- #
- # FILENAME
- # webseald.conf
- #
- # DESCRIPTION
- # Configuration file for the Access Manager WebSEAL server (webseald)
- #
- ###############################
- # WEBSEAL GENERAL
- ###############################
- [server]
- # WebSEAL server instance name. Typically, this is based on the hostname of the
- # machine and the instance name of the server.
- server-name = iam.ibmemm.edu-sharif
- # If web-host-name is set WebSEAL will use this for the server's hostname. If
- # left unset WebSEAL will attempt to automatically determine the server's
- # hostname. On systems with many hostnames, interfaces or WebSEAL instances
- # the automatic determination may not always be correct requiring this manual
- # setting.
- # web-host-name = www.webseal.com
- #----------------------
- # THREADS AND CONNECTIONS
- #----------------------
- # Number of WebSEAL worker threads
- # The number of configured worker threads specifies the number of
- # concurrent incoming requests that can be serviced by this server
- # instance. Choosing the optimal number depends on the quantity
- # and type of traffic on your network. Modifying this value should
- # be done carefully to ensure optimal performance. Please consult
- # the WebSEAL Administration Guide for further information.
- worker-threads = 300
- # Initial client connection timeout (seconds)
- client-connect-timeout = 120
- # HTTP/1.1 persistent connection timeout (seconds)
- # This only affects connections to clients, not backend systems.
- persistent-con-timeout = 5
- # Intra-request timeout (seconds)
- # Timeout between data received or sent for a given request,
- # but not the first read. When this value is non-zero, it
- # also enables timeouts on http writes to clients and causes
- # a TCP RST packet to be sent if a connection timeout occurs
- # on the non-first data I/O. When this value is zero, the
- # client-connection-timeout is used instead.
- intra-connection-timeout = 60
- # The maximum number of requests that will be processed on a single
- # persistent connection.
- connection-request-limit = 100
- # The maximum number of idle client persistent connections. This value
- # should be less than the maximum number of connections supported by the
- # WebSEAL server to ensure that the idle connections do not consume all of
- # the available connections.
- max-idle-persistent-connections = 512
- # Allow WebSEAL to write chunked data to HTTP/1.1 clients. This can
- # improve performance by allowing connections to be reused even when
- # exact response length is not known before the response is written.
- chunk-responses = yes
- #----------------------
- # HTTPS CLIENT
- #----------------------
- # Allow HTTPS access
- https = yes
- # Port to use for HTTPS requests
- https-port = 444
- #----------------------
- # HTTP CLIENT
- #----------------------
- # Allow (unsecured) plaintext TCP HTTP access.
- # NOTE(review): with both http and https enabled, credentials and session
- # cookies can travel over the plaintext port unless HTTP requests are redirected
- # to HTTPS; confirm that this matches the deployment's requirements.
- http = yes
- # Port to use for unsecured (plaintext) HTTP requests
- http-port = 80
- # The following four options can be used to compensate for a protocol or port
- # mismatch between WebSEAL and its clients introduced by an intervening
- # device or application. The http variants are used to control the protocol
- # and port for requests that WebSEAL receives over a TCP interface and the https
- # variants are used to control the protocol and port for requests that WebSEAL
- # receives over an SSL interface.
- #
- # web-http[s]-port should be set to the port the client perceives WebSEAL to be
- # using, as opposed to the actual port WebSEAL is using, which is specified
- # by the http[s]-port parameters.
- # web-http-port and web-https-port are optional.
- #
- # web-http[s]-protocol should be set to the protocol the browser perceives
- # WebSEAL to be using, as opposed to the protocol that the intervening
- # device uses to communicate with WebSEAL.
- # Valid values are "http" or "https".
- # web-http-protocol and web-https-protocol are optional.
- #
- #web-http-port = 80
- #web-http-protocol = http
- #web-https-port = 443
- #web-https-protocol = https
- #----------------------
- # REQUEST BODIES AND CACHING
- #----------------------
- # This parameter specifies the maximum number of bytes that
- # WebSEAL will read from a client when parsing an HTTP request.
- # The total size of the URL and HTTP headers must be less than
- # this value. This parameter cannot be set lower than its
- # default: 32768
- max-client-read = 32768
- # This parameter specifies the maximum number of bytes to
- # read in as content from the body of requests for use in
- # dynurl, authentication, and request caching.
- #
- # 1) This impacts dynurl because the query portion of a
- # POST request URI is contained in the request body.
- #
- # 2) This impacts forms authentication, because this limits
- # the size of the POST data that will be processed
- # when performing such authentication. For this reason,
- # WebSEAL sets a hard minimum of 512 bytes on
- # request-body-max-read. If this value is set below
- # that minimum, the setting will be ignored and the
- # minimum will be used.
- #
- # 3) This affects the amount of data that WebSEAL will cache
- # for users who must authenticate before their request can be
- # fulfilled. This affects all requests that have bodies
- # (POSTs, PUTs, etc.).
- #
- # This does not limit the max POST size (which is unlimited).
- #
- request-body-max-read = 4096
- # When a user is prompted to authenticate before a request
- # can be fulfilled, the data from that request is cached
- # for processing after the completion of the authentication.
- # The maximum amount of data cached per request is determined
- # by request-max-cache.
- # If you want to ensure that you will be caching all of
- # request-body-max-read worth of the body of requests, you
- # must account for the maximum size of all the other request
- # components in this value.
- # Example: If you want to cache 2048 bytes of request bodies
- # and you anticipate that the maximum size of all request headers
- # and cookies will be 4096 bytes, you would:
- # 1) set request-body-max-read = 2048
- # 2) set request-max-cache = 2048 + 4096 = 6144
- request-max-cache = 8192
- #----------------------
- # DYNURL
- #----------------------
- # Location of the URL -> protected object mapping file
- # This path is relative to the server-root value in the [server] stanza
- # The following files are currently available for this configuration entry:
- # - dynurl.conf
- dynurl-map = dynurl.conf
- # Disallow/Allow POST requests larger than request-body-max-read.
- # This parameter only takes effect if dynurl is enabled.
- #
- # WebSEAL is not able to compare the entire contents of a POST
- # request to the URL mappings inside the dynurl.conf file if the body
- # of the post is larger than request-body-max-read.
- #
- # If this option is set to "no", then WebSEAL will not
- # allow POST requests with a body larger than request-body-max-read.
- #
- # If this option is set to "yes", then WebSEAL will compare only
- # up to request-body-max-read bytes of a POST request to the URL mappings
- # in the dynurl.conf file.
- dynurl-allow-large-posts = no
- # When reject-request-transfer-encodings is set to yes all request
- # to WebSEAL with a Transfer-Encoding value of anything other than
- # identity or chunked will be rejected with a status of 501, Not Implemented.
- # It is recommended for secure dynurl environments to set this to yes.
- reject-request-transfer-encodings = yes
- # When suppress-dynurl-parsing-of-posts is set to "yes" POST bodies will
- # not be used in dynurl processing, only Query strings will be used.
- # Before enabling this you must be certain that all dynurl checked server
- # applications do not accept arguments from POST bodies so dynurl checks
- # can't be bypassed using a POST instead of a Query string.
- suppress-dynurl-parsing-of-posts = no
- #----------------------
- # URI AND POST BODY DECODING
- #----------------------
- # If decode-query is set to "yes", WebSEAL will validate the query string
- # in requests according to the utf8-qstring-support-enabled parameter.
- # Otherwise, WebSEAL will not validate the query string. If decode-query
- # is set to "no" then dynurl must be disabled.
- decode-query = yes
- # Different portions of HTTP requests may be interpreted as either UTF-8 or
- # local code page according to the configuration items in this section. The
- # options for each portion of the request are either to ensure that the data
- # is UTF-8, ensure that the data is local codepage, or to accept either.
- #
- # If an option in this section is "yes", WebSEAL will ensure that the data
- # in that portion of the request is UTF-8.
- #
- # If an option in this section is "no", WebSEAL will ensure that the data
- # in that portion of the request is local codepage.
- #
- # If an option in this section is "auto", WebSEAL will first attempt to
- # validate the data as UTF-8. If the data is not UTF-8, then WebSEAL will
- # ensure the data is local codepage.
- # utf8-url-support-enabled controls how the location portion of the URI
- # (the portion before any question mark character) is interpreted.
- utf8-url-support-enabled = yes
- # utf8-qstring-support-enabled controls how the query portion of the URI
- # (the portion after the question mark character) is interpreted. This also
- # applies to the POST bodies of requests to junctions when dynurl is enabled.
- utf8-qstring-support-enabled = no
- # utf8-form-support-enabled controls how form logins, password change
- # requests, and other WebSEAL specific forms are parsed.
- utf8-form-support-enabled = yes
- # When double-byte-encoding is set to 'yes' WebSEAL will assume that URL's
- # which contain encoding characters are always encoded in unicode, and will
- # not contain UTF-8 encoded characters.
- double-byte-encoding = no
- # When a client URL specifies a directory location that does not end
- # in a trailing '/', the client is redirected to the same URL with a
- # trailing '/' added. This is necessary for ACL checks to work properly.
- # slash-before-query-on-redirect controls where the '/' is added
- # if the original URL has a query string.
- #
- # Setting slash-before-query-on-redirect to 'yes' causes the trailing '/'
- # to be added before the query string.
- # For example:
- # /root/directoryname?query becomes /root/directoryname/?query
- #
- # Setting slash-before-query-on-redirect to 'no' causes the trailing '/'
- # to be added after the query string.
- # For example:
- # /root/directoryname?query becomes /root/directoryname?query/
- #
- # A setting of 'no' could cause browser errors and is not recommended. This
- # option exists for backwards compatibility only.
- slash-before-query-on-redirect = yes
- #----------------------
- # SUPPRESSING SERVER IDENTITY
- #----------------------
- # WebSEAL writes a Server header with the value "WebSEAL/version.number"
- # with most responses (except those from a junctioned server).
- # Including this header can be suppressed by setting this to "yes".
- # NOTE(review): leaving this at "no" discloses the product name and version to
- # every client; confirm that this is a deliberate choice for this instance.
- suppress-server-identity = no
- # For responses that were from a junctioned server, WebSEAL writes the Server
- # header sent in the response from the backend. If the backend response did not
- # include a Server header, then WebSEAL will not write any Server header to the
- # client.
- # Writing this header can be suppressed by setting this to "yes".
- # NOTE(review): a backend Server header can likewise disclose product and
- # version information; confirm that passing it through is intended.
- suppress-backend-server-identity = no
- #----------------------
- # AUTH TOKEN VERSION
- #----------------------
- # Version 8.0.0 tokens use a different cipher than tokens in prior releases.
- # If you are integrating with earlier versions of ISAM you will need to enable
- # this to ensure the integrity of data across [e-community-sso], [failover], and
- # [cdsso].
- pre-800-compatible-tokens = no
- #----------------------
- # P3P Compact Policy header
- #----------------------
- # If 'preserve-p3p-policy' is set to 'no' (default), then any P3P headers from
- # junctioned servers will be replaced.
- #
- # If 'preserve-p3p-policy' is set to 'yes', then any P3P headers from junctioned
- # servers will be preserved.
- preserve-p3p-policy = no
- #----------------------
- # Network Interface
- #----------------------
- # Specify an alternative I.P. address to be used by this instance of WebSEAL.
- # This allows two or more WebSEAL instances to run on the same machine
- # while using differing I.P. addresses and host names.
- #
- # network-interface = 0.0.0.0
- network-interface = 192.168.42.193
- # If always-neg-tls is set to "yes" then any TLS connections on this interface
- # will only process one request. Once the request is complete the connection
- # will be closed and the TLS session will be destroyed. This forces a full
- # TLS session renegotiation every connection. This is an expensive method of
- # using TLS so this option should only be enabled if absolutely necessary.
- # Typically it could be enabled on the interface the secondary-port is referring
- # to so the TLS on that interface always requests a certificate from the client
- # (browser).
- always-neg-tls = no
- # Set use-secondary-listener to "yes" to inform webseal that this interface
- # uses the secondary port. Used to improve compatibility with some browsers.
- use-secondary-listener = no
- #----------------------
- # Filtering
- #----------------------
- # If preserve-base-href is no, then WebSEAL will remove all BASE HREF tags
- # from filtered HTML documents and prepend the base tag to filtered links.
- # Otherwise, the BASE HREF tag will be filtered.
- preserve-base-href = yes
- # If both preserve-base-href and preserve-base-href2 are set to yes, then
- # WebSEAL will only perform the minimum filtering of the BASE HREF tag
- # necessary to insert the WebSEAL host and junction names.
- # If preserve-base-href is no, preserve-base-href2 has no effect.
- preserve-base-href2 = yes
- # To enable tag-based filtering of static URLs for new MIME types added
- # to the [filter-content-types] stanza, change filter-nonhtml-as-xhtml to
- # yes. Tag-based URL filtering operates without configuration changes
- # for the text/html and text/vnd.wap.wml MIME types.
- filter-nonhtml-as-xhtml = no
- #---------------------
- # Method disablement
- #---------------------
- # Specify the HTTP methods which should be blocked when requesting local or remote
- # resources. Multiple methods should be separated with a comma (','). For example, to
- # block access to the TRACE and PUT methods over local junctions the configuration entry
- # would be:
- # http-method-disabled-local = TRACE,PUT
- #
- http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
- http-method-disabled-remote = TRACE,PUT,DELETE,CONNECT
- #---------------------
- # Processing root junction requests
- #---------------------
- # Specify whether WebSEAL will attempt to process requests for resources
- # located at the root ('/') junction before attempting to identify a
- # junction point to send the request via junction mapping mechanisms
- # such as the JMT or IV_JCT cookie.
- #
- # Avoiding root junction processing prevents processing being performed
- # for incorrect resources before the intended resource is identified.
- # This will have performance benefits and prevent false authorization or
- # filetype check failures.
- #
- # Valid choices are:
- # never - Root junction requests are never processed at the root junction.
- # That is, if a junction mapping mechanism is configured, such as
- # the JMT or IV_JCT cookie, WebSEAL will look for this junction
- # mapping information first (and look at the root junction last)
- # and process the request at the mapped junction point.
- #
- # always - Always attempt to process requests for the root junction at the
- # root junction first before looking for a configured junction
- # mapping mechanism, such as the JMT or IV_JCT cookie.
- # This is not recommended unless the root junction serves a large
- # set of resources or no junction mapping mechanisms are configured
- # for the set of junctions served by this WebSEAL server.
- #
- # filter - All root junction requests will be examined to determine whether
- # they start with the patterns specified in the process-root-filter
- # stanza.
- # If yes, the request will be processed at the root junction first.
- # If no, the request will be remapped immediately.
- #
- # NOTE(review): the value configured below is 'always', which the guidance
- # above discourages unless the root junction serves a large set of resources
- # or no junction mapping mechanism is configured; confirm this is intentional.
- #
- process-root-requests = always
- #---------------------
- # IPv6 support
- #---------------------
- #
- # Specify whether WebSEAL will support IPv6.
- #
- # Upon a new installation, WebSEAL supports IPv6 by default. However, if
- # WebSEAL is upgraded from a release previous to 6.0, then the upgrade
- # process will change this value to 'no'. This is to ensure backwards
- # compatibility.
- #
- # Valid choices are:
- # yes - Support IPv6 and IPv4 networks (default setting).
- #
- # no - Only support IPv4 networks.
- #
- ipv6-support = yes
- # ip-support-level determines the network attributes placed in credentials.
- # WebSEAL version 6.0 introduces new improved attributes which displace
- # the older attribute. The new attributes are required when IPv6 support
- # (ipv6-support) is enabled. This entry can be set to one of displaced-only,
- # generic-only, or displaced-and-generic.
- #
- # displaced-only:
- # The default for migrated installations. WebSEAL will only generate the
- # displaced IPv4 attributes when building credentials and when authenticating
- # users through CDAS modules.
- #
- # generic-only:
- # The default for new installations. WebSEAL will only generate the new generic
- # (supports both IPv4 and IPv6) attributes when building credentials and when
- # authenticating users through CDAS modules.
- #
- # displaced-and-generic:
- # Both sets of attributes (displaced and generic) are created.
- #
- ip-support-level = generic-only
- #---------------------
- # max-login-failures policy compatibility
- #---------------------
- #
- # When late-lockout-notification = no, WebSEAL will notify clients that their
- # account has been locked out immediately.
- # When late-lockout-notification = yes WebSEAL will operate in a pre-v6.0
- # compatible mode for user registry max-login-failures policy behavior,
- # and not notify users until their next request.
- # The default for new installations is disabled (no). The default for migrated
- # installations is enabled (yes).
- late-lockout-notification = no
- # When reject-invalid-host-header is set to yes all requests
- # to WebSEAL with an invalid host header (see RFC2616) will be
- # rejected with a status of 400, Bad Request.
- # NOTE(review): with this set to no, malformed Host headers are passed on for
- # the junctioned servers to handle; confirm that they validate the Host value
- # themselves, or pin the expected value in the [validate-headers] stanza below.
- reject-invalid-host-header = no
- #---------------------
- # Adding HttpOnly attribute
- #---------------------
- # When use-http-only-cookies is set to 'yes', WebSEAL will add the "HttpOnly"
- # attribute to the session and failover cookies. This will help defend against
- # cross-site scripting attacks by informing the browser not to make these
- # cookies available to browser scripts.
- use-http-only-cookies = yes
- #---------------------
- # Allow all Shift-JIS Multi-Byte characters
- #---------------------
- # When allow-shift-jis-chars is set to "yes" junctions created using -w will
- # allow all Shift-JIS Multi-Byte characters in junction file and path names.
- # When set to "no" junction file and path names using Shift-JIS Multi-Byte
- # characters containing the single byte character '\' will be rejected.
- allow-shift-jis-chars = no
- #---------------------
- # Pipelining
- #---------------------
- # WebSEAL does not support pipelined requests from browsers. When this option
- # is set to "yes" and WebSEAL detects pipelined requests it will close the
- # connection to inform the browser that it should resend the pipelined
- # requests in a normal manner. This should always be set to "yes" unless the
- # previous WebSEAL behavior is required.
- cope-with-pipelined-request = yes
- #---------------------
- # Unauthenticated users and "-b supply"
- #---------------------
- # This parameter determines if unauthenticated users can access junctions
- # created with "-b supply". When set to "no" the default behavior occurs.
- # Default behavior does not allow unauthenticated users to access resources
- # on a junction created using "-b supply", rather it will prompt them to
- # authenticate. When "allow-unauth-ba-supply" is set to "yes" unauthenticated
- # users will be allowed access "-b supply" junctions. The basic authentication
- # header supplied to the junction will contain the user name 'unauthenticated'.
- allow-unauth-ba-supply = no
- #---------------------
- # Tag-value label for missing attributes
- #---------------------
- # WebSEAL allows credential attributes to be inserted into the HTTP stream
- # as HTTP headers. In the event that a requested attribute was not located
- # within the credential the HTTP header will still be created with a static
- # string. The tag-value-missing-attr-tag configuration entry defines the
- # contents of the header.
- tag-value-missing-attr-tag = NOT_FOUND
- # Each attribute name set in a junction object's HTTP-Tag-Value is
- # automatically prefixed by "tagvalue_" before locating it in the credential.
- # This prohibits access to credential attributes that don't have names
- # beginning with "tagvalue_" such as "AUTHENTICATION_LEVEL". When this option
- # is set to "no", the automatic prefixing of "tagvalue_" will not occur so all
- # credential attributes can be specified in HTTP-Tag-Value.
- force-tag-value-prefix = yes
- #---------------------
- # URLs and extra consecutive slashes ("/")
- #---------------------
- # WebSEAL does not allow extra consecutive slashes ("/") to be present in URL and
- # silently removes those extra slashes if present, so an URL
- # "/jct/a//b.html" becomes "/jct/a/b.html"
- # or
- # "/jct//a////b.html" becomes "/jct/a/b.html"
- # but with the option below set to "yes|true", extra slashes will not be removed, i.e.
- # "/jct/a//b.html" or "/jct//a////b.html" will be sent to the backend as is.
- #
- allow-extra-slashes-in-urls = false
- #
- # The maximum number of bytes which may be returned from the 'file cat'
- # server task command.
- #
- max-file-cat-command-length = 4096
- # The auth-challenge-type contains a comma separated list of
- # authentication types which will be used when challenging a
- # client for authentication information. The supported authentication
- # types include:
- # ba, forms, spnego, token, cert and eai.
- #
- # The corresponding authentication configuration entry (e.g. ba-auth)
- # must be enabled for each specified authentication challenge type.
- #
- # By default the list of authentication challenge types will match that
- # of the list of configured authentication mechanisms.
- #
- # Each authentication type can additionally be configured with a set of rules.
- # These rules are used to determine the user agents for which the
- # authentication type is enabled. Each set of rules must be contained within
- # square brackets and separated by semicolons. Each pattern must begin with
- # a '+' or '-' character to indicate inclusion or exclusion respectively.
- # Patterns can contain alphanumeric characters, spaces, underscores and
- # periods. The wildcard characters '*' and '?' can also be used.
- #
- # For example:
- #
- # auth-challenge-type = [+*MSIE*]ba, [-*MSIE*;+*]forms
- #
- # This configuration will present a basic authentication challenge to user
- # agents containing 'MSIE' (Internet Explorer browsers) and a forms based
- # challenge to all other user agents. See the WebSEAL administration guide
- # for further information.
- #
- # Do not use authentication challenge types as a security or enforcement
- # measure. If no challenge types can be determined for a given user agent
- # string, WebSEAL will fall back to the list of all configured authentication
- # mechanisms.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [server:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- # auth-challenge-type =
- #
- # The maximum number of concurrent threads which can be consumed
- # by a single user session before warning messages are generated. WebSEAL
- # will continue to process requests for this session until the corresponding
- # hard-limit is reached.
- #
- # concurrent-session-threads-soft-limit = 5
- #
- # The maximum number of concurrent threads which can be consumed
- # by a single user session. Once the thread limit for the user session has
- # been reached the request will not be processed by WebSEAL and an error
- # will be returned to the client.
- #
- # If no value is specified for this configuration item there will be no
- # limit to the number of concurrent threads that a user session can
- # consume.
- #
- # concurrent-session-threads-hard-limit = 10
- #
- # WebSEAL normally reduces the timeout for connection I/O based on the
- # number of active worker threads, and how many requests have been processed
- # on the connection. The following configuration item can be used to
- # disable this automatic timeout reduction.
- #
- # disable-timeout-reduction = no
- # This configuration option allows you to disable HTTP Keep-Alives for
- # responses >= 2GB sent back to Internet Explorer 6 client browsers. The
- # primary purpose of this is to allow WebSEAL to mimic the IIS workaround
- # published at:
- # http://support.microsoft.com/kb/298618
- #
- # This will enable clients using Microsoft Internet Explorer 6.0 to download
- # files greater than 2GB, but less than 4GB.
- enable-IE6-2GB-downloads = no
- #
- # The following configuration entry controls whether the negotiate and ntlm
- # www-authenticate headers will be removed from the responses which are received
- # from junctioned servers.
- #
- strip-www-authenticate-headers = yes
- #
- # The following configuration entry is used to control whether unsolicited
- # authentication requests are allowed. If set to 'no' a login will only
- # be allowed if WebSEAL first returns a login form to the client.
- # NOTE(review): 'yes' means a login can be posted without WebSEAL having
- # issued the form first; where the client flows permit it, 'no' narrows
- # exposure to forged login submissions. Confirm which flows need 'yes'.
- #
- allow-unsolicited-logins = yes
- # Buffer size for reading from and writing to a client.
- io-buffer-size = 16384
- #
- # The maximum number of consecutive 302 redirects that
- # will be followed internally before WebSEAL concedes and
- # passes the response back to the client. A value of 0
- # indicates that all 302 redirects will be sent back to the
- # client for processing.
- #
- maximum-followed-redirects = 0
- #
- # WebSEAL is capable of examining 302 responses and processing the redirects
- # internally if they are destined for the current server using the same
- # protocol. This configuration entry controls the requests for which this
- # redirect functionality is enabled. A case-sensitive comparison will be made
- # between the configuration entry and the HTTP request line. Shell-style
- # pattern matching for '*', '?', '\' and '[]' can be used in the comparison
- # (excluding special match strings).
- #
- # Special match strings:
- # - "!LRR!" will match any request resulting in a Local Response Redirect
- # action occurring.
- # - "!REPLAY!" will match any redirection to replay a URL that was interrupted
- # by a successful authentication.
- #
- # Multiple patterns can be specified by including multiple configuration
- # entries of the same name.
- #
- # Example:
- # follow-redirects-for = GET /jct/index.html *
- # follow-redirects-for = !LRR!
- follow-redirects-for =
- ########
- # HTTP/2 enablement for main (default) interface to browsers.
- #
- # Enable/disable HTTP/2 encoded connections from browsers.
- # This setting only affects the "default" interface defined in this stanza.
- #
- # HTTP/2 supports a reduced set of cipher suites. The minimum cipher is
- # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and this is not included in the
- # set of ciphers specified by the 'AES-128' cipher alias. In order to add
- # support for this cipher the following entry must be added as the first entry
- # within the ssl-qop-mgmt-default configuration stanza:
- # default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- enable-http2 = no
- # HTTP/2: maximum number of network connections from HTTP/2 enabled browsers.
- # This is per interface/port (http and https), so if both http and https
- # are enabled then the total max connections would be double this.
- # This setting only affects the "default" interface defined in this stanza.
- http2-max-connections = 200
- # HTTP/2: maximum size in bytes that WebSEAL will accept for header compression
- # table (RFC 7541). There is one table per HTTP/2 network connection.
- http2-header-table-size = 4096
- # HTTP/2: maximum number of simultaneous multiplexed streams WebSEAL will accept
- # per HTTP/2 network connection. A value of -1 denotes the unlimited setting
- # and is not recommended in a production WebSEAL environment as memory use in
- # WebSEAL would be unbounded.
- # This setting only affects the "default" interface defined in this stanza.
- # Notes:
- # - Each stream will have a 'http2-initial-window-size' byte buffer.
- # - Each stream will need a worker-thread to process the one request/response
- # sent over it before it is ended.
- http2-max-concurrent-streams = 100
- # HTTP/2: maximum number of unacknowledged bytes WebSEAL can accept per active
- # multiplexed stream. WebSEAL will create an in-memory buffer to hold this
- # many bytes for each active multiplexed stream.
- # This setting only affects the "default" interface defined in this stanza.
- http2-initial-window-size = 65535
- # HTTP/2: maximum size of the body of a single HTTP/2 protocol frame sent over
- # the HTTP/2 network connection.
- # This setting only affects the "default" interface defined in this stanza.
- http2-max-frame-size = 16384
- # HTTP/2: maximum size of headers that can be sent in a request on an HTTP/2
- # stream. A value of -1 denotes the unlimited setting and is not recommended in a
- # production WebSEAL environment as memory use in WebSEAL would be unbounded.
- # If not set it will default to the value of [server] max-client-read.
- # This setting only affects the "default" interface defined in this stanza.
- http2-max-header-list-size = 32768
- # HTTP/2: maximum duration in seconds for an HTTP/2 connection. The connection
- # will be closed if this limit is reached.
- # This setting applies to HTTP/2 connections for all interfaces.
- http2-max-connection-duration = 120
- # HTTP/2: Amount of time the HTTP/2 connection can be idle (not processing any
- # requests). The connection will be closed if it is idle for this time.
- # This setting applies to HTTP/2 connections for all interfaces.
- http2-idle-timeout = 20
- [process-root-filter]
- # This stanza is only used if process-root-requests = filter
- # Request URLs starting with the following patterns will be processed at the
- # root junction before attempting to remap the requests to a new junction point.
- # Format is
- # root = <pattern>
- # where <pattern> is a standard WebSEAL wildcard pattern.
- #
- root = /index.html
- root = /cgi-bin*
- [validate-headers]
- # This stanza is used to list those headers which should be validated
- # on each request. The format of each configuration entry is:
- #
- # <hdr> = <value>
- #
- # For example to ensure all requests are from www.ibm.com set:
- #
- # host = www.ibm.com
- #
- # If multiple headers of the same name are configured, the corresponding
- # header in the request must match one of the configured values.
- ###############################
- # WEBSEAL INTERFACES
- ###############################
- [interfaces]
- # The values from:
- # [server]
- # network-interface
- # always-neg-tls
- # http
- # http-port,
- # web-http-port,
- # web-http-protocol,
- # https,
- # https-port,
- # worker-threads
- # enable-http2
- # http2-max-connections
- # http2-header-table-size
- # http2-max-concurrent-streams
- # http2-initial-window-size
- # http2-max-frame-size
- # http2-max-header-list-size
- # [ssl]
- # webseal-cert-keyfile-label
- # [certificate]
- # accept-client-certs
- # secondary-port
- # are used to create the "default" interface.
- #
- # This stanza allows additional interfaces to be configured.
- #
- # The format of each interfaces entry is:
- #
- # <interfaceName> = <interfaceOptions>
- # <interfaceOptions> = <Option>=<Value>[;<Option>=<Value>[;...]]
- #
- # Leading and trailing spaces surrounding <Option>, <Value> are ignored.
- # If leading or trailing spaces are required then the <Value> may be placed
- # in double quotes (").
- # If a double quote ("), semicolon (;), or backslash (\) character is required
- # in the <Value> then this character must be prefixed by a backslash (\).
- #
- # <Option>=<Value> can be selected from:
- # network-interface=<ipAddress>
- # always-neg-tls=yes|no
- # http-port=<port> | "disabled"
- # https-port=<port> | "disabled"
- # web-http-port=<port> | "disabled"
- # web-http-protocol="http" | "https"
- # certificate-label=<keyFileLabel>
- # accept-client-certs="never" | "required" | "optional" |
- # "prompt_as_needed" | "critical"
- # secondary-port=<port>
- # worker-threads=<count> | "default"
- # enable-http2=yes|no
- # http2-max-connections=<number>
- # http2-header-table-size=<number>
- # http2-max-concurrent-streams=<number>
- # http2-initial-window-size=<number>
- # http2-max-frame-size=<number>
- # http2-max-header-list-size=<number>
- #
- # Defaults for <interfaceOptions> if they are not present:
- # network-interface 0.0.0.0
- # always-neg-tls no
- # worker-threads "default"
- # http-port "disabled"
- # web-http-port "disabled"
- # web-http-protocol "http"
- # https-port "disabled"
- # certificate-label Uses key marked as default in key file.
- # accept-client-certs "never"
- # secondary-port 0
- # enable-http2 no
- # http2-max-connections 200
- # http2-header-table-size 4096
- # http2-max-concurrent-streams 100
- # http2-initial-window-size 65535
- # http2-max-frame-size 16384
- # http2-max-header-list-size max-client-read
- #
- # The following example configures an interface that only listens for http
- # requests on address 10.0.0.1 port 81 (the https-port defaulted to "disabled").
- #
- # interface1 = network-interface=10.0.0.1; http-port=81
- #
- # No additional interfaces are defined in this file, so only the "default"
- # interface built from the [server], [ssl] and [certificate] entries listed
- # above is configured here. Note that an added interface defaults to
- # network-interface 0.0.0.0 (all addresses) unless set explicitly.
- ###############################
- # HTTP Header Names
- ###############################
- [header-names]
- #
- # This stanza controls the addition of HTTP headers into the request which is
- # passed to junctioned applications. Each entry within the stanza will be of
- # the format:
- # <header-data> = [+]<header-name>
- #
- # where:
- # <header-data> : the type of data which will be inserted.
- # <header-name> : the name of the HTTP header which will hold the data. The
- # header-name can be prefixed with the '+' character if you
- # wish to append to any existing header instead of
- # overwriting the existing header.
- #
- # The <header-data> may be one of the following values:
- #
- # server-name : The ISAM authorization server name for the WebSEAL server.
- # This is the name which is used in the "server task"
- # commands.
- # client-ip-v4 : The IPv4 address of the client of this request.
- # client-ip-v6 : The IPv6 address of the client of this request.
