Untitled

#
# FILENAME
#	webseald.conf
#
# DESCRIPTION
#	Configuration file for the Access Manager WebSEAL server (webseald)
#


###############################
# WEBSEAL GENERAL
###############################
[server]

# WebSEAL server instance name. Typically, this is based on the hostname of the
# machine and the instance name of the server.
server-name = iam.ibmemm.edu-sharif

# If web-host-name is set WebSEAL will use this for the server's hostname.  If
# left unset WebSEAL will attempt to automatically determine the server's
# hostname.  On systems with many hostnames, interfaces or WebSEAL instances
# the automatic determination may not always be correct requiring this manual
# setting.
# web-host-name = www.webseal.com

#----------------------
# THREADS AND CONNECTIONS
#----------------------

# Number of WebSEAL worker threads
# The number of configured worker threads specifies the number of
# concurrent incoming requests that can be serviced by this server
# instance. Choosing the optimal number depends on the quantity
# and type of traffic on your network. Modifying this value should
# be done carefully to ensure optimal performance. Please consult
# the WebSEAL Administration Guide for further information.
worker-threads = 300

# Initial client connection timeout (seconds)
client-connect-timeout = 120

# HTTP/1.1 persistent connection timeout (seconds)
# This only affects connections to clients, not backend systems.
persistent-con-timeout = 5

# Intra-request timeout (seconds)
# Timeout between data received or sent for a given request,
# but not the first read.  When this value is non-zero, it
# also enables timeouts on http writes to clients and causes
# a TCP RST packet to be sent if a connection timeout occurs
# on the non-first data I/O.  When this value is zero, the
# client-connection-timeout is used instead.
intra-connection-timeout = 60

# The maximum number of requests that will be processed on a single
# persistent connection.
connection-request-limit = 100

# The maximum number of idle client persistent connections.  This value
# should be less than the maximum number of connections supported by the
# WebSEAL server to ensure that the idle connections do not consume all of
# the available connections.
max-idle-persistent-connections = 512

# Allow WebSEAL to write chunked data to HTTP/1.1 clients.  This can
# improve performance by allowing connections to be reused even when
# exact response length is not known before the response is written.
chunk-responses = yes

#----------------------
# HTTPS CLIENT
#----------------------

# Allow HTTPS access
https = yes

# Port to user for HTTPS requests
https-port = 444

#----------------------
#  HTTP CLIENT
#----------------------

# Allow (unsecure) TCP HTTP access
http = yes

# Port to use for unsecure HTTP requests
http-port = 80

# The following four options can be used to compensate for a protocol or port
# mismatch between WebSEAL and its clients introduced by an intervening
# device or application.  The http variants are used to control the protocol
# and port for requests that WebSEAL receives over a TCP interface and the https
# variants are used to control the protocol and port for requests that WebSEAL
# receives over an SSL interface.
#
# web-http[s]-port should be set to the port the client perceives WebSEAL to be
# using, as opposed to the actual port WebSEAL is using, which is specified
# by the http[s]-port parameters.
# web-http-port and web-https-port is optional.
#
# web-http[s]-protocol should be set to the protocol the browser perceives
# WebSEAL to be using, as opposed to the protocol that the intervening
# device uses to communicate with WebSEAL.
# Valid values are "http" or "https".
# web-http-protocol and web-https-protocol is optional.
#
#web-http-port = 80
#web-http-protocol = http
#web-https-port = 443
#web-https-protocol = https

#----------------------
# REQUEST BODIES AND CACHING
#----------------------

# This parameter specifies the maximum number of bytes that
# WebSEAL will read from a client when parsing an HTTP request.
# The total size of the URL and HTTP headers must be less than
# this value.  This parameter cannot be set lower than it's
# default: 32768
max-client-read = 32768

# This parameter specifies the maximum number of bytes to
# read in as content from the body of requests for use in
# dynurl, authentication, and request caching.
#
# 1) This impacts dynurl because the query portion of a
#    POST request URI is contained in the request body.
#
# 2) This impacts forms authentication, because this limits
#    the size of the POST data that will be processed
#    when performing such authentication.  For this reason,
#    WebSEAL sets a hard minimum of 512 bytes on
#    request-body-max-read. If this value is set below
#    that minimum, the setting will be ignored and the
#    minimum will be used.
#
# 3) This affects the amount of data that WebSEAL will cache
#    for users who must authenticate before their request can be
#    fulfilled.  This affects all request that have bodies
#    (POSTs, PUTs, etc.).
#
# This does not limit the max POST size (which is unlimited).
#
request-body-max-read = 4096

# When a user is prompted to authenticate before a request
# can be fulfilled, the data from that request is cached
# for processing after the completion of the authentication.
# The maximum amount of data cached per request is determined
# by request-max-cache.
# If you want to ensure that you will be caching all of
# request-body-max-read worth of the body of requests, you
# must account for the maximum size of all the other request
# components in this value.
# Example: If you want to cache 2048 bytes of request bodies
# and you anticipate that the maximum size of all request headers
# and cookies will be 4096 bytes, you would:
# 1)  set request-body-max-read = 2048
# 2)  set request-max-cache = 2048 + 4096 = 6144
request-max-cache = 8192

#----------------------
#  DYNURL
#----------------------
# Location of the URL -> protected object mapping file
# This path is relative to the server-root value in the [server] stanza

# The following files are currently available for this configuration entry:
# - dynurl.conf

dynurl-map = dynurl.conf

# Disallow/Allow POST requests larger than request-body-max-read.
# This parameter only takes effect if dynurl is enabled.
#
# WebSEAL is not able to compare the entire contents of a POST
# request to the URL mappings inside the dynurl.conf file if the body
# of the post is larger than request-body-max-read.
#
# If this option is set to "no", then WebSEAL will not
# allow POST requests with a body larger than request-body-max-read.
#
# If this option is set to "yes", then WebSEAL will compare only
# up to request-body-max-read bytes of a POST request to the URL mappings
# in the dynurl.conf file.
dynurl-allow-large-posts = no

# When reject-request-transfer-encodings is set to yes all request
# to WebSEAL with a Transfer-Encoding value of anything other than
# identity or chunked will be rejected with a status of 501, Not Implemented.
# It is recomended for secure dynurl environments to set this to yes.
reject-request-transfer-encodings = yes

# When suppress-dynurl-parsing-of-posts is set to "yes" POST bodies will
# not be used in dynurl processing, only Query strings will be used.
# Before enabling this you must be certain that all dynurl checked server
# applications do not accept arguments from POST bodies so dynurl checks
# can't be bypassed using a POST instead of a Query string.
suppress-dynurl-parsing-of-posts = no

#----------------------
# URI AND POST BODY DECODING
#----------------------

# If decode-query is set to "yes", WebSEAL will validate the query string
# in requests according to the utf8-qstring-support-enabled parameter.
# Otherwise, WebSEAL will not validate the query string.  If decode-query
# is set to "no" then dynurl must be disabled.
decode-query = yes

# Different portions of HTTP requests may be interpreted as either UTF-8 or
# local code page according to the configuration items in this section.  The
# options for each portion of the request are either to ensure that the data
# is UTF-8, ensure that the data is local codepage, or to accept either.
#
# If an option in this section is "yes", WebSEAL will ensure that the data
# in that portion of the request is UTF-8.
#
# If an option in this section is "no", WebSEAL will ensure that the data
# in that portion of the request is local codepage.
#
# If an option in this section is "auto", WebSEAL will first attempt to
# validate the data as UTF-8.  If the data is not UTF-8, then WebSEAL will
# ensure the data is local codepage.

# utf8-url-support-enabled controls how the location portion of the URI
# (the portion before any question mark character) is intepreted.
utf8-url-support-enabled = yes

# utf8-qstring-support-enabled controls how the query portion of the URI
# (the portion after the question mark character) is interpreted.  This also
# applies to the POST bodies of requests to junctions when dynurl is enabled.
utf8-qstring-support-enabled = no

# utf8-forms-support-enabled option controls how form logins, password change
# requests, and other WebSEAL specific forms are parsed.
utf8-form-support-enabled = yes

# When double-byte-encoding is set to 'yes' WebSEAL will assume that URL's
# which contain encoding characters are always encoded in unicode, and will
# not contain UTF-8 encoded characters.
double-byte-encoding = no


# When a client URL specifies a directory location that does not end
# in a trailing '/', the client is redirected to the same URL with a
# trailing '/' added.  This is necessary for ACL checks to work properly.
# slash-before-query-on-redirect controls where the '/' is added
# if the orginal URL has a query string.
#
# Setting slash-before-query-on-redirect to 'yes' causes the trailing '/'
# to be added before the query string.
# For example:
#       /root/directoryname?query becomes /root/directoryname/?query
#
# Setting slash-before-query-on-redirect to 'no' causes the trailing '/'
# to be added after the query string.
# For example:
#       /root/directoryname?query becomes /root/directoryname?query/
#
# A setting of 'no' could cause browser errors and is not recommended.  This
# option exists for backwards compatibility only.

slash-before-query-on-redirect = yes


#----------------------
# SUPPRESSING SERVER IDENTITY
#----------------------

# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
suppress-server-identity = no

# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
suppress-backend-server-identity = no

#----------------------
# AUTH TOKEN VERSION
#----------------------

# Version 8.0.0 tokens use a different cipher than tokens in prior releases.
# If you are integrating with earlier versions of ISAM you will need to enable
# this to ensure the integrity of data across [e-community-sso], [failover], and
# [cdsso].
pre-800-compatible-tokens = no

#----------------------
# P3P Compact Policy header
#----------------------
# If 'preserve-p3p-policy' is set to 'no' (default), then any P3P headers from
# junctioned servers will be replaced.
#
# If 'preserve-p3p-policy' is set to 'yes', then any P3P headers from junctioned
# servers will be preserved.
preserve-p3p-policy = no

#----------------------
# Network Interface
#----------------------
# Specify an alternative I.P. address to be used by this instance of WebSEAL.
# This allows two or more WebSEAL instances to run on the same machine
# while using differing I.P. addresses and host names.
#
# network-interface = 0.0.0.0
network-interface = 192.168.42.193

# If always-neg-tls is set to "yes" then any TLS connections on this interface
# will only process one request.  Once the request is complete the connection
# will be closed and the TLS session will be destroyed. This forces a full
# TLS session renegotiation every connection.  This is a expensive method of
# using TLS so this option should only be enabled if absolutely necessary.
# Typically it could be enabled on the interface the secondary-port is referring
# to so the TLS on that interface always requests a certificate from the client
# (browser).
always-neg-tls = no

# Set  use-secondary-listener to "yes" to inform webseal that this interface
# uses the secondary port.  Used to improve compatibility with some browsers.
use-secondary-listener = no

#----------------------
# Filtering
#----------------------
# If preserve-base-href is no, then WebSEAL will remove all BASE HREF tags
# from filtered HTML documents and prepend the base tag to filtered links.
# Otherwise, the BASE HREF tag will be filtered.
preserve-base-href = yes

# If both preserve-base-href and preserve-base-href2 are set to yes, then
# WebSEAL will only perform the minimum filtering of the BASE HREF tag
# necessary to insert the WebSEAL host and junction names.
# If preserve-base-href is no, preserve-base-href2 has no effect.
preserve-base-href2 = yes

# To enable tag-based filtering of static URLs for new MIME types added
# to the [filter-content-types] stanza, change filter-nonhtml-as-xhtml to
# yes. Tag-based URL filtering operates without configuration changes
# for the text/html and text/vnd.wap.wml MIME types.
filter-nonhtml-as-xhtml = no

#---------------------
# Method disablement
#---------------------
# Specify the HTTP methods which should be blocked when requesting local or remote
# resources. Multiple methods should be separated with a comma (',').  For example, to
# block access to the TRACE and PUT methods over local junctions the configuration entry
# would be:
# http-method-disabled-local = TRACE,PUT
#
http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
http-method-disabled-remote = TRACE,PUT,DELETE,CONNECT

#---------------------
# Processing root junction requests
#---------------------
# Specify whether WebSEAL will attempt to process requests for resources
# located at the root ('/') junction before attempting to identify a
# junction point to send the request via junction mapping mechanisms
# such as the JMT or IV_JCT cookie.
#
# Avoiding root junction processing prevents processing being performed
# for incorrect resources before the intended resource is identified.
# This will have performance benefits and prevent false authorization or
# filetype check failures.
#
# Valid choices are:
#  never  - Root junction requests are never processed at the root junction.
#           That is, if a junction mapping mechanism is configured, such as
#           the JMT or IV_JCT cookie, WebSEAL will look for this junction
#           mapping information first (and look at the root junction last)
#           and process the request at the mapped junction point.
#
#  always - Always attempt to process requests for the root junction at the
#           root junction first before looking for a configured junction
#           mapping mechanism, such as the JMT or IV_JCT cookie.
#           This is not recommended unless the root junction serves a large
#           set of resources or no junction mapping mechanisms are configured
#           for the set of junctions served by this WebSEAL server.
#
#  filter - All root junction requests will be examined to determine whether
#           they start with the patterns specified in the process-root-filter
#           stanza.
#           If yes, the request will be processed at the root junction first.
#           If no, the request will be remapped immediately.
#
process-root-requests = always

#---------------------
# IPv6 support
#---------------------
#
# Specify whether WebSEAL will support IPv6.
#
# Upon a new installation, WebSEAL supports IPv6 by default.  However, if
# WebSEAL is upgraded from a release previous to 6.0, then the upgrade
# process will change this value to 'no'.  This is to ensure backwards
# compatibility.
#
# Valid choices are:
#  yes - Support IPv6 and IPv4 networks (default setting).
#
#  no  - Only support IPv4 networks.
#
ipv6-support = yes

# ip-support-level determines the network attributes placed in credentials.
# WebSEAL version 6.0 introduces new improved attributes which displace
# the older attribute.  The new attributes are required when IPv6 support
# (ipv6-support) is enabled.  This entry can be set to one of displaced-only,
# generic-only, or displaced-and-generic.
#
# displaced-only:
# The default for migrated installations.  WebSEAL will only generate the
# displaced IPv4 attributes when building credentials and when authenticating
# users through CDAS modules.
#
# generic-only:
# The default for new installations.  WebSEAL will only generate the new generic
# (supports both IPv4 and IPv6) attributes when building credentials and when
# authenticating users through CDAS modules.
#
# displaced-and-generic:
# Both sets of attributes (displaced and generic) are created.
#
ip-support-level = generic-only

#---------------------
# max-login-failures policy compatibility
#---------------------
#
# When late-lockout-notification = no, WebSEAL will notify clients that their
# account has been locked out immediately.
# When late-lockout-notification = yes WebSEAL will operate in a pre-v6.0
# compatible mode for user registry max-login-failures policy behavior,
# and not notify users until their next request.
# The default for new installations is disabled (no).  The default for migrated
# installations is enabled (yes).
late-lockout-notification = no

# When reject-invalid-host-header is set to yes all requests
# to WebSEAL with an invalid host header (see RFC2616) will be
# rejected with a status of 400, Bad Request.
reject-invalid-host-header = no

#---------------------
# Adding HttpOnly attribute
#---------------------
# When use-http-only-cookies is set to 'yes', WebSEAL will add the "HttpOnly"
# attribute to the session and failover cookies.  This will help defend against
# cross-site-scripting attacks by informing the browser not to make these
# cookies available to browser scripts.
use-http-only-cookies = yes

#---------------------
# Allow all Shift-JIS Muti-Byte characters
#---------------------
# When allow-shift-jis-chars is set to "yes" junctions created using -w will
# allow all Shift-JIS Muti-Byte characters in junction file and path names.
# When set to "no" junction file and path names using Shift-JIS Multi-Byte
# characters containing the single byte character '\' will be rejected.
allow-shift-jis-chars = no

#---------------------
# Pipelining
#---------------------
# WebSEAL does not support pipelined requests from browsers.  When this option
# is set to "yes" and WebSEAL detects pipelined requests it will close the
# connection to inform the the browser that is should resend the pipelined
# requests in a normal manner.  This should always be set to "yes" unless the
# previous WebSEAL behavior is required.
cope-with-pipelined-request = yes

#---------------------
# Unauthenticated users and "-b supply"
#---------------------
# This parameter determines if unauthenticated users can access junctions
# created with "-b supply".  When set to "no" the default behavior occurs.
# Default behavior does not allow unauthenticated users to access resources
# on a junction created using "-b supply", rather it will prompt then to
# authenticate.  When "allow-unauth-ba-supply" is set to "yes" unauthenticated
# users will be allowed access "-b supply" junctions.  The basic authentication
# header supplied to the junction will contain the user name 'unauthenticated'.
allow-unauth-ba-supply = no

#---------------------
# Tag-value label for missing attributes
#---------------------
# WebSEAL allows credential attributes to be inserted into the HTTP stream
# as HTTP headers.  In the event that a requested attribute was not located
# within the credential the HTTP header will still be created with a static
# string.  The tag-value-missing-attr-tag configuration entry defines the
# contents of the header.
tag-value-missing-attr-tag = NOT_FOUND

# Each attribute name set in a junction object's HTTP-Tag-Value is
# automatically prefixed by "tagvalue_" before locating it in the credential.
# This prohibits access to credential attributes that don't have names
# beginning with "tagvalue_" such as "AUTHENTICATION_LEVEL".  When this option
# is set to "no", the automatic prefixing of "tagvalue_" will not occur so all
# credential attributes can be specified in HTTP-Tag-Value.
force-tag-value-prefix = yes

#---------------------
# URLs and extra consecutive slashes ("/")
#---------------------
# WebSEAL does not allow extra consecutive slashes ("/") to be present in URL and
# silently removes those extra slashes if present, so an URL
# "/jct/a//b.html" becomes "/jct/a/b.html"
#  or
# "/jct//a////b.html" becomes "/jct/a/b.html"
# but with this below option set to "yes|true", extra slashes will not be removed i.e.
# "/jct/a//b.html" or "/jct//a////b.html" will be sent to backend as it is.
#
allow-extra-slashes-in-urls = false


#
# The maximum number of bytes which may be returned from the 'file cat'
# server task command.
#
max-file-cat-command-length = 4096

# The auth-challenge-type contains a comma separated list of
# authentication types which will be used when challenging a
# client for authentication information.  The supported authentication
# types include:
#   ba, forms, spnego, token, cert and eai.
#
# The corresponding authentication configuration entry (e.g. ba-auth)
# must be enabled for each specified authentication challenge type.
#
# By default the list of authentication challenge types will match that
# of the list of configured authentication mechanisms.
#
# Each authentication type can additionally be configured with a set of rules.
# These rules are used to determine the user agents for which the
# authentication type is enabled. Each set of rules must be contained within
# square brackets and separated by semicolons. Each pattern must begin with
# a '+' or '-' character to indicate inclusion or exclusion respectively.
# Patterns can contain alphanumeric characters, spaces, underscores and
# periods. The wildcard characters '*' # and '?' can also be used.
#
# For example:
#
# auth-challenge-type = [+*MSIE*]ba, [-*MSIE*;+*]forms
#
# This configuration will present a basic authentication challenge to user
# agents containing 'MSIE' (Internet Explorer browsers) and a forms based
# challenge to all other user agents. See the WebSEAL administration guide
# for further information.
#
# Do not use authentication challenge types as a security or enforcement
# measure. If no challenge types can be determined for a given user agent
# string, WebSEAL will fall back to the list of all configured authentication
# mechanisms.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [server:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
# auth-challenge-type =

#
# The maximum number of concurrent threads which can be consumed
# by a single user session before warning messages are generated.  WebSEAL
# will continue to process requests for this session until the corresponding
# hard-limit is reached.
#
# concurrent-session-threads-soft-limit = 5

#
# The maximum number of concurrent threads which can be consumed
# by a single user session.  Once the thread limit for the user session has
# been reached the request will not be processed by WebSEAL and an error
# will be returned to the client.
#
# If no value is specified for this configuration item there will be no
# limit to the number of concurrent threads that a user session can
# consume.
#
# concurrent-session-threads-hard-limit = 10

#
# WebSEAL normally reduces the timeout for connection I/O based on the
# number of active worker threads, and how many requests have been processed
# on the connection.  The following configuration item can be used to
# disable this automatic timeout reduction.
#
# disable-timeout-reduction = no

# This configuration option allows you to disable HTTP Keep-Alives for
# responses >= 2GB sent back to Internet Explorer 6 client browsers.  The
# primary purpose of this is to allow WebSEAL to mimic the IIS workaround
# published at:
#       http://support.microsoft.com/kb/298618
#
# This will enable clients using Microsoft Internet Explorer 6.0 to download
# files greater than 2GB, but less than 4GB.
enable-IE6-2GB-downloads = no

#
# The following configuration entry controls whether the negotiate and ntlm
# www-authenticate headers will be removed from the responses which are received
# from junctioned servers.
#
strip-www-authenticate-headers = yes

#
# The following configuration entry is used to control whether unsolicited
# authentication requests are allowed.  If set to 'no' a login will only
# be allowed if WebSEAL first returns a login form to the client.
#

allow-unsolicited-logins = yes

# Buffer size for reading from and writing to a client.
io-buffer-size = 16384

#
# The maximum number of consecutive 302 redirects that
# will be followed internally before WebSEAL concedes and
# passes the response back to the client.  A value of 0
# indicates that all 302 redirects will be sent back to the
# client for processing.
#
maximum-followed-redirects = 0

#
# WebSEAL is capable of examining 302 responses and processing the redirects
# internally if they are destined for the current server using the same
# protocol.  This configuration entry controls the requests for which this
# redirect functionality is enabled.  A case-sensitive comparison will be made
# between the configuration entry and the HTTP request line.  Shell-style
# pattern matching for '*', '?', '\' and '[]' can be used in the comparison
# (excluding special match strings).
#
# Special match strings:
# - "!LRR!" will match any request resulting in a Local Response Redirect
#   action occurring.
# - "!REPLAY!" will match any redirection to replay a URL that was interrupted
#   by a successful authentication.
#
# Multiple patterns can be specified by including multiple configuration
# entries of the same name.
#
# Example:
#    follow-redirects-for = GET /jct/index.html *
#    follow-redirects-for = !LRR!
follow-redirects-for =

########
# HTTP/2 enablement for main (default) interface to browsers.
#
# Enable/disable HTTP/2 encoded connections from browsers.
# This setting only affects the "default" interface defined in this stanza.
#
# HTTP/2 supports a reduced set of cipher suites.  The minimum cipher is
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and this is not included in the
# set of ciphers specified by the 'AES-128' cipher alias.  In order to add
# support for this cipher the following entry must be added as the first entry
# within the ssl-qop-mgmt-default configuration stanza:
#     default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enable-http2 = no

# HTTP/2: maximum number of network connections from HTTP/2 enabled browsers.
# This is per inteface/port (http and https), so if both http and https
# are enabled then the total max connections would be double this.
# This setting only affects the "default" interface defined in this stanza.
http2-max-connections = 200

# HTTP/2: maximum size in bytes that WebSEAL will accept for header compression
# table (RFC 7541). There is one table per HTTP/2 network connection.
http2-header-table-size = 4096

# HTTP/2: maximum number of simultanious multiplexed streams WebSEAL will accept
# per HTTP/2 network connection.  A value of -1 denotes the unlimited setting
# and is not recomended in a production WebSEAL environment as memory use in
# WebSEAL would be unbounded.
# This setting only affects the "default" interface defined in this stanza.
# Notes:
# - Each stream will have a 'http2-initial-window-size' byte buffer.
# - Each stream will need a worker-thread to process the one request/response
#   send over it before it is ended.
http2-max-concurrent-streams = 100

# HTTP/2: maximum number of unacknowledged bytes WebSEAL can accept per active
# multiplexed stream.  WebSEAL will create an in-memory buffer to hold this
# many bytes for each active multiplexed stream.
# This setting only affects the "default" interface defined in this stanza.
http2-initial-window-size = 65535

# HTTP/2: maximum size of the body of a single HTTP/2 protocol frame send over
# the HTTP/2 network connection.
# This setting only affects the "default" interface defined in this stanza.
http2-max-frame-size = 16384

# HTTP/2: maximum size of headers that can be send in a request on a HTTP/2
# stream.  A value of -1 denotes the unlimited setting and is not recomended in a
# production WebSEAL environment as memory use in WebSEAL would be unbounded.
# If not set it will default to the value of [server] max-client-read.
# This setting only affects the "default" interface defined in this stanza.
http2-max-header-list-size = 32768

# HTTP/2: maximum duration in seconds for an HTTP/2 connection.  The connection
# will be closed if this limit is reached.
# This setting applies to HTTP/2 connections for all interfaces.
http2-max-connection-duration = 120

# HTTP/2: Amount of time the HTTP/2 connection can be idle (not processing any
# requests).  The connection will be closed if it is idle for this time.
# This setting applies to HTTP/2 connections for all interfaces.
http2-idle-timeout = 20


[process-root-filter]
# This stanza is only used if process-root-requests = filter
# Request URLs starting with the following patterns will be processed at the
# root junction before attempting to remap the requests to a new junction point.
# Format is
#       root = <pattern>
# where <pattern> is a standard WebSEAL wildcard pattern.
#
root = /index.html
root = /cgi-bin*

[validate-headers]
# This stanza is used to list those headers which should be validated
# on each request. The format of each configuration entry is:
#
#       <hdr> = <value>
#
# For example to ensure all requests are from www.ibm.com set:
#
#       host = www.ibm.com
#
# If multiple headers of the same name are configured, the corresponding
# header in the request must match one of the configured values.

