
IBM Security Access Manager Version 7.0

WebSEAL Configuration Stanza Reference

SC27-4442-01


Note: Before using this information and the product it supports, read the information in “Notices” on page 359.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this publication . . . ix
    Intended audience . . . ix
    Access to publications and terminology . . . ix
    Related publications . . . xii
    Accessibility . . . xiv
    Technical training . . . xiv
    Support information . . . xiv

Stanza reference . . . 1

[acnt-mgt] stanza . . . 1
    account-expiry-notification . . . 1
    account-inactivated . . . 1
    account-locked . . . 2
    allow-unauthenticated-logout . . . 3
    allowed-referers . . . 3
    cert-failure . . . 4
    cert-stepup-http . . . 5
    certificate-login . . . 5
    change-password-auth . . . 6
    client-notify-tod . . . 6
    enable-html-redirect . . . 7
    enable-local-response-redirect . . . 8
    enable-passwd-warn . . . 8
    enable-secret-token-validation . . . 9
    help . . . 10
    http-rsp-header . . . 10
    html-redirect . . . 11
    login . . . 11
    login-redirect-page . . . 12
    login-success . . . 13
    logout . . . 14
    mgt-pages-root . . . 14
    next-token . . . 15
    passwd-change . . . 15
    passwd-change-failure . . . 15
    passwd-change-success . . . 16
    passwd-expired . . . 16
    passwd-warn . . . 17
    passwd-warn-failure . . . 17
    redirect-to-root-for-pkms . . . 18
    single-signoff-uri . . . 19
    stepup-login . . . 19
    switch-user . . . 20
    temp-cache-response . . . 20
    token-login . . . 21
    too-many-sessions . . . 21
    use-restrictive-logout-filenames . . . 22
    use-filename-for-pkmslogout . . . 22

[amwebars] stanza . . . 23
    service-url . . . 23

[arm] stanza . . . 23
    accept-correlators . . . 23
    app-group . . . 24
    app-instance . . . 25
    correlator-header . . . 25
    enable-arm . . . 26
    library . . . 26
    report-transactions . . . 27

[auth-cookies] stanza . . . 27
    cookie . . . 27

[auth-headers] stanza . . . 28
    header . . . 28

[authentication-levels] stanza . . . 28
    level . . . 28

[authentication-mechanisms] stanza . . . 29
    cert-ldap . . . 29
    cert-ssl . . . 30
    cred-ext-attrs . . . 31
    ext-auth-interface . . . 31
    failover-cdsso . . . 32
    failover-certificate . . . 32
    failover-ext-auth-interface . . . 33
    failover-http-request . . . 33
    failover-kerberosv5 . . . 33
    failover-password . . . 34
    failover-token-card . . . 34
    http-request . . . 35
    kerberosv5 . . . 35
    ltpa . . . 36
    passwd-cdas . . . 36
    passwd-ldap . . . 37
    passwd-strength . . . 37
    passwd-uraf . . . 38
    post-pwdchg-process . . . 38
    sso-consume . . . 39
    sso-create . . . 39
    su-cdsso . . . 40
    su-certificate . . . 40
    su-http-request . . . 40
    su-kerberosv5 . . . 41
    su-passwd . . . 41
    su-token-card . . . 42
    token-cdas . . . 42

[aznapi-configuration] stanza . . . 43
    audit-attribute . . . 43
    auditcfg . . . 43
    auditlog . . . 44
    cache-refresh-interval . . . 45
    cred-attribute-entitlement-services . . . 45
    db-file . . . 46
    dynamic-adi-entitlement-services . . . 46
    input-adi-xml-prolog . . . 47
    listen-flags . . . 47
    logaudit . . . 48
    logclientid . . . 48
    logcfg . . . 49
    logflush . . . 50
    logsize . . . 50
    permission-info-returned . . . 51
    policy-attr-separator . . . 51
    policy-cache-size . . . 52

    resource-manager-provided-adi . . . 53
    service-id . . . 53
    xsl-stylesheet-prolog . . . 54

[aznapi-entitlement-services] stanza . . . 54
    service-id . . . 54

[aznapi-external-authzn-services] stanza . . . 55
    policy-trigger . . . 55

[azn-decision-info] stanza . . . 57
    azn-decision-info . . . 57

[ba] stanza . . . 58
    ba-auth . . . 58
    basic-auth-realm . . . 59

[cdsso] stanza . . . 59
    authtoken-lifetime . . . 59
    cdsso-argument . . . 60
    cdsso-auth . . . 60
    cdsso-create . . . 61
    clean-cdsso-urls . . . 61
    propagate-cdmf-errors . . . 62
    use-utf8 . . . 62

[cdsso-incoming-attributes] stanza . . . 63
    attribute_pattern . . . 63

[cdsso-peers] stanza . . . 64
    fully_qualified_hostname . . . 64

[cdsso-token-attributes] stanza . . . 64
    <default> . . . 64
    domain_name . . . 65

[certificate] stanza . . . 65
    accept-client-certs . . . 65
    cert-cache-max-entries . . . 66
    cert-cache-timeout . . . 67
    cert-prompt-max-tries . . . 67
    disable-cert-login-page . . . 68
    eai-data . . . 69
    eai-uri . . . 70

[cert-map-authn] stanza . . . 70
    debug-level . . . 70
    rules-file . . . 71

[cfg-db-cmd:entries] stanza . . . 71
    stanza::entry . . . 71

[cfg-db-cmd:files] stanza . . . 72
    files . . . 72

[cgi] stanza . . . 73
    cgi-timeout . . . 73

[cgi-environment-variables] stanza . . . 74
    ENV . . . 74

[cgi-types] stanza . . . 75
    file_extension . . . 75

[cluster] stanza . . . 75
    is-master . . . 76
    master-name . . . 76
    max-wait-time . . . 77

[compress-mime-types] stanza . . . 77
    mime_type . . . 77

[compress-user-agents] stanza . . . 78
    pattern . . . 78

[content] stanza . . . 79
    delete-trash-dir . . . 79
    directory-index . . . 79
    doc-root . . . 80
    error-dir . . . 80
    user-dir . . . 81
    utf8-template-macros-enabled . . . 81

[content-cache] stanza . . . 82
    MIME_type . . . 82

[content-encodings] stanza . . . 83
    extension . . . 83

[content-index-icons] stanza . . . 84
    type . . . 84

[content-mime-types] stanza . . . 85
    deftype . . . 85
    extension . . . 85

[credential-policy-attributes] stanza . . . 87
    policy-name . . . 87

[credential-refresh-attributes] stanza . . . 87
    attribute_name_pattern . . . 87
    authentication_level . . . 88

[dsess] stanza . . . 88
    dsess-sess-id-pool-size . . . 88
    dsess-cluster-name . . . 89

[dsess-cluster] stanza . . . 89
    basic-auth-user . . . 89
    basic-auth-passwd . . . 90
    gsk-attr-name . . . 90
    handle-idle-timeout . . . 91
    handle-pool-size . . . 92
    response-by . . . 92
    server . . . 93
    ssl-fips-enabled . . . 94
    ssl-keyfile . . . 94
    ssl-keyfile-label . . . 95
    ssl-keyfile-stash . . . 95
    ssl-valid-server-dn . . . 96
    timeout . . . 96

[eai] stanza . . . 97
    eai-auth . . . 97
    eai-auth-level-header . . . 97
    eai-flags-header . . . 98
    eai-pac-header . . . 99
    eai-pac-svc-header . . . 99
    eai-redir-url-header . . . 100
    eai-session-id-header . . . 100
    eai-user-id-header . . . 101
    eai-verify-user-identity . . . 101
    eai-xattrs-header . . . 102
    retain-eai-session . . . 102

[eai-trigger-urls] stanza . . . 103
    trigger . . . 103

[e-community-domains] stanza . . . 104
    name . . . 104

[e-community-domain-keys] stanza . . . 105
    domain_name . . . 105

[e-community-domain-keys:domain] stanza . . . 105
    domain_name . . . 105

[e-community-sso] stanza . . . 106
    cache-requests-for-ecsso . . . 106
    e-community-name . . . 106
    disable-ec-cookie . . . 107
    e-community-sso-auth . . . 107
    ec-cookie-domain . . . 108
    ec-cookie-lifetime . . . 108

    ecsso-allow-unauth . . . 109
    ecsso-propagate-errors . . . 109
    handle-auth-failure-at-mas . . . 110
    is-master-authn-server . . . 110
    master-authn-server . . . 111
    master-http-port . . . 112
    master-https-port . . . 112
    propagate-cdmf-errors . . . 113
    use-utf8 . . . 113
    vf-argument . . . 114
    vf-token-lifetime . . . 114
    vf-url . . . 115

[ecsso-incoming-attributes] stanza . . . 115
    attribute_pattern . . . 115

[ecsso-token-attributes] stanza . . . 116
    <default> . . . 116
    domain_name . . . 117

[enable-redirects] stanza . . . 117
    redirect . . . 117

[failover] stanza . . . 118
    clean-ecsso-urls-for-failover . . . 118
    enable-failover-cookie-for-domain . . . 119
    failover-auth . . . 119
    failover-cookie-lifetime . . . 120
    failover-cookies-keyfile . . . 120
    failover-include-session-id . . . 121
    failover-require-activity-timestamp-validation . . . 121
    failover-require-lifetime-timestamp-validation . . . 122
    failover-update-cookie . . . 122
    reissue-missing-failover-cookie . . . 123
    use-utf8 . . . 123

[failover-add-attributes] stanza . . . 124
    attribute_pattern . . . 124
    session-activity-timestamp . . . 125
    session-lifetime-timestamp . . . 125

[failover-restore-attributes] stanza . . . 126
    attribute_pattern . . . 126

[filter-content-types] stanza . . . 127
    type . . . 127

[filter-events] stanza . . . 128
    HTML_tag . . . 128

[filter-request-headers] stanza . . . 129
    header . . . 129

[filter-schemes] stanza . . . 130
    scheme . . . 130

[filter-url] stanza . . . 131
    HTML_tag . . . 131

[forms] stanza . . . 133
    allow-empty-form-fields . . . 133
    forms-auth . . . 133

[gso-cache] stanza . . . 134
    gso-cache-enabled . . . 134
    gso-cache-entry-idle-timeout . . . 134
    gso-cache-entry-lifetime . . . 135
    gso-cache-size . . . 136

[header-names] stanza . . . 136
    header-data . . . 136

[http-headers] stanza . . . 138
    http-headers-auth . . . 138

[http-transformations] stanza . . . 138
    resource-name . . . 138

[ICAP:<resource>] stanza . . . 139
    URL . . . 139
    transaction . . . 140
    timeout . . . 140

[icons] stanza . . . 141
    backicon . . . 141
    diricon . . . 141
    unknownicon . . . 142

[illegal-url-substrings] stanza . . . 142
    substring . . . 143

[interfaces] stanza . . . 143
    interface_name . . . 143

[ipaddr] stanza . . . 144
    ipaddr-auth . . . 144

[jdb-cmd:replace] stanza . . . 145
    jct-id=search-attr-value|replace-attr-value . . . 145

[junction] stanza . . . 145
    allow-backend-domain-cookies . . . 145
    basicauth-dummy-passwd . . . 146
    crl-ldap-server . . . 146
    crl-ldap-server-port . . . 147
    crl-ldap-user . . . 148
    crl-ldap-user-password . . . 148
    disable-ssl-v2 . . . 149
    disable-ssl-v3 . . . 149
    disable-tls-v1 . . . 150
    disable-tls-v11 . . . 150
    disable-tls-v12 . . . 151
    dont-reprocess-jct-404s . . . 151
    dynamic-addresses . . . 152
    http-timeout . . . 153
    https-timeout . . . 154
    insert-client-real-ip-for-option-r . . . 154
    io-buffer-size . . . 155
    jct-cert-keyfile . . . 155
    jct-cert-keyfile-stash . . . 156
    jct-cert-keyfile-pwd . . . 157
    jct-ocsp-enable . . . 158
    jct-ocsp-max-response-size . . . 158
    jct-ocsp-nonce-check-enable . . . 159
    jct-ocsp-nonce-generation-enable . . . 159
    jct-ocsp-proxy-server-name . . . 160
    jct-ocsp-proxy-server-port . . . 160
    jct-ocsp-url . . . 161
    jct-ssl-reneg-warning-rate . . . 161
    jct-undetermined-revocation-cert-action . . . 162
    jmt-map . . . 162
    junction-db . . . 163
    managed-cookies-list . . . 163
    mangle-domain-cookies . . . 164
    match-vhj-first . . . 165
    max-cached-persistent-connections . . . 165
    max-webseal-header-size . . . 166
    pass-http-only-cookie-atr . . . 166
    persistent-con-timeout . . . 167
    ping-method . . . 168
    ping-time . . . 168
    ping-uri . . . 169
    recovery-ping-time . . . 170
    reprocess-root-jct-404s . . . 170

    reset-cookies-list . . . 171
    response-code-rules . . . 172
    share-cookies . . . 172
    support-virtual-host-domain-cookies . . . 173
    use-new-stateful-on-error . . . 174
    validate-backend-domain-cookies . . . 174
    worker-thread-hard-limit . . . 175
    worker-thread-soft-limit . . . 176
    disable-local-junctions . . . 176

[junction:junction_name] stanza . . . 177

[ldap] stanza . . . 177
    auth-timeout . . . 177
    auth-using-compare . . . 177
    bind-dn . . . 178
    bind-pwd . . . 178
    cache-enabled . . . 179
    cache-group-expire-time . . . 180
    cache-group-membership . . . 180
    cache-group-size . . . 181
    cache-policy-expire-time . . . 181
    cache-policy-size . . . 182
    cache-return-registry-id . . . 182
    cache-user-expire-time . . . 183
    cache-user-size . . . 183
    cache-use-user-cache . . . 184
    default-policy-override-support . . . 184
    enabled . . . 185
    host . . . 185
    ldap-server-config . . . 186
    login-failures-persistent . . . 186
    max-search-size . . . 187
    prefer-readwrite-server . . . 188
    port . . . 188
    replica . . . 189
    search-timeout . . . 189
    ssl-enabled . . . 190
    ssl-keyfile . . . 191
    ssl-keyfile-dn . . . 191
    ssl-keyfile-pwd . . . 192
    ssl-port . . . 192
    timeout . . . 193
    user-and-group-in-same-suffix . . . 193

[local-response-macros] stanza . . . 194
    macro . . . 194

[local-response-redirect] stanza . . . 195
    local-response-redirect-uri . . . 195

[logging] stanza . . . 196
    absolute-uri-in-request-log . . . 196
    agents . . . 196
    agents-file . . . 197
    audit-mime-types . . . 197
    audit-response-codes . . . 198
    config-data-log . . . 199
    flush-time . . . 199
    gmt-time . . . 200
    host-header-in-request-log . . . 200
    log-invalid-requests . . . 201
    max-size . . . 201
    referers . . . 202
    referers-file . . . 202
    requests . . . 203
    requests-file . . . 203
    request-log-format . . . 204
    server-log . . . 205

[ltpa] stanza . . . 206
    ltpa-auth . . . 206
    cookie-name . . . 206
    cookie-domain . . . 207
    jct-ltpa-cookie-name . . . 207
    keyfile . . . 208
    update-cookie . . . 208
    use-full-dn . . . 209

[ltpa-cache] stanza . . . 210
    ltpa-cache-enabled . . . 210
    ltpa-cache-entry-idle-timeout . . . 210
    ltpa-cache-entry-lifetime . . . 211
    ltpa-cache-size . . . 211

[mpa] stanza . . . 212
    mpa . . . 212

[oauth-eas] stanza . . . 212
    apply-tam-native-policy . . . 212
    bad-gateway-rsp-file . . . 213
    bad-request-rsp-file . . . 213
    cache-size . . . 214
    cluster-name . . . 215
    default-fed-id . . . 215
    default-mode . . . 216
    fed-id-param . . . 216
    mode-param . . . 217
    realm-name . . . 218
    trace-component . . . 218
    unauthorized-rsp-file . . . 219

[obligations-levels-mapping] stanza . . . 219
    obligation . . . 219

[p3p-header] stanza . . . 220
    access . . . 220
    categories . . . 221
    disputes . . . 223
    non-identifiable . . . 223
    p3p-element . . . 224
    purpose . . . 224
    recipient . . . 226
    remedies . . . 227
    retention . . . 228

[policy-director] stanza . . . 228
    config-file . . . 228

[preserve-cookie-names] stanza . . . 229
    name . . . 229

[process-root-filter] stanza . . . 230
    root . . . 230

[reauthentication] stanza . . . 230
    reauth-at-any-level . . . 230
    reauth-extend-lifetime . . . 231
    reauth-for-inactive . . . 231
    reauth-reset-lifetime . . . 232
    terminate-on-reauth-lockout . . . 232

[replica-sets] stanza . . . 233
    replica-set . . . 233

[rtss-eas] stanza . . . 233
    apply-tam-native-policy . . . 234
    audit-log-cfg . . . 234
    cluster-name . . . 236

    context-id . . . 236
    trace-component . . . 237

[rtss-cluster:<cluster>] stanza . . . 237
    basic-auth-user . . . 237
    basic-auth-passwd . . . 238
    handle-idle-timeout . . . 239
    handle-pool-size . . . 239
    server . . . 240
    ssl-fips-enabled . . . 240
    ssl-keyfile . . . 241
    ssl-keyfile-label . . . 242
    ssl-keyfile-stash . . . 242
    ssl-valid-server-dn . . . 243
    timeout . . . 243

[script-filtering] stanza . . . 244
    hostname-junction-cookie . . . 244
    rewrite-absolute-with-absolute . . . 245
    script-filter . . . 245

[server] stanza . . . 246
    allow-shift-jis-chars . . . 246
    allow-unauth-ba-supply . . . 246
    allow-unsolicited-logins . . . 247
    auth-challenge-type . . . 247
    cache-host-header . . . 248
    capitalize-content-length . . . 249
    client-connect-timeout . . . 250
    chunk-responses . . . 250
    concurrent-session-threads-hard-limit . . . 251
    concurrent-session-threads-soft-limit . . . 252
    connection-request-limit . . . 252
    cope-with-pipelined-request . . . 253
    decode-query . . . 253
    disable-timeout-reduction . . . 254
    double-byte-encoding . . . 254
    dynurl-allow-large-posts . . . 255
    dynurl-map . . . 255
    enable-IE6-2GB-downloads . . . 256
    filter-nonhtml-as-xhtml . . . 257
    force-tag-value-prefix . . . 257
    http . . . 258
    http-method-disabled-local . . . 258
    http-method-disabled-remote . . . 259
    http-port . . . 259
    https . . . 260
    https-port . . . 260
    ignore-missing-last-chunk . . . 261
    intra-connection-timeout . . . 261
    io-buffer-size . . . 262
    ip-support-level . . . 263
    ipv6-support . . . 263
    late-lockout-notification . . . 264
    max-client-read . . . 265
    max-file-cat-command-length . . . 265
    max-file-descriptors . . . 266
    max-idle-persistent-connections . . . 267
    network-interface . . . 267
    persistent-con-timeout . . . 268
    pre-410-compatible-tokens . . . 268
    pre-510-compatible-token . . . 269
    preserve-base-href . . . 269
    preserve-base-href2 . . . 270
    preserve-p3p-policy . . . 270
    process-root-requests . . . 271
    redirect-using-relative . . . 271
    reject-invalid-host-header . . . 272
    reject-request-transfer-encodings . . . 273
    request-body-max-read . . . 273
    request-max-cache . . . 274
    send-header-ba-first . . . 274
    send-header-spnego-first . . . 275
    server-name . . . 276
    server-root . . . 276
    slash-before-query-on-redirect . . . 277
    strip-www-authenticate-headers . . . 278
    suppress-backend-server-identity . . . 278
    suppress-dynurl-parsing-of-posts . . . 279
    suppress-server-identity . . . 279
    tag-value-missing-attr-tag . . . 280
    unix-group . . . 280
    unix-pid-file . . . 281
    unix-user . . . 281
    use-existing-username-macro-in-custom-redirects . . . 282
    use-http-only-cookies . . . 283
    utf8-form-support-enabled . . . 283
    utf8-qstring-support-enabled . . . 284
    utf8-url-support-enabled . . . 284
    validate-query-as-ga . . . 285
    web-host-name . . . 285
    web-http-port . . . 286
    web-http-protocol . . . 286
    worker-threads . . . 287

[session] stanza . . . 288
    dsess-enabled . . . 288
    dsess-last-access-update-interval . . . 288
    enforce-max-sessions-policy . . . 289
    inactive-timeout . . . 289
    logout-remove-cookie . . . 290
    max-entries . . . 290
    prompt-for-displacement . . . 291
    register-authentication-failures . . . 292
    require-mpa . . . 292
    resend-webseal-cookies . . . 293
    send-constant-sess . . . 293
    shared-domain-cookie . . . 294
    ssl-id-sessions . . . 294
    ssl-session-cookie-name . . . 295
    standard-junction-replica-set . . . 295
    tcp-session-cookie-name . . . 296
    temp-session-cookie-name . . . 296
    temp-session-max-lifetime . . . 297
    timeout . . . 297
    update-session-cookie-in-login-request . . . 298
    user-session-ids . . . 299
    user-session-ids-include-replica-set . . . 299
    use-same-session . . . 300

[session-cookie-domains] stanza . . . 300
    domain . . . 300

[session-http-headers] stanza . . . 301
    header_name . . . 301

[spnego] stanza . . . 301
    spnego-auth . . . 301
    spnego-krb-keytab-file . . . 302

    spnego-krb-service-name . . . 302
    use-domain-qualified-name . . . 303

[ssl] stanza . . . 304
    base-crypto-library . . . 304
    crl-ldap-server . . . 304
    crl-ldap-server-port . . . 305
    crl-ldap-user . . . 306
    crl-ldap-user-password . . . 306
    disable-ncipher-bsafe . . . 307
    disable-rainbow-bsafe . . . 307
    disable-ssl-v2 . . . 308
    disable-ssl-v3 . . . 308
    disable-tls-v1 . . . 309
    disable-tls-v11 . . . 309
    disable-tls-v12 . . . 310
    enable-duplicate-ssl-dn-not-found-msgs . . . 310
    fips-mode-processing . . . 311
    gsk-attr-name . . . 311
    gsk-crl-cache-entry-lifetime . . . 313
    gsk-crl-cache-size . . . 313
    jct-gsk-attr-name . . . 314
    neg-delay-fix-disable . . . 315
    ocsp-enable . . . 316
    ocsp-max-response-size . . . 316
    ocsp-nonce-check-enable . . . 317
    ocsp-nonce-generation-enable . . . 317
    ocsp-proxy-server-name . . . 318
    ocsp-proxy-server-port . . . 318
    ocsp-url . . . 319
    pkcs11-driver-path . . . 319
    pkcs11-token-label . . . 320
    pkcs11-token-pwd . . . 320
    pkcs11-symmetric-cipher-support . . . 321
    ssl-keyfile . . . 321
    ssl-keyfile-label . . . 322
    ssl-keyfile-pwd . . . 322
    ssl-keyfile-stash . . . 323
    ssl-local-domain . . . 324
    ssl-max-entries . . . 324
    ssl-v2-timeout . . . 325
    ssl-v3-timeout . . . 325
    suppress-client-ssl-errors . . . 326
    undetermined-revocation-cert-action . . . 326
    webseal-cert-keyfile . . . 327
    webseal-cert-keyfile-label . . . 327
    webseal-cert-keyfile-pwd . . . 328
    webseal-cert-keyfile-sni . . . 328
    webseal-cert-keyfile-stash . . . 329

[ssl-qop] stanza . . . 330
    ssl-qop-mgmt . . . 330

[ssl-qop-mgmt-default] stanza . . . 330
    default . . . 330

[ssl-qop-mgmt-hosts] stanza . . . 331
    host-ip . . . 331

[ssl-qop-mgmt-networks] stanza . . . 332
    network/netmask . . . 332

[step-up] stanza . . . 334
    retain-stepup-session . . . 334
    show-all-auth-prompts . . . 334
    step-up-at-higher-level . . . 335
    verify-step-up-user . . . 335

[system-environment-variables] stanza . . . 336
    env-name . . . 336

[tfimsso:<jct-id>] stanza . . . 337
    always-send-tokens . . . 337
    applies-to . . . 337
    one-time-token . . . 338
    preserve-xml-token . . . 338
    renewal-window . . . 339
    service-name . . . 339
    tfim-cluster-name . . . 340
    token-collection-size . . . 340
    token-type . . . 341
    token-transmit-name . . . 342
    token-transmit-type . . . 342

[tfim-cluster:<cluster>] stanza . . . 343
    basic-auth-user . . . 343
    basic-auth-passwd . . . 343
    gsk-attr-name . . . 344
    handle-idle-timeout . . . 345
    handle-pool-size . . . 345
    server . . . 346
    ssl-fips-enabled . . . 346
    ssl-keyfile . . . 347
    ssl-keyfile-label . . . 348
    ssl-keyfile-stash . . . 348
    ssl-valid-server-dn . . . 349
    timeout . . . 350

[token] stanza . . . 350
    token-auth . . . 350

[uraf-registry] stanza . . . 351
    bind-id . . . 351
    cache-lifetime . . . 351
    cache-mode . . . 352
    cache-size . . . 353
    uraf-registry-config . . . 354

[webseal-config] stanza . . . 354
    instance-name . . . 354
    orig-version . . . 355
    status . . . 356
    tivoli_common_dir . . . 356
    version . . . 357

Notices . . . 359

Index . . . 363

About this publication

Welcome to the IBM Security Access Manager: WebSEAL Configuration Stanza Reference.

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

Security Access Manager WebSEAL is the resource manager for web-based resources in a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide single sign-on solutions and incorporate back-end web application server resources into its security policy.

This guide provides the complete stanza reference for configuring WebSEAL. You can use this guide in conjunction with the IBM Security Access Manager: WebSEAL Administration Guide, which provides valuable background and concept information for the wide range of WebSEAL functionality.

Intended audience

This guide is for system administrators responsible for configuring and maintaining a Security Access Manager WebSEAL environment.

Readers should be familiar with the following:
• PC and UNIX or Linux operating systems
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
• Lightweight Directory Access Protocol (LDAP) and directory services
• A supported user registry
• WebSphere® Application Server administration
• Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Access Manager for Web library” on page x.
• Links to “Online publications” on page xi.
• A link to the “IBM Terminology website” on page xii.

© Copyright IBM Corp. 2002, 2013 ix

IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:

• IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
  Provides steps that summarize major installation and configuration tasks.

• IBM Security Web Gateway Appliance Quick Start Guide – Hardware Offering, SC22-5434-00
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.

• IBM Security Web Gateway Appliance Quick Start Guide – Virtual Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.

• IBM Security Access Manager for Web Installation Guide, GC23-6502-02
  Explains how to install and configure Security Access Manager.

• IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
  Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.

• IBM Security Access Manager for Web Administration Guide, SC23-6504-02
  Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.

• IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.

• IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
  Provides procedures and reference information for securing your Web domain by using a Web server plug-in.

• IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
  Provides administrative considerations and operational instructions for the session management server.

• IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
  Provides deployment considerations for the session management server.

• IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
  Provides administrative procedures and technical reference information for the WebSEAL Appliance.

• IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
  Provides configuration procedures and technical reference information for the WebSEAL Appliance.

• IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
  Provides a complete stanza reference for the IBM® Security Web Gateway Appliance Web Reverse Proxy.

• IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
  Provides a complete stanza reference for WebSEAL.

• IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
  Provides instructions on creating key databases, public-private key pairs, and certificate requests.

• IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
  Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.

• IBM Security Access Manager for Web Command Reference, SC23-6512-02
  Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.

• IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.

• IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
  Provides reference information about using the Java™ language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.

• IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.

• IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.

• IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
  Provides programming and reference information for developing authentication modules.

• IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
  Provides explanations and corrective actions for the messages and return codes.

• IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
  Provides problem determination information.

• IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
  Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Access Manager for Web Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.

IBM Security Systems Documentation Central and Welcome page
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product documentation and links to the product information center for specific versions of each product.

    Welcome to IBM Security Systems Information Centers provides an introduction to, links to, and general information about IBM Security Systems information centers.

IBM Publications Center
    The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Related publications

This section lists the IBM products that are related to and included with the Security Access Manager solution.

Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.

IBM Global Security Kit

Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).

GSKit version 8 no longer includes the key management utility, iKeyman (gskikm.jar). iKeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, iKeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:

http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

Note:

GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues.

The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

You can find more information about Tivoli Directory Server at:

http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.

You can find more information about IBM Tivoli Directory Integrator at:

http://www.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database™

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2® with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS® LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

You can find more information about DB2 at:

http://www.ibm.com/software/data/db2

IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

WebSphere Application Server enables the support of the following applications:
• Web Portal Manager interface, which administers Security Access Manager.
• Web Administration Tool, which administers Tivoli Directory Server.
• Common Auditing and Reporting Service, which processes and reports on audit events.
• Session Management Server, which manages shared sessions in a Web security server environment.
• Attribute Retrieval Service.

You can find more information about WebSphere Application Server at:

http://www.ibm.com/software/webservers/appserv/was/library/

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
• What information to collect before you contact IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.

Stanza reference

This guide provides a complete stanza reference for the WebSEAL configuration file, alphabetized by stanza name.

For more details about the WebSEAL configuration file naming and structure, see the IBM Security Access Manager: WebSEAL Administration Guide.

[acnt-mgt] stanza

Use the [acnt-mgt] stanza to configure the WebSEAL account management pages.

account-expiry-notification

Use the account-expiry-notification stanza entry to control how WebSEAL reports login failures that are caused by invalid or expired accounts.

Syntax

account-expiry-notification = {yes|no}

Description

Specifies whether WebSEAL informs the user of the reason for a login failure when the failure is caused by an invalid or expired account. When this entry is set to no, the user receives the same error message as the message that is sent when a login fails as a result of invalid authentication information, such as an invalid user name or password.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

account-expiry-notification = yes

account-inactivated

Use the account-inactivated stanza entry to configure the page that WebSEAL displays when a user with an inactive account tries to log in with the correct password.

Syntax

account-inactivated = filename

Description

Page that is displayed when nsAccountLock is true for a user (in Sun Directory Server) when they attempt to log in. WebSEAL displays the specified page only if the user provides the correct password during login.

Note: This option has no effect unless the corresponding Security Access Manager LDAP option is enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options

filename
    Page that is displayed when nsAccountLock is true for the user who provides the correct password during login.

Usage

This stanza entry is required.

Default value

None.

Note: The value for this option in the template configuration file is acct_locked.html.

Example

account-inactivated = acct_locked.html

account-locked

Use the account-locked stanza entry to configure the page that WebSEAL displays when a user authentication fails because the account is locked.

Syntax

account-locked = filename

Description

Page that is displayed when the user authentication fails as a result of a locked user account.

Options

filename
    Page that is displayed when the user authentication fails as a result of a locked user account.

Usage

This stanza entry is required.

Default value

acct_locked.html

Example

account-locked = acct_locked.html

allow-unauthenticated-logout

Use the allow-unauthenticated-logout stanza entry to control whether unauthenticated users can request the pkmslogout resource.

Syntax

allow-unauthenticated-logout = {yes|no}

Description

Determines whether unauthenticated users are able to request the pkmslogout resource without authenticating first.

Options

yes Unauthenticated users can request the pkmslogout resource.

no Unauthenticated users must authenticate before the pkmslogout resource is returned.

Usage

This stanza entry is required.

Default value

no

Example

allow-unauthenticated-logout = no

allowed-referers

Use the allowed-referers stanza entry to specify which referrers can request management pages.

Syntax

allowed-referers = referer_filter

Description

For protection against cross-site request forgery (CSRF) attacks, you can configure WebSEAL to validate the HTTP Request referer header for all account management pages. WebSEAL uses the value that is provided for this configuration entry to determine whether the referrer host name in an incoming request is "valid".

If this entry is configured, when WebSEAL receives a request for an account management page, WebSEAL:
1. Checks whether the referer header is present in the HTTP Request header.
2. Validates the host name portion of that referrer against the allowed-referers entries.

If WebSEAL finds that an incoming request does not match any of the configured allowed-referers filters, the request fails and WebSEAL returns an error page.

Entries can contain the following wildcard characters:
• * - match 0 or more characters.
• ? - match any single character.
• \ - Literal match of the following character.

You can use the value %HOST% for this entry. This value is a special filter, which indicates to WebSEAL that a referrer is "valid" if the host name portion of the referer header matches the host header.

If there are no allowed-referers entries then WebSEAL does not complete this validation.

Note: You can specify this entry multiple times to define multiple "allowed" referrer filters. WebSEAL uses all of these entries to validate the referrer.

For more information about referrer validation, search for "CSRF" in the IBM Security Access Manager: WebSEAL Administration Guide.

Options

referer_filter
    Specifies a filter for a referrer host name that WebSEAL can accept as "valid".

Usage

This stanza entry is optional.

Default value

None.

Example

The following entry matches any referrer host name that begins with the characters ac, followed by zero or more characters, and ends with the characters me.

allowed-referers = ac*me

The following entry indicates that a referrer is "valid" if the host name portion of the referer header matches the host header.

allowed-referers = %HOST%
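The following added example (not WebSEAL's own code) models the referer check described above: it turns each allowed-referers filter into an anchored pattern with the *, ? and \ rules, treats %HOST% as a comparison against the Host header, and applies the two documented steps to a set of constructed requests. It assumes that host names compare case-insensitively and that a missing or unparsable Referer fails closed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Added illustration of the allowed-referers decision; not WebSEAL's own code.


def filter_to_regex(referer_filter: str) -> "re.Pattern[str]":
    """Translate one allowed-referers filter into an anchored regex.

    Wildcards follow the stanza description: * matches zero or more
    characters, ? matches exactly one, and \\ makes the next character literal.
    """
    parts = []
    i = 0
    while i < len(referer_filter):
        ch = referer_filter[i]
        if ch == "\\" and i + 1 < len(referer_filter):
            parts.append(re.escape(referer_filter[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    # Assumption: host names compare case-insensitively, as DNS names do.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def referer_host(referer: str) -> Optional[str]:
    """Host name portion of a Referer URL (lower-cased, port removed)."""
    return urlsplit(referer).hostname


def referer_allowed(headers: Dict[str, str], filters: List[str]) -> bool:
    """Apply the documented check to one request's headers.

    With no filters configured no validation is done (request allowed).
    Assumption: a missing or unparsable Referer fails closed, the
    conservative reading of step 1 in the description.
    """
    if not filters:
        return True
    # Header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    referer = hdrs.get("referer")
    if referer is None:
        return False
    host = referer_host(referer)
    if not host:
        return False
    for f in filters:
        if f == "%HOST%":
            # Special filter: Referer host must equal the Host header's
            # host name (any :port on the Host header is ignored).
            expected = urlsplit("//" + hdrs.get("host", "")).hostname
            if expected and host == expected:
                return True
        elif filter_to_regex(f).match(host):
            return True
    return False


# Constructed sample: a WebSEAL with both filters from the examples above.
FILTERS = ["ac*me", "%HOST%"]

SAMPLE_REQUESTS = [
    {"Host": "www.example.com:443", "Referer": "https://www.example.com/login.html"},
    {"Host": "www.example.com:443", "Referer": "https://acme/forms/"},
    {"Host": "www.example.com:443", "Referer": "https://acme.example/forms/"},
    {"Host": "www.example.com:443", "Referer": "https://attacker.example/"},
    {"Host": "www.example.com:443"},  # no Referer header at all
]


def evaluate_samples() -> List[bool]:
    """True = request proceeds, False = WebSEAL would return the error page."""
    return [referer_allowed(h, FILTERS) for h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for h, ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        ref = h.get("Referer", "<no Referer>")
        print(f"{ref:45} -> {'allowed' if ok else 'error page'}")
```

Note that ac*me is matched against the whole host name, so acme passes but acme.example does not; the filter must describe the full host name, not a prefix.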

cert-failure

Syntax

cert-failure = filename

Description

Page displayed when certificates are required and a client fails to authenticate with a certificate.

Options

filename
    Page displayed when certificates are required and a client fails to authenticate with a certificate.

Usage

This stanza entry is required.

Default value

certfailure.html

Example

cert-failure = certfailure.html

cert-stepup-http

Syntax

cert-stepup-http = filename

Description

WebSEAL displays this HTML page when a client attempts to increase authentication strength level (step-up) to certificates while using HTTP protocol.

Options

filename
    WebSEAL displays this HTML page when a client attempts to increase authentication strength level (step-up) to certificates while using HTTP protocol.

Usage

This stanza entry is required.

Default value

certstepuphttp.html

Example

cert-stepup-http = certstepuphttp.html

certificate-login

Syntax

certificate-login = filename

Description

Form requesting client-side certificate authentication login.

This form is used only when the accept-client-certs key in the [certificate] stanza is set to prompt_as_needed.

Options

filename
    Form requesting client-side certificate authentication login.

Usage

This stanza entry is required when delayed certificate authentication or authentication strength level (step-up) for certificates is enabled.

Default value

certlogin.html

Example

certificate-login = certlogin.html

change-password-auth

Syntax

change-password-auth = {yes|no}

Description

Enable this option to allow users to authenticate when changing a password.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

change-password-auth = yes

client-notify-tod

Syntax

client-notify-tod = {yes|no}

Description

Enable the display of an error page when authorization is denied due to a POP time of day check. The error page is 38cf08cc.html.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

client-notify-tod = yes

enable-html-redirect

Syntax

enable-html-redirect = {yes|no}

Description

Configures WebSEAL to use the HTML redirect page to handle redirections rather than returning an HTTP 302 response redirect.

When a user successfully authenticates, WebSEAL typically uses an HTTP 302 response to redirect the user back to the resource that was originally requested.

HTML redirection causes WebSEAL to send a static page back to the browser instead of a 302 redirect. WebSEAL can then use the JavaScript or any other code that is embedded in this static page to process the redirect.

You can use the html-redirect configuration entry, which is also in the [acnt-mgt] stanza, to specify the page that contains the HTML redirection.

For more information about HTML redirection, see the IBM Security Access Manager: WebSEAL Administration Guide.

Note: If you enable this configuration entry, you must not specify a value for the login-redirect-page entry, which is also in the [acnt-mgt] stanza.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

enable-html-redirect = no

enable-local-response-redirect

Syntax

enable-local-response-redirect = {yes|no}

Description

Enable or disable sending a redirection to a response application instead of serving management or error pages from the local system.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [acnt-mgt:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

enable-local-response-redirect = no

enable-passwd-warn

Syntax

enable-passwd-warn = {yes|no}

Description

Enable WebSEAL to detect the attribute REGISTRY_PASSWORD_EXPIRE_TIME added to a user's credential when the LDAP password policy indicates that their password is soon to expire. The value of this attribute is the number of seconds until their password expires. When this attribute is detected, at login to WebSEAL, a password warning form will appear.

NOTE: This option must be set in order to use the associated options, which are also in the [acnt-mgt] stanza: passwd-warn and passwd-warn-failure. The corresponding Security Access Manager LDAP option must be enabled ([ldap] enhanced-pwd-policy=yes) and supported for the particular LDAP registry type.

Options

yes Enable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute to ultimately warn the user when their password is soon to expire.

no Disable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute. WebSEAL will not be able to notify users when their passwords are soon to expire.

Usage

This stanza entry is optional.

Default value

The option will default to yes if it is not specified in the configuration file.

NOTE: The value for this option in the template configuration file is no.

Example

enable-passwd-warn = yes

enable-secret-token-validation

Syntax

enable-secret-token-validation = {true|false}

Description

Use this entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks. If you set this entry to true, WebSEAL adds a token to each session and validates the "token" query argument for the following account management requests:
• /pkmslogin.form
• /pkmslogout
• /pkmslogout-nomas
• /pkmssu.form
• /pkmsskip
• /pkmsdisplace
• /pkmspasswd.form

For example, you must change the /pkmslogout request to pkmslogout?token=<value>, where <value> is the unique session token.

If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page. For more information about secret token validation, search for "CSRF" in the IBM Security Access Manager: WebSEAL Administration Guide.

Options

true WebSEAL uses secret token validation to protect against CSRF attacks.

Note: This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.

false WebSEAL does not use secret token validation.

Usage

This stanza entry is optional.

Default value

false

Example

enable-secret-token-validation = true
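The following added example (not WebSEAL's own code) models the decision described for this entry: a request for one of the listed management resources passes only when its "token" query argument is present exactly once and equals the session token, otherwise it gets the error page. The per-session token generator and the three outcome labels are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Added illustration of the secret token check; not WebSEAL's own code.
# The protected request list is the one given in this stanza entry.
TOKEN_PROTECTED = {
    "/pkmslogin.form",
    "/pkmslogout",
    "/pkmslogout-nomas",
    "/pkmssu.form",
    "/pkmsskip",
    "/pkmsdisplace",
    "/pkmspasswd.form",
}


def new_session_token() -> str:
    """Per-session secret; assumption: an unguessable random value."""
    return secrets.token_urlsafe(24)


def management_url(path: str, session_token: str) -> str:
    """Link a page must emit once validation is on, e.g. /pkmslogout?token=<value>."""
    return f"{path}?token={session_token}"


def validate_request(url: str, session_token: str, enabled: bool = True) -> str:
    """Decide one request: 'pass', 'error-page', or 'not-protected'.

    'not-protected' means the path is not one of the listed management
    requests, so this check does not apply to it either way.
    """
    parts = urlsplit(url)
    if parts.path not in TOKEN_PROTECTED:
        return "not-protected"
    if not enabled:                      # enable-secret-token-validation = false
        return "pass"
    supplied = parse_qs(parts.query).get("token", [])
    if len(supplied) != 1:               # missing, empty, or repeated token argument
        return "error-page"
    # Constant-time comparison so a mismatch leaks no timing information.
    if not hmac.compare_digest(supplied[0].encode(), session_token.encode()):
        return "error-page"
    return "pass"


if __name__ == "__main__":
    tok = new_session_token()
    # Constructed requests: a correctly rewritten link, an old unrewritten
    # link, a link carrying a stale token, and an ordinary resource.
    for u in (management_url("/pkmslogout", tok), "/pkmslogout",
              "/pkmslogout?token=stale", "/index.html"):
        print(f"{u[:44]:44} -> {validate_request(u, tok)}")
```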

help

Syntax

help = filename

Description

Page containing links to valid administration pages.

Options

filename
    Page containing links to valid administration pages.

Usage

This stanza entry is required.

Default value

help.html

Example

help = help.html

http-rsp-header

Syntax

http-rsp-header = header-name:macro

Description

Inserts custom headers whenever WebSEAL returns a custom response to the client.

Options

header-name
    The name of the header that holds the value.

macro
    The type of value to be inserted. This parameter can be one of the following values:
    • TAM_OP
    • AUTHNLEVEL
    • ERROR_CODE
    • ERROR_TEXT
    • CREDATTR(<name>), where <name> is the name of the credential attribute.
    • USERNAME

Usage

This stanza entry is optional.

Note: You can specify this entry multiple times to include multiple headers in the response.

Default value

None.

Example

The following example inserts the Security Access Manager error code in a response header named tam-error-code:

http-rsp-header = tam-error-code:ERROR_CODE

html-redirect

Syntax

html-redirect = filename

Description

Specifies the standard HTML redirection page.

Options

filename
    Standard HTML redirection page.

Usage

This stanza entry is required.

Default value

redirect.html

Example

html-redirect = redirect.html

login

Syntax

login = filename

Description

Standard login form.

Options

filename
    Standard login form.

Usage

This stanza entry is required.

Default value

login.html

Example

login = login.html

login-redirect-page

Syntax

login-redirect-page = destination

Description

Page to which users are automatically redirected after completing a successful authentication. The configured redirect destination can be either:
• A server-relative Uniform Resource Locator (URL), or
• An absolute URL, or
• A macro which allows dynamic substitution of information from WebSEAL.

The supported macros include:

%AUTHNLEVEL%

Level at which the session is currently authenticated.

%HOSTNAME%

Fully qualified host name.

%PROTOCOL%

The client connection protocol used. Can be HTTP or HTTPS.

%URL%

The original URL requested by the client.

%USERNAME%

The name of the logged in user.

%HTTPHDR{name}%

The HTTP header that corresponds to the specified name. For example: %HTTPHDR{Host}%

%CREDATTR{name}%

The credential attribute with the specified name. For example: %CREDATTR{tagvalue_session_index}%

Note: You cannot use this configuration entry if the enable-js-redirect entry (also in the [acnt-mgt] stanza) is set to yes. These redirects are not compatible with one another.

Options

destination

Uniform Resource Locator (URL) to which users are automatically redirected after login, or a macro for dynamic substitution of information from WebSEAL.

Usage

This stanza entry is optional.

Default value

None.

Example

Example of a server relative URL:

login-redirect-page = /jct/page.html

Example of an absolute URL:

login-redirect-page = http://www.ibm.com/

Example that uses a macro:

login-redirect-page = /jct/intro-page.html?level=%AUTHNLEVEL%&url=%URL%
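The two macro forms described above (header-name:macro for http-rsp-header, and %NAME% or %NAME{arg}% for login-redirect-page) can be exercised with the following Python example. It is added here and is not part of this reference or of WebSEAL itself; the stanza text, the request context, the error-code placeholder and the percent-encoding of substituted values are assumptions of the example.

```python
import re
from urllib.parse import quote

# Constructed [acnt-mgt] fragment (not from a real webseald.conf); it uses only
# the entries and macros documented in this stanza reference.
SAMPLE_STANZA = """
[acnt-mgt]
http-rsp-header = tam-error-code:ERROR_CODE
http-rsp-header = tam-user:USERNAME
http-rsp-header = tam-session-index:CREDATTR(tagvalue_session_index)
login-redirect-page = /jct/intro-page.html?level=%AUTHNLEVEL%&url=%URL%&host=%HTTPHDR{Host}%
"""

# Constructed request and session context standing in for what WebSEAL knows
# when it builds a response. Field names and values are my assumptions; the
# error code is a placeholder, not a real Security Access Manager code.
SAMPLE_CONTEXT = {
    "TAM_OP": "login",
    "AUTHNLEVEL": "1",
    "ERROR_CODE": "EXAMPLE-ERROR-CODE",
    "ERROR_TEXT": "example error text",
    "USERNAME": "alice",
    "HOSTNAME": "webseal.example.com",
    "PROTOCOL": "HTTPS",
    "URL": "/jct/app/report?id=42&sort=desc",
    "HTTPHDR": {"Host": "webseal.example.com"},
    "CREDATTR": {"tagvalue_session_index": "session-index-0001"},
}


def parse_stanza(text, stanza):
    """Return the (key, value) pairs of one [stanza]; repeated keys keep file order."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == stanza and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


# Plain value macros accepted by http-rsp-header, as listed in this reference.
HEADER_MACROS = {"TAM_OP", "AUTHNLEVEL", "ERROR_CODE", "ERROR_TEXT", "USERNAME"}
CREDATTR_RE = re.compile(r"^CREDATTR\(([^()]+)\)$")


def build_response_headers(pairs, ctx):
    """Expand every http-rsp-header entry (header-name:macro) into a header tuple."""
    headers = []
    for key, value in pairs:
        if key != "http-rsp-header":
            continue
        name, _, macro = value.partition(":")
        m = CREDATTR_RE.match(macro)
        if m:
            resolved = ctx["CREDATTR"].get(m.group(1))
        elif macro in HEADER_MACROS:
            resolved = ctx.get(macro)
        else:
            raise ValueError(f"unsupported http-rsp-header macro: {macro}")
        if resolved is not None:  # a missing credential attribute adds no header
            headers.append((name, str(resolved)))
    return headers


# %NAME% and %NAME{arg}% as documented for login-redirect-page.
REDIRECT_MACRO_RE = re.compile(r"%([A-Z]+)(?:\{([^{}]+)\})?%")
PLAIN_REDIRECT_MACROS = {"AUTHNLEVEL", "HOSTNAME", "PROTOCOL", "URL", "USERNAME"}


def expand_redirect(pairs, ctx):
    """Expand the login-redirect-page destination.

    Substituted values are percent-encoded (my design choice, not a documented
    WebSEAL behaviour) so that an original URL or header value containing '&',
    '?' or '#' cannot alter the structure of the destination's query string.
    """
    dest = next((v for k, v in pairs if k == "login-redirect-page"), None)
    if dest is None:
        return None

    def substitute(m):
        name, arg = m.group(1), m.group(2)
        if name in ("HTTPHDR", "CREDATTR") and arg:
            value = ctx[name].get(arg, "")
        elif name in PLAIN_REDIRECT_MACROS and not arg:
            value = ctx.get(name, "")
        else:
            raise ValueError(f"unsupported login-redirect-page macro: {m.group(0)}")
        return quote(str(value), safe="")

    return REDIRECT_MACRO_RE.sub(substitute, dest)


if __name__ == "__main__":
    entries = parse_stanza(SAMPLE_STANZA, "acnt-mgt")
    for header, header_value in build_response_headers(entries, SAMPLE_CONTEXT):
        print(f"{header}: {header_value}")
    print(expand_redirect(entries, SAMPLE_CONTEXT))
```

Percent-encoding the substituted %URL% keeps the whole original request URL inside the url parameter even when that URL carries its own query string; without it, the & in the original URL would split the destination into extra parameters that the intro page never expected.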

login-success

Syntax

login-success = filename

Description

Page displayed after successful login.

Options

filename

Page displayed after successful login.

Usage

This stanza entry is required.

Default value

login_success.html

Example

login-success = login_success.html

logout

Syntax

logout = filename

Description

Page displayed after successful logout.

Options

filename

Page displayed after successful logout.

Usage

This stanza entry is required.

Default value

logout.html

Example

logout = logout.html

mgt-pages-root

Syntax

mgt-pages-root = relative_pathname

Description

Root of account management pages. The actual directory used is a subdirectory of this root directory, as determined by localization settings. This path is relative to the server-root value in the [server] stanza.

Options

relative_pathname

Root of account management pages.

Usage

This stanza entry is required.

Default value

lib/html

Example

mgt-pages-root = lib/html

next-token

Syntax

next-token = filename

Description

Next-token form.

Options

filename

Next-token form.

Usage

This stanza entry is required.

Default value

nexttoken.html

Example

next-token = nexttoken.html

passwd-change

Syntax

passwd-change = filename

Description

Page containing a change password form.

Options

filename

Page containing a change password form.

Usage

This stanza entry is required.

Default value

passwd.html

Example

passwd-change = passwd.html

passwd-change-failure

Syntax

passwd-change-failure = filename

Description

Page displayed when password change request fails.

Options

filename

Page displayed when password change request fails.

Usage

This stanza entry is required.

Default value

passwd.html

Example

passwd-change-failure = passwd.html

passwd-change-success

Syntax

passwd-change-success = filename

Description

Page displayed when password change request succeeds.

Options

filename

Page displayed when password change request succeeds.

Usage

This stanza entry is required.

Default value

passwd_rep.html

Example

passwd-change-success = passwd_rep.html

passwd-expired

Syntax

passwd-expired = filename

Description

Page displayed when the user authentication fails due to an expired user password.

Options

filename

Page displayed when the user authentication fails due to an expired user password.

Usage

This stanza entry is required.

Default value

passwd_exp.html

Example

passwd-expired = passwd_exp.html

passwd-warn

Syntax

passwd-warn = filename

Description

Page displayed after login if WebSEAL detects the LDAP password is soon to expire.

NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options

filename

Page displayed as a warning that the LDAP password is soon to expire.

Usage

This stanza entry is required.

Default value

None.

NOTE: The value for this option in the template configuration file is passwd_warn.html.

Example

passwd-warn = passwd_warn.html

passwd-warn-failure

Syntax

passwd-warn-failure = filename

Description

Page displayed if the user fails to change their password after being notified that the LDAP password is soon to expire. This page gives the user another chance to change their password and indicates the cause of the error.

NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options

filename

Page displayed if the user does not change their password after receiving notification that the LDAP password is soon to expire.

Usage

This stanza entry is required.

Default value

None.

NOTE: The value for this option in the template configuration file is passwd_warn.html.

Example

passwd-warn-failure = passwd_warn.html

redirect-to-root-for-pkms

Syntax

redirect-to-root-for-pkms = {yes|no}

Description

In older releases, WebSEAL would, in rare cases, redirect clients to the document root directory instead of returning the login success page following a successful authentication. This behavior was eliminated in later releases. Set redirect-to-root-for-pkms to yes to restore the previous behavior.

Options

yes Restore previous behavior.

no Maintain default behavior.

Usage

This stanza entry is required.

Default value

no

Example

redirect-to-root-for-pkms = no

single-signoff-uri

Syntax

single-signoff-uri = URI

Description

When a user session is terminated in WebSEAL, any sessions that might exist on backend application servers are not destroyed. You can use this configuration entry to change this default behavior.

When a WebSEAL user session is terminated and this stanza entry is configured, WebSEAL sends a request to the resource specified by the configured URI. The request contains any configured headers and cookies for the junction point on which the resource resides. The backend application can use this information to terminate any sessions for that user.

Note: You can configure more than one single-signoff-uri entry to send a request to multiple URIs.

Options

URI

The resource identifier of the application that receives the single signoff request from WebSEAL.

Note: The URI must be server relative and correspond to a resource on a standard junction.

Usage

This stanza entry is optional.

Default value

None.

Example

single-signoff-uri = /management/logoff

stepup-login

Syntax

stepup-login = filename

Description

Step-up authentication login form.

Options

filename

Step-up authentication login form.

Usage

This stanza entry is required.

Default value

stepuplogin.html

Example

stepup-login = stepuplogin.html

switch-user

Syntax

switch-user = filename

Description

Switch user management form.

Options

filename

Switch user management form.

Usage

This stanza entry is required.

Default value

switchuser.html

Example

switch-user = switchuser.html

temp-cache-response

Syntax

temp-cache-response = filename

Description

The default page that WebSEAL returns if no URL redirect is supplied with the pkmstempsession request. The pkmstempsession page is accessed to achieve session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Access Manager: WebSEAL Administration Guide.

Options

filename

The default page that WebSEAL returns for a pkmstempsession request.

Usage

This stanza entry is optional.

Default value

temp_cache_response.html

Example

temp-cache-response = temp_cache_response.html

token-login

Syntax

token-login = filename

Description

Token login form.

Options

filename

Token login form.

Usage

This stanza entry is required.

Default value

tokenlogin.html

Example

token-login = tokenlogin.html

too-many-sessions

Syntax

too-many-sessions = filename

Description

Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.

Options

filename

Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.

Usage

This stanza entry is required.

Default value

too_many_sessions.html

Example

too-many-sessions = too_many_sessions.html

use-restrictive-logout-filenames

Syntax

use-restrictive-logout-filenames = {yes|no}

Description

Control the restrictions normally enforced on the name of the /pkmslogout custom response file.

Options

yes Use default restrictions to enforce the name of the /pkmslogout custom response file.

no Only slash (/), backslash (\), characters outside of the ASCII range 0x20 - 0x7E, and filenames that begin with a period (.) will be disallowed.

Usage

This stanza entry is required.

Default value

yes

Example

use-restrictive-logout-filenames = yes

use-filename-for-pkmslogout

Syntax

use-filename-for-pkmslogout = {yes|no}

Description

Controls whether or not the appended query string (specifying a custom response page) in a pkmslogout command is used to override the default response page.

Options

yes Enables the operation of the query string. If a query string in a pkmslogout URL specifies a custom response page, that custom page is used instead of the default page.

no Disables the operation of the query string. Any query string in a pkmslogout URL that specifies a custom response page is ignored. Only the default response page is used upon logout.

Usage

This stanza entry is required.

Default value

no

Example

use-filename-for-pkmslogout = yes
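The relaxed rule quoted for use-restrictive-logout-filenames = no (reject a slash, a backslash, any character outside ASCII 0x20 - 0x7E, and a name beginning with a period) is the only filename rule this reference spells out, and use-filename-for-pkmslogout decides whether the query string is consulted at all. The following Python example, added here and not WebSEAL's own code, implements that rule as a check on the page name taken from a pkmslogout request; the query parameter name filename and the fallback to the default logout page are assumptions of the example.

```python
from urllib.parse import parse_qs, urlsplit


def logout_filename_allowed(name):
    """Apply the rule this reference gives for use-restrictive-logout-filenames = no:
    reject a slash, a backslash, any character outside printable ASCII 0x20-0x7E,
    and a name that begins with a period. The stricter default rule set that applies
    when the entry is yes is not spelled out in the reference, so it is not modelled."""
    if not name or name.startswith("."):
        return False
    return all(ch not in "/\\" and 0x20 <= ord(ch) <= 0x7E for ch in name)


def select_logout_page(request_uri, use_filename_for_pkmslogout, default_page="logout.html"):
    """Choose the page served for a pkmslogout request.

    Assumptions (mine, not documented in this reference): the custom page is named
    by a 'filename' query parameter, and a rejected, absent or ambiguous name falls
    back to the [acnt-mgt] logout page.
    """
    if not use_filename_for_pkmslogout:
        return default_page  # use-filename-for-pkmslogout = no: query string ignored
    candidates = parse_qs(urlsplit(request_uri).query).get("filename", [])
    if len(candidates) != 1:
        return default_page  # parameter absent or given more than once
    name = candidates[0]
    return name if logout_filename_allowed(name) else default_page


if __name__ == "__main__":
    # Constructed requests. The second one carries a percent-encoded separator that
    # parse_qs decodes to '/', so the check must still reject it.
    for uri in ("/pkmslogout?filename=goodbye.html",
                "/pkmslogout?filename=sub%2Fgoodbye.html",
                "/pkmslogout?filename=.goodbye.html",
                "/pkmslogout"):
        print(uri, "->", select_logout_page(uri, True))
```

Because the check runs on the decoded parameter value, an encoded separator is treated the same as a literal one; a validator that only inspected the raw query string would miss that case.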

[amwebars] stanza

service-url

Syntax

service-url = url-of-amwebars-web-service

Description

Specifies the URL to the attribute retrieval service located in the WebSphere environment.

Options

url-of-amwebars-web-service

URL to the attribute retrieval service located in the WebSphere environment.

Usage

This stanza entry is optional.

Default value

None.

Example

service-url = http://websphere_hostname:websphere_port/amwebars/amwebars/ServiceToIServicePortAdapter

[arm] stanza

accept-correlators

Use the accept-correlators stanza entry to control whether WebSEAL correlates its transactions to upstream applications.

Syntax

accept-correlators = {yes|no}

Description

Indicates whether WebSEAL correlates its transactions to upstream applications.

Options

yes WebSEAL examines client requests for a header name that is specified by the correlator-header option. If the header is present, WebSEAL parses and uses it with the reporting of its initial transaction. This processing allows WebSEAL to correlate its transactions, and the transactions of its junctions, to upstream applications.

no WebSEAL does not correlate its transactions.

Usage

This stanza entry is optional.

Default value

no

Example

accept-correlators = no

app-group

Use the app-group stanza entry to specify a name for a group of application instances in ARM.

Syntax

app-group = <application group name>

Description

Enables applications to report to ARM as a member of a group of applications.

Options

<application group name>

Contains the identity of a group of application instances, if any. If set, this value is passed to ARM when WebSEAL registers itself as an ARM application.

Usage

This stanza entry is optional.

Default value

None.

Example

app-group = myWebAppGroup

app-instance

Use the app-instance stanza entry to specify the name for the WebSEAL application instance in ARM.

Syntax

app-instance = <application instance name>

Description

Identifies the instance of an application.

Options

<application instance name>

Name to give the WebSEAL application instance in ARM. If this value is not provided, ARM provides a default value; typically the host name of the server on which WebSEAL is running.

Usage

This stanza entry is optional.

Default value

Provided by ARM.

Example

app-instance = myAppInstance

correlator-header

Syntax

correlator-header = <header name>

Description

Overrides the default name of the HTTP header in which WebSEAL passes ARM correlators to junctions and, optionally, accepts correlators from upstream applications such as browsers.

Options

<header name>

Name to use for the ARM HTTP header.

Usage

This stanza entry is optional.

Default value

arm_correlator

Example

correlator-header = arm_correlator

enable-arm

Syntax

enable-arm = {yes|no}

Description

Enables or disables application response measurement (ARM).

Options

yes WebSEAL will register itself to ARM as an application and register its transaction names.

no Disables ARM; all other [arm] options are ignored.

Usage

This stanza entry is optional.

Default value

no

Example

enable-arm = no

library

Syntax

library = <name of ARM library>

Description

Allows the name of the ARM shared library to be configurable. This option can be used to override the default name of the ARM client library used by WebSEAL to register and report ARM transactions.

Options

<name of ARM library>

Note that a full path name, such as /usr/lib/libarm4.so, is permitted.

Usage

This stanza entry is optional.

Default value

libarm4.a for AIX®.

libarm4.dll for Windows.

libarm4.so for all other operating systems.

Example

library = libarm4.so

report-transactions

Syntax

report-transactions = {yes|no}

Description

Sets the reporting state with which WebSEAL starts. At any time while WebSEAL is running, the pdadmin command arm {on|off} can be used to change this state.

Options

yes WebSEAL starts with a reporting state of on and will report transactions. Once started, WebSEAL will report transactions until an arm off command is issued.

no WebSEAL will not report transactions until an arm on command is issued.

Usage

This stanza entry is optional.

Default value

no

Example

report-transactions = no

[auth-cookies] stanza

cookie

Syntax

cookie = cookie-name

Description

Specifies HTTP cookies to be used for authentication.

Note: This option is enabled only when the http-headers-auth option in the [http-headers] stanza is configured for http, https, or both.

Options

cookie-name

Name of HTTP cookie to be used for authentication.

Usage

This stanza entry is optional.

Default value

None.

Example

cookie = authcookie

[auth-headers] stanza

header

Syntax

header = header-name

Description

Use this stanza to specify all supported HTTP header types. By default, the built-in shared library is hard-coded to support Entrust Proxy header data.

Options

header-name

Values for header-name must be ASCII and conform to the HTTP specification for header names. The values for header-name are typically determined by a particular header name that is required by a third-party application. The WebSEAL administrator configures WebSEAL to support these other header names by setting this value.

Usage

This stanza entry is optional.

Default value

None.

Example

header = entrust-client
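The requirement above that each header value be ASCII and conform to the HTTP specification for header names can be checked before a configuration is deployed. The following Python example is added here and is not WebSEAL's code; it validates the header = entries of a constructed [auth-headers] stanza against the RFC 7230 token grammar, which is the grammar HTTP uses for header names.

```python
import re

# RFC 7230 "token" characters: the only characters allowed in an HTTP header name.
TCHAR_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_header_name(name):
    """True when name is non-empty, pure ASCII and made only of token characters."""
    return bool(name) and name.isascii() and TCHAR_RE.fullmatch(name) is not None


# Constructed [auth-headers] fragment mixing acceptable and unacceptable names
# (the last three are deliberately invalid: whitespace, a colon, a non-ASCII letter).
SAMPLE_AUTH_HEADERS = """
[auth-headers]
header = entrust-client
header = X-Partner-ID
header = bad header
header = user:name
header = x-nom-\u00e9
"""


def check_auth_headers(text):
    """Split the header = ... entries of the stanza into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or key.strip() != "header":
            continue
        value = value.strip()
        (accepted if is_valid_header_name(value) else rejected).append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_auth_headers(SAMPLE_AUTH_HEADERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Whitespace and the colon are excluded by the grammar because they delimit the name from its value on the wire, so a configured name containing them could never match a header a client actually sends.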

[authentication-levels] stanza

level

Syntax

level = method-name

Description

Step-up authentication levels. WebSEAL enables authenticated users to increase the authentication level by use of step-up authentication. This key=value pair specifies which step-up authentication levels are supported by this WebSEAL server.

Do not specify an authentication level unless the authentication method is enabled. For example, you must enable either basic authentication or forms authentication before you set level = password.

Enter a separate key=value pair for each supported level. Supported levels include:

- unauthenticated
- password
- token-card
- ssl
- ext-auth-interface

The position of the entry in the file dictates the associated authentication level. The first row, typically unauthenticated, is associated with authentication level of 0. Each subsequent line is associated with the next higher level. You can add multiple entries for the same method.

It is possible for the method to set the authentication level itself. For example, an External Authentication Interface (EAI) implementation might set either authentication level of 2 or 3 depending on the authentication transaction that the client undertakes.

The EAI can set this authentication level directly in the identity attributes returned to WebSEAL. To support this implementation, you can create two identical lines in positions 3 and 4. For example:

level = unauthenticated (associated with level 0)
level = password (associated with level 1)
level = ext-auth-interface (associated with level 2)
level = ext-auth-interface (associated with level 3)

Options

method-name

Name of authentication method.

Usage

This stanza entry is required.

Default value

unauthenticated

password

Example

level = unauthenticated
level = password
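The position-determines-level rule described above, including a method that appears at more than one level, is easy to get wrong when a stanza is edited by hand. The following Python example is added here and is not WebSEAL's code: it builds the level table from a constructed [authentication-levels] stanza, reports every level a method is configured for, and checks that a level reported by a method such as an EAI actually corresponds to a row for that method. That last check is the example's own consistency rule, not a documented WebSEAL behaviour.

```python
# Constructed [authentication-levels] stanza laid out as this reference describes:
# the first entry is level 0, each later entry is the next level, and a method may
# appear more than once (ext-auth-interface at levels 2 and 3, as in the text).
SAMPLE_LEVELS_STANZA = """
[authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface
level = ext-auth-interface
"""

# The supported level names listed in this reference.
SUPPORTED_METHODS = {"unauthenticated", "password", "token-card", "ssl", "ext-auth-interface"}


def parse_authentication_levels(text):
    """Return the level table as a list: the index of a method is its level number."""
    table = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or key.strip() != "level":
            continue
        method = value.strip()
        if method not in SUPPORTED_METHODS:
            raise ValueError(f"unsupported authentication method: {method}")
        table.append(method)
    if not table:
        raise ValueError("[authentication-levels] must contain at least one level entry")
    return table


def levels_for_method(table, method):
    """Every level number a method is configured to produce (possibly several)."""
    return [level for level, m in enumerate(table) if m == method]


def reported_level_is_configured(table, method, reported_level):
    """Consistency check for a method, such as an EAI, that reports its own level:
    accept the level only if a row for that method exists at that position.
    This is the example's own rule, not a documented WebSEAL behaviour."""
    return reported_level in levels_for_method(table, method)


if __name__ == "__main__":
    table = parse_authentication_levels(SAMPLE_LEVELS_STANZA)
    for level, method in enumerate(table):
        print(level, method)
    print("EAI may report level 3:", reported_level_is_configured(table, "ext-auth-interface", 3))
    print("EAI may report level 1:", reported_level_is_configured(table, "ext-auth-interface", 1))
```

With this table an EAI that returned level 1 would be claiming the password row, which it is not configured to occupy; the check makes such a mismatch visible instead of silently granting the level.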

[authentication-mechanisms] stanza

cert-ldap

Syntax

cert-ldap = cert-ldap-library

Description

Fully qualified path for a library that implements certificate authentication for internal Security Access Manager server communication.

This stanza entry should not be modified. To implement a custom certificateauthentication module, use cert-ssl.

Options

cert-ldap-library

Fully qualified path for a library that implements certificate authentication for internal Security Access Manager server communication.

Usage

This stanza entry is optional.

Default value

The default value for the built-in library on Solaris is (entered as one line):

cert-ldap = /opt/PolicyDirector/lib/libcertauthn.so & -cfgfile [/opt/pdweb/etc/webseal-default.conf]

Example

Example on Windows (entered as one line):

cert-ldap = C:\PROGRA~1\Tivoli\POLICY~1\lib\libcertauthn.dll & -cfgfile [C:/Program Files/Tivoli/PDWeb/etc/webseald-default.conf]

cert-ssl

Syntax

cert-ssl = cert-ssl-library

Description

Fully qualified path for a library that implements certificate authentication.

Use this parameter (not cert-ldap) to implement a custom certificate authentication module.

Options

cert-ssl-library

Fully qualified path for a library that implements certificate authentication.

Usage

This stanza entry is optional.

Default value

None.

Example

cert-ssl = /opt/pdwebrte/lib/libamwcertmapauthn.sl

cred-ext-attrs

Syntax

cred-ext-attrs = cred-ext-attrs-library

Description

Fully qualified path for a library that supplies extended attribute data to the user credential.

The cred-ext-attrs stanza entry supports custom credential attribute modules built with the external authentication C API. The current method for supplying extended attributes in credentials is now provided by the credential attribute entitlements service.

Options

cred-ext-attrs-library

Fully qualified path for a library that supplies extended attribute data to the user credential.

Usage

This stanza entry is optional.

Default value

None.

Example

cred-ext-attrs = cred-ext-attrs-library

ext-auth-interface

Syntax

ext-auth-interface = ext-auth-interface-library

Description

Fully qualified path for a library that implements custom authentication using the external authentication interface.

Options

ext-auth-interface-library

Fully qualified path for a library that implements custom authentication using the external authentication interface.

Usage

This stanza entry is optional.

Default value

None.

failover-cdsso

Syntax

failover-cdsso = failover-cdsso-library

Description

Fully qualified path for a library that implements failover cookie authentication for cross-domain single signon authentication.

Options

failover-cdsso-library

Fully qualified path for a library that implements failover cookie authentication for cross-domain single signon authentication.

Usage

This stanza entry is optional.

Default value

None.

failover-certificate

Syntax

failover-certificate = failover-certificate-library

Description

Fully qualified path for a library that implements failover cookie authentication for certificate authentication.

Options

failover-certificate-library

Fully qualified path for a library that implements failover cookie authentication for certificate authentication.

Usage

This stanza entry is optional.

Default value

None.

failover-ext-auth-interface

Syntax

failover-ext-auth-interface = failover-ext-auth-interface-library

Description

Fully qualified path for a library that implements failover cookie authentication for custom authentication using the external authentication interface.

Options

failover-ext-auth-interface-library

Fully qualified path for a library that implements failover cookie authentication for custom authentication using the external authentication interface.

Usage

This stanza entry is optional.

Default value

None.

failover-http-request

Syntax

failover-http-request = failover-http-library

Description

Fully qualified path for a library that implements failover cookie authentication for HTTP header authentication or IP address authentication.

Options

failover-http-library

Fully qualified path for a library that implements failover cookie authentication for HTTP header authentication or IP address authentication.

Usage

This stanza entry is optional.

Default value

None.

failover-kerberosv5

Syntax

failover-kerberosv5 = failover-kerberosv-library

Description

Fully qualified path for a library that implements failover cookie authentication for SPNEGO authentication.

Options

failover-kerberosv-library

Fully qualified path for a library that implements failover cookie authentication for SPNEGO authentication.

Usage

This stanza entry is optional.

Default value

None.

failover-password

Syntax

failover-password = failover-password-library

Description

Fully qualified path for a library that implements failover cookie authentication for basic authentication or forms authentication.

Options

failover-password-library

Fully qualified path for a library that implements failover cookie authentication for basic authentication or forms authentication.

Usage

This stanza entry is optional.

Default value

None.

failover-token-card

Syntax

failover-token-card = failover-token-library

Description

Fully qualified path for a library that implements failover cookie authentication for token card authentication.

Options

failover-token-library

Fully qualified path for a library that implements failover cookie authentication for token card authentication.

Usage

This stanza entry is optional.

Default value

None.

http-request

Syntax

http-request = http-request-library

Description

Fully qualified path for a library that implements HTTP header or IP address authentication.

Options

http-request-library

Fully qualified path for a library that implements HTTP header or IP address authentication.

Usage

This stanza entry is optional.

Default value

None.

kerberosv5

Syntax

kerberosv5 = stli-authn-library

Description

Fully qualified path for a library that implements WebSEAL support for SPNEGO authentication. This library is used to provide WebSEAL's Windows desktop single signon.

Options

stli-authn-library

Fully qualified path for a library that implements WebSEAL support for SPNEGO authentication.

Usage

This stanza entry is optional.

Default value

None.

Example

kerberosv5 = /opt/PolicyDirector/lib/stliauthn.so

ltpa

Syntax

ltpa = ltpa-library

Description

Fully qualified path for a library that implements custom authentication using an LTPA cookie.

Options

ltpa-library

Fully qualified path for a library that implements custom authentication using an LTPA cookie.

Usage

This stanza entry is optional.

Default value

None.

Example

ltpa = /opt/pdwebrte/lib/libltpaauthn.so

passwd-cdas

Syntax

passwd-cdas = passwd-cdas-module

Description

Fully qualified path for the external authentication C API module that implements either basic authentication or forms authentication.

Options

passwd-cdas-module

Fully qualified path for the external authentication C API module.

Usage

This stanza entry is optional.

Default value

None.

passwd-ldap

Syntax

passwd-ldap = passwd-ldap-library

Description

Fully qualified path for a library that implements basic authentication or forms authentication with an LDAP user registry.

Options

passwd-ldap-library

Fully qualified path for a library that implements basic authentication or forms authentication with an LDAP user registry.

Usage

This stanza entry is optional.

Default value

None.

Example

(Entered as one line):

passwd-ldap = C:\PROGRA~1\Tivoli\POLICY~1\bin\ldapauthn.dll & -cfgfile [C:/Program Files/Tivoli/PDWeb/etc/webseald-default.conf]

passwd-strength

Syntax

passwd-strength = passwd-strength-library

Description

Fully qualified path for a library that implements password strength authentication.

Options

passwd-strength-library

Fully qualified path for a library that implements password strength authentication.

Usage

This stanza entry is optional.

Default value

None.

passwd-uraf

Syntax

passwd-uraf = uraf-authn-library

Description

Fully qualified path for a library that implements basic authentication or forms authentication using the Security Access Manager URAF interface to underlying user registry types.

Options

uraf-authn-library

Fully qualified path for a library that implements basic authentication or forms authentication using the Security Access Manager URAF interface to underlying user registry types.

Usage

This stanza entry is optional.

Default value

None.

post-pwdchg-process

Syntax

post-pwdchg-process = post-pwdchg-process-library

Description

Fully qualified path for a library that implements post password change processing. This is called by WebSEAL when the user changes a password using the pkmspasswd password change page.

Options

post-pwdchg-process-library

Fully qualified path for a library that implements post password change processing.

Usage

This stanza entry is optional.

Default value

None.

Example

The following example shows the path name to the built-in post password change library, as supplied with WebSEAL on Solaris:

post-pwdchg-process = /opt/PolicyDirector/lib/libxauthn.so

sso-consume

Syntax

sso-consume = sso-consumption-library

Description

Fully qualified path for a library that implements WebSEAL single signon token consumption.

Options

sso-consumption-library

Fully qualified path for a library that implements WebSEAL single signon token consumption.

Usage

This stanza entry is optional.

Default value

None.

sso-create

Syntax

sso-create = sso-creation-library

Description

Fully qualified path for a library that implements WebSEAL single signon token creation.

Options

sso-creation-library

Fully qualified path for a library that implements WebSEAL single signon token creation.

Usage

This stanza entry is optional.

Default value

None.


su-cdsso

Syntax

su-cdsso = su-cdsso-library

Description

Fully qualified path for a library that implements switch user authentication for cross-domain single signon authentication.

Options

su-cdsso-library

Fully qualified path for a library that implements switch user authentication for cross-domain single signon authentication.

Usage

This stanza entry is optional.

Default value

None.

su-certificate

Syntax

su-certificate = su-certificate-library

Description

Fully qualified path for a library that implements switch user authentication for certificate authentication.

Options

su-certificate-library

Fully qualified path for a library that implements switch user authentication for certificate authentication.

Usage

This stanza entry is optional.

Default value

None.

su-http-request

Syntax

su-http-request = su-http-request-library


Description

Fully qualified path for a library that implements switch user authentication for HTTP header or IP address authentication.

Options

su-http-request-library

Fully qualified path for a library that implements switch user authentication for HTTP header or IP address authentication.

Usage

This stanza entry is optional.

Default value

None.

su-kerberosv5

Syntax

su-kerberosv5 = su-kerberosv5-library

Description

Fully qualified path for a library that implements switch user authentication for SPNEGO (Kerberos) authentication.

Options

su-kerberosv5-library

Fully qualified path for a library that implements switch user authentication for SPNEGO (Kerberos) authentication.

Usage

This stanza entry is optional.

Default value

None.

su-passwd

Syntax

su-passwd = su-passwd-library

Description

Fully qualified path for a library that implements switch user authentication for basic authentication or forms authentication.


Options

su-passwd-library

Fully qualified path for a library that implements switch user authentication for basic authentication or forms authentication.

Usage

This stanza entry is optional.

Default value

None.

su-token-card

Syntax

su-token-card = su-token-card-library

Description

Fully qualified path for a library that implements switch user authentication for token authentication.

Options

su-token-card-library

Fully qualified path for a library that implements switch user authentication for token authentication.

Usage

This stanza entry is optional.

Default value

None.

token-cdas

Syntax

token-cdas = token-cdas-module

Description

Fully qualified path for a module that implements token authentication.

Options

token-cdas-module

Fully qualified path for a library that implements token authentication.

Usage

This stanza entry is optional.


Default value

None.

[aznapi-configuration] stanza

audit-attribute

Use the audit-attribute stanza entry to list the attributes to audit.

Syntax

audit-attribute = attribute

Description

Attributes to be audited.

Note: You can configure multiple audit-attribute entries. Create a separate audit-attribute entry for each attribute to be audited.

Options

attribute

Attributes to be audited.

Usage

This stanza entry is required.

Default value

tagvalue_su-admin

Example

audit-attribute = tagvalue_su-admin

auditcfg

Use the auditcfg stanza entry to configure which events WebSEAL audits.

Syntax

auditcfg = {azn|authn|http}

Description

Indicates the components for which auditing of events is configured. To enable component-specific audit records, add the appropriate definition.

Options

azn Capture authorization events.

authn Capture authentication events.

http Capture HTTP events. These events correspond to the events logged by the request, referrer, and agent logging clients.


Usage

This stanza entry is optional for WebSEAL. However, this stanza entry is required when auditing is enabled (logaudit = yes).

Default value

There is no default value for WebSEAL because auditing is disabled by default.

Example

Create a separate stanza entry for each component to be activated. The components are included in the default configuration file, but are commented out. To activate a commented out entry, remove the pound sign (#) from the start of the entry.

Example:

auditcfg = azn
#auditcfg = authn
#auditcfg = http

auditlog

Use the auditlog stanza entry to specify the WebSEAL audit trail file.

Syntax

auditlog = fully_qualified_path

Description

Location of the audit trail file for WebSEAL.

Options

fully_qualified_path

The fully qualified path value represents an alphanumeric string.

Usage

This stanza entry is required when auditing is enabled.

Default value

The default value is set during WebSEAL configuration by appending log/aznapi_webseald-<instance_name>.log to the path for the WebSEAL installation directory.

where:

<instance_name>

The WebSEAL instance name. For example, default.

Example

Example on UNIX:

auditlog = /var/pdweb/log/aznapi_webseald-default.log


cache-refresh-interval

Syntax

cache-refresh-interval = {disable|default|number_of_seconds}

Description

Poll interval between checks for updates to the master authorization server.

Options

disable

The interval value in seconds is not set.

default

When the value is set to default, an interval of 600 seconds is used.

number_of_seconds

Integer value indicating the number of seconds between polls to the master authorization server to check for updates.

The minimum number of seconds is 0. There is no maximum value.

Usage

This stanza entry is optional.

Default value

disable

Example

cache-refresh-interval = disable

cred-attribute-entitlement-services

Syntax

cred-attribute-entitlement-services = service-ID

Description

Enables the credential policy entitlements service.

Options

service-ID

ID of the service.

Usage

This stanza entry is optional.

Default value

TAM_CRED_POLICY_SVC


Example

cred-attribute-entitlement-services = TAM_CRED_POLICY_SVC

db-file

Syntax

db-file = fully_qualified_path

Description

Fully qualified path to the WebSEAL policy database cache file.

Options

fully_qualified_path

Fully qualified path to the WebSEAL policy database cache file.

Usage

This stanza entry is required.

Default value

The default value is a path name that has db/webseald.db appended to the WebSEAL installation directory path.

Example

Example on UNIX:

db-file = /var/pdweb/db/webseald.db

dynamic-adi-entitlement-services

Syntax

dynamic-adi-entitlement-services = service-ID

Description

A list of configured entitlements service IDs that are queried by the rules engine if missing ADI is detected during an authorization rule evaluation.

Options

service-ID

Service ID that is queried by the rules engine if missing ADI is detected during an authorization rule evaluation.

Usage

This stanza entry is optional.

Default value

None.


Example

dynamic-adi-entitlement-services = AMWebARS_A

input-adi-xml-prolog

Syntax

input-adi-xml-prolog = prolog

Description

The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.

Options

prolog

The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.

Usage

This stanza entry is optional.

Default value

<?xml version='1.0' encoding='UTF-8'?>

Example

input-adi-xml-prolog = <?xml version='1.0' encoding='UTF-8'?>

listen-flags

Syntax

listen-flags = {enable|disable}

Description

Enables or disables the reception by WebSEAL of policy cache update notifications from the master authorization server.

Options

enable Activates the notification listener.

disable Deactivates the notification listener.

Usage

This stanza entry is required.

Default value

disable


Example

listen-flags = enable

logaudit

Syntax

logaudit = {yes|true|no|false}

Description

Enables or disables auditing.

Options

yes Enable auditing.

true Enable auditing.

no Disable auditing.

false Disable auditing.

Usage

This stanza entry is required.

Default value

no

Example

logaudit = no

logclientid

Syntax

logclientid = webseald

Description

Name of the daemon whose activities are audited through use of authorization API logging.

Options

webseald

Name of the daemon whose activities are audited through use of authorization API logging.

Usage

This stanza entry is required.

Default value

webseald


Example

logclientid = webseald

logcfg

Syntax

logcfg = category:{stdout|stderr|file|pipe|remote|rsyslog} [parameter=value][,parameter=value]...

Description

Specifies event logging for the specified category.

Options

Specifies event logging for the specified category.

For WebSEAL, the categories are:

audit.azn Authorization events.

audit.authn Credentials acquisition authentication.

http All HTTP logging information.

http.clf HTTP request information as defined by the request-log-format configuration entry in the [logging] stanza.

http.ref HTTP Referer header information.

http.agent HTTP User-Agent header information.

{stdout|stderr|file|pipe|remote|rsyslog}

Event logging supports a number of output destination types. WebSEAL auditing typically is configured to use the file type.

parameter = value

Each event logging type supports a number of optional parameter = value options.

For more information about output destination types and optional parameter = value settings, see the IBM Security Access Manager for Web: Administration Guide.

Usage

This stanza entry is optional.

Default value

None.

Example

Example entry for request.log (common log format) (entered as one line):


logcfg = http.clf:file path=request_file,flush=time,rollover=max_size,log_id=httpclf,buffer_size=8192,queue_size=48

logflush

Syntax

logflush = number_of_seconds

Description

Integer value indicating the frequency, in seconds, to force a flush of log buffers.

Options

number_of_seconds

The minimum value is 1 second.

The maximum value is 600 seconds.

Usage

This stanza entry is optional.

Default value

20

Example

logflush = 20

logsize

Syntax

logsize = number_of_bytes

Description

Integer value indicating the size limit of audit log files. The size limit is also referred to as the rollover threshold. When the audit log file reaches this threshold, the original audit log file is renamed and a new log file with the original name is created.

Options

number_of_bytes

When the value is zero (0), no rollover log file is created.

When the value is a negative integer, the logs are rolled over daily, regardless of the size.

When the value is a positive integer, the value indicates the maximum size, in bytes, of the audit log file before the rollover occurs. The allowable range is from 1 byte to 2 megabytes.


Usage

This stanza entry is optional.

Default value

2000000

Example

logsize = 2000000
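The audit and logging entries above (logaudit, auditcfg, auditlog, logflush, logsize, logcfg) constrain each other: auditing switched on without an auditcfg or auditlog entry, a logflush outside 1 to 600 seconds, or a logsize above the 2 megabyte rollover limit are all misconfigurations a reviewer should catch before deployment. The following checker is an added example (not IBM code); the stanza text it parses is constructed from the examples in this reference.

```python
"""Validator for the audit/logging entries of the [aznapi-configuration]
stanza (auditcfg, logaudit, auditlog, logflush, logsize, logcfg).

Added example; not IBM code. The stanza text below is constructed."""
import re

STANZA = """\
[aznapi-configuration]
logaudit = yes
auditcfg = azn
#auditcfg = authn
auditcfg = http
auditlog = /var/pdweb/log/aznapi_webseald-default.log
logflush = 20
logsize = 2000000
logcfg = http.clf:file path=request_file,flush=time,rollover=max_size,log_id=httpclf,buffer_size=8192,queue_size=48
"""

LOG_TYPES = {"stdout", "stderr", "file", "pipe", "remote", "rsyslog"}
AUDIT_COMPONENTS = {"azn", "authn", "http"}
LOGSIZE_MAX = 2_000_000   # "1 byte to 2 megabytes" per the logsize entry


def parse_stanza(text, name):
    """Return the key/value pairs of one [name] stanza as a list, keeping
    duplicates (several auditcfg entries are legitimate) and skipping
    commented-out (#) lines."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if current == name and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def parse_logcfg(value):
    """Split 'category:type [param=value[,param=value]...]' into its parts."""
    head, _, params = value.partition(" ")
    category, sep, logtype = head.partition(":")
    if not sep or logtype not in LOG_TYPES:
        raise ValueError("logcfg: bad destination type in %r" % value)
    options = {}
    for item in filter(None, params.split(",")):
        k, eq, v = item.partition("=")
        if not eq:
            raise ValueError("logcfg: parameter without value: %r" % item)
        options[k.strip()] = v.strip()
    return {"category": category, "type": logtype, "params": options}


def validate_audit_config(text):
    """Return a list of problems; an empty list means the audit settings are
    consistent with the constraints documented for each entry."""
    entries = parse_stanza(text, "aznapi-configuration")
    problems, values, auditcfg, logcfgs = [], {}, [], []
    for key, value in entries:
        if key == "auditcfg":
            auditcfg.append(value)
        elif key == "logcfg":
            logcfgs.append(value)
        else:
            values[key] = value
    audit_on = values.get("logaudit", "no").lower() in ("yes", "true")
    if audit_on:
        if not auditcfg:
            problems.append("logaudit enabled but no auditcfg entry")
        if "auditlog" not in values:
            problems.append("logaudit enabled but auditlog not set")
    for comp in auditcfg:
        if comp not in AUDIT_COMPONENTS:
            problems.append("auditcfg: unknown component %r" % comp)
    if "logflush" in values:
        n = int(values["logflush"])
        if not 1 <= n <= 600:
            problems.append("logflush %d outside 1..600 seconds" % n)
    if "logsize" in values:
        n = int(values["logsize"])
        # 0 = no rollover, negative = daily rollover, positive = byte threshold
        if n > LOGSIZE_MAX:
            problems.append("logsize %d exceeds 2 megabyte rollover limit" % n)
    for cfg in logcfgs:
        try:
            parse_logcfg(cfg)
        except ValueError as exc:
            problems.append(str(exc))
    return problems
```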

permission-info-returned

Syntax

permission-info-returned = permission-attribute

Description

Specifies the permission information returned to the resource manager (for example, WebSEAL) from the authorization service.

Options

permission-attribute

The azn_perminfo_rules_adi_request setting allows the authorization service to request ADI from the current WebSEAL client request. The azn_perminfo_reason_rule_failed setting specifies that rule failure reasons be returned to the resource manager (this setting is required for -R junctions).

To enable the Privacy Redirection capabilities of the AMWebARS Web Service, the azn_perminfo_amwebars_redirect_url must be included.

Usage

This stanza entry is optional.

Default value

azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed

Example

permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed

policy-attr-separator

Syntax

policy-attr-separator = separator

Description

Specifies the character that WebSEAL uses for the following services:

- Credential policy entitlements service.
- Registry entitlements service.


Note: For the credential policy entitlements service to work properly, a user's DN cannot contain the specified separator. If the user DN contains this separator, then WebSEAL fails when attempting to retrieve the user's policy attributes.

Options

separator

The character that WebSEAL uses for the credential policy entitlementsservice and the registry entitlements service. Ensure that the chosencharacter is not present in any User DN values.

Usage

This stanza entry is optional.

Default value

By default, WebSEAL uses colon (:) as the separator for these services.

Example

policy-attr-separator = #

policy-cache-size

Syntax

policy-cache-size = cache_size

Description

The maximum size of the in-memory policy cache is configurable. The cache consists of policy and the relationships between policy and resources. The knowledge that a resource has no directly associated policy is also cached.

Options

cache_size

The maximum cache size should be relative to the number of policy objects defined, the number of resources protected, and the available memory.

A reasonable algorithm to begin with is: (number of policy objects * 3) + (number of protected resources * 3)

This value controls how much information is cached. A larger cache will potentially improve the application performance but use additional memory as well.

Size is specified as the number of entries.

Usage

This stanza entry is optional.

Default value

None.


Example

policy-cache-size = 32768

resource-manager-provided-adi

Syntax

resource-manager-provided-adi = prefix

Description

A list of string prefixes that identify Authorization Decision Information (ADI) to be supplied by the resource manager (in this case, WebSEAL).

Options

prefix

The default settings below tell the authorization engine that when it requires ADI with the prefixes AMWS_hd_, AMWS_qs_, or AMWS_pb_ to evaluate a boolean authorization rule, and the ADI is not available in either the credential or application context passed in with the access decision call, the engine should fail the access decision and request that the resource manager retry the request and provide the required data in the application context of the next request.

Usage

This stanza entry is optional.

Default value

AMWS_hd_, AMWS_pb_, AMWS_qs_

Example

resource-manager-provided-adi = AMWS_hd_
resource-manager-provided-adi = AMWS_pb_
resource-manager-provided-adi = AMWS_qs_

service-id

Syntax

service-id = path-to-dll[ & parameters...]

Description

Each stanza entry defines a different type of authorization API service.

Options

service-id

The string by which the service can be identified by the authorization API client.

path-to-dll

The fully qualified path to the DLL which contains the service executable code.

parameters

Optionally you can specify parameters to pass to the service when it is initialized by the aznAPI. The parameters are considered to be all data following the "&" symbol in the string.

Usage

This stanza entry is optional.

Default value

None.

xsl-stylesheet-prolog

Syntax

xsl-stylesheet-prolog = prolog

Description

The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.

Options

prolog

The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.

Usage

This stanza entry is optional.

Default value

<?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'></xsl:template>

Example

xsl-stylesheet-prolog = <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'> </xsl:template>

[aznapi-entitlement-services] stanza

service-id

Syntax

service-id = library_base_name

Description

The Security Access Manager authorization API provides a framework for adding entitlement services into the authorization decision making process. The authorization API obtains knowledge of active entitlement services by reading entries from stanza files, such as this one, and by reading initialization stanza entries that are sent to the API upon startup.

WebSEAL uses a built-in entitlement service that is supplied as a shared library. This configuration file entry provides a service-id of AZN_ENT_EXT_ATR.

For more information on entitlement services, see the IBM Security Access Manager for Web: Authorization C API Developer Reference.

Options

library_base_name

The Authorization API uses the service-id to denote the presence of a service that is to be loaded at API initialization time. For more information, see IBM Security Access Manager for Web: Authorization C API Developer Reference.

This configuration file entry also specifies the name of the shared library: azn_ent_ext_attr.

The file name of the azn_ent_ext_attr shared library, and its location within the file system, is specific to each operating system. For example, on Windows platforms, the names of shared libraries contain the suffix .dll. However, the base name for the library is common across operating systems. This value is specified in library_base_name.

WebSEAL reads the library_base_name and then uses an internal search algorithm to find the appropriate shared library by cycling through the known prefixes, suffixes, and file locations.

Usage

This stanza entry is required. Administrators should not change this entry.

Default value

AZN_ENT_EXT_ATTR = azn_ent_ext_attr

Example

Specifications for credential policy entitlements service:

TAM_CRED_POLICY_SVC = amwcredpolsvc
TAM_REG_ENT_SVC = azn_ent_registry_svc

Specifications for dynamic ADI entitlement services:

service_ID_of_AMWebARS_Entitlement_Service = azn_ent_amwebars

[aznapi-external-authzn-services] stanza

policy-trigger

Syntax

policy-trigger = plug-in_location [-weight N [& plug-in_parameters]]


Description

Defines the external authorization service.

Options

policy-trigger

Any string that is recognized as a valid key name. Stanza key names cannot contain white space or the open bracket ([) and close bracket (]) characters. The bracket characters are used to define new stanza names. The policy-trigger is case sensitive for action set definitions because the actions themselves are case sensitive. However, the policy-trigger is case insensitive if the trigger is a protected object policy (POP) attribute.

plug-in_location

The path name to the shared library or DLL module that contains the implementation of the plug-in for the specified policy trigger. The path name can be in a truncated form if the external authorization service is to be loaded by clients on multiple platforms. In this case, the service dispatcher searches for the plug-in using platform-specific prefixes and suffixes to match DLL names.

The name of the OAuth EAS plug-in is amwoautheas and its library is contained in the pdwebrte/lib directory. For example:

/opt/pdwebrte/lib/libamwoautheas.so

N

The weight parameter is an unsigned size_t value and is optional. The value signifies the weight that any decision returned by this external authorization service is given in the entire decision process.

plug-in_parameters

Optionally, the external authorization service can be passed additional initialization information in the form of arguments. The arguments must be preceded by the ampersand (&). The authorization service takes the remainder of the string following the ampersand, breaks the string up into white space separated tokens, and passes the tokens directly to the administration service's initialization interface, azn_svc_initialize(), in the argv array parameter. The number of strings in the argv array is indicated by the argc function parameter.

A single parameter is required by the OAuth EAS. This parameter corresponds to the name of the OAuth EAS configuration file. That is, the file that contains the [oauth-eas] stanza and the corresponding [tfim-cluster:<cluster>] stanza.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.


Example

The following example is an operation-based trigger with a user-defined action group of Printer and the actions rxT within that group. To specify the primary action group you would specify only :rxT. The primary action group can be represented with an empty action group name or the string primary can be used explicitly. All lowercase letters are required if primary is used explicitly. Any policy-trigger that does not contain a colon (:) character is considered to be a POP attribute name.

Printer:rxT = eas_plugin -weight 60 & -server barney

The following example is for a POP attribute trigger called webseal_pop_trigger. When a POP that contains a reference to this string is encountered, the appropriate external authorization service is called to take part in the access decision.

webseal_pop_trigger = eas_plugin_2 -weight 70 & -hostname fred

Note that in order for the above POP attribute trigger to work, POP configuration must have been completed previously by the secure domain administrator, using the pdadmin pop commands.

The following is an example configuration for the OAuth EAS, where the file /opt/pdweb/etc/oauth_eas.conf contains the [oauth-eas] stanza and the corresponding [tfim-cluster:<cluster>] stanza. This example is entered as one line in the WebSEAL configuration file:

webseal_pop_trigger = /opt/pdwebrte/lib/libamwoautheas.so & /opt/pdweb/etc/oauth_eas.conf
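The policy-trigger grammar above has three parts that are easy to get wrong when auditing a WebSEAL configuration: the key decides whether the trigger is an action set (colon present, case sensitive, empty or "primary" group meaning the primary group) or a POP attribute; the optional -weight N must be an unsigned integer; and everything after the first "&" is handed to azn_svc_initialize() as whitespace-split argv tokens. The parser below is an added example, not IBM code, and is exercised with the three entries shown above plus a constructed primary-group trigger.

```python
"""Parser for [aznapi-external-authzn-services] policy-trigger entries.
Added example, not IBM code; the sample entries are those from the text
above plus one constructed primary-group trigger."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PolicyTrigger:
    trigger: str                 # the stanza key
    kind: str                    # "action" or "pop-attribute"
    action_group: Optional[str]  # "primary" or the group name (action triggers)
    actions: Optional[str]       # e.g. "rxT" (action triggers)
    location: str                # shared library / DLL path, possibly truncated
    weight: Optional[int]        # -weight N, if present
    argv: List[str] = field(default_factory=list)  # tokens after "&"


def parse_trigger_key(key):
    # stanza keys may not contain white space or the [ ] characters
    if re.search(r"[\s\[\]]", key):
        raise ValueError("invalid stanza key: %r" % key)
    if ":" in key:
        group, _, actions = key.partition(":")
        # an empty group name or the lowercase word "primary" both denote the
        # primary action group; action triggers are case sensitive
        if group in ("", "primary"):
            group = "primary"
        return "action", group, actions
    # anything without a colon is a POP attribute name (case insensitive)
    return "pop-attribute", None, None


def parse_policy_trigger(line):
    key, eq, value = line.partition("=")
    if not eq:
        raise ValueError("expected key = value: %r" % line)
    key, value = key.strip(), value.strip()
    kind, group, actions = parse_trigger_key(key)
    # everything after the first "&" is initialization argv for the plug-in
    spec, amp, params = value.partition("&")
    argv = params.split() if amp else []
    tokens = spec.split()
    if not tokens:
        raise ValueError("missing plug-in location: %r" % line)
    location, rest = tokens[0], tokens[1:]
    weight = None
    if rest:
        # the weight is an unsigned size_t, so only digits are accepted
        if len(rest) != 2 or rest[0] != "-weight" or not rest[1].isdigit():
            raise ValueError("expected '-weight N' after location: %r" % line)
        weight = int(rest[1])
    return PolicyTrigger(key, kind, group, actions, location, weight, argv)


SAMPLE_TRIGGERS = [
    "Printer:rxT = eas_plugin -weight 60 & -server barney",
    "webseal_pop_trigger = eas_plugin_2 -weight 70 & -hostname fred",
    "webseal_pop_trigger = /opt/pdwebrte/lib/libamwoautheas.so & /opt/pdweb/etc/oauth_eas.conf",
    ":rxT = eas_plugin -weight 10",   # constructed: primary action group
]


def parse_all(lines=SAMPLE_TRIGGERS):
    return [parse_policy_trigger(line) for line in lines]
```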

[azn-decision-info] stanza

azn-decision-info

Syntax

<attr-name> = <http-info>

Description

This stanza defines any extra information that is available to the authorization framework when making authorization decisions. This extra information can be obtained from various elements of the HTTP request, namely:

- HTTP method
- HTTP scheme
- HTTP cookies
- Request URI
- HTTP headers
- POST data

If the requested element is not in the HTTP request, no corresponding attribute is added to the authorization decision information.

Options

<attr-name>

The name of the attribute that contains the HTTP information.


<http-info>

The source of the information. It can be one of the following values:

- method
- scheme
- uri
- header:<header-name>
- post-data:<post-data-name>
- cookie:<cookie-name>

Usage

This stanza entry is optional.

Default value

N/A

Example

HTTP_REQUEST_METHOD = method
HTTP_HOST_HEADER = header:Host
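To see how an [azn-decision-info] stanza turns a request into decision attributes, including the documented rule that an element absent from the request yields no attribute, here is an added example (not WebSEAL's own code) that reads the stanza and applies it to a constructed request; the cookie and post-data entries and their names are constructed for the illustration.

```python
"""Builds the extra authorization decision information that an
[azn-decision-info] stanza asks for from an HTTP request. Added example,
not IBM code; the request and the cookie/post-data entries are constructed."""
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qs


@dataclass
class HttpRequest:
    method: str
    scheme: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    post_body: str = ""


def parse_azn_decision_info(text):
    """Return [(attr_name, http_info), ...] from the stanza body."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        attr, _, source = line.partition("=")
        entries.append((attr.strip(), source.strip()))
    return entries


def build_decision_info(request, entries):
    """Collect the requested elements; when an element is absent from the
    request no attribute is added (the documented behaviour)."""
    # header names are matched case-insensitively, as HTTP headers are
    headers = {k.lower(): v for k, v in request.headers.items()}
    post = {k: v[0] for k, v in parse_qs(request.post_body).items()}
    info = {}
    for attr, source in entries:
        kind, _, name = source.partition(":")
        value = None
        if kind == "method":
            value = request.method
        elif kind == "scheme":
            value = request.scheme
        elif kind == "uri":
            value = request.uri
        elif kind == "header":
            value = headers.get(name.lower())
        elif kind == "cookie":
            value = request.cookies.get(name)
        elif kind == "post-data":
            value = post.get(name)
        else:
            raise ValueError("unknown http-info source %r for %s" % (source, attr))
        if value is not None:
            info[attr] = value
    return info


# constructed stanza: the first two entries are the example from the text
STANZA = """\
[azn-decision-info]
HTTP_REQUEST_METHOD = method
HTTP_HOST_HEADER = header:Host
HTTP_SCHEME = scheme
APP_COOKIE = cookie:MY_APP_COOKIE
ACCOUNT_ID = post-data:account
"""

# constructed request: it carries no MY_APP_COOKIE, so APP_COOKIE is omitted
SAMPLE_REQUEST = HttpRequest(
    method="POST", scheme="https", uri="/app/submit",
    headers={"Host": "www.example.com", "User-Agent": "test"},
    cookies={},
    post_body="account=12345&amount=10",
)


def decision_info_for_sample():
    return build_decision_info(SAMPLE_REQUEST, parse_azn_decision_info(STANZA))
```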

[ba] stanza

ba-auth

Syntax

ba-auth = {none|http|https|both}

Description

Enables authentication using the Basic Authentication mechanism.

When basic authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

https

Example

ba-auth = https


basic-auth-realm

Syntax

basic-auth-realm = Realm_name

Description

String value that specifies the realm name.

Options

Realm_name

This name is displayed in the browser's dialog box when the user is prompted for login information. The string must consist of ASCII characters, and can contain spaces.

Usage

This stanza entry is optional.

Default value

Access Manager

Example

basic-auth-realm = Access Manager

[cdsso] stanza

authtoken-lifetime

Syntax

authtoken-lifetime = number_of_seconds

Description

Positive integer that expresses the number of seconds for which the single signon authentication token is valid.

Options

number_of_seconds

Minimum value: 1. There is no maximum value.

Usage

This stanza entry is required.

Default value

180

Example

authtoken-lifetime = 180


cdsso-argument

Syntax

cdsso-argument = argument_name

Description

Name of the argument containing the cross-domain single signon token in a query string in a request. This is used to identify incoming requests that contain CDSSO authentication information.

Options

argument_name

Name of the argument containing the cross-domain single signon token in a query string in a request. Valid characters are any ASCII characters, except for question mark (?), ampersand (&), and equals sign (=).

Usage

This stanza entry is required.

Default value

PD-ID

Example

cdsso-argument = PD-ID

cdsso-auth

Syntax

cdsso-auth = {none|http|https|both}

Description

Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token consume (sso-consume) library in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

cdsso-auth = none


cdsso-create

Syntax

cdsso-create = {none|http|https|both}

Description

Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token create (sso-create) library in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

cdsso-create = none

clean-cdsso-urls

Syntax

clean-cdsso-urls = {yes|no}

Description

The cdsso-argument (PD-ID) and PD-REFERER query string arguments can be passed to junctions. When this option is set to yes, these arguments are removed from the URI before the request is passed to the junction.

Options

yes The argument containing the CDSSO token in a request query string and the PD-REFERER query string argument are removed from the URI before the request is passed to the junction.

no The CDSSO and PD-REFERER arguments are not removed from the URI before the request is passed to the junction.

Usage

This stanza entry is required.

Default value

no


Example

clean-cdsso-urls = no
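With clean-cdsso-urls = no (the default) the CDSSO token argument and PD-REFERER travel on to the junctioned application in the query string, where they can end up in back-end access logs. The function below, an added example rather than WebSEAL's own code, shows the yes behaviour described above for the configured cdsso-argument name (PD-ID unless changed) and also applies the cdsso-argument character rule from the [cdsso] stanza; the URIs are constructed.

```python
"""Strips the CDSSO query-string arguments from a request URI before it is
forwarded to a junction (clean-cdsso-urls = yes) and checks a cdsso-argument
name against the documented character rule. Added example, not WebSEAL's own
code; the URIs are constructed."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

REFERER_ARG = "PD-REFERER"


def valid_cdsso_argument(name):
    """Any ASCII characters except '?', '&' and '=' (per cdsso-argument)."""
    return bool(name) and name.isascii() and not any(c in name for c in "?&=")


def clean_cdsso_url(uri, cdsso_argument="PD-ID", clean=True):
    """Return the URI to send to the junction. With clean=False
    (clean-cdsso-urls = no) the URI is passed through unchanged."""
    if not valid_cdsso_argument(cdsso_argument):
        raise ValueError("invalid cdsso-argument name %r" % cdsso_argument)
    if not clean:
        return uri
    parts = urlsplit(uri)
    if not parts.query:
        return uri
    # keep every other argument, in its original order, including empty values
    remaining = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k not in (cdsso_argument, REFERER_ARG)]
    # urlencode([]) is "", so a URI whose only arguments were CDSSO ones
    # comes back without a trailing "?"
    return urlunsplit(parts._replace(query=urlencode(remaining)))
```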

propagate-cdmf-errors

Syntax

propagate-cdmf-errors = {yes|no}

Description

Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.

Options

yes A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.

no A "no" value (default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.

Usage

This stanza entry is not required.

Default value

no

Example

propagate-cdmf-errors = no

use-utf8

Syntax

use-utf8 = {true|false}

Description

Use UTF-8 encoding for tokens used in cross domain single signon. Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. For more information about multi-locale support with UTF-8, see the IBM Security Access Manager: WebSEAL Administration Guide.

Options

true When this stanza entry is set to true, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This configuration enables tokens to be used across different code pages (such as for a different language).

false For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to false.


Usage

This stanza entry is required.

Default value

true

Example

use-utf8 = true

[cdsso-incoming-attributes] stanza

attribute_pattern

Use the attribute_pattern stanza entry to control the attributes that WebSEAL accepts from the incoming CDSSO authentication token.

Syntax

attribute_pattern = {preserve|refresh}

Description

Attributes to accept from incoming CDSSO authentication tokens.

The attributes typically match those attributes declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.

The attribute_pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

The order of attribute_pattern entries is important. WebSEAL uses the first entry that matches the attribute. Other entries are ignored.

Options

preserve

Attributes matching a preserve entry, or matching none of the entries, are kept. If no entries are configured, then all attributes are kept.

refresh

Attributes in CDSSO authentication tokens that match a refresh entry are removed from the token. These attributes are removed before the CDMF library is called to map the remote user into the local domain.

Usage

This stanza entry is optional.

Default value

None.

Example

my_cred_attr1 = preserve

[cdsso-peers] stanza

fully_qualified_hostname

Syntax

fully_qualified_hostname = key_file

Description

List of peer servers that are participating in cross-domain single sign-on.

Options

key_file

The location of the server's key file.

Usage

This stanza entry is optional.

Default value

None.

Example

webhost2.ibm.com = /tmp/cdsso.key

[cdsso-token-attributes] stanza

<default>

Syntax

<default> = pattern1
[<default> = pattern2]
...
[<default> = patternN]

Description

Credential attributes to include in CDSSO authentication tokens.

When WebSEAL cannot find a domain_name entry to match the domain, the entries in <default> are used. The word <default> is a key word and must not be modified.

Options

pattern The value for each <default> entry can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

Usage

This stanza entry is optional.

Default value

None.

Example

<default> = my_cdas_attr_*

domain_name

Syntax

domain_name = pattern1
[domain_name = pattern2]
...
[domain_name = patternN]

Description

Credential attributes to include in CDSSO authentication tokens.

Options

domain_name

The domain_name specifies the destination domain containing the server that will consume the token.

pattern The value for each domain_name entry can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

Usage

This stanza entry is optional.

Default value

None.

Example

example1.com = my_cdas_attr_*
example1.com = some_exact_attribute

[certificate] stanza

accept-client-certs

Use the accept-client-certs stanza entry to control how WebSEAL handles client certificates from HTTPS clients.

Syntax

accept-client-certs = {never|required|optional|prompt_as_needed}

Description

Specifies how to handle certificates from HTTPS clients.

When certificate authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

never Never request a client certificate.

required

Always request a client certificate. Do not accept the connection if the client does not present a certificate. When this value is set to required, all other authentication settings are ignored for HTTPS clients.

optional

Always request a client certificate. If presented, use it.

prompt_as_needed

Do not prompt for a client certificate until the client attempts to access a resource that requires certificate authentication.

Note: When this value is set, ensure that the ssl-id-sessions stanza entry in the [session] stanza is set to no.

Usage

This stanza entry is required.

Default value

never

Example

accept-client-certs = never

cert-cache-max-entries

Syntax

cert-cache-max-entries = number_of_entries

Description

Maximum number of concurrent entries in the Certificate SSL ID cache.

Options

number_of_entries

There is no absolute maximum size for the cache. However, the size of the cache cannot exceed the size of the SSL ID cache. A maximum size of 0 allows an unlimited cache size.

Usage

This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.

Default value

1024

Example

cert-cache-max-entries = 1024

cert-cache-timeout

Syntax

cert-cache-timeout = number_of_seconds

Description

Maximum lifetime, in seconds, for an entry in the Certificate SSL ID cache.

Options

number_of_seconds

The minimum value is zero (0). A value of zero means that when the cache is full, the entries are cleared based on a Least Recently Used algorithm.

Usage

This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.

Default value

120

Example

cert-cache-timeout = 120

cert-prompt-max-tries

Syntax

cert-prompt-max-tries = number_of_tries

Description

During certificate authentication, WebSEAL prompts the browser to present the client's certificate. The SSL certificate negotiation process requires that the browser open and use a new (not existing) TCP connection.

Browsers typically maintain several open TCP connections to a given server. When WebSEAL tries to prompt the browser for a certificate, the browser often tries to reuse an existing TCP connection instead of opening a new TCP connection. Therefore, the prompting process must be retried. WebSEAL might need to prompt for a certificate several times before the browser opens a new TCP connection and allows the prompting process to succeed.

This configuration option controls how many times WebSEAL attempts to begin the SSL certificate negotiation process with the browser before assuming the client cannot provide a certificate.

Options

number_of_tries

Set the value to 5 because most browsers maintain a maximum of four TCP connections to a Web server. As each attempt by the browser to process the certificate prompt on an existing TCP connection fails, that TCP connection is closed. On the fifth attempt, with all TCP connections closed, the browser's only option is to open a new TCP connection.

If the value is set to less than 5, intermittent failures of certificate authentication might occur because the browser reuses existing TCP connections instead of opening a new TCP connection. These failures are more likely to occur in environments where login or other pages contain images that browsers access immediately before triggering the certificate prompts.

Values less than 2 or greater than 15 are not permitted.

This value is not used unless accept-client-certs = prompt_as_needed.

Usage

This stanza entry is required.

Default value

5

Example

cert-prompt-max-tries = 5

disable-cert-login-page

Syntax

disable-cert-login-page = {yes|no}

Description

Determines whether the initial login page with an option to prompt for a certificate is presented, or whether WebSEAL bypasses the page and directly prompts for the certificate.

Options

yes The initial login page with an option to prompt for a certificate is not presented; instead, WebSEAL bypasses this page and directly prompts for the certificate.

no The initial login page with an option to prompt for a certificate is presented.

Usage

This stanza entry is required.

Default value

no

Example

disable-cert-login-page = no

eai-data

Syntax

eai-data = data:header_name

Description

The client certificate data elements that will be passed to the EAI application. Multiple pieces of client certificate data can be passed to the EAI application by including multiple eai-data configuration entries.

Options

header_name

Used to indicate the name of the HTTP header which will contain the data.

data Used to indicate the data that will be included in the header. It should be one of the following:

• Base64Certificate
• SerialNumber
• SubjectCN
• SubjectLocality
• SubjectState
• SubjectCountry
• SubjectOrganization
• SubjectOrganizationalUnit
• SubjectDN
• SubjectPostalCode
• SubjectEmail
• SubjectUniqueID
• IssuerCN
• IssuerLocality
• IssuerState
• IssuerCountry
• IssuerOrganization
• IssuerOrganizationUnit
• IssuerDN
• IssuerPostalCode
• IssuerEmail
• IssuerUniqueID
• Version
• SignatureAlgorithm
• ValidFrom
• ValidFromEx
• ValidTo
• ValidToEx
• PublicKeyAlgorithm
• PublicKey
• PublicKeySize
• FingerprintAlgorithm
• Fingerprint

Usage

This stanza entry is required for EAI based client certificate authentication.

Default value

no

Example

eai-data = SubjectCN:eai-cn
eai-data = SubjectDN:eai-dn

eai-uri

Syntax

eai-uri = uri

Description

The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server. If this configuration entry is not defined, the standard CDAS authentication mechanism will be used to handle the authentication.

Options

uri The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server.

Usage

This stanza entry is required for EAI based client certificate authentication.

Default value

no

Example

eai-uri = /jct/cgi-bin/eaitest/eaitest.pl

[cert-map-authn] stanza

debug-level

Syntax

debug-level = level

Description

Controls the trace level for the authentication module.

Options

level Specifies the initial trace level, with 1 designating a minimal amount of tracing and 9 designating the maximum amount of tracing.

Note: You can also use the Security Access Manager pdadmin trace commands to modify the trace level by using the trace component name of pd.cas.certmap. This trace component is only available after the first HTTP request is processed.

Usage

This stanza entry is optional.

Default value

0

Note: A debug level of 0 results in no tracing output.

Example

debug-level = 5

rules-file

Syntax

rules-file = file-path

Description

Fully qualified path to the rules file that the CDAS can use for certificate mapping.

Options

file-path

Fully qualified path to the rules file for the certificate mapping CDAS.

Usage

This stanza entry is required.

Default value

None.

Example

rules-file = /opt/pdwebrte/etc/cert-rules.txt

[cfg-db-cmd:entries] stanza

stanza::entry

Syntax

stanza::entry = {include|exclude}

Description

Specifies the configuration entries that will be imported or exported from the configuration database using the cfgdb server task commands. Each configuration entry is checked sequentially against each item in the [cfg-db-cmd:entries] stanza until a match is found. This first match then controls whether the configuration entry is included in, or excluded from, the configuration database. If no match is found, the configuration entry is excluded from the configuration database.

Syntax

entry This field defines the stanza entry to be included or excluded. It may contain any pattern matching characters.

stanza This field defines the stanza containing the data entry to be included or excluded. It may contain any pattern matching characters.

Options

include

Include the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.

exclude

Exclude the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.

Usage

This stanza entry is not required.

Default value

WebSEAL uses the values configured in the WebSEAL configuration file. See the WebSEAL configuration file template for the default entries.

Example

server::unix-root = include
ldap::* = exclude
*::* = include
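The first-match rules for attribute_pattern in [cdsso-incoming-attributes] and for stanza::entry in this [cfg-db-cmd:entries] stanza share one mechanism: walk the entries in file order and let the first matching Security Access Manager wildcard pattern decide. The Python below is an added illustration, not IBM code; the glob-style reading of the wildcard characters and the sample stanzas are assumptions.

```python
import re


def sam_pattern_to_regex(pattern):
    """Translate a Security Access Manager wildcard pattern into an anchored regex.

    The page lists the wildcard characters *, [], ^, \\ and ?.  The glob-style
    reading used here (* any run, ? one character, [...] a class, ^ negating a
    class, \\ escaping the next character) is an assumption, not taken from the page.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # escaped literal character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j != -1 else ""
            if body in ("", "^"):                   # empty or unbalanced class: literal "["
                out.append(re.escape(c))
            else:
                negate = body.startswith("^")
                if negate:
                    body = body[1:]
                body = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
                out.append("[" + ("^" if negate else "") + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def parse_stanza(text):
    """Return the (key, value) pairs of one stanza in file order; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def filter_incoming_attributes(entries, attributes):
    """[cdsso-incoming-attributes]: the first entry whose pattern matches the attribute
    name decides; 'refresh' drops it, 'preserve' or no matching entry keeps it."""
    compiled = [(sam_pattern_to_regex(p), action) for p, action in entries]
    kept = {}
    for name, value in attributes.items():
        action = "preserve"
        for rx, entry_action in compiled:
            if rx.match(name):
                action = entry_action
                break
        if action == "preserve":
            kept[name] = value
    return kept


def cfgdb_includes(entries, stanza, entry):
    """[cfg-db-cmd:entries]: the first 'stanza::entry' pattern that matches decides
    include/exclude; when nothing matches the entry is excluded."""
    for pattern, action in entries:
        stanza_pat, _, entry_pat = pattern.partition("::")
        if (sam_pattern_to_regex(stanza_pat).match(stanza)
                and sam_pattern_to_regex(entry_pat).match(entry)):
            return action == "include"
    return False


# Constructed sample stanzas (not from a real webseald.conf).  Order matters:
# my_cred_attr1 survives only because its preserve entry precedes the refresh wildcard.
INCOMING_ATTRIBUTES = """
my_cred_attr1 = preserve
my_cred_attr* = refresh
tagvalue_[^a]* = refresh
"""

CFG_DB_ENTRIES = """
server::unix-root = include
ldap::* = exclude
cluster::* = exclude
*::* = include
"""

if __name__ == "__main__":
    token = {"my_cred_attr1": "x", "my_cred_attr2": "y",
             "tagvalue_bank": "z", "tagvalue_aaa": "w", "other": "v"}
    print(filter_incoming_attributes(parse_stanza(INCOMING_ATTRIBUTES), token))
    for stanza, entry in [("server", "unix-root"), ("ldap", "bind-pwd"),
                          ("cluster", "is-master"), ("junction", "jmt-map")]:
        print(stanza, entry, cfgdb_includes(parse_stanza(CFG_DB_ENTRIES), stanza, entry))
```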

[cfg-db-cmd:files] stanza

files

Syntax

Either:

files = cfg(stanza::entry)

Or:

files = file_name

Description

Defines the files that will be included (that is, imported or exported) in the configuration database using the cfgdb server task commands.

Options

stanza This field specifies the name of the stanza that contains the entry with the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.

entry This field specifies the stanza entry that contains the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.

file_name

The name of a file, which must be relative to:

• the WebSEAL instance root (as defined by the server-root configuration entry), or
• the WebSEAL installation root, or
• the file system root.

Usage

This stanza entry is not required.

Default value

file = cfg(ssl::webseal-cert-keyfile)
file = cfg(ssl::webseal-cert-keyfile-stash)
file = cfg(junction::jmt-map)
file = cfg(server::dynurl-map)

Example

file = /opt/pdwebrte/etc/cert-rules.txt
file = www-default/lib/jmt.conf
file = cfg(junction::jmt-map)

[cgi] stanza

cgi-timeout

Syntax

cgi-timeout = number_of_seconds

Description

Integer value indicating the timeout, in seconds, for writing to and reading from child CGI processes. This setting does not apply to Windows systems.

Options

number_of_seconds

Integer value indicating the timeout, in seconds, for writing to and reading from child CGI processes. The minimum value is 0, which disables the timeout. Disabling the timeout is not recommended. WebSEAL imposes no maximum value.

Usage

This stanza entry is required.

Default value

120

Example

cgi-timeout = 120

[cgi-environment-variables] stanza

ENV

Syntax

ENV = environment_variable

Description

List containing system environment variables that need to be exported to CGI applications. The administrator can add variables to this list, as needed by specific applications. Entries must be valid environment variable names.

Options

environment_variable

System environment variable that needs to be exported to CGI applications.

Usage

These entries are optional.

Default value

The following entries are provided in the default WebSEAL configuration file:

ENV = SystemRoot
ENV = PATH
ENV = LANG
ENV = LC_ALL
ENV = LC_CTYPE
ENV = LC_MESSAGES
ENV = LOCPATH
ENV = NLSPATH

The default WebSEAL configuration file provides one inactive (commented out) variable:

#ENV = SystemDrive

Example

ENV = PATH

[cgi-types] stanza

file_extension

Syntax

file_extension = command

Description

This stanza contains entries that map CGI file extensions to Windows commands. On Windows servers, CGI files that have an extension that is not in this list are not executed, with the exception of files with the .EXE extension.

Options

command

Windows command.

Usage

This stanza entry is optional.

Default value

This stanza is used on Windows servers only. There are no default entries.

The WebSEAL configuration file contains by default a number of entries that are commented out (inactive).

Administrators can add additional entries. Additional entries must consist of ASCII characters.

Example

Examples of uncommented WebSEAL configuration file entries:

bat = cmd
cmd = cmd
pl = perl
sh = sh
tcl = tclsh76

[cluster] stanza

Notes:

• It is vital that this configuration stanza is not included in the configuration database. The cluster::* = exclude configuration entry in the [cfg-db-cmd:entries] stanza ensures this exclusion.

• In addition to the configuration entries listed here, a config-version entry is added at run time in a clustered environment. This configuration entry contains version information about the current configuration. Do NOT manually edit this version information.

• All cluster members must be the same server type. You can cluster either:
  – WebSEAL servers that are running on Web Gateway appliances.
  – WebSEAL servers that are running on standard operating systems.

is-master

Syntax

is-master = {yes|no}

Description

Is this server the master for the WebSEAL cluster? You need to have a single master for each cluster. Any modifications to the configuration of a cluster must be made on the master.

Options

yes

This server is the master for the WebSEAL cluster.

no This server is not the master for the WebSEAL cluster. The name of the master server must be specified in the master-name configuration entry that is also in the [cluster] stanza.

Usage

This stanza entry is required in a clustered environment. This stanza entry is not required for a single server environment.

Default value

There is no default value.

Example

is-master = no

master-name

Syntax

master-name = azn-name

Description

Defines the authorization server name of the master for the WebSEAL cluster.

Options

azn-name

The authorization server name of the master.

Usage

This stanza entry is required if the value for is-master (also in the [cluster] stanza) is set to no. If the is-master entry is set to yes, WebSEAL ignores this master-name entry.

Default value

There is no default value.

Example

master-name = default-webseald-master.ibm.com

max-wait-time

Syntax

max-wait-time = number

Description

Specifies the maximum amount of time to wait, in seconds, for a slave server to be restarted. This configuration entry is only applicable to the master server.

Options

number

The maximum number of seconds to wait for a slave server to be restarted.

Usage

This configuration entry is required if is-master (also in the [cluster] stanza) is set to yes.

Default value

60

Example

max-wait-time = 60

[compress-mime-types] stanza

mime_type

Syntax

mime_type = minimum_doc_size:[compression_level]

Description

Enables or disables HTTP compression based on the mime-type of the response and the size of the returned document.

Options

mime_type

The mime_type can contain a wild card pattern such as an asterisk ( * ) for the subtype, or it can be "*/*" to match all mime-types.

minimum_doc_size

The minimum_doc_size is an integer that can be positive, negative or zero. A size of -1 means do not compress this mime-type. A size of 0 means to compress the document regardless of its size. A size greater than 0 means to compress the document only when its initial size is greater than or equal to minimum_doc_size.

compression_level

The compression_level is an integer value between 1 and 9. The larger number results in a higher amount of compression. When compression_level is not specified, a default level of 1 is used.

Usage

This stanza entry is optional.

Default value

*/* = -1

Example

image/* = -1
text/html = 1000

[compress-user-agents] stanza

pattern

Syntax

pattern = {yes|no}

Description

Enables or disables HTTP compression based on the user-agent header sent by clients. This entry is used to disable compression for clients which send an "accept-encoding: gzip" HTTP header but do not actually handle gzip content-encodings properly. An example of a user agent is a browser, such as Microsoft Internet Explorer 6.0.

Options

yes Enables HTTP compression based on the user-agent header sent by clients.

no Disables HTTP compression based on the user-agent header sent by clients.

Usage

This stanza entry is optional.

Default value

None.

Example

*MSIE 6.0* = yes
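The following Python is an added illustration (not IBM code) of the decision that the [compress-mime-types] and [compress-user-agents] entries describe: parse both stanzas, then decide for one response whether to compress and at which level. The sample configuration, the Accept-Encoding check, and the rule that a more specific mime pattern beats a wildcard are assumptions not stated on the page.

```python
from fnmatch import fnmatchcase


def parse_compress_mime_types(text):
    """Parse [compress-mime-types] lines: mime_type = minimum_doc_size:[compression_level].
    Per the page, a missing compression_level means 1 and levels run from 1 to 9."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mime, _, spec = line.partition("=")
        size_text, _, level_text = spec.strip().partition(":")
        level = int(level_text) if level_text else 1
        if not 1 <= level <= 9:
            raise ValueError("compression_level outside 1..9: " + line)
        rules.append((mime.strip().lower(), int(size_text), level))
    return rules


def parse_compress_user_agents(text):
    """Parse [compress-user-agents] lines: pattern = {yes|no}."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, value = line.partition("=")
        rules.append((pattern.strip(), value.strip().lower() == "yes"))
    return rules


def _specificity(mime_pattern):
    # Assumption: an exact type beats type/*, which beats */*.  The page does not
    # say which entry wins when several patterns match the same response.
    return 2 - mime_pattern.count("*")


def compression_decision(mime_rules, ua_rules, content_type, doc_size,
                         user_agent, accept_encoding):
    """Return (compress, level) for one response.

    Compression requires a client that advertises gzip, no matching user-agent
    rule that says 'no', and a mime rule whose minimum_doc_size admits the document."""
    encodings = [e.split(";")[0].strip().lower() for e in accept_encoding.split(",")]
    if "gzip" not in encodings:
        return (False, None)
    for pattern, allowed in ua_rules:            # first matching user-agent rule decides
        if fnmatchcase(user_agent, pattern):
            if not allowed:
                return (False, None)
            break
    media_type = content_type.split(";")[0].strip().lower()
    candidates = [r for r in mime_rules if fnmatchcase(media_type, r[0])]
    if not candidates:
        return (False, None)
    _, min_size, level = max(candidates, key=lambda r: _specificity(r[0]))
    if min_size < 0:                             # page: -1 means never compress this type
        return (False, None)
    if min_size == 0 or doc_size >= min_size:    # 0: always; > 0: size threshold
        return (True, level)
    return (False, None)


# Constructed sample configuration (not from a real webseald.conf).  The user-agent
# entry is 'no' to show the broken-gzip-client case the page describes; the page's
# own example line uses 'yes'.
COMPRESS_MIME_TYPES = """
*/* = -1
image/* = -1
text/html = 1000
text/* = 500:6
"""

COMPRESS_USER_AGENTS = """
*MSIE 6.0* = no
"""

if __name__ == "__main__":
    mime_rules = parse_compress_mime_types(COMPRESS_MIME_TYPES)
    ua_rules = parse_compress_user_agents(COMPRESS_USER_AGENTS)
    print(compression_decision(mime_rules, ua_rules, "text/html; charset=utf-8",
                               1500, "Mozilla/5.0 (X11; Linux)", "gzip, deflate"))
```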

[content] stanza

delete-trash-dir

Syntax

delete-trash-dir = fully_qualified_path

Description

Path name to a directory to which files removed by the DELETE method are moved. Files are held there until an administrator removes them.

This key does not apply to empty directories, which are always deleted.

This key is inactive (commented out in the configuration file) by default. When the key is inactive, files removed by the DELETE method are immediately removed from the file system.

Options

fully_qualified_path

Path name to a directory to which files removed by the DELETE method are moved.

Usage

This stanza entry is optional.

Default value

None.

Example

delete-trash-dir = /tmp/trashdir

directory-index

Syntax

directory-index = filename

Description

Name of a directory index file. When a request is made for a directory located on the local WebSEAL server, WebSEAL looks for this file before attempting a directory listing.

Options

filename

Name of a directory index file.

Usage

This stanza entry is required.

Default value

index.html

Example

directory-index = index.html

doc-root

Syntax

doc-root = fully_qualified_path

Description

Root directory of the WebSEAL document tree.

Options

fully_qualified_path

The administrator can either accept the default value of www/docs or specify an alternate location.

When the administrator accepts the default value, the WebSEAL configuration appends the default value onto the WebSEAL installation directory. Thus the default fully_qualified_path is WebSEAL_installation_directory/www/docs.

When the administrator changes this value during configuration, the administrator must specify a fully qualified path. In this case, WebSEAL does not append the entry to the WebSEAL installation directory, and the doc-root entry matches the administrator's input.

Usage

This stanza entry is required.

Default value

WebSEAL_installation_directory/www/docs

Example

doc-root = C:/Program Files/Tivoli/PDWeb/www/docs

error-dir

Syntax

error-dir = relative_directory

Description

Directory where HTML error pages are located. The directory is relative to the directory specified by the server-root entry. When WebSEAL needs to access the error pages, it automatically appends the name of the locale-specific directory.

Options

relative_directory

Directory where HTML error pages are located. For example:

/opt/pdweb/www-webseal1/lib/errors/C

The error-dir entry specifies only the portion of the path shown in the example above as lib/errors.

Usage

This stanza entry is required.

Default value

lib/errors

Example

error-dir = lib/errors

user-dir

Syntax

user-dir = filename

Description

Directory in users' home directories that contains public HTML documents.

Options

filename

Directory in users' home directories that contains public HTML documents.

Usage

This stanza entry is required.

Default value

public_html

Example

user-dir = public_html

utf8-template-macros-enabled

Syntax

utf8-template-macros-enabled = {yes|no}

Description

Specifies how standard WebSEAL HTML files, such as login.html, have data inserted into them when %MACRO% strings are encountered.

This entry affects files in the directories specified by the error-dir and mgt-pages-root (in the [acnt-mgt] stanza) configuration file entries.

WebSEAL HTML pages use a UTF-8 character set by default. If you modify the character set to specify the local code page, set this entry to no.

Options

yes When set to yes, data is inserted in UTF-8 format.

no When set to no, data is inserted in the local code page format.

Usage

This stanza entry is required.

Default value

yes

Example

utf8-template-macros-enabled = yes

[content-cache] stanza

MIME_type

Syntax

MIME_type = cache_type:cache_size:maximum_age

Description

List of entries that define the caches which WebSEAL uses to store documents in memory.

Options

MIME_type

Any valid MIME type conveyed in an HTTP Content-Type: response header. This value may contain an asterisk to denote a wildcard ( * ). A value of */* represents a default object cache that holds any object that does not correspond to an explicitly configured cache.

cache_type

Defines the type of backing store to use for the cache. Only memory caches are supported.

cache_size

The maximum size, in kilobytes, to which the cache grows before objects are removed according to a least-recently-used algorithm. The minimum allowable value is 1 kilobyte. WebSEAL reports an error and fails to start if the value is less than or equal to zero (0). WebSEAL does not impose a maximum allowable value.

def-max-age

Specifies the maximum age (in seconds) if expiry information is missing from the original response. If no value is provided, a default maximum age of 3600 (one hour) will be applied. The configured default maximum age is only used when the cached response is missing the cache control headers: Cache-Control, Expires, and Last-Modified.

Note: If only Last-Modified is present, the maximum age will be calculated as ten percent of the difference between the current time and the last-modified time.

Usage

This stanza entry is optional.

Default value

None.

Example

text/html = memory:2000:3600
# image/* = memory:5000:3600
# */* = memory:1000:3600
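As an added illustration (not IBM code), the Python below parses a [content-cache] entry with the validation rules given above and derives the freshness lifetime of a cached response, including the page's ten-percent rule for a response that carries only Last-Modified. The handling of Cache-Control and Expires follows standard HTTP and is an assumption; the sample headers and clock are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DEFAULT_MAX_AGE = 3600   # page: one hour when no maximum_age is configured

# Constructed clock for the examples below, so results are reproducible offline.
SAMPLE_NOW = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_content_cache_entry(line):
    """Parse one [content-cache] line: MIME_type = cache_type:cache_size:maximum_age.

    Applies the page's rules: only memory caches, cache_size of at least 1 KB
    (WebSEAL refuses to start otherwise), and maximum_age defaulting to 3600."""
    mime, _, spec = line.partition("=")
    parts = spec.strip().split(":")
    if len(parts) < 2:
        raise ValueError("expected cache_type:cache_size[:maximum_age]: " + line)
    cache_type, size_text = parts[0], parts[1]
    if cache_type != "memory":
        raise ValueError("only memory caches are supported: " + line)
    cache_size = int(size_text)
    if cache_size <= 0:
        raise ValueError("cache_size must be at least 1 kilobyte: " + line)
    max_age = int(parts[2]) if len(parts) > 2 and parts[2] else DEFAULT_MAX_AGE
    return {"mime": mime.strip(), "type": cache_type,
            "size_kb": cache_size, "def_max_age": max_age}


def _cache_control_max_age(value):
    """Return the max-age directive of a Cache-Control header, or None."""
    for directive in value.split(","):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return None


def freshness_lifetime(headers, now, def_max_age):
    """Seconds for which the cached response may be served, given its headers.

    Cache-Control max-age and Expires are honoured as in standard HTTP (an
    assumption: the page only says def_max_age is not used when those headers
    are present).  The Last-Modified-only rule (ten percent of the time since
    modification) and the fall-back to def_max_age are the page's own."""
    h = {k.lower(): v for k, v in headers.items()}
    if "cache-control" in h:
        max_age = _cache_control_max_age(h["cache-control"])
        if max_age is not None:
            return max_age
    if "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        return max(0, int((expires - now).total_seconds()))
    if "last-modified" in h:
        last_modified = parsedate_to_datetime(h["last-modified"])
        return max(0, int((now - last_modified).total_seconds()) // 10)
    return def_max_age


if __name__ == "__main__":
    entry = parse_content_cache_entry("text/html = memory:2000:3600")
    # Constructed response headers: modified ten hours ago, no other cache headers.
    print(freshness_lifetime({"Last-Modified": "Sat, 01 Jun 2013 02:00:00 GMT"},
                             SAMPLE_NOW, entry["def_max_age"]))
```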

[content-encodings] stanza

extension

Syntax

extension = encoding_type

Description

Entries in this stanza map a document extension to an encoding type. This mapping is used by WebSEAL to report the correct MIME type in its response content-type header for local junction files. This mapping is necessary so that WebSEAL can communicate to a browser that encoded (binary) data is being returned.

The MIME types defined in this stanza must also be defined in [content-mime-types].

When WebSEAL encounters a document with two extensions, such as .txt.Z, it produces two headers:

content-type: text/plain
content-encoding: x-compress

Thus even though the data is compressed, the response to the browser says text/plain. However, the extra content-encoding header tells the browser that the data is compressed text/plain.

In most cases, the administrator does not need to add additional entries. However, if the administrator introduces a new extension type that requires more than a text/plain response, the extension and encoding_type should be added to this stanza.

Options

encoding_type

Encoding type.

Usage

This stanza entry is required.

Default value

gz = x-gzip
Z = x-compress

Example

gz = x-gzip
Z = x-compress
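An added illustration (not IBM code) of how the [content-encodings] and [content-mime-types] mappings combine for a local file name such as readme.txt.Z. It assumes that a name with a single extension is resolved through [content-mime-types] alone; the mapping subset and the file names are constructed.

```python
# Subset of the page's [content-mime-types] defaults plus its deftype, and the
# page's [content-encodings] defaults.  Lookups are case-sensitive, which is why
# the page lists exe and EXE as separate entries.
CONTENT_MIME_TYPES = {
    "html": "text/html", "htm": "text/html", "txt": "text/plain",
    "gif": "image/gif", "jpg": "image/jpeg", "pdf": "application/pdf",
    "tar": "application/x-tar", "Z": "application/octet-stream",
}
DEFTYPE = "text/plain"
CONTENT_ENCODINGS = {"gz": "x-gzip", "Z": "x-compress"}


def response_headers_for(path, mime_types=CONTENT_MIME_TYPES,
                         encodings=CONTENT_ENCODINGS, deftype=DEFTYPE):
    """Derive content-type and content-encoding for a local document name.

    With two extensions such as .txt.Z the page says both headers are sent: the
    last extension is looked up in [content-encodings] and the one before it in
    [content-mime-types].  With a single extension only [content-mime-types] is
    consulted (an assumption; the page maps a bare .Z to octet-stream there), and
    an extension that matches nothing falls back to deftype."""
    name = path.rsplit("/", 1)[-1]
    parts = name.split(".")
    headers = {}
    if len(parts) >= 3 and parts[-1] in encodings:
        headers["content-encoding"] = encodings[parts[-1]]
        ext = parts[-2]
    elif len(parts) >= 2:
        ext = parts[-1]
    else:
        ext = ""                                  # no extension at all
    headers["content-type"] = mime_types.get(ext, deftype)
    return headers


if __name__ == "__main__":
    # Constructed document names
    for doc in ("/docs/readme.txt.Z", "/docs/site.tar.gz", "/docs/blob.Z",
                "/docs/index.html", "/docs/notes"):
        print(doc, response_headers_for(doc))
```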

[content-index-icons] stanza

type

Syntax

type = relative_pathname

Description

Entries in this stanza specify icons to use in directory indices. The relative_pathname is the path name to the location of the icon.

Administrators can add additional entries. The type must refer to valid MIME types. The wildcard character (*) is limited to entries of one collection of MIME types. For example, image/*. No further wildcard expansion is done. For a list of MIME types, see the [content-mime-types] stanza.

The relative_pathname can be any valid URI within the WebSEAL protected objectspace, as defined in doc-root.

Options

type The type indicates a wildcard pattern for a collection of MIME types.

relative_pathname

The path name is relative to the WebSEAL protected object space, as set in the doc-root entry in the [content] stanza.

Usage

The entries in this stanza are optional.

Default value

The WebSEAL configuration file provides the following default entries:

image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif

Example

image/* = /icons/image2.gif

[content-mime-types] stanza

deftype

Syntax

deftype = MIME_type

Description

Default type to assign to pages that don't match any of the extension = MIME_type entries defined in this stanza.

Options

MIME_type

Default type to assign to pages that don't match any of the extension = MIME_type entries defined in this stanza.

Usage

This stanza entry is required.

Default value

text/plain

The administrator should not change this value.

Example

deftype = text/plain

extension

Syntax

extension = MIME_type

Description

This stanza defines the MIME type for specific document extensions. The stanza contains a list of extension = MIME_type pairs. Many common MIME types are defined by default. Administrators can add additional entries. Both extensions and MIME_types must be declared using the ASCII character set. The entry of invalid MIME types does not affect WebSEAL, but may cause difficulty for client browsers.

Options

extension
    The file name extension of documents of this MIME type.

MIME_type
    The corresponding MIME type.


Usage

The entries in this stanza are required.

Default value

The following MIME types are defined by default:
html = text/html
htm = text/html
gif = image/gif
jpeg = image/jpeg
ps = application/postscript
shtml = text/x-server-parsed-html
jpg = image/jpeg
jpe = image/jpeg
mpeg = video/mpeg
mpe = video/mpeg
mpg = video/mpeg
bin = application/octet-stream
exe = application/octet-stream
Z = application/octet-stream
EXE = application/octet-stream
dll = application/octet-stream
DLL = application/octet-stream
ivsrv = application/octet-stream
pdf = application/pdf
au = audio/basic
snd = audio/basic
aiff = audio/x-aiff
aifc = audio/x-aiff
aif = audio/x-aiff
wav = audio/x-wav
ai = application/postscript
eps = application/postscript
rtf = application/rtf
zip = application/zip
ief = image/ief
tiff = image/tiff
tif = image/tiff
ras = image/x-cmu-raster
pnm = image/x-portable-anymap
pbm = image/x-portable-bitmap
pgm = image/x-portable-graymap
ppm = image/x-portable-pixmap
rgb = image/x-rgb
xbm = image/x-xbitmap
xpm = image/x-xpixmap
xwd = image/x-xwindowdump
txt = text/plain
rtx = text/richtext
tsv = text/tab-separated-values
etx = text/x-setext
qt = video/quicktime
mov = video/quicktime
avi = video/x-msvideo
movie = video/x-sgi-movie
js = application/x-javascript
ls = application/x-javascript
mocha = application/x-javascript
wrl = x-world/x-vrml
dir = application/x-director
dxr = application/x-director
dcr = application/x-director
crt = application/x-x509-ca-cert
tar = application/x-tar


Example
zip = application/zip
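The following is an added illustration of how the two tables above fit together, written for this page and not part of the IBM product code: a document extension is mapped through the [content-mime-types] table (falling back to deftype), and the resulting MIME type is mapped through the [content-index-icons] table, where only the exact "type/subtype" form and the single "type/*" wildcard form are honoured. The tables are a constructed subset of the page's defaults; the rule that only the final extension is consulted is an assumption made for the example.

```python
from typing import Dict, Optional

# Constructed subset of the default extension = MIME_type table from the
# [content-mime-types] stanza. Lookups are exact and case-sensitive, which is
# why the defaults list both "exe" and "EXE": "Exe" falls through to deftype.
CONTENT_MIME_TYPES: Dict[str, str] = {
    "html": "text/html", "htm": "text/html",
    "gif": "image/gif", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "exe": "application/octet-stream", "EXE": "application/octet-stream",
    "tar": "application/x-tar", "zip": "application/zip",
    "txt": "text/plain", "pdf": "application/pdf",
}
DEFTYPE = "text/plain"   # the page's deftype default

# The page's default [content-index-icons] entries. A "type/*" wildcard covers
# one whole top-level type; an exact entry wins over the wildcard.
CONTENT_INDEX_ICONS: Dict[str, str] = {
    "image/*": "/icons/image2.gif",
    "video/*": "/icons/movie.gif",
    "audio/*": "/icons/sound2.gif",
    "text/html": "/icons/generic.gif",
    "text/*": "/icons/text.gif",
    "application/x-tar": "/icons/tar.gif",
    "application/*": "/icons/binary.gif",
}


def mime_type_for(path: str) -> str:
    """Map a document path to a MIME type: exact match on the final
    extension, otherwise deftype. (Assumption: only the last extension is
    considered, so "archive.tar.gz" is looked up as "gz".)"""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return DEFTYPE
    ext = name.rsplit(".", 1)[-1]
    return CONTENT_MIME_TYPES.get(ext, DEFTYPE)


def icon_for(mime: str) -> Optional[str]:
    """Directory-index icon for a MIME type: exact entry first, then the
    single "type/*" form. No other wildcard expansion is done."""
    if mime in CONTENT_INDEX_ICONS:
        return CONTENT_INDEX_ICONS[mime]
    major = mime.split("/", 1)[0]
    return CONTENT_INDEX_ICONS.get(major + "/*")


def valid_icon_pattern(pattern: str) -> bool:
    """Accept only the forms the stanza allows, "type/subtype" or "type/*",
    so that a typo such as "*/*" cannot silently match every MIME type."""
    if pattern.count("/") != 1:
        return False
    major, sub = pattern.split("/")
    if not major or "*" in major or not sub:
        return False
    return sub == "*" or "*" not in sub


def invalid_mime_types() -> Dict[str, str]:
    """Entries whose value is not of the form type/subtype. The page notes
    that such entries do not affect WebSEAL but can confuse client browsers,
    so they are worth catching at configuration time."""
    return {ext: mt for ext, mt in CONTENT_MIME_TYPES.items()
            if mt.count("/") != 1 or not all(mt.split("/"))}
```

Because the extension lookup is case-sensitive, a file named setup.Exe is served as text/plain under these defaults; add a matching entry rather than relying on deftype if that matters for your content.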

[credential-policy-attributes] stanza

policy-name

Syntax
policy-name = credential-attribute-name

Description

Controls which Access Manager policy values are stored in credentials during authentication.

Options

credential-attribute-name
    Credential attribute name.

Usage

This stanza entry is optional.

Default value

None.

Example
AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login

[credential-refresh-attributes] stanza

attribute_name_pattern

Use the attribute_name_pattern stanza entry to specify whether attributes are preserved or refreshed during a credential refresh.

Syntax
attribute_name_pattern = {preserve|refresh}

Description

Specifies whether an attribute, or group of attributes that match a pattern, are preserved or refreshed during a credential refresh.

Options

preserve
    Original attribute value is preserved in the new credential.

refresh
    Original attribute value is refreshed in the new credential.


Usage

This stanza entry is optional.

Default value

preserve

Example
tagvalue_* = preserve

authentication_level

Syntax
authentication_level = {preserve|refresh}

Description

Specifies whether the authentication level for the user should be preserved or refreshed during a credential refresh. The authentication level can reflect the results of an authentication strength policy (step-up authentication). In most cases, this level should be preserved during a credential refresh.

Options

preserve
    Original attribute value preserved in new credential.

refresh
    Original attribute value refreshed in new credential.

Usage

This stanza entry is required.

Default value

preserve

Example
authentication_level = preserve
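As an added illustration of the [credential-refresh-attributes] stanza (example code written for this page, not IBM's implementation), the following applies preserve/refresh rules to a credential the way the two entries above describe: patterns such as tagvalue_* are matched with shell-style wildcards, an attribute that matches no rule gets the default of preserve, and authentication_level = preserve means a refresh cannot quietly undo a step-up. The stanza contents, the AZN_CRED_GROUPS rule, the first-match rule order, and the handling of a refresh attribute that is missing from the fresh credential are assumptions made for the example.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed [credential-refresh-attributes] stanza, kept in file order.
# tagvalue_* and authentication_level are the page's own examples; the
# group-list attribute name is hypothetical.
REFRESH_RULES: List[Tuple[str, str]] = [
    ("authentication_level", "preserve"),
    ("tagvalue_*", "preserve"),
    ("AZN_CRED_GROUPS", "refresh"),
]
DEFAULT_ACTION = "preserve"   # the page's default for attributes that match no rule


def action_for(attr: str) -> str:
    """First matching pattern wins (assumption: rules are evaluated in file
    order); an attribute that matches nothing gets the default action."""
    for pattern, action in REFRESH_RULES:
        if fnmatch.fnmatchcase(attr, pattern):
            return action
    return DEFAULT_ACTION


def refresh_credential(old: Dict[str, str], fresh: Dict[str, str]) -> Dict[str, str]:
    """Build the post-refresh credential from the current credential and a
    freshly built one. "preserve" keeps the current value, "refresh" takes the
    fresh value. Attributes that exist only in the fresh credential are added;
    a "refresh" attribute missing from the fresh credential is dropped (assumption)."""
    result: Dict[str, str] = {}
    for attr, value in old.items():
        if action_for(attr) == "preserve":
            result[attr] = value
        elif attr in fresh:
            result[attr] = fresh[attr]
    for attr, value in fresh.items():
        result.setdefault(attr, value)
    return result


def step_up_survives(old: Dict[str, str], fresh: Dict[str, str]) -> bool:
    """True when a refresh cannot lower the user's authentication level.
    This is the property the page recommends protecting by keeping
    authentication_level = preserve."""
    new = refresh_credential(old, fresh)
    return int(new.get("authentication_level", "0")) >= int(old.get("authentication_level", "0"))
```

With these rules a user who has stepped up to level 2 keeps that level across a refresh even if the freshly built credential would carry level 1, while the group list is taken from the fresh credential so that group changes made in the registry take effect.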

[dsess] stanza

dsess-sess-id-pool-size

Syntax
dsess-sess-id-pool-size = number

Description

The maximum number of session IDs that are pre-allocated within the replica set.

Note: This option is used by the [dsess-cluster] stanza.


Options

number
    The maximum number of session IDs that are pre-allocated within the replica set.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

125

Example
dsess-sess-id-pool-size = 125

dsess-cluster-name

Syntax
dsess-cluster-name = SMS cluster name

Description

Specifies the name of the SMS cluster to which this SMS server belongs.

Options

SMS cluster name
    The name of the SMS cluster to which this SMS server belongs. This field must be defined and reference an existing [dsess-cluster] stanza qualified by the value of this entry.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

dsess

Example
dsess-cluster-name = dsess

[dsess-cluster] stanza

basic-auth-user

Syntax
basic-auth-user = user_name


Description

Specifies the name of the user that is included in the basic authentication header.

Options

user_name
    The user name to be included in the basic authentication header.

Usage

This stanza entry is optional.

Default value

None

Example
basic-auth-user = user_name

basic-auth-passwd

Syntax
basic-auth-passwd = password

Description

Specifies the password that is included in the basic authentication header when WebSEAL connects to the SMS. The password is stored in clear text in the WebSEAL configuration file, so restrict read access to that file to the WebSEAL process owner and administrators, and use HTTPS server URLs so that the header is not sent in clear over the network.

Options

password
    The password to be included in the basic authentication header.

Usage

This stanza entry is optional.

Default value

None

Example
basic-auth-passwd = password

gsk-attr-name

Syntax
gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with the Session Management Server (SMS). A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.


Options

{enum | string | number}
    The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.

Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:
GSK_KEYRING_FILE
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_CIPHER_V2
GSK_V3_CIPHER_SPECS
GSK_PROTOCOL_TLSV1
GSK_FIPS_MODE_PROCESSING

If you attempt to modify any of these attributes then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
gsk-attr-name = string:225:proxy.ibm.com

See also

“gsk-attr-name” on page 311
“jct-gsk-attr-name” on page 314
“gsk-attr-name” on page 344

handle-idle-timeout

Syntax
handle-idle-timeout = number

Description

Limits the length of time that a handle remains idle before it is removed from the handle pool cache.

Options

number
    The length of time, in seconds, before an idle handle will be removed from the handle pool cache.


Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

240

Example
handle-idle-timeout = 240

handle-pool-size

Syntax
handle-pool-size = number

Description

The maximum number of idle Simple Object Access Protocol (SOAP) handles that the dsess client will maintain at any given time.

Options

number
    The maximum number of idle SOAP handles that the dsess client will maintain at any given time.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

10

Example
handle-pool-size = 10

response-by

Syntax
response-by = seconds

Description

The length of time (in seconds) that the dsess client will block to wait for updates from the Session Management Server (SMS).


Options

seconds
    The length of time (in seconds) that the dsess client will block to wait for updates from the SMS.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

60

Example
response-by = 60

server

Syntax
server = {[0-9],}<URL>

Description

Specifies a priority level and URL for each SMS server that is a member of this cluster. Multiple server entries can be specified for a given cluster.

Options

0-9
    A digit, 0-9, that represents the priority of the server within the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.

Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

URL A well-formed HTTP or HTTPS uniform resource locator for the server.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

This entry is disabled by default.

Example
server = 9,http://sms.example.com/DSess/services/DSess
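As an added illustration (example code written for this page, not IBM's own), the following parses server entries in the {[0-9],}<URL> form described above, applies the default priority of 9 when the digit is omitted, rejects the malformed "9, http://..." form that the note warns about, orders members by priority, and reports whether any member uses HTTPS, which is the condition under which the ssl-keyfile entries later in this stanza become relevant. The host names are constructed; the tie-break between equal priorities is an assumption.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit


class SmsServer(NamedTuple):
    priority: int
    url: str


# "<digit>,<URL>" with nothing between the comma and the URL, or a bare URL.
_SERVER_RE = re.compile(r"^(?:([0-9]),)?(https?://\S+)$")


def parse_server_entry(value: str) -> SmsServer:
    """Parse one [dsess-cluster] server entry as the page describes it.
    A missing priority means 9. A space after the comma, a non-HTTP scheme,
    or a URL without a host raises ValueError."""
    m = _SERVER_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed server entry: {value!r}")
    prio, url = m.groups()
    if not urlsplit(url).netloc:
        raise ValueError(f"server URL has no host: {url!r}")
    return SmsServer(9 if prio is None else int(prio), url)


def is_valid_server_entry(value: str) -> bool:
    """Configuration-time check for a single server entry."""
    try:
        parse_server_entry(value)
        return True
    except ValueError:
        return False


def order_by_priority(entries: List[str]) -> List[SmsServer]:
    """Highest priority first. Equal priorities keep their file order
    (assumption: WebSEAL does not reorder equal-priority members)."""
    return sorted((parse_server_entry(e) for e in entries), key=lambda s: -s.priority)


def needs_client_keyfile(servers: List[SmsServer]) -> bool:
    """ssl-keyfile, ssl-keyfile-label and ssl-keyfile-stash only matter when at
    least one member is reached over HTTPS; a plain-HTTP-only cluster does not
    need them (but then carries session data in clear, which is its own risk)."""
    return any(urlsplit(s.url).scheme == "https" for s in servers)
```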


ssl-fips-enabled

Syntax
ssl-fips-enabled = {yes|no}

Description

Determines whether Federal Information Processing Standards (FIPS) mode is enabled for connections to the session management server. If no configuration entry is present, the global setting, as determined by the ssl-fips-enabled entry in the [ssl] stanza of the policy server, takes effect. When this entry is set to "yes", or it is absent and the policy server setting is "yes", Transport Layer Security version 1 (TLSv1) is the secure communication protocol used. When set to "no", or absent and the policy server setting is "no", SSL version 3 (SSLv3) is the secure communication protocol used. SSLv3 has known protocol weaknesses and has been deprecated by the IETF, so leave FIPS mode enabled unless a peer that supports only SSLv3 must be accommodated.

Options

yes Indicates that TLSv1 is the secure communication protocol.

no Indicates that SSLv3 is the secure communication protocol.

Usage

This stanza entry is optional.

Default value

None.

If a different FIPS level than that of the policy server is required, it is the responsibility of the administrator to edit the configuration file, uncomment the stanza entry, and specify this value.

Example
ssl-fips-enabled = yes

ssl-keyfile

Syntax
ssl-keyfile = fully_qualified_path

Description

The name of the key database file, which houses the client certificate to be used.

Options

fully_qualified_path
    The path to the key database file that houses the client certificate for WebSEAL to use.

Usage

This stanza entry is only required if one or more of the cluster server URLs specified in the server entries uses SSL (that is, contains an HTTPS protocol specification in the URL). If no cluster server uses the HTTPS protocol, this entry is not required. If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza. As with the other entries in this stanza, it applies only when:
[session]
dsess-enabled = yes

Default value

None.

Example
ssl-keyfile = fully_qualified_path

ssl-keyfile-label

Syntax
ssl-keyfile-label = label_name

Description

The label of the client certificate within the key database.

Options

label_name
    Client certificate label name.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.

Default value

None.

Example
ssl-keyfile-label = label_name

ssl-keyfile-stash

Syntax
ssl-keyfile-stash = fully_qualified_path

Description

The name of the password stash file for the key database file.

Options

fully_qualified_path
    The password stash file.


Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.

Default value

None.

Example
ssl-keyfile-stash = fully_qualified_path

ssl-valid-server-dn

Syntax
ssl-valid-server-dn = certificate_DN

Description

Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.

Options

certificate_DN
    The DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted, so set this entry to pin the connection to the intended SMS when the key file trusts a CA that issues certificates to other hosts.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

None.

Example
ssl-valid-server-dn = certificate_DN

timeout

Syntax
timeout = seconds

Description

The length of time (in seconds) to wait for a response to be received back from the SMS.


Options

seconds
    The length of time (in seconds) to wait for a response to be received back from the SMS.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

30

Example
timeout = 30

[eai] stanza

eai-auth

Syntax
eai-auth = {none|http|https|both}

Description

Enables the external authentication interface and specifies the protocols over which WebSEAL accepts EAI authentication. The value none disables the interface.

Options

{none|http|https|both}
    The protocols over which the external authentication interface is enabled: HTTP only, HTTPS only, or both. No other external authentication interface parameters take effect if set to "none".

Usage

This stanza entry is required.

Default value

none

Example
eai-auth = none

eai-auth-level-header

Syntax
eai-auth-level-header = header-name


Description

Specifies the name of the header that contains the authentication strength level for the generated credential.

Options

header-name
    The name of the header that contains the authentication strength level for the generated credential.

Usage

This stanza entry is optional.

Default value

am-eai-auth-level

Example
eai-auth-level-header = am-eai-auth-level

eai-flags-header

Syntax
eai-flags-header = header-name

Description

Specifies the name of the header that 'flags' the authentication response with extra processing information. WebSEAL supports the following header values as flags:

stream
    Causes WebSEAL to stream the EAI authentication response back to the client.

For more details, see the information about external authentication interface authentication flags in the IBM Security Access Manager: WebSEAL Administration Guide.

Options

header-name
    The name of the EAI flags header.

Usage

This stanza entry is optional.

Default value

am-eai-flags

Example
eai-flags-header = am-eai-flags


eai-pac-header

Syntax
eai-pac-header = header-name

Description

Specifies the name of the Privilege Attribute Certificate (PAC) header that contains authentication data returned from the external authentication interface server.

Options

header-name
    The name of the privilege attribute certificate (PAC) header that contains authentication data returned from the external authentication interface server.

Usage

This stanza entry is optional.

Default value

am-eai-pac

Example
eai-pac-header = am-eai-pac

eai-pac-svc-header

Syntax
eai-pac-svc-header = header-name

Description

Specifies the name of the header that contains the service ID that is used to convert the PAC into a credential.

Options

header-name
    The name of the header that contains the service ID that is used to convert the PAC into a credential.

Usage

This stanza entry is optional.

Default value

am-eai-pac-svc

Example
eai-pac-svc-header = am-eai-pac-svc


eai-redir-url-header

Syntax
eai-redir-url-header = header-name

Description

Specifies the name of the header that contains the URL a client is redirected to upon successful authentication.

Options

header-name
    The name of the header that contains the URL a client is redirected to upon successful authentication.

Usage

This stanza entry is optional.

Default value

am-eai-redir-url

Example
eai-redir-url-header = am-eai-redir-url

eai-session-id-header

Syntax
eai-session-id-header = header-name

Description

The name of the header that contains the session identifier of the distributed session to be shared across multiple DNS domains.

Options

header-name
    The name of the header that contains the session identifier of the distributed session to be shared across multiple DNS domains.

Usage

This stanza entry is required.

Default value

am-eai-session-id

Example
eai-session-id-header = am-eai-session-id


eai-user-id-header

Syntax
eai-user-id-header = header-name

Description

Specifies the name of the header that contains the ID of the user used when generating a credential.

Options

header-name
    The name of the header that contains the ID of the user used when generating a credential.

Usage

This stanza entry is optional.

Default value

am-eai-user-id

Example
eai-user-id-header = am-eai-user-id

eai-verify-user-identity

Syntax
eai-verify-user-identity = {yes|no}

Description

During the EAI re-authentication process, this configuration entry determines whether the new user identity must match the user identity from the previous authentication.

Options

yes
    During EAI authentication, the new user identity is compared with the user identity from the previous authentication. If the user identities do not match, an error is returned.

no
    EAI authentication proceeds without verifying the new user identity.

Usage

This stanza entry is optional.

Default value

no

Example
eai-verify-user-identity = yes


eai-xattrs-header

Syntax
eai-xattrs-header = header-name[,header-name...]

Description

Specifies a comma-delimited list of header names. WebSEAL examines the response for headers with the specified names and creates extended attributes using the name of the header as the attribute name and the value of the header as the attribute value.

For example, if the following headers are returned in the HTTP response:
am-eai-xattrs: creditcardexpiry, streetaddress
creditcardexpiry: 090812
streetaddress: 555 homewood lane

WebSEAL will:
1. Examine the am-eai-xattrs header
2. Detect two headers to look for in the response
3. Find those headers and their values
4. Add the two specified attributes to the credential

Options

header-name[,header-name...]
    One or more (comma delimited) header names that are added to the credential as extended attributes.

Usage

This stanza entry is optional.

Default value

am-eai-xattrs

Example
eai-xattrs-header = am-eai-xattrs
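The following is an added illustration, written for this page rather than taken from WebSEAL, of how the [eai] header entries above combine into one credential: the user identity is read from the eai-user-id-header, the strength level from the eai-auth-level-header, the headers listed in the eai-xattrs-header become extended attributes (using the page's own creditcardexpiry/streetaddress example), and with eai-verify-user-identity = yes a re-authentication that names a different user is rejected. The header names are the page's defaults; the behaviour when the level header is absent, when a listed extended-attribute header is missing, and the error type are assumptions of the example.

```python
from typing import Dict, Optional

# The page's default header names for the [eai] stanza.
EAI_USER_ID_HEADER = "am-eai-user-id"
EAI_AUTH_LEVEL_HEADER = "am-eai-auth-level"
EAI_XATTRS_HEADER = "am-eai-xattrs"
EAI_REDIR_URL_HEADER = "am-eai-redir-url"


class EaiError(Exception):
    """Raised when the EAI response cannot be turned into a credential."""


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def build_credential(resp_headers: Dict[str, str],
                     existing_user: Optional[str] = None,
                     verify_user_identity: bool = False) -> Dict[str, object]:
    """Turn an EAI server's response headers into a credential description.
    User id comes from eai-user-id-header, the strength level from
    eai-auth-level-header, and every header named in eai-xattrs-header becomes
    an extended attribute. With verify_user_identity (eai-verify-user-identity
    = yes) a re-authentication must return the same user as the existing
    session. Assumption: a missing level header yields no level, and a header
    listed in am-eai-xattrs but absent from the response is ignored."""
    h = _lower_keys(resp_headers)
    user = h.get(EAI_USER_ID_HEADER, "").strip()
    if not user:
        raise EaiError("no user identity in EAI response")
    if verify_user_identity and existing_user is not None and user != existing_user:
        raise EaiError(f"identity changed on re-authentication: {existing_user!r} -> {user!r}")
    level: Optional[int] = None
    if EAI_AUTH_LEVEL_HEADER in h:
        raw = h[EAI_AUTH_LEVEL_HEADER].strip()
        if not raw.isdigit():
            raise EaiError(f"non-numeric authentication level: {raw!r}")
        level = int(raw)
    xattrs: Dict[str, str] = {}
    for name in h.get(EAI_XATTRS_HEADER, "").split(","):
        name = name.strip().lower()
        if name and name in h:
            xattrs[name] = h[name]
    return {"user": user, "auth_level": level, "xattrs": xattrs,
            "redirect": h.get(EAI_REDIR_URL_HEADER)}


def reauth_accepted(resp_headers: Dict[str, str], existing_user: str) -> bool:
    """Does an EAI re-authentication for an existing session pass with
    eai-verify-user-identity = yes?"""
    try:
        build_credential(resp_headers, existing_user, verify_user_identity=True)
        return True
    except EaiError:
        return False
```

The identity check is the one to keep switched on wherever an already-authenticated user can reach the EAI trigger again: without it, a second EAI round can swap the session's identity for whatever the EAI server asserts.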

retain-eai-session

Syntax
retain-eai-session = {yes|no}

Description

Specifies whether the existing session and session cache entry for a client are retained or replaced when an already-authenticated EAI client authenticates through an EAI a second time.

Options

yes
    If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are retained, and the new credential is stored in the existing cache entry.

no
    If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are completely replaced and the new credential is stored in the new cache entry.

Usage

This stanza entry is required.

Default value

no

Example
retain-eai-session = no

[eai-trigger-urls] stanza

trigger

Syntax
trigger = url-pattern

Description

Format for standard WebSEAL junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.

Options

url-pattern
    The trigger URL (format for standard WebSEAL junctions) that causes WebSEAL to set a special flag on the request.

Usage

There must be at least one entry when eai-auth is not "none".

Default value

None.

Example
trigger = /jct/cgi-bin/eaitest/*

trigger

Syntax
trigger = HTTP[S]://virtual-host-name[:port_number]/url-pattern


Description

Format for virtual host junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.

For virtual host junctions to match a trigger, they must use the same protocol andthe same virtual-host-name and port number as the trigger.

Options

HTTP[S]://virtual-host-name[:port_number]/url-pattern
    The trigger URL (format for virtual host junctions) that causes WebSEAL to set a special flag on the request.

Usage

There must be at least one entry when eai-auth is not "none".

Default value

None.

Example
trigger = HTTPS://vhost1.example.com:4344/jct/cgi-bin/eaitest/*
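As an added illustration of the two trigger formats above (example code written for this page, not WebSEAL's implementation), the following parses both forms, matches a request against them with the same-protocol, same-host, same-port rule the virtual-host description states, and shows why the flag matters: only a response to a flagged request is examined for am-eai-* headers, so an ordinary junctioned application cannot assert an identity by echoing them. Shell-style wildcard matching of the path, host-independent matching for the path-only form, and the default port for a virtual-host trigger that omits one are assumptions of the example; the host names are the page's.

```python
import fnmatch
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class Trigger(NamedTuple):
    scheme: Optional[str]   # None for a standard-junction (path-only) trigger
    host: Optional[str]
    port: Optional[int]
    path_pattern: str


def parse_trigger(value: str) -> Trigger:
    """Parse one [eai-trigger-urls] trigger in either of the page's formats.
    Assumption: a virtual-host trigger without an explicit port uses the
    scheme's default port (80 or 443)."""
    if value.startswith("/"):
        return Trigger(None, None, None, value)
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"bad virtual-host trigger: {value!r}")
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    return Trigger(scheme, parts.hostname.lower(), port, parts.path or "/")


def request_is_trigger(triggers: List[Trigger], scheme: str, host: str, port: int, path: str) -> bool:
    """Does a request match a trigger? A virtual-host trigger requires the same
    protocol, host and port, as the page states; a path-only trigger is matched
    on the path alone (assumption: it is not restricted by host)."""
    for t in triggers:
        if not fnmatch.fnmatchcase(path, t.path_pattern):
            continue
        if t.scheme is None:
            return True
        if t.scheme == scheme.lower() and t.host == host.lower() and t.port == port:
            return True
    return False


def response_headers_to_trust(flagged: bool, resp_headers: dict) -> dict:
    """Only a response to a flagged (trigger) request is examined for EAI
    headers. Returning nothing for an unflagged response is what stops an
    arbitrary back-end application from asserting an identity by echoing
    am-eai-* headers."""
    if not flagged:
        return {}
    return {k: v for k, v in resp_headers.items() if k.lower().startswith("am-eai-")}
```

Keep trigger patterns as narrow as the EAI application allows: every path that matches a trigger is a path whose response can mint a credential.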

[e-community-domains] stanza

name

Syntax
name = domain

Description

The e-community cookie domains used by virtual host junctions. The domain used by a particular virtual host junction is chosen by finding the longest domain in the table that matches the virtual host name. Each of these domains must also have a corresponding table of keys defined by creating a stanza of the format [e-community-domain-keys:domain].

Options

domain The e-community cookie domain used by virtual host junctions.

Usage

This stanza entry is optional.

Default value

None.


Example

name = www.example.com

[e-community-domain-keys] stanza

domain_name

Syntax
domain_name = key_file

Description

File names for keys for any domains that are participating in the e-community. This includes the domain in which the WebSEAL server is running. These are shared on a pair-wise-by-domain basis.

Options

domain_name
    A domain that is participating in the e-community.

key_file
    File name for the key for any domain that is participating in the e-community.

Usage

This stanza entry is optional.

Default value

None.

Example
ecssoserver.subnet.example.com = /tmp/ecsso.key

[e-community-domain-keys:domain] stanza

domain_name

Syntax
domain_name = key_file

Description

Keys for any domains that are participating in the e-community, including the domain in which the virtual host junction is running. These are shared on a pair-wise-by-domain basis.

Options

domain_name
    Domain that is participating in the e-community, including the domain in which the virtual host junction is running.


key_file
    Key for any domain that is participating in the e-community, including the domain in which the virtual host junction is running.

Usage

This stanza entry is optional.

Default value

None.

Example
[e-community-domain-keys:www.example.com]
ecssoserver.subnet.example.com = /tmp/ecsso.key
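As an added illustration of the [e-community-domains] and [e-community-domain-keys:domain] stanzas above (example code written for this page, not WebSEAL's own), the following picks the cookie domain for a virtual host by the longest-match rule the page describes, resolves the pair-wise key file from the matching domain's key stanza, and reports any listed domain that lacks its required key stanza. The domain list, key tables and file names are constructed; treating a table domain as matching when it equals the virtual host name or is a dot-separated suffix of it is an assumption.

```python
from typing import Dict, List, Optional

# Constructed [e-community-domains] list and the per-domain key tables that
# the page says each listed domain must have.
E_COMMUNITY_DOMAINS: List[str] = ["example.com", "www.example.com", "partner.example.net"]
E_COMMUNITY_DOMAIN_KEYS: Dict[str, Dict[str, str]] = {
    "example.com": {"ecssoserver.subnet.example.com": "/tmp/ecsso-example.key"},
    "www.example.com": {"ecssoserver.subnet.example.com": "/tmp/ecsso.key"},
    "partner.example.net": {"ecssoserver.subnet.example.com": "/tmp/ecsso-partner.key"},
}


def _domain_matches(virtual_host: str, domain: str) -> bool:
    # Assumption: a domain matches the host itself or as a dot-separated
    # suffix, so "example.com" matches "www.example.com" but not "badexample.com".
    virtual_host, domain = virtual_host.lower(), domain.lower()
    return virtual_host == domain or virtual_host.endswith("." + domain)


def cookie_domain_for(virtual_host: str) -> Optional[str]:
    """Longest matching domain in the table wins, as the page describes."""
    matches = [d for d in E_COMMUNITY_DOMAINS if _domain_matches(virtual_host, d)]
    return max(matches, key=len) if matches else None


def key_file_for(virtual_host: str, peer_domain: str) -> str:
    """Resolve the key file shared with a peer domain for the cookie domain
    chosen for this virtual host. Raises if the chosen domain has no
    [e-community-domain-keys:domain] stanza or no entry for the peer."""
    domain = cookie_domain_for(virtual_host)
    if domain is None:
        raise LookupError(f"no e-community domain for {virtual_host!r}")
    table = E_COMMUNITY_DOMAIN_KEYS.get(domain)
    if table is None:
        raise LookupError(f"missing [e-community-domain-keys:{domain}] stanza")
    if peer_domain not in table:
        raise LookupError(f"no key for peer {peer_domain!r} in domain {domain!r}")
    return table[peer_domain]


def domains_without_key_stanza() -> List[str]:
    """Configuration check: listed domains that lack their key stanza."""
    return [d for d in E_COMMUNITY_DOMAINS if d not in E_COMMUNITY_DOMAIN_KEYS]
```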

[e-community-sso] stanza

cache-requests-for-ecsso

Syntax
cache-requests-for-ecsso = {yes|no}

Description

Specifies whether or not to cache request data from an unauthenticated request while the e-community master authentication server (MAS) authenticates the user.

Options

yes
    If an unauthenticated request is made, the request data is cached while the e-community master authentication server (MAS) authenticates the user.

no
    If an unauthenticated request is made, the request data is not cached while the e-community master authentication server (MAS) authenticates the user. The original request data will be lost.

Usage

This stanza entry is required.

Default value

yes

Example
cache-requests-for-ecsso = yes

e-community-name

Syntax
e-community-name = name


Description

String value that specifies an e-community name. When e-community single signon is supported, this name must match any vouch-for tokens or e-community cookies that are received.

Options

name
    String value that specifies an e-community name. The string must not contain the equals sign ( = ) or ampersand ( & ).

Usage

This stanza entry is optional.

Default value

None.

Example
e-community-name = company1

disable-ec-cookie

Syntax
disable-ec-cookie = {yes|no}

Description

Provides an option to override default e-Community Single Sign-On (eCSSO) behavior and prohibit WebSEAL from using e-community cookies.

Options

yes
    Prohibits WebSEAL from using the e-community cookie; only the master authentication server (MAS) will be permitted to generate vouch-for tokens.

no
    The default eCSSO behavior in WebSEAL is left unchanged.

Usage

This stanza entry is optional.

Default value

no

Example
disable-ec-cookie = no

e-community-sso-auth

Syntax
e-community-sso-auth = {none|http|https|both}


Description

Enables participation in e-community single signon.

Options

{none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example
e-community-sso-auth = none

ec-cookie-domain

Syntax
ec-cookie-domain = domain

Description

Specifies the domain that WebSEAL sets on the e-community cookie. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).

Options

domain
    The cookie domain. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).

Usage

This stanza entry is optional.

Default value

None.

Example
ec-cookie-domain = www.example.com

ec-cookie-lifetime

Syntax
ec-cookie-lifetime = number_of_minutes

Description

Positive integer value indicating the lifetime of an e-community cookie.


Options

number_of_minutes
    Positive integer value indicating the lifetime, in minutes, of an e-community cookie. Minimum value is 1. There is no maximum value.

Usage

This stanza entry is required.

Default value

300

Example
ec-cookie-lifetime = 300

ecsso-allow-unauth

Syntax
ecsso-allow-unauth = {yes|no}

Description

Enables or disables unauthenticated access to unprotected resources on an e-community SSO slave server.

Options

yes
    The value yes enables unauthenticated access.

no
    The value no disables access. For compatibility with versions of WebSEAL prior to version 5.1, set this value to no.

Usage

This stanza entry is required.

Default value

yes

Example
ecsso-allow-unauth = yes

ecsso-propagate-errors

Syntax
ecsso-propagate-errors = {yes|no}

Description

Specifies whether authentication errors returned by the master-authn-server in vouch-for tokens are propagated to the ERROR_CODE and ERROR_TEXT macros used by facilities such as local response redirect.


Options

yes
    Authentication errors are propagated to the ERROR_CODE and ERROR_TEXT macros.

no
    Authentication errors are not propagated to the ERROR_CODE and ERROR_TEXT macros.

Usage

This stanza entry is required.

Default value

no

Example
ecsso-propagate-errors = no

handle-auth-failure-at-mas

Syntax
handle-auth-failure-at-mas = {yes|no}

Description

Provides an option to override default eCSSO behavior and allow the MAS to handle login failures without redirecting the Web browser back to the requesting host.

Options

yes
    Enables the MAS to handle login failures directly without redirecting the Web browser back to the requesting host.

no
    The default eCSSO behavior in WebSEAL is left unchanged. On a login failure, the MAS will generate a vouch-for token and redirect the Web browser back to the requesting host.

Usage

This stanza entry is optional.

Default value

no

Example
handle-auth-failure-at-mas = no

is-master-authn-server

Syntax
is-master-authn-server = {yes|no}


Description

Specifies whether this WebSEAL server accepts vouch-for requests from other WebSEAL instances. The WebSEAL instances must have domain keys listed in the [e-community-domain-keys] stanza.

Options

yes
    This WebSEAL server accepts vouch-for requests from other WebSEAL instances. When this value is yes, this WebSEAL server is the master authentication server.

no
    This WebSEAL server does not accept vouch-for requests from other WebSEAL instances.

Usage

This stanza entry is optional.

Default value

None.

Example
is-master-authn-server = no

master-authn-server

Syntax
master-authn-server = fully_qualified_hostname

Description

Location of the master authentication server. This value must be specified when is-master-authn-server is set to no. If a local domain login has not been performed, then authentication attempts are routed through the master machine. The master machine will vouch for the user identity. The domain key for the master-authn-server needs to be listed in the [e-community-domain-keys] stanza.

Options

fully_qualified_hostname
    Location of the master authentication server.

Usage

This stanza entry is optional.

Default value

None.

Example

master-authn-server = diamond.dev.example.com

master-http-port

Syntax

master-http-port = port_number

Description

Integer value specifying the port number on which the master-authn-server listens for HTTP requests. The setting is necessary when e-community-sso-auth permits use of the HTTP protocol, and the master-authn-server listens for HTTP requests on a port other than the standard HTTP port (port 80). This stanza entry is ignored if this WebSEAL server is the master authentication server.

Options

port_number
    Integer value specifying the port number on which the master-authn-server listens for HTTP requests.

Usage

This stanza entry is optional.

Default value

None.

Example

master-http-port = 81

master-https-port

Syntax

master-https-port = port_number

Description

Integer value specifying the port number on which the master-authn-server listens for HTTPS requests. The setting is necessary when e-community-sso-auth permits use of the HTTPS protocol, and the master-authn-server listens for HTTPS requests on a port other than the standard HTTPS port (port 443). This stanza entry is ignored if this WebSEAL server is the master authentication server.

Options

port_number
    Integer value specifying the port number on which the master-authn-server listens for HTTPS requests.

Usage

This stanza entry is optional.

Default value

None.

Example

master-https-port = 444

propagate-cdmf-errors

Syntax

propagate-cdmf-errors = {yes|no}

Description

Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.

Options

yes
    A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.

no
    A "no" value (default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.

Usage

This stanza entry is required.

Default value

no

Example

propagate-cdmf-errors = no

use-utf8

Syntax

use-utf8 = {yes|no}

Description

Use UTF-8 encoding for tokens used in e-community single signon.

Options

yes
    Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables tokens to be used across different code pages (such as for a different language).

no
    For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.

Usage

This stanza entry is required.

Default value

yes

Example

use-utf8 = yes

vf-argument

Syntax

vf-argument = vouch-for_token_name

Description

String value containing the name of the vouch-for token contained in a vouch-for reply. This is used to construct the vouch-for replies by the master authentication server, and to distinguish incoming requests as ones with vouch-for information by participating e-community single signon servers.

Options

vouch-for_token_name
    Valid characters for the string are ASCII characters except for ampersand ( & ), equals sign ( = ), and question mark ( ? ).

Usage

This stanza entry is optional.

Default value

PD-VF

Example

vf-argument = PD-VF

vf-token-lifetime

Syntax

vf-token-lifetime = number_of_seconds

Description

Positive integer indicating the lifetime, in seconds, of the vouch-for token. This is set to account for clock skew between participant servers.

Options

number_of_seconds
    Positive integer indicating the lifetime, in seconds, of the vouch-for token. The minimum value is 1 second. There is no maximum value.

Usage

This stanza entry is optional.

Default value

180

Example

vf-token-lifetime = 180

vf-url

Syntax

vf-url = URL_designation

Description

Designator for the vouch-for URL. This specifies the start of a URL relative to the server root. This is used to construct vouch-for requests for participating e-community single signon servers, and to distinguish requests for vouch-for information from other requests by the master authentication server.

Options

URL_designation
    The URL_designation string can contain alphanumeric characters and the following special characters: dollar sign ( $ ), hyphen ( - ), underscore ( _ ), period ( . ), plus sign ( + ), exclamation point ( ! ), asterisk ( * ), single quote ( ' ), left and right parentheses ( ( ) ), and comma ( , ). Question marks ( ? ) are not allowed.

Usage

This stanza entry is optional.

Default value

When the stanza entry is not present in the configuration file, the default value is /pkmsvouchfor.

Example

vf-url = /pkmsvouchfor

[ecsso-incoming-attributes] stanza

attribute_pattern

Use the attribute_pattern stanza entry to specify whether attributes are preserved or refreshed during an eCSSO authentication operation.

Syntax

attribute_pattern = {preserve|refresh}

Description

Extended attributes to extract from incoming eCSSO authentication tokens.

The attributes typically match those attributes declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.

The attribute_pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.

Options

preserve
    Attributes in eCSSO vouch-for tokens that match a "preserve" entry, or that match none of the entries, are kept. If no entries are configured, then all attributes are kept.

refresh
    Attributes in eCSSO vouch-for tokens that match a "refresh" entry are removed from the token. WebSEAL removes these attributes before the CDMF library is called to map the remote user into the local domain.

Usage

This stanza entry is optional.

Default value

None.

Example

my_cred_attr1 = preserve

[ecsso-token-attributes] stanza

<default>

Syntax

<default> = pattern1
[<default> = pattern2]
...
[<default> = patternN]

Description

Credential attributes to include in eCSSO authentication tokens. When WebSEAL cannot find a domain_name entry to match the domain, the entries in "<default>" are used. The word <default> is a key word and must not be modified.

Options

pattern
    The pattern can either be a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).

Usage

This stanza entry is optional.

Default value

None.

Example

<default> = my_cdas_attr_*

domain_name

Syntax

domain_name = pattern1
[domain_name = pattern2]
...
[domain_name = patternN]

Description

Credential attributes to include in eCSSO authentication tokens.

Options

domain_name
    The domain_name specifies the destination domain containing the server that will consume the token.

pattern
    The pattern for each entry can either be a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).

Usage

This stanza entry is optional.

Default value

None.

Example

example1.com = my_cdas_attr_*
example1.com = some_exact_attribute

[enable-redirects] stanza

redirect

Syntax

redirect = {forms-auth|basic-auth|cert-auth|token-auth|ext-auth-interface}

Description

Enables redirection for use with one or more authentication mechanisms.

Options

{forms-auth|basic-auth|cert-auth|token-auth|ext-auth-interface}
    Redirection is supported for:
    v Forms authentication
    v Basic authentication
    v Certificate authentication
    v Token authentication
    v External authentication interface

The configuration file must contain a separate entry for each authentication mechanism for which redirection is enabled.

Usage

This stanza entry is optional.

Default value

None.

Example

Example entries that enable redirection for forms authentication and basic authentication:

redirect = forms-auth
redirect = basic-auth

[failover] stanza

clean-ecsso-urls-for-failover

Syntax

clean-ecsso-urls-for-failover = {yes|no}

Description

You can enable Failover Authentication and eCSSO in your environment. During failover authentication, if a user was originally authenticated using eCSSO, WebSEAL updates the URL that it sends to the back-end server. WebSEAL sends PD-VFHOST and PD-VF tokens as query arguments, along with the original URL.

Use the clean-ecsso-urls-for-failover configuration entry to control whether these tokens are removed from the URL.

Options

yes
    The query arguments that contain the PD-VFHOST and PD-VF tokens are removed from the URL.

no
    The query arguments that contain the PD-VFHOST and PD-VF tokens are not removed from the URL.

Usage

This stanza entry is optional.

Default value

no

Example

clean-ecsso-urls-for-failover = no

enable-failover-cookie-for-domain

Syntax

enable-failover-cookie-for-domain = {yes|no}

Description

Enables the failover cookie for the domain.

Options

yes
    Enables the failover cookie for the domain.

no
    Disables the failover cookie for the domain.

Usage

This stanza entry is required.

Default value

no

Example

enable-failover-cookie-for-domain = no

failover-auth

Syntax

failover-auth = {none|http|https|both}

Description

Enables WebSEAL to accept failover cookies.

Options

{none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

failover-auth = none

failover-cookie-lifetime

Syntax

failover-cookie-lifetime = number_of_minutes

Description

An integer value specifying the number of minutes that failover cookie contents are valid.

Options

number_of_minutes
    An integer value specifying the number of minutes that failover cookie contents are valid. Must be a positive integer. There is no maximum value.

Usage

This stanza entry is required.

Default value

60

Example

failover-cookie-lifetime = 60

failover-cookies-keyfile

Syntax

failover-cookies-keyfile = fully_qualified_path

Description

A key file for failover cookie encryption. Use the cdsso_key_gen utility to generate this file.

Options

fully_qualified_path
    Path to the key file for failover cookie encryption.

Usage

This stanza entry is optional.

Default value

None.

Example

failover-cookies-keyfile = /tmp/failover.key

failover-include-session-id

Syntax

failover-include-session-id = {yes|no}

Description

Enables or disables reuse by WebSEAL of a client's original session ID, which improves failover authentication response and performance in a non-sticky load-balancing environment. WebSEAL reuses the original session ID by storing the ID as an extended attribute of the failover cookie.

Options

yes
    Enables WebSEAL to reuse a client's original session ID to improve failover authentication response and performance in a non-sticky load-balancing environment.

no
    Disables reuse of a client's original session ID; WebSEAL does not carry the session ID in the failover cookie.

Usage

This stanza entry is required.

Default value

no

Example

failover-include-session-id = no

failover-require-activity-timestamp-validation

Syntax

failover-require-activity-timestamp-validation = {yes|no}

Description

Enables or disables the requirement of a session activity timestamp validation in the failover cookie.

Options

yes
    Enables the requirement of a session activity timestamp validation in the failover cookie.

no
    Disables the requirement of a session activity timestamp validation in the failover cookie. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session activity timestamp in the failover cookie.

Usage

This stanza entry is required.

Default value

no

Example

failover-require-activity-timestamp-validation = no

failover-require-lifetime-timestamp-validation

Syntax

failover-require-lifetime-timestamp-validation = {yes|no}

Description

Enables or disables the requirement of a session lifetime timestamp validation in the failover cookie.

Options

yes
    Enables the requirement of a session lifetime timestamp validation in the failover cookie.

no
    Disables the requirement of a session lifetime timestamp validation in the failover cookie. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session lifetime timestamp in the failover cookie.

Usage

This stanza entry is required.

Default value

no

Example

failover-require-lifetime-timestamp-validation = no

failover-update-cookie

Syntax

failover-update-cookie = number_of_seconds

Description

The maximum interval, in seconds, allowed between updates of the session activity timestamp in the failover cookies. The value is an integer. When the server receives a request, if the number of seconds specified for this parameter has passed, the session activity timestamp is updated.

Options

number_of_seconds
    When the value is 0, the session activity timestamp is updated on every request. When the value is less than zero (negative number), the session activity timestamp is never updated. There is no maximum value.

Usage

This stanza entry is required.

Default value

-1

Example

failover-update-cookie = 60
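The timestamp rules from failover-cookie-lifetime, the two failover-require-*-timestamp-validation entries and failover-update-cookie, brought together as an added Python illustration (not WebSEAL's own code). The inactivity and session-lifetime timeouts that the two timestamps are compared against are assumed values configured elsewhere; this page states only whether each check is required.

```python
"""Toy model of the failover-cookie timestamp rules described in the [failover] stanza.
Added illustration, not WebSEAL's own code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FailoverPolicy:
    # Page defaults: 60 minutes, both validations off, activity timestamp never updated (-1).
    cookie_lifetime_minutes: int = 60
    require_activity_timestamp: bool = False
    require_lifetime_timestamp: bool = False
    update_cookie_seconds: int = -1
    # Assumed: the timeouts the two timestamps are checked against come from elsewhere
    # in the WebSEAL configuration; this page only says whether the check is required.
    inactive_timeout_seconds: int = 600
    session_lifetime_seconds: int = 3600


@dataclass
class FailoverCookie:
    issued_at: int                               # when this cookie was created
    activity_timestamp: Optional[int] = None     # session-activity-timestamp, if present
    lifetime_timestamp: Optional[int] = None     # session-lifetime-timestamp, if present


def validate_failover_cookie(policy: FailoverPolicy, cookie: FailoverCookie, now: int):
    """Return (accepted, reason) for a failover cookie presented at time `now`."""
    # failover-cookie-lifetime: cookie contents are valid for this many minutes.
    if now - cookie.issued_at > policy.cookie_lifetime_minutes * 60:
        return False, "failover-cookie-lifetime exceeded"
    # failover-require-activity-timestamp-validation = yes: the timestamp must be present
    # (cookies from WebSEAL before 5.1 never carried it) and must pass its check.
    if policy.require_activity_timestamp:
        if cookie.activity_timestamp is None:
            return False, "activity timestamp required but absent (pre-5.1 cookie)"
        if now - cookie.activity_timestamp > policy.inactive_timeout_seconds:   # assumed check
            return False, "session inactive too long"
    # failover-require-lifetime-timestamp-validation = yes: same shape for the lifetime stamp.
    if policy.require_lifetime_timestamp:
        if cookie.lifetime_timestamp is None:
            return False, "lifetime timestamp required but absent (pre-5.1 cookie)"
        if now - cookie.lifetime_timestamp > policy.session_lifetime_seconds:   # assumed check
            return False, "session lifetime exceeded"
    return True, "ok"


def activity_timestamp_needs_update(policy: FailoverPolicy, last_update: int, now: int) -> bool:
    """failover-update-cookie: 0 updates on every request, a negative value never updates,
    otherwise the stamp is refreshed once that many seconds have passed since the last update."""
    if policy.update_cookie_seconds == 0:
        return True
    if policy.update_cookie_seconds < 0:
        return False
    return now - last_update >= policy.update_cookie_seconds
```

With the page's defaults a cookie is rejected only by the 60-minute lifetime; turning the validation entries on makes a pre-5.1 cookie without timestamps fail outright.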

reissue-missing-failover-cookie

Syntax

reissue-missing-failover-cookie = {yes|no}

Description

Allows WebSEAL to reissue a cached original failover cookie in the response to a client, if the client makes a request that does not include the failover cookie.

Options

yes
    Enables the failover cookie reissue mechanism.

no
    Disables the failover cookie reissue mechanism.

Usage

This stanza entry is required.

Default value

no

Example

reissue-missing-failover-cookie = no

use-utf8

Syntax

use-utf8 = {yes|no}

Description

Use UTF-8 encoding for strings in the failover authentication cookie.

Options

yes
    Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, cookies can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables cookies to be used across different code pages (such as for a different language).

no
    For backward compatibility with cookies created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.

Usage

This stanza entry is required.

Default value

yes

Example

use-utf8 = yes

[failover-add-attributes] stanza

attribute_pattern

Use the attribute_pattern stanza entry to specify the credential attributes that WebSEAL preserves in the failover cookie.

Syntax

attribute_pattern = add

Description

List of attributes from the original credential that must be preserved in the failover cookie.

The order of entries in the stanza is important. Rules (patterns) that are listed earlier in the stanza take precedence over those entries that are listed later in the stanza. Attributes that do not match any pattern are not added to the failover cookie.

Options

attribute_pattern
    The attribute pattern is a case-insensitive wildcard pattern.

add
    Add attribute.

Usage

Entries in this stanza are optional.

Default value

There are no default entries in this stanza. However, the attributes AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD are added to the failover cookie by default. You do not need to include these attributes in the configuration stanza.

Example

tagvalue_failover_amweb_session_id = add

session-activity-timestamp

Syntax

session-activity-timestamp = add

Description

This entry specifies that the timestamp for the last user activity be taken from the failover cookie and added to the new session on the replicated server.

This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.

Options

add
    Add attribute.

Usage

This stanza entry is optional and must be manually added to the configuration file.

Default value

None.

Example

session-activity-timestamp = add

session-lifetime-timestamp

Syntax

session-lifetime-timestamp = add

Description

This entry specifies that the timestamp for creation of the original session be taken from the failover cookie and added to the new session on the replicated server.

This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.

Options

add
    Add attribute.

Usage

This stanza entry is optional and must be manually added to the configuration file.

Default value

None.

Example

session-lifetime-timestamp = add

[failover-restore-attributes] stanza

attribute_pattern

Use the attribute_pattern stanza entry with a value of preserve to specify the failover cookie attributes that WebSEAL adds to the re-created user credential.

Syntax

attribute_pattern = preserve

Description

List of attributes to put in the new credential when re-creating a credential from a failover cookie.

The order of entries in the stanza is important. Rules (patterns) that are listed earlier in the stanza take precedence over the entries that are listed later in the stanza. Attributes that do not match any pattern are not added to the credential.

Options

attribute_pattern
    The attribute pattern is a case-insensitive wildcard pattern.

preserve
    When WebSEAL recreates a credential, all failover cookie attributes are ignored unless specified by an entry with the value preserve.

Usage

Entries in this stanza are optional.

Default value

None.

Example

tagvalue_failover_amweb_session_id = preserve

attribute_pattern

Use the attribute_pattern stanza entry with a value of refresh to specify failover cookie attributes that WebSEAL must refresh rather than preserve.

Syntax

attribute_pattern = refresh

Description

A list of failover cookie attributes to omit from the re-created user credential.

This list is not needed in all configurations. The default behavior when WebSEAL re-creates a user credential is to omit all attributes that are not specified with a value of preserve.

In some cases, it might be necessary to specify an exception to a wildcard pattern matching to ensure that a specific attribute gets refreshed, not preserved. To do so, configure the pattern with the value refresh. This specification might be necessary, for example, when you are using a custom external authentication C API module.

The order of entries in the stanza is important. Rules (patterns) that are listed earlier in the stanza take precedence over the entries that are listed later in the stanza.

Options

attribute_pattern
    The attribute pattern is a case-insensitive wildcard pattern.

refresh
    Specifies an exception to a wildcard pattern matching to ensure that a specific attribute gets refreshed, not preserved.

Usage

Entries in this stanza are optional.

Default value

None.

Example

tagvalue_failover_amweb_session_id = refresh
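The ordered first-match rules that [ecsso-incoming-attributes], [failover-add-attributes] and [failover-restore-attributes] share, worked through in one added Python model (not WebSEAL's own code); the [ecsso-token-attributes] patterns use the same wildcards. The exact semantics of the wildcard characters *, ?, [], ^ and \ are an assumption based on the characters the page lists, and the sample attribute sets are constructed.

```python
"""Toy model of the attribute-pattern rules this page describes: ordered rules,
first match wins, preserve/add keeps an attribute, refresh drops it.
Added illustration, not WebSEAL's own code."""
import re


def sam_pattern_to_regex(pattern: str) -> str:
    """Translate a Security Access Manager wildcard pattern into an anchored regex.
    Assumed semantics: * any run, ? one character, [abc] class, [^abc] negated class,
    \\ escapes the next character."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[" and pattern.find("]", i + 1) > 0:
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            out.append("[" + ("^" if negate else "") + (body[1:] if negate else body) + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


def pattern_matches(pattern: str, name: str, ignore_case: bool = False) -> bool:
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(sam_pattern_to_regex(pattern), name, flags) is not None


def apply_rules(attributes: dict, rules: list, unmatched: str, ignore_case: bool) -> dict:
    """rules is an ordered list of (pattern, action); the first matching rule decides.
    `unmatched` is the action applied to attributes that no rule matches."""
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [(re.compile(sam_pattern_to_regex(p), flags), action) for p, action in rules]
    result = {}
    for name, value in attributes.items():
        action = next((act for rx, act in compiled if rx.match(name)), unmatched)
        if action in ("preserve", "add"):
            result[name] = value
    return result


def ecsso_incoming_attributes(token_attrs: dict, rules: list) -> dict:
    # [ecsso-incoming-attributes]: attributes matching no entry are kept, so an empty
    # rule list keeps everything; only a matching refresh entry removes an attribute.
    return apply_rules(token_attrs, rules, unmatched="preserve", ignore_case=False)


def failover_add_attributes(cred_attrs: dict, rules: list) -> dict:
    # [failover-add-attributes]: case-insensitive; attributes matching no pattern are not
    # added; AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD go into the cookie by default.
    cookie = apply_rules(cred_attrs, rules, unmatched="refresh", ignore_case=True)
    for always in ("AUTHENTICATION_LEVEL", "AZN_CRED_AUTH_METHOD"):
        if always in cred_attrs:
            cookie[always] = cred_attrs[always]
    return cookie


def failover_restore_attributes(cookie_attrs: dict, rules: list) -> dict:
    # [failover-restore-attributes]: case-insensitive; every cookie attribute is ignored
    # unless a preserve entry matches it first; a refresh entry listed before a wildcard
    # preserve carves a single attribute out of that wildcard.
    return apply_rules(cookie_attrs, rules, unmatched="refresh", ignore_case=True)
```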

[filter-content-types] stanza

type

Syntax

type = type_name

Description

List of entries that specify MIME types to be filtered by WebSEAL when received from junctioned servers.

Administrators can add additional MIME types that refer to a document that contains HTML or HTML-like content.

Options

type_name
    MIME type.

Usage

This list of stanza entries is required.

Default value

Do not remove the default entries.

type = text/html
type = text/vnd.wap.wml

Example

type = text/html
type = text/vnd.wap.wml

[filter-events] stanza

HTML_tag

Syntax

HTML_tag = event_handler

Description

List of HTML tags used by WebSEAL to identify and filter absolute URLs embedded in JavaScript. JavaScript allows HTML tags to contain event handlers that are invoked when certain events occur. For example, the HTML tag:

<form onsubmit="javascript:doSomething()">

causes the JavaScript function doSomething() to be called when the form is submitted.

The entries in this stanza are used to identify HTML tags that may contain JavaScript code. When such a tag is discovered, WebSEAL searches the tag to filter any absolute URLs embedded in the JavaScript. For example, if the "form onsubmit" example looked like:

<form onsubmit="javaScript:doSomething('http://junction.server.com')">

WebSEAL HTML filtering would modify the tag to look like:

<form onsubmit="javaScript:doSomething('/junction')">

Administrators can add additional entries when necessary. New entries must consist of valid HTML tags that are built into JavaScript. When adding new entries, maintain alphabetical order.

Options

HTML_tag
    HTML tag.

event_handler
    JavaScript event handler.

Usage

This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.

Default value

Default HTML tags and event handlers:

A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT

Example

IMG = ONABORT

[filter-request-headers] stanza

header

Syntax

header = header_name

Description

List of HTTP headers that WebSEAL filters before sending the request to a junctioned server. A default list is built in to WebSEAL. The default entries are not included in the configuration file.

The addition of new entries in this stanza is optional. For example, an administrator could add the accept-encoding header. This would instruct WebSEAL to remove any accept-encoding headers from requests before forwarding the request to the junction. The removal of the accept-encoding header would cause the junction server to return the document in an unencoded form, allowing WebSEAL to filter the document if necessary.

New entries must consist of valid HTTP headers.

Options

header_name
    HTTP header name.

Usage

The addition of new entries in this stanza is optional.

Default value

Default built-in header list:

host
connection
proxy-connection
expect
te
iv-ssl-jct
iv-user
iv_user
iv-groups
iv_groups
iv-creds
iv_creds
iv_remote_address
iv-remote-address

Example

header = accept-encoding

[filter-schemes] stanza

scheme

Syntax

scheme = scheme_name

Description

List of URL schemes that are not to be filtered by WebSEAL. A scheme is a protocol identifier.

This list is utilized when WebSEAL encounters a document containing a base URL. For example:

<head><base href="http://www.foo.com"></head>
<a href="mailto:[email protected]">Send me mail</a>

WebSEAL identifies the scheme mailto because this scheme is included by default in the [filter-schemes] stanza. If mailto was not identified as a scheme, WebSEAL would interpret it as a document and perform normal filtering. WebSEAL would then rewrite the link as:

<a href="http://www.foo.com/mailto:[email protected]">

This would be incorrect.

Options

scheme_name
    Scheme name.

Usage

WebSEAL provides a set of default schemes. The administrator can extend the list if additional protocols are used. Do not delete entries from the list.

Default value

Default list entries:

scheme = file
scheme = ftp
scheme = https
scheme = mailto
scheme = news
scheme = telnet

Example

scheme = telnet

[filter-url] stanza

HTML_tag

Syntax

HTML_tag = URL_attribute

Description

List of URL attributes that the WebSEAL server filters in responses from junctioned servers.

Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and attributes. When adding new entries, maintain alphabetical order.

Options

URL_attribute
    URL attribute.

Usage

This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.

Default value

Default HTML tags and attributes:

A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION

Example

IMG = SRC
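How the [filter-url], [filter-events] and [filter-schemes] lists described above fit together in one rewriting pass, as an added Python model (not WebSEAL's own code). The tag tables are a constructed subset of the defaults on this page, the sample HTML and the user@example.com address are constructed, and the junction.server.com / /junction values come from the page's own example.

```python
"""Toy model of WebSEAL response filtering driven by the [filter-url], [filter-events]
and [filter-schemes] stanzas. Added illustration, not WebSEAL's own code."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed subset of the page's default [filter-url] entries (HTML_tag = URL_attribute).
FILTER_URL = {("A", "HREF"), ("BASE", "HREF"), ("FORM", "ACTION"), ("IMG", "SRC")}
# Constructed subset of the page's default [filter-events] entries (HTML_tag = event_handler).
FILTER_EVENTS = {("A", "ONCLICK"), ("FORM", "ONSUBMIT"), ("IMG", "ONLOAD")}
# The page's default [filter-schemes] list: URLs with these schemes are not filtered.
FILTER_SCHEMES = {"file", "ftp", "https", "mailto", "news", "telnet"}

BACKEND = "http://junction.server.com"   # junctioned server, from the page's example
JUNCTION = "/junction"                    # WebSEAL junction point, from the page's example

TAG_RE = re.compile(r"<([A-Za-z][\w:.-]*)(\s[^>]*)?>")
ATTR_RE = re.compile(r"""(\s[A-Za-z_:][\w:.-]*\s*=\s*)(["'])(.*?)\2""", re.S)
ABS_URL_RE = re.compile(r"""https?://[^\s'"()<>]+""", re.I)


def rewrite_url(url, backend=BACKEND, junction=JUNCTION, base=None):
    """Map one URL to its WebSEAL-relative form, or leave it alone."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in FILTER_SCHEMES:
        return url                       # e.g. mailto: is not a document; do not touch it
    if not scheme and base:
        url = urljoin(base, url)         # relative link resolved against the <base href>
    if url == backend or url.startswith(backend + "/"):
        return junction + url[len(backend):]
    return url


def rewrite_event_handler(script, backend=BACKEND, junction=JUNCTION, base=None):
    """[filter-events]: rewrite each absolute URL embedded in an event handler's JavaScript."""
    return ABS_URL_RE.sub(lambda m: rewrite_url(m.group(0), backend, junction, base), script)


def filter_response(html, backend=BACKEND, junction=JUNCTION):
    """Apply [filter-url] and [filter-events] rewriting to one HTML document."""
    state = {"base": None}

    def fix_tag(tag_match):
        tag = tag_match.group(1).upper()
        attrs = tag_match.group(2) or ""

        def fix_attr(attr_match):
            lead, quote, value = attr_match.groups()
            name = lead.split("=")[0].strip().upper()
            if (tag, name) in FILTER_URL:
                if (tag, name) == ("BASE", "HREF"):
                    state["base"] = value   # remember the original base before rewriting it
                value = rewrite_url(value, backend, junction, state["base"])
            elif (tag, name) in FILTER_EVENTS:
                value = rewrite_event_handler(value, backend, junction, state["base"])
            return f"{lead}{quote}{value}{quote}"

        return f"<{tag_match.group(1)}{ATTR_RE.sub(fix_attr, attrs)}>"

    return TAG_RE.sub(fix_tag, html)


# Constructed sample response from the junctioned server.
SAMPLE_HTML = (
    '<head><base href="http://junction.server.com/app/"></head>'
    '<form onsubmit="javaScript:doSomething(\'http://junction.server.com\')">'
    '<a href="mailto:user@example.com">Send me mail</a>'
    '<img src="images/logo.png" onload="track(\'http://junction.server.com/app/hit\')">'
    '<a href="https://junction.server.com/secure">secure</a>'
    '<a href="http://other.example.com/x">elsewhere</a>'
    '</form>'
)

if __name__ == "__main__":
    print(filter_response(SAMPLE_HTML))
```

Note that the https link survives untouched only because https is on the page's default [filter-schemes] list; the relative image path is first resolved against the base URL and then mapped onto the junction, which is the behaviour the mailto example above is guarding against.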

[forms] stanza

allow-empty-form-fields

Use the allow-empty-form-fields stanza entry to determine whether WebSEAL returns an error for login requests that contain an empty user name or an empty password.

Syntax

allow-empty-form-fields = {true|false}

Description

If a forms login request is received with either an empty user name or an empty password, WebSEAL returns the login form without stating an error.

If you prefer that an error message is displayed with the returned login form, set this value to true. In this case, WebSEAL attempts to authenticate the user and if the values have zero length, the registry returns the appropriate error.

Options

true
    Error message is displayed with the returned login form.

false
    Error message is not displayed with the returned login form.

Usage

This stanza entry is required.

Default value

false

Example

allow-empty-form-fields = false

forms-auth

Syntax

forms-auth = {none|http|https|both}

Description

Enables authentication using the Forms Authentication mechanism.

When forms authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

forms-auth = none

[gso-cache] stanza

gso-cache-enabled

Syntax

gso-cache-enabled = {yes|no}

Description

Enables or disables the Global Signon (GSO) cache.

Options

yes
    Enables the Global Signon (GSO) cache.

no
    Disables the Global Signon (GSO) cache.

Usage

This stanza entry is required.

Default value

no

Example

gso-cache-enabled = no

gso-cache-entry-idle-timeout

Syntax

gso-cache-entry-idle-timeout = number_of_seconds

Description

Integer value that specifies the timeout, in seconds, for cache entries that are idle.

Options

number_of_seconds
    The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to inactivity. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

120

Example

gso-cache-entry-idle-timeout = 120

gso-cache-entry-lifetime

Syntax

gso-cache-entry-lifetime = number_of_seconds

Description

Integer value that specifies the lifetime, in seconds, of a GSO cache entry.

Options

number_of_seconds

The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to their entry lifetime being exceeded. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

900

Example

gso-cache-entry-lifetime = 900

gso-cache-size

Syntax

gso-cache-size = number_of_entries

Description

Integer value indicating the number of entries allowed in the GSO cache.

Options

number_of_entries

The value must be greater than or equal to zero (0). Zero means that there is no limit on the size of the GSO cache. This is not recommended.

WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

1024

Example

gso-cache-size = 1024
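Added here as a worked example (not IBM's code): a small in-memory model of the three [gso-cache] limits described above, so the interaction of idle timeout, entry lifetime and cache size, including the documented meaning of a 0 value, can be exercised offline. The least-recently-used eviction order when gso-cache-size is exceeded is this example's assumption; the manual only states that entries may be removed.

```python
from collections import OrderedDict


class GsoCache:
    """Models a GSO credential cache governed by the [gso-cache] stanza entries.

    idle_timeout / lifetime of 0 mean "never expire for that reason", and size 0
    means unbounded, exactly as the stanza entries document. Eviction order when
    the size limit is hit is assumed to be least recently used (not stated by IBM).
    """

    def __init__(self, enabled=False, idle_timeout=120, lifetime=900, size=1024):
        for name, value in (("idle_timeout", idle_timeout),
                            ("lifetime", lifetime), ("size", size)):
            if value < 0:
                raise ValueError(f"{name} must be >= 0")
        self.enabled = enabled
        self.idle_timeout = idle_timeout
        self.lifetime = lifetime
        self.size = size
        # key -> (value, created_at, last_used_at); insertion order doubles as LRU order
        self._entries = OrderedDict()

    def _expired(self, created, last_used, now):
        if self.lifetime and now - created >= self.lifetime:
            return True          # gso-cache-entry-lifetime exceeded
        if self.idle_timeout and now - last_used >= self.idle_timeout:
            return True          # gso-cache-entry-idle-timeout exceeded
        return False

    def expire(self, now):
        """Drop every entry that has exceeded its lifetime or idle timeout."""
        stale = [k for k, (_, c, u) in self._entries.items() if self._expired(c, u, now)]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def put(self, key, value, now):
        if not self.enabled:     # gso-cache-enabled = no: nothing is cached
            return
        self.expire(now)
        self._entries.pop(key, None)
        self._entries[key] = (value, now, now)
        # gso-cache-size: 0 = no limit, otherwise evict the least recently used entry
        while self.size and len(self._entries) > self.size:
            self._entries.popitem(last=False)

    def get(self, key, now):
        if not self.enabled or key not in self._entries:
            return None
        value, created, last_used = self._entries[key]
        if self._expired(created, last_used, now):
            del self._entries[key]
            return None
        self._entries.move_to_end(key)              # mark as most recently used
        self._entries[key] = (value, created, now)  # refresh last_used_at
        return value

    def __len__(self):
        return len(self._entries)


if __name__ == "__main__":
    # Constructed walk-through: default timeouts, a cache of two entries.
    cache = GsoCache(enabled=True, idle_timeout=120, lifetime=900, size=2)
    cache.put("alice", "cred-a", now=0)
    print(cache.get("alice", now=100))   # still present, idle 100 < 120
    print(cache.get("alice", now=340))   # None: idle 240 >= 120
```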

[header-names] stanza

header-data

Use the header-data stanza entry to add HTTP headers to the request that WebSEAL sends to junctioned applications.

Syntax

<header-data> = <header-name>

Description

Controls the addition of HTTP headers into the request that is passed to junctioned applications.

To include the same <header-data> in different headers, specify multiple entries with the same <header-data> value.

Note: Do not include more than one entry with the same <header-name> value. The <header-name> values must be unique. If there is more than one entry for a particular <header-name>, WebSEAL processes the last entry for that <header-name>. Any preceding entries are disregarded.

Options

<header-data>

The type of data that WebSEAL adds to the <header-name> header of the request. The valid values for this entry are as follows:

server-name

The Security Access Manager authorization server name for the WebSEAL server. This name is the name of the authorization API administration server that is used in the server task commands.

client-ip-v4

The IPv4 address of the client of this request.

client-ip-v6

The IPv6 address of the client of this request.

host-name

The host name of the WebSEAL server. WebSEAL obtains this host name from the web-host-name configuration entry in the [server] stanza if specified. Otherwise, WebSEAL returns the host name of the server itself.

httphdr{<name>}

An HTTP header from the request as specified by the <name> field. If the HTTP header is not found in the request, WebSEAL uses the value in the [server] tag-value-missing-attr-tag configuration entry as the value for the header.

<header-name>

The name of the HTTP header that holds the data. Valid strings are limited to the following characters: A-Z, a-z, 0-9, hyphen ( - ), or underscore ( _ ).

Usage

This stanza entry is required.

Default value

server-name = iv_server_name

Example

server-name = iv_server_name

In this example, WebSEAL passes the following header and value to the junction if the WebSEAL instance is default-webseald-diamond.example.com:

iv_server_name:default-webseald-diamond.example.com

Other example entries:

client-ip-v4 = X-Forwarded-For
client-ip-v4 = X-Header
httphdr{host} = X-Forwarded-Host
host-name = X-Forwarded-Server
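Added here as a worked example (not IBM's code): a model of how the [header-names] entries above are turned into headers on the request WebSEAL forwards to a junction, including the "last entry for a duplicate <header-name> wins" rule, the httphdr{<name>} fallback to tag-value-missing-attr-tag, and the host-name fallback from web-host-name. The comment syntax, the server_cfg dictionary and all sample values are constructed assumptions.

```python
import re

# Allowed <header-name> characters, as listed in the stanza description
_HDR_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
_HTTPHDR = re.compile(r"^httphdr\{(?P<name>[^}]+)\}$")


def is_valid_header_name(name):
    return bool(_HDR_NAME.match(name))


def parse_header_names(stanza_lines):
    """Parse '<header-data> = <header-name>' lines into {header-name: header-data}.

    A <header-name> may appear once; if it repeats, the last entry wins and the
    earlier ones are disregarded. The same <header-data> may feed several headers.
    """
    mapping = {}
    for raw in stanza_lines:
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        data, _, name = line.partition("=")
        data, name = data.strip(), name.strip()
        if not is_valid_header_name(name):
            raise ValueError(f"illegal header name {name!r}")
        mapping[name] = data
    return mapping


def build_junction_headers(mapping, request_headers, client, server_cfg):
    """Compute the headers WebSEAL adds for one request.

    request_headers: inbound request headers, lower-case keys (constructed).
    client: {"ipv4": ..., "ipv6": ...} for the requesting client (constructed).
    server_cfg: the [server] stanza values this needs (constructed keys).
    """
    out = {}
    for name, data in mapping.items():
        m = _HTTPHDR.match(data)
        if data == "server-name":
            out[name] = server_cfg["server-name"]
        elif data == "client-ip-v4":
            out[name] = client["ipv4"]
        elif data == "client-ip-v6":
            out[name] = client["ipv6"]
        elif data == "host-name":
            # web-host-name from [server] if specified, else the server's own host name
            out[name] = server_cfg.get("web-host-name") or server_cfg["hostname"]
        elif m:
            # header copied from the request; missing -> tag-value-missing-attr-tag
            out[name] = request_headers.get(m.group("name").lower(),
                                            server_cfg["tag-value-missing-attr-tag"])
        else:
            raise ValueError(f"unknown header-data {data!r}")
    return out


# Constructed sample stanza exercising every rule above
HEADER_NAMES = [
    "server-name = iv_server_name",
    "client-ip-v4 = X-Forwarded-For",
    "client-ip-v4 = X-Header",            # same data in a second header: allowed
    "httphdr{host} = X-Forwarded-Host",
    "host-name = X-Forwarded-Server",
    "httphdr{referer} = X-Orig-Referer",  # header absent from the sample request
    "client-ip-v6 = X-Header",            # duplicate header-name: this entry wins
]

SERVER_CFG = {                            # constructed [server] values
    "server-name": "default-webseald-diamond.example.com",
    "web-host-name": None,                # not specified -> fall back to hostname
    "hostname": "diamond.example.com",
    "tag-value-missing-attr-tag": "(missing)",
}


def sample_headers():
    mapping = parse_header_names(HEADER_NAMES)
    return build_junction_headers(mapping, {"host": "www.example.com"},
                                  {"ipv4": "198.51.100.7", "ipv6": "2001:db8::7"},
                                  SERVER_CFG)


if __name__ == "__main__":
    for k, v in sample_headers().items():
        print(f"{k}: {v}")
```

When client-ip-v4 is mapped to X-Forwarded-For, the junctioned application must trust that header only because WebSEAL sets it; anything that reaches the back end without passing through WebSEAL can carry an arbitrary value.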

[http-headers] stanza

http-headers-auth

Syntax

http-headers-auth = {none|http|https|both}

Description

Enables authentication using an HTTP header authentication mechanism.

When HTTP header authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both} Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

http-headers-auth = none

[http-transformations] stanza

resource-name

Syntax

resource-name = path-to-resource-xsl-file

Description

Defines HTTP transformation resources. This configuration information is necessary to support WebSEAL HTTP transformations. You can use WebSEAL HTTP transformations to modify HTTP requests and HTTP responses (excluding the HTTP body) using XSLT.

Note: To enable the HTTP transformations for a particular resource, attach a POP to the appropriate part of the object space. This POP must contain an extended attribute with the name HTTPTransformation and one of the following values:

v Request = resource-name

v Response = resource-name

For more details, see the information about HTTP transformations in the IBM Security Access Manager: WebSEAL Administration Guide.

Options

resource-name

The name of the HTTP transformation resource.

path-to-resource-xsl-file

The path to the resource file.

Note: You must restart WebSEAL for changes to an XSL rules file to take effect.

Usage

This stanza entry is optional.

Comments

If an HTTP transformation rule modifies the URI or host header of the request, WebSEAL reprocesses the transformed request. This reprocessing ensures that the transformation does not bypass WebSEAL authorization. This behavior also means that administrators can define HTTP transformation rules to send requests to different junctions.

Note: WebSEAL performs reprocessing (and authorization) on the first HTTP transformation only. Transformed requests undergo HTTP transformation again if there is an appropriate POP attached to the associated object space. However, WebSEAL does not reprocess the new requests that result from these subsequent transformations.

Default value

None.

Example

resourceOne = /tmp/resourceOne.xsl

[ICAP:<resource>] stanza

The [ICAP:<resource>] stanza is used to define a single ICAP resource. The <resource> component of the stanza name must be changed to the actual name of the resource. To enable the ICAP resource for a particular object, a POP must be attached to the appropriate part of the object space. This POP must contain an extended attribute with the name ICAP, and a value that is equal to the name of the configured ICAP resource.

URL

Syntax

URL = URL string

Description

The complete URL on which the ICAP server is expecting requests.

Options

URL URL string

Usage

Required

Default value

None

Example

URL = icap://icap.example.net:1344/filter?mode=strict

Note: In the example, icap is the protocol being used.

transaction

Syntax

transaction = {req | rsp}

Description

The transaction for which the resource is invoked.

Options

req The ICAP server is invoked on the HTTP request.

rsp The ICAP server is invoked on the HTTP response.

Usage

Required

Default value

None

Example

transaction = req

timeout

Syntax

timeout = seconds

Description

The maximum length of time (in seconds) that WebSEAL waits for a response from the ICAP server.

Options

timeout

The time, in seconds, that WebSEAL waits for a response from the ICAP server.

Usage

Required

Default value

None

Example

timeout = 120

[icons] stanza

backicon

Syntax

backicon = relative_pathname

Description

Relative path name to a graphics file used to indicate the parent directory. This is used when displaying a directory index.

Options

relative_pathname

The relative_pathname can be any valid URI within the WebSEAL protected object space, as defined by doc-root.

Usage

This stanza entry is required. If the value is not specified, the value of unknownicon is used.

Default value

/icons/back.gif

Example

backicon = /icons/back.gif

diricon

Syntax

diricon = relative_pathname

Description

Relative path name to a graphics file to display to indicate a subdirectory. This is used when displaying a directory index.

Options

relative_pathname

The relative_pathname can be any valid URI within the WebSEAL protected object space, as defined by doc-root.

Usage

This stanza entry is required. If the value is not specified, the value of unknownicon is used.

Default value

/icons/folder2.gif

Example

diricon = /icons/folder2.gif

unknownicon

Syntax

unknownicon = relative_pathname

Description

Relative path name to a graphics file used to indicate an unknown file type. This is used when displaying a directory index.

Options

relative_pathname

The relative_pathname can be any valid URI within the WebSEAL protected object space, as defined by doc-root.

Usage

This stanza entry is required. If this value is not specified, a broken link GIF image is displayed.

Default value

/icons/unknown.gif

Example

unknownicon = /icons/unknown.gif

[illegal-url-substrings] stanza

Note: The [illegal-url-substrings] feature is deprecated. IBM might remove this feature in a subsequent release of the product.

substring

Syntax

substring = string

Description

WebSEAL blocks HTTP requests containing any of the substrings specified by these entries. Used to help mitigate the problems of cross-site scripting.

Options

string Character string.

Usage

This stanza entry is required.

Default value

<script

Example

substring = <script
substring = <applet
substring = <embed

[interfaces] stanza

interface_name

Syntax

interface_name = property=value[;property=value...]

Description

This stanza is used to define additional interfaces on which this WebSEAL instance can receive requests.

A network interface is defined as the combined set of values for a specific group of properties that include HTTP or HTTPS port setting, IP address, worker threads setting, and certificate handling setting.

Options

property

Interface property. Can be selected from:

network-interface=<ipAddress>
http-port=<port> | "disabled"
https-port=<port> | "disabled"
certificate-label=<keyFileLabel>
accept-client-certs="never" | "required" | "optional" | "prompt_as_needed"
worker-threads=<count> | "default"

value

Value of the property. Default values, if not present, include:

network-interface=0.0.0.0
http-port="disabled"
https-port="disabled"
certificate-label= (Uses key marked as default in key file.)
accept-client-certs="never"
worker-threads="default"

Usage

Entries in this stanza are optional.

Default value

None.

Example

(Entered as one line:)

support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16
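Added here as a worked example (not IBM's code): a parser for the [interfaces] property string above that applies the documented defaults and accepts only the listed accept-client-certs values. The port-range check and the two sanity findings in check_interface are this example's assumptions, not rules stated by the manual.

```python
import ipaddress

ALLOWED_CLIENT_CERTS = {"never", "required", "optional", "prompt_as_needed"}

# Defaults from the stanza description; None for certificate-label means
# "use the key marked as default in the key file".
DEFAULTS = {
    "network-interface": "0.0.0.0",
    "http-port": "disabled",
    "https-port": "disabled",
    "certificate-label": None,
    "accept-client-certs": "never",
    "worker-threads": "default",
}


def _port(value):
    if value == "disabled":
        return "disabled"
    port = int(value)
    if not 1 <= port <= 65535:          # assumption: ordinary TCP port range
        raise ValueError(f"port out of range: {value}")
    return port


def parse_interface(entry):
    """Parse 'interface_name = property=value[;property=value...]'.

    Returns (interface_name, settings) where settings holds every property,
    with the documented default filled in for anything not present.
    """
    name, sep, spec = entry.partition("=")
    if not sep:
        raise ValueError("expected 'interface_name = property=value...'")
    settings = dict(DEFAULTS)
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        prop, sep, value = item.partition("=")
        prop, value = prop.strip(), value.strip().strip('"')
        if prop not in DEFAULTS:
            raise ValueError(f"unknown property {prop!r}")
        if prop == "network-interface":
            settings[prop] = str(ipaddress.ip_address(value))   # rejects junk addresses
        elif prop in ("http-port", "https-port"):
            settings[prop] = _port(value)
        elif prop == "accept-client-certs":
            if value not in ALLOWED_CLIENT_CERTS:
                raise ValueError(f"accept-client-certs must be one of {sorted(ALLOWED_CLIENT_CERTS)}")
            settings[prop] = value
        elif prop == "worker-threads":
            settings[prop] = "default" if value == "default" else int(value)
        else:
            settings[prop] = value
    return name.strip(), settings


def check_interface(settings):
    """Sanity findings for one parsed interface (assumptions of this example)."""
    findings = []
    if settings["http-port"] == "disabled" and settings["https-port"] == "disabled":
        findings.append("no HTTP or HTTPS port enabled: interface accepts no requests")
    if settings["accept-client-certs"] != "never" and settings["https-port"] == "disabled":
        findings.append("accept-client-certs is not 'never' but https-port is disabled")
    return findings


if __name__ == "__main__":
    # The manual's own example entry
    name, cfg = parse_interface(
        "support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16")
    print(name, cfg, check_interface(cfg))
```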

[ipaddr] stanza

ipaddr-auth

Syntax

ipaddr-auth = {none|http|https|both}

Description

Enables authentication using a client's IP address.

When IP address authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both} Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

ipaddr-auth = none

[jdb-cmd:replace] stanza

jct-id=search-attr-value|replace-attr-value

Syntax

jct-id=search-attr-value|replace-attr-value

Description

Defines the mapping rules for the jdb import command. These mapping rules are applied to each attribute in the junction archive file before you import the new junction database.

Options

jct-id Refers to the junction point for a standard junction, which includes the leading '/' (slash), or the virtual host label for a virtual host junction.

search-attr-value

Specifies the attribute value in the junction definition for which you want to search and replace.

replace-attr-value

Specifies the new attribute value in the junction definition for which you want to search and replace.

Usage

This stanza entry is not required.

Default value

None.

Example

/test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com

[junction] stanza

allow-backend-domain-cookies

Use the allow-backend-domain-cookies stanza entry to control whether WebSEAL sends domain cookies from a back-end server to a client.

Syntax

allow-backend-domain-cookies = {yes|no}

Description

Indicates whether WebSEAL can send domain cookies from a back-end server to a client.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes WebSEAL is able to send domain cookies from a back-end server to a client.

no WebSEAL is not able to send domain cookies from a back-end server to a client.

Usage

This stanza entry is required.

Default value

no

Example

allow-backend-domain-cookies = no

basicauth-dummy-passwd

Syntax

basicauth-dummy-passwd = dummy_password

Description

Global password used when supplying basic authentication data over junctions that were created with the -b supply argument.

Options

dummy_password

Global password used when supplying basic authentication data over junctions that were created with the -b supply argument. Passwords must consist of ASCII characters.

Usage

This stanza entry is required.

Default value

dummy

Example

basicauth-dummy-passwd = dummy

crl-ldap-server

Syntax

crl-ldap-server = server_name

Description

Specifies the Server to be contacted to obtain Certificate Revocation Lists (CRL).

Options

server_name

This parameter can be set to one of two types of values:

1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:

v crl-ldap-server-port

v crl-ldap-user

v crl-ldap-user-password

2. The literal string “URI”. In the case where no direct LDAP Server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP Servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.

Note: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-server = diamond.example.com

crl-ldap-server-port

Syntax

crl-ldap-server-port = port_number

Description

Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during authentication across SSL junctions.

Options

port_number

Port number for communication with the LDAP server specified in crl-ldap-server.

Usage

This stanza entry is optional. When crl-ldap-server is specified, this stanza entry is required.

Default value

None.

Example

crl-ldap-server-port = 389

crl-ldap-user

Syntax

crl-ldap-user = user_DN

Description

Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List.

Options

user_DN

Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List. A null value for crl-ldap-server indicates that the SSL authenticator should bind to the LDAP server anonymously.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-user = user_DN

crl-ldap-user-password

Syntax

crl-ldap-user-password = password

Description

The password for the LDAP user specified in the crl-ldap-user stanza entry.

Options

password

The password for the LDAP user specified in the crl-ldap-user stanza entry.

Usage

This stanza entry is optional. When crl-ldap-user is specified, this stanza entry is required.

Default value

None.

Example

crl-ldap-user-password = mypassw0rd

disable-ssl-v2

Syntax

disable-ssl-v2 = {yes|no}

Description

Disables support for SSL Version 2 for junction connections. Support for SSL v2 is disabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is yes. The WebSEAL configuration sets this value.

Default value

yes

Example

disable-ssl-v2 = yes

disable-ssl-v3

Syntax

disable-ssl-v3 = {yes|no}

Description

Disables support for SSL Version 3 for junction connections. Support for SSL V3 is enabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.

Default value

no

Example

disable-ssl-v3 = no

disable-tls-v1

Syntax

disable-tls-v1 = {yes|no}

Description

Disables support for TLS Version 1 for junction connections. Support for TLS V1 is enabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.

Default value

no

Example

disable-tls-v1 = no

disable-tls-v11

Syntax

disable-tls-v11 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1 for junction connections. Support for TLS v1.1 is enabled by default.

Options

yes The value yes disables support for TLS version 1.1.

no The value no enables support for TLS version 1.1.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v11 = no

disable-tls-v12

Syntax

disable-tls-v12 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2 for junction connections. Support for TLS v1.2 is enabled by default.

Options

yes The value yes disables support for TLS version 1.2.

no The value no enables support for TLS version 1.2.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v12 = no

dont-reprocess-jct-404s

Syntax

dont-reprocess-jct-404s = {yes|no}

Description

If a resource cannot be found on a back-end server, that server returns an HTTP 404 error. The dont-reprocess-jct-404s stanza entry controls whether or not WebSEAL processes the request again by prepending the junction name to the URL.

You should never need to enable this stanza entry if you follow this best practice for junctions: The junction name should not match any directory name used in the Web space of the back-end server if HTML pages from that server contain programs (such as JavaScript or applets) with server-relative URLs to that directory.

The following scenario can occur when one does not adhere to this best practice for junctions:

1. A resource is located in the following subdirectory (using the same name as the junction) on the back-end server: /jct/page.html.

2. A page received by the client from this back-end server contains the following URL: /jct/page.html

3. When the link is followed, WebSEAL can immediately process the request because it recognizes what it thinks is the junction name in the URL. No configured URL modification technique is required.

4. At the time the request is forwarded to the back-end server, the junction name (/jct) is removed from the URL. The resource (/page.html) is not found at the root of the back-end server file system. The server returns a 404 error.

5. If WebSEAL is configured for dont-reprocess-jct-404s=no, it reprocesses the URL and prepends the junction name to the original URL: /jct/jct/page.html

6. Now the resource is successfully located at /jct/page.html on the back-end server.

NOTE:

v The default behavior in WebSEAL is to reprocess a request URL after an HTTP 404 error is returned from the back-end server. You can set the value of dont-reprocess-jct-404s to yes to override this default behavior.

v If the reprocess-root-jct-404s entry (also in the [junction] stanza) has been set to yes then root junction resource requests that result in a HTTP 404 error will be reprocessed regardless of the setting of this dont-reprocess-jct-404s stanza entry.
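Added here as a worked example (not IBM's code): a model of the six-step scenario above, showing the two back-end paths WebSEAL tries for /jct/page.html depending on dont-reprocess-jct-404s. The junction table, the in-memory back-end and the longest-prefix junction matching are constructed assumptions; the reprocess-root-jct-404s override is not modelled.

```python
def find_junction(url, junctions):
    """Return the longest junction point that prefixes the URL (assumed matching rule)."""
    best = None
    for jct in junctions:
        if url == jct or url.startswith(jct.rstrip("/") + "/"):
            if best is None or len(jct) > len(best):
                best = jct
    return best


def webseal_request(url, junctions, backends, dont_reprocess_jct_404s=True):
    """Simulate one request through WebSEAL.

    Returns (status, attempts) where attempts lists each back-end path tried,
    in order. backends maps a junction point to {back-end path: content}.
    """
    jct = find_junction(url, junctions)
    if jct is None:
        return 404, []                       # no junction matches: nothing to forward
    backend = backends[jct]
    attempts = []

    def try_path(path):
        attempts.append(path)
        return 200 if path in backend else 404

    # Step 4: strip the junction name and forward the remainder (/page.html)
    status = try_path(url[len(jct):] or "/")
    if status == 200 or dont_reprocess_jct_404s:
        return status, attempts
    # Step 5: prepend the junction name to the ORIGINAL URL (/jct/jct/page.html);
    # stripping the junction again makes the back-end see /jct/page.html (step 6)
    reprocessed = jct + url
    status = try_path(reprocessed[len(jct):])
    return status, attempts


# Constructed junction table and back-end content for the scenario
JUNCTIONS = ["/jct"]
BACKENDS = {
    "/jct": {
        "/jct/page.html": "<html>page in a directory named like the junction</html>",
        "/index.html": "<html>home</html>",
    },
}


if __name__ == "__main__":
    for setting in (True, False):
        status, tried = webseal_request("/jct/page.html", JUNCTIONS, BACKENDS,
                                        dont_reprocess_jct_404s=setting)
        print(f"dont-reprocess-jct-404s={'yes' if setting else 'no'}: {status} after {tried}")
```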

Options

yes When the back-end server returns an HTTP 404 error, do not reprocess the request URL.

no When the back-end server returns an HTTP 404 error, reprocess the request URL by prepending the junction name to the existing URL.

Usage

This stanza entry is required.

Default value

The default value in the template configuration file is yes.

Example

dont-reprocess-jct-404s = yes

dynamic-addresses

Syntax

dynamic-addresses = {yes|no}

Description

Indicates when the junction server host name is resolved to its corresponding IP address and used in communication with the junction server.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes The junction server host name is resolved to its corresponding IP address immediately before any communication with the junction server.

no The junction server host name is resolved to its corresponding IP address and this address is used for subsequent communication with the junction server.

Usage

This stanza entry is required.

Default value

no

Example

dynamic-addresses = no

http-timeout

Syntax

http-timeout = number_of_seconds

Description

Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

number_of_seconds

Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

120

Example

http-timeout = 120

https-timeout

Syntax

https-timeout = number_of_seconds

Description

Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Socket Layer (SSL) junction.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

number_of_seconds

Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Socket Layer (SSL) junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

120

Example

https-timeout = 120

insert-client-real-ip-for-option-r

Syntax

insert-client-real-ip-for-option-r = {yes|no}

Description

Determines whether to use the current IP address of the client or the one cached in the credentials at authentication time for the value passed in a header to junctions created with the -r option.

Options

yes Use the current IP address of the client for the value passed in a header to junctions created with the -r option.

no Use the client IP address cached in the credentials at authentication time for the value passed in a header to junctions created with the -r option.

Usage

This stanza entry is required.

Default value

no

Example

insert-client-real-ip-for-option-r = no

io-buffer-size

Syntax

io-buffer-size = number_of_bytes

Description

Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.

Options

number_of_bytes

Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.

The minimum value is 1. WebSEAL does not impose a maximum value.

A very small value (for instance, 10 bytes) can hurt performance by causing very frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions.

However, the low-level I/O functions may have their own internal buffers, such as the TCP send and receive buffers. Once io-buffer-size exceeds the size of those buffers (which are typically not large), there is no longer any performance improvement at all because those functions only read part of the buffer at a time.

Reasonable values for io-buffer-size range between 1 kB and 8 kB. Values smaller than this range cause the low-level I/O functions to be called too frequently. Values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread communicating with the junctioned server, since there is both an input and an output buffer.

Usage

This stanza entry is required.

Default value

4096

Example

io-buffer-size = 4096

jct-cert-keyfile

Syntax

jct-cert-keyfile = pathname_for_separate_key_file

Description

WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile parameter specifies the junction certificate keyfile. If this option is enabled, this is the keyfile used for CA and client certificates when negotiating SSL sessions with junctions.

Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the /var/pdweb/www-default/certs/pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.

Options

pathname_for_separate_key_file

The path name to the optional, separate junction certificate keyfile.

Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.

Usage

This stanza entry is optional.

Default value

/var/pdweb/www-default/certs/pdjct.kdb

Example

jct-cert-keyfile = /var/pdweb/www-default/certs/pdjct.kdb

jct-cert-keyfile-stash

Syntax

jct-cert-keyfile-stash = pathname_for_stash_file

Description

WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile-stash parameter specifies the stash file for the optional, separate junction certificate database.

Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the /var/pdweb/www-default/certs/pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.

Options

pathname_for_stash_file

The path name to the stash file for the optional, separate junction certificate database.

Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.

Usage

This stanza entry is optional.

Default value

/var/pdweb/www-default/certs/pdjct.sth

Examplejct-cert-keyfile-stash = /var/pdweb/www-default/certs/pdjct.sth

jct-cert-keyfile-pwd

Syntax

jct-cert-keyfile-pwd = password

Description

WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by jct-cert-keyfile-stash. This stanza entry stores the password in plain text in the configuration file, so anyone who can read the file can open the key database and its private keys. Use the stash file for optimum security.

Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the /var/pdweb/www-default/certs/pdjct.kdb key file (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.

Options

password
Password used to protect private keys in the optional, separate junction certificate key database.

Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.

Usage

This stanza entry is optional.

Default value

none

Example

jct-cert-keyfile-pwd = J73R45huu


jct-ocsp-enable

Syntax

jct-ocsp-enable = {yes|no}

Description

Enables Online Certificate Status Protocol (OCSP) checking of the revocation status of certificates supplied by a junctioned server, using the OCSP responder URL carried in the certificate's Authority Information Access (AIA) extension. A certificate that carries no AIA extension cannot be checked by this method alone; see jct-ocsp-url.

Options

yes Enable OCSP checking of the revocation status of certificates supplied by junctioned servers.

no Disable OCSP checking of certificates supplied by junctioned servers.

Usage

This stanza entry is optional.

Note: This option can be used as an alternative to, or in conjunction with, the jct-ocsp-url option. With the default of no and no jct-ocsp-url configured, WebSEAL performs no OCSP revocation checking of junction server certificates.

Default value

no

Example

jct-ocsp-enable = no

jct-ocsp-max-response-size

Syntax

jct-ocsp-max-response-size = number_of_bytes

Description

Sets the maximum response size (in bytes) that WebSEAL accepts from an OCSP responder. Responses larger than this limit are discarded, which protects WebSEAL against a denial of service attack by way of an oversized OCSP response.

Options

number_of_bytes
Maximum response size, in bytes.

Usage

This stanza entry is optional.

Default value

20480

Example

jct-ocsp-max-response-size = 20480


jct-ocsp-nonce-check-enable

Syntax

jct-ocsp-nonce-check-enable = {yes|no}

Description

Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP response validation to fail if there is a caching proxy between WebSEAL and the OCSP responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.

Options

yes WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.

no WebSEAL does not check the nonce in the OCSP response.

Usage

This stanza entry is optional.

Default value

no

Example

jct-ocsp-nonce-check-enable = no

jct-ocsp-nonce-generation-enable

Syntax

jct-ocsp-nonce-generation-enable = {yes|no}

Description

Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay of old OCSP responses to WebSEAL, but it may cause an excessive load on an OCSP responder appliance because the responder cannot use cached responses and must sign each response.

Options

yes WebSEAL generates a nonce as part of the OCSP request.

no WebSEAL does not generate a nonce as part of the OCSP request.

Usage

This stanza entry is optional.

Default value

no

Example

jct-ocsp-nonce-generation-enable = no

jct-ocsp-proxy-server-name

Syntax

jct-ocsp-proxy-server-name = <proxy host name>

Description

Specifies the name of the proxy server that provides access to the OCSP responder.

Options

proxy host name
Fully qualified name of the proxy server.

Usage

This stanza entry is optional.

Default value

None

Example

jct-ocsp-proxy-server-name = proxy.ibm.com

jct-ocsp-proxy-server-port

Syntax

jct-ocsp-proxy-server-port = <proxy host port number>

Description

Specifies the port number of the proxy server that provides access to the OCSP responder.

Options

proxy host port number
Port number used by the proxy server to route OCSP requests and responses.

Usage

This stanza entry is optional.

Default value

None

Example

jct-ocsp-proxy-server-port = 8888


jct-ocsp-url

Syntax

jct-ocsp-url = <OCSP Responder URL>

Description

Specifies the URL of the OCSP responder. If a URL is provided, WebSEAL uses OCSP for all revocation status checking regardless of whether the certificate has an Authority Information Access (AIA) extension, so OCSP also works with existing certificates that carry no AIA extension. WebSEAL first tries the OCSP responder configured by this entry rather than the location specified by an AIA extension. If the revocation status is still undetermined, and jct-ocsp-enable is set to yes, WebSEAL then tries to obtain the revocation status using the access method in the AIA extension. What happens when both attempts leave the status undetermined is governed by jct-undetermined-revocation-cert-action.

Options

OCSP Responder URL
URL of the OCSP responder.

Usage

This stanza entry is optional.

Default value

None

Example

jct-ocsp-url = http://responder.ibm.com/

jct-ssl-reneg-warning-rate

Syntax

jct-ssl-reneg-warning-rate = number_renegotiations/minute

Description

When this option is set to a value greater than zero (0), WebSEAL produces a warning message if the SSL session renegotiation rate between junctioned servers and WebSEAL reaches this level or greater. The value is specified as the number of renegotiations per minute. An unexpectedly high renegotiation rate is worth alerting on because repeated renegotiation is a common way to exhaust CPU on the SSL endpoints.

Options

number_renegotiations/minute
Rate of session renegotiations between junctioned servers and WebSEAL at which the warning is produced.

Usage

This stanza entry is required.

Default value

0

Example

jct-ssl-reneg-warning-rate = 0

jct-undetermined-revocation-cert-action

Syntax

jct-undetermined-revocation-cert-action = {ignore | log | reject}

Description

Controls the action that WebSEAL takes if OCSP or CRL checking is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate value for this entry should be provided by the OCSP or CRL responder owner. Note that both ignore and log fail open: a certificate whose revocation status could not be determined is still accepted. Only reject fails closed.

Options

ignore WebSEAL ignores the undetermined revocation status and permits use of the certificate.

log WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.

reject WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.

Usage

This stanza entry is optional.

Default value

log

Example

jct-undetermined-revocation-cert-action = log

jmt-map

Syntax

jmt-map = relative_pathname

Description

The relative path name of the file that contains the location of the Junction-to-Request Mapping Table (JMT).

The administrator can rename this file if necessary. The file name can be any file name valid for the operating system file system.

Options

relative_pathname
Relative path name of the file that contains the location of the Junction-to-Request Mapping Table (JMT). This value is relative to the value of the server-root entry in the [server] stanza.

Usage

This stanza entry is required.

Default value

lib/jmt.conf

Example

jmt-map = lib/jmt.conf

junction-db

Syntax

junction-db = relative_pathname

Description

Relative path name of the directory that contains the junction database.

Options

relative_pathname
Relative path name of the directory that contains the junction database. This value is relative to the value of the server-root entry in the [server] stanza.

Usage

This stanza entry is required.

Default value

jct

Example

junction-db = jct

managed-cookies-list

Syntax

managed-cookies-list = list

Description

The managed-cookies-list contains a comma-separated list of patterns that are matched against the names of cookies returned by junctioned servers. Cookies with names that match the patterns in this list are stored in the WebSEAL cookie jar and not returned to the client. Cookies that do not match these patterns are returned to the client browser.

The WebSEAL cookie jar is turned off by not specifying any cookies in the managed-cookies-list.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A comma-separated list of pattern-matched cookie names.

Usage

This stanza entry is optional.

Default value

This option is empty by default.

Example

managed-cookies-list = JSESS*,Ltpa*

mangle-domain-cookies

Syntax

mangle-domain-cookies = {yes | no}

Description

Enables or disables WebSEAL domain cookie name mangling behavior.

Note:

1. This option enables domain cookie mangling on a server-wide basis. The option cannot be configured on a per-junction basis.

2. This option is relevant only for junctions that use a reprocessing solution such as -j or JMT.

3. This option does not affect cookies listed in preserve-cookie-names.

Options

yes Enables WebSEAL to mangle the names of domain cookies. Information identifying the junction is added to the cookie name, and the cookie is only associated with that junction. If mangle-path-into-cookie-name is set to yes, then the backend path attribute information is also mangled into the cookie name.

no WebSEAL does not mangle the names of domain cookies.

Usage

This stanza entry is optional.

Default value

This option is disabled by default.

Example

mangle-domain-cookies = yes


match-vhj-first

Determines the order in which WebSEAL searches the standard and virtual host junction tables for a match to a request.

Syntax

match-vhj-first = {yes|no}

Description

WebSEAL manages separate junction tables for standard and virtual host junctions. By default, when a request comes in, WebSEAL searches the virtual host junction table first. If WebSEAL does not find a match, it searches the table that manages standard junctions. The match-vhj-first entry can reverse the search order so that WebSEAL searches the standard junction table before searching the virtual host junction table.

Options

yes WebSEAL searches the virtual host junction table first.

no WebSEAL searches the standard junction table first.

Usage

This stanza entry is required.

Default value

yes

Example

The following example tells WebSEAL to search the standard junction table first:

match-vhj-first = no

max-cached-persistent-connections

Syntax

max-cached-persistent-connections = number_of_connections

Description

The maximum number of persistent connections that are stored in the cache for future use. Connections with junctioned Web servers are cached for future use unless the configured limit (as defined by this configuration entry) is reached, or unless a Connection: close header is received in the HTTP response.

Note: If this setting is enabled, there is the potential for different user sessions to use the same connection when processing junction requests. Do not enable it for back-end servers that associate authentication state with the TCP connection rather than with each request. To disable the persistent connection functionality, specify a max-cached-persistent-connections value of zero (0).

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

number_of_connections
Integer value indicating the maximum number of persistent connections that are stored in the cache for future use. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.

Usage

This stanza entry is required.

Default value

0

Example

max-cached-persistent-connections = 0

max-webseal-header-size

Syntax

max-webseal-header-size = number_of_bytes

Description

Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. Headers larger than this value are split across multiple HTTP headers.

Note: The max-webseal-header-size entry does not limit the maximum size of HTTP-Tag-Value headers.

Options

number_of_bytes
Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.

Usage

This stanza entry is required.

Default value

0

Example

max-webseal-header-size = 0

pass-http-only-cookie-atr

Syntax

pass-http-only-cookie-atr = {yes|no}

Description

Indicates whether WebSEAL passes or removes the HttpOnly attribute from the Set-Cookie headers sent by junctioned servers. With the default of no, a cookie that the back-end application marked as inaccessible to client-side script reaches the browser without that protection.

Options

yes WebSEAL passes the HttpOnly attribute from Set-Cookie headers sent by junctioned servers through to the client.

no WebSEAL removes the HttpOnly attribute from Set-Cookie headers sent by junctioned servers.

Usage

This stanza entry is required.

Default value

no

Example

pass-http-only-cookie-atr = no

persistent-con-timeout

Syntax

persistent-con-timeout = number_of_seconds

Description

Indicates the maximum number of seconds a persistent connection can remain idle in the cache before the connection is cleaned up and closed by WebSEAL.

Use an integer value lower than the configured maximum connection lifetime for the junctioned web server. For example, the connection lifetime for a junctioned Apache web server is controlled by the KeepAliveTimeout configuration entry.

You can customize the persistent-con-timeout configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Note: If you do not use an integer value lower than the connection lifetime on the junctioned web server, you might encounter the following problem.

If the [junction] max-cached-persistent-connections configuration entry is set to a value greater than zero, WebSEAL reuses its TCP/IP session with the junctioned back-end server. If the junctioned back-end server closes the socket at the same time that WebSEAL starts to use this session to send a request, the request fails.

To send the request again, WebSEAL opens a new TCP/IP session. If the request body is larger than the size that WebSEAL can cache, WebSEAL cannot resend the request and generates a 500 error.

Options

number_of_seconds
Integer value that indicates the maximum number of seconds a persistent connection can remain idle in the cache before the connection is closed by WebSEAL. The minimum value is 1. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

5

Example

persistent-con-timeout = 5

ping-method

Syntax

ping-method = method

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional ping-method entry sets the HTTP request method used in these pings. The valid options include any valid HTTP request method (for example, HEAD or GET, for HTTP HEAD and HTTP GET requests respectively).

This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

method Perform an HTTP request using the specified method to determine the state of the junctioned server.

Usage

This stanza entry is optional.

Default value

HEAD

Example

ping-method = GET

ping-time

Syntax

ping-time = number_of_seconds

Description

Integer value indicating the number of seconds between pings issued by the WebSEAL server. The pings are issued periodically in the background to verify that junctioned Web servers are running.

If a server is deemed not to be running, the recovery-ping-time value determines the interval at which pings are sent until the server is running again. The type of ping used is determined by the ping-method value. Rules for interpreting the HTTP response code can be defined using the response-code-rules configuration entry.

Options

number_of_seconds
Integer value indicating the number of seconds between pings issued by the WebSEAL server. The minimum value is 1. WebSEAL does not impose a maximum value.

Usage

To turn this ping off, set this entry to zero. If this entry is set to zero, the recovery-ping-time must be set.

Default value

300

Example

ping-time = 300

ping-uri

Syntax

ping-uri = uri

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional ping-uri configuration entry defines the URI that is accessed by the ping request. The defined URI is relative to the root Web space of the junctioned Web server. If the URI is missing, this value defaults to /.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

uri The URI that is accessed by the ping request.

Usage

This stanza entry is optional.

Default value

/

Example

ping-uri = /apps/status

recovery-ping-time

Syntax

recovery-ping-time = number_of_seconds

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. This entry sets the interval, in seconds, between pings while the server is determined to be not running.

Options

number_of_seconds
Integer value indicating the number of seconds between pings issued by the WebSEAL server to a junctioned server that is determined to be not running. The minimum value is 1. WebSEAL does not impose a maximum value.

Usage

This stanza entry is optional. If this entry is not set, recovery-ping-time defaults to the ping-time value.

Default value

300

Example

recovery-ping-time = 300

reprocess-root-jct-404s

Syntax

reprocess-root-jct-404s = {yes|no}

Description

Used to reprocess requests for root junction resources that result in an HTTP 404 error.

The dont-reprocess-jct-404s entry (also in the [junction] stanza) can be set to yes to avoid multiple attempts to prepend a junction point to the beginning of the URL string when reprocessing requests that have resulted in an HTTP 404 status code.

WebSEAL determines whether the request is already known to be for a non-local junction. However, WebSEAL fails to add a junction point when requests have been made for a root junction created at "/". To modify this behavior and cause requests for root junction resources that result in an HTTP 404 error to be reprocessed, you can use this reprocess-root-jct-404s stanza entry.

Options

yes Cause requests for root junction resources that result in an HTTP 404 error to be reprocessed regardless of the setting of the dont-reprocess-jct-404s entry (also in the [junction] stanza).

no The value of the dont-reprocess-jct-404s entry (also in the [junction] stanza) determines whether root junction requests that result in an HTTP 404 error are reprocessed. That is, if the value of dont-reprocess-jct-404s is no, then the HTTP 404 errors are still reprocessed.

Usage

This stanza entry is optional.

Default value

no

Example

reprocess-root-jct-404s = yes

reset-cookies-list

Syntax

reset-cookies-list = list

Description

Determines which cookies are reset when the user session is logged out. The request received from the client and the response sent back to the client are both examined for matching cookies.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A comma-separated list of patterns. WebSEAL resets any cookies with names that match the patterns in this list.

Usage

This stanza entry is required.

Default value

nil

Example

reset-cookies-list = JSESS*,Ltpa*


response-code-rules

Syntax

response-code-rules = list

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional response-code-rules configuration entry defines the rules that are used to determine whether HTTP responses indicate a healthy or an unhealthy junctioned Web server.

The configuration entry contains a space-separated list of rules. Each rule has the format: [+|-]<code> (for example, -50?)

where:

+ Indicates that this is a healthy response code.

- Indicates that this is an unhealthy response code.

<code> The corresponding response code, which can also contain pattern matching characters such as * and ?

The HTTP response codes are evaluated against each rule in sequence until a match is found. The sign (+|-) of the matching rule determines whether the junctioned Web server is healthy or not. If the response code matches no configured rule, the junctioned Web server is considered healthy.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A space-separated list of response code rules. These rules determine whether the response from a junctioned Web server indicates a healthy or an unhealthy server.

Usage

This stanza entry is optional.

Default value

nil

Example

response-code-rules = +2?? -*
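The rule evaluation described above (first matching rule wins, no match means healthy) together with the ping-time / recovery-ping-time scheduling described under ping-time, modelled as an added example. This is illustrative code written for this page, not WebSEAL's implementation; the response codes it walks through are constructed, and the assumption that a ping-time of 0 simply means "no ping" follows the Usage text for ping-time.

```python
import fnmatch


def parse_rules(rules):
    """Parse a response-code-rules value such as '+2?? -*' into (healthy, pattern) pairs.

    Each space-separated rule is a sign (+ healthy, - unhealthy) followed by a
    status-code pattern that may use the * and ? wildcards.
    """
    parsed = []
    for token in rules.split():
        sign, pattern = token[0], token[1:]
        if sign not in "+-" or not pattern:
            raise ValueError(f"malformed response-code rule: {token!r}")
        parsed.append((sign == "+", pattern))
    return parsed


def is_healthy(status_code, rules):
    """Evaluate one ping response against the rules in order; first match wins.

    A response code that matches no rule counts as healthy, which is the
    documented WebSEAL behaviour and the reason a trailing '-*' is needed
    when only the listed codes should be accepted.
    """
    code = str(status_code)
    for healthy, pattern in parse_rules(rules):
        if fnmatch.fnmatchcase(code, pattern):
            return healthy
    return True


def next_ping_delay(healthy, ping_time, recovery_ping_time=None):
    """Seconds until the next background ping of a junctioned server.

    ping-time applies while the server is healthy; recovery-ping-time applies
    once it is marked down and defaults to ping-time when not configured.
    A ping-time of 0 turns the background ping off (modelled as None).
    """
    if ping_time == 0:
        return None
    if healthy:
        return ping_time
    return recovery_ping_time if recovery_ping_time is not None else ping_time


def simulate_pings(status_codes, rules, ping_time, recovery_ping_time=None):
    """Walk a constructed sequence of ping response codes and return
    (code, healthy, seconds_until_next_ping) for each one."""
    trace = []
    for code in status_codes:
        healthy = is_healthy(code, rules)
        trace.append((code, healthy, next_ping_delay(healthy, ping_time, recovery_ping_time)))
    return trace


# Constructed sample: a junctioned server that answers 200, fails with 503
# twice, then recovers. Rules: any 2xx is healthy, everything else unhealthy.
SAMPLE_CODES = [200, 503, 503, 200]

if __name__ == "__main__":
    for code, healthy, delay in simulate_pings(SAMPLE_CODES, "+2?? -*", 300, 30):
        state = "healthy" if healthy else "unhealthy"
        print(f"{code} -> {state}, next ping in {delay}s")
```

Note the difference between `-50?` alone and `+2?? -*`: with the first rule set a 404 from the ping URI still counts as healthy because nothing matches it, which is rarely what an operator intends.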

share-cookies

Syntax

share-cookies = {yes|no}

Description

The share-cookies entry controls whether the cookie jar is shared across different junctions or whether each junction has a dedicated cookie jar. Setting it to yes sends cookies that one back-end server set to every other junctioned server, so enable it only when all junctioned servers may see one another's cookies.

Options

yes If this entry is set to yes, cookies are sent over all junctions, regardless of the junction from which the cookie originated.

no If this entry is set to no, only cookies received from a junction are sent in requests to that junction.

Usage

This stanza entry is required.

Default value

no

Example

share-cookies = yes
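The cookie handling described under managed-cookies-list, pass-http-only-cookie-atr, reset-cookies-list and share-cookies, as an added example that models the decisions those entries control. This is illustrative code written for this page, not WebSEAL's cookie jar; the Set-Cookie headers it processes are constructed, the Set-Cookie parsing is deliberately minimal, and treating logout as emptying the jar is an assumption of the model.

```python
import fnmatch


def split_patterns(value):
    """Split a managed-cookies-list / reset-cookies-list value into glob patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def name_matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: returns (name, value, [attribute strings])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), [a for a in parts[1:] if a]


def render_set_cookie(name, value, attrs):
    return "; ".join([f"{name}={value}"] + attrs)


class JunctionCookieJar:
    """Models WebSEAL's cookie jar decisions for cookies set by junctioned servers."""

    def __init__(self, managed_cookies_list="", share_cookies=False,
                 pass_http_only_cookie_atr=False):
        self.managed = split_patterns(managed_cookies_list)  # empty list = jar off
        self.share = share_cookies
        self.pass_http_only = pass_http_only_cookie_atr
        self.jar = {}  # junction name -> {cookie name: value}

    def on_response(self, junction, set_cookie_headers):
        """Filter the Set-Cookie headers of a junction response.

        Cookies whose names match managed-cookies-list are kept in the jar and
        not returned to the client. Everything else is forwarded, with the
        HttpOnly attribute removed unless pass-http-only-cookie-atr = yes.
        """
        forwarded = []
        for header in set_cookie_headers:
            name, value, attrs = parse_set_cookie(header)
            if self.managed and name_matches(name, self.managed):
                self.jar.setdefault(junction, {})[name] = value
                continue
            if not self.pass_http_only:
                attrs = [a for a in attrs if a.lower() != "httponly"]
            forwarded.append(render_set_cookie(name, value, attrs))
        return forwarded

    def on_request(self, junction):
        """Cookie header WebSEAL adds when forwarding a request to `junction`.

        With share-cookies = no only cookies received from that junction are
        sent; with yes every jarred cookie goes to every junction.
        """
        if self.share:
            cookies = {}
            for stored in self.jar.values():
                cookies.update(stored)
        else:
            cookies = self.jar.get(junction, {})
        if not cookies:
            return None
        return "; ".join(f"{n}={v}" for n, v in sorted(cookies.items()))

    def on_logout(self, reset_cookies_list, client_cookie_names):
        """Names to reset at logout: matching cookies seen in the client's request
        plus matching cookies held in the jar (the jar is then emptied)."""
        patterns = split_patterns(reset_cookies_list)
        names = {n for n in client_cookie_names if name_matches(n, patterns)}
        for stored in self.jar.values():
            names.update(n for n in stored if name_matches(n, patterns))
        self.jar.clear()
        return sorted(names)


# Constructed Set-Cookie headers as a junctioned application might return them.
SAMPLE_RESPONSE = [
    "JSESSIONID=9F2A; Path=/app; HttpOnly",
    "LtpaToken2=abc123; Domain=example.com; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    jar = JunctionCookieJar("JSESS*,Ltpa*")
    print(jar.on_response("/app", SAMPLE_RESPONSE))  # only the theme cookie reaches the client
    print(jar.on_request("/app"))                    # jarred cookies replayed to /app
    print(jar.on_request("/other"))                  # None: not shared across junctions
```

Running the sample with `pass_http_only_cookie_atr` left at its default shows the point made under pass-http-only-cookie-atr: the `theme` cookie would lose any HttpOnly attribute on its way to the browser.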

support-virtual-host-domain-cookies

Syntax

support-virtual-host-domain-cookies = {yes|no}

Description

If allow-backend-domain-cookies is set to yes, then this option modifies how WebSEAL validates the domain. This option has no effect if validate-backend-domain-cookies = no.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes If set to "yes", then the domain cookie is validated by comparing it with the virtual host specified for a backend server with the -v junction option.

no If set to "no", or if no virtual host was specified for a junction, then the fully qualified host name is compared with the domain value of a backend cookie for validation.

Usage

This stanza entry is required.

Default value

yes

Example

support-virtual-host-domain-cookies = yes

use-new-stateful-on-error

Syntax

use-new-stateful-on-error = {yes|no}

Description

Controls how WebSEAL responds to a stateful server that becomes unavailable.

This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For example:

[junction:/WebApp]

Options

yes When set to "yes" and the original server becomes unavailable during a session, WebSEAL directs the user's next request (containing the original stateful cookie) to a new replica server on the same stateful junction. If a new replica server is found on that stateful junction, and is responsive to the request, WebSEAL sets a new stateful cookie on the user's browser. Subsequent requests during this same session (and containing the new stateful cookie) are directed to this same new server.

no When set to "no" and the original server becomes unavailable during a session, WebSEAL does not direct the user's subsequent requests to a new replica server on the same stateful junction. Instead, WebSEAL returns an error and attempts to access the same server for subsequent requests by the user during this session.

Usage

This stanza entry is required.

Default value

no

Example

use-new-stateful-on-error = yes

validate-backend-domain-cookies

Syntax

validate-backend-domain-cookies = {yes|no}

Description

Specifies whether WebSEAL validates the domain attribute of cookies returned by junctioned servers before forwarding them to the client.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes If set to "yes", then only domain cookies that adhere to the cookie specification are forwarded to the user. If the domain is the fully qualified host name of the originating back-end machine, then the cookie is forwarded to the user with no domain specified.

no If set to "no", then all domain cookies are forwarded to the user, regardless of their content.

Usage

This stanza entry is required.

Default value

yes

Example

validate-backend-domain-cookies = yes

worker-thread-hard-limit

Syntax

worker-thread-hard-limit = percentage_of_threads

Description

Integer value indicating the limit, expressed as a percentage of the total worker threads, of the worker threads that may be used for processing requests for junctions. The limit stops requests for slow junctioned servers from consuming every worker thread in the WebSEAL server.

Options

percentage_of_threads

Integer value indicating the limit, expressed as a percentage of the total worker threads, of the worker threads that may be used for processing requests for junctions. The default value of 100 means that there is no limit.

When the value of worker-thread-hard-limit is less than 100, and the limit is exceeded, WebSEAL generates an error message.

Usage

This stanza entry is required.

Default value

100

Example

worker-thread-hard-limit = 100

worker-thread-soft-limit

Syntax

worker-thread-soft-limit = percentage_of_threads

Description

Integer value indicating the limit, expressed as a percentage of the total worker threads, of the worker threads that may be used for processing requests for junctions before WebSEAL warns that the hard limit is being approached.

Options

percentage_of_threads

Integer value indicating the limit, expressed as a percentage of the total worker threads, of the worker threads that may be used for processing requests for junctions.

When the value of worker-thread-soft-limit is less than 100, and the limit is exceeded, WebSEAL generates a warning message.

Usage

This stanza entry is required.

Default value

90

Example

worker-thread-soft-limit = 90

disable-local-junctions

WebSEAL can serve pages from a local web server through local junctions.

Syntax

disable-local-junctions = {yes|no}

Description

If local junctions are not used, you can disable the functionality with the disable-local-junctions configuration item.

Options

yes Disables local junction functionality.

no Enables local junction functionality.

Usage

This stanza entry is optional.

Example

The following example enables local junction functionality:

disable-local-junctions = no

[junction:junction_name] stanza

Note: This stanza is optional and must be manually inserted into the WebSEAL configuration file. The junction_name in the stanza name is the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For details about the configuration entries supported in this junction-specific stanza, see the description of the corresponding configuration entry in the [junction] stanza.
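The override rule above (a [junction:junction_name] stanza takes precedence over the server-wide [junction] stanza for that junction), as an added example that resolves effective values from a configuration fragment and runs the checks a reviewer of the [junction] stanza would make from the entries documented on this page. This is illustrative code written for this page, not part of WebSEAL; the configuration text is constructed, and Python's configparser is used as an approximation of the stanza syntax (it does not accept every construct a real webseald.conf may contain, for example repeated keys).

```python
import configparser

# Constructed fragment of a webseald.conf in the stanza format this reference
# describes; paths and values are illustrative only.
SAMPLE_CONFIG = """\
[server]
server-root = /var/pdweb/www-default

[junction]
jct-cert-keyfile = /var/pdweb/www-default/certs/pdjct.kdb
jct-cert-keyfile-pwd = J73R45huu
jct-ocsp-enable = no
jct-undetermined-revocation-cert-action = log
max-cached-persistent-connections = 0
persistent-con-timeout = 5
pass-http-only-cookie-atr = no

[junction:/WebApp]
max-cached-persistent-connections = 10
persistent-con-timeout = 2
"""


def load_stanzas(text):
    """Parse stanza-style configuration text ([stanza] sections, key = value lines)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep entry names exactly as written
    cp.read_string(text)
    return cp


def junction_setting(cp, key, junction=None, default=None):
    """Effective value of a [junction] entry for one junction.

    A [junction:<name>] stanza (junction point with leading '/', or the virtual
    host label) overrides the server-wide [junction] value for that junction.
    """
    if junction is not None and cp.has_option(f"junction:{junction}", key):
        return cp.get(f"junction:{junction}", key)
    if cp.has_option("junction", key):
        return cp.get("junction", key)
    return default


def junction_names(cp):
    """Junctions that have their own [junction:<name>] stanza."""
    return [s.split(":", 1)[1] for s in cp.sections() if s.startswith("junction:")]


def audit_junction_stanza(cp):
    """Findings a reviewer would raise about the junction-related entries."""
    findings = []

    def get(key, default=None):
        return junction_setting(cp, key, default=default)

    keyfile = get("jct-cert-keyfile")
    stash, pwd = get("jct-cert-keyfile-stash"), get("jct-cert-keyfile-pwd")
    if keyfile and not (stash or pwd):
        findings.append("jct-cert-keyfile is set but neither jct-cert-keyfile-stash "
                        "nor jct-cert-keyfile-pwd is defined")
    if pwd:
        findings.append("jct-cert-keyfile-pwd stores the key database password in "
                        "plain text; use jct-cert-keyfile-stash instead")
    if get("jct-ocsp-enable", "no") == "no" and not get("jct-ocsp-url"):
        findings.append("no OCSP revocation checking of junction server certificates "
                        "(jct-ocsp-enable = no and jct-ocsp-url unset)")
    if get("jct-undetermined-revocation-cert-action", "log") != "reject":
        findings.append("certificates with undetermined revocation status are accepted "
                        "(jct-undetermined-revocation-cert-action is not 'reject')")
    if get("pass-http-only-cookie-atr", "no") == "no":
        findings.append("HttpOnly is stripped from back-end Set-Cookie headers "
                        "(pass-http-only-cookie-atr = no)")
    for name in junction_names(cp):
        cached = junction_setting(cp, "max-cached-persistent-connections", name, "0")
        if int(cached) > 0:
            findings.append(f"junction {name} caches persistent connections; different "
                            "user sessions may reuse the same back-end connection")
    return findings


if __name__ == "__main__":
    cp = load_stanzas(SAMPLE_CONFIG)
    print("persistent-con-timeout for /WebApp:",
          junction_setting(cp, "persistent-con-timeout", "/WebApp"))
    for finding in audit_junction_stanza(cp):
        print("-", finding)
```

The per-junction loop only sees junctions that have an explicit [junction:<name>] stanza; junctions that inherit everything from [junction] are covered by the server-wide checks above it.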

[ldap] stanza

auth-timeout

Syntax

auth-timeout = {0|number_seconds}

Description

Amount of time (in seconds) that will be allowed for authentication operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for authentication operations.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options

0 No timeout is allowed.

number_seconds The specified number of seconds allowed for authentication operations, specified as a positive integer. There is no range limitation for timeout values.

Usage

This stanza entry is optional.

Default value

0

Example

auth-timeout = 0

auth-using-compare

Syntax

auth-using-compare = {yes|true|no|false}

Description

Enables or disables authentication using password comparison. When disabled, authentication using LDAP bind is performed.


For those LDAP servers that allow it, a compare operation might perform faster than a bind operation.

Options

yes|true A password compare operation is used to authenticate LDAP users.

no|false A bind operation is used to authenticate LDAP users.

Usage

This stanza entry is optional.

Default value

The default value, when LDAP is enabled, is yes.

Example

auth-using-compare = yes

bind-dn

Syntax

bind-dn = LDAP_DN

Description

LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server. This is the name that represents the WebSEAL server daemon.

Options

LDAP_DN LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server.

Usage

This stanza entry is required when LDAP is enabled.

Default value

The default value is built by combining the daemon name webseald with the host_name that was specified by the administrator during the configuration of the Security Access Manager runtime component.

Example

bind-dn = cn=webseald/surf,cn=SecurityDaemons,secAuthority=Default

bind-pwd

Syntax

bind-pwd = LDAP_password


Description

Password for the LDAP user distinguished name declared in the bind-dn stanza entry.

Options

LDAP_password Password for the LDAP user distinguished name declared in the bind-dn stanza entry.

Usage

This stanza entry is required when LDAP is enabled.

Default value

The default value of this stanza entry is set during WebSEAL configuration. The WebSEAL configuration reads the LDAP_password that was specified by the administrator during the configuration of the Security Access Manager runtime component. This value is read from the Security Access Manager configuration file, pd.conf.

Example

bind-pwd = zs77WVoLSZn1rKrL

cache-enabled

Syntax

cache-enabled = {yes|true|no|false}

Description

Enable and disable LDAP client-side caching.

Options

yes|true Enable LDAP client-side caching.

no|false Disable LDAP client-side caching. Anything other than yes|true, including a blank value, is interpreted as no|false.

Usage

This stanza entry is required.

Default value

yes

Example

cache-enabled = yes


cache-group-expire-time

Syntax

cache-group-expire-time = number_of_seconds

Description

Specifies the amount of time to elapse before a group entry in the cache is discarded.

This entry is used only when cache-enabled = {yes|true}.

Options

number_of_seconds Specifies the amount of time to elapse before a group entry in the cache is discarded.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 300 seconds.

Example

cache-group-expire-time = 300

cache-group-membership

Syntax

cache-group-membership = {yes|no}

Description

Indicates whether group membership information should be cached.

This entry is used only when cache-enabled = {yes|true}.

Options

yes Cache group membership information.

no Do not cache group membership information.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the group information is cached.

Example

cache-group-membership = yes


cache-group-size

Syntax

cache-group-size = number

Description

Specifies the number of entries in the LDAP group cache.

This entry is used only when cache-enabled = {yes|true}.

Options

number Specifies the number of entries in the LDAP group cache.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 64.

Example

cache-group-size = 64

cache-policy-expire-time

Syntax

cache-policy-expire-time = number_of_seconds

Description

Specifies the amount of time to elapse before a policy entry in the cache is discarded.

This entry is used only when cache-enabled = {yes|true}.

Options

number_of_seconds Specifies the amount of time to elapse before a policy entry in the cache is discarded.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 30 seconds.

Example

cache-policy-expire-time = 30


cache-policy-size

Syntax

cache-policy-size = number

Description

Specifies the number of entries in the LDAP policy cache.

This entry is used only when cache-enabled = {yes|true}.

Options

number Specifies the number of entries in the LDAP policy cache.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 20.

Example

cache-policy-size = 20

cache-return-registry-id

Syntax

cache-return-registry-id = {yes|no}

Description

Indicates whether to cache the user identity as it is stored in the registry or cache the value as entered during authentication. Ignored if the cache is not enabled. If not set, the default is no.

Options

yes Cache the user identity as it is stored in the registry.

no Cache the user identity as it was entered during authentication.

Usage

This stanza entry is optional.

Default value

no

Example

cache-return-registry-id = no


cache-user-expire-time

Syntax

cache-user-expire-time = number_of_seconds

Description

Specifies the amount of time to elapse before a user entry in the cache is discarded.

This entry is used only when cache-enabled = {yes|true}.

Options

number_of_seconds Specifies the amount of time to elapse before a user entry in the cache is discarded.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 30 seconds.

Example

cache-user-expire-time = 30

cache-user-size

Syntax

cache-user-size = number

Description

Specifies the number of entries in the LDAP user cache.

This entry is used only when cache-enabled = {yes|true}.

Options

number Specifies the number of entries in the LDAP user cache.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 256.

Example

cache-user-size = 256


cache-use-user-cache

Syntax

cache-use-user-cache = {yes|no}

Description

Indicates whether to use the user cache information or not.

This entry is used only when cache-enabled = {yes|true}.

Options

yes Use the user cache information.

no Do not use the user cache information.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the user cache information is used.

Example

cache-use-user-cache = yes

default-policy-override-support

Syntax

default-policy-override-support = {yes|true|no|false}

Description

Indicates whether default policy overrides user level policy during LDAP searches. When this stanza entry is set to yes, only the default policy is checked.

Options

yes|true User policy support is disabled and only the global (default) policy is checked. This option allows the user policy to be ignored, even when it is specified.

no|false User policy support is enabled. When a user policy is specified by the administrator, it overrides the global policy.

Usage

This stanza entry is optional.

Default value

By default, the value is not specified during WebSEAL configuration. When the value is not specified, the default behavior is to enable user policy support. This is equivalent to setting this stanza entry to no.

Example

default-policy-override-support = yes

enabled

Syntax

enabled = {yes|true|no|false}

Description

Indicates whether or not LDAP is being used as the user registry.

Options

yes|trueEnable LDAP user registry support.

no|false Disables LDAP user registry support and indicates that LDAP is not the user registry being used. Anything other than yes|true, including a blank value, is interpreted as no|false.

Usage

This stanza entry is required when LDAP is the user registry.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

enabled = yes

host

Syntax

host = host_name

Description

Host name of the LDAP server.

Options

host_name Valid values for host_name include any valid IP host name. The host_name does not have to be a fully qualified domain name.

Usage

This stanza entry is required.


Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

host = diamond
host = diamond.example.com

ldap-server-config

Syntax

ldap-server-config = fully_qualified_path

Description

Location of the ldap.conf configuration file, represented as a fully qualified path.

Because the ldap-server-config parameter is required in webseald.conf, the values for enabled, host, port, ssl-port, max-search-size, and replica are obtained from the ldap.conf file. If any of these parameters exist in webseald.conf, their values are overridden by the values from ldap.conf.

Options

fully_qualified_path Location of the ldap.conf configuration file, represented as a fully qualified path. The fully_qualified_path value must be an alphanumeric string.

Usage

This stanza entry is required.

Default value

Default value is based on the operating system type.

Example

Example (UNIX):

ldap-server-config = /opt/PolicyDirector/etc/ldap.conf

login-failures-persistent

Syntax

login-failures-persistent = {yes|true|no|false}

Description

When set to "yes", login hits are tracked in the registry instead of only in the local process cache.


Persistent login hit recording impacts performance but allows consistent login hit counting across multiple servers.

Options

yes|true When set to "yes", login hits are tracked in the registry instead of only in the local process cache.

no|false When set to "no", login hits are tracked only in the local process cache, not in the registry.

Usage

This stanza entry is optional.

Default value

The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is no.

Example

login-failures-persistent = yes

max-search-size

Syntax

max-search-size = {0|number_entries}

Description

Limit for the maximum search size, specified as the number of entries, that can be returned from the LDAP server. The value for each server can be different, depending on how the server was configured.

Options

0 The number is unlimited; there is no limit to the maximum search size.

number_entries The maximum number of entries for search, specified as an integer whole number. This value can be limited by the LDAP server itself.

Usage

This stanza entry is optional.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

max-search-size = 2048


prefer-readwrite-server

Syntax

prefer-readwrite-server = {yes|true|no|false}

Description

Allows or disallows the client to question the Read/Write LDAP server before querying any replica Read-only servers configured in the domain.

Options

yes|true Enable the choice.

no|false Disable the choice. Anything other than yes|true, including a blank value, is interpreted as no|false.

Usage

This stanza entry is optional.

Default value

no

Example

prefer-readwrite-server = no

port

Syntax

port = port_number

Description

Number of the TCP/IP port used for communicating with the LDAP server. Note that this is not for SSL communication.

Options

port_number A valid port number is any positive integer that is allowed by TCP/IP and that is not currently being used by another application.

Usage

This stanza entry is required when LDAP is enabled.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.


Example

port = 389

replica

Syntax

replica = ldap-server, port, type, pref

Description

Definition of the LDAP user registry replicas in the domain.

Security Access Manager supports a maximum of one host and nine LDAP replica servers, which are listed in the ldap.conf file. If more than nine LDAP replica entries are listed, the Security Access Manager servers cannot start.

Options

ldap-server The network name of the server.

port The port number for the LDAP server. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.

type One of read-only or read/write.

pref A number from 1 to 10 (10 is the highest preference).

Usage

This stanza entry is optional.

Default value

Default value is that no replicas are specified.

Any value is always taken during WebSEAL initialization from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

Example of one replica specified and two replicas commented out:

replica = rep1,390,readonly,1
#replica = rep2,391,readwrite,2
#replica = rep3,392,readwrite,3
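As an added example (not IBM's code), the following Python parses replica entries from a constructed [ldap] stanza, applies the field rules given above (type readonly or readwrite, pref from 1 to 10, at most nine replicas) and orders the servers by preference, honouring prefer-readwrite-server. The read_stanza parser, the sort order within equal preference, and the sample configuration are constructed for this example.

```python
# Added example (not IBM's code): parse the replica entries of a WebSEAL
# [ldap] stanza, validate them against the rules this reference gives, and
# order them the way a client honouring prefer-readwrite-server would.
from dataclasses import dataclass
from typing import List, Tuple

MAX_REPLICAS = 9                       # one host plus at most nine replicas
VALID_TYPES = {"readonly", "readwrite"}


@dataclass(frozen=True)
class Replica:
    host: str
    port: int
    rw_type: str    # "readonly" or "readwrite"
    pref: int       # 1..10, 10 is the highest preference


def read_stanza(text: str, stanza: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from one [stanza] of stanza-style config text.

    Lines starting with '#' are comments, as in the reference's own example.
    """
    pairs: List[Tuple[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == stanza.lower() and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def parse_replica_value(value: str) -> Replica:
    """Parse the value side of 'replica = ldap-server, port, type, pref'."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"replica needs 4 fields, got {len(parts)}: {value!r}")
    host, port_s, rw_type, pref_s = parts
    if not host:
        raise ValueError("replica server name is empty")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"invalid port {port_s!r} for replica {host}")
    rw_type = rw_type.lower()
    if rw_type not in VALID_TYPES:
        raise ValueError(f"replica type must be readonly or readwrite, got {rw_type!r}")
    if not pref_s.isdigit() or not 1 <= int(pref_s) <= 10:
        raise ValueError(f"replica pref must be 1..10, got {pref_s!r}")
    return Replica(host, int(port_s), rw_type, int(pref_s))


def ldap_replicas(text: str) -> List[Replica]:
    """Parse and validate every replica entry of the [ldap] stanza."""
    replicas = [parse_replica_value(v)
                for k, v in read_stanza(text, "ldap") if k == "replica"]
    if len(replicas) > MAX_REPLICAS:
        raise ValueError(f"{len(replicas)} replicas listed; the servers cannot "
                         f"start with more than {MAX_REPLICAS}")
    return replicas


def query_order(replicas: List[Replica], prefer_readwrite: bool = False) -> List[str]:
    """Server names in the order a client would try them: highest pref first;
    with prefer-readwrite-server = yes, read/write servers before read-only ones.
    Ordering by host name within equal preference is a choice of this example."""
    def sort_key(r: Replica):
        rw_first = 0 if (prefer_readwrite and r.rw_type == "readwrite") else 1
        return (rw_first, -r.pref, r.host)
    return [r.host for r in sorted(replicas, key=sort_key)]


def query_order_from_config(text: str) -> List[str]:
    """Read prefer-readwrite-server from the stanza (anything but yes|true is no)."""
    settings = dict(read_stanza(text, "ldap"))
    prefer = settings.get("prefer-readwrite-server", "no").lower() in ("yes", "true")
    return query_order(ldap_replicas(text), prefer)


# Constructed sample configuration, extending the reference's replica example.
SAMPLE_CONFIG = """\
[ldap]
enabled = yes
host = diamond.example.com
port = 389
prefer-readwrite-server = no
replica = rep1,390,readonly,1
#replica = rep2,391,readwrite,2
replica = rep3,392,readwrite,3
replica = rep4,393,readonly,10
"""

if __name__ == "__main__":
    print(query_order_from_config(SAMPLE_CONFIG))                            # rep4, rep3, rep1
    print(query_order(ldap_replicas(SAMPLE_CONFIG), prefer_readwrite=True))  # rep3, rep4, rep1
```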

search-timeout

Syntax

search-timeout = {0|number_seconds}


Description

Amount of time (in seconds) that will be allowed for search operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for search operations.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options

0 No timeout is allowed.

number_seconds The specified number of seconds allowed for search operations, specified as a positive integer. There is no range limitation for timeout values.

Usage

This stanza entry is optional.

Default value

0

Example

search-timeout = 0

ssl-enabled

Syntax

ssl-enabled = {yes|true|no|false}

Description

Enables or disables SSL communication between WebSEAL and the LDAP server.

Options

yes|true Enable SSL communication.

no|false Disable SSL communication.

Usage

This stanza entry is optional.

Default value

SSL communication is disabled by default. During WebSEAL server configuration, the WebSEAL administrator can choose to enable it.

Example

ssl-enabled = yes


ssl-keyfile

Syntax

ssl-keyfile = fully_qualified_path

Description

SSL key file name and location. The SSL key file handles certificates that are used in LDAP communication.

Options

fully_qualified_path The WebSEAL administrator specifies this file name during WebSEAL configuration. The file name must be a fully qualified path. The file name can be any arbitrary choice, but the extension is usually .kdb.

Usage

This stanza entry is required when SSL communication is enabled, as specified in the ssl-enabled stanza entry.

Default value

None.

Example

Example for UNIX or Linux:

ssl-keyfile = /var/pdweb/keytabs/webseald.kdb

Example for Windows:

ssl-keyfile = c:\keytabs\pd_ldapkey.kdb

ssl-keyfile-dn

Syntax

ssl-keyfile-dn = key_label

Description

String that specifies the key label of the client personal certificate within the SSL key file. This key label is used to identify the client certificate that is presented to the LDAP server.

Options

key_label String that specifies the key label of the client personal certificate within the SSL key file.

Usage

This stanza entry is optional. A label is not required when one of the certificates in the keyfile has been identified as the default certificate. The decision whether to identify a certificate as the default was made previously by the LDAP administrator when configuring the LDAP server. The WebSEAL configuration utility prompts the WebSEAL administrator to supply a label. When the administrator knows that the certificate contained in the keyfile is the default certificate, the administrator does not have to specify a label.

Default value

None.

Example

ssl-keyfile-dn = "PD_LDAP"

ssl-keyfile-pwd

Syntax

ssl-keyfile-pwd = password

Description

Password to access the SSL key file.

Options

password Password to access the SSL key file. The WebSEAL administrator specifies this password during WebSEAL configuration. The password associated with the default SSL keyfile is gsk4ikm.

Usage

Deprecated: The ssl-keyfile-pwd entry is deprecated in the [ldap] stanza. Although this entry might exist in a configuration file, it will be ignored.

Default value

None.

Example

ssl-keyfile-pwd = gsk4ikm

ssl-port

Syntax

ssl-port = port_number

Description

SSL IP port that is used to connect to the LDAP server. Note that this is for SSL communication.

Options

port_number A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.


Usage

This stanza entry is required only when LDAP is enabled and the LDAP server is configured to perform client authentication (ssl-enabled = yes).

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

ssl-port = 636

timeout

Syntax

timeout = {0|number_seconds}

Description

Amount of time (in seconds) that is allowed for authentication or search operations before the LDAP server is considered to be unavailable. If specified, a value for the stanza entries auth-timeout or search-timeout overrides the value of this stanza entry.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options

0 No timeout is allowed.

number_seconds The number of seconds allowed for authentication or search, specified as a positive integer. There is no range limitation for timeout values.

Usage

This stanza entry is optional.

Default value

0

Example

timeout = 0

user-and-group-in-same-suffix

Syntax

user-and-group-in-same-suffix = {yes|true|no|false}


Description

Indicates whether the groups, in which a user is a member, are defined in the same LDAP suffix as the user definition.

When a user is authenticated, the groups in which the user is a member must be determined in order to build a credential. Normally, all LDAP suffixes are searched to locate the groups of which the user is a member.

Options

yes|true The groups are assumed to be defined in the same LDAP suffix as the user definition. Only that suffix is searched for group membership. This behavior can improve the performance of group lookup because only a single suffix is searched for group membership. This option should only be specified if group definitions are restricted to the same suffix as the user definition.

no|false The groups might be defined in any LDAP suffix.

Usage

This stanza entry is optional.

Default value

The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is no.

Example

user-and-group-in-same-suffix = yes

[local-response-macros] stanza

macro

Syntax

macro = macro[:name]

Description

URL-encoded macros to include in the query string for all redirected management page requests. WebSEAL provides a default set of macros.

By default, WebSEAL uses the macro values as arguments in the generated query string. Alternatively, you can customize the name of the arguments used in the query string by adding a colon followed by a name value.

Options

macro URL-encoded macro.

name WebSEAL uses this custom name as an argument in the response URI. If you do not provide a value for this custom name then WebSEAL defaults to using the macro value as an argument in the response URI.


Note: For the HTTPHDR macro, the default value is HTTPHDR_<name>, where <name> is the name of the HTTP header defined in the macro. For the CREDATTR macro, the default value is CREDATTR_<name>, where <name> is the name of the attribute defined in the macro.

Usage

This stanza entry is optional.

Default value

None.

Example

The following entry causes WebSEAL to use the default value USERNAME as an argument in the query string.

macro = USERNAME

The following entry causes WebSEAL to use the custom value myUserName as an argument in the query string.

macro = USERNAME:myUserName

[local-response-redirect] stanza

local-response-redirect-uri

Syntax

local-response-redirect-uri = URI

Description

URL to which management page requests are redirected.

All requests for management pages are redirected to this URL with a query string indicating the operation requested, along with any macros (as configured in the [local-response-macros] stanza).

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [local-response-redirect:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

URI URL to which management page requests are redirected.

Usage

This stanza entry is optional.


Default value

None.

Example of a server relative URL:

local-response-redirect-uri = /jct/page.html

Example of an absolute URL:

local-response-redirect-uri = http://www.example.com/
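An added example (not IBM's code) that resolves the redirect the [local-response-macros] and [local-response-redirect] stanzas describe, working from already-parsed stanza data: the junction-specific stanza overrides the global one, and each macro is appended under its custom name or, without one, its own name. The argument name operation for the requested operation, the macro values passed in by the caller, and the sample configuration are assumptions of this example.

```python
# Added example (not IBM's code): resolve the redirect that the
# [local-response-redirect] and [local-response-macros] stanzas describe.
# The configuration is given as already-parsed stanzas (stanza name -> list of
# (key, value) pairs). Assumptions of this example: the query-string argument
# carrying the requested operation is named "operation", and macro values are
# supplied by the caller as a dict keyed by macro name.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

Stanzas = Dict[str, List[Tuple[str, str]]]


def parse_macros(config: Stanzas) -> List[Tuple[str, str]]:
    """(macro, argument name) pairs from 'macro = macro[:name]' entries.

    Without ':name' the argument defaults to the macro name itself.
    """
    result: List[Tuple[str, str]] = []
    for key, value in config.get("local-response-macros", []):
        if key != "macro":
            continue
        macro, _, name = value.partition(":")
        macro = macro.strip()
        result.append((macro, name.strip() or macro))
    return result


def redirect_uri(config: Stanzas, junction: Optional[str] = None) -> Optional[str]:
    """A [local-response-redirect:junction] value overrides the global stanza."""
    stanzas = ["local-response-redirect"]
    if junction is not None:
        stanzas.insert(0, f"local-response-redirect:{junction}")
    for stanza in stanzas:
        for key, value in config.get(stanza, []):
            if key == "local-response-redirect-uri":
                return value
    return None


def build_redirect(config: Stanzas, operation: str, macro_values: Dict[str, str],
                   junction: Optional[str] = None) -> Optional[str]:
    """Redirect URL carrying the operation and the configured macros, URL-encoded."""
    base = redirect_uri(config, junction)
    if base is None:
        return None                     # no redirect configured
    args = [("operation", operation)]   # assumed argument name, see above
    for macro, arg_name in parse_macros(config):
        if macro in macro_values:
            args.append((arg_name, macro_values[macro]))
    parts = urlsplit(base)
    # Keep any query already present in the configured URI, then append ours.
    query = "&".join(q for q in (parts.query, urlencode(args)) if q)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


# Constructed sample configuration using the entries shown in this reference.
SAMPLE_CONFIG: Stanzas = {
    "local-response-macros": [("macro", "USERNAME:myUserName")],
    "local-response-redirect": [("local-response-redirect-uri", "http://www.example.com/")],
    "local-response-redirect:/jct": [("local-response-redirect-uri", "/jct/page.html")],
}

if __name__ == "__main__":
    values = {"USERNAME": "alice smith"}
    print(build_redirect(SAMPLE_CONFIG, "login", values))
    print(build_redirect(SAMPLE_CONFIG, "login", values, junction="/jct"))
```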

[logging] stanza

absolute-uri-in-request-log

Use the absolute-uri-in-request-log stanza entry to log the absolute URI in the request log, combined log, and HTTP audit records.

Syntax

absolute-uri-in-request-log = {yes|no}

Description

Log the absolute URI in the request log, combined log, and HTTP audit records. Adds protocol and host to the path.

Options

yes Log the absolute URI.

no Do not log the absolute URI.

Usage

This stanza entry is required.

Default value

no

Example

absolute-uri-in-request-log = no

agents

Use the agents stanza entry to enable or disable the agents log.

Syntax

agents = {yes|no}

Description

Enables or disables the agents log. This log records the contents of the User-Agent: header of each HTTP request.

Options

yes The value yes enables the agents log.


no The value no disables the agents log.

Usage

This stanza entry is required.

Default value

yes

Example

agents = yes

agents-file

Use the agents-file stanza entry to specify the agents log file.

Syntax

agents-file = fully_qualified_path

Description

Fully qualified path to the agents log file.

Options

fully_qualified_path Fully qualified path to the agents log file.

Usage

This stanza entry is required.

Default value

The default location is www-instance/log/agent.log, located under the WebSEAL installation directory.

Example

Example on UNIX or Linux:

agents-file = /var/pdweb/www-web1/log/agent.log

audit-mime-types

Use the audit-mime-types stanza entry to configure WebSEAL to use the mime type to determine whether to generate an audit event for a particular HTTP request.

Syntax

mime-pattern = {yes|no}


Description

WebSEAL determines whether the content-type of the HTTP response matches any of the configured MIME patterns. If the HTTP response does match one of the MIME patterns, WebSEAL uses this entry to determine whether to generate an audit event.

Note:

1. More specific MIME patterns take precedence over less specific MIME patterns. For example, if image/* = yes (general), but image/jpeg = no (more specific), then an HTTP response with an image MIME-type other than JPEG generates an audit event; a response with a JPEG MIME-type does not generate an audit event.

2. If an HTTP response does not match any of the MIME patterns that are listed in this stanza, WebSEAL does generate an audit event.

Options

yes WebSEAL generates an audit event for a response that contains the corresponding content MIME-type.

no WebSEAL does not generate an audit event for a response that contains the corresponding content MIME-type.

Usage

This stanza entry is optional.

Default value

None.

Example

image/jpeg = no
image/* = no
*/* = no
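An added example (not IBM's code) of the precedence rule in Note 1 and the unmatched-response rule in Note 2, applied to a response's Content-Type header value against the stanza body above and the Note 1 entries; stripping a parameter such as "; charset=UTF-8" before matching is an assumption of this example.

```python
# Added example (not IBM's code): the audit decision this stanza describes,
# applied to a response's Content-Type. Stripping parameters such as
# '; charset=utf-8' before matching is an assumption of this example.
from typing import Dict, Optional, Tuple


def parse_entries(lines: str) -> Dict[str, bool]:
    """'mime-pattern = yes|no' lines of the [audit-mime-types] stanza body."""
    entries: Dict[str, bool] = {}
    for raw in lines.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            pattern, _, setting = line.partition("=")
            entries[pattern.strip().lower()] = setting.strip().lower() == "yes"
    return entries


def specificity(pattern: str) -> int:
    """*/* is least specific (0), type/* next (1), type/subtype most (2)."""
    major, _, minor = pattern.partition("/")
    if major == "*":
        return 0
    return 1 if minor == "*" else 2


def pattern_matches(pattern: str, mime: str) -> bool:
    """A '*' on either side of the slash matches any value there."""
    p_major, _, p_minor = pattern.partition("/")
    m_major, _, m_minor = mime.partition("/")
    return p_major in ("*", m_major) and p_minor in ("*", m_minor)


def should_audit(content_type: str, entries: Dict[str, bool]) -> bool:
    """Note 1: the most specific matching pattern decides (first one wins on a tie).
    Note 2: a response matching no pattern generates an audit event."""
    mime = content_type.split(";", 1)[0].strip().lower()   # drop parameters (assumption)
    best: Optional[Tuple[int, bool]] = None
    for pattern, audit in entries.items():
        if pattern_matches(pattern, mime):
            rank = specificity(pattern)
            if best is None or rank > best[0]:
                best = (rank, audit)
    return True if best is None else best[1]


# Constructed stanza bodies: the reference's Note 1 case and its Example.
NOTE1_STANZA = """\
image/* = yes
image/jpeg = no
"""
EXAMPLE_STANZA = """\
image/jpeg = no
image/* = no
*/* = no
"""

if __name__ == "__main__":
    note1 = parse_entries(NOTE1_STANZA)
    print(should_audit("image/png", note1))                   # True  (image/* = yes)
    print(should_audit("image/jpeg", note1))                  # False (image/jpeg = no wins)
    print(should_audit("text/html; charset=UTF-8", note1))    # True  (no pattern matched)
    print(should_audit("text/html", parse_entries(EXAMPLE_STANZA)))  # False (*/* = no)
```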

audit-response-codes

Syntax

code = {yes|no}

Description

Determines whether WebSEAL will generate an audit event for an HTTP request based on the response code of the HTTP response.

Options

yes WebSEAL will generate an audit event for an HTTP response that matches the corresponding response code.

no WebSEAL will not generate an audit event for an HTTP response that matches the corresponding response code.


Usage

This stanza entry is optional.

Default value

None.

Example

200 = no
304 = no
401 = yes

config-data-log

Syntax

config-data-log = fully_qualified_path

Description

Fully qualified path to the configuration data log file.

Options

fully_qualified_path Fully qualified path to the configuration data log file.

Usage

This stanza entry is required.

Default value

The default location is log/config_data.log, located under the WebSEAL installation directory.

Example

Example on UNIX or Linux:

config-data-log = /var/pdweb/log/config_data.log

flush-time

Syntax

flush-time = number_of_seconds

Description

Integer value indicating the frequency, in seconds, to force a flush of log buffers.

Options

number_of_seconds Integer value indicating the frequency, in seconds, to force a flush of log buffers. The minimum value is 1 second. The maximum value is 600 seconds.


Usage

This stanza entry is optional.

Default value

20

Example

flush-time = 20

gmt-time

Syntax

gmt-time = {yes|no}

Description

Enables or disables logging requests using Greenwich Mean Time (GMT) instead of the local timezone.

Options

yes A value of yes means to use GMT.

no A value of no means to use the local timezone.

Usage

This stanza entry is required.

Default value

no

Example

gmt-time = no

host-header-in-request-log

Syntax

host-header-in-request-log = {yes|no}

Description

Log the Host header at the front of each line in the request log and the combined log.

Options

yes Log the Host header.

no Do not log the Host header.

Usage

This stanza entry is required.


Default value

no

Example

host-header-in-request-log = no

log-invalid-requests

Syntax

log-invalid-requests = {yes|no}

Description

Specifies whether or not WebSEAL logs all requests, including requests that are malformed or for some other reason are not processed to completion.

Options

yes WebSEAL logs every request, even if a request is malformed or for some other reason is not processed to completion.

no WebSEAL logs most requests. In some cases, requests that are malformed or for some other reason are not processed to completion will not be logged. This option exists for compatibility with versions of WebSEAL prior to version 6.0.

Usage

This stanza entry is required.

Default value

yes

Example

log-invalid-requests = yes

max-size

Syntax

max-size = number_of_bytes

Description

Integer value indicating the size limit of the log files. This value applies to the request, referer, and agent logs. The size limit is also referred to as the rollover threshold. When the log file reaches this threshold, the original log file is renamed and a new log file with the original name is created.

Options

number_of_bytes

When the value is zero (0), no rollover log file is created.

When the value is a negative integer, the logs are rolled over daily, regardless of the size.

When the value is a positive integer, the value indicates the maximum size, in bytes, of the log file before the rollover occurs. The allowable range is from 1 byte to 2 gigabytes.

Usage

This stanza entry is required.

Default value

2000000

Example

max-size = 2000000

referers

Syntax

referers = {yes|no}

Description

Enables or disables the referers log. This log records the Referer: header of each HTTP request.

Options

yes The value yes enables referers logging.

no The value no disables referers logging.

Usage

This stanza entry is required.

Default value

yes

Example

referers = yes

referers-file

Syntax

referers-file = fully_qualified_path

Description

Fully qualified path to the referers log file.

Options

fully_qualified_path

Fully qualified path to the referers log file.

Usage

This stanza entry is required.

Default value

The default location is www-instance/log/referer.log, located under the WebSEAL installation directory.

Example

Example on UNIX or Linux:

referers-file = /var/pdweb/www-web1/log/referer.log

requests

Syntax

requests = {yes|no}

Description

Enables or disables the requests log. This log records standard logging of HTTP requests.

Options

yes The value yes enables requests logging.

no The value no disables requests logging.

Usage

This stanza entry is required.

Default value

yes

Example

requests = yes

requests-file

Syntax

requests-file = fully_qualified_path

Description

Fully qualified path to the request log file.

Options

fully_qualified_path

Fully qualified path to the request log file.

Usage

This stanza entry is required.

Default value

The default location is www-instance/log/request.log, located under the WebSEAL installation directory.

Example

Example on UNIX or Linux:

requests-file = /var/pdweb/www-web1/log/request.log

request-log-format

Syntax

request-log-format = directives

Description

Contains the format in which a customized request log is created. For more information, see the IBM Security Access Manager for Web Auditing Guide.

Options

You can use the following directives:

%a Remote IP address.

%A Local IP address.

%b Bytes in the reply that exclude HTTP headers, in CLF format: '-' instead of 0 when no bytes are returned.

%B Bytes in the reply that exclude HTTP headers.

%{Attribute}C Attribute from the Security Access Manager credential named 'Attribute'.

%d Transaction identifier, or session sequence number.

%F Time that is taken to serve the request in microseconds.

%h Remote host.

%H Request protocol.

%{header-name}i Contents of the header header-name in the request.

%j The name of the junction in the request.

%l Remote logname.

%m Request method (that is, GET, POST, HEAD).

%{header-name}o Contents of the header header-name in the reply.

%p Port of the WebSEAL server the request was served on.

%q The query string (add a prefix with "?" or empty).

%Q Logs raw query strings that the user must decode manually.

%r First line of the request.

%R First line of the request that includes HTTP://HOSTNAME.

%s Status.

%t Time and date in CLF format.

%{format}t The time and date in the specified format.

%T Time that is taken to serve the request, in seconds. The request is the initial request processed by the WebSEAL worker thread. The value can include inactivity time of the client browser. The time is shown in whole seconds, rounded up by adding 1 second, so no request is reported as taking less than 1 second.

%u Remote user.

%U The URL requested.

%v Canonical ServerName of the server that is serving the request.

%z The path portion of the URL in decoded form.

%Z The path portion of the URL in raw form.

Usage

The request-log-format string must not contain the # character.

Default value

The default of this parameter is equivalent to the normal default log output. It is commented out by default.

Example

Example on AIX, Linux, or Solaris:

request-log-format = %h %l %u %t "%r" %s %b
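The directive table above describes a format string, and a log consumer needs a parser that follows the same format. The following added example (not code from the IBM reference) builds such a parser from a request-log-format string for the single-letter and braced directives listed above, applies it to constructed sample lines in the example format, and summarizes status classes; the addresses, paths and host names in the samples are placeholders.

```python
"""Added example, not from the IBM reference: build a parser for WebSEAL
request log lines from a request-log-format string, using the directives
listed above, then run it over constructed sample lines."""
import re
from typing import Dict, List, Optional, Tuple

# Regex fragments for the single-letter directives the reference lists.
_DIRECTIVES = {
    "a": r"[0-9A-Fa-f.:]+",  # remote IP address
    "A": r"[0-9A-Fa-f.:]+",  # local IP address
    "b": r"-|\d+",           # reply bytes, '-' instead of 0 (CLF rule)
    "B": r"\d+",             # reply bytes as a plain number
    "d": r"\S+",             # transaction identifier
    "F": r"\d+",             # time to serve, microseconds
    "h": r"\S+",             # remote host
    "H": r"\S+",             # request protocol
    "j": r"\S*",             # junction name (may be empty)
    "l": r"\S+",             # remote logname
    "m": r"[A-Z]+",          # request method
    "p": r"\d+",             # WebSEAL port
    "q": r"\S*",             # query string, '?'-prefixed or empty
    "Q": r"\S*",             # raw query string
    "r": r'[^"]*',           # first line of the request (quoted in the format)
    "R": r'[^"]*',           # first line including scheme and host
    "s": r"\d{3}",           # status
    "t": r"\[[^\]]+\]",      # CLF time and date
    "T": r"\d+",             # time to serve, whole seconds
    "u": r"\S+",             # remote user
    "U": r"\S+",             # URL requested
    "v": r"\S+",             # canonical server name
    "z": r"\S+",             # decoded path
    "Z": r"\S+",             # raw path
}
# %{name}C, %{name}i, %{name}o and %{format}t take an argument in braces.
_BRACED = "Ciot"
_DIRECTIVE_RE = re.compile(r"%(?:\{([^}]*)\})?([A-Za-z])")


def build_log_regex(fmt: str) -> re.Pattern:
    """Turn a request-log-format string into an anchored regex with one named
    group per directive; literal text between directives is matched verbatim."""
    if "#" in fmt:  # the reference forbids '#' in request-log-format
        raise ValueError("request-log-format must not contain the # character")
    parts: List[str] = []
    pos = 0
    for m in _DIRECTIVE_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        arg, letter = m.group(1), m.group(2)
        if arg is None:
            if letter not in _DIRECTIVES:
                raise ValueError(f"unknown or argument-less directive %{letter}")
            name, pattern = letter, _DIRECTIVES[letter]
        else:
            if letter not in _BRACED:
                raise ValueError(f"directive %{letter} takes no {{...}} argument")
            # Header, attribute and custom-time values are free-form; match
            # lazily so the literal that follows still delimits the field.
            name = f"{letter}_{re.sub(r'[^0-9A-Za-z]', '_', arg)}"
            pattern = r".+?"
        parts.append(f"(?P<{name}>{pattern})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_line(regex: re.Pattern, line: str) -> Optional[Dict[str, str]]:
    """Return the directive values of one log line, or None when the line
    does not have the configured shape."""
    m = regex.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def bytes_sent(record: Dict[str, str]) -> int:
    """%b logs '-' rather than 0 when no body bytes were returned."""
    value = record.get("b", record.get("B", "0"))
    return 0 if value == "-" else int(value)


def status_summary(regex: re.Pattern, lines: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count responses per status class and collect lines that do not match
    the configured format; unparsable lines deserve a look, not a silent drop."""
    counts: Dict[str, int] = {}
    unparsed: List[str] = []
    for line in lines:
        rec = parse_line(regex, line)
        if rec is None or "s" not in rec:
            unparsed.append(line)
            continue
        klass = rec["s"][0] + "xx"
        counts[klass] = counts.get(klass, 0) + 1
    return counts, unparsed


# The format from the reference's own example.
DEFAULT_FORMAT = '%h %l %u %t "%r" %s %b'

# Constructed sample lines; addresses, users and paths are placeholders.
SAMPLE_LINES = [
    '192.0.2.10 - alice [10/Jun/2013:13:55:36 +0000] "GET /app/index.html HTTP/1.1" 200 2326',
    '192.0.2.11 - - [10/Jun/2013:13:55:40 +0000] "POST /app/login HTTP/1.1" 302 -',
    "this is not a request log line",
]

if __name__ == "__main__":
    rx = build_log_regex(DEFAULT_FORMAT)
    for sample in SAMPLE_LINES:
        print(parse_line(rx, sample))
    print(status_summary(rx, SAMPLE_LINES))
```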

server-log

Syntax

server-log = fully_qualified_path

Description

Fully qualified path to the server error log file.

Options

fully_qualified_path

Fully qualified path to the server error log file.

Usage

This stanza entry is required.

Default value

The default location is log/webseald.log, located under the WebSEAL installation directory.

Example

Example on UNIX or Linux:

server-log = /var/pdweb/log/msg__webseald.log

[ltpa] stanza

Accept and generate LTPA cookies for authentication.

ltpa-auth

Syntax

ltpa-auth = {http|https|both|none}

Description

Enables support for LTPA cookie generation and authentication.

Options

http Enables support for http cookies.

https Enables support for https cookies.

both Enables support for both http and https cookies.

none Disables support for both http and https cookies.

Usage

This stanza entry is required.

Default value

none

Example

ltpa-auth = https

cookie-name

Syntax

cookie-name = cookie_name

Description

The name of the LTPA cookie that WebSEAL issues to clients.

Options

cookie_name

This must be Ltpatoken2, as only LTPA version 2 cookies are supported.

Usage

This stanza entry is required.

Default value

Ltpatoken2

Example

cookie-name = Ltpatoken2

cookie-domain

Syntax

cookie-domain = domain_name

Description

The domain of the LTPA cookie that WebSEAL issues to clients. If you do not specify a cookie domain, WebSEAL creates the LTPA cookie as a host-only cookie.

Options

domain_name

The domain of the LTPA cookie.

Usage

This stanza entry is required.

Default value

none

Example

cookie-domain = ibm.com

jct-ltpa-cookie-name

Syntax

jct-ltpa-cookie-name = cookie_name

Description

The name of the cookie containing the LTPA token that WebSEAL sends across the junction to the backend server. If you do not specify a value for this item, WebSEAL uses the following default values:

- LtpaToken for cookies containing LTPA tokens.
- LtpaToken2 for cookies containing LTPA version 2 tokens.

WebSphere also uses these default values.

Options

cookie_name

This name must match the LTPA cookie name that the WebSphere application uses on this junction.

Usage

This stanza entry is optional.

Default value

The default value for LTPA tokens is LtpaToken.

The default value for LTPA2 tokens is LtpaToken2.

Example

jct-ltpa-cookie-name = myCookieName

keyfile

Syntax

keyfile = keyfile_name

Description

The key file used when accessing LTPA cookies. The value must correspond to a valid LTPA key file, as generated by WebSphere.

Options

keyfile_name

Name of a valid LTPA key file, as generated by WebSphere.

Usage

This stanza entry is optional.

Default value

none

Example

keyfile = keyfile123

update-cookie

Syntax

update-cookie = number_of_seconds

Description

The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie. With each request, if n seconds have passed since the last cookie update, another update occurs. A zero value causes the lifetime timestamp in the LTPA cookie to be updated with each request. Negative values cause the lifetime of the cookie to be set to the same value as the lifetime of the user session. This setting is used in an attempt to mimic the inactivity timeout of a user session.

Note: This configuration entry affects the LTPA cookie that WebSEAL issues to clients. It is the lifetime of the cookie specified by the cookie-name configuration entry in the [ltpa] stanza.

Options

number_of_seconds

The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie.

Usage

This stanza entry is required.

Default value

-1

Example

update-cookie = 0

use-full-dn

Syntax

use-full-dn = {true|false}

Description

Controls whether the generated LTPA cookie contains the full DN of the user, or the Security Access Manager short name of the user.

Options

true WebSEAL inserts the full DN of the user into the LTPA cookie.

false WebSEAL inserts the Security Access Manager short name of the user into the LTPA cookie.

Usage

This stanza entry is optional.

Default value

true

Example

use-full-dn = true

[ltpa-cache] stanza

ltpa-cache-enabled

Syntax

ltpa-cache-enabled = {yes|no}

Description

Enables or disables the Lightweight Third Party Authentication cache.

Options

yes A value of yes enables caching.

no A value of no disables caching.

Usage

This stanza entry is required.

Default value

yes

Example

ltpa-cache-enabled = yes

ltpa-cache-entry-idle-timeout

Syntax

ltpa-cache-entry-idle-timeout = number_of_seconds

Description

Integer value that specifies the timeout, in seconds, for cache entries that are idle.

Options

number_of_seconds

Integer value that specifies the timeout, in seconds, for cache entries that are idle. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to inactivity. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value

600

Example

ltpa-cache-entry-idle-timeout = 600

ltpa-cache-entry-lifetime

Syntax

ltpa-cache-entry-lifetime = number_of_seconds

Description

Integer value that specifies the lifetime, in seconds, of an LTPA cache entry.

Options

number_of_seconds

Integer value that specifies the lifetime, in seconds, of an LTPA cache entry. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to their entry lifetime being exceeded. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value

3600

Example

ltpa-cache-entry-lifetime = 3600

ltpa-cache-size

Syntax

ltpa-cache-size = number_of_entries

Description

Integer value indicating the number of entries allowed in the LTPA cache.

Options

number_of_entries

Integer value indicating the number of entries allowed in the LTPA cache. The value must be greater than or equal to zero (0). A value of zero means that there is no limit on the size of the LTPA cache. This is not recommended.

WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.

Usage

This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value

4096

Example

ltpa-cache-size = 4096

[mpa] stanza

mpa

Syntax

mpa = {yes|no}

Description

Enables support for multiplexing proxy agents.

Options

yes Enables support for multiplexing proxy agents.

no Disables support for multiplexing proxy agents.

Usage

This stanza entry is required.

Default value

no

Example

mpa = no

[oauth-eas] stanza

Note: You can configure this stanza to support OAuth authorization decisions as part of WebSEAL requests. This stanza can be included in a separate configuration file that is specified for amwoautheas in the [aznapi-external-authzn-services] stanza. For more information about OAuth authorization decisions support, see the IBM Security Access Manager: WebSEAL Administration Guide.

apply-tam-native-policy

Use the apply-tam-native-policy stanza entry to control whether the OAuth EAS uses the native Security Access Manager policy when it is determining the access permissions for the resource.

Syntax

apply-tam-native-policy = {true | false}

Description

Determines whether the Security Access Manager ACL policy still takes effect, in addition to the OAuth authorization.

Options

true The OAuth EAS checks the Security Access Manager ACL policy to determine whether the user has permission to access the resource.

false The OAuth EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.

Usage

This stanza entry is required when you are configuring OAuth EAS authentication.

Default value

None.

Example

apply-tam-native-policy = false

bad-gateway-rsp-file

Syntax

bad-gateway-rsp-file = <file_name>

Description

Specifies the file that contains the body that is used when constructing a 502 Bad Gateway response. This response is generated when Tivoli Federated Identity Manager fails to process the request.

Options

<file_name>

The fully qualified name of the 502 Bad Gateway response file.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

bad-gateway-rsp-file = /tmp/bad_gateway.html

bad-request-rsp-file

Syntax

bad-request-rsp-file = <file_name>

Description

Specifies the file that contains the body that is used when constructing a 400 Bad Request response. This response is generated when required OAuth elements are missing from a request.

Options

<file_name>

The fully qualified name of the 400 Bad Request response file.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

bad-request-rsp-file = /tmp/bad_rqst.html

cache-size

Syntax

cache-size = <number_decisions>

Description

Specifies the maximum number of OAuth 2.0 bearer token authorization decisions to cache. This EAS has a built-in cache for storing authorization decisions so that WebSEAL can repeatedly use the same OAuth 2.0 bearer token without sending repeated requests to Tivoli Federated Identity Manager.

WebSEAL can cache bearer token decisions because they do not require signing of the request, unlike OAuth 1.0 requests. The lifetime of the cache entry depends on the Expires attribute that Tivoli Federated Identity Manager returns. If Tivoli Federated Identity Manager does not return this attribute, WebSEAL does not cache the decision.

This EAS implements a Least Recently Used cache. The decision associated with the least recently used bearer token is forgotten when a new bearer token decision is cached. A cache-size of 0 disables caching of authorization decisions.

Options

<number_decisions>

The maximum number of OAuth 2.0 bearer token authorization decisions that WebSEAL caches.

Usage

This stanza entry is optional.

Default value

The default value is 0, which disables caching of authorization decisions.

Example

cache-size = 0
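The cache rules above (bounded by cache-size, least recently used entry forgotten, lifetime from the Expires attribute, no caching without Expires, 0 disables caching) are easy to get subtly wrong. The following added example (not IBM's code) models them in Python; the `fake_tfim_decision` table stands in for the Tivoli Federated Identity Manager round trip and the tokens in it are constructed, and keying the cache by a digest of the token is this example's choice, not something the reference states about WebSEAL.

```python
"""Added example, not IBM's code: a model of the OAuth EAS decision cache
described above. Entries live until the Expires value returned with the
decision, decisions without Expires are never cached, the least recently
used entry is forgotten when the cache is full, and cache-size = 0
disables caching."""
import hashlib
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple

Decision = Tuple[bool, Optional[float]]  # (permitted, Expires as epoch seconds or None)


class BearerDecisionCache:
    """LRU cache of OAuth 2.0 bearer token authorization decisions."""

    def __init__(self, cache_size: int) -> None:
        if cache_size < 0:
            raise ValueError("cache-size must be 0 (disabled) or a positive count")
        self.cache_size = cache_size
        self._entries: "OrderedDict[str, Tuple[bool, float]]" = OrderedDict()
        self.hits = 0
        self.misses = 0

    @staticmethod
    def _key(token: str) -> str:
        # Keying by a digest keeps the raw bearer token out of the cache
        # (this example's choice; the reference does not say how WebSEAL keys it).
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def lookup(self, token: str, now: float) -> Optional[bool]:
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None:
            self.misses += 1
            return None
        permitted, expires_at = entry
        if now >= expires_at:  # the Expires attribute bounds the entry lifetime
            del self._entries[key]
            self.misses += 1
            return None
        self._entries.move_to_end(key)  # mark as most recently used
        self.hits += 1
        return permitted

    def store(self, token: str, permitted: bool, expires_at: Optional[float]) -> bool:
        """Cache a decision; returns False when caching is disabled or when
        no Expires attribute came back with the decision."""
        if self.cache_size == 0 or expires_at is None:
            return False
        key = self._key(token)
        self._entries[key] = (permitted, expires_at)
        self._entries.move_to_end(key)
        while len(self._entries) > self.cache_size:
            self._entries.popitem(last=False)  # forget the least recently used
        return True

    def __len__(self) -> int:
        return len(self._entries)


def authorize(cache: BearerDecisionCache, token: str, now: float,
              decide: Callable[[str], Decision]) -> Tuple[bool, bool]:
    """Return (permitted, served_from_cache); `decide` stands in for the
    round trip to Tivoli Federated Identity Manager."""
    cached = cache.lookup(token, now)
    if cached is not None:
        return cached, True
    permitted, expires_at = decide(token)
    cache.store(token, permitted, expires_at)
    return permitted, False


# Constructed stand-in for TFIM: token -> (permitted, Expires).
_FAKE_TFIM: Dict[str, Decision] = {
    "tok-A": (True, 1000.0),
    "tok-B": (True, None),     # no Expires attribute: must not be cached
    "tok-C": (False, 1200.0),
    "tok-D": (True, 1500.0),
}


def fake_tfim_decision(token: str) -> Decision:
    return _FAKE_TFIM.get(token, (False, None))


if __name__ == "__main__":
    cache = BearerDecisionCache(cache_size=2)
    for tok, now in [("tok-A", 900.0), ("tok-A", 950.0), ("tok-B", 900.0), ("tok-B", 901.0)]:
        print(tok, now, authorize(cache, tok, now, fake_tfim_decision))
    print("hits", cache.hits, "misses", cache.misses)
```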

cluster-name

Syntax

cluster-name = <cluster>

Description

The name of the Tivoli Federated Identity Manager cluster that hosts this OAuth service. You must also specify a corresponding [tfim-cluster:<cluster>] stanza, which contains the definition of the cluster.

Options

<cluster>

The name of the Tivoli Federated Identity Manager cluster where the OAuth service is hosted.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

cluster-name = oauth-cluster

For this example, there needs to be a corresponding [tfim-cluster:oauth-cluster] stanza to define the cluster.

default-fed-id

Syntax

default-fed-id = <provider_url>

Description

The Provider ID of the default OAuth federation in Tivoli Federated Identity Manager. By default, WebSEAL uses this provider ID for OAuth requests.

You can override this default provider for an individual request by including a request parameter that has the name specified by the fed-id-param configuration entry.

Options

<provider_url>

The IP address for the federation provider that WebSEAL uses for OAuth requests. You can find the Provider ID of a federation on the federation properties page.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None

Example

default-fed-id = https://localhost/sps/oauthfed/oauth10

default-mode

Syntax

default-mode = <oauth_mode>

Description

The default OAuth mode that this EAS uses. The mode affects the validation of request parameters and the construction of the RequestSecurityToken (RST) sent to Tivoli Federated Identity Manager.

You can override this default mode for an individual request by providing a valid mode value [OAuth10|OAuth20Bearer] in a request parameter. The request parameter must have the name that is specified by the mode-param configuration entry.

Options

<oauth_mode>

The OAuth mode that the OAuth EAS uses by default.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

default-mode = OAuth10

fed-id-param

Syntax

fed-id-param = <request_param_name>

Description

The name of the parameter that you can include in a request to override the Provider ID that is specified by the default-fed-id configuration entry. If this fed-id-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the Provider ID contained in the request rather than the default-fed-id Provider ID.

Note: You can delete this configuration entry to ensure that WebSEAL always uses the default provider that is specified by default-fed-id.

Options

<request_param_name>

The name of the request parameter whose value specifies the Provider ID for WebSEAL to include in OAuth requests. If no such parameter exists in the request, WebSEAL uses the Provider ID specified by default-fed-id.

Usage

This stanza entry is optional.

Note: If you do not configure this stanza entry, WebSEAL always uses the provider that is configured as the default-fed-id.

Default value

None.

Example

fed-id-param = FederationId

mode-param

Syntax

mode-param = <mode_name>

Description

The name of the parameter that you can include in a request to override the mode that is specified by the default-mode configuration entry. If this mode-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the mode contained in the request rather than the mode specified by default-mode.

Note: You can delete this configuration entry to ensure that WebSEAL always uses the default mode that is specified by default-mode.

Options

<mode_name>

The name of the request parameter whose value specifies the mode for the OAuth EAS to use. If no such parameter exists in the request, WebSEAL uses the mode specified by default-mode.

Usage

This stanza entry is optional.

Note: If you do not configure this stanza entry, WebSEAL always uses the mode that is configured as the default-mode.

Default value

None.

Example

mode-param = mode

realm-name

Syntax

realm-name = <realm_name>

Description

The name of the OAuth realm that is used in a 401 request for OAuth data.

Options

<realm_name>

The name of the OAuth realm.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

realm-name = realmOne

trace-component

Syntax

trace-component = <component_name>

Description

The name of the Security Access Manager trace component that the OAuth EAS uses.

Options

<component_name>

The name of the Security Access Manager trace component.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Note: The pdweb.oauth component traces the data that passes into the OAuth EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.

Default value

None.

Example

trace-component = pdweb.oauth

unauthorized-rsp-file

Syntax

unauthorized-rsp-file = <file_name>

Description

Specifies the file that contains the body that is used when constructing a 401 Unauthorized response. This response is generated when either of the following scenarios occur:

- All OAuth data is missing from a request.
- The OAuth data fails validation.

Options

<file_name>

The fully qualified name of the 401 Unauthorized response file.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

unauthorized-rsp-file = /tmp/unauth_response.html

[obligations-levels-mapping] stanza

Note: This stanza is not included in the WebSEAL configuration file by default. You can manually add this stanza and the associated entries if you want to configure runtime security services.

obligation

Syntax

<obligation> = <authentication-level>

Description

Defines the mappings between the obligation levels that the policy decision point (PDP) returns and the WebSEAL step-up authentication levels. Include a separate entry for each obligation that runtime security services (RTSS) returns to the runtime security services EAS.

The mapping between the obligation levels and the WebSEAL authentication levels must be one-to-one. The user must authenticate only through the appropriate obligation mechanisms.

The runtime security services EAS maps the obligation to the authentication level specified in this stanza and requests WebSEAL to authenticate the user at that level.

Options

<obligation>

The name of the obligation that RTSS returns to the runtime security services EAS.

<authentication-level>

The WebSEAL authentication level that the runtime security services EAS includes in the WebSEAL request. This value is a number that represents the authentication level in the [authentication-levels] stanza. Each entry in the [authentication-levels] stanza is assigned a number based on its position in the list; the first entry is level 0. For more information, see the IBM Security Access Manager: WebSEAL Administration Guide and search for specifying authentication levels.

Usage

This stanza entry is required.

Default value

None.

Example

life_questions = 2
otp = 3
email = 4
voice = 5
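A mapping that is not one-to-one, or that names a level with no entry in [authentication-levels], is a configuration error that WebSEAL cannot flag for you at a glance. The following added example (not IBM's code) reads the two stanzas from configuration text and reports such problems; it assumes, as a constructed sample, that [authentication-levels] lists one `level = mechanism` entry per line numbered by position from 0, and the mechanism names in the sample are placeholders.

```python
"""Added example, not IBM's code: check an [obligations-levels-mapping]
stanza against the [authentication-levels] stanza. Assumes (constructed
sample) that [authentication-levels] lists one `level = mechanism` entry
per line, numbered by position from 0."""
import re
from typing import Dict, List, Set, Tuple

_STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_stanza(config_text: str, name: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs of stanza [name] in file order, keeping
    repeated keys so the caller can detect entries listed more than once."""
    entries: List[Tuple[str, str]] = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current == name and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries


def validate_obligation_mapping(config_text: str) -> List[str]:
    """Return a list of problems; an empty list means the mapping is usable:
    every level exists in [authentication-levels], each obligation appears
    once, and no two obligations share a level (the one-to-one rule)."""
    levels = parse_stanza(config_text, "authentication-levels")
    mapping = parse_stanza(config_text, "obligations-levels-mapping")
    problems: List[str] = []
    seen_obligations: Set[str] = set()
    level_owner: Dict[int, str] = {}  # level number -> obligation that claimed it first
    for obligation, value in mapping:
        if obligation in seen_obligations:
            problems.append(f"obligation '{obligation}' is listed more than once")
        seen_obligations.add(obligation)
        if not value.isdigit():
            problems.append(f"{obligation}: level '{value}' is not a number")
            continue
        level = int(value)
        if level >= len(levels):
            problems.append(
                f"{obligation}: level {level} has no entry in [authentication-levels] "
                f"(entries are numbered 0..{len(levels) - 1})")
        elif level_owner.get(level, obligation) != obligation:
            problems.append(
                f"level {level} ({levels[level][1]}) is claimed by both "
                f"'{level_owner[level]}' and '{obligation}'; the mapping must be one-to-one")
        level_owner.setdefault(level, obligation)
    return problems


# Constructed sample configuration; the mechanism names are placeholders.
SAMPLE_CONFIG = """
[authentication-levels]
level = unauthenticated
level = password
level = life_questions
level = otp
level = email
level = voice

[obligations-levels-mapping]
life_questions = 2
otp = 3
email = 4
voice = 5
"""

if __name__ == "__main__":
    print(validate_obligation_mapping(SAMPLE_CONFIG) or "mapping is consistent")
    broken = SAMPLE_CONFIG + "sms = 3\nvoice = 9\n"
    for problem in validate_obligation_mapping(broken):
        print("problem:", problem)
```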

[p3p-header] stanza

access

Use the access stanza entry to specify the type of cookie information that a user can access.

Syntax

access = {none|all|nonident|contact-and-other|ident-contact|other-ident}

Description

Specifies the user access to the information contained in and linked to the cookie.

Options

none No access to identified data is given.

all Access is given to all identified data.

contact-and-other

Access is given to identified online and physical contact information, in addition to certain other identified data.

ident-contact

Access is given to identified online and physical contact information. For example, users can access things such as a postal address.

nonident

Website does not collect identified data.

other-ident

Access is given to certain other identified data. For example, users can access things such as their online account charges.

Usage

This stanza entry is required.

Default value

none

Example

access = none

categories

Syntax

categories = {physical|online|uniqueid|purchase|financial|computer|navigation|interactive|demographic|content|state|political|health|preference|location|government|other-category}

Description

Specifies the type of information stored in the cookie or linked to by the cookie. When the non-identifiable stanza entry is set to yes, then no categories need be configured.

Options

physical

Information that allows an individual to be contacted or located in the physical world. For example, telephone number or address.

online

Information that allows an individual to be contacted or located on the Internet.

uniqueid

Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual.

purchase

Information actively generated by the purchase of a product or service, including information about the method of payment.

financial

Information about an individual's finances, including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments, including credit or debit card information.

computer

Information about the computer system that the individual is using to access the network. For example, IP number, domain name, browser type or operating system.

navigation

Data passively generated by browsing the Web site. For example, which pages are visited, and how long users stay on each page.

interactive

Data actively generated from or reflecting explicit interactions with a service provider through its site. For example, queries to a search engine, or logs of account activity.

demographic

Data about an individual's characteristics. For example, gender, age, and income.

content

The words and expressions contained in the body of a communication. For example, the text of email, bulletin board postings, or chat room communications.

state

Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously. For example, HTTP cookies.

political

Membership in or affiliation with groups such as religious organizations, trade unions, professional associations and political parties.

health

Information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.

preference

Data about an individual's likes and dislikes. For example, favorite color or musical tastes.

location

Information that can be used to identify an individual's current physical location and track them as their location changes. For example, Global Positioning System position data.

government

Identifiers issued by a government for purposes of consistently identifying the individual.

other-category

Other types of data not captured by the above definitions.

Usage

This stanza entry is required.

Default value

uniqueid

Example

categories = uniqueid

disputes

Syntax

disputes = {yes|no}

Description

Specifies whether the full P3P policy contains some information regarding disputes over the information contained within the cookie.

Options

yes The value yes means that information about disputes is contained in the full P3P policy.

no The value no means that no information about disputes is contained in the policy.

Usage

This stanza entry is required.

Default value

no

Example

disputes = no

non-identifiable

Syntax

non-identifiable = {yes|no}

Description

Specifies that no information in the cookie, or linked to by the cookie, personally identifies the user.

Options

yes Data that is collected identifies the user.

no No data is collected (including Web logs), or the information collected does not identify the user.

Usage

This stanza entry is required.

Default value

no

Example

non-identifiable = no

p3p-element

Syntax

p3p-element = policyref=location_of_policy_reference

Description

Specifies elements to add to the P3P header in addition to the elements specified by the other configuration items in this stanza. Typically this is done by referring to the location of a full XML policy.

Options

policyref=location_of_policy_reference

The default entry points to a default policy reference located on the World Wide Web Consortium Web site.

Usage

This stanza entry is required.

Default value

The default entry points to a default policy reference located on the World Wide Web Consortium Web site:

policyref="/w3c/p3p.xml"

Example

p3p-element = policyref="/w3c/p3p.xml"

purpose

Syntax

purpose = {current|admin|develop|tailoring|pseudo-analysis|pseudo-decision|individual-analysis|individual-decision|contact|historical|telemarketing|other-purpose}[:[opt-in|opt-out|always]]

Description

Specifies the purpose of the information in the cookie and linked to by the cookie.

Options

current Information can be used by the service provider to complete the activity for which it was provided.


admin Information can be used for the technical support of the Web site and its computer system.

develop Information can be used to enhance, evaluate, or otherwise review the site, service, product, or market.

tailoring Information can be used to tailor or modify content or design of the site where the information is used only for a single visit to the site.

pseudo-analysis Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

pseudo-decision Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

individual-analysis Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting.

individual-decision Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual.

contact Information can be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service.

historical Information can be archived or stored for the purpose of preserving social history as governed by an existing law or policy.

telemarketing Information can be used to contact the individual through a voice telephone call for promotion of a product or service.

other-purpose Information may be used in other ways not captured by the above definitions.

For all values except current, an additional option can be specified. The possible values are:

always Users cannot opt-in or opt-out of this use of their data.


opt-in Data may be used for this purpose only when the user affirmatively requests this use.

opt-out Data may be used for this purpose unless the user requests that it not be used in this way.

When no additional option is specified, the default value is always.

Usage

This stanza entry is required.

Default value

The default values are current and other-purpose:opt-in.

Example

purpose = current
purpose = other-purpose:opt-in

recipient

Syntax

recipient = {ours|delivery|same|unrelated|public|other-recipient}[:[opt-in|opt-out|always]]

Description

Specifies the recipients of the information in the cookie, and linked to by the cookie.

Options

ours Ourselves and/or entities acting as our agents, or entities for whom we are acting as an agent. An agent is a third party that processes data only on behalf of the service provider.

delivery Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose.

same Legal entities following our practices. These are legal entities who use the data on their own behalf under equable practices.

unrelated Unrelated third parties. These are legal entities whose data usage practices are not known by the original service provider.

public Public forums. These are public forums such as bulletin boards, public directories, or commercial CD-ROM directories.

other-recipient Legal entities following different practices. These are legal entities that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices.

For all values an additional option can be specified. The possible values are:


always Users cannot opt-in or opt-out of this use of their data.

opt-in Data may be used for this purpose only when the user affirmatively requests this use.

opt-out Data may be used for this purpose unless the user requests that it not be used in this way.

When no additional option is specified, the default value is always.

Usage

This stanza entry is required.

Default value

ours

Example

recipient = ours
recipient = public:opt-in

remedies

Syntax

remedies = {correct|money|law}

Description

Specifies the types of remedies in case a policy breach occurs. When this entry has no value, there is no remedy information in the P3P compact policy.

Options

correct Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

money If the service provider violates its privacy policy it will pay the individual an amount specified in the human readable privacy policy or the amount of damages.

law Remedies for breaches of the policy statement will be determined based on the law referenced in the human readable description.

Usage

This stanza entry is required.

Default value

correct

Example

remedies = correct


retention

Syntax

retention = {no-retention|stated-purpose|legal-requirement|business-practices|indefinitely}

Description

Specifies how long the information in the cookie or linked to by the cookie is retained.

Options

no-retention Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction.

stated-purpose Information is retained to meet the stated purpose, and is to be discarded at the earliest time possible.

legal-requirement Information is retained to meet a stated purpose, but the retention period is longer because of a legal requirement or liability.

business-practices Information is retained under a service provider's stated business practices.

indefinitely Information is retained for an indeterminate period of time.

Usage

This stanza entry is required.

Default value

no-retention

Example

retention = no-retention
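As an added example (not WebSEAL's own code), the following maps the values documented for the P3P stanza entries above onto the W3C P3P 1.0 compact-policy tokens and assembles the resulting P3P header value. The token order, and the handling of an opt qualifier on current or ours, are assumptions; the sample entries are constructed from the documented defaults.

```python
# Added example, not WebSEAL's own code. Maps the values documented for the
# stanza entries above (disputes, non-identifiable, purpose, recipient,
# remedies, retention, categories, p3p-element) onto the W3C P3P 1.0
# compact-policy tokens and assembles the P3P header value. How WebSEAL itself
# orders or emits the tokens is not shown on this page and is assumed here.

# W3C P3P 1.0 compact-policy tokens for the option values listed above.
PURPOSE = {
    "current": "CUR", "admin": "ADM", "develop": "DEV", "tailoring": "TAI",
    "pseudo-analysis": "PSA", "pseudo-decision": "PSD",
    "individual-analysis": "IVA", "individual-decision": "IVD",
    "contact": "CON", "historical": "HIS", "telemarketing": "TEL",
    "other-purpose": "OTP",
}
RECIPIENT = {
    "ours": "OUR", "delivery": "DEL", "same": "SAM", "unrelated": "UNR",
    "public": "PUB", "other-recipient": "OTR",
}
RETENTION = {
    "no-retention": "NOR", "stated-purpose": "STP", "legal-requirement": "LEG",
    "business-practices": "BUS", "indefinitely": "IND",
}
REMEDIES = {"correct": "COR", "money": "MON", "law": "LAW"}
CATEGORIES = {"uniqueid": "UNI"}  # only the category value documented above
OPT_SUFFIX = {"always": "a", "opt-in": "i", "opt-out": "o"}


def group(pairs):
    """Group (entry, value) pairs; purpose and recipient may repeat."""
    grouped = {}
    for key, value in pairs:
        grouped.setdefault(key, []).append(value)
    return grouped


def qualified_token(value, table, no_suffix):
    """'value[:opt]' -> token plus a/i/o suffix; the page's default is always.

    CUR and OUR take no suffix in the compact-policy grammar, so any opt
    qualifier is ignored for them (assumption, see lead-in).
    """
    name, _, opt = value.partition(":")
    if name not in table:
        raise ValueError(f"unknown value {name!r}")
    token = table[name]
    if name in no_suffix:
        return token
    if opt and opt not in OPT_SUFFIX:
        raise ValueError(f"unknown qualifier {opt!r} on {name!r}")
    return token + OPT_SUFFIX[opt or "always"]


def compact_policy(entries):
    """Space-separated CP tokens built from the grouped stanza entries."""
    tokens = []
    if entries.get("disputes", ["no"])[0] == "yes":
        tokens.append("DSP")
    # remedies with no value contributes nothing (page: no remedy information)
    tokens += [REMEDIES[v] for v in entries.get("remedies", []) if v]
    if entries.get("non-identifiable", ["no"])[0] == "yes":
        tokens.append("NID")
    tokens += [qualified_token(v, PURPOSE, {"current"}) for v in entries.get("purpose", [])]
    tokens += [qualified_token(v, RECIPIENT, {"ours"}) for v in entries.get("recipient", [])]
    tokens += [RETENTION[v] for v in entries.get("retention", [])]
    tokens += [CATEGORIES[v] for v in entries.get("categories", [])]
    return " ".join(tokens)


def p3p_header_value(entries):
    """Header value: the p3p-element text (policyref=...) followed by CP="..."."""
    extra = ", ".join(entries.get("p3p-element", []))
    cp = f'CP="{compact_policy(entries)}"'
    return f"{extra}, {cp}" if extra else cp


# Constructed sample: the documented default of each entry above.
SAMPLE_ENTRIES = [
    ("categories", "uniqueid"),
    ("disputes", "no"),
    ("non-identifiable", "no"),
    ("p3p-element", 'policyref="/w3c/p3p.xml"'),
    ("purpose", "current"),
    ("purpose", "other-purpose:opt-in"),
    ("recipient", "ours"),
    ("remedies", "correct"),
    ("retention", "no-retention"),
]

if __name__ == "__main__":
    print("P3P:", p3p_header_value(group(SAMPLE_ENTRIES)))
```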

[policy-director] stanza

config-file

Syntax

config-file = path

Description

Path name to the configuration file for the Security Access Manager policy server for the domain in which the WebSEAL server is configured. This stanza entry is set by WebSEAL configuration and should not be modified.


Options

path Path name to the configuration file for the Security Access Manager policy server for the domain in which the WebSEAL server is configured. This stanza entry is set by WebSEAL configuration and should not be modified.

Usage

This stanza entry is required.

Default value

The default value of the configuration file path consists of etc/pd.conf appended to the Security Access Manager installation directory.

Example

Example on UNIX or Linux:

config-file = /opt/PolicyDirector/etc/pd.conf

[preserve-cookie-names] stanza

name

Syntax

name = cookie_name

Description

List of specific cookie names that WebSEAL must not modify.

WebSEAL, by default, modifies the names of cookies returned in responses from junctions created with pdadmin using the -j flag. WebSEAL also by default modifies the names of cookies listed in the junction mapping table (JMT). This default modification is done to prevent naming conflicts with cookies returned by other junctions.

When a front-end application depends on the names of specific cookies, the administrator can disable the modification of cookie names for those specific cookies. The administrator does this by listing the cookies in this stanza.

Options

cookie_name When entering a value for cookie_name, use ASCII characters.

Usage

This stanza entry is optional.

Default value

There are no cookie names set by default.


Example

name = JSESSIONID

[process-root-filter] stanza

root

Syntax

root = pattern

Description

Specifies the patterns for which you want root junction requests processed at the root junction when process-root-requests = filter.

Options

pattern Values for pattern must be standard WebSEAL wildcard patterns.

Usage

Entries in this stanza are required when process-root-requests = filter.

Default value

root = /index.html
root = /cgi-bin*

Example

root = /index.html
root = /cgi-bin*

[reauthentication] stanza

reauth-at-any-level

Syntax

reauth-at-any-level = {yes|no}

Description

Controls whether a different authentication level or mechanism is permitted during a reauthentication operation.

Options

yes During a reauthentication operation, a user can be authenticated using a different authentication level or mechanism from that which is currently held by the user. The user's new credential replaces the old one.

Note: If this configuration option is set to yes, the credential can change one or more times during the lifetime of the session. Also, the credential will always be updated upon a successful reauthentication regardless of the existing authentication level of the credential.


no During a reauthentication operation, a user can only be authenticated at the same authentication level or mechanism as the user's current credential.

Usage

This stanza entry is required.

Default value

no

Example

reauth-at-any-level = no

reauth-extend-lifetime

Syntax

reauth-extend-lifetime = number_of_seconds

Description

Integer value expressing the time in seconds that the credential cache timer should be extended to allow clients to complete a reauthentication.

Options

number_of_seconds When the value is zero (0), the lifetime timer is not extended. WebSEAL imposes no maximum. The maximum value is limited only by the integer data type.

Usage

This stanza entry is required.

Default value

0

Example

reauth-extend-lifetime = 0

reauth-for-inactive

Syntax

reauth-for-inactive = {yes|no}

Description

Enables WebSEAL to prompt users to reauthenticate when their entry in the WebSEAL credential cache has timed out due to inactivity.

Options

yes Enable reauthentication.


no Disable reauthentication.

Usage

This stanza entry is required.

Default value

no

Example

reauth-for-inactive = no

reauth-reset-lifetime

Syntax

reauth-reset-lifetime = {yes|no}

Description

Enables WebSEAL to reset the lifetime timer for WebSEAL credential cache entries following successful reauthentication.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

reauth-reset-lifetime = no

terminate-on-reauth-lockout

Syntax

terminate-on-reauth-lockout = {yes|no}

Description

Specifies whether or not to remove the session cache entry of a user who reaches the max-login-failures policy limit during reauthentication.

Options

yes When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is logged out and the user's session is removed.

no When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is locked out as specified by the disable-time-interval setting, and notified of the lockout as specified by the late-lockout-notification setting. The user is not logged out and the initial login session is still valid. The user can still access other resources that are not protected by a reauthn POP.

Usage

This stanza entry is required.

Default value

yes

Example

terminate-on-reauth-lockout = yes

[replica-sets] stanza

replica-set

Syntax

replica-set = replica_set_name

Description

If WebSEAL is configured to use the SMS for session storage, the WebSEAL server joins each of the replica sets listed in this stanza. The entries listed here must be replica sets configured on the SMS.

Options

replica_set_name Replica set name.

Usage

This stanza entry is optional.

Default value

None.

Example

replica-set = setA

[rtss-eas] stanza

You can use the rtss-eas configuration stanza to configure the EAS that communicates with the RBA server. The runtime security services EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger with an associated value of trigger_rba_eas.


Note: This stanza is not included in the WebSEAL configuration file by default. You can manually add this stanza and the associated entries if you want to configure runtime security services.

apply-tam-native-policy

Syntax

apply-tam-native-policy = {true | false}

Description

Determines whether the IBM Security Access Manager for Web ACL policy takes effect.

Options

true Runtime security services EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.

false Runtime security services EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.

Usage

This stanza entry is required.

Default value

None.

Example

apply-tam-native-policy = true

audit-log-cfg

Syntax

audit-log-cfg = <agent>[<parameter>=<value>],[<parameter>=<value>],...

Description

Configures audit logging for the runtime security service. You can use the available parameters to configure the logging agents.

Options

<agent> Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:

- stdout
- stderr
- file
- remote
- rsyslog


<parameter> The different agents support the following configuration parameters:

Table 1. Logging agent configuration parameters

Parameter        Supporting agents
buffer_size      remote
compress         remote
dn               remote
error_retry      remote, rsyslog
flush_interval   all
hi_water         all
log_id           file, rsyslog
max_event_len    rsyslog
mode             file
path             all
port             remote, rsyslog
queue_size       all
rebind_retry     remote, rsyslog
rollover_size    file
server           remote, rsyslog
ssl_keyfile      rsyslog
ssl_label        rsyslog
ssl_stashfile    rsyslog

Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.

Usage

This stanza entry is optional.

Note: You must configure this attribute if you want WebSEAL to log runtime security audit events. If there is no value set, then WebSEAL does not log any audit events for the runtime security service.

Default value

None.

Example

To log audit events in a file called rtss-audit.log:

audit-log-cfg = file path=/tmp/rtss-audit.log,flush_interval=20,rollover_size=2000000,queue_size=48

To send audit logs to STDOUT:

audit-log-cfg = stdout


cluster-name

Syntax

cluster-name = <cluster_name>

Description

The name of the runtime security services SOAP cluster that hosts this runtime security SOAP service. You must also specify a corresponding [rtss-cluster:<cluster>] stanza, which contains the definition of the cluster.

Options

<cluster_name> The name of the runtime security services SOAP cluster where the runtime security SOAP service is hosted.

Usage

This stanza entry is required.

Default value

None.

Example

cluster-name = cluster1

For this example, there needs to be a corresponding [rtss-cluster:cluster1] stanza to define the cluster.

context-id

Syntax

context-id = <service_name>

Description

Specifies the context-id that the runtime security services EAS uses when sending XACML requests to runtime security services (RTSS). This value must match the service name of the deployed policy.

Note: If the context-id parameter is not set, it defaults to the WebSEAL server name.

Options

<service_name> The context-id that EAS uses to send XACML requests to RTSS.

Usage

This stanza entry is optional.


Default value

If there is no value provided for this parameter, it defaults to the WebSEAL server name.

Example

context-id = webseal.ibm.com

trace-component

Syntax

trace-component = <component_name>

Description

Specifies the name of the Security Access Manager trace component that the EAS uses.

Options

<component_name> The name of the Security Access Manager trace component.

Usage

This stanza entry is required.

Note: The configured component traces the data that passes into the runtime security services EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.

Default value

None.

Example

trace-component = pdweb.rtss

[rtss-cluster:<cluster>] stanza

This stanza contains the configuration entries for the runtime security services SOAP servers.

Note: This stanza is not included in the WebSEAL configuration file by default. You can manually add this stanza and the associated entries if you want to configure runtime security services.

basic-auth-user

Syntax

basic-auth-user = <user_name>


Description

Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.

Options

<user_name> The user name for WebSEAL to include in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.

Default value

None.

Example

basic-auth-user = userA

basic-auth-passwd

Syntax

basic-auth-passwd = <password>

Description

Specifies the password for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.

Options

<password> The password that WebSEAL includes in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.

Default value

None.

Example

basic-auth-passwd = password


handle-idle-timeout

Syntax

handle-idle-timeout = <number>

Description

Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.

Options

<number> Length of time, in seconds, before an idle handle is removed from the handle pool cache.

Usage

This stanza entry is required.

Default value

None.

Example

handle-idle-timeout = 240

handle-pool-size

Syntax

handle-pool-size = <number>

Description

The maximum number of cached handles that WebSEAL uses to communicate with runtime security services SOAP.

Options

<number> The maximum number of handles that WebSEAL uses for runtime security services SOAP communication.

Usage

This stanza entry is required.

Default value

None.

Example

handle-pool-size = 10


server

Syntax

server = {[0-9],}<URL>

Description

Specifies a priority level and URL for each runtime security services SOAP server that is a member of this cluster. Multiple server entries can be specified for a given cluster for failover and load balancing.

Options

[0-9] A digit, 0-9, that represents the priority of the server in the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.

Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

<URL> A well-formed HTTP or HTTPS uniform resource locator for the runtime security services (RTSS).

Usage

This stanza entry is required.

Default value

None.

Example

server = 9,http://localhost:9080/rtss/authz/services/AuthzService

ssl-fips-enabled

Syntax

ssl-fips-enabled = {yes|no}

Description

Determines whether Federal Information Processing Standards (FIPS) mode is enabled with runtime security services SOAP.

Note: If no configuration entry is present, the setting from the global setting, determined by the Access Manager policy server, takes effect.

Options

yes FIPS mode is enabled.

no FIPS mode is disabled.

Usage

This stanza entry is required if both of the following conditions are true:


- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.

- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Note: If you want to use a FIPS level that is different from the Access Manager policy server, edit the configuration file and specify a value for this entry.

Example

ssl-fips-enabled = yes

ssl-keyfile

Syntax

ssl-keyfile = <fully_qualified_path>

Description

The name of the key database file that houses the client certificate for WebSEAL to use.

Options

<fully_qualified_path> The path to the key database file that houses the client certificate for WebSEAL to use.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.

- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile = fully_qualified_path


ssl-keyfile-label

Syntax

ssl-keyfile-label = <label_name>

Description

The label of the client certificate in the key database.

Options

<label_name> Client certificate label name.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.

- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-label = label_name

ssl-keyfile-stash

Syntax

ssl-keyfile-stash = <fully_qualified_path>

Description

The name of the password stash file for the key database file.

Options

<fully_qualified_path> The fully qualified name of the password stash file for the key database file.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.

- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-stash = fully_qualified_path

ssl-valid-server-dn

Syntax

ssl-valid-server-dn = <DN-value>

Description

Specifies the distinguished name of the server (obtained from the server SSL certificate) that WebSEAL can accept.

Options

<DN-value> The distinguished name of the server (obtained from the server SSL certificate) that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.

- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US

timeout

Syntax

timeout = <seconds>


Description

The length of time (in seconds) to wait for a response from runtime security services SOAP.

Options

<seconds> The length of time (in seconds) to wait for a response from runtime security services SOAP.

Usage

This stanza entry is required.

Default value

None.

Example

timeout = 240
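As an added example (not WebSEAL's own code), the following resolves an [rtss-cluster:<cluster>] stanza by the rules stated above: server entries are parsed with the optional priority digit (9 assumed when absent, no space permitted after the comma) and ordered for failover, the ssl-* entries are taken from the cluster stanza or fall back to the global [ssl] stanza only when some server URL uses HTTPS, and a missing ssl-valid-server-dn is reported because it means any server DN is accepted. The [ssl] fallback entry names are assumed to mirror the cluster entry names, and the sample configuration text is constructed.

```python
# Added example, not WebSEAL's own code. Applies the rules stated above for an
# [rtss-cluster:<cluster>] stanza: 'server = {[0-9],}<URL>' with priority 9
# assumed when no digit is given and no space allowed after the comma; the
# ssl-* entries matter only when a server URL uses HTTPS and fall back to the
# global [ssl] stanza when absent; a missing ssl-valid-server-dn means any
# server DN is accepted. The [ssl] fallback entry names are assumed to match
# the cluster entry names, and the sample configuration is constructed.
import re
from urllib.parse import urlsplit

# Optional single digit and comma, then the URL; \S+ rejects "9, http://..."
SERVER_RE = re.compile(r"^(?:([0-9]),)?(\S+)$")
SSL_KEYS = ("ssl-keyfile", "ssl-keyfile-label", "ssl-keyfile-stash")


def parse_config(text):
    """Minimal stanza parser: {stanza: [(key, value), ...]} keeping repeats."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        stanzas.setdefault(current, []).append((key.strip(), value.strip()))
    return stanzas


def parse_servers(entries):
    """All server entries as (priority, url), highest priority first."""
    servers = []
    for key, value in entries:
        if key != "server":
            continue
        match = SERVER_RE.match(value)
        if not match:
            raise ValueError(f"malformed server entry: {value!r}")
        priority = int(match.group(1)) if match.group(1) else 9
        url = match.group(2)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"server URL must be HTTP or HTTPS: {url!r}")
        servers.append((priority, url))
    # stable sort: file order is kept among servers of equal priority
    return sorted(servers, key=lambda s: -s[0])


def server_entry_ok(value):
    """True when a single server value satisfies the syntax rules above."""
    try:
        parse_servers([("server", value)])
        return True
    except ValueError:
        return False


def resolve_cluster(config, cluster):
    """Effective servers, SSL settings and defender-side findings for a cluster."""
    entries = config[f"rtss-cluster:{cluster}"]
    servers = parse_servers(entries)
    uses_ssl = any(url.startswith("https://") for _, url in servers)
    valid_dns = [v for k, v in entries if k == "ssl-valid-server-dn"]
    local, globl = dict(entries), dict(config.get("ssl", []))
    # cluster value wins; otherwise the global [ssl] value (page note)
    ssl = {k: local.get(k, globl.get(k)) for k in SSL_KEYS} if uses_ssl else {}
    findings = []
    if not servers:
        findings.append("no server entries: the cluster has no RTSS endpoint")
    if uses_ssl and not valid_dns:
        findings.append("no ssl-valid-server-dn: any server certificate DN is accepted")
    for key, value in ssl.items():
        if value is None:
            findings.append(f"{key} set neither in the cluster stanza nor in [ssl]")
    return {"servers": servers, "uses_ssl": uses_ssl,
            "valid_server_dns": valid_dns, "ssl": ssl, "findings": findings}


# Constructed sample: three servers, one of which is plain HTTP, and a
# cluster-level key label overriding the global [ssl] one.
SAMPLE_CONFIG = """
[ssl]
ssl-keyfile = /etc/pdweb/certs/client.kdb
ssl-keyfile-label = webseal-default
ssl-keyfile-stash = /etc/pdweb/certs/client.sth

[rtss-eas]
cluster-name = cluster1

[rtss-cluster:cluster1]
server = 9,https://rtss1.example.com:9443/rtss/authz/services/AuthzService
server = https://rtss2.example.com:9443/rtss/authz/services/AuthzService
server = 5,http://localhost:9080/rtss/authz/services/AuthzService
ssl-keyfile-label = rtss-client
handle-pool-size = 10
handle-idle-timeout = 240
timeout = 240
"""


def sample_result():
    """Resolve cluster1 of the constructed sample configuration."""
    return resolve_cluster(parse_config(SAMPLE_CONFIG), "cluster1")


if __name__ == "__main__":
    result = sample_result()
    for priority, url in result["servers"]:
        print(priority, url)
    for finding in result["findings"]:
        print("finding:", finding)
```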

[script-filtering] stanza

hostname-junction-cookie

Syntax

hostname-junction-cookie = {yes|no}

Description

Enables WebSEAL to uniquely identify the cookie used for resolving unfiltered links. This is used when another WebSEAL server has created a junction to this WebSEAL server, using a WebSEAL to WebSEAL junction.

Options

yes Enable.

no Disable.

Usage

This stanza entry is optional, but it is included by default in the configuration file.

Default value

no

Example

hostname-junction-cookie = no


rewrite-absolute-with-absolute

Syntax

rewrite-absolute-with-absolute = {yes|no}

Description

Enables WebSEAL to rewrite absolute URLs with new absolute URLs that contain the protocol, host, and port (optionally) that represent how the user accessed the WebSEAL server.

Options

yes Enable.

no Disable.

Usage

This stanza entry is optional.

Default value

There is no default value, but if the entry is not specified in this configuration file, WebSEAL assumes the value is no.

Example

rewrite-absolute-with-absolute = no

script-filter

Syntax

script-filter = {yes|no}

Description

Enables or disables script filtering support. When enabled, WebSEAL can filter absolute URLs encountered in scripts such as JavaScript.

Options

yes A value of yes means enabled.

no A value of no means disabled.

Usage

This stanza entry is optional, but is included by default.

Default value

When it is not declared, the value for the script-filter functionality is no by default.

Example

script-filter = no


[server] stanza

allow-shift-jis-chars

Syntax

allow-shift-jis-chars = {yes|no}

Description

Specifies whether junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.

Options

yes Junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.

no Junction file and path names using Shift-JIS multibyte characters containing the single byte character '\' will be rejected.

Usage

This stanza entry is required.

Default value

no

Example

allow-shift-jis-chars = no

allow-unauth-ba-supply

Use the allow-unauth-ba-supply stanza entry to control whether unauthenticated users can access junctions that were created with the -b supply option.

Syntax

allow-unauth-ba-supply = {yes|no}

Description

This parameter determines access to -b supply junctions by unauthenticated users. By default, unauthenticated users are required to log in before they can access any resource on a junctioned server, where that junction was created with the -b supply argument.

Options

yes When allow-unauth-ba-supply is set to yes, unauthenticated users can access -b supply junctions. The basic authentication header that is supplied by WebSEAL in the forwarded request contains the string unauthenticated for the value of the header.

no When allow-unauth-ba-supply is set to no, unauthenticated users cannot access -b supply junctions. Users receive a login prompt.


Usage

This stanza entry is required.

Default value

no

Example

allow-unauth-ba-supply = no

allow-unsolicited-logins

Use the allow-unsolicited-logins stanza entry to control whether WebSEAL accepts unsolicited login requests.

Syntax

allow-unsolicited-logins = {yes | no}

Description

This parameter controls whether WebSEAL accepts unsolicited authentication requests. If this parameter is set to no, WebSEAL accepts a login request only if WebSEAL sent the login form to the client to prompt authentication.

Options

yes When allow-unsolicited-logins is set to yes, WebSEAL accepts unsolicited logins.

no When allow-unsolicited-logins is set to no, WebSEAL does not accept unsolicited logins. This setting ensures that WebSEAL always issues a login form to the client as part of the authentication process.

Usage

This stanza entry is optional.

Default value

yes

Example

allow-unsolicited-logins = yes

auth-challenge-type

Syntax

auth-challenge-type = list

Description

Contains a comma-separated list of authentication types that is used when challenging a client for authentication information.


Each authentication type can be customized for particular user agent strings. For more information about authentication challenges based on the user agent, see the IBM Security Access Manager: WebSEAL Administration Guide.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [server:{jct_id}] stanza.

where {jct_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A comma-separated list of authentication types that is used when challenging a client for authentication information. The supported authentication types include:

v ba
v forms
v spnego
v token
v cert
v eai

The corresponding authentication configuration entry (for example, ba-auth) must be enabled for each specified authentication challenge type.

Each authentication type can also be qualified with a set of rules to specify the user agents that receive a given challenge type. These rules are separated by semicolons and placed inside square brackets preceding the authentication type. Each rule consists of a plus (+) or minus (-) symbol to indicate inclusion or exclusion, and the pattern to match on. The pattern can include:

v Alphanumeric characters
v Spaces
v Periods (.)
v Wildcard characters, such as the question mark (?) and asterisk (*)

Usage

This stanza entry is optional.

Default value

By default, the list of authentication challenge types matches the list of configured authentication mechanisms.

auth-challenge-type = ba
auth-challenge-type = forms,token

Example

auth-challenge-type = ba, forms, token
auth-challenge-type = [-msie;+ms]ba, [+mozilla*;+*explorer*]forms, token
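The following is an added example, not IBM's code, showing how a list such as the second example above can be parsed and evaluated against a User-Agent header, and how to check that every listed type has its mechanism enabled. The page does not fully specify the matching rules, so the code assumes that a pattern is a glob matched case-insensitively against any substring of the User-Agent, that an exclusion (-) rule overrides inclusions (+), and that a type without bracketed rules applies to every agent; the `enabled` mapping is a constructed stand-in for the real mechanism entries (ba-auth and so on).

```python
"""Evaluate auth-challenge-type user-agent rules (added example, not IBM code)."""
import fnmatch
import re

SUPPORTED_TYPES = {"ba", "forms", "spnego", "token", "cert", "eai"}

# One comma-separated item: an optional "[rule;rule]" prefix, then the type name.
_ITEM_RE = re.compile(r"^\s*(?:\[(?P<rules>[^\]]*)\])?\s*(?P<type>[A-Za-z]+)\s*$")


def parse_challenge_types(value):
    """Parse an auth-challenge-type value into [(type, [(sign, pattern), ...]), ...].

    Raises ValueError for a malformed item, an unsupported type, or a rule that
    does not start with + or -.
    """
    parsed = []
    for item in value.split(","):
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError(f"malformed auth-challenge-type item: {item!r}")
        ctype = m.group("type").lower()
        if ctype not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported challenge type: {ctype}")
        rules = []
        for rule in (m.group("rules") or "").split(";"):
            rule = rule.strip()
            if not rule:
                continue
            if rule[0] not in "+-" or len(rule) < 2:
                raise ValueError(f"rule must start with + or - and a pattern: {rule!r}")
            # Patterns may contain alphanumerics, spaces, periods, ? and *.
            rules.append((rule[0], rule[1:].strip().lower()))
        parsed.append((ctype, rules))
    return parsed


def _matches(pattern, user_agent):
    # Assumption: the pattern may match anywhere in the agent string, so it is
    # wrapped in '*' before a case-insensitive glob comparison.
    return fnmatch.fnmatchcase(user_agent.lower(), f"*{pattern}*")


def applicable_challenge_types(value, user_agent):
    """Return, in configured order, the challenge types that apply to this agent."""
    selected = []
    for ctype, rules in parse_challenge_types(value):
        if not rules:
            selected.append(ctype)          # unqualified type: challenge everyone
            continue
        if any(sign == "-" and _matches(pat, user_agent) for sign, pat in rules):
            continue                        # assumption: an exclusion wins
        if any(sign == "+" and _matches(pat, user_agent) for sign, pat in rules):
            selected.append(ctype)
    return selected


def check_mechanisms_enabled(value, enabled):
    """Return the listed types whose authentication mechanism is not enabled.

    `enabled` maps a type to whether its configuration entry (for example
    ba-auth for ba) is turned on; a non-empty result is a misconfiguration.
    """
    return [ctype for ctype, _ in parse_challenge_types(value)
            if not enabled.get(ctype, False)]


if __name__ == "__main__":
    cfg = "[-msie;+ms]ba, [+mozilla*;+*explorer*]forms, token"
    # Constructed User-Agent strings for illustration.
    for ua in ("Mozilla/4.0 (compatible; MSIE 6.0)",
               "Opera/9.80 (Windows NT; MSOffice 12)",
               "curl/7.64"):
        print(f"{ua!r} -> {applicable_challenge_types(cfg, ua)}")
    print("not enabled:", check_mechanisms_enabled(cfg, {"ba": True, "forms": True}))
```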

cache-host-header

Syntax

cache-host-header = {yes|no}


Description

This configuration option determines whether WebSEAL caches the host and protocol of the original request.

By default, when caching an original request, WebSEAL only caches the URL. That is, WebSEAL does not cache the host and protocol of the original request. In this case, when returning a redirect to the original URL, WebSEAL simply redirects to the current host. This causes problems if a request for a protected resource on one virtual host, hostA, results in an authentication operation being processed on a different virtual host, hostB. In this case, the client is incorrectly redirected to hostB rather than hostA. This behavior can be corrected by enabling this stanza entry so that WebSEAL can cache the host and protocol of the original request to be used for redirection.

Options

yes WebSEAL caches the host and protocol of the original request in addition to the URL. In this case:

v Both the host and protocol are cached and used in redirects. They cannot be separately managed.
v The protocol is not cached if the host header is not present.
v Requests will only be recovered from the cache if the protocol, the host and the URL all match the original request.

Limitations associated with this caching behavior:

v The contents of the existing URL macro will not include the protocol and host. No new macros have been added to represent these elements.
v It is not possible to specify a protocol and host when a switch user administrator specifies a URL.

no WebSEAL only caches the URL associated with the original request and redirects to the current host.

Usage

This stanza entry is optional.

Default value

no

Example

cache-host-header = yes

capitalize-content-length

Syntax

capitalize-content-length = {yes|no}

Description

This parameter determines whether WebSEAL uses capitalized first letters in the content-length header. That is, whether the name of the HTTP content-length header is Content-Length or content-length.


NOTE: The Documentum client application expects the name of the HTTP content-length header to be Content-Length, with a capitalized "C" and "L".

Options

yes WebSEAL uses the Documentum-compliant header name Content-Length.

no WebSEAL uses all lower case for the content-length header. That is, content-length.

Usage

This stanza entry is optional.

Default value

no

Example

capitalize-content-length = yes

client-connect-timeout

Syntax

client-connect-timeout = number_of_seconds

Description

After the initial connection handshake has occurred, this parameter dictates how long (in seconds) WebSEAL holds the connection open for the initial HTTP or HTTPS request.

Options

number_of_seconds

Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.

Usage

This stanza entry is required.

Default value

120

Example

client-connect-timeout = 120

chunk-responses

Syntax

chunk-responses = {yes|no}


Description

Enables WebSEAL to write chunked data to HTTP/1.1 clients. This can improve performance by allowing connections to be reused even when the exact response length is not known before the response is written.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

yes

Example

chunk-responses = yes

concurrent-session-threads-hard-limit

Syntax

concurrent-session-threads-hard-limit = number_of_threads

Description

The maximum number of concurrent threads that a single user session can consume. When a user session reaches its thread limit, WebSEAL stops processing any new requests for the user session and returns an error to the client.

If you do not specify a value for this entry, there is no limit to the number of concurrent threads that a user session can consume.

Options

number_of_threads

The maximum number of concurrent threads that a single user session can consume before WebSEAL returns an error.

Usage

This stanza entry is optional.

Default value

Unlimited.

Example

concurrent-session-threads-hard-limit = 10


concurrent-session-threads-soft-limit

Syntax

concurrent-session-threads-soft-limit = number_of_threads

Description

The maximum number of concurrent threads that a single user session can consume before WebSEAL generates warning messages. WebSEAL continues processing requests for this session until it reaches the configured concurrent-session-threads-hard-limit (also in the [server] stanza).

Options

number_of_threads

Integer value representing the maximum number of concurrent threads that a single session can consume before WebSEAL generates warning messages.

Usage

This stanza entry is optional.

Default value

Unlimited.

Example

concurrent-session-threads-soft-limit = 5

connection-request-limit

Syntax

connection-request-limit = number_of_requests

Description

Specifies the maximum number of requests that will be processed on a single persistent connection.

Options

number_of_requests

The maximum number of requests that will be processed on a single persistent connection.

Usage

This stanza entry is required.

Default value

100


Example

connection-request-limit = 100

cope-with-pipelined-request

Syntax

cope-with-pipelined-request = {yes|no}

Description

WebSEAL does not support pipelined requests from browsers. If this option is set to yes, when WebSEAL detects pipelined requests it will close the connection and inform the browser that it should re-send the pipelined requests in a normal manner. This parameter should always be set to yes unless the previous WebSEAL behavior is required.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

yes

Example

cope-with-pipelined-request = yes

decode-query

Syntax

decode-query = {yes|no}

Description

Validates the query string in requests according to the utf8-qstring-support-enabled parameter.

Options

yes When decode-query is set to yes, WebSEAL validates the query string in requests according to the utf8-qstring-support-enabled parameter. Otherwise, WebSEAL does not validate the query string.

no When decode-query is set to no, then dynurl must be disabled.

Usage

This stanza entry is required.


Default value

yes

Example

decode-query = yes

disable-timeout-reduction

Syntax

disable-timeout-reduction = {yes|no}

Description

By default, WebSEAL automatically reduces the timeout duration for threads as the number of in-use worker threads increases. The timeout duration is the maximum length of time that a persistent connection with the client can remain inactive before WebSEAL terminates the connection.

This configuration option determines whether WebSEAL reduces the timeout duration to help control the number of active worker threads. This option is available on all platforms.

Options

yes Disables the timeout reduction done by WebSEAL as the number of worker threads in use increases.

no WebSEAL performs timeout reduction as the number of worker threads in use increases.

Usage

This stanza entry is optional.

Default value

no

Example

disable-timeout-reduction = yes

See also

“max-file-descriptors” on page 266

double-byte-encoding

Syntax

double-byte-encoding = {yes|no}

Description

Specifies whether WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.


Options

yes WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.

no WebSEAL does not assume that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.

Usage

This stanza entry is required.

Default value

no

Example

double-byte-encoding = no

dynurl-allow-large-posts

Syntax

dynurl-allow-large-posts = {yes|no}

Description

Allows or disallows POST requests larger than the current value for the stanza entry request-body-max-read in the [server] stanza.

Options

yes When set to yes, WebSEAL compares only up to request-body-max-read bytes of the POST request to the URL mappings contained in the dynurl configuration file (dynurl.conf).

no When set to no, WebSEAL disallows POST requests with a body larger than request-body-max-read.

Usage

This stanza entry is required.

Default value

no

Example

dynurl-allow-large-posts = no

dynurl-map

Syntax

dynurl-map = relative_pathname

Description

Specifies the file that contains mappings for URLs to protected objects.


Options

relative_pathname

Location of the file that contains mappings for URLs to protected objects. The path is relative to the value of the server-root key in the [server] stanza.

The administrator can specify an alternate file name, and an alternate directory location. The file name can be any file name that is valid for the operating system file system. On Windows systems, both backslashes (\) and forward slashes (/) are supported in the directory path.

Usage

This stanza entry is optional.

Default value

None, but this entry is usually configured to lib/dynurl.conf.

Example

dynurl-map = lib/dynurl.conf

enable-IE6-2GB-downloads

Syntax

enable-IE6-2GB-downloads = {yes|no}

Description

Allows you to disable the HTTP Keep-Alives Enabled option for responses sent back to Internet Explorer, version 6, client browsers. The primary purpose of this is to allow WebSEAL to mimic the Internet Information Services workaround published at http://support.microsoft.com/kb/298618. This will allow clients using Microsoft Internet Explorer, version 6.0, to download files greater than 2GB, but less than 4GB.

NOTE:

v This stanza entry is not necessary for Internet Explorer 7 or for other non-Microsoft browsers.

v Enabling this workaround will cause WebSEAL to not use persistent connections for Internet Explorer, version 6, client connections when the data to be returned in the response is >= 2GB in length.

Options

yes Disables the HTTP Keep-Alives Enabled option, allowing clients using Internet Explorer, version 6, to download files greater than 2GB, but less than 4GB.

no The HTTP Keep-Alives Enabled is not disabled.

Usage

This stanza entry is optional.


Default value

no

Example

enable-IE6-2GB-downloads = yes

filter-nonhtml-as-xhtml

Syntax

filter-nonhtml-as-xhtml = {yes|no}

Description

Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.

Options

yes Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.

no Disable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.

Usage

This stanza entry is required.

Default value

no

Example

filter-nonhtml-as-xhtml = no

force-tag-value-prefix

Syntax

force-tag-value-prefix = {yes|no}

Description

Determines whether each attribute name set in a junction object's HTTP-Tag-Value is automatically prefixed with "tagvalue_" before it is placed in the credential. This prohibits access to credential attributes that do not have names beginning with "tagvalue_", such as AUTHENTICATION_LEVEL. When this option is set to no, the automatic prefixing of "tagvalue_" will not occur, so that all credential attributes can be specified in HTTP-Tag-Value.

Options

yes Enable the automatic prefixing of "tagvalue_" to each attribute name set in a junction object's HTTP-Tag-Value.

no Disable the automatic prefixing of "tagvalue_" so that all credential attributes can be specified in HTTP-Tag-Value.


Usage

This stanza entry is required.

Default value

yes

Example

force-tag-value-prefix = yes

http

Syntax

http = {yes|no}

Description

Specifies whether HTTP requests will be accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.

Options

yes Accept HTTP requests.

no Do not accept HTTP requests.

Usage

This stanza entry is required.

Default value

no

Example

http = yes

http-method-disabled-local

Syntax

http-method-disabled-local = [HTTP_methods]

Description

Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for local resources. By default, WebSEAL blocks the TRACE HTTP method.

Options

HTTP_methods

A comma-separated list of HTTP methods that are blocked when requesting local resources.


Usage

This stanza entry is required.

Default value

TRACE

Example

http-method-disabled-local = TRACE

http-method-disabled-remote

Syntax

http-method-disabled-remote = [HTTP_methods]

Description

Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for junctioned resources. By default, WebSEAL blocks the TRACE HTTP method.

Options

HTTP_methods

A comma-separated list of HTTP methods that are blocked when requesting remote resources.

Usage

This stanza entry is required.

Default value

TRACE

Example

http-method-disabled-remote = TRACE

http-port

Syntax

http-port = port_number

Description

Port on which WebSEAL listens for HTTP requests. This value is set during WebSEAL configuration. When the default HTTP port is already in use, WebSEAL configuration suggests the next available (unused) port number.

Options

port_number

The administrator can modify this number. Valid values include any port number not already in use on the host.


Usage

This stanza entry is required.

Default value

80

Example

http-port = 80

https

Syntax

https = {yes|no}

Description

Specifies whether HTTPS requests will be accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.

Options

yes Accept HTTPS requests.

no Do not accept HTTPS requests.

Usage

This stanza entry is required.

Default value

no

Example

https = yes

https-port

Syntax

https-port = port_number

Description

Port on which WebSEAL listens for HTTPS requests. This value is set during WebSEAL configuration. When the default port is already in use, WebSEAL configuration suggests the next available (unused) port number.

Options

port_number

The administrator can modify this number. Valid values include any port number not already in use on the host.


Usage

This stanza entry is required.

Default value

443

Example

https-port = 443

ignore-missing-last-chunk

Syntax

ignore-missing-last-chunk = {yes|no}

Description

Controls whether WebSEAL ignores a missing last chunk in a data-stream from a backend server that is using chunked transfer-encoding.

Options

yes WebSEAL will ignore a missing last-chunk in a data-stream from a backend server that is using chunked transfer-encoding. This matches the behavior in prior releases of WebSEAL.

no WebSEAL will RST (reset) the connection to the front-end browser if the last-chunk is not present.

Usage

This stanza entry is optional.

Default value

no

Example

ignore-missing-last-chunk = yes

intra-connection-timeout

Syntax

intra-connection-timeout = number_of_seconds

Description

This parameter affects request and response data sent as two or more fragments. The parameter specifies the timeout (in seconds) between each request data fragment after the first data fragment is received by WebSEAL. The parameter also governs the timeout between response data fragments after the first data fragment is returned by WebSEAL.


Options

number_of_seconds

If the value of this parameter is set to 0 (or not set), connection timeouts between data fragments are governed instead by the client-connect-timeout parameter. The exception to this rule occurs for responses returned over HTTP (TCP). In this case, there is no timeout between response fragments. If a connection timeout occurs on a non-first data fragment due to the intra-connection-timeout setting, a TCP RST (reset) packet is sent.

Usage

This stanza entry is required.

Default value

60

Example

intra-connection-timeout = 60

io-buffer-size

Syntax

io-buffer-size = number_of_bytes

Description

Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.

Options

number_of_bytes

Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.

The minimum value is 1. WebSEAL does not impose a maximum value.

A small value (for instance, 10 bytes) can hurt performance by causing frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions.

However, the low-level I/O functions might have their own internal buffers, such as the TCP send and receive buffers. When io-buffer-size exceeds the size of those buffers, there is no longer any performance improvement because those functions read only part of the buffer at a time.

Reasonable values for io-buffer-size range from 1 - 16 kB. Values smaller than this range cause the low-level I/O functions to be called too frequently. Values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread that communicates with the client, since there is an input and an output buffer.


Usage

This stanza entry is required.

Default value

4096

Example

io-buffer-size = 4096

ip-support-level

Syntax

ip-support-level = {displaced-only|generic-only|displaced-and-generic}

Description

Controls the amount of network information stored in a credential by specifying the required IP level.

Options

displaced-only

WebSEAL only generates the IPv4 attribute when building user credentials and when authenticating users through external authentication C API modules.

generic-only

WebSEAL only generates new generic attributes that support both IPv4 and IPv6 when building user credentials and when authenticating users through external authentication C API modules.

displaced-and-generic

Both sets of attribute types (produced by displaced-only and generic-only) are used when building user credentials and when authenticating users through external authentication C API modules.

Usage

This stanza entry is required.

Default value

generic-only

Example

ip-support-level = generic-only

ipv6-support

Syntax

ipv6-support = {yes|no}


Description

Enable/disable WebSEAL support for IPv6 format.

Options

yes Enable WebSEAL support for IPv6 format.

no Disable WebSEAL support for IPv6 format.

Usage

This stanza entry is required.

Default value

yes

Example

ipv6-support = yes

late-lockout-notification

Syntax

late-lockout-notification = {yes|no}

Description

WebSEAL returns a server response error page (acct_locked.html) that notifies the user of the penalty for reaching or exceeding the maximum value set by the max-login-failures policy. This stanza entry specifies whether this notification occurs when the user reaches the max-login-failures limit, or at the next login attempt after reaching the limit.

Options

yes Upon reaching the maximum value set by the max-login-failures policy, WebSEAL returns another login prompt to the user. WebSEAL does not send the account disabled error page to the user until the next login attempt. This response represents pre-version 6.0 behavior for the max-login-failures policy.

no Upon reaching the maximum value set by the max-login-failures policy, WebSEAL immediately sends the account disabled error page to the user.

Usage

Required

Default value

The default for new installations is no. The default for migrated installations is yes.

Example

late-lockout-notification = yes


max-client-read

Syntax

max-client-read = number_of_bytes

Description

Specifies the maximum number of bytes of request line and header information that WebSEAL holds in internal buffers when reading an HTTP request from a client. One purpose for max-client-read is to help protect WebSEAL from denial-of-service attacks.

As of Security Access Manager WebSEAL 6.0, the max-client-read stanza entry no longer impacts the request-body-max-read and request-max-cache stanza entries.

Options

number_of_bytes

The minimum value for this parameter is 32768 bytes. If the total size of the request line and headers is greater than the value specified for this parameter, WebSEAL closes the connection without reading any more data or sending any response to the client.

If the value is set to a number below 32768, the value is ignored and a value of 32768 is used. There is no maximum value. URL and header information in a typical request rarely exceeds 2048 bytes.

Usage

This stanza entry is required.

Default value

32768

Example

max-client-read = 32768

max-file-cat-command-length

Syntax

max-file-cat-command-length = number_of_bytes

Description

Specifies the maximum size of the file, specified in bytes, which may be returned from the file cat server task command.

If the value of this parameter is less than the size of the file specified in the file cat command, the returned file will be truncated. This parameter takes precedence over the optional -max bytes value in the file cat command.
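The following is an added example, not IBM's code, that models the checks described under max-client-read (above), http-method-disabled-local and http-method-disabled-remote on a raw request buffer: the documented 32768-byte floor, closing the connection when the request line and headers exceed the limit, and rejecting a blocked method. The split between local and remote (junctioned) resources is a constructed assumption here: a request whose first path segment is a configured junction point is treated as remote; everything else is local.

```python
"""Request-header preflight modelled on [server] entries (added example, not IBM code)."""

MAX_CLIENT_READ_FLOOR = 32768   # documented: values below this are ignored


def effective_max_client_read(configured):
    """Apply the documented floor: a configured value below 32768 becomes 32768."""
    return max(int(configured), MAX_CLIENT_READ_FLOOR)


def parse_method_list(value):
    """Turn a comma-separated method list such as 'TRACE, DELETE' into a set.

    Upper-casing the configured names is a normalisation chosen for this
    example, not documented behaviour.
    """
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def _is_remote(target, junctions):
    # Constructed rule: first path segment equal to a junction point => remote.
    path = target.split("?", 1)[0]
    if not path.startswith("/"):
        return False
    first_segment = "/" + path.split("/")[1]
    return first_segment in junctions


def preflight(raw_request, cfg, junctions):
    """Decide what happens to a client request before its body is read.

    raw_request: bytes received so far from the client.
    cfg: mapping of the three stanza entries to their string values.
    junctions: set of junction points, e.g. {'/app'} (constructed).

    Returns one of:
      ('close', reason)            connection closed, nothing sent (max-client-read)
      ('need-more', reason)        headers not complete yet, keep reading
      ('reject', reason)           method blocked by http-method-disabled-*
      ('forward', method, target)  request passes these checks
    """
    limit = effective_max_client_read(cfg.get("max-client-read", MAX_CLIENT_READ_FLOOR))
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        # Headers are not terminated yet; once the buffer reaches the limit
        # they can no longer fit, so the connection is closed silently.
        if len(raw_request) >= limit:
            return ("close", f"request line and headers exceed {limit} bytes")
        return ("need-more", "waiting for end of headers")
    header_bytes = end + 4                      # include the terminating CRLFCRLF
    if header_bytes > limit:
        return ("close", f"request line and headers exceed {limit} bytes")

    request_line = raw_request[:end].split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ("reject", "malformed request line")
    method, target, _version = parts

    key = ("http-method-disabled-remote" if _is_remote(target, junctions)
           else "http-method-disabled-local")
    if method.upper() in parse_method_list(cfg.get(key, "TRACE")):
        return ("reject", f"{method} is disabled by {key}")
    return ("forward", method, target)


if __name__ == "__main__":
    # Constructed configuration and requests for illustration.
    cfg = {"max-client-read": "1024",             # below the floor, so 32768 applies
           "http-method-disabled-local": "TRACE",
           "http-method-disabled-remote": "TRACE, DELETE"}
    junctions = {"/app"}
    samples = [b"GET /index.html HTTP/1.1\r\nHost: webseal\r\n\r\n",
               b"TRACE /index.html HTTP/1.1\r\nHost: webseal\r\n\r\n",
               b"DELETE /app/item/7 HTTP/1.1\r\nHost: webseal\r\n\r\n",
               b"GET / HTTP/1.1\r\nX-Pad: " + b"a" * 40000 + b"\r\n\r\n"]
    for raw in samples:
        print(raw[:24], "->", preflight(raw, cfg, junctions))
```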

Options

number_of_bytes


The maximum size of the file, specified in bytes, which may be returned from the file cat command.

Usage

This stanza entry is required.

Default value

1024

Example

max-file-cat-command-length = 512

max-file-descriptors

Syntax

max-file-descriptors = number_of_descriptors

Description

Sets the maximum number of sockets that WebSEAL uses in a Windows environment. This setting directly affects the number of worker threads available.

Note: You can use the connection-request-limit option, which is also in the [server] stanza, to increase the number of requests that WebSEAL processes on a persistent connection.

Options

number_of_descriptors

Integer value representing the maximum number of file descriptors (sockets) that WebSEAL uses. This setting directly affects the number of worker threads available to WebSEAL. The minimum value, and default, is the compiled FD_SETSIZE, which is 2048 for Windows.

Usage

This stanza entry is optional.

Note: This configuration option is available only on Windows. WebSEAL ignores this setting on all other platforms.

Default value

The default value is the compiled FD_SETSIZE, which is 2048 for Windows.

Example

max-file-descriptors = 2048

See also

“disable-timeout-reduction” on page 254
“connection-request-limit” on page 252


max-idle-persistent-connections

Syntax

max-idle-persistent-connections = number_of_connections

Description

The maximum number of idle client persistent connections. Use a value less than the maximum number of connections supported by WebSEAL to ensure that the idle connections do not consume all the available connections.

Options

number_of_connections

Integer value indicating the maximum number of idle client persistent connections.

Usage

This stanza entry is required.

Default value

512

Example

max-idle-persistent-connections = 512

network-interface

Syntax

network-interface = ip-address

Description

Specify an alternative IP address to be used by this instance of WebSEAL. This allows two or more WebSEAL instances to use different IP addresses and host names when running on the same machine.

Options

ip-address

IP address.

Usage

This stanza entry is optional.

Default value

0.0.0.0

Example

network-interface = 9.0.0.9


persistent-con-timeout

Syntax

persistent-con-timeout = number_of_seconds

Description

HTTP/1.1 connection timeout, in seconds. This setting affects connections to clients, not to backend server systems.

Options

number_of_seconds

HTTP/1.1 connection timeout, in seconds. Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.

A value of 0 causes WebSEAL to set the 'Connection: close' header and then close the connection on every response. If the value of this stanza entry is set to 0, the connection does not remain open for future requests.

Usage

This stanza entry is required.

Default value

5

Example

persistent-con-timeout = 5

pre-410-compatible-tokens

Syntax

pre-410-compatible-tokens = {yes|no}

Description

WebSEAL supports a common method of generating tokens for cross-domain single signon, failover, and e-community single signon. The security of these tokens was increased for version 4.1. This increase is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 3.9 or prior, set this value to yes.

Options

yes Support pre-410-compatible tokens.

no Do not support pre-410-compatible tokens.

Usage

This stanza entry is required.


Default value

no

Example

pre-410-compatible-tokens = no

pre-510-compatible-token

Syntax

pre-510-compatible-token = {yes|no}

Description

WebSEAL supports a common method of generating tokens for cross-domain single signon, failover, and e-community single signon. The format of these tokens changed for version 5.1. This change is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 4.1 or prior, set this value to yes.

Options

yes Support pre-510-compatible tokens.

no Do not support pre-510-compatible tokens.

Usage

This stanza entry is required.

Default value

no

Example

pre-510-compatible-tokens = no

preserve-base-href

Syntax

preserve-base-href = {yes|no}

Description

Specifies whether WebSEAL preserves BASE HREF tags in filtered HTML documents. When they are not preserved, WebSEAL removes all BASE HREF tags from the document and prepends the base URL to the filtered links instead.

Options

yes WebSEAL preserves the BASE HREF tag and filters it.

no WebSEAL removes BASE HREF tags and prepends the base URL to filtered links.

Usage

This stanza entry is required.

Default value

no

Example

preserve-base-href = no

preserve-base-href2

Syntax

preserve-base-href2 = {yes|no}

Description

Used in conjunction with the preserve-base-href option to specify the level of filtering on the BASE HREF tags.

NOTE: This option has no effect unless preserve-base-href (also in the [server] stanza) is set to yes.

Options

yes When set to yes, WebSEAL only performs the minimum filtering of the BASE HREF tag necessary to insert the WebSEAL host and junction names.

no When set to no, WebSEAL completely filters the BASE HREF tags. For BASE tags that do not contain a trailing slash, WebSEAL strips the last component.

Usage

This stanza entry is optional.

Default value

yes

Example

preserve-base-href2 = yes

preserve-p3p-policy

Syntax

preserve-p3p-policy = {yes|no}

Description

Specifies whether WebSEAL replaces or preserves P3P headers received from junctioned servers.

Options

yes The value yes means that headers are preserved.

no A value of no means that headers are replaced.

Usage

This stanza entry is required.

Default value

no

Example

preserve-p3p-policy = no

process-root-requests

Syntax

process-root-requests = {never|always|filter}

Description

Specifies how WebSEAL responds to requests for resources located at the root ("/") junction.

Options

never Root junction requests are never processed at the root junction.

always Always attempt to process requests for the root junction at the root junction first before attempting to use a junction mapping mechanism.

filter Examine all root junction requests to determine whether they start with the patterns specified in the [process-root-filter] stanza.

Usage

This stanza entry is required.

Default value

always

Example

process-root-requests = always

redirect-using-relative

Syntax

redirect-using-relative = {true|false}

Description

Specifies that WebSEAL use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.

This configuration change affects all redirect responses generated by WebSEAL. These redirect situations include:

- Redirect after authentication
- Redirect after logout
- Redirect after changing password
- Redirects during the e-community single signon authentication process
- Redirects during the cross-domain single signon authentication process
- Switch user processing
- Certificate authentication (prompt-as-needed only)
- Session displacement

Options

true Use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.

false Use an absolute format for the URL in the Location header of an HTTP 302 redirect response.

Usage

This stanza entry is not required and is a hidden entry.

Default value

false

Example

redirect-using-relative = true

reject-invalid-host-header

Syntax

reject-invalid-host-header = {yes|no}

Description

Determines whether requests to WebSEAL that carry an invalid Host header (one that does not conform to the Host header syntax in RFC 2616) are rejected with a status of 400, "Bad Request."

Options

yes All requests to WebSEAL with an invalid Host header are rejected with a status of 400, "Bad Request."

no Requests with an invalid Host header are not rejected.

Usage

This stanza entry is required.

Default value

no

Example

reject-invalid-host-header = no

reject-request-transfer-encodings

Syntax

reject-request-transfer-encodings = {yes|no}

Description

Specifies the WebSEAL response to requests containing the Transfer-Encoding header.

Options

yes WebSEAL rejects (with error status of 501, Not Implemented) any request with a Transfer-Encoding header value of anything other than "identity" or "chunked".

no WebSEAL may reject the request, or may forward it to the junctioned server in a corrupted state. This setting is available only for compatibility with versions of WebSEAL prior to version 6.0.

Usage

This stanza entry is required.

Default value

yes

Example

reject-request-transfer-encodings = yes

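The two entries above, reject-invalid-host-header and reject-request-transfer-encodings, are easier to reason about with a small model of the checks they switch on. The following Python is an added illustration and not WebSEAL or IBM code: it reads the two stanza values from a dict that defaults to the values documented on this page, validates the Host header against the host [ ":" port ] form of RFC 2616 (a conservative reading of that grammar, assumed here; bracketed IPv6 literals are not handled), and rejects unknown transfer codings with 501 as the entry describes. The header lists are constructed sample input.

```python
import re

# Conservative model of the RFC 2616 Host syntax, host [ ":" port ], where host is a
# dotted name of alphanumeric/hyphen labels (which also covers IPv4 literals). This is
# an assumption made for illustration, not WebSEAL's parser; bracketed IPv6 literals
# (RFC 2732) are deliberately not handled.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?)"
    r"(?::(?P<port>\d{1,5}))?$"
)

# Transfer codings the entry says WebSEAL forwards; anything else draws a 501.
ALLOWED_TRANSFER_CODINGS = ("identity", "chunked")

# Page defaults for the two [server] entries being modelled.
DEFAULTS = {
    "reject-invalid-host-header": "no",
    "reject-request-transfer-encodings": "yes",
}


def host_header_is_valid(value):
    """True if a Host header value has the form host[:port] with a usable port."""
    match = _HOST_RE.match(value.strip())
    if not match:
        return False
    port = match.group("port")
    return port is None or 0 < int(port) <= 65535


def transfer_codings(value):
    """Split a Transfer-Encoding value into lower-cased codings, parameters dropped."""
    return [c.strip().split(";", 1)[0].strip().lower() for c in value.split(",")]


def screen_request(headers, settings=None):
    """Apply both checks to a request's headers, given as (name, value) pairs.

    Returns (status, reason) for a request the checks would reject, or None if it
    may continue to authorization and junction processing.
    """
    cfg = {**DEFAULTS, **(settings or {})}

    if cfg["reject-invalid-host-header"] == "yes":
        hosts = [v for n, v in headers if n.lower() == "host"]
        # HTTP/1.1 requires a Host header; treating a repeated one as invalid
        # as well is an assumption of this model.
        if len(hosts) != 1 or not host_header_is_valid(hosts[0]):
            return 400, "Bad Request"

    if cfg["reject-request-transfer-encodings"] == "yes":
        for n, v in headers:
            if n.lower() == "transfer-encoding":
                if any(c not in ALLOWED_TRANSFER_CODINGS for c in transfer_codings(v)):
                    return 501, "Not Implemented"

    return None


# Constructed sample requests (header lists only).
GOOD = [("Host", "www.example.com:443"), ("Transfer-Encoding", "chunked")]
BAD_HOST = [("Host", "www.example.com/evil")]
ODD_CODING = [("Host", "www.example.com"), ("Transfer-Encoding", "gzip, chunked")]

if __name__ == "__main__":
    hardened = {"reject-invalid-host-header": "yes"}
    for label, request in (("GOOD", GOOD), ("BAD_HOST", BAD_HOST), ("ODD_CODING", ODD_CODING)):
        print(label, screen_request(request, hardened))
```

Two points worth noting from the model. With the page default of no for reject-invalid-host-header, a malformed Host header reaches authorization and the junctioned server untouched, so set it to yes unless a client population genuinely sends malformed values. Rejecting unknown transfer codings at the edge matters because a junctioned server that interprets the same Transfer-Encoding header differently from WebSEAL can disagree with it about where the request body ends; the no setting exists only for pre-6.0 compatibility.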
request-body-max-read

Syntax

request-body-max-read = number_of_bytes

Description

Maximum number of bytes to read in as content from the body of POST requests. The request-body-max-read stanza entry affects the request body only. It does not impose limits on other components of a request, such as the request line and headers. Used for dynurl, authentication, and request caching.

Options

number_of_bytes
Maximum number of bytes to read in as content from the body of POST requests. Used for dynurl, authentication, and request caching. Minimum number of bytes: 512.

Usage

This stanza entry is required.

Default value

4096

Example

request-body-max-read = 4096

request-max-cache

Syntax

request-max-cache = number_of_bytes

Description

Maximum amount of data to cache. This is used to cache request data when a user is prompted to authenticate before a request can be fulfilled.

Options

number_of_bytes
This value should be a positive integer. If set to zero (0), the user login succeeds but the request fails because WebSEAL cannot cache the request data. There is no maximum value.

Usage

This stanza entry is required.

Default value

8192

Example

request-max-cache = 8192

send-header-ba-first

Syntax

send-header-ba-first = {yes|no}

Description

By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-ba-first entry to ensure that WebSEAL selects the BA header before any of the other configured authentication mechanisms.

Options

yes WebSEAL sends the BA header first.

no WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.

Usage

This stanza entry is optional.

Default value

no

Example

send-header-ba-first = yes

See also

“send-header-spnego-first”

send-header-spnego-first

Syntax

send-header-spnego-first = {yes|no}

Description

By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-spnego-first entry to ensure that WebSEAL selects the SPNEGO header first, before any of the other configured authentication mechanisms.

SPNEGO authentication can use either forms login or a header.

Note: If send-header-ba-first is set to yes and send-header-spnego-first is set to no, WebSEAL sends a BA header first, but uses the default search for an SPNEGO forms login.

Options

yes WebSEAL sends the SPNEGO header first.

no WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.

Usage

This stanza entry is optional.

Default value

no

Example

send-header-spnego-first = yes

See also

“send-header-ba-first” on page 274

server-name

Syntax

server-name = host_name-instance_name

Description

The WebSEAL instance name.

Options

host_name-instance_name
The WebSEAL instance name, based on the host name of the machine and the instance name of the WebSEAL server. This value is set by the administrator during WebSEAL configuration. WebSEAL instance names must be alphanumeric. The maximum number of characters allowed is 20.

Usage

This stanza entry is required.

Default value

None.

Example

Example initial WebSEAL server with the default instance name accepted, on a host named diamond:

server-name = diamond-default

Example WebSEAL instance, specified as web2, on a host named diamond:

server-name = diamond-web2

server-root

Syntax

server-root = fully_qualified_path

Description

Root directory for the WebSEAL server. This value is set during WebSEAL configuration.

Options

fully_qualified_path
Root directory for the WebSEAL server. This value is set during WebSEAL configuration.

Usage

This stanza entry is required.

Default value

UNIX or Linux: /opt/pdweb/www-instance_name

Windows: C:/Program Files/Tivoli/PDWeb/www-instance_name

Example

server-root = /opt/pdweb/www-default

slash-before-query-on-redirect

Syntax

slash-before-query-on-redirect = {yes|no}

Description

When a client URL specifies a directory location that does not end in a trailing slash (/), the client is redirected to the same URL with a trailing slash added. This is necessary for ACL checks to work properly.

This stanza entry controls where the slash is added if the original URL contains a query string.

Options

yes Setting this value to yes causes the trailing slash to be added before the query string.

For example: /root/directoryname?query becomes /root/directoryname/?query

no Setting this value to no causes the trailing slash to be added after the query string.

For example: /root/directoryname?query becomes /root/directoryname?query/

NOTE: A setting of no could cause browser errors. This option exists for backwards compatibility only.

Usage

This stanza entry is optional.

Default value

no

Example

slash-before-query-on-redirect = yes

strip-www-authenticate-headers

Syntax

strip-www-authenticate-headers = {yes|no}

Description

Controls whether WebSEAL removes the following headers from the responses that it receives from junctioned servers:

- Negotiate www-authenticate header.
- NTLM www-authenticate header.

Options

yes When set to yes, WebSEAL removes these www-authenticate headers from junctioned server responses.

no When set to no, WebSEAL does not remove these www-authenticate headers from junctioned server responses.

Usage

This stanza entry is optional.

Default value

yes

Example

strip-www-authenticate-headers = yes

suppress-backend-server-identity

Syntax

suppress-backend-server-identity = {yes|no}

Description

Suppresses the identity of the back-end application server from HTTP responses. These responses normally include a line such as:

Server: IBM_HTTP_SERVER/version_number Apache/version_number (Win32)

Options

yes Setting this value to yes deletes the above header line from the server response.

no Setting this value to no leaves the above header line in the server response.

Usage

This stanza entry is required.

Default value

no

Example

suppress-backend-server-identity = no

suppress-dynurl-parsing-of-posts

Syntax

suppress-dynurl-parsing-of-posts = {yes|no}

Description

Determines whether POST bodies are used in dynurl processing.

Note: Before enabling this option, make certain that no dynurl-checked server application accepts arguments from POST bodies. Otherwise a dynurl check could be bypassed by sending the same arguments in a POST body instead of a query string.

Options

yes POST bodies are not used in dynurl processing; only query strings are used.

no POST bodies can be used in dynurl processing.

Usage

This stanza entry is required.

Default value

no

Example

suppress-dynurl-parsing-of-posts = no

suppress-server-identity

Syntax

suppress-server-identity = {yes|no}

Description

Suppresses the identity of the WebSEAL server from HTTP responses. These responses normally include the line:

Server: WebSEAL/version_number

Options

yes Setting this value to yes deletes the above header line from the server response.

no Setting this value to no leaves the above header line in the server response.

Usage

This stanza entry is required.

Default value

no

Example

suppress-server-identity = no

tag-value-missing-attr-tag

Syntax

tag-value-missing-attr-tag = tag_for_missing_attribute

Description

WebSEAL allows credential attributes to be inserted into the HTTP stream as HTTP headers. In the event that a requested attribute is not found in the credential, the HTTP header is still created with a static string. The tag-value-missing-attr-tag configuration entry defines the contents of the header.

Options

tag_for_missing_attribute
Tag inserted in the HTTP header in place of a missing attribute.

Usage

This stanza entry is required.

Default value

NOT_FOUND

Example

tag-value-missing-attr-tag = NOT_FOUND

unix-group

Syntax

unix-group = group_name

Description

UNIX group account for the WebSEAL server. This must be a valid UNIX group name. It is possible for a UNIX user account and a UNIX group to have the same name.

The validity of the group name specified depends on the requirements of the UNIX platform. Leading and trailing spaces are removed.

Options

group_name
Name of the UNIX group account for the WebSEAL server.

Usage

This stanza entry is required.

Default value

ivmgr

Example

unix-group = ivmgr

unix-pid-file

Syntax

unix-pid-file = fully_qualified_path

Description

Location and name of a file into which WebSEAL places its process ID (PID). Applies to UNIX and Windows systems. This value is set automatically during WebSEAL configuration. Typically there is no need to change this file name.

Options

fully_qualified_path
Location and name of the file into which WebSEAL places its process ID (PID).

Usage

This stanza entry is required.

Default value

UNIX or Linux: /var/pdweb/log/webseald.pid

Windows: C:/Program Files/Tivoli/PDWeb/log/webseald.pid

Example

UNIX or Linux:

unix-pid-file = /var/pdweb/log/webseald.pid

Windows:

unix-pid-file = C:/Program Files/Tivoli/PDWeb/log/webseald.pid

unix-user

Syntax

unix-user = user_name

Description

UNIX user account for the WebSEAL server. This must be a valid UNIX user name. It is possible for a UNIX user account and a UNIX group to have the same name.

The validity of the user name specified depends on the requirements of the UNIX platform. Leading and trailing spaces are removed.

Options

user_name
A valid UNIX user name.

Usage

This stanza entry is required.

Default value

ivmgr

Example

unix-user = ivmgr

use-existing-username-macro-in-custom-redirects

Syntax

use-existing-username-macro-in-custom-redirects = {yes|no}

Description

When using Local Response Redirection, you can use this configuration option to control how WebSEAL processes the USERNAME macro. By default, WebSEAL sets the USERNAME macro value to the string "unauthenticated" after an inactivity timeout. This processing does not match the behavior when WebSEAL serves static pages.

Use this option to override the default behavior and configure WebSEAL to set the USERNAME macro value to the authenticated username. That is, with this option set to yes, WebSEAL processes the USERNAME macro the same way when using Local Response Redirection as it does when serving static pages.

Options

yes When using Local Response Redirection, the USERNAME macro value is set to the authenticated username after an inactivity timeout.

no When using Local Response Redirection, the USERNAME macro value is set to the string "unauthenticated" after an inactivity timeout.

Usage

This stanza entry is optional.

Default value

no

Example

use-existing-username-macro-in-custom-redirects = yes

use-http-only-cookies

Syntax

use-http-only-cookies = {yes|no}

Description

Indicates whether WebSEAL adds the HttpOnly attribute to the Session, LTPA and Failover Set-Cookie headers that it sends. The attribute stops client-side script from reading these cookies.

Options

yes WebSEAL adds the HttpOnly attribute to the Session, LTPA and Failover Set-Cookie headers.

no WebSEAL does not add the HttpOnly attribute to the Session, LTPA and Failover Set-Cookie headers.

Usage

This stanza entry is required.

Default value

no

Example

use-http-only-cookies = no

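Several [server] entries on this page each remove or amend one response header: suppress-server-identity, suppress-backend-server-identity, strip-www-authenticate-headers and use-http-only-cookies. The following Python is an added example, not WebSEAL or IBM code: it parses a raw HTTP response and reports which of those four entries would have changed it, which is a quick way to check an instance from a captured response. The sample responses are constructed, and the cookie names it treats as WebSEAL's own (PD-S-SESSION-ID, PD-H-SESSION-ID, PD-ID, LtpaToken, LtpaToken2) are assumed defaults that should be adjusted to the deployment.

```python
# Assumed default names of the cookies that use-http-only-cookies covers (WebSEAL
# session cookies, failover cookie, LTPA cookie). Adjust to match your deployment.
WEBSEAL_COOKIES = ("PD-S-SESSION-ID", "PD-H-SESSION-ID", "PD-ID", "LtpaToken", "LtpaToken2")

# WWW-Authenticate schemes that strip-www-authenticate-headers removes from
# junctioned server responses.
STRIPPED_SCHEMES = ("negotiate", "ntlm")


def parse_response(raw):
    """Split a raw HTTP response into its status line and (name, value) header pairs.

    Header names are lower-cased; the body, if any, is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw):
    """Return the sorted names of the [server] entries whose hardened setting would
    have altered this response. An empty list means none of the four would."""
    _, headers = parse_response(raw)
    findings = set()
    for name, value in headers:
        if name == "server":
            if value.startswith("WebSEAL/"):
                findings.add("suppress-server-identity")
            else:
                findings.add("suppress-backend-server-identity")
        elif name == "www-authenticate":
            scheme = value.split(None, 1)[0].lower() if value else ""
            if scheme in STRIPPED_SCHEMES:
                findings.add("strip-www-authenticate-headers")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attributes = [a.strip().lower() for a in value.split(";")[1:]]
            if cookie_name in WEBSEAL_COOKIES and "httponly" not in attributes:
                findings.add("use-http-only-cookies")
    return sorted(findings)


# Constructed sample responses: one from an instance left at the page defaults,
# one from an instance with the four entries set to yes.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WebSEAL/7.0.0.0\r\n"
    "Set-Cookie: PD-S-SESSION-ID=1_2_example; Path=/; Secure\r\n"
    "Set-Cookie: appstate=xyz; Path=/app\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PD-S-SESSION-ID=1_2_example; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: appstate=xyz; Path=/app\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print("defaults:", audit_response(LEAKY_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

The application's own cookie (appstate in the samples) is reported in neither case: use-http-only-cookies only covers the cookies WebSEAL itself issues, so application cookies that need HttpOnly must get it from the junctioned server. Likewise a Basic challenge is not flagged, because strip-www-authenticate-headers only removes Negotiate and NTLM challenges from junctioned responses. All four entries default to no on this page, so a freshly configured instance shows every finding in the first sample.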
utf8-form-support-enabled

Syntax

utf8-form-support-enabled = {yes|no|auto}

Description

UTF-8 encoding support for form data.

Options

yes WebSEAL only recognizes UTF-8 encoding in forms and the data is used without modification.

no WebSEAL does not recognize UTF-8 encoding in forms. Used for local code page only.

auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.

Usage

This stanza entry is required.

Default value

yes

Example

utf8-form-support-enabled = yes

utf8-qstring-support-enabled

Syntax

utf8-qstring-support-enabled = {yes|no|auto}

Description

UTF-8 encoding support for query strings.

Options

yes WebSEAL only recognizes UTF-8 encoding in query strings and the data is used without modification.

no WebSEAL does not recognize UTF-8 encoding in query strings. Used for local code page only.

auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.

Usage

This stanza entry is required.

Default value

no

Example

utf8-qstring-support-enabled = no

utf8-url-support-enabled

Syntax

utf8-url-support-enabled = {yes|no|auto}

Description

Enable or disable support for UTF-8 encoded characters in URLs.

Options

yes WebSEAL only recognizes UTF-8 encoding in URLs and the data is used without modification.

no WebSEAL does not recognize UTF-8 encoding in URLs. Used for local code page only.

auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.

Usage

This stanza entry is required.

Default value

yes

Example

utf8-url-support-enabled = yes

validate-query-as-ga

Syntax

validate-query-as-ga = {yes|no}

Description

Determines whether WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL.

Options

yes WebSEAL does not return a "Bad Request" error when there is an invalid character present in the query portion of the URL.

no WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL.

Usage

This stanza entry is optional.

Default value

no

Example

validate-query-as-ga = yes

web-host-name

Syntax

web-host-name = manually-set-webseal-hostname

Description

The manual setting for the WebSEAL server's host name. If left unset, WebSEAL attempts to automatically determine the server's host name. On systems with many hostnames, interfaces, or WebSEAL instances, the automatic determination may not always be correct. The manual setting for web-host-name resolves any conflicts.

Options

manually-set-webseal-hostname
The manual setting for the WebSEAL server's host name, based on the fully qualified machine name.

Usage

This stanza entry is optional.

Default value

www.webseal.com

Example

web-host-name = abc.example.com

web-http-port

Syntax

web-http-port = port for web-http-protocol

Description

Defines the port that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface. Typically used together with web-http-protocol when a proxy or load balancer in front of WebSEAL accepts the browser connection and forwards it to the WebSEAL TCP port.

Options

port for web-http-protocol
The port number as seen by the client browser.

Usage

This stanza entry is optional.

Default value

same as HTTP port

Example

web-http-port = 443

web-http-protocol

Syntax

web-http-protocol = {http | https}

Description

Defines the protocol that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface.

Options

http WebSEAL functions behave as if the client is connected to WebSEAL in an HTTP environment (not HTTPS).

https Most WebSEAL functions behave as if the client is connected to WebSEAL in an HTTPS environment. There are exceptions and limitations to this rule. You cannot obtain SSL IDs or SSL client certificates using this parameter; therefore, [session] ssl-id-sessions cannot be used as a session key and [certificate] accept-client-certs cannot be used for authentication.

Usage

This stanza entry is optional.

Default value

http

Example

web-http-protocol = http

worker-threads

Syntax

worker-threads = number_of_threads

Description

Number of WebSEAL worker threads.

Options

number_of_threads
Number of WebSEAL worker threads. The minimum value is 1. The maximum number of threads is based on the number of file descriptors set for WebSEAL at compile time. Note that this number varies per operating system. If the value is set to a number larger than the WebSEAL-determined limit, WebSEAL reduces the value to the acceptable limit and issues a warning message.

Usage

This stanza entry is required.

Default value

300

Example

worker-threads = 300

[session] stanza

dsess-enabled

Syntax

dsess-enabled = {yes|no}

Description

Enable or disable use of the Session Management Server (SMS).

Options

yes Enable use of the Session Management Server (SMS). If this is set to "yes", the [dsess] stanza must have information about how to communicate with the SMS.

no Disable use of the Session Management Server (SMS).

Usage

This stanza entry is optional.

Default value

no

Example

dsess-enabled = no

dsess-last-access-update-interval

Syntax

dsess-last-access-update-interval = seconds

Description

Specifies the frequency at which WebSEAL updates the session last access time at the SMS.

Options

seconds
Smaller values offer more accurate inactivity timeout tracking, at the expense of sending updates to the SMS more frequently. Values of less than 1 second are not permitted.

Usage

This stanza entry is optional.

Default value

60

Example

dsess-last-access-update-interval = 60

enforce-max-sessions-policy

Syntax

enforce-max-sessions-policy = {yes|no}

Description

Control whether or not a specific WebSEAL instance enforces the max-concurrent-web-sessions policy.

Options

yes Enforce the max-concurrent-web-sessions policy.

no Do not enforce the max-concurrent-web-sessions policy.

Usage

This stanza entry is ignored unless WebSEAL is using the SMS for session storage.

Default value

yes

Example

enforce-max-sessions-policy = yes

inactive-timeout

Syntax

inactive-timeout = number_of_seconds

Description

Integer value for lifetime, in seconds, of inactive entries in the credential cache.

The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.

Options

number_of_seconds
The minimum number for this value is 0. WebSEAL does not impose a maximum value.

A stanza entry value of "0" disables this inactivity timeout feature (inactivity timeout value is unlimited). The control of cache entries is then governed by the timeout and max-entries stanza entries.

When a cache is full, the entries are cleared based on a least-recently-used algorithm.

Usage

This stanza entry is required.

Default value

600

Example

inactive-timeout = 600
unauth-inactive-timeout = 300

logout-remove-cookie

Syntax

logout-remove-cookie = {yes|no}

Description

Specifies whether or not to remove the session cookie from a user's browser when the user logs out from the WebSEAL domain. Setting this stanza entry to yes is necessary for the correct operation and use of the %OLDSESSION% macro.

Options

yes Remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.

no Do not remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.

Usage

This stanza entry is required.

Default value

no

Example

logout-remove-cookie = no

max-entries

Syntax

max-entries = number_of_entries

Description

Maximum number of concurrent entries in the credentials cache. When the cache size reaches this value, entries are removed from the cache according to a least recently used algorithm to allow new incoming logins.

The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.

Options

number_of_entries
The following conditions affect the specified value:

- If the specified value is less than or equal to 0, the cache size becomes unlimited.
- If the specified value is between 0 and 8192, the actual number of entries allowed is rounded up to the next multiple of 32.
- Any specified value greater than 8192 is accepted as given.

WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

4096

Example

max-entries = 4096
unauth-max-entries = 1024

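The inactive-timeout and max-entries entries above share two rules that are easy to get wrong when sizing the credential cache: an auth- or unauth- prefixed entry overrides the unprefixed value for one cache only, and a max-entries value up to 8192 is rounded up to a multiple of 32, while 0 or less means unlimited (and 0 for inactive-timeout means no inactivity timeout). The Python below is an added example, not WebSEAL or IBM code: it reads a [session] stanza fragment (constructed here) with configparser and reports the effective value for each cache. It assumes the stanza lines are plain key = value pairs that configparser can read, which holds for the entries shown.

```python
import configparser

# Page defaults for the two [session] entries, before any auth-/unauth- override.
CACHE_DEFAULTS = {"inactive-timeout": 600, "max-entries": 4096}


def effective_max_entries(value):
    """Apply the sizing rule documented for max-entries.

    Returns None for an unlimited cache (value <= 0), the value rounded up to the
    next multiple of 32 when it is at most 8192, and the value unchanged above that.
    """
    if value <= 0:
        return None
    if value <= 8192:
        return ((value + 31) // 32) * 32
    return value


def effective_inactive_timeout(value):
    """Return the inactivity lifetime in seconds, or None when 0 disables it."""
    if value < 0:
        raise ValueError("inactive-timeout must be 0 or greater")
    return None if value == 0 else value


def session_cache_settings(stanza_text):
    """Resolve the effective inactive-timeout and max-entries for the authenticated
    and unauthenticated caches from a [session] stanza fragment.

    A prefixed entry (auth-max-entries, unauth-inactive-timeout, ...) overrides the
    unprefixed one for that cache only; the page defaults fill any gap.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(stanza_text)
    session = parser["session"] if parser.has_section("session") else {}
    resolved = {}
    for cache in ("auth", "unauth"):
        for key, default in CACHE_DEFAULTS.items():
            raw = session.get(f"{cache}-{key}", session.get(key, str(default)))
            value = int(raw)
            if key == "max-entries":
                resolved[f"{cache}-{key}"] = effective_max_entries(value)
            else:
                resolved[f"{cache}-{key}"] = effective_inactive_timeout(value)
    return resolved


# Constructed [session] fragment: the unauthenticated cache is given a shorter
# lifetime and a smaller size that is not a multiple of 32, to show the rounding.
SAMPLE_STANZA = """
[session]
inactive-timeout = 600
unauth-inactive-timeout = 300
max-entries = 4096
unauth-max-entries = 1000
"""

if __name__ == "__main__":
    for name, value in session_cache_settings(SAMPLE_STANZA).items():
        print(f"{name} = {'unlimited' if value is None else value}")
```

Sizing the unauthenticated cache separately, as the sample does, keeps a burst of anonymous requests from evicting authenticated sessions under the least-recently-used rule described above; note that a value such as 1000 is really 1024 once the rounding rule is applied.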
prompt-for-displacement

Syntax

prompt-for-displacement = {yes|no}

Description

Determines whether or not a user is prompted for appropriate action when the max-concurrent-web-sessions displace policy has been exceeded.

Options

yes Enables the interactive option, where the user is prompted for appropriate action. When a second login is attempted, the user receives the too_many_sessions.html response page.

no Enables the non-interactive option, where the user is not prompted for appropriate action. When a second login is attempted, the original (older) login session is automatically terminated with no prompt. A new session is created for the user and the user is logged in to this new session transparently. The original (older) session is no longer valid.

Usage

This stanza entry is required.

Default value

yes

Example

prompt-for-displacement = yes

register-authentication-failures

Syntax

register-authentication-failures = {yes|no}

Description

Configure WebSEAL to notify the SMS when login failures occur. SMS can generate a login history based on this information.

Options

yes If set to yes, WebSEAL notifies the SMS when login failures occur so that users can be shown a history of their last successful and failed logins.

no If set to no, WebSEAL does not notify the SMS when login failures occur.

Usage

This stanza entry is optional.

Default value

no

Example

register-authentication-failures = no

require-mpa

Syntax

require-mpa = {yes|no}

Description

Controls whether WebSEAL accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).

Options

yes WebSEAL only accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).

no WebSEAL accepts HTTP headers under any condition.

Usage

This stanza entry is required.

Default value

yes

Example

require-mpa = yes

resend-webseal-cookies

Syntax

resend-webseal-cookies = {yes|no}

Description

When you configure WebSEAL to use session cookies, specifies whether or not WebSEAL sends the session cookie to the browser with every response.

Options

yes Specifies that WebSEAL sends the session cookie to the browser with every response. This action helps to ensure that the session cookie remains in the browser memory.

no Specifies that WebSEAL does not send the session cookie to the browser with every response.

Usage

This stanza entry is required.

Default value

no

Example

resend-webseal-cookies = no

send-constant-sess

Syntaxsend-constant-sess = {yes|no}

Description

Determines whether a session cookie containing a separate, constant identifier isissued during step-up operations to enable tracking for each authenticated session.The identifier remains constant across a single session, regardless of whether thesession key changes. The name of the cookie is that of the actual session codeappended with the suffix -2, for example, PD_S_SESSION_ID_2. This feature isintended to augment the -k junction option.

Options

yes A session cookie containing a separate, constant identifier is issued during step-up operations to allow tracking for each authenticated session.

no No session cookie is issued during step-up operations.

Usage

This stanza entry is required.


Default value

no

Example

send-constant-sess = no

shared-domain-cookie

Syntax

shared-domain-cookie = {yes | no}

Description

Enables a cookie-based session to be shared across all standard and virtual host junctions on a single WebSEAL instance. To share a session in this manner, the WebSEAL instance must store a single session key as an independent value in a multi-valued domain cookie. The multi-valued domain cookie must be indexed by the instance name.

The domain cookie itself is shared across all participating WebSEAL instances, but the session values are specific to each instance.

If WebSEAL exists in an environment where SMS already handles single sign-on across domains, do not enable this configuration item.

Options

yes Enables single sign-on across virtual host junctions in the same WebSEAL instance.

no Disables single sign-on across virtual host junctions in WebSEAL.

Usage

This stanza entry is optional.

Default value

no

Example

shared-domain-cookie = yes

ssl-id-sessions

Syntax

ssl-id-sessions = {yes|no}

Description

Indicates whether to use the SSL ID to maintain a user's HTTP login session.

Options

yes Use the SSL ID to maintain a user's HTTP login session.


no Do not use the SSL ID to maintain a user's HTTP login session. This value must be set to no when the following key = value pair is set:

[certificate]
accept-client-certs = prompt_as_needed

Usage

This stanza entry is required.

Default value

yes

Example

ssl-id-sessions = yes

ssl-session-cookie-name

Syntax

ssl-session-cookie-name = name

Description

Specifies the default or custom name of WebSEAL session cookies.

Options

name Specifies the default or custom name of WebSEAL session cookies.

Usage

This stanza entry is required.

Default value

PD-S-SESSION-ID

Example

ssl-session-cookie-name = PD-S-SESSION-ID

standard-junction-replica-set

Syntax

standard-junction-replica-set = replica_set_name

Description

The replica set to use for sessions created when users access standard WebSEAL junctions. Virtual host junctions use either the replica set specified with the virtualhost create -z option or the virtual host name for the junction.

If using the SMS for session storage, the replica set specified here must also be specified in the [replica-sets] stanza.


Options

replica_set_name

Replica set name.

Usage

This stanza entry is required.

Default value

default

Example

standard-junction-replica-set = default

tcp-session-cookie-name

Syntax

tcp-session-cookie-name = name

Description

Specifies the default or custom name of WebSEAL session cookies.

Options

name Specifies the default or custom name of WebSEAL session cookies.

Usage

This stanza entry is required.

Default value

PD-H-SESSION-ID

Example

tcp-session-cookie-name = PD-H-SESSION-ID

temp-session-cookie-name

Syntax

temp-session-cookie-name = cookie_name

Description

Sets the name of the temporary session cookie that is created for session sharing with Microsoft Office applications. WebSEAL creates a temporary cookie with this name when it responds to a /pkmstempsession management page request.

Options

cookie_name

A string value that represents the name of the single-use cookie that WebSEAL uses to store session information.


Note: This configuration entry must be used in conjunction with a non-zero value for the temp-session-max-lifetime entry, which is also in the [session] stanza. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Access Manager: WebSEAL Administration Guide.

Usage

This stanza entry is required.

Default value

None.

Example

temp-session-cookie-name = PD-TEMP-SESSION-ID

temp-session-max-lifetime

Syntax

temp-session-max-lifetime = number_of_seconds

Description

Positive integer that expresses the maximum lifetime (in seconds) of entries in the temporary session cache.

Options

number_of_seconds

A positive integer that represents the maximum lifetime in seconds. Specify a value of 0 to disable the temporary session cache.

Note: A non-zero value must be configured to enable session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Access Manager: WebSEAL Administration Guide.

Usage

This stanza entry is optional.

Default value

None.

Example

temp-session-max-lifetime = 10

timeout

Syntax

timeout = number_of_seconds


Description

Integer value for maximum lifetime, in seconds, for an entry in the credential cache.

The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry prefixed with auth- or unauth-, for example unauth-timeout.

Options

number_of_seconds

The minimum number for this value is 0. WebSEAL does not impose a maximum value.

A stanza entry value of "0" disables this timeout feature (lifetime value is unlimited). The control of cache entries is then governed by the inactive-timeout and max-entries stanza entries.

When the cache is full, the entries are cleared based on a least-recently-used algorithm.

Usage

This stanza entry is required.

Default value

3600

Example

timeout = 3600
unauth-timeout = 600

update-session-cookie-in-login-request

Syntax

update-session-cookie-in-login-request = {yes|no}

Description

Controls whether the existing session cookie, found in the HTTP request, is updated if the session ID is modified during the processing of the request.

Options

yes

The existing session cookie is updated if the session ID is modified during the processing of the request.

no

The existing session cookie is not updated if the session ID is modified during the processing of the request.

Usage

This stanza entry is optional.


Default value

no

Example

update-session-cookie-in-login-request = no

user-session-ids

Syntax

user-session-ids = {yes|no}

Description

Enables or disables the creation and handling of user session IDs.

Options

yes

Enables the creation and handling of user session IDs.

no

Disables the creation and handling of user session IDs.

Usage

This stanza entry is required.

Default value

no

Example

user-session-ids = yes

user-session-ids-include-replica-set

Syntax

user-session-ids-include-replica-set = {yes|no}

Description

Include the replica set in the user session ID.

Options

yes If set to "yes", then user-session-ids = yes includes the replica set.

no If set to "no", then WebSEAL does not include the replica set for user-session-ids = yes and assumes that any user session specified in the pdadmin terminate session command belongs to the default replica set.

Usage

This stanza entry is required.


Default value

yes

Example

user-session-ids-include-replica-set = yes

use-same-session

Syntax

use-same-session = {yes|no}

Description

Indicates whether to use the same session for SSL and HTTP clients.

Options

yes When set to yes, a user who has authenticated over HTTP will be authenticated when connecting over HTTPS. Likewise, the user who has authenticated over HTTPS will be authenticated when connecting over HTTP. Using yes will override ssl-id-sessions = yes, because HTTP clients do not read an SSL ID to maintain sessions.

no Do not use the same session for SSL and HTTP clients.

Usage

This stanza entry is required.

Default value

no

Example

use-same-session = no

[session-cookie-domains] stanza

domain

Syntax

domain = url

Description

Normally WebSEAL session cookies are host cookies that browsers only return to the host that originally set them.

This stanza is used to configure domain session cookies that are sent to any host in a particular DNS domain.

Options

url Domains that share the domain cookie.


Usage

This stanza entry is optional.

Default value

None.

Example

domain = example.com

[session-http-headers] stanza

header_name

Syntax

header_name = {http|https}

Description

Configures HTTP headers to maintain session state.

Options

http

Configures HTTP headers to maintain session state over the HTTP transport.

https

Configures HTTP headers to maintain session state over the HTTPS transport.

Usage

This stanza entry is optional.

Default value

None.

Example

entrust-client = https

[spnego] stanza

spnego-auth

Syntax

spnego-auth = {none|http|https|both}

Description

Enables authentication using the SPNEGO authentication mechanism.


When SPNEGO authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

spnego-auth = none

spnego-krb-keytab-file

Syntax

spnego-krb-keytab-file = fully_qualified_path

Description

The path to the Kerberos keytab file for the WebSEAL server.

Options

fully_qualified_path

The path to the Kerberos keytab file for the WebSEAL server.

Usage

This stanza entry is required on UNIX platforms only.

Default value

None.

Example

spnego-krb-keytab-file = /opt/pdweb/etc/diamond_HTTP.keytab

spnego-krb-service-name

Syntax

spnego-krb-service-name = kerberos_server_principal_name

Description

Specifies the Kerberos service-principal-name (SPN) for the server.


Options

kerberos_server_principal_name

This name is created by combining the string HTTP with the host name. The syntax is:

HTTP@host_name

The host name is the DNS name by which browsers contact the Web server. In most cases, the host name should be fully qualified.

Usage

This stanza entry is required on UNIX platforms only.

Default value

None.

Example

spnego-krb-service-name = [email protected]

use-domain-qualified-name

Syntax

use-domain-qualified-name = {yes|no}

Description

SPNEGO authentication provides a principal name of the form [email protected]. By default, Security Access Manager uses only the short name as the Access Manager user ID. If this parameter is set to yes, then Access Manager will include the domain as part of the Access Manager user ID.

Note: The use-domain-qualified-name stanza entry has no effect if multiple-domain Active Directory is used as the Security Access Manager user registry. In this case, the domain name is always included as part of the Security Access Manager user name.

Options

yes

Security Access Manager includes the domain portion of the principal name as part of the Access Manager user ID. For example, say that SPNEGO authentication provides a principal name of [email protected]. If use-domain-qualified-name is no, then the Access Manager user ID is user. If use-domain-qualified-name is yes, then the Access Manager name is [email protected].

no

Security Access Manager uses only the short name as the Access Manager user ID, and does not include the domain portion of the principal name.

Usage

This stanza entry is required.


Default value

no

Example

use-domain-qualified-name = yes

[ssl] stanza

base-crypto-library

Syntax

base-crypto-library = {Default|RSA|ICC}

Description

Specifies the cipher engine used by GSKit.

Options

Default

The value Default tells GSKit to use the optimal cryptographic base.

RSA Use RSA. Note that setting it to RSA affects the settings possible for fips-mode-processing.

ICC Use ICC.

Usage

This stanza entry is required.

Default value

Default

Example

base-crypto-library = Default

crl-ldap-server

Syntax

crl-ldap-server = server_name

Description

Specifies the server to be contacted to obtain Certificate Revocation Lists (CRL).

Options

server_name

This parameter can be set to one of two types of values:

1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:

- crl-ldap-server-port
- crl-ldap-user
- crl-ldap-user-password

2. The literal string "URI". In the case where no direct LDAP server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.

NOTE: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-server = diamond.example.com

crl-ldap-server-port

Syntax

crl-ldap-server-port = port_number

Description

Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during SSL authentication.

Options

port_number

Port number for communication with the LDAP server specified in crl-ldap-server.

Usage

This stanza entry is optional. When crl-ldap-server is set, this stanza entry is required.

Default value

None.

Example

crl-ldap-server-port = 389


crl-ldap-user

Syntax

crl-ldap-user = user_DN

Description

Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.

Options

user_DN

Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.

Usage

This stanza entry is optional. A null value for crl-ldap-user indicates that the SSL authenticator should bind to the LDAP server anonymously.

Default value

None.

Example

crl-ldap-user = cn=webseald/diamond,cn=SecurityDaemons,secAuthority=Default

crl-ldap-user-password

Syntax

crl-ldap-user-password = password

Description

Password for the user specified in crl-ldap-user.

Options

password

Password for the user specified in crl-ldap-user.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-user-password = mypassw0rd


disable-ncipher-bsafe

Syntax

disable-ncipher-bsafe = {yes|no}

Description

Disables or permits the automatic use by WebSEAL of nCipher hardware cards for SSL acceleration over BHAPI (Bsafe). WebSEAL detects this hardware when present, and uses it unless this stanza entry is set to yes.

Options

yes Disables the automatic use by WebSEAL of nCipher hardware cards for SSL acceleration over BHAPI (Bsafe).

no Permits the automatic use by WebSEAL of nCipher hardware cards for SSL acceleration over BHAPI (Bsafe); WebSEAL uses the hardware whenever it detects it.

Usage

This stanza entry is required.

Default value

no

Example

disable-ncipher-bsafe = no

disable-rainbow-bsafe

Syntax

disable-rainbow-bsafe = {yes|no}

Description

Disables or permits the automatic use by WebSEAL of Rainbow Cryptoswift hardware cards for SSL acceleration over BHAPI (Bsafe). WebSEAL detects this hardware when present, and uses it unless this stanza entry is set to yes.

Options

yes Disables the automatic use by WebSEAL of Rainbow Cryptoswift hardware cards for SSL acceleration over BHAPI (Bsafe).

no Permits the automatic use by WebSEAL of Rainbow Cryptoswift hardware cards for SSL acceleration over BHAPI (Bsafe); WebSEAL uses the hardware whenever it detects it.

Usage

This stanza entry is optional.

Default value

no


Example

disable-rainbow-bsafe = no

disable-ssl-v2

Syntax

disable-ssl-v2 = {yes|no}

Description

Disables support for SSL version 2. Support for SSL v2 is disabled by default. The WebSEAL configuration sets this value.

Options

yes Support is disabled.

no Support is enabled.

Usage

This stanza entry is optional. When not specified, the default is yes.

Default value

yes

Example

disable-ssl-v2 = yes

disable-ssl-v3

Syntax

disable-ssl-v3 = {yes|no}

Description

Disables support for SSL Version 3. Support for SSL V3 is enabled by default. The WebSEAL configuration sets this value.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no.

Default value

no

Example

disable-ssl-v3 = no


disable-tls-v1

Syntax

disable-tls-v1 = {yes|no}

Description

Disables support for TLS Version 1. Support for TLS V1 is enabled by default. The WebSEAL configuration sets this value.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no.

Default value

no

Example

disable-tls-v1 = no

disable-tls-v11

Syntax

disable-tls-v11 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1. WebSEAL supports TLS version 1.1 by default.

Options

yes The value yes disables support for TLS version 1.1.

no The value no enables support for TLS version 1.1.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v11 = no


disable-tls-v12

Syntax

disable-tls-v12 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2. WebSEAL supports TLS version 1.2 by default.

Options

yes The value yes disables support for TLS version 1.2.

no The value no enables support for TLS version 1.2.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v12 = no

enable-duplicate-ssl-dn-not-found-msgs

Syntax

enable-duplicate-ssl-dn-not-found-msgs = {yes | no}

Description

Determines whether WebSEAL logs a warning message every time you open a connection to a junction that has:

- either the -K or the -B flag set, but
- the -D flag not set.

By default, WebSEAL logs duplicate messages whenever it opens another connection to the junction. These messages appear in the following format:

DPWIV1212W No server DN is defined for 'server.ibm.com'.
The junctioned server DN verification is not performed.

Options

yes Duplicate messages are created. Every time a connection is opened to a junction that has the -K or -B flags specified without the -D option, WebSEAL logs a warning.

no When the server starts, WebSEAL logs a single warning only for each affected junction.

Usage

This stanza entry is required.


Default value

yes

Example

enable-duplicate-ssl-dn-not-found-msgs = no

fips-mode-processing

Syntax

fips-mode-processing = {yes|no}

Description

Enables or disables FIPS mode processing.

Options

yes A value of yes enables FIPS mode processing.

no A value of no disables FIPS mode processing. When base-crypto-library = RSA, this value must be no.

Usage

This stanza entry is required.

Default value

no

Example

fips-mode-processing = no

gsk-attr-name

Syntax

gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with the client. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number}

The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.


Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

GSK_BASE_CRYPTO_LIBRARY
GSK_SSL_FIPS_MODE_PROCESSING
GSK_FIPS_MODE_PROCESSING
GSK_OCSP_ENABLE
GSK_OCSP_URL
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_REQUEST_SIGKEYLABEL
GSK_OCSP_REQUEST_SIGALG
GSK_OCSP_PROXY_SERVER_NAME
GSK_OCSP_PROXY_SERVER_PORT
GSK_OCSP_RETRIEVE_VIA_GET
GSK_OCSP_MAX_RESPONSE_SIZE
GSK_KEYRING_FILE
GSK_KEYRING_PW
GSK_CRL_CACHE_SIZE
GSK_CRL_CACHE_ENTRY_LIFETIME
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_LDAP_SERVER
GSK_LDAP_SERVER_PORT
GSK_LDAP_USER
GSK_LDAP_USER_PW
GSK_ACCELERATOR_NCIPHER_NF
GSK_ACCELERATOR_RAINBOW_CS
GSK_PKCS11_DRIVER_PATH
GSK_PKCS11_TOKEN_LABEL
GSK_PKCS11_TOKEN_PWD
GSK_PKCS11_ACCELERATOR_MODE
GSK_V2_SESSION_TIMEOUT
GSK_V3_SESSION_TIMEOUT
GSK_PROTOCOL_SSLV2
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_TLSV1
GSK_CLIENT_AUTH_TYPE
GSK_SESSION_TYPE
GSK_IO_CALLBACK
GSK_RESET_SESSION_TYPE_CALLBACK
GSK_NO_RENEGOTIATION
GSK_ALLOW_ABBREVIATED_RENEGOTIATION

If you attempt to modify any of these attributes, then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

gsk-attr-name = string:225:proxy.ibm.com


See also

“gsk-attr-name” on page 90
“gsk-attr-name” on page 344
“jct-gsk-attr-name” on page 314
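The following added example (not IBM's code) parses a constructed webseald.conf fragment and checks the [session], [spnego] and [ssl] entries described above against the constraints their descriptions state: the protocol-version defaults (SSL v2 off, SSL v3 and TLS v1 on), fips-mode-processing versus base-crypto-library = RSA, the crl-ldap-server-port requirement, the {enum | string | number}:id:value form of gsk-attr-name, the use-same-session and ssl-id-sessions caveats, a timeout of 0 (including auth-/unauth- prefixed entries), and the HTTP@host_name form of the SPNEGO service principal. The sample configuration, host names and finding texts are constructed for the example.

```python
import re
from collections import defaultdict
from functools import partial

# Constructed webseald.conf fragment (not from a real deployment); it deliberately
# contains several of the misconfigurations that the stanza descriptions warn about.
SAMPLE_CONF = """\
[session]
ssl-id-sessions = yes
use-same-session = yes
timeout = 0
unauth-timeout = 600

[certificate]
accept-client-certs = prompt_as_needed

[spnego]
spnego-auth = https
spnego-krb-service-name = diamond.example.com

[ssl]
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no
fips-mode-processing = yes
base-crypto-library = RSA
crl-ldap-server = diamond.example.com
gsk-attr-name = string:225:proxy.ibm.com
gsk-attr-name = text:999:bogus
"""

STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
GSK_ATTR_RE = re.compile(r"^(enum|string|number):(\d+):(.+)$")  # {type}:id:value


def parse_stanzas(text):
    """Parse stanza text into {stanza: [(key, value), ...]}; keys may repeat (gsk-attr-name)."""
    stanzas = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def first(conf, stanza, key, default=None):
    """First value of key in stanza, or default when the entry is absent."""
    return next((v for k, v in conf.get(stanza, []) if k == key), default)


def audit(text):
    """Return findings for the [session], [spnego] and [ssl] entries described above."""
    conf = parse_stanzas(text)
    findings = []
    ssl = partial(first, conf, "ssl")
    sess = partial(first, conf, "session")
    # SSL v2 is disabled by default; SSL v3 and TLS 1.0 are enabled by default.
    for key, default in (("disable-ssl-v2", "yes"), ("disable-ssl-v3", "no"),
                         ("disable-tls-v1", "no")):
        if ssl(key, default) != "yes":
            findings.append(f"[ssl] {key} is not yes: legacy protocol still accepted")
    # fips-mode-processing must be no when base-crypto-library = RSA.
    if ssl("base-crypto-library", "Default") == "RSA" and ssl("fips-mode-processing", "no") == "yes":
        findings.append("[ssl] fips-mode-processing = yes conflicts with base-crypto-library = RSA")
    # crl-ldap-server-port becomes required once crl-ldap-server is set.
    if ssl("crl-ldap-server") and not ssl("crl-ldap-server-port"):
        findings.append("[ssl] crl-ldap-server is set but crl-ldap-server-port is missing")
    # Every gsk-attr-name entry must match {enum|string|number}:id:value.
    for key, value in conf.get("ssl", []):
        if key == "gsk-attr-name" and not GSK_ATTR_RE.match(value):
            findings.append(f"[ssl] malformed gsk-attr-name value: {value}")
    # use-same-session = yes carries an HTTP login over to HTTPS (and back); it overrides ssl-id-sessions.
    if sess("use-same-session", "no") == "yes":
        findings.append("[session] use-same-session = yes shares one session across HTTP and HTTPS")
    # ssl-id-sessions must be no when [certificate] accept-client-certs = prompt_as_needed.
    if (sess("ssl-id-sessions", "yes") == "yes"
            and first(conf, "certificate", "accept-client-certs") == "prompt_as_needed"):
        findings.append("[session] ssl-id-sessions = yes requires accept-client-certs != prompt_as_needed")
    # A timeout of 0 (plain or auth-/unauth- prefixed) removes the cache lifetime limit.
    for key, value in conf.get("session", []):
        if key in ("timeout", "auth-timeout", "unauth-timeout") and value == "0":
            findings.append(f"[session] {key} = 0 makes the credential cache lifetime unlimited")
    # With SPNEGO enabled the service principal must have the form HTTP@host_name.
    spn = first(conf, "spnego", "spnego-krb-service-name", "")
    if first(conf, "spnego", "spnego-auth", "none") != "none" and not re.fullmatch(r"HTTP@[A-Za-z0-9.-]+", spn):
        findings.append(f"[spnego] spnego-krb-service-name is not HTTP@host_name: {spn!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```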

gsk-crl-cache-entry-lifetime

Syntax

gsk-crl-cache-entry-lifetime = number_of_seconds

Description

Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache.

See also the standards documents for SSL V3 and TLS V1 (RFC 2246) for more information on CRLs.

Options

number_of_seconds

Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache. The minimum value is 0. The maximum value is 86400. Neither WebSEAL nor GSKit impose a maximum value on the cache entry lifetime.

Usage

This stanza entry is required.

Default value

0

Example

gsk-crl-cache-entry-lifetime = 0

gsk-crl-cache-size

Syntax

gsk-crl-cache-size = number_of_entries

Description

Integer value indicating the maximum number of entries in the GSKit CRL cache.

See the standards documents for SSL V3 and TLS V1 (RFC 2246) for more information on CRLs.

Options

number_of_entries

Integer value indicating the maximum number of entries in the GSKit CRL cache. Minimum value is 0. A value of 0 means that no entries are cached. Neither WebSEAL nor GSKit impose a maximum value on this cache.


Usage

This stanza entry is required.

Default value

0

Example

gsk-crl-cache-size = 0

jct-gsk-attr-name

Syntax

jct-gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with a junctioned server. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number}

The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.

Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

GSK_KEYRING_FILE
GSK_KEYRING_PW
GSK_KEYRING_STASH_FILE
GSK_V2_SIDCACHE_SIZE
GSK_V3_SIDCACHE_SIZE
GSK_V2_SESSION_TIMEOUT
GSK_V3_SESSION_TIMEOUT
GSK_PROTOCOL_SSLV2
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_TLSV1
GSK_LDAP_SERVER
GSK_LDAP_SERVER_PORT
GSK_LDAP_USER
GSK_LDAP_USER_PW
GSK_CRL_CACHE_SIZE
GSK_CRL_CACHE_ENTRY_LIFETIME
GSK_ACCELERATOR_NCIPHER_NF
GSK_ACCELERATOR_RAINBOW_CS
GSK_PKCS11_DRIVER_PATH
GSK_PKCS11_TOKEN_LABEL
GSK_PKCS11_TOKEN_PWD
GSK_PKCS11_ACCELERATOR_MODE
GSK_BASE_CRYPTO_LIBRARY
GSK_OCSP_ENABLE
GSK_OCSP_URL
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_REQUEST_SIGKEYLABEL
GSK_OCSP_REQUEST_SIGALG
GSK_OCSP_PROXY_SERVER_NAME
GSK_OCSP_PROXY_SERVER_PORT
GSK_OCSP_RETRIEVE_VIA_GET
GSK_OCSP_MAX_RESPONSE_SIZE

If you attempt to modify any of these attributes, then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

jct-gsk-attr-name = string:225:proxy.ibm.com

See also

“gsk-attr-name” on page 90
“gsk-attr-name” on page 311
“gsk-attr-name” on page 344

neg-delay-fix-disable

Syntax

neg-delay-fix-disable = {true | false}

Description

By default, WebSEAL enables the Nagle algorithm during the SSL handshake. To change this behavior, add the neg-delay-fix-disable entry to the webseald.conf configuration file, and set the value to true.

Options

true After setting this option to true and restarting WebSEAL, Nagle is disabled during the SSL handshake.

false Reverts to the default of enabling the Nagle algorithm. Alternatively, you can delete this line from the stanza. You must restart WebSEAL for the change to take effect.

Usage

This stanza entry is optional.

Default value

None.


Example

The following entry disables the Nagle algorithm during the SSL handshake.

neg-delay-fix-disable = true

ocsp-enable

Syntax

ocsp-enable = {yes|no}

Description

Enables Online Certificate Status Protocol (OCSP) checking of the revocation status of certificates supplied by a server, using the OCSP URL embedded in the certificate's Authority Info Access (AIA) extension.

Options

yes Enable OCSP to check the revocation status of server supplied certificates.

no Disable OCSP checking of server supplied certificates.

Usage

This stanza entry is optional.

Note: This option can be used as an alternative to, or in conjunction with, the ocsp-url option.

Default value

no

Example

ocsp-enable = no

ocsp-max-response-size

Syntax

ocsp-max-response-size = number of bytes

Description

Sets the maximum response size (in bytes) that will be accepted as a response from an OCSP responder. This limit helps protect against a denial of service attack.

Options

number of bytes

Maximum response size, in bytes.

Note: A value of zero (0) indicates that the value is not set in the configuration file and no call to GSKit will be made to adjust its value; in this case, the option will assume the GSKit default of 20480 bytes. Non-zero values will be passed on to GSKit.


Usage

This stanza entry is optional.

Default value

20480

Example

ocsp-max-response-size = 20480

ocsp-nonce-check-enable

Syntax

ocsp-nonce-check-enable = {yes|no}

Description

Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP Response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.

Options

yes WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.

no WebSEAL does not check the nonce in the OCSP response.

Usage

This stanza entry is optional.

Default value

no

Example

ocsp-nonce-check-enable = no

ocsp-nonce-generation-enable

Syntax

ocsp-nonce-generation-enable = {yes|no}

Description

Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL but may cause an excessive load on an OCSP Responder appliance as the responder cannot use cached responses and must sign each response.


Options

yes WebSEAL generates a nonce as part of the OCSP request.

no WebSEAL does not generate a nonce as part of the OCSP request.

Usage

This stanza entry is optional.

Default value

no

Example

ocsp-nonce-generation-enable = no
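An added example (not IBM's or GSKit's code) that models the trade-off described under ocsp-nonce-check-enable and ocsp-nonce-generation-enable, together with the ocsp-max-response-size limit: a nonce ties a response to one request, so a caching proxy's stored response (or a replayed one) fails the check, and every nonce-bearing request costs the responder a fresh signature. The HMAC stand-in for the responder signature, the responder, the caching proxy and the serial numbers are all constructed for the example, not WebSEAL behaviour.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the responder's signing key. Real OCSP responses are signed
# with the responder certificate's key; an HMAC keeps the example self-contained.
RESPONDER_KEY = b"constructed-ocsp-responder-key"


@dataclass
class OcspRequest:
    serial: int
    nonce: Optional[bytes]  # None when ocsp-nonce-generation-enable = no


@dataclass
class OcspResponse:
    serial: int
    status: str
    nonce: Optional[bytes]  # echoed from the request when one was supplied
    mac: bytes


def sign(serial: int, status: str, nonce: Optional[bytes]) -> bytes:
    msg = f"{serial}:{status}:".encode() + (nonce or b"")
    return hmac.new(RESPONDER_KEY, msg, hashlib.sha256).digest()


class Responder:
    """OCSP responder: every request it answers costs one signing operation."""
    def __init__(self, revoked):
        self.revoked = set(revoked)
        self.signatures = 0

    def respond(self, req: OcspRequest) -> OcspResponse:
        status = "revoked" if req.serial in self.revoked else "good"
        self.signatures += 1
        return OcspResponse(req.serial, status, req.nonce, sign(req.serial, status, req.nonce))


class CachingProxy:
    """Caches responses per serial number and ignores the nonce of later requests."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def respond(self, req: OcspRequest) -> OcspResponse:
        if req.serial not in self.cache:
            self.cache[req.serial] = self.upstream.respond(req)
        return self.cache[req.serial]


def wire_size(resp: OcspResponse) -> int:
    return 8 + len(resp.status) + len(resp.nonce or b"") + len(resp.mac)


def check_status(serial, responder, nonce_generation=False, nonce_check=False,
                 max_response_size=20480) -> Tuple[str, str]:
    """Client side of the exchange, with the three [ssl] knobs modelled as flags.
    Returns (status, reason); status is 'undetermined' when the response is rejected."""
    # ocsp-nonce-check-enable = yes implies nonce generation.
    nonce = secrets.token_bytes(16) if (nonce_generation or nonce_check) else None
    resp = responder.respond(OcspRequest(serial, nonce))
    if wire_size(resp) > max_response_size:
        return "undetermined", "response exceeds ocsp-max-response-size"
    if not hmac.compare_digest(resp.mac, sign(resp.serial, resp.status, resp.nonce)):
        return "undetermined", "signature mismatch"
    if nonce_check and resp.nonce != nonce:
        # A replayed or proxy-cached response carries a stale nonce (or none at all).
        return "undetermined", "nonce mismatch"
    return resp.status, "ok"


def demo():
    """Run the exchanges described above and return the observed outcomes."""
    direct = Responder(revoked={2})
    proxied = CachingProxy(Responder(revoked={2}))
    results = {
        "direct_good": check_status(1, direct, nonce_check=True),
        "direct_revoked": check_status(2, direct, nonce_check=True),
        # Second lookup through the caching proxy: the stored response cannot carry the new nonce.
        "proxy_first": check_status(1, proxied, nonce_check=True),
        "proxy_second": check_status(1, proxied, nonce_check=True),
        # Without nonces the cached response is accepted and the upstream signs only once.
        "proxy_no_nonce": check_status(3, proxied),
        "proxy_no_nonce_again": check_status(3, proxied),
        "oversized": check_status(1, direct, max_response_size=16),
    }
    results["upstream_signatures"] = proxied.upstream.signatures
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```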

ocsp-proxy-server-name

Syntax

ocsp-proxy-server-name = <proxy host name>

Description

Specifies the name of the proxy server that provides access to the OCSP responder.

Options

proxy host name
Fully qualified name of the proxy server.

Usage

This stanza entry is optional.

Default value

None

Example

ocsp-proxy-server-name = proxy.ibm.com

ocsp-proxy-server-port

Syntax

ocsp-proxy-server-port = <proxy host port number>

Description

Specifies the port number of the proxy server that provides access to the OCSP Responder.

Options

proxy host port number
Port number used by the proxy server to route OCSP requests and responses.

Usage

This stanza entry is optional.

Default value

None

Example

ocsp-proxy-server-port = 8888

ocsp-url

Syntax

ocsp-url = <OCSP Responder URL>

Description

Specifies the URL for the OCSP Responder. If a URL is provided, WebSEAL will use OCSP for all revocation status checking regardless of whether the certificate has an Authority Info Access (AIA) extension, which means that OCSP will work with existing certificates. WebSEAL will first try the OCSP Responder that is configured by this method rather than using a location specified by the AIA extension. If revocation status is undetermined, and if ocsp-enable is set to yes, then WebSEAL will try to obtain revocation status using the access method in the AIA extension.

Options

OCSP Responder URL
URL of the OCSP Responder.

Usage

This stanza entry is optional.

Default value

None

Example

ocsp-url = http://responder.ibm.com/

pkcs11-driver-path

Syntax

pkcs11-driver-path = fully_qualified_path

Description

Path to a shared library that provides GSKit support for external PKCS#11 device drivers.

Options

fully_qualified_path
Path to a shared library that provides GSKit support for external PKCS#11 device drivers.

Usage

This stanza entry is optional.

Default value

None.

Example

pkcs11-driver-path = /usr/lib/pkcs11/PKCS11_API.so

pkcs11-token-label

Syntax

pkcs11-token-label = name_of_label

Description

Label for the token device that stores the WebSEAL public/private key pair.

Options

name_of_label
Label for the token device that stores the WebSEAL public/private key pair.

Usage

This stanza entry is optional.

Default value

None.

Example

pkcs11-token-label = websealToken

pkcs11-token-pwd

Syntax

pkcs11-token-pwd = password

Description

String containing the password to protect the private keys in the token keyfile.

Options

password
String containing the password to protect the private keys in the token keyfile.

Usage

This stanza entry is optional.

Default value

None.

Example

pkcs11-token-pwd = secret

pkcs11-symmetric-cipher-support

Syntax

pkcs11-symmetric-cipher-support = yes|no

Description

Configure WebSEAL to support the GSKit option for using PKCS#11 for symmetric algorithms.

Options

yes Enable PKCS#11 for symmetric algorithms.

no Disable PKCS#11 for symmetric algorithms.

Usage

This stanza entry is optional.

Default value

None.

Example

pkcs11-symmetric-cipher-support = yes

ssl-keyfile

Syntax

ssl-keyfile = fully_qualified_path

Description

Specifies the keystore that WebSEAL uses for communicating with other Security Access Manager servers over SSL.

Options

fully_qualified_path
String specifying the path to the keystore that WebSEAL uses to communicate with other Security Access Manager servers over SSL.

Usage

This stanza entry is required.

Default value

The default value is set during WebSEAL configuration. The WebSEAL installation directory path is combined with the following path: keytab-<instance_name>/<instance_name>-webseald.kdb, where <instance_name> is the name of the WebSEAL instance.

Example

ssl-keyfile = C:/Program Files/Tivoli/PDWeb/keytab-default/default-webseald.kdb

ssl-keyfile-label

Syntax

ssl-keyfile-label = label_name

Description

String containing a label for the SSL certificate keyfile. When this label is not specified, the default label is used.

This stanza entry is typically modified only by the WebSEAL configuration utility.

Options

label_name
String containing a label for the SSL certificate keyfile.

Usage

This stanza entry is optional, but is assigned during WebSEAL configuration.

Default value

PD Server

Example

ssl-keyfile-label = PD Server

ssl-keyfile-pwd

Syntax

ssl-keyfile-pwd = password

Description

String containing the password to protect the private keys in the SSL keyfile.

This stanza entry is typically modified only by the WebSEAL configuration utility.

Options

password
When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by ssl-keyfile-stash. This stanza entry stores the password in plain text. Use ssl-keyfile-stash for optimum security.

Usage

This stanza entry is optional.

Default value

None.

Example

ssl-keyfile-pwd = myPassw0rd

ssl-keyfile-stash

Syntax

ssl-keyfile-stash = fully_qualified_path

Description

Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.

This stanza entry is typically modified only by the WebSEAL configuration utility.

Options

fully_qualified_path
Fully qualified name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.

Usage

This stanza entry is required.

Default value

This path is set during WebSEAL configuration. The path consists of the WebSEAL installation directory plus: keytab-instance_name/instance_name-webseald.sth, where instance_name is the name of the WebSEAL instance.

Example

ssl-keyfile-stash = C:/Program Files/Tivoli/PDWeb/keytab-default/default-webseald.sth

ssl-local-domain

Syntax

ssl-local-domain = local domain name

Description

This option specifies the local domain for a particular instance of WebSEAL, which allows a single server to host multiple WebSEAL instances, each of which could access a separate domain.

Options

local domain name
The local domain for which this instance of WebSEAL is configured. The local domain is provided during WebSEAL configuration and set by the svrsslcfg utility.

Usage

This stanza entry is optional.

Default value

Default

Example

ssl-local-domain = abc.ibm.com

ssl-max-entries

Syntax

ssl-max-entries = number_of_entries

Description

Integer value indicating the maximum number of concurrent entries in the SSL cache.

Options

number_of_entries
Integer value indicating the maximum number of concurrent entries in the SSL cache. The minimum value is zero (0), which means that caching is unlimited. Entries between 0 and 256 are set to 256. There is no maximum limit.

Usage

This stanza entry is optional.

Default value

When the stanza entry is not assigned a value, WebSEAL uses a default value of 0. The WebSEAL configuration utility, however, assigns a default value of 4096.

Example

ssl-max-entries = 4096

ssl-v2-timeout

Syntax

ssl-v2-timeout = number_of_seconds

Description

Session timeout in seconds for SSL v2 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL.

This value is set by the WebSEAL configuration utility.

Options

number_of_seconds
Valid range of values for number_of_seconds is from 1-100 seconds.

Usage

This stanza entry is required when SSL is enabled.

Default value

100

Example

ssl-v2-timeout = 100

ssl-v3-timeout

Syntax

ssl-v3-timeout = number_of_seconds

Description

Session timeout in seconds for SSL v3 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL.

This value is set by the WebSEAL configuration utility.

Options

number_of_seconds
Valid range of values for number_of_seconds is from 1-86400 seconds, where 86400 seconds is equal to 1 day. If you specify a number outside this range, the default number of 7200 seconds will be used.

Usage

This stanza entry is required when SSL is enabled.

Default value

7200

Example

ssl-v3-timeout = 7200

suppress-client-ssl-errors

Syntax

suppress-client-ssl-errors = {true|false}

Description

This stanza entry suppresses error messages that originate from SSL communication problems with the client.

Options

true Suppress error messages that originate from SSL communication problems with the client.

false Do not suppress error messages that originate from SSL communication problems with the client.

Usage

This stanza entry is required when SSL is enabled.

Default value

false

Example

suppress-client-ssl-errors = false

undetermined-revocation-cert-action

Syntax

undetermined-revocation-cert-action = {ignore | log | reject}

Description

Controls the action that WebSEAL takes if OCSP or CRL is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate values for this entry should be provided by the OCSP or CRL Responder owner.

Options

ignore WebSEAL ignores the undetermined revocation status and permits use of the certificate.

log WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.

reject WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.

Usage

This stanza entry is required.

Default value

The option defaults to ignore if it is not specified in the configuration file.

Note: The value for this option in the template configuration file is log.

Example

undetermined-revocation-cert-action = log
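The responder order described under ocsp-url (the configured responder first, then the AIA location only when ocsp-enable is yes) and the undetermined-revocation-cert-action outcomes, modelled as an added Python example. This is an illustration derived from the stanza descriptions, not WebSEAL's code; the responder URLs, serial numbers and the table of responder answers are constructed, and CRL checking is left out.

```python
"""Model of WebSEAL's OCSP responder order and undetermined-revocation-cert-action.
Illustration built from the stanza descriptions; not WebSEAL's own code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A responder lookup maps (responder URL, certificate serial) to "good", "revoked" or "unknown".
Lookup = Callable[[str, int], str]


@dataclass
class RevocationConfig:
    ocsp_enable: bool                     # ocsp-enable
    ocsp_url: Optional[str]               # ocsp-url, or None when the entry is unset
    undetermined_action: str = "ignore"   # undetermined-revocation-cert-action


@dataclass
class ClientCert:
    serial: int
    aia_ocsp_url: Optional[str] = None    # OCSP location from the Authority Info Access extension


def check_revocation(cfg: RevocationConfig, cert: ClientCert,
                     lookup: Lookup, log: List[str]) -> str:
    """Return "accept" or "reject"; every step taken is appended to log."""
    if not cfg.ocsp_url and not cfg.ocsp_enable:
        log.append("no OCSP revocation checking configured")
        return "accept"
    status = "unknown"
    if cfg.ocsp_url:  # configured responder is tried first, whether or not the cert has AIA
        status = lookup(cfg.ocsp_url, cert.serial)
        log.append(f"ocsp-url {cfg.ocsp_url}: {status}")
    if status == "unknown" and cfg.ocsp_enable and cert.aia_ocsp_url:
        status = lookup(cert.aia_ocsp_url, cert.serial)  # fall back to the AIA location
        log.append(f"AIA {cert.aia_ocsp_url}: {status}")
    if status == "good":
        return "accept"
    if status == "revoked":
        return "reject"
    # Status still undetermined: apply undetermined-revocation-cert-action.
    if cfg.undetermined_action == "reject":
        log.append("revocation status undetermined: certificate rejected")
        return "reject"
    if cfg.undetermined_action == "log":
        log.append("revocation status undetermined: certificate permitted")
    return "accept"  # "ignore", the default when the entry is absent


# Constructed responder answers standing in for network calls to real responders.
RESPONSES: Dict[Tuple[str, int], str] = {
    ("http://responder.example/", 1): "good",
    ("http://responder.example/", 2): "unknown",
    ("http://aia.example/ocsp", 2): "revoked",
}


def table_lookup(url: str, serial: int) -> str:
    return RESPONSES.get((url, serial), "unknown")


if __name__ == "__main__":
    cfg = RevocationConfig(ocsp_enable=True, ocsp_url="http://responder.example/",
                           undetermined_action="log")
    for cert in (ClientCert(1), ClientCert(2, "http://aia.example/ocsp"), ClientCert(3)):
        trail: List[str] = []
        print(cert.serial, check_revocation(cfg, cert, table_lookup, trail), trail)
```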

webseal-cert-keyfile

Syntax

webseal-cert-keyfile = fully_qualified_path

Description

Specifies the WebSEAL certificate keyfile. This is the server certificate that WebSEAL exchanges with browsers when negotiating SSL sessions.

Options

fully_qualified_path
Path name to the WebSEAL certificate keyfile.

Usage

This stanza entry is required.

Default value

This path is set during WebSEAL configuration. The path consists of the WebSEAL installation directory plus: www-instance_name/certs/pdsrv.kdb.

Example

webseal-cert-keyfile = C:/Program Files/Tivoli/PDWeb/www-default/certs/pdsrv.kdb

webseal-cert-keyfile-label

Syntax

webseal-cert-keyfile-label = label_name

Description

String specifying a label to use for the WebSEAL certificate keyfile. When this is not specified, the default label is used.

Options

label_name
String specifying a label to use for the WebSEAL certificate keyfile.

Usage

This stanza entry is optional, but is set by default during WebSEAL configuration.

Default value

WebSEAL-Test-Only

Example

webseal-cert-keyfile-label = WebSEAL-Test-Only

webseal-cert-keyfile-pwd

Syntax

webseal-cert-keyfile-pwd = password

Description

Password used to protect private keys in WebSEAL certificate file.

Options

password
When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by webseal-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.

Usage

This stanza entry is optional.

Default value

None.

Example

webseal-cert-keyfile-pwd = j73R45huu

webseal-cert-keyfile-sni

Use the webseal-cert-keyfile-sni stanza entry to configure WebSEAL to send a server certificate whose host name matches the host name in the initial browser request.

Syntax

webseal-cert-keyfile-sni = <host_name>:<label>

Description

This configuration has the following requirements:

• The user uses TLS over SSL to connect to WebSEAL. SSLv2 and SSLv3 are not supported.

• The browser supports Server Name Indication.

Use the webseal-cert-keyfile-sni configuration entry to specify the certificate that WebSEAL sends for a particular host name.

You can specify this configuration entry multiple times. Specify a separate entry for each server certificate.

If WebSEAL does not find an entry for the host name in the browser request, WebSEAL sends the default certificate that is specified by the webseal-cert-keyfile-label entry. WebSEAL also uses the default certificate if the request does not meet the Server Name Indication requirements, for example if the browser does not support Server Name Indication.

Options

<host_name>
The name of the host to which WebSEAL returns the certificate.

<label>
The label of the certificate for WebSEAL to use.

Note: Specify the certificate that contains a dn value of cn=<host_name>.

Usage

This stanza entry is optional.

Default value

None.

Example

webseal-cert-keyfile-sni = hostA.abc.ibm.com:hostAcert
webseal-cert-keyfile-sni = vhostB.abc.ibm.com:vhostBcert

webseal-cert-keyfile-stash

Syntax

webseal-cert-keyfile-stash = fully_qualified_path

Description

Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.

Options

fully_qualified_path
Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.

Usage

This stanza entry is optional.

Default value

This path is set during WebSEAL configuration. The path consists of the WebSEAL installation directory plus: www-instance_name/certs/pdsrv.sth.

Example

webseal-cert-keyfile-stash = C:/Program Files/Tivoli/PDWeb/www-default/certs/pdsrv.sth

[ssl-qop] stanza

ssl-qop-mgmt

Syntax

ssl-qop-mgmt = {yes|no}

Description

Enables or disables SSL quality of protection management.

Options

yes The value yes enables SSL quality of protection management.

no The value no disables SSL quality of protection management.

Usage

This stanza entry is required.

Default value

no

Example

ssl-qop-mgmt = no

[ssl-qop-mgmt-default] stanza

default

Syntax

default = {ALL|NONE|cipher_level}

Description

List of string values to specify the allowed encryption levels for HTTPS access.

Values specified in this stanza entry are used for all IP addresses that are not matched in either the [ssl-qop-mgmt-hosts] stanza entries or the [ssl-qop-mgmt-networks] stanza entries.

Options

ALL The value ALL allows all ciphers.

NONE
The value NONE disables all ciphers and uses an MD5 MAC checksum.

cipher_level
Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

Value         Cipher name in GSKit
NULL          TLS_RSA_WITH_NULL_MD5
DES-56        TLS_RSA_WITH_DES_CBC_SHA
FIPS-DES-56   SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-168       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
FIPS-DES-168  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
RC2-40        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
RC2-128       TLS_RC2_CBC_128_CBC_WITH_MD5
RC4-40        TLS_RSA_EXPORT_WITH_RC4_40_MD5
RC4-56        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
RC4-128       TLS_RSA_WITH_RC4_128_MD5
AES-128       TLS_RSA_WITH_AES_128_CBC_SHA
AES-256       TLS_RSA_WITH_AES_256_CBC_SHA

Usage

This stanza entry is required.

Default value

ALL

Example

To specify a selected group of ciphers, create a separate entry for each cipher. For example:

default = RC4-128
default = RC2-128
default = DES-168

[ssl-qop-mgmt-hosts] stanza

host-ip

Syntax

host-ip = {ALL|NONE|cipher_level}

Description

List of string values to specify the allowed encryption levels for HTTPS access for a specific IP address.

Note that this stanza has been deprecated and is retained only for backward compatibility.

Options

ALL The value ALL allows all ciphers.

NONE
The value NONE disables all ciphers and uses an MD5 MAC checksum.

cipher_level
Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

Value         Cipher name in GSKit
NULL          TLS_RSA_WITH_NULL_MD5
DES-56        TLS_RSA_WITH_DES_CBC_SHA
FIPS-DES-56   SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-168       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
FIPS-DES-168  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
RC2-40        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
RC2-128       TLS_RC2_CBC_128_CBC_WITH_MD5
RC4-40        TLS_RSA_EXPORT_WITH_RC4_40_MD5
RC4-56        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
RC4-128       TLS_RSA_WITH_RC4_128_MD5
AES-128       TLS_RSA_WITH_AES_128_CBC_SHA
AES-256       TLS_RSA_WITH_AES_256_CBC_SHA

Usage

This stanza entry is optional.

Default value

None.

Example

To specify allowable ciphers for a selected group of IP addresses, create a separate entry for each address. For example:

111.222.333.444 = RC4-128
222.666.333.111 = RC2-128

[ssl-qop-mgmt-networks] stanza

network/netmask

Syntax

network/netmask = {ALL|NONE|cipher_level}

Description

List of string values to specify the allowed encryption levels for HTTPS access for a specific combination of IP address and netmask.

Note that this stanza has been deprecated and is retained only for backward compatibility.

Options

ALL The value ALL allows all ciphers.

NONE
The value NONE disables all ciphers and uses an MD5 MAC checksum.

cipher_level
Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

Value         Cipher name in GSKit
NULL          TLS_RSA_WITH_NULL_MD5
DES-56        TLS_RSA_WITH_DES_CBC_SHA
FIPS-DES-56   SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-168       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
FIPS-DES-168  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
RC2-40        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
RC2-128       TLS_RC2_CBC_128_CBC_WITH_MD5
RC4-40        TLS_RSA_EXPORT_WITH_RC4_40_MD5
RC4-56        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
RC4-128       TLS_RSA_WITH_RC4_128_MD5
AES-128       TLS_RSA_WITH_AES_128_CBC_SHA
AES-256       TLS_RSA_WITH_AES_256_CBC_SHA

Usage

This stanza entry is optional.

Default value

None.

Example

To specify allowable ciphers for a selected group of IP addresses and netmasks, create a separate entry for each address/netmask combination. For example:

111.222.333.444/255.255.255.0 = RC4-128
222.666.333.111/255.255.0.0 = RC2-128
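An added Python example (not IBM's code) that parses a stanza-style configuration with repeated keys and resolves two decisions documented in this reference: the certificate label selected for an SNI host name under webseal-cert-keyfile-sni, falling back to webseal-cert-keyfile-label, and the cipher levels the [ssl-qop-mgmt-default], [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks] stanzas permit for a client address, with a review pass that flags NULL, export, RC4 and 3DES levels. The sample configuration, the host-then-network-then-default precedence and the case-insensitive host-name comparison are assumptions made here.

```python
"""Resolve two decisions documented above from a WebSEAL-style stanza file: the
certificate label an SNI host selects and the [ssl-qop-mgmt-*] cipher levels
permitted for a client address.  Added illustration, not WebSEAL code."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Stanzas = Dict[str, List[Tuple[str, str]]]

# Constructed sample configuration using the entries described on this page.
SAMPLE_CONF = """
[ssl]
webseal-cert-keyfile-label = WebSEAL-Test-Only
webseal-cert-keyfile-sni = hostA.abc.ibm.com:hostAcert
webseal-cert-keyfile-sni = vhostB.abc.ibm.com:vhostBcert
[ssl-qop]
ssl-qop-mgmt = yes
[ssl-qop-mgmt-default]
default = AES-256
default = AES-128
[ssl-qop-mgmt-hosts]
192.0.2.10 = RC4-128
192.0.2.10 = DES-168
[ssl-qop-mgmt-networks]
198.51.100.0/255.255.255.0 = NULL
"""

LEGAL_LEVELS = {"NULL", "DES-56", "FIPS-DES-56", "DES-168", "FIPS-DES-168", "RC2-40",
                "RC2-128", "RC4-40", "RC4-56", "RC4-128", "AES-128", "AES-256"}
# Null encryption, 40-bit export, single DES, RC4 (prohibited by RFC 7465) and 3DES.
WEAK_LEVELS = {"NULL", "RC2-40", "RC4-40", "RC4-56", "DES-56", "FIPS-DES-56",
               "RC2-128", "RC4-128", "DES-168"}


def parse_stanzas(text: str) -> Stanzas:
    """Read [stanza] sections into {stanza: [(key, value), ...]}; keys may repeat."""
    stanzas: Stanzas = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif current is None or "=" not in line:
            raise ValueError(f"malformed configuration line: {line!r}")
        else:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def select_certificate_label(stanzas: Stanzas, sni_host: Optional[str]) -> Optional[str]:
    """Label of the certificate sent for the SNI host; the default label otherwise."""
    ssl = stanzas.get("ssl", [])
    default = next((v for k, v in ssl if k == "webseal-cert-keyfile-label"), None)
    if sni_host is None:  # no Server Name Indication from the client
        return default
    for key, value in ssl:
        if key == "webseal-cert-keyfile-sni":
            host, _, label = value.partition(":")
            if host.lower() == sni_host.lower():  # assumption: case-insensitive match
                return label
    return default


def allowed_cipher_levels(stanzas: Stanzas, client_ip: str) -> Set[str]:
    """Cipher levels permitted for client_ip (assumed order: host, network, default)."""
    if ("ssl-qop-mgmt", "yes") not in stanzas.get("ssl-qop", []):
        return {"ALL"}  # quality-of-protection management is disabled
    addr = ipaddress.ip_address(client_ip)
    levels = {v for k, v in stanzas.get("ssl-qop-mgmt-hosts", [])
              if ipaddress.ip_address(k) == addr}
    if not levels:
        levels = {v for k, v in stanzas.get("ssl-qop-mgmt-networks", [])
                  if addr in ipaddress.ip_network(k, strict=False)}
    if not levels:
        levels = {v for k, v in stanzas.get("ssl-qop-mgmt-default", []) if k == "default"}
    return levels or {"ALL"}  # the documented default when no entry is present


def audit_qop(stanzas: Stanzas) -> List[Tuple[str, str, str]]:
    """(stanza, key, finding) for each entry that permits weak or undefined cipher levels."""
    findings = []
    for stanza in ("ssl-qop-mgmt-default", "ssl-qop-mgmt-hosts", "ssl-qop-mgmt-networks"):
        for key, value in stanzas.get(stanza, []):
            if value == "ALL":
                findings.append((stanza, key, "ALL permits every cipher, NULL and export included"))
            elif value == "NONE":
                findings.append((stanza, key, "NONE disables encryption (MD5 MAC only)"))
            elif value in WEAK_LEVELS:
                findings.append((stanza, key, f"{value} is a weak cipher level"))
            elif value not in LEGAL_LEVELS:
                findings.append((stanza, key, f"{value} is not a legal cipher level"))
    return findings
```

Pass parse_stanzas(SAMPLE_CONF) to select_certificate_label, allowed_cipher_levels or audit_qop; with the sample, 192.0.2.10 resolves to the two host-level entries and the review pass reports three findings.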

[step-up] stanza

retain-stepup-session

Syntax

retain-stepup-session = {yes|no}

Description

Determines whether a session cookie issued during a step-up operation is allowed to be reused or not. This option is only in effect if the verify-step-up-user option is set to yes.

Options

yes Enables session cookie to be reused during a step-up operation.

no Prevents session cookie from being reused during a step-up operation.

Usage

This stanza entry is required.

Default value

no

Example

retain-stepup-session = no

show-all-auth-prompts

Syntax

show-all-auth-prompts = {yes|no}

Description

Controls login prompt response for an unauthenticated user who requests an object protected by a step-up authentication POP attribute.

Options

yes A value of "yes" provides multiple login prompts—one for each enabled authentication method—on each login page.

no A value of "no" provides only the login prompt for the specific authentication level required by the POP (default).

Usage

This stanza entry is required.

Default value

no

Example

show-all-auth-prompts = no

step-up-at-higher-level

Syntax

step-up-at-higher-level = {yes|no}

Description

This configuration entry controls whether an authentication mechanism that is higher than the requested step-up level is accepted during a step-up operation.

Options

yes Authentication levels higher than the level specified in the POP are accepted during step-up operations.

no Higher authentication levels are disallowed during step-up operations.

Usage

This stanza entry is optional.

Default value

no

Example

step-up-at-higher-level = no

verify-step-up-user

Syntax

verify-step-up-user = {yes|no}

Description

Determines whether the identity of the user performing a step-up operation must match the identity of the user that performed the previous authentication.

Options

yes The identity of the user performing the step-up operation must match the identity of the user that performed the previous authentication. In this case, the existing session key can be retained during step-up authentication; the value of the retain-stepup-session option controls whether it is.

no The identity of the user performing the step-up operation need not match the identity of the user that performed the previous authentication operation. In this case, the session key must change during step-up authentication.

Usage

This stanza entry is required.

Default value

yes

Example

verify-step-up-user = yes
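How retain-stepup-session, step-up-at-higher-level and verify-step-up-user interact when an authenticated user reaches an object whose POP demands a higher level, as an added Python model (not WebSEAL's code). The decision order, the Session fields and the random session keys are assumptions of this illustration; the rules themselves follow the option descriptions above.

```python
"""Model of how the [step-up] entries interact during a step-up operation.
Added illustration derived from the option descriptions; not WebSEAL code."""
import secrets
from dataclasses import dataclass
from typing import Tuple


@dataclass
class StepUpConfig:
    verify_step_up_user: bool = True       # verify-step-up-user (default yes)
    retain_stepup_session: bool = False    # retain-stepup-session (default no)
    step_up_at_higher_level: bool = False  # step-up-at-higher-level (default no)


@dataclass
class Session:
    user: str
    auth_level: int
    session_key: str   # stands in for the session cookie value


def step_up(cfg: StepUpConfig, session: Session, required_level: int,
            presented_user: str, presented_level: int) -> Tuple[bool, Session, str]:
    """Apply a step-up attempt; returns (accepted, resulting session, reason)."""
    if presented_level < required_level:
        return False, session, "authentication level below the POP level"
    if presented_level > required_level and not cfg.step_up_at_higher_level:
        return False, session, "higher level refused (step-up-at-higher-level = no)"
    if cfg.verify_step_up_user:
        if presented_user != session.user:
            return False, session, "identity changed (verify-step-up-user = yes)"
        # Same user: retain-stepup-session decides whether the session key survives.
        key = session.session_key if cfg.retain_stepup_session else secrets.token_hex(16)
    else:
        key = secrets.token_hex(16)  # identity may differ, so the session key must change
    return True, Session(presented_user, presented_level, key), "step-up accepted"


if __name__ == "__main__":
    current = Session("alice", 1, "k-initial")
    for cfg in (StepUpConfig(), StepUpConfig(retain_stepup_session=True),
                StepUpConfig(verify_step_up_user=False)):
        accepted, result, reason = step_up(cfg, current, 2, "bob", 2)
        print(cfg, accepted, result.user, result.session_key == current.session_key, reason)
```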

[system-environment-variables] stanza

env-name

Syntax

env-name = env-value

Description

Defines system environment variables that are exported by WebSEAL.

During initialization, the WebSEAL daemon exports the environment variables that are defined as entries in the [system-environment-variables] stanza. You must include a separate entry for each system environment variable that you want to export.

Options

env-name
The name of the system environment variable.

env-value
The value of the system environment variable.

Usage

This stanza entry is optional.

Note:

• This functionality is not supported on Windows platforms.
• The environment variable names are case-sensitive.

Default value

None.

Example

The following example sets the LANG and GSK_TRACE_FILE environment variables.

LANG = de
GSK_TRACE_FILE = /tmp/gsk.trace

[tfimsso:<jct-id>] stanza

always-send-tokens

Use the always-send-tokens stanza entry to control whether WebSEAL sends a security token for every HTTP request.

Syntax

always-send-tokens = {yes|true|no|false}

Description

Indicates whether WebSEAL sends a security token for every HTTP request or whether WebSEAL waits for a 401 response before it adds the security token.

You can use this configuration item to avoid generating and adding a security token to every request if the back-end web server can maintain user sessions. This configuration item is only useful if the request for authentication involves a 401 response, which currently applies to Tivoli® Federated Identity Manager single sign-on only.

Options

yes WebSEAL sends a security token for every HTTP request.

no WebSEAL waits for a 401 response before it sends a security token for an HTTP request.

Usage

This stanza entry is required when Tivoli Federated Identity Manager single sign-on authentication is used over junctions.

Default value

None

Example

always-send-tokens = false

applies-to

Use the applies-to stanza entry to specify the location of the Security Token Service module if you are using Tivoli Federated Identity Manager SSO authentication.

Syntax

applies-to = http://<webseal-server>/<junction>

Description

Path to specify the location to search for the appropriate Security Token Service (STS) module in Tivoli Federated Identity Manager.

Options

http://<webseal-server>/<junction>
The host name or IP address of the WebSEAL server, along with the junction name. This address is similar to the URL that is used to access the junction.

Usage

This stanza entry is required when Tivoli Federated Identity Manager SSO authentication is used over junctions.

Default value

None

Example

applies-to = http://webseal-server/jct

one-time-token

Syntax

one-time-token = {true | false}

Description

This boolean value is used to indicate whether the security token that is produced by TFIM is only valid for a single transaction. An example of a one-time token is a Kerberos token, which can only be used for a single authentication operation.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

True.

Example

one-time-token = false

preserve-xml-token

Syntax

preserve-xml-token = {true | false}

Description

This value controls whether to use the requested BinarySecurityToken XML structure in its entirety or whether only the encapsulated token should be used. Set this configuration entry to true only if the junctioned Web server understands and expects the BinarySecurityToken XML structure.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

True.

Example

preserve-xml-token = false

renewal-window

Syntax

renewal-window = number of seconds

Description

The length of time, in seconds, by which the expiration of security tokens will be reduced. This entry is used to make allowances for differences in system times and transmission times for the security tokens.

Options

number of seconds
Number of seconds by which the expiration of security tokens will be reduced to make allowances for differences between system times and transmission times for security tokens.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

renewal-window = 15

service-name

Syntax

service-name = <servicename>

Description

1. Used by TFIM when searching for a matching trust chain. This configuration entry will be compared against the configured AppliesTo service name value for each trust chain. The second field within the AppliesTo service name configuration entry should be set to either asterisk (*) to match all service names, or it should be set to the value defined by this configuration item. See the TFIM documentation for further details on configuring Trust Chains.

2. Used as the service principal name of the delegating user when creating a Kerberos token. The service principal name can be determined by executing the Microsoft utility setspn (that is, setspn -L user, where user is the identity of the user on the junctioned Web server).

Options

<service name>
The service name which is used to locate the trust chain within TFIM.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

service-name = HTTP/bigblue.wma.ibm.com

tfim-cluster-name

Syntax

tfim-cluster-name = name of cluster

Description

The name of the WebSphere cluster for the Tivoli Federated Identity Manager service. The cluster is defined by this stanza entry along with a corresponding [tfim-cluster:<cluster>] stanza.

Options

name of cluster
The name of the WebSphere cluster that contains the Tivoli Federated Identity Manager service.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

tfim-cluster-name = wascluster01

token-collection-size

Syntax

token-collection-size = number

Description

Specifies the number of security tokens for WebSEAL to retrieve from Tivoli Federated Identity Manager in a single request. This construct is currently only supported for the Kerberos STS module.

Note: The number value for this stanza entry should be relatively low. Each token retrieved from Tivoli Federated Identity Manager (TFIM) is quite large; specifying a large number dramatically increases the size of the packets received from TFIM, which in turn increases the size of the session and the amount of memory used by WebSEAL.

Options

number
The number of security tokens that WebSEAL will retrieve from Tivoli Federated Identity Manager and cache for subsequent requests.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-collection-size = 10

token-type

Syntax

token-type = token_type

Description

Specifies the type of token to be requested from Tivoli Federated Identity Manager. This value should correspond to the 'Token Type URI' field for the corresponding trust chain within TFIM.

Options

token_type
Indicates the type of token to be requested from Tivoli Federated Identity Manager. Available options are Kerberos, SAML and LDAP.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

token-transmit-name

Syntax

token-transmit-name = text

Description

The name given to the security token within the junctioned Web server request.

Options

text This is a free text field.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-transmit-name = Authorization

token-transmit-type

Syntax

token-transmit-type = {header | cookie}

Description

The type of mechanism which will be used to transmit the security token to the junctioned Web server.

Options

header The security token will be included in a header.

cookie The security token will be included in a cookie.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-transmit-type = header


[tfim-cluster:<cluster>] stanza

This stanza contains definitions for a particular cluster of Tivoli Federated Identity Manager servers.

basic-auth-user

Syntax

basic-auth-user = <user_name>

Description

Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.

Options

<user_name> The user name that WebSEAL includes in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.

Default value

None.

Example

basic-auth-user = user_name

basic-auth-passwd

Syntax

basic-auth-passwd = <password>

Description

Specifies the password for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.

Options

<password> The password that WebSEAL includes in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.


Default value

None.

Example

basic-auth-passwd = password

gsk-attr-name

Syntax

gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with Tivoli Federated Identity Manager. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number} The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.

Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

GSK_KEYRING_FILE
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_CIPHER_V2
GSK_V3_CIPHER_SPECS
GSK_PROTOCOL_TLSV1
GSK_FIPS_MODE_PROCESSING

If you attempt to modify any of these attributes then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

gsk-attr-name = string:225:proxy.ibm.com


See also

“gsk-attr-name” on page 90
“gsk-attr-name” on page 311
“jct-gsk-attr-name” on page 314

handle-idle-timeout

Syntax

handle-idle-timeout = <number>

Description

Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.

Options

<number> Length of time, in seconds, before an idle handle is removed from the handle pool cache.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Default value

None

Example

handle-idle-timeout = 240

handle-pool-size

Syntax

handle-pool-size = <number>

Description

Specifies the maximum number of cached handles that WebSEAL uses when communicating with Tivoli Federated Identity Manager.

Options

<number> Maximum number of handles that WebSEAL caches to communicate with Tivoli Federated Identity Manager.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Default value

10


Example

handle-pool-size = 10

server

Syntax

server = {[0-9],}<URL>

Description

Specifies the priority level and URL for a single Tivoli Federated Identity Manager server that is a member of the cluster identified for this [tfim-cluster:<cluster>] stanza.

Options

[0-9] A digit, 0-9, that represents the priority of this server within the cluster (9 is the highest, 0 is the lowest). If the priority is not specified, a priority of 9 is assumed.

Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

<URL> A well-formed HTTP or HTTPS uniform resource locator for the server.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Note: You can specify multiple server entries for a particular cluster for failover and load balancing.

Default value

None

Example

server = 9,http://tfim-server.example.com/TrustServerWST13/services/RequestSecurityToken
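As an added illustration, not IBM code and not part of this reference, the following Python applies the server entry rules above: an optional single-digit priority (9 highest, default 9) followed directly by a comma, no space before the URL, and a well-formed HTTP or HTTPS URL. It also orders a cluster's entries for failover and reports whether any server uses HTTPS, which is the first condition under which the stanza's ssl-* entries apply. The function names and the sample stanza are constructed for this example.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Hypothetical helpers written for this example; they are not WebSEAL code.
# Rules implemented are the ones the stanza reference states for
#   server = {[0-9],}<URL>
# - priority is a single digit 0-9, 9 highest, default 9 when omitted
# - no space is allowed between the comma and the URL
# - the URL must be a well-formed HTTP or HTTPS URL

DEFAULT_PRIORITY = 9
_ENTRY_RE = re.compile(r"^(?:(?P<prio>[0-9]),)?(?P<url>\S+)$")


class ClusterServer(NamedTuple):
    priority: int
    url: str


def parse_server_entry(value: str) -> ClusterServer:
    """Parse the value of one 'server' entry; raise ValueError on malformed input."""
    value = value.strip()
    match = _ENTRY_RE.match(value)
    if match is None:
        # e.g. "9, http://..." (space after the comma) or an empty value
        raise ValueError(f"malformed server entry: {value!r}")
    prio_text = match.group("prio")
    priority = int(prio_text) if prio_text is not None else DEFAULT_PRIORITY
    url = match.group("url")
    parts = urlsplit(url)
    # "10,http://..." ends up here: two digits are not a priority, and
    # "10,http" is not a valid URL scheme, so the entry is rejected
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"server URL must be a well-formed HTTP or HTTPS URL: {url!r}")
    return ClusterServer(priority, url)


def is_valid_server_entry(value: str) -> bool:
    """Convenience wrapper for configuration checks: True when the value parses."""
    try:
        parse_server_entry(value)
    except ValueError:
        return False
    return True


def parse_stanza_servers(lines: List[str]) -> List[ClusterServer]:
    """Collect every 'server = ...' entry from the lines of one [tfim-cluster:<cluster>] stanza."""
    servers = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "server":
            servers.append(parse_server_entry(val))
    return servers


def order_by_priority(servers: List[ClusterServer]) -> List[ClusterServer]:
    """Failover order: highest priority first. The reference does not define a
    tie-break, so keeping configuration order for equal priorities is an assumption."""
    return sorted(servers, key=lambda s: -s.priority)


def cluster_uses_ssl(servers: List[ClusterServer]) -> bool:
    """True when any server URL is HTTPS: the first of the two conditions under
    which the stanza's ssl-fips-enabled, ssl-keyfile, ssl-keyfile-label,
    ssl-keyfile-stash and ssl-valid-server-dn entries become required."""
    return any(urlsplit(s.url).scheme == "https" for s in servers)


# Constructed sample stanza for this example (not from a real deployment).
SAMPLE_STANZA = """\
[tfim-cluster:wascluster01]
server = 9,http://tfim-server.example.com/TrustServerWST13/services/RequestSecurityToken
server = 5,https://tfim-backup.example.com/TrustServerWST13/services/RequestSecurityToken
server = https://tfim-spare.example.com/TrustServerWST13/services/RequestSecurityToken
timeout = 240
"""


def servers_from_text(text: str) -> List[ClusterServer]:
    return parse_stanza_servers(text.splitlines())


if __name__ == "__main__":
    servers = servers_from_text(SAMPLE_STANZA)
    for server in order_by_priority(servers):
        print(server.priority, server.url)
    print("ssl-* entries apply:", cluster_uses_ssl(servers))
```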

ssl-fips-enabled

Syntax

ssl-fips-enabled = {yes|no}

Description

Determines whether Federal Information Processing Standards (FIPS) mode is enabled with Tivoli Federated Identity Manager.

Note: If no configuration entry is present, the setting from the global setting, determined by the Access Manager policy server, takes effect.


Options

yes FIPS mode is enabled.

no FIPS mode is disabled.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Note: If you want to use a FIPS level that is different from the Access Manager policy server, edit the configuration file and specify a value for this entry.

Example

ssl-fips-enabled = yes

ssl-keyfile

Syntax

ssl-keyfile = <fully_qualified_name>

Description

Specifies the name of the key database file that houses the client certificate for WebSEAL to use.

Options

<fully_qualified_name> Name of the key database file that contains the client-side certificate for WebSEAL to use when Tivoli Federated Identity Manager single sign-on is enabled for the junction.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.


Default value

None.

Example

ssl-keyfile = default-webseald.kdb

ssl-keyfile-label

Syntax

ssl-keyfile-label = <label-name>

Description

Specifies the label of the client-side certificate in the key database.

Options

<label-name> Label of the client-side certificate in the key database.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-label = WebSEAL-Test

ssl-keyfile-stash

Syntax

ssl-keyfile-stash = <filename.sth>

Description

Specifies the name of the password stash file for the key database file.

Options

<filename.sth> The name of the password stash file for the key database file.


Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-stash = default-webseald.sth

ssl-valid-server-dn

Syntax

ssl-valid-server-dn = <DN-value>

Description

Specifies the distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL can accept.

Options

<DN-value> The distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.

Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL (that is, contain an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.


Example

ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US

timeout

Syntax

timeout = <number of seconds>

Description

Specifies the length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.

Options

<number of seconds> The length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Default value

None.

Example

timeout = 240

[token] stanza

token-auth

Syntax

token-auth = {none|http|https|both}

Description

Enables authentication using the token authentication mechanism. Specifies which protocols are supported.

When token authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both} The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.


Default value

none

Example

token-auth = none

[uraf-registry] stanza

bind-id

Syntax

bind-id = server_id

Description

An administrator or user login identity for the registry server that WebSEAL can use to bind (sign on) to the registry server.

If the ID belongs to a user rather than an administrator, the user must have privileges to update and modify data in the user registry.

The WebSEAL configuration process generates this value. Do not change it.

Options

server_id

The server_id is an alphanumeric string that is not case-sensitive. String values must contain characters that are part of the local code set.

The underlying registry determines whether there are any limits on the minimum and maximum lengths of the ID. For Active Directory, the maximum length is 256 alphanumeric characters.

Usage

This stanza entry is required if you are not using an LDAP registry.

Default value

The default value is server-specific.

Example

bind-id = MySvrAdminID

cache-lifetime

Syntax

cache-lifetime = number_seconds

Description

Number of seconds that the objects are allowed to stay in the cache.


This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

Options

number_seconds The timeout specified in number of seconds. Use a number within the range of 1 to 86400. For performance tuning, the longer the time specified, the longer the repetitive Read advantage is held. A smaller number of seconds negates the cache advantage for user-initiated Reads.

Usage

This stanza entry is optional.

If cache-mode = enabled and this stanza entry is not used, the default value of 30 seconds will be used.

Default value

30

Example

cache-lifetime = 63200

cache-mode

Syntax

cache-mode = {enabled|disabled}

Description

Mode for caching that represents the cache being either turned on or turned off.

This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

Options

enabled Turns the cache on. You would enable the cache mode to improve the performance of repetitive Read actions on a specified object, such as login performance that is done more than once a day. Performance for Write actions would not be improved.

disabled Turns the cache off. You would disable the cache mode for better security. Caching opens a small window for users to go from server to server in order to bypass the maximum number of failed login attempts.

Usage

This stanza entry is optional. This stanza entry is normally provided for all Security Access Manager servers, except for the policy server pdmgrd.


Default value

enabled

Example

cache-mode = enabled

cache-size

Syntax

cache-size = {number_objects|object type:cache count value}

Description

Maximum number of objects for a particular type of object that can be in the cache at one time without hash table collisions. Or, if it is not numeric, it is a list of one or more object types and their cache count values.

This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

Options

number_objects Maximum number of objects must be a prime number for the cache count values. Range value is from 3 to a maximum number that is logical for the task and that does not affect performance. Non-prime numbers are automatically rounded up to the next higher prime number. If the number fails, the default value will be used.

object type:cache count value List of one or more object types and their cache count values. Examples:

cache-size = user:251;group:251;resgroup:251;resource:251;rescreds:251;

or

cache-size = user:251;group:251;

The second example sets the user and group cache sizes to 251 and does not use any cache for the others.

Performance tuning depends on how much memory space is dedicated to a cache or how many objects you typically have repetitive Read actions on (such as how many users you have logging in a day). For example, a setting of 251 might not be good if you have 1000 users logging in and out several times a day. However, if only 200 of those users log in and out repetitively during the day, 251 might work well.

Usage

This stanza entry is optional.

If cache-mode = enabled and this stanza entry is not used, the default value for cache size will be used.


Default value

The default value is server-specific.

Example

cache-size = 251
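As an added example that is not part of this reference or of WebSEAL, the following Python applies the cache-size rules above (numeric form rounded up to the next prime, minimum 3, fallback to the default when the number is unusable; list form type:count;...) together with the cache-lifetime range of 1 to 86400 seconds and its default of 30. The function names are hypothetical; applying the prime rounding to each per-type count in the list form, and falling back to the default for an out-of-range lifetime, are assumptions.

```python
import re
from typing import Dict, Union

# Hypothetical helpers written for this example; not WebSEAL code.
# cache-size rules from the reference:
# - numeric form: must be prime, range starts at 3, non-primes are rounded up to
#   the next higher prime, and an unusable number falls back to the default
# - list form: "type:count;type:count;" (trailing ';' allowed); the object types
#   the reference shows are user, group, resgroup, resource, rescreds
# Assumption: the prime rounding also applies to each per-type count.
# cache-lifetime rule from the reference: 1 to 86400 seconds, default 30.

MIN_CACHE_SIZE = 3
MIN_LIFETIME, MAX_LIFETIME = 1, 86400
_NUMERIC_RE = re.compile(r"^-?\d+$")


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    factor = 3
    while factor * factor <= n:
        if n % factor == 0:
            return False
        factor += 2
    return True


def next_prime(n: int) -> int:
    """Smallest prime >= n (a prime n is returned unchanged)."""
    while not is_prime(n):
        n += 1
    return n


def effective_cache_count(raw: str, default: int) -> int:
    """The cache count actually used for one numeric cache-size value."""
    text = raw.strip()
    if not _NUMERIC_RE.match(text):
        return default  # "If the number fails, the default value will be used."
    n = int(text)
    if n < MIN_CACHE_SIZE:
        return default  # below the documented range
    return next_prime(n)  # non-primes round up to the next higher prime


def parse_cache_size(value: str, default: int = 251) -> Union[int, Dict[str, int]]:
    """Numeric form returns one count; list form returns a per-object-type dict.
    Object types absent from the list get no cache, so they are absent from the dict."""
    value = value.strip()
    if _NUMERIC_RE.match(value):
        return effective_cache_count(value, default)
    sizes: Dict[str, int] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # the trailing ';' in "user:251;group:251;"
        obj_type, sep, count = item.partition(":")
        obj_type = obj_type.strip()
        if not sep or not obj_type:
            raise ValueError(f"malformed cache-size item: {item!r}")
        sizes[obj_type] = effective_cache_count(count, default)
    return sizes


def effective_cache_lifetime(value: str, default: int = 30) -> int:
    """cache-lifetime in seconds. Assumption: values outside 1..86400 fall back to the default."""
    text = value.strip()
    if not _NUMERIC_RE.match(text):
        return default
    n = int(text)
    return n if MIN_LIFETIME <= n <= MAX_LIFETIME else default


if __name__ == "__main__":
    # Constructed settings for this example, including the reference's own two list examples.
    for setting in ("251", "250", "2", "user:251;group:251;", "user:100;group:251"):
        print(f"cache-size = {setting:<24} -> {parse_cache_size(setting)}")
    print("cache-lifetime = 63200 ->", effective_cache_lifetime("63200"))
```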

uraf-registry-config

Syntax

uraf-registry-config = fully_qualified_path

Description

File name and location of the URAF registry configuration file for Security Access Manager.

Options

fully_qualified_path The fully_qualified_path value represents an alphanumeric string. String values must contain only characters that are part of the local code set. The file system and local code set determine the set of characters that the file name can contain. For Windows, file names cannot have these characters: a backward slash (\), a colon (:), a question mark (?), or double quotation marks ("). For UNIX, path and file names are case-sensitive.

Usage

This stanza entry is required if the configured registry type is not LDAP.

Default value

The default value is server-specific. The default URAF registry configuration file is set to one of the following values:

- activedir.conf
- activedir_ldap.conf

Example

Windows example for using Microsoft Active Directory user registry:

uraf-registry-config = c:\Program Files\Tivoli\Policy Director\etc\activedir_ldap.conf

Example for using Microsoft Active Directory as the registry from a UNIX client:

uraf-registry-config = /opt/PolicyDirector/etc/activedir_ldap.conf

[webseal-config] stanza

instance-name

Syntax

instance-name = instance_name


Description

Name of the configured WebSEAL instance.

Options

instance_name Name of the configured WebSEAL instance.

Usage

This stanza entry is required.

Default value

default

Example

instance-name = default

orig-version

Syntax

orig-version = version_number

Description

Version number of the previous WebSEAL version during an upgrade to a new version of WebSEAL.

If the installation is a new installation (not an upgrade from a previous version), the value is set to the version number of the new installation. The value of orig-version is now the same value as version.

If the installation is an upgrade from a previous version of WebSEAL, the value of orig-version is set to the version number of the version being upgraded. The value of orig-version is now different from the value of version. This version difference triggers the current configuration file to modify many stanza entries to contain backward compatible default values (for example, [server] late-lockout-notification = yes).

Options

version_number Version number of the previous WebSEAL version during an upgrade to a new version of WebSEAL. If the installation is a new installation (not an upgrade from a previous version), the value is set to the version number of the new installation.

Usage

This stanza entry is required.

Default value

6.0.0


Example

orig-version = 6.0.0

status

Syntax

status = {config|unconfig|partial}

Description

Configuration status of the current WebSEAL installation. The value of this stanza entry triggers the appropriate message for the "Display configuration status" menu in the WebSEAL configuration utility (amwebcfg).

Options

config The current WebSEAL installation has been successfully configured. The WebSEAL server can be started, stopped, and restarted.

unconfig The current WebSEAL installation has not been configured. You must run the WebSEAL configuration utility (amwebcfg) to configure WebSEAL.

partial The current WebSEAL installation was previously configured with an error. You must use the amwebcfg configuration utility to unconfigure WebSEAL, and then reconfigure WebSEAL.

Usage

This stanza entry is required.

Default value

unconfig

Example

status = unconfig

tivoli_common_dir

Syntax

tivoli_common_dir = location

Description

Path location to the Tivoli Common Directory, which is used for storing server log files.

Options

location Path location to the Tivoli Common Directory, which is used for storing server log files. The value of tivoli_common_dir is obtained, during WebSEAL installation, from the pd.conf configuration file. If the Tivoli Common Directory is not enabled, the value for tivoli_common_dir in both configuration files is left blank.


Usage

This stanza entry is required only when Tivoli Common Directory is enabled.

Default value

None.

Example

tivoli_common_dir =

version

Syntax

version = version_number

Description

Version number of the current WebSEAL installation.

If the installation is a new installation (not an upgrade from a previous version), the value of orig-version is similarly set to the version number of the new installation. The value of orig-version is now the same value as version.

If the installation is an upgrade from a previous version of WebSEAL, the value of orig-version is set to the version number of the version being upgraded. The value of orig-version is now different from the value of version. This version difference triggers the current configuration file to modify many stanza entries to contain backward compatible default values (for example, [server] late-lockout-notification = yes).

Options

version_number Version number of the current WebSEAL installation.

Usage

This stanza entry is required.

Default value

6.0.0

Example

version = 6.0.0


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


Index

Special characters

resource-name stanza entry
    http-transformations stanza 138

A

absolute-uri-in-request-log stanza entry
    logging stanza 196
accept-client-certs stanza entry
    certificate stanza 65
accept-correlators stanza entry
    arm stanza 23
access stanza entry
    p3p-header stanza 220
accessibility xiv
account-expiry-notification stanza entry
    acnt-mgt stanza 1
account-inactivated stanza entry
    acnt-mgt stanza 1
account-locked stanza entry
    acnt-mgt stanza 2
acnt-mgt stanza 1
    account-expiry-notification entry 1
    account-inactivated entry 1
    account-locked entry 2
    allow-unauthenticated-logout entry 3
    allowed-referers entry 3
    cert-failure entry 4
    cert-stepup-http entry 5
    certificate-login entry 5
    change-password-auth entry 6
    client-notify-tod entry 6
    enable-html-redirect entry 7
    enable-local-response-redirect entry 8
    enable-passwd-warn entry 8
    enable-secret-token-validation entry 9
    help entry 10
    html-redirect entry 11
    http-rsp-header entry 10
    login entry 11
    login-redirect-page entry 12
    login-success entry 13
    logout entry 14
    mgt-pages-root entry 14
    next-token entry 15
    passwd-change entry 15
    passwd-change-failure entry 15
    passwd-change-success entry 16
    passwd-expired entry 16
    passwd-warn entry 17
    passwd-warn-failure entry 17
    redirect-to-root-for-pkms entry 18
    single-signoff-uri entry 19
    stepup-login entry 19
    switch-user entry 20
    temp-cache-response entry 20
    token-login entry 21
    too-many-sessions entry 21
    use-filename-for-pkmslogout entry 22
    use-restrictive-logout-filenames entry 22
agents stanza entry
    logging stanza 196
agents-file stanza entry
    logging stanza 197
allow-backend-domain-cookies stanza entry
    junction stanza 145, 152
allow-empty-form-fields stanza entry
    forms stanza 133
allow-shift-jis-chars stanza entry
    server stanza 246
allow-unauth-ba-supply stanza entry
    server stanza 246
allow-unauthenticated-logout stanza entry
    acnt-mgt stanza 3
allow-unsolicited-logins stanza entry
    server stanza 247
allowed-referers stanza entry
    acnt-mgt stanza 3
always-send-tokens stanza entry
    tfimsso: stanza 337
amwebars stanza 23
    service-url entry 23
app-group stanza entry
    arm stanza 24
app-instance stanza entry
    arm stanza 25
applies-to stanza entry
    tfimsso: stanza 337
apply-tam-native-policy stanza entry
    oauth-eas stanza 212
    rtss-eas stanza 234
arm stanza 23
    accept-correlators entry 23
    app-group entry 24
    app-instance entry 25
    correlator-header entry 25
    enable-arm entry 26
    library entry 26
    report-transactions entry 27
attribute_name_pattern stanza entry
    credential-refresh-attributes stanza 87
attribute_pattern stanza entry
    cdsso-incoming-attributes stanza 63
    ecsso-incoming-attributes stanza 115
    failover-add-attributes stanza 124
    failover-restore-attributes stanza 126
audit-attribute stanza entry
    aznapi-configuration stanza 43
audit-log-cfg stanza entry
    rtss-eas stanza 234
audit-mime-types stanza entry
    logging stanza 197
audit-response-codes stanza entry
    logging stanza 198
auditcfg stanza entry
    aznapi-configuration stanza 43
auditlog stanza entry
    aznapi-configuration stanza 44
auth-challenge-type stanza entry
    server stanza 247
auth-cookies stanza 27
    cookie entry 27
auth-headers stanza 28
    header entry 28
auth-timeout stanza entry
    ldap stanza 177
auth-using-compare stanza entry
    ldap stanza 177
authentication_level stanza entry
    credential-refresh-attributes stanza 88
authentication-levels stanza 28
    level entry 28
authentication-mechanisms stanza 29
    cert-ldap entry 29
    cert-ssl entry 30
    cred-ext-attrs entry 31
    ext-auth-interface entry 31
    failover-cdsso entry 32
    failover-certificate entry 32
    failover-ext-auth-interface entry 33
    failover-http-request entry 33
    failover-kerberosv5 entry 33
    failover-password entry 34
    failover-token-card entry 34
    http-request entry 35
    kerberosv5 entry 35
    ltpa entry 36
    passwd-cdas entry 36
    passwd-ldap entry 37
    passwd-strength entry 37
    passwd-uraf entry 38
    post-pwdchg-process entry 38
    sso-consume entry 39
    sso-create entry 39
    su-cdsso entry 40
    su-certificate entry 40
    su-http-request entry 40
    su-kerberosv5 entry 41
    su-passwd entry 41
    su-token-card entry 42
    token-cdas entry 42
authtoken-lifetime stanza entry
    cdsso stanza 59
azn-decision-info stanza 57
azn-decision-info stanza entry
    azn-decision-info stanza 57
aznapi-configuration stanza 43
    audit-attribute entry 43
    auditcfg entry 43
    auditlog entry 44
    cache-refresh-interval entry 45
    cred-attribute-entitlement-services entry 45
    db-file entry 46


aznapi-configuration stanza (continued)
    dynamic-adi-entitlement-services entry 46
    input-adi-xml-prolog entry 47
    listen-flags entry 47
    logaudit entry 48
    logcfg entry 49
    logclientid entry 48
    logflush entry 50
    logsize entry 50
    permission-info-returned entry 51
    policy-attr-separator entry 51
    policy-cache-size entry 52
    resource-manager-provided-adi entry 53
    service-id entry 53
    xsl-stylesheet-prolog entry 54
aznapi-entitlement-services stanza 54
    service-id entry 54
aznapi-external-authzn-services stanza 55
    policy-trigger entry 55

B

ba stanza 58
    ba-auth entry 58
    basic-auth-realm entry 59
ba-auth stanza entry
    ba stanza 58
backicon stanza entry
    icons stanza 141
bad-gateway-rsp-file stanza entry
    oauth-eas stanza 213
bad-request-rsp-file stanza entry
    oauth-eas stanza 213
base-crypto-library stanza entry
    ssl stanza 304
basic-auth-passwd stanza entry
    dsess-cluster stanza 90
    tfim-cluster: stanza 343
    xacml-cluster:<cluster> stanza 238
basic-auth-realm stanza entry
    ba stanza 59
basic-auth-user stanza entry
    dsess-cluster stanza 89
    tfim-cluster: stanza 343
    xacml-cluster: stanza 237
basicauth-dummy-passwd stanza entry
    junction stanza 146
bind-dn stanza entry
    ldap stanza 178
bind-id stanza entry
    uraf-registry stanza 351
bind-pwd stanza entry
    ldap stanza 178

C

cache-enabled stanza entry
    ldap stanza 179
cache-group-expire-time stanza entry
    ldap stanza 180
cache-group-membership stanza entry
    ldap stanza 180
cache-group-size stanza entry
    ldap stanza 181
cache-host-header stanza entry
    server stanza 248
cache-lifetime stanza entry
    uraf-registry stanza 351
cache-mode stanza entry
    uraf-registry stanza 352
cache-policy-expire-time stanza entry
    ldap stanza 181
cache-policy-size stanza entry
    ldap stanza 182
cache-refresh-interval stanza entry
    aznapi-configuration stanza 45
cache-requests-for-ecsso stanza entry
    e-community-sso stanza 106
cache-return-registry-id stanza entry
    ldap stanza 182
cache-size stanza entry
    oauth-eas stanza 214
    uraf-registry stanza 353
cache-use-user-cache stanza entry
    ldap stanza 184
cache-user-expire-time stanza entry
    ldap stanza 183
cache-user-size stanza entry
    ldap stanza 183
capitalize-content-length stanza entry
    server stanza 249
categories stanza entry
    p3p-header stanza 221
cdsso stanza 59
    authtoken-lifetime entry 59
    cdsso-argument entry 60
    cdsso-auth entry 60
    cdsso-create entry 61
    clean-cdsso-urls entry 61
    propagate-cdmf-errors entry 62
    use-utf8 entry 62
cdsso-argument stanza entry
    cdsso stanza 60
cdsso-auth stanza entry
    cdsso stanza 60
cdsso-create stanza entry
    cdsso stanza 61
cdsso-incoming-attributes stanza 63
    attribute_pattern entry 63
cdsso-peers stanza 64
    fully_qualified_hostname entry 64
cdsso-token-attributes stanza 64
    domain_name entry 65
    entry 64
cert-cache-max-entries stanza entry
    certificate stanza 66
cert-cache-timeout stanza entry
    certificate stanza 67
cert-failure stanza entry
    acnt-mgt stanza 4
cert-ldap stanza entry
    authentication-mechanisms stanza 29
cert-map-authn stanza 70
    debug-level entry 70
    rules-file entry 71
cert-prompt-max-tries stanza entry
    certificate stanza 67
cert-ssl stanza entry
    authentication-mechanisms stanza 30
cert-stepup-http stanza entry
    acnt-mgt stanza 5
certificate stanza 65
    accept-client-certs entry 65
    cert-cache-max-entries entry 66
    cert-cache-timeout entry 67
    cert-prompt-max-tries entry 67
    disable-cert-login-page entry 68, 70
    eai-data 69
certificate-login stanza entry
    acnt-mgt stanza 5
cfg-db-cmd:entries stanza 71
cfg-db-cmd:files stanza 72
    include entry 72
cgi stanza 73
    cgi-timeout entry 73
cgi-environment-variables stanza 74
    ENV entry 74
cgi-timeout stanza entry
    cgi stanza 73
cgi-types stanza 75
    file_extension entry 75
change-password-auth stanza entry
    acnt-mgt stanza 6
chunk-responses stanza entry
    server stanza 250
clean-cdsso-urls stanza entry
    cdsso stanza 61
clean-ecsso-urls-for-failover stanza entry
    failover stanza 118
client-connect-timeout stanza entry
    server stanza 250
client-notify-tod stanza entry
    acnt-mgt stanza 6
cluster stanza 75
    is-master entry 76
    master-name entry 76
    max-wait-time entry 77
cluster-name stanza entry
    oauth-eas stanza 215
    rtss-eas stanza 236
compress-mime-types stanza 77
    mime_type entry 77
compress-user-agents stanza 78
    pattern entry 78
concurrent-session-threads-hard-limit stanza entry
    server stanza 251
concurrent-session-threads-soft-limit stanza entry
    server stanza 252
config-data-log stanza entry
    logging stanza 199
config-file stanza entry
    policy-director stanza 228
connection-request-limit stanza entry
    server stanza 252
content stanza 79
    delete-trash-dir entry 79
    directory-index entry 79
    doc-root entry 80
    error-dir entry 80
    user-dir entry 81
    utf8-template-macros-enabled entry 81
content-cache stanza 82
    MIME_type entry 82


content-encodings stanza 83
    extension entry 83
content-index-icons stanza 84
    type entry 84
content-mime-types stanza 85
    deftype entry 85
    extension entry 85
context-id stanza entry
    rtss-eas stanza 236
cookie stanza entry
    auth-cookies stanza 27
cookie-domain stanza entry
    ltpa stanza 207
cookie-name stanza entry
    ltpa stanza 206
cope-with-pipelined-request stanza entry
    server stanza 253
correlator-header stanza entry
    arm stanza 25
cred-attribute-entitlement-services stanza entry
    aznapi-configuration stanza 45
cred-ext-attrs stanza entry
    authentication-mechanisms stanza 31
credential-policy-attributes stanza 87
    policy-name entry 87
credential-refresh-attributes stanza 87
    attribute_name_pattern entry 87
    authentication_level entry 88
crl-ldap-server stanza entry
    junction stanza 146
    ssl stanza 304
crl-ldap-server-port stanza entry
    junction stanza 147
    ssl stanza 305
crl-ldap-user stanza entry
    junction stanza 148
    ssl stanza 306
crl-ldap-user-password stanza entry
    junction stanza 148
    ssl stanza 306

D

db-file stanza entry
    aznapi-configuration stanza 46
DB2 xii
debug-level stanza entry
    cert-map-authn stanza 70
decode-query stanza entry
    server stanza 253
default stanza entry
    ssl-qop-mgmt-default stanza 330
default-fed-id stanza entry
    oauth-eas stanza 215
default-mode stanza entry
    oauth-eas stanza 216
default-policy-override-support stanza entry
    ldap stanza 184
deftype stanza entry
    content-mime-types stanza 85
delete-trash-dir stanza entry
    content stanza 79
directory-index stanza entry
    content stanza 79
diricon stanza entry
    icons stanza 141
Disable local junctions 176
disable-cert-login-page stanza entry
    certificate stanza 68, 70
disable-ec-cookie stanza entry
    e-community-sso stanza 107
disable-local-junctions 176
disable-ncipher-bsafe stanza entry
    ssl stanza 307
disable-rainbow-bsafe stanza entry
    ssl stanza 307
disable-ssl-v2 stanza entry
    junction stanza 149
    ssl stanza 308
disable-ssl-v3 stanza entry
    junction stanza 149
    ssl stanza 308
disable-timeout-reduction stanza entry
    server stanza 254
disable-tls-v1 stanza entry
    junction stanza 150
    ssl stanza 309
disable-tls-v11 stanza entry
    junction stanza 150
    ssl stanza 309
disable-tls-v12 stanza entry
    junction stanza 151
    ssl stanza 310
disputes stanza entry
    p3p-header stanza 223
doc-root stanza entry
    content stanza 80
domain stanza entry
    session-cookie-domains stanza 300
domain_name stanza entry
    cdsso-token-attributes stanza 65
    e-community-domain-keys stanza 105
    e-community-domain-keys:domain stanza 105
    ecsso-token-attributes stanza 117
dont-reprocess-jct-404s stanza entry
    junction stanza 151
double-byte-encoding stanza entry
    server stanza 254
dsess stanza 88
    dsess-cluster-name entry 89
    dsess-sess-id-pool-size entry 88
dsess-cluster stanza 89
    basic-auth-passwd entry 90
    basic-auth-user entry 89
    gsk-attr-name entry 90
    handle-idle-timeout entry 91
    handle-pool-size entry 92
    response-by entry 92
    server entry 93
    ssl-fips-enabled entry 94
    ssl-keyfile entry 94
    ssl-keyfile-label entry 95
    ssl-keyfile-stash entry 95
    ssl-valid-server-dn entry 96
    timeout entry 96
dsess-cluster-name stanza entry
    dsess stanza 89
dsess-enabled stanza entry
    session stanza 288
dsess-last-access-update-interval stanza entry
    session stanza 288
dsess-sess-id-pool-size stanza entry
    dsess stanza 88
dynamic-adi-entitlement-services stanza entry
    aznapi-configuration stanza 46
dynurl-allow-large-posts stanza entry
    server stanza 255
dynurl-map stanza entry
    server stanza 255

E

e-community-domain-keys stanza 105
    domain_name entry 105
e-community-domain-keys:domain stanza 105
    domain_name entry 105
e-community-domains stanza 104
    name entry 104
e-community-name stanza entry
    e-community-sso stanza 106
e-community-sso stanza 106
    cache-requests-for-ecsso entry 106
    disable-ec-cookie entry 107
    e-community-name entry 106
    e-community-sso-auth entry 107
    ec-cookie-domain entry 108
    ec-cookie-lifetime entry 108
    ecsso-allow-unauth entry 109
    ecsso-propagate-errors entry 109
    handle-auth-failure-at-mas entry 110
    is-master-authn-server entry 110
    master-authn-server entry 111
    master-http-port entry 112
    master-https-port entry 112
    propagate-cdmf-errors entry 113
    use-utf8 entry 113
    vf-argument entry 114
    vf-token-lifetime entry 114
    vf-url entry 115
e-community-sso-auth stanza entry
    e-community-sso stanza 107
eai stanza 97
    eai-auth entry 97
    eai-auth-level-header entry 97
    eai-flags-header entry 98
    eai-pac-header entry 99
    eai-pac-svc-header entry 99
    eai-redir-url-header entry 100
    eai-session-id-header entry 100
    eai-user-id-header entry 101
    eai-verify-user-identity entry 101
    eai-xattrs-header entry 102
    retain-eai-session entry 102
eai-auth stanza entry
    eai stanza 97
eai-auth-level-header stanza entry
    eai stanza 97
eai-data
    certificate stanza 69
eai-flags-header stanza entry
    eai stanza 98
eai-pac-header stanza entry
    eai stanza 99


eai-pac-svc-header stanza entry
    eai stanza 99
eai-redir-url-header stanza entry
    eai stanza 100
eai-session-id-header stanza entry
    eai stanza 100
eai-trigger-urls stanza 103
    trigger entry 103
eai-user-id-header stanza entry
    eai stanza 101
eai-verify-user-identity stanza entry
    eai stanza 101
eai-xattrs-header stanza entry
    eai stanza 102
ec-cookie-domain stanza entry
    e-community-sso stanza 108
ec-cookie-lifetime stanza entry
    e-community-sso stanza 108
ecsso-allow-unauth stanza entry
    e-community-sso stanza 109
ecsso-incoming-attributes stanza 115
    attribute_pattern entry 115
ecsso-propagate-errors stanza entry
    e-community-sso stanza 109
ecsso-token-attributes stanza 116
    domain_name entry 117
    entry 116
education xiv
enable-arm stanza entry
    arm stanza 26
enable-duplicate-ssl-dn-not-found-msgs stanza entry
    ssl stanza 310
enable-failover-cookie-for-domain stanza entry
    failover stanza 119
enable-html-redirect stanza entry
    acnt-mgt stanza 7
enable-IE6-2GB-downloads stanza entry
    server stanza 256
enable-local-response-redirect stanza entry
    acnt-mgt stanza 8
enable-passwd-warn stanza entry
    acnt-mgt stanza 8
enable-redirects stanza 117
    redirect entry 117
enable-secret-token-validation stanza entry
    acnt-mgt stanza 9
enabled stanza entry
    ldap stanza 185
enforce-max-sessions-policy stanza entry
    session stanza 289
entries 116
    resource-name
        http-transformations stanza 138
    absolute-uri-in-request-log
        logging stanza 196
    accept-client-certs
        certificate stanza 65
    accept-correlators
        arm stanza 23
    access
        p3p-header stanza 220
    account-expiry-notification
        acnt-mgt stanza 1
    account-inactivated
        acnt-mgt stanza 1
    account-locked
        acnt-mgt stanza 2
    agents
        logging stanza 196
    agents-file
        logging stanza 197
    allow-backend-domain-cookies
        junction stanza 145, 152
    allow-empty-form-fields
        forms stanza 133
    allow-shift-jis-chars
        server stanza 246
    allow-unauth-ba-supply
        server stanza 246
    allow-unauthenticated-logout
        acnt-mgt stanza 3
    allow-unsolicited-logins
        server stanza 247
    allowed-referers
        acnt-mgt stanza 3
    always-send-tokens
        tfimsso: jct-id stanza 337
    app-group
        arm stanza 24
    app-instance
        arm stanza 25
    applies-to
        tfimsso: jct-id stanza 337
    apply-tam-native-policy
        oauth-eas stanza 212
        rtss-eas stanza 234
    attribute_name_pattern
        credential-refresh-attributes stanza 87
    attribute_pattern
        cdsso-incoming-attributes stanza 63
        ecsso-incoming-attributes stanza 115
        failover-add-attributes stanza 124
        failover-restore-attributes stanza 126
    audit-attribute
        aznapi-configuration stanza 43
    audit-log-cfg
        rtss-eas stanza 234
    audit-mime-types
        logging stanza 197
    audit-response-codes
        logging stanza 198
    auditcfg
        aznapi-configuration stanza 43
    auditlog
        aznapi-configuration stanza 44
    auth-challenge-type
        server stanza 247
    auth-timeout
        ldap stanza 177
    auth-using-compare
        ldap stanza 177
    authentication_level
        credential-refresh-attributes stanza 88
    authtoken-lifetime
        cdsso stanza 59
    azn-decision-info
        azn-decision-info stanza 57
    ba-auth
        ba stanza 58
    backicon
        icons stanza 141
    bad-gateway-rsp-file
        oauth-eas stanza 213
    bad-request-rsp-file
        oauth-eas stanza 213
    base-crypto-library
        ssl stanza 304
    basic-auth-passwd
        [rtss-cluster:<cluster>] stanza 238
        dsess-cluster stanza 90
        tfim-cluster: cluster stanza 343
    basic-auth-realm
        ba stanza 59
    basic-auth-user
        dsess-cluster stanza 89
        [rtss-cluster:<cluster>] stanza 237
        tfim-cluster: cluster stanza 343
    basicauth-dummy-passwd
        junction stanza 146
    bind-dn
        ldap stanza 178
    bind-id
        uraf-registry stanza 351
    bind-pwd
        ldap stanza 178
    cache-enabled
        ldap stanza 179
    cache-group-expire-time
        ldap stanza 180
    cache-group-membership
        ldap stanza 180
    cache-group-size
        ldap stanza 181
    cache-host-header
        server stanza 248
    cache-lifetime
        uraf-registry stanza 351
    cache-mode
        uraf-registry stanza 352
    cache-policy-expire-time
        ldap stanza 181
    cache-policy-size
        ldap stanza 182
    cache-refresh-interval
        aznapi-configuration stanza 45
    cache-requests-for-ecsso
        e-community-sso stanza 106
    cache-return-registry-id
        ldap stanza 182
    cache-size
        oauth-eas stanza 214
        uraf-registry stanza 353
    cache-use-user-cache
        ldap stanza 184
    cache-user-expire-time
        ldap stanza 183
    cache-user-size
        ldap stanza 183


entries (continued)
    capitalize-content-length
        server stanza 249
    categories
        p3p-header stanza 221
    cdsso-argument
        cdsso stanza 60
    cdsso-auth
        cdsso stanza 60
    cdsso-create
        cdsso stanza 61
    cdsso-token-attributes stanza 64
    cert-cache-max-entries
        certificate stanza 66
    cert-cache-timeout
        certificate stanza 67
    cert-failure
        acnt-mgt stanza 4
    cert-ldap
        authentication-mechanisms stanza 29
    cert-prompt-max-tries
        certificate stanza 67
    cert-ssl
        authentication-mechanisms stanza 30
    cert-stepup-http
        acnt-mgt stanza 5
    certificate-login
        acnt-mgt stanza 5
    cgi-timeout
        cgi stanza 73
    change-password-auth
        acnt-mgt stanza 6
    chunk-responses
        server stanza 250
    clean-cdsso-urls
        cdsso stanza 61
    clean-ecsso-urls-for-failover
        failover stanza 118
    client-connect-timeout
        server stanza 250
    client-notify-tod
        acnt-mgt stanza 6
    cluster-name
        oauth-eas stanza 215
        rtss-eas stanza 236
    concurrent-session-threads-hard-limit
        server stanza 251
    concurrent-session-threads-soft-limit
        server stanza 252
    config-data-log
        logging stanza 199
    config-file
        policy-director stanza 228
    connection-request-limit
        server stanza 252
    context-id
        rtss-eas stanza 236
    cookie
        auth-cookies stanza 27
    cookie-domain
        ltpa stanza 207
    cookie-name
        ltpa stanza 206
    cope-with-pipelined-request
        server stanza 253
    correlator-header
        arm stanza 25
    cred-attribute-entitlement-services
        aznapi-configuration stanza 45
    cred-ext-attrs
        authentication-mechanisms stanza 31
    crl-ldap-server
        junction stanza 146
        ssl stanza 304
    crl-ldap-server-port
        junction stanza 147
        ssl stanza 305
    crl-ldap-user
        junction stanza 148
        ssl stanza 306
    crl-ldap-user-password
        junction stanza 148
        ssl stanza 306
    db-file
        aznapi-configuration stanza 46
    debug-level
        cert-map-authn stanza 70
    decode-query
        server stanza 253
    default
        ssl-qop-mgmt-default stanza 330
    default-fed-id
        oauth-eas stanza 215
    default-mode
        oauth-eas stanza 216
    default-policy-override-support
        ldap stanza 184
    deftype
        content-mime-types stanza 85
    delete-trash-dir
        content stanza 79
    directory-index
        content stanza 79
    diricon
        icons stanza 141
    disable-cert-login-page
        certificate stanza 68, 70
    disable-ec-cookie
        e-community-sso stanza 107
    disable-ncipher-bsafe
        ssl stanza 307
    disable-rainbow-bsafe
        ssl stanza 307
    disable-ssl-v2
        junction stanza 149
        ssl stanza 308
    disable-ssl-v3
        junction stanza 149
        ssl stanza 308
    disable-timeout-reduction
        server stanza 254
    disable-tls-v1
        junction stanza 150
        ssl stanza 309
    disable-tls-v11
        junction stanza 150
        ssl stanza 309
    disable-tls-v12
        junction stanza 151
        ssl stanza 310
    disputes
        p3p-header stanza 223
    doc-root
        content stanza 80
    domain
        session-cookie-domains stanza 300
    domain_name
        cdsso-token-attributes stanza 65
        e-community-domain-keys stanza 105
        e-community-domain-keys:domain stanza 105
        ecsso-token-attributes stanza 117
    dont-reprocess-jct-404s
        junction stanza 151
    double-byte-encoding
        server stanza 254
    dsess-cluster-name
        dsess stanza 89
    dsess-enabled
        session stanza 288
    dsess-last-access-update-interval
        session stanza 288
    dsess-sess-id-pool-size
        dsess stanza 88
    dynamic-adi-entitlement-services
        aznapi-configuration stanza 46
    dynurl-allow-large-posts
        server stanza 255
    dynurl-map
        server stanza 255
    e-community-name
        e-community-sso stanza 106
    e-community-sso-auth
        e-community-sso stanza 107
    eai-auth
        eai stanza 97
    eai-auth-level-header
        eai stanza 97
    eai-data
        certificate stanza 69
    eai-flags-header
        eai stanza 98
    eai-pac-header
        eai stanza 99
    eai-pac-svc-header
        eai stanza 99
    eai-redir-url-header
        eai stanza 100
    eai-session-id-header
        eai stanza 100
    eai-user-id-header
        eai stanza 101
    eai-verify-user-identity
        eai stanza 101
    eai-xattrs-header
        eai stanza 102
    ec-cookie-domain
        e-community-sso stanza 108
    ec-cookie-lifetime
        e-community-sso stanza 108
    ecsso-allow-unauth
        e-community-sso stanza 109
    ecsso-propagate-errors
        e-community-sso stanza 109


entries (continued)
    ecsso-token-attributes stanza 116
    enable-arm
        arm stanza 26
    enable-duplicate-ssl-dn-not-found-msgs
        ssl stanza 310
    enable-failover-cookie-for-domain
        failover stanza 119
    enable-html-redirect
        acnt-mgt stanza 7
    enable-IE6-2GB-downloads
        server stanza 256
    enable-local-response-redirect
        acnt-mgt stanza 8
    enable-passwd-warn
        acnt-mgt stanza 8
    enable-secret-token-validation
        acnt-mgt stanza 9
    enabled
        ldap stanza 185
    enforce-max-sessions-policy
        session stanza 289
    ENV
        cgi-environment-variables stanza 74
    env-name
        system-environment-variables stanza 336
    error-dir
        content stanza 80
    ext-auth-interface
        authentication-mechanisms stanza 31
    extension
        content-encodings stanza 83
        content-mime-types stanza 85
    failover-auth
        failover stanza 119
    failover-cdsso
        authentication-mechanisms stanza 32
    failover-certificate
        authentication-mechanisms stanza 32
    failover-cookie-lifetime
        failover stanza 120
    failover-cookies-keyfile
        failover stanza 120
    failover-ext-auth-interface
        authentication-mechanisms stanza 33
    failover-http-request
        authentication-mechanisms stanza 33
    failover-include-session-id
        failover stanza 121
    failover-kerberosv5
        authentication-mechanisms stanza 33
    failover-password
        authentication-mechanisms stanza 34
    failover-require-activity-timestamp-validation
        failover stanza 121
    failover-require-lifetime-timestamp-validation
        failover stanza 122
    failover-token-card
        authentication-mechanisms stanza 34
    failover-update-cookie
        failover stanza 122
    fed-id-param
        oauth-eas stanza 216
    file_extension
        cgi-types stanza 75
    filter-nonhtml-as-xhtml
        server stanza 257
    fips-mode-processing
        ssl stanza 311
    flush-time
        logging stanza 199
    force-tag-value-prefix
        server stanza 257
    forms-auth
        forms stanza 133
    fully_qualified_hostname
        cdsso-peers stanza 64
    gmt-time
        logging stanza 200
    gsk-attr-name
        dsess-cluster stanza 90
        ssl stanza 311
        tfim-cluster: cluster stanza 344
    gsk-crl-cache-entry-lifetime
        ssl stanza 313
    gsk-crl-cache-size
        ssl stanza 313
    gso-cache-enabled
        gso-cache stanza 134
    gso-cache-entry-idle-timeout
        gso-cache stanza 134
    gso-cache-entry-lifetime
        gso-cache stanza 135
    gso-cache-size
        gso-cache stanza 136
    handle-auth-failure-at-mas
        e-community-sso stanza 110
    handle-idle-timeout
        rtss-cluster:<cluster> stanza 239
        tfim-cluster: cluster stanza 345
    handle-pool-size
        [rtss-cluster:<cluster>] stanza 239
        dsess-cluster stanza 92
        tfim-cluster: cluster stanza 345
    header
        auth-headers stanza 28
        filter-request-headers stanza 129
    header_name
        session-http-headers stanza 301
    header-data
        header-names stanza 136
    help
        acnt-mgt stanza 10
    host
        ldap stanza 185
    host-header-in-request-log
        logging stanza 200
    host-ip
        ssl-qop-mgmt-hosts stanza 331
    hostname-junction-cookie
        script-filtering stanza 244
    HTML_tag
        filter-events stanza 128
        filter-url stanza 131
    html-redirect
        acnt-mgt stanza 11
    http
        server stanza 258
    http-headers-auth
        http-headers stanza 138
    http-method-disabled-local
        server stanza 258
    http-method-disabled-remote
        server stanza 259
    http-port
        server stanza 259
    http-request
        authentication-mechanisms stanza 35
    http-rsp-header
        acnt-mgt stanza 10
    http-timeout
        junction stanza 153
    https
        server stanza 260
    https-port
        server stanza 260
    https-timeout
        junction stanza 154
    ignore-missing-last-chunk
        server stanza 261
    inactive-timeout
        session stanza 289
    input-adi-xml-prolog
        aznapi-configuration stanza 47
    insert-client-real-ip-for-option-r
        junction stanza 154
    instance-name
        webseal-config stanza 354
    interface_name
        interfaces stanza 143
    intra-connection-timeout
        server stanza 261
    io-buffer-size
        junction stanza 155
        server stanza 262
    ip-support-level
        server stanza 263
    ipaddr-auth
        ipaddr stanza 144, 145
    ipv6-support
        server stanza 263
    is-master
        cluster stanza 76
    is-master-authn-server
        e-community-sso stanza 110
    jct-cert-keyfile
        junction stanza 155
    jct-cert-keyfile-pwd
        junction stanza 157
    jct-cert-keyfile-stash
        junction stanza 156
    jct-gsk-attr-name
        ssl stanza 314


entries (continued)
    jct-ltpa-cookie-name
        ltpa stanza 207
    jct-ocsp-enable
        junction stanza 158
    jct-ocsp-max-response-size
        junction stanza 158
    jct-ocsp-nonce-check-enable
        junction stanza 159
    jct-ocsp-nonce-generation-enable
        junction stanza 159
    jct-ocsp-proxy-server-name
        junction stanza 160
    jct-ocsp-proxy-server-port
        junction stanza 160
    jct-ocsp-url
        junction stanza 161
    jct-ssl-reneg-warning-rate
        junction stanza 161
    jct-undetermined-revocation-cert-action
        junction stanza 162
    jmt-map
        junction stanza 162
    junction-db
        junction stanza 163
    kerberosv5
        authentication-mechanisms stanza 35
    keyfile
        ltpa stanza 208
    late-lockout-notification
        server stanza 264
    ldap-server-config
        ldap stanza 186
    level
        authentication-levels stanza 28
    library
        arm stanza 26
    listen-flags
        aznapi-configuration stanza 47
    local-response-redirect-uri
        local-response-redirect stanza 195
    log-invalid-requests
        logging stanza 201
    logaudit
        aznapi-configuration stanza 48
    logcfg
        aznapi-configuration stanza 49
    logclientid
        aznapi-configuration stanza 48
    logflush
        aznapi-configuration stanza 50
    login
        acnt-mgt stanza 11
    login-failures-persistent
        ldap stanza 186
    login-redirect-page
        acnt-mgt stanza 12
    login-success
        acnt-mgt stanza 13
    logout
        acnt-mgt stanza 14
    logout-remove-cookie
        session stanza 290
    logsize
        aznapi-configuration stanza 50
    ltpa
        authentication-mechanisms stanza 36
    ltpa-auth
        ltpa stanza 206, 208
    ltpa-cache-enabled
        ltpa-cache stanza 210
    ltpa-cache-entry-idle-timeout
        ltpa-cache stanza 210
    ltpa-cache-entry-lifetime
        ltpa-cache stanza 211
    ltpa-cache-size
        ltpa-cache stanza 211
    macro
        local-response-macros stanza 194
    managed-cookies-list
        junction stanza 163
    mangle-domain-cookies
        junction stanza 164
    master-authn-server
        e-community-sso stanza 111
    master-http-port
        e-community-sso stanza 112
    master-https-port
        e-community-sso stanza 112
    master-name
        cluster stanza 76
    match-vhj-first
        junction stanza 165
    max-cached-persistent-connections
        junction stanza 165
    max-client-read
        server stanza 265
    max-entries
        session stanza 290
    max-file-cat-command-length
        server stanza 265
    max-file-descriptors
        server stanza 266
    max-idle-persistent-connections
        server stanza 267
    max-search-size
        ldap stanza 187
    max-size
        logging stanza 201
    max-wait-time
        cluster stanza 77
    max-webseal-header-size
        junction stanza 166
    mgt-pages-root
        acnt-mgt stanza 14
    mime_type
        compress-mime-types stanza 77
    MIME_type
        content-cache stanza 82
    mode-param
        oauth-eas stanza 217
    mpa
        mpa stanza 212
    name
        e-community-domains stanza 104
        preserve-cookie-names stanza 229
    neg-delay-fix-disable
        ssl stanza 315
    network-interface
        server stanza 267
    network/netmask
        ssl-qop-mgmt-networks stanza 332
    next-token
        acnt-mgt stanza 15
    non-identifiable
        p3p-header stanza 223
    obligation
        obligations-levels-mapping stanza 219
    ocsp-enable
        ssl stanza 316
    ocsp-max-response-size
        ssl stanza 316
    ocsp-nonce-check-enable
        ssl stanza 317
    ocsp-nonce-generation-enable
        ssl stanza 317
    ocsp-proxy-server-name
        ssl stanza 318
    ocsp-proxy-server-port
        ssl stanza 318
    ocsp-url
        ssl stanza 319
    one-time-token
        tfimsso: jct-id stanza 338
    orig-version
        webseal-config stanza 355
    p3p-element
        p3p-header stanza 224
    pass-http-only-cookie-atr
        junction stanza 166
    passwd-cdas
        authentication-mechanisms stanza 36
    passwd-change
        acnt-mgt stanza 15
    passwd-change-failure
        acnt-mgt stanza 15
    passwd-change-success
        acnt-mgt stanza 16
    passwd-expired
        acnt-mgt stanza 16
    passwd-ldap
        authentication-mechanisms stanza 37
    passwd-strength
        authentication-mechanisms stanza 37
    passwd-uraf
        authentication-mechanisms stanza 38
    passwd-warn
        acnt-mgt stanza 17
    passwd-warn-failure
        acnt-mgt stanza 17
    pattern
        compress-user-agents stanza 78
    permission-info-returned
        aznapi-configuration stanza 51
    persistent-con-timeout
        junction stanza 167
        server stanza 268
    ping-method
        junction stanza 168


entries (continued)
ping-time
    junction stanza 168
ping-uri
    junction stanza 169
pkcs11-driver-path
    ssl stanza 319
pkcs11-symmetric-cipher-support
    ssl stanza 321
pkcs11-token-label
    ssl stanza 320
pkcs11-token-pwd
    ssl stanza 320
policy-attr-separator
    aznapi-configuration stanza 51
policy-cache-size
    aznapi-configuration stanza 52
policy-name
    credential-policy-attributes stanza 87
policy-trigger
    aznapi-external-authzn-services stanza 55
port
    ldap stanza 188
post-pwdchg-process
    authentication-mechanisms stanza 38
pre-410-compatible-tokens
    server stanza 268
pre-510-compatible-token
    server stanza 269
prefer-readwrite-server
    ldap stanza 188
preserve-base-href
    server stanza 269
preserve-base-href2
    server stanza 270
preserve-p3p-policy
    server stanza 270
preserve-xml-token
    tfimsso:jct-id stanza 338
process-root-requests
    server stanza 271
prompt-for-displacement
    session stanza 291
propagate-cdmf-errors
    cdsso stanza 62
    e-community-sso stanza 113
purpose
    p3p-header stanza 224
realm-name
    oauth-eas stanza 218
reauth-at-any-level
    reauthentication stanza 230
reauth-extend-lifetime
    reauthentication stanza 231
reauth-for-inactive
    reauthentication stanza 231
reauth-reset-lifetime
    reauthentication stanza 232
recipient
    p3p-header stanza 226
recovery-ping-time
    junction stanza 170
redirect
    enable-redirects stanza 117
redirect-to-root-for-pkms
    acnt-mgt stanza 18
redirect-using-relative
    server stanza 271
referers
    logging stanza 202
referers-file
    logging stanza 202
register-authentication-failures
    session stanza 292
reissue-missing-failover-cookie
    failover stanza 123
reject-invalid-host-header
    server stanza 272
reject-request-transfer-encodings
    server stanza 273
remedies
    p3p-header stanza 227
renewal-window
    tfimsso:jct-id stanza 339
replica
    ldap stanza 189
replica-set
    replica-sets stanza 233
report-transactions
    arm stanza 27
reprocess-root-jct-404s
    junction stanza 170
request-body-max-read
    server stanza 273
request-log-format
    logging stanza 204
request-max-cache
    server stanza 274
requests
    logging stanza 203
requests-file
    logging stanza 203
require-mpa
    session stanza 292
resend-webseal-cookies
    session stanza 293
reset-cookies-list
    junction stanza 171
resource-manager-provided-adi
    aznapi-configuration stanza 53
response-by
    dsess-cluster stanza 92
response-code-rules
    junction stanza 172
retain-eai-session
    eai stanza 102
retain-stepup-session
    step-up stanza 334
retention
    p3p-header stanza 228
rewrite-absolute-with-absolute
    script-filtering stanza 245
root
    process-root-filter stanza 230
rules-file
    cert-map-authn stanza 71
scheme
    filter-schemes stanza 130
script-filter
    script-filtering stanza 245
search-timeout
    ldap stanza 189
send-constant-sess
    session stanza 293
send-header-ba-first
    server stanza 274
send-header-spnego-first
    server stanza 275
server
    rtss-cluster:<cluster> stanza 240
    dsess-cluster stanza 93
    tfim-cluster:<cluster> stanza 346
server-log
    logging stanza 205
server-name
    server stanza 276
server-root
    server stanza 276
service-id
    aznapi-configuration stanza 53
    aznapi-entitlement-services stanza 54
service-name
    tfimsso:jct-id stanza 339
service-url
    amwebars stanza 23
session-activity-timestamp
    failover-add-attributes stanza 125
session-lifetime-timestamp
    failover-add-attributes stanza 125
share-cookies
    junction stanza 172
shared-domain-cookie
    session stanza 294
show-all-auth-prompts
    step-up stanza 334
single-signoff-uri
    acnt-mgt stanza 19
slash-before-query-on-redirect
    server stanza 277
spnego-auth
    spnego stanza 301
spnego-krb-keytab-file
    spnego stanza 302
spnego-krb-service-name
    spnego stanza 302
ssl-enabled
    ldap stanza 190
ssl-fips-enabled
    dsess-cluster stanza 94
    rtss-cluster:<cluster> stanza 240
    tfim-cluster:<cluster> stanza 346
ssl-id-sessions
    session stanza 294
ssl-keyfile
    rtss-cluster:<cluster> stanza 241
    dsess-cluster stanza 94
    ldap stanza 191
    ssl stanza 321
    tfim-cluster:<cluster> stanza 347
ssl-keyfile-dn
    ldap stanza 191
ssl-keyfile-label
    rtss-cluster:<cluster> stanza 242
    dsess-cluster stanza 95
    ssl stanza 322


ssl-keyfile-label (continued)
    tfim-cluster:<cluster> stanza 348
ssl-keyfile-pwd
    ldap stanza 192
    ssl stanza 322
ssl-keyfile-stash
    rtss-cluster:<cluster> stanza 242
    ssl stanza 323
    tfim-cluster:<cluster> stanza 348
ssl-local-domain
    ssl stanza 324
ssl-max-entries
    ssl stanza 324
ssl-port
    ldap stanza 192
ssl-qop-mgmt
    ssl-qop stanza 330
ssl-session-cookie-name
    session stanza 295
ssl-v2-timeout
    ssl stanza 325
ssl-v3-timeout
    ssl stanza 325
ssl-valid-server-dn
    dsess-cluster stanza 96
    rtss-cluster:<cluster> stanza 243
    tfim-cluster:<cluster> stanza 349
sso-consume
    authentication-mechanisms stanza 39
sso-create
    authentication-mechanisms stanza 39
standard-junction-replica-set
    session stanza 295
status
    webseal-config stanza 356
step-up-at-higher-level
    step-up stanza 335
stepup-login
    acnt-mgt stanza 19
strip-www-authenticate-headers
    server stanza 278
su-cdsso
    authentication-mechanisms stanza 40
su-certificate
    authentication-mechanisms stanza 40
su-http-request
    authentication-mechanisms stanza 40
su-kerberosv5
    authentication-mechanisms stanza 41
su-passwd
    authentication-mechanisms stanza 41
su-token-card
    authentication-mechanisms stanza 42
substring
    illegal-url-substrings stanza 143
support-virtual-host-domain-cookies
    junction stanza 173
suppress-backend-server-identity
    server stanza 278
suppress-client-ssl-errors
    ssl stanza 326
suppress-dynurl-parsing-of-posts
    server stanza 279
suppress-server-identity
    server stanza 279
switch-user
    acnt-mgt stanza 20
tag-value-missing-attr-tag
    server stanza 280
tcp-session-cookie-name
    session stanza 296
temp-cache-response
    acnt-mgt stanza 20
temp-session-cookie-name
    session stanza 296
temp-session-max-lifetime
    session stanza 297
terminate-on-reauth-lockout
    reauthentication stanza 232
tfim-cluster-name
    tfimsso:jct-id stanza 340
timeout
    rtss-cluster:<cluster> stanza 243
    dsess-cluster stanza 96
    ldap stanza 193
    session stanza 297
    tfim-cluster:<cluster> stanza 350
tivoli_common_dir
    webseal-config stanza 356
token-auth
    token stanza 350
token-cdas
    authentication-mechanisms stanza 42
token-collection-size
    tfimsso:jct-id stanza 340
token-login
    acnt-mgt stanza 21
token-transmit-name
    tfimsso:jct-id stanza 342
token-transmit-type
    tfimsso:jct-id stanza 342
token-type
    tfimsso:jct-id stanza 341
too-many-sessions
    acnt-mgt stanza 21
trace-component
    oauth-eas stanza 218
    rtss-eas stanza 237
trigger
    eai-trigger-urls stanza 103
type
    content-index-icons stanza 84
    filter-content-types stanza 127
unauthorized-rsp-file
    oauth-eas stanza 219
undetermined-revocation-cert-action
    ssl stanza 326
unix-group
    server stanza 280
unix-pid-file
    server stanza 281
unix-user
    server stanza 281
unknownicon
    icons stanza 142
update-session-cookie-in-login-request
    session stanza 298
uraf-registry-config
    uraf-registry stanza 354
use-domain-qualified-name
    spnego stanza 303
use-existing-username-macro-in-custom-redirects
    server stanza 282
use-filename-for-pkmslogout
    acnt-mgt stanza 22
use-full-dn
    ltpa stanza 209
use-http-only-cookies
    server stanza 283
use-new-stateful-on-error
    junction stanza 174
use-restrictive-logout-filenames
    acnt-mgt stanza 22
use-same-session
    session stanza 300
use-utf8
    cdsso stanza 62
    e-community-sso stanza 113
    failover stanza 123
user-and-group-in-same-suffix
    ldap stanza 193
user-dir
    content stanza 81
user-session-ids
    session stanza 299
user-session-ids-include-replica-set
    session stanza 299
utf8-form-support-enabled
    server stanza 283
utf8-qstring-support-enabled
    server stanza 284
utf8-template-macros-enabled
    content stanza 81
utf8-url-support-enabled
    server stanza 284
validate-backend-domain-cookies
    junction stanza 174
validate-query-as-ga
    server stanza 285
verify-step-up-user
    step-up stanza 335
version
    webseal-config stanza 357
vf-argument
    e-community-sso stanza 114
vf-token-lifetime
    e-community-sso stanza 114
vf-url
    e-community-sso stanza 115
web-host-name
    server stanza 285
web-http-port
    server stanza 286
web-http-protocol
    server stanza 286


webseal-cert-keyfile
    ssl stanza 327
webseal-cert-keyfile-label
    ssl stanza 327
webseal-cert-keyfile-pwd
    ssl stanza 328
webseal-cert-keyfile-sni
    ssl stanza 328
webseal-cert-keyfile-stash
    ssl stanza 329
worker-thread-hard-limit
    junction stanza 175
worker-thread-soft-limit
    junction stanza 176
worker-threads
    server stanza 287
xsl-stylesheet-prolog
    aznapi-configuration stanza 54
entries
    dsess-cluster stanza
        handle-idle-timeout 91
        ssl-keyfile-stash 95
ENV stanza entry
    cgi-environment-variables stanza 74
env-name stanza entry
    system-environment-variables stanza 336
error-dir stanza entry
    content stanza 80
exclude stanza entry
    cfg-db-cmd:entries stanza 71
ext-auth-interface stanza entry
    authentication-mechanisms stanza 31
extension stanza entry
    content-encodings stanza 83
    content-mime-types stanza 85

F
failover stanza 118
    clean-ecsso-urls-for-failover entry 118
    enable-failover-cookie-for-domain entry 119
    failover-auth entry 119
    failover-cookie-lifetime entry 120
    failover-cookies-keyfile entry 120
    failover-include-session-id entry 121
    failover-require-activity-timestamp-validation entry 121
    failover-require-lifetime-timestamp-validation entry 122
    failover-update-cookie entry 122
    reissue-missing-failover-cookie entry 123
    use-utf8 entry 123
failover-add-attributes stanza 124
    attribute_pattern entry 124
    session-activity-timestamp entry 125
    session-lifetime-timestamp entry 125
failover-auth stanza entry
    failover stanza 119
failover-cdsso stanza entry
    authentication-mechanisms stanza 32
failover-certificate stanza entry
    authentication-mechanisms stanza 32
failover-cookie-lifetime stanza entry
    failover stanza 120
failover-cookies-keyfile stanza entry
    failover stanza 120
failover-ext-auth-interface stanza entry
    authentication-mechanisms stanza 33
failover-http-request stanza entry
    authentication-mechanisms stanza 33
failover-include-session-id stanza entry
    failover stanza 121
failover-kerberosv5 stanza entry
    authentication-mechanisms stanza 33
failover-password stanza entry
    authentication-mechanisms stanza 34
failover-require-activity-timestamp-validation stanza entry
    failover stanza 121
failover-require-lifetime-timestamp-validation stanza entry
    failover stanza 122
failover-restore-attributes stanza 126
    attribute_pattern entry 126
failover-token-card stanza entry
    authentication-mechanisms stanza 34
failover-update-cookie stanza entry
    failover stanza 122
fed-id-param stanza entry
    oauth-eas stanza 216
Federal Information Processing Standards (FIPS)
    ssl-fips-enabled stanza entry 94
file_extension stanza entry
    cgi-types stanza 75
files, include
    cfg-db-cmd:files stanza 72
filter-content-types stanza 127
    type entry 127
filter-events stanza 128
    HTML_tag entry 128
filter-nonhtml-as-xhtml stanza entry
    server stanza 257
filter-request-headers stanza 129
    header entry 129
filter-schemes stanza 130
    scheme entry 130
filter-url stanza 131
    HTML_tag entry 131
FIPS (Federal Information Processing Standards)
    ssl-fips-enabled stanza entry 94
fips-mode-processing stanza entry
    ssl stanza 311
flush-time stanza entry
    logging stanza 199
force-tag-value-prefix stanza entry
    server stanza 257
forms stanza 133
    allow-empty-form-fields entry 133
    forms-auth entry 133
forms-auth stanza entry
    forms stanza 133
fully_qualified_hostname stanza entry
    cdsso-peers stanza 64

G
gmt-time stanza entry
    logging stanza 200
gsk-attr-name stanza entry
    dsess-cluster stanza 90
    ssl stanza 311
    tfim-cluster:<cluster> stanza 344
gsk-crl-cache-entry-lifetime stanza entry
    ssl stanza 313
gsk-crl-cache-size stanza entry
    ssl stanza 313
gskcapicmd xii
gskikm.jar xii
GSKit documentation xii
gso-cache stanza 134
    gso-cache-enabled entry 134
    gso-cache-entry-idle-timeout entry 134
    gso-cache-entry-lifetime entry 135
    gso-cache-size entry 136
gso-cache-enabled stanza entry
    gso-cache stanza 134
gso-cache-entry-idle-timeout stanza entry
    gso-cache stanza 134
gso-cache-entry-lifetime stanza entry
    gso-cache stanza 135
gso-cache-size stanza entry
    gso-cache stanza 136

H
handle-auth-failure-at-mas stanza entry
    e-community-sso stanza 110
handle-idle-timeout stanza entry
    dsess-cluster stanza 91
    tfim-cluster:<cluster> stanza 345
    xacml-cluster:<cluster> stanza 239
handle-pool-size stanza entry
    dsess-cluster stanza 92
    tfim-cluster:<cluster> stanza 345
    xacml-cluster:<cluster> stanza 239
header stanza entry
    auth-headers stanza 28
    filter-request-headers stanza 129
header_name stanza entry
    session-http-headers stanza 301
header-data stanza entry
    header-names stanza 136
header-names stanza 136
    header-data entry 136
help stanza entry
    acnt-mgt stanza 10
host stanza entry
    ldap stanza 185
host-header-in-request-log stanza entry
    logging stanza 200
host-ip stanza entry
    ssl-qop-mgmt-hosts stanza 331
hostname-junction-cookie stanza entry
    script-filtering stanza 244
HTML_tag stanza entry
    filter-events stanza 128
    filter-url stanza 131
html-redirect stanza entry
    acnt-mgt stanza 11
http stanza entry
    server stanza 258
http-headers stanza 138
    http-headers-auth entry 138


http-headers-auth stanza entry
    http-headers stanza 138
http-method-disabled-local stanza entry
    server stanza 258
http-method-disabled-remote stanza entry
    server stanza 259
http-port stanza entry
    server stanza 259
http-request stanza entry
    authentication-mechanisms stanza 35
http-rsp-header stanza entry
    acnt-mgt stanza 10
http-timeout stanza entry
    junction stanza 153
http-transformations stanza 138
    resource-name entry 138
https stanza entry
    server stanza 260
https-port stanza entry
    server stanza 260
https-timeout stanza entry
    junction stanza 154

I
IBM
    Software Support xiv
    Support Assistant xiv
icap stanza 139
ICAP stanza 139, 140
ICAP:resource 139, 140
icons stanza 141
    backicon entry 141
    diricon entry 141
    unknownicon entry 142
ignore-missing-last-chunk stanza entry
    server stanza 261
iKeyman xii
illegal-url-substrings stanza 142
    substring entry 143
inactive-timeout stanza entry
    session stanza 289
include stanza entry
    cfg-db-cmd:files stanza 72
input-adi-xml-prolog stanza entry
    aznapi-configuration stanza 47
insert-client-real-ip-for-option-r stanza entry
    junction stanza 154
instance-name stanza entry
    webseal-config stanza 354
interface_name stanza entry
    interfaces stanza 143
interfaces stanza 143
    interface_name entry 143
internet content adaptation protocol 139, 140
intra-connection-timeout stanza entry
    server stanza 261
io-buffer-size stanza entry
    junction stanza 155
    server stanza 262
ip-support-level stanza entry
    server stanza 263
ipaddr stanza 144
    ipaddr-auth entry 144, 145
ipaddr-auth stanza entry
    ipaddr stanza 144, 145
ipv6-support stanza entry
    server stanza 263
is-master stanza entry
    cluster stanza 76
is-master-authn-server stanza entry
    e-community-sso stanza 110

J
jct-cert-keyfile stanza entry
    junction stanza 155
jct-cert-keyfile-pwd stanza entry
    junction stanza 157
jct-cert-keyfile-stash stanza entry
    junction stanza 156
jct-gsk-attr-name stanza entry
    ssl stanza 314
jct-ltpa-cookie-name stanza entry
    ltpa stanza 207
jct-ocsp-enable stanza entry
    junction stanza 158
jct-ocsp-max-response-size stanza entry
    junction stanza 158
jct-ocsp-nonce-check-enable stanza entry
    junction stanza 159
jct-ocsp-nonce-generation-enable stanza entry
    junction stanza 159
jct-ocsp-proxy-server-name stanza entry
    junction stanza 160
jct-ocsp-proxy-server-port stanza entry
    junction stanza 160
jct-ocsp-url stanza entry
    junction stanza 161
jct-ssl-reneg-warning-rate stanza entry
    junction stanza 161
jct-undetermined-revocation-cert-action stanza entry
    junction stanza 162
jdb-cmd:replace stanza 145
jmt-map stanza entry
    junction stanza 162
junction stanza 145
    allow-backend-domain-cookies entry 145, 152
    basicauth-dummy-passwd entry 146
    crl-ldap-server entry 146
    crl-ldap-server-port entry 147
    crl-ldap-user entry 148
    crl-ldap-user-password entry 148
    disable-ssl-v2 entry 149
    disable-ssl-v3 entry 149
    disable-tls-v1 entry 150
    disable-tls-v11 entry 150
    disable-tls-v12 entry 151
    dont-reprocess-jct-404s entry 151
    http-timeout entry 153
    https-timeout entry 154
    insert-client-real-ip-for-option-r entry 154
    io-buffer-size entry 155
    jct-cert-keyfile entry 155
    jct-cert-keyfile-pwd entry 157
    jct-cert-keyfile-stash entry 156
    jct-ocsp-enable entry 158
    jct-ocsp-max-response-size entry 158
    jct-ocsp-nonce-check-enable entry 159
    jct-ocsp-nonce-generation-enable entry 159
    jct-ocsp-proxy-server-name entry 160
    jct-ocsp-proxy-server-port entry 160
    jct-ocsp-url entry 161
    jct-ssl-reneg-warning-rate entry 161
    jct-undetermined-revocation-cert-action entry 162
    jmt-map entry 162
    junction-db entry 163
    managed-cookies-list entry 163
    mangle-domain-cookies entry 164
    match-vhj-first entry 165
    max-cached-persistent-connections entry 165
    max-webseal-header-size entry 166
    pass-http-only-cookie-atr entry 166
    persistent-con-timeout entry 167
    ping-method entry 168
    ping-time entry 168
    ping-uri entry 169
    recovery-ping-time entry 170
    reprocess-root-jct-404s entry 170
    reset-cookies-list entry 171
    response-code-rules entry 172
    share-cookies entry 172
    support-virtual-host-domain-cookies entry 173
    use-new-stateful-on-error entry 174
    validate-backend-domain-cookies entry 174
    worker-thread-hard-limit entry 175
    worker-thread-soft-limit entry 176
junction-db stanza entry
    junction stanza 163
junction:junction_name stanza 177

K
kerberosv5 stanza entry
    authentication-mechanisms stanza 35
key management, GSKit xii
keyfile stanza entry
    ltpa stanza 208

L
late-lockout-notification stanza entry
    server stanza 264
LDAP server on z/OS xii
ldap stanza 177
    auth-timeout entry 177
    auth-using-compare entry 177
    bind-dn entry 178
    bind-pwd entry 178
    cache-enabled entry 179
    cache-group-expire-time entry 180
    cache-group-membership entry 180
    cache-group-size entry 181
    cache-policy-expire-time entry 181
    cache-policy-size entry 182
    cache-return-registry-id entry 182


ldap stanza (continued)
    cache-use-user-cache entry 184
    cache-user-expire-time entry 183
    cache-user-size entry 183
    default-policy-override-support entry 184
    enabled entry 185
    host entry 185
    ldap-server-config entry 186
    login-failures-persistent entry 186
    max-search-size entry 187
    port entry 188
    prefer-readwrite-server entry 188
    replica entry 189
    search-timeout entry 189
    ssl-enabled entry 190
    ssl-keyfile entry 191
    ssl-keyfile-dn entry 191
    ssl-keyfile-pwd entry 192
    ssl-port entry 192
    timeout entry 193
    user-and-group-in-same-suffix entry 193
ldap-server-config stanza entry
    ldap stanza 186
level stanza entry
    authentication-levels stanza 28
library stanza entry
    arm stanza 26
listen-flags stanza entry
    aznapi-configuration stanza 47
local junctions
    disable 176
local-response-macros stanza 194
    macro entry 194
local-response-redirect stanza 195
    local-response-redirect-uri entry 195
local-response-redirect-uri stanza entry
    local-response-redirect stanza 195
log-invalid-requests stanza entry
    logging stanza 201
logaudit stanza entry
    aznapi-configuration stanza 48
logcfg stanza entry
    aznapi-configuration stanza 49
logclientid stanza entry
    aznapi-configuration stanza 48
logflush stanza entry
    aznapi-configuration stanza 50
logging stanza 196
    absolute-uri-in-request-log entry 196
    agents entry 196
    agents-file entry 197
    audit-mime-types entry 197
    audit-response-codes entry 198
    config-data-log entry 199
    flush-time entry 199
    gmt-time entry 200
    host-header-in-request-log entry 200
    log-invalid-requests entry 201
    max-size entry 201
    referers entry 202
    referers-file entry 202
    request-log-format entry 204
    requests entry 203
    requests-file entry 203
    server-log entry 205
login stanza entry
    acnt-mgt stanza 11
login-failures-persistent stanza entry
    ldap stanza 186
login-redirect-page stanza entry
    acnt-mgt stanza 12
login-success stanza entry
    acnt-mgt stanza 13
logout stanza entry
    acnt-mgt stanza 14
logout-remove-cookie stanza entry
    session stanza 290
logsize stanza entry
    aznapi-configuration stanza 50
ltpa stanza 206
    cookie-domain entry 207
    cookie-name entry 206
    jct-ltpa-cookie-name entry 207
    keyfile entry 208
    ltpa-auth entry 206, 208
    use-full-dn entry 209
ltpa stanza entry
    authentication-mechanisms stanza 36
ltpa-auth stanza entry
    ltpa stanza 206, 208
ltpa-cache stanza 210
    ltpa-cache-enabled entry 210
    ltpa-cache-entry-idle-timeout entry 210
    ltpa-cache-entry-lifetime entry 211
    ltpa-cache-size entry 211
ltpa-cache-enabled stanza entry
    ltpa-cache stanza 210
ltpa-cache-entry-idle-timeout stanza entry
    ltpa-cache stanza 210
ltpa-cache-entry-lifetime stanza entry
    ltpa-cache stanza 211
ltpa-cache-size stanza entry
    ltpa-cache stanza 211

M
macro stanza entry
    local-response-macros stanza 194
managed-cookies-list stanza entry
    junction stanza 163
mangle-domain-cookies stanza entry
    junction stanza 164
master-authn-server stanza entry
    e-community-sso stanza 111
master-http-port stanza entry
    e-community-sso stanza 112
master-https-port stanza entry
    e-community-sso stanza 112
master-name stanza entry
    cluster stanza 76
match-vhj-first stanza entry
    junction stanza 165
max-cached-persistent-connections stanza entry
    junction stanza 165
max-client-read stanza entry
    server stanza 265
max-entries stanza entry
    session stanza 290
max-file-cat-command-length stanza entry
    server stanza 265
max-file-descriptors stanza entry
    server stanza 266
max-idle-persistent-connections stanza entry
    server stanza 267
max-search-size stanza entry
    ldap stanza 187
max-size stanza entry
    logging stanza 201
max-wait-time stanza entry
    cluster stanza 77
max-webseal-header-size stanza entry
    junction stanza 166
mgt-pages-root stanza entry
    acnt-mgt stanza 14
mime_type stanza entry
    compress-mime-types stanza 77
MIME_type stanza entry
    content-cache stanza 82
mode-param stanza entry
    oauth-eas stanza 217
mpa stanza 212
    mpa entry 212
mpa stanza entry
    mpa stanza 212

N
name stanza entry
    e-community-domains stanza 104
    preserve-cookie-names stanza 229
neg-delay-fix-disable stanza entry
    ssl stanza 315
network-interface stanza entry
    server stanza 267
network/netmask stanza entry
    ssl-qop-mgmt-networks stanza 332
next-token stanza entry
    acnt-mgt stanza 15
non-identifiable stanza entry
    p3p-header stanza 223

O
oauth-eas stanza 212
    apply-tam-native-policy entry 212
    bad-gateway-rsp-file entry 213
    bad-request-rsp-file entry 213
    cache-size entry 214
    cluster-name entry 215
    default-fed-id entry 215
    default-mode entry 216
    fed-id-param entry 216
    mode-param entry 217
    realm-name entry 218
    trace-component entry 218
    unauthorized-rsp-file entry 219
obligation stanza entry
    obligations-levels-mapping stanza 219
obligations-levels-mapping stanza 219
    obligation entry 219
ocsp-enable stanza entry
    ssl stanza 316
ocsp-max-response-size stanza entry
    ssl stanza 316


ocsp-nonce-check-enable stanza entry
    ssl stanza 317
ocsp-nonce-generation-enable stanza entry
    ssl stanza 317
ocsp-proxy-server-name stanza entry
    ssl stanza 318
ocsp-proxy-server-port stanza entry
    ssl stanza 318
ocsp-url stanza entry
    ssl stanza 319
one-time-token stanza entry
    tfimsso:jct-id stanza 338
online
    publications ix
    terminology ix
orig-version stanza entry
    webseal-config stanza 355

P
p3p-element stanza entry
    p3p-header stanza 224
p3p-header stanza 220
    access entry 220
    categories entry 221
    disputes entry 223
    non-identifiable entry 223
    p3p-element entry 224
    purpose entry 224
    recipient entry 226
    remedies entry 227
    retention entry 228
pass-http-only-cookie-atr stanza entry
    junction stanza 166
passwd-cdas stanza entry
    authentication-mechanisms stanza 36
passwd-change stanza entry
    acnt-mgt stanza 15
passwd-change-failure stanza entry
    acnt-mgt stanza 15
passwd-change-success stanza entry
    acnt-mgt stanza 16
passwd-expired stanza entry
    acnt-mgt stanza 16
passwd-ldap stanza entry
    authentication-mechanisms stanza 37
passwd-strength stanza entry
    authentication-mechanisms stanza 37
passwd-uraf stanza entry
    authentication-mechanisms stanza 38
passwd-warn stanza entry
    acnt-mgt stanza 17
passwd-warn-failure stanza entry
    acnt-mgt stanza 17
pattern stanza entry
    compress-user-agents stanza 78
permission-info-returned stanza entry
    aznapi-configuration stanza 51
persistent-con-timeout stanza entry
    junction stanza 167
    server stanza 268
ping-method stanza entry
    junction stanza 168
ping-time stanza entry
    junction stanza 168
ping-uri stanza entry
    junction stanza 169
pkcs11-driver-path stanza entry
    ssl stanza 319
pkcs11-symmetric-cipher-support stanza entry
    ssl stanza 321
pkcs11-token-label stanza entry
    ssl stanza 320
pkcs11-token-pwd stanza entry
    ssl stanza 320
policy-attr-separator stanza entry
    aznapi-configuration stanza 51
policy-cache-size stanza entry
    aznapi-configuration stanza 52
policy-director stanza 228
    config-file entry 228
policy-name stanza entry
    credential-policy-attributes stanza 87
policy-trigger stanza entry
    aznapi-external-authzn-services stanza 55
port stanza entry
    ldap stanza 188
post-pwdchg-process stanza entry
    authentication-mechanisms stanza 38
pre-410-compatible-tokens stanza entry
    server stanza 268
pre-510-compatible-token stanza entry
    server stanza 269
prefer-readwrite-server stanza entry
    ldap stanza 188
preserve-base-href stanza entry
    server stanza 269
preserve-base-href2 stanza entry
    server stanza 270
preserve-cookie-names stanza 229
    name entry 229
preserve-p3p-policy stanza entry
    server stanza 270
preserve-xml-token stanza entry
    tfimsso:jct-id stanza 338
problem-determination xiv
process-root-filter stanza 230
    root entry 230
process-root-requests stanza entry
    server stanza 271
prompt-for-displacement stanza entry
    session stanza 291
propagate-cdmf-errors stanza entry
    cdsso stanza 62
    e-community-sso stanza 113
publications
    accessing online ix
    list of for this product ix
purpose stanza entry
    p3p-header stanza 224

R
realm-name stanza entry
    oauth-eas stanza 218
reauth-at-any-level stanza entry
    reauthentication stanza 230
reauth-extend-lifetime stanza entry
    reauthentication stanza 231
reauth-for-inactive stanza entry
    reauthentication stanza 231
reauth-reset-lifetime stanza entry
    reauthentication stanza 232
reauthentication stanza 230
    reauth-at-any-level entry 230
    reauth-extend-lifetime entry 231
    reauth-for-inactive entry 231
    reauth-reset-lifetime entry 232
    terminate-on-reauth-lockout entry 232
recipient stanza entry
    p3p-header stanza 226
recovery-ping-time stanza entry
    junction stanza 170
redirect stanza entry
    enable-redirects stanza 117
redirect-to-root-for-pkms stanza entry
    acnt-mgt stanza 18
redirect-using-relative stanza entry
    server stanza 271
referers stanza entry
    logging stanza 202
referers-file stanza entry
    logging stanza 202
register-authentication-failures stanza entry
    session stanza 292
reissue-missing-failover-cookie stanza entry
    failover stanza 123
reject-invalid-host-header stanza entry
    server stanza 272
reject-request-transfer-encodings stanza entry
    server stanza 273
remedies stanza entry
    p3p-header stanza 227
renewal-window stanza entry
    tfimsso:jct-id stanza 339
replica stanza entry
    ldap stanza 189
replica-set stanza entry
    replica-sets stanza 233
replica-sets stanza 233
    replica-set entry 233
report-transactions stanza entry
    arm stanza 27
reprocess-root-jct-404s stanza entry
    junction stanza 170
request-body-max-read stanza entry
    server stanza 273
request-log-format stanza entry
    logging stanza 204
request-max-cache stanza entry
    server stanza 274
requests stanza entry
    logging stanza 203
requests-file stanza entry
    logging stanza 203
require-mpa stanza entry
    session stanza 292
resend-webseal-cookies stanza entry
    session stanza 293
reset-cookies-list stanza entry
    junction stanza 171


resource-manager-provided-adi stanza entry
    aznapi-configuration stanza 53
response-by stanza entry
    dsess-cluster stanza 92
response-code-rules stanza entry
    junction stanza 172
retain-eai-session stanza entry
    eai stanza 102
retain-stepup-session stanza entry
    step-up stanza 334
retention stanza entry
    p3p-header stanza 228
rewrite-absolute-with-absolute stanza entry
    script-filtering stanza 245
root stanza entry
    process-root-filter stanza 230
rtss-eas stanza 233
    apply-tam-native-policy entry 234
    audit-log-cfg entry 234
    cluster-name entry 236
    context-id entry 236
    trace-component entry 237
rules-file stanza entry
    cert-map-authn stanza 71

S
scheme stanza entry
    filter-schemes stanza 130
script-filter stanza entry
    script-filtering stanza 245
script-filtering stanza 244
    hostname-junction-cookie entry 244
    rewrite-absolute-with-absolute entry 245
    script-filter entry 245
search-timeout stanza entry
    ldap stanza 189
send-constant-sess stanza entry
    session stanza 293
send-header-ba-first stanza entry
    server stanza 274
send-header-spnego-first stanza entry
    server stanza 275
server stanza 246
    allow-shift-jis-chars entry 246
    allow-unauth-ba-supply entry 246
    allow-unsolicited-logins entry 247
    auth-challenge-type entry 247
    cache-host-header entry 248
    capitalize-content-length entry 249
    chunk-responses entry 250
    client-connect-timeout entry 250
    concurrent-session-threads-hard-limit entry 251
    concurrent-session-threads-soft-limit entry 252
    connection-request-limit entry 252
    cope-with-pipelined-request entry 253
    decode-query entry 253
    disable-timeout-reduction entry 254
    double-byte-encoding entry 254
    dynurl-allow-large-posts entry 255
    dynurl-map entry 255
    enable-IE6-2GB-downloads entry 256
    filter-nonhtml-as-xhtml entry 257
    force-tag-value-prefix entry 257
    http entry 258
    http-method-disabled-local entry 258
    http-method-disabled-remote entry 259
    http-port entry 259
    https entry 260
    https-port entry 260
    ignore-missing-last-chunk entry 261
    intra-connection-timeout entry 261
    io-buffer-size entry 262
    ip-support-level entry 263
    ipv6-support entry 263
    late-lockout-notification entry 264
    max-client-read entry 265
    max-file-cat-command-length entry 265
    max-file-descriptors entry 266
    max-idle-persistent-connections entry 267
    network-interface entry 267
    persistent-con-timeout entry 268
    pre-410-compatible-tokens entry 268
    pre-510-compatible-token entry 269
    preserve-base-href entry 269
    preserve-base-href2 entry 270
    preserve-p3p-policy entry 270
    process-root-requests entry 271
    redirect-using-relative entry 271
    reject-invalid-host-header entry 272
    reject-request-transfer-encodings entry 273
    request-body-max-read entry 273
    request-max-cache entry 274
    send-header-ba-first entry 274
    send-header-spnego-first entry 275
    server-name entry 276
    server-root entry 276
    slash-before-query-on-redirect entry 277
    strip-www-authenticate-headers entry 278
    suppress-backend-server-identity entry 278
    suppress-dynurl-parsing-of-posts entry 279
    suppress-server-identity entry 279
    tag-value-missing-attr-tag entry 280
    unix-group entry 280
    unix-pid-file entry 281
    unix-user entry 281
    use-existing-username-macro-in-custom-redirects entry 282
    use-http-only-cookies entry 283
    utf8-form-support-enabled entry 283
    utf8-qstring-support-enabled entry 284
    utf8-url-support-enabled entry 284
    validate-query-as-ga entry 285
    web-host-name entry 285
    web-http-port entry 286
    web-http-protocol entry 286
    worker-threads entry 287
server stanza entry
    dsess-cluster stanza 93
    tfim-cluster:<cluster> stanza 346
    xacml-cluster:<cluster> stanza 240
server-log stanza entry
    logging stanza 205
server-name stanza entry
    server stanza 276
server-root stanza entry
    server stanza 276
service-id stanza entry
    aznapi-configuration stanza 53
    aznapi-entitlement-services stanza 54
service-name stanza entry
    tfimsso:jct-id stanza 339
service-url stanza entry
    amwebars stanza 23
session stanza 288
    dsess-enabled entry 288
    dsess-last-access-update-interval entry 288
    enforce-max-sessions-policy entry 289
    inactive-timeout entry 289
    logout-remove-cookie entry 290
    max-entries entry 290
    prompt-for-displacement entry 291
    register-authentication-failures entry 292
    require-mpa entry 292
    resend-webseal-cookies entry 293
    send-constant-sess entry 293
    shared-domain-cookie entry 294
    ssl-id-sessions entry 294
    ssl-session-cookie-name entry 295
    standard-junction-replica-set entry 295
    tcp-session-cookie-name entry 296
    temp-session-cookie-name entry 296
    temp-session-max-lifetime entry 297
    timeout entry 297
    update-session-cookie-in-login-request entry 298
    use-same-session entry 300
    user-session-ids entry 299
    user-session-ids-include-replica-set entry 299
session-activity-timestamp stanza entry
    failover-add-attributes stanza 125
session-cookie-domains stanza 300
    domain entry 300
session-http-headers stanza 301
    header_name entry 301
session-lifetime-timestamp stanza entry
    failover-add-attributes stanza 125
share-cookies stanza entry
    junction stanza 172
shared-domain-cookie stanza entry
    session stanza 294
show-all-auth-prompts stanza entry
    step-up stanza 334
single-signoff-uri stanza entry
    acnt-mgt stanza 19


slash-before-query-on-redirect stanza entry
    server stanza 277
spnego stanza 301
    spnego-auth entry 301
    spnego-krb-keytab-file entry 302
    spnego-krb-service-name entry 302
    use-domain-qualified-name entry 303
spnego-auth stanza entry
    spnego stanza 301
spnego-krb-keytab-file stanza entry
    spnego stanza 302
spnego-krb-service-name stanza entry
    spnego stanza 302
ssl stanza 304
    base-crypto-library entry 304
    crl-ldap-server entry 304
    crl-ldap-server-port entry 305
    crl-ldap-user entry 306
    crl-ldap-user-password entry 306
    disable-ncipher-bsafe entry 307
    disable-rainbow-bsafe entry 307
    disable-ssl-v2 entry 308
    disable-ssl-v3 entry 308
    disable-tls-v1 entry 309
    disable-tls-v11 entry 309
    disable-tls-v12 entry 310
    enable-duplicate-ssl-dn-not-found-msgs entry 310
    fips-mode-processing entry 311
    gsk-attr-name entry 311
    gsk-crl-cache-entry-lifetime entry 313
    gsk-crl-cache-size entry 313
    jct-gsk-attr-name entry 314
    neg-delay-fix-disable entry 315
    ocsp-enable entry 316
    ocsp-max-response-size entry 316
    ocsp-nonce-check-enable entry 317
    ocsp-nonce-generation-enable entry 317
    ocsp-proxy-server-name entry 318
    ocsp-proxy-server-port entry 318
    ocsp-url entry 319
    pkcs11-driver-path entry 319
    pkcs11-symmetric-cipher-support entry 321
    pkcs11-token-label entry 320
    pkcs11-token-pwd entry 320
    ssl-keyfile entry 321
    ssl-keyfile-label entry 322
    ssl-keyfile-pwd entry 322
    ssl-keyfile-stash entry 323
    ssl-local-domain entry 324
    ssl-max-entries entry 324
    ssl-v2-timeout entry 325
    ssl-v3-timeout entry 325
    suppress-client-ssl-errors entry 326
    undetermined-revocation-cert-action entry 326
    webseal-cert-keyfile entry 327
    webseal-cert-keyfile-label entry 327
    webseal-cert-keyfile-pwd entry 328
    webseal-cert-keyfile-sni entry 328
    webseal-cert-keyfile-stash entry 329
ssl-enabled stanza entry
    ldap stanza 190
ssl-fips-enabled stanza entry
    dsess-cluster stanza 94
    tfim-cluster:cluster stanza 346
    xacml-cluster:cluster stanza 240
ssl-id-sessions stanza entry
    session stanza 294
ssl-keyfile stanza entry
    dsess-cluster stanza 94
    ldap stanza 191
    ssl stanza 321
    tfim-cluster:cluster stanza 347
    xacml-cluster:cluster stanza 241
ssl-keyfile-dn stanza entry
    ldap stanza 191
ssl-keyfile-label stanza entry
    dsess-cluster stanza 95
    ssl stanza 322
    tfim-cluster:cluster stanza 348
    xacml-cluster:cluster stanza 242
ssl-keyfile-pwd stanza entry
    ldap stanza 192
    ssl stanza 322
ssl-keyfile-stash stanza entry
    dsess-cluster stanza 95
    ssl stanza 323
    tfim-cluster:cluster stanza 348
    xacml-cluster:cluster stanza 242
ssl-local-domain stanza entry
    ssl stanza 324
ssl-max-entries stanza entry
    ssl stanza 324
ssl-port stanza entry
    ldap stanza 192
ssl-qop stanza 330
    ssl-qop-mgmt entry 330
ssl-qop-mgmt stanza entry
    ssl-qop stanza 330
ssl-qop-mgmt-default stanza 330
    default entry 330
ssl-qop-mgmt-hosts stanza 331
    host-ip entry 331
ssl-qop-mgmt-networks stanza 332
    network/netmask entry 332
ssl-session-cookie-name stanza entry
    session stanza 295
ssl-v2-timeout stanza entry
    ssl stanza 325
ssl-v3-timeout stanza entry
    ssl stanza 325
ssl-valid-server-dn stanza entry
    dsess-cluster stanza 96
    tfim-cluster:cluster stanza 349
    xacml-cluster:cluster stanza 243
sso-consume stanza entry
    authentication-mechanisms stanza 39
sso-create stanza entry
    authentication-mechanisms stanza 39
standard-junction-replica-set stanza entry
    session stanza 295
stanza
    ICAP:resource 139, 140
    tfim-cluster:cluster 343
    xacml-cluster:cluster 237
    cluster 239
stanza entry 64, 71, 116
stanza reference 1
stanzas
    acnt-mgt 1
    amwebars 23
    arm 23
    auth-cookies 27
    auth-headers 28
    authentication-levels 28
    authentication-mechanisms 29
    azn-decision-info 57
    aznapi-configuration 43
    aznapi-entitlement-services 54
    aznapi-external-authzn-services 55
    ba 58
    cdsso 59
    cdsso-incoming-attributes 63
    cdsso-peers 64
    cdsso-token-attributes 64
    cert-map-authn 70
    certificate 65
    cfg-db-cmd:entries 71
    cfg-db-cmd:files 72
    cgi 73
    cgi-environment-variables 74
    cgi-types 75
    cluster 75
    compress-mime-types 77
    compress-user-agents 78
    content 79
    content-cache 82
    content-encodings 83
    content-index-icons 84
    content-mime-types 85
    credential-policy-attributes 87
    credential-refresh-attributes 87
    dsess 88
    dsess-cluster 89
    e-community-domain-keys 105
    e-community-domain-keys:domain 105
    e-community-domains 104
    e-community-sso 106
    eai 97
    eai-trigger-urls 103
    ecsso-incoming-attributes 115
    ecsso-token-attributes 116
    enable-redirects 117
    failover 118
    failover-add-attributes 124
    failover-restore-attributes 126
    filter-content-types 127
    filter-events 128
    filter-request-headers 129
    filter-schemes 130
    filter-url 131
    forms 133
    gso-cache 134


stanzas (continued)
    header-names 136
    http-headers 138
    http-transformations 138
    icap 139
    icons 141
    illegal-url-substrings 142
    interfaces 143
    ipaddr 144
    junction 145
    junction:junction_name 177
    ldap 177
    local-response-macros 194
    local-response-redirect 195
    logging 196
    ltpa 206
    ltpa-cache 210
    mpa 212
    oauth-eas 212
    obligations-levels-mapping 219
    p3p-header 220
    policy-director 228
    preserve-cookie-names 229
    process-root-filter 230
    reauthentication 230
    replica-sets 233
    script-filtering 244
    server 246
    session 288
    session-cookie-domains 300
    session-http-headers 301
    spnego 301
    ssl 304
    ssl-qop 330
    ssl-qop-mgmt-default 330
    ssl-qop-mgmt-hosts 331
    ssl-qop-mgmt-networks 332
    step-up 334
    system-environment-variables 336
    tfimsso: 337
    token 350
    uraf-registry 351
    webseal-config 354
status stanza entry
    webseal-config stanza 356
step-up stanza 334
    retain-stepup-session entry 334
    show-all-auth-prompts entry 334
    step-up-at-higher-level entry 335
    verify-step-up-user entry 335
step-up-at-higher-level stanza entry
    step-up stanza 335
stepup-login stanza entry
    acnt-mgt stanza 19
strip-www-authenticate-headers stanza entry
    server stanza 278
su-cdsso stanza entry
    authentication-mechanisms stanza 40
su-certificate stanza entry
    authentication-mechanisms stanza 40
su-http-request stanza entry
    authentication-mechanisms stanza 40
su-kerberosv5 stanza entry
    authentication-mechanisms stanza 41
su-passwd stanza entry
    authentication-mechanisms stanza 41
su-token-card stanza entry
    authentication-mechanisms stanza 42
substring stanza entry
    illegal-url-substrings stanza 143
support-virtual-host-domain-cookies stanza entry
    junction stanza 173
suppress-backend-server-identity stanza entry
    server stanza 278
suppress-client-ssl-errors stanza entry
    ssl stanza 326
suppress-dynurl-parsing-of-posts stanza entry
    server stanza 279
suppress-server-identity stanza entry
    server stanza 279
switch-user stanza entry
    acnt-mgt stanza 20
system-environment-variables stanza 336
    env-name entry 336

T
tag-value-missing-attr-tag stanza entry
    server stanza 280
tcp-session-cookie-name stanza entry
    session stanza 296
temp-cache-response stanza entry
    acnt-mgt stanza 20
temp-session-cookie-name stanza entry
    session stanza 296
temp-session-max-lifetime stanza entry
    session stanza 297
terminate-on-reauth-lockout stanza entry
    reauthentication stanza 232
terminology ix
tfim-cluster-name stanza entry
    tfimsso: stanza 340
tfim-cluster:cluster stanza 343
    basic-auth-passwd entry 343
    basic-auth-user entry 343
    gsk-attr-name entry 344
    handle-idle-timeout entry 345
    handle-pool-size entry 345
    server entry 346
    ssl-fips-enabled entry 346
    ssl-keyfile entry 347
    ssl-keyfile-label entry 348
    ssl-keyfile-stash entry 348
    ssl-valid-server-dn entry 349
    timeout entry 350
tfimsso: jct-id stanza 337
    always-send-tokens entry 337
    applies-to entry 337
    one-time-token entry 338
    preserve-xml-token entry 338
    renewal-window entry 339
    service-name entry 339
    tfim-cluster-name entry 340
    token-collection-size entry 340
    token-transmit-name entry 342
    token-transmit-type entry 342
    token-type entry 341
timeout stanza entry
    dsess-cluster stanza 96
    ldap stanza 193
    session stanza 297
    tfim-cluster:cluster stanza 350
    xacml-cluster:cluster stanza 243
Tivoli Directory Integrator xii
Tivoli Directory Server
    related publication xii
tivoli_common_dir stanza entry
    webseal-config stanza 356
token stanza 350
    token-auth entry 350
token-auth stanza entry
    token stanza 350
token-cdas stanza entry
    authentication-mechanisms stanza 42
token-collection-size stanza entry
    tfimsso: stanza 340
token-login stanza entry
    acnt-mgt stanza 21
token-transmit-name stanza entry
    tfimsso: stanza 342
token-transmit-type stanza entry
    tfimsso: stanza 342
token-type stanza entry
    tfimsso: stanza 341
too-many-sessions stanza entry
    acnt-mgt stanza 21
trace-component stanza entry
    oauth-eas stanza 218
    rtss-eas stanza 237
training xiv
trigger stanza entry
    eai-trigger-urls stanza 103
troubleshooting xiv
tstanza
    ICAP:resource 140
type stanza entry
    content-index-icons stanza 84
    filter-content-types stanza 127

U
unauthorized-rsp-file stanza entry
    oauth-eas stanza 219
undetermined-revocation-cert-action stanza entry
    ssl stanza 326
unix-group stanza entry
    server stanza 280
unix-pid-file stanza entry
    server stanza 281
unix-user stanza entry
    server stanza 281
unknownicon stanza entry
    icons stanza 142
update-session-cookie-in-login-request stanza entry
    session stanza 298
uraf-registry stanza 351
    bind-id entry 351
    cache-lifetime entry 351
    cache-mode entry 352


uraf-registry stanza (continued)
    cache-size entry 353
    uraf-registry-config entry 354
uraf-registry-config stanza entry
    uraf-registry stanza 354
use-domain-qualified-name stanza entry
    spnego stanza 303
use-existing-username-macro-in-custom-redirects stanza entry
    server stanza 282
use-filename-for-pkmslogout stanza entry
    acnt-mgt stanza 22
use-full-dn stanza entry
    ltpa stanza 209
use-http-only-cookies stanza entry
    server stanza 283
use-new-stateful-on-error stanza entry
    junction stanza 174
use-restrictive-logout-filenames stanza entry
    acnt-mgt stanza 22
use-same-session stanza entry
    session stanza 300
use-utf8 stanza entry
    cdsso stanza 62
    e-community-sso stanza 113
    failover stanza 123
user-and-group-in-same-suffix stanza entry
    ldap stanza 193
user-dir stanza entry
    content stanza 81
user-session-ids stanza entry
    session stanza 299
user-session-ids-include-replica-set stanza entry
    session stanza 299
utf8-form-support-enabled stanza entry
    server stanza 283
utf8-qstring-support-enabled stanza entry
    server stanza 284
utf8-template-macros-enabled stanza entry
    content stanza 81
utf8-url-support-enabled stanza entry
    server stanza 284

V
validate-backend-domain-cookies stanza entry
    junction stanza 174
validate-query-as-ga stanza entry
    server stanza 285
verify-step-up-user stanza entry
    step-up stanza 335
version stanza entry
    webseal-config stanza 357
vf-argument stanza entry
    e-community-sso stanza 114
vf-token-lifetime stanza entry
    e-community-sso stanza 114
vf-url stanza entry
    e-community-sso stanza 115

W
web-host-name stanza entry
    server stanza 285
web-http-port stanza entry
    server stanza 286
web-http-protocol stanza entry
    server stanza 286
webseal-cert-keyfile stanza entry
    ssl stanza 327
webseal-cert-keyfile-label stanza entry
    ssl stanza 327
webseal-cert-keyfile-pwd stanza entry
    ssl stanza 328
webseal-cert-keyfile-sni stanza entry
    ssl stanza 328
webseal-cert-keyfile-stash stanza entry
    ssl stanza 329
webseal-config stanza 354
    instance-name entry 354
    orig-version entry 355
    status entry 356
    tivoli_common_dir entry 356
    version entry 357
WebSphere Application Server Network Deployment xii
WebSphere eXtreme Scale xii
worker-thread-hard-limit stanza entry
    junction stanza 175
worker-thread-soft-limit stanza entry
    junction stanza 176
worker-threads stanza entry
    server stanza 287

X
xacml-cluster:cluster stanza 237
    basic-auth-passwd entry 238
    basic-auth-user entry 237
    handle-idle-timeout entry 239
    handle-pool-size entry 239
    server entry 240
    ssl-fips-enabled entry 240
    ssl-keyfile entry 241
    ssl-keyfile-label entry 242
    ssl-keyfile-stash entry 242
    ssl-valid-server-dn entry 243
    timeout entry 243
xsl-stylesheet-prolog stanza entry
    aznapi-configuration stanza 54



Printed in USA

SC27-4442-01