- # client-port : The port which is used by the client of this request.
- # Please note that this is the client source port, and not
- # the destination port.
- # host-name : The host name of the WebSEAL server. The host name will
- # be obtained from the web-host-name configuration entry
- # within the [server] stanza (if specified), or the host
- # name of the machine itself.
- # httphdr{<name>} : A HTTP header from the request, as specified by the <name>
- # field. If the HTTP header is not found in the request
- # the value contained within the [server]
- # tag-value-missing-attr-tag configuration entry will be
- # used as the value for the header.
- #
- # For example:
- # client-ip-v4 = +X-Forwarded-For
- # httphdr{host} = X-Forwarded-Host
- # host-name = X-Forwarded-Server
- #
- # Only the server name is inserted by this file; no client address, client
- # port or forwarded host header is passed to junctioned applications here.
- # NOTE(review): if junctioned applications need the real client address for
- # their own logging or access decisions, a 'client-ip-v4'/'client-ip-v6'
- # entry as in the example above is what provides it -- confirm with the
- # application owners.
- server-name = iv_server_name
- [rsp-header-names]
- #
- # This stanza is used to define static HTTP headers which will be added
- # to every HTTP response from the WebSEAL server. This will provide the
- # administrator with the ability to insert some standard security headers
- # into the response, such as strict-transport-security,
- # content-security-policy and x-frame-options.
- #
- # Please note that the headers which are defined in this stanza will replace
- # any matching headers which might have been added to the response by a
- # junctioned application.
- #
- # If multiple headers of the same name are specified in this stanza all
- # but the last of the matching entries will be ignored.
- #
- # The format of each entry in this stanza is:
- # <header-name> = <header-value>
- #
- # For example,
- # strict-transport-security = max-age=31536000; includeSubDomains
- #
- # A special <header-value> of '%SESSION_EXPIRY%' can be used to
- # designate a header which will contain the remaining length of time, in
- # seconds, before the current local session expires. This value does not
- # include the overall session timeout for sessions which are managed by
- # the distributed session cache (DSC), but just the length of time before
- # the session expires in the local cache.
- #
- # For example:
- # session-timeout = %SESSION_EXPIRY%
- #
- # HSTS for one year (31536000 s) covering subdomains. Browsers only honour
- # this header on responses received over HTTPS, and per the note above it
- # replaces any strict-transport-security header a junctioned application sets.
- # The literal ';' in the value is accepted by this stanza (see the example
- # above); it is not a comment marker here.
- # NOTE(review): content-security-policy and x-frame-options are named above
- # as candidates but neither is set in this file -- confirm whether the
- # junctioned applications supply them on their own responses.
- strict-transport-security = max-age=31536000; includeSubDomains
- ###############################
- # LDAP
- ###############################
- [ldap]
- # prefer-readwrite-server - yes|no Indicates whether to select writable
- # LDAP server when available
- # auth-using-compare - yes|no Indicates whether to perform
- # authentication using LDAP bind or comparing password
- # bind-dn - Indicates the Distinguished Name of the daemon
- # (set by configuration)
- # ssl-enabled - yes|no Indicates whether SSL is enabled (set
- # by configuration)
- # ssl-keyfile - Indicates filename of SSL keyfile (set by
- # configuration)
- # ssl-keyfile-dn - Indicates the certificate label in the SSL
- # keyfile, if any (set by configuration)
- # default-policy-override-support
- # - yes|no When "yes", no user Policy will
- # be checked, only the default Policy is checked
- # (saves some LDAP searches)
- # user-and-group-in-same-suffix
- # - yes|no When "yes", indicates that the groups are
- # defined in the same LDAP suffix as the user
- # (saves some LDAP searches)
- # login-failures-persistent
- # - yes|no When "yes", login strikes will be tracked
- # in the registry instead of only in the local
- # process cache. Persistent login strike recording
- # is more expensive but allows consistent login
- # strike counting across multiple servers.
- # cache-enabled - yes|no Indicates whether to enable the local
- # LDAP cache
- #
- # cache-enabled related configuration settings:
- #
- # cache-user-size - (optional) The number of entries in the LDAP user
- # cache. Ignored if the cache is not enabled. If
- # not set, the default is 256.
- # cache-group-size - (optional) The number of entries in the LDAP group
- # cache. Ignored if the cache is not enabled. If
- # not set, the default is 64.
- # cache-policy-size - (optional) The number of entries in the LDAP policy
- # cache. Ignored if the cache is not enabled. If
- # not set, the default is 20.
- # cache-user-expire-time - (optional) The amount of time (in seconds) until a
- # user entry in the cache is considered stale and is
- # discarded. Ignored if the cache is not enabled.
- # If not set, the default is 30 seconds.
- # cache-group-expire-time - (optional) The amount of time (in seconds) until a
- # group entry in the cache is considered stale and is
- # discarded. Ignored if the cache is not enabled.
- # If not set, the default is 300 seconds (5 minutes).
- # cache-policy-expire-time
- # - (optional) The amount of time (in seconds) until a
- # policy entry in the cache is considered stale and is
- # discarded. Ignored if the cache is not enabled.
- # If not set, the default is 30 seconds.
- # cache-group-membership - (optional) Indicates whether group membership
- # information should be cached. Ignored if the cache
- # is not enabled. If not set, the default is yes.
- # cache-use-user-cache - (optional) Indicates whether to use the user cache
- # information or not. Ignored if the cache is not
- # enabled. If not set, the default is yes.
- # cache-return-registry-id -(optional) Indicates whether to cache the user
- # identity as it is stored in the registry or cache
- # the value as entered during authentication.
- # Ignored if the cache is not enabled.
- # If not set, the default is no.
- # enhanced-pwd-policy - (optional) If set to yes then additional status
- # information for the LDAP registries own password
- # policy enforcement is acquired and reported to
- # this TAM application during login and password
- # change operations.
- # This option must be enabled for [acnt-mgt]
- # enable-passwd-warn to function.
- # enable-last-login - (optional) Indicates whether to enable recording
- # of the last time each user logs in to LDAP. If
- # enabled then it must be enabled in all TAM
- # applications to ensure the value is captured in
- # all cases.
- #
- # Registry connection settings for this instance. With ssl-enabled = no the
- # connection to the LDAP registry is not protected by SSL/TLS, so the bind
- # credential (bind-pwd below) and the password compares implied by
- # auth-using-compare = yes cross the network in the clear unless the link is
- # protected by some other means.
- # NOTE(review): confirm this is acceptable for the network path between
- # WebSEAL and the registry. The empty ssl-keyfile entries are consistent
- # with SSL being disabled; both must be populated if ssl-enabled is set to yes.
- prefer-readwrite-server = no
- auth-using-compare = yes
- ssl-enabled = no
- # The following files are currently available for this configuration entry:
- # - pdsrv.kdb
- # - lmi_trust_store.kdb
- # - rt_profile_keys.kdb
- # - embedded_ldap_keys.kdb
- ssl-keyfile =
- ssl-keyfile-dn =
- #default-policy-override-support = no
- #user-and-group-in-same-suffix = yes
- # NOTE(review): login-failures-persistent is left at its default here; per
- # the description above, login strikes are then only counted per process, so
- # a deployment with several WebSEAL instances does not share a strike count
- # -- confirm this matches the intended lockout behaviour.
- #login-failures-persistent = no
- # The local registry cache is enabled. With the expiry defaults described
- # above (30 s for user entries, 300 s for group entries), a change made in the
- # registry may not be observed by this instance until the cached entry expires.
- cache-enabled = yes
- #cache-user-size = 256
- #cache-group-size = 64
- #cache-policy-size = 20
- #cache-user-expire-time = 30
- #cache-group-expire-time = 300
- #cache-policy-expire-time = 30
- #cache-group-membership = yes
- #cache-use-user-cache = yes
- cache-return-registry-id = no
- # enhanced-pwd-policy = no also means [acnt-mgt] enable-passwd-warn cannot
- # function (see the description above).
- enhanced-pwd-policy = no
- enable-last-login = no
- # The following configuration item is contained within the obfuscated
- # database and as such is obfuscated within this file. If the value is
- # modified within this configuration file the corresponding change will
- # be applied to the obfuscated database.
- # Obfuscation is a storage format, not access control: this value is still
- # the registry bind credential, so keep read access to this file restricted.
- bind-pwd = **obfuscated**
- ###############################
- # SSL
- ###############################
- [ssl]
- # This section contains entries that affect the behavior of the SSL
- # components of WebSEAL. These will affect both clients connecting
- # via SSL as well as SSL junctions to backend systems.
- # The first five parameters (webseal-cert-*) relate to the certificate
- # keystore WebSEAL uses for exchanging with browsers when negotiating
- # SSL sessions.
- # WebSEAL certificate keyfile
- # The following files are currently available for this configuration entry:
- # - pdsrv.kdb
- # - lmi_trust_store.kdb
- # - rt_profile_keys.kdb
- # - embedded_ldap_keys.kdb
- webseal-cert-keyfile = pdsrv.kdb
- # The stash file which contains the password used to protect the private
- # keys in the keyfile.
- # The following files are currently available for this configuration entry:
- # - rt_profile_keys.sth
- # - lmi_trust_store.sth
- # - embedded_ldap_keys.sth
- # - pdsrv.sth
- webseal-cert-keyfile-stash = pdsrv.sth
- # Label of key to use other than the default
- # NOTE(review): the label 'WebSEAL-Test-Only' suggests a test certificate is
- # still the one presented to browsers. A production instance should present
- # a CA-issued certificate for its public host name under its own label --
- # confirm which certificate this label resolves to in pdsrv.kdb.
- webseal-cert-keyfile-label = WebSEAL-Test-Only
- # Server Name Indication SNI (optional)
- # If a user connects to webseal via TLS over SSL, and the browser supports
- # SNI, WebSEAL is capable of sending a server certificate which matches the
- # host name used by the browser in the request. The webseal-cert-keyfile-sni
- # configuration entry is used to specify the certificate which should be sent
- # for a particular host name.
- #
- # The configuration entry may be specified multiple times, one for each
- # host name. The entry should be of the format:
- # webseal-cert-keyfile-sni = <host name>:<label>
- #
- # where:
- # host name : Is the name of the host which will be used by the browser
- # label : Is the label of the certificate which will be used.
- #
- # Left empty: no per-host-name certificate selection; every browser receives
- # the certificate selected by webseal-cert-keyfile-label above.
- webseal-cert-keyfile-sni =
- # Selectively disable SSL version support for browser connections
- # SSL 2.0 and 3.0 are disabled, but TLS 1.0 and TLS 1.1 remain enabled for
- # browser connections; both are deprecated (RFC 8996). Once client
- # compatibility is confirmed, set disable-tls-v1 = yes and
- # disable-tls-v11 = yes so only TLS 1.2 is negotiated. The [junction] stanza
- # carries the same five entries for junction connections.
- disable-ssl-v2 = yes
- disable-ssl-v3 = yes
- disable-tls-v1 = no
- disable-tls-v11 = no
- disable-tls-v12 = no
- # Session timeout for SSL v2 connections (range: 1-100 secs)
- # (inert while disable-ssl-v2 = yes above)
- ssl-v2-timeout = 100
- # Session timeout for SSL v3 connections (range: 1-86400 secs)
- # (inert while disable-ssl-v3 = yes above)
- ssl-v3-timeout = 7200
- # The maximum number of concurrent entries in the SSL cache
- ssl-max-entries = 4096
- # CRL Cache configuration.
- # When gsk-crl-cache-size and gsk-crl-cache-entry-lifetime are
- # both set to zero (which they are by default), CRL Caching will
- # be disabled.
- # The maximum number of entries in the GSKit CRL cache
- # (must be > 0 to initialize CRL Caching)
- gsk-crl-cache-size = 0
- # Lifetime timeout for individual entries in the GSKit CRL cache
- # (range: 0-86400 secs)
- gsk-crl-cache-entry-lifetime = 0
- # The following block of entries enables the configuration of an LDAP
- # server to be referenced for CRL checking during SSL authentication.
- # A null value for crl-ldap-user indicates that the SSL authenticator
- # should bind to the LDAP server anonymously.
- # All four entries are empty, so no CRL lookup is configured in this file;
- # with the ocsp-* entries below also commented out, this file configures no
- # revocation checking for browser-supplied certificates.
- # The CRL LDAP server which is to be used for CRL checking.
- crl-ldap-server =
- # The port on which the CRL LDAP server is listening.
- crl-ldap-server-port =
- # The DN of the LDAP user which is to be used.
- crl-ldap-user =
- # The password of the LDAP user.
- # If populated this is a plaintext credential in the configuration file;
- # note the anonymous-bind option described above.
- crl-ldap-user-password =
- # The following entry allows a pkcs11 key file to be specified. This key file
- # will contain the configuration information used to identify and access a
- # Network Hardware Security Module (NetHSM).
- # The following files are currently available for this configuration entry:
- # - <none available>
- pkcs11-keyfile =
- # To enable PKCS#11 for symmetric algorithms, set
- # pkcs11-symmetric-cipher-support to 'yes'.
- # NOTE:
- # The PKCS#11 symmetric cipher support does not
- # include removable devices. If a removable device is encountered
- # it will be ignored even if the support has been requested.
- # Additionally, not all devices will support symmetric ciphers
- # please check your vendor documentation before usage.
- #
- pkcs11-symmetric-cipher-support = no
- # Configure FIPS mode processing. GSKit will not allow it to be
- # enabled (set to yes) if base-crypto-library = RSA.
- fips-mode-processing = no
- # Configure NIST SP800-131A compliance mode. This will have the effect of:
- # - enabling FIPS mode processing (over-riding the value of the
- # fips-mode-processing configuration entry);
- # - enabling TLS V1.2 (over-riding the value of the disable-tls-v12
- # configuration entry);
- # - enabling the appropriate signature algorithms;
- # - setting the minimum RSA key size to 2048 bytes.
- nist-compliance = no
- # The following two options are used to enable OCSP. Either or both can be used.
- #ocsp-enable = no
- #ocsp-url = <Absolute URL for OCSP responder>
- # The following are OCSP options for interacting with the OCSP Responder.
- #ocsp-nonce-generation-enable = no
- #ocsp-nonce-check-enable = no
- #ocsp-retrieve-via-get = no
- #ocsp-max-response-size = 20480
- #ocsp-proxy-server-name = <proxy host name>
- #ocsp-proxy-server-port = <proxy port number>
- # If, after OCSP or CRL checking, the revocation status of a browser supplied
- # certificate is undetermined, WebSEAL can be configured to ignore this, log
- # the fact, or log the fact and reject the connection by setting
- # undetermined-revocation-cert-action to "ignore", "log" or "reject"
- # respectively.
- # With "log", a certificate whose revocation status could not be determined
- # is still accepted; "reject" is the fail-closed choice. This only matters
- # once OCSP or CRL checking above is actually enabled.
- undetermined-revocation-cert-action = log
- # The following configuration item is used to control whether SSL errors
- # originating from a connection with a client are logged.
- # This entry takes true/false rather than the yes/no used elsewhere in the
- # file; keep the form the product documents for this key. With 'false',
- # client-side SSL errors (handshake failures, protocol mismatches) are logged,
- # which is the useful setting for detecting downgrade or misconfiguration.
- suppress-client-ssl-errors = false
- #
- # Specify any additional GSKit attributes which should be used when
- # initializing an SSL connection with the client. A complete list of
- # the available attributes is included in the GSKit SSL API documentation.
- #
- # The configuration entry may be specified multiple times, one for each
- # GSKit attribute. The entry should be of the format:
- # gsk-attr-name = <type>:<id>:<value>
- #
- # - where <type> is one of 'enum', 'string', 'number'
- # and <id> corresponds to the identity associated with a GSKit attribute
- # (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
- #
- # An example configuration could be:
- # gsk-attr-name = string:225:proxy.ibm.com
- #
- #
- # Specify any additional GSKit attributes which should be used when
- # initializing an SSL connection with a junctioned server. A complete list of
- # the available attributes is included in the GSKit SSL API documentation.
- #
- # The configuration entry may be specified multiple times, one for each
- # GSKit attribute. The entry should be of the format:
- # jct-gsk-attr-name = <type>:<id>:<value>
- #
- # - where <type> is one of 'enum', 'string', 'number'
- # and <id> corresponds to the identity associated with a GSKit attribute
- # (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
- #
- # This configuration item may be customized for a particular junction by
- # adding the adjusted configuration item to a [ssl:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- #
- # An example configuration could be:
- # jct-gsk-attr-name = string:225:proxy.ibm.com
- #
- # Control whether duplicate SSL warning messages are sent to the WebSEAL
- # log file. If this option is set to yes, then if a junction is defined
- # with -K and not -D, a warning will be reported every time a connection is
- # opened to that junction. This fills up logs, so administrators may want to
- # set it to no. If it is set to no, then a single warning will be reported
- # at server start.
- enable-duplicate-ssl-dn-not-found-msgs = yes
- # The following four entries are not described in this file; consult the
- # WebSEAL Administration Guide before changing them.
- ssl-auto-refresh = yes
- ssl-listening-port = 7235
- ssl-pwd-life = 183
- ssl-authn-type = certificate
- # We only want to listen on our management interfaces.
- listen-interface = 192.168.42.191
- ###############################
- # JUNCTION
- ###############################
- [junction]
- # Location of the Junction to Request Mapping Table (JMT)
- # This path is relative to the server-root value in the [server] stanza
- # The following files are currently available for this configuration entry:
- # - jmt.conf
- jmt-map = jmt.conf
- # Timeout (in seconds) for sending to and reading from a TCP junction.
- # Must be an integer greater than or equal to zero.
- # A value of zero will cause WebSEAL to wait indefinitely. This configuration
- # item may be customized for a particular junction by adding the adjusted
- # configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
- # to the junction point for a standard junction (include the leading '/'), or
- # the virtual host label for a virtual host junction.
- http-timeout = 120
- # Timeout (in seconds) for sending to and reading from an SSL junction.
- # Must be an integer greater than or equal to zero.
- # A value of zero will cause WebSEAL to wait indefinitely. This configuration
- # item may be customized for a particular junction by adding the adjusted
- # configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
- # to the junction point for a standard junction (include the leading '/'), or
- # the virtual host label for a virtual host junction.
- https-timeout = 120
- # The WebSEAL server performs a periodic background 'ping' of each junctioned
- # Web server, to determine whether it is running. This entry sets the interval,
- # in seconds, between pings when the server is determined to be running.
- # To turn this ping off, set this entry to zero. If this entry is set to zero,
- # the recovery-ping-time must be set.
- ping-time = 300
- # The WebSEAL server performs a periodic background 'ping' of each junctioned
- # Web server, to determine whether it is running. This entry sets the interval,
- # in seconds, between pings when the server is determined to be not running.
- # If this entry is not set, the recovery-ping-time defaults to the ping-time.
- #recovery-ping-time = 300
- # The WebSEAL server performs a periodic background 'ping' of each junctioned
- # Web server, to determine whether it is running. The optional
- # ping-method entry sets the HTTP request type used in these pings. A valid
- # ping-method is defined by the HTTP/1.1 protocol. If the ping-method is
- # invalid or missing, this value defaults to HEAD.
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- ping-method = HEAD
- # The WebSEAL server performs a periodic background 'ping' of each junctioned
- # Web server, to determine whether it is running. The optional ping-uri
- # configuration entry defines the URI which will be accessed by the ping
- # request. The defined URI should be relative to the root Web space of the
- # junctioned Web server. If the URI is missing this value defaults to a value
- # of '/'.
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- ping-uri = /
- # The WebSEAL server performs a periodic background 'ping' of each junctioned
- # Web server, to determine whether the junctioned Web server is running. The optional
- # ping-response-code-rules configuration entry defines the rules which are used to
- # determine whether the HTTP status code of the responses indicate a healthy or
- # an unhealthy junctioned Web server.
- #
- # If valid values are configured for both ping-response-code-rules and
- # response-code-rules, the specified ping-response-code-rules will be applied
- # to the 'ping' requests initiated by WebSEAL,
- # and other requests will be matched against response-code-rules to
- # determine the server state.
- #
- # If a valid ping-response-code-rules value is configured but
- # response-code-rules is not, the specified ping-response-code-rules will be applied
- # to the 'ping' requests initiated by WebSEAL,
- # and other requests will not be used to determine the server state. In this case,
- # ping-response-code-rules are the only rules used to determine the server state.
- #
- # If the ping-response-code-rules configuration entry is not set, the rules that
- # are specified by the response-code-rules configuration entry will also apply
- # to ping requests.
- #
- # The configuration entry contains a space separated list of rules. Each rule
- # has the format:
- # [+|-]<code> (e.g. -50?)
- # where:
- # +: indicates that this is a healthy response code
- # -: indicates that this is an unhealthy response code
- # <code>: the corresponding response code, which can also contain pattern
- # matching characters (i.e. * ?)
- #
- # The HTTP response codes will be evaluated against each rule in sequence until
- # a match is found. The corresponding code (+|-) will then be used to determine
- # whether the junctioned Web server is healthy or not. If the response code
- # matches no configured rules the junctioned Web server will be considered to be
- # healthy.
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- # ping-response-code-rules = +2?? -*
- ping-response-code-rules =
- # When a response of a client initiated request is returned from the junctioned server,
- # the optional response-code-rules configuration entry defines the rules
- # which are used to determine from the HTTP status code of the responses
- # whether the junctioned Web server is in a healthy or an unhealthy state.
- #
- # This configuration entry will apply to all requests if the ping-response-code-rules
- # configuration entry has not been set, otherwise it will only apply to all client
- # initiated requests.
- #
- # The configuration entry contains a space separated list of rules. Each rule
- # has the format:
- # [+|-]<code> (e.g. -50?)
- # where:
- # +: indicates that this is a healthy response code
- # -: indicates that this is an unhealthy response code
- # <code>: the corresponding response code, which can also contain pattern
- # matching characters (i.e. * ?)
- #
- # The HTTP response codes will be evaluated against each rule in sequence until
- # a match is found. The corresponding code (+|-) will then be used to determine
- # whether the junctioned Web server is healthy or not. If the response code
- # matches no configured rules the junctioned Web server will be considered to be
- # healthy.
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- # response-code-rules = +2?? -*
- response-code-rules =
- # These values will limit the percentage of total worker threads processing
- # requests for junctions. The default of 100% means there is no
- # limit. When the "soft" limit is reached, WebSEAL will generate a warning
- # message. When the "hard" limit is reached, WebSEAL will generate an error
- # message and return a 503, "Service Unavailable", result to the client browser
- # instead of requesting the resource from the junction.
- # This value can be overridden on a per junction basis using pdadmin.
- worker-thread-hard-limit = 100
- worker-thread-soft-limit = 90
- # Buffer size for reading from and writing to a junction.
- io-buffer-size = 16384
- # Maximum size, in bytes, of WebSEAL generated HTTP Headers.
- # Headers over this size will be split across multiple
- # HTTP Headers. A value of "0" disables this support.
- max-webseal-header-size = 0
- #----------------------
- # SENDING DOMAIN COOKIES
- #----------------------
- # If validate-backend-domain-cookies is set to "no", then all Domain set-cookies
- # will be forwarded to the user, regardless of their content.
- #
- # If set to "yes" then Domain set-cookies will be evaluated to ensure that
- # they adhere to the cookie specification. Set-cookies with Domains that do not
- # properly match the domain of the origin server will be removed from the
- # request. Set-cookies that pass the validation will be forwarded to the client.
- #
- # Occasionally applications will send set-cookies with a Domain parameter
- # that contains the FQHN of the origin server. To ensure proper routing,
- # WebSEAL will remove the Domain from these set-cookies before forwarding
- # to the client.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- validate-backend-domain-cookies = yes
- # If allow-backend-domain-cookies is set to 'no', and
- # validate-backend-domain-cookies = 'yes', then WebSEAL will remove
- # the Domain from the set-cookie before forwarding.
- #
- # If allow-backend-domain-cookies = yes, then the Domain will not be removed.
- # In addition, this will affect how WebSEAL filters the Path of set-cookies.
- # Under certain circumstances, WebSEAL must modify the Path of set-cookies
- # sent from junctioned origin servers to include the junction point to ensure
- # that the user-agent will properly send the cookie with requests.
- # WebSEAL will not do this for Domain set-cookies, because this might preclude
- # those cookies from being sent to other systems in the domain, so if
- # allow-backend-domain-cookies is set to 'yes', this Path modification will
- # not take place for Domain set-cookies.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- allow-backend-domain-cookies = no
- # If validate-backend-domain-cookies is set to "yes", then
- # support-virtual-host-domain-cookies will modify how WebSEAL validates
- # the Domain of set-cookies. This option will have no effect if
- # validate-backend-domain-cookies = no
- #
- # If support-virtual-host-domain-cookies is set to "yes" then the domain cookie
- # will be validated by comparing it with the virtual host specified for a
- # backend server with the -v junction option.
- #
- # If set to "no", or if no virtual host was specified for a junction, then
- # the FQHN will be compared with the Domain value of a set-cookie for
- # validation.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- support-virtual-host-domain-cookies = yes
- # The following block of entries enables the configuration of an LDAP
- # server to be referenced for CRL checking during SSL authentication.
- # A null value for crl-ldap-user indicates that the SSL authenticator
- # should bind to the LDAP server anonymously.
- #crl-ldap-server = <server_name>
- #crl-ldap-server-port = <port>
- #crl-ldap-user = <user_DN>
- #crl-ldap-user-password = <user_password>
- # The following two options are used to enable OCSP for checking the revocation
- # status of junction server supplied certificates. Either or both can be used.
- #jct-ocsp-enable = no
- #jct-ocsp-url = <Absolute URL for OCSP responder>
- # The following are OCSP options for interacting with the OCSP Responder.
- #jct-ocsp-nonce-generation-enable = no
- #jct-ocsp-nonce-check-enable = no
- #jct-ocsp-max-response-size = 20480
- #jct-ocsp-proxy-server-name = <proxy host name>
- #jct-ocsp-proxy-server-port = <proxy port number>
- # If, after OCSP checking, the revocation status of a junction server supplied
- # certificate is undetermined, WebSEAL can be configured to ignore this, log
- # the fact, or log the fact and reject the connection by setting
- # jct-undetermined-revocation-cert-action to "ignore", "log" or "reject"
- # respectively.
- jct-undetermined-revocation-cert-action = log
- # Selectively disable SSL version support for junction connections
- disable-ssl-v2 = yes
- disable-ssl-v3 = yes
- disable-tls-v1 = no
- disable-tls-v11 = no
- disable-tls-v12 = no
- # Configure NIST SP800-131A compliance mode. This will have the effect of:
- # - enabling FIPS mode processing (over-riding the value of the
- # fips-mode-processing configuration entry);
- # - enabling TLS V1.2 (over-riding the disable-tls-v12 configuration entry);
- # - enabling the appropriate signature algorithms;
- # - setting the minimum RSA key size to 2048 bytes.
- jct-nist-compliance = no
- # The next configuration options allow a separate keyfile to be used
- # for Junction SSL operations rather than sharing the one specified in
- # the [ssl] stanza.
- # The keyfile database which is to be used for Junction SSL operations.
- # The following files are currently available for this configuration entry:
- # - pdsrv.kdb
- # - lmi_trust_store.kdb
- # - rt_profile_keys.kdb
- # - embedded_ldap_keys.kdb
- # Left empty here: junction SSL shares the keyfile configured in the [ssl]
- # stanza, so the trust anchors used to validate junction server
- # certificates are whatever that keyfile contains.
- jct-cert-keyfile =
- # The name of the file to which the password for the SSL Junction key file is
- # stashed.
- # The following files are currently available for this configuration entry:
- # - rt_profile_keys.sth
- # - lmi_trust_store.sth
- # - embedded_ldap_keys.sth
- # - pdsrv.sth
- # Left empty here to match jct-cert-keyfile above.
- jct-cert-keyfile-stash =
- # When jct-ssl-reneg-warning-rate is set to a value greater than zero, WebSEAL
- # will output a warning message if the SSL session renegotiation rate between
- # junction servers and WebSEAL reaches this level or greater. The value is
- # specified as the number of renegotiations per minute.
- jct-ssl-reneg-warning-rate = 0
- # When use-new-stateful-on-error is set to yes WebSEAL will choose a new
- # stateful junction server for a user if the current one fails. When it is
- # set to no, WebSEAL will not choose a new stateful junction server for a
- # user, instead it returns an error and future requests by the user will keep
- # attempting to use this same stateful junction server (until the user
- # restarts their browser or the junction server is deleted).
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct-id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (including
- # the leading '/'), or the virtual host label for a virtual host junction.
- use-new-stateful-on-error = no
- # When dont-reprocess-jct-404s = yes, WebSEAL will return 404 responses
- # from junctions directly to clients. When set to no, WebSEAL will
- # assume the 404 is due to an unfiltered server relative link and
- # will try to fix the problem by prepending a junction point to the URL
- # in the request and sending the request again. Setting this value to
- # "no" provides backwards compatibility with TAM 5.1.
- dont-reprocess-jct-404s = yes
- # The following configuration item can be set to yes to avoid multiple
- # attempts to prepend a junction point to the beginning of the URL string
- # when reprocessing requests as a result of a HTTP 404 status code.
- # To cause requests for root junction resources, that result in an HTTP 404
- # error, to be reprocessed, set this configuration entry to 'yes'.
- reprocess-root-jct-404s = no
- # When pass-http-only-cookie-attr is set to 'yes' it will allow WebSEAL to pass
- # the HttpOnly attribute from Junction Set-Cookie headers through to clients.
- # When set to 'no' the HttpOnly attribute will be discarded.
- pass-http-only-cookie-attr = yes
- # Compatibility option to also mangle junction names into domain set cookies.
- # When several junctioned servers set domain cookies with the same name and
- # same path, the browser will overwrite the values to the last one set. This
- # is the expected behavior for domain cookies, but before WebSEAL 5.1, it was
- # possible to use WebSEAL cookie mangling to prevent it. When set to "yes"
- # the pre-5.1 behavior is enabled.
- mangle-domain-cookies = no
- # Option to use the client's current IP address, rather than one cached in
- # the credentials at authentication time, for the value passed in a header
- # to junctions created with the -r option.
- insert-client-real-ip-for-option-r = no
- # The maximum number of persistent connections which will be stored in the
- # cache for future use. Connections with junctioned Web servers will be
- # cached for future use unless the configured limit is reached, or the
- # 'connection: close' header is received in the HTTP response. Please note
- # that if enabled there is the potential for different user sessions to use
- # the same connection when processing requests. To disable the persistent
- # connection functionality simply specify a max-cached-persistent-connections
- # value of 0.
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct-id}] stanza, where
- # {jct-id} refers to the junction point for a standard junction (including
- # the leading '/'), or the virtual host label for a virtual host junction.
- # NOTE(review): 0 keeps connection reuse across user sessions disabled. If
- # this is raised later, confirm that no junctioned server ties
- # authentication state to the TCP connection, since requests from different
- # users may then share one connection (per the note above).
- max-cached-persistent-connections = 0
- # The maximum number of seconds a persistent connection can remain idle in our
- # cache before the connection is cleaned up and closed by WebSEAL. This value
- # should be lower than the configured maximum connection lifetime for the
- # junctioned Web server. This behaviour is controlled for the Apache Web
- # server, as an example only, by the KeepAliveTimeout configuration entry.
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct-id}] stanza, where
- # {jct-id} refers to the junction point for a standard junction (including
- # the leading '/'), or the virtual host label for a virtual host junction.
- persistent-con-timeout = 5
- # The managed-cookies-list contains patterns that will be matched
- # against the names of cookies returned by junctioned servers to determine
- # whether the cookie should be stored in the WebSEAL cookie jar.
- # Items in the managed-cookies-list should be comma separated and there should
- # be no white space separating cookie names. The WebSEAL cookie jar is turned
- # off by not specifying any cookies in the managed-cookies-list.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- # Commented out here: the cookie jar is off and junction cookies are passed
- # through to the client.