###############################
# WEBSEAL INTERFACES
###############################
[interfaces]
# The values from:
#   [server]
#     network-interface
#     always-neg-tls
#     http
#     http-port,
#     web-http-port,
#     web-http-protocol,
#     https,
#     https-port,
#     worker-threads
#     enable-http2
#     http2-max-connections
#     http2-header-table-size
#     http2-max-concurrent-streams
#     http2-initial-window-size
#     http2-max-frame-size
#     http2-max-header-list-size
#   [ssl]
#     webseal-cert-keyfile-label
#   [certificate]
#     accept-client-certs
#     secondary-port
# are used to create the "default" interface.
#
# This stanza allows additional interfaces to be configured.
#
# The format of each interfaces entry is:
#
# <interfaceName> = <interfaceOptions>
# <interfacesOptions> = <Option>=<Value>[;<Option>=<Value>[;...]]
#
# Leading and Trailing Spaces surrounding <Option>, <Value> are ignored.
# If leading or trailing spaces are required then the <Value> may be placed
# in double quotes (").
# If a double quote ("), semicolon (;), or backslash (\) character is required
# in the <Value> then this character must be prefixed by a backslash (\).
#
# <Option>=<Value> can be selected from:
#	network-interface=<ipAddress>
#       always-neg-tls=yes|no
#	http-port=<port> | "disabled"
#	https-port=<port> | "disabled"
#	web-http-port=<port> | "disabled"
#	web-http-protocol="http" | "https"
#	certificate-label=<keyFileLabel>
#	accept-client-certs="never" | "required" | "optional" |
#                           "prompt_as_needed" | "critical"
#	secondary-port=<port>
#	worker-threads=<count> | "default"
#       enable-http2=yes|no
#       http2-max-connections=<number>
#       http2-header-table-size=<number>
#       http2-max-concurrent-streams=<number>
#       http2-initial-window-size=<number>
#       http2-max-frame-size=<number>
#       http2-max-header-list-size=<number>
#
# Defaults for <interfaceOptions> if they are not present:
#	network-interface	0.0.0.0
#	always-neg-tls   	no
#	worker-threads		"default"
#	http-port		"disabled"
#	web-http-port		"disabled"
#	web-http-protocol	"http"
#	https-port		"disabled"
#	certificate-label	Uses key marked as default in key file.
#	accept-client-certs	"never"
#	secondary-port     	0
#       enable-http2		no
#       http2-max-connections	200
#       http2-header-table-size	4096
#       http2-max-concurrent-streams 100
#       http2-initial-window-size 65535
#       http2-max-frame-size	16384
#       http2-max-header-list-size max-client-read
#
# The following example configures an interface that only listens for http
# requests on address 10.0.0.1 port 81 (the https-port defaulted to "disabled").
#
# interface1 = network-interface=10.0.0.1; http-port=81


###############################
# HTTP Header Names
###############################
[header-names]

#
# This stanza controls the addition of HTTP headers into the request which is
# passed to junctioned applications.  Each entry within the stanza will be of
# the format:
#      <header-data> = [+]<header-name>
#
# where:
#    <header-data> : the type of data which will be inserted.
#    <header-name> : the name of the HTTP header which will hold the data.  The
#                    header-name can be prefixed with the '+' character if you
#                    wish to append to any existing header instead of
#                    overwriting the existing header.
#
# The <header-data> may be one of the following values:
#
#  server-name     : The ISAM authorization server name for the WebSEAL server.
#                    This is the name which is used in the "server task"
#                    commands.
#  client-ip-v4    : The IPv4 address of the client of this request.
#  client-ip-v6    : The IPv6 address of the client of this request.
#  client-port     : The port which is used by the client of this request.
#                    Please note that this is the client source port, and not
#                    the destination port.
#  host-name       : The host name of the WebSEAL server.  The host name will
#                    be obtained from the web-host-name configuration entry
#                    within the [server] stanza (if specified), or the host
#                    name of the machine itself.
#  httphdr{<name>} : A HTTP header from the request, as specified by the <name>
#                    field.  If the HTTP header is not found in the request
#                    the value contained within the [server]
#                    tag-value-missing-attr-tag configuration entry will be
#                    used as the value for the header.
#
# For example:
#    client-ip-v4  = +X-Forwarded-For
#    httphdr{host} = X-Forwarded-Host
#    host-name     = X-Forwarded-Server

server-name = iv_server_name

[rsp-header-names]

#
# This stanza is used to define static HTTP headers which will be added
# to every HTTP response from the WebSEAL server.  This will provide the
# administrator with the ability to insert some standard security headers
# into the response, such as strict-transport-security,
# content-security-policy and x-frame-options.
#
# Please note that the headers which are defined in this stanza will replace
# any matching headers which might have been added to the response by a
# junctioned application.
#
# If multiple headers of the same name are specified in this stanza all
# but the last of the matching entries will be ignored.
#
# The format of each entry in this stanza is:
#    <header-name> =  <header-value>
#
# For example,
#   strict-transport-security = max-age=31536000; includeSubDomains
#
# A special <header-value> of '%SESSION_EXPIRY%' can be used to
# designate a header which will contain the remaining length of time, in
# seconds, before the current local session expires.  This value does not
# include the overall session timeout for sessions which are managed by
# the distributed session cache (DSC), but just the length of time before
# the session expires in the local cache.
#
# For example:
#   session-timeout = %SESSION_EXPIRY%
#
strict-transport-security = max-age=31536000; includeSubDomains

###############################
# LDAP
###############################
[ldap]
# prefer-readwrite-server - yes|no Indicates whether to select writable
#                           LDAP server when available
# auth-using-compare      - yes|no Indicates whether to perform
#                           authentication using LDAP bind or comparing password
# bind-dn                 - Indicates the Distinguished Name of the daemon
#                           (set by configuration)
# ssl-enabled             - yes|no Indicates whether SSL is enabled (set
#                           by configuration)
# ssl-keyfile             - Indicates filename of SSL keyfile (set by
#                           configuration)
# ssl-keyfile-dn          - Indicates the certificate label in the SSL
#                           keyfile, if any (set by configuration)
# default-policy-override-support
#                         - yes|no When "yes", no user Policy will
#                           be checked, only the default Policy is checked
#                           (saves some LDAP searches)
# user-and-group-in-same-suffix
#                         - yes|no When "yes", indicates that the groups are
#                           defined in the same LDAP suffix as the user
#                           (saves some LDAP searches)
# login-failures-persistent
#                         - yes|no When "yes", login strikes will be tracked
#                           in the registry instead of only in the local
#                           process cache.  Persistent login strike recording
#                           is more expensive but allows consistent login
#                           strike counting across multiple servers.
# cache-enabled           - yes|no Indicates whether to enable the local
#                           LDAP cache
#
# cache-enabled related configuration settings:
#
# cache-user-size         - (optional) The number of entries in the LDAP user
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 256.
# cache-group-size        - (optional) The number of entries in the LDAP group
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 64.
# cache-policy-size       - (optional) The number of entries in the LDAP policy
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 20.
# cache-user-expire-time  - (optional) The amount of time (in seconds) until a
#                           user entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 30 seconds.
# cache-group-expire-time - (optional) The amount of time (in seconds) until a
#                           group entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 300 seconds (5 minutes).
# cache-policy-expire-time
#                         - (optional) The amount of time (in seconds) until a
#                           policy entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 30 seconds.
# cache-group-membership  - (optional) Indicates whether group membership
#                           information should be cached.  Ignored if the cache
#                           is not enabled.  If not set, the default is yes.
# cache-use-user-cache    - (optional) Indicates whether to use the user cache
#                           information or not.  Ignored if the cache is not
#                           enabled.  If not set, the default is yes.
# cache-return-registry-id -(optional) Indicates whether to cache the user
#                           identity as it is stored in the registry or cache
#                           the value as entered during authentication.
#                           Ignored if the cache is not enabled.
#                           If not set, the default is no.
# enhanced-pwd-policy     - (optional) If set to yes then additional status
#                           information for the LDAP registries own password
#                           policy enforcement is acquired and reported to
#                           this TAM application during login and password
#                           change operations.
#                           This option must be enabled for [acnt-mgt]
#                           enable-passwd-warn to function.
# enable-last-login       - (optional) Indicates whether to enable recording
#                           of the last time each user logs in to LDAP.  If
#                           enabled then it must be enabled in all TAM
#                           applications to ensure the value is captured in
#                           all cases.

prefer-readwrite-server = no
auth-using-compare = yes
ssl-enabled = no

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

ssl-keyfile =
ssl-keyfile-dn =
#default-policy-override-support = no
#user-and-group-in-same-suffix = yes
#login-failures-persistent = no

cache-enabled = yes

#cache-user-size = 256
#cache-group-size = 64
#cache-policy-size = 20
#cache-user-expire-time = 30
#cache-group-expire-time = 300
#cache-policy-expire-time = 30
#cache-group-membership = yes
#cache-use-user-cache = yes
cache-return-registry-id = no

enhanced-pwd-policy = no
enable-last-login = no

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file.  If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.

bind-pwd = **obfuscated**

###############################
# SSL
###############################
[ssl]

# This section contains entries that affect the behavior of the SSL
# components of WebSEAL.  These will affect both clients connecting
# via SSL as well as SSL junctions to backend systems.
# The first five parameters (webseal-cert-*) relate to the certificate
# keystore WebSEAL uses for exchanging with browsers when negotiating
# SSL sessions.
# WebSEAL certificate keyfile

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

webseal-cert-keyfile = pdsrv.kdb

# The stash file which contains the password user to protect the private
# keys in the keyfile.

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

webseal-cert-keyfile-stash = pdsrv.sth

# Label of key to use other than the default
webseal-cert-keyfile-label = WebSEAL-Test-Only

# Server Name Indication SNI (optional)
# If a user connects to webseal via TLS over SSL, and the browser supports
# SNI, WebSEAL is capable of sending a server certificate which matches the
# host name used by the browser in the request.  The webseal-cert-keyfile-sni
# configuration entry is used to specify the certificate which should be sent
# for a particular host name.
#
# The configuration entry may be specified multiple times, one for each
# host name. The entry should be of the format:
#    webseal-cert-keyfile-sni = <host name>:<label>
#
# where:
#   host name : Is the name of the host which will be used by the browser
#   label     : Is the label of the certificate which will be used.
#
webseal-cert-keyfile-sni =

# Selectively disable SSL version support for browser connections
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = no
disable-tls-v11 = no
disable-tls-v12 = no

# Session timeout for SSL v2 connections (range: 1-100 secs)
ssl-v2-timeout = 100

# Session timeout for SSL v3 connections (range: 1-86400 secs)
ssl-v3-timeout = 7200

# The maximum number of concurrent entries in the SSL cache
ssl-max-entries = 4096

# CRL Cache configuration.
# When gsk-crl-cache-size and gsk-crl-cache-entry-lifetime are
# both set to zero (which they are by default), CRL Caching will
# be disabled.

# The maximum number of entries in the GSKit CRL cache
# (must be > 0 to initialize CRL Caching)
gsk-crl-cache-size = 0

# Lifetime timeout for individual entries in the GSKit CRL cache
# (range: 0-86400 secs)
gsk-crl-cache-entry-lifetime = 0

# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.

# The CRL LDAP server which is to be used for CRL checking.
crl-ldap-server =

# The port on which the CRL LDAP server is listening.
crl-ldap-server-port =

# The DN of the LDAP user which is to be used.
crl-ldap-user =

# The password of the LDAP user.
crl-ldap-user-password =

# The following entry allows a pkcs11 key file to be specified.  This key file
# will contain the configuration information used to identify and access a
# Network Hardware Security Module (NetHSM).

# The following files are currently available for this configuration entry:
# - <none available>

pkcs11-keyfile =

# To enable PKCS#11 for symmetric algorithms, set
# pkcs11-symmetric-cipher-support to 'yes'.
# NOTE:
#   The PCKS#11 symmetric cipher support does not
#   include removable devices. If a removable device is encountered
#   it will be ignored even if the support has been requested.
#   Additionally, not all devices will support symmetric ciphers
#   please check your vendor documentation before usage.
#
pkcs11-symmetric-cipher-support = no

# Configure FIPS mode processing.  GSKit will not allow it to be
# enabled (set to yes) if base-crypto-library = RSA.
fips-mode-processing = no

# Configure NIST SP800-131A compliance mode.  This will have the affect of:
#   - enabling FIPS mode processing (over-riding the value of the
#     fips-mode-processing configuration entry);
#   - enabling TLS V1.2 (over-riding the value of the disable-tls-v12
#     configuration entry);
#   - enabling the appropriate signature algorithms;
#   - setting the minimum RSA key size to 2048 bytes.
nist-compliance = no

# The follow two options are used enable OCSP.  Either or both can be used.
#ocsp-enable = no
#ocsp-url = <Absolute URL for OCSP responder>

# The following are OCSP options for interacting with the OCSP Responder.
#ocsp-nonce-generation-enable = no
#ocsp-nonce-check-enable = no
#ocsp-retrieve-via-get = no
#ocsp-max-response-size = 20480
#ocsp-proxy-server-name = <proxy host name>
#ocsp-proxy-server-port = <proxy port number>

# If, after OCSP or CRL checking, the revocation status of a browser supplied
# certificate is undetermined, WebSEAL can be configured to ignore this, log
# the fact, or log the fact and reject the connection by setting
# undetermined-revocation-cert-action to "ignore", "log" or "reject"
# respectively.
undetermined-revocation-cert-action = log

# The following configuration item is used to control whether SSL errors
# originating from a connection with a client are logged.
suppress-client-ssl-errors = false

#
# Specify any additional GSKit attributes which should be used when
# initializing an SSL connection with the client. A complete list of
# the available attributes is included in the GSKit SSL API documentation.
#
# The configuration entry may be specified multiple times, one for each
# GSKit attribute. The entry should be of the format:
# gsk-attr-name = <type>:<id>:<value>
#
# - where <type> is one of 'enum', 'string', 'number'
#     and <id> corresponds to the identity associated with a GSKit attribute
#       (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
#
# An example configuration could be:
# gsk-attr-name = string:225:proxy.ibm.com
#

#
# Specify any additional GSKit attributes which should be used when
# initializing an SSL connection with a junctioned server. A complete list of
# the available attributes is included in the GSKit SSL API documentation.
#
# The configuration entry may be specified multiple times, one for each
# GSKit attribute. The entry should be of the format:
# jct-gsk-attr-name = <type>:<id>:<value>
#
# - where <type> is one of 'enum', 'string', 'number'
#     and <id> corresponds to the identity associated with a GSKit attribute
#       (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
#
# This configuration item may be customized for a particular junction by
# adding the adjusted configuration item to a [ssl:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
#
# An example configuration could be:
# jct-gsk-attr-name = string:225:proxy.ibm.com
#

# Control whether duplicate SSL warning messages are sent to the WebSEAL
# log file.  If this option is set to yes, then if a junction is defined
# with -K and not -D, a warning will be reported every time a connection is
# opened to that junction.  This fills up logs, so administrators may want to
# set it to no.  If it is set to no, then a single warning will be reported
# at server start.
enable-duplicate-ssl-dn-not-found-msgs = yes
ssl-auto-refresh = yes
ssl-listening-port = 7235
ssl-pwd-life = 183
ssl-authn-type = certificate

# We only want to listen on our management interfaces.
listen-interface = 192.168.42.191

###############################
# JUNCTION
###############################
[junction]

# Location of the Junction to Request Mapping Table (JMT)
# This path is relative to the server-root value in the [server] stanza

# The following files are currently available for this configuration entry:
# - jmt.conf

jmt-map = jmt.conf

# Timeout (in seconds) for sending to and reading from a TCP junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely.  This configuration
# item may be customized for a particular junction by adding the adjusted
# configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
# to the junction point for a standard junction (include the leading '/'), or
# the virtual host label for a virtual host junction.
http-timeout = 120

# Timeout (in seconds) for sending to and reading from an SSL junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely.  This configuration
# item may be customized for a particular junction by adding the adjusted
# configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
# to the junction point for a standard junction (include the leading '/'), or
# the virtual host label for a virtual host junction.
https-timeout = 120

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running.  This entry sets the interval,
# in seconds, between pings when the server is determined to be running.
# To turn this ping off, set this entry to zero.  If this entry is set to zero,
# the recovery-ping-time must be set.
ping-time = 300

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running.  This entry sets the interval,
# in seconds, between pings when the server is determined to be not running.
# If this entry is not set, the recovery-ping-time defaults to the ping-time.
#recovery-ping-time = 300

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running.  The optional
# ping-method entry sets the HTTP request type used in these pings. A valid
# ping-method is defined by the HTTP/1.1 protocol. If the ping-method is
# invalid or missing, this value defaults to HEAD.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
ping-method = HEAD

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running.  The optional ping-uri
# configuration entry defines the URI which will be accessed by the ping
# request.  The defined URI should be relative to the root Web space of the
# junctioned Web server.  If the URI is missing this value defaults to a value
# of '/'.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
ping-uri = /

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether the junctioned Web server is running. The optional
# ping-response-code-rules configuration entry defines the rules which are used to
# determine whether the HTTP status code of the responses indicate a healthy or
# an unhealthy junctioned Web server.
#
# If valid values are configured for both ping-response-code-rules and
# response-code-rules, the specified ping-response-code-rules will be applied
# to the 'ping' requests initiated by WebSEAL,
# and other requests will be matched against response-code-rules to
# determine the server state.
#
# If a valid ping-response-code-rules value is configured but
# response-code-rules is not, the specified ping-response-code-rules will be applied
# to the 'ping' requests initiated by WebSEAL,
# and other requests will not be used to determine the server state. In this case,
# ping-response-code-rules are the only rules used to determine the server state.
#
# If the ping-response-code-rules configuration entry is not set, the rules that
# are specified by the response-code-rules configuration entry will also apply
# to ping requests.
#
# The configuration entry contains a space separated list of rules. Each rule
# has the format:
#           [+|-]<code>   (e.g. -50?)
# where:
#     +:      indicates that this is a healthy response code
#     -:      indicates that this is an unhealthy response code
#     <code>: the corresponding response code, which can also contain pattern
#             matching characters (i.e. * ?)
#
# The HTTP response codes will be evaluated against each rule in sequence until
# a match is found.  The corresponding code (+|-) will then be used to determine
# whether the junctioned Web server is healthy or not.  If the response code
# matches no configured rules the junctioned Web server will be considered to be
# healthy.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
# ping-response-code-rules = +2?? -*
ping-response-code-rules =

# When a response of a client initiated request is returned from the junctioned server,
# the optional response-code-rules configuration entry defines the rules
# which are used to determine from the HTTP status code of the responses
# whether the junctioned Web server is in a healthy or an unhealthy state.
#
# This configuration entry will apply to all requests if the ping-response-code-rules
# configuration entry has not been set, otherwise it will only apply to all client
# initiated requests.
#
# The configuration entry contains a space separated list of rules. Each rule
# has the format:
#           [+|-]<code>   (e.g. -50?)
# where:
#     +:      indicates that this is a healthy response code
#     -:      indicates that this is an unhealthy response code
#     <code>: the corresponding response code, which can also contain pattern
#             matching characters (i.e. * ?)
#
# The HTTP response codes will be evaluated against each rule in sequence until
# a match is found.  The corresponding code (+|-) will then be used to determine
# whether the junctioned Web server is healthy or not.  If the response code
# matches no configured rules the junctioned Web server will be considered to be
# healthy.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
# response-code-rules = +2?? -*
response-code-rules =

# These values will limit the percentage of total worker threads processing
# requests for junctions.  The default of 100% means there is no
# limit.  When the "soft" limit is reached, WebSEAL will generate a warning
# message.  When the "hard" limit is reached, WebSEAL will generate an error
# message and return a 503, "Service Unavailable", result to the client browser
# instead of requesting the resource from the junction.
# This value can be overridden on a per junction basis using pdadmin.
worker-thread-hard-limit = 100
worker-thread-soft-limit = 90

# Buffer size for reading from and writing to a junction.
io-buffer-size = 16384

# Maximum size, in bytes, of WebSEAL generated HTTP Headers.
# Headers over this size will be split across multiple
# HTTP Headers.  A value of "0" disables this support.
max-webseal-header-size = 0

#----------------------
# SENDING DOMAIN COOKIES
#----------------------

# If validate-backend-domain-cookies is set to "no", then all Domain set-cookies
# will be forwarded to the user, regardless of their content.
#
# If set to "yes" then Domain set-cookies will be evaluated to ensure that
# they adhere to the cookie specification.  Set-cookies with Domains that do not
# properly match the domain of the origin server will be removed from the
# request. Set-cookies that pass the validation will be forwarded to the client.
#
# Occasionally applications will send set-cookies with a Domain parameter
# that contains the FQHN of the origin server.  To ensure proper routing,
# WebSEAL will remove the Domain from these set-cookies before forwarding
# to the client.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
validate-backend-domain-cookies = yes

# If allow-backend-domain-cookies is set to 'no', and
# validate-backend-domain-cookies = 'yes', then WebSEAL will remove
# the Domain from the set-cookie before forwarding.
#
# If allow-backend-domain-cookies = yes, then the Domain will not be removed.
# In addition, this will affect how WebSEAL filters the Path of set-cookies.
# Under certain circumstances, WebSEAL must modify the Path of set-cookies
# sent from junctioned origin servers to include the junction point to ensure
# that the user-agent will properly send the cookie with requests.
# WebSEAL will not do this for Domain set-cookies, because this might preclude
# those cookies from being sent to other systems in the domain, so if
# allow-backend-domain-cookies is set to 'yes', this Path modification will
# not take place for Domain set-cookies.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
allow-backend-domain-cookies = no

# If validate-backend-domain-cookies is set to "yes", then
# support-virtual-host-domain-cookies will modify how WebSEAL validates
# the Domain of set-cookies.  This option will have no effect if
# validate-backend-domain-cookies = no
#
# If support-virtual-host-domain-cookies is set to "yes" then the domain cookie
# will be validated by comparing it with the virtual host specified for a
# backend server with the -v junction option.
#
# If set to "no", or if no virtual host was specified for a junction, then
# the FQHN will be compared with the Domain value of a set-cookie for
# validation.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
support-virtual-host-domain-cookies = yes

# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.
#crl-ldap-server = <server_name>
#crl-ldap-server-port = <port>
#crl-ldap-user = <user_DN>
#crl-ldap-user-password = <user_password>

# The follow two options are used enable OCSP for checking the revocation
# status of junction server supplied certificates.  Either or both can be used.
#jct-ocsp-enable = no
#jct-ocsp-url = <Absolute URL for OCSP responder>

# The following are OCSP options for interacting with the OCSP Responder.
#jct-ocsp-nonce-generation-enable = no
#jct-ocsp-nonce-check-enable = no
#jct-ocsp-max-response-size = 20480
#jct-ocsp-proxy-server-name = <proxy host name>
#jct-ocsp-proxy-server-port = <proxy port number>

# If, after OCSP checking, the revocation status of a junction server supplied
# certificate is undetermined, WebSEAL can be configured to ignore this, log
# the fact, or log the fact and reject the connection by setting
# jct-undetermined-revocation-cert-action to "ignore", "log" or "reject"
# respectively.
jct-undetermined-revocation-cert-action = log

# Selectively disable SSL version support for junction connections
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = no
disable-tls-v11 = no
disable-tls-v12 = no

# Configure NIST SP800-131A compliance mode.  This will have the affect of:
#   - enabling FIPS mode processing (over-riding the value of the
#     fips-mode-processing configuration entry);
#   - enabling TLS V1.2 (over-riding the disable-tls-v12 configuration entry);
#   - enabling the appropriate signature algorithms;
#   - setting the minimum RSA key size to 2048 bytes.
jct-nist-compliance = no

# The next configuration options allow a separate keyfile to be used
# for Junction SSL operations rather than sharing the one specified in
# the [ssl] stanza.
# The keyfile database which is to be used for Junction SSL operations.

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

jct-cert-keyfile =

# The name of the file to which the password for the SSL Junction key file is
# stashed.

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

jct-cert-keyfile-stash =

# When jct-ssl-reneg-warning-rate is set to a value greater than zero, WebSEAL
# will output a warning message if the SSL session renegotiation rate between
# junction servers and WebSEAL reaches this level or greater.  The value is
# specified as the number of renegotiations per minute.
jct-ssl-reneg-warning-rate = 0

# When use-new-stateful-on-error is set to yes WebSEAL will choose a new
# stateful junction server for a user if the current one fails.  When it is
# set to no, WebSEAL will not choose a new stateful junction server for a
# user, instead it returns an error and future requests by the user will keep
# attempting to use this same stateful junction server (until the user
# restarts their browser or the junction server is deleted).
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct-id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (including
# the leading '/'), or the virtual host label for a virtual host junction.
use-new-stateful-on-error = no

# When dont-reprocess-jct-404s = yes, WebSEAL will return 404 responses
# from junctions directly to clients.  When set to no, WebSEAL will
# assume the 404 is due to an unfiltered server relative link and
# will try to fix the problem by prepending a junction point to the URL
# in the request and sending the request again.  Setting this value to
# "no" provides backwards compatibility with TAM 5.1.
dont-reprocess-jct-404s = yes

# The following configuration item can be set to yes to avoid multiple
# attempts to prepend a junction point to the beginning of the URL string
# when reprocessing requests as a result of a HTTP 404 status code.
# To cause requests for root junction resources, that result in an HTTP 404
# error, to be reprocessed, set this configuration entry to 'yes'.
reprocess-root-jct-404s = no

# When pass-http-only-cookie-attr is set to 'yes' it will allow WebSEAL to pass
# the HttpOnly attribute from Junction Set-Cookie headers through to clients.
# When set to 'no' the HttpOnly attribute will be discarded.
pass-http-only-cookie-attr = yes

# Compatibility option to also mangle junction names into domain set cookies.
# When several junctioned servers set domain cookies with the same name and
# same path, the browser will overwrite the values to the last one set.  This
# is the expected behavior for domain cookies, but before WebSEAL 5.1, it was
# possible to use WebSEAL cookie mangling to prevent it.  When set to "yes"
# the pre-5.1 behavior is enabled.
mangle-domain-cookies = no

# Option to use the client's current IP address, rather than one cached in
# the credentials at authentication time, for the value passed in a header
# to junctions created with the -r option.
insert-client-real-ip-for-option-r = no

# The maximum number of persistent connections which will be stored in the
# cache for future use.  Connections with junctioned Web servers will be
# cached for future use unless the configured limit is reached, or the
# 'connection: close' header is received in the HTTP response.  Please note
# that if enabled there is the potential for different user sessions to use
# the same connection when processing requests.  To disable the persistent
# connection functionality simply specify a max-cached-persistent-connections
# value of 0.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct-id}] stanza, where
# {jct-id} refers to the junction point for a standard junction (including
# the leading '/'), or the virtual host label for a virtual host junction.
max-cached-persistent-connections = 0

# The maximum number of seconds a persistent connection can remain idle in our
# cache before the connection is cleaned up and closed by WebSEAL.  This value
# should be lower than the configured maximum connection lifetime for the
# junctioned Web server.  This behaviour is controlled for the Apache Web
# server, as an example only, by the KeepAliveTimeout configuration entry.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct-id}] stanza, where
# {jct-id} refers to the junction point for a standard junction (including
# the leading '/'), or the virtual host label for a virtual host junction.
persistent-con-timeout = 5

# The managed-cookies-list contains patterns that will be matched
# against the names of cookies returned by junctioned servers to determine
# whether the cookie should be stored in the WebSEAL cookie jar.
# Items in the managed-cookies-list should be comma separated and there should
# be no white space separating cookie names. The WebSEAL cookie jar is turned
# off by not specifying any cookies in the managed-cookies-list.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
#managed-cookies-list = JSESS*,Ltpa*

# The share-cookies item is used to control sending of cookies contained in the
# WebSEAL cookie jar between different junctions. If share-cookies = true, all
# cookies in the WebSEAL cookie jar which match the request will be sent across
# the junction. If share-cookies = false only cookies received from the junction
# will be sent in requests to that junction.
share-cookies = false

# The reset-cookies-list contains patterns that will be matched
# against the names of cookies returned by junctioned servers, or provided
# by the client, to determine whether the cookie should be reset during a
# user session logout.  Items in the managed-cookies-list should be comma
# separated without any white space.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
# reset-cookies-list = JSESS*,Ltpa*

# If dynamic-addresses is set to "no" the junction server host name will
# be resolved to it's corresponding IP address and this address will then
# be used for subsequent communication with the junction server.
#
# If set to "yes" the junction server host name will be resolved to it's
# corresponding IP address immediately before any communication with the
# junction server.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
dynamic-addresses = no

# If the dynamic-addresses configuration entry has been set to yes this
# configuration entry will specify the length of time (in seconds) that
# a resolved IP address can be used before it is discarded and another
# name resolution is attempted (time-to-live).
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
dynamic-addresses-ttl = 0

#
# WebSEAL can be used to serve pages from a local web server via local
# junctions. If local junctions are not used, the functionality can be
# disabled with this configuration item.
#
disable-local-junctions = no

#
# Two separate junction tables are managed by WebSEAL, one for virtual host
# junctions, and the other for standard junctions.  When a request is
# received the VHJ table is searched first, and if no match is found the
# table which manages the standard junctions is then searched.  The following
# configuration item is used to reverse the search order so that the table
# which manages the standard junctions is searched before the VHJ table.
#
match-vhj-first = yes

# The following configuration entry is used to control whether the learning
# capability is enabled for GSO junctions or not.  If learning is enabled,
# and existing credential information is not available for the user, the
# BA prompt will be returned to the user.  The credential information
# for the user will then be stored for future use on a subsequent
# successful authentication.  An authentication is deemed to be
# successful if the junctioned Web server does not return a
# 4xx or 5xx response.
gso-credential-learning = no

# The following configuration entry is used to define the key which is used
# to obfsucate the credential information which is managed by the GSO Web
# service.  If no key is defined the credential information will not be
# obfuscated by WebSEAL.
# gso-obfuscation-key =

#----------------------
# KERBEROS SSO JUNCTIONS
#----------------------

# This configuration entry controls whether Kerberos single-sign-on
# authentication is enabled on junctions.
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
kerberos-sso-enable = false

# The name of the Kerberos key table file for the WebSEAL server. This stanza
# entry is required when Kerberos SSO authentication for junctions is enabled.
# The keytab file must contain the key for the service-principal-name (SPN)
# used for Kerberos authentication.

