type other than JPEG will generate an audit event; a response with a JPEG MIME-type will not generate an audit event.
2. If an HTTP response does not match any of the MIME patterns listed in this stanza, WebSEAL will generate an audit event.

Default value: None.

Example:
  image/jpeg =
  image/* =
  */* =
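An added example (not IBM's code) of the evaluation the two notes above describe: the most specific matching MIME pattern decides whether the response is audited, and a response matching no pattern is audited. The stanza contents are constructed, and the ranking used for "more specific" (fewer wildcard characters, then the longer pattern) is this example's own assumption; the reference states only the precedence.

```python
"""Evaluate audit-mime-types entries for a response. Added example, not IBM
code. It follows the two documented notes: the most specific matching MIME
pattern decides, and an unmatched response generates an audit event. The
specificity ranking (fewer wildcards, then longer pattern) is an assumption
of this example; the reference only says "more specific"."""
from fnmatch import fnmatchcase

# Constructed stanza contents in the reference's "pattern = yes|no" form.
SAMPLE_STANZA = """
# audit everything under image/ except JPEGs; skip all other types
image/jpeg = no
image/* = yes
*/* = no
"""


def parse_mime_rules(text):
    """Turn 'pattern = yes|no' lines into a {pattern: audit?} dict."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        pattern, _, value = line.partition("=")
        value = value.strip().lower()
        if value not in ("yes", "no"):
            raise ValueError("audit-mime-types value must be yes or no: %r" % raw)
        rules[pattern.strip().lower()] = value == "yes"
    return rules


def specificity(pattern):
    """Sort key: fewest wildcard characters first, then the longer pattern."""
    wildcards = sum(pattern.count(ch) for ch in "*?")
    return (-wildcards, len(pattern))


def media_type(content_type):
    """Reduce 'text/html; charset=utf-8' to 'text/html' for matching."""
    return content_type.split(";", 1)[0].strip().lower()


def should_audit(content_type, rules):
    """True when WebSEAL would write an audit event for this response."""
    mime = media_type(content_type)
    matching = [p for p in rules if fnmatchcase(mime, p)]
    if not matching:
        return True  # note 2: no pattern matched, so the response is audited
    return rules[max(matching, key=specificity)]  # note 1: most specific wins


if __name__ == "__main__":
    rules = parse_mime_rules(SAMPLE_STANZA)
    for ct in ("image/jpeg", "image/png", "text/html; charset=utf-8"):
        print(ct, "->", "audit" if should_audit(ct, rules) else "skip")
```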
audit-response-codes

Syntax: code = {yes|no}

Description: Determines whether WebSEAL will generate an audit event for an HTTP request based on the response code of the HTTP response.

Options:
  yes  WebSEAL will generate an audit event for an HTTP response that matches the corresponding response code.
  no   WebSEAL will not generate an audit event for an HTTP response that matches the corresponding response code.

Usage: This stanza entry is optional.

Default value: None.

Example:
  200 =
  304 =
  401 =

flush-time

Syntax: flush-time = number_of_seconds

Description: Integer value indicating the frequency, in seconds, at which log buffers are forcibly flushed.

Options:
  number_of_seconds  Integer value indicating the frequency, in seconds, to force a flush of log buffers. The minimum value is 1 second. The maximum value is 600 seconds.

Usage: This stanza entry is optional.

Default value: 20
Example: flush-time = 20

gmt-time

Syntax: gmt-time = {yes|no}

Description: Enables or disables logging requests using Greenwich Mean Time (GMT) instead of the local timezone.

Options:
  yes  Use GMT.
  no   Use the local timezone.

Example: gmt-time =

host-header-in-request-log

Syntax: host-header-in-request-log = {yes|no}

Description: Log the Host header at the front of each line in the request log and the combined log.

Options:
  yes  Log the Host header.
  no   Do not log the Host header.

Example: host-header-in-request-log =
log-invalid-requests

Syntax: log-invalid-requests = {yes|no}

Description: Specifies whether or not WebSEAL logs all requests, including those that are malformed or for some other reason are not processed to completion.

Options:
  yes  WebSEAL logs every request, even if a request is malformed or for some other reason is not processed to completion.
  no   WebSEAL logs most requests. In some cases, requests that are malformed or for some other reason are not processed to completion will not be logged. This option exists for compatibility with versions of WebSEAL prior to version 6.0.

Example: log-invalid-requests =

max-size

Syntax: max-size = number_of_bytes

Description: Integer value indicating the size limit of the log files. This value applies to the request, referer, and agent logs. The size limit is also referred to as the rollover threshold. When the log file reaches this threshold, the original log file is renamed and a new log file with the original name is created.

Options:
  number_of_bytes  When the value is zero (0), no rollover log file is created. When the value is a negative integer, the logs are rolled over daily, regardless of the size. When the value is a positive integer, the value indicates the maximum size, in bytes, of the log file before the rollover occurs. The allowable range is from 1 byte to 2 gigabytes.
Default value:
2000000

Example:
max-size = 2000000

referers

Syntax:
referers = {yes|no}

Description:
Enables or disables the referers log. This log records the Referer: header of each HTTP request.

Options:
yes
The value yes enables referers logging.
no
The value no disables referers logging.

Example:
referers =

requests

Syntax:
requests = {yes|no}

Description:
Enables or disables the requests log. This log records standard logging of HTTP requests.

Options:
yes
The value yes enables requests logging.
no
The value no disables requests logging.
Example:
requests =

request-log-format

Syntax:
request-log-format = directives

Description:
Contains the format in which a customized request log should be created. See the IBM Security Access Manager for Web: Auditing Guide for more information.

Options:
The following directives can be used:
%a  Remote IP address.
%A  Local IP address.
%b  Bytes in the reply excluding HTTP headers, in CLF format: '-' instead of 0 when no bytes are returned.
%B  Bytes in the reply excluding HTTP headers.
%{Attribute}C  Attribute from the Security Access Manager credential named 'Attribute'.
%d  Transaction identifier, or session sequence number.
%F  Time taken to serve the request, in microseconds.
%h  Remote host.
%H  Request protocol.
%{header-name}i  Contents of the header header-name in the request.
%j  The name of the junction in the request.
%l  Remote logname.
%m  Request method (that is, GET, POST, HEAD).
%{header-name}o  Contents of the header header-name in the reply.
%p  Port of the WebSEAL server the request was served on.
%q  The query string (prepended with '?', or empty).
%Q  Logs raw query strings that the user must decode manually.
%r  First line of the request.
%R  First line of the request including HTTP://HOSTNAME.
%s  Status.
%t  Time and date in CLF format.
%{format}t  The time and date in the given format.
%T  Time taken to serve the request, in seconds.
%u  Remote user.
%U  The URL requested.
%v  Canonical ServerName of the server serving the request.
%z  The path portion of the URL in decoded form.
%Z  The path portion of the URL in raw form.

The request-log-format string CANNOT contain the # character.

Default value:
The default of this parameter is equivalent to the normal default log output. It is commented out by default.

Example:
On UNIX or Linux:
request-log-format = %h %l %u %t "%r" %s %b

server-log-cfg

Syntax:
server-log-cfg = agent [parameter=value],[parameter=value]...

Description:
Configures the server for logging. You can use the available parameters to configure the logging agents.

Options:
agent
Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
- stdout
- stderr
- file
- remote
- rsyslog

Note: If you use the remote agent to send audit events to a remote authorization server, ensure that the destination server is configured to process the received events. In particular, the logcfg configuration entry in the aznapi-configuration stanza must be set on the remote authorization server. You must use the following format for the category value in this logcfg entry:
remote.webseal.hostname.webseald
where hostname is the name of the appliance that originated the event.

For example, the following entry configures the remote authorization server to accept logging events from the iswga.au.ibm.com server, and send these events to the event.log file:
logcfg = remote.webseal.iswga.au.ibm.com.webseald:file path=/var/PolicyDirector/log/event.log

The remote authorization server discards any events that originate from a server for which there is no matching logcfg rule.

parameter
The different agents support the following configuration parameters:

Table 1. Logging agent configuration parameters
Parameter       Supporting agents
buffer_size     remote
compress        remote
dn              remote
error_retry     remote, rsyslog
flush_interval  all
hi_water        all
log_id          file, rsyslog
max_event_len   rsyslog
mode            file
path            all
port            remote, rsyslog
queue_size      all
rebind_retry    remote, rsyslog
rollover_size   file
server          remote, rsyslog
ssl_keyfile     rsyslog
ssl_label       rsyslog
ssl_stashfile   rsyslog

Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.

Default value:
None.
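To try a customized request-log-format string before putting it in the stanza, the following added example (not IBM's code) renders log lines from the directive vocabulary listed under request-log-format above; the request record, its field names and the sample values are constructed for illustration.

```python
"""Render WebSEAL-style request log lines from a request-log-format string.

Added example, not IBM's code. It implements the directives documented for
request-log-format (%h %l %u %t "%r" %s %b, %{name}i, %{name}o,
%{Attribute}C, %{format}t, ...) against a constructed request record.
"""
import re
from datetime import datetime, timezone

# A directive is % followed by an optional {argument} and one letter.
DIRECTIVE = re.compile(r"%(?:\{([^}]*)\})?([a-zA-Z])")


def clf_time(ts: datetime) -> str:
    """CLF timestamp, e.g. [10/Oct/2013:13:55:36 +0000]."""
    return ts.strftime("[%d/%b/%Y:%H:%M:%S %z]")


def render(fmt: str, req: dict) -> str:
    """Expand fmt for one request; req is a plain dict (hypothetical field names)."""
    if "#" in fmt:
        # The stanza reference states the format string cannot contain '#'.
        raise ValueError("request-log-format must not contain '#'")
    bytes_sent = req.get("bytes", 0)
    simple = {
        "a": req.get("remote_ip", "-"),
        "A": req.get("local_ip", "-"),
        "b": str(bytes_sent) if bytes_sent else "-",  # CLF: '-' when no bytes
        "B": str(bytes_sent),
        "d": str(req.get("transaction_id", "-")),
        "F": str(req.get("service_micros", 0)),
        "h": req.get("remote_host", "-"),
        "H": req.get("protocol", "-"),
        "j": req.get("junction", "-"),
        "l": req.get("logname", "-"),
        "m": req.get("method", "-"),
        "p": str(req.get("port", "-")),
        "q": ("?" + req["query"]) if req.get("query") else "",
        "Q": req.get("raw_query", ""),
        "r": req.get("request_line", "-"),
        "R": req.get("request_line_full", "-"),
        "s": str(req.get("status", "-")),
        "T": str(req.get("service_micros", 0) // 1_000_000),
        "u": req.get("user") or "-",
        "U": req.get("url", "-"),
        "v": req.get("server_name", "-"),
        "z": req.get("path_decoded", "-"),
        "Z": req.get("path_raw", "-"),
    }

    def expand(m: re.Match) -> str:
        arg, letter = m.group(1), m.group(2)
        if letter == "t":
            return req["time"].strftime(arg) if arg else clf_time(req["time"])
        if letter == "i":  # request header
            return req.get("req_headers", {}).get(arg, "-")
        if letter == "o":  # reply header
            return req.get("rsp_headers", {}).get(arg, "-")
        if letter == "C":  # credential attribute
            return req.get("cred_attrs", {}).get(arg, "-")
        if letter in simple:
            return simple[letter]
        raise ValueError(f"unknown directive %{letter}")

    return DIRECTIVE.sub(expand, fmt)


# Constructed sample request (hypothetical values, not taken from the page).
SAMPLE = {
    "remote_host": "192.0.2.10", "logname": "-", "user": "alice",
    "time": datetime(2013, 10, 10, 13, 55, 36, tzinfo=timezone.utc),
    "request_line": "GET /jct/app?x=1 HTTP/1.1", "status": 200, "bytes": 0,
    "junction": "/jct", "method": "GET", "query": "x=1", "raw_query": "x%3D1",
    "req_headers": {"Host": "www.example.com", "User-Agent": "curl/7.29"},
    "rsp_headers": {"Content-Type": "text/html"},
    "cred_attrs": {"AZN_CRED_AUTHNMECH_INFO": "LDAP Registry"},
}

DEFAULT_FMT = '%h %l %u %t "%r" %s %b'
CUSTOM_FMT = '%h %u %{%Y-%m-%dT%H:%M:%SZ}t %j %m %{Host}i "%r" %s %B %{AZN_CRED_AUTHNMECH_INFO}C'

if __name__ == "__main__":
    print(render(DEFAULT_FMT, SAMPLE))
    print(render(CUSTOM_FMT, SAMPLE))
```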
Example:
To log server events in a file called msg webseald.log:
server-log-cfg = file path=msg webseald.log

To send server events to a remote syslog server:
server-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance

[ltpa] stanza

ltpa-auth

Accept and generate LTPA cookies for authentication.

Syntax:
ltpa-auth = {http|https|both|none}

Description:
Enables support for LTPA cookie generation and authentication.

Options:
http
Enables support for http cookies.
https
Enables support for https cookies.
both
Enables support for both http and https cookies.
none
Disables support for both http and https cookies.

Default value:
none

Example:
ltpa-auth = https

cookie-name

Syntax:
cookie-name = cookie_name

Description:
The name of the LTPA cookie that WebSEAL issues to clients.

Options:
cookie_name
This must be Ltpatoken2, as only LTPA version 2 cookies are supported.
Default value:
Ltpatoken2

Example:
cookie-name = Ltpatoken2

cookie-domain

Syntax:
cookie-domain = domain_name

Description:
The domain of the LTPA cookie that WebSEAL issues to clients. If you do not specify a cookie domain, WebSEAL creates the LTPA cookie as a host-only cookie.

Options:
domain_name
The domain of the LTPA cookie.

Default value:
none

Example:
cookie-domain = ibm.com

jct-ltpa-cookie-name

Syntax:
jct-ltpa-cookie-name = cookie_name

Description:
The name of the cookie containing the LTPA token that WebSEAL sends across the junction to the backend server. If you do not specify a value for this item, WebSEAL uses the following default values:
- LtpaToken for cookies containing LTPA tokens.
- LtpaToken2 for cookies containing LTPA version 2 tokens.
WebSphere also uses these default values.
Options:
cookie_name
This name must match the LTPA cookie name that the WebSphere application uses on this junction.

Usage:
This stanza entry is optional.

Default value:
The default value for LTPA tokens is LtpaToken. The default value for LTPA2 tokens is LtpaToken2.

Example:
jct-ltpa-cookie-name = mycookiename

keyfile

Syntax:
keyfile = keyfile_name

Description:
The key file used when accessing LTPA cookies. The value must correspond to a valid LTPA key file, as generated by WebSphere.

Options:
keyfile_name
Name of a valid LTPA key file, as generated by WebSphere.

Usage:
This stanza entry is optional.

Default value:
none

Example:
keyfile = keyfile123

update-cookie

Syntax:
update-cookie = number_of_seconds

Description:
The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie. With each request, if n seconds have passed since the last cookie update, another update will occur. A zero value will cause the lifetime timestamp in the LTPA cookie to be updated with each request. Negative values
will cause the lifetime of the cookie to be set to the same value as the lifetime of the user session. This setting is used in an attempt to mimic the inactivity timeout of a user session.

Note: This configuration entry affects the LTPA cookie that WebSEAL issues to clients. It is the lifetime of the cookie specified by the cookie-name configuration entry in the [ltpa] stanza.

Options:
number_of_seconds
The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie.

Default value:
-1

Example:
update-cookie = 0

use-full-dn

Syntax:
use-full-dn = {true|false}

Description:
Controls whether the generated LTPA cookie contains the full DN of the user, or the Security Access Manager short name of the user.

Options:
true
WebSEAL inserts the full DN of the user into the LTPA cookie.
false
WebSEAL inserts the Security Access Manager short name of the user into the LTPA cookie.

Usage:
This stanza entry is optional.

Default value:
true

Example:
use-full-dn = true
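The three update-cookie behaviours described above (0, a positive number of seconds, a negative value) as an added model, not IBM's code; the LtpaSession class, its field names and the simulated request times are assumptions made for illustration.

```python
"""Model of when the LTPA cookie lifetime is refreshed under update-cookie.

Added example, not IBM's code. Rule from the [ltpa] stanza reference:
  update-cookie = 0    -> refresh the lifetime timestamp on every request
  update-cookie = n>0  -> refresh only if n seconds passed since the last refresh
  update-cookie < 0    -> cookie lifetime equals the user session lifetime,
                          mimicking the session inactivity timeout
"""
from dataclasses import dataclass


@dataclass
class LtpaSession:               # hypothetical state holder, not a WebSEAL type
    session_lifetime: int        # seconds the user session lives (assumed field)
    cookie_lifetime: int         # seconds of validity stamped into the LTPA cookie
    last_update: int             # epoch seconds of the last cookie refresh
    cookie_expiry: int           # epoch seconds at which the issued cookie expires


def refresh_cookie(sess: LtpaSession, update_cookie: int, now: int) -> bool:
    """Process one request at `now`; return True if a refreshed cookie is issued."""
    if update_cookie < 0:
        # Lifetime tied to the session: an idle session lets the cookie lapse
        # together with the session instead of outliving it.
        sess.cookie_expiry = now + sess.session_lifetime
        sess.last_update = now
        return True
    if update_cookie == 0 or now - sess.last_update >= update_cookie:
        sess.cookie_expiry = now + sess.cookie_lifetime
        sess.last_update = now
        return True
    return False  # inside the update window: the existing cookie is reused


def simulate(update_cookie: int, request_times: list,
             session_lifetime: int = 1800, cookie_lifetime: int = 7200) -> list:
    """Return the request times at which a refreshed cookie was sent."""
    t0 = request_times[0]
    sess = LtpaSession(session_lifetime, cookie_lifetime, t0, t0 + cookie_lifetime)
    issued = [t0]  # the first request always receives the cookie (model assumption)
    for t in request_times[1:]:
        if refresh_cookie(sess, update_cookie, t):
            issued.append(t)
    return issued


if __name__ == "__main__":
    times = [0, 30, 59, 60, 100, 130]
    for setting in (0, 60, -1):
        print(f"update-cookie = {setting:3d}: refreshed at {simulate(setting, times)}")
```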
[ltpa-cache] stanza

ltpa-cache-enabled

Syntax:
ltpa-cache-enabled = {yes|no}

Description:
Enables or disables the Lightweight Third Party Authentication cache.

Options:
yes
A value of yes enables caching.
no
A value of no disables caching.

Example:
ltpa-cache-enabled =

ltpa-cache-entry-idle-timeout

Syntax:
ltpa-cache-entry-idle-timeout = number_of_seconds

Description:
Integer value that specifies the timeout, in seconds, for cache entries that are idle.

Options:
number_of_seconds
Integer value that specifies the timeout, in seconds, for cache entries that are idle. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to inactivity. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage:
This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value:
600
Example:
ltpa-cache-entry-idle-timeout = 600

ltpa-cache-entry-lifetime

Syntax:
ltpa-cache-entry-lifetime = number_of_seconds

Description:
Integer value that specifies the lifetime, in seconds, of an LTPA cache entry.

Options:
number_of_seconds
Integer value that specifies the lifetime, in seconds, of an LTPA cache entry. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to their entry lifetime being exceeded. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage:
This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value:
3600

Example:
ltpa-cache-entry-lifetime = 3600

ltpa-cache-size

Syntax:
ltpa-cache-size = number_of_entries

Description:
Integer value indicating the number of entries allowed in the LTPA cache.

Options:
number_of_entries
Integer value indicating the number of entries allowed in the LTPA cache. The value must be greater than or equal to zero (0). A value of zero means that there is no limit on the size of the LTPA cache. This is not recommended. WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.
Usage:
This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value:
4096

Example:
ltpa-cache-size = 4096

[mpa] stanza

mpa

Syntax:
mpa = {yes|no}

Description:
Enables support for multiplexing proxy agents.

Options:
yes
Enables support for multiplexing proxy agents.
no
Disables support for multiplexing proxy agents.

Example:
mpa =

[oauth-eas] stanza

Notes:
- You can configure this stanza to support OAuth authorization decisions as part of WebSEAL requests. For more information about OAuth authorization decisions support, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
- The OAuth EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger, with an associated value of trigger_oauth_eas.

apply-tam-native-policy

Syntax:
apply-tam-native-policy = {true|false}
Description:
Determines whether the native Security Access Manager ACL policy still takes effect, in addition to the OAuth authorization.

Options:
true
The OAuth EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.
false
The OAuth EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
apply-tam-native-policy = false

bad-gateway-rsp-file

Syntax:
bad-gateway-rsp-file = <file_name>

Description:
Specifies the file that contains the body that is used when constructing a 502 Bad Gateway response. This response is generated when Tivoli Federated Identity Manager fails to process the request.

Options:
<file_name>
The name of the 502 Bad Gateway response file.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
bad-gateway-rsp-file = bad_gateway.html

bad-request-rsp-file

Syntax:
bad-request-rsp-file = <file_name>
Description:
Specifies the file that contains the body that is used when constructing a 400 Bad Request response. This response is generated when required OAuth elements are missing from a request.

Options:
<file_name>
The name of the 400 Bad Request response file.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
bad-request-rsp-file = bad_rqst.html

cache-size

Syntax:
cache-size = <number_decisions>

Description:
Specifies the maximum number of OAuth 2.0 bearer token authorization decisions to cache. This EAS has a built-in cache for storing authorization decisions so that WebSEAL can repeatedly use the same OAuth 2.0 bearer token without sending repeated requests to Tivoli Federated Identity Manager. WebSEAL can cache bearer token decisions because they do not require signing of the request, unlike OAuth 1.0 requests. The lifetime of the cache entry depends on the Expires attribute that Tivoli Federated Identity Manager returns. If Tivoli Federated Identity Manager does not return this attribute, WebSEAL does not cache the decision. This EAS implements a Least Recently Used cache. The decision associated with the least recently used bearer token is forgotten when a new bearer token decision is cached. A cache-size of 0 disables caching of authorization decisions.

Options:
<number_decisions>
The maximum number of OAuth 2.0 bearer token authorization decisions that WebSEAL caches.

Usage:
This stanza entry is optional.
Default value:
The default value is 0, which disables caching of authorization decisions.

Example:
cache-size = 0

cluster-name

Syntax:
cluster-name = <cluster>

Description:
The name of the Tivoli Federated Identity Manager cluster that hosts this OAuth service. You must also specify a corresponding [tfim-cluster:<cluster>] stanza, which contains the definition of the cluster.

Options:
<cluster>
The name of the Tivoli Federated Identity Manager cluster where the OAuth service is hosted.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
cluster-name = oauth-cluster
For this example, there needs to be a corresponding [tfim-cluster:oauth-cluster] stanza to define the cluster.

default-fed-id

Syntax:
default-fed-id = <provider_url>

Description:
The Provider ID of the default OAuth federation in Tivoli Federated Identity Manager. By default, WebSEAL uses this provider ID for OAuth requests. You can override this default provider for an individual request by including a request parameter that has the name specified by the fed-id-param configuration entry.
Options:
<provider_url>
The IP address for the federation provider that WebSEAL uses for OAuth requests. You can find the Provider ID of a federation on the federation properties page.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None

Example:
default-fed-id = https://localhost/sps/oauthfed/oauth10

default-mode

Syntax:
default-mode = <oauth_mode>

Description:
The default OAuth mode that this EAS uses. The mode affects the validation of request parameters and the construction of the RequestSecurityToken (RST) sent to Tivoli Federated Identity Manager. You can override this default mode for an individual request by providing a valid mode value [OAuth10|OAuth20Bearer] in a request parameter. The request parameter must have the name that is specified by the mode-param configuration entry.

Options:
<oauth_mode>
The OAuth mode that the OAuth EAS uses by default.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
default-mode = OAuth10

fed-id-param

Syntax:
fed-id-param = <request_param_name>
Description:
The name of the parameter that you can include in a request to override the Provider ID that is specified by the default-fed-id configuration entry. If this fed-id-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the Provider ID contained in the request rather than the default-fed-id Provider ID.

Note: You can delete this configuration entry to ensure that WebSEAL always uses the default provider that is specified by default-fed-id.

Options:
<request_param_name>
The name of the request parameter whose value specifies the Provider ID for WebSEAL to include in OAuth requests. If no such parameter exists in the request, WebSEAL uses the Provider ID specified by default-fed-id.

Usage:
This stanza entry is optional.
Note: If you do not configure this stanza entry, WebSEAL always uses the provider that is configured as the default-fed-id.

Default value:
None.

Example:
fed-id-param = FederationId

mode-param

Syntax:
mode-param = <mode_name>

Description:
The name of the parameter that you can include in a request to override the mode that is specified by the default-mode configuration entry. If this mode-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the mode contained in the request rather than the mode specified by default-mode.

Note: You can delete this configuration entry to ensure that WebSEAL always uses the default mode that is specified by default-mode.

Options:
<mode_name>
The name of the request parameter whose value specifies the mode for the OAuth EAS to use. If no such parameter exists in the request, WebSEAL uses the mode specified by default-mode.
Usage:
This stanza entry is optional.
Note: If you do not configure this stanza entry, WebSEAL always uses the mode that is configured as the default-mode.

Default value:
None.

Example:
mode-param = mode

realm-name

Syntax:
realm-name = <realm_name>

Description:
The name of the OAuth realm that is used in a 401 request for OAuth data.

Options:
<realm_name>
The name of the OAuth realm.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
realm-name = realmone

trace-component

Syntax:
trace-component = <component_name>

Description:
The name of the Security Access Manager trace component that the OAuth EAS uses.

Options:
<component_name>
The name of the Security Access Manager trace component.
Usage:
This stanza entry is required when configuring OAuth EAS authentication.
Note: The pdweb.oauth component traces the data that passes into the OAuth EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.

Default value:
None.

Example:
trace-component = pdweb.oauth

unauthorized-rsp-file

Syntax:
unauthorized-rsp-file = <file_name>

Description:
Specifies the file that contains the body that is used when constructing a 401 Unauthorized response. This response is generated when either of the following scenarios occurs:
- All OAuth data is missing from a request.
- The OAuth data fails validation.

Options:
<file_name>
The name of the 401 Unauthorized response file.

Usage:
This stanza entry is required when configuring OAuth EAS authentication.

Default value:
None.

Example:
unauthorized-rsp-file = unauth_response.html

[obligations-levels-mapping] stanza

obligation

Syntax:
<obligation> = <authentication-level>
Description:
Defines the mappings between the obligation levels that the policy decision point (PDP) returns and the WebSEAL step-up authentication levels. Include a separate entry for each obligation that runtime security services (RTSS) returns to the runtime security services EAS. The mapping between the obligation levels and the WebSEAL authentication levels must be one-to-one. The user must authenticate only through the appropriate obligation mechanisms. The runtime security services EAS maps the obligation to the authentication level specified in this stanza and requests WebSEAL to authenticate the user at that level.

Options:
<obligation>
The name of the obligation that RTSS returns to the runtime security services EAS.
<authentication-level>
The WebSEAL authentication level that the runtime security services EAS includes in the WebSEAL request. This value is a number that represents the authentication level in the [authentication-levels] stanza. Each entry in the [authentication-levels] stanza is assigned a number based on its position in the list; the first entry is level 0. For more information, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy and search for specifying authentication levels.

Default value:
None.

Example:
life_questions=2
otp=3
email=4
voice=5

[p3p-header] stanza

access

Syntax:
access = {none|all|nonident|contact-and-other|ident-contact|other-ident}

Description:
Specifies the type of access the user has to the information contained within and linked to the cookie.
Options:
none
No access to identified data is given.
all
Access is given to all identified data.
contact-and-other
Access is given to identified online and physical contact information as well as to certain other identified data.
ident-contact
Access is given to identified online and physical contact information. For example, users can access things such as a postal address.
nonident
Web site does not collect identified data.
other-ident
Access is given to certain other identified data. For example, users can access things such as their online account charges.

Default value:
none

Example:
access = none

categories

Syntax:
categories = {physical|online|uniqueid|purchase|financial|computer|navigation|interactive|demographic|content|state|political|health|preference|location|government|other-category}

Description:
Specifies the type of information stored in the cookie or linked to by the cookie. When the non-identifiable stanza entry is set to yes, then no categories need be configured.

Options:
physical
Information that allows an individual to be contacted or located in the physical world. For example, telephone number or address.
online
Information that allows an individual to be contacted or located on the Internet.
uniqueid
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual.
purchase
Information actively generated by the purchase of a product or service, including information about the method of payment.
financial
Information about an individual's finances, including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information.
computer
Information about the computer system that the individual is using to access the network. For example, IP number, domain name, browser type or operating system.
navigation
Data passively generated by browsing the Web site. For example, which pages are visited, and how long users stay on each page.
interactive
Data actively generated from or reflecting explicit interactions with a service provider through its site. For example, queries to a search engine, or logs of account activity.
demographic
Data about an individual's characteristics. For example, gender, age, and income.
content
The words and expressions contained in the body of a communication. For example, the text of email, bulletin board postings, or chat room communications.
state
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously. For example, HTTP cookies.
political
Membership in or affiliation with groups such as religious organizations, trade unions, professional associations and political parties.
health
Information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.
preference
Data about an individual's likes and dislikes. For example, favorite color or musical tastes.
location
Information that can be used to identify an individual's current physical location and track them as their location changes. For example, Global Positioning System position data.
government
Identifiers issued by a government for purposes of consistently identifying the individual.
other-category
Other types of data not captured by the above definitions.
Default value:
uniqueid

Example:
categories = uniqueid

disputes

Syntax:
disputes = {yes|no}

Description:
Specifies whether the full P3P policy contains some information regarding disputes over the information contained within the cookie.

Options:
yes
The value yes means that information about disputes is contained in the full P3P policy.
no
The value no means that no information about disputes is contained in the policy.

Example:
disputes =

non-identifiable

Syntax:
non-identifiable = {yes|no}

Description:
Specifies that no information in the cookie, or linked to by the cookie, personally identifies the user.

Options:
yes
No data is collected (including Web logs), or the information collected does not identify the user.
no
Data that is collected identifies the user.
Example:
non-identifiable =

p3p-element

Syntax:
p3p-element = policyref=location_of_policy_reference

Description:
Specifies elements to add to the P3P header in addition to the elements specified by the other configuration items in this stanza. Typically this is done by referring to the location of a full XML policy.

Options:
policyref=location_of_policy_reference
The default entry points to a default policy reference located on the World Wide Web Consortium Web site.

Default value:
policyref="/w3c/p3p.xml"

Example:
p3p-element = policyref="/w3c/p3p.xml"

purpose

Syntax:
purpose = {current|admin|develop|tailoring|pseudo-analysis|pseudo-decision|individual-analysis|individual-decision|contact|historical|telemarketing|other-purpose}[:[opt-in|opt-out|always]]

Description:
Specifies the purpose of the information in the cookie and linked to by the cookie.

Options:
current
Information can be used by the service provider to complete the activity for which it was provided.
admin
Information can be used for the technical support of the Web site and its computer system.
develop
Information can be used to enhance, evaluate, or otherwise review the site, service, product, or market.
tailoring
Information can be used to tailor or modify content or design of the site where the information is used only for a single visit to the site.
pseudo-analysis
Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purposes of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
pseudo-decision
Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
individual-analysis
Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting.
individual-decision
Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual.
contact
Information can be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service.
historical
Information can be archived or stored for the purpose of preserving social history as governed by an existing law or policy.
telemarketing
Information can be used to contact the individual through a voice telephone call for promotion of a product or service.
other-purpose
Information may be used in other ways not captured by the above definitions.

For all values except current, an additional option can be specified. The possible values are:
always
Users cannot opt-in or opt-out of this use of their data.
opt-in
Data may be used for this purpose only when the user affirmatively requests this use.
opt-out
Data may be used for this purpose unless the user requests that it not be used in this way.
When no additional option is specified, the default value is always.

Default value:
The default values are current and other-purpose:opt-in.

Example:
purpose = current
purpose = other-purpose:opt-in

recipient

Syntax:
recipient = {ours|delivery|same|unrelated|public|other-recipient}[:[opt-in|opt-out|always]]

Description:
Specifies the recipients of the information in the cookie, and linked to by the cookie.

Options:
ours
Ourselves and/or entities acting as our agents, or entities for whom we are acting as an agent. An agent is a third party that processes data only on behalf of the service provider.
delivery
Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose.
same
Legal entities following our practices. These are legal entities who use the data on their own behalf under equable practices.
unrelated
Unrelated third parties. These are legal entities whose data usage practices are not known by the original service provider.
public
Public forums. These are public forums such as bulletin boards, public directories, or commercial CD-ROM directories.
other-recipient
Legal entities following different practices. These are legal entities that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices.

For all values an additional option can be specified. The possible values are:
always
Users cannot opt-in or opt-out of this use of their data.
opt-in
Data may be used for this purpose only when the user affirmatively requests this use.
opt-out
Data may be used for this purpose unless the user requests that it not be used in this way.
When no additional option is specified, the default value is always.

Default value:
ours

Example:
recipient = ours
recipient = public:opt-in

remedies

Syntax:
remedies = {correct|money|law}

Description:
Specifies the types of remedies in case a policy breach occurs. When this entry has no value, there is no remedy information in the P3P compact policy.

Options:
correct
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
money
If the service provider violates its privacy policy it will pay the individual an amount specified in the human readable privacy policy or the amount of damages.
law
Remedies for breaches of the policy statement will be determined based on the law referenced in the human readable description.

Default value:
correct

Example:
remedies = correct
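To see what the [p3p-header] entries (access, categories, disputes, non-identifiable, p3p-element, purpose, recipient, remedies, and the retention entry that follows) produce together, the following added example (not IBM's code) parses a stanza fragment built from the default values on this page and emits the P3P header value. The compact-policy tokens (NOI, UNI, CUR, OTPi, ...) are the W3C P3P 1.0 compact policy vocabulary; that WebSEAL emits exactly these tokens is an assumption of the example.

```python
"""Build the P3P compact-policy header from [p3p-header] stanza entries.

Added example, not IBM's code. Token vocabulary: W3C P3P 1.0 compact
policies (assumed to be what WebSEAL emits). The stanza text below is
constructed from the defaults documented on this page.
"""
from collections import defaultdict

ACCESS = {"none": "NOI", "all": "ALL", "nonident": "NON",
          "contact-and-other": "CAO", "ident-contact": "IDC", "other-ident": "OTI"}
CATEGORIES = {"physical": "PHY", "online": "ONL", "uniqueid": "UNI", "purchase": "PUR",
              "financial": "FIN", "computer": "COM", "navigation": "NAV",
              "interactive": "INT", "demographic": "DEM", "content": "CNT",
              "state": "STA", "political": "POL", "health": "HEA", "preference": "PRE",
              "location": "LOC", "government": "GOV", "other-category": "OTC"}
PURPOSE = {"current": "CUR", "admin": "ADM", "develop": "DEV", "tailoring": "TAI",
           "pseudo-analysis": "PSA", "pseudo-decision": "PSD",
           "individual-analysis": "IVA", "individual-decision": "IVD",
           "contact": "CON", "historical": "HIS", "telemarketing": "TEL",
           "other-purpose": "OTP"}
RECIPIENT = {"ours": "OUR", "delivery": "DEL", "same": "SAM", "unrelated": "UNR",
             "public": "PUB", "other-recipient": "OTR"}
REMEDIES = {"correct": "COR", "money": "MON", "law": "LAW"}
RETENTION = {"no-retention": "NOR", "stated-purpose": "STP", "legal-requirement": "LEG",
             "business-practices": "BUS", "indefinitely": "IND"}
OPTION = {"always": "a", "opt-in": "i", "opt-out": "o"}


def parse_stanza(text: str) -> dict:
    """Parse 'key = value' lines; repeated keys (purpose, recipient, ...) accumulate."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries[key.strip()].append(value.strip())
    return entries


def qualified(value: str, table: dict, no_option=frozenset()) -> str:
    """Map 'name[:opt]' to TOKEN plus a/i/o; a missing option means always."""
    name, _, opt = value.partition(":")
    token = table[name]
    if name in no_option:                 # e.g. purpose 'current' takes no option
        if opt:
            raise ValueError(f"{name} takes no opt-in/opt-out/always option")
        return token
    return token + OPTION[opt or "always"]


def build_p3p_header(entries: dict) -> str:
    """Return the value of the P3P response header for the parsed stanza."""
    cp = [ACCESS[entries["access"][0]]]
    if entries.get("disputes", ["no"])[0] == "yes":
        cp.append("DSP")
    cp.extend(REMEDIES[v] for v in entries.get("remedies", []))
    if entries.get("non-identifiable", ["no"])[0] == "yes":
        cp.append("NID")
    # Page rule: every purpose except current may carry :opt-in/:opt-out/:always.
    cp.extend(qualified(v, PURPOSE, {"current"}) for v in entries.get("purpose", []))
    for v in entries.get("recipient", []):
        # The stanza accepts an option on every recipient; the W3C compact
        # vocabulary attaches a/i/o only to recipients other than ours.
        cp.append("OUR" if v.partition(":")[0] == "ours" else qualified(v, RECIPIENT))
    cp.extend(RETENTION[v] for v in entries.get("retention", []))
    cp.extend(CATEGORIES[v] for v in entries.get("categories", []))  # none needed if NID
    extra = entries.get("p3p-element", [])
    return ", ".join(extra + [f'CP="{" ".join(cp)}"'])


# Constructed stanza fragment using the default values listed on this page.
DEFAULT_STANZA = """
[p3p-header]
access = none
categories = uniqueid
disputes = no
non-identifiable = no
p3p-element = policyref="/w3c/p3p.xml"
purpose = current
purpose = other-purpose:opt-in
recipient = ours
remedies = correct
retention = no-retention
"""

if __name__ == "__main__":
    print("P3P: " + build_p3p_header(parse_stanza(DEFAULT_STANZA)))
```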
retention

Syntax:
retention = {no-retention|stated-purpose|legal-requirement|business-practices|indefinitely}

Description:
Specifies how long the information in the cookie or linked to by the cookie is retained.

Options:
no-retention
Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction.
stated-purpose
Information is retained to meet the stated purpose, and is to be discarded at the earliest time possible.
legal-requirement
Information is retained to meet a stated purpose, but the retention period is longer because of a legal requirement or liability.
business-practices
Information is retained under a service provider's stated business practices.
indefinitely
Information is retained for an indeterminate period of time.

Default value:
no-retention

Example:
retention = no-retention

[PAM] stanza

pam-enabled

Syntax:
pam-enabled = {true|false}

Description:
Enables or disables the IBM Internet Security Systems Protocol Analysis Module. The module inspects the HTTP content of selected requests, checking for potential security vulnerabilities.
true
    Enables the Protocol Analysis Module.
false
    Disables the Protocol Analysis Module.
Default value: false
Example:
pam-enabled = false

pam-max-memory
pam-max-memory = memory_size
The amount of memory, in bytes, that the IBM Internet Security Systems Protocol Analysis Module can use. The module uses this value to tune the size of its caches for the amount of available memory.
memory_size
    The amount of memory, in bytes, that is available to the module.
This stanza entry is optional.
Default value: None.
Example:
pam-max-memory = 16777216

pam-use-proxy-header
pam-use-proxy-header = {true|false}
Controls whether the Protocol Analysis Module uses the X-Forwarded-For header to identify the client. This configuration item is useful if a network-terminating proxy is located between the server and the client. If the value is set to false, the module identifies the client based on the socket connection information.
true
    The module uses the X-Forwarded-For header to identify the client.
false
    The module uses the available socket connection information to identify the client.
Default value: false
Example:
pam-use-proxy-header = false

pam-http-parameter
pam-http-parameter = parameter:value
Defines specific parameters for WebSEAL to pass to the Protocol Analysis Module HTTP interface during initialization. For a list of valid Protocol Analysis Module parameters, see the module documentation at http://www.iss.net/security_center/reference/help/pam.
Note: You can specify this configuration entry multiple times, one for each parameter.
parameter:value
    The Protocol Analysis Module parameter and its assigned value.
This stanza entry is optional.
Default value: None.
Example:
pam-http-parameter = param1:val1
pam-http-parameter = param2:val2

pam-coalescer-parameter
pam-coalescer-parameter = parameter:value
Defines specific parameters for WebSEAL to pass to the Protocol Analysis Module coalescer interface during initialization. The Protocol Analysis Module uses this interface to combine module-related issues into a single event. For a list of valid Protocol Analysis Module parameters, see the module documentation at http://www.iss.net/security_center/reference/help/pam.
Note: You can specify this configuration entry multiple times, one for each parameter.
parameter:value
    The Protocol Analysis Module parameter and its assigned value.
This stanza entry is optional.
Default value: None.
Example:
pam-coalescer-parameter = combine:on

pam-log-cfg
pam-log-cfg = agent [parameter=value],[parameter=value]...
Configures the IBM Internet Security Systems Protocol Analysis Module for logging. You can use the available parameters to configure the logging agents.
agent
    Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
    - stdout
    - stderr
    - file
    - remote
    - rsyslog
parameter
    The different agents support the following configuration parameters:

Table 2. Logging agent configuration parameters
Parameter        Supporting agents
buffer_size      remote
compress         remote
dn               remote
error_retry      remote, rsyslog
flush_interval   all
hi_water         all
log_id           file, rsyslog
max_event_len    rsyslog
mode             file
path             all
port             remote, rsyslog
queue_size       all
rebind_retry     remote, rsyslog
rollover_size    file
server           remote, rsyslog
ssl_keyfile      rsyslog
ssl_label        rsyslog
ssl_stashfile    rsyslog

Note: For a complete description of the available logging agents and the supported configuration parameters, see the IBM Security Access Manager for Web: Auditing Guide.
Default value: None.
Examples:
To send logging from the Protocol Analysis Module to a file called pam.log:
pam-log-cfg = file path=pam.log
To send logging from the module to a remote syslog server:
pam-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance

pam-log-audit-events
pam-log-audit-events = {true|false}
Specifies whether audit events are sent to the Protocol Analysis Module log file.
Note: You can use the pam-log-cfg entry in the [PAM] stanza to configure the log file for the module.
true
    The Protocol Analysis Module sends audit events to the log file.
    Note: This setting dramatically increases the number of logged events.
false
    The Protocol Analysis Module does not send audit events to the log file.
Default value: false
Example:
pam-log-audit-events = false

pam-disabled-issues
pam-disabled-issues = list_of_issues
Specifies a comma-separated list of Protocol Analysis Module issues to disable. By default, all Protocol Analysis Module issues are enabled.
list_of_issues
    A comma-separated list of Protocol Analysis Module issues. The module disables each issue in the list.
This stanza entry is optional.
Default value: None.
Example:
The following entry disables Ace_Filename_Overflow and HTTPS_Apache_ClearText_DoS.
pam-disabled-issues = 2121050,2114033

pam-resource-rule
pam-resource-rule = [+|-]{URI}
Specifies the rules that WebSEAL uses to determine whether to pass a particular resource down to the Protocol Analysis Module. WebSEAL examines each rule in sequence until a match is found. The first successful match determines whether WebSEAL passes the request to the module. WebSEAL does not pass the request to the module layer if no match is found.
You can define multiple resource rules. Each entry has the format [+|-]{URI}. For example, -*.gif.
+
    Configures WebSEAL to pass matching requests to the Protocol Analysis Module layer.
-
    Configures WebSEAL not to pass matching requests to the Protocol Analysis Module layer.
{URI}
    Contains a pattern that WebSEAL uses to match against the URI that is found in the request. You can use the wildcard characters * and ?.
This stanza entry is optional.
Default value: None.
Example:
pam-resource-rule = -*.gif
pam-resource-rule = +*.html

[pam-resource:<uri>] stanza
You can use this stanza to customize the Protocol Analysis Module processing for individual resources and events. The <URI> value contains a pattern that WebSEAL can match against the URI that is found in the request. You can use the wildcard characters * and ?. For example, [pam-resource:test.html] or [pam-resource:*.js].

pam-issue
pam-issue = action
You can use the entries in this stanza to control the processing of certain module-related events.
pam-issue
    Contains a pattern, which WebSEAL uses to match a Protocol Analysis Module issue. You can use the wildcard characters * and ?.
action
    The action to undertake for the issue. The action can be either of the following values:
    block
        Blocks the connection for a specified number of seconds. For example, block:30.
    ignore
        Ignores the issue and continues to process the request.
Default value: None.
Example:
212105? = block:0
2119002 = block:20

[preserve-cookie-names] stanza

name
name = cookie_name
List of specific cookie names that WebSEAL must not modify.
WebSEAL, by default, modifies the names of cookies returned in responses from junctions created with pdadmin using the -j flag. WebSEAL also, by default, modifies the names of cookies listed in the junction mapping table (JMT). This default modification is done to prevent naming conflicts with cookies returned by other junctions.
When a front-end application depends on the names of specific cookies, the administrator can disable the modification of cookie names for those specific cookies. The administrator does this by listing the cookies in this stanza.
cookie_name
    When entering a value for cookie_name, use ASCII characters.
This stanza entry is optional.
Default value: There are no cookie names set by default.
Example:
name = JSESSIONID
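The following Python program is an added illustration of the first-match evaluation described for pam-resource-rule and of the pam-issue overrides in a [pam-resource:<uri>] stanza; it is not part of the IBM reference and is not WebSEAL code. The rule and issue entries are constructed samples (the issue ids 212105? and 2119002 come from the examples above, 21* is invented), and treating the first matching pam-issue pattern as the one that applies is an assumption of this example, not a statement from the reference.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample [PAM] entries (not from the IBM reference).
RESOURCE_RULES = ["-*.gif", "-*.css", "+/app/*", "+*.html"]
# Constructed sample [pam-resource:*.html] entries; "21*" is an invented pattern.
ISSUE_ACTIONS = ["212105? = block:0", "2119002 = block:20", "21* = ignore"]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a WebSEAL-style pattern, where only * and ? are special, into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def parse_resource_rules(entries: List[str]) -> List[Tuple[bool, "re.Pattern[str]"]]:
    """Parse pam-resource-rule values of the form [+|-]{URI}, keeping configuration order."""
    rules = []
    for entry in entries:
        entry = entry.strip()
        if len(entry) < 2 or entry[0] not in "+-":
            raise ValueError(f"malformed pam-resource-rule: {entry!r}")
        rules.append((entry[0] == "+", wildcard_to_regex(entry[1:])))
    return rules


def passes_to_pam(uri: str, rules) -> bool:
    """The first matching rule decides; with no match the request is not passed to the module."""
    for pass_through, regex in rules:
        if regex.match(uri):
            return pass_through
    return False


def parse_pam_issue_actions(entries: List[str]):
    """Parse pam-issue lines: '<issue-pattern> = block:<seconds>' or '<issue-pattern> = ignore'."""
    parsed: List[Tuple["re.Pattern[str]", str, Optional[int]]] = []
    for entry in entries:
        pattern, _, action = (s.strip() for s in entry.partition("="))
        if action == "ignore":
            parsed.append((wildcard_to_regex(pattern), "ignore", None))
        elif action.startswith("block:") and action[6:].isdigit():
            parsed.append((wildcard_to_regex(pattern), "block", int(action[6:])))
        else:
            raise ValueError(f"unsupported pam-issue action: {entry!r}")
    return parsed


def action_for_issue(issue_id: str, actions) -> Optional[Tuple[str, Optional[int]]]:
    """Assumption: the first pattern that matches the issue id wins; None means no override."""
    for regex, action, seconds in actions:
        if regex.match(issue_id):
            return (action, seconds)
    return None


if __name__ == "__main__":
    rules = parse_resource_rules(RESOURCE_RULES)
    for uri in ("/images/logo.gif", "/app/style.css", "/app/login.html", "/api/data.json"):
        print(f"{uri:20} -> passed to PAM: {passes_to_pam(uri, rules)}")
    actions = parse_pam_issue_actions(ISSUE_ACTIONS)
    for issue in ("2121050", "2119002", "2114033", "3000000"):
        print(f"issue {issue} -> {action_for_issue(issue, actions)}")
```

Because evaluation stops at the first match, the order of pam-resource-rule entries matters: with the sample rules, /app/style.css is excluded by -*.css even though +/app/* follows it.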
[process-root-filter] stanza

root
root = pattern
Specifies the patterns for which you want root junction requests processed at the root junction when process-root-requests = filter.
pattern
    Values for pattern must be standard WebSEAL wildcard patterns.
Entries in this stanza are required when process-root-requests = filter.
Default value:
root = /index.html
root = /cgi-bin*
Example:
root = /index.html
root = /cgi-bin*

[reauthentication] stanza

reauth-at-any-level
reauth-at-any-level = {yes|no}
Controls whether a different authentication level or mechanism is permitted during a reauthentication operation.
yes
    During a reauthentication operation, a user can be authenticated using a different authentication level or mechanism from that which is currently held by the user. The user's new credential replaces the old one.
    Note: If this configuration option is set to yes, the credential can change one or more times during the lifetime of the session. Also, the credential will always be updated upon a successful reauthentication regardless of the existing authentication level of the credential.
no
    During a reauthentication operation, a user can only be authenticated at the same authentication level or mechanism as the user's current credential.
Example:
reauth-at-any-level =

reauth-extend-lifetime
reauth-extend-lifetime = number_of_seconds
Integer value expressing the time in seconds that the credential cache timer should be extended to allow clients to complete a reauthentication.
number_of_seconds
    When the value is zero (0), the lifetime timer is not extended. WebSEAL imposes no maximum. The maximum value is limited only by the integer data type.
Default value: 0
Example:
reauth-extend-lifetime = 0

reauth-for-inactive
reauth-for-inactive = {yes|no}
Enables WebSEAL to prompt users to reauthenticate when their entry in the WebSEAL credential cache has timed out due to inactivity.
yes
    Enable reauthentication.
no
    Disable reauthentication.
Example:
reauth-for-inactive =

reauth-reset-lifetime
reauth-reset-lifetime = {yes|no}
Enables WebSEAL to reset the lifetime timer for WebSEAL credential cache entries following successful reauthentication.
yes
    Enable.
no
    Disable.
Example:
reauth-reset-lifetime =

terminate-on-reauth-lockout
terminate-on-reauth-lockout = {yes|no}
Specifies whether or not to remove the session cache entry of a user who reaches the max-login-failures policy limit during reauthentication.
yes
    When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is logged out and the user's session is removed.
no
    When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is locked out as specified by the disable-time-interval setting, and notified of the lockout as specified by the late-lockout-notification setting. The user is not logged out and the initial login session is still valid. The user can still access other resources that are not protected by a reauthn POP.
Example:
terminate-on-reauth-lockout =

[replica-sets] stanza

replica-set
replica-set = replica_set_name
If WebSEAL is configured to use the SMS for session storage, the WebSEAL server joins each of the replica sets listed in this stanza. The entries listed here must be replica sets configured on the SMS.
replica_set_name
    Replica set name.
This stanza entry is optional.
Default value: None.
Example:
replica-set = seta

[rtss-eas] stanza
You can use the rtss-eas configuration stanza to configure the EAS that communicates with the RBA server. The runtime security services EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger with an associated value of trigger_rba_eas.
apply-tam-native-policy
apply-tam-native-policy = {true|false}
Determines whether the IBM Security Access Manager for Web ACL policy takes effect.
true
    The runtime security services EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.
false
    The runtime security services EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.
Default value: None.
Example:
apply-tam-native-policy = true

audit-log-cfg
audit-log-cfg = <agent>[<parameter>=<value>],[<parameter>=<value>],...
Configures audit logging for the runtime security service. You can use the available parameters to configure the logging agents.
<agent>
    Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
    - stdout
    - stderr
    - file
    - remote
    - rsyslog
<parameter>
    The different agents support the following configuration parameters:
Table 3. Logging agent configuration parameters
Parameter        Supporting agents
buffer_size      remote
compress         remote
dn               remote
error_retry      remote, rsyslog
flush_interval   all
hi_water         all
log_id           file, rsyslog
max_event_len    rsyslog
mode             file
path             all
port             remote, rsyslog
queue_size       all
rebind_retry     remote, rsyslog
rollover_size    file
server           remote, rsyslog
ssl_keyfile      rsyslog
ssl_label        rsyslog
ssl_stashfile    rsyslog

Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.
This stanza entry is optional.
Note: You must configure this attribute if you want WebSEAL to log runtime security audit events. If there is no value set, then WebSEAL does not log any audit events for the runtime security service.
Default value: None.
Examples:
To log audit events in a file called rtss-audit.log:
audit-log-cfg = file path=/tmp/rtss-audit.log,flush_interval=20,rollover_size=2000000,queue_size=48
To send audit logs to STDOUT:
audit-log-cfg = stdout
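Both pam-log-cfg (Table 2) and audit-log-cfg (Table 3) use the same "agent parameter=value,..." syntax and the same agent/parameter table. The following Python checker is an added example, not IBM or WebSEAL code: it parses a value in that syntax and rejects an unknown agent, a malformed item, an unknown parameter, or a parameter the chosen agent does not support according to the table. The table contents are transcribed from Tables 2 and 3 above; the values exercised in the usage section are the reference's own examples plus constructed invalid ones.

```python
from typing import Dict, Optional, Tuple

# The five logging agents listed for pam-log-cfg and audit-log-cfg.
AGENTS = frozenset({"stdout", "stderr", "file", "remote", "rsyslog"})

# Supporting agents per parameter, transcribed from Table 2 / Table 3.
# "all" in the table is represented by the full AGENTS set.
PARAM_AGENTS = {
    "buffer_size": {"remote"},
    "compress": {"remote"},
    "dn": {"remote"},
    "error_retry": {"remote", "rsyslog"},
    "flush_interval": AGENTS,
    "hi_water": AGENTS,
    "log_id": {"file", "rsyslog"},
    "max_event_len": {"rsyslog"},
    "mode": {"file"},
    "path": AGENTS,
    "port": {"remote", "rsyslog"},
    "queue_size": AGENTS,
    "rebind_retry": {"remote", "rsyslog"},
    "rollover_size": {"file"},
    "server": {"remote", "rsyslog"},
    "ssl_keyfile": {"rsyslog"},
    "ssl_label": {"rsyslog"},
    "ssl_stashfile": {"rsyslog"},
}


def parse_log_cfg(value: str) -> Tuple[str, Dict[str, str]]:
    """Parse '<agent> [<parameter>=<value>],...' and validate it against the table.

    Whitespace around commas is tolerated (the reference's own example wraps
    after a comma); everything else is checked strictly.
    """
    fields = value.strip().split(None, 1)
    if not fields:
        raise ValueError("empty log configuration")
    agent = fields[0]
    if agent not in AGENTS:
        raise ValueError(f"unknown logging agent: {agent!r}")
    params: Dict[str, str] = {}
    if len(fields) == 2:
        for item in fields[1].split(","):
            item = item.strip()
            if not item:
                continue
            name, sep, val = item.partition("=")
            name, val = name.strip(), val.strip()
            if not sep or not name or not val:
                raise ValueError(f"malformed parameter: {item!r}")
            supported = PARAM_AGENTS.get(name)
            if supported is None:
                raise ValueError(f"unknown parameter: {name!r}")
            if agent not in supported:
                raise ValueError(f"parameter {name!r} is not supported by agent {agent!r}")
            params[name] = val
    return agent, params


def check_log_cfg(value: str) -> Optional[str]:
    """Return None when the value is valid, otherwise the validation message."""
    try:
        parse_log_cfg(value)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # The reference's own examples, followed by constructed invalid values.
    for cfg in (
        "file path=/tmp/rtss-audit.log,flush_interval=20, rollover_size=2000000,queue_size=48",
        "stdout",
        "rsyslog server=timelord,port=514,log_id=webseal-instance",
        "stdout rollover_size=2000000",   # constructed: rollover_size is file-only
        "syslog server=timelord",         # constructed: no such agent
    ):
        print(f"{cfg!r}: {check_log_cfg(cfg) or 'ok'}")
```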
cluster-name
cluster-name = <cluster_name>
The name of the runtime security services SOAP cluster that hosts this runtime security SOAP service. You must also specify a corresponding [rtss-cluster:<cluster>] stanza, which contains the definition of the cluster.
<cluster_name>
    The name of the runtime security services SOAP cluster where the runtime security SOAP service is hosted.
Default value: None.
Example:
cluster-name = cluster1
For this example, there needs to be a corresponding [rtss-cluster:cluster1] stanza to define the cluster.

context-id
context-id = <service_name>
Specifies the context-id that the runtime security services EAS uses when sending XACML requests to runtime security services (RTSS). This value must match the service name of the deployed policy.
Note: If the context-id parameter is not set, it defaults to the WebSEAL server name.
<service_name>
    The context-id that the EAS uses to send XACML requests to RTSS.
This stanza entry is optional.
Default value: If there is no value provided for this parameter, it defaults to the WebSEAL server name.
Example:
context-id = webseal.ibm.com

trace-component
trace-component = <component_name>
Specifies the name of the Security Access Manager trace component that the EAS uses.
<component_name>
    The name of the Security Access Manager trace component.
Note: The configured component traces the data that passes into the runtime security services EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.
Default value: None.
Example:
trace-component = pdweb.rtss

[rtss-cluster:<cluster>] stanza
This stanza contains the configuration entries for the runtime security services SOAP servers.

basic-auth-user
basic-auth-user = <user_name>
Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.
<user_name>
    The user name for WebSEAL to include in the basic authentication header.
This stanza entry is optional.
Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.
Default value: None.
Example:
basic-auth-user = usera

basic-auth-passwd
basic-auth-passwd = <password>
Specifies the password for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.
<password>
    The password that WebSEAL includes in the basic authentication header.
This stanza entry is optional.
Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.
Default value: None.
Example:
basic-auth-passwd = password

handle-idle-timeout
handle-idle-timeout = <number>
Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.
<number>
    Length of time, in seconds, before an idle handle is removed from the handle pool cache.
Default value: None.
Example:
handle-idle-timeout = 240

handle-pool-size
handle-pool-size = <number>
The maximum number of cached handles that WebSEAL uses to communicate with runtime security services SOAP.
<number>
    The maximum number of handles that WebSEAL uses for runtime security services SOAP communication.
Default value: None.
Example:
handle-pool-size = 10

server
server = {[0-9],}<URL>
Specifies a priority level and URL for each runtime security services SOAP server that is a member of this cluster. Multiple server entries can be specified for a given cluster for failover and load balancing.
[0-9]
    A digit, 0-9, that represents the priority of the server in the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.
<URL>
    A well-formed HTTP or HTTPS uniform resource locator for the runtime security services (RTSS).
    Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.
Default value: None.
Example:
server = 9,http://localhost:9080/rtss/authz/services/AuthzService

ssl-fips-enabled
ssl-fips-enabled = {yes|no}
Determines whether Federal Information Processing Standards (FIPS) mode is enabled with runtime security services SOAP.
Note: If no configuration entry is present, the setting from the global setting, determined by the Access Manager policy server, takes effect.
yes
    FIPS mode is enabled.
no
    FIPS mode is disabled.
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
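The following Python program is an added illustration of the server entry syntax {[0-9],}<URL> described above; it is not part of the IBM reference and is not WebSEAL code. It parses each entry (an omitted priority becomes 9, a space after the comma is rejected), orders the cluster highest priority first for failover, and reports whether any member uses HTTPS, which is the first of the two conditions under which the ssl-* entries of this stanza become required. Apart from the reference's own localhost example, the host names are constructed.

```python
from typing import List, Tuple
from urllib.parse import urlsplit


def parse_server_entry(value: str) -> Tuple[int, str]:
    """Parse one server = {[0-9],}<URL> value into (priority, url).

    A missing priority means 9. A space after the comma is rejected, because
    the reference states there can be none.
    """
    value = value.strip()
    if len(value) > 1 and value[0].isdigit() and value[1] == ",":
        priority, url = int(value[0]), value[2:]
        if url != url.lstrip():
            raise ValueError(f"no space is allowed between the comma and the URL: {value!r}")
    else:
        priority, url = 9, value
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a well-formed HTTP or HTTPS URL: {url!r}")
    return priority, url


def failover_order(entries: List[str]) -> List[str]:
    """Order the cluster's servers highest priority first; ties keep configuration order."""
    parsed = [parse_server_entry(e) for e in entries]
    return [url for _, url in sorted(parsed, key=lambda p: -p[0])]


def cluster_uses_ssl(entries: List[str]) -> bool:
    """True when at least one server entry uses HTTPS."""
    return any(urlsplit(url).scheme == "https" for _, url in map(parse_server_entry, entries))


if __name__ == "__main__":
    # Constructed [rtss-cluster:cluster1] server entries; only the first is from the reference.
    cluster = [
        "9,http://localhost:9080/rtss/authz/services/AuthzService",
        "5,https://rtss-standby.example.test/rtss/authz/services/AuthzService",
        "https://rtss-primary.example.test/rtss/authz/services/AuthzService",  # priority 9 assumed
    ]
    print("failover order:")
    for url in failover_order(cluster):
        print("  ", url)
    print("cluster needs ssl-* entries considered:", cluster_uses_ssl(cluster))
```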
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Note: If you want to use a FIPS level that is different to the Access Manager policy server, edit the configuration file and specify a value for this entry.
Default value: None.
Example:
ssl-fips-enabled =

ssl-keyfile
ssl-keyfile = <file_name>
The name of the key database file that houses the client certificate for WebSEAL to use.
<file_name>
    The name of the key database file that houses the client certificate for WebSEAL to use.
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value: None.
Example:
ssl-keyfile = file_name

ssl-keyfile-label
ssl-keyfile-label = <label_name>
The label of the client certificate in the key database.
<label_name>
    Client certificate label name.
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value: None.
Example:
ssl-keyfile-label = label_name

ssl-keyfile-stash
ssl-keyfile-stash = <file_name>
The name of the password stash file for the key database file.
<file_name>
    The name of the password stash file for the key database file.
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value: None.
Example:
ssl-keyfile-stash = file_name

ssl-valid-server-dn
ssl-valid-server-dn = <DN-value>
Specifies the distinguished name of the server (obtained from the server SSL certificate) that WebSEAL can accept.
<DN-value>
    The distinguished name of the server (obtained from the server SSL certificate) that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value: None.
Example:
ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US

timeout
timeout = <seconds>
The length of time (in seconds) to wait for a response from runtime security services SOAP.
<seconds>
    The length of time (in seconds) to wait for a response from runtime security services SOAP.
Default value: None.
Example:
timeout = 240

[script-filtering] stanza

hostname-junction-cookie
hostname-junction-cookie = {yes|no}
Enables WebSEAL to uniquely identify the cookie used for resolving unfiltered links. This is used when another WebSEAL server has created a junction to this WebSEAL server, using a WebSEAL-to-WebSEAL junction.
yes
    Enable.
no
    Disable.
This stanza entry is optional, but it is included by default in the configuration file.
Example:
hostname-junction-cookie =

rewrite-absolute-with-absolute
rewrite-absolute-with-absolute = {yes|no}
Enables WebSEAL to rewrite absolute URLs with new absolute URLs that contain the protocol, host, and (optionally) port that represent how the user accessed the WebSEAL server.
yes
    Enable.
no
    Disable.
This stanza entry is optional. There is no default value, but if the entry is not specified in this configuration file, WebSEAL assumes the value is.
Example:
rewrite-absolute-with-absolute =

script-filter
script-filter = {yes|no}
Enables or disables script filtering support. When enabled, WebSEAL can filter absolute URLs encountered in scripts such as JavaScript. A value of yes means enabled. A value of no means disabled.
This stanza entry is optional, but is included by default. When it is not declared, the value for the script-filter functionality is by default.
Example:
script-filter =
[server] stanza

allow-shift-jis-chars
allow-shift-jis-chars = {yes|no}
Specifies whether junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.
yes
    Junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.
no
    Junction file and path names using Shift-JIS multibyte characters containing the single-byte character '\' will be rejected.
Example:
allow-shift-jis-chars =

allow-unauth-ba-supply
allow-unauth-ba-supply = {yes|no}
This parameter determines access to -b supply junctions by unauthenticated users. By default, unauthenticated users are required to log in before accessing any resource located on a junctioned server where that junction was created with the -b supply argument.
yes
    When allow-unauth-ba-supply is set to yes, unauthenticated users can access -b supply junctions. The basic authentication header supplied by WebSEAL in the forwarded request contains the string unauthenticated for the value of the header.
no
    When allow-unauth-ba-supply is set to no, unauthenticated users cannot access -b supply junctions. Users receive a login prompt.
Example:
allow-unauth-ba-supply =

allow-unsolicited-logins
allow-unsolicited-logins = {yes|no}
This parameter controls whether WebSEAL accepts unsolicited authentication requests. If this parameter is set to no, WebSEAL accepts a login request only if WebSEAL sent the login form to the client to prompt authentication.
yes
    When allow-unsolicited-logins is set to yes, WebSEAL accepts unsolicited logins.
no
    When allow-unsolicited-logins is set to no, WebSEAL does not accept unsolicited logins. This setting ensures that WebSEAL always issues a login form to the client as part of the authentication process.
This stanza entry is optional.
Example:
allow-unsolicited-logins =

auth-challenge-type
auth-challenge-type = list
Contains a comma-separated list of authentication types that is used when challenging a client for authentication information. Each authentication type can be customized for particular user agent strings. For more information about authentication challenges based on the user agent, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [server:{jct_id}] stanza.
Here, {jct_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
list
    A comma-separated list of authentication types that is used when challenging a client for authentication information. The supported authentication types include:
    - ba
    - forms
    - cert
    - eai
    The corresponding authentication configuration entry (for example, ba-auth) must be enabled for each specified authentication challenge type.
    Each authentication type can also be qualified with a set of rules to specify the user agents that receive a given challenge type. These rules are separated by semicolons and placed inside square brackets preceding the authentication type. Each rule consists of a plus (+) or minus (-) symbol to indicate inclusion or exclusion, and the pattern to match on. The pattern can include:
    - Alphanumeric characters
    - Spaces
    - Periods (.)
    - Wildcard characters, such as the question mark (?) and asterisk (*)
This stanza entry is optional.
Default value: By default, the list of authentication challenge types matches the list of configured authentication mechanisms.
Examples:
auth-challenge-type = ba
auth-challenge-type = forms
auth-challenge-type = ba, forms
auth-challenge-type = [-msie;+ms]ba, [+mozilla*;+*explorer*]forms

cache-host-header
cache-host-header = {yes|no}
This configuration option determines whether WebSEAL caches the host and protocol of the original request.
By default, when caching an original request, WebSEAL only caches the URL. That is, WebSEAL does not cache the host and protocol of the original request. In this case, when returning a redirect to the original URL, WebSEAL simply redirects to
the current host. This causes problems if a request for a protected resource on one virtual host, hosta, results in an authentication operation being processed on a different virtual host, hostb. In this case, the client is incorrectly redirected to hostb rather than hosta. This behavior can be corrected by enabling this stanza entry so that WebSEAL can cache the host and protocol of the original request to be used for redirection.
yes
    WebSEAL caches the host and protocol of the original request in addition to the URL. In this case:
    - Both the host and protocol are cached and used in redirects. They cannot be separately managed.
    - The protocol is not cached if the host header is not present.
    - Requests will only be recovered from the cache if the protocol, the host and the URL all match the original request.
    Limitations associated with this caching behavior:
    - The contents of the existing URL macro will not include the protocol and host. No new macros have been added to represent these elements.
    - It is not possible to specify a protocol and host when a switch user administrator specifies a URL.
no
    WebSEAL only caches the URL associated with the original request and redirects to the current host.
This stanza entry is optional.
Example:
cache-host-header =

capitalize-content-length
capitalize-content-length = {yes|no}
This parameter determines whether WebSEAL uses capitalized first letters in the content-length header. That is, whether the name of the HTTP content-length header is Content-Length or content-length.
Note: The Documentum client application expects the name of the HTTP content-length header to be Content-Length, with a capitalized "C" and "L".
yes
    WebSEAL uses the Documentum-compliant header name Content-Length.
no
    WebSEAL uses all lower case for the content-length header. That is, content-length.
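The following Python program is an added example that parses the auth-challenge-type list format described earlier in this stanza (a comma-separated list of ba, forms, cert or eai, each optionally preceded by semicolon-separated +/- user-agent rules in square brackets). It is not part of the IBM reference and is not WebSEAL code: it only validates the syntax and the character set the reference allows in a pattern, and checks that every listed type has its mechanism enabled; it does not evaluate the rules against a User-Agent header, because the reference does not define that matching. The mapping from challenge type to its configuration entry (such as ba to ba-auth) is not modelled; the caller passes the set of enabled types.

```python
from typing import List, Set, Tuple

# Challenge types the reference lists as supported.
SUPPORTED_TYPES = ("ba", "forms", "cert", "eai")

Rule = Tuple[bool, str]              # (include?, user-agent pattern)
Challenge = Tuple[str, List[Rule]]   # (auth type, rules; an empty list means unqualified)


def _valid_pattern(pattern: str) -> bool:
    """Only alphanumerics, spaces, periods, ? and * are allowed in a rule pattern."""
    return bool(pattern) and all(c.isalnum() or c in " .?*" for c in pattern)


def parse_auth_challenge_type(value: str) -> List[Challenge]:
    """Parse a value such as '[-msie;+ms]ba, [+mozilla*;+*explorer*]forms'."""
    challenges: List[Challenge] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in auth-challenge-type: {value!r}")
        rules: List[Rule] = []
        if item.startswith("["):
            close = item.find("]")
            if close < 0:
                raise ValueError(f"unterminated rule list: {item!r}")
            for raw in item[1:close].split(";"):
                raw = raw.strip()
                if len(raw) < 2 or raw[0] not in "+-":
                    raise ValueError(f"rule must start with + or - and carry a pattern: {raw!r}")
                pattern = raw[1:]
                if not _valid_pattern(pattern):
                    raise ValueError(f"pattern contains characters outside the allowed set: {pattern!r}")
                rules.append((raw[0] == "+", pattern))
            item = item[close + 1:].strip()
        if item not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported authentication type: {item!r}")
        challenges.append((item, rules))
    return challenges


def types_missing_mechanism(challenges: List[Challenge], enabled_types: Set[str]) -> List[str]:
    """Challenge types whose corresponding authentication mechanism is not enabled."""
    return sorted({auth_type for auth_type, _ in challenges if auth_type not in enabled_types})


if __name__ == "__main__":
    # The reference's own example values, then a constructed check against an
    # assumed set of enabled mechanisms (ba and forms only).
    for cfg in ("ba", "forms", "ba, forms", "[-msie;+ms]ba, [+mozilla*;+*explorer*]forms"):
        print(f"{cfg!r} -> {parse_auth_challenge_type(cfg)}")
    parsed = parse_auth_challenge_type("ba, forms, eai")
    print("types without an enabled mechanism:", types_missing_mechanism(parsed, {"ba", "forms"}))
```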
This stanza entry is optional.
Example:
capitalize-content-length =

client-connect-timeout
client-connect-timeout = number_of_seconds
After the initial connection handshake has occurred, this parameter dictates how long (in seconds) WebSEAL holds the connection open for the initial HTTP or HTTPS request.
number_of_seconds
    Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.
Default value: 120
Example:
client-connect-timeout = 120

chunk-responses
chunk-responses = {yes|no}
Enables WebSEAL to write chunked data to HTTP/1.1 clients. This can improve performance by allowing connections to be reused even when the exact response length is not known before the response is written.
yes
    Enable.
no
    Disable.
Example:
chunk-responses =

concurrent-session-threads-hard-limit
concurrent-session-threads-hard-limit = number_of_threads
The maximum number of concurrent threads that a single user session can consume. When a user session reaches its thread limit, WebSEAL stops processing any new requests for the user session and returns an error to the client. If you do not specify a value for this entry, there is no limit to the number of concurrent threads that a user session can consume.
number_of_threads
    The maximum number of concurrent threads that a single user session can consume before WebSEAL returns an error.
This stanza entry is optional.
Default value: Unlimited.
Example:
concurrent-session-threads-hard-limit = 10

concurrent-session-threads-soft-limit
concurrent-session-threads-soft-limit = number_of_threads
The maximum number of concurrent threads that a single user session can consume before WebSEAL generates warning messages. WebSEAL continues processing requests for this session until it reaches the configured concurrent-session-threads-hard-limit (also in the [server] stanza).
number_of_threads
    Integer value representing the maximum number of concurrent threads that a single session can consume before WebSEAL generates warning messages.
This stanza entry is optional.
Default value: Unlimited.
Example:
concurrent-session-threads-soft-limit = 5

connection-request-limit
connection-request-limit = number_of_requests
Specifies the maximum number of requests that will be processed on a single persistent connection.
number_of_requests
    The maximum number of requests that will be processed on a single persistent connection.
Default value: 100
Example:
connection-request-limit = 100

cope-with-pipelined-request
cope-with-pipelined-request = {yes|no}
WebSEAL does not support pipelined requests from browsers. If this option is set to yes, when WebSEAL detects pipelined requests it will close the connection and inform the browser that it should re-send the pipelined requests in a normal
manner. This parameter should always be set to unless the previous WebSEAL behavior is required. Enable. Disable. cope-with-pipelined-request = decode-query decode-query = { } Validates the query string in requests according to the utf8-qstring-supportenabled parameter. When decode-query is set to WebSEAL validates the query string in requests according to the utf8-qstring-support-enabled parameter. Otherwise, WebSEAL does t validate the query string. When decode-query is set to, then dynurl must be disabled. decode-query = disable-timeout-reduction disable-timeout-reduction = { } Stanza reference 233
By default, WebSEAL automatically reduces the timeout duration for threads as the number of in-use worker threads increases. The timeout duration is the maximum length of time that a persistent connection with the client can remain inactive before WebSEAL terminates the connection. This configuration option determines whether WebSEAL reduces the timeout duration to help control the number of active worker threads. This option is available on all platforms. Disables the timeout reduction done by WebSEAL as the number of worker threads in-use increases. WebSEAL performs timeout reduction as the number of worker threads in-use increases. This stanza entry is optional. disable-timeout-reduction = See also max-file-descriptors on page 245 double-byte-encoding double-byte-encoding = { } Specifies whether WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do t contain UTF-8 characters. WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do t contain UTF-8 characters. WebSEAL does t assume that encoded characters within URLs are always encoded in Unicode, and do t contain UTF-8 characters. 234 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
double-byte-encoding = dynurl-allow-large-posts dynurl-allow-large-posts = { } Allows or disallows POST requests larger than the current value for the stanza entry request-body-max-read in the [server] stanza. When set to, WebSEAL compares only up to request-body-max-read bytes of POST request to the URL mappings contained in dynurl configuration file (dynurl.conf). When set to, WebSEAL disallows POST requests with a body larger than request-body-max-read. dynurl-map dynurl-allow-large-posts = dynurl-map = file_name Specifies the file that contains mappings for URLs to protected objects. file_name The name of the file that contains mappings for URLs to protected objects. This stanza entry is optional. Stanza reference 235
None, but this entry is usually configured to dynurl.conf. dynurl-map = dynurl.conf enable-ie6-2gb-downloads enable-ie6-2gb-downloads = { } Allows you to disable the HTTP Keep-Alives Enabled option for responses sent back to Internet Explorer, version 6, client browsers. The primary purpose of this is to allow WebSEAL to mimic the Internet Information Services workaround published at http://support.microsoft.com/kb/298618. This will allow clients using Microsoft Internet Explorer, version 6.0, to download files greater than 2GB, but less than 4GB. NOTE: v This stanza entry is t necessary for Internet Explorer 7 or for other n-microsoft browsers. v Enabling this workaround will cause WebSEAL to t use persistent connections for Internet Explorer, version 6, client connections when the data to be returned in the response is >= 2GB in length. Disables the HTTP Keep-Alives Enabled option, allowing clients using Internet Explorer, version 6, to download files greater than 2GB, but less than 4GB. The HTTP Keep-Alives Enabled is t disabled. This stanza entry is optional. enable-ie6-2gb-downloads = filter-nhtml-as-xhtml filter-nhtml-as-xhtml = { } 236 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza. Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza Disable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza filter-nhtml-as-xhtml = force-tag-value-prefix force-tag-value-prefix = { } Determines whether each attribute name set in a junction object's HTTP-Tag-Value is automatically prefixed with "tagvalue_" before it is placed in the credential. This prohibits access to credential attributes that do t have names beginning with "tagvalue_" such as AUTHENTICATION_LEVEL. When this options set to, the automatic prefixing of "tagvalue_" will t occur so that all credential attributes can be specified in HTTP-Tag-Value. Enable the automatic prefixing of "tagvalue_" to each attribute name set in a junction object's HTTP-Tag-Value. Disable the automatic prefixing of "tagvalue_" so that all credential attributes can be specified in HTTP-Tag-Value. force-tag-value-prefix = Stanza reference 237
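The following Python model, added here as an illustration and not part of WebSEAL or this reference, shows what the force-tag-value-prefix setting changes: with the prefix enforced, a junction's HTTP-Tag-Value can only reach attributes named tagvalue_*, and a system attribute such as AUTHENTICATION_LEVEL comes back as the missing-attribute placeholder (the NOT_FOUND string that the tag-value-missing-attr-tag entry later in this stanza configures). With the prefix disabled the same attribute is exposed verbatim. The credential contents, header names and the comma-separated "attribute=header" spec format are constructed assumptions for the demonstration.

```python
# Added example, not WebSEAL code: models how force-tag-value-prefix decides
# which credential attributes a junction's HTTP-Tag-Value setting can turn
# into request headers, and how a missing attribute is filled in with the
# tag-value-missing-attr-tag string. Attribute names, header names and the
# credential contents below are constructed for the demonstration.

# Constructed sample credential: attribute name -> value.
SAMPLE_CREDENTIAL = {
    "AUTHENTICATION_LEVEL": "1",
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "tagvalue_department": "finance",
    "tagvalue_role": "auditor",
}


def parse_http_tag_value(spec):
    """Split an HTTP-Tag-Value list of "attribute=header" entries into pairs.

    Assumed format for the demonstration: entries separated by commas.
    """
    pairs = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        attr, _, header = entry.partition("=")
        pairs.append((attr.strip(), header.strip()))
    return pairs


def build_tag_value_headers(credential, spec, force_tag_value_prefix=True,
                            missing_attr_tag="NOT_FOUND"):
    """Return the headers that tag/value processing would add to a request.

    With force_tag_value_prefix=True (the documented default), every attribute
    name in the spec is prefixed with "tagvalue_" before the credential lookup,
    so system attributes such as AUTHENTICATION_LEVEL cannot be selected.
    With force_tag_value_prefix=False the attribute name is used verbatim.
    An attribute absent from the credential still produces the header, with
    missing_attr_tag as its value (the tag-value-missing-attr-tag behaviour).
    """
    headers = {}
    for attr, header in parse_http_tag_value(spec):
        # The prefix is added unconditionally, as the entry describes.
        lookup = "tagvalue_" + attr if force_tag_value_prefix else attr
        headers[header] = credential.get(lookup, missing_attr_tag)
    return headers


if __name__ == "__main__":
    spec = "department=X-Department,role=X-Role,AUTHENTICATION_LEVEL=X-Auth-Level"
    # Prefix enforced: the junction cannot read AUTHENTICATION_LEVEL.
    print(build_tag_value_headers(SAMPLE_CREDENTIAL, spec))
    # Prefix disabled: any credential attribute can be named verbatim.
    print(build_tag_value_headers(SAMPLE_CREDENTIAL,
                                  "tagvalue_department=X-Department,AUTHENTICATION_LEVEL=X-Auth-Level",
                                  force_tag_value_prefix=False))
```

The point for a reviewer is the second call: once the prefix is disabled, whoever can edit a junction's HTTP-Tag-Value attribute can forward any credential attribute, including authentication level and principal name, to the back end.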
http
    http = {yes|no}
    Description: Specifies whether HTTP (plaintext) requests are accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.
    Options:
        yes    Accept HTTP requests.
        no     Do not accept HTTP requests.
    Default value: yes
    Example: http = yes

http-method-disabled-local
    http-method-disabled-local = [HTTP_methods]
    Description: Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for local resources. By default, WebSEAL blocks the TRACE method, which would otherwise echo the request, headers included, back to the client.
    Options:
        HTTP_methods    A comma-separated list of HTTP methods that are blocked when requesting local resources.
    Default value: TRACE
    Example: http-method-disabled-local = TRACE

http-method-disabled-remote
    http-method-disabled-remote = [HTTP_methods]
    Description: Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for junctioned resources. By default, WebSEAL blocks the TRACE method.
    Options:
        HTTP_methods    A comma-separated list of HTTP methods that are blocked when requesting remote resources.
    Default value: TRACE
    Example: http-method-disabled-remote = TRACE

http-port
    http-port = port_number
    Description: Port on which WebSEAL listens for HTTP requests. This value is set during WebSEAL configuration. When the default HTTP port is already in use, WebSEAL configuration suggests the next available (unused) port number.
    Options:
        port_number    The administrator can modify this number. Valid values include any port number not already in use on the host.
    Default value: 80
    Example: http-port = 80

https
    https = {yes|no}
    Description: Specifies whether HTTPS requests are accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.
    Options:
        yes    Accept HTTPS requests.
        no     Do not accept HTTPS requests.
    Default value: yes
    Example: https = yes

https-port
    https-port = port_number
    Description: Port on which WebSEAL listens for HTTPS requests. This value is set during WebSEAL configuration. When the default port is already in use, WebSEAL configuration suggests the next available (unused) port number.
    Options:
        port_number    The administrator can modify this number. Valid values include any port number not already in use on the host.
    Default value: 443
    Example: https-port = 443

ignore-missing-last-chunk
    ignore-missing-last-chunk = {yes|no}
    Description: Controls whether WebSEAL ignores a missing last chunk in a data stream from a back-end server that is using chunked transfer-encoding.
    Options:
        yes    WebSEAL ignores a missing last chunk in a data stream from a back-end server that is using chunked transfer-encoding. This matches the behavior of prior releases of WebSEAL.
        no     WebSEAL sends a TCP RST (reset) to the front-end browser if the last chunk is not present, so that a truncated response is not passed off as complete.
    Usage: This stanza entry is optional.
    Default value: no
    Example: ignore-missing-last-chunk = no

intra-connection-timeout
    intra-connection-timeout = number_of_seconds
    Description: This parameter affects request and response data sent as two or more fragments. It specifies the timeout (in seconds) between each request data fragment after WebSEAL receives the first fragment. It also governs the timeout between response data fragments after WebSEAL returns the first fragment.
    Options:
        number_of_seconds    If the value is set to 0 (or not set), connection timeouts between data fragments are governed instead by the client-connect-timeout parameter. The exception to this rule is responses returned over HTTP (TCP); in that case there is no timeout between response fragments. If a connection timeout occurs on a non-first data fragment because of the intra-connection-timeout setting, a TCP RST (reset) packet is sent.
    Default value: 60
    Example: intra-connection-timeout = 60

io-buffer-size
    io-buffer-size = number_of_bytes
    Description: Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.
    Options:
        number_of_bytes    Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client. The minimum value is 1; WebSEAL does not impose a maximum value. A small value (for instance, 10 bytes) hurts performance by causing frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they reduce the number of calls to the low-level I/O functions. However, the low-level I/O functions might have their own internal buffers, such as the TCP send and receive buffers; when io-buffer-size exceeds the size of those buffers there is no further performance improvement, because those functions read only part of the buffer at a time. Reasonable values for io-buffer-size range from 1 KB to 16 KB. Values smaller than this range cause the low-level I/O functions to be called too frequently; values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread that communicates with the client, since there is an input buffer and an output buffer.
    Default value: 4096
    Example: io-buffer-size = 4096

ip-support-level
    ip-support-level = {displaced-only|generic-only|displaced-and-generic}
    Description: Controls the amount of network information stored in a credential by specifying the required IP level.
    Options:
        displaced-only           WebSEAL generates only the IPv4 attribute when building user credentials and when authenticating users through external authentication C API modules.
        generic-only             WebSEAL generates only the new generic attributes that support both IPv4 and IPv6 when building user credentials and when authenticating users through external authentication C API modules.
        displaced-and-generic    Both sets of attribute types (those produced by displaced-only and by generic-only) are used when building user credentials and when authenticating users through external authentication C API modules.
    Default value: generic-only
    Example: ip-support-level = generic-only

ipv6-support
    ipv6-support = {yes|no}
    Description: Enables or disables WebSEAL support for the IPv6 format.
    Options:
        yes    Enable WebSEAL support for the IPv6 format.
        no     Disable WebSEAL support for the IPv6 format.
    Default value: no
    Example: ipv6-support = no

late-lockout-notification
    late-lockout-notification = {yes|no}
    Description: WebSEAL returns a server response error page (acct_locked.html) that notifies the user of the penalty for reaching or exceeding the maximum value set by the max-login-failures policy. This stanza entry specifies whether the notification occurs when the user reaches the max-login-failures limit, or at the next login attempt after reaching the limit.
    Options:
        no     Upon reaching the maximum value set by the max-login-failures policy, WebSEAL returns another login prompt to the user. WebSEAL does not send the account disabled error page until the next login attempt. This response represents pre-version 6.0 behavior for the max-login-failures policy.
        yes    Upon reaching the maximum value set by the max-login-failures policy, WebSEAL immediately sends the account disabled error page to the user.
    Usage: Required.
    Default value: The default for new installations is yes. The default for migrated installations is no.
    Example: late-lockout-notification = yes

max-client-read
    max-client-read = number_of_bytes
    Description: Specifies the maximum number of bytes of request line and header information that WebSEAL holds in internal buffers when reading an HTTP request from a client. One purpose of max-client-read is to help protect WebSEAL from denial-of-service attacks that send oversized request lines or headers. As of Security Access Manager WebSEAL 6.0, the max-client-read stanza entry no longer affects the request-body-max-read and request-max-cache stanza entries.
    Options:
        number_of_bytes    The minimum value for this parameter is 32768 bytes. If the total size of the request line and headers is greater than the value specified, WebSEAL closes the connection without reading any more data or sending any response to the client. If the value is set to a number below 32768, the value is ignored and 32768 is used. There is no maximum value. URL and header information in a typical request rarely exceeds 2048 bytes.
    Default value: 32768
    Example: max-client-read = 32768

max-file-cat-command-length
    max-file-cat-command-length = number_of_bytes
    Description: Specifies the maximum size of the file, in bytes, that may be returned from the file cat server task command. If the value of this parameter is less than the size of the file specified in the file cat command, the returned file is truncated. This parameter takes precedence over the optional -max bytes value in the file cat command.
    Options:
        number_of_bytes    The maximum size of the file, in bytes, that may be returned from the file cat command.
    Default value: 1024
    Example: max-file-cat-command-length = 512

max-file-descriptors
    max-file-descriptors = number_of_descriptors
    Description: Sets the maximum number of sockets that WebSEAL uses in a Windows environment. This setting directly affects the number of worker threads available.
    Note: You can use the connection-request-limit option, which is also in the [server] stanza, to increase the number of requests that WebSEAL processes on a persistent connection.
    Options:
        number_of_descriptors    Integer value representing the maximum number of file descriptors (sockets) that WebSEAL uses. This setting directly affects the number of worker threads available to WebSEAL. The minimum value, and the default, is the compiled FD_SETSIZE, which is 2048 for Windows.
    Usage: This stanza entry is optional.
    Note: This configuration option is available only on Windows. WebSEAL ignores this setting on all other platforms.
    Default value: The compiled FD_SETSIZE, which is 2048 for Windows.
    Example: max-file-descriptors = 2048
    See also: disable-timeout-reduction, connection-request-limit

max-idle-persistent-connections
    max-idle-persistent-connections = number_of_connections
    Description: The maximum number of idle client persistent connections. Use a value less than the maximum number of connections supported by WebSEAL to ensure that idle connections do not consume all the available connections.
    Options:
        number_of_connections    Integer value indicating the maximum number of idle client persistent connections.
    Default value: 512
    Example: max-idle-persistent-connections = 512

network-interface
    network-interface = ip-address
    Description: Specifies an alternative IP address to be used by this instance of WebSEAL. This allows two or more WebSEAL instances to use different IP addresses and host names when running on the same machine.
    Options:
        ip-address    IP address.
    Usage: This stanza entry is optional.
    Default value: 0.0.0.0
    Example: network-interface = 9.0.0.9

persistent-con-timeout
    persistent-con-timeout = number_of_seconds
    Description: HTTP/1.1 connection timeout, in seconds. This setting affects connections to clients, not connections to back-end server systems.
    Options:
        number_of_seconds    HTTP/1.1 connection timeout, in seconds. Must be a positive integer; other values have unpredictable results and should not be used. Maximum allowed value: 2147483647. A value of 0 causes WebSEAL to set the 'Connection: close' header and then close the connection on every response, so the connection does not remain open for future requests.
    Default value: 5
    Example: persistent-con-timeout = 5

pre-410-compatible-tokens
    pre-410-compatible-tokens = {yes|no}
    Description: WebSEAL supports a common method of generating tokens for cross-domain single sign-on, failover, and e-community single sign-on. The security of these tokens was increased for version 4.1. This increase is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 3.9 or prior, set this value to yes.
    Options:
        yes    Support pre-4.1.0-compatible tokens.
        no     Do not support pre-4.1.0-compatible tokens.
    Default value: no
    Example: pre-410-compatible-tokens = no

pre-510-compatible-tokens
    pre-510-compatible-tokens = {yes|no}
    Description: WebSEAL supports a common method of generating tokens for cross-domain single sign-on, failover, and e-community single sign-on. The format of these tokens changed for version 5.1. This change is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 4.1 or prior, set this value to yes.
    Options:
        yes    Support pre-5.1.0-compatible tokens.
        no     Do not support pre-5.1.0-compatible tokens.
    Default value: no
    Example: pre-510-compatible-tokens = no

preserve-base-href
    preserve-base-href = {yes|no}
    Description: Specifies whether WebSEAL removes all BASE HREF tags from filtered HTML documents and prepends the base tag to filtered links.
    Options:
        yes    WebSEAL filters the BASE HREF tag.
        no     WebSEAL removes BASE HREF tags.
    Default value: no
    Example: preserve-base-href = no

preserve-base-href2
    preserve-base-href2 = {yes|no}
    Description: Used in conjunction with the preserve-base-href option to specify the level of filtering on BASE HREF tags.
    Note: This option has no effect unless preserve-base-href (also in the [server] stanza) is set to yes.
    Options:
        yes    WebSEAL performs only the minimum filtering of the BASE HREF tag necessary to insert the WebSEAL host and junction names.
        no     WebSEAL completely filters the BASE HREF tags. For BASE tags that do not contain a trailing slash, WebSEAL strips the last component.
    Usage: This stanza entry is optional.
    Default value: no
    Example: preserve-base-href2 = no

preserve-p3p-policy
    preserve-p3p-policy = {yes|no}
    Description: Specifies whether to preserve or replace P3P headers from junctioned servers.
    Options:
        yes    P3P headers from junctioned servers are preserved.
        no     P3P headers from junctioned servers are replaced.
    Default value: no
    Example: preserve-p3p-policy = no

process-root-requests
    process-root-requests = {never|always|filter}
    Description: Specifies how WebSEAL responds to requests for resources located at the root ("/") junction.
    Options:
        never     Root junction requests are never processed at the root junction.
        always    Always attempt to process requests for the root junction at the root junction first, before attempting to use a junction mapping mechanism.
        filter    Examine all root junction requests to determine whether they start with the patterns specified in the [process-root-filter] stanza.
    Default value: always
    Example: process-root-requests = always

redirect-using-relative
    redirect-using-relative = {true|false}
    Description: Specifies that WebSEAL use a server-relative format for the URL in the Location header of an HTTP 302 redirect response. This configuration change affects all redirect responses generated by WebSEAL, including:
        - Redirect after authentication
        - Redirect after logout
        - Redirect after changing password
        - Redirects during the e-community single sign-on authentication process
        - Redirects during the cross-domain single sign-on authentication process
        - Switch user processing
        - Certificate authentication (prompt-as-needed only)
        - Session displacement
    Options:
        true     Use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.
        false    Use an absolute format for the URL in the Location header of an HTTP 302 redirect response.
    Usage: This stanza entry is not required and is a hidden entry.
    Default value: false
    Example: redirect-using-relative = true

reject-invalid-host-header
    reject-invalid-host-header = {yes|no}
    Description: Determines whether requests to WebSEAL that carry an invalid Host header (see RFC 2616) are rejected with a status of 400, "Bad Request".
    Options:
        yes    All requests to WebSEAL with an invalid Host header are rejected with a status of 400, "Bad Request".
        no     Requests with an invalid Host header are not rejected.
    Default value: yes
    Example: reject-invalid-host-header = yes

reject-request-transfer-encodings
    reject-request-transfer-encodings = {yes|no}
    Description: Specifies the WebSEAL response to requests containing the Transfer-Encoding header.
    Options:
        yes    WebSEAL rejects (with an error status of 501, Not Implemented) any request with a Transfer-Encoding header value other than "identity" or "chunked".
        no     WebSEAL may reject the request, or may forward it to the junctioned server in a corrupted state. This setting is available only for compatibility with versions of WebSEAL prior to version 6.0.
    Default value: yes
    Example: reject-request-transfer-encodings = yes

request-body-max-read
    request-body-max-read = number_of_bytes
    Description: Maximum number of bytes to read as content from the body of POST requests. The request-body-max-read stanza entry affects the request body only; it does not impose limits on other components of a request, such as the request line and headers. Used for dynurl, authentication, and request caching.
    Options:
        number_of_bytes    Maximum number of bytes to read as content from the body of POST requests. Used for dynurl, authentication, and request caching. Minimum number of bytes: 512.
    Default value: 4096
    Example: request-body-max-read = 4096

request-max-cache
    request-max-cache = number_of_bytes
    Description: Maximum amount of data to cache. This is used to cache request data when a user is prompted to authenticate before a request can be fulfilled.
    Options:
        number_of_bytes    This value should be a positive integer. If set to zero (0), the user login succeeds but the request fails because WebSEAL cannot cache the request data. There is no maximum value.
    Default value: 8192
    Example: request-max-cache = 8192

send-header-ba-first
    send-header-ba-first = {yes|no}
    Description: By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-ba-first entry to ensure that WebSEAL selects the BA (basic authentication) header before any of the other configured authentication mechanisms.
    Options:
        yes    WebSEAL sends the BA header first.
        no     WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.
    Usage: This stanza entry is optional.
    Default value: no
    Example: send-header-ba-first = no
    See also: send-header-spnego-first
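The entries above define several limits and safe settings (the 32768-byte floor that WebSEAL silently applies to max-client-read, the 512-byte minimum for request-body-max-read, TRACE blocking, Host-header and Transfer-Encoding rejection, pipelined-request handling, and the plaintext http listener). The script below, added here as an illustration and not an IBM tool or part of this reference, reads a webseald.conf-style [server] stanza and reports entries that fall below those limits or are set to the compatibility value. The sample configuration is constructed so that several checks fire; where an entry is absent the check uses the default stated in this reference, except for the three yes/no compatibility entries, which it reports as unconfirmed rather than assuming a default.

```python
# Added example, not WebSEAL code or an IBM tool: parses a webseald.conf-style
# stanza file and checks the [server] request-handling entries described in
# this stanza against the limits and recommendations stated for them. The
# sample configuration is constructed so that several checks fire.
import configparser

MAX_CLIENT_READ_FLOOR = 32768       # values below this are ignored; 32768 is used
REQUEST_BODY_MAX_READ_MIN = 512     # documented minimum
# Entries whose documented safe setting is "yes"; absence is reported too,
# because this check does not assume a default for them.
EXPECT_YES = (
    "cope-with-pipelined-request",
    "reject-invalid-host-header",
    "reject-request-transfer-encodings",
)

# Constructed sample configuration (not a real deployment).
SAMPLE_CONFIG = """\
[server]
http = yes
http-port = 80
https = yes
https-port = 443
http-method-disabled-local =
http-method-disabled-remote = TRACE
max-client-read = 16384
request-body-max-read = 256
reject-invalid-host-header = no
reject-request-transfer-encodings = no
cope-with-pipelined-request = no
"""


def parse_stanzas(text):
    """Read stanza text with configparser; entry names keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_max_client_read(configured):
    """WebSEAL ignores values below 32768 and uses 32768 instead."""
    return max(int(configured), MAX_CLIENT_READ_FLOOR)


def methods_blocked(value):
    """Normalise a comma-separated HTTP method list to an upper-case set."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def audit_server_stanza(text):
    """Return a list of findings for the [server] stanza in `text`."""
    server = parse_stanzas(text)["server"]
    findings = []

    if server.get("http", "yes").lower() == "yes":
        findings.append("http = yes: plaintext HTTP listener enabled on port %s"
                        % server.get("http-port", "80"))

    for entry in ("http-method-disabled-local", "http-method-disabled-remote"):
        if "TRACE" not in methods_blocked(server.get(entry, "TRACE")):
            findings.append("%s does not block TRACE" % entry)

    configured = int(server.get("max-client-read", MAX_CLIENT_READ_FLOOR))
    if configured < MAX_CLIENT_READ_FLOOR:
        findings.append("max-client-read = %d is below the minimum; WebSEAL uses %d"
                        % (configured, effective_max_client_read(configured)))

    body_max = int(server.get("request-body-max-read", 4096))
    if body_max < REQUEST_BODY_MAX_READ_MIN:
        findings.append("request-body-max-read = %d is below the documented minimum of %d"
                        % (body_max, REQUEST_BODY_MAX_READ_MIN))

    for entry in EXPECT_YES:
        value = server.get(entry)
        if value is None:
            findings.append("%s is not set; confirm the default in use" % entry)
        elif value.lower() != "yes":
            findings.append("%s = %s" % (entry, value))

    return findings


if __name__ == "__main__":
    for finding in audit_server_stanza(SAMPLE_CONFIG):
        print(finding)
```

Run it against an exported webseald.conf by passing the file contents to audit_server_stanza; an empty result means none of the checks above fired, not that the stanza is otherwise correct.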
send-header-spnego-first
    send-header-spnego-first = {yes|no}
    Description: By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-spnego-first entry to ensure that WebSEAL selects the SPNEGO header before any of the other configured authentication mechanisms. SPNEGO authentication can use either forms login or a header.
    Note: If send-header-ba-first is set to yes and send-header-spnego-first is set to yes, WebSEAL sends a BA header first, but uses the default search for an SPNEGO forms login.
    Options:
        yes    WebSEAL sends the SPNEGO header first.
        no     WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.
    Usage: This stanza entry is optional.
    Default value: no
    Example: send-header-spnego-first = no
    See also: send-header-ba-first

server-name
    server-name = host_name-instance_name
    Description: The WebSEAL instance name.
    Options:
        host_name-instance_name    The WebSEAL instance name, based on the host name of the machine and the instance name of the WebSEAL server. This value is set by the administrator during WebSEAL configuration. WebSEAL instance names must be alphanumeric. The maximum number of characters allowed is 20.
    Default value: None.
    Examples:
        Initial WebSEAL server with the default instance name accepted, on a host named diamond:
            server-name = diamond-default
        WebSEAL instance specified as web2, on a host named diamond:
            server-name = diamond-web2

slash-before-query-on-redirect
    slash-before-query-on-redirect = {yes|no}
    Description: When a client URL specifies a directory location that does not end in a trailing slash (/), the client is redirected to the same URL with a trailing slash added; this is necessary for ACL checks to work properly. This stanza entry controls where the slash is added if the original URL contains a query string.
    Options:
        yes    The trailing slash is added before the query string. For example, /root/directoryname?query becomes /root/directoryname/?query
        no     The trailing slash is added after the query string. For example, /root/directoryname?query becomes /root/directoryname?query/
    Note: A setting of no can cause browser errors. This option exists for backwards compatibility only.
    Usage: This stanza entry is optional.
    Default value: yes
    Example: slash-before-query-on-redirect = yes

strip-www-authenticate-headers
    strip-www-authenticate-headers = {yes|no}
    Description: Controls whether WebSEAL removes the following headers from the responses that it receives from junctioned servers:
        - Negotiate WWW-Authenticate header
        - NTLM WWW-Authenticate header
    Options:
        yes    WebSEAL removes these WWW-Authenticate headers from junctioned server responses.
        no     WebSEAL does not remove these WWW-Authenticate headers from junctioned server responses.
    Usage: This stanza entry is optional.
    Default value: yes
    Example: strip-www-authenticate-headers = yes

suppress-backend-server-identity
    suppress-backend-server-identity = {yes|no}
    Description: Suppresses the identity of the back-end application server in HTTP responses. These responses normally include a line such as:
        Server: IBM_HTTP_SERVER/version_number Apache/version_number (Win32)
    Options:
        yes    Deletes the above header line from the server response, so the back-end product and version are not disclosed to clients.
        no     Leaves the above header line in the server response.
    Default value: no
    Example: suppress-backend-server-identity = no

suppress-dynurl-parsing-of-posts
    suppress-dynurl-parsing-of-posts = {yes|no}
    Description: Determines whether POST bodies are used in dynurl processing.
    Note: Before enabling this option, make certain that the server applications protected by dynurl checks do not accept arguments from POST bodies, so that dynurl checks cannot be bypassed by sending the same parameters in a POST body instead of in the query string.
    Options:
        yes    POST bodies are not used in dynurl processing; only query strings are used.
        no     POST bodies can be used in dynurl processing.
    Default value: no
    Example: suppress-dynurl-parsing-of-posts = no

suppress-server-identity
    suppress-server-identity = {yes|no}
    Description: Suppresses the identity of the WebSEAL server in HTTP responses. These responses normally include the line:
        Server: WebSEAL/version_number
    Options:
        yes    Deletes the above header line from the server response.
        no     Leaves the above header line in the server response.
    Default value: no
    Example: suppress-server-identity = no

tag-value-missing-attr-tag
    tag-value-missing-attr-tag = tag_for_missing_attribute
    Description: WebSEAL allows credential attributes to be inserted into the HTTP stream as HTTP headers. If a requested attribute is not found in the credential, the HTTP header is still created, with a static string as its value. The tag-value-missing-attr-tag configuration entry defines the contents of that header.
    Options:
        tag_for_missing_attribute    Tag inserted in the HTTP header in place of a missing attribute.
    Default value: NOT_FOUND
    Example: tag-value-missing-attr-tag = NOT_FOUND

use-existing-username-macro-in-custom-redirects
    use-existing-username-macro-in-custom-redirects = {yes|no}
    Description: When using Local Response Redirection, you can use this configuration option to control how WebSEAL processes the USERNAME macro. By default, WebSEAL sets the USERNAME macro value to the string "unauthenticated" after an inactivity timeout. This processing does not match the behavior when WebSEAL serves static pages. Use this option to override the default behavior and configure WebSEAL to set the USERNAME macro value to the authenticated username. That is, with this option set to yes, WebSEAL processes the USERNAME macro the same way when using Local Response Redirection as it does when serving static pages.
    Options:
        yes    When using Local Response Redirection, the USERNAME macro value is set to the authenticated username after an inactivity timeout.
        no     When using Local Response Redirection, the USERNAME macro value is set to the string "unauthenticated" after an inactivity timeout.
    Usage: This stanza entry is optional.
    Default value: no
    Example: use-existing-username-macro-in-custom-redirects = no

use-http-only-cookies
    use-http-only-cookies = {yes|no}
    Description: Indicates whether WebSEAL adds the HttpOnly attribute to the Session, LTPA and Failover Set-Cookie headers that it sends. With the attribute set, browsers that honor it do not expose these cookies to client-side script.
    Options:
        yes    WebSEAL adds the HttpOnly attribute to Session, LTPA and Failover Set-Cookie headers.
        no     WebSEAL does not add the HttpOnly attribute to Session, LTPA and Failover Set-Cookie headers.
    Default value: no
    Example: use-http-only-cookies = no
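The note under suppress-dynurl-parsing-of-posts, together with dynurl-allow-large-posts and request-body-max-read earlier in this stanza, describes two ways a dynurl-based access check can be bypassed: the parameters arrive in a POST body that dynurl never parses, or they arrive past the request-body-max-read cut-off when large POSTs are allowed. The following Python model, added here as an illustration and not WebSEAL code, makes both cases concrete. The dynurl.conf entry, the URL, the parameters, and the use of shell-style wildcards (fnmatch) for the pattern syntax are constructed assumptions; the real dynurl pattern language is not reproduced, and the model assumes that with suppress-dynurl-parsing-of-posts = yes the body size is not checked at all.

```python
# Added example, not WebSEAL code: a small model of dynurl matching that shows
# why suppress-dynurl-parsing-of-posts, dynurl-allow-large-posts and
# request-body-max-read interact. The dynurl.conf entry, URL, parameters and
# pattern syntax (shell-style wildcards via fnmatch) are constructed for the
# demonstration; the real dynurl pattern language is not reproduced here.
import fnmatch
from urllib.parse import parse_qsl

REJECTED = "REJECTED"

# Constructed mapping: (protected object, URL pattern with query fragments).
DYNURL_MAP = [
    ("/admin/transfer-approve", "/app/transfer.cgi?action=approve"),
]


def dynurl_lookup(path, params, dynurl_map=DYNURL_MAP):
    """Return the protected object for the first mapping the request satisfies.

    A mapping matches when the path matches its path pattern and every
    "name=value" fragment of its query pattern matches at least one of the
    request's parameters, whatever order they arrive in.
    """
    pairs = ["%s=%s" % (name, value) for name, value in params]
    for obj, pattern in dynurl_map:
        path_pat, _, query_pat = pattern.partition("?")
        if not fnmatch.fnmatchcase(path, path_pat):
            continue
        fragments = [f for f in query_pat.split("&") if f]
        if all(any(fnmatch.fnmatchcase(p, frag) for p in pairs) for frag in fragments):
            return obj
    return None


def evaluate(method, path, query, body, suppress_post_parsing=False,
             allow_large_posts=False, body_max_read=4096):
    """Model which parameters dynurl processing gets to see.

    suppress_post_parsing   suppress-dynurl-parsing-of-posts = yes
    allow_large_posts       dynurl-allow-large-posts = yes
    body_max_read           request-body-max-read (bytes)
    Returns the mapped object, None when nothing maps, or REJECTED when the
    POST body is larger than body_max_read and large posts are disallowed.
    Assumption: with suppress_post_parsing the body is not examined at all.
    """
    params = parse_qsl(query, keep_blank_values=True)
    if method == "POST" and not suppress_post_parsing:
        if len(body) > body_max_read:
            if not allow_large_posts:
                return REJECTED
            body = body[:body_max_read]      # only this much is compared
        params += parse_qsl(body, keep_blank_values=True)
    return dynurl_lookup(path, params)


if __name__ == "__main__":
    big = "filler=" + "x" * 600 + "&action=approve"
    # Query string: mapped to the protected object as intended.
    print(evaluate("GET", "/app/transfer.cgi", "action=approve&id=7", ""))
    # Same parameters in a POST body with parsing suppressed: not mapped.
    print(evaluate("POST", "/app/transfer.cgi", "", "action=approve&id=7",
                   suppress_post_parsing=True))
    # Parameter hidden past request-body-max-read with large posts allowed: not mapped.
    print(evaluate("POST", "/app/transfer.cgi", "", big,
                   allow_large_posts=True, body_max_read=512))
    # Same request with large posts disallowed: rejected outright.
    print(evaluate("POST", "/app/transfer.cgi", "", big, body_max_read=512))
```

Both bypasses return None, meaning the request falls through to whatever object the plain path maps to rather than the more restricted one; a back end that reads its parameters from the body would then act on them unchecked. Keeping dynurl-allow-large-posts = no turns the second case into a rejection instead.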
utf8-form-support-enabled utf8-form-support-enabled = { auto} UTF-8 encoding support. auto WebSEAL only recognizes UTF-8 encoding in forms and the data is used without modification. WebSEAL does t recognize UTF-8 encoding in forms. Used for local code page only. When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is t recognized as UTF-8, WebSEAL processes the coding as n-utf-8. utf8-url-support-enabled = utf8-qstring-support-enabled utf8-qstring-support-enabled = { auto} UTF-8 encoding support. auto WebSEAL only recognizes UTF-8 encoding in strings and the data is used without modification. WebSEAL does t recognize UTF-8 encoding in strings. Used for local code page only. When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is t recognized as UTF-8, WebSEAL processes the coding as n-utf-8. Stanza reference 261
utf8-qstring-support-enabled = utf8-url-support-enabled utf8-url-support-enabled = { auto} Enable or disable support for UTF-8 encoded characters in URLs. auto WebSEAL only recognizes UTF-8 encoding in URLs and the data is used without modification. WebSEAL does t recognize UTF-8 encoding in URLs. Used for local code page only. When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is t recognized as UTF-8, WebSEAL processes the coding as n-utf-8. utf8-url-support-enabled = validate-query-as-ga validate-query-as-ga = { } Determines whether WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL. WebSEAL does t return a "Bad request" error when there is an invalid character present in the query portion of the URL. WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL. 262 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
This stanza entry is optional. validate-query-as-ga = web-host-name web-host-name = manually-set-webseal-hostname The manual setting for the WebSEAL server's host name.if left unset, WebSEAL attempts to automatically determine the server's host name. On systems with many hostnames, interfaces, or WebSEAL instances, the automatic determination may t always be correct. The manual setting for web-host-name resolves any conflicts. manually-set-webseal-hostname The manual setting for the WebSEAL server's host name, based on the fully qualified machine name. This stanza entry is optional. www.webseal.com web-host-name = abc.example.com web-http-port web-http-port = port for web-http-protocol Defines the port that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface. port for web-http-protocol Stanza reference 263
  Usage: This stanza entry is optional.
  Default value: same as HTTP port
  Example: web-http-port = 443

web-http-protocol

  Syntax: web-http-protocol = {http|https}
  Description: Defines the protocol that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface.
  Options:
    http    WebSEAL functions will behave as if the client is connected to WebSEAL in an HTTP environment (not HTTPS).
    https   Most WebSEAL functions will behave as if the client is connected to WebSEAL in an HTTPS environment. There are exceptions and limitations to this rule. You cannot obtain SSL IDs or SSL client certificates using this parameter; therefore, [session] ssl-id-sessions cannot be used as a session key and [certificate] accept-client-certs cannot be used for authentication.
  Usage: This stanza entry is optional.
  Default value: http
  Example: web-http-protocol = http

worker-threads

  Syntax: worker-threads = number_of_threads
  Description: Number of WebSEAL worker threads.
  Options:
    number_of_threads   Number of WebSEAL worker threads. The minimum value is 1. The maximum number of threads is based on the number of file descriptors set for WebSEAL at compile time. Note that this number varies per operating system. If the value is set to a number larger than the WebSEAL-determined limit, WebSEAL reduces the value to the acceptable limit and issues a warning message.
  Default value: 300
  Example: worker-threads = 300

[session] stanza

dsess-enabled

  Syntax: dsess-enabled = {yes|no}
  Description: Enable or disable use of the Session Management Server (SMS).
  Options:
    yes   Enable use of the Session Management Server (SMS). If this is set to "yes", the [dsess] stanza must have information about how to communicate with the SMS.
    no    Disable use of the Session Management Server (SMS).
  Usage: This stanza entry is optional.
  Example: dsess-enabled =

dsess-last-access-update-interval

  Syntax: dsess-last-access-update-interval = seconds
  Description: Specifies the frequency at which WebSEAL updates the session last access time at the SMS.
  Options:
    seconds   Smaller values offer more accurate inactivity timeout tracking, at the expense of sending updates to the SMS more frequently. Values of less than 1 second are not permitted.
  Default value: 60
  Example: dsess-last-access-update-interval = 60

enforce-max-sessions-policy

  Syntax: enforce-max-sessions-policy = {yes|no}
  Description: Control whether or not a specific WebSEAL instance enforces the max-concurrent-web-sessions policy.
  Options:
    yes   Enforce the max-concurrent-web-sessions policy.
    no    Do not enforce the max-concurrent-web-sessions policy.
  Usage: This stanza entry is ignored unless WebSEAL is using the SMS for session storage.
  Example: enforce-max-sessions-policy =

inactive-timeout

  Syntax: inactive-timeout = number_of_seconds
  Description: Integer value for the lifetime, in seconds, of inactive entries in the credential cache. The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.
  Options:
    number_of_seconds   The minimum number for this value is 0. WebSEAL does not impose a maximum value. A stanza entry value of "0" disables this inactivity timeout feature (the inactivity timeout value is unlimited). The control of cache entries is then governed by the timeout and max-entries stanza entries. When a cache is full, the entries are cleared based on a least-recently-used algorithm.
  Default value: 600
  Example:
    inactive-timeout = 600
    unauth-inactive-timeout = 300

logout-remove-cookie

  Syntax: logout-remove-cookie = {yes|no}
  Description: Specifies whether or not to remove the session cookie from a user's browser when the user logs out from the WebSEAL domain. Setting this stanza entry to yes is necessary for the correct operation and use of the %OLDSESSION% macro.
  Options:
    yes   Remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.
    no    Do not remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.
  Example: logout-remove-cookie =

max-entries

  Syntax: max-entries = number_of_entries
  Description: Maximum number of concurrent entries in the credentials cache. When the cache size reaches this value, entries are removed from the cache according to a least-recently-used algorithm to allow new incoming logins. The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.
  Options:
    number_of_entries   The following conditions affect the specified value:
      - If the specified value is less than or equal to 0, the cache size becomes unlimited.
      - If the specified value is between 0 and 8192, the actual number of entries allowed is rounded up to the next multiple of 32.
      - Any specified value greater than 8192 is accepted as given. WebSEAL does not impose a maximum value.
  Default value: 4096
  Example:
    max-entries = 4096
    unauth-max-entries = 1024

prompt-for-displacement

  Syntax: prompt-for-displacement = {yes|no}
  Description: Determines whether or not a user is prompted for appropriate action when the max-concurrent-web-sessions displace policy has been exceeded.
  Options:
    yes   Enables the interactive option, where the user is prompted for appropriate
          action. When a second login is attempted, the user receives the too_many_sessions.html response page.
    no    Enables the non-interactive option, where the user is not prompted for appropriate action. When a second login is attempted, the original (older) login session is automatically terminated with no prompt. A new session is created for the user and the user is logged in to this new session transparently. The original (older) session is no longer valid.
  Example: prompt-for-displacement =

register-authentication-failures

  Syntax: register-authentication-failures = {yes|no}
  Description: Configure WebSEAL to notify the SMS when login failures occur. SMS can generate a login history based on this information.
  Options:
    yes   If set to yes, WebSEAL notifies the SMS when login failures occur so that users can be shown a history of their last successful and failed logins.
    no    If set to no, WebSEAL does not notify the SMS when login failures occur.
  Usage: This stanza entry is optional.
  Example: register-authentication-failures =

require-mpa

  Syntax: require-mpa = {yes|no}
  Description: Controls whether WebSEAL accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).
  Options:
    yes   WebSEAL only accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).
    no    WebSEAL accepts HTTP headers under any condition.
  Example: require-mpa =

resend-webseal-cookies

  Syntax: resend-webseal-cookies = {yes|no}
  Description: When you configure WebSEAL to use session cookies, specifies whether or not WebSEAL sends the session cookie to the browser with every response.
  Options:
    yes   Specifies that WebSEAL sends the session cookie to the browser with every response. This action helps to ensure that the session cookie remains in the browser memory.
    no    Specifies that WebSEAL does not send the session cookie to the browser with every response.
  Example: resend-webseal-cookies =

send-constant-sess

  Syntax: send-constant-sess = {yes|no}
  Description: Determines whether a session cookie containing a separate, constant identifier is issued during step-up operations to enable tracking for each authenticated session. The identifier remains constant across a single session, regardless of whether the session key changes. The name of the cookie is that of the actual session cookie appended with the suffix -2, for example, PD_S_SESSION_ID_2. This feature is intended to augment the -k junction option.
  Options:
    yes   A session cookie containing a separate, constant identifier is issued during step-up operations to allow tracking for each authenticated session.
    no    No session cookie is issued during step-up operations.
  Example: send-constant-sess =

shared-domain-cookie

  Syntax: shared-domain-cookie = {yes|no}
  Description: Enables a cookie-based session to be shared across all standard and virtual host junctions on a single WebSEAL instance. To share a session in this manner, the WebSEAL instance must store a single session key as an independent value in a multi-valued domain cookie. The multi-valued domain cookie must be indexed by the instance name. The domain cookie itself is shared across all participating WebSEAL instances, but the session values are specific to each instance. If WebSEAL exists in an environment where SMS already handles single sign-on across domains, do not enable this configuration item.
  Options:
    yes   Enables single sign-on across virtual host junctions in the same WebSEAL instance.
    no    Disables single sign-on across virtual host junctions in WebSEAL.
  Usage: This stanza entry is optional.
  Example: shared-domain-cookie =

ssl-id-sessions

  Syntax: ssl-id-sessions = {yes|no}
  Description: Indicates whether to use the SSL ID to maintain a user's HTTP login session.
  Options:
    yes   Use the SSL ID to maintain a user's HTTP login session.
    no    Do not use the SSL ID to maintain a user's HTTP login session.
  Usage: This value must be set to yes when the following key = value pair is set:
    [certificate]
    accept-client-certs = prompt_as_needed
  Example: ssl-id-sessions =

ssl-session-cookie-name

  Syntax: ssl-session-cookie-name = name
  Description: Specifies the default or custom name of WebSEAL session cookies.
  Options:
    name   Specifies the default or custom name of WebSEAL session cookies.
  Default value: PD-S-SESSION-ID
  Example: ssl-session-cookie-name = PD-S-SESSION-ID

standard-junction-replica-set

  Syntax: standard-junction-replica-set = replica_set_name
  Description: The replica set to use for sessions created when users access standard WebSEAL junctions. Virtual host junctions either use the replica set specified with the virtualhost create -z option or the virtual host name for the junction. If using the SMS for session storage, the replica set specified here must also be specified in the [replica-sets] stanza.
  Options:
    value   Replica set name.
  Default value: default
  Example: standard-junction-replica-set = default

tcp-session-cookie-name

  Syntax: tcp-session-cookie-name = name
  Description: Specifies the default or custom name of WebSEAL session cookies.
  Options:
    name   Specifies the default or custom name of WebSEAL session cookies.
  Default value: PD-H-SESSION-ID
  Example: tcp-session-cookie-name = PD-H-SESSION-ID
temp-session-cookie-name

  Syntax: temp-session-cookie-name = cookie_name
  Description: Sets the name of the temporary session cookie that is created for session sharing with Microsoft Office applications. WebSEAL creates a temporary cookie with this name when it responds to a /pkmstempsession management page request.
  Options:
    cookie_name   A string value that represents the name of the single-use cookie that WebSEAL uses to store session information.
  Note: This configuration entry must be used in conjunction with a non-zero value for the temp-session-max-lifetime entry, which is also in the [session] stanza. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
  Default value: None.
  Example: temp-session-cookie-name = PD-TEMP-SESSION-ID

temp-session-max-lifetime

  Syntax: temp-session-max-lifetime = number_of_seconds
  Description: Positive integer that expresses the maximum lifetime (in seconds) of entries in the temporary session cache.
  Options:
    number_of_seconds   A positive integer that represents the maximum lifetime in seconds. Specify a value of 0 to disable the temporary session cache.
  Note: A non-zero value must be configured to enable session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
  Usage: This stanza entry is optional.
  Default value: None.
  Example: temp-session-max-lifetime = 10

timeout

  Syntax: timeout = number_of_seconds
  Description: Integer value for the maximum lifetime, in seconds, of an entry in the credential cache. The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.
  Options:
    number_of_seconds   The minimum number for this value is 0. WebSEAL does not impose a maximum value. A stanza entry value of "0" disables this timeout feature (the lifetime value is unlimited). The control of cache entries is then governed by the inactive-timeout and max-entries stanza entries. When the cache is full, the entries are cleared based on a least-recently-used algorithm.
  Default value: 3600
  Example:
    timeout = 3600
    unauth-timeout = 600

update-session-cookie-in-login-request

  Syntax: update-session-cookie-in-login-request = {yes|no}
  Description: Controls whether the existing session cookie, found in the HTTP request, is updated if the session ID is modified during the processing of the request.
  Options:
    yes   The existing session cookie is updated if the session ID is modified during the processing of the request.
    no    The existing session cookie is not updated if the session ID is modified during the processing of the request.
  Usage: This stanza entry is optional.
  Example: update-session-cookie-in-login-request =

user-session-ids

  Syntax: user-session-ids = {yes|no}
  Description: Enables or disables the creation and handling of user session IDs.
  Options:
    yes   Enables the creation and handling of user session IDs.
    no    Disables the creation and handling of user session IDs.
  Example: user-session-ids =
user-session-ids-include-replica-set

  Syntax: user-session-ids-include-replica-set = {yes|no}
  Description: Include the replica set in the user session ID.
  Options:
    yes   If set to "yes", then user-session-ids = yes includes the replica set.
    no    If set to "no", then WebSEAL does not include the replica set for user-session-ids = yes and assumes that any user session specified in the pdadmin terminate session command belongs to the default replica set.
  Example: user-session-ids-include-replica-set =

use-same-session

  Syntax: use-same-session = {yes|no}
  Description: Indicates whether to use the same session for SSL and HTTP clients.
  Options:
    yes   When set to yes, a user who has authenticated over HTTP will be authenticated when connecting over HTTPS. Likewise, a user who has authenticated over HTTPS will be authenticated when connecting over HTTP. Using yes will override ssl-id-sessions = yes, because HTTP clients do not read an SSL ID to maintain sessions.
    no    Do not use the same session for SSL and HTTP clients.
  Example: use-same-session =
[session-cookie-domains] stanza

domain

  Syntax: domain = url
  Description: Normally WebSEAL session cookies are host cookies that browsers only return to the host that originally set them. This stanza is used to configure domain session cookies that are sent to any host in a particular DNS domain.
  Options:
    url   Domains that share the domain cookie.
  Usage: This stanza entry is optional.
  Default value: None.
  Example: domain = example.com

[session-http-headers] stanza

header_name

  Syntax: header_name = {http|https}
  Description: Configures HTTP headers to maintain session state.
  Options:
    http    Configures HTTP headers to maintain session state over the HTTP transport.
    https   Configures HTTP headers to maintain session state over the HTTPS transport.
  Usage: This stanza entry is optional.
  Default value: None.
  Example: entrust-client = https

[ssl] stanza

base-crypto-library

  Syntax: base-crypto-library = {Default|RSA|ICC}
  Description: Specifies the cipher engine used by GSKit.
  Options:
    Default   The value Default tells GSKit to use the optimal cryptographic base.
    RSA       Use RSA. Note that setting it to RSA affects the settings possible for fips-mode-processing.
    ICC       Use ICC.
  Default value: Default
  Example: base-crypto-library = Default

crl-ldap-server

  Syntax: crl-ldap-server = server_name
  Description: Specifies the server to be contacted to obtain Certificate Revocation Lists (CRL).
  Options:
    server_name   This parameter can be set to one of two types of values:
      1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:
         - crl-ldap-server-port
         - crl-ldap-user
         - crl-ldap-user-password
      2. The literal string URI. In the case where no direct LDAP server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.
  Note: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.
  Usage: This stanza entry is optional.
  Default value: None.
  Example: crl-ldap-server = diamond.example.com

crl-ldap-server-port

  Syntax: crl-ldap-server-port = port_number
  Description: Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during SSL authentication.
  Options:
    port_number   Port number for communication with the LDAP server specified in crl-ldap-server.
  Usage: This stanza entry is optional. When crl-ldap-server is set, this stanza entry is required.
  Default value: None.
  Example: crl-ldap-server-port = 389
crl-ldap-user

  Syntax: crl-ldap-user = user_dn
  Description: Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.
  Options:
    user_dn   Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.
  Usage: This stanza entry is optional. A null value for crl-ldap-user indicates that the SSL authenticator should bind to the LDAP server anonymously.
  Default value: None.
  Example: crl-ldap-user = cn=webseald/diamond,cn=securitydaemons,secauthority=default

crl-ldap-user-password

  Syntax: crl-ldap-user-password = password
  Description: Password for the user specified in crl-ldap-user.
  Options:
    password   Password for the user specified in crl-ldap-user.
  Usage: This stanza entry is optional.
  Default value: None.
  Example: crl-ldap-user-password = mypassw0rd
disable-ssl-v2

  Syntax: disable-ssl-v2 = {yes|no}
  Description: Disables support for SSL version 2. Support for SSL v2 is disabled by default. The WebSEAL configuration sets this value.
  Options:
    yes   Support is disabled.
    no    Support is enabled.
  Usage: This stanza entry is optional. When not specified, the default is yes.
  Example: disable-ssl-v2 =

disable-ssl-v3

  Syntax: disable-ssl-v3 = {yes|no}
  Description: Disables support for SSL version 3. Support for SSL v3 is enabled by default. The WebSEAL configuration sets this value.
  Options:
    yes   The value yes means support is disabled.
    no    The value no means support is enabled.
  Usage: This stanza entry is optional. When not specified, the default is no.
  Example: disable-ssl-v3 =
disable-tls-v1

  Syntax: disable-tls-v1 = {yes|no}
  Description: Disables support for TLS version 1. Support for TLS v1 is enabled by default. The WebSEAL configuration sets this value.
  Options:
    yes   The value yes means support is disabled.
    no    The value no means support is enabled.
  Usage: This stanza entry is optional. When not specified, the default is no.
  Example: disable-tls-v1 =

disable-tls-v11

  Syntax: disable-tls-v11 = {yes|no}
  Description: Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1. WebSEAL supports TLS version 1.1 by default.
  Options:
    yes   The value yes disables support for TLS version 1.1.
    no    The value no enables support for TLS version 1.1.
  Usage: This stanza entry is optional. If this entry is not specified, the default is no.
  Example: disable-tls-v11 =
disable-tls-v12

  Syntax: disable-tls-v12 = {yes|no}
  Description: Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2. WebSEAL supports TLS version 1.2 by default.
  Options:
    yes   The value yes disables support for TLS version 1.2.
    no    The value no enables support for TLS version 1.2.
  Usage: This stanza entry is optional. If this entry is not specified, the default is no.
  Example: disable-tls-v12 =

enable-duplicate-ssl-dn-not-found-msgs

  Syntax: enable-duplicate-ssl-dn-not-found-msgs = {yes|no}
  Description: Determines whether WebSEAL logs a warning message every time you open a connection to a junction that has:
    - either the -K or the -B flag set, but
    - the -D flag not set.
  By default, WebSEAL logs duplicate messages whenever it opens another connection to the junction. These messages appear in the following format:
    DPWIV1212W No server DN is defined for server.ibm.com. The junctioned server DN verification is not performed.
  Options:
    yes   Duplicate messages are created. Every time a connection is opened to a junction that has the -K or -B flags specified without the -D option, WebSEAL logs a warning.
    no    When the server starts, WebSEAL logs a single warning only for each affected junction.
  Example: enable-duplicate-ssl-dn-not-found-msgs =

fips-mode-processing

  Syntax: fips-mode-processing = {yes|no}
  Description: Enables or disables FIPS mode processing.
  Options:
    yes   A value of yes enables FIPS mode processing.
    no    A value of no disables FIPS mode processing.
  Usage: When base-crypto-library = RSA, this value must be no.
  Example: fips-mode-processing =

gsk-attr-name

  Syntax: gsk-attr-name = {enum|string|number}:id:value
  Description: Specify additional GSKit attributes to use when initializing an SSL connection with the client. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.
  Options:
    {enum|string|number}   The GSKit attribute type.
    id                     The identity associated with the GSKit attribute.
    value                  The value for the GSKit attribute.
  Usage: This stanza entry is optional. You cannot configure the following restricted GSKit attributes:
    GSK_BASE_CRYPTO_LIBRARY
    GSK_SSL_FIPS_MODE_PROCESSING
    GSK_FIPS_MODE_PROCESSING
    GSK_OCSP_ENABLE
    GSK_OCSP_URL
    GSK_OCSP_NONCE_GENERATION_ENABLE
    GSK_OCSP_NONCE_CHECK_ENABLE
    GSK_OCSP_REQUEST_SIGKEYLABEL
    GSK_OCSP_REQUEST_SIGALG
    GSK_OCSP_PROXY_SERVER_NAME
    GSK_OCSP_PROXY_SERVER_PORT
    GSK_OCSP_RETRIEVE_VIA_GET
    GSK_OCSP_MAX_RESPONSE_SIZE
    GSK_KEYRING_FILE
    GSK_KEYRING_PW
    GSK_CRL_CACHE_SIZE
    GSK_CRL_CACHE_ENTRY_LIFETIME
    GSK_KEYRING_STASH_FILE
    GSK_KEYRING_LABEL
    GSK_LDAP_SERVER
    GSK_LDAP_SERVER_PORT
    GSK_LDAP_USER
    GSK_LDAP_USER_PW
    GSK_ACCELERATOR_NCIPHER_NF
    GSK_ACCELERATOR_RAINBOW_CS
    GSK_PKCS11_DRIVER_PATH
    GSK_PKCS11_TOKEN_LABEL
    GSK_PKCS11_TOKEN_PWD
    GSK_PKCS11_ACCELERATOR_MODE
    GSK_V2_SESSION_TIMEOUT
    GSK_V3_SESSION_TIMEOUT
    GSK_PROTOCOL_SSLV2
    GSK_PROTOCOL_SSLV3
    GSK_PROTOCOL_TLSV1
    GSK_CLIENT_AUTH_TYPE
    GSK_SESSION_TYPE
    GSK_IO_CALLBACK
    GSK_RESET_SESSION_TYPE_CALLBACK
    GSK_NO_RENEGOTIATION
    GSK_ALLOW_ABBREVIATED_RENEGOTIATION
  If you attempt to modify any of these attributes, an error message is generated.
  Default value: None.
  Example: The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
    gsk-attr-name = string:225:proxy.ibm.com
  See also:
    gsk-attr-name on page 60
    gsk-attr-name on page 315
    jct-gsk-attr-name on page 288

gsk-crl-cache-entry-lifetime

  Syntax: gsk-crl-cache-entry-lifetime = number_of_seconds
  Description: Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache. See also the standards documents for SSL v3 and TLS v1 (RFC 2246) for more information on CRLs.
  Options:
    number_of_seconds   Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache. The minimum value is 0. The maximum value is 86400. Neither WebSEAL nor GSKit impose a maximum value on the cache entry lifetime.
  Default value: 0
  Example: gsk-crl-cache-entry-lifetime = 0

gsk-crl-cache-size

  Syntax: gsk-crl-cache-size = number_of_entries
  Description: Integer value indicating the maximum number of entries in the GSKit CRL cache. See the standards documents for SSL v3 and TLS v1 (RFC 2246) for more information on CRLs.
  Options:
    number_of_entries   Integer value indicating the maximum number of entries in the GSKit CRL cache. The minimum value is 0. A value of 0 means that no entries are cached. Neither WebSEAL nor GSKit impose a maximum value on this cache.
  Default value: 0
  Example: gsk-crl-cache-size = 0

jct-gsk-attr-name

  Syntax: jct-gsk-attr-name = {enum|string|number}:id:value
  Description: Specify additional GSKit attributes to use when initializing an SSL connection with a junctioned server. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.
  Options:
    {enum|string|number}   The GSKit attribute type.
    id                     The identity associated with the GSKit attribute.
    value                  The value for the GSKit attribute.
  Usage: This stanza entry is optional. You cannot configure the following restricted GSKit attributes:
    GSK_KEYRING_FILE
    GSK_KEYRING_PW
    GSK_KEYRING_STASH_FILE
    GSK_V2_SIDCACHE_SIZE
    GSK_V3_SIDCACHE_SIZE
    GSK_V2_SESSION_TIMEOUT
    GSK_V3_SESSION_TIMEOUT
    GSK_PROTOCOL_SSLV2
    GSK_PROTOCOL_SSLV3
    GSK_PROTOCOL_TLSV1
    GSK_LDAP_SERVER
    GSK_LDAP_SERVER_PORT
    GSK_LDAP_USER
    GSK_LDAP_USER_PW
    GSK_CRL_CACHE_SIZE
    GSK_CRL_CACHE_ENTRY_LIFETIME
    GSK_ACCELERATOR_NCIPHER_NF
    GSK_ACCELERATOR_RAINBOW_CS
    GSK_PKCS11_DRIVER_PATH
    GSK_PKCS11_TOKEN_LABEL
    GSK_PKCS11_TOKEN_PWD
    GSK_PKCS11_ACCELERATOR_MODE
    GSK_BASE_CRYPTO_LIBRARY
    GSK_OCSP_ENABLE
    GSK_OCSP_URL
    GSK_OCSP_NONCE_GENERATION_ENABLE
    GSK_OCSP_NONCE_CHECK_ENABLE
    GSK_OCSP_REQUEST_SIGKEYLABEL
    GSK_OCSP_REQUEST_SIGALG
    GSK_OCSP_PROXY_SERVER_NAME
    GSK_OCSP_PROXY_SERVER_PORT
    GSK_OCSP_RETRIEVE_VIA_GET
    GSK_OCSP_MAX_RESPONSE_SIZE
  If you attempt to modify any of these attributes, an error message is generated.
  Default value: None.
  Example: The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
    jct-gsk-attr-name = string:225:proxy.ibm.com
  See also:
    gsk-attr-name on page 60
    gsk-attr-name on page 285
    gsk-attr-name on page 315

ocsp-enable

  Syntax: ocsp-enable = {yes|no}
  Description: Enable Online Certificate Status Protocol (OCSP) for checking the revocation status of certificates supplied by a server, using the OCSP URL embedded in the certificate in an Authority Info Access (AIA) extension.
  Options:
    yes   Enable OCSP to check the revocation status of server-supplied certificates.
    no    Disable OCSP checking of server-supplied certificates.
  Usage: This stanza entry is optional.
  Note: This option can be used as an alternative to, or in conjunction with, the ocsp-url option.
  Example: ocsp-enable =

ocsp-max-response-size

  Syntax: ocsp-max-response-size = number of bytes
  Description: Sets the maximum response size (in bytes) that will be accepted as a response from an OCSP responder. This limit helps protect against a denial of service attack.
  Options:
    number of bytes   Maximum response size, in bytes.
  Note: A value of zero (0) indicates that the value is not set in the configuration file and no call to GSKit will be made to adjust its value; in this case, the option will assume the GSKit default of 20480 bytes. Non-zero values will be passed on to GSKit.
  Usage: This stanza entry is optional.
  Default value: 204080
  Example: ocsp-max-response-size = 20480

ocsp-nonce-check-enable

  Syntax: ocsp-nonce-check-enable = {yes|no}
  Description: Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.
  Options:
    yes   WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.
    no    WebSEAL does not check the nonce in the OCSP response.
  Usage: This stanza entry is optional.
  Example: ocsp-nonce-check-enable =

ocsp-nonce-generation-enable

  Syntax: ocsp-nonce-generation-enable = {yes|no}
  Description: Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL, but may cause an excessive load on an OCSP Responder appliance because the responder cannot use cached responses and must sign each response.
  Options:
    yes   WebSEAL generates a nonce as part of the OCSP request.
    no    WebSEAL does not generate a nonce as part of the OCSP request.
  Usage: This stanza entry is optional.
  Example: ocsp-nonce-generation-enable =

ocsp-proxy-server-name

  Syntax: ocsp-proxy-server-name = <proxy host name>
  Description: Specifies the name of the proxy server that provides access to the OCSP Responder.
  Options:
    proxy host name   Fully qualified name of the proxy server.
  Usage: This stanza entry is optional.
  Default value: None
  Example: ocsp-proxy-server-name = proxy.ibm.com

ocsp-proxy-server-port

  Syntax: ocsp-proxy-server-port = <proxy host port number>
  Description: Specifies the port number of the proxy server that provides access to the OCSP Responder.
  Options:
    proxy host port number   Port number used by the proxy server to route OCSP requests and responses.
  Usage: This stanza entry is optional.
  Default value: None
  Example: ocsp-proxy-server-port = 8888

ocsp-url

  Syntax: ocsp-url = <OCSP Responder URL>
  Description: Specifies the URL for the OCSP Responder. If a URL is provided, WebSEAL will use OCSP for all revocation status checking regardless of whether the certificate has an Authority Info Access (AIA) extension, which means that OCSP will work with existing certificates. WebSEAL will first try the OCSP Responder that is configured by this method rather than using a location specified by the AIA extension. If the revocation status is undetermined, and if ocsp-enable is set to yes, then WebSEAL will try to obtain the revocation status using the access method in the AIA extension.
  Options:
    OCSP Responder URL   URL of the OCSP Responder.
  Usage: This stanza entry is optional.
  Default value: None
  Example: ocsp-url = http://responder.ibm.com/

ssl-keyfile

  Syntax: ssl-keyfile = file_name
  Description: Specifies the keystore that WebSEAL uses for communicating with other Security Access Manager servers over SSL.
  Options:
    file_name   String specifying the name of the keystore that WebSEAL uses to communicate with other Security Access Manager servers over SSL.
  Default value: <instance_name>-webseald.kdb, where <instance_name> is the name of the WebSEAL instance.
  Example: ssl-keyfile = default-webseald.kdb

ssl-keyfile-label

  Syntax: ssl-keyfile-label = label_name
  Description: String containing a label for the SSL certificate keyfile. When this label is not specified, the default label is used. This stanza entry is typically modified only by the WebSEAL configuration utility.
  Options:
    label_name   String containing a label for the SSL certificate keyfile.
  Usage: This stanza entry is optional, but is assigned during WebSEAL configuration.
  Default value: PD Server
  Example: ssl-keyfile-label = PD Server

ssl-keyfile-pwd

  Syntax: ssl-keyfile-pwd = password
  Description: String containing the password that protects the private keys in the SSL keyfile. This stanza entry is typically modified only by the WebSEAL configuration utility.
  Options:
    password   When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by ssl-keyfile-stash. This stanza entry stores the password in plain text. Use ssl-keyfile-stash for optimum security.
  Usage: This stanza entry is optional.
  Default value: None.
  Example: ssl-keyfile-pwd = mypassw0rd

ssl-keyfile-stash

  Syntax: ssl-keyfile-stash = file_name
  Description: Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.
  This stanza entry is typically modified only by the WebSEAL configuration utility.
  Options:
    file_name   Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.
  Default value: instance_name-webseald.sth, where instance_name is the name of the WebSEAL instance.
  Example: ssl-keyfile-stash = default-webseald.sth

ssl-local-domain

  Syntax: ssl-local-domain = local domain name
  Description: This option specifies the local domain for a particular instance of WebSEAL, which allows a single server to host multiple WebSEAL instances, each of which could access a separate domain.
  Options:
    local domain name   The local domain for which this instance of WebSEAL is configured. The local domain is provided during WebSEAL configuration and set by the svrsslcfg utility.
  Usage: This stanza entry is optional.
  Default value: Default
  Example: ssl-local-domain = abc.ibm.com

ssl-max-entries

  Syntax: ssl-max-entries = number_of_entries
  Description: Integer value indicating the maximum number of concurrent entries in the SSL cache.
  Options:
    number_of_entries   Integer value indicating the maximum number of concurrent entries in the SSL cache. The minimum value is zero (0), which means that caching is unlimited. Entries between 0 and 256 are set to 256. There is no maximum limit.
  Usage: This stanza entry is optional. When the stanza entry is not assigned a value, WebSEAL uses a default value of 0. The WebSEAL configuration utility, however, assigns a default value of 4096.
  Example: ssl-max-entries = 4096

ssl-v2-timeout

  Syntax: ssl-v2-timeout = number_of_seconds
  Description: Session timeout in seconds for SSL v2 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL. This value is set by the WebSEAL configuration utility.
  Options:
    number_of_seconds   The valid range of values for number_of_seconds is 1-100 seconds.
  Usage: This stanza entry is required when SSL is enabled.
  Default value: 100
  Example: ssl-v2-timeout = 100
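The [session] cache rules above (max-entries rounding, a value of 0 disabling the timeouts) and the [ssl] protocol, keyfile-password and OCSP nonce entries lend themselves to an automated review. The following Python audit is an added example and not IBM's code: its stanza parser is a minimal one written here for webseald.conf-style text, the sample fragment is constructed, and the defaults it assumes are the ones stated in this reference.

```python
"""Audit a webseald.conf fragment against the [session] and [ssl] stanza
semantics documented in this reference (added example, not IBM code)."""
import re
from collections import defaultdict

# Defaults taken from the stanza reference: the value WebSEAL uses when the
# entry is absent (SSL v2 disabled by default, SSL v3 / TLS 1.x enabled).
DEFAULTS = {
    ("ssl", "disable-ssl-v2"): "yes",
    ("ssl", "disable-ssl-v3"): "no",
    ("ssl", "disable-tls-v1"): "no",
    ("ssl", "disable-tls-v11"): "no",
    ("ssl", "disable-tls-v12"): "no",
    ("session", "max-entries"): "4096",
    ("session", "timeout"): "3600",
    ("session", "inactive-timeout"): "600",
}


def parse_stanzas(text):
    """Parse '[stanza]' headers and 'key = value' lines into
    {stanza: {key: [values]}}; a key may repeat (for example gsk-attr-name)."""
    cfg = defaultdict(lambda: defaultdict(list))
    stanza = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            stanza = m.group(1).strip()
            continue
        if "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            cfg[stanza][key.strip()].append(value.strip())
    return cfg


def get(cfg, stanza, key):
    """Last configured value, else the documented default, else None."""
    values = cfg.get(stanza, {}).get(key)
    if values:
        return values[-1]
    return DEFAULTS.get((stanza, key))


def effective_max_entries(value):
    """Apply the max-entries rules: <= 0 means unlimited (None), 1..8192 is
    rounded up to the next multiple of 32, larger values are kept as given."""
    n = int(value)
    if n <= 0:
        return None
    if n <= 8192:
        return ((n + 31) // 32) * 32
    return n


def audit(cfg):
    """Return (stanza, key, message) findings a reviewer would raise."""
    findings = []
    # Legacy protocols should be disabled; TLS 1.2 should stay enabled.
    for key in ("disable-ssl-v2", "disable-ssl-v3", "disable-tls-v1"):
        if get(cfg, "ssl", key) != "yes":
            findings.append(("ssl", key, "legacy protocol enabled; set to yes"))
    if get(cfg, "ssl", "disable-tls-v12") == "yes":
        findings.append(("ssl", "disable-tls-v12", "TLS 1.2 disabled; set to no"))
    # ssl-keyfile-pwd stores the password in plain text and overrides the stash.
    if get(cfg, "ssl", "ssl-keyfile-pwd"):
        findings.append(("ssl", "ssl-keyfile-pwd",
                         "password in plain text; use ssl-keyfile-stash"))
    # Nonce checking ties each OCSP response to its request (anti-replay).
    if (get(cfg, "ssl", "ocsp-enable") == "yes"
            and get(cfg, "ssl", "ocsp-nonce-check-enable") != "yes"):
        findings.append(("ssl", "ocsp-nonce-check-enable",
                         "OCSP enabled without nonce checking"))
    # Credential cache: 0 disables a timeout; <= 0 makes the cache unlimited.
    for key in ("timeout", "inactive-timeout"):
        if int(get(cfg, "session", key)) == 0:
            findings.append(("session", key, "0 disables this timeout"))
    if effective_max_entries(get(cfg, "session", "max-entries")) is None:
        findings.append(("session", "max-entries", "cache size is unlimited"))
    return findings


# Constructed sample fragment containing several weak settings.
SAMPLE_CONF = """
[session]
max-entries = 0
timeout = 3600
inactive-timeout = 0
[ssl]
disable-ssl-v3 = no
disable-tls-v12 = yes
ssl-keyfile-pwd = mypassw0rd
ocsp-enable = yes
ocsp-nonce-check-enable = no
"""

if __name__ == "__main__":
    for stanza, key, msg in audit(parse_stanzas(SAMPLE_CONF)):
        print(f"[{stanza}] {key}: {msg}")
```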
ssl-v3-timeout

ssl-v3-timeout = number_of_seconds

Session timeout in seconds for SSL v3 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL. This value is set by the WebSEAL configuration utility.

number_of_seconds
    Valid range of values for number_of_seconds is from 1-86400 seconds, where 86400 seconds is equal to 1 day. If you specify a number outside this range, the default number of 7200 seconds will be used.

Usage: This stanza entry is required when SSL is enabled.

Default value: 7200

Example: ssl-v3-timeout = 7200

suppress-client-ssl-errors

suppress-client-ssl-errors = {true false}

This stanza entry suppresses error messages that originate from SSL communication problems with the client.

true
    Suppress error messages that originate from SSL communication problems with the client.

false
    Do not suppress error messages that originate from SSL communication problems with the client.

Usage: This stanza entry is required when SSL is enabled.

Default value: false
Example: suppress-client-ssl-errors = false

undetermined-revocation-cert-action

undetermined-revocation-cert-action = {ignore log reject}

Controls the action that WebSEAL takes if OCSP or CRL is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate values for this entry should be provided by the OCSP or CRL Responder owner.

ignore
    WebSEAL ignores the undetermined revocation status and permits use of the certificate.

log
    WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.

reject
    WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.

Default value: The option defaults to ignore if it is not specified in the configuration file.

Note: The value for this option in the template configuration file is log.

Example: undetermined-revocation-cert-action = log

webseal-cert-keyfile

webseal-cert-keyfile = file_name

Specifies the WebSEAL certificate keyfile. This is the server certificate that WebSEAL exchanges with browsers when negotiating SSL sessions.

file_name
    Name of the WebSEAL certificate keyfile.
Default value: pdsrv.kdb

Example: webseal-cert-keyfile = pdsrv.kdb

webseal-cert-keyfile-label

webseal-cert-keyfile-label = label_name

String specifying a label to use for the WebSEAL certificate keyfile. When this is not specified, the default label is used.

label_name
    String specifying a label to use for the WebSEAL certificate keyfile.

Usage: This stanza entry is optional, but is set by default during WebSEAL configuration.

Default value: WebSEAL-Test-Only

Example: webseal-cert-keyfile-label = WebSEAL-Test-Only

webseal-cert-keyfile-pwd

webseal-cert-keyfile-pwd = password

Password used to protect private keys in the WebSEAL certificate file.

password
    When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by webseal-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.

Usage: This stanza entry is optional.
Default value: None.

Example: webseal-cert-keyfile-pwd = j73r45huu

webseal-cert-keyfile-sni

Use the webseal-cert-keyfile-sni stanza entry to configure WebSEAL to send a server certificate that contains a host name which matches the host name in the initial browser request.

webseal-cert-keyfile-sni = <host_name>:<label>

This configuration has the following requirements:

v The client connects to WebSEAL using TLS. SSLv2 and SSLv3 are not supported.
v The browser supports Server Name Indication.

Use the webseal-cert-keyfile-sni configuration entry to specify the certificate that WebSEAL sends for a particular host name. You can specify this configuration entry multiple times. Specify a separate entry for each server certificate. If WebSEAL does not find an entry for the host name in the browser request, WebSEAL sends the default certificate that is specified by the webseal-cert-keyfile-label entry. WebSEAL also uses the default certificate if the request does not meet the Server Name Indication requirements, for example, if the browser does not support Server Name Indication.

<host_name>
    The name of the host to which WebSEAL returns the certificate.

<label>
    The label of the certificate for WebSEAL to use.

Note: Specify the certificate that contains a dn value of cn=<host_name>.

Usage: This stanza entry is optional.

Default value: None.

Example:
webseal-cert-keyfile-sni = hosta.abc.ibm.com:hostacert
webseal-cert-keyfile-sni = vhostb.abc.ibm.com:vhostbcert
webseal-cert-keyfile-stash

webseal-cert-keyfile-stash = file_name

Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.

file_name
    Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.

Usage: This stanza entry is optional.

Default value: pdsrv.sth

Example: webseal-cert-keyfile-stash = pdsrv.sth

[ssl-qop] stanza

ssl-qop-mgmt

ssl-qop-mgmt = { }

Enables or disables SSL quality of protection management. The value enables SSL quality of protection management. The value disables SSL quality of protection management.

Example: ssl-qop-mgmt =
[ssl-qop-mgmt-default] stanza

default

default = {ALL NONE cipher_level}

List of string values to specify the allowed encryption levels for HTTPS access. Values specified in this stanza entry are used for all IP addresses that are not matched in either the [ssl-qop-mgmt-hosts] stanza entries or the [ssl-qop-mgmt-networks] stanza entries.

ALL
    The value ALL allows all ciphers.

NONE
    The value NONE disables all ciphers and uses an MD5 MAC check sum.

cipher_level
    Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

    Value           Cipher name in GSKit
    NULL            TLS_RSA_WITH_NULL_MD5
    DES-56          TLS_RSA_WITH_DES_CBC_SHA
    FIPS-DES-56     SSL_RSA_FIPS_WITH_DES_CBC_SHA
    DES-168         SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    FIPS-DES-168    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    RC2-40          TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    RC2-128         TLS_RC2_CBC_128_CBC_WITH_MD5
    RC4-40          TLS_RSA_EXPORT_WITH_RC4_40_MD5
    RC4-56          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    RC4-128         TLS_RSA_WITH_RC4_128_MD5
    AES-128         TLS_RSA_WITH_AES_128_CBC_SHA
    AES-256         TLS_RSA_WITH_AES_256_CBC_SHA

Default value: ALL
Example: To specify a selected group of ciphers, create a separate entry for each cipher. For example:

default = RC4-128
default = RC2-128
default = DES-168

[ssl-qop-mgmt-hosts] stanza

host-ip

host-ip = {ALL NONE cipher_level}

List of string values to specify the allowed encryption levels for HTTPS access for a specific IP address. Note that this stanza has been deprecated and is retained only for backward compatibility.

ALL
    The value ALL allows all ciphers.

NONE
    The value NONE disables all ciphers and uses an MD5 MAC check sum.

cipher_level
    Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

    Value           Cipher name in GSKit
    NULL            TLS_RSA_WITH_NULL_MD5
    DES-56          TLS_RSA_WITH_DES_CBC_SHA
    FIPS-DES-56     SSL_RSA_FIPS_WITH_DES_CBC_SHA
    DES-168         SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    FIPS-DES-168    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    RC2-40          TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    RC2-128         TLS_RC2_CBC_128_CBC_WITH_MD5
    RC4-40          TLS_RSA_EXPORT_WITH_RC4_40_MD5
    RC4-56          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    RC4-128         TLS_RSA_WITH_RC4_128_MD5
    AES-128         TLS_RSA_WITH_AES_128_CBC_SHA
    AES-256         TLS_RSA_WITH_AES_256_CBC_SHA

Usage: This stanza entry is optional.
Default value: None.

Example: To specify allowable ciphers for a selected group of IP addresses, create a separate entry for each address. For example:

111.222.333.444 = RC4-128
222.666.333.111 = RC2-128

[ssl-qop-mgmt-networks] stanza

network/netmask

network/netmask = {ALL NONE cipher_level}

List of string values to specify the allowed encryption levels for HTTPS access for a specific combination of IP address and netmask. Note that this stanza has been deprecated and is retained only for backward compatibility.

ALL
    The value ALL allows all ciphers.

NONE
    The value NONE disables all ciphers and uses an MD5 MAC check sum.

cipher_level
    Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

    Value           Cipher name in GSKit
    NULL            TLS_RSA_WITH_NULL_MD5
    DES-56          TLS_RSA_WITH_DES_CBC_SHA
    FIPS-DES-56     SSL_RSA_FIPS_WITH_DES_CBC_SHA
    DES-168         SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    FIPS-DES-168    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    RC2-40          TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    RC2-128         TLS_RC2_CBC_128_CBC_WITH_MD5
    RC4-40          TLS_RSA_EXPORT_WITH_RC4_40_MD5
    RC4-56          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    RC4-128         TLS_RSA_WITH_RC4_128_MD5
    AES-128         TLS_RSA_WITH_AES_128_CBC_SHA
    AES-256         TLS_RSA_WITH_AES_256_CBC_SHA
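As an added example (not code from the IBM reference), the following Python script parses the [ssl-qop-mgmt-default], [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks] stanzas described above, resolves which cipher levels apply to a given client address, expands them to the GSKit names from the tables, and flags levels a reviewer would treat as weak. It assumes that an exact [ssl-qop-mgmt-hosts] match takes precedence over a [ssl-qop-mgmt-networks] match (the reference only states that default applies when neither matches), and the addresses in the sample configuration are constructed.

```python
import ipaddress
from typing import Dict, List

# Cipher levels and the GSKit cipher names they map to, as listed in the tables above.
CIPHER_LEVEL_TO_GSKIT = {
    "NULL": "TLS_RSA_WITH_NULL_MD5",
    "DES-56": "TLS_RSA_WITH_DES_CBC_SHA",
    "FIPS-DES-56": "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "DES-168": "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "FIPS-DES-168": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "RC2-40": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "RC2-128": "TLS_RC2_CBC_128_CBC_WITH_MD5",
    "RC4-40": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4-56": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RC4-128": "TLS_RSA_WITH_RC4_128_MD5",
    "AES-128": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES-256": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Levels this script flags (NULL, export-grade, single DES, RC2 and RC4 suites).
# This is the script author's audit judgement, not a list from the reference.
WEAK_LEVELS = {"NULL", "DES-56", "FIPS-DES-56", "RC2-40", "RC2-128", "RC4-40", "RC4-56", "RC4-128"}

Stanzas = Dict[str, Dict[str, List[str]]]

# Constructed sample configuration (addresses are documentation ranges, not real hosts).
SAMPLE_CONF = """
[ssl-qop-mgmt-default]
default = AES-128
default = AES-256

[ssl-qop-mgmt-hosts]
192.0.2.10 = RC4-128

[ssl-qop-mgmt-networks]
198.51.100.0/255.255.255.0 = DES-168
198.51.100.0/255.255.255.0 = AES-256
"""


def parse_stanzas(text: str) -> Stanzas:
    """Parse '[name]' sections of 'key = value' lines; a repeated key accumulates its values in order."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        stanzas[current].setdefault(key, []).append(value)
    return stanzas


def allowed_levels(stanzas: Stanzas, client_ip: str) -> List[str]:
    """Cipher levels for client_ip: exact host entry, then network/netmask entry, then default."""
    ip = ipaddress.ip_address(client_ip)
    for host, levels in stanzas.get("ssl-qop-mgmt-hosts", {}).items():
        if ipaddress.ip_address(host) == ip:
            return list(levels)
    for network, levels in stanzas.get("ssl-qop-mgmt-networks", {}).items():
        # ip_network accepts the dotted-netmask form used by this stanza ("a.b.c.d/255.255.255.0").
        if ip in ipaddress.ip_network(network, strict=False):
            return list(levels)
    # The reference gives ALL as the default value when no 'default' entry is configured.
    return list(stanzas.get("ssl-qop-mgmt-default", {}).get("default", ["ALL"]))


def audit_client(stanzas: Stanzas, client_ip: str) -> Dict[str, List[str]]:
    """Resolve the levels for client_ip, expand them to GSKit names and list the weak ones.

    ALL expands to every cipher in the table (so it is always flagged);
    NONE disables all ciphers and is flagged because it leaves the MD5 MAC check only.
    """
    levels = allowed_levels(stanzas, client_ip)
    gskit: List[str] = []
    weak: List[str] = []
    for level in levels:
        if level == "ALL":
            gskit.extend(CIPHER_LEVEL_TO_GSKIT.values())
            weak.append("ALL")
        elif level == "NONE":
            weak.append("NONE")
        else:
            gskit.append(CIPHER_LEVEL_TO_GSKIT[level])
            if level in WEAK_LEVELS:
                weak.append(level)
    return {"levels": levels, "gskit": gskit, "weak": weak}


if __name__ == "__main__":
    conf = parse_stanzas(SAMPLE_CONF)
    for client in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        report = audit_client(conf, client)
        print(client, report["levels"], "weak:", report["weak"] or "none")
```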
Usage: This stanza entry is optional.

Default value: None.

Example: To specify allowable ciphers for a selected group of IP addresses and netmasks, create a separate entry for each address/netmask combination. For example:

111.222.333.444/255.255.255.0 = RC4-128
222.666.333.111/255.255.0.0 = RC2-128

[step-up] stanza

retain-stepup-session

retain-stepup-session = { }

Determines whether a session cookie issued during a step-up operation is allowed to be reused or not. This option is only in effect if the verify-step-up-user option is set to

    Enables session cookie to be reused during a step-up operation.

    Prevents session cookie from being reused during a step-up operation.

Example: retain-stepup-session =

show-all-auth-prompts

show-all-auth-prompts = { }

Controls login prompt response for an unauthenticated user who requests an object protected by a step-up authentication POP attribute.
A value of "" provides multiple login prompts, one for each enabled authentication method on each login page. A value of "" provides only the login prompt for the specific authentication level required by the POP (default).

Example: show-all-auth-prompts =

step-up-at-higher-level

step-up-at-higher-level = { }

This configuration entry controls whether an authentication mechanism that is higher than the requested step-up level is accepted during a step-up operation.

    Authentication levels higher than the level specified in the POP are accepted during step-up operations.

    Higher authentication levels are disallowed during step-up operations.

Usage: This stanza entry is optional.

Example: step-up-at-higher-level =

verify-step-up-user

verify-step-up-user = { }

Determines whether the identity of the user performing a step-up operation must match the identity of the user that performed the previous authentication.
    The identity of the user performing the step-up operation must match the identity of the user that performed the previous authentication. In this case, the existing session key will be retained during step-up authentication. The value of the retain-stepup-session option controls whether the existing session key will be retained during step-up authentication.

    The identity of the user performing the step-up operation need not match the identity of the user that performed the previous authentication operation. In this case, the session key must change during step-up authentication.

Example: verify-step-up-user =

[system-environment-variables] stanza

env-name

env-name = env-value

Defines system environment variables that are exported by WebSEAL. During initialization, the WebSEAL daemon exports the environment variables that are defined as entries in the [system-environment-variables] stanza. You must include a separate entry for each system environment variable that you want to export.

env-name
    The name of the system environment variable.

env-value
    The value of the system environment variable.

Usage: This stanza entry is optional.

Note:
v This functionality is not supported on Windows platforms.
v The environment variable names are case-sensitive.
Default value: None.

Example: The following example sets the LANG and GSK_TRACE_FILE environment variables.

LANG = de
GSK_TRACE_FILE = /tmp/gsk.trace

[tfimsso:<jct-id>] stanza

always-send-tokens

always-send-tokens = {true false}

Indicates whether a security token should be sent for every HTTP request or whether WebSEAL should wait for a 401 response before adding the security token. This configuration item is used to avoid the unnecessary overhead of generating and adding a security token to every request if the back-end Web server is capable of maintaining user sessions. This configuration item is only useful if the request for authentication involves a 401 response, which currently only applies to TFIM SSO.

true
    WebSEAL sends a security token for every HTTP request.

false
    WebSEAL waits for a 401 response before sending a security token for an HTTP request.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: always-send-tokens = false

applies-to

applies-to = http://<webseal-server>/<junction>

Path to specify the location to search for the appropriate Security Token Service (STS) module in Tivoli Federated Identity Manager.
http://<webseal-server>/<junction>
    The host name or IP address of the WebSEAL server, along with the junction name. This address is similar to the URL that is used to access the junction.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: applies-to = http://webseal-server/jct

one-time-token

one-time-token = {true false}

This boolean value is used to indicate whether the security token that is produced by TFIM is only valid for a single transaction. An example of a one-time token is a Kerberos token, which can only be used for a single authentication operation.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: True.

Example: one-time-token = false

preserve-xml-token

preserve-xml-token = {true false}

This value controls whether to use the requested BinarySecurityToken XML structure in its entirety or whether only the encapsulated token should be used. Set this configuration entry to true only if the junctioned Web server understands and expects the BinarySecurityToken XML structure.
Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: True.

Example: preserve-xml-token = false

renewal-window

renewal-window = number of seconds

The length of time, in seconds, by which the expiration of security tokens will be reduced. This entry is used to make allowances for differences in system times and transmission times for the security tokens.

number of seconds
    Number of seconds by which the expiration of security tokens will be reduced to make allowances for differences between system times and transmission times for security tokens.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: renewal-window = 15

service-name

service-name = <servicename>

1. Used by TFIM when searching for a matching trust chain. This configuration entry will be compared against the configured AppliesTo service name value for each trust chain. The second field within the AppliesTo service name configuration entry should be set to either asterisk (*) to match all service names, or it should be set to the value defined by this configuration item. See the TFIM documentation for further details on configuring Trust Chains.
2. Used as the service principal name of the delegating user when creating a Kerberos token. The service principal name can be determined by executing the Microsoft utility setspn (that is, setspn -L user, where user is the identity of the user on the junctioned Web server).

<service name>
    The service name which is used to locate the trust chain within TFIM.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: service-name = HTTP/bigblue.wma.ibm.com

tfim-cluster-name

tfim-cluster-name = name of cluster

The name of the WebSphere cluster for the Tivoli Federated Identity Manager service. The cluster is defined by this stanza entry along with a corresponding [tfim-cluster:<cluster>] stanza.

name of cluster
    The name of the WebSphere cluster that contains the Tivoli Federated Identity Manager service.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: tfim-cluster-name = wascluster01

token-collection-size

token-collection-size = number
Specifies the number of security tokens for WebSEAL to retrieve from Tivoli Federated Identity Manager in a single request. This construct is currently only supported for the Kerberos STS module.

Note: The number value for this stanza entry should be relatively low. Each token retrieved from Tivoli Federated Identity Manager (TFIM) is quite large; specifying a large number dramatically increases the size of the packets received from TFIM, which in turn increases the size of the session and the amount of memory used by WebSEAL.

number
    The number of security tokens that WebSEAL will retrieve from Tivoli Federated Identity Manager and cache for subsequent requests.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: token-collection-size = 10

token-type

token-type = token_type

Specifies the type of token to be requested from Tivoli Federated Identity Manager. This value should correspond to the 'Token Type URI' field for the corresponding trust chain within TFIM.

token_type
    Indicates the type of token to be requested from Tivoli Federated Identity Manager. Available options are Kerberos, SAML and LDAP.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None
Example: token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

token-transmit-name

token-transmit-name = text

The name given to the security token within the junctioned Web server request.

text
    This is a free text field.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: token-transmit-name = Authorization

token-transmit-type

token-transmit-type = {header cookie}

The type of mechanism which will be used to transmit the security token to the junctioned Web server.

header
    The security token will be included in a header.

cookie
    The security token will be included in a cookie.

Usage: This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value: None

Example: token-transmit-type = header
[tfim-cluster:<cluster>] stanza

This stanza contains definitions for a particular cluster of Tivoli Federated Identity Manager servers.

basic-auth-user

basic-auth-user = <user_name>

Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.

<user_name>
    The user name that WebSEAL includes in the basic authentication header.

Usage: This stanza entry is optional.

Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.

Default value: None.

Example: basic-auth-user = user_name

basic-auth-passwd

basic-auth-passwd = <password>

Specifies the password for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.

<password>
    The password that WebSEAL includes in the basic authentication header.

Usage: This stanza entry is optional.

Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.
Default value: None.

Example: basic-auth-passwd = password

gsk-attr-name

gsk-attr-name = {enum string number}:id:value

Specify additional GSKit attributes to use when initializing an SSL connection with Tivoli Federated Identity Manager. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

{enum string number}
    The GSKit attribute type.

id
    The identity associated with the GSKit attribute.

value
    The value for the GSKit attribute.

Usage: This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

GSK_KEYRING_FILE
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_CIPHER_V2
GSK_V3_CIPHER_SPECS
GSK_PROTOCOL_TLSV1
GSK_FIPS_MODE_PROCESSING

If you attempt to modify any of these attributes, an error message will be generated.

Default value: None.

Example: The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

gsk-attr-name = string:225:proxy.ibm.com
See also:
gsk-attr-name on page 60
gsk-attr-name on page 285
jct-gsk-attr-name on page 288

handle-idle-timeout

handle-idle-timeout = <number>

Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.

<number>
    Length of time, in seconds, before an idle handle is removed from the handle pool cache.

Usage: This stanza entry is required when Kerberos authentication is used over junctions.

Default value: None

Example: handle-idle-timeout = 240

handle-pool-size

handle-pool-size = <number>

Specifies the maximum number of cached handles that WebSEAL uses when communicating with Tivoli Federated Identity Manager.

<number>
    Maximum number of handles that WebSEAL caches to communicate with Tivoli Federated Identity Manager.

Usage: This stanza entry is required when Kerberos authentication is used over junctions.

Default value: 10
Example: handle-pool-size = 10

server

server = {[0-9],}<URL>

Specifies the priority level and URL for a single Tivoli Federated Identity Manager server that is a member of the cluster identified for this [tfim-cluster:<cluster>] stanza.

[0-9]
    A digit, 0-9, that represents the priority of this server within the cluster (9 is the highest, 0 is the lowest). If the priority is not specified, a priority of 9 is assumed.

    Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

<URL>
    A well-formed HTTP or HTTPS uniform resource locator for the server.

Usage: This stanza entry is required when Kerberos authentication is used over junctions.

Note: You can specify multiple server entries for a particular cluster for failover and load balancing.

Default value: None

Example: server = 9,http://tfim-server.example.com/TrustServerWST13/services/requestsecuritytoken

ssl-fips-enabled

ssl-fips-enabled = { }

Determines whether Federal Information Processing Standards (FIPS) mode is enabled with Tivoli Federated Identity Manager.

Note: If no configuration entry is present, the setting from the global setting, determined by the Access Manager policy server, takes effect.
    FIPS mode is enabled.

    FIPS mode is disabled.

Usage: This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value: None.

Note: If you want to use a FIPS level that is different from the Access Manager policy server, edit the configuration file and specify a value for this entry.

Example: ssl-fips-enabled =

ssl-keyfile

ssl-keyfile = <file_name>

Specifies the name of the key database file that houses the client certificate for WebSEAL to use.

<file_name>
    Name of the key database file that contains the client-side certificate for WebSEAL to use when Tivoli Federated Identity Manager single sign-on is enabled for the junction.

Usage: This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value: None.

Example: ssl-keyfile = default-webseald.kdb

ssl-keyfile-label

ssl-keyfile-label = <label-name>

Specifies the label of the client-side certificate in the key database.

<label-name>
    Label of the client-side certificate in the key database.

Usage: This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value: None.

Example: ssl-keyfile-label = WebSEAL-Test

ssl-keyfile-stash

ssl-keyfile-stash = <filename.sth>

Specifies the name of the password stash file for the key database file.

<filename.sth>
    The name of the password stash file for the key database file.
Usage: This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value: None.

Example: ssl-keyfile-stash = default-webseald.sth

ssl-valid-server-dn

ssl-valid-server-dn = <DN-value>

Specifies the distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL can accept.

<DN-value>
    The distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.

Usage: This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value: None.
Example: ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US

timeout

timeout = <number of seconds>

Specifies the length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.

<number of seconds>
    The length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.

Usage: This stanza entry is required when Kerberos authentication is used over junctions.

Default value: None.

Example: timeout = 240

[uraf-registry] stanza

bind-id

bind-id = server_id

An administrator or user login identity for the registry server that WebSEAL can use to bind (sign on) to the registry server. If the ID belongs to a user rather than an administrator, the user must have privileges to update and modify data in the user registry. The WebSEAL configuration process generates this value. Do not change it.

server_id
    The server_id is an alphanumeric string that is not case-sensitive. String values must contain characters that are part of the local code set.
    The underlying registry determines whether there are any limits on the minimum and maximum lengths of the ID. For Active Directory, the maximum length is 256 alphanumeric characters.

Usage: This stanza entry is required if you are not using an LDAP registry.

Default value: The default value is server-specific.

Example: bind-id = MySvrAdminID

cache-lifetime

cache-lifetime = number_seconds

Number of seconds that the objects are allowed to stay in the cache. This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

number_seconds
    The timeout specified in number of seconds. Use a number within the range of 1 to 86400. For performance tuning, the longer the time specified, the longer the repetitive Read advantage is held. A smaller number of seconds negates the cache advantage for user-initiated Reads.

Usage: This stanza entry is optional. If cache-mode = enabled and this stanza entry is not used, the default value of 30 seconds will be used.

Default value: 30

Example: cache-lifetime = 63200

cache-mode

cache-mode = {enabled disabled}
Mode for caching that represents the cache being either turned on or turned off. This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

enabled
    Turns the cache on. You would enable the cache mode to improve the performance of repetitive Read actions on a specified object, such as login performance for logins that occur more than once a day. Performance for Write actions would not be improved.

disabled
    Turns the cache off. You would disable the cache mode for better security. Caching opens a small window for users to go from server to server in order to bypass the maximum number of failed login attempts.

Usage: This stanza entry is optional. This stanza entry is normally provided for all Security Access Manager servers, except for the policy server pdmgrd.

Default value: enabled

Example: cache-mode = enabled

cache-size

cache-size = {number_objects object type:cache count value}

Maximum number of objects for a particular type of object that can be in the cache at one time without hash table collisions. Or, if it is not numeric, it is a list of one or more object types and their cache count values. This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

number_objects
    Maximum number of objects must be a prime number for the cache count values. Range value is from 3 to a maximum number that is logical for the task and that does not affect performance. Non-prime numbers are automatically rounded up to the next higher prime number. If the number fails, the default value will be used.

object type:cache count value
    List of one or more object types and their cache count values.

Examples:
cache-size = user:251;group:251;resgroup:251;resource:251;rescreds:251;

or

cache-size = user:251;group:251;

The second example sets the user and group cache sizes to 251 and does not use any cache for the others. Performance tuning depends on how much memory space is dedicated to a cache or how many objects you typically have repetitive Read actions on (such as how many users you have logging in a day). For example, a setting of 251 might not be good if you have 1000 users logging in and out several times a day. However, if only 200 of those users log in and out repetitively during the day, 251 might work well.

Usage: This stanza entry is optional. If cache-mode = enabled and this stanza entry is not used, the default value for cache size will be used.

Default value: The default value is server-specific.

Example: cache-size = 251

[user-agent] stanza

user-agent

user-agent = pattern

When recording flow data statistics, WebSEAL can categorize the incoming requests based on the user-agent string in the HTTP Request header. Categorizing requests based on the user-agent can make the statistical data more useful. Use this stanza to specify a list of category names and patterns for the user-agent strings to match. You can repeat a category so that multiple patterns match a single category. The patterns are evaluated in the order of their definition. WebSEAL selects the first match to categorize each request.

Note: The stanza must always end with an entry that contains the match-all pattern *.

pattern
    The appliance uses this pattern to categorize the incoming requests. The appliance categorizes each request by matching the user-agent string value in the HTTP Request header with the defined pattern list.
Note: The pattern can contain the wildcard characters * and ?. Patterns are not case-sensitive.

Usage: This stanza entry is optional.

Default value: None.

Example: In this example, both Android and iOS user-agent strings match the MOBILE category. WebSEAL uses the SUNDRY category if a user-agent string does not match any of the other defined patterns.

INTERNET_EXPLORER = *msie*
FIREFOX = *firefox*
CHROME = *chrome*
MOBILE = *android*
MOBILE = *ios*
SUNDRY = *

Because the first matching pattern wins, order the entries from most to least specific: with the list above, a request whose user-agent string contains both "android" and "chrome" is counted as CHROME, not MOBILE. The User-Agent header is supplied by the client and can be set to any value, so treat these categories as statistical labels only, never as an input to authentication or authorization decisions.
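The following Python script is an added example for the two entries above; it is not IBM code and not part of this reference. It applies the documented cache-size rules (prime rounding, the per-object-type list form, fallback to a default for invalid counts) and the documented [user-agent] semantics (definition order, first match wins, case-insensitive * and ? wildcards, mandatory trailing *) to a constructed stanza fragment. The stanza parser, the function names, the assumed default of 251 and the sample User-Agent strings are all assumptions made for the example and do not describe the appliance's own implementation.

```python
"""Added example (not IBM code): apply the [uraf-registry] cache-size rules and
the [user-agent] first-match categorisation described above to a constructed
stanza fragment. Parser, helper names and sample strings are assumptions."""
import re

# Constructed stanza fragment for this example; not from a real appliance.
SAMPLE_CONF = """
[uraf-registry]
cache-mode = enabled
cache-size = user:250;group:251

[user-agent]
INTERNET_EXPLORER = *msie*
FIREFOX = *firefox*
CHROME = *chrome*
MOBILE = *android*
MOBILE = *ios*
SUNDRY = *
"""

def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}; repeated keys such as the two
    MOBILE patterns are kept in order because [user-agent] is matched top down."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas

def next_prime(n):
    """Smallest prime >= n; the reference rounds non-prime sizes up."""
    n = max(n, 2)
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def parse_cache_size(value, default=251):
    """Numeric form -> one prime; 'type:count;...' form -> {type: prime}.
    A count that is not numeric or is below the documented minimum of 3 falls
    back to the default (251 is an assumed default for this example)."""
    value = value.strip().rstrip(";")
    if value.isdigit():
        n = int(value)
        return next_prime(n) if n >= 3 else default
    sizes = {}
    for item in filter(None, value.split(";")):
        obj_type, _, count = item.partition(":")
        n = int(count) if count.strip().isdigit() else 0
        sizes[obj_type.strip()] = next_prime(n) if n >= 3 else default
    return sizes

def glob_to_regex(pattern):
    """Only * and ? are wildcards per the reference; anything else is literal,
    and matching is case-insensitive."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def validate_ua_stanza(entries):
    """The stanza must end with the match-all pattern so no request is uncategorised."""
    return bool(entries) and entries[-1][1] == "*"

def categorize(user_agent, entries):
    """First pattern, in definition order, that matches the whole string wins."""
    for category, pattern in entries:
        if glob_to_regex(pattern).match(user_agent):
            return category
    return None  # only reachable if validate_ua_stanza() was ignored

# Constructed User-Agent strings, shortened from the usual browser formats.
UA_SAMPLES = [
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/114.0 Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "curl/8.1.2",
]

def run_example(conf=SAMPLE_CONF):
    """Parse the fragment; return (cache sizes, {user_agent: category})."""
    stanzas = parse_stanzas(conf)
    sizes = parse_cache_size(dict(stanzas["uraf-registry"])["cache-size"])
    ua_entries = stanzas["user-agent"]
    if not validate_ua_stanza(ua_entries):
        raise ValueError("[user-agent] must end with a match-all '*' entry")
    return sizes, {ua: categorize(ua, ua_entries) for ua in UA_SAMPLES}

if __name__ == "__main__":
    sizes, categories = run_example()
    print("cache-size:", sizes)
    for ua, category in categories.items():
        print(f"{category:18} {ua}")
```

Two things the run shows that the stanza text alone does not: the Android Chrome sample lands in CHROME rather than MOBILE because CHROME is defined first, and the iPhone-style sample lands in SUNDRY because the constructed string contains "iPhone OS", not the substring "ios" that the MOBILE pattern looks for. The wildcard translation is written by hand rather than with fnmatch so that only * and ? are special, as the reference states.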
Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Index

Special characters
pam-issue stanza entry pam-resource:uri stanza 208 resource-name stanza entry http-transformations stanza 108 user-agent stanza entry user-agent stanza 324

A
absolute-uri-in-request-log stanza entry logging stanza 171 accept-client-certs stanza entry certificate stanza 42 access stanza entry p3p-header stanza 194 accessibility xiv account-expiry-notification stanza entry acnt-mgt stanza 1 account-inactivated stanza entry acnt-mgt stanza 1 account-locked stanza entry acnt-mgt stanza 2 acnt-mgt stanza 1 account-expiry-notification entry 1 account-inactivated entry 1 account-locked entry 2 allow-unauthenticated-logout entry 3 allowed-referers entry 3 cert-failure entry 4 cert-stepup-http entry 5 certificate-login entry 5 change-password-auth entry 6 client-notify-tod entry 6 enable-html-redirect entry 7 enable-local-response-redirect entry 7 enable-passwd-warn entry 8 enable-secret-token-validation entry 9 help entry 10 html-redirect entry 11 http-rsp-header entry 10 login entry 11 login-redirect-page entry 12 login-success entry 13 logout entry 13 passwd-change entry 14 passwd-change-failure entry 14 passwd-change-success entry 15 passwd-expired entry 15 passwd-warn entry 16 passwd-warn-failure entry 16 redirect-to-root-for-pkms entry 17 single-signoff-uri entry 17 stepup-login entry 18 switch-user entry 19 temp-cache-response entry 19 too-many-sessions entry 20 use-filename-for-pkmslogout entry 21 use-restrictive-logout-filenames entry 20 agents stanza entry logging stanza 171 allow-backend-domain-cookies stanza entry junction stanza 121, 128 allow-empty-form-fields stanza entry forms stanza 103 allow-shift-jis-chars stanza entry server stanza 226 allow-unauth-ba-supply stanza entry server stanza 226 allow-unauthenticated-logout stanza entry acnt-mgt stanza 3 allow-unsolicited-logins stanza entry server stanza 227 allowed-referers stanza entry acnt-mgt stanza 3 always-send-tokens stanza entry tfimsso: stanza
308 applies-to stanza entry tfimsso: stanza 308 apply-tam-native-policy stanza entry oauth-eas stanza 186 rtss-eas stanza 214 attribute_name_pattern stanza entry credential-refresh-attributes stanza 57 attribute_pattern stanza entry cdsso-incoming-attributes stanza 39 ecsso-incoming-attributes stanza 85 failover-add-attributes stanza 93 failover-restore-attributes stanza 95, 96 audit-attribute stanza entry aznapi-configuration stanza 23 audit-log-cfg stanza entry rtss-eas stanza 214 audit-mime-types stanza entry logging stanza 172 audit-response-codes stanza entry logging stanza 173 auditcfg stanza entry aznapi-configuration stanza 23 auditlog stanza entry aznapi-configuration stanza 24 auth-challenge-type stanza entry server stanza 227 auth-cookies stanza 21 cookie entry 21 auth-timeout stanza entry ldap stanza 153 auth-using-compare stanza entry ldap stanza 153 authentication_level stanza entry credential-refresh-attributes stanza 57 authentication-levels stanza 22 authentication-levels stanza (continued) level entry 22 authtoken-lifetime stanza entry cdsso stanza 35 azn-decision-info stanza 33 azn-decision-info stanza entry azn-decision-info stanza 33 aznapi-configuration stanza 23 audit-attribute entry 23 auditcfg entry 23 auditlog entry 24 cache-refresh-interval entry 25 cred-attribute-entitlement-services entry 25 dynamic-adi-entitlement-services entry 26 input-adi-xml-prolog entry 26 listen-flags entry 27 logaudit entry 27 logcfg entry 28 logclientid entry 28 logflush entry 29 logsize entry 30 permission-info-returned entry 30 policy-attr-separator entry 31 policy-cache-size entry 31 resource-manager-provided-adi entry 32 xsl-stylesheet-prolog entry 33 B ba stanza 34 ba-auth entry 34 basic-auth-realm entry 35 ba-auth stanza entry ba stanza 34 bad-gateway-rsp-file stanza entry oauth-eas stanza 187 bad-request-rsp-file stanza entry oauth-eas stanza 187 base-crypto-library stanza entry ssl stanza 279 basic-auth-passwd stanza entry dsess-cluster stanza 59 
tfim-cluster: stanza 314 xacml-cluster:<cluster> stanza 218 basic-auth-realm stanza entry ba stanza 35 basic-auth-user stanza entry dsess-cluster stanza 59 tfim-cluster: stanza 314 xacml-cluster: stanza 217 basicauth-dummy-passwd stanza entry junction stanza 122 bind-dn stanza entry ldap stanza 154 bind-id stanza entry uraf-registry stanza 321
bind-pwd stanza entry ldap stanza 154 C cache-enabled stanza entry ldap stanza 155 cache-group-expire-time stanza entry ldap stanza 155 cache-group-membership stanza entry ldap stanza 156 cache-group-size stanza entry ldap stanza 156 cache-host-header stanza entry server stanza 228 cache-lifetime stanza entry uraf-registry stanza 322 cache-mode stanza entry uraf-registry stanza 322 cache-policy-expire-time stanza entry ldap stanza 157 cache-policy-size stanza entry ldap stanza 157 cache-refresh-interval stanza entry aznapi-configuration stanza 25 cache-requests-for-ecsso stanza entry e-community-sso stanza 75 cache-return-registry-id stanza entry ldap stanza 158 cache-size stanza entry oauth-eas stanza 188 uraf-registry stanza 323 cache-use-user-cache stanza entry ldap stanza 159 cache-user-expire-time stanza entry ldap stanza 158 cache-user-size stanza entry ldap stanza 159 capitalize-content-length stanza entry server stanza 229 categories stanza entry p3p-header stanza 195 cdsso stanza 35 authtoken-lifetime entry 35 cdsso-argument entry 36 cdsso-auth entry 36 cdsso-create entry 37 clean-cdsso-urls entry 37 propagate-cdmf-errors entry 38 use-utf8 entry 38 cdsso-argument stanza entry cdsso stanza 36 cdsso-auth stanza entry cdsso stanza 36 cdsso-create stanza entry cdsso stanza 37 cdsso-incoming-attributes stanza 39 attribute_pattern entry 39 cdsso-peers stanza 40 fully_qualified_hostname entry 40 cdsso-token-attributes stanza 40 domain_name entry 41 entry 40 cert-cache-max-entries stanza entry certificate stanza 42 cert-cache-timeout stanza entry certificate stanza 43 cert-failure stanza entry acnt-mgt stanza 4 cert-map-authn stanza 47 debug-level entry 47 rules-file entry 47 cert-prompt-max-tries stanza entry certificate stanza 43 cert-stepup-http stanza entry acnt-mgt stanza 5 certificate stanza 42 accept-client-certs entry 42 cert-cache-max-entries entry 42 cert-cache-timeout entry 43 cert-prompt-max-tries entry 43 disable-cert-login-page entry 44, 46 eai-data 
45 certificate-login stanza entry acnt-mgt stanza 5 cfg-db-cmd:entries stanza 48 cfg-db-cmd:files stanza 49 include entry 49 change-password-auth stanza entry acnt-mgt stanza 6 chunk-responses stanza entry server stanza 230 clean-cdsso-urls stanza entry cdsso stanza 37 clean-ecsso-urls-for-failover stanza entry failover stanza 87 client-connect-timeout stanza entry server stanza 230 client-notify-tod stanza entry acnt-mgt stanza 6 cluster stanza 49 is-master entry 50 master-name entry 50 max-wait-time entry 51 cluster-name stanza entry oauth-eas stanza 189 rtss-eas stanza 216 compress-mime-types stanza 51 mime_type entry 51 compress-user-agents stanza 52 pattern entry 52 concurrent-session-threads-hard-limit stanza entry server stanza 231 concurrent-session-threads-soft-limit stanza entry server stanza 231 connection-request-limit stanza entry server stanza 232 content stanza 53 utf8-template-macros-enabled entry 53 content-cache stanza 53 MIME_type entry 53 content-encodings stanza 54 extension entry 54 content-index-icons stanza 55 type entry 55 context-id stanza entry rtss-eas stanza 216 cookie stanza entry auth-cookies stanza 21 cookie-domain stanza entry ltpa stanza 181 cookie-name stanza entry ltpa stanza 180 cope-with-pipelined-request stanza entry server stanza 232 cred-attribute-entitlement-services stanza entry aznapi-configuration stanza 25 credential-policy-attributes stanza 56 policy-name entry 56 credential-refresh-attributes stanza 57 attribute_name_pattern entry 57 authentication_level entry 57 crl-ldap-server stanza entry junction stanza 122 ssl stanza 279 crl-ldap-server-port stanza entry junction stanza 123 ssl stanza 280 crl-ldap-user stanza entry junction stanza 124 ssl stanza 281 crl-ldap-user-password stanza entry junction stanza 124 ssl stanza 281

D
DB2 xii debug-level stanza entry cert-map-authn stanza 47 decode-query stanza entry server stanza 233 default stanza entry ssl-qop-mgmt-default stanza 302 default-fed-id stanza entry oauth-eas
stanza 189 default-mode stanza entry oauth-eas stanza 190 default-policy-override-support stanza entry ldap stanza 160 Disable local junctions 152 disable-cert-login-page stanza entry certificate stanza 44, 46 disable-ec-cookie stanza entry e-community-sso stanza 76 disable-local-junctions 152 disable-ssl-v2 stanza entry junction stanza 125 ssl stanza 282 disable-ssl-v3 stanza entry junction stanza 125 ssl stanza 282 disable-timeout-reduction stanza entry server stanza 233 disable-tls-v1 stanza entry junction stanza 126 ssl stanza 283 disable-tls-v11 stanza entry junction stanza 126 ssl stanza 283 disable-tls-v12 stanza entry junction stanza 127 ssl stanza 284 disputes stanza entry p3p-header stanza 197
domain stanza entry session-cookie-domains stanza 278 domain_name stanza entry cdsso-token-attributes stanza 41 e-community-domain-keys stanza 74 e-community-domain-keys:domain stanza 75 ecsso-token-attributes stanza 86 dont-reprocess-jct-404s stanza entry junction stanza 127 double-byte-encoding stanza entry server stanza 234 dsess stanza 58 dsess-cluster-name entry 58 dsess-sess-id-pool-size entry 58 dsess-cluster stanza 59 basic-auth-passwd entry 59 basic-auth-user entry 59 gsk-attr-name entry 60 handle-idle-timeout entry 61 handle-pool-size entry 61 response-by entry 62 server entry 62 ssl-fips-enabled entry 63 ssl-keyfile entry 64 ssl-keyfile-label entry 64 ssl-keyfile-stash entry 65 ssl-valid-server-dn entry 65 timeout entry 66 dsess-cluster-name stanza entry dsess stanza 58 dsess-enabled stanza entry session stanza 265 dsess-last-access-update-interval stanza entry session stanza 265 dsess-sess-id-pool-size stanza entry dsess stanza 58 dynamic-adi-entitlement-services stanza entry aznapi-configuration stanza 26 dynurl-allow-large-posts stanza entry server stanza 235 dynurl-map stanza entry server stanza 235 E e-community-domain-keys stanza 74 domain_name entry 74 e-community-domain-keys:domain stanza 75 domain_name entry 75 e-community-domains stanza 74 name entry 74 e-community-name stanza entry e-community-sso stanza 76 e-community-sso stanza 75 cache-requests-for-ecsso entry 75 disable-ec-cookie entry 76 e-community-name entry 76 e-community-sso-auth entry 77 ec-cookie-domain entry 77 ec-cookie-lifetime entry 78 ecsso-allow-unauth entry 78 ecsso-propagate-errors entry 79 handle-auth-failure-at-mas entry 79 e-community-sso stanza (continued) is-master-authn-server entry 80 master-authn-server entry 80 master-http-port entry 81 master-https-port entry 82 propagate-cdmf-errors entry 82 use-utf8 entry 83 vf-argument entry 83 vf-token-lifetime entry 84 vf-url entry 84 e-community-sso-auth stanza entry e-community-sso stanza 77 eai stanza 66 eai-auth entry 66 
eai-auth-level-header entry 67 eai-flags-header entry 67 eai-pac-header entry 68 eai-pac-svc-header entry 68 eai-redir-url-header entry 69 eai-session-id-header entry 69 eai-user-id-header entry 70 eai-verify-user-identity entry 70 eai-xattrs-header entry 71 retain-eai-session entry 72 eai-auth stanza entry eai stanza 66 eai-auth-level-header stanza entry eai stanza 67 eai-data certificate stanza 45 eai-flags-header stanza entry eai stanza 67 eai-pac-header stanza entry eai stanza 68 eai-pac-svc-header stanza entry eai stanza 68 eai-redir-url-header stanza entry eai stanza 69 eai-session-id-header stanza entry eai stanza 69 eai-trigger-urls stanza 72 trigger entry 72, 73 eai-user-id-header stanza entry eai stanza 70 eai-verify-user-identity stanza entry eai stanza 70 eai-xattrs-header stanza entry eai stanza 71 ec-cookie-domain stanza entry e-community-sso stanza 77 ec-cookie-lifetime stanza entry e-community-sso stanza 78 ecsso-allow-unauth stanza entry e-community-sso stanza 78 ecsso-incoming-attributes stanza 85 attribute_pattern entry 85 ecsso-propagate-errors stanza entry e-community-sso stanza 79 ecsso-token-attributes stanza 86 domain_name entry 86 entry 86 education xiv enable-duplicate-ssl-dn-not-found-msgs stanza entry ssl stanza 284 enable-failover-cookie-for-domain stanza entry failover stanza 88 enable-html-redirect stanza entry acnt-mgt stanza 7 enable-ie6-2gb-downloads stanza entry server stanza 236 enable-local-response-redirect stanza entry acnt-mgt stanza 7 enable-passwd-warn stanza entry acnt-mgt stanza 8 enable-redirects stanza 87 redirect entry 87 enable-secret-token-validation stanza entry acnt-mgt stanza 9 enabled stanza entry ldap stanza 160 enforce-max-sessions-policy stanza entry session stanza 266

entries 86
pam-issue pam-resource:uri stanza 208 resource-name http-transformations stanza 108 user-agent user-agent stanza 324 absolute-uri-in-request-log logging stanza 171 accept-client-certs certificate stanza 42 access p3p-header stanza 194
account-expiry-notification acnt-mgt stanza 1 account-inactivated acnt-mgt stanza 1 account-locked acnt-mgt stanza 2 agents logging stanza 171 allow-backend-domain-cookies junction stanza 121, 128 allow-empty-form-fields forms stanza 103 allow-shift-jis-chars server stanza 226 allow-unauth-ba-supply server stanza 226 allow-unauthenticated-logout acnt-mgt stanza 3 allow-unsolicited-logins server stanza 227 allowed-referers acnt-mgt stanza 3 always-send-tokens tfimsso: jct-id stanza 308 applies-to tfimsso: jct-id stanza 308 apply-tam-native-policy oauth-eas stanza 186 rtss-eas stanza 214 attribute_name_pattern credential-refresh-attributes stanza 57
attribute_pattern cdsso-incoming-attributes stanza 39 ecsso-incoming-attributes stanza 85 failover-add-attributes stanza 93 failover-restore-attributes stanza 95, 96 audit-attribute aznapi-configuration stanza 23 audit-log-cfg rtss-eas stanza 214 audit-mime-types logging stanza 172 audit-response-codes logging stanza 173 auditcfg aznapi-configuration stanza 23 auditlog aznapi-configuration stanza 24 auth-challenge-type server stanza 227 auth-timeout ldap stanza 153 auth-using-compare ldap stanza 153 authentication_level credential-refresh-attributes stanza 57 authtoken-lifetime cdsso stanza 35 azn-decision-info azn-decision-info stanza 33 ba-auth ba stanza 34 bad-gateway-rsp-file oauth-eas stanza 187 bad-request-rsp-file oauth-eas stanza 187 base-crypto-library ssl stanza 279 basic-auth-passwd [rtss-cluster:<cluster>] stanza 218 dsess-cluster stanza 59 tfim-cluster: cluster stanza 314 basic-auth-realm ba stanza 35 basic-auth-user dsess-cluster stanza 59 rtss-cluster:<cluster> stanza 217 tfim-cluster: cluster stanza 314 basicauth-dummy-passwd junction stanza 122 bind-dn ldap stanza 154 bind-id uraf-registry stanza 321 bind-pwd ldap stanza 154 cache-enabled ldap stanza 155 cache-group-expire-time ldap stanza 155 cache-group-membership ldap stanza 156 cache-group-size ldap stanza 156 cache-host-header server stanza 228 cache-lifetime uraf-registry stanza 322 cache-mode uraf-registry stanza 322 cache-policy-expire-time ldap stanza 157 cache-policy-size ldap stanza 157 cache-refresh-interval aznapi-configuration stanza 25 cache-requests-for-ecsso e-community-sso stanza 75 cache-return-registry-id ldap stanza 158 cache-size oauth-eas stanza 188 uraf-registry stanza 323 cache-use-user-cache ldap stanza 159 cache-user-expire-time ldap stanza 158 cache-user-size ldap stanza 159 capitalize-content-length server stanza 229 categories p3p-header stanza 195 cdsso-argument cdsso stanza 36 cdsso-auth cdsso stanza 36 cdsso-create cdsso stanza
37 cdsso-token-attributes stanza 40 cert-cache-max-entries certificate stanza 42 cert-cache-timeout certificate stanza 43 cert-failure acnt-mgt stanza 4 cert-prompt-max-tries certificate stanza 43 cert-stepup-http acnt-mgt stanza 5 certificate-login acnt-mgt stanza 5 change-password-auth acnt-mgt stanza 6 chunk-responses server stanza 230 clean-cdsso-urls cdsso stanza 37 clean-ecsso-urls-for-failover failover stanza 87 client-connect-timeout server stanza 230 client-notify-tod acnt-mgt stanza 6 cluster-name oauth-eas stanza 189 rtss-eas stanza 216 concurrent-session-threads-hard-limit server stanza 231 concurrent-session-threads-soft-limit server stanza 231 connection-request-limit server stanza 232 context-id rtss-eas stanza 216 cookie auth-cookies stanza 21 cookie-domain ltpa stanza 181 cookie-name ltpa stanza 180 cope-with-pipelined-request server stanza 232 cred-attribute-entitlement-services aznapi-configuration stanza 25 crl-ldap-server junction stanza 122 ssl stanza 279 crl-ldap-server-port junction stanza 123 ssl stanza 280 crl-ldap-user junction stanza 124 ssl stanza 281 crl-ldap-user-password junction stanza 124 ssl stanza 281 debug-level cert-map-authn stanza 47 decode-query server stanza 233 default ssl-qop-mgmt-default stanza 302 default-fed-id oauth-eas stanza 189 default-mode oauth-eas stanza 190 default-policy-override-support ldap stanza 160 disable-cert-login-page certificate stanza 44, 46 disable-ec-cookie e-community-sso stanza 76 disable-ssl-v2 junction stanza 125 ssl stanza 282 disable-ssl-v3 junction stanza 125 ssl stanza 282 disable-timeout-reduction server stanza 233 disable-tls-v1 junction stanza 126 ssl stanza 283 disable-tls-v11 junction stanza 126 ssl stanza 283 disable-tls-v12 junction stanza 127 ssl stanza 284 disputes p3p-header stanza 197
domain session-cookie-domains stanza 278 domain_name cdsso-token-attributes stanza 41 e-community-domain-keys stanza 74 e-community-domain-keys:domain stanza 75 ecsso-token-attributes stanza 86 dont-reprocess-jct-404s junction stanza 127 double-byte-encoding server stanza 234 dsess-cluster-name dsess stanza 58 dsess-enabled session stanza 265 dsess-last-access-update-interval session stanza 265 dsess-sess-id-pool-size dsess stanza 58 dynamic-adi-entitlement-services aznapi-configuration stanza 26 dynurl-allow-large-posts server stanza 235 dynurl-map server stanza 235 e-community-name e-community-sso stanza 76 e-community-sso-auth e-community-sso stanza 77 eai-auth eai stanza 66 eai-auth-level-header eai stanza 67 eai-data certificate stanza 45 eai-flags-header eai stanza 67 eai-pac-header eai stanza 68 eai-pac-svc-header eai stanza 68 eai-redir-url-header eai stanza 69 eai-session-id-header eai stanza 69 eai-user-id-header eai stanza 70 eai-verify-user-identity eai stanza 70 eai-xattrs-header eai stanza 71 ec-cookie-domain e-community-sso stanza 77 ec-cookie-lifetime e-community-sso stanza 78 ecsso-allow-unauth e-community-sso stanza 78 ecsso-propagate-errors e-community-sso stanza 79 ecsso-token-attributes stanza 86 enable-duplicate-ssl-dn-not-found-msgs ssl stanza 284 enable-failover-cookie-for-domain failover stanza 88 enable-html-redirect acnt-mgt stanza 7 enable-ie6-2gb-downloads server stanza 236 enable-local-response-redirect acnt-mgt stanza 7 enable-passwd-warn acnt-mgt stanza 8 enable-secret-token-validation acnt-mgt stanza 9 enabled ldap stanza 160 enforce-max-sessions-policy session stanza 266 env-name system-environment-variables stanza 307 extension content-encodings stanza 54 failover-auth failover stanza 89 failover-cookie-lifetime failover stanza 89 failover-cookies-keyfile failover stanza 90 failover-include-session-id failover stanza 90 failover-require-activity-timestamp-validation failover stanza 91
failover-require-lifetime-timestamp-validation failover stanza 91 failover-update-cookie failover stanza 92 fed-id-param oauth-eas stanza 190 filter-nonhtml-as-xhtml server stanza 236 fips-mode-processing ssl stanza 285 flow-data-enabled flow-data stanza 102 flow-data-stats-interval flow-data stanza 103 flush-time logging stanza 173 force-tag-value-prefix server stanza 237 forms-auth forms stanza 104 fully_qualified_hostname cdsso-peers stanza 40 gmt-time logging stanza 174 gsk-attr-name dsess-cluster stanza 60 ssl stanza 285 tfim-cluster: cluster stanza 315 gsk-crl-cache-entry-lifetime ssl stanza 287 gsk-crl-cache-size ssl stanza 287 gso-cache-enabled gso-cache stanza 105 gso-cache-entry-idle-timeout gso-cache stanza 105 gso-cache-entry-lifetime gso-cache stanza 106 gso-cache-size gso-cache stanza 106 handle-auth-failure-at-mas e-community-sso stanza 79 handle-idle-timeout rtss-cluster:<cluster> stanza 218 tfim-cluster: cluster stanza 316 handle-pool-size [rtss-cluster:<cluster>] stanza 219 dsess-cluster stanza 61 tfim-cluster: cluster stanza 316 header filter-request-headers stanza 99 header_name session-http-headers stanza 278 header-data header-names stanza 107 help acnt-mgt stanza 10 host ldap stanza 161 host-header-in-request-log logging stanza 174 host-ip ssl-qop-mgmt-hosts stanza 303 hostname-junction-cookie script-filtering stanza 224 HTML_tag filter-events stanza 97 filter-url stanza 101 html-redirect acnt-mgt stanza 11 http server stanza 238 http-method-disabled-local server stanza 238 http-method-disabled-remote server stanza 239 http-port server stanza 239 http-rsp-header acnt-mgt stanza 10 http-timeout junction stanza 129 https server stanza 240 https-port server stanza 240 https-timeout junction stanza 130 ignore-missing-last-chunk server stanza 241 inactive-timeout session stanza 266 input-adi-xml-prolog aznapi-configuration stanza 26 insert-client-real-ip-for-option-r junction stanza 130 interface_name interfaces stanza 111
intra-connection-timeout server stanza 241 io-buffer-size junction stanza 131 server stanza 242 ip-support-level server stanza 242 ipaddr-auth ipaddr stanza 121 ipv6-support server stanza 243 is-enabled itim stanza 112 is-master cluster stanza 50 is-master-authn-server e-community-sso stanza 80 itim-server-name itim stanza 113 itim-servlet-context itim stanza 113 jct-cert-keyfile junction stanza 131 jct-cert-keyfile-pwd junction stanza 133 jct-cert-keyfile-stash junction stanza 132 jct-gsk-attr-name ssl stanza 288 jct-ltpa-cookie-name ltpa stanza 181 jct-ocsp-enable junction stanza 134 jct-ocsp-max-response-size junction stanza 134 jct-ocsp-nonce-check-enable junction stanza 135 jct-ocsp-nonce-generation-enable junction stanza 135 jct-ocsp-proxy-server-name junction stanza 136 jct-ocsp-proxy-server-port junction stanza 136 jct-ocsp-url junction stanza 137 jct-ssl-reneg-warning-rate junction stanza 137 jct-undetermined-revocation-cert-action junction stanza 138 jmt-map junction stanza 138 keydatabase-file itim stanza 114 keydatabase-password itim stanza 114 keydatabase-password-file itim stanza 115 keyfile ltpa stanza 182 late-lockout-notification server stanza 244 level authentication-levels stanza 22 listen-flags aznapi-configuration stanza 27 local-response-redirect-uri local-response-redirect stanza 170 log-invalid-requests logging stanza 175 logaudit aznapi-configuration stanza 27 logcfg aznapi-configuration stanza 28 logclientid aznapi-configuration stanza 28 logflush aznapi-configuration stanza 29 login acnt-mgt stanza 11 login-failures-persistent ldap stanza 162 login-redirect-page acnt-mgt stanza 12 login-success acnt-mgt stanza 13 logout acnt-mgt stanza 13 logout-remove-cookie session stanza 267 logsize aznapi-configuration stanza 30 ltpa-auth ltpa stanza 180, 182 ltpa-cache-enabled ltpa-cache stanza 184 ltpa-cache-entry-idle-timeout ltpa-cache stanza 184 ltpa-cache-entry-lifetime ltpa-cache stanza 185 ltpa-cache-size
ltpa-cache stanza 185 macro local-response-macros stanza 169 managed-cookies-list junction stanza 139 mangle-domain-cookies junction stanza 139 master-authn-server e-community-sso stanza 80 master-http-port e-community-sso stanza 81 master-https-port e-community-sso stanza 82 master-name cluster stanza 50 match-vhj-first junction stanza 140 max-cached-persistent-connections junction stanza 141 max-client-read server stanza 244 max-entries session stanza 268 max-file-cat-command-length server stanza 245 max-file-descriptors server stanza 245 max-idle-persistent-connections server stanza 246 max-search-size ldap stanza 162 entries (continued) max-size logging stanza 175 max-wait-time cluster stanza 51 max-webseal-header-size junction stanza 142 mime_type compress-mime-types stanza 51 MIME_type content-cache stanza 53 mode-param oauth-eas stanza 191 mpa mpa stanza 186 name e-community-domains stanza 74 preserve-cookie-names stanza 209 network-interface server stanza 247 network/netmask ssl-qop-mgmt-networks stanza 304 n-identifiable p3p-header stanza 197 obligation obligations-levels-mapping stanza 193 ocsp-enable ssl stanza 289 ocsp-max-response-size ssl stanza 290 ocsp-nce-check-enable ssl stanza 290 ocsp-nce-generation-enable ssl stanza 291 ocsp-proxy-server-name ssl stanza 291 ocsp-proxy-server-port ssl stanza 292 ocsp-url ssl stanza 292 one-time-token tfimsso: jct-id stanza 309 p3p-element p3p-header stanza 198 pam-coalescer-parameter PAM stanza 204 pam-disabled-issues PAM stanza 207 pam-enabled PAM stanza 202 pam-http-parameter PAM stanza 204 pam-log-audit-events PAM stanza 206 pam-log-cfg logging stanza 205 pam-max-memory PAM stanza 203 pam-resource-rule PAM stanza 207 pam-use-proxy-header PAM stanza 203 pass-http-only-cookie-atr junction stanza 142 336 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
passwd-change: acnt-mgt stanza 14
passwd-change-failure: acnt-mgt stanza 14
passwd-change-success: acnt-mgt stanza 15
passwd-expired: acnt-mgt stanza 15
passwd-warn: acnt-mgt stanza 16
passwd-warn-failure: acnt-mgt stanza 16
pattern: compress-user-agents stanza 52
permission-info-returned: aznapi-configuration stanza 30
persistent-con-timeout: junction stanza 143; server stanza 247
ping-method: junction stanza 144
ping-time: junction stanza 144
ping-uri: junction stanza 145
policy-attr-separator: aznapi-configuration stanza 31
policy-cache-size: aznapi-configuration stanza 31
policy-name: credential-policy-attributes stanza 56
port: ldap stanza 163
pre-410-compatible-tokens: server stanza 248
pre-510-compatible-token: server stanza 248
prefer-readwrite-server: ldap stanza 163
preserve-base-href: server stanza 249
preserve-base-href2: server stanza 249
preserve-p3p-policy: server stanza 250
preserve-xml-token: tfimsso:<jct-id> stanza 309
principal-name: itim stanza 116
principal-password: itim stanza 116
process-root-requests: server stanza 250
prompt-for-displacement: session stanza 268
propagate-cdmf-errors: cdsso stanza 38; e-community-sso stanza 82
purpose: p3p-header stanza 198
realm-name: oauth-eas stanza 192
reauth-at-any-level: reauthentication stanza 210
reauth-extend-lifetime: reauthentication stanza 211
reauth-for-inactive: reauthentication stanza 211
reauth-reset-lifetime: reauthentication stanza 212
recipient: p3p-header stanza 200
recovery-ping-time: junction stanza 145
redirect: enable-redirects stanza 87
redirect-to-root-for-pkms: acnt-mgt stanza 17
redirect-using-relative: server stanza 251
referers: logging stanza 176
register-authentication-failures: session stanza 269
reissue-missing-failover-cookie: failover stanza 92
reject-invalid-host-header: server stanza 252
reject-request-transfer-encodings: server stanza 252
remedies: p3p-header stanza 201
renewal-window: tfimsso:<jct-id> stanza 310
replica: ldap stanza 164
replica-set: replica-sets stanza 213
reprocess-root-jct-404s: junction stanza 146
request-body-max-read: server stanza 253
request-log-format: logging stanza 177
request-max-cache: server stanza 253
requests: logging stanza 176
require-mpa: session stanza 269
resend-webseal-cookies: session stanza 270
reset-cookies-list: junction stanza 147
resource-manager-provided-adi: aznapi-configuration stanza 32
response-by: dsess-cluster stanza 62
response-code-rules: junction stanza 147
retain-eai-session: eai stanza 72
retain-stepup-session: step-up stanza 305
retention: p3p-header stanza 202
rewrite-absolute-with-absolute: script-filtering stanza 224
root: process-root-filter stanza 210
rules-file: cert-map-authn stanza 47
scheme: filter-schemes stanza 100
script-filter: script-filtering stanza 225
search-timeout: ldap stanza 165
send-constant-sess: session stanza 270
send-header-ba-first: server stanza 254
send-header-spnego-first: server stanza 255
server: rtss-cluster:<cluster> stanza 219; dsess-cluster stanza 62; tfim-cluster:<cluster> stanza 317
server-log-cfg: logging stanza 178
server-name: server stanza 255
service-name: tfimsso:<jct-id> stanza 310
service-password-dn: itim stanza 117
service-source-dn: itim stanza 118
service-token-card-dn: itim stanza 119
servlet-port: itim stanza 120
session-activity-timestamp: failover-add-attributes stanza 94
session-lifetime-timestamp: failover-add-attributes stanza 94
share-cookies: junction stanza 148
shared-domain-cookie: session stanza 271
show-all-auth-prompts: step-up stanza 305
single-signoff-uri: acnt-mgt stanza 17
slash-before-query-on-redirect: server stanza 256
ssl-enabled: ldap stanza 165
ssl-fips-enabled: dsess-cluster stanza 63; rtss-cluster:<cluster> stanza 220; tfim-cluster:<cluster> stanza 317
ssl-id-sessions: session stanza 272
ssl-keyfile: rtss-cluster:<cluster> stanza 221; dsess-cluster stanza 64; ldap stanza 166; ssl stanza 293; tfim-cluster:<cluster> stanza 318
ssl-keyfile-dn: ldap stanza 166
ssl-keyfile-label: rtss-cluster:<cluster> stanza 221; dsess-cluster stanza 64; ssl stanza 293; tfim-cluster:<cluster> stanza 319
ssl-keyfile-pwd: ldap stanza 167; ssl stanza 294
ssl-keyfile-stash: rtss-cluster:<cluster> stanza 222; ssl stanza 294; tfim-cluster:<cluster> stanza 319
ssl-local-domain: ssl stanza 295
ssl-max-entries: ssl stanza 295
ssl-port: ldap stanza 167
ssl-qop-mgmt: ssl-qop stanza 301
ssl-session-cookie-name: session stanza 272
ssl-v2-timeout: ssl stanza 296
ssl-v3-timeout: ssl stanza 297
ssl-valid-server-dn: dsess-cluster stanza 65; rtss-cluster:<cluster> stanza 223; tfim-cluster:<cluster> stanza 320
standard-junction-replica-set: session stanza 273
step-up-at-higher-level: step-up stanza 306
stepup-login: acnt-mgt stanza 18
strip-www-authenticate-headers: server stanza 257
substring: illegal-url-substrings stanza 111
support-virtual-host-domain-cookies: junction stanza 149
suppress-backend-server-identity: server stanza 257
suppress-client-ssl-errors: ssl stanza 297
suppress-dynurl-parsing-of-posts: server stanza 258
suppress-server-identity: server stanza 258
switch-user: acnt-mgt stanza 19
tag-value-missing-attr-tag: server stanza 259
tcp-session-cookie-name: session stanza 273
temp-cache-response: acnt-mgt stanza 19
temp-session-cookie-name: session stanza 274
temp-session-max-lifetime: session stanza 274
terminate-on-reauth-lockout: reauthentication stanza 212
tfim-cluster-name: tfimsso:<jct-id> stanza 311
timeout: rtss-cluster:<cluster> stanza 223; dsess-cluster stanza 66; ldap stanza 168; session stanza 275; tfim-cluster:<cluster> stanza 321
token-collection-size: tfimsso:<jct-id> stanza 311
token-transmit-name: tfimsso:<jct-id> stanza 313
token-transmit-type: tfimsso:<jct-id> stanza 313
token-type: tfimsso:<jct-id> stanza 312
too-many-sessions: acnt-mgt stanza 20
trace-component: oauth-eas stanza 192; rtss-eas stanza 217
trigger: eai-trigger-urls stanza 72, 73
type: content-index-icons stanza 55; filter-content-types stanza 96
unauthorized-rsp-file: oauth-eas stanza 193
undetermined-revocation-cert-action: ssl stanza 298
update-session-cookie-in-login-request: session stanza 275
use-existing-username-macro-in-custom-redirects: server stanza 259
use-filename-for-pkmslogout: acnt-mgt stanza 21
use-full-dn: ltpa stanza 183
use-http-only-cookies: server stanza 260
use-new-stateful-on-error: junction stanza 149
use-restrictive-logout-filenames: acnt-mgt stanza 20
use-same-session: session stanza 277
use-utf8: cdsso stanza 38; e-community-sso stanza 83; failover stanza 93
user-and-group-in-same-suffix: ldap stanza 169
user-session-ids: session stanza 276
user-session-ids-include-replica-set: session stanza 277
utf8-form-support-enabled: server stanza 261
utf8-qstring-support-enabled: server stanza 261
utf8-template-macros-enabled: content stanza 53
utf8-url-support-enabled: server stanza 262
validate-backend-domain-cookies: junction stanza 150
validate-query-as-ga: server stanza 262
verify-step-up-user: step-up stanza 306
vf-argument: e-community-sso stanza 83
vf-token-lifetime: e-community-sso stanza 84
vf-url: e-community-sso stanza 84
web-host-name: server stanza 263
web-http-port: server stanza 263
web-http-protocol: server stanza 264
webseal-cert-keyfile: ssl stanza 298
webseal-cert-keyfile-label: ssl stanza 299
webseal-cert-keyfile-pwd: ssl stanza 299
webseal-cert-keyfile-sni: ssl stanza 300
webseal-cert-keyfile-stash: ssl stanza 301
worker-thread-hard-limit: junction stanza 151
worker-thread-soft-limit: junction stanza 151
worker-threads: server stanza 264
xsl-stylesheet-prolog: aznapi-configuration stanza 33
entries, dsess-cluster stanza: handle-idle-timeout 61; ssl-keyfile-stash 65
env-name stanza entry: system-environment-variables stanza 307
exclude stanza entry: cfg-db-cmd:entries stanza 48
extension stanza entry: content-encodings stanza 54
F
failover stanza 87: clean-ecsso-urls-for-failover entry 87; enable-failover-cookie-for-domain entry 88; failover-auth entry 89; failover-cookie-lifetime entry 89; failover-cookies-keyfile entry 90; failover-include-session-id entry 90; failover-require-activity-timestamp-validation entry 91; failover-require-lifetime-timestamp-validation entry 91; failover-update-cookie entry 92; reissue-missing-failover-cookie entry 92; use-utf8 entry 93
failover-add-attributes stanza 93: attribute_pattern entry 93; session-activity-timestamp entry 94; session-lifetime-timestamp entry 94
failover-auth stanza entry: failover stanza 89
failover-cookie-lifetime stanza entry: failover stanza 89
failover-cookies-keyfile stanza entry: failover stanza 90
failover-include-session-id stanza entry: failover stanza 90
failover-require-activity-timestamp-validation stanza entry: failover stanza 91
failover-require-lifetime-timestamp-validation stanza entry: failover stanza 91
failover-restore-attributes stanza 95: attribute_pattern entry 95, 96
failover-update-cookie stanza entry: failover stanza 92
fed-id-param stanza entry: oauth-eas stanza 190
Federal Information Processing Standards (FIPS): ssl-fips-enabled stanza entry 63
files, include: cfg-db-cmd:files stanza 49
filter-content-types stanza 96: type entry 96
filter-events stanza 97: HTML_tag entry 97
filter-nonhtml-as-xhtml stanza entry: server stanza 236
filter-request-headers stanza 99: header entry 99
filter-schemes stanza 100: scheme entry 100
filter-url stanza 101: HTML_tag entry 101
FIPS (Federal Information Processing Standards): ssl-fips-enabled stanza entry 63
fips-mode-processing stanza entry: ssl stanza 285
flow-data stanza 102: flow-data-enabled entry 102; flow-data-stats-interval entry 103
flow-data-enabled stanza entry: flow-data stanza 102
flow-data-stats-interval stanza entry: flow-data stanza 103
flush-time stanza entry: logging stanza 173
force-tag-value-prefix stanza entry: server stanza 237
forms stanza 103: allow-empty-form-fields entry 103; forms-auth entry 104
forms-auth stanza entry: forms stanza 104
fully_qualified_hostname stanza entry: cdsso-peers stanza 40
G
gmt-time stanza entry: logging stanza 174
gsk-attr-name stanza entry: dsess-cluster stanza 60; ssl stanza 285; tfim-cluster:<cluster> stanza 315
gsk-crl-cache-entry-lifetime stanza entry: ssl stanza 287
gsk-crl-cache-size stanza entry: ssl stanza 287
gskcapicmd xii
gskikm.jar xii
GSKit documentation xii
gso-cache stanza 105: gso-cache-enabled entry 105; gso-cache-entry-idle-timeout entry 105; gso-cache-entry-lifetime entry 106; gso-cache-size entry 106
gso-cache-enabled stanza entry: gso-cache stanza 105
gso-cache-entry-idle-timeout stanza entry: gso-cache stanza 105
gso-cache-entry-lifetime stanza entry: gso-cache stanza 106
gso-cache-size stanza entry: gso-cache stanza 106
H
handle-auth-failure-at-mas stanza entry: e-community-sso stanza 79
handle-idle-timeout stanza entry: dsess-cluster stanza 61; tfim-cluster:<cluster> stanza 316; xacml-cluster:<cluster> stanza 218
handle-pool-size stanza entry: dsess-cluster stanza 61; tfim-cluster:<cluster> stanza 316; xacml-cluster:<cluster> stanza 219
header stanza entry: filter-request-headers stanza 99
header_name stanza entry: session-http-headers stanza 278
header-data stanza entry: header-names stanza 107
header-names stanza 107: header-data entry 107
help stanza entry: acnt-mgt stanza 10
host stanza entry: ldap stanza 161
host-header-in-request-log stanza entry: logging stanza 174
host-ip stanza entry: ssl-qop-mgmt-hosts stanza 303
hostname-junction-cookie stanza entry: script-filtering stanza 224
HTML_tag stanza entry: filter-events stanza 97; filter-url stanza 101
html-redirect stanza entry: acnt-mgt stanza 11
http stanza entry: server stanza 238
http-method-disabled-local stanza entry: server stanza 238
http-method-disabled-remote stanza entry: server stanza 239
http-port stanza entry: server stanza 239
http-rsp-header stanza entry: acnt-mgt stanza 10
http-timeout stanza entry: junction stanza 129
http-transformations stanza 108: resource-name entry 108
https stanza entry: server stanza 240
https-port stanza entry: server stanza 240
https-timeout stanza entry: junction stanza 130
I
IBM: Software Support xiv; Support Assistant xiv
icap stanza 109
ICAP stanza 109, 110
ICAP:<resource> stanza 109, 110
ignore-missing-last-chunk stanza entry: server stanza 241
ikeyman xii
illegal-url-substrings stanza 111: substring entry 111
inactive-timeout stanza entry: session stanza 266
include stanza entry: cfg-db-cmd:files stanza 49
input-adi-xml-prolog stanza entry: aznapi-configuration stanza 26
insert-client-real-ip-for-option-r stanza entry: junction stanza 130
interface_name stanza entry: interfaces stanza 111
interfaces stanza 111: interface_name entry 111
internet content adaptation protocol 109, 110
intra-connection-timeout stanza entry: server stanza 241
io-buffer-size stanza entry: junction stanza 131; server stanza 242
ip-support-level stanza entry: server stanza 242
ipaddr stanza: ipaddr-auth entry 121
ipaddr-auth stanza entry: ipaddr stanza 121
ipv6-support stanza entry: server stanza 243
is-enabled stanza entry: itim stanza 112
is-master stanza entry: cluster stanza 50
is-master-authn-server stanza entry: e-community-sso stanza 80
itim stanza 112: is-enabled entry 112; itim-server-name entry 113; itim-servlet-context entry 113; keydatabase-file entry 114; keydatabase-password entry 114; keydatabase-password-file entry 115; principal-name entry 116; principal-password entry 116; service-password-dn entry 117; service-source-dn entry 118; service-token-card-dn entry 119; servlet-port entry 120
itim-server-name stanza entry: itim stanza 113
itim-servlet-context stanza entry: itim stanza 113
J
jct-cert-keyfile stanza entry: junction stanza 131
jct-cert-keyfile-pwd stanza entry: junction stanza 133
jct-cert-keyfile-stash stanza entry: junction stanza 132
jct-gsk-attr-name stanza entry: ssl stanza 288
jct-ltpa-cookie-name stanza entry: ltpa stanza 181
jct-ocsp-enable stanza entry: junction stanza 134
jct-ocsp-max-response-size stanza entry: junction stanza 134
jct-ocsp-nonce-check-enable stanza entry: junction stanza 135
jct-ocsp-nonce-generation-enable stanza entry: junction stanza 135
jct-ocsp-proxy-server-name stanza entry: junction stanza 136
jct-ocsp-proxy-server-port stanza entry: junction stanza 136
jct-ocsp-url stanza entry: junction stanza 137
jct-ssl-reneg-warning-rate stanza entry: junction stanza 137
jct-undetermined-revocation-cert-action stanza entry: junction stanza 138
jdb-cmd:replace stanza 121
jmt-map stanza entry: junction stanza 138
junction stanza 121: allow-backend-domain-cookies entry 121, 128; basicauth-dummy-passwd entry 122; crl-ldap-server entry 122; crl-ldap-server-port entry 123; crl-ldap-user entry 124; crl-ldap-user-password entry 124; disable-ssl-v2 entry 125; disable-ssl-v3 entry 125; disable-tls-v1 entry 126; disable-tls-v11 entry 126; disable-tls-v12 entry 127; dont-reprocess-jct-404s entry 127; http-timeout entry 129; https-timeout entry 130; insert-client-real-ip-for-option-r entry 130; io-buffer-size entry 131; jct-cert-keyfile entry 131; jct-cert-keyfile-pwd entry 133; jct-cert-keyfile-stash entry 132; jct-ocsp-enable entry 134; jct-ocsp-max-response-size entry 134; jct-ocsp-nonce-check-enable entry 135; jct-ocsp-nonce-generation-enable entry 135; jct-ocsp-proxy-server-name entry 136; jct-ocsp-proxy-server-port entry 136; jct-ocsp-url entry 137; jct-ssl-reneg-warning-rate entry 137; jct-undetermined-revocation-cert-action entry 138; jmt-map entry 138; managed-cookies-list entry 139; mangle-domain-cookies entry 139; match-vhj-first entry 140; max-cached-persistent-connections entry 141; max-webseal-header-size entry 142; pass-http-only-cookie-atr entry 142; persistent-con-timeout entry 143; ping-method entry 144; ping-time entry 144; ping-uri entry 145; recovery-ping-time entry 145; reprocess-root-jct-404s entry 146; reset-cookies-list entry 147; response-code-rules entry 147; share-cookies entry 148; support-virtual-host-domain-cookies entry 149; use-new-stateful-on-error entry 149; validate-backend-domain-cookies entry 150; worker-thread-hard-limit entry 151; worker-thread-soft-limit entry 151
junction:<junction_name> stanza 152
K
key xii
keydatabase-file stanza entry: itim stanza 114
keydatabase-password stanza entry: itim stanza 114
keydatabase-password-file stanza entry: itim stanza 115
keyfile stanza entry: ltpa stanza 182
L
late-lockout-notification stanza entry: server stanza 244
LDAP server on z/OS xii
ldap stanza 153: auth-timeout entry 153; auth-using-compare entry 153; bind-dn entry 154; bind-pwd entry 154; cache-enabled entry 155; cache-group-expire-time entry 155; cache-group-membership entry 156; cache-group-size entry 156; cache-policy-expire-time entry 157; cache-policy-size entry 157; cache-return-registry-id entry 158; cache-use-user-cache entry 159; cache-user-expire-time entry 158; cache-user-size entry 159; default-policy-override-support entry 160; enabled entry 160; host entry 161; login-failures-persistent entry 162; max-search-size entry 162; port entry 163; prefer-readwrite-server entry 163; replica entry 164; search-timeout entry 165; ssl-enabled entry 165; ssl-keyfile entry 166; ssl-keyfile-dn entry 166; ssl-keyfile-pwd entry 167; ssl-port entry 167; timeout entry 168; user-and-group-in-same-suffix entry 169
level stanza entry: authentication-levels stanza 22
listen-flags stanza entry: aznapi-configuration stanza 27
local junctions: disable 152
local-response-macros stanza 169: macro entry 169
local-response-redirect stanza 170: local-response-redirect-uri entry 170
local-response-redirect-uri stanza entry: local-response-redirect stanza 170
log-invalid-requests stanza entry: logging stanza 175
logaudit stanza entry: aznapi-configuration stanza 27
logcfg stanza entry: aznapi-configuration stanza 28
logclientid stanza entry: aznapi-configuration stanza 28
logflush stanza entry: aznapi-configuration stanza 29
logging stanza 171: absolute-uri-in-request-log entry 171; agents entry 171; audit-mime-types entry 172; audit-response-codes entry 173; flush-time entry 173; gmt-time entry 174; host-header-in-request-log entry 174; log-invalid-requests entry 175; max-size entry 175; pam-log-cfg entry 205; referers entry 176; request-log-format entry 177; requests entry 176; server-log-cfg entry 178
login stanza entry: acnt-mgt stanza 11
login-failures-persistent stanza entry: ldap stanza 162
login-redirect-page stanza entry: acnt-mgt stanza 12
login-success stanza entry: acnt-mgt stanza 13
logout stanza entry: acnt-mgt stanza 13
logout-remove-cookie stanza entry: session stanza 267
logsize stanza entry: aznapi-configuration stanza 30
ltpa stanza 180: cookie-domain entry 181; cookie-name entry 180; jct-ltpa-cookie-name entry 181; keyfile entry 182; ltpa-auth entry 180, 182; use-full-dn entry 183
ltpa-auth stanza entry: ltpa stanza 180, 182
ltpa-cache stanza 184: ltpa-cache-enabled entry 184; ltpa-cache-entry-idle-timeout entry 184; ltpa-cache-entry-lifetime entry 185; ltpa-cache-size entry 185
ltpa-cache-enabled stanza entry: ltpa-cache stanza 184
ltpa-cache-entry-idle-timeout stanza entry: ltpa-cache stanza 184
ltpa-cache-entry-lifetime stanza entry: ltpa-cache stanza 185
ltpa-cache-size stanza entry: ltpa-cache stanza 185
M
macro stanza entry: local-response-macros stanza 169
managed-cookies-list stanza entry: junction stanza 139
mangle-domain-cookies stanza entry: junction stanza 139
master-authn-server stanza entry: e-community-sso stanza 80
master-http-port stanza entry: e-community-sso stanza 81
master-https-port stanza entry: e-community-sso stanza 82
master-name stanza entry: cluster stanza 50
match-vhj-first stanza entry: junction stanza 140
max-cached-persistent-connections stanza entry: junction stanza 141
max-client-read stanza entry: server stanza 244
max-entries stanza entry: session stanza 268
max-file-cat-command-length stanza entry: server stanza 245
max-file-descriptors stanza entry: server stanza 245
max-idle-persistent-connections stanza entry: server stanza 246
max-search-size stanza entry: ldap stanza 162
max-size stanza entry: logging stanza 175
max-wait-time stanza entry: cluster stanza 51
max-webseal-header-size stanza entry: junction stanza 142
mime_type stanza entry: compress-mime-types stanza 51
MIME_type stanza entry: content-cache stanza 53
mode-param stanza entry: oauth-eas stanza 191
mpa stanza 186: mpa entry 186
mpa stanza entry: mpa stanza 186
N
name stanza entry: e-community-domains stanza 74; preserve-cookie-names stanza 209
network-interface stanza entry: server stanza 247
network/netmask stanza entry: ssl-qop-mgmt-networks stanza 304
non-identifiable stanza entry: p3p-header stanza 197
O
oauth-eas stanza 186: apply-tam-native-policy entry 186; bad-gateway-rsp-file entry 187; bad-request-rsp-file entry 187; cache-size entry 188; cluster-name entry 189; default-fed-id entry 189; default-mode entry 190; fed-id-param entry 190; mode-param entry 191; realm-name entry 192; trace-component entry 192; unauthorized-rsp-file entry 193
obligation stanza entry: obligations-levels-mapping stanza 193
obligations-levels-mapping stanza 193: obligation entry 193
ocsp-enable stanza entry: ssl stanza 289
ocsp-max-response-size stanza entry: ssl stanza 290
ocsp-nonce-check-enable stanza entry: ssl stanza 290
ocsp-nonce-generation-enable stanza entry: ssl stanza 291
ocsp-proxy-server-name stanza entry: ssl stanza 291
ocsp-proxy-server-port stanza entry: ssl stanza 292
ocsp-url stanza entry: ssl stanza 292
one-time-token stanza entry: tfimsso:<jct-id> stanza 309
online: publications ix; terminology ix
P
p3p-element stanza entry: p3p-header stanza 198
p3p-header stanza 194: access entry 194; categories entry 195; disputes entry 197; non-identifiable entry 197; p3p-element entry 198; purpose entry 198; recipient entry 200; remedies entry 201; retention entry 202
PAM stanza 202: pam-coalescer-parameter entry 204; pam-disabled-issues entry 207; pam-enabled entry 202; pam-http-parameter entry 204; pam-log-audit-events entry 206; pam-max-memory entry 203; pam-resource-rule entry 207; pam-use-proxy-header entry 203
pam-coalescer-parameter stanza entry: PAM stanza 204
pam-disabled-issues stanza entry: PAM stanza 207
pam-enabled stanza entry: PAM stanza 202
pam-http-parameter stanza entry: PAM stanza 204
pam-log-audit-events stanza entry: PAM stanza 206
pam-log-cfg stanza entry: logging stanza 205
pam-max-memory stanza entry: PAM stanza 203
pam-resource-rule entry: PAM stanza 207
pam-resource:<uri> stanza 208: pam-issue entry 208
pam-use-proxy-header stanza entry: PAM stanza 203
pass-http-only-cookie-atr stanza entry: junction stanza 142
passwd-change stanza entry: acnt-mgt stanza 14
passwd-change-failure stanza entry: acnt-mgt stanza 14
passwd-change-success stanza entry acnt-mgt stanza 15 passwd-expired stanza entry acnt-mgt stanza 15 passwd-warn stanza entry acnt-mgt stanza 16 passwd-warn-failure stanza entry acnt-mgt stanza 16 pattern stanza entry compress-user-agents stanza 52 permission-info-returned stanza entry aznapi-configuration stanza 30 persistent-con-timeout stanza entry junction stanza 143 server stanza 247 ping-method stanza entry junction stanza 144 ping-time stanza entry junction stanza 144 ping-uri stanza entry junction stanza 145 policy-attr-separator stanza entry aznapi-configuration stanza 31 policy-cache-size stanza entry aznapi-configuration stanza 31 policy-name stanza entry credential-policy-attributes stanza 56 port stanza entry ldap stanza 163 pre-410-compatible-tokens stanza entry server stanza 248 pre-510-compatible-token stanza entry server stanza 248 prefer-readwrite-server stanza entry ldap stanza 163 preserve-base-href stanza entry server stanza 249 preserve-base-href2 stanza entry server stanza 249 preserve-cookie-names stanza 209 name entry 209 preserve-p3p-policy stanza entry server stanza 250 preserve-xml-token stanza entry tfimsso: stanza 309 principal-name stanza entry itim stanza 116 principal-password stanza entry itim stanza 116 problem-determination xiv process-root-filter stanza 210 root entry 210 process-root-requests stanza entry server stanza 250 prompt-for-displacement stanza entry session stanza 268 propagate-cdmf-errors stanza entry cdsso stanza 38 e-community-sso stanza 82 publications accessing online ix list of for this product ix purpose stanza entry p3p-header stanza 198 R realm-name stanza entry oauth-eas stanza 192 reauth-at-any-level stanza entry reauthentication stanza 210 reauth-extend-lifetime stanza entry reauthentication stanza 211 reauth-for-inactive stanza entry reauthentication stanza 211 reauth-reset-lifetime stanza entry reauthentication stanza 212 reauthentication stanza 210 reauth-at-any-level entry 210 reauth-extend-lifetime 
entry 211 reauth-for-inactive entry 211 reauth-reset-lifetime entry 212 terminate-on-reauth-lockout entry 212 recipient stanza entry p3p-header stanza 200 recovery-ping-time stanza entry junction stanza 145 redirect stanza entry enable-redirects stanza 87 redirect-to-root-for-pkms stanza entry acnt-mgt stanza 17 redirect-using-relative stanza entry server stanza 251 referers stanza entry logging stanza 176 register-authentication-failures stanza entry session stanza 269 reissue-missing-failover-cookie stanza entry failover stanza 92 reject-invalid-host-header stanza entry server stanza 252 reject-request-transfer-encodings stanza entry server stanza 252 remedies stanza entry p3p-header stanza 201 renewal-window stanza entry tfimsso: stanza 310 replica stanza entry ldap stanza 164 replica-set stanza entry replica-sets stanza 213 replica-sets stanza 213 replica-set entry 213 reprocess-root-jct-404s stanza entry junction stanza 146 request-body-max-read stanza entry server stanza 253 request-log-format stanza entry logging stanza 177 request-max-cache stanza entry server stanza 253 requests stanza entry logging stanza 176 require-mpa stanza entry session stanza 269 resend-webseal-cookies stanza entry session stanza 270 reset-cookies-list stanza entry junction stanza 147 resource-manager-provided-adi stanza entry aznapi-configuration stanza 32 response-by stanza entry dsess-cluster stanza 62 response-code-rules entry junction stanza 147 retain-eai-session stanza entry eai stanza 72 retain-stepup-session stanza entry step-up stanza 305 retention stanza entry p3p-header stanza 202 rewrite-absolute-with-absolute stanza entry script-filtering stanza 224 root stanza entry process-root-filter stanza 210 rtss-eas stanza apply-tam-native-policy entry 214 audit-log-cfg entry 214 cluster-name entry 216 context-id entry 216 trace-component entry 217 rtss-eas stanza rtss-eas stanzas 213 rules-file stanza entry cert-map-authn stanza 47 S scheme stanza entry filter-schemes stanza 
100 script-filter stanza entry script-filtering stanza 225 script-filtering stanza 224 hostname-junction-cookie entry 224 rewrite-absolute-with-absolute entry 224 script-filter entry 225 search-timeout stanza entry ldap stanza 165 send-constant-sess stanza entry session stanza 270 send-header-ba-first stanza entry server stanza 254 send-header-spnego-first stanza entry server stanza 255 server stanza 226 allow-shift-jis-chars entry 226 allow-unauth-ba-supply 226 allow-unsolicited-logins 227 auth-challenge-type entry 227 cache-host-header entry 228 capitalize-content-length entry 229 chunk-responses entry 230 client-connect-timeout entry 230 concurrent-session-threads-hard-limit entry 231 concurrent-session-threads-soft-limit entry 231 connection-request-limit entry 232 cope-with-pipelined-request entry 232 decode-query entry 233 disable-timeout-reduction entry 233 double-byte-encoding entry 234 342 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
server stanza (continued) dynurl-allow-large-posts entry 235 dynurl-map entry 235 enable-ie6-2gb-downloads entry 236 filter-nhtml-as-xhtml entry 236 force-tag-value-prefix entry 237 http entry 238 http-method-disabled-local entry 238 http-method-disabled-remote entry 239 http-port entry 239 https entry 240 https-port entry 240 igre-missing-last-chunk entry 241 intra-connection-timeout entry 241 io-buffer-size entry 242 ip-support-level entry 242 ipv6-support entry 243 late-lockout-tification entry 244 max-client-read entry 244 max-file-cat-command-length entry 245 max-file-descriptors entry 245 max-idle-persistent-connections entry 246 network-interface entry 247 persistent-con-timeout entry 247 pre-410-compatible-tokens entry 248 pre-510-compatible-token entry 248 preserve-base-href entry 249 preserve-base-href2 entry 249 preserve-p3p-policy entry 250 process-root-requests entry 250 redirect-using-relative entry 251 reject-invalid-host-header entry 252 reject-request-transfer-encodings entry 252 request-body-max-read entry 253 request-max-cache entry 253 send-header-ba-first 254 send-header-spnego-first 255 server-name entry 255 slash-before-query-on-redirect entry 256 strip-www-authenticate-headers entry 257 suppress-backend-server-identity entry 257 suppress-dynurl-parsing-of-posts entry 258 suppress-server-identity entry 258 tag-value-missing-attr-tag entry 259 use-existing-username-macro-incustom-redirects entry 259 use-http-only-cookies entry 260 utf8-form-support-enabled entry 261 utf8-qstring-support-enabled entry 261 utf8-url-support-enabled entry 262 validate-query-as-ga entry 262 web-host-name entry 263 web-http-port entry 263 web-http-protocol entry 264 worker-threads entry 264 server stanza entry dsess-cluster stanza 62 server stanza entry (continued) tfim-cluster: cluster stanzacluster stanza 317 xacml-cluster: cluster stanzacluster>] stanza 219 server-log-cfg stanza entry logging stanza 178 server-name stanza entry server stanza 255 service-name 
stanza entry
  [tfimsso:<jct-id>] stanza 310
service-password-dn stanza entry
  itim stanza 117
service-source-dn stanza entry
  itim stanza 118
service-token-card-dn stanza entry
  itim stanza 119
servlet-port stanza entry
  itim stanza 120
session stanza 265
  dsess-enabled entry 265
  dsess-last-access-update-interval entry 265
  enforce-max-sessions-policy entry 266
  inactive-timeout entry 266
  logout-remove-cookie entry 267
  max-entries entry 268
  prompt-for-displacement entry 268
  register-authentication-failures entry 269
  require-mpa entry 269
  resend-webseal-cookies entry 270
  send-constant-sess entry 270
  shared-domain-cookie entry 271
  ssl-id-sessions entry 272
  ssl-session-cookie-name entry 272
  standard-junction-replica-set entry 273
  tcp-session-cookie-name entry 273
  temp-session-cookie-name entry 274
  temp-session-max-lifetime entry 274
  timeout entry 275
  update-session-cookie-in-login-request entry 275
  use-same-session entry 277
  user-session-ids entry 276
  user-session-ids-include-replica-set entry 277
session-activity-timestamp stanza entry
  failover-add-attributes stanza 94
session-cookie-domains stanza 278
  domain entry 278
session-http-headers stanza 278
  header_name entry 278
session-lifetime-timestamp stanza entry
  failover-add-attributes stanza 94
share-cookies stanza entry
  junction stanza 148
shared-domain-cookie stanza entry
  session stanza 271
show-all-auth-prompts stanza entry
  step-up stanza 305
single-signoff-uri stanza entry
  acnt-mgt stanza 17
slash-before-query-on-redirect stanza entry
  server stanza 256
ssl stanza 279
  base-crypto-library entry 279
  crl-ldap-server entry 279
  crl-ldap-server-port entry 280
  crl-ldap-user entry 281
  crl-ldap-user-password entry 281
  disable-ssl-v2 entry 282
  disable-ssl-v3 entry 282
  disable-tls-v1 entry 283
  disable-tls-v11 entry 283
  disable-tls-v12 entry 284
  enable-duplicate-ssl-dn-not-found-msgs entry 284
  fips-mode-processing entry 285
  gsk-attr-name entry 285
  gsk-crl-cache-entry-lifetime entry 287
  gsk-crl-cache-size entry 287
  jct-gsk-attr-name entry 288
  ocsp-enable entry 289
  ocsp-max-response-size entry 290
  ocsp-nonce-check-enable entry 290
  ocsp-nonce-generation-enable entry 291
  ocsp-proxy-server-name entry 291
  ocsp-proxy-server-port entry 292
  ocsp-url entry 292
  ssl-keyfile entry 293
  ssl-keyfile-label entry 293
  ssl-keyfile-pwd entry 294
  ssl-keyfile-stash entry 294
  ssl-local-domain entry 295
  ssl-max-entries entry 295
  ssl-v2-timeout entry 296
  ssl-v3-timeout entry 297
  suppress-client-ssl-errors entry 297
  undetermined-revocation-cert-action entry 298
  webseal-cert-keyfile entry 298
  webseal-cert-keyfile-label entry 299
  webseal-cert-keyfile-pwd entry 299
  webseal-cert-keyfile-sni entry 300
  webseal-cert-keyfile-stash entry 301
ssl-enabled stanza entry
  ldap stanza 165
ssl-fips-enabled stanza entry
  dsess-cluster stanza 63
  [tfim-cluster:<cluster>] stanza 317
  [xacml-cluster:<cluster>] stanza 220
ssl-id-sessions stanza entry
  session stanza 272
ssl-keyfile stanza entry
  dsess-cluster stanza 64
  ldap stanza 166
  ssl stanza 293
  [tfim-cluster:<cluster>] stanza 318
  [xacml-cluster:<cluster>] stanza 221
ssl-keyfile-dn stanza entry
  ldap stanza 166
ssl-keyfile-label stanza entry
  dsess-cluster stanza 64
  ssl stanza 293
ssl-keyfile-label stanza entry (continued)
  [tfim-cluster:<cluster>] stanza 319
  [xacml-cluster:<cluster>] stanza 221
ssl-keyfile-pwd stanza entry
  ldap stanza 167
  ssl stanza 294
ssl-keyfile-stash stanza entry
  dsess-cluster stanza 65
  ssl stanza 294
  [tfim-cluster:<cluster>] stanza 319
  [xacml-cluster:<cluster>] stanza 222
ssl-local-domain stanza entry
  ssl stanza 295
ssl-max-entries stanza entry
  ssl stanza 295
ssl-port stanza entry
  ldap stanza 167
ssl-qop stanza 301
  ssl-qop-mgmt entry 301
ssl-qop-mgmt stanza entry
  ssl-qop stanza 301
ssl-qop-mgmt-default stanza 302
  default entry 302
ssl-qop-mgmt-hosts stanza 303
  host-ip entry 303
ssl-qop-mgmt-networks stanza 304
  network/netmask entry 304
ssl-session-cookie-name stanza entry
  session stanza 272
ssl-v2-timeout stanza entry
  ssl stanza 296
ssl-v3-timeout stanza entry
  ssl stanza 297
ssl-valid-server-dn stanza entry
  dsess-cluster stanza 65
  [tfim-cluster:<cluster>] stanza 320
  [xacml-cluster:<cluster>] stanza 223
standard-junction-replica-set stanza entry
  session stanza 273
stanza
  [ICAP:<resource>] 110
  [tfim-cluster:<cluster>] 314
  [xacml-cluster:<cluster>] 217
Stanza
  [ICAP:<resource>] 109
stanza cluster 218
stanza entry 40, 48, 86
stanza reference 1
stanzas
  acnt-mgt 1
  auth-cookies 21
  authentication-levels 22
  azn-decision-info 33
  aznapi-configuration 23
  ba 34
  cdsso 35
  cdsso-incoming-attributes 39
  cdsso-peers 40
  cdsso-token-attributes 40
  cert-map-authn 47
  certificate 42
  cfg-db-cmd:entries 48
  cfg-db-cmd:files 49
  cluster 49
  compress-mime-types 51
  compress-user-agents 52
  content 53
  content-cache 53
  content-encodings 54
  content-index-icons 55
  credential-policy-attributes 56
  credential-refresh-attributes 57
  dsess 58
  dsess-cluster 59
  e-community-domain-keys 74
  e-community-domain-keys:domain 75
  e-community-domains 74
  e-community-sso 75
  eai 66
  eai-trigger-urls 72
  ecsso-incoming-attributes 85
  ecsso-token-attributes 86
  enable-redirects 87
  failover 87
  failover-add-attributes 93
  failover-restore-attributes 95
  filter-content-types 96
  filter-events 97
  filter-request-headers 99
  filter-schemes 100
  filter-url 101
  flow-data 102
  forms 103
  gso-cache 105
  header-names 107
  http-transformations 108
  icap 109
  illegal-url-substrings 111
  interfaces 111
  itim 112
  junction 121
  junction:junction_name 152
  ldap 153
  local-response-macros 169
  local-response-redirect 170
  logging 171
  ltpa 180
  ltpa-cache 184
  mpa 186
  oauth-eas 186
  obligations-levels-mapping 193
  p3p-header 194
  PAM 202
  pam-resource:<uri> 208
  preserve-cookie-names 209
  process-root-filter 210
  reauthentication 210
  replica-sets 213
  script-filtering 224
  server 226
  session 265
  session-cookie-domains 278
  session-http-headers 278
  ssl 279
  ssl-qop 301
  ssl-qop-mgmt-default 302
  ssl-qop-mgmt-hosts 303
  ssl-qop-mgmt-networks 304
  step-up 305
  system-environment-variables 307
  tfimsso:<jct-id> 308
  uraf-registry 321
  user-agent 324
step-up stanza 305
  retain-stepup-session entry 305
  show-all-auth-prompts entry 305
  step-up-at-higher-level entry 306
  verify-step-up-user entry 306
step-up-at-higher-level stanza entry
  step-up stanza 306
stepup-login stanza entry
  acnt-mgt stanza 18
strip-www-authenticate-headers stanza entry
  server stanza 257
substring stanza entry
  illegal-url-substrings stanza 111
support-virtual-host-domain-cookies stanza entry
  junction stanza 149
suppress-backend-server-identity stanza entry
  server stanza 257
suppress-client-ssl-errors stanza entry
  ssl stanza 297
suppress-dynurl-parsing-of-posts stanza entry
  server stanza 258
suppress-server-identity stanza entry
  server stanza 258
switch-user stanza entry
  acnt-mgt stanza 19
system-environment-variables stanza 307
  env-name entry 307

T

tag-value-missing-attr-tag stanza entry
  server stanza 259
tcp-session-cookie-name stanza entry
  session stanza 273
temp-cache-response stanza entry
  acnt-mgt stanza 19
temp-session-cookie-name stanza entry
  session stanza 274
temp-session-max-lifetime stanza entry
  session stanza 274
terminate-on-reauth-lockout stanza entry
  reauthentication stanza 212
terminology ix
tfim-cluster-name stanza entry
  [tfimsso:<jct-id>] stanza 311
[tfim-cluster:<cluster>] stanza 314
  basic-auth-passwd entry 314
  basic-auth-user entry 314
  gsk-attr-name entry 315
  handle-idle-timeout entry 316
  handle-pool-size entry 316
  server entry 317
  ssl-fips-enabled entry 317
  ssl-keyfile entry 318
  ssl-keyfile-label entry 319
  ssl-keyfile-stash entry 319
  ssl-valid-server-dn entry 320
  timeout entry 321
[tfimsso:<jct-id>] stanza 308
  always-send-tokens entry 308
  applies-to entry 308
  one-time-token entry 309
  preserve-xml-token entry 309
  renewal-window entry 310
  service-name entry 310
  tfim-cluster-name entry 311
  token-collection-size entry 311
  token-transmit-name entry 313
  token-transmit-type entry 313
  token-type entry 312
timeout stanza entry
  dsess-cluster stanza 66
  ldap stanza 168
  session stanza 275
  [tfim-cluster:<cluster>] stanza 321
  [xacml-cluster:<cluster>] stanza 223
Tivoli Directory Integrator xii
Tivoli Directory Server xii
token-collection-size stanza entry
  [tfimsso:<jct-id>] stanza 311
token-transmit-name stanza entry
  [tfimsso:<jct-id>] stanza 313
token-transmit-type stanza entry
  [tfimsso:<jct-id>] stanza 313
token-type stanza entry
  [tfimsso:<jct-id>] stanza 312
too-many-sessions stanza entry
  acnt-mgt stanza 20
trace-component stanza entry
  oauth-eas stanza 192
  rtss-eas stanza 217
training xiv
trigger stanza entry
  eai-trigger-urls stanza 72, 73
troubleshooting xiv
type stanza entry
  content-index-icons stanza 55
  filter-content-types stanza 96

U

unauthorized-rsp-file stanza entry
  oauth-eas stanza 193
undetermined-revocation-cert-action stanza entry
  ssl stanza 298
update-session-cookie-in-login-request stanza entry
  session stanza 275
uraf-registry stanza 321
  bind-id entry 321
  cache-lifetime entry 322
  cache-mode entry 322
  cache-size entry 323
use-existing-username-macro-in-customredirects stanza entry
  server stanza 259
use-filename-for-pkmslogout stanza entry
  acnt-mgt stanza 21
use-full-dn stanza entry
  ltpa stanza 183
use-http-only-cookies stanza entry
  server stanza 260
use-new-stateful-on-error stanza entry
  junction stanza 149
use-restrictive-logout-filenames stanza entry
  acnt-mgt stanza 20
use-same-session stanza entry
  session stanza 277
use-utf8 stanza entry
  cdsso stanza 38
  e-community-sso stanza 83
  failover stanza 93
user-agent stanza 324
  user-agent entry 324
user-and-group-in-same-suffix stanza entry
  ldap stanza 169
user-session-ids stanza entry
  session stanza 276
user-session-ids-include-replica-set stanza entry
  session stanza 277
utf8-form-support-enabled stanza entry
  server stanza 261
utf8-qstring-support-enabled stanza entry
  server stanza 261
utf8-template-macros-enabled stanza entry
  content stanza 53
utf8-url-support-enabled stanza entry
  server stanza 262

V

validate-backend-domain-cookies stanza entry
  junction stanza 150
validate-query-as-ga stanza entry
  server stanza 262
verify-step-up-user stanza entry
  step-up stanza 306
vf-argument stanza entry
  e-community-sso stanza 83
vf-token-lifetime stanza entry
  e-community-sso stanza 84
vf-url stanza entry
  e-community-sso stanza 84

W

web-host-name stanza entry
  server stanza 263
web-http-port stanza entry
  server stanza 263
web-http-protocol stanza entry
  server stanza 264
webseal-cert-keyfile stanza entry
  ssl stanza 298
webseal-cert-keyfile-label stanza entry
  ssl stanza 299
webseal-cert-keyfile-pwd stanza entry
  ssl stanza 299
webseal-cert-keyfile-sni stanza entry
  ssl stanza 300
webseal-cert-keyfile-stash stanza entry
  ssl stanza 301
WebSphere Application Server Network Deployment xii
WebSphere eXtreme Scale xii
worker-thread-hard-limit stanza entry
  junction stanza 151
worker-thread-soft-limit stanza entry
  junction stanza 151
worker-threads stanza entry
  server stanza 264

X

[xacml-cluster:<cluster>] stanza 217
  basic-auth-passwd entry 218
  basic-auth-user entry 217
  handle-idle-timeout entry 218
  handle-pool-size entry 219
  server entry 219
  ssl-fips-enabled entry 220
  ssl-keyfile entry 221
  ssl-keyfile-label entry 221
  ssl-keyfile-stash entry 222
  ssl-valid-server-dn entry 223
  timeout entry 223
xsl-stylesheet-prolog stanza entry
  aznapi-configuration stanza 33
Printed in USA SC27-4443-01