- #managed-cookies-list = JSESS*,Ltpa*
- # The share-cookies item is used to control sending of cookies contained in the
- # WebSEAL cookie jar between different junctions. If share-cookies = true, all
- # cookies in the WebSEAL cookie jar which match the request will be sent across
- # the junction. If share-cookies = false only cookies received from the junction
- # will be sent in requests to that junction.
- # NOTE(review): false is the least-privilege setting; true would forward
- # one junction's session cookies to every other junction that matches the
- # request, which should only be enabled when the junctions are known to
- # share a trust domain.
- share-cookies = false
- # The reset-cookies-list contains patterns that will be matched
- # against the names of cookies returned by junctioned servers, or provided
- # by the client, to determine whether the cookie should be reset during a
- # user session logout. Items in the reset-cookies-list should be comma
- # separated without any white space.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- # Commented out here: no junction cookies are cleared at logout by WebSEAL,
- # so clearing application session cookies is left to the junctioned servers.
- # reset-cookies-list = JSESS*,Ltpa*
- # If dynamic-addresses is set to "no" the junction server host name will
- # be resolved to its corresponding IP address and this address will then
- # be used for subsequent communication with the junction server.
- #
- # If set to "yes" the junction server host name will be resolved to its
- # corresponding IP address immediately before any communication with the
- # junction server.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- dynamic-addresses = no
- # If the dynamic-addresses configuration entry has been set to yes this
- # configuration entry will specify the length of time (in seconds) that
- # a resolved IP address can be used before it is discarded and another
- # name resolution is attempted (time-to-live).
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- dynamic-addresses-ttl = 0
- #
- # WebSEAL can be used to serve pages from a local web server via local
- # junctions. If local junctions are not used, the functionality can be
- # disabled with this configuration item.
- #
- disable-local-junctions = no
- #
- # Two separate junction tables are managed by WebSEAL, one for virtual host
- # junctions, and the other for standard junctions. When a request is
- # received the VHJ table is searched first, and if no match is found the
- # table which manages the standard junctions is then searched. The following
- # configuration item is used to reverse the search order so that the table
- # which manages the standard junctions is searched before the VHJ table.
- #
- match-vhj-first = yes
- # The following configuration entry is used to control whether the learning
- # capability is enabled for GSO junctions or not. If learning is enabled,
- # and existing credential information is not available for the user, the
- # BA prompt will be returned to the user. The credential information
- # for the user will then be stored for future use on a subsequent
- # successful authentication. An authentication is deemed to be
- # successful if the junctioned Web server does not return a
- # 4xx or 5xx response.
- gso-credential-learning = no
- # The following configuration entry is used to define the key which is used
- # to obfuscate the credential information which is managed by the GSO Web
- # service. If no key is defined the credential information will not be
- # obfuscated by WebSEAL.
- # gso-obfuscation-key =
- #----------------------
- # KERBEROS SSO JUNCTIONS
- #----------------------
- # This configuration entry controls whether Kerberos single-sign-on
- # authentication is enabled on junctions.
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- # NOTE(review): while this is false the kerberos-keytab-file,
- # kerberos-principal-name and kerberos-service-name entries below are unused.
- # The latter two still hold the template placeholder <principal-name> and the
- # keytab entry is empty; all three must be filled in before enabling this.
- kerberos-sso-enable = false
- # The name of the Kerberos key table file for the WebSEAL server. This stanza
- # entry is required when Kerberos SSO authentication for junctions is enabled.
- # The keytab file must contain the key for the service-principal-name (SPN)
- # used for Kerberos authentication.
- # The following files are currently available for this configuration entry:
- # - <none available>
- kerberos-keytab-file =
- # The Kerberos SPN, used as the impersonating user when creating the token. The
- # service principal name can be determined by executing the Microsoft utility
- # setspn (that is, setspn -L user, where user is the identity of the WebSEAL
- # account).
- #
- # Format is:
- # kerberos-principal-name = HTTP/<username>@<realm>
- #
- # This stanza entry is required when Kerberos SSO authentication for junctions
- # is enabled.
- kerberos-principal-name = <principal-name>
- # The Kerberos SPN for the back-end Web server. The service principal name can
- # be determined by executing the Microsoft utility setspn (that is, setspn -L
- # user, where user is the identity of the back-end Web server's account).
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- #
- # Format is:
- # kerberos-service-name = HTTP/<username>@<realm>
- #
- # This stanza entry is required when Kerberos SSO authentication for junctions
- # is enabled.
- kerberos-service-name = <principal-name>
- # This boolean value is used to indicate whether a security token should be
- # sent for every HTTP request, or whether WebSEAL should wait for a 401
- # response from the back-end Web server before adding the security token. This
- # configuration item is used to avoid the unnecessary overhead of generating
- # and adding a security token to every request if the back-end Web server is
- # capable of maintaining user sessions.
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- # This stanza entry is required when Kerberos SSO authentication for junctions
- # is enabled.
- always-send-kerberos-tokens = false
- # This entry overwrites the UPN (or sections of the UPN) for Kerberos SSO users.
- # The replacement information can be direct text or names of credential
- # attributes.
- # <text>: directly copied into the UPN sections
- # attr:<name>: fetches the replacement text from the "name" credential
- # attribute
- #
- # The domain information can also be extracted from the dc elements of the
- # user's dn via the attribute "attr:dn".
- # If no user name is defined, the client credential name is used.
- # If no domain is defined, the WebSEAL service account domain is used.
- # Defining a domain without a user name must be prepended with '@'. The domain
- # is case sensitive and must be upper case. The domain must be added as a realm
- # to the Kerberos Configuration.
- #
- # Format is:
- # kerberos-user-identity = <username>@<realm>
- # kerberos-user-identity = <username>
- # kerberos-user-identity = @<realm>
- # kerberos-user-identity = <upn>
- #
- # This configuration item may be customized for a particular junction by adding
- # the adjusted configuration item to a [junction:{jct_id}] stanza, where
- # '{jct-id}' refers to the junction point for a standard junction (include the
- # leading '/'), or the virtual host label for a virtual host junction.
- kerberos-user-identity =
- #---------------------
- # HTTP/2 FOR JUNCTIONS
- #---------------------
- #
- # HTTP/2 protocol settings for connections to junction servers and connections
- # to proxy servers used to access junction servers. These HTTP/2 configuration
- # items may be customized for a particular junction by adding the adjusted
- # configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
- # to the junction point for a standard junction (include the leading '/'), or
- # the virtual host label for a virtual host junction.
- # HTTP/2: maximum size in bytes that WebSEAL will accept in the header compression
- # table (RFC 7541) from the junction and proxy servers. There is one table per
- # HTTP/2 network connection.
- http2-header-table-size = 4096
- # HTTP/2: maximum number of unacknowledged bytes WebSEAL can accept per active
- # multiplexed stream to the junction and proxy servers. WebSEAL will create an
- # in-memory buffer to hold this many bytes for each active multiplexed stream.
- http2-initial-window-size = 65535
- # HTTP/2: maximum size of the body of a single HTTP/2 protocol frame sent over
- # the HTTP/2 network connection.
- http2-max-frame-size = 16384
- # HTTP/2: maximum size of headers that can be received in a response over a HTTP/2
- # stream. A value of -1 denotes the unlimited setting allowing its memory use in
- # WebSEAL to be unbounded.
- http2-max-header-list-size = 32768
- # The following configuration item is contained within the obfuscated
- # database and as such is obfuscated within this file. If the value is
- # modified within this configuration file the corresponding change will
- # be applied to the obfuscated database.
- basicauth-dummy-passwd = **obfuscated**
- [query-contents]
- #----------------------
- # QUERY CONTENTS
- #----------------------
- # When this option is enabled then the query string sent to the query contents
- # CGI on junctions will be a uri encoded UTF-8 string. In addition a
- # x-query-contents-uriencoded header is sent with the value "yes". This
- # option is to aid in supporting non-ASCII locales.
- # Boolean (yes/no); left at the default of no here.
- query-contents-uriencoded = no
- [illegal-url-substrings]
- #----------------------
- # ILLEGAL URL SUBSTRINGS
- #----------------------
- # WebSEAL will block HTTP requests with any of the substrings from this
- # list in the URL.
- #
- # Format is:
- # substring = <STRING>
- #
- # NOTE(review): this is a single literal denylist entry. The file does not
- # state whether the match is case-insensitive or applied after URL decoding,
- # so it should be treated as a coarse request filter, not as the control that
- # prevents script injection; output encoding in the junctioned applications
- # remains the primary defence.
- substring = <script
- [filter-url]
- #----------------------
- # DOCUMENT FILTERING
- #----------------------
- # URL attributes that the server will filter in responses from
- # junctioned servers.
- # Format is <TAG> = <ATTRIBUTE>
- # A tag may appear on several lines (e.g. DIV, IMG, OBJECT); this stanza
- # uses repeated keys to list every attribute filtered for that tag, so the
- # duplicates are intentional and must not be collapsed.
- A = HREF
- APPLET = CODEBASE
- AREA = HREF
- BASE = HREF
- BGSOUND = SRC
- BLOCKQUOTE = CITE
- BODY = BACKGROUND
- DEL = CITE
- DIV = EMPTYURL
- DIV = IMAGEPATH
- DIV = URL
- DIV = VIEWCLASS
- EMBED = PLUGINSPAGE
- EMBED = SRC
- FORM = ACTION
- FRAME = LONGDESC
- FRAME = SRC
- HEAD = PROFILE
- IFRAME = LONGDESC
- IFRAME = SRC
- ILAYER = BACKGROUND
- ILAYER = SRC
- IMG = SRC
- IMG = LOWSRC
- IMG = LONGDESC
- IMG = USEMAP
- IMG = DYNSRC
- INPUT = SRC
- INPUT = USEMAP
- INS = CITE
- ISINDEX = ACTION
- ISINDEX = HREF
- LAYER = BACKGROUND
- LAYER = SRC
- LINK = HREF
- LINK = SRC
- OBJECT = CODEBASE
- OBJECT = DATA
- OBJECT = USEMAP
- Q = CITE
- SCRIPT = SRC
- TABLE = BACKGROUND
- TD = BACKGROUND
- TH = BACKGROUND
- TR = BACKGROUND
- # The WM: entries below are namespaced (non-HTML) tags; the ?IMPORT entry is
- # a processing-instruction style tag. Both are kept verbatim from the
- # shipped defaults.
- WM:CALENDARPICKER = FOLDERURL
- WM:CALENDARPICKER = IMAGEPREVARROW
- WM:CALENDARPICKER = IMAGENEXTARROW
- WM:CALENDARVIEW = FOLDERURL
- WM:MESSAGE = DRAFTSURL
- WM:MESSAGE = URL
- WM:NOTIFY = FOLDER
- WM:REMINDER = FOLDER
- ?IMPORT = IMPLEMENTATION
- [filter-events]
- #------------------------
- # EVENT HANDLER FILTERING
- #------------------------
- # Specifies (TAG,EVENT-HANDLER) pairs that contain JavaScript requiring
- # filtering of URL references. Currently, only absolute URLs are
- # supported.
- #
- # Format is <TAG> = <EVENT-HANDLER>
- # As in [filter-url], a tag is repeated once per event handler; the
- # duplicate keys are intentional list entries.
- A = ONCLICK
- A = ONDBLCLICK
- A = ONMOUSEDOWN
- A = ONMOUSEOUT
- A = ONMOUSEOVER
- A = ONMOUSEUP
- AREA = ONCLICK
- AREA = ONMOUSEOUT
- AREA = ONMOUSEOVER
- BODY = ONBLUR
- BODY = ONCLICK
- BODY = ONDRAGDROP
- BODY = ONFOCUS
- BODY = ONKEYDOWN
- BODY = ONKEYPRESS
- BODY = ONKEYUP
- BODY = ONLOAD
- BODY = ONMOUSEDOWN
- BODY = ONMOUSEUP
- BODY = ONMOVE
- BODY = ONRESIZE
- BODY = ONUNLOAD
- FORM = ONRESET
- FORM = ONSUBMIT
- FRAME = ONBLUR
- FRAME = ONDRAGDROP
- FRAME = ONFOCUS
- FRAME = ONLOAD
- FRAME = ONMOVE
- FRAME = ONRESIZE
- FRAME = ONUNLOAD
- IMG = ONABORT
- IMG = ONERROR
- IMG = ONLOAD
- INPUT = ONBLUR
- INPUT = ONCHANGE
- INPUT = ONCLICK
- INPUT = ONFOCUS
- INPUT = ONKEYDOWN
- INPUT = ONKEYPRESS
- INPUT = ONKEYUP
- INPUT = ONMOUSEDOWN
- INPUT = ONMOUSEUP
- INPUT = ONSELECT
- LAYER = ONBLUR
- LAYER = ONLOAD
- LAYER = ONMOUSEOUT
- LAYER = ONMOUSEOVER
- SELECT = ONBLUR
- SELECT = ONCHANGE
- SELECT = ONFOCUS
- TEXTAREA = ONBLUR
- TEXTAREA = ONCHANGE
- TEXTAREA = ONFOCUS
- TEXTAREA = ONKEYDOWN
- TEXTAREA = ONKEYPRESS
- TEXTAREA = ONKEYUP
- TEXTAREA = ONSELECT
- [filter-schemes]
- #
- # URLs with these schemes are not filtered in responses from junctioned
- # servers.
- #
- # Notes and Exceptions:
- # - HTTP: and HTTPS: are internally handled and will be ignored if present in
- # this list.
- # - Webseald will filter URLs with a scheme matching one in this list if
- # the response from a junctioned server has a BASE tag HREF URL scheme the
- # same as the URLs.
- # - If a URL in the response from a junctioned server does not have a scheme
- # from this list, and the scheme is not HTTP: or HTTPS:, then webseald will
- # assume the URL is the same scheme as the junctioned server (HTTP: or
- # HTTPS:) with its scheme missing.
- # - The trailing ':' on scheme-name is optional, and if missing will be assumed.
- #
- # Format is:
- # scheme = <scheme-name>
- #
- # Repeated "scheme" keys form the list; these are the shipped defaults.
- scheme = file
- scheme = ftp
- scheme = mailto
- scheme = news
- scheme = telnet
- [filter-content-types]
- #
- # Document content types that the server will filter in responses from
- # junctioned servers. If types besides text/html and text/vnd.wap.wml
- # are added to this list then the option [script-filtering]script-filter
- # should be set to 'yes'.
- #
- # Format is:
- # type = <type-name>
- #
- # Only the two default types are listed, which is consistent with
- # [script-filtering] script-filter = no further down in this file.
- type = text/html
- type = text/vnd.wap.wml
- [filter-request-headers]
- #
- # HTTP headers to filter from the client request before sending to the
- # back-end web server. Note that this list is in addition to headers
- # that WebSEAL will always filter, eg iv-user, iv-groups.
- #
- # Format is:
- # header = <header-name>
- #
- # The header name is case insensitive.
- #
- # The addition of "accept-encoding" to this list will prevent junctioned
- # servers from returning compressed data to WebSEAL. WebSEAL cannot
- # filter compressed data.
- # NOTE(review): stripping accept-encoding is what keeps the response
- # filtering in [filter-url]/[filter-events] effective; removing this entry
- # would let junctions send compressed bodies that WebSEAL cannot rewrite.
- header = accept-encoding
- [script-filtering]
- # When script filtering support is enabled, filtering of
- # absolute urls between html <script> tags can be enabled.
- #
- # Only absolute URLs that exist as a complete string in the
- # html schema:server format will be filtered.
- # Disabled here; see the note in [filter-content-types], which expects this
- # to be yes only when additional content types are filtered.
- script-filter = no
- # When script-filter is set to yes, enabling this flag will rewrite
- # the absolute URLs with new absolute URLs that contain the protocol,
- # host and port (if necessary) that represent how the user accessed
- # the WebSEAL server.
- # Commented out; it has no effect while script-filter = no.
- #rewrite-absolute-with-absolute = no
- # If another WebSEAL server has created a junction to this WebSEAL
- # server using a WebSEAL to WebSEAL junction, set this to 'yes'
- # to uniquely identify the cookie used for resolving unfiltered links.
- hostname-junction-cookie = no
- # The following stanza is used to configure parameters associated
- # with the snippet filter.
- [snippet-filter]
- # The maximum size (in bytes) of snippets which will be stored in
- # memory. If the snippet exceeds the configured maximum size it will
- # not be cached, but will instead be read from disk during the
- # construction of each response.
- max-snippet-size = 1024
- # The following stanza is used to configure the snippet filter for a
- # particular resource. This filter will allow snippets to be inserted
- # into the response for the resource.
- #
- # The format of the stanza, and its entries are as follows:
- # [snippet-filter:<uri>]
- # <location> = <filename>
- #
- # where:
- # <uri>: The decoded URI for which the snippet substitution will
- # take place.
- # <location>: The location at which the snippet should be inserted.
- # This string will be pattern matched against a line in
- # the response using the '*.' wildcard characters. The
- # maximum length of a line in a response which can be
- # matched by the filter is 8192 bytes. If the line in the
- # response is longer than this it will simply be streamed
- # through to the client and cannot be used to identify a
- # snippet location.
- # <filename>: The name of the file which contains the snippet which
- # is to be inserted. The path specified should be
- # relative to the 'snippet' directory in the management
- # root directory.
- #
- # Multiple resources may be specified, and multiple locations may be
- # configured for each resource. The entries within the stanza must
- # appear in the order that they will be inserted within the returned
- # page.
- #
- # No [snippet-filter:<uri>] stanzas are defined in this file, so no
- # snippets are currently inserted into responses.
- [preserve-cookie-names]
- #
- # WebSEAL will, by default, modify the names of cookies returned in
- # responses from junctions created with the -j flag or listed in the
- # Junction Mapping Table. This is done to prevent naming conflicts with
- # cookies returned from other junctions.
- #
- # If front end applications depend on the names of certain cookies, you
- # may want to disable this behavior for those cookies. To do so, list
- # the cookies in this stanza.
- #
- # Format is:
- # name = <cookie-name>
- #
- # Empty here: all -j / JMT junction cookies keep the default name mangling,
- # which is what prevents one junction from overwriting another's cookies.
- [credential-refresh-attributes]
- #
- # When a user's credential is refreshed, some attributes may be preserved
- # by copying their values from the original credential into the new
- # credential. This stanza is used to control which attributes are preserved and
- # which are refreshed. The attribute name patterns are case-insensitive wild
- # card patterns that are used to select attributes.
- #
- # Order is important. The first pattern which matches a given attribute
- # will decide whether the attribute is preserved or refreshed. If no
- # pattern matches an attribute, then the attribute will be refreshed.
- #
- # Format is one of:
- # <attribute-name-pattern> = preserve
- # <attribute-name-pattern> = refresh
- #
- # NOTE(review): preserving authentication_level means a refresh keeps the
- # level the session already attained rather than recomputing it; confirm
- # that this matches the intended step-up policy. Everything not listed
- # below (group membership included) is refreshed from the registry.
- authentication_level = preserve
- tagvalue_* = preserve
- [gso-cache]
- #----------------------
- # GSO CACHE
- #----------------------
- # GSO cache configuration.
- # gso-cache-enabled must be set to 'yes' before the other parameters
- # will take effect.
- # Disabled here, so the size and timeout entries below are inert.
- gso-cache-enabled = no
- # Cache size (number of entries)
- gso-cache-size = 1024
- # Cache entry lifetime (in seconds)
- gso-cache-entry-lifetime = 900
- # Cache entry idle timeout (in seconds)
- gso-cache-entry-idle-timeout = 120
- [ltpa-cache]
- #----------------------
- # LTPA CACHE
- #----------------------
- # LTPA cache configuration.
- # The ltpa-cache-enabled entry must be set to 'yes' before
- # the other ltpa parameters will take effect.
- ltpa-cache-enabled = yes
- # Cache size (number of entries)
- ltpa-cache-size = 4096
- # Cache entry lifetime (in seconds)
- # 3600 s = 1 hour; cached entries are reused for up to this long.
- ltpa-cache-entry-lifetime = 3600
- # Cache entry idle timeout (in seconds)
- # 600 s = 10 minutes without use before an entry is dropped.
- ltpa-cache-entry-idle-timeout = 600
- ###############################
- # AUTHENTICATION
- ###############################
- [ba]
- #----------------------
- # BASIC AUTHENTICATION
- #----------------------
- # Enable authentication using the Basic Authentication mechanism
- # One of <http, https, both, none>
- # Disabled on both transports here; [forms] below provides the login
- # mechanism instead.
- ba-auth = none
- # Realm name. This is the text that is displayed in the
- # browser's dialog box when prompting the user for login data.
- # By default, the string 'Access Manager' is used.
- #basic-auth-realm = Access Manager
- # IMPORTANT:
- # If forms authentication is enabled for a particular transport,
- # the basic authentication settings for that transport will be ignored.
- [forms]
- #----------------------
- # FORMS
- #----------------------
- # Enable authentication using the forms authentication mechanism
- # One of <http, https, both, none>
- # https only: the login form and the posted credentials are never accepted
- # over plain HTTP.
- forms-auth = https
- # IMPORTANT:
- # If forms authentication is enabled for a particular transport,
- # the basic authentication settings for that transport will be ignored.
- # If a forms login request is received with either an empty user name or
- # an empty password, then WebSEAL will return the login form without
- # stating an error. If it is preferred that an error message is displayed,
- # then set this value to true. In this case, WebSEAL will attempt to
- # authenticate the user, and if the values have 0 length, the registry
- # will return the appropriate error.
- # Left at false: empty submissions are not sent to the registry at all.
- allow-empty-form-fields = false
- [spnego]
- #----------------------
- # SPNEGO
- #----------------------
- # Enable authentication using the SPNEGO authentication mechanism
- # One of <http, https, both, none>
- # Disabled here; the SPN and keytab entries below are therefore unused and
- # still contain the template placeholder / empty values.
- spnego-auth = none
- # IMPORTANT:
- # If forms authentication is enabled for a particular transport,
- # the SPNEGO authentication settings for that transport will be ignored.
- # SPNEGO authentication provides a principal name of the form
- # "shortname@domain.com". By default, TAM uses only the shortname
- # as the TAM user-id. If this parameter is set to yes, then TAM will
- # include the domain as part of the TAM user-id.
- #
- # Example:
- # SPNEGO authentication provides principal name: user@example.com
- # If this parameter is no: the TAM user-id is "user"
- # If this parameter is yes: the TAM user-id is "user@example.com"
- #
- # Note that this configuration option has no effect if Active
- # Directory Multi Domain is being used as the TAM user registry. For
- # AD MD, the domain name is always included as part of the TAM user-id.
- # NOTE(review): with no, users with the same short name in different
- # domains would map to the same TAM user-id; revisit this before enabling
- # SPNEGO in a multi-domain environment.
- use-domain-qualified-name = no
- #
- # List of kerberos service-principal-names (SPNs) for the server. This is only
- # used on UNIX platforms. Each principal name must have the form
- # HTTP@<hostname>, where hostname is the DNS name browsers will use to contact
- # the web server.
- #
- # The SPN used for SPNEGO authentication depends on whether the client is
- # accessing a traditional WebSEAL junction or a transparent junction. For
- # traditional WebSEAL junctions, the first SPN in the list is always used.
- # For transparent junctions, WebSEAL first searches for an SPN that matches
- # the hostname the client used to connect to WebSEAL. If no matching SPN is
- # found, then the first SPN from the list will be used instead.
- #
- # In most cases the hostname used here should be fully qualified.
- #
- # Format is:
- # spnego-krb-service-name = HTTP@<host-one.example.com>
- # spnego-krb-service-name = HTTP@<host-two.example.com>
- # ...
- #
- # Template placeholder; must be replaced with a real HTTP@<hostname> SPN
- # before spnego-auth is enabled.
- spnego-krb-service-name = <service-name>
- #
- # The path to the kerberos keytab file for the server. This is only used
- # on UNIX platforms. The keytab file must contain keys for each of the
- # SPNs used for SPNEGO authentication.
- #
- # The following files are currently available for this configuration entry:
- # - <none available>
- spnego-krb-keytab-file =
- #
- # During SPNEGO authentication the system can add the SID of the user as an
- # extended attribute to the credential. This entry specifies the name of the
- # attribute. This is only used on UNIX platforms.
- #
- # If this entry is not present, then the system does not add the SID as an
- # extended attribute to the credential.
- #
- # Present but empty here; whether an empty value behaves like an absent
- # entry is not stated in this file.
- spnego-sid-attr-name =
- [token]
- #----------------------
- # TOKEN
- #----------------------
- # Enable authentication using the token authentication mechanism
- # One of <http, https, both, none>
- # Disabled on both transports here.
- token-auth = none
- # IMPORTANT:
- # If token authentication is enabled for a particular transport,
- # the basic authentication settings for that transport will be ignored.
- [certificate]
- #----------------------
- # CERTIFICATE
- #----------------------
- # When to accept a certificate from HTTPS clients. Options are:
- #
- # never Never request a client certificate.
- #
- # critical Always request a client certificate. If a valid certificate
- # is not presented the SSL handshake will fail.
- #
- # required Always request a client certificate. If a valid certificate
- # is not presented the SSL handshake will succeed and a
- # an error HTTP response will be sent back to the client.
- #
- # optional Always request a client certificate. If presented, use it.
- #
- # prompt_as_needed Certificates will only be prompted for and processed when
- # certificate authentication is necessary (due to an ACL or
- # POP check failure).
- #
- accept-client-certs = never
- # IMPORTANT
- # If this is set to 'required', all other authentication
- # settings are ignored for HTTPS clients
- #----------------------
- # CERTIFICATE SSL ID CACHE SETTINGS
- #----------------------
- # A cache is necessary to store the SSL IDs of sessions that require a
- # certificate exchange. This cache is only required when accept-client-certs =
- # prompt_as_needed.
- # The maximum number of concurrent entries in the Certificate SSL ID cache
- # This corresponds to the number of concurrent certificate logins.
- # Setting this to zero will allow unlimited cache size.
- cert-cache-max-entries = 1024
- # Maximum lifetime (in seconds) for an entry in the Certificate SSL ID cache.
- # Setting this to zero allows entries in the cache to fill without expiry until the
- # cache contains the number of entries specified by cert-cache-max-entries.
- # After that point, entries are expired according to a least recently used
- # algorithm.
- cert-cache-timeout = 120
- # This controls the number of times WebSEAL will attempt to authenticate
- # a client using certificates before assuming the client cannot provide
- # a certificate. A value of 5 is recommended because most browsers will
- # maintain a maximum of 4 TCP connections to a Web server. (Each attempt
- # to prompt a client for certificate authentication will cause a TCP
- # connection to be closed, and if all active TCP connections to a browser
- # have been closed then the browser is probably unable to provide client
- # certificate authentication.) Values less than 2 or greater than 15 are
- # not permitted. This value is not used unless accept-client-certs =
- # prompt_as_needed.
- cert-prompt-max-tries = 5
- # When disable-cert-login-page is set to "yes" the initial login form with
- # an option to prompt for certificate will not be presented. WebSEAL will
- # instead bypass this and directly prompt for the certificate.
- disable-cert-login-page = no
- # When accept-client-certs is set to "prompt_as_needed" this option causes
- # the client (browser) to be redirected to another HTTPS port on the WebSEAL
- # server, using the same host name. The other port must be on an interface
- # configured with accept-client-certs = "required". The redirection occurs
- # from certlogin.html and stepuplogin.html when the certificate login button is
- # pressed. This option also provides the SECONDARY_BASE macro which is
- # provided for certlogin.html and stepuplogin.html to allow redirection to
- # the secondary port for authentication using certificates. It is of the form
- # HTTPS://%HOSTNAME%:<secondary-port>
- # If not set, or set to zero, this feature is disabled and the SECONDARY_BASE
- # macro is set to the empty string.
- secondary-port = 0
- # This option applies when secondary-port is enabled for prompt_as_needed
- # and use-secondary-listener is enabled for the interface providing the
- # secondary-port. When these are enabled and the browser provided certificate
- # fails to map to a valid user, enabling this option will cause WebSEAL to
- # redirect the browser back to the original interface (port) to output the
- # cert-failure error message.
- secondary-fail-redirect = no
- #----------------------
- # External Authentication Interface (EAI) settings
- #----------------------
- #
- # The resource identifier of the application which will be invoked
- # to perform the certificate authentication. This URI should be relative
- # to the root web space of the WebSEAL server. If this configuration entry
- # is not defined the standard CDAS authentication mechanism will be used to
- # handle the authentication.
- #
- # The following additional headers will be made available in the EAI request:
- # eai_qop: The quality-of-protection settings for the client.
- # eai_domain: The ISAM domain name.
- #
- #eai-uri =
- #
- # The client certificate data which will be passed to the EAI application.
- # The format of the configuration entry will be:
- # eai-data = <data>:<header-name>
- #
- # The <data> component is used to indicate the data which will be included
- # in the header. It should be one of the following:
- # * Base64Certificate
- # * SerialNumber
- # * SubjectCN
- # * SubjectLocality
- # * SubjectState
- # * SubjectCountry
- # * SubjectOrganization
- # * SubjectOrganizationalUnit
- # * SubjectDN
- # * SubjectPostalCode
- # * SubjectEmail
- # * SubjectUniqueID
- # * IssuerCN
- # * IssuerLocality
- # * IssuerState
- # * IssuerCountry
- # * IssuerOrganization
- # * IssuerOrganizationUnit
- # * IssuerDN
- # * IssuerPostalCode
- # * IssuerEmail
- # * IssuerUniqueID
- # * Version
- # * SignatureAlgorithm
- # * ValidFrom
- # * ValidFromEx
- # * ValidTo
- # * ValidToEx
- # * PublicKeyAlgorithm
- # * PublicKey
- # * PublicKeySize
- # * FingerprintAlgorithm
- # * Fingerprint
- #
- # The <header-name> component is used to indicate the name of the HTTP
- # header which will contain the data.
- #
- # Multiple pieces of client certificate data can be passed to the EAI
- # application by including multiple 'eai-data' configuration entries.
- #
- # An example configuration might be:
- # eai-data = SerialNumber:eai_serial_num
- #
- [authentication-levels]
- #----------------------
- # STEP UP
- #----------------------
- # authentication levels
- #
- # Syntax:
- # level = <method-name>
- #
- # Valid method names are:
- # unauthenticated
- # password
- # token-card
- # ssl
- # ext-auth-interface
- # ltpa
- # kerberosv5
- # oauth
- #
- level = unauthenticated
- level = password
- # IMPORTANT
- # 1) You cannot step up to an authentication method that is not enabled.
- # For example, you must enable either BA or forms authentication
- # before 'level = password' in this list will have any effect.
- #
- # 2) POP settings are required to enable step-up authentication.
- # Please see the administration guide for details.
- [step-up]
- #
- # The following entry determines, in the event of a step-up operation,
- # whether the new user ID must match the user ID from the previous
- # authentication. In the situation where verify-step-up-user = yes,
- # and the user IDs do not match, an error will be presented to the user.
- #
- verify-step-up-user = yes
- #
- # The following entry allows the administrator to control what login prompts
- # are shown to users when they request a resource protected by a stepup policy.
- #
- # If show-all-auth-prompts = yes, the login prompts for all configured
- # authentication methods are shown.
- #
- # If show-all-auth-prompts = no, only the login prompt for the method matching
- # the required authentication level is shown.
- #
- show-all-auth-prompts = no
- #
- # This configuration entry will control whether an authentication
- # level/mechanism which is higher than the requested step-up level is
- # allowed during a step-up operation.
- #
- # The default value, if no entry is specified, is 'no'.
- #
- step-up-at-higher-level = no
- [mpa]
- #----------------------
- # MULTIPLEXING PROXY AGENTS
- #----------------------
- # Support Multiplexing Proxy Agents (yes/no)
- mpa = no
- [cdsso]
- #----------------------
- # CDSSO
- #----------------------
- # Accept cdsso tokens
- # This will require that an authentication module is specified for
- # 'sso-consume' in the 'authentication-mechanisms' stanza.