# The following files are currently available for this configuration entry:
# - <none available>

kerberos-keytab-file =

# The Kerberos SPN, used as the impersonating user when creating the token. The
# service principal name can be determined by executing the Microsoft utility
# setspn (that is, setspn -L user, where user is the identity of the WebSEAL
# account).
#
# Format is:
#   kerberos-principal-name = HTTP/<username>@<realm>
#
# This stanza entry is required when Kerberos SSO authentication for junctions
# is enabled.
kerberos-principal-name = <principal-name>

# The Kerberos SPN for the back-end Web server. The service principal name can
# be determined by executing the Microsoft utility setspn (that is, setspn -L
# user, where user is the identity of the back-end Web server's account).
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
#
# Format is:
#   kerberos-service-name = HTTP/<username>@<realm>
#
# This stanza entry is required when Kerberos SSO authentication for junctions
# is enabled.
kerberos-service-name = <principal-name>

# This boolean value is used to indicate whether a security token should be
# sent for every HTTP request, or whether WebSEAL should wait for a 401
# response from the back-end Web server before adding the security token.  This
# configuration item is used to avoid the unnecessary overhead of generating
# and adding a security token to every request if the back-end Web server is
# capable of maintaining user sessions.
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
# This stanza entry is required when Kerberos SSO authentication for junctions
# is enabled.
always-send-kerberos-tokens = false

# This entry overwrites the UPN (or sections of the UPN) for Kerberos SSO users.
# The replacement information can be direct text or names of credential
# attributes.
#     <text>: directly copied into the UPN sections
#     attr:<name>: fetches the replacement text from the "name" credential
#                  attribute
#
# The domain information can also be extracted from the dc elements of the
# user's dn via the attribute "attr:dn".
# If no user name is defined, the client credential name is used.
# If no domain is defined, the WebSEAL service account domain is used.
# Defining a domain without a user name must be prepended with '@'. The domain
# is case sensitive and must be upper case. The domain must be added as a realm
# to the Kerberos Configuration.
#
# Format is:
#   kerberos-user-identity = <username>@<realm>
#   kerberos-user-identity = <username>
#   kerberos-user-identity = @<realm>
#   kerberos-user-identity = <upn>
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
kerberos-user-identity =

#---------------------
# HTTP/2 FOR JUNCTIONS
#---------------------
#
# HTTP/2 protocol settings for connections to junction servers and connections
# to proxy servers used to access junction servers.  These HTTP/2 configuration
# items may be customized for a particular junction by adding the adjusted
# configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
# to the junction point for a standard junction (include the leading '/'), or
# the virtual host label for a virtual host junction.

# HTTP/2: maximum size in bytes that WebSEAL will accept in the header compression
# table (RFC 7541) from the junction and proxy servers. There is one table per
# HTTP/2 network connection.
http2-header-table-size = 4096

# HTTP/2: maximum number of unacknowledged bytes WebSEAL can accept per active
# multiplexed stream to the junction and proxy servers.  WebSEAL will create an
# in-memory buffer to hold this many bytes for each active multiplexed stream.
http2-initial-window-size = 65535

# HTTP/2: maximum size of the body of a single HTTP/2 protocol frame sent over
# the HTTP/2 network connection.
http2-max-frame-size = 16384

# HTTP/2: maximum size of headers that can be received in a response over a HTTP/2
# stream.  A value of -1 denotes the unlimited setting allowing it's memory use in
# WebSEAL to be unbounded.
http2-max-header-list-size = 32768

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file.  If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.

basicauth-dummy-passwd = **obfuscated**


[query-contents]
#----------------------
# QUERY CONTENTS
#----------------------

# When this option is enabled then the query string sent to the query contents
# CGI on junctions will be a uri encoded UTF-8 string.  In addition a
# x-query-contents-uriencoded header is sent with the value "yes".  This
# option is to aid in supporting non-ASCII locales.
query-contents-uriencoded = no


[illegal-url-substrings]
#----------------------
# ILLEGAL URL SUBSTRINGS
#----------------------
# WebSEAL will block HTTP requests with any of the substrings from this
# list in the URL.
#
# Format is:
#     substring = <STRING>
#
substring = <script


[filter-url]
#----------------------
# DOCUMENT FILTERING
#----------------------
# URL attributes that the server will filter in responses from
# junctioned servers.
# Format is <TAG> = <ATTRIBUTE>
A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION

[filter-events]
#------------------------
# EVENT HANDLER FILTERING
#------------------------
# Specifies (TAG,EVENT-HANDLER) pairs that contain JavaScript requiring
# filtering of URL references.  Currently, only absolute URLs are
# supported.
#
# Format is <TAG> = <EVENT-HANDLER>
A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT

[filter-schemes]
#
# URLs with these schemes are not filtered in responses from junctioned
# servers.
#
# Notes and Exceptions:
# - HTTP: and HTTPS: are internally handled and will be ignored if present in
#   this list.
# - Webseald will filter URLs with a scheme matching one in this list if
#   the response from a junctioned server has a BASE tag HREF URL scheme the
#   same as the URLs.
# - If a URL in the response from a junctioned server does not have a scheme
#   from this list, and the scheme is not HTTP: or HTTPS:, then webseald will
#   assume the URL is the same scheme as the junctioned server (HTTP: or
#   HTTPS:) with it's scheme missing.
# - The trailing ':' on scheme-name is optional, and if missing will be assumed.
#
# Format is:
#    scheme = <scheme-name>
#
scheme = file
scheme = ftp
scheme = mailto
scheme = news
scheme = telnet

[filter-content-types]
#
# Document content types that the server will filter in responses from
# junctioned servers.  If types besides text/html and text/vnd.wap.wml
# are added to this list then the option [script-filtering]script-filter
# should be set to 'yes'.
#
# Format is:
#    type = <type-name>
#
type = text/html
type = text/vnd.wap.wml

[filter-request-headers]
#
# HTTP headers to filter from the client request before sending to the
# back-end web server.  Note that this list is in addition to headers
# that WebSEAL will always filter, eg iv-user, iv-groups.
#
# Format is:
#   header = <header-name>
#
# The header name is case insensitive.
#
# The addition of "accept-encoding" to this list will prevent junctioned
# servers from returning compressed data to WebSEAL.  WebSEAL cannot
# filter compressed data.
header = accept-encoding


[script-filtering]
# When script filtering support is enabled, filtering of
# absolute urls between html <script> tags can be enabled.
#
# Only absolute URLs that exist as a complete string in the
# html schema:server format will be filtered.
script-filter = no

# When script-filter is set to yes, enabling this flag will rewrite
# the absolute URLs with new absolute URLs that contain the protocol,
# host and port (if necessary) that represent how the user accessed
# the WebSEAL server.
#rewrite-absolute-with-absolute = no

# If another WebSEAL server has created a junction to this WebSEAL
# server using a WebSEAL to WebSEAL junction, set this to 'yes'
# to uniquely identify the cookie used for resolving unfiltered links.
hostname-junction-cookie = no


# The following stanza is used to configure parameters associated
# with the snippet filter.
[snippet-filter]

# The maximum size (in bytes) of snippets which will be stored in
# memory.  If the snippet exceeds the configured maximum size it will
# not be cached, but will instead be read from disk during the
# construction of each response.
max-snippet-size = 1024

# The following stanza is used to configure the snippet filter for a
# particular resource.  This filter will allow snippets to be inserted
# into the response for the resource.
#
# The format of the stanza, and its entries are as follows:
# [snippet-filter:<uri>]
# <location> = <filename>
#
# where:
#  <uri>:      The decoded URI for which the snippet substitution will
#              take place.
#  <location>: The location at which the snippet should be inserted.
#              This string will be pattern matched against a line in
#              the response using the '*.' wildcard characters.  The
#              maximum length of a line in a response which can be
#              matched by the filter is 8192 bytes.  If the line in the
#              response is longer than this it will simply be streamed
#              through to the client and cannot be used to identify a
#              snippet location.
#  <filename>: The name of the file which contains the snippet which
#              is to be inserted.  The path specified should be
#              relative to the 'snippet' directory in the management
#              root directory.
#
# Multiple resources may be specified, and multiple locations may be
# configured for each resource.  The entries within the stanza must
# appear in the order that they will be inserted within the returned
# page.

[preserve-cookie-names]
#
# WebSEAL will, by default, modify the names of cookies returned in
# responses from junctions created with the -j flag or listed in the
# Junction Mapping Table.  This is done to prevent naming conflicts with
# cookies returned from other junctions.
#
# If front end applications depend on the names of certain cookies, you
# you may want to disable this behavior for those cookies.  To do so, list
# the cookies in this stanza.
#
# Format is:
#   name = <cookie-name>

[credential-refresh-attributes]
#
# When a user's credential is refreshed, some attributes may be preserved
# by copying their values from the original credential into the new
# credential.  This stanza is used to control which attributes are preserved and
# which are refreshed. The attribute name patterns are case-insensitive wild
# card patterns that are used to select attributes.
#
# Order is important.  The first pattern which matches a given attribute
# will decide whether the attribute is preserved or refreshed.  If no
# pattern matches an attribute, then the attribute will be refreshed.
#
# Format is one of:
#   <attribute-name-pattern> = preserve
#   <attribute-name-pattern> = refresh
#
authentication_level = preserve
tagvalue_* = preserve

[gso-cache]
#----------------------
# GSO CACHE
#----------------------

# GSO cache configuration.
# gso-cache-enabled must be set to 'yes' before the other parameters
# will take effect.
gso-cache-enabled = no

# Cache size (number of entries)
gso-cache-size = 1024

# Cache entry lifetime (in seconds)
gso-cache-entry-lifetime = 900

# Cache entry idle timeout (in seconds)
gso-cache-entry-idle-timeout = 120


[ltpa-cache]
#----------------------
# LTPA CACHE
#----------------------

# LTPA cache configuration.
# The ltpa-cache-enabled entry must be set to 'yes' before
# the other ltpa parameters will take effect.
ltpa-cache-enabled = yes

# Cache size (number of entries)
ltpa-cache-size = 4096

# Cache entry lifetime (in seconds)
ltpa-cache-entry-lifetime = 3600

# Cache entry idle timeout (in seconds)
ltpa-cache-entry-idle-timeout = 600


###############################
# AUTHENTICATION
###############################
[ba]
#----------------------
# BASIC AUTHENTICATION
#----------------------

# Enable authentication using the Basic Authentication mechanism
# One of <http, https, both, none>
ba-auth = none

# Realm name.  This is the text that is displayed in the
# browser's dialog box when prompting the user for login data.
# By default, the string 'Access Manager' is used.
#basic-auth-realm = Access Manager

# IMPORTANT:
# If forms authentication is enabled for a particular transport,
# the basic authentication settings for that transport will be ignored.

[forms]
#----------------------
# FORMS
#----------------------

# Enable authentication using the forms authentication mechanism
# One of <http, https, both, none>
forms-auth = https

# IMPORTANT:
# If forms authentication is enabled for a particular transport,
# the basic authentication settings for that transport will be ignored.

# If a forms login request is received with either an empty user name or
# an empty password, then WebSEAL will return the login form without
# stating an error. If it is prefered that an error message is displayed,
# then set this value to true. In this case, WebSEAL will attempt to
# authenticate the user, and if the values have 0 length, the registry
# will return the appropriate error.
allow-empty-form-fields = false

[spnego]
#----------------------
# SPNEGO
#----------------------

# Enable authentication using the SPNEGO authentication mechanism
# One of <http, https, both, none>
spnego-auth = none

# IMPORTANT:
# If forms authentication is enabled for a particular transport,
# the SPNEGO authentication settings for that transport will be ignored.

# SPNEGO authentication provides a principal name of the form
# "shortname@domain.com".  By default, TAM uses only the shortname
# as the TAM user-id.  If this parameter is set to yes, then TAM will
# include the domain as part of the TAM user-id.
#
# Example:
#   SPNEGO authentication provides principal name: user@example.com
#   If this parameter is no: the TAM user-id is "user"
#   If this parameter is yes: the TAM user-id is "user@example.com"
#
# Note that this configuration option has no effect if Active
# Directory Multi Domain is being used as the TAM user registry.  For
# AD MD, the domain name is always included as part of the TAM user-id.
use-domain-qualified-name = no

#
# List of kerberos service-principal-names (SPNs) for the server.  This is only
# used on UNIX platforms.  Each principal name must have the form
# HTTP@<hostname>, where hostname is the DNS name browsers will use to contact
# the web server.
#
# The SPN used for SPNEGO authentication depends on the whether the client is
# accessing a traditional WebSEAL junction or a transparent junction.  For
# traditional WebSEAL junctions, the first SPN in the list is always used.
# For transparent junctions, WebSEAL first searches for an SPN that matches
# the hostname the client used to connect to WebSEAL.  If no matching SPN is
# found, then the first SPN from the list will be used instead.
#
# In most cases the hostname used here should be fully qualified.
#
# Format is:
#   spnego-krb-service-name = HTTP@<host-one.example.com>
#   spnego-krb-service-name = HTTP@<host-two.example.com>
#   ...
#
spnego-krb-service-name = <service-name>

#
# The path to the kerberos keytab file for the server.  This is only used
# on UNIX platforms.  The keytab file must contain keys for each of the
# SPNs used for SPNEGO authentication.
#

# The following files are currently available for this configuration entry:
# - <none available>

spnego-krb-keytab-file =

#
# During SPNEGO authentication the system can add the SID of the user as an
# extended attribute to the credential. This entry specifies the name of the
# attribute. This is only used on UNIX platforms.
#
# If this entry is not present, then the system does not add the SID as an
# extended attribute to the credential.
#
spnego-sid-attr-name =

[token]
#----------------------
# TOKEN
#----------------------

# Enable authentication using the token authentication mechanism
# One of <http, https, both, none>
token-auth = none

# IMPORTANT:
# If token authentication is enabled for a particular transport,
# the basic authentication settings for that transport will be ignored.

[certificate]
#----------------------
# CERTIFICATE
#----------------------

# When to accept a certificate from HTTPS clients.  Options are:
#
# never            Never request a client certificate.
#
# critical         Always request a client certificate.  If a valid certificate
#                  is not presented the SSL handshake will fail.
#
# required         Always request a client certificate.  If a valid certificate
#                  is not presented the SSL handshake will succeed and a
#                  error HTTP response will be sent back to the client.
#
# optional         Always request a client certificate.  If presented, use it.
#
# prompt_as_needed Certificates will only be prompted for and processed when
#                  certificate authentication is necessary (due to an ACL or
#                  POP check failure).
#
accept-client-certs = never

# IMPORTANT
# If this is set to 'required', all other authentication
# settings are ignored for HTTPS clients

#----------------------
# CERTIFICATE SSL ID CACHE SETTINGS
#----------------------
# A cache is necessary to store the SSL IDs of sessions that require a
# certificate exchange. This cache is only required when accept-client-certs =
# prompt_as_needed.

# The maximum number of concurrent entries in the Certificate SSL ID cache
# This corresponds to the number of concurrent certificate logins.
# Setting this to zero will allow unlimited cache size.
cert-cache-max-entries = 1024

# Maximum lifetime (in seconds) for an entry in the Certificate SSL ID cache.
# Setting this to zero allows entries the cache to fill without expiry until the
# cache contains the number of entries specified by cert-cache-max-entries.
# After that point, entries are expired according to a least recently used
# algorithm.
cert-cache-timeout = 120

# This controls the number of times WebSEAL will attempt to authenticate
# a client using certificates before assuming the client cannot provide
# a certificate.  A value of 5 is recommended because most browsers will
# maintain a maximum of 4 TCP connections to a Web server.  (Each attempt
# to prompt a client for certificate authentication will cause a TCP
# connection to be closed, and if all active TCP connections to a browser
# have been closed then the browser is probably unable to provide client
# certificate authentication.)  Values less than 2 or greater than 15 are
# not permitted.  This value is not used unless accept-client-certs =
# prompt_as_needed.
cert-prompt-max-tries = 5

# When disable-cert-login-page is set to "yes" the initial login form with
# an option to prompt for certificate will not be presented. WebSEAL will
# instead bypass this and directly prompt for the certificate.
disable-cert-login-page = no

# When accept-client-certs is set to "prompt_as_needed" this option causes
# the client (browser) to be redirected to another HTTPS port on the WebSEAL
# server, using the same host name.  The other port must be on an interface
# configured with accept-client-certs = "required".  The redirection occurs
# from certlogin.html and stepuplogin.html when the certificate login button is
# pressed.  This option also provides the SECONDARY_BASE macro which is
# provided for certlogin.html and setuplogin.html to allow redirection to
# the secondary port for authentication using certificates. It is of the form
#   HTTPS://%HOSTNAME%:<secondary-port>
# If not set, or set to zero, this feature is disabled and the SECONDARY_BASE
# macro is set to the empty string.
secondary-port = 0

# This option is for when secondary-port and is enabled for prompt_as_needed
# and use-secondary-listener is enabled for the interface providing the
# secondary-port.  When these are enabled and the browser provided certificate
# fails to map to a valid user, enabling this option will cause WebSEAL to
# redirect the browser back to the original interface (port) to output the
# cert-failure error message.
secondary-fail-redirect = no

#----------------------
# External Authentication Interface (EAI) settings
#----------------------

#
# The resource identifier of the application which will be invoked
# to perform the certificate authentication.  This URI should be relative
# to the root web space of the WebSEAL server.  If this configuration entry
# is not defined the standard CDAS authentication mechanism will be used to
# handle the authentication.
#
# The following additional headers will be made available in the EAI request:
#    eai_qop:    The quality-of-protection settings for the client.
#    eai_domain: The ISAM domain name.
#
#eai-uri =

#
# The client certificate data which will be passed to the EAI application.
# The format of the configuration entry will be:
#      eai-data = <data>:<header-name>
#
# The <data> component is used to indicate the data which will be included
# in the header.  It should be one of the following:
#     * Base64Certificate
#     * SerialNumber
#     * SubjectCN
#     * SubjectLocality
#     * SubjectState
#     * SubjectCountry
#     * SubjectOrganization
#     * SubjectOrganizationalUnit
#     * SubjectDN
#     * SubjectPostalCode
#     * SubjectEmail
#     * SubjectUniqueID
#     * IssuerCN
#     * IssuerLocality
#     * IssuerState
#     * IssuerCountry
#     * IssuerOrganization
#     * IssuerOrganizationUnit
#     * IssuerDN
#     * IssuerPostalCode
#     * IssuerEmail
#     * IssuerUniqueID
#     * Version
#     * SignatureAlgorithm
#     * ValidFrom
#     * ValidFromEx
#     * ValidTo
#     * ValidToEx
#     * PublicKeyAlgorithm
#     * PublicKey
#     * PublicKeySize
#     * FingerprintAlgorithm
#     * Fingerprint
#
# The <header-name> component is used to indicate the name of the HTTP
# header which will contain the data.
#
# Multiple pieces of client certificate data can be passed to the EAI
# application by including multiple 'eai-data' configuration entries.
#
# An example configuration might be:
#     eai-data = SerialNumber:eai_serial_num
#


[authentication-levels]
#----------------------
# STEP UP
#----------------------

# authentication levels
#
# Syntax:
# level = <method-name>
#
# Valid method names are:
#   unauthenticated
#   password
#   token-card
#   ssl
#   ext-auth-interface
#   ltpa
#   kerberosv5
#   oauth
#
level = unauthenticated
level = password

# IMPORTANT
# 1) You cannot step up to an authentication method that is not enabled.
#    For example, you must enable either BA or forms authentication
#    before 'level = password' in this list will have any effect.
#
# 2) POP settings are required to enable step-up authentication.
#    Please see the administration guide for details.

[step-up]
#
# The following entry determines, in the event of a step-up operation,
# whether the new user ID must match the user ID from the previous
# authentication. In the situation where verify-step-up-user = yes,
# and the user IDs do not match, an error will be presented to the user.
#
verify-step-up-user = yes

#
# The following entry allows the administrator to control what login prompts
# are shown to users when they request a resource protected by a stepup policy.
#
# If show-all-auth-prompts = yes, the login prompts for all configured
# authentication methods are shown.
#
# If show-all-auth-prompts = no, only the login prompt for the method matching
# the required authentication level is shown.
#
show-all-auth-prompts = no

#
# This configuration entry will control whether an authentication
# level/mechanism which is higher than the requested step-up level is
# allowed during a step-up operation.
#
# The default value, if no entry is specified, is 'no'.
#
step-up-at-higher-level = no


[mpa]
#----------------------
# MULTIPLEXING PROXY AGENTS
#----------------------

# Support Multiplexing Proxy Agents (yes/no)
mpa = no

[cdsso]
#----------------------
# CDSSO
#----------------------

# Accept cdsso tokens
# This will require that an authentication module is specified for
# 'sso-consume' in the 'authentication-mechanisms' stanza.
# One of <http, https, both, none>
cdsso-auth = none

# Generate cdsso tokens.
# This will require that an authentication module is specified for
# 'sso-create' in the 'authentication-mechanisms' stanza.
# One of <http, https, both, none>
cdsso-create = none

# Single sign on authentication token lifetime (in seconds)
# This mitigates clock skew between separate WebSEAL servers.
authtoken-lifetime = 180

# cdsso-argument
# This is the name of the argument containing the CDSSO token in a query string
# of a request. This is used to identify incoming requests containing
# CDSSO authentication information.
#
# Syntax:
# cdsso-argument = <argument name>
# For standard CDSSO, use PD-ID
cdsso-argument = PD-ID

# Specify if UTF-8 encoding should be used in the strings within the cdsso
# token. UTF-8 should be used when user names or credential attributes in the
# token are not encoded in the same code page as the WebSEAL server is using.
# Set to "no" if your tokens need to interoperate with environments that
# use local code page. This option only affects CDSSO tokens created and
# consumed by the default SSO create and consume libraries.
use-utf8 = yes

# When an SSO token is generated, a call is made to the Cross Domain Mapping
# Framework (CDMF) API to determine the extended attributes that must be
# encoded into the token so that the user can be correctly mapped across the
# SSO authentication.  The propagate-cdmf-errors parameter determines
# whether the failure of the cdmf_get_usr_attributes call will cause token
# creation as a whole to fail.  If propagate-cdmf-errors is set to "no"
# (default), a default attribute list will be generated if the CDMF fails
# and token creation will proceed without error.  However, if
# propagate-cdmf-errors is set to "yes", token creation will be aborted if
# the CDMF fails.
propagate-cdmf-errors = no

# cdsso-argument (PD-ID) and PD-REFERER query string arguments can be
# passed onto junctions.  When this option is set to "yes" these will be
# removed from the URI before passing the request onto the junction.
clean-cdsso-urls = no


[cdsso-peers]
# Peers that are participating in Cross Domain Single Sign On (CDSSO)
#
# Syntax:
# <fully qualified host name> = <key file location>

[cdsso-token-attributes]
#
# Credential attributes to include in CDSSO authentication tokens.
#
# This stanza defines the sets of attributes to be included in
# CDSSO authentication tokens, specified on a per-peer or
# per-domain basis.  This processing only takes place if the
# default SSO token creation and consumption libraries are
# in use.
#
# Credential attributes matching the patterns specified in this stanza
# for a target host or domain are included in CDSSO authentication tokens
# constructed for that target host or domain.  Only a single value for
# each attribute is used, and only string values are supported.  Other
# types of credential attribute values will be ignored.
#
# Patterns can be specified using shell-style wildcards.
#
# The format of these entries is:
#
#    <domain-name> = <pattern-1>
#    <domain-name> = <pattern-2>
#    <domain-name> = <pattern-n>
#
# For example:
#
#    [cdsso-token-attributes]
#    ibm.com    = attrprefix_*
#    ibm.com    = *name*
#    tivoli.com = *_attrsuffix
#    tivoli.com = some_exact_attribute
#
# A default set of attributes can be configured with a '<default>'
# entry in this stanza.  This set of attributes is used when there
# is no other entry matching a particular target host.  If the '<default>'
# entry is not present, then no attributes will be included in tokens
# by default.
#
# For example:
#
#    [cdsso-token-attributes]
#    <default>  = myattr*
#    ibm.com    = attrprefix_*
#
# If no credential attributes are required in CDSSO authentication tokens,
# then this stanza can remain empty.
#