- # One of <http, https, both, none>
- cdsso-auth = none
- # Generate cdsso tokens.
- # This will require that an authentication module is specified for
- # 'sso-create' in the 'authentication-mechanisms' stanza.
- # One of <http, https, both, none>
- cdsso-create = none
- # Single sign on authentication token lifetime (in seconds)
- # This mitigates clock skew between separate WebSEAL servers.
- authtoken-lifetime = 180
- # cdsso-argument
- # This is the name of the argument containing the CDSSO token in a query string
- # of a request. This is used to identify incoming requests containing
- # CDSSO authentication information.
- #
- # Syntax:
- # cdsso-argument = <argument name>
- # For standard CDSSO, use PD-ID
- cdsso-argument = PD-ID
- # Specify if UTF-8 encoding should be used in the strings within the cdsso
- # token. UTF-8 should be used when user names or credential attributes in the
- # token are not encoded in the same code page as the WebSEAL server is using.
- # Set to "no" if your tokens need to interoperate with environments that
- # use local code page. This option only affects CDSSO tokens created and
- # consumed by the default SSO create and consume libraries.
- use-utf8 = yes
- # When an SSO token is generated, a call is made to the Cross Domain Mapping
- # Framework (CDMF) API to determine the extended attributes that must be
- # encoded into the token so that the user can be correctly mapped across the
- # SSO authentication. The propagate-cdmf-errors parameter determines
- # whether the failure of the cdmf_get_usr_attributes call will cause token
- # creation as a whole to fail. If propagate-cdmf-errors is set to "no"
- # (default), a default attribute list will be generated if the CDMF fails
- # and token creation will proceed without error. However, if
- # propagate-cdmf-errors is set to "yes", token creation will be aborted if
- # the CDMF fails.
- propagate-cdmf-errors = no
- # cdsso-argument (PD-ID) and PD-REFERER query string arguments can be
- # passed onto junctions. When this option is set to "yes" these will be
- # removed from the URI before passing the request onto the junction.
- clean-cdsso-urls = no
- [cdsso-peers]
- # Peers that are participating in Cross Domain Single Sign On (CDSSO)
- #
- # Syntax:
- # <fully qualified host name> = <key file location>
- [cdsso-token-attributes]
- #
- # Credential attributes to include in CDSSO authentication tokens.
- #
- # This stanza defines the sets of attributes to be included in
- # CDSSO authentication tokens, specified on a per-peer or
- # per-domain basis. This processing only takes place if the
- # default SSO token creation and consumption libraries are
- # in use.
- #
- # Credential attributes matching the patterns specified in this stanza
- # for a target host or domain are included in CDSSO authentication tokens
- # constructed for that target host or domain. Only a single value for
- # each attribute is used, and only string values are supported. Other
- # types of credential attribute values will be ignored.
- #
- # Patterns can be specified using shell-style wildcards.
- #
- # The format of these entries is:
- #
- # <domain-name> = <pattern-1>
- # <domain-name> = <pattern-2>
- # <domain-name> = <pattern-n>
- #
- # For example:
- #
- # [cdsso-token-attributes]
- # ibm.com = attrprefix_*
- # ibm.com = *name*
- # tivoli.com = *_attrsuffix
- # tivoli.com = some_exact_attribute
- #
- # A default set of attributes can be configured with a '<default>'
- # entry in this stanza. This set of attributes is used when there
- # is no other entry matching a particular target host. If the '<default>'
- # entry is not present, then no attributes will be included in tokens
- # by default.
- #
- # For example:
- #
- # [cdsso-token-attributes]
- # <default> = myattr*
- # ibm.com = attrprefix_*
- #
- # If no credential attributes are required in CDSSO authentication tokens,
- # then this stanza can remain empty.
- #
- [cdsso-incoming-attributes]
- #
- # Attributes to accept from incoming CDSSO authentication tokens.
- #
- # This stanza defines the sets of attributes to be accepted and rejected
- # from incoming CDSSO authentication tokens. Unlike the outgoing
- # attributes configuration, incoming attributes cannot be configured
- # on a per-peer or per-domain basis. Only one set of attribute patterns
- # can be configured, and these patterns will be applied to incoming
- # tokens regardless of source. This processing only takes place if the
- # default SSO token creation and consumption libraries are
- # in use.
- #
- # The format of entries in this stanza is:
- #
- # <attribute pattern> = <preserve|refresh>
- #
- # Attributes in CDSSO authentication tokens that match a 'refresh' entry
- # will be removed from the token before the CDMF library is called
- # to map the remote user into the local domain. Attributes matching
- # a 'preserve' entry, or matching none of the entries, will be kept.
- # If no entries are configured, then all attributes will be kept.
- #
- [failover]
- #----------------------
- # FAILOVER
- #----------------------
- # Accept failover cookies
- # One of <http, https, both, none>
- failover-auth = none
- # Key file for failover cookie encryption
- # The cdsso_key_gen utility must be used to create this file
- # NOTE(review): whoever can read this key file can produce failover cookies
- # that this instance will accept, so keep it readable only by the WebSEAL
- # process user and treat it like any other credential-signing key.
- # The following files are currently available for this configuration entry:
- # - <none available>
- failover-cookies-keyfile =
- # The name of the cookie which will be used to house the failover token
- failover-cookie-name = PD-ID
- # Number of minutes that failover cookie contents are valid
- failover-cookie-lifetime = 60
- # Enable the failover cookie for the domain
- # This allows the cookie to be sent back to any server within
- # the same domain as WebSEAL.
- enable-failover-cookie-for-domain = no
- # If failover cookie for the domain is enabled
- # Webseal determines the domain to use as follows
- # 1) if the request is for a virtual host junction then the virtual host domain is used.
- # 2) if failover-cookie-domain-from-host-header is enabled and the request contains a host
- # header then the domain from the host header is used.
- # 3) if failover-cookie-domain has specified a domain then it is used.
- # 4) if web-host-name has been specified (in the [server] section) then the domain from the web-host-name is used.
- # 5) if none of the above then the domain is retrieved from the operating system
- #
- # NOTE(review): option 2) derives the cookie domain from a header the client
- # supplies, which lets the requester influence where the cookie is scoped;
- # leave this at "no" unless the Host header is validated before it reaches
- # WebSEAL.
- failover-cookie-domain-from-host-header = no
- # Specify if UTF-8 encoding should be used in the strings within the failover
- # cookie. UTF-8 should be used when user names or credential attributes in the
- # cookie are not encoded in the same code page as the WebSEAL server is using.
- # Set to "no" if your cookies need to interoperate with environments that
- # use local code page.
- use-utf8 = yes
- # The integer number of seconds that pass between updating the failover cookie's
- # last activity timestamp. With each request, if n seconds have passed since the
- # last cookie update, and last activity timestamps are configured to be
- # inserted in failover cookies, another update will occur.
- # A zero value will cause the last activity timestamp in the failover cookie
- # to be updated with each request.
- # Negative values will cause the last activity timestamp in the cookie to never
- # be updated.
- failover-update-cookie = -1
- # Enable validation of session lifetime and activity timestamp attributes of
- # incoming failover cookies. Settings are:
- # no: The timestamp is not required, but if it exists and is invalid,
- # failover authentication will fail.
- # yes: If the timestamp is invalid or missing, failover authentication
- # will fail.
- # NOTE(review): with "no", a cookie that carries no timestamp at all is
- # accepted. If failover-auth is ever changed from "none", consider setting
- # both entries to "yes" so that lifetime and inactivity limits are also
- # enforced on the replica that consumes the cookie — confirm against the
- # administration guide for your release.
- failover-require-lifetime-timestamp-validation = no
- failover-require-activity-timestamp-validation = no
- # Include the user's session ID as an attribute of the failover cookie to
- # enable non-sticky failover. Non-sticky failover allows users to authenticate
- # to multiple WebSEAL replicas without being issued new session cookies for
- # each failover occurrence.
- #
- # To enable non-sticky failover functionality, the following options must
- # be set; WebSEAL will report a startup error and fail to start if any
- # of the settings below are incorrect.
- # - In [session], set ssl-id-sessions = no
- # - Enable the following settings:
- # - In [failover-add-attributes],
- # tagvalue_failover_amweb_session_id = add
- # - In [failover-restore-attributes],
- # tagvalue_failover_amweb_session_id = preserve
- # - In [credential-refresh-attributes],
- # tagvalue_failover_amweb_session_id = preserve
- # - Wildcard patterns in the above 3 settings are allowed.
- failover-include-session-id = no
- # Resend the failover cookie if it is missing from the request
- # In certain environments clients may "lose" the failover cookie.
- # If this configuration option is set to yes then WebSEAL will
- # automatically resend the failover cookie if the client does
- # not present it.
- reissue-missing-failover-cookie = no
- [failover-add-attributes]
- # Specify which attributes from the credential to store in a failover cookie.
- #
- # The format for attributes to add to the failover cookie is:
- # <attribute pattern> = add
- # where <attribute pattern> is a case-insensitive wild card pattern.
- #
- # The AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD attributes
- # will always be added to the failover cookie, regardless of the
- # entries in this stanza.
- #
- #tagvalue_failover_amweb_session_id = add
- [failover-restore-attributes]
- # Specify which attributes to put in the new credential when recreating a
- # credential from a failover cookie. This stanza is used to control which
- # attributes are preserved and which are refreshed.
- # The attribute name patterns are case-insensitive wild card patterns that are
- # used to select attributes.
- #
- # Order is important. Rules that appear earlier in either failover-attribute
- # stanza take precedence over those that appear later in the stanza. If an
- # attribute does not match any of the rules, it will not be considered for
- # special handling.
- #
- # The format for adding attributes from the cookie (if present) to the new
- # credential is:
- # <attribute pattern> = preserve
- #
- # The format for explicitly ignoring failover cookie attributes (default
- # behavior) for addition to the new credential is:
- # <attribute pattern> = refresh
- #
- # All failover cookie attributes will be ignored (for the purpose of
- # adding them to a new credential) unless specified by a 'preserve' line.
- #
- #tagvalue_failover_amweb_session_id = preserve
- [ltpa]
- #----------------------
- # LTPA Authentication
- #----------------------
- # Accept/generate LTPA cookies
- # One of <http, https, both, none>
- ltpa-auth = none
- # The key file used when accessing LTPA cookies. This must correspond to a
- # valid LTPA key file, as generated by WebSphere.
- # The following files are currently available for this configuration entry:
- # - <none available>
- keyfile =
- # The name of the cookie which will contain the LTPA token.
- cookie-name = Ltpatoken2
- # The domain of the LTPA cookie. If no cookie domain is specified the LTPA
- # cookie will be created as a host-only cookie.
- # cookie-domain = ibm.com
- # The number of seconds that pass between updates of the LTPA cookie with the
- # lifetime of the cookie. With each request, if n seconds have passed since
- # the last cookie update, another update will occur. A zero value will cause
- # the lifetime timestamp in the LTPA cookie to be updated with each request.
- # Negative values will cause the lifetime of the cookie to be set to the same
- # value as the lifetime of the user session. This setting is used in an
- # attempt to mimic the inactivity timeout of a user session.
- update-cookie = -1
- # Should the full DN of the user be inserted into the generated LTPA cookie, or
- # should the TAM short name of the user be inserted into the generated LTPA
- # cookie.
- use-full-dn = true
- # The name of the cookie sent across a junction containing the LTPA
- # token can be customized.
- #
- # This name must match the configured name in the WebSphere
- # application on the junction to successfully achieve single signon.
- #
- # When not configured, the default values of LtpaToken or LtpaToken2
- # for LTPA or LTPAv2 respectively are used.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [ltpa:{jct_id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- #
- # jct-ltpa-cookie-name = LtpaToken
- [e-community-sso]
- #----------------------
- # e-COMMUNITY SSO
- #----------------------
- # Participate in e-community single sign on
- # One of <http, https, both, none>
- e-community-sso-auth = none
- # The e-community name. This needs to match any vouch-for tokens or
- # e-community cookies that are received.
- # e-community-name = <name>
- # Master authentication server settings. If is-master-authn-server
- # is set to "yes" then this server will accept vouch-for requests from
- # other WebSEAL instances whose domain keys are listed in the
- # [e-community-domain-keys] stanza.
- # is-master-authn-server = <yes/no>
- # If is-master-authn-server is set to "no" then this value needs
- # to be specified. If a local domain login has not already been performed then
- # authentication attempts will be routed through this machine,
- # which will need to vouch for a user's identity.
- # The domain key for the master-authn-server needs to be listed in the
- # [e-community-domain-keys] stanza.
- # master-authn-server = <server name>
- # If e-community-sso-auth permits use of the HTTP protocol and
- # the master-authn-server listens for HTTP requests on a port other
- # than the standard HTTP port (port 80) then this non-standard port
- # needs to be configured here. This parameter is ignored if this server
- # is the master authentication server.
- #
- # master-http-port = <port>
- # If e-community-sso-auth permits use of the HTTPS protocol and
- # the master-authn-server listens for HTTPS requests on a port other
- # than the standard HTTPS port (port 443) then this non-standard port
- # needs to be configured here. This parameter is ignored if this server
- # is the master authentication server.
- #
- # master-https-port = <port>
- # vouch-for token lifetime in seconds. This needs to take into account clock
- # skew between participants.
- vf-token-lifetime = 180
- # vouch-for URL designator
- # This specifies the start of a URL relative to the server root. This is used
- # to construct vouch-for requests by participating ECSSO servers, and to
- # distinguish requests for vouch-for information from other requests by the
- # MAS.
- #
- # '/pkmsvouchfor' is used by default
- # vf-url = /pkmsvouchfor
- # vouch-for argument
- # This is the name of the vouch-for token (as an argument name) contained in
- # a vouch-for reply.
- # This is used to construct vouch-for replies by the MAS, and to distinguish
- # incoming requests as ones with vouch-for information by participating ECSSO
- # servers.
- #
- # 'PD-VF' is used by default
- # vf-argument = PD-VF
- # ecommunity cookie domain. If not set WebSEAL will use the domain from the
- # automatically determined hostname (or web-host-name if specified).
- # ec-cookie-domain = <domain>
- # ecommunity cookie lifetime, in minutes.
- ec-cookie-lifetime = 300
- # Enable or disable unauthenticated access with ECSSO.
- # When set to no, every initial ECSSO request will require authentication.
- # Default value is yes.
- ecsso-allow-unauth = yes
- # Specify if UTF-8 encoding should be used in the strings within the vouch-for
- # token. UTF-8 should be used when user names or credential attributes in the
- # token are not encoded in the same code page as the WebSEAL server is using.
- # Set to "no" if your tokens need to interoperate with environments that
- # use local code page.
- use-utf8 = yes
- # When an SSO token is generated, a call is made to the Cross Domain Mapping
- # Framework (CDMF) API to determine the extended attributes that must be
- # encoded into the token so that the user can be correctly mapped across the
- # SSO authentication. The propagate-cdmf-errors parameter determines
- # whether the failure of the cdmf_get_usr_attributes call will cause token
- # creation as a whole to fail. If propagate-cdmf-errors is set to "no"
- # (default), a default attribute list will be generated if the CDMF fails
- # and token creation will proceed without error. However, if
- # propagate-cdmf-errors is set to "yes", token creation will be aborted if
- # the CDMF fails.
- propagate-cdmf-errors = no
- # If this option is set to yes and an unauthenticated request is made with
- # POST data, that data will be cached while the e-community master
- # authenticates the user. If the option is set to no, the request data
- # will be lost.
- cache-requests-for-ecsso = yes
- # Authentication errors returned by the master-authn-server in vouch-for
- # tokens are not propagated to the ERROR_CODE and ERROR_TEXT macros used
- # by facilities such as local response redirect. Setting this option to
- # "yes" will propagate the errors.
- ecsso-propagate-errors = no
- # When the following option is set to "yes" this WebSEAL instance is stopped
- # from generating or using eCommunity Cookies. In addition, if this instance
- # is not acting as the MAS, WebSEAL will not respond to vouch-for requests.
- # To be effective, all machines participating in the eCommunity should have
- # this value set the same.
- disable-ec-cookie = no
- # When the following option is set to "yes" on the WebSEAL instance acting as
- # the MAS, the MAS will respond locally to login failures, rather than
- # redirecting the user back to the requesting slave WebSEAL instance.
- handle-auth-failure-at-mas = no
- [e-community-domain-keys]
- # Keys for any domains that are participating in the e-community, including
- # the domain in which the WebSEAL server is running. These are shared on a
- # pair-wise-by-domain basis. The format of these entries is:
- # <domain name> = <key file>
- [e-community-domains]
- # These are the eCommunity cookie domains used by Virtual Host junctions. The
- # domain used by a particular Virtual Host junction will be chosen by finding
- # the longest domain in the table that matches the virtual hostname.
- # Each of these domains must also have a corresponding table of keys defined
- # by creating a stanza of the format [e-community-domain-keys:<domain>].
- # The format of these entries is:
- # name = <domain>
- #[e-community-domain-keys:<domain>]
- # Keys for any domains that are participating in the e-community, including
- # the domain in which the Virtual Host junction is running. These are shared
- # on a pair-wise-by-domain basis. The format of these entries is:
- # <domain name> = <key file>
- [ecsso-token-attributes]
- #
- # Credential attributes to include in eCSSO vouch-for tokens.
- #
- # This stanza defines the sets of attributes to be included in
- # eCSSO vouch-for tokens, specified on a per-peer or
- # per-domain basis. This processing only takes place if the
- # default SSO token creation and consumption libraries are
- # in use.
- #
- #
- # Credential attributes matching the patterns specified in this stanza
- # for a target host or domain are included in eCSSO vouch-for tokens
- # constructed for that target host or domain. Only a single value for
- # each attribute is used, and only string values are supported. Other
- # types of credential attribute values will be ignored.
- #
- # Patterns can be specified using shell-style wildcards.
- #
- # The format of these entries is:
- #
- # <domain-name> = <pattern-1>
- # <domain-name> = <pattern-2>
- # <domain-name> = <pattern-n>
- #
- # For example:
- #
- # [ecsso-token-attributes]
- # ibm.com = attrprefix_*
- # ibm.com = *name*
- # tivoli.com = *_attrsuffix
- # tivoli.com = some_exact_attribute
- #
- # A default set of attributes can be configured with a '<default>'
- # entry in this stanza. This set of attributes is used when there
- # is no other entry matching a particular target host. If the '<default>'
- # entry is not present, then no attributes will be included by default.
- #
- # For example:
- #
- # [ecsso-token-attributes]
- # <default> = myattr*
- # ibm.com = attrprefix_*
- #
- # If no credential attributes are required in eCSSO vouch-for tokens,
- # then this stanza can remain empty.
- #
- [ecsso-incoming-attributes]
- #
- # Attributes to accept from incoming eCSSO vouch-for tokens.
- #
- # This stanza defines the sets of attributes to be accepted and rejected
- # from incoming eCSSO vouch-for tokens. Unlike the outgoing
- # attributes configuration, incoming attributes cannot be configured
- # on a per-peer or per-domain basis. Only one set of attribute patterns
- # can be configured, and these patterns will be applied to incoming
- # tokens regardless of source. This processing only takes place if the
- # default SSO token creation and consumption libraries are
- # in use.
- #
- # The format of entries in this stanza is:
- #
- # <attribute pattern> = <preserve|refresh>
- #
- # Attributes in eCSSO vouch-for tokens that match a 'refresh' entry
- # will be removed from the token before the CDMF library is called
- # to map the remote user into the local domain. Attributes matching
- # a 'preserve' entry, or matching none of the entries, will be kept.
- # If no entries are configured, then all attributes will be kept.
- #
- [reauthentication]
- #----------------------
- # REAUTHENTICATION
- #----------------------
- # Prompt users to reauthenticate if their entry in the WebSEAL
- # credential cache has timed out due to inactivity
- #
- # If set to 'no', entries in the cache will be deleted when the
- # inactivity timeout is reached.
- #
- # If set to 'yes', entries in the cache will be retained until the
- # cache lifetime timeout is reached. If the inactivity timeout has
- # been reached and the client makes another request before the cache
- # lifetime timeout is reached, they will be prompted to reauthenticate.
- reauth-for-inactive = no
- # Should the authenticated credential be replaced with an unauthenticated
- # credential for the processing of a request when the session becomes
- # inactive? This configuration entry will control the user identity
- # information which appears in the log file, and the user identity information
- # which can be inserted into the HTTP stream, whilst the session is inactive.
- # It will not affect the single-sign-on information (e.g. iv-creds) whilst
- # the session is inactive.
- replace-inactive-cred = yes
- # Reset the lifetime timer for WebSEAL credential cache entries
- # following successful reauthentication.
- # This applies to reauthentication resulting from either inactivity or
- # from security policy
- reauth-reset-lifetime = no
- # Time in seconds that the credential cache entry lifetime timer should
- # be extended to allow clients to complete a reauthentication.
- # A value of 0 indicates that the lifetime timer will not be extended.
- # This applies to any clients who are required to log in who
- # already have an existing cache entry, including clients stepping up and
- # clients performing reauthentication resulting from either inactivity or
- # from security policy.
- reauth-extend-lifetime = 0
- # When the user registry policy setting max-login-failures is set and the
- # maximum number of reauthentication login failures is reached the login
- # session will be terminated if this option is enabled.
- terminate-on-reauth-lockout = yes
- # This configuration entry will control whether a different authentication
- # level/mechanism is allowed during a reauthentication operation. Please
- # note that if the configuration option is set to 'yes' the credential
- # could change during the lifetime of the session, potentially more than
- # once.
- #
- # The default value, if no entry is specified, is 'no'.
- reauth-at-any-level = no
- [eai]
- #----------------------
- # EXTERNAL AUTHENTICATION INTERFACE
- #----------------------
- # Enable EAI authentication.
- #
- # One of <http, https, both, none>
- eai-auth = none
- # EAI HEADER NAMES
- # If eai-auth is not 'none', and WebSEAL has received a trigger URL
- # in a request, WebSEAL will examine the corresponding server response for
- # the following headers. These are the headers that will contain authentication
- # data used to authenticate the user.
- # EAI PAC header names
- eai-pac-header = am-eai-pac
- eai-pac-svc-header = am-eai-pac-svc
- # EAI USER ID header names
- eai-user-id-header = am-eai-user-id
- eai-auth-level-header = am-eai-auth-level
- eai-xattrs-header = am-eai-xattrs
- # EAI external USER ID header names
- # The eai-ext-user-id-header takes precedence over the eai-user-id-header.
- # If the authentication data that is presented to WebSEAL includes both headers,
- # WebSEAL will process it as an authentication for an external user.
- eai-ext-user-id-header = am-eai-ext-user-id
- eai-ext-user-groups-header = am-eai-ext-user-groups
- # EAI COMMON header names
- eai-redir-url-header = am-eai-redir-url
- # Determines whether the redirect URL contained within the EAI response takes
- # priority over all other EAI redirect options. If set to true the redirect
- # URL contained in the EAI response will take priority.
- eai-redir-url-priority = false
- # The name of the header which is used to 'flag' the authentication
- # response with extra processing information. The supported flags
- # (i.e. header values) include:
- # - stream: Used to indicate that the authentication response should
- # be streamed back to the client.
- eai-flags-header = am-eai-flags
- # The session identifier from a distributed session can also be supplied
- # through the EAI interface. Upon receiving a header which contains the
- # distributed session identifier, WebSEAL will retrieve the corresponding
- # session and use this session for subsequent requests. This header
- # provides the mechanism by which distributed sessions (aka DSC sessions)
- # can be shared across multiple DNS domains.
- eai-session-id-header = am-eai-session-id
- # RETAIN EAI SESSION
- # If an already-authenticated EAI client authenticates via an EAI a second
- # time, the existing session and cache entry are completely replaced by
- # default. If retain-eai-session = yes, then the existing session and
- # cache entry will be retained, and the credential and relevant data will
- # be updated in the existing cache entry.
- retain-eai-session = no
- #
- # The following entry determines, in the event of a subsequent EAI
- # authentication, whether the new user identity must match the user
- # identity from the previous authentication. In the situation where
- # eai-verify-user-identity = yes, and the user identities do not
- # match, an error will be presented to the user.
- #
- eai-verify-user-identity = no
- # The following configuration entry is used to determine whether multiple
- # extended attribute headers of the same name are added to the credential as
- # a multi-valued attribute, or a single comma-delimited attribute.
- eai-create-multi-valued-attributes = no
- # The following configuration entry is used to determine whether
- # extended attributes replace credential attributes of the same name
- # or are appended as additional values.
- eai-replace-cred-attributes = no
- # EAI TRIGGER URLS
- [eai-trigger-urls]
- # If eai-auth is not 'none', then WebSEAL will examine the URLs of incoming
- # requests to determine if they match one of the entries in this list.
- # If they do, then WebSEAL will examine the corresponding server response to
- # determine if it contains authentication data.
- #
- # NOTE: If eai-auth is not 'none', there must be at least one entry in this list.
- #
- # The URL string patterns are case-sensitive wild card patterns.
- #
- # Format for regular WebSEAL junctions is:
- # trigger = <URL pattern of EAI server response>
- #
- # Format for Virtual Host junctions is:
- # trigger = HTTP[S]://virtual-host-name[:port]/<URL pattern of EAI server response>
- #
- # For Virtual Host junctions to match a trigger they must also have the same
- # protocol (HTTP[S] = TCP/SSL) and have the same virtual-host-name & port as
- # the trigger. The virtual-host-name match is case-insensitive.
- #
- # Regular WebSEAL junction triggers are not used by Virtual Host junctions.
- # Virtual Host junction triggers are not used by regular WebSEAL junctions.
- [ssl-qop]
- #----------------------
- # SSL QUALITY OF PROTECTION MANAGEMENT
- #----------------------
- # Enable/Disable SSL Quality of Protection management
- ssl-qop-mgmt = yes
- # Legal cipher values for qop in the following stanzas are:
- # NONE, ALL, NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168,
- # RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256
- #
- # Specific cipher names can also be used. This can be useful when the qop
- # cipher group aliases above do not include a required cipher. When a cipher
- # is enabled it will be used with all enabled versions of SSL & TLS that
- # support the cipher.
- # The following is a list of available cipher names:
- # SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA,
- # TLS_DHE_PSK_WITH_AES_128_CCM_8, TLS_DHE_PSK_WITH_AES_128_CCM,
- # TLS_DHE_PSK_WITH_AES_256_CCM_8, TLS_DHE_PSK_WITH_AES_256_CCM,
- # TLS_DHE_RSA_WITH_AES_128_CCM_8, TLS_DHE_RSA_WITH_AES_128_CCM,
- # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CCM_8,
- # TLS_DHE_RSA_WITH_AES_256_CCM, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
- # TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
- # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- # TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
- # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- # TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_PSK_WITH_AES_128_CCM_8,
- # TLS_PSK_WITH_AES_128_CCM, TLS_PSK_WITH_AES_256_CCM_8,
- # TLS_PSK_WITH_AES_256_CCM, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- # TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- # TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
- # TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
- # TLS_RSA_WITH_AES_128_CCM_8, TLS_RSA_WITH_AES_128_CCM,
- # TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
- # TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CCM_8,
- # TLS_RSA_WITH_AES_256_CCM, TLS_RSA_WITH_AES_256_GCM_SHA384,
- # TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_MD5,
- # TLS_RSA_WITH_NULL_NULL, TLS_RSA_WITH_NULL_SHA,
- # TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA,
- # TLS_RSA_WITH_NULL_SHA256, SSL_CK_RC4_128_WITH_MD5,
- # SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5,
- # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5,
- # SSL_CK_DES_192_EDE3_CBC_WITH_MD5, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
- # TLS_ECDHE_RSA_WITH_NULL_SHA,
- #
- # Notes:
- # - NONE = No SSL connection allowed.
- # - NULL = Unencrypted SSL connection allowed.
- # - ALL = All types of SSL connections allowed.
- # - There may be multiple cipher/MAC combinations made available to the connection
- # for a given qop cipher selection. These will still have the same
- # encryption bit strength, just different MAC methods (SHA1 or MD5).
- # - RC2-128 is only available with SSLv2. If it is the only cipher selection
- # webseald will disable SSLv3 and TLSv1 for the affected connection.
- # - NULL, FIPS-DES-56, FIPS-DES-168, RC4-56, AES-128, and AES-256 are
- # only available with SSLv3 and TLSv1. If they are the only ciphers
- # available to a given connection, SSLv2 will be disabled for the
- # affected connection.
- # - AES Support is determined automatically by GSKit based on
- # the base-crypto-library setting. AES-128 and AES-256 are only
- # available if AES Support is enabled by GSKit, else they will be
- # ignored.
- # - FIPS-DES-56 and FIPS-DES-168 are only available when
- # fips-mode-processing is enabled (set to yes), otherwise they will
- # be ignored.
- # host ssl qop
- [ssl-qop-mgmt-hosts]
- # networks ssl qop
- [ssl-qop-mgmt-networks]
- # default ssl qop
- [ssl-qop-mgmt-default]
- # NOTE(review): 'default' appears twice below. Elsewhere this file uses repeated
- # entries of the same name as a multi-valued list (e.g. ssl-valid-server-dn), so
- # the intent is presumably "AES-128 or AES-256 permitted" -- confirm that the
- # parser accumulates both values rather than keeping only the last one.
- default = AES-128
- default = AES-256
- [oauth]
- # Enable authentication using Open Authorization (OAuth) mechanism.
- # One of <http, https, both, none>
- #
- # The OAuth authentication mechanism should be considered only as part of a
- # Mobile scenario, where a session can be established based on the Bearer
- # token in the Authorization Header.
- oauth-auth = none
- # The Provider ID of the default OAuth federation. If a Provider ID is not
- # provided in the request using the fed-id-param option, this provider ID will
- # be used for OAuth requests. The Provider ID of a federation can be found on
- # the federation properties page.
- default-fed-id = https://localhost/sps/oauthfed/oauth10
- # The name of the request parameter that can be used to override the
- # default-fed-id option configured above. By deleting this configuration
- # option, you can enforce that the default fed id is always used.
- fed-id-param = FederationId
- # The name of the TFIM cluster which houses this OAuth service. There should
- # also be a corresponding [tfim-cluster:<cluster>] stanza which contains the
- # definition of the cluster.
- cluster-name = oauth-cluster
- # The name of the attribute within the RSTR response whose value is to be used
- # as the user identity when creating the session credential.
- user-identity-attribute = username
- # By default the OAuth scope attribute is provided as a single comma separated
- # string. By enabling this configuration option the scope attribute will instead
- # be provided as a multivalue attribute.
- multivalue-scope = false
- # The following configurations can be used to authenticate the user with an
- # alternative method. This allows external users to use oauth-auth.
- # The name of the attribute within the RSTR response which contains a
- # credential PAC. A PAC will take precedence over all other authentication data.
- # Remove this configuration entry if you do not want to allow authentication to
- # occur via a PAC.
- pac-attribute = am-pac
- # The name of the attribute within the RSTR response whose value is to be used
- # as the user identity when creating the session credential. The supplied user
- # identity is not expected to exist within the ISAM user registry. Remove this
- # configuration entry if you do not want to allow authentication using an
- # external user identity.
- external-user-identity-attribute = am-ext-user-id
- # The name of the attribute within the RSTR response which will contain group
- # information for the external user.
- external-group-attribute = am-ext-user-groups
- # Should we continue processing the request, and try additional authentication
- # mechanisms, if an invalid authorization header has been supplied with the request.
- continue-on-auth-failure = false
- [tfim-cluster:oauth-cluster]
- #
- # This stanza contains definitions for a particular cluster of TFIM
- # servers.
- #
- #
- # A specification for the server which is used when communicating with a
- # single TFIM server which is a member of this cluster. Values for this
- # entry are defined as follows:
- #
- # {[0-9],}<URL>
- #
- # Where the first digit (if present) represents the priority of the server
- # within the cluster (9 being the highest, 0 being lowest). If the priority
- # is not specified, a priority of 9 is assumed. The <URL> can be any
- # well-formed HTTP or HTTPS URL.
- #
- # Multiple server entries can be specified for failover and load balancing
- # purposes. The complete set of these server entries defines the
- # membership of the cluster for failover and load balancing.
- #
- # server = 9,http://tfim.example.com/TrustServerWST13/services/RequestSecurityToken
- #
- # The maximum number of cached handles, used when communicating with TFIM.
- #
- handle-pool-size = 10
- #
- # The length of time, in seconds, before an idle handle will be removed
- # from the handle pool cache.
- #
- handle-idle-timeout = 240
- #
- # The length of time, in seconds, to wait for a response from TFIM.
- #
- timeout = 240
- #
- # The following configuration entries are optional and can be used if the TFIM
- # server has been configured to require basic authentication. If these
- # entries are left blank no basic authentication header will be provided when
- # communicating with the TFIM server.
- #
- #
- # The name of the user for the basic authentication header.
- #
- basic-auth-user =
- #
- # The following SSL entries are optional and are only required if:
- # 1. At least one server entry indicates that SSL is to be used (i.e.
- # starts with https:)
- # 2. A certificate is required other than that which is used by this server
- # when communicating with the policy server (details of the
- # default certificate can be found in the [ssl] stanza of this
- # configuration file).
- #
- # If these entries are required and are not found within this stanza, the
- # default [ssl] stanza will be searched.
- #
- #
- # The name of the key database file which houses the client certificate to be
- # used.
- #
- # ssl-keyfile =
- #
- # The name of the password stash file for the key database file.
- #
- # ssl-keyfile-stash =
- #
- # The label of the client certificate within the key database.
- #
- # ssl-keyfile-label =
- #
- # This configuration entry specifies the DN of the server (obtained from the
- # server SSL certificate) which will be accepted. If no entry is configured
- # all DNs will be considered to be valid. Multiple DNs can be specified by
- # including multiple configuration entries of this name.
- #
- # ssl-valid-server-dn =
- #
- # The entry controls whether FIPS communication is enabled with TFIM or
- # not. If no configuration entry is present the global FIPS setting (as
- # determined by the TAM policy server) will take effect.
- #
- # ssl-fips-enabled =
- ##################################
- # SESSION
- ##################################
- [session]
- #----------------------
- # SESSION CACHE SETTINGS
- #----------------------
- # The maximum number of concurrent entries in the credential cache
- # This corresponds to the number of concurrent logins. The value
- # WebSEAL actually uses might be slightly more than what is specified here.
- # Refer to the WebSEAL Administration Guide for details. To customise this
- # value for authenticated or unauthenticated sessions simply add an
- # additional configuration entry, prefixed by 'auth' or 'unauth', e.g.
- # unauth-max-entries = 1024
- max-entries = 4096
- # Maximum lifetime (in seconds) for an entry in the credential cache
- # Setting this to zero allows the cache to fill without expiry until the
- # cache contains the number of entries specified by max-entries. After that
- # point, entries are expired according to a least recently used algorithm.
- # To customise this value for authenticated or unauthenticated sessions
- # simply add an additional configuration entry, prefixed by 'auth' or
- # 'unauth', e.g.
- # unauth-timeout = 600
- timeout = 3600
- # Lifetime (in seconds) of inactive entries in the credential cache.
- # To disable, set to 0. To customise this value for authenticated or
- # unauthenticated sessions simply add an additional configuration entry,
- # prefixed by 'auth' or 'unauth', e.g.
- # unauth-inactive-timeout = 300
- inactive-timeout = 600
- # Use the temp-session-max-lifetime entry to set the maximum lifetime (in seconds)
- # of entries in the temporary session cache.
- #
- # The temporary session cache is a short-lived session cache. WebSEAL
- # uses this cache to create an intermediate session mapping when switching between
- # different client contexts that share the same persistent cookie jar. For example,
- # when sharing a session between Internet Explorer and Microsoft Office
- # applications.
- #
- # To disable the use of the temporary session cache, set the value of this entry to 0.
- # A value of 0 effectively disables session sharing between different client contexts.
- temp-session-max-lifetime = 0
- # The temp-session-one-time-use configuration entry controls whether an entry
- # which is in the temporary session cache can be accessed a single time only,
- # or whether it can be accessed multiple times. If this configuration entry
- # is set to false the session will need to time out (based on the
- # temp-session-max-lifetime configuration entry) before the session entry is
- # invalidated and removed from the cache.
- temp-session-one-time-use = false
- # The temp-session-cookie-name entry is used to identify a temporary session cookie
- # created for allowing session sharing between different client contexts.
- #
- # This temporary cookie name will be set as part of the initial response to a
- # /pkmstempsession management page request and read subsequently off the next
- # request coming into WebSEAL.
- #
- # This entry should be used in conjunction with a positive value in the temp-session-max-lifetime
- # entry described above.
- temp-session-cookie-name = PD-H-TMP-SESSION-ID
- # The temp-session-overrides-unauth-session configuration entry is used to
- # control the precedence if both a temporary session cookie and a 'real'
- # session cookie are provided in a request. A value of yes would mean that
- # a temporary session would take precedence over an existing unauthenticated
- # session (but not an authenticated session), and a value of no would mean
- # that the temporary session cookie would be ignored.
- temp-session-overrides-unauth-session = no
- #----------------------
- # SSL CLIENT SESSIONS
- #----------------------
- # Use the SSL ID to maintain a user's HTTPS login session.
- ssl-id-sessions = no
- #----------------------
- # SHARING SESSIONS
- #----------------------
- # Use the same session for SSL and HTTP clients. This means that a client
- # having authenticated via HTTP will still be authenticated when connecting
- # via HTTPS and vice versa.
- #
- # A consequence of setting this to 'yes' is that the ssl-id-sessions
- # parameter will be ignored, because HTTP clients cannot use the SSL ID
- # to maintain sessions.
- use-same-session = no
- # Enable a cookie based session to be shared across all standard and virtual
- # host junctions on a single WebSEAL instance. This is achieved through
- # enabling the WebSEAL instance to store a single session key as an
- # independent value in a multi-valued domain cookie, indexed by the instance
- # name. The domain cookie itself is shared across all participating WebSEAL
- # instances, but the session values are specific to each instance.
- #
- # If WebSEAL exists in an environment where the DSC already handles single
- # sign-on across domains, do not enable this configuration item.
- # shared-domain-cookie = yes
- #----------------------
- # SESSION COOKIE NAMES
- #----------------------
- # These parameters control the names of the cookies WebSEAL will use for
- # session IDs. The names of the cookies should be alphanumeric, and each
- # cookie must have a different name. To use the same cookie for both TCP
- # and SSL connections use the [session]use-same-session configuration
- # option.
- tcp-session-cookie-name = PD-H-SESSION-ID
- ssl-session-cookie-name = PD-S-SESSION-ID
- #----------------------
- # SENDING SESSION COOKIES
- #----------------------
- # Send the WebSEAL cookies with every response. Use in environments where:
- # 1) Cookies are used to maintain sessions with clients
- # 2) Applications place many in-memory cookies per domain on client systems.
- # This helps ensure that the WebSEAL cookies remain in the browser memory in
- # such environments.
- resend-webseal-cookies = no
- # Remove the WebSEAL session cookie on logout
- logout-remove-cookie = no
- # Should the original session cookie be sent to junctioned Web servers along
- # with the current session cookie? This configuration entry will only
- # take effect if the current session cookie is being sent down the
- # junction, as defined by the '-k' junction create flag. The name used for
- # this session cookie will be based on the name of the current session cookie,
- # appended with '_2'. For example, if tcp-session-cookie-name is set as
- # 'PD-H-SESSION-ID', the name of the original session cookie will be
- # 'PD-H-SESSION-ID_2'.
- send-constant-sess = no
- #----------------------
- # USER SESSION IDS
- #----------------------
- # Enable/disable the creation and handling of user session ids.
- user-session-ids = no
- # Include the replica set name in the user session ID. If set to "yes"
- # then the user-session-id will include the replica set. If set to "no"
- # then WebSEAL will not include the replica set in the user-session-id,
- # and will assume that all user-sessions specified in the "terminate session"
- # command belong to the standard junction replica set.
- user-session-ids-include-replica-set = yes
- #----------------------
- # DISTRIBUTED SESSION MANAGEMENT
- #----------------------
- # These entries together with the "dsess" stanza control how WebSEAL uses the
- # DSC to store and manage sessions.
- # Enable/disable use of the DSC. If this is set to yes the "dsess" stanza
- # must have information about how to communicate with the DSC.
- dsess-enabled = no
- # If set to "yes", then WebSEAL will use the DSC to make sure that users
- # do not have more sessions than the max-concurrent-web-sessions policy
- # allows. If set to "no" WebSEAL will not enforce the policy. This
- # entry is ignored unless WebSEAL is using the DSC for session storage.
- enforce-max-sessions-policy = yes
- # If set to "yes" then WebSEAL will prompt users before automatically
- # displacing old sessions using the same user-id. If set to "no" then
- # WebSEAL will automatically log out the old sessions. This entry
- # only applies when the max-concurrent-web-sessions policy for the user
- # is set to 'displace'.
- prompt-for-displacement = yes
- # The frequency with which WebSEAL will update the session last
- # access time at the DSC. This value is only used if reauth-for-inactive
- # is set to yes. Smaller values offer more accurate inactivity
- # timeout tracking, at the expense of sending updates to the DSC
- # more frequently. Values of less than 1 second are not permitted.
- #
- # Example: if inactive-timeout is 600 seconds and
- # dsess-last-access-update-interval is 60 seconds, the user's session may
- # be flagged as 'inactive' at the DSC anywhere between 540 seconds and
- # 600 seconds after their last access to the WebSEAL server.
- dsess-last-access-update-interval = 60
- # The DSC replica set to use for sessions created when users access standard
- # WebSEAL junctions. Virtual host junctions will use the replica set
- # specified with the "-z" option when the virtual host junction is
- # created.
- standard-junction-replica-set = default
- # Require Multiplexing Proxy Agent for HTTP Header Session Keys and
- # HTTP Header authentication tokens.
- #
- # The use of an HTTP header as a session identifier or as an authentication
- # token carries a measure of risk that the header can be spoofed or stolen.
- # It is strongly recommended that headers only be accepted when proxied
- # through an authenticated channel. A 'yes' setting means that HTTP headers
- # will not be valid session keys or authentication tokens unless received via
- # an MPA. Please see the WebSEAL Administration Guide for more details
- # regarding MPAs.
- require-mpa = yes
- # Should sessions be established for access to unprotected resources? This
- # configuration item is useful when a consistent session identifier is
- # required for clients as they transition from unauthenticated to
- # authenticated.
- create-unauth-sessions = no
- #
- # In some circumstances, you might not want the requests for a particular
- # resource to affect the inactivity timeout for a session. For example, you
- # might want to preserve the inactivity timeout when a server is polled by
- # an Ajax script running in the background of a client browser.
- #
- # The following configuration entry can be used to designate the resources
- # which, when accessed, should not impact the inactivity timeout for the
- # session.
- #
- # A comparison will be performed against either the full HTTP request line or
- # the decoded URI (controlled by the preserve-inactivity-timeout-match-uri
- # configuration entry). If a match is found the inactivity timeout for the
- # session will not be affected by the request.
- #
- # If a pattern has been specified using this configuration entry the legacy
- # preserve-inactivity-time POP functionality will be disabled.
- #
- # Multiple patterns can be specified by including multiple configuration entries
- # of the same name.
- #
- # You also have the option of matching a request using a host header, useful
- # when selectively enabling this functionality for a particular virtual host
- # junction. To selectively match an entry based on a particular host header
- # the configuration entry should be prepended with the string: [<host>].
- #
- # Example:
- # preserve-inactivity-timeout = /jct/robot/*
- # preserve-inactivity-timeout = [www.ibm.com]/robot/*
- #
- preserve-inactivity-timeout =
- #
- # The following configuration entry is used to control whether the
- # patterns specified by the preserve-inactivity-timeout configuration entry
- # are matched against the decoded URI from the request, or against the full
- # request line. The match will take place against the decoded URI if this
- # configuration entry is set to true, otherwise the match will take place
- # against the full request line.
- #
- preserve-inactivity-timeout-match-uri = true
- #
- # The following configuration entry is used to designate the
- # client identifier for the session. This identifier will be
- # added to the credential as the 'client_identifier' attribute
- # and will be validated on subsequent requests to ensure that
- # the client does not change.
- #
- # The supported options for this configuration entry include:
- # CLIENT_IP: The client IP address from the network
- # connection will be used as the identifier.
- # HTTPHDR{<name>}: The contents of the HTTP header, identified
- # by '<name>', will be used as the client
- # identifier. If the HTTP header is missing on
- # the initial request no identifier will be added
- # for the session. For example:
- # HTTPHDR{X-Forwarded-For}
- #
- # NOTE(review): with HTTPHDR{<name>} the identifier is taken from a request
- # header which, as the require-mpa comment in this stanza already notes, can be
- # spoofed; the binding is then only as trustworthy as the proxy that sets that
- # header. CLIENT_IP is the option derived from the network connection itself.
- #
- # Please note that if failover cookies are used the 'client_identifier'
- # credential attribute should be added to the
- # [failover-add-attributes] and [failover-restore-attributes] stanzas
- # so that the client identifier can persist across a failover event.
- #
- # Left empty here -- presumably no client identifier is bound to the session
- # in this configuration; confirm against the Administration Guide.
- client-identifier =
- [session-http-headers]
- #----------------------
- # HTTP HEADER SESSION KEYS
- #----------------------
- #
- # List any HTTP headers which will contain a session key on a per-transport
- # basis. The same header can be listed for both transports if desired.
- #
- # Only the first matching header found in a request will be used.
- #
- # If ssl-id-sessions = yes, then this stanza will be ignored.
- # The exception to this is if MPA support is enabled.
- #
- # WebSEAL will first look for a session cookie before continuing to look
- # for HTTP headers from this list.
- #
- # The use of http headers as session keys is affected by the setting of
- # require-mpa, see the comments above the require-mpa entry for more
- # information.
- #
- # This list should contain no more than 20 entries per transport.
- # Do not include the colon (:)
- #
- # Format is one of:
- # <header> = http
- # <header> = https
- ##################################
- # REPLICA SETS
- ##################################
- [replica-sets]
- # If WebSEAL is configured to use the DSC for session storage the
- # WebSEAL server will join each of the replica sets listed in this
- # stanza. The entries listed here must be replica sets configured
- # on the DSC.
- # Example entries:
- # replica-set = <replica-set-one>
- # replica-set = <replica-set-two>
- ##################################
- # DISTRIBUTED SESSIONS
- ##################################
- [dsess]
- # The maximum number of session IDs that are pre-allocated within the replica
- # set. This configuration parameter will not affect WebSEAL performance
- # and should not be modified.
- dsess-sess-id-pool-size = 125
- #
- # The name of the DSC cluster to which this DSC server belongs.
- # This field must be defined and reference an existing dsess-cluster stanza
- # qualified by the value of this entry.
- #
- #
- # dsess-cluster-name = dsess
- [dsess-cluster]
- #
- # The dsess-cluster stanza contains all of the defaults for a definition of
- # a cluster of DSC (distributed session) servers.
- #
- #
- # A specification for a single DSC server which is a member of this
- # cluster. Values for this entry are defined as follows:
- #
- # {[0-9],}<URL>
- #
- # Where the first digit (if present) represents the priority of the server
- # within the cluster (9 being the highest, 0 being lowest). If the priority
- # is not specified, a priority of 9 is assumed. The <URL> can be any
- # well-formed HTTP or HTTPS URL.
- #
- # Multiple server entries can be specified for failover and load balancing
- # purposes. The complete set of these server entries defines the
- # membership of the cluster.
- #
- # server = 9,http://sms.example.com/DSess/services/DSess
- #
- # The length of time to maintain a connection to the web service while
- # waiting for session broadcast events.
- #
- response-by = 60
- #
- # The maximum number of cached handles, used when communicating with the DSC.
- #
- handle-pool-size = 10
- #
- # The length of time, in seconds, before an idle handle will be removed
- # from the handle pool cache.
- # It should not be larger than the HTTP Transport chain persistent timeout
- # configured on the server which is running the DSC.
- #
- handle-idle-timeout = 30
- #
- # The length of time, in seconds, to wait for a response from the DSC.
- #
- timeout = 30
- #
- # The following configuration entries are optional and can be used if the DSC
- # has been configured to require basic authentication. If these entries are
- # left blank no basic authentication header will be provided when communicating
- # with the DSC.
- #
- #
- # The name of the user for the basic authentication header.
- #
- # basic-auth-user = <user>
- #
- # The password to be used for the basic authentication header.
- #
- # basic-auth-passwd = <password>
- #
- # The following SSL entries are optional and are only required if:
- # 1. At least one server entry indicates that SSL is to be used (i.e.
- # starts with https:)
- # 2. A certificate is required other than that which is used by this server
- # when communicating with the policy server (details of the
- # default certificate can be found in the [ssl] stanza of this
- # configuration file).
- #
- # If these entries are required and not found within the [dsess-cluster]
- # stanza, the default [ssl] stanza will be searched.
- #
- #
- # The name of the key database file which houses the client certificate to be
- # used.
- #
- # The following files are currently available for this configuration entry:
- # - pdsrv.kdb
- # - lmi_trust_store.kdb
- # - rt_profile_keys.kdb
- # - embedded_ldap_keys.kdb
- ssl-keyfile =
- #
- # The name of the password stash file for the key database file.
- #
- # The following files are currently available for this configuration entry:
- # - rt_profile_keys.sth
- # - lmi_trust_store.sth
- # - embedded_ldap_keys.sth
- # - pdsrv.sth
- ssl-keyfile-stash =
- #
- # The label of the client certificate within the key database.
- #
- ssl-keyfile-label =
- #
- # This configuration entry specifies the DN of the server (obtained from the
- # server SSL certificate) which will be accepted. If no entry is configured
- # all DNs will be considered to be valid. Multiple DNs can be specified by
- # including multiple configuration entries of this name.
- #
- # ssl-valid-server-dn =
- #
- # The entry controls whether FIPS communication is enabled with the DSC or
- # not. If no configuration entry is present the global FIPS setting (as
- # determined by the TAM policy server) will take effect.
- #
- # ssl-fips-enabled =
- # Configure NIST SP800-131A compliance mode. This will have the effect of:
- # - enabling FIPS mode processing (over-riding the value of the
- # ssl-fips-enabled configuration entry);
- # - enabling TLS V1.2;
- # - enabling the appropriate signature algorithms;
- # - setting the minimum RSA key size to 2048 bytes.
- #
- # If no configuration entry is present the global NIST setting (as found in
- # the [ssl] stanza) will be used.
- #
- # ssl-nist-compliance = no
- #
- # Specify any additional GSKit attributes which should be used when
- # initializing an SSL connection with the DSC. A complete list of
- # the available attributes is included in the GSKit SSL API documentation.
- #
- # The configuration entry may be specified multiple times, one for each
- # GSKit attribute. The entry should be of the format:
- # gsk-attr-name = <type>:<id>:<value>
- #
- # - where <type> is one of 'enum', 'string', 'number'
- # and <id> corresponds to the identity associated with a GSKit attribute
- # (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
- #
- # An example configuration could be:
- # gsk-attr-name = string:225:proxy.ibm.com
- #
- [dsess-cluster:dsess]
- #
- # This stanza will define the cluster of DSC servers associated with the
- # configuration defined in the default [dsess] stanza (above).
- #
- # See the [dsess-cluster] stanza above for a definition of valid entries
- # and their associated values.
- #
- ##################################
- # SESSION COOKIE DOMAINS
- ##################################
- [session-cookie-domains]
- # Normally WebSEAL session cookies are 'host' cookies which browsers
- # only return to the host that originally set them. This stanza
- # can be used to configure 'domain' session cookies that may be sent
- # to any host in a particular DNS domain. Review the WebSEAL
- # documentation and understand the security implications of domain
- # session cookies before enabling any entries in this stanza.
- # Format is:
- # domain = example.com
- # domain = otherdomain.com
- # ...
- ##################################
- # CONTENT
- ##################################
- [content]
- # The utf8-template-macros-enabled option controls how standard WebSEAL files,
- # such as login.html, have data inserted into them when %MACRO% strings are
- # encountered. If you have modified your WebSEAL html charset value to be the
- # local code page, and not UTF-8, then set this option to "no". This affects
- # files in the error-dir and mgt-pages-root directories, listed below.
- utf8-template-macros-enabled = yes
- #----------------------
- # ACCOUNT MANAGEMENT PAGES
- #----------------------
- [acnt-mgt]
- # Standard login form
- login = login.html
- # Page displayed after successful login
- login-success = login_success.html
- # Page displayed after successful logout
- logout = logout.html
- # Page displayed if user authentication failed due to a locked account
- account-locked = acct_locked.html
- # Page displayed if user authentication failed due to the account being
- # inactivated by the underlying registry policy, rather than TAM policy.
- account-inactivated = acct_locked.html
- # Page displayed if user authentication failed due to an expired password
- passwd-expired = passwd_exp.html
- # Page displayed if user authentication warns the password is soon to expire
- passwd-warn = passwd_warn.html
- # Page displayed if warning password change request failed
- passwd-warn-failure = passwd_warn.html
- # Change password form
- passwd-change = passwd.html
- # Page displayed if password change request was successful
- passwd-change-success = passwd_rep.html
- # Page displayed if password change request failed
- passwd-change-failure = passwd.html
- # Page containing links to valid administration pages
- help = help.html
- # Token login form
- token-login = tokenlogin.html
- # Next-token form
- next-token = nexttoken.html
- # Certificate login form.
- # This is only used if accept-client-certs = prompt_as_needed.
- certificate-login = certlogin.html
- # Step-up authentication login form
- stepup-login = stepuplogin.html
- # Switch user management form
- switch-user = switchuser.html
- # Page displayed if a client fails to authenticate with
- # a certificate and certificates are necessary.
- cert-failure = certfailure.html
- # Page displayed if a client attempts to step up to certificates over http
- cert-stepup-http = certstepuphttp.html
- # Page displayed when a user has too many concurrent sessions and
- # must either cancel their new login or terminate the other sessions.
- too-many-sessions = too_many_sessions.html
- # Page displayed to handle HTML redirections.
- html-redirect = redirect.html
- # Page displayed if a redirect is not supplied to the pkmstempsession
- # resource.
- temp-cache-response = temp_cache_response.html
- #-----------------------------
- # ACCOUNT EXPIRY NOTIFICATION
- #-----------------------------
- # The following configuration option will determine whether a user with
- # an invalid/expired account will be notified as such on an attempted login,
- # or if he/she will receive the same message as if invalid authentication
- # information (i.e. an invalid username, password, or client certificate)
- # had been submitted.
- account-expiry-notification = no
- #----------------------
- # AUTHORIZATION ERRORS
- #----------------------
- # By default, WebSEAL will return the standard 'Forbidden' page for
- # all authorization failures.
- # If client-notify-tod = yes, clients failing a time-of-day
- # POP access check will be sent a specific error page informing them
- # of the reason for their authorization failure.
- client-notify-tod = no
- #---------------------
- # Change Password Authentication
- #---------------------
- # Enable this option to allow users to authenticate when changing a password.
- # If a user's password is expired, and this option is on, then WebSEAL will
- # authenticate the user with the expired password, change the password,
- # and ensure that the user remains authenticated. This is helpful in failover
- # situations where the user may be served the password change form from one
- # WebSEAL replica, but the form posts to another replica where the user's
- # session does not exist.
- change-password-auth = no
- #----------------------
- # AUTOMATIC REDIRECT
- #----------------------
- # Page to which users are automatically redirected after completing a successful
- # authentication. The configured URL can contain special macros which will
- # allow dynamic substitution of information from WebSEAL.
- #
- # The supported macros include:
- # %AUTHNLEVEL% Level at which the session is currently authenticated.
- # %HOSTNAME% Fully qualified host name.
- # %PROTOCOL% The client connection protocol used. Can be HTTP or HTTPS.
- # %URL% The original URL requested by the client.
- # %USERNAME% The name of the logged in user.
- # %HTTPHDR{<name>}% The value of the specified HTTP header.
- # %CREDATTR{<name>}% The value of the specified credential attribute.
- #
- # The format can either be an absolute URL or server relative URL and can
- # include macro information as listed above:
- # login-redirect-page = http://www.ibm.com/
- # login-redirect-page = /jct/page.html
- # login-redirect-page = /jct/page.html?url=%URL%&hdr=%HTTPHDR{Host}%
- #--------------------------
- # HTML REDIRECTION
- #--------------------------
- # Enable this option to use HTML to handle redirections.
- #
- # WebSEAL typically provides a 302 redirection in cases such as when a user
- # successfully authenticates. Many AJAX applications do not behave correctly
- # when this happens as any HTTP fragments are lost.
- #
- # Enabling this configuration item will cause WebSEAL to send a 200
- # response to the client instead of a 302. The page which contains the
- # HTML redirection is defined by the html-redirect configuration entry
- # within this stanza.
- #
- # This configuration item cannot be used in conjunction with
- # login-redirect-page.
- enable-html-redirect = no
- #--------------------------
- # LOCAL RESPONSE REDIRECTS
- #--------------------------
- # Enable/disable sending a redirect instead of serving management or error
- # pages from the local system.
- #
- # The local-response-redirect-uri parameter must be set in order for this
- # option to function.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a [acnt-mgt:{jct-id}] stanza,
- # where '{jct-id}' refers to the junction point for a standard junction
- # (include the leading '/'), or the virtual host label for a virtual host
- # junction.
- enable-local-response-redirect = no
- #---------------------------
- # PKMSLOGOUT FILENAME
- #---------------------------
- # Set this parameter to 'yes' to allow the specification of a custom
- # response file to be displayed to users upon logging out in a query string
- # appended to the pkmslogout URL. e.g. /pkmslogout?filename=<name>
- # By default, this parameter is set to 'no' to cause any such query string to be
- # ignored.
- use-filename-for-pkmslogout = no
- # The following option can be disabled to loosen the restrictions normally
- # enforced on the name of the /pkmslogout custom response file. When set to
- # 'no' only '/', '\', characters outside of the ASCII range 0x20 - 0x7E, and
- # filenames that begin with '.' will be disallowed.
- use-restrictive-logout-filenames = yes
- #-----------------------------
- # ALLOW UNAUTHENTICATED LOGOUT
- #-----------------------------
- # Set this parameter to 'yes' to allow unauthenticated users to be able
- # to request the pkmslogout resource. If this parameter is set to 'no'
- # an unauthenticated user will be requested to authenticate before the
- # pkmslogout resource is returned.
- allow-unauthenticated-logout = no
- # WebSEAL can be enabled to recognise a warning from LDAP user registries
- # that indicates the password will expire soon. The amount of time left is
- # placed into the credential as an attribute. If this option is enabled
- # WebSEAL will look for the expire attribute and, if detected, will present
- # an optional password change form to the user after a successful login. The
- # [ldap] option, enhanced-pwd-policy, must also be enabled for this to operate.
- enable-passwd-warn = no
- # The following option can be used to insert custom headers whenever
- # WebSEAL returns a custom response to the client. The format of the
- # configuration entry should be:
- # http-rsp-header = <header-name>:<macro>
- #
- # Where:
- # <header-name> is the name of the header which will hold the value;
- # <macro> is the type of value which is to be inserted, one
- # of either TAM_OP, AUTHNLEVEL, ERROR_CODE, ERROR_TEXT,
- # CREDATTR{<name>}, USERNAME, TEXT{<value>}.
- #
- # As an example, to include the TAM error code in a response header named
- # tam-error-code:
- # http-rsp-header = tam-error-code:ERROR_CODE
- #
- # To include a static header in a response header name X-Frame-Options:
- # http-rsp-header = x-frame-options:TEXT{DENY}
- #
- # The configuration entry may be specified multiple times, one for each
- # header which is to be included in the response.
- #
- # NOTE(review): per the description above these headers are added only to
- # WebSEAL's own custom responses (login, logout, error pages); responses
- # proxied from junctioned back-end servers presumably are not affected, so
- # those servers need their own clickjacking / sniffing protections - confirm.
- http-rsp-header = x-frame-options:TEXT{DENY}
- http-rsp-header = content-security-policy:TEXT{frame-ancestors 'none'}
- http-rsp-header = x-content-type-options:TEXT{nosniff}
- # NOTE(review): X-XSS-Protection is a legacy header; current browsers have
- # removed the filter it controlled and the usual recommendation is to send
- # '0' (or drop the header) and rely on the content-security-policy entry
- # above. Confirm against the WebSEAL documentation before changing.
- http-rsp-header = x-xss-protection:TEXT{1}
- #-----------------------------
- # BACK-END SERVER SINGLE SIGN-OFF
- #-----------------------------
- # When a user's session is terminated in WebSEAL, any sessions that may exist
- # on back-end application servers are not destroyed. When this item is
- # configured, WebSEAL will send a request to the configured URIs including
- # any configured headers and cookies for the junction point on which it resides.
- # The back-end application can use this information to terminate any sessions
- # for that user.
- #
- # Multiple URI's can be specified by including multiple single-signoff-uri
- # configuration entries.
- #
- # The configured URI must reside on a standard junction. For example:
- # single-signoff-uri = /app/logout.asp
- #
- # single-signoff-uri =
- # It is possible to enforce validation of a secret token for certain account
- # management pages to protect against CSRF-style attacks. If this functionality
- # is enabled a secret token will be added to each session, and this token will
- # be validated against the 'token' query argument for selected management
- # requests. For example, the request to '/pkmslogout' would change to
- # '/pkmslogout?token=<value>'. If the token is missing, or does not match
- # the token contained within the session, an error page will be returned to
- # the client.
- #
- # This configuration option will affect the following management requests:
- # - /pkmslogin.form
- # - /pkmslogout
- # - /pkmslogout_nomas
- # - /pkmssu.form
- # - /pkmsskip
- # - /pkmsdisplace
- #
- # In an eCSSO environment it is essential that the tagvalue_session_index
- # attribute is included in the vouchfor token so that the different sessions
- # can share the same token. This is required for the redirected logout which
- # will take place when a session is logged out.
- #
- # Change the value of the enable-secret-token-validation configuration to
- # true in order to enable this validation functionality.
- #
- # NOTE(review): this is left at false, and allowed-referers below is also
- # unset, so neither CSRF defence is active for the management requests
- # listed above (a cross-site request can, for example, log a user out).
- # Set this to true unless a downstream integration depends on token-less
- # management requests; any links or forms that target these URLs must then
- # carry the 'token' query argument or they will receive the error page.
- enable-secret-token-validation = false
- # It is also possible to enforce validation of the HTTP Request referer header
- # for all account management pages to protect against CSRF-style attacks. If
- # this functionality is enabled, a request for an account management page will
- # check to see if the referer header is present in the HTTP Request header and
- # then validate the hostname portion of that referer against a list of "allowed"
- # referer filters. If there are no allowed-referers entries here, then this
- # validation is not performed. The values for this allowed-referers keys
- # provide WebSEAL with a list of referer hostnames that should be considered
- # "valid".
- #
- # The default value for this entry, although originally commented out as to not
- # enable this functionality by default, is "allowed-referers = %HOST%". This
- # is a special entry in that it indicates to WebSEAL that a referer is "valid"
- # if the hostname portion of the referer HTTP Request header entry matches the
- # host HTTP Request header.
- #
- # There can be 0 or more entries set for this key. All entries are used when
- # validating the referer. Entries can contain wildcard characters:
- # * - match 0 or more characters
- # ? - match any single character
- # \ - Literal match of the following character
- # So for example, an entry "allowed-referers = ac*me" will match any referer
- # hostname that begins with the characters "ac", followed by 0 or more
- # characters, and ends with the characters "me".