[cdsso-incoming-attributes]
#
# Attributes to accept from incoming CDSSO authentication tokens.
#
# This stanza defines the sets of attributes to be accepted and rejected
# from incoming CDSSO authentication tokens.  Unlike the outgoing
# attributes configuration, incoming attributes cannot be configured
# on a per-peer or per-domain basis.  Only one set of attribute patterns
# can be configured, and these patterns will be applied to incoming
# tokens regardless of source.  This processing only takes place if the
# default SSO token creation and consumption libraries are
# in use.
#
# The format of entries in this stanza is:
#
#  <attribute pattern> = <preserve|refresh>
#
# Attributes in CDSSO authentication tokens that match a 'refresh' entry
# will be removed from the token before the CDMF library is called
# to map the remote user into the local domain.  Attributes matching
# a 'preserve' entry, or matching none of the entries, will be kept.
# If no entries are configured, then all attributes will be kept.
#

[failover]
#----------------------
# FAILOVER
#----------------------

# Accept failover cookies
# One of <http, https, both, none>
failover-auth = none

# Key file for failover cookie encryption
# The cdsso_key_gen utility must be used to create this file

# The following files are currently available for this configuration entry:
# - <none available>

failover-cookies-keyfile =

# The name of the cookie which will be used to house the failover token
failover-cookie-name = PD-ID

# Number of minutes that failover cookie contents are valid
failover-cookie-lifetime = 60

# Enable the failover cookie for the domain
# This allows the cookie to send back to any server within
# the same domain as WebSEAL.
enable-failover-cookie-for-domain = no

# If failover cookie for the domain is enabled
# Webseal determines the domain to use as follows
# 1) if the request is for a virtual host junction then the virtual host domain is used.
# 2) if failover-cookie-domain-from-host-header is enabled and the request contains a host
#    header then the domain from the host header is used.
# 3) if failover-cookie-domain has specified a domain then it is used.
# 4) if web-host-name has been specified (in the [server] section) then the domain from the web-host-name is used.
# 5) if none of the above then the domain is retrieved from the operating system
#
failover-cookie-domain-from-host-header = no

# Specify if UTF-8 encoding should be used in the strings within the failover
# cookie. UTF-8 should be used when user names or credential attributes in the
# cookie are not encoded in the same code page as the WebSEAL server is using.
# Set to "no" if your cookies need to interoperate with environments that
# use local code page.
use-utf8 = yes

# The integer number of seconds that pass between updating the failover cookie's
# last activity timestamp. With each request, if n seconds have passed since the
# last cookie update, and last activity timestamps are configured to be
# inserted in failover cookies, another update will occur.
# A zero value will cause the last activity timestamp in the failover cookie
# to be updated with each request.
# Negative values will cause the last activity timestamp in the cookie to never
# be updated.
failover-update-cookie = -1

# Enable validation of session lifetime and activity timestamp attributes of
# incoming failover cookies. Settings are:
#   no:  The timestamp is not required, but if it exists and is invalid,
#        failover authentication will fail.
#   yes: If the timestamp is invalid or missing, failover authentication
#        will fail.
failover-require-lifetime-timestamp-validation = no
failover-require-activity-timestamp-validation = no

# Include the user's session ID as an attribute of the failover cookie to
# enable non-sticky failover. Non-sticky failover allows users to authenticate
# to multiple WebSEAL replicas without being issued new session cookies for
# each failover occurrence.
#
# To enable non-sticky failover functionality, the following options must
# be set; WebSEAL will report a startup error and fail to start if any
# of the settings below are incorrect.
#   - In [session], set ssl-id-sessions = no
#   - Enable the following settings:
#     - In [failover-add-attributes],
#           tagvalue_failover_amweb_session_id = add
#     - In [failover-restore-attributes],
#           tagvalue_failover_amweb_session_id = preserve
#     - In [credential-refresh-attributes],
#           tagvalue_failover_amweb_session_id = preserve
#     - Wildcard patterns in the above 3 settings are allowed.
failover-include-session-id = no

# Resend the failover cookie if it is missing from the request
# In certain environments clients may "lose" the failover cookie.
# If this configuration option is set to yes then WebSEAL will
# automatically resend the failover cookie if the client does
# not present it.
reissue-missing-failover-cookie = no

[failover-add-attributes]
# Specify which attributes from the credential to store in a failover cookie.
#
# The format for attributes to add to the failover cookie is:
#    <attribute pattern> = add
# where <attribute pattern> is a case-insensitive wild card pattern.
#
# The AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD attributes
# will always be added to the failover cookie, regardless of the
# entries in this stanza.
#
#tagvalue_failover_amweb_session_id = add

[failover-restore-attributes]
# Specify which attributes to put in the new credential when recreating a
# credential from a failover cookie.  This stanza is used to control which
# attributes are preserved and which are refreshed.

# The attribute name pattern are case-insensitive wild card patterns that are
# used to select attributes.
#
# Order is important. Rules that appear earlier in either failover-attribute
# stanza take precedence over those that appear later in the stanza. If an
# attribute does not match any of the rules, it will not be considered for
# special handling.
#
# The format for adding attributes from the cookie (if present) to the new
# credential is:
#   <attribute pattern> = preserve
#
# The format for explicitly ignoring failover cookie attributes (default
# behavior) for addition to the new credential is:
#   <attribute pattern> = refresh
#
# All failover cookie attributes will be ignored (for the purpose of
# adding them to a new credential) unless specified by a 'preserve' line.
#
#tagvalue_failover_amweb_session_id = preserve

[ltpa]

#----------------------
# LTPA Authentication
#----------------------

# Accept/generate LTPA cookies
# One of <http, https, both, none>
ltpa-auth = none

# The key file used when accessing LTPA cookies.  This must correspond to a
# valid LTPA key file, as generated by WebSphere.

# The following files are currently available for this configuration entry:
# - <none available>

keyfile =

# The name of the cookie which will contain the LTPA token.
cookie-name = Ltpatoken2

# The domain of the LTPA cookie.  If no cookie domain is specified the LTPA
# cookie will be created as a host-only cookie.
# cookie-domain = ibm.com

# The number of seconds that pass between updates of the LTPA cookie with the
# lifetime of the cookie.  With each request, if n seconds have passed since
# the last cookie update, another update will occur. A zero value will cause
# the lifetime timestamp in the LTPA cookie to be updated with each request.
# Negative values will cause the lifetime of the cookie to be set to the same
# value as the lifetime of the user session.  This setting is used in an
# attempt to mimic the inactivity timeout of a user session.
update-cookie = -1

# Should the full DN of the user be inserted into the generated LTPA cookie, or
# should the TAM short name of the user be inserted into the generated LTPA
# cookie.
use-full-dn = true

# The name of the cookie sent across a junction containing the LTPA
# token can be customized.
#
# This name must match the configured name in the WebSphere
# application on the junction to successfully achieve single signon.
#
# When not configured, the default values of LtpaToken or LtpaToken2
# for LTPA or LTPAv2 respectively are used.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [ltpa:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
#
# jct-ltpa-cookie-name = LtpaToken

[e-community-sso]
#----------------------
# e-COMMUNITY SSO
#----------------------
# Participate in e-community single sign on
# One of <http, https, both, none>
e-community-sso-auth = none

# The e-community name. This needs to match any vouch-for tokens or
# e-community cookies that are received.
# e-community-name = <name>

# Master authentication server settings. If is-master-authn-server
# is set to "yes " then this server will accept vouch-for requests from
# other WebSEAL instances whose domain keys are listed in the
# [e-community-domain-keys] stanza.
# is-master-authn-server = <yes/no>

# If is-master-authn-server is set to "no" then this value needs
# to be specified. If a local domain login has not already been performed then
# authentication attempts will be routed through this machine,
# which will need to vouch for a users identity.
# The domain key for the master-authn-server needs to be listed in the
# [e-community-domain-keys] stanza.
# master-authn-server = <server name>

# If e-community-sso-auth permits use of the HTTP protocol and
# the master-authn-server listens for HTTP requests on a port other
# than the standard HTTP port (port 80) then this non-standard port
# needs to be configured here. This parameter is ignored if this server
# is the master authentication server.
#
# master-http-port = <port>

# If e-community-sso-auth permits use of the HTTPS protocol and
# the master-authn-server listens for HTTPS requests on a port other
# than the standard HTTPS port (port 443) then this non-standard port
# needs to be configured here. This parameter is ignored if this server
# is the master authentication server.
#
# master-https-port = <port>


# vouch-for token lifetime in seconds. This needs to take into account clock
# skew between participants.
vf-token-lifetime = 180

# vouch-for URL designator
# This specifies the start of a URL relative to the server root. This is used
# to construct vouch-for requests by participating ECSSO servers, and to
# distinguish requests for vouch-for information from other requests by the
# MAS.
#
# '/pkmsvouchfor' is used by default
# vf-url = /pkmsvouchfor

# vouch-for argument
# This is the name of the vouch-for token (as an argument name) contained in
# a vouch-for reply.
# This is used to construct vouch-for replies by the MAS, and to distinguish
# incoming requests as ones with vouch-for information by participating ECSSO
# servers.
#
# 'PD-VF' is used by default
# vf-argument = PD-VF

# ecommunity cookie domain.  If not set WebSEAL will use the domain from the
# automatically determined hostname (or web-host-name if specified).
# ec-cookie-domain = <domain>

# ecommunity cookie lifetime, in minutes.
ec-cookie-lifetime = 300

# Enable or disable unauthenticated access with ECSSO.
# When set to no, every initial ECSSO request will require authentication.
# Default value is yes.
ecsso-allow-unauth = yes

# Specify if UTF-8 encoding should be used in the strings within the vouch-for
# token. UTF-8 should be used when user names or credential attributes in the
# token are not encoded in the same code page as the WebSEAL server is using.
# Set to "no" if your tokens need to interoperate with environments that
# use local code page.
use-utf8 = yes

# When an SSO token is generated, a call is made to the Cross Domain Mapping
# Framework (CDMF) API to determine the extended attributes that must be
# encoded into the token so that the user can be correctly mapped across the
# SSO authentication.  The propagate-cdmf-errors parameter determines
# whether the failure of the cdmf_get_usr_attributes call will cause token
# creation as a whole to fail.  If propagate-cdmf-errors is set to "no"
# (default), a default attribute list will be generated if the CDMF fails
# and token creation will proceed without error.  However, if
# propagate-cdmf-errors is set to "yes", token creation will be aborted if
# the CDMF fails.
propagate-cdmf-errors = no

# If an unauthenticated request is made with POST data, set to yes,
# this option will allow that data to be cached while the e-community
# master authenticates the user. If the option is set to no, request
# data will be lost.
cache-requests-for-ecsso = yes

# Authentication errors returned by the master-authn-server in vouch-for
# tokens are not propagated to the ERROR_CODE and ERROR_TEXT macros used
# by facilities such as local response redirect.  Setting this option to
# "yes" will propagate the errors.
ecsso-propagate-errors = no

# When the following option is set to "yes" this WebSEAL instance is stopped
# from generating or using eCommunity Cookies. In addition, if this instance
# is not acting as the MAS, WebSEAL will not respond to vouch-for requests.
# To be effective, all machines participating in the eCommunity should have
# this value set the same.
disable-ec-cookie = no

# When the following option is set to "yes" on the WebSEAL instance acting as
# the MAS, the MAS will respond locally to login failures, rather than
# redirecting the user back to the requesting slave WebSEAL instance.
handle-auth-failure-at-mas = no


[e-community-domain-keys]
# Keys for any domains that are participating in the e-community, including
# the domain in which the WebSEAL server is running.  These are shared on a
# pair-wise-by-domain basis.  The format of these entries is:
# <domain name> = <key file>

[e-community-domains]
# These are the eCommunity cookie domains used by Virtual Host junctions.  The
# domain used by a particular Virtual Host junction will be chosen by finding
# the longest domain in the table that matches the virtual hostname.
# Each of these domains must also have a corresponding table of keys defined
# by creating a stanza of the format [e-community-domain-keys:<domain>].
# The format these entries is:
# name = <domain>

#[e-community-domain-keys:<domain>]
# Keys for any domains that are participating in the e-community, including
# the domain in which the Virtual Host junction is running.  These are shared
# on a pair-wise-by-domain basis.  The format of these entires is:
# <domain name> = <key file>

[ecsso-token-attributes]
#
# Credential attributes to include in eCSSO vouch-for tokens.
#
# This stanza defines the sets of attributes to be included in
# eCSSO vouch-for tokens, specified on a per-peer or
# per-domain basis.  This processing only takes place if the
# default SSO token creation and consumption libraries are
# in use.
#
#
# Credential attributes matching the patterns specified in this stanza
# for a target host or domain are included in eCSSO vouch-for tokens
# constructed for that target host or domain.  Only a single value for
# each attribute is used, and only string values are supported.  Other
# types of credential attribute values will be ignored.
#
# Patterns can be specified using shell-style wildcards.
#
# The format of these entries is:
#
#    <domain-name> = <pattern-1>
#    <domain-name> = <pattern-2>
#    <domain-name> = <pattern-n>
#
# For example:
#
#    [ecsso-token-attributes]
#    ibm.com    = attrprefix_*
#    ibm.com    = *name*
#    tivoli.com = *_attrsuffix
#    tivoli.com = some_exact_attribute
#
# A default set of attributes can be configured with a '<default>'
# entry in this stanza.  This set of attributes is used when there
# is no other entry matching a particular target host.  If the '<default>'
# entry is not present, then no attributes will be included by default.
#
# For example:
#
#    [ecsso-token-attributes]
#    <default>  = myattr*
#    ibm.com    = attrprefix_*
#
# If no credential attributes are required in eCSSO vouch-for tokens,
# then this stanza can remain empty.
#


[ecsso-incoming-attributes]
#
# Attributes to accept from incoming eCSSO vouch-for tokens.
#
# This stanza defines the sets of attributes to be accepted and rejected
# from incoming eCSSO vouch-for tokens.  Unlike the outgoing
# attributes configuration, incoming attributes cannot be configured
# on a per-peer or per-domain basis.  Only one set of attribute patterns
# can be configured, and these patterns will be applied to incoming
# tokens regardless of source.  This processing only takes place if the
# default SSO token creation and consumption libraries are
# in use.
#
# The format of entries in this stanza is:
#
#  <attribute pattern> = <preserve|refresh>
#
# Attributes in eCSSO vouch-for tokens that match a 'refresh' entry
# will be removed from the token before the CDMF library is called
# to map the remote user into the local domain.  Attributes matching
# a 'preserve' entry, or matching none of the entries, will be kept.
# If no entries are configured, then all attributes will be kept.
#


[reauthentication]
#----------------------
# REAUTHENTICATION
#----------------------

# Prompt users to reauthenticate if their entry in the WebSEAL
# credential cache has timed out due to inactivity
#
# If set to 'no', entries in the cache will be deleted when the
# inactivity timeout is reached.
#
# If set to 'yes', entries in the cache will be retained until the
# cache lifetime timeout is reached.  If the inactivity timeout has
# been reached and the client makes another request before the cache
# lifetime timeout is reached, they will be prompted to reauthenticate.
reauth-for-inactive = no

# Should the authenticated credential be replaced with an unauthenticated
# credential for the processing of a request when the session becomes
# inactive?  This configuration entry will control the user identity
# information which appears in the log file, and the user identity information
# which can be inserted into the HTTP stream, whilst the session is inactive.
# It will not affect the single-sign-on information (e.g. iv-creds) whilst
# the session is inactive.
replace-inactive-cred = yes

# Reset the lifetime timer for WebSEAL credential cache entries
# following successful reauthentication.
# This applies to reauthentication resulting from either inactivity or
# from security policy
reauth-reset-lifetime = no

# Time in seconds that the credential cache entry lifetime timer should
# be extended to allow clients to complete a reauthentication.
# A value of 0 indicates that the lifetimer timer will not be extended.
# This applies to any clients who are required to log in who
# already have an existing cache entry, including clients stepping up and
# clients performing reauthentication resulting from either inactivity or
# from security policy.
reauth-extend-lifetime = 0

# When the user registry policy setting max-login-failures is set and the
# maximum number of reauthentication login failures is reached the login
# session will be terminated if this option is enabled.
terminate-on-reauth-lockout = yes

# This configuration entry will control whether a different authentication
# level/mechanism is allowed during a reauthentication operation.  Please
# note that if the configuration option is set to 'yes' the credential
# could change during the lifetime of the session, potentially more than
# once.
#
# The default value, if no entry is specifed, is 'no'.
reauth-at-any-level = no

[eai]
#----------------------
# EXTERNAL AUTHENTICATION INTERFACE
#----------------------

# Enable EAI authentication.
#
# One of <http, https, both, none>
eai-auth = none

# EAI HEADER NAMES

# If eai-auth is not 'none', and WebSEAL has received a trigger URL
# in a request, WebSEAL will examine the corresponding server response for
# the following headers.  These are the headers that will contain authentication
# data used to authenticate the user.

# EAI PAC header names
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc

# EAI USER ID header names
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs

# EAI external USER ID header names
# The eai-ext-user-id-header takes precedence over the eai-user-id-header.
# If the authentication data that is presented to WebSEAL includes both headers,
# WebSEAL will process it as an authentication for an external user.
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups

# EAI COMMON header names
eai-redir-url-header = am-eai-redir-url

# Determines whether the redirect URL contained within the EAI response takes
# priority over all other EAI redirect options.  If set to true the redirect
# URL contained in the EAI response will take priority.
eai-redir-url-priority = false

# The name of the header which is used to 'flag' the authentication
# response with extra processing information.  The supported flags
# (.i.e. header values) include:
#    - stream: Used to indicate that the authentication response should
#              be streamed back to the client.
eai-flags-header = am-eai-flags

# The session identifier from a distributed session can also be supplied
# through the EAI interface.  Upon receiving a header which contains the
# distributed session identifier, WebSEAL will retrieve the corresponding
# session and use this session for subsequent requests.  This header
# provides the mechanism by which distributed sessions (aka DSC sessions)
# can be shared across multiple DNS domains.
eai-session-id-header = am-eai-session-id

# RETAIN EAI SESSION
# If an already-authenticated EAI client authenticates via an EAI a second
# time, the existing session and cache entry are completely replaced by
# default.  If retain-eai-session = yes, then the existing session and
# cache entry will be retained, and the credential and relevant data will
# be updated in the existing cache entry.
retain-eai-session = no

#
# The following entry determines, in the event of a subsequent EAI
# authentication, whether the new user identity must match the user
# identity from the previous authentication. In the situation where
# eai-verify-user-identity = yes, and the user identities do not
# match, an error will be presented to the user.
#
eai-verify-user-identity = no

# The following configuration entry is used to determine whether multiple
# extended attribute headers of the same name are added to the credential as
# a multi-valued attribute, or a single comma-delimited attribute.
eai-create-multi-valued-attributes = no

# The following configuration entry is used to determine whether
# extended attributes replace credential attributes of the same name
# or are appended as additional values.
eai-replace-cred-attributes = no

# EAI TRIGGER URLS
[eai-trigger-urls]
# If eai-auth is not 'none', then WebSEAL will examine the URLs of incoming
# requests to determine if they match one of the entries in this list.
# If they do, then WebSEAL will examine the corresponding server response to
# determine if it contains authentication data.
#
# NOTE: If eai-auth is not 'none', there must be at least one entry in this list
#
# The URL string patterns are case-sensitive wild card patterns.
#
# Format for regular WebSEAL junctions is:
#   trigger = <URL pattern of EAI server response>
#
# Format for Virtual Host junctions is:
#   trigger = HTTP[S]://virtual-host-name[:port]/<URL pattern of EAI server response>
#
# For Virtual Host junctions to match a trigger they must also have the same
# protocol (HTTP[S] = TCP/SSL) and have the same virtual-host-name & port as
# the trigger.  The virtual-host-name match is case-insensitive.
#
# Regular WebSEAL junction triggers are not used by Virtual Host junctions.
# Virtual Host junction triggers are not used by regular WebSEAL junctions.


[ssl-qop]
#----------------------
# SSL QUALITY OF PROTECTION MANAGEMENT
#----------------------

# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = yes

# Legal cipher values for qop in the following stanzas are:
# NONE, ALL, NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168,
# RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256
#
# Specific cipher names can also be used.  This can be useful when the qop
# cipher group aliases above do not include a required cipher.  When a cipher
# is enabled it will be used with all enabled versions of SSL & TLS that
# support the cipher.
# The following is a list of available cipher names:
#   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA,
#   TLS_DHE_PSK_WITH_AES_128_CCM_8, TLS_DHE_PSK_WITH_AES_128_CCM,
#   TLS_DHE_PSK_WITH_AES_256_CCM_8, TLS_DHE_PSK_WITH_AES_256_CCM,
#   TLS_DHE_RSA_WITH_AES_128_CCM_8, TLS_DHE_RSA_WITH_AES_128_CCM,
#   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CCM_8,
#   TLS_DHE_RSA_WITH_AES_256_CCM, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
#   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
#   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
#   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
#   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
#   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
#   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
#   TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_PSK_WITH_AES_128_CCM_8,
#   TLS_PSK_WITH_AES_128_CCM, TLS_PSK_WITH_AES_256_CCM_8,
#   TLS_PSK_WITH_AES_256_CCM, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
#   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
#   TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
#   TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
#   TLS_RSA_WITH_AES_128_CCM_8, TLS_RSA_WITH_AES_128_CCM,
#   TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
#   TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CCM_8,
#   TLS_RSA_WITH_AES_256_CCM, TLS_RSA_WITH_AES_256_GCM_SHA384,
#   TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_MD5,
#   TLS_RSA_WITH_NULL_NULL, TLS_RSA_WITH_NULL_SHA,
#   TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA,
#   TLS_RSA_WITH_NULL_SHA256, SSL_CK_RC4_128_WITH_MD5,
#   SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5,
#   SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5,
#   SSL_CK_DES_192_EDE3_CBC_WITH_MD5, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
#   TLS_ECDHE_RSA_WITH_NULL_SHA,
#
# Notes:
# - NONE = No SSL connection allowed.
# - NULL = Unencrypted SSL connection allowed.
# - ALL = All types of SSL connections allowed.
# - There maybe multiple cipher/MAC made available to the connection
#   for a given qop cipher selection.  These will still have the same
#   encryption bit strength, just different MAC methods (SHA1 or MD5).
# - RC2-128 is only available with SSLv2. If it is the only cipher selection
#   webseald will disable SSLv3 and TLSv1 for the affected connection.
# - NULL, FIPS-DES-56, FIPS-DES-168, RC4-56, AES-128, and AES-256 are
#   only available with SSLv3 and TLSv1.  If they are the only ciphers
#   available to a given connection, SSLv2 will be disabled for the
#   affected connection.
# - AES Support is determined automatically by GSKit based on
#   the base-crypto-library setting.  AES-128 and AES-256 are only
#   available if AES Support is enabled by GSKit, else they will be
#   ignored.
# - FIPS-DES-56 and FIPS-DES-168 are only available when
#   fips-mode-processing is enabled (set to yes), otherwise they will
#   be ignored.

# host ssl qop
[ssl-qop-mgmt-hosts]

# networks ssl qop
[ssl-qop-mgmt-networks]

# default ssl qop
[ssl-qop-mgmt-default]
default = AES-128
default = AES-256

[oauth]

# Enable authentication using Open Authorization (OAuth) mechanism.
# One of <http, https, both, none>
#
# The OAuth authentication mechanism should be considered only as part of a
# Mobile scenario, where a session can be established based on the Bearer
# token in the Authorization Header.
oauth-auth = none

# The Provider ID of the default OAuth federation. If a Provider ID is not
# provided in the request using the fed-id-param option, this provider ID will
# be used for OAuth requests. The Provider ID of a federation can be found on
# the federation properties page.
default-fed-id = https://localhost/sps/oauthfed/oauth10

# The name of the request parameter that can be used to override the
# default-fed-id option configured above. By deleting this configuration
# option, you can enforce that the default fed id is always used.
fed-id-param = FederationId

# The name of the TFIM cluster which houses this OAuth service.  There should
# also be a corresponding [tfim-cluster:<cluster>] stanza which contains the
# definition of the cluster.
cluster-name = oauth-cluster

# The name of the attribute within the RSTR response whose value is to be used
# as the user identity when creating the session credential.
user-identity-attribute = username

# By default the OAuth scope attribute is provided as a single comma separated
# string. By enabling this configuration option the scope attribute will instead
# be provided as a multivalue attribute.
multivalue-scope = false


# The following configurations can be used to authenticate the user with an
# alternative method.  This allows external users to use oauth-auth.