- #
- # NOTE(review): the entry below is commented out, so referer validation is
- # not performed. Uncommenting "allowed-referers = %HOST%" is the low-risk
- # baseline; it is a weaker control than the secret token above because the
- # referer header is client-controlled and is not always sent.
- #allowed-referers = %HOST%
- [tfimsso:<jct-id>]
- #
- # This stanza is used to hold the TFIM single sign-on configuration information
- # for a single junction.
- #
- # For standard junctions the stanza name will be qualified with the name of the
- # junction point (including the leading '/'). An example stanza name might be:
- # [tfimsso:/junction_a]
- #
- # For virtual host junctions the stanza name will be qualified with the
- # virtual host label. An example stanza name might be:
- # [tfimsso:www.ibm.com]
- #
- # The type of token which will be requested from TFIM. This value should
- # correspond to the 'Token Type URI' field for the corresponding trust chain
- # within TFIM.
- token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
- # The 'applies-to' search criteria used when locating the appropriate STS
- # module within TFIM. Generally this entry should be of the format:
- # http://<webseal-server>/<junction> (similar to the URL which is used to
- # access the junction).
- applies-to = http://<webseal-server>/<junction>
- # The service-name configuration entry will be used:
- # 1. By TFIM when searching for a matching trust chain. This configuration
- # entry will be compared against the configured 'AppliesTo' service name
- # value for each trust chain. The second field within the 'AppliesTo'
- # service name configuration entry should be set to either '*' to match
- # all service names, or it should be set to the value defined by this
- # configuration item. Refer to the TFIM documentation for further
- # details on configuring Trust Chains.
- # 2. As the service principal name of the delegating user when creating a
- # Kerberos token. The service principal name can be determined by
- # executing the Microsoft utility 'setspn', i.e. setspn -L <user>,
- # where <user> is the identity of the user which the junctioned Web server
- # is running as.
- service-name = <spn>
- # The length of time, in seconds, by which the expiry time of a security token
- # will be reduced. This entry is used to make allowances for differences in
- # system times and transmission times for the security tokens.
- renewal-window = 15
- # This boolean value is used to indicate whether the security token which is
- # produced by TFIM is only valid for a single transaction. An example of a
- # one-time-token is a Kerberos token, which can only be used for a single
- # authentication operation.
- one-time-token = true
- # This boolean value is used to control whether the requested
- # BinarySecurityToken XML structure should be used in its entirety, or whether
- # only the encapsulated token should be used. This configuration entry should
- # only be set to true if the junctioned Web server understands and expects the
- # BinarySecurityToken XML structure.
- preserve-xml-token = false
- # The number of security tokens which should be retrieved from TFIM in a single
- # request. This option is only valid for one-time-tokens where the
- # corresponding TFIM module has also been coded to handle requests for multiple
- # tokens via the 'Claims' construct. The resultant security tokens will be
- # cached by WebSEAL and then used on subsequent requests. Tuning of this
- # parameter will be important for performance of one-time-tokens. If the
- # value is large there will be fewer requests to TFIM, but the responses to
- # these requests will be larger.
- token-collection-size = 10
- # The type of mechanism which will be used to transmit the security token to
- # the junctioned Web server. Possible values for this configuration entry
- # are:
- # header - The security token will be included in a header;
- # cookie - The security token will be included in a cookie;
- token-transmit-type = header
- # The name given to the security token within the junctioned Web server
- # request.
- token-transmit-name = Authorization
- # This boolean value is used to indicate whether a security token should be
- # sent for every HTTP request, or whether WebSEAL should wait for a 401
- # response from the back-end Web server before adding the security token. This
- # configuration item is used to avoid the unnecessary overhead of generating
- # and adding a security token to every request if the back-end Web server is
- # capable of maintaining user sessions.
- always-send-tokens = false
- # The name of the WAS cluster which houses this TFIM service. There should
- # also be a corresponding [tfim-cluster:<cluster>] stanza which contains the
- # definition of the cluster.
- tfim-cluster-name = my-cluster
- [tfim-cluster:my-cluster]
- #
- # This stanza contains definitions for a particular cluster of TFIM
- # servers.
- #
- #
- # A specification for the server which is used when communicating with a
- # single TFIM server which is a member of this cluster. Values for this
- # entry are defined as follows:
- #
- # {[0-9],}<URL>
- #
- # Where the first digit (if present) represents the priority of the server
- # within the cluster (9 being the highest, 0 being lowest). If the priority
- # is not specified, a priority of 9 is assumed. The <URL> can be any
- # well-formed HTTP or HTTPS URL.
- #
- # Multiple server entries can be specified for failover and load balancing
- # purposes. The complete set of these server entries defines the
- # membership of the cluster for failover and load balancing.
- #
- # server = 9,http://tfim.example.com/TrustServerWST13/services/RequestSecurityToken
- #
- # The maximum number of cached handles, used when communicating with TFIM.
- #
- handle-pool-size = 10
- #
- # The length of time, in seconds, before an idle handle will be removed
- # from the handle pool cache.
- # It should not be larger than the HTTP transport chain persistent timeout
- # configured on the WebSphere server(s) running TFIM.
- #
- handle-idle-timeout = 30
- #
- # The length of time, in seconds, to wait for a response from TFIM.
- #
- timeout = 30
- #
- # The following configuration entries are optional and can be used if the TFIM
- # server has been configured to require basic authentication. If these
- # entries are left blank no basic authentication header will be provided when
- # communicating with the TFIM server.
- #
- #
- # The name of the user for the basic authentication header.
- #
- # basic-auth-user = <user>
- #
- # The password to be used for the basic authentication header. It is stored
- # as a plaintext value in this file, so restrict read access to the
- # configuration file if this entry is set.
- #
- # basic-auth-passwd = <passwd>
- #
- # The following SSL entries are optional and are only required if:
- # 1. At least one server entry indicates that SSL is to be used (i.e.
- # starts with https:)
- # 2. A certificate is required other than that which is used by this server
- # when communicating with the policy server (details of the
- # default certificate can be found in the [ssl] stanza of this
- # configuration file.
- #
- # If these entries are required and are not found within this stanza, the
- # default [ssl] stanza will be searched.
- #
- #
- # The name of the key database file which houses the client certificate to be
- # used.
- #
- # The following files are currently available for this configuration entry:
- # - pdsrv.kdb
- # - lmi_trust_store.kdb
- # - rt_profile_keys.kdb
- # - embedded_ldap_keys.kdb
- ssl-keyfile =
- #
- # The name of the password stash file for the key database file.
- #
- # The following files are currently available for this configuration entry:
- # - rt_profile_keys.sth
- # - lmi_trust_store.sth
- # - embedded_ldap_keys.sth
- # - pdsrv.sth
- ssl-keyfile-stash =
- #
- # The label of the client certificate within the key database.
- #
- ssl-keyfile-label =
- #
- # This configuration entry specifies the DN of the server (obtained from the
- # server SSL certificate) which will be accepted. If no entry is configured
- # all DNs will be considered to be valid. Multiple DNs can be specified by
- # including multiple configuration entries of this name.
- #
- # ssl-valid-server-dn =
- #
- # The entry controls whether FIPS communication is enabled with TFIM or
- # not. If no configuration entry is present the global FIPS setting (as
- # determined by the TAM policy server) will take effect.
- #
- # ssl-fips-enabled =
- # Configure NIST SP800-131A compliance mode. This will have the effect of:
- # - enabling FIPS mode processing (overriding the value of the
- # ssl-fips-enabled configuration entry);
- # - enabling TLS V1.2;
- # - enabling the appropriate signature algorithms;
- # - setting the minimum RSA key size to 2048 bits.
- #
- # If no configuration entry is present the global NIST setting (as found in
- # the [ssl] stanza) will be used.
- #
- # ssl-nist-compliance = no
- #
- # Specify any additional GSKit attributes which should be used when
- # initializing an SSL connection with TFIM. A complete list of
- # the available attributes is included in the GSKit SSL API documentation.
- #
- # The configuration entry may be specified multiple times, one for each
- # GSKit attribute. The entry should be of the format:
- # gsk-attr-name = <type>:<id>:<value>
- #
- # - where <type> is one of 'enum', 'string', 'number'
- # and <id> corresponds to the identity associated with a GSKit attribute
- # (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
- #
- # An example configuration could be:
- # gsk-attr-name = string:225:proxy.ibm.com
- #
- [local-response-redirect]
- # URLs to which management page requests are redirected. All management
- # requests will be redirected to the URLs with a query string indicating
- # the operation requested, along with any macros (as configured in the
- # [local-response-macros] stanza). See the WebSEAL Admin Guide for the
- # specific format of the query string, and how the receiving handler should
- # treat the requests.
- #
- # The URL may be absolute or server-relative. Only use an absolute URL if
- # the destination server is not accessed via WebSEAL.
- #
- # Valid formats are:
- # http[s]://<server>/<path>
- # /<path>
- #
- # To define the URI for specific operations, prefix the URI in the entry with
- # the operation name in the form [<operation>]. The '[' and ']' chars are
- # required. Valid values for <operation> are:
- #
- # logout passwd passwd_warn passwd_warn_failure acct_inactivated
- # acct_locked passwd_exp passwd_rep_success passwd_rep_failure
- # help login login_success token_login cert_login next_token
- # switch_user failed_cert cert_stepup_http stepup,error
- # too_many_sessions tempsession
- #
- # An operation specific example:
- # local-response-redirect-uri = [login] /jct/cgi-bin/eai
- #
- # If an entry that does not specify an operation is present then any
- # operation that does not have a specific entry will use it.
- # If an entry that does not specify an operation is NOT present then any
- # operation that does not have a specific entry will not use local response
- # redirection and instead will use regular WebSEAL behavior.
- #
- # This configuration item may be customized for a particular junction
- # by adding the adjusted configuration item to a
- # [local-response-redirect:{jct-id}] stanza, where '{jct-id}' refers to
- # the junction point for a standard junction (include the leading '/'),
- # or the virtual host label for a virtual host junction.
- #local-response-redirect-uri = /jct/redirect/handler
- [local-response-macros]
- # URL-encoded macros to include in the query string for all management
- # page requests.
- #
- # These will increase the length of the local response redirect URI. Certain
- # user-agents, such as WAP browsers, may have URI length limitations, so
- # add macros sparingly and cautiously. Note that any special characters will
- # be URI-encoded, further increasing the length of the local response URI.
- #
- # Do not modify the macro strings or add new ones; all supported macros are
- # listed below. Comment/uncomment desired macros for inclusion in the local
- # response URI. See the WebSEAL Admin Guide for definitions of the content
- # corresponding to each macro.
- #
- # The field names used in the query string can be customized by placing a
- # colon and a custom name after the macro definition as demonstrated below.
- # macro = USERNAME:customerId
- #
- # If no name or a blank name is provided after the colon, the default value
- # will be used. The default value is the macro name. For the HTTPHDR macro,
- # the default value is HTTPHDR_<name>, where name is the name of the HTTP
- # header defined in that macro. For the CREDATTR macro, the default value
- # is CREDATTR_<name>, where name is the name of the attribute defined in
- # that macro.
- #
- # Note that at a minimum the TAM_OP macro must be included in any response.
- # Even if the TAM_OP macro is not included or customized below, it will
- # still be present in all response URIs.
- macro = TAM_OP
- #macro = USERNAME
- #macro = METHOD
- #macro = URL
- #macro = REFERER
- #macro = HOSTNAME
- #macro = AUTHNLEVEL
- #macro = FAILREASON
- #macro = PROTOCOL
- #macro = ERROR_CODE
- #macro = ERROR_TEXT
- #macro = OLDSESSION
- #macro = EXPIRE_SECS
- #macro = HTTPHDR{<name>}
- #macro = CREDATTR{<name>}
- #macro = SECONDARY_BASE
- [enable-redirects]
- # This stanza contains a list of authentication mechanisms
- # for which automatic redirects are enabled.
- # Valid choices are forms-auth, token-auth, basic-auth, cert-auth,
- # and ext-auth-interface
- # Any or all of them may be enabled.
- #redirect = forms-auth
- #redirect = basic-auth
- #redirect = token-auth
- #redirect = cert-auth
- #redirect = ext-auth-interface
- #----------------------
- # ICONS
- #----------------------
- [content-cache]
- #----------------------
- # DOCUMENT CACHING
- #----------------------
- # The entries below define the caches which the Web Server uses to store
- # documents in memory.
- #
- # Syntax:
- # <MIME-Type> = <Cache-Type>:<Cache-Size>{:<Def-Max-Age>}
- #
- # Where:
- #
- # <MIME-Type>
- # Represents any valid MIME type conveyed in an HTTP "Content-Type:"
- # response header. This value may contain a wildcard (*). A value
- # of */* represents a default object cache that will hold any object
- # that does not correspond to an explicitly configured cache.
- #
- # <Cache-Type>
- # Defines the type of backing store to use for the cache. Currently
- # only "memory" caches are supported.
- #
- # <Cache-Size>
- # Represents the maximum size to which the given cache may grow before
- # objects are removed according to a LRU algorithm. This value is
- # defined in Kbytes.
- #
- # <Def-Max-Age>
- # Represents the maximum age of a session cache entry if expiration
- # information is missing from the original response. This value is
- # defined in seconds. If no value is supplied a default maximum age
- # of 3600 (i.e. 1 hour) will be applied.
- #
- # No Caching is performed if no caches are defined. If no default cache
- # is specified, documents which do not match any cache are not cached.
- #
- # text/html = memory:2000
- # image/* = memory:5000
- # */* = memory:1000
- [compress-mime-types]
- #----------------------
- # HTTP COMPRESSION MIME-TYPE CONFIGURATION
- #----------------------
- # This stanza allows HTTP compression to be enabled or disabled based
- # on the mime-type of the response and the size of the returned document.
- # Order is important. The first entry that matches a returned document
- # will be used for that document.
- #
- # Syntax:
- # <MIME-type> = <Min-Doc-Size>[:<Compress-Level>]
- #
- # Where:
- #
- # <MIME-Type>
- # Represents any valid MIME type conveyed in an HTTP "Content-Type:"
- # response header. This value may contain a wildcard (*). A value
- # of */* will match all mime-types.
- #
- # <Min-Doc-Size>
- # The minimum document size to be compressed. A size of -1 means never
- # to compress this mime-type. A size of 0 means to compress the
- # document regardless of its size. A size greater than 0 means that the
- # document will only be compressed if its initial size is greater than
- # or equal to Min-Doc-Size.
- #
- # <Compress-Level>
- # The compression level to be used for documents of this MIME type.
- # The compression level must be between 1 and 9, inclusive. Higher
- # compression levels decrease the size of the compressed data at the
- # expense of additional CPU utilization. This value is optional; if it
- # is not specified a compression level of 1 is used.
- #
- # These example configuration lines will:
- # - disable compression for images.
- # - enable compression for HTML documents larger than 1000 bytes.
- # - enable compression for all other text documents regardless of size.
- # - enable compression of PDF documents of all sizes at compression level 5.
- # - disable compression for any other documents.
- #
- # image/* = -1
- # text/html = 1000
- # text/* = 0
- # application/pdf = 0:5
- # */* = -1
- */* = -1
- [compress-user-agents]
- #----------------------
- # HTTP COMPRESSION USER-AGENT CONFIGURATION
- #----------------------
- # This stanza allows HTTP compression to be enabled or disabled based
- # on the user-agent header sent by clients. This stanza should be used
- # to disable compression for clients which send an "accept-encoding: gzip"
- # HTTP header but don't actually handle gzipped content-encodings properly
- #
- # Syntax:
- # <Pattern> = <Compression>
- #
- # Where:
- #
- # <Pattern>
- # A wild card pattern to match a particular user-agent header
- #
- # <Compression>
- # Is yes if the user-agent can handle compressed data, no otherwise.
- #
- # The first matching entry is used when determining whether a user-agent
- # can handle compression content-encodings. If no entry matches, the
- # user-agent's accept-encoding header is assumed to be correct. User-agents
- # that do not send an "accept-encoding: gzip" header will never receive
- # compressed data.
- [content-mime-types]
- #----------------------
- # MIME TYPES
- #----------------------
- # This stanza defines the MIME type for particular document extensions.
- #
- # Syntax:
- # <extension> = <type>
- #
- # where
- # extension is the extension of documents of this MIME type
- # type is a MIME type
- #
- # The first matching entry is used when determining the type of a particular
- # document.
- #
- # NOTE(review): the same extension is listed in more than one letter case
- # (exe/EXE, dll/DLL), which implies the extension match is case-sensitive.
- # Keep both spellings when adding new binary types, otherwise the upper-case
- # variant falls through to deftype below.
- #
- html = text/html
- htm = text/html
- gif = image/gif
- jpeg = image/jpeg
- ps = application/postscript
- shtml = text/x-server-parsed-html
- jpg = image/jpeg
- jpe = image/jpeg
- mpeg = video/mpeg
- mpe = video/mpeg
- mpg = video/mpeg
- bin = application/octet-stream
- exe = application/octet-stream
- Z = application/octet-stream
- EXE = application/octet-stream
- dll = application/octet-stream
- DLL = application/octet-stream
- ivsrv = application/octet-stream
- pdf = application/pdf
- au = audio/basic
- snd = audio/basic
- aiff = audio/x-aiff
- aifc = audio/x-aiff
- aif = audio/x-aiff
- wav = audio/x-wav
- ai = application/postscript
- eps = application/postscript
- rtf = application/rtf
- zip = application/zip
- ief = image/ief
- tiff = image/tiff
- tif = image/tiff
- ras = image/x-cmu-raster
- pnm = image/x-portable-anymap
- pbm = image/x-portable-bitmap
- pgm = image/x-portable-graymap
- ppm = image/x-portable-pixmap
- rgb = image/x-rgb
- xbm = image/x-xbitmap
- xpm = image/x-xpixmap
- xwd = image/x-xwindowdump
- txt = text/plain
- rtx = text/richtext
- tsv = text/tab-separated-values
- etx = text/x-setext
- qt = video/quicktime
- mov = video/quicktime
- avi = video/x-msvideo
- movie = video/x-sgi-movie
- js = application/x-javascript
- ls = application/x-javascript
- mocha = application/x-javascript
- wrl = x-world/x-vrml
- dir = application/x-director
- dxr = application/x-director
- dcr = application/x-director
- crt = application/x-x509-ca-cert
- tar = application/x-tar
- css = text/css
- # Default type to assign to pages that don't match any of the above.
- # text/plain is a safe fallback: an unknown extension is not served as
- # text/html, so it cannot be rendered as markup by the browser on the basis
- # of this stanza alone (browser content sniffing is controlled elsewhere).
- deftype = text/plain
- ico = image/x-icon
- [content-encodings]
- #----------------------
- # CONTENT ENCODINGS
- #----------------------
- # Some browsers support content encodings. These entries map a document
- # extension to an encoding type.
- # Note that "Z" is also mapped to application/octet-stream in the
- # [content-mime-types] stanza above; this stanza supplies the encoding only.
- gz = x-gzip
- Z = x-compress
- ##################################
- # LOGGING
- ##################################
- [logging]
- #
- # The server-log-cfg configuration entry is used to configure the server
- # for logging. The format of the configuration entry is:
- # server-log-cfg = agent [parameter=value],[parameter=value]....
- #
- # Where:
- # agent: The logging agent. The agent is used to control the destination
- # of the logging event. Valid agents include:
- # stdout, stderr, file, remote, rsyslog.
- #
- # Different configuration parameters and values are also required/supported
- # by the different agents. Some of the available parameters include:
- #
- # Parameter Supported Agents:
- # --------- -----------------
- # buffer_size remote
- # compress remote, file
- # dn remote
- # error_retry remote, rsyslog
- # flush_interval all
- # hi_water all
- # log_id file, rsyslog
- # max_event_len rsyslog
- # max_rollover_files file
- # mode file
- # path all
- # port remote, rsyslog
- # queue_size all
- # rebind_retry remote, rsyslog
- # rollover_size file
- # server remote, rsyslog
- # ssl_keyfile rsyslog
- # ssl_label rsyslog
- # ssl_stashfile rsyslog
- #
- # As an example, to send server events to a remote syslog server:
- # server-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance
- #
- # For a complete description of the different available logging agents, and
- # the supported configuration parameters, please refer to the IBM Security
- # Access Manager Auditing Guide.
- #
- server-log-cfg = file path=msg__webseald-sharif.log,hi_water=1,flush_interval=1
- # NOTE(review): the file agent's path above is relative and this stanza does
- # not show the directory it resolves against; confirm the file lands where
- # log collection and rotation expect it before relying on it for incident
- # review. hi_water=1 and flush_interval=1 mean near-immediate writes.
- # Log files' size limit
- # Applies to the request, referer, and agent logs
- # Negative values will cause the logs to be rolled over daily.
- # A value of zero will cause no rollover file to be created.
- max-size = 2000000
- # Frequency in seconds to force a flush of log buffers
- flush-time = 20
- # Enable the request log
- requests = yes
- # Enable the referer log
- referers = no
- # Enable the user agent log
- agents = no
- # NOTE(review): with referers and agents both disabled, the Referer and
- # User-Agent request headers are not recorded anywhere in this stanza.
- # If they are wanted for investigations, either enable these logs or add
- # %{Referer}i and %{User-Agent}i to request-log-format below (see the
- # %{header}i directive in the list that follows).
- # Log requests with time in GMT instead of local TZ
- gmt-time = no
- # If log-invalid-requests is set to 'yes', WebSEAL will log every
- # request, even if a request is malformed or for some other reason
- # is not processed to completion.
- log-invalid-requests = yes
- # The request-log-format to be written to the request log.
- # The following directives can be used to customize the log format.
- #
- # %a: Client IP Address
- # %A: Local IP Address
- # %b: Bytes in the response excluding HTTP headers in CLF format: '-' instead
- # of 0 when no bytes are returned.
- # %B: Bytes in the response excluding HTTP headers
- # %{attribute}C:
- # Attribute from the TAM credential named 'Attribute'
- # %{cookie}e:
- # Contents of the Cookie 'cookie' in the request
- # %{cookie}E:
- # Contents of the Cookie 'cookie' in the response
- # %d: Transaction identifier, or session sequence number.
- # %F: Time taken to serve the request in microseconds
- # %h: Client host
- # %H: Request protocol
- # %{header}i:
- # Contents of the Header 'header' in the request
- # %j: The name of the junction servicing the request
- # %l: Client logname (RFC 1314) (default -)
- # %m: Request method (i.e. GET, POST, HEAD)
- # %{header}o:
- # Contents of the Header 'header' in the response
- # %p: Port over which the request was received
- # %q: The decoded query string (prepended with '?' or empty)
- # %Q: The raw query string (prepended with '?' or empty).
- # %r: First line of the request with decoded URL
- # %R: First line of the request with decoded URL including HTTP://HOSTNAME
- # %s: Response status
- # %t: Time in Common Log Format format
- # %{format}t:
- # The time in the given format
- # %T Time taken to serve the request in seconds, or part thereof
- # %u: Remote user
- # %U: The URL requested
- # %v: Canonical ServerName of the server servicing the request
- # %z: The decoded path string
- # %Z: The raw path string
- #
- # The format below is plain Common Log Format. Consider adding %j (junction)
- # and %d (transaction identifier) so request-log entries can be correlated
- # with junction back-ends and with audit records during an investigation.
- # Avoid %{cookie}e / %{cookie}E for session cookies: they would copy session
- # credentials into the log file.
- request-log-format = %h %l %u %t "%r" %s %b
- [audit-mime-types]
- # WebSEAL can be configured to decide whether an audit event should be
- # generated for a particular HTTP request based on the content-type of the
- # return document. The format of the audit-mime-types stanza is:
- #<MIME-pattern> = <yes|no>
- # For example:
- #text/html = yes
- #*/* = no
- # No entries are active, so no content-type based audit filtering is applied
- # by this stanza.
- [audit-response-codes]
- # WebSEAL can be configured to decide whether an audit event should be
- # generated for a particular HTTP request based on the response code of the
- # returned document. The format of the audit-response-codes stanza is:
- #<code> = <yes|no>
- # For example:
- #304 = no
- #302 = no
- # No entries are active, so no response-code based audit filtering is applied
- # by this stanza.
- ###############################
- # AUTHORIZATION API
- ###############################
- [aznapi-configuration]
- # Update poll interval. This is the interval, in seconds, between checks
- # for updates to the master authzn server. The local cache is only rebuilt
- # if an update is detected. Values can be "disable", "default" or a time
- # in seconds.
- cache-refresh-interval = disable
- # NOTE(review): polling for policy updates is disabled here, so this server
- # learns of policy changes only through the notification listener enabled by
- # listen-flags below. If notifications cannot reach this server, policy
- # changes (including revocations) may not take effect until the cache is
- # rebuilt by other means — confirm this is the intended trade-off.
- # Flags to enable the reception of policy cache update notifications.
- # Values can be one of: "disable", "enable"
- # A "disable" value disables the notification listener.
- #
- # This parameter is set by the svrsslcfg utility.
- listen-flags = enable
- #----------------------
- # POLICY CACHE TUNING
- #----------------------
- # The maximum size of the in-memory policy cache is configurable.
- # The cache consists of policy and the relationships between policy
- # and resources. The knowledge that a resource has no directly
- # associated policy is also cached.
- #
- # The maximum cache size should be relative to the number
- # of policy objects defined and the number of resources
- # protected and the available memory.
- #
- # A reasonable algorithm to begin with is:
- # (number of policy objects * 3) + (number of protected resources * 3)
- #
- # This value controls how much information is cached. A larger
- # cache will potentially improve the application performance but use
- # additional memory as well.
- #
- # Size is specified as the number of entries.
- #
- # policy-cache-size = 32768
- #----------------------
- # AUTHORIZATION API LOGGING (traditional)
- # NB: The following authorization logging configuration entries are supported
- # for historical purposes only. The logcfg configuration entry should be
- # used to configure the logging in favour of these legacy configuration
- # items.
- #----------------------
- # Audit Trail
- # Enable/Disable audit event recording
- logaudit = no
- # NOTE(review): legacy audit recording is disabled and all auditcfg lines
- # below are commented out, so no authn/azn/http audit records are produced
- # by this mechanism. No active logcfg entry appears in this stanza either;
- # confirm audit events are captured elsewhere (e.g. a logcfg entry in another
- # location), otherwise authentication and authorization decisions on this
- # instance leave no audit trail.
- # Name of daemon whose activities are audited
- logclientid = webseald
- # To selectively capture audit events from specific components, uncomment the
- # appropriate auditcfg lines.
- #auditcfg = azn
- #auditcfg = authn
- #auditcfg = http
- # Log file size limit
- # Negative values will cause the logs to be rolled over daily.
- # A value of zero will cause no rollover file to be created.
- logsize = 2000000
- # Frequency, in seconds, to flush the log buffers
- logflush = 20
- # Attributes to be audited.
- # tagvalue_su-admin is audited by default.
- audit-attribute = tagvalue_su-admin
- # Option to enable adjustment of the authentication auditing data to accurately
- # reflect the operation result. This slightly changes the audit record
- # contents so any automated tools examining audit logs may need to be adjusted
- # to match.
- adjust-audit = no
- #----------------------
- # AUTHORIZATION API LOGGING
- #----------------------
- #
- # The logcfg configuration entry is used to configure the system for logging.
- # The format of the configuration entry is:
- # logcfg = category:agent [parameter=value],[parameter=value]....
- #
- # Where:
- # category: The name of the logging component. Valid logging components
- # include: audit.azn, audit.authn, http, http.clf, http.ref,
- # http.agent
- # agent: The logging agent. The agent is used to control the
- # destination of the logging event. Valid agents include:
- # stdout, stderr, file, pipe, remote, rsyslog (although the
- # pipe agent is not supported on the appliance).
- #
- # Different configuration parameters and values are also required/supported by
- # the different agents. Some of the available parameters include:
- #
- # Parameter Supported Agents Details
- # --------- ---------------- -------
- # buffer_size remote
- # compress remote, file
- # dn remote
- # error_retry remote, rsyslog
- # flush_interval all
- # hi_water all
- # log_id file, rsyslog
- # max_event_len rsyslog
- # max_rollover_files file
- # mode file
- # path all
- # port remote, rsyslog
- # queue_size all
- # rebind_retry remote, rsyslog
- # rollover_size file
- # server remote, rsyslog
- # ssl_keyfile rsyslog
- # ssl_label rsyslog
- # ssl_stashfile rsyslog
- # ssl_protocols rsyslog A colon separated list of SSL
- # protocols to be enabled. Valid
- # protocols include:
- # sslv3,tlsv10,tlsv11,tlsv12.
- # (sslv3, tlsv10 and tlsv11 are
- # deprecated; prefer tlsv12 only
- # when configuring an rsyslog agent.)
- #
- # As an example, to send authorization events to a remote syslog server:
- # logcfg = audit.azn:rsyslog server=timelord,port=514,log_id=webseal-instance
- #
- # For a complete description of the different available logging agents, and
- # the supported configuration parameters, please refer to the IBM Security
- # Access Manager Auditing Guide.
- #
- #---------------------------------------------------
- # BOOLEAN AUTHORIZATION RULES CONFIGURATION ENTRIES.
- #---------------------------------------------------
- #
- # A list of string prefixes that identify Access Decision Information (ADI)
- # to be supplied by the resource manager (in this case, WebSEAL). The
- # default setting below tells the authorization engine that when it requires
- # ADI with the prefixes "AMWS_hd_", "AMWS_qs_" or "AMWS_pb_" to evaluate a
- # boolean authorization rule, and the ADI is not available in the credential
- # or application context passed in with the access decision call, that the
- # engine should fail the access decision and request that the resource manager
- # retry the request and provide the required data in the application context
- # of the next request. The prefixes given below represent special values
- # for WebSEAL:
- # AMWS_hd_ - Indicates that the ADI can be found within the HTTP Environment
- # (Headers) of the request that WebSEAL is currently serving.
- # AMWS_qs_ - Indicates that the ADI can be found within the Query String of
- # the request that WebSEAL is currently serving.
- # AMWS_pb_ - Indicates that the ADI can be found within the POST Body of the
- # request that WebSEAL is currently serving.
- #
- # All three sources are supplied by the client, so rules that consume ADI
- # with these prefixes must treat the values as untrusted input.
- # resource-manager-provided-adi is a multi-valued entry: each line adds a
- # prefix, it is not a last-wins override.
- resource-manager-provided-adi = AMWS_hd_
- resource-manager-provided-adi = AMWS_pb_
- resource-manager-provided-adi = AMWS_qs_
- # To enable certain Boolean Authorization Rules options, it is necessary
- # to set the permission information that the authorization engine will
- # return to WebSEAL.
- # The permission attribute that will enable the authorization engine to
- # request ADI from the current WebSEAL request is
- # "azn_perminfo_rules_adi_request".
- # To use the "-R" junction option, the "azn_perminfo_reason_rule_failed"
- # attribute must be included.
- # To enable the Privacy Redirection capabilities of the AMWebARS Web Service,
- # the "azn_perminfo_amwebars_redirect_url" must be included.
- permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed
- # The prolog to be added to the top of the XML document that is created
- # using the Access Decision Information (ADI) needed to evaluate a boolean
- # authorization rule. If not specified then the default XML prolog is:
- #
- # <?xml version='1.0' encoding='UTF-8'?>
- #
- # It is strongly suggested that you read and thoroughly understand the
- # boolean authorization rules documentation before attempting to change
- # this setting from the default provided.
- #
- ## input-adi-xml-prolog = <?xml version='1.0' encoding='UTF-8'?>
- # The prolog to be added to the top of the XSL stylesheet that is created
- # using the XSL text that defines a boolean authorization rule. If not
- # specified then the default XSL stylesheet prolog is:
- #
- # <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl=\
- # 'http://www.w3.org/1999/XSL/Transform' version='1.0'> \
- # <xsl:output method = 'text' omit-xml-declaration='yes' \
- # indent='no'/> <xsl:template match='text()'> </xsl:template>
- #
- # It is strongly suggested that you read and thoroughly understand
- # the boolean authorization rules documentation before attempting
- # to change this setting from the default provided.
- #
- ## xsl-stylesheet-prolog = <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'> </xsl:template>
- # In previous versions of WebSEAL, a user might not be able to work with an
- # existing junction (i.e. show, delete) when the junction was protected by an
- # EAS, even if the user's effective ACL had the bypassPOP ACL flag turned on.
- # To remove this limitation, the following entry was created. The default
- # setting of no, causes the product to work as it did in previous versions. If
- # this entry is set to yes and the user accessing the protected resource does
- # not have the bypassPOP ACL flag turned on, the product will work as it did in
- # previous versions also. Changing this entry's value to yes will remove the
- # limitation described above.
- #
- # NOTE: The sec_master user has the bypassPOP ACL flag turned on by default.
- # If this setting is set to yes, sec_master will NOT call out to the EAS when
- # accessing a protected resource. Consider this fact when deciding whether to
- # set this entry to yes.
- skip-eas-on-bypass-pop = no
- # This option applies to the entitlement service: azn_ent_registry_svc. It
- # defines the separator character for policy attributes. If not explicitly set
- # here then it defaults to the ':' character. If set to the '\' character then
- # a character escaping method is enabled in combination with the default ':'
- # separator character. Escaping ensures that the ':' character separator
- # character is uniquely identified from any occurrences in the user name (or DN)
- # and their policy names.
- #
- # NOTE(review): the value below is a single trailing backslash. Some INI
- # parsers treat a trailing backslash as a line continuation; WebSEAL's own
- # parser evidently accepts it (the comment above documents the form), but
- # any other tooling that reads or rewrites this file should be checked
- # against this line.
- policy-attr-separator = \
- mode = local
- # The following configuration is read only and cannot be modified.
- azn-server-name = sharif-webseald-iam.ibmemm.edu
- # The following configuration item is contained within the obfuscated
- # database and as such is obfuscated within this file. If the value is
- # modified within this configuration file the corresponding change will
- # be applied to the obfuscated database.
- pd-user-pwd = **obfuscated**
- [TAM_CRED_ATTRS_SVC]
- #
- # This stanza is used to configure the credential attributes entitlement
- # service. This entitlement service can be used to add attributes to the
- # credential which are based on LDAP attributes of the authenticated user.
- #
- # Entries in this stanza are used to define the sources of attributes to be
- # retrieved. The source names, such as user and group, are used to identify
- # the source location in the registry. You need to define these. The values
- # for these sources are registry identifiers that exist in the registry. The
- # values can be existing credential attribute names. If this is the case,
- # the service automatically finds and uses the respective values.
- #
- # For example:
- # eperson = azn_cred_registry_id
- # organisationalPerson = azn_cred_registry_id
- #
- # Each entry should then have a corresponding stanza which maps the LDAP
- # attribute into a credential attribute.
- #
- # For example:
- # [TAM_CRED_ATTRS_SVC:eperson]
- # emailAddress = mail
- # mobileNumber = mobile
- #
- # [TAM_CRED_ATTRS_SVC:organisationalPerson]
- # emailAddress = mail
- # mobileNumber = mobile
- #
- # No sources are configured in this file, so no LDAP attributes are added to
- # credentials by this service.
- [azn-decision-info]
- #
- # This stanza is used to define any extra information which should
- # be made available to the authorization framework when making
- # authorization decisions. This extra information can be obtained
- # from various elements of the HTTP request, namely:
- # - HTTP method
- # - HTTP scheme
- # - Request URI
- # - HTTP headers
- # - HTTP cookies
- # - POST data
- #
- # You can also include the name of the WebSEAL server in the
- # authorization request.
- #
- # If the requested element is not present in the HTTP request no
- # corresponding attribute will be added to the authorization
- # decision information.
- #
- # The format of the entries contained within this stanza is:
- # <attr-name> = <http-info>
- #
- # Where:
- # <attr-name>: The name of the attribute which will contain the
- # HTTP information.
- # <http-info>: The source of the information, one of:
- # - 'method'
- # - 'scheme'
- # - 'uri'
- # - 'client_ip'
- # - 'header:<header-name>'
- # - 'cookie:<cookie-name>'
- # - 'post-data:<post-data-name>'
- # - 'query-arg:<query-arg-name>'
- # - 'server_name'
- #
- # Everything except 'server_name' originates from the client request, so
- # authorization rules that consume these attributes must treat them as
- # untrusted input and must not rely on a client-asserted header or cookie
- # as proof of identity or privilege.
- #
- # The 'post-data-name' field will be handled differently based on the content
- # type of the request, as defined by the Content-Type header. The following
- # content types are supported:
- #
- # application/x-www-form-urlencoded
- # The 'post-data-name' field corresponds to the name of the form data field
- # within the request. The corresponding value for this field will be added
- # to the authorization decision information.
- #
- # application/json
- # The 'post-data-name' field corresponds to a hierarchical representation of
- # the name within the JSON data. For example, assume that the following
- # POST data exists with a request which has the content-type of
- # application/json:
- #
- # {
- # "userid": "jdoe",
- # "transactionValue": "146.67",
- # "accountBalances": {
- # "chequing": "4345.45",
- # "savings": "12432.23",
- # "creditLine": "19999.12"
- # }
- # }
- #
- # To have the value of userid, at the root level, added to the authorization
- # decision information, create an entry in this stanza like:
- # POST_USERID = /"userid"
- #
- # The leading / character indicates that the top level JSON object should be
- # searched for a name-value pair with the name of userid. In our example,
- # this would add "POST_USERID=jdoe" to the decision information.
- #
- # To have the savings value within the accountBalances "node" present in the
- # decision information, create an entry in this stanza like:
- # SAVINGS_BAL = /"accountBalances"/"savings"
- #
- # The initial / character indicates that the top level JSON object should be
- # searched for a name-value pair with the name of accountBalances. If found,
- # and that value is another JSON object, it should then be searched for a
- # name-value pair with the name of savings. In our example, this would add
- # "SAVINGS_BAL=12432.23" to the decision information.
- #
- # JSON also has the notion of Arrays. Consider the following POST data
- #
- # {
- # "userid": "pwald",
- # "transactionValue": "200.00",
- # "accounts": [
- # {"name": "chequing", "balance": "4345.45"},
- # {"name": "savings", "balance": "1234.56"}
- # ]
- # }
- #
- # Notice in this example that the top level accounts field has a value that
- # is a JSON array. To identify which array element to include in the search,
- # provide the array index, starting with a base of 0. For example, to add
- # the value of the "balance" field from the first element of the accounts
- # array, create an entry in this stanza like:
- # CHEQUING_BAL = /"accounts"/0/"balance"
- #
- # The initial / indicates the "accounts" field in the top level JSON object.
- # The /0 indicates the first element of the array value. Finally the
- # /"balance" indicates the field with a name of balance within that first
- # array element. In our example, this would add "CHEQUING_BAL=4345.45" to the
- # decision information.
- #
- # Only "leaf" nodes of the String, Number, true, false or null types can be
- # specified.
- #
- # The 'query-arg-name' field corresponds to the key name of a query string
- # parameter of the request. The corresponding value for this field, if found,
- # will be added to the authorization decision information.
- #
- #
- # Other examples include:
- # HTTP_REQUEST_METHOD = method
- # HTTP_HOST_HEADER = header:Host
- #
- # No entries are configured in this file.
- #
- # Configuration stanza for the TAM transaction logging framework. This
- # framework can be used by support to record transactional information.
- #
- [translog]
- #
- # The maximum file size (in KB) for a transactional log.
- # Only the size cap is set here; where the transaction log is written is not
- # configured in this stanza.
- #
- # 262144 = 256 MB
- max-file-size = 262144
- ###############################
- # CREDENTIAL POLICY ATTRIBUTES
- ###############################
- [credential-policy-attributes]
- # This stanza controls which TAM policy values are stored in credentials
- # during authentication. In order for this stanza to take effect you must
- # also enable the TAM credential policy entitlements service in the aznapi
- # stanzas above this one.
- #
- # Format is:
- # <policy-name> = <credential-attribute-name>
- #
- # Supported policies are listed here. Uncomment the policies you wish
- # to add to credentials.
- #AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login
- #AZN_POLICY_DISABLE_TIME = tagvalue_disable_time
- #AZN_POLICY_ACCOUNT_EXPIRY_DATE = tagvalue_account_expiry_date
- #AZN_POLICY_MAX_PASSWORD_AGE = tagvalue_max_password_age
- #AZN_POLICY_MAX_PASSWORD_REPEATED_CHARS = tagvalue_max_password_repeated_chars
- #AZN_POLICY_MIN_PASSWORD_ALPHAS = tagvalue_min_password_alphas
- #AZN_POLICY_MIN_PASSWORD_NON_ALPHAS = tagvalue_min_password_non_alphas
- #AZN_POLICY_PASSWORD_SPACES_ALLOWED = tagvalue_password_spaces_allowed
- #AZN_POLICY_MIN_PASSWORD_LENGTH = tagvalue_min_password_length
- #AZN_POLICY_TOD = tagvalue_tod
- #AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions
- # Only the concurrent-session policy is placed in credentials. Per the note
- # at the top of this stanza, this has no effect unless the credential policy
- # entitlement service is enabled in the aznapi configuration, which is not
- # visible in this stanza — confirm it is enabled if session limits are
- # expected to be enforced.
- AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions
- ###############################
- # POLICY DIRECTOR
- ###############################
- [p3p-header]
- #
- # This stanza specifies the P3P compact policy that applies
- # to all HTTP cookies set. See the W3C P3P Specification
- # for more information about P3P: http://www.w3c.org/TR/P3P/
- #
- # The default configured policy allows cookies to be accepted
- # by the default privacy settings for Microsoft Internet Explorer
- # version 6.
- #
- # Before configuring any P3P policy, consult the P3P Technical
- # Recommendation Specification to ensure that the values configured
- # match your organization's privacy policy.
- #
- # If a junction server sets a P3P header in its response, a
- # decision must be made as to whether it should be preserved as it is,
- # or replaced by the WebSEAL policy. This determination will be
- # made based on the value of the 'preserve-p3p-policy' item
- # in the [server] stanza.
- #
- # The 'p3p-element' item can be used to specify any elements
- # to add to the P3P header besides the compact policy configured
- # with the other configuration items in this stanza. This can
- # be used to supply a reference to a full XML policy:
- #
- # p3p-element = policyref="/w3c/p3p.xml"
- #
- # Note that a P3P compact policy is a declaration only; it does not change
- # how WebSEAL protects cookies (Secure/HttpOnly flags are configured
- # elsewhere).
- #
- # The 'access' item specifies the access the user has to the
- # information contained within and linked to the cookie.
- #
- # Possible values are 'none', 'all', 'nonident', 'contact-and-other',
- # 'ident-contact', 'other-ident'.
- #
- access = none
- #
- # The 'disputes' item, if yes, specifies that the full P3P policy
- # contains some information regarding disputes over the information
- # contained within the cookie.
- #
- # The default value is 'no'.
- #
- # disputes = no
- #
- # The 'remedies' item specifies the possible remedies for disputes.
- # Possible values are: 'correct', 'money', and 'law'.
- # If not specified, no remedy information is included in the policy.
- #
- # remedies = correct
- #
- # The 'non-identifiable' item, if yes, specifies that no information
- # in the cookie, or linked to by the cookie, personally identifies the
- # user in any way.
- #
- non-identifiable = no
- #
- # The 'purpose' item specifies the purpose of the information in the
- # cookie and linked to by the cookie.
- #
- # Possible values are 'current', 'admin', 'develop', 'tailoring',
- # 'pseudo-analysis', 'pseudo-decision', 'individual-analysis',
- # 'individual-decision', 'contact', 'historical', 'telemarketing',
- # and 'other-purpose'.
- #
- # For all values except 'current', an additional specifier may be
- # configured. The possible values are 'always', 'opt-in', 'opt-out'.
- # If no value is specified, 'always' will be used.
- # This value is specified after the purpose and separated from it by a
- # colon, for example:
- # purpose = contact:opt-in
- #
- # 'purpose' is repeated below; presumably both values are emitted in the
- # compact policy rather than the last one winning — confirm before editing.
- purpose = current
- purpose = other-purpose:opt-in
- #
- # The 'recipient' item specifies the recipients of the information in
- # the cookie, and linked to by the cookie.
- #
- # Possible values are 'ours', 'delivery', 'same', 'unrelated',
- # 'public', 'other-recipient'.
- #
- recipient = ours
- #
- # The 'retention' item specifies how long the information in the cookie
- # or linked to by the cookie will be retained.
- #
- # Possible values are 'no-retention', 'stated-purpose',
- # 'legal-requirement', 'business-practices', 'indefinitely'.
- #
- retention = no-retention
- #
- # The 'categories' item specifies the type of information stored in the
- # cookie or linked to by the cookie. If the 'non-identifiable' item
- # is yes, then no categories need be configured.
- #
- # Possible values are: 'physical', 'online', 'uniqueid', 'purchase',
- # 'financial', 'computer', 'navigation', 'interactive',
- # 'demographic', 'content', 'state', 'political', 'health',
- # 'preference', 'location', 'government', 'other-category'.
- #
- categories = uniqueid
- #
- # The cfg-db-cmd:entries stanza is used to specify the configuration entries
- # which will be exported or imported via the 'cfgdb' server task commands. Each
- # configuration entry will be checked sequentially against each item in
- # the [cfg-db-cmd:entries] stanza until the first match is found. This first
- # match will then control whether the configuration entry is included, or
- # excluded, from the configuration database. If no match is found the
- # configuration entry will be excluded from the configuration database.
- #
- # The format for entries contained within this stanza will be:
- # {stanza}::{entry} = [include|exclude]
- #
- # The 'stanza' and 'entry' fields may contain pattern matching characters.
- #
- # Example entries for this stanza include:
- # server::unix-root = include
- # ldap::* = exclude
- # *::* = include
- #
- # Order matters: the first matching line wins, so specific include/exclude
- # lines must stay above the patterns that would otherwise swallow them (for
- # example ssl::webseal-cert-keyfile-label before ssl::*keyfile*), and every
- # new exclusion must be placed above the final "*::* = include".
- #
- [cfg-db-cmd:entries]
- # Exclude some configuration entries which are specific to the appliance.
- # The following entries should NOT be modified.
- server::server-name = exclude
- server::jctdb-base-path = exclude
- server::cfgdb-base-path = exclude
- junction::local-junction-file-path = exclude
- authentication-mechanisms::* = exclude
- aznapi-configuration::trace-admin-args = exclude
- system-environment-variables::PD_SVC_ROUTING_FILE = exclude
- oauth-eas::*rsp-file = exclude
- PAM::pam-log-cfg = exclude
- PAM::pam-statistics-db-path = exclude
- flow-data::flow-data-db-path = exclude
- translog:pd.webseal::file-path = exclude
- audit-configuration::base-cache-path = exclude
- aznapi-external-authzn-services::* = exclude
- # Exclude a number of server specific entries from the server stanza
- server::unix-pid-file = exclude
- server::http-port = exclude
- server::https-port = exclude
- server::server-root = exclude
- server::network-interface = exclude
- # Exclude the LDAP bind DN and password as this should be specified to
- # each server.
- ldap::bind-dn = exclude
- ldap::bind-pwd = exclude
- # Exclude the SSL keyfiles, but include the actual label which is used.
- ssl::webseal-cert-keyfile-label = include
- ssl::*keyfile* = exclude
- # Exclude the port on which we listen for requests from the policy server.
- ssl::ssl-listening-port = exclude
- ssl::listen-interface = exclude
- # Exclude various authentication mechanisms as these should also be configured
- # by default.
- authentication-mechanisms::passwd-ldap = exclude
- authentication-mechanisms::cert-ldap = exclude
- # Exclude the WebSEAL document root.
- content::doc-root = exclude
- # Exclude the various log files as these should be server specific.
- logging::*log = exclude
- logging::server-log* = exclude
- logging::*file = exclude
- # Exclude various server specific configuration entries for the authorization
- # framework (e.g. log files, server identities, etc).
- aznapi-configuration::db-file = exclude
- aznapi-configuration::auditlog = exclude
- aznapi-configuration::azn-app-host = exclude
- aznapi-configuration::azn-server-name = exclude
- aznapi-configuration::pd-user-name = exclude
- # NOTE(review): aznapi-configuration::pd-user-pwd is not listed, so it falls
- # through to "*::* = include" below even though pd-user-name is excluded and
- # ldap::bind-pwd is excluded. Whether an export carries the obfuscated value
- # or re-reads the obfuscated database is not visible in this file; if
- # exported bundles should not carry the policy-server password, add
- # "aznapi-configuration::pd-user-pwd = exclude" here.
- # Exclude everything from the webseal-config stanza.
- webseal-config::* = exclude
- # Exclude the name of our obfuscated configuration file.
- configuration-database::* = exclude
- # Exclude the cluster settings as these are server specific.
- cluster::* = exclude
- # Exclude the interface specific settings as these shouldn't, in a normal
- # environment, need to be replicated. The [interfaces] stanza contains the
- # definitions which are specific to a particular interface.
- interfaces::* = exclude
- # Exclude the appliance-preset listen-interface
- appliance-preset::listen-interface = exclude
- # We want to include everything else.
- *::* = include
- #
- # The cfg-db-cmd:files stanza is used to specify the files which
- # will be exported or imported via the 'cfgdb' server task commands.
- #
- # The format for entries contained within this stanza will be:
- # file = <file-path>, or
- # file = cfg(<stanza>::<entry>)
- #
- # The '<file-path>' entry should contain either a fully qualified file name,
- # a file name which is relative to the WebSEAL installation root, or a file
- # name which is relative to the WebSEAL server root (as defined by the
- # server-root configuration entry).
- #
- # The 'cfg(<stanza>::<entry>)' entry is used to define the configuration entry
- # which will contain the name of the file which is to be included.
- #
- # Examples entries for this stanza include:
- # file = /opt/pdwebrte/etc/cert-rules.txt
- # file = www-default/lib/jmt.conf
- # file = cfg(junction::jmt-map)
- #
- # The template configuration file will contain entries for the most commonly
- # used files. Files which are not included in the default configuration
- # include:
- #
- # stanza configuration entry
- # ------ -------------------
- # spnego spnego-krb-keytab-file
- # cdsso-peers <full qualified host name>
- # e-community-domain-keys <domain name>
- # e-community-domain-keys:<domain> <domain name>
- # dsess-cluster:<name> ssl-keyfile and ssl-keyfile-stash
- # tfim-cluster:<name> ssl-keyfile and ssl-keyfile-stash
- # http-transformations <resource name>
- #
- [cfg-db-cmd:files]
- # Files which are exported or imported by the 'cfgdb' server task commands.
- # Each entry is a repeated 'file' key naming a file directly, or naming the
- # configuration entry (cfg(<stanza>::<entry>)) whose value is the file path.
- #
- # Include the key file which is used when communicating with browsers,
- # together with its password stash file.
- file = cfg(ssl::webseal-cert-keyfile)
- file = cfg(ssl::webseal-cert-keyfile-stash)
- # Include the key file (and stash file) which is used when communicating
- # with junctioned Web servers.
- file = cfg(junction::jct-cert-keyfile)
- file = cfg(junction::jct-cert-keyfile-stash)
- # Include the failover cookie key file.
- file = cfg(failover::failover-cookies-keyfile)
- # Include the LTPA keyfile used during authentication.
- file = cfg(ltpa::keyfile)
- # Include the junction mapping table.
- file = cfg(junction::jmt-map)
- # Include the Dynamic URL map.
- file = cfg(server::dynurl-map)
- # Standard key files for the DSess and TFIM clusters.
- file = cfg(dsess-cluster::ssl-keyfile)
- file = cfg(dsess-cluster::ssl-keyfile-stash)
- file = cfg(tfim-cluster:my-cluster::ssl-keyfile)
- file = cfg(tfim-cluster:my-cluster::ssl-keyfile-stash)
- #
- # NOTE: the exported set includes key databases and the stash files that
- # hold their passwords, so a cfgdb export is itself sensitive material.
- # Store and transfer the export with the same access restrictions as the
- # key files it contains.
- #
- # The jdb-cmd:replace stanza is used to define the mapping rules
- # for the jdb import command. These mapping rules will be applied
- # to each attribute within the junction archive file prior to
- # importing the new junction database.
- #
- # The format for entries contained within this stanza will be:
- # {jct-id} = {search-attr-value}|{replace-attr-value}
- #
- # Where:
- # {jct-id}: Refers to the junction point for a standard junction
- # (including the leading '/'), or the virtual host
- # label for a virtual host junction
- # {search-attr-value}: The attribute value which is to be searched for
- # within the junction definition.
- # {replace-attr-value}: The attribute value which is to be used within the
- # new junction definition.
- #
- # An example entry for this stanza could be:
- # /test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com
- #
- # No replacement rules are defined in this configuration; the stanza is
- # intentionally empty until a jdb import requires host rewriting.
- [jdb-cmd:replace]
- # The following stanza is used to house configuration information
- # which is necessary for the support of WebSEAL clusters. WebSEAL
- # clusters are used to automate the synchronization of data between
- # different WebSEAL servers.
- #
- # Entries in this stanza are server specific, which is why the cfgdb
- # export rules above exclude cluster::*.
- [cluster]
- # Is this machine a master for the cluster? There should only ever
- # be a single master for each cluster. Any modifications to the
- # configuration of a cluster should only ever be made to the
- # master. Left unset here, so this server is not configured as a
- # cluster master.
- #is-master = <yes/no>
- # If is-master is set to 'no' then the following value needs to
- # be specified. It is used to define the authorization server
- # name of the master,
- # e.g. default-webseald-server.ibm.com
- # master-name = <azn-name>
- # The maximum amount of time to wait, in seconds, for a slave
- # server to be restarted. This configuration entry is only
- # applicable to the master server.
- max-wait-time = 60
- [http-transformations]
- # The http-transformations stanza is used to house configuration information
- # which is necessary for the support of WebSEAL HTTP transformations.
- # WebSEAL HTTP transformations are used to modify HTTP requests and
- # HTTP responses (excluding the HTTP body) using XSLT.
- # To enable the HTTP transformations for a particular object a POP should
- # be attached to the appropriate part of the object space. This POP
- # should contain an extended attribute(s) with name of 'HTTPTransformation'
- # and a value of 'Request=<resource-name>' and/or 'Response=<resource-name>'.
- #
- # HTTP transformation resources can be defined by specifying the resource name
- # and the path to the resource file.
- #
- # Format is:
- # <resource-name> = <resource-xsl-file>
- # The following files are currently available for this configuration entry:
- # - <none available>
- #
- # The 'resource-name' entry below is the template placeholder: it defines no
- # transformation because no XSL file is assigned. To add a transformation,
- # replace it with a real resource name and its XSL file.
- resource-name =
- #
- # The [http-transformations:<resource-name>] stanza is used to house
- # configuration which is specific to a particular HTTP transformation resource.
- # The '<resource-name>' component of the stanza name is a placeholder and
- # should match a resource defined in the [http-transformations] stanza.
- #
- [http-transformations:<resource-name>]
- #
- # The cred-attr-name configuration entry is used to define the
- # credential attributes which will be included in the XML input
- # document, used when evaluating the HTTP transformation rule.
- #
- # The credential attributes will be stored in a new XML
- # element within the top level XML container: <Credential>.
- # For example:
- # <HTTPResponse>
- # <Credential>
- # <Attributes>
- # <Attribute name="AZN_CRED_PRINCIPAL_NAME">testuser</Attribute>
- # </Attributes>
- # </Credential>
- #
- # </HTTPResponse>
- #
- # The configuration entry may be specified multiple times if
- # multiple credential attributes are required in the XML input
- # document.
- #
- # Some of the more common attributes include:
- # AZN_CRED_PRINCIPAL_NAME
- # AZN_CRED_AUTHZN_ID
- # AZN_CRED_PRINCIPAL_UUID
- # AUTHENTICATION_LEVEL
- # tagvalue_session_index
- #
- # For a complete list of attributes the pdweb.wan.azn trace point can be
- # set to level 9, and then a request sent to WebSEAL. The output trace will
- # contain a list of all attributes associated with the user credential.
- # Only expose the attributes a rule actually needs; every attribute listed
- # here becomes part of the XML input handed to the transformation.
- #
- cred-attr-name =
- #
- # The request-match configuration entry is used to define the pattern to be
- # matched against the HTTP request line, which includes method, URI, and
- # protocol. If a match is successful, then a HTTP transformation is triggered.
- #
- # Format is:
- # request-match = {request|response}:<request-line>
- #
- # The entry must begin with either request or response, which indicates whether
- # the processing is conducted on the HTTP request or response.
- # <request-line> contains the request line to be matched against. The pattern
- # matching is case-sensitive. Wildcard characters * and ? can be used.
- # This entry is optional. Multiple entries can be specified if needed.
- #
- # You also have the option of matching a request using a host header, useful
- # when selectively enabling this functionality for a particular virtual host
- # junction. To selectively match an entry based on a particular host header
- # the <request-line> should be prepended with the string: [<host>].
- #
- # Please note that if you use this mechanism to match the request to a rule
- # the evaluation of the rule will occur early in the request processing which
- # means that credential attributes will not be available in the evaluation of
- # the rule. If you need to use credential attributes in your request
- # transformation you should use the alternative POP mechanism for invoking the
- # rule.
- #
- # For example:
- # request-match = request:GET /index.html HTTP/1.1
- # request-match = response:GET /jct/*
- # request-match = response:[www.ibm.com]GET /login/*
- #
- request-match =
- #
- # The [ICAP:<resource>] stanza template below is commented out in its
- # entirety, header included. If its entries are uncommented, the
- # '#[ICAP:<resource>]' header line must be uncommented (and renamed) first;
- # otherwise the entries are read as part of this stanza.
- #
- #[ICAP:<resource>]
- #
- #
- # The [ICAP:<resource>] stanza is used to define a single ICAP
- # resource. The '<resource>' component of the stanza name should
- # be changed to the actual name of the resource.
- #
- # To enable the ICAP resource for a particular object a POP should
- # be attached to the appropriate part of the object space. This POP
- # should contain an extended attribute with a name of 'ICAP' and
- # a value which is equal to the name of the configured ICAP resource.
- #
- #
- # The complete URL on which the ICAP server is expecting requests.
- # An example might be:
- # URL = icap://icap.example.net:1344/filter?mode=strict
- #
- # An SSL connection to the ICAP server is also supported. When
- # using an SSL connection, the keystore used is that which is defined
- # in the [junction] stanza of this file. To identify an SSL connection
- # to an ICAP server, use the string 'icaps' for this entry. An
- # example might be:
- # URL = icaps://icap.example.net:1345/filter?mode=strict
- #
- # URL =
- #
- # The list of transactions for which this resource will be invoked.
- #
- # Possible values are:
- # 'req': The ICAP server will be invoked on the HTTP request;
- # 'rsp': The ICAP server will be invoked on the HTTP response;
- #
- # transaction = req
- #
- #
- # The maximum length of time (in seconds) that WebSEAL will wait for
- # a response from the ICAP server.
- #
- # timeout = 120
- #
- # If the connection to the ICAP server is SSL (see above) then an
- # optional entry can be provided to identify the label of the
- # certificate to use from the keystore. This entry is only required
- # if client certificate authentication is needed.
- #
- # ssl-keyfile-label = <label>
- [system-environment-variables]
- #
- # Environment variables which are exported by the WebSEAL daemon.
- # The environment variable names are case sensitive. The format
- # of each entry is:
- # <env-name> = <env-value>
- #
- # For example:
- # LANG = de
- #
- # NB: This functionality is not available on Windows platforms, and
- # as such the system-environment-variables stanza will be ignored on
- # Windows.
- #
- # Kerberos configuration and replay-cache directory used by the daemon.
- KRB5_CONFIG = /var/PolicyDirector/etc/krb5.conf
- KRB5RCACHEDIR = /var/PolicyDirector/log
- # Directory for the RSA ACE (SecurID) agent data.
- VAR_ACE = /var/ace/
- [cert-map-authn]
- #
- # The name of the rules file which will be used by the certificate mapping
- # CDAS. No rules file is configured here.
- #
- # The following files are currently available for this configuration entry:
- # - <none available>
- rules-file =
- #
- # The initial tracing level of the authentication module. The level
- # variable indicates the trace level, with 1 designating a minimal
- # amount of tracing and 9 designating the maximum amount of tracing.
- # The trace level can also be modified using the Tivoli Access Manager
- # pdadmin trace commands, supplying the trace component name of
- # pd.cas.certmap. This trace component is only available after the
- # first HTTP request has been processed. 0 disables tracing; raise it
- # only while diagnosing a problem.
- #
- debug-level = 0
- #
- # The [http-updates] stanza further below is used to configure WebSEAL
- # so that it can communicate with a HTTP Server to retrieve updates to
- # files.
- #
- [user-map-authn]
- #
- # The name of the rules file which will be used by the authenticated
- # user mapping module. No rules file is configured here.
- #
- # The following files are currently available for this configuration entry:
- # - <none available>
- rules-file =
- #
- # The initial tracing level of the mapping module. The level
- # variable indicates the trace level, with 1 designating a minimal
- # amount of tracing and 9 designating the maximum amount of tracing.
- # The trace level can also be modified using the Tivoli Access Manager
- # pdadmin trace commands, supplying the trace component name of
- # pd.cas.usermap. This trace component is only available after the
- # first HTTP request has been processed. 0 disables tracing.
- #
- debug-level = 0
- [password-strength]
- #
- # The name of the rules file which will be used by the password
- # strength module. No rules file is configured here, so no additional
- # password strength rules are applied by this module.
- #
- # The following files are currently available for this configuration entry:
- # - <none available>
- rules-file =
- #
- # The initial tracing level of the password strength module. The level
- # variable indicates the trace level, with 1 designating a minimal
- # amount of tracing and 9 designating the maximum amount of tracing.
- # The trace level can also be modified using the Tivoli Access Manager
- # pdadmin trace commands, supplying the trace component name of
- # pd.cas.pwdstrength. This trace component is only available after the
- # first change password operation has been processed. 0 disables tracing.
- #
- debug-level = 0
- [http-updates]
- # Configures WebSEAL to poll an HTTP server for updates to files.
- # No update-url is configured, so this feature is not active.
- #
- # The URL which contains the HTTP file, for example:
- # https://99.n.trusteer.com/74767/api/snippets
- #
- update-url =
- #
- # The proxy server which will be used when connecting to the HTTP server.
- # The configuration entry should be of the form: <server>:<port>.
- #
- proxy =
- #
- # The label of the certificate which will be used for authentication
- # to the HTTP server. This certificate must be present in the
- # certificate database which is used for junction communication.
- #
- ssl-keyfile-label =
- #
- # The DN of the server. This configuration entry is only used if an
- # SSL connection is established with the server and an SSL key file
- # label has been specified.
- #
- # NOTE: because this entry is only honoured together with
- # ssl-keyfile-label, leaving the label empty also means the server DN
- # configured here is not checked. Configure both when the update server
- # identity must be pinned.
- #
- ssl-server-dn =
- #
- # The frequency, in seconds, that the update server will be polled
- # for updates.
- #
- poll-period = 3600
- #
- # The following configuration entry can be used to perform a search and
- # replace on text which is contained within the updated files. The format
- # of the configuration entry will be:
- # replace = <search-pattern>|<replace-text>
- #
- # where:
- # search-pattern = the regular expression pattern which is to be matched
- # replace-text = the text which will replace the matched text
- #
- # The '|' character cannot be used in the search-pattern text.
- #
- # Multiple instances of this configuration entry can be used if multiple
- # substitutions are required. No 'replace' entries are configured here.
- #
- #
- # The following 'itim' stanza is used to configure the Password Synchronization
- # Adapter for Tivoli Identity Manager.
- #
- [itim]
- #
- # Is the adapter enabled? While false, the placeholder values in angle
- # brackets below are inert; they must all be replaced with real values
- # before this is set to true.