# The name of the attribute within the RSTR response which contains a
# credential PAC. A PAC will take precedence over all other authentication data.
# Remove this configuration entry if you do not want to allow authentication to
# occur via a PAC.
pac-attribute = am-pac

# The name of the attribute within the RSTR response whose value is to be used
# as the user identity when creating the session credential.  The supplied user
# identity is not expected to exist within the ISAM user registry.  Remove this
# configuration entry if you do not want to allow authentication using an
# external user identity.
external-user-identity-attribute = am-ext-user-id

# The name of the attribute within the RSTR response which will contain group
# information for the external user.
external-group-attribute = am-ext-user-groups

# Should we continue processing the request, and try additional authentication
# mechanisms, if an invalid authorization header has been supplied with the request.
continue-on-auth-failure = false

[tfim-cluster:oauth-cluster]

#
# This stanza contains definitions for a particular cluster of TFIM
# servers.
#

#
# A specification for the server which is used when communicating with a
# single TFIM server which is a member of this cluster.  Values for this
# entry are defined as follows:
#
#       {[0-9],}<URL>
#
# Where the first digit (if present) represents the priority of the server
# within the cluster (9 being the highest, 0 being lowest).  If the priority
# is not specified, a priority of 9 is assumed.  The <URL> can be any
# well-formed HTTP or HTTPS URL.
#
# Multiple server entries can be specified for failover and load balancing
# purposes.  The complete set of these server entries defines the
# membership of the cluster for failover and load balancing.
#
# server = 9,http://tfim.example.com/TrustServerWST13/services/RequestSecurityToken


#
# The maximum number of cached handles, used when communicating with TFIM.
#
handle-pool-size = 10

#
# The length of time, in seconds, before an idle handle will be removed
# from the handle pool cache.
#
handle-idle-timeout = 240

#
# The length of time, in seconds, to wait for a response from TFIM.
#
timeout = 240

#
# The following configuration entries are optional and can be used if the TFIM
# server has been configured to require basic authentication.  If these
# entries are left blank no basic authentication header will be provided when
# communicating with the TFIM server.
#
#
# The name of the user for the basic authentication header.
#
basic-auth-user =

#
# The following SSL entries are optional and are only required if:
#    1. At least one server entry indicates that SSL is to be used (i.e.
#       starts with https:)
#    2. A certificate is required other than that which is used by this server
#       when communicating with the policy server (details of the
#       default certificate can be found in the [ssl] stanza of this
#       configuration file.
#
# If these entries are required and are not found within this stanza, the
# default [ssl] stanza will be searched.
#
#
# The name of the key database file which houses the client certificate to be
# used.
#
# ssl-keyfile =

#
# The name of the password stash file for the key database file.
#
# ssl-keyfile-stash =

#
# The label of the client certificate within the key database.
#
# ssl-keyfile-label =

#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted.  If no entry is configured
# all DN's will be considered to be valid.  Multiple DN's can be specified by
# including multiple configuration entries of this name.
#
# ssl-valid-server-dn =

#
# The entry controls whether FIPS communication is enabled with TFIM or
# not.  If no configuration entry is present the global FIPS setting (as
# determined by the TAM policy server) will take effect.
#
# ssl-fips-enabled =


##################################
# SESSION
##################################
[session]

#----------------------
# SESSION CACHE SETTINGS
#----------------------

# The maximum number of concurrent entries in the credential cache
# This corresponds to the number of concurrent logins.  The value
# WebSEAL actually uses might be slightly more than what is specified here.
# Refer to the WebSEAL Administration Guide for details.  To customise this
# value for authenticated or unauthenticated sessions simply add an
# additional configuration entry, prefixed by 'auth' or 'unauth', e.g.
#   unauth-max-entries = 1024
max-entries = 4096

# Maximum lifetime (in seconds) for an entry in the credential cache
# Setting this to zero allows entries the cache to fill without expiry until the
# cache contains the number of entries specified by max-entries. After that
# point, entries are expired according to a least recently used algorithm.
# To customise this value for authenticated or unauthenticated sessions
# simply add an additional configuration entry, prefixed by 'auth' or
# 'unauth', e.g.
#   unauth-timeout = 600

timeout = 3600

# Lifetime (in seconds) of inactive entries in the credential cache.
# To disable, set to 0.   To customise this value for authenticated or
# unauthenticated sessions simply add an additional configuration entry,
# prefixed by 'auth' or 'unauth', e.g.
#   unauth-inactive-timeout = 300

inactive-timeout = 600

# Use the temp-session-max-lifetime entry to set the maximum lifetime (in seconds)
# of entries in the temporary session cache.
#
# The temporary session cache is a short-lived session cache. WebSEAL
# uses this cache to create an intermediate session mapping when switching between
# different client contexts that share the same persistent cookie jar. For example,
# when sharing a session between Internet Explorer and Microsoft Office
# applications.
#
# To disable the use of the temporary session cache, set the value of this entry to 0.
# A value of 0 effectively disables session sharing between different client contexts.
temp-session-max-lifetime = 0

# The temp-session-one-time-use configuration entry controls whether an entry
# which is in the temporary session cache can be accessed a single time only,
# or whether it can be accessed multiple times.  If this configuration entry
# is set to false the session will need to time out (based on the
# temp-session-max-lifetime configuration entry) before the session entry is
# invalidated and removed from the cache.
temp-session-one-time-use = false

# The temp-session-cookie-name entry is used to identify a temporary session cookie
# created for allowing session sharing between different client contexts.
#
# This temporary cookie name will be set as part of the initial response to a
# /pkmstempsession management page request and read subsequently off the next
# request coming into WebSEAL.
#
# This entry should be used in conjunction with a positive value in temp-session-max-lifetime
# entry described above.
temp-session-cookie-name = PD-H-TMP-SESSION-ID

# The temp-session-overrides-unauth-session configuration entry is used to
# control the precedence if both a temporary session cookie and a 'real'
# session cookie, is provided in a request.  A value of yes would mean that
# a temporary session would take precedence over an existing unauthenticated
# session (but not an authenticated session), and a value of no would mean
# that the temporary session cookie would be ignored.
temp-session-overrides-unauth-session = no

#----------------------
# SSL CLIENT SESSIONS
#----------------------

# Use the SSL ID to maintain a user's HTTPS login session.
ssl-id-sessions = no

#----------------------
# SHARING SESSIONS
#----------------------

# Use the same session for SSL and HTTP clients.  This means that a client
# having authenticated via HTTP will still be authenticated when connecting
# via HTTPS and vice versa.
#
# A consequence of setting this to 'yes' is that the ssl-id-sessions
# parameter will be ignored, because HTTP clients cannot use the SSL ID
# to maintain sessions.
use-same-session = no

# Enable a cookie based session to be shared across all standard and virtual
# host junctions on a single WebSEAL instance.  This is achieved through
# enabling the WebSEAL instance to store a single session key as an
# independent value in a multi-valued domain cookie, indexed by the instance
# name. The domain cookie itself is shared across all participating WebSEAL
# instances, but the session values are specific to each instance.
#
# If WebSEAL exists in an environment where the DSC already handles single
# sign-on across domains, do not enable this configuration item.
# shared-domain-cookie = yes

#----------------------
# SESSION COOKIE NAMES
#----------------------

# These parameters control the names of the cookies WebSEAL will use for
# session IDs.  The names of the cookies should be alphanumeric, and each
# cookie must have a different name.  To use the same cookie for both TCP
# and SSL connections use the [session]use-same-session configuration
# option.
tcp-session-cookie-name = PD-H-SESSION-ID
ssl-session-cookie-name = PD-S-SESSION-ID

#----------------------
# SENDING SESSION COOKIES
#----------------------

# Send the WebSEAL cookies with every response.  Use in environments where:
#   1) Cookies are used to maintain sessions with clients
#   2) Applications place many in-memory cookies per domain on client systems.
# This helps ensure that the WebSEAL cookies remain in the browser memory in
# such environments.
resend-webseal-cookies = no

# Remove the WebSEAL session cookie on logout
logout-remove-cookie = no

# Should the original session cookie be sent to junctioned Web servers along
# with the current session cookie?  This configuration entry will only
# take effect if the current session cookie is being sent down the
# junction, as defined by the '-k' junction create flag.  The name used for
# this session cookie will be based on the name of the current session cookie,
# appended with '_2'.  For example, if tcp-session-cookie-name is set as
# 'PD-H-SESSION-ID', the name of the original session cookie will be
# 'PD-H-SESSION-ID_2'.
send-constant-sess = no

#----------------------
# USER SESSION IDS
#----------------------
# Enable/disable the creation and handling of user session ids.
user-session-ids = no

# Include the replica set name in the user session ID.  If set to "yes"
# then the user-session-id will include the replica set.  If set to "no"
# then WebSEAL will not include the replica set in the user-session-id,
# and will assume that all user-sessions specified in the "terminate session"
# command belong to the standard junction replica set.
user-session-ids-include-replica-set = yes

#----------------------
# DISTRIBUTED SESSION MANAGEMENT
#----------------------
# These entries together with the "dsess" stanza control how WebSEAL uses the
# DSC to store and manage sessions.

# Enable/disable use of the DSC.  If this is set to yes the "dsess" stanza
# must have information about how to communicate with the DSC.
dsess-enabled = no

# If set to "yes", then WebSEAL will use the DSC to make sure that users
# do not have more sessions than the max-concurrent-web-sessions policy
# allows.  If set to "no" WebSEAL will not enforce the policy.  This
# entry is ignored unless WebSEAL is using the DSC for session storage.
enforce-max-sessions-policy = yes

# If set to "yes" then WebSEAL will prompt users before automatically
# displacing old sessions using the same user-id.  If set to "no" then
# WebSEAL will automatically log out the old sessions.  This entry
# only applies when the max-concurrent-web-sessions policy for the user
# is set to 'displace'.
prompt-for-displacement = yes

# The frequency with which WebSEAL will update the session last
# access time at the DSC.  This value is only used if reauth-for-inactive
# is set to yes.  Smaller values offer more accurate inactivity
# timeout tracking, at the expense of sending updates to the DSC
# more frequently.  Values of less than 1 second are not permitted.
#
# Example: if inactive-timeout is 600 seconds and
# dsess-last-access-update-interval is 60 seconds, the user's session may
# be flagged as 'inactive' at the DSC anywhere between 540 seconds and
# 600 seconds after their last access to the WebSEAL server.
dsess-last-access-update-interval = 60

# The DSC replica set to use for sessions created when users access standard
# WebSEAL junctions.  Virtual host junctions will use the replica set
# specified with the "-z" option when the virtual host junction is
# created.
standard-junction-replica-set = default

# Require Multiplexing Proxy Agent for HTTP Header Session Keys and
# HTTP Header authentication tokens.
#
# The use of an HTTP header as a session identifier or as an authentication
# token carries a measure of risk that the header can be spoofed or stolen.
# It is strongly recommended that headers only be accepted when proxied
# through an authenticated channel.  A 'yes' setting means that HTTP headers
# will not be valid session keys or authentication tokens unless received via
# an MPA.  Please see the WebSEAL Administration Guide for more details
# regarding MPAs.
require-mpa = yes

# Should sessions be established for access to unprotected resources?  This
# configuration item is useful when a consistent session identifier is
# required for clients as they transition from unauthenticated to
# authenticated.
create-unauth-sessions = no

#
# In some circumstances, you might not want the requests for a particular
# resource to affect the inactivity timeout for a session. For example, you
# might want to preserve the inactivity timeout when a server is polled by
# an Ajax script running in the background of a client browser.
#
# The following configuration entry can be used to designate the resources
# which, when accessed, should not impact the inactivity timeout for the
# session.
#
# A comparison will be performed against either the full HTTP request line or
# the decoded URI (controlled by the preserve-inactivity-timeout-match-uri
# configuration entry). If a match is found the inactivity timeout for the
# session will not be affected by the request.
#
# If a pattern has been specified using this configuration entry the legacy
# preserve-inactivity-time POP functionality will be disabled.
#
# Multiple patterns can be specified by including multiple configuration entries
# of the same name.
#
# You also have the option of matching a request using a host header, useful
# when selectively enabling this functionality for  a particular virtual host
# junction.  To selectively match an entry based on a particular host header
# the configuration entry should be prepended with the string: [<host>].
#
# Example:
#    preserve-inactivity-timeout = /jct/robot/*
#    preserve-inactivity-timeout = [www.ibm.com]/robot/*
#
preserve-inactivity-timeout =

#
# The following configuration entry is used to control whether the
# patterns specified by the preserve-inactivity-timeout configuration entry
# are matched against the decoded URI from the request, or against the full
# request line.  The match will take place against the decoded URI if this
# configuration entry is set to true, otherwise the match will take place
# against the full request line.
#
preserve-inactivity-timeout-match-uri = true

#
# The following configuration entry is used to designate the
# client identifier for the session.  This identifier will be
# added to the credential as the 'client_identifier' attribute
# and will be validated on subsequent requests to ensure that
# the client does not change.
#
# The supported options for this configuration entry include:
#   CLIENT_IP:       The client IP address from the network
#                    connection will be used as the identifier.
#   HTTPHDR{<name>}: The contents of the HTTP header, identified
#                    by '<name>', will be used as the client
#                    identifier.  If the HTTP header is missing on
#                    the initial request no identifier will be added
#                    for the session.  For example:
#                      HTTPHDR{X-Forwarded-For}
#
# Please note that if failover cookies are used the 'client_identifier'
# credential attribute should be added to the
# [failover-add-attributes] and [failover-restore-attributes] stanzas
# so that the client identifier can persist across a failover event.
#

client-identifier =

[session-http-headers]
#----------------------
# HTTP HEADER SESSION KEYS
#----------------------
#
# List any HTTP headers which will contain a session key on a per-transport
# basis.  The same header can be listed for both transports if desired.
#
# Only the first matching header found in a request will be used.
#
# If ssl-id-sessions = yes, then this stanza will be ignored.
# The exception to this is if MPA support is enabled.
#
# WebSEAL will first look for a session cookie before continuing to look
# for HTTP headers from this list.
#
# The use of http headers as session keys is affected by the setting of
# require-mpa, see the comments above the require-mpa entry for more
# information.
#
# This list should contain no more than 20 entries per transport.
# Do not include the colon (:)
#
# Format is one of:
#   <header> = http
#   <header> = https

##################################
# REPLICA SETS
##################################
[replica-sets]
# If WebSEAL is configured to use the DSC for session storage the
# WebSEAL server will join each of the replica sets listed in this
# stanza.  The entries listed here must be replica sets configured
# on the DSC.

# Example entries:
# replica-set = <replica-set-one>
# replica-set = <replica-set-two>

##################################
# DISTRIBUTED SESSIONS
##################################
[dsess]

# The maximum number of session ID's that are pre-allocated within the replica
# set.  This configuration parameter will not affect WebSEAL performance
# and should not be modified.

dsess-sess-id-pool-size = 125

#
# The name of the DSC cluster to which this DSC server belongs.
# This field must be defined and reference an existing dsess-cluster stanza
# qualified by the value of this entry.
#
#
# dsess-cluster-name = dsess

[dsess-cluster]

#
# The dsess-cluster stanza contains all of the defaults for a definition of
# a cluster of DSC (distributed session) servers.
#

#
# A specification for a single DSC server which is a member of this
# cluster.  Values for this entry are defined as follows:
#
#       {[0-9],}<URL>
#
# Where the first digit (if present) represents the priority of the server
# within the cluster (9 being the highest, 0 being lowest).  If the priority
# is not specified, a priority of 9 is assumed.  The <URL> can be any
# well-formed HTTP or HTTPS URL.
#
# Multiple server entries can be specified for failover and load balancing
# purposes.  The complete set of these server entries defines the
# membership of the cluster.
#
# server = 9,http://sms.example.com/DSess/services/DSess


#
# The length of time to maintain a connection to the web service while
# waiting for session broadcast events.
#

response-by = 60

#
# The maximum number of cached handles, used when communicating with the DSC.
#

handle-pool-size = 10

#
# The length of time, in seconds, before an idle handle will be removed
# from the handle pool cache.
# It should not be larger than the HTTP Transport chain persistent timeout
# configured on the server which is running the DSC.
#

handle-idle-timeout = 30

#
# The length of time, in seconds, to wait for a response from the DSC.
#

timeout = 30

#
# The following configuration entries are optional and can be used if the DSC
# has been configured to require basic authentication.  If these entries are
# left blank no basic authentication header will be provided when communicating
# with the DSC.
#
#
# The name of the user for the basic authentication header.
#
# basic-auth-user = <user>
#
# The password to be used for the basic authentication header.
#
# basic-auth-passwd = <user>
#
# The following SSL entries are optional and are only required if:
#    1. At least one server entry indicates that SSL is to be used (i.e.
#       starts with https:)
#    2. A certificate is required other than that which is used by this server
#       when communicating with the policy server (details of the
#       default certificate can be found in the [ssl] stanza of this
#       configuration file.
#
# If these entries are required and not found within the [dsess-cluster]
# stanza, the default [ssl] stanza will be searched.
#
#
# The name of the key database file which houses the client certificate to be
# used.
#

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

ssl-keyfile =

#
# The name of the password stash file for the key database file.
#

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

ssl-keyfile-stash =

#
# The label of the client certificate within the key database.
#
ssl-keyfile-label =

#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted.  If no entry is configured
# all DN's will be considered to be valid.  Multiple DN's can be specified by
# including multiple configuration entries of this name.
#
# ssl-valid-server-dn =

#
# The entry controls whether FIPS communication is enabled with the DSC or
# not.  If no configuration entry is present the global FIPS setting (as
# determined by the TAM policy server) will take effect.
#
# ssl-fips-enabled =

# Configure NIST SP800-131A compliance mode.  This will have the affect of:
#   - enabling FIPS mode processing (over-riding the value of the
#     ssl-fips-enabled configuration entry);
#   - enabling TLS V1.2;
#   - enabling the appropriate signature algorithms;
#   - setting the minimum RSA key size to 2048 bytes.
#
# If no configuration entry is present the global NIST setting (as found in
# the [ssl] stanza) will be used.
#
# ssl-nist-compliance = no

#
# Specify any additional GSKit attributes which should be used when
# initializing an SSL connection with the DSC. A complete list of
# the available attributes is included in the GSKit SSL API documentation.
#
# The configuration entry may be specified multiple times, one for each
# GSKit attribute. The entry should be of the format:
# gsk-attr-name = <type>:<id>:<value>
#
# - where <type> is one of 'enum', 'string', 'number'
#     and <id> corresponds to the identity associated with a GSKit attribute
#       (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
#
# An example configuration could be:
# gsk-attr-name = string:225:proxy.ibm.com
#


[dsess-cluster:dsess]

#
# This stanza will define the cluster of DSC servers associated with the
# configuration defined in the default [dsess] stanza (above).
#
# See the [dsess-cluster] stanza above for a definition of valid entries
# and their associated values.
#


##################################
# SESSION COOKIE DOMAINS
##################################
[session-cookie-domains]

# Normally WebSEAL session cookies are 'host' cookies which browsers
# only return to the host that originally set them.  This stanza
# can be used to configure 'domain' session cookies that may be sent
# to any host in a particular DNS domain.  Review the WebSEAL
# documentation and understand the security implications of domain
# session cookies before enabling any entries in this stanza.

# Format is:
#    domain = example.com
#    domain = otherdomain.com
#    ...


##################################
# CONTENT
##################################
[content]

# The utf8-template-macros-enabled option controls how standard WebSEAL files,
# such as login.html, have data inserted into them when %MACRO% strings are
# encountered.  If you have modified your WebSEAL html charset value to be the
# local code page, and not UTF-8, then set this option to "no".  This affects
# files in the error-dir and mgt-pages-root directories, listed below.
utf8-template-macros-enabled = yes

#----------------------
# ACCOUNT MANAGEMENT PAGES
#----------------------
[acnt-mgt]

# Standard login form
login = login.html

# Page displayed after successful login
login-success = login_success.html

# Page displayed after successful logout
logout = logout.html

# Page displayed if user authentication failed due to a locked account
account-locked = acct_locked.html

# Page displayed if user authentication failed due to the account being
# inactivated by the underlying registry policy, rather than TAM policy.
account-inactivated = acct_locked.html

# Page displayed if user authentication failed due to an expired password
passwd-expired = passwd_exp.html

# Page displayed if user authentication warns the password is soon to expire
passwd-warn = passwd_warn.html

# Page displayed if warning password change request failed
passwd-warn-failure = passwd_warn.html

# Change password form
passwd-change = passwd.html

# Page displayed if password change request was successful
passwd-change-success = passwd_rep.html

# Page displayed if password change request failed
passwd-change-failure = passwd.html

# Page containing links to valid administration pages
help = help.html

# Token login form
token-login = tokenlogin.html

# Next-token form
next-token = nexttoken.html

# Certificate login form.
# This is only used if accept-client-certs = prompt_as_needed.
certificate-login = certlogin.html

# Step-up authentication login form
stepup-login = stepuplogin.html

# Switch user management form
switch-user = switchuser.html

# Page displayed if a client fails to authenticate with
# a certificate and certificates are necessary.
cert-failure = certfailure.html

# Page displayed if a client attempts to step up to certificates over http
cert-stepup-http = certstepuphttp.html

# Page displayed when a user has too many concurrent sessions and
# must either cancel their new login or terminate the other sessions.
too-many-sessions = too_many_sessions.html

# Page displayed to handle HTML redirections.
html-redirect = redirect.html

# Page displayed if a redirect is not supplied to the pkmstempsession
# resource.
temp-cache-response = temp_cache_response.html

#-----------------------------
# ACCOUNT EXPIRY NOTIFICATION
#-----------------------------
# The following configuration option will determine whether a user with
# an invalid/expired account will be notified as such on an attempted login,
# or if he/she will receive the same message as if invalid authentication
# information (i.e. an invalid username, password, or client certificate)
# had been submitted.
account-expiry-notification = no

#----------------------
# AUTHORIZATION ERRORS
#----------------------

# By default, WebSEAL will return the standard 'Forbidden' page for
# all authorization failures.

# If client-notify-tod = yes, clients failing a time-of-day
# POP access check will be sent a specific error page informing them
# of the reason for their authorization failure.
client-notify-tod = no

#---------------------
# Change Password Authentication
#---------------------
# Enable this option to allow users to authenticate when changing a password.
# If a user's password is expired, and this option is on, then WebSEAL will
# authenticate the user with the expired password, change the password,
# and ensure that the user remains authenticated. This is helpful in failover
# situations where the user may be served the password change form from one
# WebSEAL replica, but the form posts to another replica where the user's
# session does not exist.
change-password-auth = no

#----------------------
# AUTOMATIC REDIRECT
#----------------------
# Page to which users are automatically redirected after completing a successful
# authentication. The configured URL can contain special macro's which will
# allow dynamic substitution of information from WebSEAL.
#
# The supported macro's include:
#  %AUTHNLEVEL%       Level at which the session is currently authenticated.
#  %HOSTNAME%         Fully qualified host name.
#  %PROTOCOL%         The client connection protocol used. Can be HTTP or HTTPS.
#  %URL%              The original URL requested by the client.
#  %USERNAME%         The name of the logged in user.
#  %HTTPHDR{<name>}%  The value of the specified HTTP header.
#  %CREDATTR{<name>}% The value of the specified credential attribute.
#
# The format can either be an absolute URL or server relative URL and can
# include macro information as listed above:
#       login-redirect-page = http://www.ibm.com/
#       login-redirect-page = /jct/page.html
#       login-redirect-page = /jct/page.html?url=%URL%&hdr=%HTTPHDR{Host}%

#--------------------------
# HTML REDIRECTION
#--------------------------
# Enable this option to use HTML to handle redirections.
#
# WebSEAL typically provides a 302 redirection in cases such as when a user
# successfully authenticates. Many AJAX applications do not behave correctly
# when this happens as any HTTP fragments are lost.
#
# Enabling this configuration item will cause WebSEAL to send a 200
# response to the client instead of a 302.  The page which contains the
# HTML redirection is defined by the html-redirect configuration entry
# within this stanza.
#
# This configuration item cannot be used in conjunction with
# login-redirect-page.
enable-html-redirect = no

#--------------------------
# LOCAL RESPONSE REDIRECTS
#--------------------------
# Enable/disable sending a redirect instead of serving management or error
# pages from the local system.
#
# The local-response-redirect-uri parameter must be set in order for this
# option to function.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [acnt-mgt:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
enable-local-response-redirect = no

#---------------------------
# PKMSLOGOUT FILENAME
#---------------------------
# Set this parameter to 'yes' to allow the specification of a custom
# response file to be displayed to users upon logging out in a query string
# appended to the pkmslogout URL.  e.g.  /pkmslogout?filename=<name>
# By default, this parameter is set to 'no' to cause any such query string to be
# ignored.
use-filename-for-pkmslogout = no

# The following option can be disabled to loosen the restrictions normally
# enforced on the name of the /pkmslogout custom response file. When set to
# 'no' only '/', '\', characters outside of the ASCII range 0x20 - 0x7E, and
# filenames that begin with '.' will be disallowed.
use-restrictive-logout-filenames = yes

#-----------------------------
# ALLOW UNAUTHENTICATED LOGOUT
#-----------------------------
# Set this parameter to 'yes' to allow unauthenticated users to be able
# to request the pkmslogout resource.  If this parameter is set to 'no'
# an unauthenticated user will be requested to authenticate before the
# pkmslogout resource is returned.
allow-unauthenticated-logout = no

# WebSEAL can be enabled to recognise a warning from LDAP user registries
# that indicates the password will expire soon.  The amount of time left is
# placed into the credential as an attribute.  If this option is enabled
# WebSEAL will look for the expire attribute and, if detected, will present
# an optional password change form to the user after a successful login.  The
# [ldap] option, enhanced-pwd-policy, must also be enabled for this to operate.
enable-passwd-warn = no

# The following option can be used to insert custom headers whenever
# WebSEAL returns a custom response to the client. The format of the
# configuration entry should be:
#    http-rsp-header = <header-name>:<macro>
#
# Where:
#    <header-name> is the name of the header which will hold the value;
#    <macro>       is the type of value which is to be inserted, one
#                  of either TAM_OP, AUTHNLEVEL, ERROR_CODE, ERROR_TEXT,
#                  CREDATTR{<name>}, USERNAME, TEXT{<value>}.
#
# As an example, to include the TAM error code in a response header named
# tam-error-code:
#    http-rsp-header = tam-error-code:ERROR_CODE
#
# To include a static header in a response header name X-Frame-Options:
#    http-rsp-header = x-frame-options:TEXT{DENY}
#
# The configuration entry may be specified multiple times, one for each
# header which is be included in the response.
#
http-rsp-header = x-frame-options:TEXT{DENY}
http-rsp-header = content-security-policy:TEXT{frame-ancestors 'none'}
http-rsp-header = x-content-type-options:TEXT{nosniff}
http-rsp-header = x-xss-protection:TEXT{1}

#-----------------------------
# BACK-END SERVER SINGLE SIGN-OFF
#-----------------------------
# When a user's session is terminated in WebSEAL, any sessions that may exist
# on back-end application servers are not destroyed. When this item is
# configured, WebSEAL will send a request to the configured URI's including
# any configured headers and cookies for the junction point on which it resides.
# The backend application can use this information to terminate any sessions
# for that user.
#
# Multiple URI's can be specified by including multiple single-signoff-uri
# configuration entries.
#
# The configured URI must reside on a standard junction. For example:
# single-signoff-uri = /app/logout.asp
#
# single-signoff-uri =

# It is possible to enforce validation of a secret token for certain account
# management pages to protect against CSRF-style attacks. If this functionality
# is enabled a secret token will be added to each session, and this token will
# be validated against the 'token' query argument for selected management
# requests. For example, the request to '/pkmslogout' would change to
# '/pkmslogout?token=<value>'.  If the token is missing, or does not match
# the token contained within the session, an error page will be returned to
# the client.
#
# This configuration option will affect the following management requests:
#   - /pkmslogin.form
#   - /pkmslogout
#   - /pkmslogout_nomas
#   - /pkmssu.form
#   - /pkmsskip
#   - /pkmsdisplace
#
# In an eCSSO environment it is essential that the tagvalue_session_index
# attribute is included in the vouchfor token so that the different sessions
# can share the same token.  This is required for the redirected logout which
# will take place when a session is logged out.
#
# Change the value of the enable-secret-token-validation configuration to
# true in order to enable this validation functionality.
enable-secret-token-validation = false

# It is also possible to enforce validation of the HTTP Request referer header
# for all account management pages to protect against CSRF-style attacks.  If
# this functionality is enabled, a request for an account management page will
# check to see if the referer header is present in the HTTP Request header and
# then validate the hostname portion of that referer against a list of "allowed"
# referer filters.  If there are no allowed-referers entries here, then this
# validation is not performed.  The values for this allowed-referers keys
# provide WebSEAL with a list of referer hostnames that should be considered
# "valid".
#
# The default value for this entry, although originally commented out as to not
# enable this functionality by default, is "allowed-referers = %HOST%".  This
# is a special entry in that it indicates to WebSEAL that a referer is "valid"
# if the hostname portion of the referer HTTP Request header entry matches the
# host HTTP Request header.
#
# There can be 0 or more entries set for this key.  All entries are used when
# validating the referer.  Entries can contain wildcard characters:
#    * - match 0 or more characters
#    ? - match any single character
#    \ - Literal match of the following character
# So for example, an entry "allowed-referers = ac*me" will match any referer
# hostname that begins with the characters "ac", followed by 0 or more
# characters, and ends with the characters "me".
#
#allowed-referers = %HOST%

[tfimsso:<jct-id>]

#
# This stanza is used to hold the TFIM single sign-on configuration information
# for a single junction.
#
# For standard junctions the stanza name will be qualified with the name of the
# junction point (including the leading '/').  An example stanza name might be:
# [tfimsso:/junction_a]
#
# For virtual host junctions the stanza name will be qualified with the
# virtual host label.  An example stanza name might be:
# [tfimsso:www.ibm.com]
#

# The type of token which will be requested from TFIM.  This value should
# correspond to the 'Token Type URI' field for the corresponding trust chain
# within TFIM.
token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

# The 'applies-to' search criteria used when locating the appropriate STS
# module within TFIM.  Generally this entry should be of the format:
# http://<webseal-server>/<junction> (similar to the URL which is used to
# access the junction).
applies-to = http://<webseal-server>/<junction>

# The service-name configuration entry will be used:
#   1. By TFIM when searching for a matching trust chain.  This configuration
#      entry will be compared against the configured 'AppliesTo' service name
#      value for each trust chain.  The second field within the 'AppliesTo'
#      service name configuration entry should be set to either '*' to match
#      all service names, or it should be set to the value defined by this
#      configuration item.  Refer to the TFIM documentation for further
#      details on configuring Trust Chains.
#   2. As the service principal name of the delegating user when creating a
#      Kerberos token.  The service principal name can be determined by
#      executing the Microsoft utility 'setspn', i.e. setspn -L <user>,
#      where <user> is the identity of the user which the junctioned Web server
#      is running as.
service-name = <spn>

# The length of time, in seconds, by which the expiry time of a security token
# will be reduced.  This entry is used to make allowances for differences in
# system times and transmission times for the security tokens.
renewal-window = 15

# This boolean value is used to indicate whether the security token which is
# produced by TFIM is only valid for a single transaction.  An example of a
# one-time-token is a Kerberos token, which can only be used for a single
# authentication operation.
one-time-token = true

# This boolean value is used to control whether the requested
# BinarySecurityToken XML structure should be used in it's entirety, or whether
# only the encapsulated token should be used.  This configuration entry should
# only be set to true if the junctioned Web server understands and expects the
# BinarySecurityToken XML structure.
preserve-xml-token = false

# The number of security tokens which should be retrieved from TFIM in a single
# request.  This option is only valid for one-time-tokens where the
# corresponding TFIM module has also been coded to handle requests for multiple
# tokens via the 'Claims' construct. The resultant security tokens will be
# cached by WebSEAL and then used on subsequent requests.  Tuning of this
# parameter will be important for performance of one-time-tokens.  If the
# value is large there will be fewer requests to TFIM, but the responses to
# these requests will be larger.
token-collection-size = 10

# The type of mechanism which will be used to transmit the security token to
# the junctioned Web server.  Possible values for this configuration entry
# are:
#    header - The security token will be included in a header;
#    cookie - The security token will be included in a cookie;
token-transmit-type = header

# The name given to the security token within the junctioned Web server
# request.
token-transmit-name = Authorization

# This boolean value is used to indicate whether a security token should be
# sent for every HTTP request, or whether WebSEAL should wait for a 401
# response from the back-end Web server before adding the security token.  This
# configuration item is used to avoid the unnecessary overhead of generating
# and adding a security token to every request if the back-end Web server is
# capable of maintaining user sessions.
always-send-tokens = false

# The name of the WAS cluster which houses this TFIM service.  There should
# also be a corresponding [tfim-cluster:<cluster>] stanza which contains the
# definition of the cluster.
tfim-cluster-name = my-cluster

[tfim-cluster:my-cluster]

#
# This stanza contains definitions for a particular cluster of TFIM
# servers.
#

#
# A specification for the server which is used when communicating with a
# single TFIM server which is a member of this cluster.  Values for this
# entry are defined as follows:
#
#       {[0-9],}<URL>
#
# Where the first digit (if present) represents the priority of the server
# within the cluster (9 being the highest, 0 being lowest).  If the priority
# is not specified, a priority of 9 is assumed.  The <URL> can be any
# well-formed HTTP or HTTPS URL.
#
# Multiple server entries can be specified for failover and load balancing
# purposes.  The complete set of these server entries defines the
# membership of the cluster for failover and load balancing.
#
# server = 9,http://tfim.example.com/TrustServerWST13/services/RequestSecurityToken


#
# The maximum number of cached handles, used when communicating with TFIM.
#

handle-pool-size = 10

#
# The length of time, in seconds, before an idle handle will be removed
# from the handle pool cache.
# It should not be larger than the HTTP Transport chain persistent timeout
# configured on the Websphere server(s) running TFIM
#

handle-idle-timeout = 30

#
# The length of time, in seconds, to wait for a response from TFIM.
#

timeout = 30

#
# The following configuration entries are optional and can be used if the TFIM
# server has been configured to require basic authentication.  If these
# entries are left blank no basic authentication header will be provided when
# communicating with the TFIM server.
#
#
# The name of the user for the basic authentication header.
#
# basic-auth-user = <user>
#
# The password to be used for the basic authentication header.
#
# basic-auth-passwd = <user>
#
# The following SSL entries are optional and are only required if:
#    1. At least one server entry indicates that SSL is to be used (i.e.
#       starts with https:)
#    2. A certificate is required other than that which is used by this server
#       when communicating with the policy server (details of the
#       default certificate can be found in the [ssl] stanza of this
#       configuration file.
#
# If these entries are required and are not found within this stanza, the
# default [ssl] stanza will be searched.
#
#
# The name of the key database file which houses the client certificate to be
# used.
#

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

ssl-keyfile =

#
# The name of the password stash file for the key database file.
#

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

ssl-keyfile-stash =

#
# The label of the client certificate within the key database.
#
ssl-keyfile-label =

#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted.  If no entry is configured
# all DN's will be considered to be valid.  Multiple DN's can be specified by
# including multiple configuration entries of this name.
#
# ssl-valid-server-dn =

#
# The entry controls whether FIPS communication is enabled with TFIM or
# not.  If no configuration entry is present the global FIPS setting (as
# determined by the TAM policy server) will take effect.
#
# ssl-fips-enabled =

# Configure NIST SP800-131A compliance mode.  This will have the affect of:
#   - enabling FIPS mode processing (over-riding the value of the
#     ssl-fips-enabled configuration entry);
#   - enabling TLS V1.2;
#   - enabling the appropriate signature algorithms;
#   - setting the minimum RSA key size to 2048 bytes.
#
# If no configuration entry is present the global NIST setting (as found in
# the [ssl] stanza) will be used.
#
# ssl-nist-compliance = no

#
# Specify any additional GSKit attributes which should be used when
# initializing an SSL connection with TFIM. A complete list of
# the available attributes is included in the GSKit SSL API documentation.
#
# The configuration entry may be specified multiple times, one for each
# GSKit attribute. The entry should be of the format:
# gsk-attr-name = <type>:<id>:<value>
#
# - where <type> is one of 'enum', 'string', 'number'
#     and <id> corresponds to the identity associated with a GSKit attribute
#       (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
#
# An example configuration could be:
# gsk-attr-name = string:225:proxy.ibm.com
#

[local-response-redirect]
# URLs to which management page requests are redirected. All management
# requests will be redirected to the URLs with a query string indicating
# the operation requested, along with any macros (as configured in the
# [local-response-macros] stanza). See the WebSEAL Admin Guide for the
# specific format of the query string, and how the receiving handler should
# treat the requests.
#
# The URL may be absolute or server-relative. Only use an absolute URL if
# the destination server is not accessed via WebSEAL.
#
# Valid formats are:
#  http[s]://<server>/<path>
#  /<path>
#
# To define the URI for specific operations, prefix the URI in the entry with
# the operation name in the form [<operation>].  The '[' and ']' chars are
# required.  Valid values for <operation> are:
#
#   logout passwd passwd_warn passwd_warn_failure acct_inactivated
#   acct_locked passwd_exp passwd_rep_success passwd_rep_failure
#   help login login_success token_login cert_login next_token
#   switch_user failed_cert cert_stepup_http stepup,error
#   too_many_sessions tempsession
#
# An operation specific example:
#   local-response-redirect-uri = [login] /jct/cgi-bin/eai
#
# If an entry that does not specify an operation is present then any
# operation that does not have a specific entry will use it.
# If an entry that does not specify an operation is NOT present then any
# operation that does not have a specific entry will not use local response
# redirection and instead will use regular WebSEAL behavior.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a
# [local-response-redirect:{jct_id}] stanza, where '{jct-id}' refers to
# the junction point for a standard junction (include the leading '/'),
# or the virtual host label for a virtual host junction.

#local-response-redirect-uri = /jct/redirect/handler

[local-response-macros]
# URL-encoded macros to include in the query string for all management
# page requests.
#
# These will increase the length of the local response redirect URI. Certain
# user-agents, such as WAP browsers, may have URI length limitations, so
# add macros sparingly and cautiously. Note that any special characters will
# be URI-encoded, further increasing the length of the local response URI.
#
# Do not modify the macro strings or add new ones; all supported macros are
# listed below. Comment/uncomment desired macros for inclusion in the local
# response URI. See the WebSEAL Admin Guide for definitions of the content
# corresponding to each macro.
#
# The field names used in the query string can be customized by placing a
# colon and a custom name after the macro definition as demonstrated below.
# macro = USERNAME:customerId
#
# If no name or a blank name is provided after the colon, the default value
# will be used. The default value is the macro name. For the HTTPHDR macro,
# the default value is HTTPHDR_<name>, where name is the name of the HTTP
# header defined in that macro.  For the CREDATTR macro, the default value
# is CREDATTR_<name>, where name is the name of the attributed defined in
# that macro.
#
# Note that at a minimum the TAM_OP macro must be included in any response.
# Even if the TAM_OP macro is not included or customized below, it will
# still be present in all response URIs.

macro = TAM_OP
#macro = USERNAME
#macro = METHOD
#macro = URL
#macro = REFERER
#macro = HOSTNAME
#macro = AUTHNLEVEL
#macro = FAILREASON
#macro = PROTOCOL
#macro = ERROR_CODE
#macro = ERROR_TEXT
#macro = OLDSESSION
#macro = EXPIRE_SECS
#macro = HTTPHDR{<name>}
#macro = CREDATTR{<name>}
#macro = SECONDARY_BASE

[enable-redirects]
# This stanza contains a list of authentication mechanisms
# for which automatic redirects are enabled.
# Valid choices are forms-auth, token-auth, basic-auth, cert-auth,
# and ext-auth-interface
# Any or all of them may be enabled.
#redirect = forms-auth
#redirect = basic-auth
#redirect = token-auth
#redirect = cert-auth
#redirect = ext-auth-interface

#----------------------
# ICONS
#----------------------
[content-cache]
#----------------------
# DOCUMENT CACHING
#----------------------

# The entries below define the caches which the Web Server uses to store
# documents in memory.
#
# Syntax:
# <MIME-Type> = <Cache-Type>:<Cache-Size>{:<Def-Max-Age>}
#
# Where:
#
#   <MIME-Type>
#       Represents any valid MIME type conveyed in an HTTP "Content-Type:"
#       response header.  This value may contain a wildcard (*).  A value
#       of */* represents a default object cache that will hold any object
#       that does not correspond to an explicitly configured cache.
#
#   <Cache-Type>
#       Defines the type of backing store to use for the cache.  Currently
#       only "memory" caches are supported.
#
#   <Cache-Size>
#       Represents the maximum size to which the given cache may grow before
#       objects are removed according to a LRU algorithm.  This value is
#       defined in Kbytes.
#
#   <Def-Max-Age>
#       Represents the maximum age of a session cache entry if expiration
#       information is missing from the original response.  This value is
#       defined in seconds.  If no value is supplied a default maximum age
#       of 3600 (i.e. 1 hour) will be applied.
#
# No Caching is performed if no caches are defined.  If no default cache
# is specified, documents which do not match any cache are not cached.
#
# text/html = memory:2000
# image/* = memory:5000
# */* = memory:1000


[compress-mime-types]
#----------------------
# HTTP COMPRESSION MIME-TYPE CONFIGURATION
#----------------------

# This stanza allows HTTP compression to be enabled or disabled based
# on the mime-type of the response and the size of the returned document.
# Order is important.  The first entry that matches a returned document
# will be used for that document.
#
# Syntax:
# <MIME-type> = <Min-Doc-Size>[:<Compress-Level>]
#
# Where:
#
#   <MIME-Type>
#       Represents any valid MIME type conveyed in an HTTP "Content-Type:"
#       response header.  This value may contain a wildcard (*).  A value
#       of */* will match all mime-types.
#
#   <Min-Doc-Size>
#       The minimum document size to be compressed.  A size of -1 means never
#       to compress this mime-type.  A size of 0 means to compress the
#       document regardless of its size.  A size greater than 0 means that the
#       document will only be compressed if its initial size is greater than
#       or equal to Min-Doc-Size.
#
#   <Compress-Level>
#       The compression level to be used for documents of this MIME type.
#       The compression level must be between 1 and 9, inclusive.  Higher
#       compression levels decrease the size of the compressed data at the
#       expense of additional CPU utilization.  This value is optional; if it
#       is not specified a compression level of 1 is used.
#
# These example configuration lines will:
# - disable compression for images.
# - enable compression for HTML documents larger than 1000 bytes.
# - enable compression for all other text documents regardless of size.
# - enable compression of PDF documents of all sizes at compression level 5.
# - disable compression for any other documents.
#
# image/* = -1
# text/html = 1000
# text/* = 0
# application/pdf = 0:5
# */* = -1

*/* = -1


[compress-user-agents]
#----------------------
# HTTP COMPRESSION USER-AGENT CONFIGURATION
#----------------------

# This stanza allows HTTP compression to be enabled or disabled based
# on the user-agent header sent by clients.  This stanza should be used
# to disable compression for clients which send an "accept-encoding: gzip"
# HTTP header but don't actually handle gzipped content-encodings properly
#
# Syntax:
# <Pattern> = <Compression>
#
# Where:
#
#   <Pattern>
#       A wild card pattern to match a particular user-agent header
#
#   <Compression>
#       Is yes if the user-agent can handle compressed data, no otherwise.
#
# The first matching entry is used when determining whether a user-agent
# can handle compression content-encodings.  If no entry matches the
# user-agent's accept-encoding header is assumed to be correct.  User-agents
# that do not send an "accept-encoding: gzip" header will never receive
# compressed data.


[content-mime-types]
#----------------------
# MIME TYPES
#----------------------

# This stanza defines the MIME type for particular document extensions.
#
# Syntax:
#       <extension> = <type>
#
# where
#       extension       is the extension of documents of this MIME type
#       type            is a MIME type
#
# The first matching entry is used when determining the type of a particular
# document.
#
html = text/html
htm = text/html
gif = image/gif
jpeg = image/jpeg
ps = application/postscript
shtml = text/x-server-parsed-html
jpg = image/jpeg
jpe = image/jpeg
mpeg = video/mpeg
mpe = video/mpeg
mpg = video/mpeg
bin = application/octet-stream
exe = application/octet-stream
Z = application/octet-stream
EXE = application/octet-stream
dll = application/octet-stream
DLL = application/octet-stream
ivsrv = application/octet-stream
pdf = application/pdf
au = audio/basic
snd = audio/basic
aiff = audio/x-aiff
aifc = audio/x-aiff
aif = audio/x-aiff
wav = audio/x-wav
ai = application/postscript
eps = application/postscript
rtf = application/rtf
zip = application/zip
ief = image/ief
tiff = image/tiff
tif = image/tiff
ras = image/x-cmu-raster
pnm = image/x-portable-anymap
pbm = image/x-portable-bitmap
pgm = image/x-portable-graymap
ppm = image/x-portable-pixmap
rgb = image/x-rgb
xbm = image/x-xbitmap
xpm = image/x-xpixmap
xwd = image/x-xwindowdump
txt = text/plain
rtx = text/richtext
tsv = text/tab-separated-values
etx = text/x-setext
qt = video/quicktime
mov = video/quicktime
avi = video/x-msvideo
movie = video/x-sgi-movie
js = application/x-javascript
ls = application/x-javascript
mocha = application/x-javascript
wrl = x-world/x-vrml
dir = application/x-director
dxr = application/x-director
dcr = application/x-director
crt = application/x-x509-ca-cert
tar = application/x-tar
css = text/css

# default type to assign to pages that don't match any of the above
deftype = text/plain
ico = image/x-icon

[content-encodings]
#----------------------
# CONTENT ENCODINGS
#----------------------

# Some browsers support content encodings.  These entries map a document
# extension to an encoding type.
gz = x-gzip
Z = x-compress

##################################
#  LOGGING
##################################
[logging]

#
# The server-log-cfg configuration entry is used to configure the server
# for logging. The format of the configuration entry is:
# server-log-cfg = agent [parameter=value],[parameter=value]....
#
# Where:
# agent:   The logging agent. The agent is used to control the destination
#          of the logging event. Valid agents include:
#          stdout, stderr, file, remote, rsyslog.
#
# Different configuration parameters and values are also required/supported
# by the different agents. Some of the available parameters include:
#
# Parameter      Supported Agents:
# ---------      -----------------
# buffer_size         remote
# compress            remote, file
# dn                  remote
# error_retry         remote, rsyslog
# flush_interval      all
# hi_water            all
# log_id              file, rsyslog
# max_event_len       rsyslog
# max_rollover_files  file
# mode                file
# path                all
# port                remote, rsyslog
# queue_size          all
# rebind_retry        remote, rsyslog
# rollover_size       file
# server              remote, rsyslog
# ssl_keyfile         rsyslog
# ssl_label           rsyslog
# ssl_stashfile       rsyslog
#
# As an example, to send server events to a remote syslog server:
# server-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance
#
# For a complete description of the different available logging agents, and
# the supported configuration parameters, please refer to the IBM Security
# Access Manager Auditing Guide.
#
server-log-cfg = file path=msg__webseald-sharif.log,hi_water=1,flush_interval=1

# Log files' size limit
# Applies to the request, referer, and agent logs
# Negative values will cause the logs to be rolled over daily.
# A value of zero will cause no rollover file to be created.
max-size = 2000000

# Frequency in seconds to force a flush of log buffers
flush-time = 20

# Enable the request log
requests = yes

# Enable the the referer log
referers = no

# Enable the user agent log
agents = no

# Log requests with time in GMT instead of local TZ
gmt-time = no

# If log-invalid-requests is set to 'yes', WebSEAL will log every
# request, even if a request is malformed or for some other reason
# is not processed to completion.
log-invalid-requests = yes

# The request-log-format to be written to the request log.
# The following directives can be used to customize the log format.
#
# %a: Client IP Address
# %A: Local IP Address
# %b: Bytes in the response excluding HTTP headers in CLF format: '-' instead
#      of 0 when no bytes are returned.
# %B: Bytes in the response excluding HTTP headers
# %{attribute}C:
#     Attribute from the TAM credential named 'Attribute'
# %{cookie}e:
#     Contents of the Cookie 'cookie' in the request
# %{cookie}E:
#     Contents of the Cookie 'cookie' in the response
# %d: Transaction identifier, or session sequence number.
# %F: Time taken to serve the request in microseconds
# %h: Client host
# %H: Request protocol
# %{header}i:
#     Contents of the Header 'header' in the request
# %j: The name of the junction servicing the request
# %l: Client logname (RFC 1314) (default -)
# %m: Request method (i.e. GET, POST, HEAD)
# %{header}o:
#     Contents of the Header 'header' in the response
# %p: Port over which the request was received
# %q: The decoded query string (prepended with '?' or empty)
# %Q: The raw query string (prepended with '?' or empty).
# %r: First line of the request with decoded URL
# %R: First line of the request with decoded URL including HTTP://HOSTNAME
# %s: Response status
# %t: Time in Common Log Format format
# %{format}t:
#     The time in the given format
# %T  Time taken to serve the request in seconds, or part thereof
# %u: Remote user
# %U: The URL requested
# %v: Canonical ServerName of the server servicing the request
# %z: The decoded path string
# %Z: The raw path string
request-log-format = %h %l %u %t "%r" %s %b

[audit-mime-types]
# WebSEAL can be configured to decide whether an audit event should be
# generated for a particular HTTP request based on the content-type of the
# return document.  The format of the audit-mime-types stanza is:
#<MIME-pattern> = <yes|no>
# For example:
#text/html = yes
#*/* = no


[audit-response-codes]
# WebSEAL can be configured to decide whether an audit event should be
# generated for a particular HTTP request based on the response code of the
# returned document.  The format of the audit-response-codes stanza is:
#<code> = <yes|no>
# For example:
#304 = no
#302 = no


###############################
# AUTHORIZATION API
###############################
[aznapi-configuration]

# Update poll interval. This is the interval, in seconds, between checks
# for updates to the master authzn server. The local cache is only rebuilt
# if an update is detected. Values can be "disable", "default" or a time
# in seconds.
cache-refresh-interval = disable

# Flags to enable the reception of policy cache update notifications.
# Values can be one of: "disable", "enable"
# A "disable" value disables the notification listener.
#
# This parameter is set by the svrsslcfg utility.
listen-flags = enable

#----------------------
# POLICY CACHE TUNING
#----------------------
# The maximum size of the in-memory policy cache is configurable.
# The cache consists of policy and the relationships between policy
# and resources.  The knowledge that a resource has no directly
# associated policy is also cached.
#
# The maximum cache size should be relative to the number
# of policy objects defined and the number of resources
# protected and the available memory.
#
# A reasonable algorithm to begin with is:
# (number of policy objects * 3) + (number of protected resources * 3)
#
# This value controls how much information is cached.   A larger
# cache will  potentially improve the application performance but use
# addditional memory as well.
#
# Size is specifed as the number of entries.
#
# policy-cache-size = 32768


#----------------------
# AUTHORIZATION API LOGGING (traditional)
#   NB: The following authorization logging configuration entries are supported
#       for historical purposes only.  The logcfg configuration entry should be
#       used to configure the logging in favour of these legacy configuration
#       items.
#----------------------
# Audit Trail
# Enable/Disable audit event recording
logaudit = no

# Name of daemon whose activities are audited
logclientid = webseald

# To selectively capture audit events from specific components, uncomment the
# appropriate auditcfg lines.
#auditcfg = azn
#auditcfg = authn
#auditcfg = http

# Log file size limit
# Negative values will cause the logs to be rolled over daily.
# A value of zero will cause no rollover file to be created.
logsize = 2000000

# Frequency, in seconds, to flush the log buffers
logflush = 20

# Attributes to be audited.
# tagvalue_su-admin is audited by default.
audit-attribute = tagvalue_su-admin

# Option to enable adjustment of the authentication auditing data to accurately
# reflect the operation result.  This slightly changes the the audit record
# contents so any automated tools examining audit logs may need to be adjusted
# to match.
adjust-audit = no

#----------------------
# AUTHORIZATION API LOGGING
#----------------------

#
# The logcfg configuration entry is used to configure the system for logging.
# The format of the configuration entry is:
#   logcfg = category:agent [parameter=value],[parameter=value]....
#
# Where:
#     category:    The name of the logging component. Valid logging components
#                  include: audit.azn, audit.authn, http, http.clf, http.ref,
#                  http.agent
#     agent:       The logging agent.  The agent is used to control the
#                  destination of the logging event.  Valid agents include:
#                  stdout, stderr, file, pipe, remote, rsyslog (although the
#                  pipe agent is not supported on the appliance).
#
# Different configuration parameters and values are also required/supported by
# the different agents.  Some of the available parameters include:
#
#     Parameter          Supported Agents   Details
#     ---------          ----------------   -------
#     buffer_size        remote
#     compress           remote, file
#     dn                 remote
#     error_retry        remote, rsyslog
#     flush_interval     all
#     hi_water           all
#     log_id             file, rsyslog
#     max_event_len      rsyslog
#     max_rollover_files file
#     mode               file
#     path               all
#     port               remote, rsyslog
#     queue_size         all
#     rebind_retry       remote, rsyslog
#     rollover_size      file
#     server             remote, rsyslog
#     ssl_keyfile        rsyslog
#     ssl_label          rsyslog
#     ssl_stashfile      rsyslog
#     ssl_protocols      rsyslog            A colon separated list of SSL
#                                           protocols to be enabled.  Valid
#                                           protocols include:
#                                           sslv3,tlsv10,tlsv11,tlsv12.
#
# As an example, to send authorization events to a remote syslog server:
# logcfg = audit.azn:rsyslog server=timelord,port=514,log_id=webseal-instance
#
# For a complete description of the different available logging agents, and
# the supported configuration parameters, please refer to the IBM Security
# Access Manager Auditing Guide.
#

#---------------------------------------------------
# BOOLEAN AUTHORIZATION RULES CONFIGURATION ENTRIES.
#---------------------------------------------------
#
# A list of string prefixes that identify Access Decision Information (ADI)
# to be supplied by the resource manager (in this case, WebSEAL). The
# default setting below tell the authorization engine that when it requires
# ADI with the prefixes "AMWS_hd_", "AMWS_qs_" or "AMWS_pb_" to evaluate a
# boolean authorization rule, and the ADI is not available in the credential
# or application context passed in with the access decision call, that the
# engine should fail the access decision and request that the resource manager
# retry the request and provide the required data in the application context
# of the next request.  The prefixes given below represent special values
# for WebSEAL:
# AMWS_hd_ - Indicates that the ADI can be found within the HTTP Environment
#	     (Headers) of the request that WebSEAL is currently serving.
# AMWS_qs_ - Indicates that the ADI can be found within the Query String of
#	     the request that WebSEAL is currently serving.
# AMWS_pb_ - Indicates that the ADI can be found within the POST Body of the
#	     request that WebSEAL is currently serving.
#
resource-manager-provided-adi = AMWS_hd_
resource-manager-provided-adi = AMWS_pb_
resource-manager-provided-adi = AMWS_qs_