- #
- is_enabled = false
- #
- # This is the hostname or IP address of the Tivoli Identity Manager
- # server that hosts the Tivoli Identity Manager Adapter for Tivoli Access
- # Manager. In a WebSphere Application Server cluster environment, you
- # need to configure SSL for the IBM HTTP Server. If you are using a WebSphere
- # Application Server single-server environment, you do not need to configure
- # SSL for the IBM HTTP Server.
- # * This entry is mandatory.
- #
- itim-server-name = <TIM Server IP address>
- #
- # The port associated with the itim-server-name URL above. The default
- # HTTPS port is 9443 for a single server configuration and 443 for a
- # Tivoli Identity Manager cluster with HTTP SSL configured.
- #
- #servlet-port=9443
- #
- # The password synchronization context root on the application server.
- #
- #servlet-context=/passwordsynch/synch
- #
- # An ID which has the necessary permission(s) to request the check and
- # synchronization operations. The best practice is to create a separate
- # account with appropriate permissions and use this account instead of
- # the ITIM manager account.
- # * This entry is mandatory.
- #
- principal-name = <Principal Name>
- #
- # The password for the Tivoli Identity Manager Principal Name.
- # * This entry is mandatory.
- #
- # NOTE: this value is stored in clear text in this file. Use a dedicated
- # least-privilege account (see principal-name) and keep the file's read
- # permissions restricted to the WebSEAL process owner.
- #
- principal-password = <Principal Password>
- #
- # The following three items hold the pseudo-distinguished names of the
- # services (resources) issuing the password synchronization request. This
- # pseudo-distinguished name consists of the attributes o, ou and dc from
- # the Tivoli Identity Manager LDAP organization context, and the
- # erservicename attribute of the Tivoli Access Manager service name, as
- # defined in Tivoli Identity Manager.
- #
- # If there are more than one pseudo-distinguished names specified, they
- # must be separated with a semicolon (;) character. The adapter iterates
- # through the list of service names until an account is found for one of
- # the services. If no account is found on the specified services, an error is
- # reported.
- # * It is mandatory to specify at least one of the following three entries.
- #
- #
- # service-source-dn is used to define the service pseudo-distinguished
- # name for all authentication methods.
- #
- service-source-dn = <service pseudo DN>
- #
- # service-password-dn is used to define the service pseudo-distinguished
- # name if using standard password as the authentication method. If this is
- # specified, it will override the password authentication method that is
- # defined under service-source-dn.
- #
- #service-password-dn = <service pseudo DN>
- #
- # service-token-card-dn is used to define the service pseudo-distinguished
- # name if using token card as the authentication method. If this is specified,
- # it will override the token card authentication method that is defined under
- # service-source-dn.
- #
- #service-token-card-dn = <service pseudo DN>
- #
- # The location and name of the Key Database file.
- # * This entry is mandatory.
- #
- # The following files are currently available for this configuration entry:
- # - pdsrv.kdb
- # - lmi_trust_store.kdb
- # - rt_profile_keys.kdb
- # - embedded_ldap_keys.kdb
- keydatabase-file =
- #
- # The password for the Key Database file.
- # * Either this entry, or the keydatabase-password-file entry is
- # mandatory.
- #
- #keydatabase-password = <kdb password>
- #
- # The password stash-file for the Key Database file.
- # * Either this entry, or the keydatabase-password entry is
- # mandatory.
- #
- # The following files are currently available for this configuration entry:
- # - rt_profile_keys.sth
- # - lmi_trust_store.sth
- # - embedded_ldap_keys.sth
- # - pdsrv.sth
- keydatabase-password-file =
- # Enable and configure Web Socket support.
- [websocket]
- # The maximum number of threads which will be used to proxy
- # WebSocket connections through WebSEAL. A value of zero will cause WebSockets
- # to be blocked. Each WebSocket connection will require two worker threads.
- # If more than max-worker-threads are in use WebSEAL will immediately close the
- # WebSocket even if the WebSocket upgrade request to the Junction succeeded. The
- # WebSocket threads operate independently from the [server] worker-threads.
- # With the value 0 below, WebSocket upgrades are blocked on this server.
- max-worker-threads = 0
- # To avoid the overhead of starting and stopping WebSocket worker threads
- # a number of threads can be left running idle. This will consume memory
- # resources to keep them alive and idle when not in use, but will save CPU and
- # thread start-up time when a new WebSocket requires threads.
- # This option specifies the maximum count of cached idle worker threads. A value
- # of zero will disable the caching of idle threads.
- idle-worker-threads = 0
- # The number of seconds to wait for data to be received from the junctioned WebSocket
- # server. If the timeout is reached the WebSocket connection will be closed.
- jct-read-inactive-timeout = 120
- # The number of seconds to wait for data to be received from the WebSocket client (browser).
- # If the timeout is reached the WebSocket connection will be closed.
- clt-read-inactive-timeout = 120
- # The number of seconds to wait if WebSEAL is blocked while sending data to the
- # junctioned WebSocket server. If the timeout is reached the WebSocket
- # connection will be closed.
- jct-write-blocked-timeout = 20
- # The number of seconds to wait if WebSEAL is blocked while sending data to the
- # WebSocket client (browser). If the timeout is reached the WebSocket
- # connection will be closed.
- clt-write-blocked-timeout = 20
- [http-method-perms]
- #
- # This stanza defines the ACL permission bits required to perform a
- # request using a particular HTTP method.
- #
- # The "<default>" entry defines the permissions required for any
- # methods not explicitly specified in the stanza.
- #
- # The "<default>" entry itself has no default value and must be
- # specified as a non-empty string in the stanza.
- #
- # This stanza may be overridden on a per-junction basis by qualifying
- # the stanza name with the junction name. When overridden in this way
- # only the entries in the qualified stanza will apply to the junction.
- #
- # For example:
- #
- # [http-method-perms]
- # <default> = r
- # POST = rx
- #
- # [http-method-perms:/myJunction]
- # <default> = r
- #
- # In this scenario:
- # - A POST request to /myJunction will require 'r' permission (from <default>)
- # - A POST request to any other junction will require the 'rx' permissions
- # Note that /myJunction does not inherit the "POST" entry from the global
- # [http-method-perms] stanza.
- #
- # If this stanza is empty, WebSEAL will operate with the legacy behavior.
- # The legacy behaviour is equivalent to:
- #
- # [http-method-perms]
- # <default> = r
- # PUT = m
- # DELETE = d
- #
- # This stanza is left empty here, so the legacy mapping above applies:
- # only PUT and DELETE require more than the 'r' permission; every other
- # method (including POST) is authorized with 'r' alone. Add explicit
- # entries if state-changing methods should require more.
- #
- #
- # The oauth-eas configuration stanza is used to configure the EAS which
- # communicates with TFIM to handle OAuth authorization. The EAS itself will
- # be invoked for a particular object if the effective POP for the object has
- # an attribute entitled "eas-trigger", with an associated value of
- # "trigger_oauth_eas".
- #
- [oauth-eas]
- # Should the EAS be enabled?
- eas-enabled = false
- # A majority of the OAuth settings exist in the [oauth] stanza. These are
- # specific to the OAuth EAS implementation.
- # The maximum number of OAuth 2.0 bearer token authorization decisions to cache.
- # This EAS has a built in cache for storing authorization decisions so that
- # repeated use of the same OAuth 2.0 bearer token does not require repeated
- # authorization requests. Bearer token decisions can be cached because they do not
- # require signing of the request, unlike OAuth 1.0 requests. The lifetime of the
- # cache entry is based on the Expires attribute returned in the STS. If this
- # attribute is not returned, the decision will not be cached.
- #
- # This EAS implements a Least Recently Used cache, meaning the decision
- # associated with the least recently used bearer token will be forgotten when a
- # new bearer token decision is cached. A cache-size of 0 will disable caching of
- # authorization decisions
- cache-size = 0
- # The default OAuth mode that this EAS will operate under. It affects the
- # validation of request parameters, as well as the construction of the RST. The
- # default mode can be overriden for an individual request by providing a valid
- # mode value [OAuth10|OAuth20Bearer] in a request parameter with the name
- # specified in the mode-param option below.
- default-mode = OAuth10
- # The name of the request parameter that can be used to override the
- # default-mode option configured above. By deleting this configuration
- # option, you can enforce that the default mode is always used.
- mode-param = mode
- # The name of the OAuth realm which will be used in a 401 request
- # for OAuth data.
- realm-name = ISAM
- # The name of the file which contains the body used when constructing a
- # '400 Bad Request' response. This response will be generated when
- # required OAuth elements are missing from a request.
- # The following files are currently available for this configuration entry:
- # - oauth_template_rsp_400_bad_request.html
- # - oauth_template_rsp_502_bad_gateway.html
- # - oauth_template_rsp_401_unauthorized.html
- bad-request-rsp-file = oauth_template_rsp_400_bad_request.html
- # The name of the file which contains the body used when constructing a
- # '401 Unauthorized' response. This response will be generated when:
- # - all OAuth data is missing from a request, or
- # - the OAuth data fails validation.
- # The following files are currently available for this configuration entry:
- # - oauth_template_rsp_400_bad_request.html
- # - oauth_template_rsp_502_bad_gateway.html
- # - oauth_template_rsp_401_unauthorized.html
- unauthorized-rsp-file = oauth_template_rsp_401_unauthorized.html
- # The name of the file which contains the body used when constructing a
- # '502 Bad Gateway' response. This response will be generated when the
- # processing of the request fails.
- # The following files are currently available for this configuration entry:
- # - oauth_template_rsp_400_bad_request.html
- # - oauth_template_rsp_502_bad_gateway.html
- # - oauth_template_rsp_401_unauthorized.html
- bad-gateway-rsp-file = oauth_template_rsp_502_bad_gateway.html
- # The name of the TAM trace component which is used by the EAS.
- trace-component = pdweb.oauth
- # Should the native TAM ACL policy still take affect, in addition to the
- # OAuth authorization?
- apply-tam-native-policy = false
- #
- # The rtss-eas configuration stanza is used to configure the EAS which
- # communicates with the RBA server. The EAS itself will be invoked for a
- # particular object if the effective POP for the object has an attribute
- # entitled "eas-trigger", with an associated value of "trigger_rba_eas".
- #
- ################################################################################
- # Risk Based Access (RBA) External Authorization Service (EAS) Settings
- #
- # BEGIN
- #
- ################################################################################
- [rtss-eas]
- # Specify the name of the IBM Security Access Manager trace component that the
- # EAS uses.
- trace-component = pdweb.rtss
- # Set this property to true if you want the EAS to first check with IBM(r)
- # Security Access Manager whether the user has permission to access the
- # resource based on the ACL set. Enabled here, so the native ACL check is
- # applied before the RBA decision.
- apply-tam-native-policy = true
- # Defines the context-id (Policy ID) that is used in the XACML requests that are
- # sent by the EAS to the RTSS. Set this entry to one of the following values:
- #
- # context-server-name
- # to use the WebSEAL server-name for all requests.
- #
- # context-inherited-pop
- # to use the location of the inherited POP for all requests. Use
- # this value if you require multiple policies for different
- # portions of the protected resource tree.
- #
- # <other-policy-id>
- # Use this value as the Policy ID for all requests.
- #
- # If the context-id parameter is not set, the WebSEAL server-name is used as
- # the default value. It is not set here.
- # context-id =
- # The audit logging configuration. This entry consists
- # of an agent identifier, followed by attributes which are
- # associated with the agent. Each attribute consists of a
- # name/value pair, separated by '=', and each attribute is
- # separated by ','.
- #
- # For example, to configure the auditing of records to a file:
- # audit-log-cfg = file path=/tmp/rtss-audit.log,flush=20,rollover=2000000,buffer_size=8192,queue_size=48
- # To send audit logs to STDOUT:
- # audit-log-cfg = STDOUT
- #
- # If this attribute is missing or not configured, no audit
- # events will be logged. It is not configured here, so RBA EAS
- # decisions are not audited; configure it if an audit trail of
- # access decisions is required.
- # audit-log-cfg =
- # Specify the name of the runtime security services SOAP cluster
- # that contains this runtime security services SOAP service.
- # Also specify a corresponding [rtss-cluster:<cluster>]
- # stanza with the definition of the cluster.
- cluster-name = cluster1
- # ISAM for Mobile receives a credential from the RBA EAS that contains
- # attributes for use in performing a risk assessment. This is called the
- # "RBA EAS credential" and is not the same as the WebSEAL credential, though it
- # may contain attributes with the same names.
- #
- # The client IP address is passed to the RBA EAS in the
- # AZN_CRED_NETWORK_ADDRESS_STR RBA EAS credential attribute. In previous
- # versions, this contained the client IP that was used when the WebSEAL
- # credential was built, regardless of whether the client IP changed during the
- # session.
- #
- # That default behavior changes if WebSEAL is configured to pass the current
- # client IP address to the EAS in the [azn-decision-info] stanza. In order to
- # ensure that risk assessment is being performed using the most current
- # information, the AZN_CRED_NETWORK_ADDRESS_STR RBA EAS credential attribute
- # will contain the client IP address used for the current request. Setting
- # use_real_client_ip to 'false' provides backwards compatibility and enables
- # the previous behavior.
- #
- # use_real_client_ip = false
- # Previous versions of RBA used the "value" of an [azn-decision-info] stanza
- # entry (i.e. the "right side") as its attribute ID. This version of RBA
- # uses the "key" of an [azn-decision-info] stanza entry (i.e. the "left side")
- # as the attribute ID. To enable the behavior with previous releases, use
- # the following setting:
- #
- # provide_700_attribute_ids = true
- # The EAS contacts the runtime security services servers to make an access
- # decision. The [rtss-cluster] stanza below determines which servers to contact.
- # If none of the specified servers are available, an error is returned and no
- # access is permitted. If you do not want this behavior, you can use the
- # following permit-when-no-rtss-available entry to permit all requests when no
- # servers are available. The default value is false, and the entry is left
- # unset here (fail closed).
- #
- # permit-when-no-rtss-available = true
- #
- # Caution: With this setting, every single request will be permitted only when
- # none of the runtime security services servers are available. This includes
- # access that might not be permitted if the server was available.
- # Size of the RTSS decision cache.
- # Decision caching is enabled by setting the attribute "CBACacheResult" to a
- # non-zero value on the protected object that has the RTSS EAS enabled POP
- # attached to it. The enablement applies to all child protected objects unless
- # overridden by an RTSS EAS enabled POP attached to one of the children.
- # When the cache is full it will discard the least recently used entry to make
- # room for a new entry. Please read the documentation for this configuration
- # entry to understand the limitations of using the decision cache.
- #
- # Notes:
- # 1) The permitted values for the protected object attribute CBACacheResult are:
- # -1 : Cache decision for lifetime of user's session.
- # 0 : Disable caching
- # >0 : Number of seconds to cache decision.
- # 2) If cba-cache-size is set to a value less than 512 it will use a value of 512.
- #
- # cba-cache-size = 16384
- [rtss-cluster:cluster1]
- # Specify the definitions for a cluster of runtime security services
- # SOAP servers in this stanza.
- #
- # NOTE(review): as pasted, this stanza has no active "server =" entry
- # (both examples below are commented out), so the cluster has no members
- # unless they are defined elsewhere. Confirm this matches the intended
- # deployment before relying on the RTSS/SOAP authorization path.
- #
- # Define the specifications of the server that you use to communicate
- # with a single runtime security services SOAP server,
- # which is a member of this cluster.
- # Values for this entry are defined as:
- # {[0-9],}<URL>
- # where the first digit (if present) represents the priority of the server
- # in the cluster (9 being the highest, 0 being lowest). A priority of 9 is
- # assumed if you do not specify a priority. The <URL> can be any
- # well-formed HTTP or HTTPS URL.
- # You can specify multiple server entries for failover and load balancing
- # purposes. The complete set of these server entries defines the
- # membership of the cluster for failover and load balancing.
- # The following is an example of an HTTP URL
- # server = 9,http://localhost:9080/rtss/authz/services/AuthzService
- # The following is an example of an HTTPS URL. You will also need to ensure that
- # your SSL configuration below is correct.
- #server = 9,https://localhost:9443/rtss/authz/services/AuthzService
- # NOTE(review): an http: server URL carries the authorization requests, and
- # any basic-auth header configured below, in clear text; prefer https: for
- # anything other than a loopback or otherwise isolated link.
- # Specify the maximum number of cached handles that are used when
- # communicating with runtime security services SOAP.
- handle-pool-size = 10
- # Specify the length of time, in seconds, before an idle handle is removed
- # from the handle pool cache.
- handle-idle-timeout = 240
- # Specify the length of time, in seconds, to wait for a response from
- # runtime security services SOAP.
- timeout = 240
- # You can use the following optional configuration entries if
- # the runtime security services SOAP server is configured to require
- # basic authentication. If you leave these entries blank,
- # the basic authentication header is not provided when communicating
- # with the runtime security services SOAP server.
- # Specify the name of the user for the basic authentication header.
- # NOTE(review): the text above refers to "entries" (plural) but only the
- # user name entry is visible in this paste; the password entry, if present,
- # is a plaintext secret in this file, so keep the file's permissions
- # restricted to the WebSEAL runtime user.
- basic-auth-user =
- #
- # The following SSL entries are optional and are only required if:
- # 1. At least one server entry indicates that SSL is to be used (i.e.
- # starts with https:)
- # 2. A certificate is required other than that which is used by this server
- # when communicating with the policy server (details of the
- # default certificate can be found in the [ssl] stanza of this
- # configuration file).
- #
- # If these entries are required and are not found within this stanza, the
- # default [ssl] stanza will be searched.
- #
- #
- # The name of the key database file which houses the client certificate to be
- # used.
- #
- # ssl-keyfile =
- #
- # The name of the password stash file for the key database file.
- #
- # ssl-keyfile-stash =
- #
- # The label of the client certificate within the key database.
- #
- # ssl-keyfile-label =
- #
- # This configuration entry specifies the DN of the server (obtained from the
- # server SSL certificate) which will be accepted. If no entry is configured
- # all DN's will be considered to be valid. Multiple DN's can be specified by
- # including multiple configuration entries of this name.
- #
- # NOTE(review): this entry is unset here, so any subject DN presented by the
- # RTSS server is accepted and the peer identity is not pinned beyond the
- # key database's trust validation; set the expected DN(s) whenever the
- # server entries use https:.
- #
- # ssl-valid-server-dn =
- #
- # The entry controls whether FIPS communication is enabled with RTSS/SOAP or
- # not. If no configuration entry is present the global FIPS setting (as
- # determined by the TAM policy server) will take effect.
- #
- # ssl-fips-enabled =
- # Configure NIST SP800-131A compliance mode. This will have the effect of:
- # - enabling FIPS mode processing (over-riding the value of the
- # ssl-fips-enabled configuration entry);
- # - enabling TLS V1.2;
- # - enabling the appropriate signature algorithms;
- # - setting the minimum RSA key size to 2048 bits.
- #
- # If no configuration entry is present the global NIST setting (as found in
- # the [ssl] stanza) will be used.
- #
- # ssl-nist-compliance = no
- # Define the mappings between the obligation levels that the policy decision
- # point (PDP) returns and the WebSEAL step-up authentication levels.
- # The mapping must be one-to-one and the user must be permitted to authenticate
- # only through the appropriate obligation mechanisms. These entries ensure that
- # the EAS maps the obligations to the authentication levels and vice versa
- # correctly.
- #
- # NOTE(review): each obligation name below maps to a distinct level (2-5),
- # which satisfies the one-to-one requirement. No obligation maps to level 1,
- # presumably the base authentication level — confirm against the instance's
- # configured authentication levels. The names used here must not reappear
- # in the [obligations-urls-mapping] stanza.
- [obligations-levels-mapping]
- life_questions = 2
- otp = 3
- email = 4
- voice = 5
- # Define the mappings between the obligation that the policy decision point
- # (PDP) returns and a URL that will attempt to satisfy the obligation.
- # The mapping must be one-to-one and the user must be permitted to authenticate
- # only through the appropriate obligation mechanisms. When the EAS receives
- # this obligation, the user is redirected to the URL provided.
- # Entries in this stanza must be unique with regard to the entries in the
- # [obligations-levels-mapping] stanza.
- #
- # You can also use wildcard obligations in this stanza. Add an asterisk at the
- # end of an obligation to indicate that all obligations found that match this
- # entry, up to but not including the asterisk, are redirected to the URL value.
- # Exact matches are used first. Then, if no match is found, wildcard matches
- # are used.
- #
- # For example, to redirect all obligations that start with urn:example to
- # http://www.example.com, add the following entry:
- #
- # urn:example:* = http://www.example.com
- #
- [obligations-urls-mapping]
- # NOTE(review): no active entry as pasted; only the commented example below.
- # Any URL added here becomes a redirect target for the user, so it should
- # be an https: URL on a host the deployment controls, as in the example.
- # obligation1 = https://example.com/FIM/sps/xauth?AuthenticationLevel=1
- # Provide the data type for any entry in the [azn-decision-info] stanza that is
- # not a string. For each entry in the [azn-decision-info] stanza, risk-based
- # access must know its data type. By default, all entries are of data type
- # string. If an entry is not of data type string, you must create an entry
- # in this stanza to define the data type. Valid data types are: string, integer,
- # boolean, double, x500name, time and date.
- # For example, if the following entry exists in the [azn-decision-info] stanza:
- #
- # urn:example:company:txn:value = post-data:/"accountBalances"/"savings"
- #
- # and its data type is double, you must create an entry to define this.
- # Append .datatype to the attribute ID (urn:example:company:txn:value) and
- # specify double, as follows:
- #
- # urn:example:company:txn:value.datatype = double
- #
- # Also, provide the category for any entry in the [azn-decision-info] stanza
- # that is not Environment. For each entry in the [azn-decision-info] stanza,
- # risk-based access must know its category. By default, all entries are of
- # category Environment. If an entry is not of category Environment, you must
- # create an entry in this stanza to define the category. Valid categories are:
- # Environment, Action, Subject and Resource.
- # For example, if the following entry exists in the [azn-decision-info] stanza:
- #
- # urn:example:company:txn:userid = post-data:/"userid"
- #
- # and its category is Subject, you must create an entry to define this.
- # Append .category to the attribute ID (urn:example:company:txn:userid) and
- # specify Subject, as follows:
- #
- # urn:example:company:txn:userid.category = Subject
- #
- [user-attribute-definitions]
- # NOTE(review): this stanza is empty as pasted, so every [azn-decision-info]
- # entry is treated as data type string and category Environment (the
- # defaults described above). If any entry carries a numeric, boolean or
- # Subject/Resource attribute, add its .datatype / .category entry here.
- ################################################################################
- # Risk Based Access (RBA) External Authorization Service (EAS) Settings
- #
- # END
- #
- ################################################################################
- #
- # The PAM stanza is used to house the configuration data which
- # is required for the PAM integration. The PAM functionality
- # is used to provide deep content packet inspection on selected
- # requests, checking for potential security vulnerabilities.
- #
- [PAM]
- #
- # Whether PAM analysis is enabled.
- #
- # NOTE(review): PAM inspection is disabled for this instance, so the
- # remaining entries in this stanza (simulation mode, resource rules, issue
- # actions) presumably have no effect on request processing until this is
- # set to true.
- #
- pam-enabled = false
- #
- # If simulation mode is enabled any issues which are detected will be
- # audited and then ignored. This provides a mechanism for allowing the
- # administrator to see what issues are being detected without having an
- # impact on the client traffic.
- #
- # NOTE(review): simulation mode is the safe first step when turning
- # pam-enabled on, so that false positives surface in the audit log before
- # any request is blocked.
- #
- pam-simulation-mode-enabled = false
- #
- # The amount of memory, in bytes, which can be consumed by
- # PAM. This allows PAM to tune the size of its caches for the
- # amount of available memory.
- #
- # 16777216 bytes = 16 MiB.
- #
- pam-max-memory = 16777216
- #
- # The following item controls whether the X-Forwarded-For header
- # is used to identify the client. This configuration item is useful
- # if a network terminating proxy is sitting between the server and the
- # client. If the value is set to false the client will be identified
- # based on the socket connection information.
- #
- # NOTE(review): keep this false unless a trusted proxy in front of WebSEAL
- # sets X-Forwarded-For on every request; otherwise the header is whatever
- # the client chose to send, and the client identity recorded by PAM can be
- # spoofed.
- #
- pam-use-proxy-header = false
- #
- # Any specific parameters which should be passed to the PAM
- # HTTP interface during initialization. Refer to the PAM
- # documentation for a list of valid PAM parameters.
- #
- # The configuration entry may be specified multiple times,
- # one for each PAM parameter. The entry should be of the
- # format:
- # pam-http-parameter = <parameter>:<value>
- #
- # Any specific parameters which should be passed to the PAM
- # coalescer interface. This interface is used to combine
- # related PAM issues into a single event. Refer to the PAM
- # documentation for a list of valid parameters.
- #
- # The configuration entry may be specified multiple times,
- # one for each coalescer parameter. The entry should be of
- # the format:
- # pam-coalescer-parameter = <parameter>:<value>
- #
- # For example:
- pam-coalescer-parameter = combine:on
- #
- # The logging configuration. The logging configuration consists
- # of an agent identifier, followed by attributes which are
- # associated with the agent. Each attribute consists of a
- # name/value pair, separated by '=', and each attribute is
- # separated by ','.
- #
- # For example, to configure the auditing of records to a file:
- # file path=pam.log,flush_interval=20,rollover_size=2000000
- #
- # NOTE(review): the value itself contains '=' characters; the first '=' on
- # the line is the key/value delimiter, as the example above shows. The
- # units of flush_interval and rollover_size are not stated here — see the
- # PAM documentation.
- #
- pam-log-cfg = file path=pam.log,flush_interval=20,rollover_size=2000000
- #
- # Should the audit events be sent to the PAM log file?
- # It is worth noting that the number of logged events
- # will increase dramatically if this option is enabled.
- #
- pam-log-audit-events = false
- #
- # PAM statistics can be enabled to provide a dashboard widget
- # on the Web Gateway Appliance which displays a 30 day
- # historical summary of the actions taken by PAM. This
- # functionality records how many times WebSEAL has performed
- # an action based on this instance's PAM configuration.
- #
- # NOTE(review): statistics are enabled while pam-enabled is false; with no
- # analysis running there is presumably nothing to record, so this is
- # harmless, but the two settings should be reviewed together when PAM is
- # turned on.
- #
- enable-pam-statistics = true
- #
- # The pam-statistics-bucket-interval item controls the granularity
- # of the buckets which the actions are stored in. The default
- # value is 600, or ten minutes. This data is stored in buckets
- # of the defined size for the first seven days. All records are
- # also coalesced into daily buckets for the first 30 days.
- #
- pam-statistics-bucket-interval = 600
- #
- # Define which PAM issues will be disabled (by default all PAM
- # issues are enabled). The configuration entry is a comma
- # separated list. Each issue contained within the
- # list will be disabled.
- #
- # For example:
- # to disable Ace_Filename_Overflow and HTTPS_Apache_ClearText_DoS:
- # pam-disabled-issues = 2121050,2114033
- #
- # NOTE(review): empty value, so all PAM issues remain enabled (the default
- # described above).
- pam-disabled-issues =
- # The rules which should be applied to determine whether
- # a particular resource should be passed down to the PAM
- # layer or not. Each rule will be examined in sequence
- # until a match is found. The first successful match
- # will determine whether the request is passed to the
- # PAM layer or not. The request will not be passed to
- # the PAM layer if no match is found.
- #
- # Multiple entries may be specified, and each entry
- # should be of the format:
- # pam-resource-rule = [+-]{uri}
- #
- # where:
- # + : Indicates that matching requests should be
- # passed to the PAM layer.
- # - : Indicates that matching requests should not
- # be passed to the PAM layer.
- # {uri} : Contains a pattern which is used to match
- # against the URI which is found in the
- # request. The wildcard characters '*'
- # and '?' may be used.
- #
- # For example:
- # pam-resource-rule = -*.gif
- # pam-resource-rule = +*.html
- #
- # NOTE(review): no pam-resource-rule entry is active as pasted (only the
- # commented examples above), so by the "no match found" rule no request
- # would reach the PAM layer even once pam-enabled is set to true; add at
- # least one "+" rule when enabling PAM.
- #
- # The following stanza can be used to customize the
- # PAM processing for individual resources and events.
- # The name of the stanza should be of the format:
- # [pam-resource:{uri}]
- #
- # where:
- # {uri} : Contains a pattern which is used to match
- # against the URI which is found in the
- # request. The wildcard characters '*' and
- # '?' may be used.
- #
- # For example:
- # [pam-resource:*.js]
- #
- [pam-resource:test.html]
- #
- # The entries contained within this stanza are used
- # to control the processing of certain PAM related
- # events. Each entry will be of the format:
- # {pam-issue} = {action}
- #
- # where:
- # {pam-issue} : Contains a pattern which is used to
- # match a PAM issue. The wildcard
- # characters '*' and '?' may be
- # used.
- # {action} : The action which is to be undertaken
- # for the issue. The action can be
- # one of the following:
- # - block: Blocks the connection for
- # a specified number of seconds,
- # e.g. block:30;
- # - ignore: Ignore the issue and
- # continue to process the request;
- #
- # For example:
- # 212105? = block:0
- # 2119002 = block:20
- # NOTE(review): this stanza defines no active issue actions as pasted, so
- # requests matching test.html receive the default PAM handling. Whether a
- # stanza named for "test.html" is intentional in this deployment cannot be
- # determined here — confirm, and remove it if it is left over from testing.
- [flow-data]
- #
- # WebSEAL on the Web Gateway Appliance can record performance data to be
- # viewed using the LMI. This mechanism records the number of requests
- # received by this WebSEAL instance along with the user-agent and junction
- # which processed the request.
- #
- # User-agent strings are stored based on the configuration of the
- # [user-agents] stanza. The [user-agents] stanza must be configured in
- # order to use this functionality.
- #
- # This data is stored at a fine granularity for the first seven days, and
- # as daily aggregations for the first thirty. Any data older than thirty
- # days is discarded.
- #
- # NOTE(review): enabled here; the required [user-agents] stanza is present
- # further down in this file, so the dependency above is satisfied.
- #
- flow-data-enabled = true
- #
- # The interval defined here is the granularity of the data recorded.
- # WebSEAL will aggregate the collected data into buckets of this size and
- # will perform database commit operations each time this interval is
- # complete.
- #
- # Note that after seven days, data is only kept in the daily (24 hour)
- # buckets.
- #
- # This interval is given in seconds.
- #
- # 600 seconds = 10 minutes, the same bucket size used for
- # pam-statistics-bucket-interval in the [PAM] stanza.
- #
- flow-data-db-interval = 600
- [user-agents]
- #
- # This stanza allows WebSEAL to map arbitrary user-agent strings to defined
- # categories for logging purposes. Each entry should be of the following
- # format: <category> = <pattern>
- #
- # The category is the string that will be recorded for user-agent strings
- # which match the pattern. The pattern supports the wildcard characters
- # '*' and '?'.
- #
- # A category can be defined multiple times if more than one pattern will
- # match a category.
- #
- # Note: This stanza must include one entry with the match-all pattern '*'.
- #
- # NOTE(review): these categories are for logging (flow-data) only, per the
- # description above. Several patterns overlap — a single user-agent string
- # may contain more than one of these words — and the order in which entries
- # are tried is not documented here, so verify which category wins for such
- # strings. MSOFFICE is deliberately listed twice (two patterns, one
- # category), and SUNDRY = * is the required catch-all.
- #
- CHROME = *chrome*
- FIREFOX = *firefox*
- SAFARI = *safari*
- OPERA = *opera*
- IE = *msie*
- MSOFFICE = *office*
- MSOFFICE = *outlook*
- ANDROID = *android*
- IOS = *ios*
- SUNDRY = *
- # NOTE(review): presumably the host of the policy server this instance
- # reports to — confirm. Any further entries of this stanza fall outside the
- # pasted content; review them against the full file.
- [manager]
- master-host = iam