# To enable certain Boolean Authorization Rules options, it is necessary
# to set the permission information that the authorization engine will
# return to WebSEAL.
# The permission attribute that will enable the authorization engine to
# request ADI from the current WebSEAL request is
# "azn_perminfo_rules_adi_request".
# To use the "-R" junction option, the "azn_perminfo_reason_rule_failed"
# attribute must be included.
# To enable the Privacy Redirection capabilities of the AMWebARS Web Service,
# the "azn_perminfo_amwebars_redirect_url" must be included.
permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed


# The prolog to be added to the top of the XML document that is created
# using the Access Decision Information (ADI) needed to evaluate a boolean
# authorization rule. If not specified then the default XML prolog is:
#
#       <?xml version='1.0' encoding='UTF-8'?>
#
# It is strongly suggested that you read and thoroughly understand the
# boolean authorization rules documentation before attempting to change
# this setting from the default provided.
#
## input-adi-xml-prolog = <?xml version='1.0' encoding='UTF-8'?>


# The prolog to be added to the top of the XSL styleheet that is created
# using the XSL text that defines a boolean authorization rule.  If not
# specified then the default XSL stylesheet prolog is:
#
#       <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl=\
#               'http://www.w3.org/1999/XSL/Transform' version='1.0'> \
#           <xsl:output method = 'text' omit-xml-declaration='yes' \
#           indent='no'/> <xsl:template match='text()'> </xsl:template>
#
# It is strongly suggested that you read and thoroughly understand
# the boolean authorization rules documentation before attempting
# to change this setting from the default provided.
#
## xsl-stylesheet-prolog = <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'> </xsl:template>

# In previous versions of WebSEAL, a user might not be unable to work with an
# existing junction (i.e. show, delete) when the junction was protected by an
# EAS, even if the user's effective ACL had the bypassPOP ACL flag turned on.
# To remove this limitation, the following entry was created.  The default
# setting of no, causes the product to work as it did in previous versions.  If
# this entry is set to yes and the user accessing the protected resource does
# not have the bypassPOP ACL flag turned on, the product will work as it did in
# previous versions also.  Changing this entry's value to yes will remove the
# limitation described above.
#
# NOTE: The sec_master user has the bypassPOP ACL flag turned on by default.
# If this setting is set to yes, sec_master will NOT call out to the EAS when
# accessing a protected resource.  Consider this fact when deciding whether to
# set this entry to yes.
skip-eas-on-bypass-pop = no

# This option applies to the entitlement service: azn_ent_registry_svc. It
# defines the separator character for policy attributes.  If not explicitly set
# here then it defaults to the ':' character.  If set to the '\' character then
# a character escaping method is enabled in combination with the default ':'
# separator character.  Escaping ensures that the ':' character separator
# character is uniquely identified from any occurances in the user name (or DN)
# and their policy names.
policy-attr-separator = \
mode = local

# The following configuration is read only and cannot be modified.
azn-server-name = sharif-webseald-iam.ibmemm.edu

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file.  If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.

pd-user-pwd = **obfuscated**

[TAM_CRED_ATTRS_SVC]

#
# This stanza is used to configure the credential attributes entitlement
# service.   This entitlement service can be used to add attributes to the
# credential which are based on LDAP attributes of the authenticated user.
#
# Entries in this stanza are used to define the sources of attributes to be
# retrieved. The source names, such as user and group, are used to identify
# the source location in the registry. You need to define these. The values
# for these sources are registry identifiers that exist in the registry. The
# values can be existing credential attribute names.  If this is the case,
# the service automatically finds and uses the respective values.
#
# For example:
#   eperson = azn_cred_registry_id
#   organisationalPerson = azn_cred_registry_id
#
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
#  [TAM_CRED_ATTRS_SVC:eperson]
#  emailAddress = mail
#  mobileNumber = mobile
#
#  [TAM_CRED_ATTRS_SVC:organisationalPerson]
#  emailAddress = mail
#  mobileNumber = mobile
#

[azn-decision-info]

#
# This stanza is used to define any extra information which should
# be made available to the authorization framework when making
# authorization decisions.  This extra information can be obtained
# from various elements of the HTTP request, namely:
#    - HTTP method
#    - HTTP scheme
#    - Request URI
#    - HTTP headers
#    - HTTP cookies
#    - POST data
#
# You can also include the name of the WebSEAL server in the
# authorization request.
#
# If the requested element is not present in the HTTP request no
# corresponding attribute will be added to the authorization
# decision information.
#
# The format of the entries contained within this stanza is:
#   <attr-name> = <http-info>
#
# Where:
#   <attr-name>:   The name of the attribute which will contain the
#                  HTTP information.
#   <http-info>:   The source of the information, one of:
#                    - 'method'
#                    - 'scheme'
#                    - 'uri'
#                    - 'client_ip'
#                    - 'header:<header-name>'
#                    - 'cookie:<cookie-name>'
#                    - 'post-data:<post-data-name>'
#                    - 'query-arg:<query-arg-name>'
#                    - 'server_name'
#
# The 'post-data-name' field will be handled differently based on the content
# type of the request, as defined by the ContentType header.  The following
# content types are supported:
#
# application/x-www-form-urlencoded
#   The 'post-data-name' field corresponds to the name of the form data field
#   within the request.  The corresponding value for this field will be added
#   to the authorization decision information.
#
# application/json
#   The 'post-data-name' field corresponds to a hierarchical representation of
#   the name within the JSON data.  For example, assume that the following
#   POST data exists with a request which has the content-type of
#   application/json:
#
#   {
#     "userid": "jdoe",
#     "transactionValue": "146.67",
#     "accountBalances": {
#           "chequing": "4345.45",
#           "savings": "12432.23",
#           "creditLine": "19999.12"
#     }
#   }
#
#   To have the value of userid, at the root level, added to the authorization
#   decision information, create an entry in this stanza like:
#     POST_USERID = /"userid"
#
#   The leading / character indicates that the top level JSON object should be
#   searched for a name-value pair with the name of userid.  In our example,
#   this would add "POST_USERID=jdoe" to the decision information.
#
#   To have the savings value within the accountBalances "node" present in the
#   decision information, create an entry in this stanza like:
#     SAVINGS_BAL = /"accountBalances"/"savings"
#
#   The initial / character indicates that the top level JSON object should be
#   searched for a name-value pair with the name of accountBalances.  If found,
#   and that value is another JSON object, it should then be searched for a
#   name-value pair with the name of savings.  In our example, this would add
#   "SAVINGS_BAL=12432.23" to the decision information
#
#   JSON also has the notion of Arrays.  Consider the following POST data
#
#   {
#     "userid": "pwald",
#     "transactionValue": "200.00",
#     "accounts": [
#       {"name": "chequing": , "balanace": "4345.45"},
#       {"name": "savings": , "balanace": "1234.56"}
#     ]
#   }
#
#   Notice in this example that the top level accounts field has a value that
#   is a JSON array.  To identify which array element to include in the search,
#   provide the array index, starting with a base of 0.  For example, to add
#   the value of the "balance" field from the first element of the accounts
#   array, create an entry in this stanza like:
#     CHEQUING_BAL = /"accounts"/0/"balance"
#
#   The initial / indicates the "accounts" field in the top level JSON object.
#   The /0 indicates the first element of the array value.  Finally the
#   /"balance" indicates the field with a name of balance within that first
#   array element.  In our example, this would add "CHEQUING_BAL=4345.45" to the
#   decision information.
#
#   Only "leaf" nodes of the String, Number, true, false or null types can be
#   specified.
#
# The 'query-arg-name' field corresponds to the key name of a query string
# parameter of the request.  The corresponding value for this field, if found,
# will be added to the authorization decision information.
#
#
# Other examples include:
#   HTTP_REQUEST_METHOD = method
#   HTTP_HOST_HEADER    = header:Host
#

#
# Configuration stanza for the TAM transaction logging framework.  This
# framework can be used by support to record transactional information.
#

[translog]

#
# The maximum file size (in KB) for a transactional log.
#

# 262144 = 256 MB
max-file-size = 262144

###############################
# CREDENTIAL POLICY ATTRIBUTES
###############################
[credential-policy-attributes]
# This stanza controls which TAM policy values are stored in credentials
# during authentication.  In order for this stanza to take effect you must
# also enable the TAM credential policy entitlements service in the aznapi
# stanzas above this one.
#
# Format is:
#    <policy-name> = <credential-attribute-name>
#
# Supported policies are listed here.  Uncomment the policies you wish
# to add to credentials.

#AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login
#AZN_POLICY_DISABLE_TIME = tagvalue_disable_time
#AZN_POLICY_ACCOUNT_EXPIRY_DATE = tagvalue_account_expiry_date
#AZN_POLICY_MAX_PASSWORD_AGE = tagvalue_max_password_age
#AZN_POLICY_MAX_PASSWORD_REPEATED_CHARS = tagvalue_max_password_repeated_chars
#AZN_POLICY_MIN_PASSWORD_ALPHAS = tagvalue_min_password_alphas
#AZN_POLICY_MIN_PASSWORD_NON_ALPHAS = tagvalue_min_password_non_alphas
#AZN_POLICY_PASSWORD_SPACES_ALLOWED = tagvalue_password_spaces_allowed
#AZN_POLICY_MIN_PASSWORD_LENGTH = tagvalue_min_password_length
#AZN_POLICY_TOD = tagvalue_tod
#AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions
AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions

###############################
# POLICY DIRECTOR
###############################
[p3p-header]
#
# This stanza specifies the P3P compact policy that applies
# to all HTTP cookies set.  See the W3C P3P Specification
# for more information about P3P:  http://www.w3c.org/TR/P3P/
#
# The default configured policy allows cookies to be accepted
# by the default privacy settings for Microsoft Internet Explorer
# version 6.
#
# Before configuring any P3P policy, consult the P3P Technical
# Recommendation Specification to ensure that the values configured
# match your organization's privacy policy.
#
# If a junction server sets a P3P header in it's response, a
# decision must be as to whether it should be preserved as it is,
# or replaced by the WebSEAL policy.  This determination will be
# made based on the value of the 'preserve-p3p-policy' item
# in the [server] stanza.

#
# The 'p3p-element' item can be used to specify any elements
# to add to the P3P header besides the compact policy configured
# with the other configuration items in this stanza.  This can
# be used to supply a reference to a full XML policy:
#
# p3p-element = policyref="/w3c/p3p.xml"
#

#
# The 'access' item specifies the access the user has to the
# information contained within and linked to the cookie.
#
# Possible values are 'none', 'all', 'nonident', 'contact-and-other',
# 'ident-contact', 'other-ident'.
#
access = none

#
# The 'disputes' item, if yes, specifies that the full P3P policy
# contains some information regarding disputes over the information
# contained within the cookie.
#
# The default value is 'no'.
#
# disputes = no

#
# The 'remedies' item specifies the possible remedies for disputes.
# Possible values are:  'correct', 'money', and 'law'.
# If not specified, no remedy information is included in the policy.
#
# remedies = correct

#
# The 'non-identifiable' item, if yes, specifies that no information
# in the cookie, or linked to by the cookie, personally identifies the
# user in any way.
#
non-identifiable = no

#
# The 'purpose' item specifies the purpose of the information in the
# cookie and linked to by the cookie.
#
# Possible values are 'current', 'admin', 'develop', 'tailoring',
# 'pseudo-analysis', 'pseudo-decision', 'individual-analysis',
# 'individual-decision', 'contact', 'historical', 'telemarketing',
# and 'other-purpose'.
#
# For all values except 'current', an additional specifier may be
# configured.  The possible values are 'always', 'opt-in', 'opt-out'.
# If no value is specified, 'always' will be used.
# This value is specified after the purpose and separated from it by a
# colon, for example:
#    purpose = contact:opt-in
#
purpose = current
purpose = other-purpose:opt-in

#
# The 'recipient' item specifies the recipients of the information in
# the cookie, and linked to by the cookie.
#
# Possible values are 'ours', 'delivery', 'same', 'unrelated',
#   'public', 'other-recipient'.
#
recipient = ours

#
# The 'retention' item specifies how long the information in the cookie
# or linked to by the cookie will be retained.
#
# Possible values are 'no-retention', 'stated-purpose',
#   'legal-requirement', 'business-practices', 'indefinitely'.
#
retention = no-retention

#
# The 'categories' item specifies the type of information stored in the
# cookie or linked to by the cookie.  If the 'non-identifiable' item
# is yes, then no categories need be configured.
#
# Possible values are: 'physical', 'online', 'uniqueid', 'purchase',
#   'financial', 'computer', 'navigation', 'interactive',
#   'demographic', 'content', 'state', 'political', 'health',
#   'preference', 'location', 'government', 'other-category'.
#
categories = uniqueid

#
# The cfg-db-cmd:entries stanza is used to specify the configuration entries
# which will be exported or imported via the 'cfgdb' server task commands.  Each
# configuration entry will be checked sequentially against each item in
# the [cfg-db-cmd:entries] stanza until the first match is found.  This first
# match will then control whether the configuration entry is included, or
# excluded, from the configuration database.  If no match is found the
# configuration entry will be excluded from the configuration database.
#
# The format for entries contained within this stanza will be:
#   {stanza}::{entry} = [include|exclude]
#
# The 'stanza' and 'entry' fields may contain pattern matching characters.
#
# Examples entries for this stanza include:
#   server::unix-root = include
#   ldap::*           = exclude
#   *::*              = include
#


[cfg-db-cmd:entries]

# Exclude some configuration entries which are specific to the appliance.
# The following entries should NOT be modified.
server::server-name = exclude
server::jctdb-base-path = exclude
server::cfgdb-base-path = exclude
junction::local-junction-file-path = exclude
authentication-mechanisms::* = exclude
aznapi-configuration::trace-admin-args = exclude
system-environment-variables::PD_SVC_ROUTING_FILE = exclude
oauth-eas::*rsp-file = exclude
PAM::pam-log-cfg = exclude
PAM::pam-statistics-db-path = exclude
flow-data::flow-data-db-path = exclude
translog:pd.webseal::file-path = exclude
audit-configuration::base-cache-path = exclude
aznapi-external-authzn-services::* = exclude

# Exclude a number of server specific entries from the server stanza
server::unix-pid-file = exclude
server::http-port = exclude
server::https-port = exclude
server::server-root = exclude
server::network-interface = exclude

# Exclude the LDAP bind DN and password as this should be specified to
# each server.
ldap::bind-dn = exclude
ldap::bind-pwd = exclude

# Exclude the SSL keyfiles, but include the actual label which is used.
ssl::webseal-cert-keyfile-label = include
ssl::*keyfile* = exclude

# Exclude the port on which we listen for requests from the policy server.
ssl::ssl-listening-port = exclude
ssl::listen-interface = exclude

# Exclude various authentication mechanisms as these should also be configured
# by default.
authentication-mechanisms::passwd-ldap = exclude
authentication-mechanisms::cert-ldap = exclude

# Exclude the WebSEAL document root.
content::doc-root = exclude

# Exclude the various log files as these should be server specific.
logging::*log = exclude
logging::server-log* = exclude
logging::*file = exclude

# Exclude various server specific configuration entries for the authorization
# framework (e.g. log files, server identities, etc).
aznapi-configuration::db-file = exclude
aznapi-configuration::auditlog = exclude
aznapi-configuration::azn-app-host = exclude
aznapi-configuration::azn-server-name = exclude
aznapi-configuration::pd-user-name = exclude

# Exclude everything from the webseal-config stanza.
webseal-config::* = exclude

# Exclude the name of our obfuscated configuration file.
configuration-database::* = exclude

# Exclude the cluster settings as these are server specific.
cluster::* = exclude

# Exclude the interface specific settings as these shouldn't, in a normal
# environment, need to be replicated.  The [interfaces] stanza contains the
# definitions which are specific to a particular interface.
interfaces::* = exclude

# Exclude the appliance-preset listen-interface
appliance-preset::listen-interface = exclude

# We want to include everything else.
*::* = include

#
# The cfg-db-cmd:files stanza is used to specify the files which
# will be exported or imported via the 'cfgdb' server task commands.
#
# The format for entries contained within this stanza will be:
#   file = <file-path>, or
#   file = cfg(<stanza>::<entry>)
#
# The '<file-path>' entry should contain either a fully qualified file name,
# a file name which is relative to the WebSEAL installation root, or a file
# name which is relative to the WebSEAL server root (as defined by the
# server-root configuration entry).
#
# The 'cfg(<stanza>::<entry>)' entry is used to define the configuration entry
# which will contain the name of the file which is to be included.
#
# Examples entries for this stanza include:
#   file = /opt/pdwebrte/etc/cert-rules.txt
#   file = www-default/lib/jmt.conf
#   file = cfg(junction::jmt-map)
#
# The template configuration file will contain entries for the most commonly
# used files.  Files which are not included in the default configuration
# include:
#
#      stanza                            configuration entry
#      ------                            -------------------
#      spnego                            spnego-krb-keytab-file
#      cdsso-peers                       <full qualified host name>
#      e-community-domain-keys           <domain name>
#      e-community-domain-keys:<domain>  <domain name>
#      dsess-cluster:<name>              ssl-keyfile and ssl-keyfile-stash
#      tfim-cluster:<name>               ssl-keyfile and ssl-keyfile-stash
#      http-transformations              <resource name>
#

[cfg-db-cmd:files]

# Include the key file which is used when communicating with browsers
file = cfg(ssl::webseal-cert-keyfile)
file = cfg(ssl::webseal-cert-keyfile-stash)
file = cfg(junction::jct-cert-keyfile)
file = cfg(junction::jct-cert-keyfile-stash)
file = cfg(failover::failover-cookies-keyfile)
file = cfg(ltpa::keyfile)
file = cfg(junction::jmt-map)
file = cfg(server::dynurl-map)
file = cfg(dsess-cluster::ssl-keyfile)
file = cfg(dsess-cluster::ssl-keyfile-stash)
file = cfg(tfim-cluster:my-cluster::ssl-keyfile)
file = cfg(tfim-cluster:my-cluster::ssl-keyfile-stash)

# Include the key file which is used when communicating with junctioned
# Web servers.

# Include the failover cookie key file.

# Include the LTPA keyfile used during authentication

# Include the junction mapping table.

# Include the Dynamic URL map.

# Standard key files for the DSess and TFIM clusters

#
# The jdb-cmd:replace stanza is used to define the mapping rules
# for the jdb import command.  These mapping rules will be applied
# to each attribute within the junction archive file prior to
# importing the new junction database.
#
# The format for entries contained within this stanza will be:
#   {jct-id} = {search-attr-value}|{replace-attr-value}
#
# Where:
#   {jct-id}:             Refers to the junction point for a standard junction
#                         (including the leading '/'), or the virtual host
#                         label for a virtual host junction
#   {search-attr-value}:  The attribute value which is to be searched for
#                         within the junction definition.
#   {replace-attr-value}: The attribute value which is to be used within the
#                         new junction definition.
#
# An example entry for this stanza could be:
#  /test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com
#

[jdb-cmd:replace]

# The following stanza is used to house configuration information
# which is necessary for the support of WebSEAL clusters.  WebSEAL
# clusters are used to automate the syncrhonization of data between
# different WebSEAL servers.

[cluster]

# Is this machine a master for the cluster?  There should only ever
# be a single master for each cluster.  Any modifications to the
# configuration of a cluster should only ever be made to the
# master.
#is-master = <yes/no>

# If is-master is set to 'no' then the following value needs to
# be specified.  It is used to define the authorization server
# name of the master,
#  e.g. default-webseald-server.ibm.com
# master-name = <azn-name>

# The maximum amount of time to wait, in seconds, for a slave
# server to be restarted.  This configuration entry is only
# applicable to the master server.
max-wait-time = 60

[http-transformations]

# The http-transformations stanza is used to house configuration information
# which is necessary for the support of WebSEAL HTTP transformations.
# WebSEAL HTTP transformations are used to modify HTTP requests and
# HTTP responses (excluding the HTTP body) using XSLT.
# To enable the HTTP transformations for a particular object a POP should
# be attached to the appropriate part of the object space.  This POP
# should contain an extended attribute(s) with name of 'HTTPTransformation'
# and a value of 'Request=<resource-name>' and/or 'Response=<resource-name>'.
#
# HTTP transformation resources can be defined by specifying the resource name
# and the path to the resource file.
#
# Format is:
#    <resource-name> = <resource-xsl-file>

# The following files are currently available for this configuration entry:
# - <none available>

resource-name =

#
# The [http-transformations:<resource-name>] stanza is used to house
# configuration which is specific to a particular HTTP transformation resource.
#

[http-transformations:<resource-name>]

#
# The cred-attr-name configuration entry is used to define the
# credential attributes which will be included in the XML input
# document, used when evaluating the HTTP transformation rule.
#
# The credential attributes will be stored in a new XML
# element within the top level XML container: <Credential>.
# For example:
#     <HTTPResponse>
#       <Credential>
#         <Attributes>
#           <Attribute name=AZN_CRED_PRINCIPAL_NAME>testuser</Attribute>
#         </Attributes>
#       </Credential>
#
#     </HTTPResponse>
#
# The configuration entry may be specified multiple times if
# multiple credential attributes are required in the XML input
# document.
#
# Some of the more common attributes include:
#   AZN_CRED_PRINCIPAL_NAME
#   AZN_CRED_AUTHZN_ID
#   AZN_CRED_PRINCIPAL_UUID
#   AUTHENTICATION_LEVEL
#   tagvalue_session_index
#
# For a complete list of attributes the pdweb.wan.azn trace point can be
# set to level 9, and then a request sent to WebSEAL.  The output trace will
# contain a list of all attributes associated with the user credential.
#
cred-attr-name =

#
# The request-match configuration entry is used to define the pattern to be
# matched against the HTTP request line, which includes method, URI, and
# protocol. If a match is successful, then a HTTP transformation is triggered.
#
# Format is:
#   request-match = {request|response}:<request-line>
#
# The entry must begin with either request or response, which indicates whether
# the processing is conducted on the HTTP request or response.
# <request-line> contains the request line to be matched against. The pattern
# matching is case-sensitive. Wildcard characters * and ? can be used.
# This entry is optional. Multiple entries can be specified if needed.
#
# You also have the option of matching a request using a host header, useful
# when selectively enabling this functionality for a particular virtual host
# junction.  To selectively match an entry based on a particular host header
# the <request-line> should be prepended with the string: [<host>].
#
# Please note that if you use this mechanism to match the request to a rule
# the evaluation of the rule will occur early in the request processing which
# means that credential attributes will not be available in the evaluation of
# the rule.  If you need to use credential attributes in your request
# transformation you should use the alternative POP mechanism for invoking the
# rule.
#
# For example:
#   request-match = request:GET /index.html HTTP/1.1
#   request-match = response:GET /jct/*
#   request-match = response:[www.ibm.com]GET /login/*
#
request-match =

#[ICAP:<resource>]
#
#
# The [ICAP:<resource>] stanza is used to define a single ICAP
# resource.  The '<resource>' component of the stanza name should
# be changed to the actual name of the resource.
#
# To enable the ICAP resource for a particular object a POP should
# be attached to the appropriate part of the object space.  This POP
# should contain an extended attribute with a name of 'ICAP' and
# a value which is equal to the name of the configured ICAP resource.
#
#
# The complete URL on which the ICAP server is expecting requests.
# An example might be:
#    URL = icap://icap.example.net:1344/filter?mode=strict
#
# An SSL connection to the ICAP server is also supported.  When
# using an SSL connection, the keystore used is that which is defined
# in the [junction] stanza of this file.  To identify an SSL connection
# to an ICAP server, use the string 'icaps' for this entry.  An
# example might be:
#    URL = icaps://icap.example.net:1345/filter?mode=strict
#
# URL =
#
# The list of transactions for which this resource will be invoked.
#
# Possible values are:
#      'req':  The ICAP server will be invoked on the HTTP request;
#      'rsp':  The ICAP server will be invoked on the HTTP response;
#
# transaction = req
#
#
# The maximum length of time (in seconds) that WebSEAL will wait for
# a response from the ICAP server.
#
# timeout = 120
#
# If the connection to the ICAP server is SSL (see above) then an
# optional entry can be provided to identify the label of the
# certificate to use from the keystore.  This entry is only required
# if client certificate authentication is needed.
#
# ssl-keyfile-label = <label>


[system-environment-variables]
KRB5_CONFIG = /var/PolicyDirector/etc/krb5.conf
KRB5RCACHEDIR = /var/PolicyDirector/log
VAR_ACE = /var/ace/

#
# Environment variables which are exported by the WebSEAL daemon.
# The environment variable names are case sensitive.  The format
# of each entry is:
#    <env-name> = <env-value>
#
# For example:
#    LANG = de
#
# NB: This functionality is not available on Windows platforms, and
#     as such the system-environment-variables stanza will be ignored on
#     Windows.

[cert-map-authn]

#
# The name of the rules file which will be used by the certificate mapping
# CDAS.
#

# The following files are currently available for this configuration entry:
# - <none available>

rules-file =

#
# The initial tracing level of the authentication module.  The level
# variable indicates the trace level, with 1 designating a minimal
# amount of tracing and 9 designating the maximum amount of tracing.
# The trace level can also be modified using the Tivoli Access Manager
# pdadmin trace commands, supplying the trace component name of
# pd.cas.certmap. This trace component is only available after the
# first HTTP request has been processed.
#
debug-level = 0

#
# The following stanza is used to configure WebSEAL so that it can
# communicate with a HTTP Server to retrieve updates to files.
#

[user-map-authn]

#
# The name of the rules file which will be used by the authenticated
# user mapping module.
#

# The following files are currently available for this configuration entry:
# - <none available>

rules-file =

#
# The initial tracing level of the mapping module.  The level
# variable indicates the trace level, with 1 designating a minimal
# amount of tracing and 9 designating the maximum amount of tracing.
# The trace level can also be modified using the Tivoli Access Manager
# pdadmin trace commands, supplying the trace component name of
# pd.cas.usermap. This trace component is only available after the
# first HTTP request has been processed.
#
debug-level = 0

[password-strength]

#
# The name of the rules file which will be used by the password
# strength module.
#

# The following files are currently available for this configuration entry:
# - <none available>

rules-file =

#
# The initial tracing level of the password strength module.  The level
# variable indicates the trace level, with 1 designating a minimal
# amount of tracing and 9 designating the maximum amount of tracing.
# The trace level can also be modified using the Tivoli Access Manager
# pdadmin trace commands, supplying the trace component name of
# pd.cas.pwdstrength. This trace component is only available after the
# first change password operation has been processed.
#
debug-level = 0

[http-updates]

#
# The URL which contains the HTTP file, for example:
#  https://99.n.trusteer.com/74767/api/snippets
#

update-url =

#
# The proxy server which will be used when connecting to the HTTP server.
# The configuration entry should be of the form: <server>:<port>.
#

proxy =

#
# The label of the certificate which will be used for authentication
# to the HTTP server.  This certificate must be present in the
# certificate database which is used for junction communication.
#

ssl-keyfile-label =

#
# The DN of the server.  This configuration entry is only used if an
# SSL connection is established with the server and an SSL key file
# label has been specified.
#

ssl-server-dn =

#
# The frequency, in seconds, that the update server will be polled
# for updates.
#

poll-period = 3600

#
# The following configuration entry can be used to perform a search and
# replace on text which is contained within the updated files.  The format
# of the configuration entry will be:
#   replace = <search-pattern>|<replace-text>
#
# where:
#   search-pattern = the regular expression pattern which is to be matched
#   replace-text   = the text which will replace the matched text
#
# The '|' character cannot be used in the search-pattern text.
#
# Multiple instances of this configuration entry can be used if multiple
# substitutions are required.
#

#
# The following 'itim' stanza is used to configure the Password Synchronization
# Adapter for Tiovli Identity Manager.
#
[itim]

#
# Is the adapter enabled?
#
is_enabled = false

#
# This is the hostname or IP address of the Tivoli Identity Manager
# server that hosts the Tivoli Identity Manager Adapter for Tivoli Access
# Manager.  In a WebSphere Application Server cluster environment, you
# need to configure SSL for the IBM HTTP Server.  If you are using a WebSphere
# Application Server single-server environment, you do not need to configure
# SSL for the IBM HTTP Server.
#   * This entry is mandatory.
#
itim-server-name = <TIM Server IP address>

#
# The port associated with the itim-server-name URL above. The default
# HTTPS port is 9443 for a single server configuration and 443 for a
# Tivoli Identity Manager cluster with HTTP SSL configured.
#
#servlet-port=9443

#
# The password synchronization context root on the application server.
#
#servlet-context=/passwordsynch/synch

#
# An ID which has the necessary permission(s) to request the check and
# synchronization operations. The best practice is to create a separate
# account with appropriate permissions and use this account instead of
# the ITIM manager account.
#   * This entry is mandatory.
#
principal-name = <Principal Name>

#
# The password for the Tivoli Identity Manager Principal Name.
#   * This entry is mandatory.
#
principal-password = <Principal Password>

#
# The following three items hold the pseudo-distinguished names of the
# services (resources) issuing the password synchronization request. This
# pseudo-distinguised name consists of the attributes o, ou and dc from
# the Tivoli Identity Manager LDAP organization context, and the
# erservicename attribute of the Tivoli Access Manager service name, as
# defined in Tivoli Identity Manager.
#
# If there are more than one pseudo-distinguished names specified, they
# must be separated with a semicolon (;) character. The adapter iterates
# through the list of service names until an account is found for one of
# the services. If no account is found on the specified services, an error is
# reported.
#   * It is mandatory to specify at least on of the following three entries.
#

#
# service-source-dn is used to define the service pseudo-distinguished
# name for all authentication methods.
#
service-source-dn = <service pseudo DN>

#
# service-password-dn is used to define the service pseudo-distinguished
# name if using standard password as the authentication method. If this is
# specified, it will override the password authentication method that is
# defined under service-source-dn.
#
#service-password-dn = <service pseudo DN>
#
# service-token-card-dn is used to define the service pseudo-distinguished
# name if using token card as the authentication method. If this is specified,
# it will override the token card authentication method that is defined under
# service-source-dn.
#
#service-token-card-dn = <service pseudo DN>
#
# The location and name of the Key Database file.
#    * This entry is mandatory.
#

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

keydatabase-file =

#
# The password for the Key Database file.
#    * Either this entry, or the keydatabase-password-file entry is
#      mandatory.
#
#keydatabase-password = <kdb password>
#
# The password stash-file for the Key Database file.
#    * Either this entry, or the keydatabase-password entry is
#      mandatory.
#

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

keydatabase-password-file =


# Enable and configure Web Socket support.
[websocket]

# The maximum number of threads which will be used used to proxy
# WebSocket connections through WebSEAL.  A value of zero will cause WebSockets
# to be blocked. Each WebSocket connection will require two worker threads.
# If more than max-worker-threads are in use WebSEAL will immediately close the
# WebSocket even if the WebSocket upgrade request to the Junction succeeded.  The
# WebSocket threads operate independently from the [server] worker-threads.
max-worker-threads = 0

# To avoid the overhead of starting and stopping WebSocket worker threads
# a number of threads can be left running idle.  This will consume memory
# resources to keep them alive and idle when not in use, but will save CPU and
# thread start-up time when a new WebSocket requires threads.
# This option specifies the maximum count of cached idle worker threads. A value
# of zero will disable the caching of idle threads.
idle-worker-threads = 0

# The number of seconds to wait for data to be received from the junctioned WebSocket
# server.  If the timeout is reached the WebSocket connection will be closed.
jct-read-inactive-timeout = 120

# The number of seconds to wait for data to be received from the WebSocket client (browser).
#  If the timeout is reached the WebSocket connection will be closed.
clt-read-inactive-timeout = 120

# The number of seconds to wait if WebSEAL is blocked while sending data to the
# junctioned WebSocket server.  If the timeout is reached the WebSocket
# connection will be closed.
jct-write-blocked-timeout = 20

# The number of seconds to wait if WebSEAL is blocked while sending data to the
# WebSocket client (browser).  If the timeout is reached the WebSocket
# connection will be closed.
clt-write-blocked-timeout = 20


[http-method-perms]

#
# This stanza defines the ACL permission bits required to perform a
# request using a particular HTTP method.
#
# The "<default>" entry defines the permissions required for any
# methods not explicitly specified in the stanza.
#
# The "<default>" entry itself has no default value and must be
# specified as a non-empty string in the stanza.
#
# This stanza may be overridden on a per-junction basis by qualifying
# the stanza name with the junction name. When overridden in this way
# only the entries in the qualified stanza will apply to the junction.
#
# For example:
#
# [http-method-perms]
# <default> = r
# POST = rx
#
# [http-method-perms:/myJunction]
# <default> = r
#
# In this scenario:
# - A POST request to /myJunction will require 'r' permission (from <default>)
# - A POST request to any other junction will require the 'rx' permissions
# Note that /myJunction does not inherit the "POST" entry from the  global
# [http-method-perms] stanza.
#
# If this stanza is empty, WebSEAL will operate with the legacy behavior.
# The legacy behaviour is equivalent to:
#
# [http-method-perms]
# <default> = r
# PUT = m
# DELETE = d
#

#
# The oauth-eas configuration stanza is used to configure the EAS which
# communicates with TFIM to handle OAuth authorization.  The EAS itself will
# be invoked for a particular object if the effective POP for the object has
# an attribute entitled "eas-trigger", with an associated value of
# "trigger_oauth_eas".
#

[oauth-eas]

# Should the EAS be enabled?
eas-enabled = false

# A majority of the OAuth settings exist in the [oauth] stanza.  These are
# specific to the OAuth EAS implementation.

# The maximum number of OAuth 2.0 bearer token authorization decisions to cache.
# This EAS has a built in cache for storing authorization decisions so that
# repeated use of the same OAuth 2.0 bearer token does not require repeated
# authorization requests. Bearer token decisions can be cached because they do not
# require signing of the request, unlike OAuth 1.0 requests. The lifetime of the
# cache entry is based on the Expires attribute returned in the STS. If this
# attribute is not returned, the decision will not be cached.
#
# This EAS implements a Least Recently Used cache, meaning the decision
# associated with the least recently used bearer token will be forgotten when a
# new bearer token decision is cached. A cache-size of 0 will disable caching of
# authorization decisions
cache-size = 0

# The default OAuth mode that this EAS will operate under. It affects the
# validation of request parameters, as well as the construction of the RST. The
# default mode can be overriden for an individual request by providing a valid
# mode value [OAuth10|OAuth20Bearer] in a request parameter with the name
# specified in the mode-param option below.
default-mode = OAuth10

# The name of the request parameter that can be used to override the
# default-mode option configured above. By deleting this configuration
# option, you can enforce that the default mode is always used.
mode-param = mode

# The name of the OAuth realm which will be used in a 401 request
# for OAuth data.
realm-name = ISAM

# The name of the file which contains the body used when constructing a
# '400 Bad Request' response.  This response will be generated when
# required OAuth elements are missing from a request.

# The following files are currently available for this configuration entry:
# - oauth_template_rsp_400_bad_request.html
# - oauth_template_rsp_502_bad_gateway.html
# - oauth_template_rsp_401_unauthorized.html

bad-request-rsp-file = oauth_template_rsp_400_bad_request.html

# The name of the file which contains the body used when constructing a
# '401 Unauthorized' response.  This response will be generated when:
#     - all OAuth data is missing from a request, or
#     - the OAuth data fails validation.

# The following files are currently available for this configuration entry:
# - oauth_template_rsp_400_bad_request.html
# - oauth_template_rsp_502_bad_gateway.html
# - oauth_template_rsp_401_unauthorized.html

unauthorized-rsp-file = oauth_template_rsp_401_unauthorized.html

# The name of the file which contains the body used when constructing a
# '502 Bad Gateway' response.  This response will be generated when the
# processing of the request fails.

# The following files are currently available for this configuration entry:
# - oauth_template_rsp_400_bad_request.html
# - oauth_template_rsp_502_bad_gateway.html
# - oauth_template_rsp_401_unauthorized.html

bad-gateway-rsp-file = oauth_template_rsp_502_bad_gateway.html

# The name of the TAM trace component which is used by the EAS.
trace-component = pdweb.oauth

# Should the native TAM ACL policy still take affect, in addition to the
# OAuth authorization?
apply-tam-native-policy = false


#
# The rtss-eas configuration stanza is used to configure the EAS which
# communicates with the RBA server.  The EAS itself will be invoked for a
# particular object if the effective POP for the object has an attribute
# entitled "eas-trigger", with an associated value of "trigger_rba_eas".
#

################################################################################
# Risk Based Access (RBA) External Authorization Service (EAS) Settings
#
#                                BEGIN
#
################################################################################
[rtss-eas]
# Specify the name of the IBM Security Access Manager trace component that the
# EAS uses

trace-component = pdweb.rtss

# Set this property to true if you want the EAS to first check with IBM(r)
# Security Access Manager whether the user has permission to access the
# resource based on the ACL set.

apply-tam-native-policy = true

# Defines the context-id (Policy ID) that is used in the XACML requests that are
# sent by the EAS to the RTSS.  Set this entry to one of the following values:
#
#        context-server-name
#                to use the WebSEAL server-name for all requests.
#
#        context-inherited-pop
#             to use the location of the inherited POP for all requests.  Use
#             this value if you require multiple policies for different
#             portions of the protected resource tree.
#
#        <other-policy-id>
#                Use this value as the Policy ID for all requests.
#
# If the context-id parameter is not set, the WebSEAL server-name is used as
# the default value.

# context-id =

# The audit logging configuration.  This entry consists
# of an agent identifier, followed by attributes which are
# associated with the agent.  Each attribute consists of a
# name/value pair, separated by '=', and each attribute is
# separated by ','.
#
# For example, to configure the auditing of records to a file:
# audit-log-cfg = file path=/tmp/rtss-audit.log,flush=20,rollover=2000000,buffer_size=8192,queue_size=48
# To send audit logs to STDOUT:
# audit-log-cfg = STDOUT
#
# If this attribute is missing or not configured, no audit
# events will be logged.

# audit-log-cfg =


# Specify the name of the runtime security services SOAP cluster
# that contains this runtime security services SOAP service.
# Also specify a corresponding [rtss-cluster:<cluster>]
# stanza with the definition of the cluster.

cluster-name = cluster1

# ISAM for Mobile receives a credential from the RBA EAS that contains
# attributes for use in performing a risk assessment.  This is called the
# "RBA EAS credential" and is not the same as the WebSEAL credential, though it
# may contain attributes with the same names.
#
# The client IP address is passed to the RBA EAS in the
# AZN_CRED_NETWORK_ADDRESS_STR RBA EAS credential attribute.  In previous
# versions, this contained the client IP that was used when the WebSEAL
# credential was built, regardless of whether the client IP changed during the
# session.
#
# That default behavior changes if WebSEAL is configured to pass the current
# client IP address to the EAS in the [azn-decision-info] stanza.  In order to
# ensure that risk assessment is being performed using the most current
# information, the AZN_CRED_NETWORK_ADDRESS_STR RBA EAS credential attribute
# will contain the client IP address used for the current request.  Setting
# use_real_client_ip to 'false' provides backwards compatibility and enables
# the previous behavior.
#
# use_real_client_ip = false


# Previous versions of RBA used the "value" of an [azn-decision-info] stanza
# entry (i.e. the "right side") as it's attribute ID.  This version of RBA
# uses the "key" of an [azn-decision-info] stanza entry (i.e. the "left side")
# as the attribute ID.  To enable the behavior with previous releases, use
# the following setting:
#
# provide_700_attribute_ids  = true


# The EAS contacts the runtime security services servers to make an access
# decision. The [rtss-cluster] stanza below determines which servers to contact.
# If none of the specified servers are available, an error is returned and no
# access is permitted.  If you do not want this behavior, you can use the
# following permit-when-no-rtss-available entry to permit all requests when no
# servers are available. The default value is false.
#
# permit-when-no-rtss-available = true
#
# Caution: With this setting, every single request will be permitted only when
# none of the runtime security services servers are available. This includes
# access that might not be permitted if the server was available.

# Size of the RTSS decision cache.
# Decision caching is enabled by setting the attribute "CBACacheResult" to a
# non-zero value on the protected object that has the RTSS EAS enabled POP
# attached to it.  The enablement applies to all child protected objects unless
# overridden by an RTSS EAS enabled POP attached to one of the children.
# When the cache is full it will discard the least recently used entry to make
# room for a new entry.  Please read the documentation for this configuration
# entry to understand the limitations of using the decision cache.
#
# Notes:
# 1) The permitted values for the protected object attribute CBACacheResult are:
#    -1  : Cache decision for lifetime of user's session.
#     0  : Disable caching
#    >0  : Number of seconds to cache decision.
# 2) If cba_cache-size is set to a value less than 512 it will use a value of 512.
#
# cba-cache-size = 16384


[rtss-cluster:cluster1]
# Specify the definitions for a cluster of runtime security services
# SOAP servers in this stanza.

# Define the specifications of the server that you use to communicate
# with a single runtime security services SOAP server,
# which is a member of this cluster.
# Values for this entry are defined as:
#       {[0-9],}<URL>
# where the first digit (if present) represents the priority of the server
# in the cluster (9 being the highest, 0 being lowest). A priority of 9 is
# assumed if you do not specify a priority.  The <URL> can be any
# well-formed HTTP or HTTPS URL.

# You can specify multiple server entries for failover and load balancing
# purposes.  The complete set of these server entries defines the
# membership of the cluster for failover and load balancing.

# The following is an example of an HTTP URL
# server = 9,http://localhost:9080/rtss/authz/services/AuthzService

# The following is an example of an HTTPS URL. You will also need to ensure that
# your SSL configuration below is correct.
#server = 9,https://localhost:9443/rtss/authz/services/AuthzService

# Specify the maximum number of cached handles that are used when
# communicating with runtime security services SOAP.

handle-pool-size = 10

# Specify the length of time, in seconds, before an idle handle is removed
# from the handle pool cache.

handle-idle-timeout = 240

# Specify the length of time, in seconds, to wait for a response from
# runtime security services SOAP.

timeout = 240

# You can use the following optional configuration entries if
# the runtime security services SOAP server is configured to require
# basic authentication. If you leave these entries blank,
# the basic authentication header is not provided when communicating
# with the runtime security services SOAP server.

# Specify the name of the user for the basic authentication header.

basic-auth-user =

#
# The following SSL entries are optional and are only required if:
#    1. At least one server entry indicates that SSL is to be used (i.e.
#       starts with https:)
#    2. A certificate is required other than that which is used by this server
#       when communicating with the policy server (details of the
#       default certificate can be found in the [ssl] stanza of this
#       configuration file.
#
# If these entries are required and are not found within this stanza, the
# default [ssl] stanza will be searched.
#
#
# The name of the key database file which houses the client certificate to be
# used.
#
# ssl-keyfile =

#
# The name of the password stash file for the key database file.
#
# ssl-keyfile-stash =

#
# The label of the client certificate within the key database.
#
# ssl-keyfile-label =

#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted.  If no entry is configured
# all DN's will be considered to be valid.  Multiple DN's can be specified by
# including multiple configuration entries of this name.
#
# ssl-valid-server-dn =

#
# The entry controls whether FIPS communication is enabled with RTSS/SOAP or
# not.  If no configuration entry is present the global FIPS setting (as
# determined by the TAM policy server) will take effect.
#
# ssl-fips-enabled =

# Configure NIST SP800-131A compliance mode.  This will have the affect of:
#   - enabling FIPS mode processing (over-riding the value of the
#     ssl-fips-enabled configuration entry);
#   - enabling TLS V1.2;
#   - enabling the appropriate signature algorithms;
#   - setting the minimum RSA key size to 2048 bytes.
#
# If no configuration entry is present the global NIST setting (as found in
# the [ssl] stanza) will be used.
#
# ssl-nist-compliance = no

# Define the mappings between the obligation levels that the policy decision
# point (PDP) returns and the WebSEAL step-up authentication levels.
# The mapping must be one-to-one and the user must be permitted to authenticate
# only through the appropriate obligation mechanisms. These entries ensure that
# the EAS maps the obligations to the authentication levels and vice versa
# correctly.

[obligations-levels-mapping]
life_questions = 2
otp = 3
email = 4
voice = 5


# Define the mappings between the obligation that the policy decision point
# (PDP) returns and a URL that will attempt to satisfy the obligation.
# The mapping must be one-to-one and the user must be permitted to authenticate
# only through the appropriate obligation mechanisms.  When the EAS receives
# this obligation, the user is redirected to the URL provided.
# Entries in this stanza must be unique with regard to the entries in the
# [obligations-levels-mapping] stanza.
#
# You can also use wildcard obligations in this stanza.  Add an asterisk at the
# end of an obligation to indicate that all obligations found that match this
# entry, up to but not including the asterisk, are redirected to the URL value.
# Exact matches are used first. Then, if no match is found, wildcard matches
# are used.
#
# For example, to redirect all obligations that start with urn:example to
# http://www.example.com, add the following entry:
#
# urn:example:* = http://www.example.com
#
[obligations-urls-mapping]
# obligation1 = https://example.com/FIM/sps/xauth?AuthenticationLevel=1


# Provide the data type for any entry in the [azn-decision-info] stanza that is
# not a string. For each entry in the [azn-decision-info] stanza, risk-based
# access must know its data type. By default, all entries are of data type
# string.  If an entry is not of data type string, you must create an entry
# in this stanza to define the data type. Valid data types are: string, integer,
# boolean, double, x500name, time and date.
# For example, if the following entry exists in the [azn-decision-info] stanza:
#
#        urn:example:company:txn:value = post-data:/"accountBalances"/"savings"
#
# and its data type is double, you must create an entry to define this.
# Append .datatype to the attribute ID (urn:example:company:txn:value) and
# specify double, as follows:
#
#        urn:example:company:txn:value.datatype = double
#
# Also, provide the category for any entry in the [azn-decision-info] stanza
# that is not Environment. For each entry in the [azn-decision-info] stanza,
# risk-based access must know its category.  By default, all entries are of
# category Environment.  If an entry is not of category Environment, you must
# create an entry in this stanza to define the category. Valid categories are:
# Environment, Action, Subject and Resource.
# For example, if the following entry exists in the [azn-decision-info] stanza:
#
#        urn:example:company:txn:userid = post-data:/"userid"
#
# and its category is Subject, you must create an entry to define this.
# Append .category to the attribute ID (urn:example:company:txn:userid) and
# specify Subject, as follows:
#
#        urn:example:company:txn:userid.category = Subject
#
[user-attribute-definitions]


################################################################################
# Risk Based Access (RBA) External Authorization Service (EAS) Settings
#
#                                END
#
################################################################################


#
# The PAM stanza is used to house the configuration data which
# is required for the PAM integration. The PAM functionality
# is used to provide deep content packet inspection on selected
# requests, checking for potential security vulnerabilities.
#

[PAM]

#
# Whether PAM analysis is enabled.
#
pam-enabled = false

#
# If simulation mode is enabled any issues which are detected will be
# audited and then ignored.  This provides a mechanism for allowing the
# administrator to see what issues are being detected without having an
# impact on the client traffic.
#
pam-simulation-mode-enabled = false

#
# The amount of memory, in bytes, which can be consumed by
# PAM. This allows PAM to tune the size of its caches for the
# amount of available memory.
#
pam-max-memory = 16777216

#
# The following item controls whether the X-Forwarded-For header
# is used to identify the client.  This configuration item is useful
# if a network terminating proxy is sitting between the server and the
# client.  If the value is set to false the client will be identified
# based on the socket connection information.
#
pam-use-proxy-header = false

#
# Any specific parameters which should be passed to the PAM
# HTTP interface during initialization. Refer to the PAM
# documentation for a list of valid PAM parameters.
#
# The configuration entry may be specified multiple times,
# one for each PAM parameter. The entry should be of the
# format:
# pam-http-parameter = <parameter>:<value>

#
# Any specific parameters which should be passed to the PAM
# coalescer interface. This interface is used to combine
# related PAM issues into a single event. Refer to the PAM
# documentation for a list of valid parameters.
#
# The configuration entry may be specified multiple times,
# one for each coalescer parameter. The entry should be of
# the format:
# pam-coalescer-parameter = <parameter>:<value>
#
# For example:
pam-coalescer-parameter = combine:on

#
# The logging configuration.  The logging configuration consists
# of an agent identifier, followed by attributes which are
# associated with the agent.  Each attribute consists of a
# name/value pair, separated by '=', and each attribute is
# separated by ','.
#
# For example, to configure the auditing of records to a file:
#     file path=pam.log,flush_interval=20,rollover_size=2000000
#
pam-log-cfg = file path=pam.log,flush_interval=20,rollover_size=2000000

#
# Should the audit events be sent to the PAM log file?
# It is worth noting that the number of logged events
# will increase dramatically if this option is enabled.
#
pam-log-audit-events = false

#
# PAM statistics can be enabled to provide a dashboard widget
# on the Web Gateway Appliance which displays a 30 day
# historical summary of the actions taken by PAM. This
# functionality records how many times WebSEAL has performed
# an action based on this instance's PAM configuration.
#
enable-pam-statistics = true

#
# The pam-statistics-bucket-interval item controls the granularity
# of the buckets which the actions are stored in. The default
# value is 600, or ten minutes. This data is stored in buckets
# of the defined size for the first seven days. All records are
# also coalesced into daily buckets for the first 30 days.
#
pam-statistics-bucket-interval = 600

#
# Define which PAM issues will be disabled (by default all PAM
# issues are enabled).  The configuration entry is a comma
# separated list.  Each issue contained within the
# list will be disabled.
#
# For example:
#   to disable Ace_Filename_Overflow and HTTPS_Apache_ClearText_DoS:
#     pam-disabled-issues = 2121050,2114033
#
pam-disabled-issues =

# The rules which should be applied to determine whether
# a particular resource should be passed down to the PAM
# layer or not. Each rule will be examined in sequence
# until a match is found. The first successful match
# will determine whether the request is passed to the
# PAM layer or not. The request will not be passed to
# the PAM layer if no match is found.
#
# Multiple entries may be specified, and each entry
# should be of the format:
# pam-resource-rule = [+-]{uri}
#
# where:
#   +    : Indicates that matching requests should be
#          passed to the PAM layer.
#   -    : Indicates that matching requests should not
#          be passed to the PAM layer.
#  {uri} : Contains a pattern which is used to match
#          against the URI which is found in the
#          request. The wildcard characters '*'
#          and '?' may be used.
#
# For example:
# pam-resource-rule = -*.gif
# pam-resource-rule = +*.html
#

#
# The following stanza can be used to customize the
# PAM processing for individual resources and events.
# The name of the stanza should be of the format:
# [pam-resource:{uri}]
#
# where:
#   {uri} : Contains a pattern which is used to match
#           against the URI which is found in the
#           request. The wildcard characters '*' and
#           '?' may be used.
#
# For example:
# [pam-resource:*.js]
#

[pam-resource:test.html]

#
# The entries contained within this stanza are used
# to control the processing of certain PAM related
# events. Each entry will be of the format:
# {pam-issue} = {action}
#
# where:
#   {pam-issue} : Contains a pattern which is used to
#                 match a PAM issue. The wildcard
#                 characters '*' and '?' may be
#                 used.
#   {action}    : The action which is to be undertaken
#                 for the issue. The action can be
#                 one of the following:
#                 - block: Blocks the connection for
#                   a specified number of seconds,
#                   e.g. block:30;
#                 - ignore: Ignore the issue and
#                   continue to process the request;
#
# For example:
# 212105? = block:0
# 2119002 = block:20


[flow-data]

#
# WebSEAL on the Web Gateway Appliance can record performance data to be
# viewed using the LMI. This mechanism records the number of requests
# received by this WebSEAL instance along with the user-agent and junction
# which processed the request.
#
# User-agent strings are stored based on the configuration of the
# [user-agents] stanza. The [user-agents] stanza must be configured in
# order to use this functionality.
#
# This data is stored at a fine granularity for the first seven days, and
# as daily aggregations for the first thirty. Any data older than thirty
# days is discarded.
#

flow-data-enabled = true

#
# The interval defined here is the granularity of the data recorded.
# WebSEAL will aggregate the collected data into buckets of this size and
# will perform database commit operations each time this interval is
# complete.
#
# Note that after seven days, data is only kept in the daily (24 hour)
# buckets.
#
# This interval is given in seconds.
#

flow-data-db-interval = 600

[user-agents]

#
# This stanza allows WebSEAL to map arbitrary user-agent strings to defined
# categories for logging purposes. Each entry should be of the following
# format: <category> = <pattern>
#
# The category is the string that will be recorded for user-agent strings
# which match the pattern. The pattern supports the wildcard characters
# '*' and '?'.
#
# A category can be defined multiple times if more than one pattern will
# match a category.
#
# Note: This stanza must include one entry with the match-all pattern '*'.
#

CHROME = *chrome*
FIREFOX = *firefox*
SAFARI = *safari*
OPERA = *opera*
IE = *msie*
MSOFFICE = *office*
MSOFFICE = *outlook*
ANDROID = *android*
IOS = *ios*
SUNDRY = *


[manager]
master-host = iam