#
# FILENAME
# webseald.conf
#
# DESCRIPTION
# Configuration file for the Access Manager WebSEAL server (webseald)
#

###############################
# WEBSEAL GENERAL
###############################
[server]

# WebSEAL server instance name. Typically, this is based on the hostname of the
# machine and the instance name of the server.
server-name = iam.ibmemm.edu-rp1

# If web-host-name is set WebSEAL will use this for the server's hostname. If
# left unset WebSEAL will attempt to automatically determine the server's
# hostname. On systems with many hostnames, interfaces or WebSEAL instances
# the automatic determination may not always be correct, requiring this manual
# setting.
# web-host-name = www.webseal.com

#----------------------
# THREADS AND CONNECTIONS
#----------------------

# Number of WebSEAL worker threads
# The number of configured worker threads specifies the number of
# concurrent incoming requests that can be serviced by this server
# instance. Choosing the optimal number depends on the quantity
# and type of traffic on your network. Modifying this value should
# be done carefully to ensure optimal performance. Please consult
# the WebSEAL Administration Guide for further information.
worker-threads = 300

# Initial client connection timeout (seconds)
client-connect-timeout = 120

# HTTP/1.1 persistent connection timeout (seconds)
# This only affects connections to clients, not backend systems.
persistent-con-timeout = 5

# Intra-request timeout (seconds)
# Timeout between data received or sent for a given request,
# but not the first read. When this value is non-zero, it
# also enables timeouts on http writes to clients and causes
# a TCP RST packet to be sent if a connection timeout occurs
# on the non-first data I/O. When this value is zero, the
# client-connect-timeout value above is used instead.
intra-connection-timeout = 60

# The maximum number of requests that will be processed on a single
# persistent connection.
connection-request-limit = 100

# The maximum number of idle client persistent connections. This value
# should be less than the maximum number of connections supported by the
# WebSEAL server to ensure that the idle connections do not consume all of
# the available connections.
# NOTE(review): 512 idle connections are allowed against 300 worker threads;
# the connection limit of this instance is not recorded here -- confirm the
# value stays below it, as the guidance above requires.
max-idle-persistent-connections = 512

# Allow WebSEAL to write chunked data to HTTP/1.1 clients. This can
# improve performance by allowing connections to be reused even when
# exact response length is not known before the response is written.
chunk-responses = yes

#----------------------
# HTTPS CLIENT
#----------------------

# Allow HTTPS access
https = yes

# Port to use for HTTPS requests
https-port = 443

#----------------------
# HTTP CLIENT
#----------------------

# Allow (unsecure) TCP HTTP access
# NOTE(review): "no" keeps this instance HTTPS-only (https = yes above);
# http-port below is then presumably not listened on -- confirm before
# changing either entry.
http = no

# Port to use for unsecure HTTP requests
http-port = 80

# The following four options can be used to compensate for a protocol or port
# mismatch between WebSEAL and its clients introduced by an intervening
# device or application. The http variants are used to control the protocol
# and port for requests that WebSEAL receives over a TCP interface and the https
# variants are used to control the protocol and port for requests that WebSEAL
# receives over an SSL interface.
#
# web-http[s]-port should be set to the port the client perceives WebSEAL to be
# using, as opposed to the actual port WebSEAL is using, which is specified
# by the http[s]-port parameters.
# web-http-port and web-https-port are optional.
#
# web-http[s]-protocol should be set to the protocol the browser perceives
# WebSEAL to be using, as opposed to the protocol that the intervening
# device uses to communicate with WebSEAL.
# Valid values are "http" or "https".
# web-http-protocol and web-https-protocol are optional.
#
#web-http-port = 80
#web-http-protocol = http
#web-https-port = 443
#web-https-protocol = https

#----------------------
# REQUEST BODIES AND CACHING
#----------------------

# This parameter specifies the maximum number of bytes that
# WebSEAL will read from a client when parsing an HTTP request.
# The total size of the URL and HTTP headers must be less than
# this value. This parameter cannot be set lower than its
# default: 32768
max-client-read = 32768

# This parameter specifies the maximum number of bytes to
# read in as content from the body of requests for use in
# dynurl, authentication, and request caching.
#
# 1) This impacts dynurl because the query portion of a
# POST request URI is contained in the request body.
#
# 2) This impacts forms authentication, because this limits
# the size of the POST data that will be processed
# when performing such authentication. For this reason,
# WebSEAL sets a hard minimum of 512 bytes on
# request-body-max-read. If this value is set below
# that minimum, the setting will be ignored and the
# minimum will be used.
#
# 3) This affects the amount of data that WebSEAL will cache
# for users who must authenticate before their request can be
# fulfilled. This affects all requests that have bodies
# (POSTs, PUTs, etc.).
#
# This does not limit the max POST size (which is unlimited).
#
request-body-max-read = 4096

# When a user is prompted to authenticate before a request
# can be fulfilled, the data from that request is cached
# for processing after the completion of the authentication.
# The maximum amount of data cached per request is determined
# by request-max-cache.
# If you want to ensure that you will be caching all of
# request-body-max-read worth of the body of requests, you
# must account for the maximum size of all the other request
# components in this value.
# Example: If you want to cache 2048 bytes of request bodies
# and you anticipate that the maximum size of all request headers
# and cookies will be 4096 bytes, you would:
# 1) set request-body-max-read = 2048
# 2) set request-max-cache = 2048 + 4096 = 6144
request-max-cache = 8192

#----------------------
# DYNURL
#----------------------
# Location of the URL -> protected object mapping file
# This path is relative to the server-root value in the [server] stanza

# The following files are currently available for this configuration entry:
# - dynurl.conf

dynurl-map = dynurl.conf

# Disallow/Allow POST requests larger than request-body-max-read.
# This parameter only takes effect if dynurl is enabled.
#
# WebSEAL is not able to compare the entire contents of a POST
# request to the URL mappings inside the dynurl.conf file if the body
# of the post is larger than request-body-max-read.
#
# If this option is set to "no", then WebSEAL will not
# allow POST requests with a body larger than request-body-max-read.
#
# If this option is set to "yes", then WebSEAL will compare only
# up to request-body-max-read bytes of a POST request to the URL mappings
# in the dynurl.conf file.
# NOTE(review): "no" is the fail-closed choice described above -- a body
# larger than request-body-max-read cannot be fully matched against the
# dynurl mappings, so keep "no" unless partial matching is accepted.
dynurl-allow-large-posts = no

# When reject-request-transfer-encodings is set to yes all requests
# to WebSEAL with a Transfer-Encoding value of anything other than
# identity or chunked will be rejected with a status of 501, Not Implemented.
# It is recommended for secure dynurl environments to set this to yes.
reject-request-transfer-encodings = yes

# When suppress-dynurl-parsing-of-posts is set to "yes" POST bodies will
# not be used in dynurl processing, only Query strings will be used.
# Before enabling this you must be certain that all dynurl checked server
# applications do not accept arguments from POST bodies so dynurl checks
# can't be bypassed using a POST instead of a Query string.
suppress-dynurl-parsing-of-posts = no

#----------------------
# URI AND POST BODY DECODING
#----------------------

# If decode-query is set to "yes", WebSEAL will validate the query string
# in requests according to the utf8-qstring-support-enabled parameter.
# Otherwise, WebSEAL will not validate the query string. If decode-query
# is set to "no" then dynurl must be disabled.
decode-query = yes

# Different portions of HTTP requests may be interpreted as either UTF-8 or
# local code page according to the configuration items in this section. The
# options for each portion of the request are either to ensure that the data
# is UTF-8, ensure that the data is local codepage, or to accept either.
#
# If an option in this section is "yes", WebSEAL will ensure that the data
# in that portion of the request is UTF-8.
#
# If an option in this section is "no", WebSEAL will ensure that the data
# in that portion of the request is local codepage.
#
# If an option in this section is "auto", WebSEAL will first attempt to
# validate the data as UTF-8. If the data is not UTF-8, then WebSEAL will
# ensure the data is local codepage.

# utf8-url-support-enabled controls how the location portion of the URI
# (the portion before any question mark character) is interpreted.
utf8-url-support-enabled = yes

# utf8-qstring-support-enabled controls how the query portion of the URI
# (the portion after the question mark character) is interpreted. This also
# applies to the POST bodies of requests to junctions when dynurl is enabled.
utf8-qstring-support-enabled = no

# utf8-form-support-enabled controls how form logins, password change
# requests, and other WebSEAL specific forms are parsed.
utf8-form-support-enabled = yes

# When double-byte-encoding is set to 'yes' WebSEAL will assume that URLs
# which contain encoding characters are always encoded in unicode, and will
# not contain UTF-8 encoded characters.
double-byte-encoding = no


# When a client URL specifies a directory location that does not end
# in a trailing '/', the client is redirected to the same URL with a
# trailing '/' added. This is necessary for ACL checks to work properly.
# slash-before-query-on-redirect controls where the '/' is added
# if the original URL has a query string.
#
# Setting slash-before-query-on-redirect to 'yes' causes the trailing '/'
# to be added before the query string.
# For example:
# /root/directoryname?query becomes /root/directoryname/?query
#
# Setting slash-before-query-on-redirect to 'no' causes the trailing '/'
# to be added after the query string.
# For example:
# /root/directoryname?query becomes /root/directoryname?query/
#
# A setting of 'no' could cause browser errors and is not recommended. This
# option exists for backwards compatibility only.

slash-before-query-on-redirect = yes


#----------------------
# SUPPRESSING SERVER IDENTITY
#----------------------

# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
# NOTE(review): as configured, responses disclose the product and version in
# the Server header; "yes" removes that disclosure. Confirm nothing downstream
# depends on the header before changing it.
suppress-server-identity = no

# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
# NOTE(review): with "no", whatever Server header the backend emits is passed
# through to the client unchanged.
suppress-backend-server-identity = no

#----------------------
# AUTH TOKEN VERSION
#----------------------

# Version 8.0.0 tokens use a different cipher than tokens in prior releases.
# If you are integrating with earlier versions of ISAM you will need to enable
# this to ensure the integrity of data across [e-community-sso], [failover], and
# [cdsso].
# NOTE(review): "no" keeps the current token cipher; only enable the
# compatibility mode if a pre-8.0.0 peer actually exists.
pre-800-compatible-tokens = no

#----------------------
# P3P Compact Policy header
#----------------------
# If 'preserve-p3p-policy' is set to 'no' (default), then any P3P headers from
# junctioned servers will be replaced.
#
# If 'preserve-p3p-policy' is set to 'yes', then any P3P headers from junctioned
# servers will be preserved.
preserve-p3p-policy = no

#----------------------
# Network Interface
#----------------------
# Specify an alternative I.P. address to be used by this instance of WebSEAL.
# This allows two or more WebSEAL instances to run on the same machine
# while using differing I.P. addresses and host names.
#
# network-interface = 0.0.0.0
network-interface = 192.168.42.193

# If always-neg-tls is set to "yes" then any TLS connections on this interface
# will only process one request. Once the request is complete the connection
# will be closed and the TLS session will be destroyed. This forces a full
# TLS session renegotiation every connection. This is an expensive method of
# using TLS so this option should only be enabled if absolutely necessary.
# Typically it could be enabled on the interface the secondary-port is referring
# to so the TLS on that interface always requests a certificate from the client
# (browser).
always-neg-tls = no

# Set use-secondary-listener to "yes" to inform webseal that this interface
# uses the secondary port. Used to improve compatibility with some browsers.
use-secondary-listener = no

#----------------------
# Filtering
#----------------------
# If preserve-base-href is no, then WebSEAL will remove all BASE HREF tags
# from filtered HTML documents and prepend the base tag to filtered links.
# Otherwise, the BASE HREF tag will be filtered.
preserve-base-href = yes

# If both preserve-base-href and preserve-base-href2 are set to yes, then
# WebSEAL will only perform the minimum filtering of the BASE HREF tag
# necessary to insert the WebSEAL host and junction names.
# If preserve-base-href is no, preserve-base-href2 has no effect.
preserve-base-href2 = yes

# To enable tag-based filtering of static URLs for new MIME types added
# to the [filter-content-types] stanza, change filter-nonhtml-as-xhtml to
# yes. Tag-based URL filtering operates without configuration changes
# for the text/html and text/vnd.wap.wml MIME types.
filter-nonhtml-as-xhtml = no

#---------------------
# Method disablement
#---------------------
# Specify the HTTP methods which should be blocked when requesting local or remote
# resources. Multiple methods should be separated with a comma (','). For example, to
# block access to the TRACE and PUT methods over local junctions the configuration entry
# would be:
# http-method-disabled-local = TRACE,PUT
#
# NOTE(review): PUT and DELETE are blocked for local resources only; remote
# junctions still accept them. Confirm the junctioned applications need those
# methods, otherwise mirror the local list here.
http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
http-method-disabled-remote = TRACE,CONNECT

#---------------------
# Processing root junction requests
#---------------------
# Specify whether WebSEAL will attempt to process requests for resources
# located at the root ('/') junction before attempting to identify a
# junction point to send the request via junction mapping mechanisms
# such as the JMT or IV_JCT cookie.
#
# Avoiding root junction processing prevents processing being performed
# for incorrect resources before the intended resource is identified.
# This will have performance benefits and prevent false authorization or
# filetype check failures.
#
# Valid choices are:
# never - Root junction requests are never processed at the root junction.
# That is, if a junction mapping mechanism is configured, such as
# the JMT or IV_JCT cookie, WebSEAL will look for this junction
# mapping information first (and look at the root junction last)
# and process the request at the mapped junction point.
#
# always - Always attempt to process requests for the root junction at the
# root junction first before looking for a configured junction
# mapping mechanism, such as the JMT or IV_JCT cookie.
# This is not recommended unless the root junction serves a large
# set of resources or no junction mapping mechanisms are configured
# for the set of junctions served by this WebSEAL server.
#
# filter - All root junction requests will be examined to determine whether
# they start with the patterns specified in the process-root-filter
# stanza.
# If yes, the request will be processed at the root junction first.
# If no, the request will be remapped immediately.
#
# NOTE(review): "always" is the setting the guidance above discourages;
# confirm this instance matches one of the two exceptions listed, otherwise
# "never" or "filter" (see [process-root-filter]) avoids the false
# authorization checks described.
process-root-requests = always

#---------------------
# IPv6 support
#---------------------
#
# Specify whether WebSEAL will support IPv6.
#
# Upon a new installation, WebSEAL supports IPv6 by default. However, if
# WebSEAL is upgraded from a release previous to 6.0, then the upgrade
# process will change this value to 'no'. This is to ensure backwards
# compatibility.
#
# Valid choices are:
# yes - Support IPv6 and IPv4 networks (default setting).
#
# no - Only support IPv4 networks.
#
ipv6-support = yes

# ip-support-level determines the network attributes placed in credentials.
# WebSEAL version 6.0 introduces new improved attributes which displace
# the older attribute. The new attributes are required when IPv6 support
# (ipv6-support) is enabled. This entry can be set to one of displaced-only,
# generic-only, or displaced-and-generic.
#
# displaced-only:
# The default for migrated installations. WebSEAL will only generate the
# displaced IPv4 attributes when building credentials and when authenticating
# users through CDAS modules.
#
# generic-only:
# The default for new installations. WebSEAL will only generate the new generic
# (supports both IPv4 and IPv6) attributes when building credentials and when
# authenticating users through CDAS modules.
#
# displaced-and-generic:
# Both sets of attributes (displaced and generic) are created.
#
# generic-only is the combination the text above requires when ipv6-support = yes.
ip-support-level = generic-only

#---------------------
# max-login-failures policy compatibility
#---------------------
#
# When late-lockout-notification = no, WebSEAL will notify clients that their
# account has been locked out immediately.
# When late-lockout-notification = yes WebSEAL will operate in a pre-v6.0
# compatible mode for user registry max-login-failures policy behavior,
# and not notify users until their next request.
# The default for new installations is disabled (no). The default for migrated
# installations is enabled (yes).
late-lockout-notification = no

# When reject-invalid-host-header is set to yes all requests
# to WebSEAL with an invalid host header (see RFC2616) will be
# rejected with a status of 400, Bad Request.
# NOTE(review): rejecting malformed Host headers with 400 is a low-cost
# hardening; confirm whether any legacy client sends a non-RFC2616 Host
# value before enabling it.
reject-invalid-host-header = no

#---------------------
# Adding HttpOnly attribute
#---------------------
# When use-http-only-cookies is set to 'yes', WebSEAL will add the "HttpOnly"
# attribute to the session and failover cookies. This will help defend against
# cross-site-scripting attacks by informing the browser not to make these
# cookies available to browser scripts.
use-http-only-cookies = yes

#---------------------
# Allow all Shift-JIS Multi-Byte characters
#---------------------
# When allow-shift-jis-chars is set to "yes" junctions created using -w will
# allow all Shift-JIS Multi-Byte characters in junction file and path names.
# When set to "no" junction file and path names using Shift-JIS Multi-Byte
# characters containing the single byte character '\' will be rejected.
allow-shift-jis-chars = no

#---------------------
# Pipelining
#---------------------
# WebSEAL does not support pipelined requests from browsers. When this option
# is set to "yes" and WebSEAL detects pipelined requests it will close the
# connection to inform the browser that it should resend the pipelined
# requests in a normal manner. This should always be set to "yes" unless the
# previous WebSEAL behavior is required.
cope-with-pipelined-request = yes

#---------------------
# Unauthenticated users and "-b supply"
#---------------------
# This parameter determines if unauthenticated users can access junctions
# created with "-b supply". When set to "no" the default behavior occurs.
# Default behavior does not allow unauthenticated users to access resources
# on a junction created using "-b supply", rather it will prompt them to
# authenticate. When "allow-unauth-ba-supply" is set to "yes" unauthenticated
# users will be allowed access to "-b supply" junctions. The basic authentication
# header supplied to the junction will contain the user name 'unauthenticated'.
allow-unauth-ba-supply = no

#---------------------
# Tag-value label for missing attributes
#---------------------
# WebSEAL allows credential attributes to be inserted into the HTTP stream
# as HTTP headers. In the event that a requested attribute was not located
# within the credential the HTTP header will still be created with a static
# string. The tag-value-missing-attr-tag configuration entry defines the
# contents of the header.
tag-value-missing-attr-tag = NOT_FOUND

# Each attribute name set in a junction object's HTTP-Tag-Value is
# automatically prefixed by "tagvalue_" before locating it in the credential.
# This prohibits access to credential attributes that don't have names
# beginning with "tagvalue_" such as "AUTHENTICATION_LEVEL". When this option
# is set to "no", the automatic prefixing of "tagvalue_" will not occur so all
# credential attributes can be specified in HTTP-Tag-Value.
# NOTE(review): "no" lets any credential attribute be exported as a header via
# HTTP-Tag-Value; confirm which junctions rely on that before keeping it off.
force-tag-value-prefix = no

#---------------------
# URLs and extra consecutive slashes ("/")
#---------------------
# WebSEAL does not allow extra consecutive slashes ("/") to be present in URL and
# silently removes those extra slashes if present, so a URL
# "/jct/a//b.html" becomes "/jct/a/b.html"
# or
# "/jct//a////b.html" becomes "/jct/a/b.html"
# but with this below option set to "yes|true", extra slashes will not be removed i.e.
# "/jct/a//b.html" or "/jct//a////b.html" will be sent to backend as it is.
#
# NOTE(review): every other boolean in this file is written yes/no; the text
# above documents "yes|true" as accepted, so "no" would presumably keep one
# spelling -- confirm the parser accepts it before changing.
allow-extra-slashes-in-urls = false


#
# The maximum number of bytes which may be returned from the 'file cat'
# server task command.
#
max-file-cat-command-length = 4096

# The auth-challenge-type contains a comma separated list of
# authentication types which will be used when challenging a
# client for authentication information. The supported authentication
# types include:
# ba, forms, spnego, token, cert and eai.
#
# The corresponding authentication configuration entry (e.g. ba-auth)
# must be enabled for each specified authentication challenge type.
#
# By default the list of authentication challenge types will match that
# of the list of configured authentication mechanisms.
#
# Each authentication type can additionally be configured with a set of rules.
# These rules are used to determine the user agents for which the
# authentication type is enabled. Each set of rules must be contained within
# square brackets and separated by semicolons. Each pattern must begin with
# a '+' or '-' character to indicate inclusion or exclusion respectively.
# Patterns can contain alphanumeric characters, spaces, underscores and
# periods. The wildcard characters '*' and '?' can also be used.
#
# For example:
#
# auth-challenge-type = [+*MSIE*]ba, [-*MSIE*;+*]forms
#
# This configuration will present a basic authentication challenge to user
# agents containing 'MSIE' (Internet Explorer browsers) and a forms based
# challenge to all other user agents. See the WebSEAL administration guide
# for further information.
#
# Do not use authentication challenge types as a security or enforcement
# measure. If no challenge types can be determined for a given user agent
# string, WebSEAL will fall back to the list of all configured authentication
# mechanisms.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [server:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
# auth-challenge-type =

#
# The maximum number of concurrent threads which can be consumed
# by a single user session before warning messages are generated. WebSEAL
# will continue to process requests for this session until the corresponding
# hard-limit is reached.
#
# concurrent-session-threads-soft-limit = 5

#
# The maximum number of concurrent threads which can be consumed
# by a single user session. Once the thread limit for the user session has
# been reached the request will not be processed by WebSEAL and an error
# will be returned to the client.
#
# If no value is specified for this configuration item there will be no
# limit to the number of concurrent threads that a user session can
# consume.
#
# NOTE(review): both per-session limits are commented out, so one session can
# consume worker threads without bound (worker-threads = 300 above); consider
# setting the hard limit if thread exhaustion by a single session is a concern.
# concurrent-session-threads-hard-limit = 10

#
# WebSEAL normally reduces the timeout for connection I/O based on the
# number of active worker threads, and how many requests have been processed
# on the connection. The following configuration item can be used to
# disable this automatic timeout reduction.
#
# disable-timeout-reduction = no

# This configuration option allows you to disable HTTP Keep-Alives for
# responses >= 2GB sent back to Internet Explorer 6 client browsers. The
# primary purpose of this is to allow WebSEAL to mimic the IIS workaround
# published at:
# http://support.microsoft.com/kb/298618
#
# This will enable clients using Microsoft Internet Explorer 6.0 to download
# files greater than 2GB, but less than 4GB.
enable-IE6-2GB-downloads = no

#
# The following configuration entry controls whether the negotiate and ntlm
# www-authenticate headers will be removed from the responses which are received
# from junctioned servers.
#
strip-www-authenticate-headers = yes

#
# The following configuration entry is used to control whether unsolicited
# authentication requests are allowed. If set to 'no' a login will only
# be allowed if WebSEAL first returns a login form to the client.
#
# NOTE(review): with 'yes' a login can be submitted without WebSEAL having
# served the form first; 'no' is the stricter option described above. Confirm
# no client flow depends on unsolicited logins before changing it.

allow-unsolicited-logins = yes

# Buffer size for reading from and writing to a client.
io-buffer-size = 16384

#
# The maximum number of consecutive 302 redirects that
# will be followed internally before WebSEAL concedes and
# passes the response back to the client. A value of 0
# indicates that all 302 redirects will be sent back to the
# client for processing.
#
maximum-followed-redirects = 0

#
# WebSEAL is capable of examining 302 responses and processing the redirects
# internally if they are destined for the current server using the same
# protocol. This configuration entry controls the requests for which this
# redirect functionality is enabled. A case-sensitive comparison will be made
# between the configuration entry and the HTTP request line. Shell-style
# pattern matching for '*', '?', '\' and '[]' can be used in the comparison
# (excluding special match strings).
#
# Special match strings:
# - "!LRR!" will match any request resulting in a Local Response Redirect
# action occurring.
# - "!REPLAY!" will match any redirection to replay a URL that was interrupted
# by a successful authentication.
#
# Multiple patterns can be specified by including multiple configuration
# entries of the same name.
#
# Example:
# follow-redirects-for = GET /jct/index.html *
# follow-redirects-for = !LRR!
# Left empty and maximum-followed-redirects = 0: no redirects are followed internally.
follow-redirects-for =

########
# HTTP/2 enablement for main (default) interface to browsers.
#
# Enable/disable HTTP/2 encoded connections from browsers.
# This setting only affects the "default" interface defined in this stanza.
#
# HTTP/2 supports a reduced set of cipher suites. The minimum cipher is
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and this is not included in the
# set of ciphers specified by the 'AES-128' cipher alias. In order to add
# support for this cipher the following entry must be added as the first entry
# within the ssl-qop-mgmt-default configuration stanza:
# default = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# NOTE(review): the http2-* entries below are inert while this is "no".
enable-http2 = no

# HTTP/2: maximum number of network connections from HTTP/2 enabled browsers.
# This is per interface/port (http and https), so if both http and https
# are enabled then the total max connections would be double this.
# This setting only affects the "default" interface defined in this stanza.
http2-max-connections = 200

# HTTP/2: maximum size in bytes that WebSEAL will accept for header compression
# table (RFC 7541). There is one table per HTTP/2 network connection.
http2-header-table-size = 4096

# HTTP/2: maximum number of simultaneous multiplexed streams WebSEAL will accept
# per HTTP/2 network connection. A value of -1 denotes the unlimited setting
# and is not recommended in a production WebSEAL environment as memory use in
# WebSEAL would be unbounded.
# This setting only affects the "default" interface defined in this stanza.
# Notes:
# - Each stream will have a 'http2-initial-window-size' byte buffer.
# - Each stream will need a worker-thread to process the one request/response
# sent over it before it is ended.
http2-max-concurrent-streams = 100

# HTTP/2: maximum number of unacknowledged bytes WebSEAL can accept per active
# multiplexed stream. WebSEAL will create an in-memory buffer to hold this
# many bytes for each active multiplexed stream.
# This setting only affects the "default" interface defined in this stanza.
http2-initial-window-size = 65535

# HTTP/2: maximum size of the body of a single HTTP/2 protocol frame sent over
# the HTTP/2 network connection.
# This setting only affects the "default" interface defined in this stanza.
http2-max-frame-size = 16384

# HTTP/2: maximum size of headers that can be sent in a request on a HTTP/2
# stream. A value of -1 denotes the unlimited setting and is not recommended in a
# production WebSEAL environment as memory use in WebSEAL would be unbounded.
# If not set it will default to the value of [server] max-client-read.
# This setting only affects the "default" interface defined in this stanza.
http2-max-header-list-size = 32768

# HTTP/2: maximum duration in seconds for an HTTP/2 connection. The connection
# will be closed if this limit is reached.
# This setting applies to HTTP/2 connections for all interfaces.
http2-max-connection-duration = 120

# HTTP/2: Amount of time the HTTP/2 connection can be idle (not processing any
# requests). The connection will be closed if it is idle for this time.
# This setting applies to HTTP/2 connections for all interfaces.
http2-idle-timeout = 20


[process-root-filter]
# This stanza is only used if process-root-requests = filter
# Request URLs starting with the following patterns will be processed at the
# root junction before attempting to remap the requests to a new junction point.
# Format is
# root = <pattern>
# where <pattern> is a standard WebSEAL wildcard pattern.
#
# NOTE(review): [server] currently sets process-root-requests = always, so
# these two patterns have no effect until that entry is changed to "filter".
root = /index.html
root = /cgi-bin*

[validate-headers]
# This stanza is used to list those headers which should be validated
# on each request. The format of each configuration entry is:
#
# <hdr> = <value>
#
# For example to ensure all requests are from www.ibm.com set:
#
# host = www.ibm.com
#
# If multiple headers of the same name are configured, the corresponding
# header in the request must match one of the configured values.
#
# NOTE(review): no header is validated in this configuration. A
# 'host = <expected host name>' entry (one per served host name) would make
# requests carrying an unexpected Host header fail validation; every virtual
# host name in use must then be listed, or legitimate requests are refused.

748###############################
749# WEBSEAL INTERFACES
750###############################
[interfaces]
# The values from:
# [server]
# network-interface
# always-neg-tls
# http
# http-port,
# web-http-port,
# web-http-protocol,
# https,
# https-port,
# worker-threads
# enable-http2
# http2-max-connections
# http2-header-table-size
# http2-max-concurrent-streams
# http2-initial-window-size
# http2-max-frame-size
# http2-max-header-list-size
# [ssl]
# webseal-cert-keyfile-label
# [certificate]
# accept-client-certs
# secondary-port
# are used to create the "default" interface.
#
# This stanza allows additional interfaces to be configured.
#
# The format of each interfaces entry is:
#
# <interfaceName> = <interfaceOptions>
# <interfacesOptions> = <Option>=<Value>[;<Option>=<Value>[;...]]
#
# Leading and Trailing Spaces surrounding <Option>, <Value> are ignored.
# If leading or trailing spaces are required then the <Value> may be placed
# in double quotes (").
# If a double quote ("), semicolon (;), or backslash (\) character is required
# in the <Value> then this character must be prefixed by a backslash (\).
#
# <Option>=<Value> can be selected from:
# network-interface=<ipAddress>
# always-neg-tls=yes|no
# http-port=<port> | "disabled"
# https-port=<port> | "disabled"
# web-http-port=<port> | "disabled"
# web-http-protocol="http" | "https"
# certificate-label=<keyFileLabel>
# accept-client-certs="never" | "required" | "optional" |
# "prompt_as_needed" | "critical"
# secondary-port=<port>
# worker-threads=<count> | "default"
# enable-http2=yes|no
# http2-max-connections=<number>
# http2-header-table-size=<number>
# http2-max-concurrent-streams=<number>
# http2-initial-window-size=<number>
# http2-max-frame-size=<number>
# http2-max-header-list-size=<number>
#
# Defaults for <interfaceOptions> if they are not present:
# network-interface 0.0.0.0
# always-neg-tls no
# worker-threads "default"
# http-port "disabled"
# web-http-port "disabled"
# web-http-protocol "http"
# https-port "disabled"
# certificate-label Uses key marked as default in key file.
# accept-client-certs "never"
# secondary-port 0
# enable-http2 no
# http2-max-connections 200
# http2-header-table-size 4096
# http2-max-concurrent-streams 100
# http2-initial-window-size 65535
# http2-max-frame-size 16384
# http2-max-header-list-size max-client-read
#
# The following example configures an interface that only listens for http
# requests on address 10.0.0.1 port 81 (the https-port defaulted to "disabled").
#
# interface1 = network-interface=10.0.0.1; http-port=81
#
# NOTE(review): no additional interface is defined in this configuration, so
# only the "default" interface built from the values listed above is active.
# If one is added, remember the defaults: network-interface 0.0.0.0 (every
# address), http-port enabled only if set, accept-client-certs "never".
# Set network-interface explicitly for any listener that must not be
# reachable on every address of the machine, and prefer https-port over
# http-port for anything carrying credentials.

834
835###############################
836# HTTP Header Names
837###############################
[header-names]

#
# This stanza controls the addition of HTTP headers into the request which is
# passed to junctioned applications. Each entry within the stanza will be of
# the format:
# <header-data> = [+]<header-name>
#
# where:
# <header-data> : the type of data which will be inserted.
# <header-name> : the name of the HTTP header which will hold the data. The
# header-name can be prefixed with the '+' character if you
# wish to append to any existing header instead of
# overwriting the existing header.
#
# The <header-data> may be one of the following values:
#
# server-name : The ISAM authorization server name for the WebSEAL server.
# This is the name which is used in the "server task"
# commands.
# client-ip-v4 : The IPv4 address of the client of this request.
# client-ip-v6 : The IPv6 address of the client of this request.
# client-port : The port which is used by the client of this request.
# Please note that this is the client source port, and not
# the destination port.
# host-name : The host name of the WebSEAL server. The host name will
# be obtained from the web-host-name configuration entry
# within the [server] stanza (if specified), or the host
# name of the machine itself.
# httphdr{<name>} : A HTTP header from the request, as specified by the <name>
# field. If the HTTP header is not found in the request
# the value contained within the [server]
# tag-value-missing-attr-tag configuration entry will be
# used as the value for the header.
#
# For example:
# client-ip-v4 = +X-Forwarded-For
# httphdr{host} = X-Forwarded-Host
# host-name = X-Forwarded-Server
#
# NOTE(review): a junctioned application can only trust these headers if it
# is reachable exclusively through WebSEAL; otherwise a direct client can
# forge them. With the '+' form WebSEAL appends to a header the client may
# already have sent (a client-supplied X-Forwarded-For, for instance), so
# the WebSEAL-added value is the last one and a backend must not simply take
# the first; without '+' any client-supplied header of that name is
# overwritten. Only server-name is inserted in this configuration.

server-name = iv_server_name

[rsp-header-names]

#
# This stanza is used to define static HTTP headers which will be added
# to every HTTP response from the WebSEAL server. This will provide the
# administrator with the ability to insert some standard security headers
# into the response, such as strict-transport-security,
# content-security-policy and x-frame-options.
#
# Please note that the headers which are defined in this stanza will replace
# any matching headers which might have been added to the response by a
# junctioned application.
#
# If multiple headers of the same name are specified in this stanza all
# but the last of the matching entries will be ignored.
#
# The format of each entry in this stanza is:
# <header-name> = <header-value>
#
# For example,
# strict-transport-security = max-age=31536000; includeSubDomains
#
# A special <header-value> of '%SESSION_EXPIRY%' can be used to
# designate a header which will contain the remaining length of time, in
# seconds, before the current local session expires. This value does not
# include the overall session timeout for sessions which are managed by
# the distributed session cache (DSC), but just the length of time before
# the session expires in the local cache.
#
# For example:
# session-timeout = %SESSION_EXPIRY%
#
# NOTE(review): because a header set here replaces the same header from the
# junctioned application, a single site-wide content-security-policy or
# x-frame-options value would silently override any per-application value a
# backend sends; add them here only when one policy fits every junction.
#
# HSTS: a one-year max-age with includeSubDomains commits every subdomain of
# the served host name(s) to HTTPS in the browser for a year as well; make
# sure no plain-HTTP subdomain must remain reachable. The ';' is part of the
# header value here (the stanza's own example above uses the same form).
strict-transport-security = max-age=31536000; includeSubDomains

914###############################
915# LDAP
916###############################
[ldap]
# prefer-readwrite-server - yes|no Indicates whether to select writable
# LDAP server when available
# auth-using-compare - yes|no Indicates whether to perform
# authentication using LDAP bind or comparing password
# bind-dn - Indicates the Distinguished Name of the daemon
# (set by configuration)
# ssl-enabled - yes|no Indicates whether SSL is enabled (set
# by configuration)
# ssl-keyfile - Indicates filename of SSL keyfile (set by
# configuration)
# ssl-keyfile-dn - Indicates the certificate label in the SSL
# keyfile, if any (set by configuration)
# default-policy-override-support
# - yes|no When "yes", no user Policy will
# be checked, only the default Policy is checked
# (saves some LDAP searches)
# user-and-group-in-same-suffix
# - yes|no When "yes", indicates that the groups are
# defined in the same LDAP suffix as the user
# (saves some LDAP searches)
# login-failures-persistent
# - yes|no When "yes", login strikes will be tracked
# in the registry instead of only in the local
# process cache. Persistent login strike recording
# is more expensive but allows consistent login
# strike counting across multiple servers.
# cache-enabled - yes|no Indicates whether to enable the local
# LDAP cache
#
# cache-enabled related configuration settings:
#
# cache-user-size - (optional) The number of entries in the LDAP user
# cache. Ignored if the cache is not enabled. If
# not set, the default is 256.
# cache-group-size - (optional) The number of entries in the LDAP group
# cache. Ignored if the cache is not enabled. If
# not set, the default is 64.
# cache-policy-size - (optional) The number of entries in the LDAP policy
# cache. Ignored if the cache is not enabled. If
# not set, the default is 20.
# cache-user-expire-time - (optional) The amount of time (in seconds) until a
# user entry in the cache is considered stale and is
# discarded. Ignored if the cache is not enabled.
# If not set, the default is 30 seconds.
# cache-group-expire-time - (optional) The amount of time (in seconds) until a
# group entry in the cache is considered stale and is
# discarded. Ignored if the cache is not enabled.
# If not set, the default is 300 seconds (5 minutes).
# cache-policy-expire-time
# - (optional) The amount of time (in seconds) until a
# policy entry in the cache is considered stale and is
# discarded. Ignored if the cache is not enabled.
# If not set, the default is 30 seconds.
# cache-group-membership - (optional) Indicates whether group membership
# information should be cached. Ignored if the cache
# is not enabled. If not set, the default is yes.
# cache-use-user-cache - (optional) Indicates whether to use the user cache
# information or not. Ignored if the cache is not
# enabled. If not set, the default is yes.
# cache-return-registry-id -(optional) Indicates whether to cache the user
# identity as it is stored in the registry or cache
# the value as entered during authentication.
# Ignored if the cache is not enabled.
# If not set, the default is no.
# enhanced-pwd-policy - (optional) If set to yes then additional status
# information for the LDAP registries own password
# policy enforcement is acquired and reported to
# this TAM application during login and password
# change operations.
# This option must be enabled for [acnt-mgt]
# enable-passwd-warn to function.
# enable-last-login - (optional) Indicates whether to enable recording
# of the last time each user logs in to LDAP. If
# enabled then it must be enabled in all TAM
# applications to ensure the value is captured in
# all cases.

prefer-readwrite-server = no
# NOTE(review): compare-based authentication means WebSEAL does not bind to
# the directory as the user. Whether the registry's own bind-time password
# policy (lockout, expiry) is still applied in that case depends on the
# registry -- confirm before relying on it.
auth-using-compare = yes
# NOTE(review): with ssl-enabled = no the bind-pwd below and every password
# WebSEAL checks against the registry cross the network to the LDAP server
# in clear text. That is only acceptable when the registry is local to this
# appliance or on an isolated network; otherwise set ssl-enabled = yes and
# populate ssl-keyfile with the registry's trust store.
ssl-enabled = no

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

ssl-keyfile =
ssl-keyfile-dn =
#default-policy-override-support = no
#user-and-group-in-same-suffix = yes
# NOTE(review): login-failures-persistent is at its default of "no", so
# login strike counts live only in this process's cache (see the description
# above). With more than one WebSEAL instance, or after a restart, a
# password-guessing client gets the full strike allowance again; set this to
# yes if lockout must be enforced consistently across servers.
#login-failures-persistent = no

cache-enabled = yes

# Cache sizes and expiry times are at their documented defaults. Note the
# 300-second default for cache-group-expire-time: a group-membership change
# made in the registry (e.g. removing a user from a privileged group) can
# take up to 5 minutes to be observed by this instance.
#cache-user-size = 256
#cache-group-size = 64
#cache-policy-size = 20
#cache-user-expire-time = 30
#cache-group-expire-time = 300
#cache-policy-expire-time = 30
#cache-group-membership = yes
#cache-use-user-cache = yes
cache-return-registry-id = no

enhanced-pwd-policy = no
enable-last-login = no

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file. If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.
# NOTE(review): obfuscation is not a substitute for access control; treat
# this file and the obfuscated database as secrets and restrict who can
# read or export them.

bind-pwd = **obfuscated**

1033###############################
1034# SSL
1035###############################
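[ssl]

# This section contains entries that affect the behavior of the SSL
# components of WebSEAL. These will affect both clients connecting
# via SSL as well as SSL junctions to backend systems.
# The first five parameters (webseal-cert-*) relate to the certificate
# keystore WebSEAL uses for exchanging with browsers when negotiating
# SSL sessions.
# WebSEAL certificate keyfile

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

webseal-cert-keyfile = pdsrv.kdb

# The stash file which contains the password used to protect the private
# keys in the keyfile.
# NOTE(review): the stash file is equivalent to knowing the keyfile
# password; whoever can read it together with the keyfile can recover the
# server's private key, so both must stay readable only by WebSEAL itself.

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

webseal-cert-keyfile-stash = pdsrv.sth

# Label of key to use other than the default
# NOTE(review): the label "WebSEAL-Test-Only" denotes the product's test
# certificate. Replace it with a certificate issued by a CA the clients
# trust, for the served host name(s), before this instance faces real users
# (confirm what the label currently refers to in pdsrv.kdb).
webseal-cert-keyfile-label = WebSEAL-Test-Only

# Server Name Indication SNI (optional)
# If a user connects to webseal via TLS over SSL, and the browser supports
# SNI, WebSEAL is capable of sending a server certificate which matches the
# host name used by the browser in the request. The webseal-cert-keyfile-sni
# configuration entry is used to specify the certificate which should be sent
# for a particular host name.
#
# The configuration entry may be specified multiple times, one for each
# host name. The entry should be of the format:
# webseal-cert-keyfile-sni = <host name>:<label>
#
# where:
# host name : Is the name of the host which will be used by the browser
# label : Is the label of the certificate which will be used.
#
webseal-cert-keyfile-sni =

# Selectively disable SSL version support for browser connections.
# SSLv2 and SSLv3 were already disabled. TLS 1.0 and TLS 1.1 are deprecated
# (RFC 8996) and are now disabled as well, so TLS 1.2 is the minimum version
# negotiated with clients. Re-enable an older version only for a documented
# legacy-client requirement. The [junction] stanza carries its own copy of
# these entries for connections to backend servers; it is not affected.
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = yes
disable-tls-v11 = yes
disable-tls-v12 = no

# Session timeout for SSL v2 connections (range: 1-100 secs)
ssl-v2-timeout = 100

# Session timeout for SSL v3 connections (range: 1-86400 secs)
ssl-v3-timeout = 7200

# The maximum number of concurrent entries in the SSL cache
ssl-max-entries = 4096

# CRL Cache configuration.
# When gsk-crl-cache-size and gsk-crl-cache-entry-lifetime are
# both set to zero (which they are by default), CRL Caching will
# be disabled.

# The maximum number of entries in the GSKit CRL cache
# (must be > 0 to initialize CRL Caching)
gsk-crl-cache-size = 0

# Lifetime timeout for individual entries in the GSKit CRL cache
# (range: 0-86400 secs)
gsk-crl-cache-entry-lifetime = 0

# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.
#
# NOTE(review): neither a CRL LDAP server (below) nor an OCSP responder
# (further down, commented out) is configured, so there is no source from
# which the revocation status of a client certificate could be determined.
# If accept-client-certs is anything other than "never" on any interface,
# configure one of the two.

# The CRL LDAP server which is to be used for CRL checking.
crl-ldap-server =

# The port on which the CRL LDAP server is listening.
crl-ldap-server-port =

# The DN of the LDAP user which is to be used.
crl-ldap-user =

# The password of the LDAP user.
# NOTE(review): unlike [ldap] bind-pwd, this entry is not marked as
# obfuscated, so a value set here presumably sits in this file in clear
# text. Prefer an anonymous bind (crl-ldap-user left empty) where the
# directory permits it.
crl-ldap-user-password =

# The following entry allows a pkcs11 key file to be specified. This key file
# will contain the configuration information used to identify and access a
# Network Hardware Security Module (NetHSM).

# The following files are currently available for this configuration entry:
# - <none available>

pkcs11-keyfile =

# To enable PKCS#11 for symmetric algorithms, set
# pkcs11-symmetric-cipher-support to 'yes'.
# NOTE:
# The PCKS#11 symmetric cipher support does not
# include removable devices. If a removable device is encountered
# it will be ignored even if the support has been requested.
# Additionally, not all devices will support symmetric ciphers
# please check your vendor documentation before usage.
#
pkcs11-symmetric-cipher-support = no

# Configure FIPS mode processing. GSKit will not allow it to be
# enabled (set to yes) if base-crypto-library = RSA.
fips-mode-processing = no

# Configure NIST SP800-131A compliance mode. This will have the effect of:
# - enabling FIPS mode processing (over-riding the value of the
# fips-mode-processing configuration entry);
# - enabling TLS V1.2 (over-riding the value of the disable-tls-v12
# configuration entry);
# - enabling the appropriate signature algorithms;
# - setting the minimum RSA key size to 2048 bits.
nist-compliance = no

# The following two options are used to enable OCSP. Either or both can be used.
#ocsp-enable = no
#ocsp-url = <Absolute URL for OCSP responder>

# The following are OCSP options for interacting with the OCSP Responder.
#ocsp-nonce-generation-enable = no
#ocsp-nonce-check-enable = no
#ocsp-retrieve-via-get = no
#ocsp-max-response-size = 20480
#ocsp-proxy-server-name = <proxy host name>
#ocsp-proxy-server-port = <proxy port number>

# If, after OCSP or CRL checking, the revocation status of a browser supplied
# certificate is undetermined, WebSEAL can be configured to ignore this, log
# the fact, or log the fact and reject the connection by setting
# undetermined-revocation-cert-action to "ignore", "log" or "reject"
# respectively.
# NOTE(review): "log" still accepts the certificate. Where a client
# certificate carries authentication weight, "reject" is the safer choice,
# at the cost that an unreachable CRL/OCSP source then blocks those logins.
undetermined-revocation-cert-action = log

# The following configuration item is used to control whether SSL errors
# originating from a connection with a client are logged.
suppress-client-ssl-errors = false

#
# Specify any additional GSKit attributes which should be used when
# initializing an SSL connection with the client. A complete list of
# the available attributes is included in the GSKit SSL API documentation.
#
# The configuration entry may be specified multiple times, one for each
# GSKit attribute. The entry should be of the format:
# gsk-attr-name = <type>:<id>:<value>
#
# - where <type> is one of 'enum', 'string', 'number'
# and <id> corresponds to the identity associated with a GSKit attribute
# (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
#
# An example configuration could be:
# gsk-attr-name = string:225:proxy.ibm.com
#

#
# Specify any additional GSKit attributes which should be used when
# initializing an SSL connection with a junctioned server. A complete list of
# the available attributes is included in the GSKit SSL API documentation.
#
# The configuration entry may be specified multiple times, one for each
# GSKit attribute. The entry should be of the format:
# jct-gsk-attr-name = <type>:<id>:<value>
#
# - where <type> is one of 'enum', 'string', 'number'
# and <id> corresponds to the identity associated with a GSKit attribute
# (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
#
# This configuration item may be customized for a particular junction by
# adding the adjusted configuration item to a [ssl:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
#
# An example configuration could be:
# jct-gsk-attr-name = string:225:proxy.ibm.com
#

# Control whether duplicate SSL warning messages are sent to the WebSEAL
# log file. If this option is set to yes, then if a junction is defined
# with -K and not -D, a warning will be reported every time a connection is
# opened to that junction. This fills up logs, so administrators may want to
# set it to no. If it is set to no, then a single warning will be reported
# at server start.
enable-duplicate-ssl-dn-not-found-msgs = yes
# NOTE(review): the next four entries are not described in this file. Going
# by the listen-interface comment below they appear to configure the
# management SSL listener rather than the browser-facing one -- confirm
# against the Administration Guide before changing them.
ssl-auto-refresh = yes
ssl-listening-port = 7234
ssl-pwd-life = 183
ssl-authn-type = certificate

# We only want to listen on our management interfaces.
listen-interface = 192.168.42.191
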
1241###############################
1242# JUNCTION
1243###############################
1244[junction]
1245
# Location of the Junction to Request Mapping Table (JMT)
# This path is relative to the server-root value in the [server] stanza

# The following files are currently available for this configuration entry:
# - jmt.conf

jmt-map = jmt.conf

# Timeout (in seconds) for sending to and reading from a TCP junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely. This configuration
# item may be customized for a particular junction by adding the adjusted
# configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
# to the junction point for a standard junction (include the leading '/'), or
# the virtual host label for a virtual host junction.
# NOTE(review): keep this non-zero; an indefinite wait lets a hung backend
# hold a worker thread forever.
http-timeout = 120

# Timeout (in seconds) for sending to and reading from an SSL junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely. This configuration
# item may be customized for a particular junction by adding the adjusted
# configuration item to a [junction:{jct_id}] stanza, where '{jct-id}' refers
# to the junction point for a standard junction (include the leading '/'), or
# the virtual host label for a virtual host junction.
https-timeout = 120

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running. This entry sets the interval,
# in seconds, between pings when the server is determined to be running.
# To turn this ping off, set this entry to zero. If this entry is set to zero,
# the recovery-ping-time must be set.
ping-time = 300

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running. This entry sets the interval,
# in seconds, between pings when the server is determined to be not running.
# If this entry is not set, the recovery-ping-time defaults to the ping-time.
#recovery-ping-time = 300

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running. The optional
# ping-method entry sets the HTTP request type used in these pings. A valid
# ping-method is defined by the HTTP/1.1 protocol. If the ping-method is
# invalid or missing, this value defaults to HEAD.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
ping-method = HEAD

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running. The optional ping-uri
# configuration entry defines the URI which will be accessed by the ping
# request. The defined URI should be relative to the root Web space of the
# junctioned Web server. If the URI is missing this value defaults to a value
# of '/'.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
ping-uri = /

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether the junctioned Web server is running. The optional
# ping-response-code-rules configuration entry defines the rules which are used to
# determine whether the HTTP status code of the responses indicate a healthy or
# an unhealthy junctioned Web server.
#
# If valid values are configured for both ping-response-code-rules and
# response-code-rules, the specified ping-response-code-rules will be applied
# to the 'ping' requests initiated by WebSEAL,
# and other requests will be matched against response-code-rules to
# determine the server state.
#
# If a valid ping-response-code-rules value is configured but
# response-code-rules is not, the specified ping-response-code-rules will be applied
# to the 'ping' requests initiated by WebSEAL,
# and other requests will not be used to determine the server state. In this case,
# ping-response-code-rules are the only rules used to determine the server state.
#
# If the ping-response-code-rules configuration entry is not set, the rules that
# are specified by the response-code-rules configuration entry will also apply
# to ping requests.
#
# The configuration entry contains a space separated list of rules. Each rule
# has the format:
# [+|-]<code> (e.g. -50?)
# where:
# +: indicates that this is a healthy response code
# -: indicates that this is an unhealthy response code
# <code>: the corresponding response code, which can also contain pattern
# matching characters (i.e. * ?)
#
# The HTTP response codes will be evaluated against each rule in sequence until
# a match is found. The corresponding code (+|-) will then be used to determine
# whether the junctioned Web server is healthy or not. If the response code
# matches no configured rules the junctioned Web server will be considered to be
# healthy.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
#
# NOTE(review): both ping-response-code-rules (here) and response-code-rules
# (below) are empty. Per the rule description above, a status code that
# matches no rule counts as healthy, so no HTTP status -- not even a steady
# stream of 5xx from the backend -- will mark a junctioned server unhealthy.
# The commented '+2?? -*' example is a reasonable starting point if
# status-based health detection is wanted.
# ping-response-code-rules = +2?? -*
ping-response-code-rules =

# When a response of a client initiated request is returned from the junctioned server,
# the optional response-code-rules configuration entry defines the rules
# which are used to determine from the HTTP status code of the responses
# whether the junctioned Web server is in a healthy or an unhealthy state.
#
# This configuration entry will apply to all requests if the ping-response-code-rules
# configuration entry has not been set, otherwise it will only apply to all client
# initiated requests.
#
# The configuration entry contains a space separated list of rules. Each rule
# has the format:
# [+|-]<code> (e.g. -50?)
# where:
# +: indicates that this is a healthy response code
# -: indicates that this is an unhealthy response code
# <code>: the corresponding response code, which can also contain pattern
# matching characters (i.e. * ?)
#
# The HTTP response codes will be evaluated against each rule in sequence until
# a match is found. The corresponding code (+|-) will then be used to determine
# whether the junctioned Web server is healthy or not. If the response code
# matches no configured rules the junctioned Web server will be considered to be
# healthy.
#
# This configuration item may be customized for a particular junction by adding
# the adjusted configuration item to a [junction:{jct_id}] stanza, where
# '{jct-id}' refers to the junction point for a standard junction (include the
# leading '/'), or the virtual host label for a virtual host junction.
# response-code-rules = +2?? -*
response-code-rules =

# These values will limit the percentage of total worker threads processing
# requests for junctions. The default of 100% means there is no
# limit. When the "soft" limit is reached, WebSEAL will generate a warning
# message. When the "hard" limit is reached, WebSEAL will generate an error
# message and return a 503, "Service Unavailable", result to the client browser
# instead of requesting the resource from the junction.
# This value can be overridden on a per junction basis using pdadmin.
# NOTE(review): at the default of 100 there is no limit, so one slow or hung
# junction can tie up every worker thread configured in [server] and starve
# every other junction and WebSEAL's own pages. A hard limit below 100 -- or
# a per-junction limit via pdadmin on the junctions that matter -- bounds the
# damage a single backend can do.
worker-thread-hard-limit = 100
worker-thread-soft-limit = 90

# Buffer size for reading from and writing to a junction.
io-buffer-size = 16384

# Maximum size, in bytes, of WebSEAL generated HTTP Headers.
# Headers over this size will be split across multiple
# HTTP Headers. A value of "0" disables this support.
max-webseal-header-size = 0
1402
1403#----------------------
1404# SENDING DOMAIN COOKIES
1405#----------------------
1406
1407# If validate-backend-domain-cookies is set to "no", then all Domain set-cookies
1408# will be forwarded to the user, regardless of their content.
1409#
1410# If set to "yes" then Domain set-cookies will be evaluated to ensure that
1411# they adhere to the cookie specification. Set-cookies with Domains that do not
1412# properly match the domain of the origin server will be removed from the
1413# request. Set-cookies that pass the validation will be forwarded to the client.
1414#
1415# Occasionally applications will send set-cookies with a Domain parameter
1416# that contains the FQHN of the origin server. To ensure proper routing,
1417# WebSEAL will remove the Domain from these set-cookies before forwarding
1418# to the client.
1419#
1420# This configuration item may be customized for a particular junction
1421# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
1422# where '{jct-id}' refers to the junction point for a standard junction
1423# (include the leading '/'), or the virtual host label for a virtual host
1424# junction.
1425validate-backend-domain-cookies = yes
1426
1427# If allow-backend-domain-cookies is set to 'no', and
1428# validate-backend-domain-cookies = 'yes', then WebSEAL will remove
1429# the Domain from the set-cookie before forwarding.
1430#
1431# If allow-backend-domain-cookies = yes, then the Domain will not be removed.
1432# In addition, this will affect how WebSEAL filters the Path of set-cookies.
1433# Under certain circumstances, WebSEAL must modify the Path of set-cookies
1434# sent from junctioned origin servers to include the junction point to ensure
1435# that the user-agent will properly send the cookie with requests.
1436# WebSEAL will not do this for Domain set-cookies, because this might preclude
1437# those cookies from being sent to other systems in the domain, so if
1438# allow-backend-domain-cookies is set to 'yes', this Path modification will
1439# not take place for Domain set-cookies.
1440#
1441# This configuration item may be customized for a particular junction
1442# by adding the adjusted configuration item to a [junction:{jct_id}] stanza,
1443# where '{jct-id}' refers to the junction point for a standard junction
1444# (include the leading '/'), or the virtual host label for a virtual host
1445# junction.
1446allow-backend-domain-cookies = no
1447
1448# If validate-backend-domain-cookies is set to "yes", then
1449# support-virtual-host-domain-cookies will modify how WebSEAL validates
1450# the Domain of set-cookies. This option will have no effect if
1451# validate-backend-domain-cookies = no
1452#
1453# If support-virtual-host-domain-cookies is set to "yes" then the domain cookie
1454# will be validated by comparing it with the virtual host specified for a
1455# backend server with the -v junction option.
1456#
1457# If set to "no", or if no virtual host was specified for a junction, then
1458# the FQHN will be compared with the Domain value of a set-cookie for
1459# validation.
1460#
1461# This configuration item may be customized for a particular junction
1462# by adding the adjusted configuration item to a [junction:{jct-id}] stanza,
1463# where '{jct-id}' refers to the junction point for a standard junction
1464# (include the leading '/'), or the virtual host label for a virtual host
1465# junction.
1466support-virtual-host-domain-cookies = yes
1467
1468# The following block of entries enables the configuration of an LDAP
1469# server to be referenced for CRL checking during SSL authentication.
1470# A null value for crl-ldap-user indicates that the SSL authenticator
1471# should bind to the LDAP server anonymously.
1472#crl-ldap-server = <server_name>
1473#crl-ldap-server-port = <port>
1474#crl-ldap-user = <user_DN>
1475#crl-ldap-user-password = <user_password>
1476
1477# The following two options are used to enable OCSP for checking the revocation
1478# status of junction server supplied certificates. Either or both can be used.
1479#jct-ocsp-enable = no
1480#jct-ocsp-url = <Absolute URL for OCSP responder>
1481
1482# The following are OCSP options for interacting with the OCSP Responder.
1483#jct-ocsp-nonce-generation-enable = no
1484#jct-ocsp-nonce-check-enable = no
1485#jct-ocsp-max-response-size = 20480
1486#jct-ocsp-proxy-server-name = <proxy host name>
1487#jct-ocsp-proxy-server-port = <proxy port number>
1488
1489# If, after OCSP checking, the revocation status of a junction server supplied
1490# certificate is undetermined, WebSEAL can be configured to ignore this, log
1491# the fact, or log the fact and reject the connection by setting
1492# jct-undetermined-revocation-cert-action to "ignore", "log" or "reject"
1493# respectively.
# NOTE(review): every crl-ldap-* and jct-ocsp-* entry above is commented out,
# so no revocation checking appears to be configured for junction server
# certificates, and this setting seems to have no effect until OCSP checking
# is enabled. Once it is, "reject" is the fail-closed choice; "log" lets a
# connection proceed on an undetermined status.
1494jct-undetermined-revocation-cert-action = log
1495
1496# Selectively disable SSL version support for junction connections
1497disable-ssl-v2 = yes
1498disable-ssl-v3 = yes
# NOTE(review): TLS 1.0 and 1.1 are still enabled for junction connections
# below. Both are deprecated protocol versions; set disable-tls-v1 and
# disable-tls-v11 to 'yes' once every junctioned server negotiates TLS 1.2
# (confirm back-end support first, otherwise junctions to servers that only
# speak the older versions may stop working).
1499disable-tls-v1 = no
1500disable-tls-v11 = no
1501disable-tls-v12 = no
1502
1503# Configure NIST SP800-131A compliance mode. This will have the effect of:
1504# - enabling FIPS mode processing (over-riding the value of the
1505# fips-mode-processing configuration entry);
1506# - enabling TLS V1.2 (over-riding the disable-tls-v12 configuration entry);
1507# - enabling the appropriate signature algorithms;
1508# - setting the minimum RSA key size to 2048 bits.
1509jct-nist-compliance = no
1510
1511# The next configuration options allow a separate keyfile to be used
1512# for Junction SSL operations rather than sharing the one specified in
1513# the [ssl] stanza.
1514# The keyfile database which is to be used for Junction SSL operations.
1515
1516# The following files are currently available for this configuration entry:
1517# - pdsrv.kdb
1518# - lmi_trust_store.kdb
1519# - rt_profile_keys.kdb
1520# - embedded_ldap_keys.kdb
1521
1522jct-cert-keyfile =
1523
1524# The name of the file to which the password for the SSL Junction key file is
1525# stashed.
1526
1527# The following files are currently available for this configuration entry:
1528# - rt_profile_keys.sth
1529# - lmi_trust_store.sth
1530# - embedded_ldap_keys.sth
1531# - pdsrv.sth
1532
1533jct-cert-keyfile-stash =
1534
1535# When jct-ssl-reneg-warning-rate is set to a value greater than zero, WebSEAL
1536# will output a warning message if the SSL session renegotiation rate between
1537# junction servers and WebSEAL reaches this level or greater. The value is
1538# specified as the number of renegotiations per minute.
1539jct-ssl-reneg-warning-rate = 0
1540
1541# When use-new-stateful-on-error is set to yes WebSEAL will choose a new
1542# stateful junction server for a user if the current one fails. When it is
1543# set to no, WebSEAL will not choose a new stateful junction server for a
1544# user, instead it returns an error and future requests by the user will keep
1545# attempting to use this same stateful junction server (until the user
1546# restarts their browser or the junction server is deleted).
1547#
1548# This configuration item may be customized for a particular junction by adding
1549# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1550# '{jct-id}' refers to the junction point for a standard junction (including
1551# the leading '/'), or the virtual host label for a virtual host junction.
1552use-new-stateful-on-error = no
1553
1554# When dont-reprocess-jct-404s = yes, WebSEAL will return 404 responses
1555# from junctions directly to clients. When set to no, WebSEAL will
1556# assume the 404 is due to an unfiltered server relative link and
1557# will try to fix the problem by prepending a junction point to the URL
1558# in the request and sending the request again. Setting this value to
1559# "no" provides backwards compatibility with TAM 5.1.
1560dont-reprocess-jct-404s = yes
1561
1562# The following configuration item can be set to yes to avoid multiple
1563# attempts to prepend a junction point to the beginning of the URL string
1564# when reprocessing requests as a result of an HTTP 404 status code.
1565# To cause requests for root junction resources, that result in an HTTP 404
1566# error, to be reprocessed, set this configuration entry to 'yes'.
1567reprocess-root-jct-404s = no
1568
1569# When pass-http-only-cookie-attr is set to 'yes' it will allow WebSEAL to pass
1570# the HttpOnly attribute from Junction Set-Cookie headers through to clients.
1571# When set to 'no' the HttpOnly attribute will be discarded.
1572pass-http-only-cookie-attr = yes
1573
1574# Compatibility option to also mangle junction names into domain set cookies.
1575# When several junctioned servers set domain cookies with the same name and
1576# same path, the browser will overwrite the values to the last one set. This
1577# is the expected behavior for domain cookies, but before WebSEAL 5.1, it was
1578# possible to use WebSEAL cookie mangling to prevent it. When set to "yes"
1579# the pre-5.1 behavior is enabled.
1580mangle-domain-cookies = no
1581
1582# Option to use the client's current IP address, rather than one cached in
1583# the credentials at authentication time, for the value passed in a header
1584# to junctions created with the -r option.
1585insert-client-real-ip-for-option-r = no
1586
1587# The maximum number of persistent connections which will be stored in the
1588# cache for future use. Connections with junctioned Web servers will be
1589# cached for future use unless the configured limit is reached, or the
1590# 'connection: close' header is received in the HTTP response. Please note
1591# that if enabled there is the potential for different user sessions to use
1592# the same connection when processing requests. To disable the persistent
1593# connection functionality simply specify a max-cached-persistent-connections
1594# value of 0.
1595#
1596# This configuration item may be customized for a particular junction by adding
1597# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1598# {jct-id} refers to the junction point for a standard junction (including
1599# the leading '/'), or the virtual host label for a virtual host junction.
1600max-cached-persistent-connections = 0
1601
1602# The maximum number of seconds a persistent connection can remain idle in our
1603# cache before the connection is cleaned up and closed by WebSEAL. This value
1604# should be lower than the configured maximum connection lifetime for the
1605# junctioned Web server. This behaviour is controlled for the Apache Web
1606# server, as an example only, by the KeepAliveTimeout configuration entry.
1607#
1608# This configuration item may be customized for a particular junction by adding
1609# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1610# {jct-id} refers to the junction point for a standard junction (including
1611# the leading '/'), or the virtual host label for a virtual host junction.
1612persistent-con-timeout = 5
1613
1614# The managed-cookies-list contains patterns that will be matched
1615# against the names of cookies returned by junctioned servers to determine
1616# whether the cookie should be stored in the WebSEAL cookie jar.
1617# Items in the managed-cookies-list should be comma separated and there should
1618# be no white space separating cookie names. The WebSEAL cookie jar is turned
1619# off by not specifying any cookies in the managed-cookies-list.
1620#
1621# This configuration item may be customized for a particular junction
1622# by adding the adjusted configuration item to a [junction:{jct-id}] stanza,
1623# where '{jct-id}' refers to the junction point for a standard junction
1624# (include the leading '/'), or the virtual host label for a virtual host
1625# junction.
1626#managed-cookies-list = JSESS*,Ltpa*
1627
1628# The share-cookies item is used to control sending of cookies contained in the
1629# WebSEAL cookie jar between different junctions. If share-cookies = true, all
1630# cookies in the WebSEAL cookie jar which match the request will be sent across
1631# the junction. If share-cookies = false only cookies received from the junction
1632# will be sent in requests to that junction.
1633share-cookies = false
1634
1635# The reset-cookies-list contains patterns that will be matched
1636# against the names of cookies returned by junctioned servers, or provided
1637# by the client, to determine whether the cookie should be reset during a
1638# user session logout. Items in the reset-cookies-list should be comma
1639# separated without any white space.
1640#
1641# This configuration item may be customized for a particular junction
1642# by adding the adjusted configuration item to a [junction:{jct-id}] stanza,
1643# where '{jct-id}' refers to the junction point for a standard junction
1644# (include the leading '/'), or the virtual host label for a virtual host
1645# junction.
1646# reset-cookies-list = JSESS*,Ltpa*
1647
1648# If dynamic-addresses is set to "no" the junction server host name will
1649# be resolved to its corresponding IP address and this address will then
1650# be used for subsequent communication with the junction server.
1651#
1652# If set to "yes" the junction server host name will be resolved to its
1653# corresponding IP address immediately before any communication with the
1654# junction server.
1655#
1656# This configuration item may be customized for a particular junction
1657# by adding the adjusted configuration item to a [junction:{jct-id}] stanza,
1658# where '{jct-id}' refers to the junction point for a standard junction
1659# (include the leading '/'), or the virtual host label for a virtual host
1660# junction.
1661dynamic-addresses = no
1662
1663# If the dynamic-addresses configuration entry has been set to yes this
1664# configuration entry will specify the length of time (in seconds) that
1665# a resolved IP address can be used before it is discarded and another
1666# name resolution is attempted (time-to-live).
1667#
1668# This configuration item may be customized for a particular junction
1669# by adding the adjusted configuration item to a [junction:{jct-id}] stanza,
1670# where '{jct-id}' refers to the junction point for a standard junction
1671# (include the leading '/'), or the virtual host label for a virtual host
1672# junction.
1673dynamic-addresses-ttl = 0
1674
1675#
1676# WebSEAL can be used to serve pages from a local web server via local
1677# junctions. If local junctions are not used, the functionality can be
1678# disabled with this configuration item.
1679#
1680disable-local-junctions = no
1681
1682#
1683# Two separate junction tables are managed by WebSEAL, one for virtual host
1684# junctions, and the other for standard junctions. When a request is
1685# received the VHJ table is searched first, and if no match is found the
1686# table which manages the standard junctions is then searched. The following
1687# configuration item is used to reverse the search order so that the table
1688# which manages the standard junctions is searched before the VHJ table.
1689#
1690match-vhj-first = yes
1691
1692# The following configuration entry is used to control whether the learning
1693# capability is enabled for GSO junctions or not. If learning is enabled,
1694# and existing credential information is not available for the user, the
1695# BA prompt will be returned to the user. The credential information
1696# for the user will then be stored for future use on a subsequent
1697# successful authentication. An authentication is deemed to be
1698# successful if the junctioned Web server does not return a
1699# 4xx or 5xx response.
1700gso-credential-learning = no
1701
1702# The following configuration entry is used to define the key which is used
1703# to obfuscate the credential information which is managed by the GSO Web
1704# service. If no key is defined the credential information will not be
1705# obfuscated by WebSEAL.
1706# gso-obfuscation-key =
1707
1708#----------------------
1709# KERBEROS SSO JUNCTIONS
1710#----------------------
1711
1712# This configuration entry controls whether Kerberos single-sign-on
1713# authentication is enabled on junctions.
1714# This configuration item may be customized for a particular junction by adding
1715# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1716# '{jct-id}' refers to the junction point for a standard junction (include the
1717# leading '/'), or the virtual host label for a virtual host junction.
1718kerberos-sso-enable = false
1719
1720# The name of the Kerberos key table file for the WebSEAL server. This stanza
1721# entry is required when Kerberos SSO authentication for junctions is enabled.
1722# The keytab file must contain the key for the service-principal-name (SPN)
1723# used for Kerberos authentication.
1724
1725# The following files are currently available for this configuration entry:
1726# - <none available>
1727
1728kerberos-keytab-file =
1729
1730# The Kerberos SPN, used as the impersonating user when creating the token. The
1731# service principal name can be determined by executing the Microsoft utility
1732# setspn (that is, setspn -L user, where user is the identity of the WebSEAL
1733# account).
1734#
1735# Format is:
1736# kerberos-principal-name = HTTP/<username>@<realm>
1737#
1738# This stanza entry is required when Kerberos SSO authentication for junctions
1739# is enabled.
1740kerberos-principal-name = <principal-name>
1741
1742# The Kerberos SPN for the back-end Web server. The service principal name can
1743# be determined by executing the Microsoft utility setspn (that is, setspn -L
1744# user, where user is the identity of the back-end Web server's account).
1745# This configuration item may be customized for a particular junction by adding
1746# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1747# '{jct-id}' refers to the junction point for a standard junction (include the
1748# leading '/'), or the virtual host label for a virtual host junction.
1749#
1750# Format is:
1751# kerberos-service-name = HTTP/<username>@<realm>
1752#
1753# This stanza entry is required when Kerberos SSO authentication for junctions
1754# is enabled.
1755kerberos-service-name = <principal-name>
1756
1757# This boolean value is used to indicate whether a security token should be
1758# sent for every HTTP request, or whether WebSEAL should wait for a 401
1759# response from the back-end Web server before adding the security token. This
1760# configuration item is used to avoid the unnecessary overhead of generating
1761# and adding a security token to every request if the back-end Web server is
1762# capable of maintaining user sessions.
1763# This configuration item may be customized for a particular junction by adding
1764# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1765# '{jct-id}' refers to the junction point for a standard junction (include the
1766# leading '/'), or the virtual host label for a virtual host junction.
1767# This stanza entry is required when Kerberos SSO authentication for junctions
1768# is enabled.
1769always-send-kerberos-tokens = false
1770
1771# This entry overwrites the UPN (or sections of the UPN) for Kerberos SSO users.
1772# The replacement information can be direct text or names of credential
1773# attributes.
1774# <text>: directly copied into the UPN sections
1775# attr:<name>: fetches the replacement text from the "name" credential
1776# attribute
1777#
1778# The domain information can also be extracted from the dc elements of the
1779# user's dn via the attribute "attr:dn".
1780# If no user name is defined, the client credential name is used.
1781# If no domain is defined, the WebSEAL service account domain is used.
1782# Defining a domain without a user name must be prepended with '@'. The domain
1783# is case sensitive and must be upper case. The domain must be added as a realm
1784# to the Kerberos Configuration.
1785#
1786# Format is:
1787# kerberos-user-identity = <username>@<realm>
1788# kerberos-user-identity = <username>
1789# kerberos-user-identity = @<realm>
1790# kerberos-user-identity = <upn>
1791#
1792# This configuration item may be customized for a particular junction by adding
1793# the adjusted configuration item to a [junction:{jct-id}] stanza, where
1794# '{jct-id}' refers to the junction point for a standard junction (include the
1795# leading '/'), or the virtual host label for a virtual host junction.
1796kerberos-user-identity =
1797
1798#---------------------
1799# HTTP/2 FOR JUNCTIONS
1800#---------------------
1801#
1802# HTTP/2 protocol settings for connections to junction servers and connections
1803# to proxy servers used to access junction servers. These HTTP/2 configuration
1804# items may be customized for a particular junction by adding the adjusted
1805# configuration item to a [junction:{jct-id}] stanza, where '{jct-id}' refers
1806# to the junction point for a standard junction (include the leading '/'), or
1807# the virtual host label for a virtual host junction.
1808
1809# HTTP/2: maximum size in bytes that WebSEAL will accept in the header compression
1810# table (RFC 7541) from the junction and proxy servers. There is one table per
1811# HTTP/2 network connection.
1812http2-header-table-size = 4096
1813
1814# HTTP/2: maximum number of unacknowledged bytes WebSEAL can accept per active
1815# multiplexed stream to the junction and proxy servers. WebSEAL will create an
1816# in-memory buffer to hold this many bytes for each active multiplexed stream.
1817http2-initial-window-size = 65535
1818
1819# HTTP/2: maximum size of the body of a single HTTP/2 protocol frame sent over
1820# the HTTP/2 network connection.
1821http2-max-frame-size = 16384
1822
1823# HTTP/2: maximum size of headers that can be received in a response over a HTTP/2
1824# stream. A value of -1 denotes the unlimited setting allowing its memory use in
1825# WebSEAL to be unbounded.
1826http2-max-header-list-size = 32768
1827
1828# The following configuration item is contained within the obfuscated
1829# database and as such is obfuscated within this file. If the value is
1830# modified within this configuration file the corresponding change will
1831# be applied to the obfuscated database.
1832
1833basicauth-dummy-passwd = **obfuscated**
1834
1835
1836[query-contents]
1837#----------------------
1838# QUERY CONTENTS
1839#----------------------
1840
1841# When this option is enabled then the query string sent to the query contents
1842# CGI on junctions will be a uri encoded UTF-8 string. In addition a
1843# x-query-contents-uriencoded header is sent with the value "yes". This
1844# option is to aid in supporting non-ASCII locales.
1845query-contents-uriencoded = no
1846
1847
1848[illegal-url-substrings]
1849#----------------------
1850# ILLEGAL URL SUBSTRINGS
1851#----------------------
1852# WebSEAL will block HTTP requests with any of the substrings from this
1853# list in the URL.
1854#
1855# Format is:
1856# substring = <STRING>
1857#
# NOTE(review): this is a coarse substring blocklist, not a substitute for
# input validation and output encoding on the junctioned applications. The
# matching rules (case handling, whether the URL is decoded first) are not
# stated here; confirm them in the WebSEAL documentation before relying on
# this entry.
1858substring = <script
1859
1860
1861[filter-url]
1862#----------------------
1863# DOCUMENT FILTERING
1864#----------------------
1865# URL attributes that the server will filter in responses from
1866# junctioned servers.
1867# Format is <TAG> = <ATTRIBUTE>
1868A = HREF
1869APPLET = CODEBASE
1870AREA = HREF
1871BASE = HREF
1872BGSOUND = SRC
1873BLOCKQUOTE = CITE
1874BODY = BACKGROUND
1875DEL = CITE
1876DIV = EMPTYURL
1877DIV = IMAGEPATH
1878DIV = URL
1879DIV = VIEWCLASS
1880EMBED = PLUGINSPAGE
1881EMBED = SRC
1882FORM = ACTION
1883FRAME = LONGDESC
1884FRAME = SRC
1885HEAD = PROFILE
1886IFRAME = LONGDESC
1887IFRAME = SRC
1888ILAYER = BACKGROUND
1889ILAYER = SRC
1890IMG = SRC
1891IMG = LOWSRC
1892IMG = LONGDESC
1893IMG = USEMAP
1894IMG = DYNSRC
1895INPUT = SRC
1896INPUT = USEMAP
1897INS = CITE
1898ISINDEX = ACTION
1899ISINDEX = HREF
1900LAYER = BACKGROUND
1901LAYER = SRC
1902LINK = HREF
1903LINK = SRC
1904OBJECT = CODEBASE
1905OBJECT = DATA
1906OBJECT = USEMAP
1907Q = CITE
1908SCRIPT = SRC
1909TABLE = BACKGROUND
1910TD = BACKGROUND
1911TH = BACKGROUND
1912TR = BACKGROUND
1913WM:CALENDARPICKER = FOLDERURL
1914WM:CALENDARPICKER = IMAGEPREVARROW
1915WM:CALENDARPICKER = IMAGENEXTARROW
1916WM:CALENDARVIEW = FOLDERURL
1917WM:MESSAGE = DRAFTSURL
1918WM:MESSAGE = URL
1919WM:NOTIFY = FOLDER
1920WM:REMINDER = FOLDER
1921?IMPORT = IMPLEMENTATION
1922
1923[filter-events]
1924#------------------------
1925# EVENT HANDLER FILTERING
1926#------------------------
1927# Specifies (TAG,EVENT-HANDLER) pairs that contain JavaScript requiring
1928# filtering of URL references. Currently, only absolute URLs are
1929# supported.
1930#
1931# Format is <TAG> = <EVENT-HANDLER>
1932A = ONCLICK
1933A = ONDBLCLICK
1934A = ONMOUSEDOWN
1935A = ONMOUSEOUT
1936A = ONMOUSEOVER
1937A = ONMOUSEUP
1938AREA = ONCLICK
1939AREA = ONMOUSEOUT
1940AREA = ONMOUSEOVER
1941BODY = ONBLUR
1942BODY = ONCLICK
1943BODY = ONDRAGDROP
1944BODY = ONFOCUS
1945BODY = ONKEYDOWN
1946BODY = ONKEYPRESS
1947BODY = ONKEYUP
1948BODY = ONLOAD
1949BODY = ONMOUSEDOWN
1950BODY = ONMOUSEUP
1951BODY = ONMOVE
1952BODY = ONRESIZE
1953BODY = ONUNLOAD
1954FORM = ONRESET
1955FORM = ONSUBMIT
1956FRAME = ONBLUR
1957FRAME = ONDRAGDROP
1958FRAME = ONFOCUS
1959FRAME = ONLOAD
1960FRAME = ONMOVE
1961FRAME = ONRESIZE
1962FRAME = ONUNLOAD
1963IMG = ONABORT
1964IMG = ONERROR
1965IMG = ONLOAD
1966INPUT = ONBLUR
1967INPUT = ONCHANGE
1968INPUT = ONCLICK
1969INPUT = ONFOCUS
1970INPUT = ONKEYDOWN
1971INPUT = ONKEYPRESS
1972INPUT = ONKEYUP
1973INPUT = ONMOUSEDOWN
1974INPUT = ONMOUSEUP
1975INPUT = ONSELECT
1976LAYER = ONBLUR
1977LAYER = ONLOAD
1978LAYER = ONMOUSEOUT
1979LAYER = ONMOUSEOVER
1980SELECT = ONBLUR
1981SELECT = ONCHANGE
1982SELECT = ONFOCUS
1983TEXTAREA = ONBLUR
1984TEXTAREA = ONCHANGE
1985TEXTAREA = ONFOCUS
1986TEXTAREA = ONKEYDOWN
1987TEXTAREA = ONKEYPRESS
1988TEXTAREA = ONKEYUP
1989TEXTAREA = ONSELECT
1990
1991[filter-schemes]
1992#
1993# URLs with these schemes are not filtered in responses from junctioned
1994# servers.
1995#
1996# Notes and Exceptions:
1997# - HTTP: and HTTPS: are internally handled and will be ignored if present in
1998# this list.
1999# - Webseald will filter URLs with a scheme matching one in this list if
2000# the response from a junctioned server has a BASE tag HREF URL scheme the
2001# same as the URLs.
2002# - If a URL in the response from a junctioned server does not have a scheme
2003# from this list, and the scheme is not HTTP: or HTTPS:, then webseald will
2004# assume the URL is the same scheme as the junctioned server (HTTP: or
2005# HTTPS:) with its scheme missing.
2006# - The trailing ':' on scheme-name is optional, and if missing will be assumed.
2007#
2008# Format is:
2009# scheme = <scheme-name>
2010#
2011scheme = file
2012scheme = ftp
2013scheme = mailto
2014scheme = news
2015scheme = telnet
2016
2017[filter-content-types]
2018#
2019# Document content types that the server will filter in responses from
2020# junctioned servers. If types besides text/html and text/vnd.wap.wml
2021# are added to this list then the option [script-filtering]script-filter
2022# should be set to 'yes'.
2023#
2024# Format is:
2025# type = <type-name>
2026#
2027type = text/html
2028type = text/vnd.wap.wml
2029
2030[filter-request-headers]
2031#
2032# HTTP headers to filter from the client request before sending to the
2033# back-end web server. Note that this list is in addition to headers
2034# that WebSEAL will always filter, e.g. iv-user, iv-groups.
2035#
2036# Format is:
2037# header = <header-name>
2038#
2039# The header name is case insensitive.
2040#
2041# The addition of "accept-encoding" to this list will prevent junctioned
2042# servers from returning compressed data to WebSEAL. WebSEAL cannot
2043# filter compressed data.
2044header = accept-encoding
2045
2046
2047[script-filtering]
2048# When script filtering support is enabled, filtering of
2049# absolute urls between html <script> tags can be enabled.
2050#
2051# Only absolute URLs that exist as a complete string in the
2052# html schema:server format will be filtered.
2053script-filter = no
2054
2055# When script-filter is set to yes, enabling this flag will rewrite
2056# the absolute URLs with new absolute URLs that contain the protocol,
2057# host and port (if necessary) that represent how the user accessed
2058# the WebSEAL server.
2059#rewrite-absolute-with-absolute = no
2060
2061# If another WebSEAL server has created a junction to this WebSEAL
2062# server using a WebSEAL to WebSEAL junction, set this to 'yes'
2063# to uniquely identify the cookie used for resolving unfiltered links.
2064hostname-junction-cookie = no
2065
2066
2067# The following stanza is used to configure parameters associated
2068# with the snippet filter.
2069[snippet-filter]
2070
2071# The maximum size (in bytes) of snippets which will be stored in
2072# memory. If the snippet exceeds the configured maximum size it will
2073# not be cached, but will instead be read from disk during the
2074# construction of each response.
2075max-snippet-size = 1024
2076
2077# The following stanza is used to configure the snippet filter for a
2078# particular resource. This filter will allow snippets to be inserted
2079# into the response for the resource.
2080#
2081# The format of the stanza, and its entries are as follows:
2082# [snippet-filter:<uri>]
2083# <location> = <filename>
2084#
2085# where:
2086# <uri>: The decoded URI for which the snippet substitution will
2087# take place.
2088# <location>: The location at which the snippet should be inserted.
2089# This string will be pattern matched against a line in
2090# the response using the '*.' wildcard characters. The
2091# maximum length of a line in a response which can be
2092# matched by the filter is 8192 bytes. If the line in the
2093# response is longer than this it will simply be streamed
2094# through to the client and cannot be used to identify a
2095# snippet location.
2096# <filename>: The name of the file which contains the snippet which
2097# is to be inserted. The path specified should be
2098# relative to the 'snippet' directory in the management
2099# root directory.
2100#
2101# Multiple resources may be specified, and multiple locations may be
2102# configured for each resource. The entries within the stanza must
2103# appear in the order that they will be inserted within the returned
2104# page.
2105
2106[preserve-cookie-names]
2107#
2108# WebSEAL will, by default, modify the names of cookies returned in
2109# responses from junctions created with the -j flag or listed in the
2110# Junction Mapping Table. This is done to prevent naming conflicts with
2111# cookies returned from other junctions.
2112#
2113# If front end applications depend on the names of certain cookies, you
2114# you may want to disable this behavior for those cookies. To do so, list
2115# the cookies in this stanza.
2116#
2117# Format is:
2118# name = <cookie-name>
2119
2120[credential-refresh-attributes]
2121#
2122# When a user's credential is refreshed, some attributes may be preserved
2123# by copying their values from the original credential into the new
2124# credential. This stanza is used to control which attributes are preserved and
2125# which are refreshed. The attribute name patterns are case-insensitive wild
2126# card patterns that are used to select attributes.
2127#
2128# Order is important. The first pattern which matches a given attribute
2129# will decide whether the attribute is preserved or refreshed. If no
2130# pattern matches an attribute, then the attribute will be refreshed.
2131#
2132# Format is one of:
2133# <attribute-name-pattern> = preserve
2134# <attribute-name-pattern> = refresh
2135#
2136authentication_level = preserve
2137tagvalue_* = preserve
2138
2139[gso-cache]
2140#----------------------
2141# GSO CACHE
2142#----------------------
2143
2144# GSO cache configuration.
2145# gso-cache-enabled must be set to 'yes' before the other parameters
2146# will take effect.
2147gso-cache-enabled = no
2148
2149# Cache size (number of entries)
2150gso-cache-size = 1024
2151
2152# Cache entry lifetime (in seconds)
2153gso-cache-entry-lifetime = 900
2154
2155# Cache entry idle timeout (in seconds)
2156gso-cache-entry-idle-timeout = 120
2157
2158
2159[ltpa-cache]
2160#----------------------
2161# LTPA CACHE
2162#----------------------
2163
2164# LTPA cache configuration.
2165# The ltpa-cache-enabled entry must be set to 'yes' before
2166# the other ltpa parameters will take effect.
2167ltpa-cache-enabled = yes
2168
2169# Cache size (number of entries)
2170ltpa-cache-size = 4096
2171
2172# Cache entry lifetime (in seconds)
2173ltpa-cache-entry-lifetime = 3600
2174
2175# Cache entry idle timeout (in seconds)
2176ltpa-cache-entry-idle-timeout = 600
2177
2178
2179
2180###############################
2181# AUTHENTICATION
2182###############################
2183[ba]
2184#----------------------
2185# BASIC AUTHENTICATION
2186#----------------------
2187
2188# Enable authentication using the Basic Authentication mechanism
2189# One of <http, https, both, none>
2190ba-auth = none
2191
2192# Realm name. This is the text that is displayed in the
2193# browser's dialog box when prompting the user for login data.
2194# By default, the string 'Access Manager' is used.
2195#basic-auth-realm = Access Manager
2196
2197# IMPORTANT:
2198# If forms authentication is enabled for a particular transport,
2199# the basic authentication settings for that transport will be ignored.
2200
2201[forms]
2202#----------------------
2203# FORMS
2204#----------------------
2205
2206# Enable authentication using the forms authentication mechanism
2207# One of <http, https, both, none>
2208forms-auth = https
2209
2210# IMPORTANT:
2211# If forms authentication is enabled for a particular transport,
2212# the basic authentication settings for that transport will be ignored.
2213
2214# If a forms login request is received with either an empty user name or
2215# an empty password, then WebSEAL will return the login form without
2216# stating an error. If it is preferred that an error message is displayed,
2217# then set this value to true. In this case, WebSEAL will attempt to
2218# authenticate the user, and if the values have 0 length, the registry
2219# will return the appropriate error.
2220allow-empty-form-fields = false
2221
[spnego]
#----------------------
# SPNEGO
#----------------------

# Enable authentication using the SPNEGO authentication mechanism
# One of <http, https, both, none>
#
# SPNEGO is disabled on this instance. The remaining entries in this
# stanza are therefore inert, but several of them are not in a state that
# is safe to enable as-is (see the notes on spnego-krb-service-name and
# spnego-krb-keytab-file below).
spnego-auth = none

# IMPORTANT:
# If forms authentication is enabled for a particular transport,
# the SPNEGO authentication settings for that transport will be ignored.

# SPNEGO authentication provides a principal name of the form
# "shortname@domain.com". By default, TAM uses only the shortname
# as the TAM user-id. If this parameter is set to yes, then TAM will
# include the domain as part of the TAM user-id.
#
# Example:
# SPNEGO authentication provides principal name: user@example.com
# If this parameter is no: the TAM user-id is "user"
# If this parameter is yes: the TAM user-id is "user@example.com"
#
# Note that this configuration option has no effect if Active
# Directory Multi Domain is being used as the TAM user registry. For
# AD MD, the domain name is always included as part of the TAM user-id.
#
# NOTE(review): with 'no', principals from different Kerberos domains that
# share a short name ("user@a.example.com" and "user@b.example.com") both
# map to the TAM user-id "user". If more than one domain can authenticate
# to this server, set this to 'yes' or confirm that only a single domain
# is trusted, otherwise one identity can be confused with another.
use-domain-qualified-name = no

#
# List of kerberos service-principal-names (SPNs) for the server. This is only
# used on UNIX platforms. Each principal name must have the form
# HTTP@<hostname>, where hostname is the DNS name browsers will use to contact
# the web server.
#
# The SPN used for SPNEGO authentication depends on whether the client is
# accessing a traditional WebSEAL junction or a transparent junction. For
# traditional WebSEAL junctions, the first SPN in the list is always used.
# For transparent junctions, WebSEAL first searches for an SPN that matches
# the hostname the client used to connect to WebSEAL. If no matching SPN is
# found, then the first SPN from the list will be used instead.
#
# In most cases the hostname used here should be fully qualified.
#
# Format is:
# spnego-krb-service-name = HTTP@<host-one.example.com>
# spnego-krb-service-name = HTTP@<host-two.example.com>
# ...
#
# The value below is the unfilled template placeholder, not a valid
# HTTP@<hostname> SPN. It is harmless while spnego-auth = none, but it must
# be replaced with the real SPN(s) before SPNEGO is enabled on any transport.
spnego-krb-service-name = <service-name>

#
# The path to the kerberos keytab file for the server. This is only used
# on UNIX platforms. The keytab file must contain keys for each of the
# SPNs used for SPNEGO authentication.
#
# The keytab holds the service's long-term Kerberos keys. When one is
# configured, restrict its filesystem permissions to the WebSEAL runtime
# user; it should be protected like a private key.
#

# The following files are currently available for this configuration entry:
# - <none available>

spnego-krb-keytab-file =

#
# During SPNEGO authentication the system can add the SID of the user as an
# extended attribute to the credential. This entry specifies the name of the
# attribute. This is only used on UNIX platforms.
#
# If this entry is not present, then the system does not add the SID as an
# extended attribute to the credential.
#
spnego-sid-attr-name =
2292
2293[token]
2294#----------------------
2295# TOKEN
2296#----------------------
2297
2298# Enable authentication using the token authentication mechanism
2299# One of <http, https, both, none>
2300token-auth = none
2301
2302# IMPORTANT:
2303# If token authentication is enabled for a particular transport,
2304# the basic authentication settings for that transport will be ignored.
2305
[certificate]
#----------------------
# CERTIFICATE
#----------------------

# When to accept a certificate from HTTPS clients. Options are:
#
# never Never request a client certificate.
#
# critical Always request a client certificate. If a valid certificate
# is not presented the SSL handshake will fail.
#
# required Always request a client certificate. If a valid certificate
# is not presented the SSL handshake will succeed and an
# error HTTP response will be sent back to the client.
#
# optional Always request a client certificate. If presented, use it.
#
# prompt_as_needed Certificates will only be prompted for and processed when
# certificate authentication is necessary (due to an ACL or
# POP check failure).
#
# Client certificate authentication is disabled on this instance. The
# cache, prompt and secondary-port settings below only take effect with
# prompt_as_needed (as each of their comments states) and are inert here.
accept-client-certs = never

# IMPORTANT
# If this is set to 'required', all other authentication
# settings are ignored for HTTPS clients

#----------------------
# CERTIFICATE SSL ID CACHE SETTINGS
#----------------------
# A cache is necessary to store the SSL IDs of sessions that require a
# certificate exchange. This cache is only required when accept-client-certs =
# prompt_as_needed.

# The maximum number of concurrent entries in the Certificate SSL ID cache
# This corresponds to the number of concurrent certificate logins.
# Setting this to zero will allow unlimited cache size.
# An unbounded cache lets an unauthenticated client grow server memory with
# each new SSL session; keep a finite limit.
cert-cache-max-entries = 1024

# Maximum lifetime (in seconds) for an entry in the Certificate SSL ID cache.
# Setting this to zero allows the cache to fill without expiry until the
# cache contains the number of entries specified by cert-cache-max-entries.
# After that point, entries are expired according to a least recently used
# algorithm.
cert-cache-timeout = 120

# This controls the number of times WebSEAL will attempt to authenticate
# a client using certificates before assuming the client cannot provide
# a certificate. A value of 5 is recommended because most browsers will
# maintain a maximum of 4 TCP connections to a Web server. (Each attempt
# to prompt a client for certificate authentication will cause a TCP
# connection to be closed, and if all active TCP connections to a browser
# have been closed then the browser is probably unable to provide client
# certificate authentication.) Values less than 2 or greater than 15 are
# not permitted. This value is not used unless accept-client-certs =
# prompt_as_needed.
cert-prompt-max-tries = 5

# When disable-cert-login-page is set to "yes" the initial login form with
# an option to prompt for certificate will not be presented. WebSEAL will
# instead bypass this and directly prompt for the certificate.
disable-cert-login-page = no

# When accept-client-certs is set to "prompt_as_needed" this option causes
# the client (browser) to be redirected to another HTTPS port on the WebSEAL
# server, using the same host name. The other port must be on an interface
# configured with accept-client-certs = "required". The redirection occurs
# from certlogin.html and stepuplogin.html when the certificate login button is
# pressed. This option also provides the SECONDARY_BASE macro which is
# provided for certlogin.html and stepuplogin.html to allow redirection to
# the secondary port for authentication using certificates. It is of the form
# HTTPS://%HOSTNAME%:<secondary-port>
# If not set, or set to zero, this feature is disabled and the SECONDARY_BASE
# macro is set to the empty string.
secondary-port = 0

# This option is for when secondary-port is enabled for prompt_as_needed
# and use-secondary-listener is enabled for the interface providing the
# secondary-port. When these are enabled and the browser provided certificate
# fails to map to a valid user, enabling this option will cause WebSEAL to
# redirect the browser back to the original interface (port) to output the
# cert-failure error message.
secondary-fail-redirect = no

#----------------------
# External Authentication Interface (EAI) settings
#----------------------

#
# The resource identifier of the application which will be invoked
# to perform the certificate authentication. This URI should be relative
# to the root web space of the WebSEAL server. If this configuration entry
# is not defined the standard CDAS authentication mechanism will be used to
# handle the authentication.
#
# The following additional headers will be made available in the EAI request:
# eai_qop: The quality-of-protection settings for the client.
# eai_domain: The ISAM domain name.
#
# NOTE(review): whatever application is mounted at this URI is trusted to
# perform the authentication step in place of the built-in mechanism, so its
# own access policy and deployment need the same care as the certificate
# handling it replaces. Not configured on this instance.
#
#eai-uri =

#
# The client certificate data which will be passed to the EAI application.
# The format of the configuration entry will be:
# eai-data = <data>:<header-name>
#
# The <data> component is used to indicate the data which will be included
# in the header. It should be one of the following:
# * Base64Certificate
# * SerialNumber
# * SubjectCN
# * SubjectLocality
# * SubjectState
# * SubjectCountry
# * SubjectOrganization
# * SubjectOrganizationalUnit
# * SubjectDN
# * SubjectPostalCode
# * SubjectEmail
# * SubjectUniqueID
# * IssuerCN
# * IssuerLocality
# * IssuerState
# * IssuerCountry
# * IssuerOrganization
# * IssuerOrganizationUnit
# * IssuerDN
# * IssuerPostalCode
# * IssuerEmail
# * IssuerUniqueID
# * Version
# * SignatureAlgorithm
# * ValidFrom
# * ValidFromEx
# * ValidTo
# * ValidToEx
# * PublicKeyAlgorithm
# * PublicKey
# * PublicKeySize
# * FingerprintAlgorithm
# * Fingerprint
#
# The <header-name> component is used to indicate the name of the HTTP
# header which will contain the data.
#
# Multiple pieces of client certificate data can be passed to the EAI
# application by including multiple 'eai-data' configuration entries.
#
# An example configuration might be:
# eai-data = SerialNumber:eai_serial_num
#
# NOTE(review): the EAI application receives the certificate data as plain
# request headers. It must only trust those headers on requests that arrive
# through WebSEAL; confirm that a client cannot supply a header of the same
# name and have it reach the EAI application unchanged.
#
2458
2459
2460[authentication-levels]
2461#----------------------
2462# STEP UP
2463#----------------------
2464
2465# authentication levels
2466#
2467# Syntax:
2468# level = <method-name>
2469#
2470# Valid method names are:
2471# unauthenticated
2472# password
2473# token-card
2474# ssl
2475# ext-auth-interface
2476# ltpa
2477# kerberosv5
2478# oauth
2479#
2480level = unauthenticated
2481level = password
2482level = ext-auth-interface
2483
2484# IMPORTANT
2485# 1) You cannot step up to an authentication method that is not enabled.
2486# For example, you must enable either BA or forms authentication
2487# before 'level = password' in this list will have any effect.
2488#
2489# 2) POP settings are required to enable step-up authentication.
2490# Please see the administration guide for details.
2491
[step-up]
#
# The following entry determines, in the event of a step-up operation,
# whether the new user ID must match the user ID from the previous
# authentication. In the situation where verify-step-up-user = yes,
# and the user IDs do not match, an error will be presented to the user.
#
# Keep this at 'yes': it stops an existing session from being upgraded
# with a different user's credentials, i.e. a step-up can raise the
# authentication level of the current identity but cannot switch identity.
#
verify-step-up-user = yes

#
# The following entry allows the administrator to control what login prompts
# are shown to users when they request a resource protected by a stepup policy.
#
# If show-all-auth-prompts = yes, the login prompts for all configured
# authentication methods are shown.
#
# If show-all-auth-prompts = no, only the login prompt for the method matching
# the required authentication level is shown.
#
show-all-auth-prompts = no

#
# This configuration entry will control whether an authentication
# level/mechanism which is higher than the requested step-up level is
# allowed during a step-up operation.
#
# The default value, if no entry is specified, is 'no'.
#
step-up-at-higher-level = no
2521
2522
2523[mpa]
2524#----------------------
2525# MULTIPLEXING PROXY AGENTS
2526#----------------------
2527
2528# Support Multiplexing Proxy Agents (yes/no)
2529mpa = no
2530
[cdsso]
#----------------------
# CDSSO
#----------------------

# Accept cdsso tokens
# This will require that an authentication module is specified for
# 'sso-consume' in the 'authentication-mechanisms' stanza.
# One of <http, https, both, none>
#
# CDSSO is disabled in both directions on this instance. The remaining
# entries only matter once cdsso-auth or cdsso-create is enabled.
cdsso-auth = none

# Generate cdsso tokens.
# This will require that an authentication module is specified for
# 'sso-create' in the 'authentication-mechanisms' stanza.
# One of <http, https, both, none>
cdsso-create = none

# Single sign on authentication token lifetime (in seconds)
# This mitigates clock skew between separate WebSEAL servers.
#
# This lifetime is also the window during which an intercepted token can be
# replayed against a peer, so keep it as short as the clock skew between
# participating servers allows.
authtoken-lifetime = 180

# cdsso-argument
# This is the name of the argument containing the CDSSO token in a query string
# of a request. This is used to identify incoming requests containing
# CDSSO authentication information.
#
# Syntax:
# cdsso-argument = <argument name>
# For standard CDSSO, use PD-ID
#
# Because the token is carried in the query string it is visible wherever
# request URLs are recorded (access logs, browser history, Referer headers);
# see clean-cdsso-urls below for the junction side of this.
cdsso-argument = PD-ID

# Specify if UTF-8 encoding should be used in the strings within the cdsso
# token. UTF-8 should be used when user names or credential attributes in the
# token are not encoded in the same code page as the WebSEAL server is using.
# Set to "no" if your tokens need to interoperate with environments that
# use local code page. This option only affects CDSSO tokens created and
# consumed by the default SSO create and consume libraries.
use-utf8 = yes

# When an SSO token is generated, a call is made to the Cross Domain Mapping
# Framework (CDMF) API to determine the extended attributes that must be
# encoded into the token so that the user can be correctly mapped across the
# SSO authentication. The propagate-cdmf-errors parameter determines
# whether the failure of the cdmf_get_usr_attributes call will cause token
# creation as a whole to fail. If propagate-cdmf-errors is set to "no"
# (default), a default attribute list will be generated if the CDMF fails
# and token creation will proceed without error. However, if
# propagate-cdmf-errors is set to "yes", token creation will be aborted if
# the CDMF fails.
#
# NOTE(review): with 'no', a CDMF failure silently issues a token with a
# default attribute list rather than failing closed. If the receiving domain
# relies on those attributes for authorisation, 'yes' is the safer setting.
propagate-cdmf-errors = no

# cdsso-argument (PD-ID) and PD-REFERER query string arguments can be
# passed onto junctions. When this option is set to "yes" these will be
# removed from the URI before passing the request onto the junction.
#
# With 'no' the authentication token is forwarded to junctioned back-end
# servers as part of the request URI, where it can end up in their logs.
# If CDSSO is enabled, set this to 'yes' unless a back-end genuinely needs
# the raw token.
clean-cdsso-urls = no
2586
2587
2588[cdsso-peers]
2589# Peers that are participating in Cross Domain Single Sign On (CDSSO)
2590#
2591# Syntax:
2592# <fully qualified host name> = <key file location>
2593
2594[cdsso-token-attributes]
2595#
2596# Credential attributes to include in CDSSO authentication tokens.
2597#
2598# This stanza defines the sets of attributes to be included in
2599# CDSSO authentication tokens, specified on a per-peer or
2600# per-domain basis. This processing only takes place if the
2601# default SSO token creation and consumption libraries are
2602# in use.
2603#
2604# Credential attributes matching the patterns specified in this stanza
2605# for a target host or domain are included in CDSSO authentication tokens
2606# constructed for that target host or domain. Only a single value for
2607# each attribute is used, and only string values are supported. Other
2608# types of credential attribute values will be ignored.
2609#
2610# Patterns can be specified using shell-style wildcards.
2611#
2612# The format of these entries is:
2613#
2614# <domain-name> = <pattern-1>
2615# <domain-name> = <pattern-2>
2616# <domain-name> = <pattern-n>
2617#
2618# For example:
2619#
2620# [cdsso-token-attributes]
2621# ibm.com = attrprefix_*
2622# ibm.com = *name*
2623# tivoli.com = *_attrsuffix
2624# tivoli.com = some_exact_attribute
2625#
2626# A default set of attributes can be configured with a '<default>'
2627# entry in this stanza. This set of attributes is used when there
2628# is no other entry matching a particular target host. If the '<default>'
2629# entry is not present, then no attributes will be included in tokens
2630# by default.
2631#
2632# For example:
2633#
2634# [cdsso-token-attributes]
2635# <default> = myattr*
2636# ibm.com = attrprefix_*
2637#
2638# If no credential attributes are required in CDSSO authentication tokens,
2639# then this stanza can remain empty.
2640#
2641
2642[cdsso-incoming-attributes]
2643#
2644# Attributes to accept from incoming CDSSO authentication tokens.
2645#
2646# This stanza defines the sets of attributes to be accepted and rejected
2647# from incoming CDSSO authentication tokens. Unlike the outgoing
2648# attributes configuration, incoming attributes cannot be configured
2649# on a per-peer or per-domain basis. Only one set of attribute patterns
2650# can be configured, and these patterns will be applied to incoming
2651# tokens regardless of source. This processing only takes place if the
2652# default SSO token creation and consumption libraries are
2653# in use.
2654#
2655# The format of entries in this stanza is:
2656#
2657# <attribute pattern> = <preserve|refresh>
2658#
2659# Attributes in CDSSO authentication tokens that match a 'refresh' entry
2660# will be removed from the token before the CDMF library is called
2661# to map the remote user into the local domain. Attributes matching
2662# a 'preserve' entry, or matching none of the entries, will be kept.
2663# If no entries are configured, then all attributes will be kept.
2664#
2665
[failover]
#----------------------
# FAILOVER
#----------------------

# Accept failover cookies
# One of <http, https, both, none>
#
# Failover cookies are disabled on this instance. The settings below are
# inert until this is enabled, but note that several of them are not in a
# safe state for enabling (empty key file, timestamp validation off).
failover-auth = none

# Key file for failover cookie encryption
# The cdsso_key_gen utility must be used to create this file
#
# This key is shared by every replica that accepts the cookie. Anyone who
# holds it can produce cookies that those replicas accept, so it must be
# set before enabling failover-auth and protected like a private key.

# The following files are currently available for this configuration entry:
# - <none available>

failover-cookies-keyfile =

# The name of the cookie which will be used to house the failover token
failover-cookie-name = PD-ID

# Number of minutes that failover cookie contents are valid
# This is also the window during which a captured cookie can be replayed
# on another replica; keep it no longer than the session needs.
failover-cookie-lifetime = 60

# Enable the failover cookie for the domain
# This allows the cookie to be sent back to any server within
# the same domain as WebSEAL.
#
# Keep 'no' unless cross-host failover is required: a domain-scoped cookie
# is sent to every host in the domain, not just WebSEAL replicas.
enable-failover-cookie-for-domain = no

# If failover cookie for the domain is enabled
# WebSEAL determines the domain to use as follows
# 1) if the request is for a virtual host junction then the virtual host domain is used.
# 2) if failover-cookie-domain-from-host-header is enabled and the request contains a host
# header then the domain from the host header is used.
# 3) if failover-cookie-domain has specified a domain then it is used.
# 4) if web-host-name has been specified (in the [server] section) then the domain from the web-host-name is used.
# 5) if none of the above then the domain is retrieved from the operating system
#
# Keep 'no': the Host header is supplied by the client, so deriving the
# cookie domain from it lets a client influence which hosts the cookie
# is sent to. Prefer failover-cookie-domain or web-host-name instead.
failover-cookie-domain-from-host-header = no

# Specify if UTF-8 encoding should be used in the strings within the failover
# cookie. UTF-8 should be used when user names or credential attributes in the
# cookie are not encoded in the same code page as the WebSEAL server is using.
# Set to "no" if your cookies need to interoperate with environments that
# use local code page.
use-utf8 = yes

# The integer number of seconds that pass between updating the failover cookie's
# last activity timestamp. With each request, if n seconds have passed since the
# last cookie update, and last activity timestamps are configured to be
# inserted in failover cookies, another update will occur.
# A zero value will cause the last activity timestamp in the failover cookie
# to be updated with each request.
# Negative values will cause the last activity timestamp in the cookie to never
# be updated.
failover-update-cookie = -1

# Enable validation of session lifetime and activity timestamp attributes of
# incoming failover cookies. Settings are:
# no: The timestamp is not required, but if it exists and is invalid,
# failover authentication will fail.
# yes: If the timestamp is invalid or missing, failover authentication
# will fail.
#
# NOTE(review): with 'no', a cookie that simply omits the timestamp attributes
# is accepted, so the lifetime and inactivity checks can be sidestepped by a
# cookie that does not carry them. If failover-auth is enabled, set both to
# 'yes' once every issuing replica is known to insert the timestamps.
failover-require-lifetime-timestamp-validation = no
failover-require-activity-timestamp-validation = no

# Include the user's session ID as an attribute of the failover cookie to
# enable non-sticky failover. Non-sticky failover allows users to authenticate
# to multiple WebSEAL replicas without being issued new session cookies for
# each failover occurrence.
#
# To enable non-sticky failover functionality, the following options must
# be set; WebSEAL will report a startup error and fail to start if any
# of the settings below are incorrect.
# - In [session], set ssl-id-sessions = no
# - Enable the following settings:
# - In [failover-add-attributes],
# tagvalue_failover_amweb_session_id = add
# - In [failover-restore-attributes],
# tagvalue_failover_amweb_session_id = preserve
# - In [credential-refresh-attributes],
# tagvalue_failover_amweb_session_id = preserve
# - Wildcard patterns in the above 3 settings are allowed.
failover-include-session-id = no

# Resend the failover cookie if it is missing from the request
# In certain environments clients may "lose" the failover cookie.
# If this configuration option is set to yes then WebSEAL will
# automatically resend the failover cookie if the client does
# not present it.
reissue-missing-failover-cookie = no
2756
2757[failover-add-attributes]
2758# Specify which attributes from the credential to store in a failover cookie.
2759#
2760# The format for attributes to add to the failover cookie is:
2761# <attribute pattern> = add
2762# where <attribute pattern> is a case-insensitive wild card pattern.
2763#
2764# The AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD attributes
2765# will always be added to the failover cookie, regardless of the
2766# entries in this stanza.
2767#
2768#tagvalue_failover_amweb_session_id = add
2769
2770[failover-restore-attributes]
2771# Specify which attributes to put in the new credential when recreating a
2772# credential from a failover cookie. This stanza is used to control which
2773# attributes are preserved and which are refreshed.
2774
# The attribute name patterns are case-insensitive wild card patterns that are
# used to select attributes.
2777#
2778# Order is important. Rules that appear earlier in either failover-attribute
2779# stanza take precedence over those that appear later in the stanza. If an
2780# attribute does not match any of the rules, it will not be considered for
2781# special handling.
2782#
2783# The format for adding attributes from the cookie (if present) to the new
2784# credential is:
2785# <attribute pattern> = preserve
2786#
2787# The format for explicitly ignoring failover cookie attributes (default
2788# behavior) for addition to the new credential is:
2789# <attribute pattern> = refresh
2790#
2791# All failover cookie attributes will be ignored (for the purpose of
2792# adding them to a new credential) unless specified by a 'preserve' line.
2793#
2794#tagvalue_failover_amweb_session_id = preserve
2795
[ltpa]

#----------------------
# LTPA Authentication
#----------------------

# Accept/generate LTPA cookies
# One of <http, https, both, none>
#
# LTPA is disabled on this instance; the key file below is empty to match.
# Both must be configured together before enabling any transport here.
ltpa-auth = none

# The key file used when accessing LTPA cookies. This must correspond to a
# valid LTPA key file, as generated by WebSphere.
#
# This key is shared with the WebSphere environment that accepts these
# tokens; a holder of the key can produce tokens that environment trusts,
# so protect the file like a signing key.

# The following files are currently available for this configuration entry:
# - <none available>

keyfile =

# The name of the cookie which will contain the LTPA token.
cookie-name = Ltpatoken2

# The domain of the LTPA cookie. If no cookie domain is specified the LTPA
# cookie will be created as a host-only cookie.
# A domain-scoped cookie is sent to every host in that domain; leave this
# unset (host-only) unless the token must be shared across hosts.
# cookie-domain = ibm.com

# The number of seconds that pass between updates of the LTPA cookie with the
# lifetime of the cookie. With each request, if n seconds have passed since
# the last cookie update, another update will occur. A zero value will cause
# the lifetime timestamp in the LTPA cookie to be updated with each request.
# Negative values will cause the lifetime of the cookie to be set to the same
# value as the lifetime of the user session. This setting is used in an
# attempt to mimic the inactivity timeout of a user session.
update-cookie = -1

# Should the full DN of the user be inserted into the generated LTPA cookie, or
# should the TAM short name of the user be inserted into the generated LTPA
# cookie.
# (This entry uses true/false where the rest of the file uses yes/no; that is
# the product's spelling for this key, so it is left as-is.)
use-full-dn = true

# The name of the cookie sent across a junction containing the LTPA
# token can be customized.
#
# This name must match the configured name in the WebSphere
# application on the junction to successfully achieve single signon.
#
# When not configured, the default values of LtpaToken or LtpaToken2
# for LTPA or LTPAv2 respectively are used.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [ltpa:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
#
# jct-ltpa-cookie-name = LtpaToken
2851
[e-community-sso]
#----------------------
# e-COMMUNITY SSO
#----------------------
# Participate in e-community single sign on
# One of <http, https, both, none>
#
# e-community SSO is disabled on this instance. If it is enabled later,
# prefer 'https': permitting 'http' means vouch-for tokens and e-community
# cookies travel over a cleartext transport.
e-community-sso-auth = none

# The e-community name. This needs to match any vouch-for tokens or
# e-community cookies that are received.
# e-community-name = <name>

# Master authentication server settings. If is-master-authn-server
# is set to "yes" then this server will accept vouch-for requests from
# other WebSEAL instances whose domain keys are listed in the
# [e-community-domain-keys] stanza.
# is-master-authn-server = <yes/no>

# If is-master-authn-server is set to "no" then this value needs
# to be specified. If a local domain login has not already been performed then
# authentication attempts will be routed through this machine,
# which will need to vouch for a user's identity.
# The domain key for the master-authn-server needs to be listed in the
# [e-community-domain-keys] stanza.
# master-authn-server = <server name>

# If e-community-sso-auth permits use of the HTTP protocol and
# the master-authn-server listens for HTTP requests on a port other
# than the standard HTTP port (port 80) then this non-standard port
# needs to be configured here. This parameter is ignored if this server
# is the master authentication server.
#
# master-http-port = <port>

# If e-community-sso-auth permits use of the HTTPS protocol and
# the master-authn-server listens for HTTPS requests on a port other
# than the standard HTTPS port (port 443) then this non-standard port
# needs to be configured here. This parameter is ignored if this server
# is the master authentication server.
#
# master-https-port = <port>


# vouch-for token lifetime in seconds. This needs to take into account clock
# skew between participants.
# As with the CDSSO token lifetime, this is also the replay window for an
# intercepted vouch-for token; keep it as short as clock skew allows.
vf-token-lifetime = 180

# vouch-for URL designator
# This specifies the start of a URL relative to the server root. This is used
# to construct vouch-for requests by participating ECSSO servers, and to
# distinguish requests for vouch-for information from other requests by the
# MAS.
#
# '/pkmsvouchfor' is used by default
# vf-url = /pkmsvouchfor

# vouch-for argument
# This is the name of the vouch-for token (as an argument name) contained in
# a vouch-for reply.
# This is used to construct vouch-for replies by the MAS, and to distinguish
# incoming requests as ones with vouch-for information by participating ECSSO
# servers.
#
# 'PD-VF' is used by default
# vf-argument = PD-VF

# ecommunity cookie domain. If not set WebSEAL will use the domain from the
# automatically determined hostname (or web-host-name if specified).
# ec-cookie-domain = <domain>

# ecommunity cookie lifetime, in minutes.
# 300 minutes is five hours; the cookie identifies where the user last
# authenticated, so size this to the session lifetime rather than longer.
ec-cookie-lifetime = 300

# Enable or disable unauthenticated access with ECSSO.
# When set to no, every initial ECSSO request will require authentication.
# Default value is yes.
ecsso-allow-unauth = yes

# Specify if UTF-8 encoding should be used in the strings within the vouch-for
# token. UTF-8 should be used when user names or credential attributes in the
# token are not encoded in the same code page as the WebSEAL server is using.
# Set to "no" if your tokens need to interoperate with environments that
# use local code page.
use-utf8 = yes

# When an SSO token is generated, a call is made to the Cross Domain Mapping
# Framework (CDMF) API to determine the extended attributes that must be
# encoded into the token so that the user can be correctly mapped across the
# SSO authentication. The propagate-cdmf-errors parameter determines
# whether the failure of the cdmf_get_usr_attributes call will cause token
# creation as a whole to fail. If propagate-cdmf-errors is set to "no"
# (default), a default attribute list will be generated if the CDMF fails
# and token creation will proceed without error. However, if
# propagate-cdmf-errors is set to "yes", token creation will be aborted if
# the CDMF fails.
#
# NOTE(review): 'no' fails open (a default attribute list is issued on CDMF
# failure). If the receiving domain authorises on those attributes, 'yes'
# is the safer setting.
propagate-cdmf-errors = no

# If an unauthenticated request is made with POST data, set to yes,
# this option will allow that data to be cached while the e-community
# master authenticates the user. If the option is set to no, request
# data will be lost.
#
# NOTE(review): with 'yes', the body of an unauthenticated POST is held
# server-side for the duration of the MAS round-trip. Request bodies may
# contain sensitive data, so be aware of where and for how long this cache
# lives if e-community SSO is enabled.
cache-requests-for-ecsso = yes

# Authentication errors returned by the master-authn-server in vouch-for
# tokens are not propagated to the ERROR_CODE and ERROR_TEXT macros used
# by facilities such as local response redirect. Setting this option to
# "yes" will propagate the errors.
ecsso-propagate-errors = no

# When the following option is set to "yes" this WebSEAL instance is stopped
# from generating or using eCommunity Cookies. In addition, if this instance
# is not acting as the MAS, WebSEAL will not respond to vouch-for requests.
# To be effective, all machines participating in the eCommunity should have
# this value set the same.
disable-ec-cookie = no

# When the following option is set to "yes" on the WebSEAL instance acting as
# the MAS, the MAS will respond locally to login failures, rather than
# redirecting the user back to the requesting slave WebSEAL instance.
handle-auth-failure-at-mas = no
2972
2973
2974[e-community-domain-keys]
2975# Keys for any domains that are participating in the e-community, including
2976# the domain in which the WebSEAL server is running. These are shared on a
2977# pair-wise-by-domain basis. The format of these entries is:
2978# <domain name> = <key file>
2979
2980[e-community-domains]
2981# These are the eCommunity cookie domains used by Virtual Host junctions. The
2982# domain used by a particular Virtual Host junction will be chosen by finding
2983# the longest domain in the table that matches the virtual hostname.
2984# Each of these domains must also have a corresponding table of keys defined
2985# by creating a stanza of the format [e-community-domain-keys:<domain>].
# The format of these entries is:
2987# name = <domain>
2988
2989#[e-community-domain-keys:<domain>]
2990# Keys for any domains that are participating in the e-community, including
2991# the domain in which the Virtual Host junction is running. These are shared
# on a pair-wise-by-domain basis. The format of these entries is:
2993# <domain name> = <key file>
2994
[ecsso-token-attributes]
#
# Credential attributes to include in eCSSO vouch-for tokens.
#
# This stanza defines the sets of attributes to be included in
# eCSSO vouch-for tokens, specified on a per-peer or
# per-domain basis. This processing only takes place if the
# default SSO token creation and consumption libraries are
# in use.
#
#
# Credential attributes matching the patterns specified in this stanza
# for a target host or domain are included in eCSSO vouch-for tokens
# constructed for that target host or domain. Only a single value for
# each attribute is used, and only string values are supported. Other
# types of credential attribute values will be ignored.
#
# Patterns can be specified using shell-style wildcards.
#
# The format of these entries is:
#
# <domain-name> = <pattern-1>
# <domain-name> = <pattern-2>
# <domain-name> = <pattern-n>
#
# For example:
#
# [ecsso-token-attributes]
# ibm.com = attrprefix_*
# ibm.com = *name*
# tivoli.com = *_attrsuffix
# tivoli.com = some_exact_attribute
#
# A default set of attributes can be configured with a '<default>'
# entry in this stanza. This set of attributes is used when there
# is no other entry matching a particular target host. If the '<default>'
# entry is not present, then no attributes will be included by default.
#
# For example:
#
# [ecsso-token-attributes]
# <default> = myattr*
# ibm.com = attrprefix_*
#
# If no credential attributes are required in eCSSO vouch-for tokens,
# then this stanza can remain empty.
#
# NOTE(review): every matching attribute is disclosed to the peer domain in
# the token, so keep patterns as narrow as possible; a '<default>' entry with
# a bare '*' pattern would send every string attribute of the credential to
# every peer. The stanza is empty on this instance, so nothing is sent.
#
3042
3043
[ecsso-incoming-attributes]
#
# Attributes to accept from incoming eCSSO vouch-for tokens.
#
# This stanza defines the sets of attributes to be accepted and rejected
# from incoming eCSSO vouch-for tokens. Unlike the outgoing
# attributes configuration, incoming attributes cannot be configured
# on a per-peer or per-domain basis. Only one set of attribute patterns
# can be configured, and these patterns will be applied to incoming
# tokens regardless of source. This processing only takes place if the
# default SSO token creation and consumption libraries are
# in use.
#
# The format of entries in this stanza is:
#
# <attribute pattern> = <preserve|refresh>
#
# Attributes in eCSSO vouch-for tokens that match a 'refresh' entry
# will be removed from the token before the CDMF library is called
# to map the remote user into the local domain. Attributes matching
# a 'preserve' entry, or matching none of the entries, will be kept.
# If no entries are configured, then all attributes will be kept.
#
# NOTE(review): this stanza is empty, so every attribute asserted by a peer
# domain is kept in the local credential as received. Any attribute that
# local authorization decisions depend on should have a 'refresh' entry so
# that it is dropped from the token and re-derived by the local CDMF mapping
# rather than trusted from the peer.
#
3067
3068
[reauthentication]
#----------------------
# REAUTHENTICATION
#----------------------

# Prompt users to reauthenticate if their entry in the WebSEAL
# credential cache has timed out due to inactivity
#
# If set to 'no', entries in the cache will be deleted when the
# inactivity timeout is reached.
#
# If set to 'yes', entries in the cache will be retained until the
# cache lifetime timeout is reached. If the inactivity timeout has
# been reached and the client makes another request before the cache
# lifetime timeout is reached, they will be prompted to reauthenticate.
#
# NOTE(review): with 'no', the [session]inactive-timeout is a hard idle
# limit: the cache entry is deleted rather than held for reauthentication.
reauth-for-inactive = no

# Should the authenticated credential be replaced with an unauthenticated
# credential for the processing of a request when the session becomes
# inactive? This configuration entry will control the user identity
# information which appears in the log file, and the user identity information
# which can be inserted into the HTTP stream, whilst the session is inactive.
# It will not affect the single-sign-on information (e.g. iv-creds) whilst
# the session is inactive.
replace-inactive-cred = yes

# Reset the lifetime timer for WebSEAL credential cache entries
# following successful reauthentication.
# This applies to reauthentication resulting from either inactivity or
# from security policy
reauth-reset-lifetime = no

# Time in seconds that the credential cache entry lifetime timer should
# be extended to allow clients to complete a reauthentication.
# A value of 0 indicates that the lifetime timer will not be extended.
# This applies to any clients who are required to log in who
# already have an existing cache entry, including clients stepping up and
# clients performing reauthentication resulting from either inactivity or
# from security policy.
reauth-extend-lifetime = 0

# When the user registry policy setting max-login-failures is set and the
# maximum number of reauthentication login failures is reached the login
# session will be terminated if this option is enabled.
terminate-on-reauth-lockout = yes

# This configuration entry will control whether a different authentication
# level/mechanism is allowed during a reauthentication operation. Please
# note that if the configuration option is set to 'yes' the credential
# could change during the lifetime of the session, potentially more than
# once.
#
# The default value, if no entry is specified, is 'no'.
reauth-at-any-level = no
3123
[eai]
#----------------------
# EXTERNAL AUTHENTICATION INTERFACE
#----------------------

# Enable EAI authentication.
#
# One of <http, https, both, none>
eai-auth = https

# EAI HEADER NAMES

# If eai-auth is not 'none', and WebSEAL has received a trigger URL
# in a request, WebSEAL will examine the corresponding server response for
# the following headers. These are the headers that will contain authentication
# data used to authenticate the user.
#
# NOTE(review): these headers are read from the junctioned server's
# response, so the trust boundary is the EAI application behind the
# [eai-trigger-urls] paths and the junction transport to it; a client
# cannot supply them directly. Renaming the headers does not change that
# boundary.

# EAI PAC header names
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc

# EAI USER ID header names
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs

# EAI external USER ID header names
# The eai-ext-user-id-header takes precedence over the eai-user-id-header.
# If the authentication data that is presented to WebSEAL includes both headers,
# WebSEAL will process it as an authentication for an external user.
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups

# EAI COMMON header names
eai-redir-url-header = am-eai-redir-url

# Determines whether the redirect URL contained within the EAI response takes
# priority over all other EAI redirect options. If set to true the redirect
# URL contained in the EAI response will take priority.
#
# NOTE(review): with 'yes' the post-authentication redirect target is taken
# from the EAI application's response header, so that application is
# trusted to choose where the client is sent.
eai-redir-url-priority = yes

# The name of the header which is used to 'flag' the authentication
# response with extra processing information. The supported flags
# (i.e. header values) include:
# - stream: Used to indicate that the authentication response should
# be streamed back to the client.
eai-flags-header = am-eai-flags

# The session identifier from a distributed session can also be supplied
# through the EAI interface. Upon receiving a header which contains the
# distributed session identifier, WebSEAL will retrieve the corresponding
# session and use this session for subsequent requests. This header
# provides the mechanism by which distributed sessions (aka DSC sessions)
# can be shared across multiple DNS domains.
eai-session-id-header = am-eai-session-id

# RETAIN EAI SESSION
# If an already-authenticated EAI client authenticates via an EAI a second
# time, the existing session and cache entry are completely replaced by
# default. If retain-eai-session = yes, then the existing session and
# cache entry will be retained, and the credential and relevant data will
# be updated in the existing cache entry.
retain-eai-session = yes

#
# The following entry determines, in the event of a subsequent EAI
# authentication, whether the new user identity must match the user
# identity from the previous authentication. In the situation where
# eai-verify-user-identity = yes, and the user identities do not
# match, an error will be presented to the user.
#
# NOTE(review): combined with retain-eai-session = yes above, 'no' means a
# second EAI authentication can change the user identity while keeping the
# same session and session cookie. If identity switching inside a session
# is not intended, set this to 'yes'.
#
eai-verify-user-identity = no

# The following configuration entry is used to determine whether multiple
# extended attribute headers of the same name are added to the credential as
# a multi-valued attribute, or a single comma-delimited attribute.
eai-create-multi-valued-attributes = no

# The following configuration entry is used to determine whether
# extended attributes replace credential attributes of the same name
# or are appended as additional values.
eai-replace-cred-attributes = no
3206
3207# EAI TRIGGER URLS
[eai-trigger-urls]
# If eai-auth is not 'none', then WebSEAL will examine the URLs of incoming
# requests to determine if they match one of the entries in this list.
# If they do, then WebSEAL will examine the corresponding server response to
# determine if it contains authentication data.
#
# NOTE: If eai-auth is not 'none', there must be at least one entry in this list
#
# The URL string patterns are case-sensitive wild card patterns.
#
# Format for regular WebSEAL junctions is:
# trigger = <URL pattern of EAI server response>
#
# Format for Virtual Host junctions is:
# trigger = HTTP[S]://virtual-host-name[:port]/<URL pattern of EAI server response>
#
# For Virtual Host junctions to match a trigger they must also have the same
# protocol (HTTP[S] = TCP/SSL) and have the same virtual-host-name & port as
# the trigger. The virtual-host-name match is case-insensitive.
#
# Regular WebSEAL junction triggers are not used by Virtual Host junctions.
# Virtual Host junction triggers are not used by regular WebSEAL junctions.
#
# NOTE(review): the entries below carry no host, so a response to a matching
# path on any standard junction is examined for EAI headers, not only the
# junction that serves the /mga application; confirm that /mga/sps is only
# served by the intended EAI application. The '/mga/sps/auth*' entry already
# matches the 'authservice/authentication*' and 'authsvc*' entries that
# follow it, so those two are redundant (harmless as far as this file shows).
trigger = /mga/sps/oauth/oauth20/session*
trigger = /mga/sps/auth*
trigger = /mga/sps/authservice/authentication*
trigger = /mga/sps/authsvc*
trigger = /mga/sps/apiauthsvc*
3235
3236
3237
[ssl-qop]
#----------------------
# SSL QUALITY OF PROTECTION MANAGEMENT
#----------------------

# Enable/Disable SSL Quality of Protection management
# When enabled, the cipher selections in the [ssl-qop-mgmt-hosts],
# [ssl-qop-mgmt-networks] and [ssl-qop-mgmt-default] stanzas below are
# presumably what governs client connections — confirm in the product guide.
ssl-qop-mgmt = yes

# Legal cipher values for qop in the following stanzas are:
# NONE, ALL, NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168,
# RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256
#
# Specific cipher names can also be used. This can be useful when the qop
# cipher group aliases above do not include a required cipher. When a cipher
# is enabled it will be used with all enabled versions of SSL & TLS that
# support the cipher.
# The following is a list of available cipher names:
# SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA,
# TLS_DHE_PSK_WITH_AES_128_CCM_8, TLS_DHE_PSK_WITH_AES_128_CCM,
# TLS_DHE_PSK_WITH_AES_256_CCM_8, TLS_DHE_PSK_WITH_AES_256_CCM,
# TLS_DHE_RSA_WITH_AES_128_CCM_8, TLS_DHE_RSA_WITH_AES_128_CCM,
# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CCM_8,
# TLS_DHE_RSA_WITH_AES_256_CCM, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
# TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
# TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
# TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_PSK_WITH_AES_128_CCM_8,
# TLS_PSK_WITH_AES_128_CCM, TLS_PSK_WITH_AES_256_CCM_8,
# TLS_PSK_WITH_AES_256_CCM, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
# TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
# TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
# TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
# TLS_RSA_WITH_AES_128_CCM_8, TLS_RSA_WITH_AES_128_CCM,
# TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
# TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CCM_8,
# TLS_RSA_WITH_AES_256_CCM, TLS_RSA_WITH_AES_256_GCM_SHA384,
# TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_MD5,
# TLS_RSA_WITH_NULL_NULL, TLS_RSA_WITH_NULL_SHA,
# TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA,
# TLS_RSA_WITH_NULL_SHA256, SSL_CK_RC4_128_WITH_MD5,
# SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5,
# SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5,
# SSL_CK_DES_192_EDE3_CBC_WITH_MD5, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
# TLS_ECDHE_RSA_WITH_NULL_SHA,
#
# NOTE(review): the list above is the full set of names the product accepts,
# not a recommendation. It includes NULL (no encryption), EXPORT-grade, RC4,
# single DES and SSLv2-era (SSL_CK_*) suites that only exist for backward
# compatibility. The selection actually in force on this instance is made in
# [ssl-qop-mgmt-default] below.
#
# Notes:
# - NONE = No SSL connection allowed.
# - NULL = Unencrypted SSL connection allowed.
# - ALL = All types of SSL connections allowed.
# - There may be multiple cipher/MAC made available to the connection
# for a given qop cipher selection. These will still have the same
# encryption bit strength, just different MAC methods (SHA1 or MD5).
# - RC2-128 is only available with SSLv2. If it is the only cipher selection
# webseald will disable SSLv3 and TLSv1 for the affected connection.
# - NULL, FIPS-DES-56, FIPS-DES-168, RC4-56, AES-128, and AES-256 are
# only available with SSLv3 and TLSv1. If they are the only ciphers
# available to a given connection, SSLv2 will be disabled for the
# affected connection.
# - AES Support is determined automatically by GSKit based on
# the base-crypto-library setting. AES-128 and AES-256 are only
# available if AES Support is enabled by GSKit, else they will be
# ignored.
# - FIPS-DES-56 and FIPS-DES-168 are only available when
# fips-mode-processing is enabled (set to yes), otherwise they will
# be ignored.
3308
3309# host ssl qop
[ssl-qop-mgmt-hosts]
# No per-host cipher selections are configured; presumably the
# [ssl-qop-mgmt-default] selection applies to every client host.
3311
3312# networks ssl qop
[ssl-qop-mgmt-networks]
# No per-network cipher selections are configured; presumably the
# [ssl-qop-mgmt-default] selection applies to every client network.
3314
3315# default ssl qop
[ssl-qop-mgmt-default]
# Cipher selection applied when no host or network entry matches.
# The 'default' key is repeated once per cipher alias; like the other
# multi-entry keys in this file (server, ssl-valid-server-dn, trigger) the
# entries presumably accumulate into a list, so this must not be read with
# a last-wins INI parser, which would keep only AES-256.
#
# Only the AES-128 and AES-256 aliases are selected, so none of the NULL,
# EXPORT, RC4 or DES suites listed in [ssl-qop] are offered here. Per the
# [ssl-qop] notes both aliases are ignored when GSKit AES support is off;
# what applies in that case is not stated in this file — confirm.
default = AES-128
default = AES-256
3319
[oauth]

# Enable authentication using Open Authorization (OAuth) mechanism.
# One of <http, https, both, none>
#
# The OAuth authentication mechanism should be considered only as part of a
# Mobile scenario, where a session can be established based on the Bearer
# token in the Authorization Header.
oauth-auth = https

# The Provider ID of the default OAuth federation. If a Provider ID is not
# provided in the request using the fed-id-param option, this provider ID will
# be used for OAuth requests. The Provider ID of a federation can be found on
# the federation properties page.
default-fed-id = https://localhost/sps/oauth/oauth20

# The name of the request parameter that can be used to override the
# default-fed-id option configured above. By deleting this configuration
# option, you can enforce that the default fed id is always used.
#
# NOTE(review): because this entry is present, the client can choose the
# federation used to validate its token via the 'FederationId' request
# parameter. If only the default federation should ever be consulted,
# remove this entry as described above.
fed-id-param = FederationId

# The name of the TFIM cluster which houses this OAuth service. There should
# also be a corresponding [tfim-cluster:<cluster>] stanza which contains the
# definition of the cluster.
cluster-name = oauth-cluster

# The name of the attribute within the RSTR response whose value is to be used
# as the user identity when creating the session credential.
user-identity-attribute = username

# By default the OAuth scope attribute is provided as a single comma separated
# string. By enabling this configuration option the scope attribute will instead
# be provided as a multivalue attribute.
multivalue-scope = false


# The following configurations can be used to authenticate the user with an
# alternative method. This allows external users to use oauth-auth.
#
# NOTE(review): with the three entries below present, the identity placed in
# the session comes entirely from the STS response (a PAC first, then an
# external user id that need not exist in the registry). The STS reached via
# [tfim-cluster:oauth-cluster] is therefore fully trusted for identity, which
# makes the server-identity checks in that stanza security-relevant.

# The name of the attribute within the RSTR response which contains a
# credential PAC. A PAC will take precedence over all other authentication data.
# Remove this configuration entry if you do not want to allow authentication to
# occur via a PAC.
pac-attribute = am-pac

# The name of the attribute within the RSTR response whose value is to be used
# as the user identity when creating the session credential. The supplied user
# identity is not expected to exist within the ISAM user registry. Remove this
# configuration entry if you do not want to allow authentication using an
# external user identity.
external-user-identity-attribute = am-ext-user-id

# The name of the attribute within the RSTR response which will contain group
# information for the external user.
external-group-attribute = am-ext-user-groups

# Should we continue processing the request, and try additional authentication
# mechanisms, if an invalid authorization header has been supplied with the request.
#
# NOTE(review): 'true' means an invalid bearer token does not fail the
# request; it falls through to the remaining mechanisms (for example the EAI
# triggers). Set this to false if a rejected token should fail closed.
# This stanza uses true/false where the rest of the file uses yes/no; the
# values are left as given since the accepted forms are parser-defined.
continue-on-auth-failure = true
3379
[tfim-cluster:oauth-cluster]

#
# This stanza contains definitions for a particular cluster of TFIM
# servers.
#

#
# A specification for the server which is used when communicating with a
# single TFIM server which is a member of this cluster. Values for this
# entry are defined as follows:
#
# {[0-9],}<URL>
#
# Where the first digit (if present) represents the priority of the server
# within the cluster (9 being the highest, 0 being lowest). If the priority
# is not specified, a priority of 9 is assumed. The <URL> can be any
# well-formed HTTP or HTTPS URL.
#
# Multiple server entries can be specified for failover and load balancing
# purposes. The complete set of these server entries defines the
# membership of the cluster for failover and load balancing.
#
# server = 9,http://tfim.example.com/TrustServerWST13/services/RequestSecurityToken
#
# NOTE(review): the STS is addressed by IP literal over HTTPS. The server
# certificate is checked against the key database named in ssl-keyfile, but
# because ssl-valid-server-dn (further down) is not set, any certificate DN
# that database trusts is accepted — see the note at that entry.
server = 9,https://192.168.42.194:443/TrustServerWS/SecurityTokenServiceWST13


#
# The maximum number of cached handles, used when communicating with TFIM.
#
handle-pool-size = 10

#
# The length of time, in seconds, before an idle handle will be removed
# from the handle pool cache.
#
handle-idle-timeout = 240

#
# The length of time, in seconds, to wait for a response from TFIM.
#
timeout = 240

#
# The following configuration entries are optional and can be used if the TFIM
# server has been configured to require basic authentication. If these
# entries are left blank no basic authentication header will be provided when
# communicating with the TFIM server.
#
#
# The name of the user for the basic authentication header.
#
basic-auth-user = easuser

#
# The following SSL entries are optional and are only required if:
# 1. At least one server entry indicates that SSL is to be used (i.e.
# starts with https:)
# 2. A certificate is required other than that which is used by this server
# when communicating with the policy server (details of the
# default certificate can be found in the [ssl] stanza of this
# configuration file).
#
# If these entries are required and are not found within this stanza, the
# default [ssl] stanza will be searched.
#
#
# The name of the key database file which houses the client certificate to be
# used.
#
# ssl-keyfile =

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

ssl-keyfile = pdsrv.kdb

#
# The name of the password stash file for the key database file.
#
# ssl-keyfile-stash =

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

ssl-keyfile-stash = pdsrv.sth

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file. If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.
#
# The literal value below is the placeholder written by the product; the
# real password is held in the obfuscated database, not in this file.

basic-auth-passwd = **obfuscated**

#
# The label of the client certificate within the key database.
#
# ssl-keyfile-label =

#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted. If no entry is configured
# all DN's will be considered to be valid. Multiple DN's can be specified by
# including multiple configuration entries of this name.
#
# NOTE(review): left unset on this instance, so the STS is not pinned to a
# specific certificate subject. Since the [oauth] stanza accepts the user
# identity (and a PAC) from this server's responses, configuring the
# expected DN here is the straightforward hardening step; the exact DN must
# be taken from the STS certificate (placeholder below).
# ssl-valid-server-dn = <DN-of-STS-certificate>
#
# ssl-valid-server-dn =

#
# The entry controls whether FIPS communication is enabled with TFIM or
# not. If no configuration entry is present the global FIPS setting (as
# determined by the TAM policy server) will take effect.
#
# ssl-fips-enabled =
3499
3500
3501
3502##################################
3503# SESSION
3504##################################
3505[session]
3506
3507#----------------------
3508# SESSION CACHE SETTINGS
3509#----------------------
3510
3511# The maximum number of concurrent entries in the credential cache
3512# This corresponds to the number of concurrent logins. The value
3513# WebSEAL actually uses might be slightly more than what is specified here.
3514# Refer to the WebSEAL Administration Guide for details. To customise this
3515# value for authenticated or unauthenticated sessions simply add an
3516# additional configuration entry, prefixed by 'auth' or 'unauth', e.g.
3517# unauth-max-entries = 1024
3518max-entries = 4096
3519
3520# Maximum lifetime (in seconds) for an entry in the credential cache
# Setting this to zero allows entries in the cache to accumulate without expiry until the
3522# cache contains the number of entries specified by max-entries. After that
3523# point, entries are expired according to a least recently used algorithm.
3524# To customise this value for authenticated or unauthenticated sessions
3525# simply add an additional configuration entry, prefixed by 'auth' or
3526# 'unauth', e.g.
3527# unauth-timeout = 600
3528
3529timeout = 3600
3530
3531# Lifetime (in seconds) of inactive entries in the credential cache.
3532# To disable, set to 0. To customise this value for authenticated or
3533# unauthenticated sessions simply add an additional configuration entry,
3534# prefixed by 'auth' or 'unauth', e.g.
3535# unauth-inactive-timeout = 300
3536
3537inactive-timeout = 600
3538
3539# Use the temp-session-max-lifetime entry to set the maximum lifetime (in seconds)
3540# of entries in the temporary session cache.
3541#
3542# The temporary session cache is a short-lived session cache. WebSEAL
3543# uses this cache to create an intermediate session mapping when switching between
3544# different client contexts that share the same persistent cookie jar. For example,
3545# when sharing a session between Internet Explorer and Microsoft Office
3546# applications.
3547#
3548# To disable the use of the temporary session cache, set the value of this entry to 0.
3549# A value of 0 effectively disables session sharing between different client contexts.
3550temp-session-max-lifetime = 0
3551
3552# The temp-session-one-time-use configuration entry controls whether an entry
3553# which is in the temporary session cache can be accessed a single time only,
3554# or whether it can be accessed multiple times. If this configuration entry
3555# is set to false the session will need to time out (based on the
3556# temp-session-max-lifetime configuration entry) before the session entry is
3557# invalidated and removed from the cache.
3558temp-session-one-time-use = false
3559
3560# The temp-session-cookie-name entry is used to identify a temporary session cookie
3561# created for allowing session sharing between different client contexts.
3562#
3563# This temporary cookie name will be set as part of the initial response to a
3564# /pkmstempsession management page request and read subsequently off the next
3565# request coming into WebSEAL.
3566#
3567# This entry should be used in conjunction with a positive value in temp-session-max-lifetime
3568# entry described above.
3569temp-session-cookie-name = PD-H-TMP-SESSION-ID
3570
3571# The temp-session-overrides-unauth-session configuration entry is used to
3572# control the precedence if both a temporary session cookie and a 'real'
# session cookie are provided in a request. A value of yes would mean that
3574# a temporary session would take precedence over an existing unauthenticated
3575# session (but not an authenticated session), and a value of no would mean
3576# that the temporary session cookie would be ignored.
3577temp-session-overrides-unauth-session = no
3578
3579#----------------------
3580# SSL CLIENT SESSIONS
3581#----------------------
3582
3583# Use the SSL ID to maintain a user's HTTPS login session.
3584ssl-id-sessions = no
3585
3586#----------------------
3587# SHARING SESSIONS
3588#----------------------
3589
3590# Use the same session for SSL and HTTP clients. This means that a client
3591# having authenticated via HTTP will still be authenticated when connecting
3592# via HTTPS and vice versa.
3593#
3594# A consequence of setting this to 'yes' is that the ssl-id-sessions
3595# parameter will be ignored, because HTTP clients cannot use the SSL ID
3596# to maintain sessions.
3597use-same-session = no
3598
3599# Enable a cookie based session to be shared across all standard and virtual
3600# host junctions on a single WebSEAL instance. This is achieved through
3601# enabling the WebSEAL instance to store a single session key as an
3602# independent value in a multi-valued domain cookie, indexed by the instance
3603# name. The domain cookie itself is shared across all participating WebSEAL
3604# instances, but the session values are specific to each instance.
3605#
3606# If WebSEAL exists in an environment where the DSC already handles single
3607# sign-on across domains, do not enable this configuration item.
3608# shared-domain-cookie = yes
3609
3610#----------------------
3611# SESSION COOKIE NAMES
3612#----------------------
3613
3614# These parameters control the names of the cookies WebSEAL will use for
3615# session IDs. The names of the cookies should be alphanumeric, and each
3616# cookie must have a different name. To use the same cookie for both TCP
3617# and SSL connections use the [session]use-same-session configuration
3618# option.
3619tcp-session-cookie-name = PD-H-SESSION-ID
3620ssl-session-cookie-name = PD-S-SESSION-ID
3621
3622#----------------------
3623# SENDING SESSION COOKIES
3624#----------------------
3625
3626# Send the WebSEAL cookies with every response. Use in environments where:
3627# 1) Cookies are used to maintain sessions with clients
3628# 2) Applications place many in-memory cookies per domain on client systems.
3629# This helps ensure that the WebSEAL cookies remain in the browser memory in
3630# such environments.
3631resend-webseal-cookies = no
3632
3633# Remove the WebSEAL session cookie on logout
3634logout-remove-cookie = no
3635
3636# Should the original session cookie be sent to junctioned Web servers along
3637# with the current session cookie? This configuration entry will only
3638# take effect if the current session cookie is being sent down the
3639# junction, as defined by the '-k' junction create flag. The name used for
3640# this session cookie will be based on the name of the current session cookie,
3641# appended with '_2'. For example, if tcp-session-cookie-name is set as
3642# 'PD-H-SESSION-ID', the name of the original session cookie will be
3643# 'PD-H-SESSION-ID_2'.
3644send-constant-sess = no
3645
3646#----------------------
3647# USER SESSION IDS
3648#----------------------
3649# Enable/disable the creation and handling of user session ids.
3650user-session-ids = yes
3651
3652# Include the replica set name in the user session ID. If set to "yes"
3653# then the user-session-id will include the replica set. If set to "no"
3654# then WebSEAL will not include the replica set in the user-session-id,
3655# and will assume that all user-sessions specified in the "terminate session"
3656# command belong to the standard junction replica set.
3657user-session-ids-include-replica-set = yes
3658
3659#----------------------
3660# DISTRIBUTED SESSION MANAGEMENT
3661#----------------------
3662# These entries together with the "dsess" stanza control how WebSEAL uses the
3663# DSC to store and manage sessions.
3664
3665# Enable/disable use of the DSC. If this is set to yes the "dsess" stanza
3666# must have information about how to communicate with the DSC.
3667dsess-enabled = no
3668
3669# If set to "yes", then WebSEAL will use the DSC to make sure that users
3670# do not have more sessions than the max-concurrent-web-sessions policy
3671# allows. If set to "no" WebSEAL will not enforce the policy. This
3672# entry is ignored unless WebSEAL is using the DSC for session storage.
3673enforce-max-sessions-policy = yes
3674
3675# If set to "yes" then WebSEAL will prompt users before automatically
3676# displacing old sessions using the same user-id. If set to "no" then
3677# WebSEAL will automatically log out the old sessions. This entry
3678# only applies when the max-concurrent-web-sessions policy for the user
3679# is set to 'displace'.
3680prompt-for-displacement = yes
3681
3682# The frequency with which WebSEAL will update the session last
3683# access time at the DSC. This value is only used if reauth-for-inactive
3684# is set to yes. Smaller values offer more accurate inactivity
3685# timeout tracking, at the expense of sending updates to the DSC
3686# more frequently. Values of less than 1 second are not permitted.
3687#
3688# Example: if inactive-timeout is 600 seconds and
3689# dsess-last-access-update-interval is 60 seconds, the user's session may
3690# be flagged as 'inactive' at the DSC anywhere between 540 seconds and
3691# 600 seconds after their last access to the WebSEAL server.
3692dsess-last-access-update-interval = 60
3693
3694# The DSC replica set to use for sessions created when users access standard
3695# WebSEAL junctions. Virtual host junctions will use the replica set
3696# specified with the "-z" option when the virtual host junction is
3697# created.
3698standard-junction-replica-set = default
3699
3700# Require Multiplexing Proxy Agent for HTTP Header Session Keys and
3701# HTTP Header authentication tokens.
3702#
3703# The use of an HTTP header as a session identifier or as an authentication
3704# token carries a measure of risk that the header can be spoofed or stolen.
3705# It is strongly recommended that headers only be accepted when proxied
3706# through an authenticated channel. A 'yes' setting means that HTTP headers
3707# will not be valid session keys or authentication tokens unless received via
3708# an MPA. Please see the WebSEAL Administration Guide for more details
3709# regarding MPAs.
3710require-mpa = no
3711
3712# Should sessions be established for access to unprotected resources? This
3713# configuration item is useful when a consistent session identifier is
3714# required for clients as they transition from unauthenticated to
3715# authenticated.
3716create-unauth-sessions = no
3717
3718#
3719# In some circumstances, you might not want the requests for a particular
3720# resource to affect the inactivity timeout for a session. For example, you
3721# might want to preserve the inactivity timeout when a server is polled by
3722# an Ajax script running in the background of a client browser.
3723#
3724# The following configuration entry can be used to designate the resources
3725# which, when accessed, should not impact the inactivity timeout for the
3726# session.
3727#
3728# A comparison will be performed against either the full HTTP request line or
3729# the decoded URI (controlled by the preserve-inactivity-timeout-match-uri
3730# configuration entry). If a match is found the inactivity timeout for the
3731# session will not be affected by the request.
3732#
3733# If a pattern has been specified using this configuration entry the legacy
3734# preserve-inactivity-time POP functionality will be disabled.
3735#
3736# Multiple patterns can be specified by including multiple configuration entries
3737# of the same name.
3738#
3739# You also have the option of matching a request using a host header, useful
3740# when selectively enabling this functionality for a particular virtual host
3741# junction. To selectively match an entry based on a particular host header
3742# the configuration entry should be prepended with the string: [<host>].
3743#
3744# Example:
3745# preserve-inactivity-timeout = /jct/robot/*
3746# preserve-inactivity-timeout = [www.ibm.com]/robot/*
3747#
3748preserve-inactivity-timeout =
3749
3750#
3751# The following configuration entry is used to control whether the
3752# patterns specified by the preserve-inactivity-timeout configuration entry
3753# are matched against the decoded URI from the request, or against the full
3754# request line. The match will take place against the decoded URI if this
3755# configuration entry is set to true, otherwise the match will take place
3756# against the full request line.
3757#
3758preserve-inactivity-timeout-match-uri = true
3759
3760#
3761# The following configuration entry is used to designate the
3762# client identifier for the session. This identifier will be
3763# added to the credential as the 'client_identifier' attribute
3764# and will be validated on subsequent requests to ensure that
3765# the client does not change.
3766#
3767# The supported options for this configuration entry include:
3768# CLIENT_IP: The client IP address from the network
3769# connection will be used as the identifier.
3770# HTTPHDR{<name>}: The contents of the HTTP header, identified
3771# by '<name>', will be used as the client
3772# identifier. If the HTTP header is missing on
3773# the initial request no identifier will be added
3774# for the session. For example:
3775# HTTPHDR{X-Forwarded-For}
3776#
3777# Please note that if failover cookies are used the 'client_identifier'
3778# credential attribute should be added to the
3779# [failover-add-attributes] and [failover-restore-attributes] stanzas
3780# so that the client identifier can persist across a failover event.
3781#
3782
3783client-identifier =
3784
3785[session-http-headers]
# NOTE(review): 'Authorization' is configured below as an https session key
# while require-mpa above is set to 'no', so a value presented in this header
# is accepted as a session key without having passed through an MPA. Confirm
# that this is intended; see the require-mpa comments above regarding spoofed
# or stolen headers.
3786Authorization = https
3787#----------------------
3788# HTTP HEADER SESSION KEYS
3789#----------------------
3790#
3791# List any HTTP headers which will contain a session key on a per-transport
3792# basis. The same header can be listed for both transports if desired.
3793#
3794# Only the first matching header found in a request will be used.
3795#
3796# If ssl-id-sessions = yes, then this stanza will be ignored.
3797# The exception to this is if MPA support is enabled.
3798#
3799# WebSEAL will first look for a session cookie before continuing to look
3800# for HTTP headers from this list.
3801#
3802# The use of http headers as session keys is affected by the setting of
3803# require-mpa, see the comments above the require-mpa entry for more
3804# information.
3805#
3806# This list should contain no more than 20 entries per transport.
3807# Do not include the colon (:)
3808#
3809# Format is one of:
3810# <header> = http
3811# <header> = https
3812
3813##################################
3814# REPLICA SETS
3815##################################
3816[replica-sets]
3817# If WebSEAL is configured to use the DSC for session storage the
3818# WebSEAL server will join each of the replica sets listed in this
3819# stanza. The entries listed here must be replica sets configured
3820# on the DSC.
# NOTE(review): no replica-set entries are defined here, while
# standard-junction-replica-set above names 'default'. If DSC session
# storage is enabled for this instance, confirm whether 'default' must be
# listed in this stanza.
3821
3822# Example entries:
3823# replica-set = <replica-set-one>
3824# replica-set = <replica-set-two>
3825
3826##################################
3827# DISTRIBUTED SESSIONS
3828##################################
3829[dsess]
3830
3831# The maximum number of session IDs that are pre-allocated within the replica
3832# set. This configuration parameter will not affect WebSEAL performance
3833# and should not be modified.
3834
3835dsess-sess-id-pool-size = 125
3836
3837#
3838# The name of the DSC cluster to which this DSC server belongs.
3839# This field must be defined and reference an existing dsess-cluster stanza
3840# qualified by the value of this entry.
3841#
# NOTE(review): dsess-cluster-name is left commented out even though the
# note above says it must be defined. Presumably DSC session storage is not
# enabled for this instance; confirm before relying on distributed sessions.
3842#
3843# dsess-cluster-name = dsess
3844
3845[dsess-cluster]
3846
3847#
3848# The dsess-cluster stanza contains all of the defaults for a definition of
3849# a cluster of DSC (distributed session) servers.
3850#
3851

3852#
3853# A specification for a single DSC server which is a member of this
3854# cluster. Values for this entry are defined as follows:
3855#
3856# {[0-9],}<URL>
3857#
3858# Where the first digit (if present) represents the priority of the server
3859# within the cluster (9 being the highest, 0 being lowest). If the priority
3860# is not specified, a priority of 9 is assumed. The <URL> can be any
3861# well-formed HTTP or HTTPS URL.
3862#
3863# Multiple server entries can be specified for failover and load balancing
3864# purposes. The complete set of these server entries defines the
3865# membership of the cluster.
3866#
3867# server = 9,http://sms.example.com/DSess/services/DSess
3868
3869
3870#
3871# The length of time to maintain a connection to the web service while
3872# waiting for session broadcast events.
3873#
3874

3875response-by = 60
3876
3877#
3878# The maximum number of cached handles, used when communicating with the DSC.
3879#
3880

3881handle-pool-size = 10
3882
3883#
3884# The length of time, in seconds, before an idle handle will be removed
3885# from the handle pool cache.
3886# It should not be larger than the HTTP Transport chain persistent timeout
3887# configured on the server which is running the DSC.
3888#
3889

3890handle-idle-timeout = 30
3891
3892#
3893# The length of time, in seconds, to wait for a response from the DSC.
3894#
3895

3896timeout = 30
3897
3898#
3899# The following configuration entries are optional and can be used if the DSC
3900# has been configured to require basic authentication. If these entries are
3901# left blank no basic authentication header will be provided when communicating
3902# with the DSC.
3903#
3904#
3905# The name of the user for the basic authentication header.
3906#
3907# basic-auth-user = <user>
3908#
3909# The password to be used for the basic authentication header.
3910#
3911# basic-auth-passwd = <password>
# NOTE(review): if basic-auth-passwd is enabled the credential is stored in
# cleartext in this file; keep the file's permissions restricted and prefer
# an https server entry so the header is not sent over plain HTTP.
3912#
3913# The following SSL entries are optional and are only required if:
3914# 1. At least one server entry indicates that SSL is to be used (i.e.
3915# starts with https:)
3916# 2. A certificate is required other than that which is used by this server
3917# when communicating with the policy server (details of the
3918# default certificate can be found in the [ssl] stanza of this
3919# configuration file).
3920#
3921# If these entries are required and not found within the [dsess-cluster]
3922# stanza, the default [ssl] stanza will be searched.
3923#
3924#
3925# The name of the key database file which houses the client certificate to be
3926# used.
3927#
3928

3929# The following files are currently available for this configuration entry:
3930# - pdsrv.kdb
3931# - lmi_trust_store.kdb
3932# - rt_profile_keys.kdb
3933# - embedded_ldap_keys.kdb
3934

3935ssl-keyfile =
3936
3937#
3938# The name of the password stash file for the key database file.
3939#
3940

3941# The following files are currently available for this configuration entry:
3942# - rt_profile_keys.sth
3943# - lmi_trust_store.sth
3944# - embedded_ldap_keys.sth
3945# - pdsrv.sth
3946

3947ssl-keyfile-stash =
3948
3949#
3950# The label of the client certificate within the key database.
3951#
3952ssl-keyfile-label =
3953
3954#
3955# This configuration entry specifies the DN of the server (obtained from the
3956# server SSL certificate) which will be accepted. If no entry is configured
3957# all DNs will be considered to be valid. Multiple DNs can be specified by
3958# including multiple configuration entries of this name.
3959#
# NOTE(review): while this is unset any DN presented by the DSC server
# certificate is accepted; set it whenever an https server entry is used so
# that only the intended DSC server is trusted.
3960# ssl-valid-server-dn =
3961
3962#
3963# The entry controls whether FIPS communication is enabled with the DSC or
3964# not. If no configuration entry is present the global FIPS setting (as
3965# determined by the TAM policy server) will take effect.
3966#
3967# ssl-fips-enabled =
3968

3969# Configure NIST SP800-131A compliance mode. This will have the effect of:
3970# - enabling FIPS mode processing (overriding the value of the
3971# ssl-fips-enabled configuration entry);
3972# - enabling TLS V1.2;
3973# - enabling the appropriate signature algorithms;
3974# - setting the minimum RSA key size to 2048 bytes.
3975#
3976# If no configuration entry is present the global NIST setting (as found in
3977# the [ssl] stanza) will be used.
3978#
3979# ssl-nist-compliance = no
3980

3981#
3982# Specify any additional GSKit attributes which should be used when
3983# initializing an SSL connection with the DSC. A complete list of
3984# the available attributes is included in the GSKit SSL API documentation.
3985#
3986# The configuration entry may be specified multiple times, one for each
3987# GSKit attribute. The entry should be of the format:
3988# gsk-attr-name = <type>:<id>:<value>
3989#
3990# - where <type> is one of 'enum', 'string', 'number'
3991# and <id> corresponds to the identity associated with a GSKit attribute
3992# (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
3993#
3994# An example configuration could be:
3995# gsk-attr-name = string:225:proxy.ibm.com
3996#
3997
3998
3999[dsess-cluster:dsess]
4000
4001#
4002# This stanza will define the cluster of DSC servers associated with the
4003# configuration defined in the default [dsess] stanza (above).
4004#
4005# See the [dsess-cluster] stanza above for a definition of valid entries
4006# and their associated values.
4007#
# NOTE(review): no server entries are defined here, which matches the
# commented-out dsess-cluster-name in [dsess]; this cluster definition
# appears to be unused by the current configuration.
4008
4009
4010##################################
4011# SESSION COOKIE DOMAINS
4012##################################
4013[session-cookie-domains]
4014
4015# Normally WebSEAL session cookies are 'host' cookies which browsers
4016# only return to the host that originally set them. This stanza
4017# can be used to configure 'domain' session cookies that may be sent
4018# to any host in a particular DNS domain. Review the WebSEAL
4019# documentation and understand the security implications of domain
4020# session cookies before enabling any entries in this stanza.
# NOTE(review): no domain entries are configured, so session cookies remain
# host-scoped as described above. Keep it that way unless a documented
# cross-host requirement exists.
4021

4022# Format is:
4023# domain = example.com
4024# domain = otherdomain.com
4025# ...
4026
4027
4028
4029##################################
4030# CONTENT
4031##################################
4032[content]
4033

4034# The utf8-template-macros-enabled option controls how standard WebSEAL files,
4035# such as login.html, have data inserted into them when %MACRO% strings are
4036# encountered. If you have modified your WebSEAL html charset value to be the
4037# local code page, and not UTF-8, then set this option to "no". This affects
4038# the files served from the error-dir and mgt-pages-root directories
# (configured below).
4039utf8-template-macros-enabled = yes
4040
4041#----------------------
4042# ACCOUNT MANAGEMENT PAGES
4043#----------------------
4044[acnt-mgt]
4045

4046# Standard login form
4047login = login.html
4048

4049# Page displayed after successful login
4050login-success = login_success.html
4051

4052# Page displayed after successful logout
4053logout = logout.html
4054

4055# Page displayed if user authentication failed due to a locked account
4056account-locked = acct_locked.html
4057

4058# Page displayed if user authentication failed due to the account being
4059# inactivated by the underlying registry policy, rather than TAM policy.
4060account-inactivated = acct_locked.html
4061

4062# Page displayed if user authentication failed due to an expired password
4063passwd-expired = passwd_exp.html
4064

4065# Page displayed if user authentication warns the password is soon to expire
4066passwd-warn = passwd_warn.html
4067

4068# Page displayed if warning password change request failed
4069passwd-warn-failure = passwd_warn.html
4070

4071# Change password form
4072passwd-change = passwd.html
4073

4074# Page displayed if password change request was successful
4075passwd-change-success = passwd_rep.html
4076

4077# Page displayed if password change request failed
4078passwd-change-failure = passwd.html
4079

4080# Page containing links to valid administration pages
4081help = help.html
4082

4083# Token login form
4084token-login = tokenlogin.html
4085

4086# Next-token form
4087next-token = nexttoken.html
4088

4089# Certificate login form.
4090# This is only used if accept-client-certs = prompt_as_needed.
4091certificate-login = certlogin.html
4092

4093# Step-up authentication login form
4094stepup-login = stepuplogin.html
4095

4096# Switch user management form
4097switch-user = switchuser.html
4098

4099# Page displayed if a client fails to authenticate with
4100# a certificate and certificates are necessary.
4101cert-failure = certfailure.html
4102

4103# Page displayed if a client attempts to step up to certificates over http
4104cert-stepup-http = certstepuphttp.html
4105

4106# Page displayed when a user has too many concurrent sessions and
4107# must either cancel their new login or terminate the other sessions.
4108too-many-sessions = too_many_sessions.html
4109

4110# Page displayed to handle HTML redirections.
4111html-redirect = redirect.html
4112

4113# Page displayed if a redirect is not supplied to the pkmstempsession
4114# resource.
4115temp-cache-response = temp_cache_response.html
4116

4117#-----------------------------
4118# ACCOUNT EXPIRY NOTIFICATION
4119#-----------------------------
4120# The following configuration option will determine whether a user with
4121# an invalid/expired account will be notified as such on an attempted login,
4122# or if he/she will receive the same message as if invalid authentication
4123# information (i.e. an invalid username, password, or client certificate)
4124# had been submitted.
# NOTE(review): 'no' keeps the failure response identical for expired and
# invalid accounts, which avoids disclosing account state to the client.
4125account-expiry-notification = no
4126

4127#----------------------
4128# AUTHORIZATION ERRORS
4129#----------------------
4130

4131# By default, WebSEAL will return the standard 'Forbidden' page for
4132# all authorization failures.
4133

4134# If client-notify-tod = yes, clients failing a time-of-day
4135# POP access check will be sent a specific error page informing them
4136# of the reason for their authorization failure.
4137client-notify-tod = no
4138

4139#---------------------
4140# Change Password Authentication
4141#---------------------
4142# Enable this option to allow users to authenticate when changing a password.
4143# If a user's password is expired, and this option is on, then WebSEAL will
4144# authenticate the user with the expired password, change the password,
4145# and ensure that the user remains authenticated. This is helpful in failover
4146# situations where the user may be served the password change form from one
4147# WebSEAL replica, but the form posts to another replica where the user's
4148# session does not exist.
4149change-password-auth = no
4150

4151#----------------------
4152# AUTOMATIC REDIRECT
4153#----------------------
4154# Page to which users are automatically redirected after completing a successful
4155# authentication. The configured URL can contain special macros which will
4156# allow dynamic substitution of information from WebSEAL.
4157#
4158# The supported macros include:
4159# %AUTHNLEVEL% Level at which the session is currently authenticated.
4160# %HOSTNAME% Fully qualified host name.
4161# %PROTOCOL% The client connection protocol used. Can be HTTP or HTTPS.
4162# %URL% The original URL requested by the client.
4163# %USERNAME% The name of the logged in user.
4164# %HTTPHDR{<name>}% The value of the specified HTTP header.
4165# %CREDATTR{<name>}% The value of the specified credential attribute.
4166#
4167# The format can either be an absolute URL or server relative URL and can
4168# include macro information as listed above:
4169# login-redirect-page = http://www.ibm.com/
4170# login-redirect-page = /jct/page.html
4171# login-redirect-page = /jct/page.html?url=%URL%&hdr=%HTTPHDR{Host}%
4172

4173#--------------------------
4174# HTML REDIRECTION
4175#--------------------------
4176# Enable this option to use HTML to handle redirections.
4177#
4178# WebSEAL typically provides a 302 redirection in cases such as when a user
4179# successfully authenticates. Many AJAX applications do not behave correctly
4180# when this happens as any HTTP fragments are lost.
4181#
4182# Enabling this configuration item will cause WebSEAL to send a 200
4183# response to the client instead of a 302. The page which contains the
4184# HTML redirection is defined by the html-redirect configuration entry
4185# within this stanza.
4186#
4187# This configuration item cannot be used in conjunction with
4188# login-redirect-page.
4189enable-html-redirect = no
4190

4191#--------------------------
4192# LOCAL RESPONSE REDIRECTS
4193#--------------------------
4194# Enable/disable sending a redirect instead of serving management or error
4195# pages from the local system.
4196#
4197# The local-response-redirect-uri parameter must be set in order for this
4198# option to function.
4199#
4200# This configuration item may be customized for a particular junction
4201# by adding the adjusted configuration item to a [acnt-mgt:{jct-id}] stanza,
4202# where '{jct-id}' refers to the junction point for a standard junction
4203# (include the leading '/'), or the virtual host label for a virtual host
4204# junction.
4205enable-local-response-redirect = no
4206

4207#---------------------------
4208# PKMSLOGOUT FILENAME
4209#---------------------------
4210# Set this parameter to 'yes' to allow the specification of a custom
4211# response file to be displayed to users upon logging out in a query string
4212# appended to the pkmslogout URL. e.g. /pkmslogout?filename=<name>
4213# By default, this parameter is set to 'no' to cause any such query string to be
4214# ignored.
4215use-filename-for-pkmslogout = no
4216

4217# The following option can be disabled to loosen the restrictions normally
4218# enforced on the name of the /pkmslogout custom response file. When set to
4219# 'no' only '/', '\', characters outside of the ASCII range 0x20 - 0x7E, and
4220# filenames that begin with '.' will be disallowed.
4221use-restrictive-logout-filenames = yes
4222

4223#-----------------------------
4224# ALLOW UNAUTHENTICATED LOGOUT
4225#-----------------------------
4226# Set this parameter to 'yes' to allow unauthenticated users to be able
4227# to request the pkmslogout resource. If this parameter is set to 'no'
4228# an unauthenticated user will be requested to authenticate before the
4229# pkmslogout resource is returned.
4230allow-unauthenticated-logout = yes
4231

4232# WebSEAL can be enabled to recognise a warning from LDAP user registries
4233# that indicates the password will expire soon. The amount of time left is
4234# placed into the credential as an attribute. If this option is enabled
4235# WebSEAL will look for the expire attribute and, if detected, will present
4236# an optional password change form to the user after a successful login. The
4237# [ldap] option, enhanced-pwd-policy, must also be enabled for this to operate.
4238enable-passwd-warn = no
4239

4240# The following option can be used to insert custom headers whenever
4241# WebSEAL returns a custom response to the client. The format of the
4242# configuration entry should be:
4243# http-rsp-header = <header-name>:<macro>
4244#
4245# Where:
4246# <header-name> is the name of the header which will hold the value;
4247# <macro> is the type of value which is to be inserted, one
4248# of either TAM_OP, AUTHNLEVEL, ERROR_CODE, ERROR_TEXT,
4249# CREDATTR{<name>}, USERNAME, TEXT{<value>}.
4250#
4251# As an example, to include the TAM error code in a response header named
4252# tam-error-code:
4253# http-rsp-header = tam-error-code:ERROR_CODE
4254#
4255# To include a static header in a response header name X-Frame-Options:
4256# http-rsp-header = x-frame-options:TEXT{DENY}
4257#
4258# The configuration entry may be specified multiple times, one for each
4259# header which is to be included in the response.
4260#
# NOTE(review): per the comment above these headers are added only to
# WebSEAL's own custom responses, not to content returned from junctions.
# X-XSS-Protection is deprecated in current browsers and TEXT{1} enables the
# legacy filter without 'mode=block'; current guidance is to send 0 or omit
# the header - confirm against the supported browser set. DENY together with
# frame-ancestors 'none' is consistent.
4261http-rsp-header = x-frame-options:TEXT{DENY}
4262http-rsp-header = content-security-policy:TEXT{frame-ancestors 'none'}
4263http-rsp-header = x-content-type-options:TEXT{nosniff}
4264http-rsp-header = x-xss-protection:TEXT{1}
4265

4266#-----------------------------
4267# BACK-END SERVER SINGLE SIGN-OFF
4268#-----------------------------
4269# When a user's session is terminated in WebSEAL, any sessions that may exist
4270# on back-end application servers are not destroyed. When this item is
4271# configured, WebSEAL will send a request to the configured URIs including
4272# any configured headers and cookies for the junction point on which it resides.
4273# The backend application can use this information to terminate any sessions
4274# for that user.
4275#
4276# Multiple URIs can be specified by including multiple single-signoff-uri
4277# configuration entries.
4278#
4279# The configured URI must reside on a standard junction. For example:
4280# single-signoff-uri = /app/logout.asp
4281#
4282# single-signoff-uri =
# NOTE(review): assumes /mga is a standard junction as the comment above
# requires - confirm against the junction definitions.
4283single-signoff-uri = /mga/sps/oauth/oauth20/logout
4284

4285# It is possible to enforce validation of a secret token for certain account
4286# management pages to protect against CSRF-style attacks. If this functionality
4287# is enabled a secret token will be added to each session, and this token will
4288# be validated against the 'token' query argument for selected management
4289# requests. For example, the request to '/pkmslogout' would change to
4290# '/pkmslogout?token=<value>'. If the token is missing, or does not match
4291# the token contained within the session, an error page will be returned to
4292# the client.
4293#
4294# This configuration option will affect the following management requests:
4295# - /pkmslogin.form
4296# - /pkmslogout
4297# - /pkmslogout_nomas
4298# - /pkmssu.form
4299# - /pkmsskip
4300# - /pkmsdisplace
4301#
4302# In an eCSSO environment it is essential that the tagvalue_session_index
4303# attribute is included in the vouchfor token so that the different sessions
4304# can share the same token. This is required for the redirected logout which
4305# will take place when a session is logged out.
4306#
4307# Change the value of the enable-secret-token-validation configuration to
4308# true in order to enable this validation functionality.
# NOTE(review): with this set to false and allowed-referers (below) commented
# out, neither of the CSRF mitigations this stanza offers for the management
# requests listed above is active. Enable at least one of them; the comment
# below names 'allowed-referers = %HOST%' as the documented default.
4309enable-secret-token-validation = false
4310

4311# It is also possible to enforce validation of the HTTP Request referer header
4312# for all account management pages to protect against CSRF-style attacks. If
4313# this functionality is enabled, a request for an account management page will
4314# check to see if the referer header is present in the HTTP Request header and
4315# then validate the hostname portion of that referer against a list of "allowed"
4316# referer filters. If there are no allowed-referers entries here, then this
4317# validation is not performed. The values for the allowed-referers keys
4318# provide WebSEAL with a list of referer hostnames that should be considered
4319# "valid".
4320#
4321# The default value for this entry, although originally commented out so as not
4322# to enable this functionality by default, is "allowed-referers = %HOST%". This
4323# is a special entry in that it indicates to WebSEAL that a referer is "valid"
4324# if the hostname portion of the referer HTTP Request header entry matches the
4325# host HTTP Request header.
4326#
4327# There can be 0 or more entries set for this key. All entries are used when
4328# validating the referer. Entries can contain wildcard characters:
4329# * - match 0 or more characters
4330# ? - match any single character
4331# \ - Literal match of the following character
4332# So for example, an entry "allowed-referers = ac*me" will match any referer
4333# hostname that begins with the characters "ac", followed by 0 or more
4334# characters, and ends with the characters "me".
4335#
4336#allowed-referers = %HOST%
4337
4338[tfimsso:<jct-id>]
4339

4340#
4341# This stanza is used to hold the TFIM single sign-on configuration information
4342# for a single junction.
4343#
4344# For standard junctions the stanza name will be qualified with the name of the
4345# junction point (including the leading '/'). An example stanza name might be:
4346# [tfimsso:/junction_a]
4347#
4348# For virtual host junctions the stanza name will be qualified with the
4349# virtual host label. An example stanza name might be:
4350# [tfimsso:www.ibm.com]
4351#
# NOTE(review): the stanza name and the applies-to / service-name values are
# still the template placeholders (<jct-id>, <webseal-server>, <spn>). Per the
# naming rules above this block does not appear to apply to any real
# junction; it looks like the unedited template rather than live
# configuration - confirm and remove or complete it.
4352

4353# The type of token which will be requested from TFIM. This value should
4354# correspond to the 'Token Type URI' field for the corresponding trust chain
4355# within TFIM.
4356token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
4357

4358# The 'applies-to' search criteria used when locating the appropriate STS
4359# module within TFIM. Generally this entry should be of the format:
4360# http://<webseal-server>/<junction> (similar to the URL which is used to
4361# access the junction).
4362applies-to = http://<webseal-server>/<junction>
4363

4364# The service-name configuration entry will be used:
4365# 1. By TFIM when searching for a matching trust chain. This configuration
4366# entry will be compared against the configured 'AppliesTo' service name
4367# value for each trust chain. The second field within the 'AppliesTo'
4368# service name configuration entry should be set to either '*' to match
4369# all service names, or it should be set to the value defined by this
4370# configuration item. Refer to the TFIM documentation for further
4371# details on configuring Trust Chains.
4372# 2. As the service principal name of the delegating user when creating a
4373# Kerberos token. The service principal name can be determined by
4374# executing the Microsoft utility 'setspn', i.e. setspn -L <user>,
4375# where <user> is the identity of the user which the junctioned Web server
4376# is running as.
4377service-name = <spn>
4378

4379# The length of time, in seconds, by which the expiry time of a security token
4380# will be reduced. This entry is used to make allowances for differences in
4381# system times and transmission times for the security tokens.
4382renewal-window = 15
4383

4384# This boolean value is used to indicate whether the security token which is
4385# produced by TFIM is only valid for a single transaction. An example of a
4386# one-time-token is a Kerberos token, which can only be used for a single
4387# authentication operation.
4388one-time-token = true
4389

4390# This boolean value is used to control whether the requested
4391# BinarySecurityToken XML structure should be used in its entirety, or whether
4392# only the encapsulated token should be used. This configuration entry should
4393# only be set to true if the junctioned Web server understands and expects the
4394# BinarySecurityToken XML structure.
4395preserve-xml-token = false
4396

4397# The number of security tokens which should be retrieved from TFIM in a single
4398# request. This option is only valid for one-time-tokens where the
4399# corresponding TFIM module has also been coded to handle requests for multiple
4400# tokens via the 'Claims' construct. The resultant security tokens will be
4401# cached by WebSEAL and then used on subsequent requests. Tuning of this
4402# parameter will be important for performance of one-time-tokens. If the
4403# value is large there will be fewer requests to TFIM, but the responses to
4404# these requests will be larger.
4405token-collection-size = 10
4406

4407# The type of mechanism which will be used to transmit the security token to
4408# the junctioned Web server. Possible values for this configuration entry
4409# are:
4410# header - The security token will be included in a header;
4411# cookie - The security token will be included in a cookie;
4412token-transmit-type = header
4413

4414# The name given to the security token within the junctioned Web server
4415# request.
4416token-transmit-name = Authorization
4417

4418# This boolean value is used to indicate whether a security token should be
4419# sent for every HTTP request, or whether WebSEAL should wait for a 401
4420# response from the back-end Web server before adding the security token. This
4421# configuration item is used to avoid the unnecessary overhead of generating
4422# and adding a security token to every request if the back-end Web server is
4423# capable of maintaining user sessions.
4424always-send-tokens = false
4425

4426# The name of the WAS cluster which houses this TFIM service. There should
4427# also be a corresponding [tfim-cluster:<cluster>] stanza which contains the
4428# definition of the cluster.
4429tfim-cluster-name = my-cluster
4430
4431[tfim-cluster:my-cluster]
4432
4433#
4434# This stanza contains definitions for a particular cluster of TFIM
4435# servers.
4436#
4437
4438#
4439# A specification for the server which is used when communicating with a
4440# single TFIM server which is a member of this cluster. Values for this
4441# entry are defined as follows:
4442#
4443# {[0-9],}<URL>
4444#
4445# Where the first digit (if present) represents the priority of the server
4446# within the cluster (9 being the highest, 0 being lowest). If the priority
4447# is not specified, a priority of 9 is assumed. The <URL> can be any
4448# well-formed HTTP or HTTPS URL.
4449#
4450# Multiple server entries can be specified for failover and load balancing
4451# purposes. The complete set of these server entries defines the
4452# membership of the cluster for failover and load balancing.
4453#
4454# server = 9,http://tfim.example.com/TrustServerWST13/services/RequestSecurityToken
4455
4456
4457#
4458# The maximum number of cached handles, used when communicating with TFIM.
4459#
4460
4461handle-pool-size = 10
4462
4463#
4464# The length of time, in seconds, before an idle handle will be removed
4465# from the handle pool cache.
4466# It should not be larger than the HTTP Transport chain persistent timeout
4467# configured on the WebSphere server(s) running TFIM
4468#
4469
4470handle-idle-timeout = 30
4471
4472#
4473# The length of time, in seconds, to wait for a response from TFIM.
4474#
4475
4476timeout = 30
4477
4478#
4479# The following configuration entries are optional and can be used if the TFIM
4480# server has been configured to require basic authentication. If these
4481# entries are left blank no basic authentication header will be provided when
4482# communicating with the TFIM server.
4483#
4484#
4485# The name of the user for the basic authentication header.
4486#
4487# basic-auth-user = <user>
4488#
4489# The password to be used for the basic authentication header.
4490#
4491# basic-auth-passwd = <password>
4492#
4493# The following SSL entries are optional and are only required if:
4494# 1. At least one server entry indicates that SSL is to be used (i.e.
4495# starts with https:)
4496# 2. A certificate is required other than that which is used by this server
4497# when communicating with the policy server (details of the
4498# default certificate can be found in the [ssl] stanza of this
4499# configuration file).
4500#
4501# If these entries are required and are not found within this stanza, the
4502# default [ssl] stanza will be searched.
4503#
4504#
4505# The name of the key database file which houses the client certificate to be
4506# used.
4507#
4508
4509# The following files are currently available for this configuration entry:
4510# - pdsrv.kdb
4511# - lmi_trust_store.kdb
4512# - rt_profile_keys.kdb
4513# - embedded_ldap_keys.kdb
4514
4515ssl-keyfile =
4516
4517#
4518# The name of the password stash file for the key database file.
4519#
4520
4521# The following files are currently available for this configuration entry:
4522# - rt_profile_keys.sth
4523# - lmi_trust_store.sth
4524# - embedded_ldap_keys.sth
4525# - pdsrv.sth
4526
4527ssl-keyfile-stash =
4528
4529#
4530# The label of the client certificate within the key database.
4531#
4532ssl-keyfile-label =
4533
4534#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted. If no entry is configured,
# any server DN is accepted as valid. Multiple DNs can be specified by
# including multiple configuration entries of this name.
4539#
4540# ssl-valid-server-dn =
4541
4542#
4543# The entry controls whether FIPS communication is enabled with TFIM or
4544# not. If no configuration entry is present the global FIPS setting (as
4545# determined by the TAM policy server) will take effect.
4546#
4547# ssl-fips-enabled =
4548
# Configure NIST SP800-131A compliance mode. This will have the effect of:
# - enabling FIPS mode processing (overriding the value of the
# ssl-fips-enabled configuration entry);
# - enabling TLS V1.2;
# - enabling the appropriate signature algorithms;
# - setting the minimum RSA key size to 2048 bits.
4555#
4556# If no configuration entry is present the global NIST setting (as found in
4557# the [ssl] stanza) will be used.
4558#
4559# ssl-nist-compliance = no
4560
4561#
4562# Specify any additional GSKit attributes which should be used when
4563# initializing an SSL connection with TFIM. A complete list of
4564# the available attributes is included in the GSKit SSL API documentation.
4565#
4566# The configuration entry may be specified multiple times, one for each
4567# GSKit attribute. The entry should be of the format:
4568# gsk-attr-name = <type>:<id>:<value>
4569#
4570# - where <type> is one of 'enum', 'string', 'number'
4571# and <id> corresponds to the identity associated with a GSKit attribute
4572# (e.g. GSK_HTTP_PROXY_SERVER_NAME = 225)
4573#
4574# An example configuration could be:
4575# gsk-attr-name = string:225:proxy.ibm.com
4576#
4577
[local-response-redirect]
# URLs to which management page requests are redirected. All management
# requests will be redirected to the URLs with a query string indicating
# the operation requested, along with any macros (as configured in the
# [local-response-macros] stanza). See the WebSEAL Admin Guide for the
# specific format of the query string, and how the receiving handler should
# treat the requests.
#
# The URL may be absolute or server-relative. Only use an absolute URL if
# the destination server is not accessed via WebSEAL.
#
# NOTE(review): an absolute URL sends the management request, including the
# query-string macros, to a server that is not accessed via WebSEAL; check
# that such a handler is trusted with that data before using the absolute
# form.
#
# Valid formats are:
# http[s]://<server>/<path>
# /<path>
#
# To define the URI for specific operations, prefix the URI in the entry with
# the operation name in the form [<operation>]. The '[' and ']' chars are
# required. Valid values for <operation> are:
#
# logout passwd passwd_warn passwd_warn_failure acct_inactivated
# acct_locked passwd_exp passwd_rep_success passwd_rep_failure
# help login login_success token_login cert_login next_token
# switch_user failed_cert cert_stepup_http stepup,error
# too_many_sessions tempsession
#
# An operation specific example:
# local-response-redirect-uri = [login] /jct/cgi-bin/eai
#
# If an entry that does not specify an operation is present then any
# operation that does not have a specific entry will use it.
# If an entry that does not specify an operation is NOT present then any
# operation that does not have a specific entry will not use local response
# redirection and instead will use regular WebSEAL behavior.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a
# [local-response-redirect:{jct_id}] stanza, where '{jct-id}' refers to
# the junction point for a standard junction (include the leading '/'),
# or the virtual host label for a virtual host junction.

# No local-response-redirect-uri entry is active below, so (per the "NOT
# present" case above) management responses use regular WebSEAL behavior.
#local-response-redirect-uri = /jct/redirect/handler
4619
[local-response-macros]
# URL-encoded macros to include in the query string for all management
# page requests.
#
# These will increase the length of the local response redirect URI. Certain
# user-agents, such as WAP browsers, may have URI length limitations, so
# add macros sparingly and cautiously. Note that any special characters will
# be URI-encoded, further increasing the length of the local response URI.
#
# Do not modify the macro strings or add new ones; all supported macros are
# listed below. Comment/uncomment desired macros for inclusion in the local
# response URI. See the WebSEAL Admin Guide for definitions of the content
# corresponding to each macro.
#
# The field names used in the query string can be customized by placing a
# colon and a custom name after the macro definition as demonstrated below.
# macro = USERNAME:customerId
#
# If no name or a blank name is provided after the colon, the default value
# will be used. The default value is the macro name. For the HTTPHDR macro,
# the default value is HTTPHDR_<name>, where name is the name of the HTTP
# header defined in that macro. For the CREDATTR macro, the default value
# is CREDATTR_<name>, where name is the name of the attribute defined in
# that macro.
#
# Note that at a minimum the TAM_OP macro must be included in any response.
# Even if the TAM_OP macro is not included or customized below, it will
# still be present in all response URIs.
#
# NOTE(review): every enabled macro is appended to the redirect URI as a
# query-string field, so HTTPHDR{<name>}, CREDATTR{<name>}, URL and REFERER
# place header-, credential- and request-derived values into a URL. URLs
# are routinely retained in browser history, Referer headers and web server
# logs, so enable only the macros the receiving handler needs.

# Only the mandatory TAM_OP macro is enabled here.
macro = TAM_OP
#macro = USERNAME
#macro = METHOD
#macro = URL
#macro = REFERER
#macro = HOSTNAME
#macro = AUTHNLEVEL
#macro = FAILREASON
#macro = PROTOCOL
#macro = ERROR_CODE
#macro = ERROR_TEXT
#macro = OLDSESSION
#macro = EXPIRE_SECS
#macro = HTTPHDR{<name>}
#macro = CREDATTR{<name>}
#macro = SECONDARY_BASE
4665
[enable-redirects]
# This stanza contains a list of authentication mechanisms
# for which automatic redirects are enabled.
# Valid choices are forms-auth, token-auth, basic-auth, cert-auth,
# and ext-auth-interface
# Any or all of them may be enabled.
#
# All entries are commented out here, so automatic redirects are disabled
# for every mechanism.
#redirect = forms-auth
#redirect = basic-auth
#redirect = token-auth
#redirect = cert-auth
#redirect = ext-auth-interface

#----------------------
# ICONS
#----------------------
# NOTE(review): no icon-related entries follow this banner; it appears to be
# a leftover heading (the only icon mapping is 'ico' in [content-mime-types]).
[content-cache]
#----------------------
# DOCUMENT CACHING
#----------------------

# The entries below define the caches which the Web Server uses to store
# documents in memory.
#
# Syntax:
# <MIME-Type> = <Cache-Type>:<Cache-Size>{:<Def-Max-Age>}
#
# Where:
#
# <MIME-Type>
# Represents any valid MIME type conveyed in an HTTP "Content-Type:"
# response header. This value may contain a wildcard (*). A value
# of */* represents a default object cache that will hold any object
# that does not correspond to an explicitly configured cache.
#
# <Cache-Type>
# Defines the type of backing store to use for the cache. Currently
# only "memory" caches are supported.
#
# <Cache-Size>
# Represents the maximum size to which the given cache may grow before
# objects are removed according to a LRU algorithm. This value is
# defined in Kbytes.
#
# <Def-Max-Age>
# Represents the maximum age of a session cache entry if expiration
# information is missing from the original response. This value is
# defined in seconds. If no value is supplied a default maximum age
# of 3600 (i.e. 1 hour) will be applied.
#
# No Caching is performed if no caches are defined. If no default cache
# is specified, documents which do not match any cache are not cached.
#
# No cache is defined below (the entries are examples only), so per the
# note above no document caching is performed by this instance.
#
# NOTE(review): if a cache is enabled later, confirm how per-user or
# authenticated responses are kept out of it; this stanza does not
# describe any keying of cache entries by user or session.
#
# text/html = memory:2000
# image/* = memory:5000
# */* = memory:1000
4721
4722
[compress-mime-types]
#----------------------
# HTTP COMPRESSION MIME-TYPE CONFIGURATION
#----------------------

# This stanza allows HTTP compression to be enabled or disabled based
# on the mime-type of the response and the size of the returned document.
# Order is important. The first entry that matches a returned document
# will be used for that document.
#
# Syntax:
# <MIME-type> = <Min-Doc-Size>[:<Compress-Level>]
#
# Where:
#
# <MIME-Type>
# Represents any valid MIME type conveyed in an HTTP "Content-Type:"
# response header. This value may contain a wildcard (*). A value
# of */* will match all mime-types.
#
# <Min-Doc-Size>
# The minimum document size to be compressed. A size of -1 means never
# to compress this mime-type. A size of 0 means to compress the
# document regardless of its size. A size greater than 0 means that the
# document will only be compressed if its initial size is greater than
# or equal to Min-Doc-Size.
#
# <Compress-Level>
# The compression level to be used for documents of this MIME type.
# The compression level must be between 1 and 9, inclusive. Higher
# compression levels decrease the size of the compressed data at the
# expense of additional CPU utilization. This value is optional; if it
# is not specified a compression level of 1 is used.
#
# These example configuration lines will:
# - disable compression for images.
# - enable compression for HTML documents larger than 1000 bytes.
# - enable compression for all other text documents regardless of size.
# - enable compression of PDF documents of all sizes at compression level 5.
# - disable compression for any other documents.
#
# image/* = -1
# text/html = 1000
# text/* = 0
# application/pdf = 0:5
# */* = -1

# The single active entry below disables compression for every MIME type.
# NOTE(review): leaving compression off also avoids compression-based
# information leaks on responses that mix secrets with client-influenced
# content; if compression is enabled later, prefer limiting it to static
# content types (placed before this */* line, since first match wins).
*/* = -1
4771
4772
[compress-user-agents]
#----------------------
# HTTP COMPRESSION USER-AGENT CONFIGURATION
#----------------------

# This stanza allows HTTP compression to be enabled or disabled based
# on the user-agent header sent by clients. This stanza should be used
# to disable compression for clients which send an "accept-encoding: gzip"
# HTTP header but don't actually handle gzipped content-encodings properly
#
# Syntax:
# <Pattern> = <Compression>
#
# Where:
#
# <Pattern>
# A wild card pattern to match a particular user-agent header
#
# <Compression>
# Is yes if the user-agent can handle compressed data, no otherwise.
#
# The first matching entry is used when determining whether a user-agent
# can handle compression content-encodings. If no entry matches, the
# user-agent's accept-encoding header is assumed to be correct. User-agents
# that do not send an "accept-encoding: gzip" header will never receive
# compressed data.
#
# No entries are configured here, so each user-agent's accept-encoding
# header is taken at face value (compression is in any case disabled for
# all MIME types in the [compress-mime-types] stanza above).
4799
4800
[content-mime-types]
#----------------------
# MIME TYPES
#----------------------

# This stanza defines the MIME type for particular document extensions.
#
# Syntax:
# <extension> = <type>
#
# where
# extension is the extension of documents of this MIME type
# type is a MIME type
#
# The first matching entry is used when determining the type of a particular
# document.
#
# Upper-case variants (EXE, DLL) are listed alongside their lower-case forms;
# this relies on extension matching being case-sensitive. On a
# case-insensitive reader they would merely be duplicate keys with identical
# values, so the result is the same either way.
#
html = text/html
htm = text/html
gif = image/gif
jpeg = image/jpeg
ps = application/postscript
shtml = text/x-server-parsed-html
jpg = image/jpeg
jpe = image/jpeg
mpeg = video/mpeg
mpe = video/mpeg
mpg = video/mpeg
bin = application/octet-stream
exe = application/octet-stream
Z = application/octet-stream
EXE = application/octet-stream
dll = application/octet-stream
DLL = application/octet-stream
ivsrv = application/octet-stream
pdf = application/pdf
au = audio/basic
snd = audio/basic
aiff = audio/x-aiff
aifc = audio/x-aiff
aif = audio/x-aiff
wav = audio/x-wav
ai = application/postscript
eps = application/postscript
rtf = application/rtf
zip = application/zip
ief = image/ief
tiff = image/tiff
tif = image/tiff
ras = image/x-cmu-raster
pnm = image/x-portable-anymap
pbm = image/x-portable-bitmap
pgm = image/x-portable-graymap
ppm = image/x-portable-pixmap
rgb = image/x-rgb
xbm = image/x-xbitmap
xpm = image/x-xpixmap
xwd = image/x-xwindowdump
txt = text/plain
rtx = text/richtext
tsv = text/tab-separated-values
etx = text/x-setext
qt = video/quicktime
mov = video/quicktime
avi = video/x-msvideo
movie = video/x-sgi-movie
js = application/x-javascript
ls = application/x-javascript
mocha = application/x-javascript
wrl = x-world/x-vrml
dir = application/x-director
dxr = application/x-director
dcr = application/x-director
crt = application/x-x509-ca-cert
tar = application/x-tar
css = text/css

# default type to assign to pages that don't match any of the above
# (text/plain is the conservative choice: unclassified content is not
# handed to the browser as markup)
deftype = text/plain
# ico is an ordinary extension mapping like those above, not part of the
# default type; it simply happens to be listed after deftype.
ico = image/x-icon
4881
[content-encodings]
#----------------------
# CONTENT ENCODINGS
#----------------------

# Some browsers support content encodings. These entries map a document
# extension to an encoding type.
#
# Only the two extensions below are mapped; 'Z' also appears in
# [content-mime-types] (as application/octet-stream), but the two stanzas
# are independent, so that is not a duplicate key.
gz = x-gzip
Z = x-compress
4891
4892##################################
4893# LOGGING
4894##################################
[logging]

#
# The server-log-cfg configuration entry is used to configure the server
# for logging. The format of the configuration entry is:
# server-log-cfg = agent [parameter=value],[parameter=value]....
#
# Where:
# agent: The logging agent. The agent is used to control the destination
# of the logging event. Valid agents include:
# stdout, stderr, file, remote, rsyslog.
#
# Different configuration parameters and values are also required/supported
# by the different agents. Some of the available parameters include:
#
# Parameter Supported Agents:
# --------- -----------------
# buffer_size remote
# compress remote, file
# dn remote
# error_retry remote, rsyslog
# flush_interval all
# hi_water all
# log_id file, rsyslog
# max_event_len rsyslog
# max_rollover_files file
# mode file
# path all
# port remote, rsyslog
# queue_size all
# rebind_retry remote, rsyslog
# rollover_size file
# server remote, rsyslog
# ssl_keyfile rsyslog
# ssl_label rsyslog
# ssl_stashfile rsyslog
#
# As an example, to send server events to a remote syslog server:
# server-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance
#
# For a complete description of the different available logging agents, and
# the supported configuration parameters, please refer to the IBM Security
# Access Manager Auditing Guide.
#
# NOTE(review): hi_water=1 and flush_interval=1 below appear to request that
# server messages be written out as soon as they arrive; the exact meaning
# of both parameters is in the Auditing Guide referenced above.
server-log-cfg = file path=msg__webseald-rp1.log,hi_water=1,flush_interval=1

# Log files' size limit
# Applies to the request, referer, and agent logs
# Negative values will cause the logs to be rolled over daily.
# A value of zero will cause no rollover file to be created.
max-size = 2000000

# Frequency in seconds to force a flush of log buffers
flush-time = 20

# Enable the request log
requests = yes

# Enable the referer log
referers = no

# Enable the user agent log
agents = no

# Log requests with time in GMT instead of local TZ
# (GMT timestamps make this log easier to correlate with events from
# other hosts.)
gmt-time = no

# If log-invalid-requests is set to 'yes', WebSEAL will log every
# request, even if a request is malformed or for some other reason
# is not processed to completion.
# Keeping this enabled keeps malformed or aborted requests visible in the
# request log, which helps when looking for scanning or protocol abuse.
log-invalid-requests = yes

# The request-log-format to be written to the request log.
# The following directives can be used to customize the log format.
#
# %a: Client IP Address
# %A: Local IP Address
# %b: Bytes in the response excluding HTTP headers in CLF format: '-' instead
# of 0 when no bytes are returned.
# %B: Bytes in the response excluding HTTP headers
# %{attribute}C:
# Attribute from the TAM credential named 'Attribute'
# %{cookie}e:
# Contents of the Cookie 'cookie' in the request
# %{cookie}E:
# Contents of the Cookie 'cookie' in the response
# %d: Transaction identifier, or session sequence number.
# %F: Time taken to serve the request in microseconds
# %h: Client host
# %H: Request protocol
# %{header}i:
# Contents of the Header 'header' in the request
# %j: The name of the junction servicing the request
# %l: Client logname (RFC 1314) (default -)
# %m: Request method (i.e. GET, POST, HEAD)
# %{header}o:
# Contents of the Header 'header' in the response
# %p: Port over which the request was received
# %q: The decoded query string (prepended with '?' or empty)
# %Q: The raw query string (prepended with '?' or empty).
# %r: First line of the request with decoded URL
# %R: First line of the request with decoded URL including HTTP://HOSTNAME
# %s: Response status
# %t: Time in Common Log Format format
# %{format}t:
# The time in the given format
# %T Time taken to serve the request in seconds, or part thereof
# %u: Remote user
# %U: The URL requested
# %v: Canonical ServerName of the server servicing the request
# %z: The decoded path string
# %Z: The raw path string
#
# NOTE(review): %r is the full first line of the request and so carries any
# query string; if tokens or other secrets can appear in query parameters
# they will be written to this log. Directives such as %{cookie}e and
# %{header}i would likewise copy cookie/header contents into the log, so
# add them only with a retention and access policy for the log file.
request-log-format = %h %l %u %t "%r" %s %b
5008
[audit-mime-types]
# WebSEAL can be configured to decide whether an audit event should be
# generated for a particular HTTP request based on the content-type of the
# return document. The format of the audit-mime-types stanza is:
#<MIME-pattern> = <yes|no>
# For example:
#text/html = yes
#*/* = no
#
# No entries are active in this stanza; the lines above are examples only.
5017
5018
[audit-response-codes]
# WebSEAL can be configured to decide whether an audit event should be
# generated for a particular HTTP request based on the response code of the
# returned document. The format of the audit-response-codes stanza is:
#<code> = <yes|no>
# For example:
#304 = no
#302 = no
#
# No entries are active in this stanza; the lines above are examples only.
5027
5028
5029###############################
5030# AUTHORIZATION API
5031###############################
[aznapi-configuration]

# Update poll interval. This is the interval, in seconds, between checks
# for updates to the master authzn server. The local cache is only rebuilt
# if an update is detected. Values can be "disable", "default" or a time
# in seconds.
#
# NOTE(review): with polling disabled, this instance only learns of policy
# changes through the notification listener enabled by listen-flags below;
# if a notification is missed, the local policy cache stays stale. Confirm
# this matches the deployment's expectations.
cache-refresh-interval = disable

# Flags to enable the reception of policy cache update notifications.
# Values can be one of: "disable", "enable"
# A "disable" value disables the notification listener.
#
# This parameter is set by the svrsslcfg utility.
listen-flags = enable

#----------------------
# POLICY CACHE TUNING
#----------------------
# The maximum size of the in-memory policy cache is configurable.
# The cache consists of policy and the relationships between policy
# and resources. The knowledge that a resource has no directly
# associated policy is also cached.
#
# The maximum cache size should be relative to the number
# of policy objects defined and the number of resources
# protected and the available memory.
#
# A reasonable algorithm to begin with is:
# (number of policy objects * 3) + (number of protected resources * 3)
#
# This value controls how much information is cached. A larger
# cache will potentially improve the application performance but use
# additional memory as well.
#
# Size is specified as the number of entries.
#
# policy-cache-size = 32768


#----------------------
# AUTHORIZATION API LOGGING (traditional)
# NB: The following authorization logging configuration entries are supported
# for historical purposes only. The logcfg configuration entry should be
# used to configure the logging in favour of these legacy configuration
# items.
#----------------------
# Audit Trail
# Enable/Disable audit event recording
#
# NOTE(review): logaudit is off and no logcfg entry appears in this stanza,
# so as shown here no authorization or authentication audit events are
# routed to any agent. Confirm auditing is configured elsewhere before
# relying on it for detection or forensics.
logaudit = no

# Name of daemon whose activities are audited
logclientid = webseald

# To selectively capture audit events from specific components, uncomment the
# appropriate auditcfg lines.
#auditcfg = azn
#auditcfg = authn
#auditcfg = http

# Log file size limit
# Negative values will cause the logs to be rolled over daily.
# A value of zero will cause no rollover file to be created.
logsize = 2000000

# Frequency, in seconds, to flush the log buffers
logflush = 20

# Attributes to be audited.
# tagvalue_su-admin is audited by default.
audit-attribute = tagvalue_su-admin

# Option to enable adjustment of the authentication auditing data to accurately
# reflect the operation result. This slightly changes the audit record
# contents so any automated tools examining audit logs may need to be adjusted
# to match.
adjust-audit = no

#----------------------
# AUTHORIZATION API LOGGING
#----------------------

#
# The logcfg configuration entry is used to configure the system for logging.
# The format of the configuration entry is:
# logcfg = category:agent [parameter=value],[parameter=value]....
#
# Where:
# category: The name of the logging component. Valid logging components
# include: audit.azn, audit.authn, http, http.clf, http.ref,
# http.agent
# agent: The logging agent. The agent is used to control the
# destination of the logging event. Valid agents include:
# stdout, stderr, file, pipe, remote, rsyslog (although the
# pipe agent is not supported on the appliance).
#
# Different configuration parameters and values are also required/supported by
# the different agents. Some of the available parameters include:
#
# Parameter Supported Agents Details
# --------- ---------------- -------
# buffer_size remote
# compress remote, file
# dn remote
# error_retry remote, rsyslog
# flush_interval all
# hi_water all
# log_id file, rsyslog
# max_event_len rsyslog
# max_rollover_files file
# mode file
# path all
# port remote, rsyslog
# queue_size all
# rebind_retry remote, rsyslog
# rollover_size file
# server remote, rsyslog
# ssl_keyfile rsyslog
# ssl_label rsyslog
# ssl_stashfile rsyslog
# ssl_protocols rsyslog A colon separated list of SSL
# protocols to be enabled. Valid
# protocols include:
# sslv3,tlsv10,tlsv11,tlsv12.
#
# NOTE(review): if an rsyslog agent is added, set ssl_protocols to tlsv12
# only; sslv3, tlsv10 and tlsv11 are listed as accepted values but are
# deprecated protocols.
#
# As an example, to send authorization events to a remote syslog server:
# logcfg = audit.azn:rsyslog server=timelord,port=514,log_id=webseal-instance
#
# For a complete description of the different available logging agents, and
# the supported configuration parameters, please refer to the IBM Security
# Access Manager Auditing Guide.
#

#---------------------------------------------------
# BOOLEAN AUTHORIZATION RULES CONFIGURATION ENTRIES.
#---------------------------------------------------
#
# A list of string prefixes that identify Access Decision Information (ADI)
# to be supplied by the resource manager (in this case, WebSEAL). The
# default setting below tells the authorization engine that when it requires
# ADI with the prefixes "AMWS_hd_", "AMWS_qs_" or "AMWS_pb_" to evaluate a
# boolean authorization rule, and the ADI is not available in the credential
# or application context passed in with the access decision call, that the
# engine should fail the access decision and request that the resource manager
# retry the request and provide the required data in the application context
# of the next request. The prefixes given below represent special values
# for WebSEAL:
# AMWS_hd_ - Indicates that the ADI can be found within the HTTP Environment
# (Headers) of the request that WebSEAL is currently serving.
# AMWS_qs_ - Indicates that the ADI can be found within the Query String of
# the request that WebSEAL is currently serving.
# AMWS_pb_ - Indicates that the ADI can be found within the POST Body of the
# request that WebSEAL is currently serving.
#
# The three entries below form a multi-valued list (one repeated key per
# prefix).
# NOTE(review): these prefixes let authorization rules consume data taken
# straight from the client request (headers, query string, POST body);
# any rule built on them must treat that data as untrusted input.
resource-manager-provided-adi = AMWS_hd_
resource-manager-provided-adi = AMWS_pb_
resource-manager-provided-adi = AMWS_qs_


# To enable certain Boolean Authorization Rules options, it is necessary
# to set the permission information that the authorization engine will
# return to WebSEAL.
# The permission attribute that will enable the authorization engine to
# request ADI from the current WebSEAL request is
# "azn_perminfo_rules_adi_request".
# To use the "-R" junction option, the "azn_perminfo_reason_rule_failed"
# attribute must be included.
# To enable the Privacy Redirection capabilities of the AMWebARS Web Service,
# the "azn_perminfo_amwebars_redirect_url" must be included.
# (The value is a space-separated list; the AMWebARS attribute is not
# included here.)
permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed


# The prolog to be added to the top of the XML document that is created
# using the Access Decision Information (ADI) needed to evaluate a boolean
# authorization rule. If not specified then the default XML prolog is:
#
# <?xml version='1.0' encoding='UTF-8'?>
#
# It is strongly suggested that you read and thoroughly understand the
# boolean authorization rules documentation before attempting to change
# this setting from the default provided.
#
## input-adi-xml-prolog = <?xml version='1.0' encoding='UTF-8'?>


# The prolog to be added to the top of the XSL stylesheet that is created
# using the XSL text that defines a boolean authorization rule. If not
# specified then the default XSL stylesheet prolog is:
#
# <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl=\
# 'http://www.w3.org/1999/XSL/Transform' version='1.0'> \
# <xsl:output method = 'text' omit-xml-declaration='yes' \
# indent='no'/> <xsl:template match='text()'> </xsl:template>
#
# It is strongly suggested that you read and thoroughly understand
# the boolean authorization rules documentation before attempting
# to change this setting from the default provided.
#
## xsl-stylesheet-prolog = <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'> </xsl:template>

# In previous versions of WebSEAL, a user might not be able to work with an
# existing junction (i.e. show, delete) when the junction was protected by an
# EAS, even if the user's effective ACL had the bypassPOP ACL flag turned on.
# To remove this limitation, the following entry was created. The default
# setting of no causes the product to work as it did in previous versions. If
# this entry is set to yes and the user accessing the protected resource does
# not have the bypassPOP ACL flag turned on, the product will work as it did in
# previous versions also. Changing this entry's value to yes will remove the
# limitation described above.
#
# NOTE: The sec_master user has the bypassPOP ACL flag turned on by default.
# If this setting is set to yes, sec_master will NOT call out to the EAS when
# accessing a protected resource. Consider this fact when deciding whether to
# set this entry to yes.
#
# Left at no here, so the EAS is still consulted for bypassPOP users.
skip-eas-on-bypass-pop = no

# This option applies to the entitlement service: azn_ent_registry_svc. It
# defines the separator character for policy attributes. If not explicitly set
# here then it defaults to the ':' character. If set to the '\' character then
# a character escaping method is enabled in combination with the default ':'
# separator character. Escaping ensures that the ':' character separator
# character is uniquely identified from any occurrences in the user name (or DN)
# and their policy names.
#
# NOTE: the trailing backslash on the next line is the literal value
# described above, not a line continuation. Several INI dialects treat a
# trailing backslash as joining the next line ('mode = local'), so do not
# round-trip this file through a generic INI tool without checking that
# this entry survives intact.
policy-attr-separator = \
mode = local

# The following configuration is read only and cannot be modified.
azn-server-name = rp1-webseald-iam.ibmemm.edu
special-eas = trigger_rba_eas

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file. If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.
#
# The value below is only obfuscated (per the note above), so treat this
# file as sensitive and keep its read permissions restricted.

pd-user-pwd = **obfuscated**
5267
[TAM_CRED_ATTRS_SVC]

#
# This stanza is used to configure the credential attributes entitlement
# service. This entitlement service can be used to add attributes to the
# credential which are based on LDAP attributes of the authenticated user.
#
# Entries in this stanza are used to define the sources of attributes to be
# retrieved. The source names, such as user and group, are used to identify
# the source location in the registry. You need to define these. The values
# for these sources are registry identifiers that exist in the registry. The
# values can be existing credential attribute names. If this is the case,
# the service automatically finds and uses the respective values.
#
# For example:
# eperson = azn_cred_registry_id
# organisationalPerson = azn_cred_registry_id
#
# Each entry should then have a corresponding stanza which maps the LDAP
# attribute into a credential attribute.
#
# For example:
# [TAM_CRED_ATTRS_SVC:eperson]
# emailAddress = mail
# mobileNumber = mobile
#
# [TAM_CRED_ATTRS_SVC:organisationalPerson]
# emailAddress = mail
# mobileNumber = mobile
#
# NOTE(review): the matching [TAM_CRED_ATTRS_SVC:eperson] stanza that maps
# LDAP attributes for this source is not within this part of the file;
# confirm it exists, since the entry below selects a source that needs one.
eperson = azn_cred_registry_id
5299
5300[azn-decision-info]
# Attribute sources handed to the authorization framework. Each line is
# <attr-name> = <http-info>; the source keywords (method, scheme, uri,
# client_ip, header:, cookie:, post-data:, ...) are described in the
# comment block that follows this list.
#
# NOTE(review): 'Authorization = header:Authorization' and
# 'urn:ibm:security:trusteer:pinpoint:csid = cookie:PD-S-SESSION-ID' expose
# a credential header and the session cookie value as decision attributes.
# Whether those values are then written to audit or trace output depends on
# the components consuming them; confirm before assuming they stay out of
# logs, and drop entries that no rule or EAS actually uses.
urn:ibm:security:trusteer:header:rapport-extra = header:x-trusteer-rapport-extra
scheme = scheme
urn:ibm:security:worklight:adapter:parameters = post-data:parameters
urn:ibm:security:trusteer:pinpoint:csid = cookie:PD-S-SESSION-ID
User-Agent = header:User-Agent
urn:ibm:security:trusteer:header:rapport = header:x-trusteer-rapport
Accept-Encoding = header:Accept-Encoding
urn:ibm:security:worklight:device:id = header:x-wl-device-id
Authorization = header:Authorization
urn:ibm:security:worklight:version:app = header:x-wl-app-version
Content-Type = header:Content-Type
Accept-Charset = header:Accept-Charset
rspcode = header:rspcode
Transfer-Encoding = header:Transfer-Encoding
Accept = header:Accept
X-Requested-With = header:X-Requested-With
method = method
urn:ibm:security:worklight:version:platform = header:x-wl-platform-version
Connection = header:Connection
Host = header:Host
Pragma = header:Pragma
ac.uuid = cookie:ac.uuid
uri = uri
urn:ibm:security:subject:ipAddress = client_ip
Missing = header:Missing
Cache-Control = header:Cache-Control
urn:ibm:security:worklight:adapter:adapter = post-data:adapter
urn:ibm:security:worklight:adapter:procedure = post-data:procedure
Accept-Language = header:Accept-Language
urn:ibm:security:worklight:version:native = header:x-wl-native-version
# The two entries below duplicate the 'Host' and 'scheme' sources above under
# different attribute names; that is allowed (distinct keys), not a conflict.
HTTP_HOST_HDR = header:host
HTTP_REQUEST_SCHEME = scheme
5332HTTP_REQUEST_SCHEME = scheme
5333
5334#
5335# This stanza is used to define any extra information which should
5336# be made available to the authorization framework when making
5337# authorization decisions. This extra information can be obtained
5338# from various elements of the HTTP request, namely:
5339# - HTTP method
5340# - HTTP scheme
5341# - Request URI
5342# - HTTP headers
5343# - HTTP cookies
5344# - POST data
5345#
5346# You can also include the name of the WebSEAL server in the
5347# authorization request.
5348#
5349# If the requested element is not present in the HTTP request no
5350# corresponding attribute will be added to the authorization
5351# decision information.
5352#
5353# The format of the entries contained within this stanza is:
5354# <attr-name> = <http-info>
5355#
5356# Where:
5357# <attr-name>: The name of the attribute which will contain the
5358# HTTP information.
5359# <http-info>: The source of the information, one of:
5360# - 'method'
5361# - 'scheme'
5362# - 'uri'
5363# - 'client_ip'
5364# - 'header:<header-name>'
5365# - 'cookie:<cookie-name>'
5366# - 'post-data:<post-data-name>'
5367# - 'query-arg:<query-arg-name>'
5368# - 'server_name'
5369#
5370# The 'post-data-name' field will be handled differently based on the content
5371# type of the request, as defined by the ContentType header. The following
5372# content types are supported:
5373#
5374# application/x-www-form-urlencoded
5375# The 'post-data-name' field corresponds to the name of the form data field
5376# within the request. The corresponding value for this field will be added
5377# to the authorization decision information.
5378#
5379# application/json
5380# The 'post-data-name' field corresponds to a hierarchical representation of
5381# the name within the JSON data. For example, assume that the following
5382# POST data exists with a request which has the content-type of
5383# application/json:
5384#
5385# {
5386# "userid": "jdoe",
5387# "transactionValue": "146.67",
5388# "accountBalances": {
5389# "chequing": "4345.45",
5390# "savings": "12432.23",
5391# "creditLine": "19999.12"
5392# }
5393# }
5394#
5395# To have the value of userid, at the root level, added to the authorization
5396# decision information, create an entry in this stanza like:
5397# POST_USERID = /"userid"
5398#
5399# The leading / character indicates that the top level JSON object should be
5400# searched for a name-value pair with the name of userid. In our example,
5401# this would add "POST_USERID=jdoe" to the decision information.
5402#
5403# To have the savings value within the accountBalances "node" present in the
5404# decision information, create an entry in this stanza like:
5405# SAVINGS_BAL = /"accountBalances"/"savings"
5406#
5407# The initial / character indicates that the top level JSON object should be
5408# searched for a name-value pair with the name of accountBalances. If found,
5409# and that value is another JSON object, it should then be searched for a
5410# name-value pair with the name of savings. In our example, this would add
5411# "SAVINGS_BAL=12432.23" to the decision information
5412#
5413# JSON also has the notion of Arrays. Consider the following POST data
5414#
5415# {
5416# "userid": "pwald",
5417# "transactionValue": "200.00",
5418# "accounts": [
5419# {"name": "chequing": , "balanace": "4345.45"},
5420# {"name": "savings": , "balanace": "1234.56"}
5421# ]
5422# }
5423#
5424# Notice in this example that the top level accounts field has a value that
5425# is a JSON array. To identify which array element to include in the search,
5426# provide the array index, starting with a base of 0. For example, to add
5427# the value of the "balance" field from the first element of the accounts
5428# array, create an entry in this stanza like:
5429# CHEQUING_BAL = /"accounts"/0/"balance"
5430#
5431# The initial / indicates the "accounts" field in the top level JSON object.
5432# The /0 indicates the first element of the array value. Finally the
5433# /"balance" indicates the field with a name of balance within that first
5434# array element. In our example, this would add "CHEQUING_BAL=4345.45" to the
5435# decision information.
5436#
5437# Only "leaf" nodes of the String, Number, true, false or null types can be
5438# specified.
5439#
5440# The 'query-arg-name' field corresponds to the key name of a query string
5441# parameter of the request. The corresponding value for this field, if found,
5442# will be added to the authorization decision information.
5443#
5444#
5445# Other examples include:
5446# HTTP_REQUEST_METHOD = method
5447# HTTP_HOST_HEADER = header:Host
5448#
5449HTTP_REQUEST_METHOD = method
5450HTTP_REQUEST_URI = uri
5451HTTP_AZN_HDR = header:authorization
5452HTTP_CONTENT_TYPE_HDR = header:content-type
5453HTTP_TRANSFER_ENCODING_HDR = header:transfer-encoding
5454
5455#
5456# Configuration stanza for the TAM transaction logging framework. This
5457# framework can be used by support to record transactional information.
5458#
5459
[translog]

#
# The maximum file size (in KB) for a transactional log.
# (Per-log settings such as the file path live in 'translog:<name>'
# sub-stanzas; the [cfg-db-cmd:entries] stanza below refers to one named
# 'translog:pd.webseal', which is not shown in this excerpt.)
#

# 262144 KB = 256 MB
max-file-size = 262144

5469###############################
5470# CREDENTIAL POLICY ATTRIBUTES
5471###############################
[credential-policy-attributes]
# This stanza controls which TAM policy values are stored in credentials
# during authentication. In order for this stanza to take effect you must
# also enable the TAM credential policy entitlements service in the aznapi
# stanzas above this one.
#
# Format is:
# <policy-name> = <credential-attribute-name>
#
# Supported policies are listed here. Uncomment the policies you wish
# to add to credentials.

#AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login
#AZN_POLICY_DISABLE_TIME = tagvalue_disable_time
#AZN_POLICY_ACCOUNT_EXPIRY_DATE = tagvalue_account_expiry_date
#AZN_POLICY_MAX_PASSWORD_AGE = tagvalue_max_password_age
#AZN_POLICY_MAX_PASSWORD_REPEATED_CHARS = tagvalue_max_password_repeated_chars
#AZN_POLICY_MIN_PASSWORD_ALPHAS = tagvalue_min_password_alphas
#AZN_POLICY_MIN_PASSWORD_NON_ALPHAS = tagvalue_min_password_non_alphas
#AZN_POLICY_PASSWORD_SPACES_ALLOWED = tagvalue_password_spaces_allowed
#AZN_POLICY_MIN_PASSWORD_LENGTH = tagvalue_min_password_length
#AZN_POLICY_TOD = tagvalue_tod
#AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions
# Only the concurrent-sessions policy is active. The commented line directly
# above is the template entry it was copied from and can be dropped.
# NOTE(review): presumably the tagvalue_ prefix marks attributes that are
# forwarded to junctioned servers as HTTP headers -- confirm against the
# junction configuration before adding password-policy values (max age,
# repeated characters, ...) to the credential.
AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions

5497###############################
5498# POLICY DIRECTOR
5499###############################
[p3p-header]
#
# This stanza specifies the P3P compact policy that applies
# to all HTTP cookies set. See the W3C P3P Specification
# for more information about P3P: http://www.w3c.org/TR/P3P/
#
# The default configured policy allows cookies to be accepted
# by the default privacy settings for Microsoft Internet Explorer
# version 6.
#
# Before configuring any P3P policy, consult the P3P Technical
# Recommendation Specification to ensure that the values configured
# match your organization's privacy policy.
#
# If a junction server sets a P3P header in its response, a
# decision must be made as to whether it should be preserved as it is,
# or replaced by the WebSEAL policy. This determination will be
# made based on the value of the 'preserve-p3p-policy' item
# in the [server] stanza.
#
# The values below form a privacy declaration sent to browsers; they
# describe, rather than enforce, how cookie data is handled.

#
# The 'p3p-element' item can be used to specify any elements
# to add to the P3P header besides the compact policy configured
# with the other configuration items in this stanza. This can
# be used to supply a reference to a full XML policy:
#
# p3p-element = policyref="/w3c/p3p.xml"
#

#
# The 'access' item specifies the access the user has to the
# information contained within and linked to the cookie.
#
# Possible values are 'none', 'all', 'nonident', 'contact-and-other',
# 'ident-contact', 'other-ident'.
#
access = none

#
# The 'disputes' item, if yes, specifies that the full P3P policy
# contains some information regarding disputes over the information
# contained within the cookie.
#
# The default value is 'no'.
#
# disputes = no

#
# The 'remedies' item specifies the possible remedies for disputes.
# Possible values are: 'correct', 'money', and 'law'.
# If not specified, no remedy information is included in the policy.
#
# remedies = correct

#
# The 'non-identifiable' item, if yes, specifies that no information
# in the cookie, or linked to by the cookie, personally identifies the
# user in any way.
#
non-identifiable = no

#
# The 'purpose' item specifies the purpose of the information in the
# cookie and linked to by the cookie.
#
# Possible values are 'current', 'admin', 'develop', 'tailoring',
# 'pseudo-analysis', 'pseudo-decision', 'individual-analysis',
# 'individual-decision', 'contact', 'historical', 'telemarketing',
# and 'other-purpose'.
#
# For all values except 'current', an additional specifier may be
# configured. The possible values are 'always', 'opt-in', 'opt-out'.
# If no value is specified, 'always' will be used.
# This value is specified after the purpose and separated from it by a
# colon, for example:
# purpose = contact:opt-in
#
# Two purpose values are configured below. Presumably WebSEAL accumulates
# repeated 'purpose' entries into the compact policy rather than keeping
# only the last one -- TODO confirm, since last-wins parsing would silently
# drop 'current'.
purpose = current
purpose = other-purpose:opt-in

#
# The 'recipient' item specifies the recipients of the information in
# the cookie, and linked to by the cookie.
#
# Possible values are 'ours', 'delivery', 'same', 'unrelated',
# 'public', 'other-recipient'.
#
recipient = ours

#
# The 'retention' item specifies how long the information in the cookie
# or linked to by the cookie will be retained.
#
# Possible values are 'no-retention', 'stated-purpose',
# 'legal-requirement', 'business-practices', 'indefinitely'.
#
retention = no-retention

#
# The 'categories' item specifies the type of information stored in the
# cookie or linked to by the cookie. If the 'non-identifiable' item
# is yes, then no categories need be configured.
#
# Possible values are: 'physical', 'online', 'uniqueid', 'purchase',
# 'financial', 'computer', 'navigation', 'interactive',
# 'demographic', 'content', 'state', 'political', 'health',
# 'preference', 'location', 'government', 'other-category'.
#
# Consistent with non-identifiable = no above: the cookie is declared to
# carry a unique identifier.
categories = uniqueid

5610#
5611# The cfg-db-cmd:entries stanza is used to specify the configuration entries
5612# which will be exported or imported via the 'cfgdb' server task commands. Each
5613# configuration entry will be checked sequentially against each item in
5614# the [cfg-db-cmd:entries] stanza until the first match is found. This first
5615# match will then control whether the configuration entry is included, or
5616# excluded, from the configuration database. If no match is found the
5617# configuration entry will be excluded from the configuration database.
5618#
5619# The format for entries contained within this stanza will be:
5620# {stanza}::{entry} = [include|exclude]
5621#
5622# The 'stanza' and 'entry' fields may contain pattern matching characters.
5623#
# Example entries for this stanza include:
5625# server::unix-root = include
5626# ldap::* = exclude
5627# *::* = include
5628#
5629
5630
[cfg-db-cmd:entries]

# Rules are evaluated top-down and the first match wins (see the description
# above this stanza), so order is significant: a specific rule must appear
# before any wildcard that would otherwise match it, and the catch-all at the
# end must stay last.

# Exclude some configuration entries which are specific to the appliance.
# The following entries should NOT be modified.
server::server-name = exclude
server::jctdb-base-path = exclude
server::cfgdb-base-path = exclude
junction::local-junction-file-path = exclude
# This wildcard already covers the passwd-ldap and cert-ldap entries listed
# further down, which therefore never match (harmless: both sides exclude).
authentication-mechanisms::* = exclude
aznapi-configuration::trace-admin-args = exclude
system-environment-variables::PD_SVC_ROUTING_FILE = exclude
oauth-eas::*rsp-file = exclude
PAM::pam-log-cfg = exclude
PAM::pam-statistics-db-path = exclude
flow-data::flow-data-db-path = exclude
# Sub-stanza form: stanza 'translog:pd.webseal' (not shown in this excerpt),
# entry 'file-path'.
translog:pd.webseal::file-path = exclude
audit-configuration::base-cache-path = exclude
aznapi-external-authzn-services::* = exclude

# Exclude a number of server specific entries from the server stanza
server::unix-pid-file = exclude
server::http-port = exclude
server::https-port = exclude
server::server-root = exclude
server::network-interface = exclude

# Exclude the LDAP bind DN and password as this should be specified to
# each server.
ldap::bind-dn = exclude
ldap::bind-pwd = exclude

# Exclude the SSL keyfiles, but include the actual label which is used.
# The label entry must precede the '*keyfile*' wildcard, which would
# otherwise match it.
ssl::webseal-cert-keyfile-label = include
ssl::*keyfile* = exclude

# Exclude the port on which we listen for requests from the policy server.
ssl::ssl-listening-port = exclude
ssl::listen-interface = exclude

# Exclude various authentication mechanisms as these should also be configured
# by default. (Unreachable: 'authentication-mechanisms::*' above matches first.)
authentication-mechanisms::passwd-ldap = exclude
authentication-mechanisms::cert-ldap = exclude

# Exclude the WebSEAL document root.
content::doc-root = exclude

# Exclude the various log files as these should be server specific.
logging::*log = exclude
logging::server-log* = exclude
logging::*file = exclude

# Exclude various server specific configuration entries for the authorization
# framework (e.g. log files, server identities, etc).
aznapi-configuration::db-file = exclude
aznapi-configuration::auditlog = exclude
aznapi-configuration::azn-app-host = exclude
aznapi-configuration::azn-server-name = exclude
aznapi-configuration::pd-user-name = exclude

# Exclude everything from the webseal-config stanza.
webseal-config::* = exclude

# Exclude the name of our obfuscated configuration file.
configuration-database::* = exclude

# Exclude the cluster settings as these are server specific.
cluster::* = exclude

# Exclude the interface specific settings as these shouldn't, in a normal
# environment, need to be replicated. The [interfaces] stanza contains the
# definitions which are specific to a particular interface.
interfaces::* = exclude

# Exclude the appliance-preset listen-interface
appliance-preset::listen-interface = exclude

# We want to include everything else.
# NOTE(review): "everything else" includes stanzas holding secrets that have
# no exclude rule above, e.g. itim::principal-password and
# itim::keydatabase-password in the [itim] stanza below. If those are ever
# set, consider adding explicit exclude rules for them ahead of this line.
*::* = include

5711#
5712# The cfg-db-cmd:files stanza is used to specify the files which
5713# will be exported or imported via the 'cfgdb' server task commands.
5714#
5715# The format for entries contained within this stanza will be:
5716# file = <file-path>, or
5717# file = cfg(<stanza>::<entry>)
5718#
5719# The '<file-path>' entry should contain either a fully qualified file name,
5720# a file name which is relative to the WebSEAL installation root, or a file
5721# name which is relative to the WebSEAL server root (as defined by the
5722# server-root configuration entry).
5723#
5724# The 'cfg(<stanza>::<entry>)' entry is used to define the configuration entry
5725# which will contain the name of the file which is to be included.
5726#
# Example entries for this stanza include:
5728# file = /opt/pdwebrte/etc/cert-rules.txt
5729# file = www-default/lib/jmt.conf
5730# file = cfg(junction::jmt-map)
5731#
5732# The template configuration file will contain entries for the most commonly
5733# used files. Files which are not included in the default configuration
5734# include:
5735#
5736# stanza configuration entry
5737# ------ -------------------
5738# spnego spnego-krb-keytab-file
5739# cdsso-peers <full qualified host name>
5740# e-community-domain-keys <domain name>
5741# e-community-domain-keys:<domain> <domain name>
5742# dsess-cluster:<name> ssl-keyfile and ssl-keyfile-stash
5743# tfim-cluster:<name> ssl-keyfile and ssl-keyfile-stash
5744# http-transformations <resource name>
5745#
5746
[cfg-db-cmd:files]

# NOTE(review): the files listed here travel with the exported configuration
# database. They include key databases and their stash files (a stash file
# holds the key database password -- see the keydatabase-password-file entry
# in the [itim] stanza below), so the exported output must be protected at
# least as strictly as the key files themselves.

# Include the key file which is used when communicating with browsers
file = cfg(ssl::webseal-cert-keyfile)
file = cfg(ssl::webseal-cert-keyfile-stash)
# Include the key file which is used when communicating with junctioned
# Web servers.
file = cfg(junction::jct-cert-keyfile)
file = cfg(junction::jct-cert-keyfile-stash)
# Include the failover cookie key file.
file = cfg(failover::failover-cookies-keyfile)
# Include the LTPA keyfile used during authentication
file = cfg(ltpa::keyfile)
# Include the junction mapping table.
file = cfg(junction::jmt-map)
# Include the Dynamic URL map.
file = cfg(server::dynurl-map)
# Standard key files for the DSess and TFIM clusters
file = cfg(dsess-cluster::ssl-keyfile)
file = cfg(dsess-cluster::ssl-keyfile-stash)
# 'my-cluster' reads like a template placeholder -- presumably it should
# match the name of the actual [tfim-cluster:<name>] stanza; verify.
file = cfg(tfim-cluster:my-cluster::ssl-keyfile)
file = cfg(tfim-cluster:my-cluster::ssl-keyfile-stash)

5776#
5777# The jdb-cmd:replace stanza is used to define the mapping rules
5778# for the jdb import command. These mapping rules will be applied
5779# to each attribute within the junction archive file prior to
5780# importing the new junction database.
5781#
5782# The format for entries contained within this stanza will be:
5783# {jct-id} = {search-attr-value}|{replace-attr-value}
5784#
5785# Where:
5786# {jct-id}: Refers to the junction point for a standard junction
5787# (including the leading '/'), or the virtual host
5788# label for a virtual host junction
5789# {search-attr-value}: The attribute value which is to be searched for
5790# within the junction definition.
5791# {replace-attr-value}: The attribute value which is to be used within the
5792# new junction definition.
5793#
5794# An example entry for this stanza could be:
5795# /test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com
5796#
5797
[jdb-cmd:replace]
# No mapping rules are configured: junction archives are imported with their
# attribute values unchanged.

5800# The following stanza is used to house configuration information
5801# which is necessary for the support of WebSEAL clusters. WebSEAL
# clusters are used to automate the synchronization of data between
5803# different WebSEAL servers.
5804
[cluster]

# Is this machine a master for the cluster? There should only ever
# be a single master for each cluster. Any modifications to the
# configuration of a cluster should only ever be made to the
# master.
# Neither is-master nor master-name is set in this file, so this instance
# is not configured as part of a cluster. (The [cfg-db-cmd:entries] stanza
# above also keeps cluster::* out of the configuration database.)
#is-master = <yes/no>

# If is-master is set to 'no' then the following value needs to
# be specified. It is used to define the authorization server
# name of the master,
# e.g. default-webseald-server.ibm.com
# master-name = <azn-name>

# The maximum amount of time to wait, in seconds, for a slave
# server to be restarted. This configuration entry is only
# applicable to the master server.
max-wait-time = 60

[http-transformations]

# The http-transformations stanza is used to house configuration information
# which is necessary for the support of WebSEAL HTTP transformations.
# WebSEAL HTTP transformations are used to modify HTTP requests and
# HTTP responses (excluding the HTTP body) using XSLT.
# To enable the HTTP transformations for a particular object a POP should
# be attached to the appropriate part of the object space. This POP
# should contain an extended attribute(s) with name of 'HTTPTransformation'
# and a value of 'Request=<resource-name>' and/or 'Response=<resource-name>'.
#
# HTTP transformation resources can be defined by specifying the resource name
# and the path to the resource file.
#
# Format is:
# <resource-name> = <resource-xsl-file>

# The following files are currently available for this configuration entry:
# - <none available>

# Empty: no transformation resources are defined, so an 'HTTPTransformation'
# POP attribute has nothing to refer to until an entry is added here.
resource-name =

#
# The [http-transformations:<resource-name>] stanza is used to house
# configuration which is specific to a particular HTTP transformation resource.
#

[http-transformations:<resource-name>]
# Template stanza: '<resource-name>' is a literal placeholder here, so this
# stanza is not expected to apply to any real resource. A real transformation
# resource gets its own copy named after the resource-name entry in the
# [http-transformations] stanza above -- confirm the placeholder stanza is
# ignored rather than treated as a resource literally named '<resource-name>'.

#
# The cred-attr-name configuration entry is used to define the
# credential attributes which will be included in the XML input
# document, used when evaluating the HTTP transformation rule.
#
# The credential attributes will be stored in a new XML
# element within the top level XML container: <Credential>.
# For example:
# <HTTPResponse>
# <Credential>
# <Attributes>
# <Attribute name=AZN_CRED_PRINCIPAL_NAME>testuser</Attribute>
# </Attributes>
# </Credential>
#
# </HTTPResponse>
#
# The configuration entry may be specified multiple times if
# multiple credential attributes are required in the XML input
# document.
#
# Some of the more common attributes include:
# AZN_CRED_PRINCIPAL_NAME
# AZN_CRED_AUTHZN_ID
# AZN_CRED_PRINCIPAL_UUID
# AUTHENTICATION_LEVEL
# tagvalue_session_index
#
# For a complete list of attributes the pdweb.wan.azn trace point can be
# set to level 9, and then a request sent to WebSEAL. The output trace will
# contain a list of all attributes associated with the user credential.
# (Such a trace lists every credential attribute, so treat the trace output
# as sensitive and reset the level afterwards.)
#
cred-attr-name =

#
# The request-match configuration entry is used to define the pattern to be
# matched against the HTTP request line, which includes method, URI, and
# protocol. If a match is successful, then an HTTP transformation is triggered.
#
# Format is:
# request-match = {request|response}:<request-line>
#
# The entry must begin with either request or response, which indicates whether
# the processing is conducted on the HTTP request or response.
# <request-line> contains the request line to be matched against. The pattern
# matching is case-sensitive. Wildcard characters * and ? can be used.
# This entry is optional. Multiple entries can be specified if needed.
#
# You also have the option of matching a request using a host header, useful
# when selectively enabling this functionality for a particular virtual host
# junction. To selectively match an entry based on a particular host header
# the <request-line> should be prepended with the string: [<host>].
#
# Please note that if you use this mechanism to match the request to a rule
# the evaluation of the rule will occur early in the request processing which
# means that credential attributes will not be available in the evaluation of
# the rule. If you need to use credential attributes in your request
# transformation you should use the alternative POP mechanism for invoking the
# rule.
#
# For example:
# request-match = request:GET /index.html HTTP/1.1
# request-match = response:GET /jct/*
# request-match = response:[www.ibm.com]GET /login/*
#
request-match =

5920#[ICAP:<resource>]
5921#
5922#
5923# The [ICAP:<resource>] stanza is used to define a single ICAP
5924# resource. The '<resource>' component of the stanza name should
5925# be changed to the actual name of the resource.
5926#
5927# To enable the ICAP resource for a particular object a POP should
5928# be attached to the appropriate part of the object space. This POP
5929# should contain an extended attribute with a name of 'ICAP' and
5930# a value which is equal to the name of the configured ICAP resource.
5931#
5932#
5933# The complete URL on which the ICAP server is expecting requests.
5934# An example might be:
5935# URL = icap://icap.example.net:1344/filter?mode=strict
5936#
5937# An SSL connection to the ICAP server is also supported. When
5938# using an SSL connection, the keystore used is that which is defined
5939# in the [junction] stanza of this file. To identify an SSL connection
5940# to an ICAP server, use the string 'icaps' for this entry. An
5941# example might be:
5942# URL = icaps://icap.example.net:1345/filter?mode=strict
5943#
5944# URL =
5945#
5946# The list of transactions for which this resource will be invoked.
5947#
5948# Possible values are:
5949# 'req': The ICAP server will be invoked on the HTTP request;
5950# 'rsp': The ICAP server will be invoked on the HTTP response;
5951#
5952# transaction = req
5953#
5954#
5955# The maximum length of time (in seconds) that WebSEAL will wait for
5956# a response from the ICAP server.
5957#
5958# timeout = 120
5959#
5960# If the connection to the ICAP server is SSL (see above) then an
5961# optional entry can be provided to identify the label of the
5962# certificate to use from the keystore. This entry is only required
5963# if client certificate authentication is needed.
5964#
5965# ssl-keyfile-label = <label>
5966
5967
[system-environment-variables]
# Exported into the environment of the WebSEAL daemon (see the description
# below). Values are taken literally and are not quoted.
KRB5_CONFIG = /var/PolicyDirector/etc/krb5.conf
# Presumably the Kerberos replay-cache directory (MIT krb5 KRB5RCACHEDIR).
# NOTE(review): it points at the log directory; confirm that directory's
# permissions are suitable for replay-cache files.
KRB5RCACHEDIR = /var/PolicyDirector/log
# Presumably the RSA ACE/SecurID agent data directory -- confirm it is needed.
VAR_ACE = /var/ace/

#
# Environment variables which are exported by the WebSEAL daemon.
# The environment variable names are case sensitive. The format
# of each entry is:
# <env-name> = <env-value>
#
# For example:
# LANG = de
#
# NB: This functionality is not available on Windows platforms, and
# as such the system-environment-variables stanza will be ignored on
# Windows.

[cert-map-authn]

#
# The name of the rules file which will be used by the certificate mapping
# CDAS.
#
# Left empty: no certificate-to-user mapping rules are configured.
#

# The following files are currently available for this configuration entry:
# - <none available>

rules-file =

#
# The initial tracing level of the authentication module. The level
# variable indicates the trace level, with 1 designating a minimal
# amount of tracing and 9 designating the maximum amount of tracing.
# The trace level can also be modified using the Tivoli Access Manager
# pdadmin trace commands, supplying the trace component name of
# pd.cas.certmap. This trace component is only available after the
# first HTTP request has been processed.
#
# 0 lies below the documented minimum of 1; presumably tracing is off.
#
debug-level = 0

#
# The [http-updates] stanza further below (not the stanza that immediately
# follows this comment) is used to configure WebSEAL so that it can
# communicate with an HTTP server to retrieve updates to files.
#
6013
[user-map-authn]

#
# The name of the rules file which will be used by the authenticated
# user mapping module.
#
# Left empty: no authenticated-user mapping rules are configured.
#

# The following files are currently available for this configuration entry:
# - <none available>

rules-file =

#
# The initial tracing level of the mapping module. The level
# variable indicates the trace level, with 1 designating a minimal
# amount of tracing and 9 designating the maximum amount of tracing.
# The trace level can also be modified using the Tivoli Access Manager
# pdadmin trace commands, supplying the trace component name of
# pd.cas.usermap. This trace component is only available after the
# first HTTP request has been processed.
#
# 0 lies below the documented minimum of 1; presumably tracing is off.
#
debug-level = 0

[password-strength]

#
# The name of the rules file which will be used by the password
# strength module.
#
# Left empty: no password-strength rules are configured here, so password
# quality is governed only by the registry/policy settings configured
# elsewhere (for example the AZN_POLICY_* entries listed in
# [credential-policy-attributes]).
#

# The following files are currently available for this configuration entry:
# - <none available>

rules-file =

#
# The initial tracing level of the password strength module. The level
# variable indicates the trace level, with 1 designating a minimal
# amount of tracing and 9 designating the maximum amount of tracing.
# The trace level can also be modified using the Tivoli Access Manager
# pdadmin trace commands, supplying the trace component name of
# pd.cas.pwdstrength. This trace component is only available after the
# first change password operation has been processed.
#
# 0 lies below the documented minimum of 1; presumably tracing is off.
#
debug-level = 0

[http-updates]

#
# The URL which contains the HTTP file, for example:
# https://99.n.trusteer.com/74767/api/snippets
#
# NOTE(review): use an https:// URL. Per the ssl-server-dn entry below, the
# server's DN is only checked when ssl-keyfile-label is also set; without it,
# verification of the update server's identity rests on the junction
# certificate database alone. Confirm that is acceptable, since the retrieved
# content replaces local files.
#

update-url =

#
# The proxy server which will be used when connecting to the HTTP server.
# The configuration entry should be of the form: <server>:<port>.
#

proxy =

#
# The label of the certificate which will be used for authentication
# to the HTTP server. This certificate must be present in the
# certificate database which is used for junction communication.
#

ssl-keyfile-label =

#
# The DN of the server. This configuration entry is only used if an
# SSL connection is established with the server and an SSL key file
# label has been specified.
#

ssl-server-dn =

#
# The frequency, in seconds, that the update server will be polled
# for updates.
#

# 3600 seconds = hourly (only relevant once update-url is set).
poll-period = 3600

#
# The following configuration entry can be used to perform a search and
# replace on text which is contained within the updated files. The format
# of the configuration entry will be:
# replace = <search-pattern>|<replace-text>
#
# where:
# search-pattern = the regular expression pattern which is to be matched
# replace-text = the text which will replace the matched text
#
# The '|' character cannot be used in the search-pattern text.
#
# Multiple instances of this configuration entry can be used if multiple
# substitutions are required.
#
# No replace entries are configured.
#

6115#
6116# The following 'itim' stanza is used to configure the Password Synchronization
# Adapter for Tivoli Identity Manager.
6118#
6119[itim]
6120
6121#
6122# Is the adapter enabled?
6123#
6124is_enabled = false
6125
6126#
6127# This is the hostname or IP address of the Tivoli Identity Manager
6128# server that hosts the Tivoli Identity Manager Adapter for Tivoli Access
6129# Manager. In a WebSphere Application Server cluster environment, you
6130# need to configure SSL for the IBM HTTP Server. If you are using a WebSphere
6131# Application Server single-server environment, you do not need to configure
6132# SSL for the IBM HTTP Server.
6133# * This entry is mandatory.
6134#
6135itim-server-name = <TIM Server IP address>
6136
6137#
6138# The port associated with the itim-server-name URL above. The default
6139# HTTPS port is 9443 for a single server configuration and 443 for a
6140# Tivoli Identity Manager cluster with HTTP SSL configured.
6141#
6142#servlet-port=9443
6143
6144#
6145# The password synchronization context root on the application server.
6146#
6147#servlet-context=/passwordsynch/synch
6148
6149#
6150# An ID which has the necessary permission(s) to request the check and
6151# synchronization operations. The best practice is to create a separate
6152# account with appropriate permissions and use this account instead of
6153# the ITIM manager account.
6154# * This entry is mandatory.
6155#
6156principal-name = <Principal Name>
6157
6158#
6159# The password for the Tivoli Identity Manager Principal Name.
6160# * This entry is mandatory.
6161#
6162principal-password = <Principal Password>
6163
6164#
6165# The following three items hold the pseudo-distinguished names of the
6166# services (resources) issuing the password synchronization request. This
6167# pseudo-distinguised name consists of the attributes o, ou and dc from
6168# the Tivoli Identity Manager LDAP organization context, and the
6169# erservicename attribute of the Tivoli Access Manager service name, as
6170# defined in Tivoli Identity Manager.
6171#
6172# If there are more than one pseudo-distinguished names specified, they
6173# must be separated with a semicolon (;) character. The adapter iterates
6174# through the list of service names until an account is found for one of
6175# the services. If no account is found on the specified services, an error is
6176# reported.
# * It is mandatory to specify at least one of the following three entries.
6178#
6179
6180#
6181# service-source-dn is used to define the service pseudo-distinguished
6182# name for all authentication methods.
6183#
6184service-source-dn = <service pseudo DN>
6185
6186#
6187# service-password-dn is used to define the service pseudo-distinguished
6188# name if using standard password as the authentication method. If this is
6189# specified, it will override the password authentication method that is
6190# defined under service-source-dn.
6191#
6192#service-password-dn = <service pseudo DN>
6193#
6194# service-token-card-dn is used to define the service pseudo-distinguished
6195# name if using token card as the authentication method. If this is specified,
6196# it will override the token card authentication method that is defined under
6197# service-source-dn.
6198#
6199#service-token-card-dn = <service pseudo DN>
6200#
6201# The location and name of the Key Database file.
6202# * This entry is mandatory.
6203#
6204
6205# The following files are currently available for this configuration entry:
6206# - pdsrv.kdb
6207# - lmi_trust_store.kdb
6208# - rt_profile_keys.kdb
6209# - embedded_ldap_keys.kdb
6210
6211keydatabase-file =
6212
6213#
6214# The password for the Key Database file.
6215# * Either this entry, or the keydatabase-password-file entry is
6216# mandatory.
6217#
6218#keydatabase-password = <kdb password>
6219#
6220# The password stash-file for the Key Database file.
6221# * Either this entry, or the keydatabase-password entry is
6222# mandatory.
6223#
6224
6225# The following files are currently available for this configuration entry:
6226# - rt_profile_keys.sth
6227# - lmi_trust_store.sth
6228# - embedded_ldap_keys.sth
6229# - pdsrv.sth
6230
6231keydatabase-password-file =
6232
6233
6234
# Enable and configure Web Socket support.
[websocket]

# The maximum number of threads which will be used to proxy
# WebSocket connections through WebSEAL. A value of zero will cause WebSockets
# to be blocked. Each WebSocket connection will require two worker threads.
# If more than max-worker-threads are in use WebSEAL will immediately close the
# WebSocket even if the WebSocket upgrade request to the Junction succeeded. The
# WebSocket threads operate independently from the [server] worker-threads.
#
# NOTE(review): this instance is configured with 0, i.e. WebSocket upgrade
# requests are blocked. The idle-thread and timeout entries below presumably
# have no effect until this value is raised above zero.
max-worker-threads = 0

# To avoid the overhead of starting and stopping WebSocket worker threads
# a number of threads can be left running idle. This will consume memory
# resources to keep them alive and idle when not in use, but will save CPU and
# thread start-up time when a new WebSocket requires threads.
# This option specifies the maximum count of cached idle worker threads. A value
# of zero will disable the caching of idle threads.
idle-worker-threads = 0

# The number of seconds to wait for data to be received from the junctioned WebSocket
# server. If the timeout is reached the WebSocket connection will be closed.
jct-read-inactive-timeout = 120

# The number of seconds to wait for data to be received from the WebSocket client (browser).
# If the timeout is reached the WebSocket connection will be closed.
clt-read-inactive-timeout = 120

# The number of seconds to wait if WebSEAL is blocked while sending data to the
# junctioned WebSocket server. If the timeout is reached the WebSocket
# connection will be closed.
jct-write-blocked-timeout = 20

# The number of seconds to wait if WebSEAL is blocked while sending data to the
# WebSocket client (browser). If the timeout is reached the WebSocket
# connection will be closed.
clt-write-blocked-timeout = 20
6271
6272
[http-method-perms]

#
# This stanza defines the ACL permission bits required to perform a
# request using a particular HTTP method.
#
# The "<default>" entry defines the permissions required for any
# methods not explicitly specified in the stanza.
#
# The "<default>" entry itself has no default value and must be
# specified as a non-empty string in the stanza.
#
# This stanza may be overridden on a per-junction basis by qualifying
# the stanza name with the junction name. When overridden in this way
# only the entries in the qualified stanza will apply to the junction.
#
# For example:
#
# [http-method-perms]
# <default> = r
# POST = rx
#
# [http-method-perms:/myJunction]
# <default> = r
#
# In this scenario:
# - A POST request to /myJunction will require 'r' permission (from <default>)
# - A POST request to any other junction will require the 'rx' permissions
# Note that /myJunction does not inherit the "POST" entry from the global
# [http-method-perms] stanza.
#
# If this stanza is empty, WebSEAL will operate with the legacy behavior.
# The legacy behaviour is equivalent to:
#
# [http-method-perms]
# <default> = r
# PUT = m
# DELETE = d
#
# NOTE(review): this stanza is left empty in this file, so the legacy mapping
# above is in force: PUT needs 'm', DELETE needs 'd', and every other method
# (including POST) is authorised by 'r' alone. Add explicit entries here if
# state-changing methods should require more than read permission.
6312
#
# The oauth-eas configuration stanza is used to configure the EAS which
# communicates with TFIM to handle OAuth authorization. The EAS itself will
# be invoked for a particular object if the effective POP for the object has
# an attribute entitled "eas-trigger", with an associated value of
# "trigger_oauth_eas".
#

[oauth-eas]

# Should the EAS be enabled?
# NOTE(review): disabled in this file; the remaining entries in this stanza
# presumably only take effect once this is set to true.
eas-enabled = false

# A majority of the OAuth settings exist in the [oauth] stanza. These are
# specific to the OAuth EAS implementation.

# The maximum number of OAuth 2.0 bearer token authorization decisions to cache.
# This EAS has a built in cache for storing authorization decisions so that
# repeated use of the same OAuth 2.0 bearer token does not require repeated
# authorization requests. Bearer token decisions can be cached because they do not
# require signing of the request, unlike OAuth 1.0 requests. The lifetime of the
# cache entry is based on the Expires attribute returned in the STS. If this
# attribute is not returned, the decision will not be cached.
#
# This EAS implements a Least Recently Used cache, meaning the decision
# associated with the least recently used bearer token will be forgotten when a
# new bearer token decision is cached. A cache-size of 0 will disable caching of
# authorization decisions
cache-size = 0

# The default OAuth mode that this EAS will operate under. It affects the
# validation of request parameters, as well as the construction of the RST. The
# default mode can be overridden for an individual request by providing a valid
# mode value [OAuth10|OAuth20Bearer] in a request parameter with the name
# specified in the mode-param option below.
default-mode = OAuth20Bearer

# The name of the request parameter that can be used to override the
# default-mode option configured above. By deleting this configuration
# option, you can enforce that the default mode is always used.
#
# NOTE(review): because the mode is taken from a request parameter, the
# client chooses which validation path (OAuth10 or OAuth20Bearer) is applied
# to its request. Remove this entry if only the default mode should ever be
# used.
mode-param = mode

# The name of the OAuth realm which will be used in a 401 request
# for OAuth data.
realm-name = ISAM

# The name of the file which contains the body used when constructing a
# '400 Bad Request' response. This response will be generated when
# required OAuth elements are missing from a request.

# The following files are currently available for this configuration entry:
# - oauth_template_rsp_400_bad_request.html
# - oauth_template_rsp_502_bad_gateway.html
# - oauth_template_rsp_401_unauthorized.html

bad-request-rsp-file = oauth_template_rsp_400_bad_request.html

# The name of the file which contains the body used when constructing a
# '401 Unauthorized' response. This response will be generated when:
# - all OAuth data is missing from a request, or
# - the OAuth data fails validation.

# The following files are currently available for this configuration entry:
# - oauth_template_rsp_400_bad_request.html
# - oauth_template_rsp_502_bad_gateway.html
# - oauth_template_rsp_401_unauthorized.html

unauthorized-rsp-file = oauth_template_rsp_401_unauthorized.html

# The name of the file which contains the body used when constructing a
# '502 Bad Gateway' response. This response will be generated when the
# processing of the request fails.

# The following files are currently available for this configuration entry:
# - oauth_template_rsp_400_bad_request.html
# - oauth_template_rsp_502_bad_gateway.html
# - oauth_template_rsp_401_unauthorized.html

bad-gateway-rsp-file = oauth_template_rsp_502_bad_gateway.html

# The name of the TAM trace component which is used by the EAS.
trace-component = pdweb.oauth

# Should the native TAM ACL policy still take effect, in addition to the
# OAuth authorization?
# With false, an object whose POP triggers this EAS is authorised by the
# OAuth decision alone; the ACL attached to the object is not also checked.
apply-tam-native-policy = false
6399
6400
#
# The rtss-eas configuration stanza is used to configure the EAS which
# communicates with the RBA server. The EAS itself will be invoked for a
# particular object if the effective POP for the object has an attribute
# entitled "eas-trigger", with an associated value of "trigger_rba_eas".
#

################################################################################
# Risk Based Access (RBA) External Authorization Service (EAS) Settings
#
# BEGIN
#
################################################################################
[rtss-eas]
# Specify the name of the IBM Security Access Manager trace component that the
# EAS uses

trace-component = pdweb.rtss

# Set this property to true if you want the EAS to first check with IBM(r)
# Security Access Manager whether the user has permission to access the
# resource based on the ACL set.
# With true, the native ACL is evaluated before the risk-based decision, so
# a request must pass both.

apply-tam-native-policy = true

# Defines the context-id (Policy ID) that is used in the XACML requests that are
# sent by the EAS to the RTSS. Set this entry to one of the following values:
#
# context-server-name
# to use the WebSEAL server-name for all requests.
#
# context-inherited-pop
# to use the location of the inherited POP for all requests. Use
# this value if you require multiple policies for different
# portions of the protected resource tree.
#
# <other-policy-id>
# Use this value as the Policy ID for all requests.
#
# If the context-id parameter is not set, the WebSEAL server-name is used as
# the default value.

# context-id =
context-id = context-inherited-pop

# The audit logging configuration. This entry consists
# of an agent identifier, followed by attributes which are
# associated with the agent. Each attribute consists of a
# name/value pair, separated by '=', and each attribute is
# separated by ','.
#
# For example, to configure the auditing of records to a file:
# audit-log-cfg = file path=/tmp/rtss-audit.log,flush=20,rollover=2000000,buffer_size=8192,queue_size=48
# To send audit logs to STDOUT:
# audit-log-cfg = STDOUT
#
# If this attribute is missing or not configured, no audit
# events will be logged.
#
# NOTE(review): the entry is commented out below, so per the statement above
# this instance logs no RBA audit events. Configure it if access decisions
# made by this EAS need to be traceable.

# audit-log-cfg =



# Specify the name of the runtime security services SOAP cluster
# that contains this runtime security services SOAP service.
# Also specify a corresponding [rtss-cluster:<cluster>]
# stanza with the definition of the cluster.

cluster-name = cluster1

# ISAM for Mobile receives a credential from the RBA EAS that contains
# attributes for use in performing a risk assessment. This is called the
# "RBA EAS credential" and is not the same as the WebSEAL credential, though it
# may contain attributes with the same names.
#
# The client IP address is passed to the RBA EAS in the
# AZN_CRED_NETWORK_ADDRESS_STR RBA EAS credential attribute. In previous
# versions, this contained the client IP that was used when the WebSEAL
# credential was built, regardless of whether the client IP changed during the
# session.
#
# That default behavior changes if WebSEAL is configured to pass the current
# client IP address to the EAS in the [azn-decision-info] stanza. In order to
# ensure that risk assessment is being performed using the most current
# information, the AZN_CRED_NETWORK_ADDRESS_STR RBA EAS credential attribute
# will contain the client IP address used for the current request. Setting
# use_real_client_ip to 'false' provides backwards compatibility and enables
# the previous behavior.
#
# use_real_client_ip = false


# Previous versions of RBA used the "value" of an [azn-decision-info] stanza
# entry (i.e. the "right side") as its attribute ID. This version of RBA
# uses the "key" of an [azn-decision-info] stanza entry (i.e. the "left side")
# as the attribute ID. To enable the behavior with previous releases, use
# the following setting:
#
# provide_700_attribute_ids = true


# The EAS contacts the runtime security services servers to make an access
# decision. The [rtss-cluster] stanza below determines which servers to contact.
# If none of the specified servers are available, an error is returned and no
# access is permitted. If you do not want this behavior, you can use the
# following permit-when-no-rtss-available entry to permit all requests when no
# servers are available. The default value is false.
#
# permit-when-no-rtss-available = true
#
# Caution: With this setting, every single request will be permitted only when
# none of the runtime security services servers are available. This includes
# access that might not be permitted if the server was available.
#
# NOTE(review): the entry is not set in this file, so the default (false)
# applies and the EAS fails closed when no RTSS server can be reached.

# Size of the RTSS decision cache.
# Decision caching is enabled by setting the attribute "CBACacheResult" to a
# non-zero value on the protected object that has the RTSS EAS enabled POP
# attached to it. The enablement applies to all child protected objects unless
# overridden by an RTSS EAS enabled POP attached to one of the children.
# When the cache is full it will discard the least recently used entry to make
# room for a new entry. Please read the documentation for this configuration
# entry to understand the limitations of using the decision cache.
#
# Notes:
# 1) The permitted values for the protected object attribute CBACacheResult are:
# -1 : Cache decision for lifetime of user's session.
# 0 : Disable caching
# >0 : Number of seconds to cache decision.
# 2) If cba-cache-size is set to a value less than 512 it will use a value of 512.
#
# cba-cache-size = 16384
6532
6533
[rtss-cluster:cluster1]
# Specify the definitions for a cluster of runtime security services
# SOAP servers in this stanza.

# Define the specifications of the server that you use to communicate
# with a single runtime security services SOAP server,
# which is a member of this cluster.
# Values for this entry are defined as:
# {[0-9],}<URL>
# where the first digit (if present) represents the priority of the server
# in the cluster (9 being the highest, 0 being lowest). A priority of 9 is
# assumed if you do not specify a priority. The <URL> can be any
# well-formed HTTP or HTTPS URL.

# You can specify multiple server entries for failover and load balancing
# purposes. The complete set of these server entries defines the
# membership of the cluster for failover and load balancing.

# The following is an example of an HTTP URL
# server = 9,http://localhost:9080/rtss/authz/services/AuthzService
#
# Active cluster member for this instance. The URL is HTTPS, so the SSL
# entries further down in this stanza (or, where absent, the [ssl] stanza)
# govern this connection.
server = 9,https://iamrt.ibmemm.edu:443/rtss/authz/services/AuthzService

# The following is an example of an HTTPS URL. You will also need to ensure that
# your SSL configuration below is correct.
#server = 9,https://localhost:9443/rtss/authz/services/AuthzService

# Specify the maximum number of cached handles that are used when
# communicating with runtime security services SOAP.

handle-pool-size = 10

# Specify the length of time, in seconds, before an idle handle is removed
# from the handle pool cache.

handle-idle-timeout = 240

# Specify the length of time, in seconds, to wait for a response from
# runtime security services SOAP.

timeout = 240

# You can use the following optional configuration entries if
# the runtime security services SOAP server is configured to require
# basic authentication. If you leave these entries blank,
# the basic authentication header is not provided when communicating
# with the runtime security services SOAP server.

# Specify the name of the user for the basic authentication header.

basic-auth-user = easuser

#
# The following SSL entries are optional and are only required if:
# 1. At least one server entry indicates that SSL is to be used (i.e.
# starts with https:)
# 2. A certificate is required other than that which is used by this server
# when communicating with the policy server (details of the
# default certificate can be found in the [ssl] stanza of this
# configuration file.
#
# If these entries are required and are not found within this stanza, the
# default [ssl] stanza will be searched.
#
#
# The name of the key database file which houses the client certificate to be
# used.
#
# ssl-keyfile =

# The following files are currently available for this configuration entry:
# - pdsrv.kdb
# - lmi_trust_store.kdb
# - rt_profile_keys.kdb
# - embedded_ldap_keys.kdb

ssl-keyfile = pdsrv.kdb

#
# The name of the password stash file for the key database file.
#
# ssl-keyfile-stash =

# The following files are currently available for this configuration entry:
# - rt_profile_keys.sth
# - lmi_trust_store.sth
# - embedded_ldap_keys.sth
# - pdsrv.sth

ssl-keyfile-stash = pdsrv.sth

# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file. If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.
#
# NOTE(review): obfuscation is reversible by the product and is not
# encryption; this file (and the stash file named above) must be protected
# as a secret-bearing file.

basic-auth-passwd = **obfuscated**

#
# The label of the client certificate within the key database.
#
# ssl-keyfile-label =

#
# This configuration entry specifies the DN of the server (obtained from the
# server SSL certificate) which will be accepted. If no entry is configured
# all DN's will be considered to be valid. Multiple DN's can be specified by
# including multiple configuration entries of this name.
#
# NOTE(review): no ssl-valid-server-dn is configured, so any server DN is
# accepted for the HTTPS server entry above — presumably any certificate the
# key database trusts. Pinning the RTSS server's certificate DN here would
# narrow which peer this EAS will send authorization requests to.
#
# ssl-valid-server-dn =

#
# The entry controls whether FIPS communication is enabled with RTSS/SOAP or
# not. If no configuration entry is present the global FIPS setting (as
# determined by the TAM policy server) will take effect.
#
# ssl-fips-enabled =

# Configure NIST SP800-131A compliance mode. This will have the effect of:
# - enabling FIPS mode processing (over-riding the value of the
# ssl-fips-enabled configuration entry);
# - enabling TLS V1.2;
# - enabling the appropriate signature algorithms;
# - setting the minimum RSA key size to 2048 bits.
#
# If no configuration entry is present the global NIST setting (as found in
# the [ssl] stanza) will be used.
#
# ssl-nist-compliance = no
6662
# Define the mappings between the obligation levels that the policy decision
# point (PDP) returns and the WebSEAL step-up authentication levels.
# The mapping must be one-to-one and the user must be permitted to authenticate
# only through the appropriate obligation mechanisms. These entries ensure that
# the EAS maps the obligations to the authentication levels and vice versa
# correctly.
#
# Each key is an obligation name returned by the PDP; each value is the
# WebSEAL authentication level it corresponds to. Keys here must not also
# appear in [obligations-urls-mapping].

[obligations-levels-mapping]
life_questions = 2
otp = 3
email = 4
voice = 5
6675
6676
# Define the mappings between the obligation that the policy decision point
# (PDP) returns and a URL that will attempt to satisfy the obligation.
# The mapping must be one-to-one and the user must be permitted to authenticate
# only through the appropriate obligation mechanisms. When the EAS receives
# this obligation, the user is redirected to the URL provided.
# Entries in this stanza must be unique with regard to the entries in the
# [obligations-levels-mapping] stanza.
#
# You can also use wildcard obligations in this stanza. Add an asterisk at the
# end of an obligation to indicate that all obligations found that match this
# entry, up to but not including the asterisk, are redirected to the URL value.
# Exact matches are used first. Then, if no match is found, wildcard matches
# are used.
#
# For example, to redirect all obligations that start with urn:example to
# http://www.example.com, add the following entry:
#
# urn:example:* = http://www.example.com
#
# NOTE(review): every explicit urn:ibm:security:authentication:asf:* entry
# below maps to the same URL as the wildcard entry, so the explicit entries
# appear redundant (exact matches are tried first, so they are harmless).
# Keep them only if a specific obligation is expected to diverge later.
[obligations-urls-mapping]
urn:ibm:security:authentication:asf:totp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:* = /mga/sps/authsvc
urn:ibm:security:authentication:asf:otp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_hotp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_eula = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_knowledge_questions = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_macotp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_rsa = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_smsotp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:eula = /mga/sps/authsvc
urn:ibm:security:authentication:asf:macotp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_emailotp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:rsa = /mga/sps/authsvc
urn:ibm:security:authentication:asf:hotp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:sms = /mga/sps/authsvc
urn:ibm:security:authentication:asf:consent_register_device = /mga/sps/authsvc
urn:ibm:security:authentication:asf:knowledge_questions = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_totp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:http_redirect = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password_otp = /mga/sps/authsvc
urn:ibm:security:authentication:asf:password = /mga/sps/authsvc
urn:ibm:security:authentication:asf:email = /mga/sps/authsvc
# obligation1 = https://example.com/FIM/sps/xauth?AuthenticationLevel=1
6720
6721
# Provide the data type for any entry in the [azn-decision-info] stanza that is
# not a string. For each entry in the [azn-decision-info] stanza, risk-based
# access must know its data type. By default, all entries are of data type
# string. If an entry is not of data type string, you must create an entry
# in this stanza to define the data type. Valid data types are: string, integer,
# boolean, double, x500name, time and date.
# For example, if the following entry exists in the [azn-decision-info] stanza:
#
# urn:example:company:txn:value = post-data:/"accountBalances"/"savings"
#
# and its data type is double, you must create an entry to define this.
# Append .datatype to the attribute ID (urn:example:company:txn:value) and
# specify double, as follows:
#
# urn:example:company:txn:value.datatype = double
#
# Also, provide the category for any entry in the [azn-decision-info] stanza
# that is not Environment. For each entry in the [azn-decision-info] stanza,
# risk-based access must know its category. By default, all entries are of
# category Environment. If an entry is not of category Environment, you must
# create an entry in this stanza to define the category. Valid categories are:
# Environment, Action, Subject and Resource.
# For example, if the following entry exists in the [azn-decision-info] stanza:
#
# urn:example:company:txn:userid = post-data:/"userid"
#
# and its category is Subject, you must create an entry to define this.
# Append .category to the attribute ID (urn:example:company:txn:userid) and
# specify Subject, as follows:
#
# urn:example:company:txn:userid.category = Subject
#
# NOTE(review): per the defaults stated above, every entry below restates the
# default (datatype string / category Environment) except
# urn:ibm:security:trusteer:pinpoint:csid.category = Subject, which is the
# only definition that changes how an attribute is presented to the PDP.
[user-attribute-definitions]
urn:ibm:security:worklight:adapter:adapter.datatype = string
urn:ibm:security:worklight:version:app.category = Environment
urn:ibm:security:worklight:version:platform.datatype = string
urn:ibm:security:trusteer:header:rapport.category = Environment
urn:ibm:security:worklight:version:native.datatype = string
urn:ibm:security:trusteer:header:rapport.datatype = string
urn:ibm:security:worklight:version:app.datatype = string
urn:ibm:security:worklight:adapter:procedure.datatype = string
urn:ibm:security:trusteer:pinpoint:csid.datatype = string
urn:ibm:security:worklight:adapter:parameters.category = Environment
urn:ibm:security:worklight:device:id.datatype = string
urn:ibm:security:worklight:adapter:procedure.category = Environment
urn:ibm:security:trusteer:pinpoint:csid.category = Subject
urn:ibm:security:trusteer:header:rapport-extra.datatype = string
urn:ibm:security:worklight:adapter:adapter.category = Environment
urn:ibm:security:worklight:device:id.category = Environment
urn:ibm:security:worklight:adapter:parameters.datatype = string
urn:ibm:security:worklight:version:platform.category = Environment
urn:ibm:security:trusteer:header:rapport-extra.category = Environment
urn:ibm:security:worklight:version:native.category = Environment
6775
6776
6777
6778################################################################################
6779# Risk Based Access (RBA) External Authorization Service (EAS) Settings
6780#
6781# END
6782#
6783################################################################################
6784
6785
#
# The PAM stanza is used to house the configuration data which
# is required for the PAM integration. The PAM functionality
# is used to provide deep content packet inspection on selected
# requests, checking for potential security vulnerabilities.
#

[PAM]

#
# Whether PAM analysis is enabled.
# NOTE(review): disabled in this file, so none of the inspection settings
# below are active for this instance.
#
pam-enabled = false

#
# If simulation mode is enabled any issues which are detected will be
# audited and then ignored. This provides a mechanism for allowing the
# administrator to see what issues are being detected without having an
# impact on the client traffic.
#
pam-simulation-mode-enabled = false

#
# The amount of memory, in bytes, which can be consumed by
# PAM. This allows PAM to tune the size of its caches for the
# amount of available memory.
#
pam-max-memory = 16777216

#
# The following item controls whether the X-Forwarded-For header
# is used to identify the client. This configuration item is useful
# if a network terminating proxy is sitting between the server and the
# client. If the value is set to false the client will be identified
# based on the socket connection information.
#
# NOTE(review): only set this to true when a trusted proxy in front of
# WebSEAL sets X-Forwarded-For; otherwise the header value comes from
# whoever sent the request.
#
pam-use-proxy-header = false

#
# Any specific parameters which should be passed to the PAM
# HTTP interface during initialization. Refer to the PAM
# documentation for a list of valid PAM parameters.
#
# The configuration entry may be specified multiple times,
# one for each PAM parameter. The entry should be of the
# format:
# pam-http-parameter = <parameter>:<value>

#
# Any specific parameters which should be passed to the PAM
# coalescer interface. This interface is used to combine
# related PAM issues into a single event. Refer to the PAM
# documentation for a list of valid parameters.
#
# The configuration entry may be specified multiple times,
# one for each coalescer parameter. The entry should be of
# the format:
# pam-coalescer-parameter = <parameter>:<value>
#
# For example:
pam-coalescer-parameter = combine:on

#
# The logging configuration. The logging configuration consists
# of an agent identifier, followed by attributes which are
# associated with the agent. Each attribute consists of a
# name/value pair, separated by '=', and each attribute is
# separated by ','.
#
# For example, to configure the auditing of records to a file:
# file path=pam.log,flush_interval=20,rollover_size=2000000
#
pam-log-cfg = file path=pam.log,flush_interval=20,rollover_size=2000000

#
# Should the audit events be sent to the PAM log file?
# It is worth noting that the number of logged events
# will increase dramatically if this option is enabled.
#
pam-log-audit-events = false

#
# PAM statistics can be enabled to provide a dashboard widget
# on the Web Gateway Appliance which displays a 30 day
# historical summary of the actions taken by PAM. This
# functionality records how many times WebSEAL has performed
# an action based on this instance's PAM configuration.
#
enable-pam-statistics = true

#
# The pam-statistics-bucket-interval item controls the granularity
# of the buckets which the actions are stored in. The default
# value is 600, or ten minutes. This data is stored in buckets
# of the defined size for the first seven days. All records are
# also coalesced into daily buckets for the first 30 days.
#
pam-statistics-bucket-interval = 600

#
# Define which PAM issues will be disabled (by default all PAM
# issues are enabled). The configuration entry is a comma
# separated list. Each issue contained within the
# list will be disabled.
#
# For example:
# to disable Ace_Filename_Overflow and HTTPS_Apache_ClearText_DoS:
# pam-disabled-issues = 2121050,2114033
#
# Left empty here: no issues are disabled.
pam-disabled-issues =

# The rules which should be applied to determine whether
# a particular resource should be passed down to the PAM
# layer or not. Each rule will be examined in sequence
# until a match is found. The first successful match
# will determine whether the request is passed to the
# PAM layer or not. The request will not be passed to
# the PAM layer if no match is found.
#
# Multiple entries may be specified, and each entry
# should be of the format:
# pam-resource-rule = [+-]{uri}
#
# where:
# + : Indicates that matching requests should be
# passed to the PAM layer.
# - : Indicates that matching requests should not
# be passed to the PAM layer.
# {uri} : Contains a pattern which is used to match
# against the URI which is found in the
# request. The wildcard characters '*'
# and '?' may be used.
#
# For example:
# pam-resource-rule = -*.gif
# pam-resource-rule = +*.html
#
# NOTE(review): no pam-resource-rule entries are defined in this stanza.
# Since an unmatched request is not passed to the PAM layer, enabling
# pam-enabled alone would still inspect nothing; at least one '+' rule is
# needed for inspection to happen.
#
6923
6924#
6925# The following stanza can be used to customize the
6926# PAM processing for individual resources and events.
6927# The name of the stanza should be of the format:
6928# [pam-resource:{uri}]
6929#
6930# where:
6931# {uri} : Contains a pattern which is used to match
6932# against the URI which is found in the
6933# request. The wildcard characters '*' and
6934# '?' may be used.
6935#
6936# For example:
6937# [pam-resource:*.js]
6938#
6939
6940[pam-resource:test.html]
6941
# NOTE(review): this stanza matches only requests for "test.html" and,
# apart from the commentary below, defines no {pam-issue} = {action}
# entries, so it currently customises nothing. Confirm whether it is a
# leftover test stanza and either populate it or remove it.
# NOTE(review): the pam-resource-rule commentary above this stanza is not
# followed by any pam-resource-rule entries in this file; by that
# commentary's own description (no match means the request is not passed
# to the PAM layer) no request would then reach the PAM layer at all.
# Confirm that this is the intended state.
6942#
6943# The entries contained within this stanza are used
6944# to control the processing of certain PAM related
6945# events. Each entry will be of the format:
6946# {pam-issue} = {action}
6947#
6948# where:
6949# {pam-issue} : Contains a pattern which is used to
6950# match a PAM issue. The wildcard
6951# characters '*' and '?' may be
6952# used.
6953# {action} : The action which is to be undertaken
6954# for the issue. The action can be
6955# one of the following:
6956# - block: Blocks the connection for
6957# a specified number of seconds,
6958# e.g. block:30;
6959# - ignore: Ignore the issue and
6960# continue to process the request;
6961#
6962# For example:
6963# 212105? = block:0
6964# 2119002 = block:20
6965
6966
6967
6968[flow-data]
6969
6970#
6971# WebSEAL on the Web Gateway Appliance can record performance data to be
6972# viewed using the LMI. This mechanism records the number of requests
6973# received by this WebSEAL instance along with the user-agent and junction
6974# which processed the request.
6975#
6976# User-agent strings are stored based on the configuration of the
6977# [user-agents] stanza. The [user-agents] stanza must be configured in
6978# order to use this functionality.
6979#
6980# This data is stored at a fine granularity for the first seven days, and
6981# as daily aggregations for the first thirty. Any data older than thirty
6982# days is discarded.
6983#
# NOTE(review): the [user-agents] stanza this feature depends on is
# defined further down in this file.
6984
6985flow-data-enabled = true
6986
6987#
6988# The interval defined here is the granularity of the data recorded.
6989# WebSEAL will aggregate the collected data into buckets of this size and
6990# will perform database commit operations each time this interval is
6991# complete.
6992#
6993# Note that after seven days, data is only kept in the daily (24 hour)
6994# buckets.
6995#
6996# This interval is given in seconds.
6997#
# 600 seconds = ten-minute buckets, the same granularity as the
# pam-statistics-bucket-interval setting above.
6998
6999flow-data-db-interval = 600
7000
7001[user-agents]
7002
7003#
7004# This stanza allows WebSEAL to map arbitrary user-agent strings to defined
7005# categories for logging purposes. Each entry should be of the following
7006# format: <category> = <pattern>
7007#
7008# The category is the string that will be recorded for user-agent strings
7009# which match the pattern. The pattern supports the wildcard characters
7010# '*' and '?'.
7011#
7012# A category can be defined multiple times if more than one pattern
7013# should map to the same category.
7014#
7015# Note: This stanza must include one entry with the match-all pattern '*'.
7016#
# NOTE(review): the User-Agent header is supplied by the client, so the
# category recorded here is whatever the client claims to be. It feeds
# logging and the [flow-data] reports only; it is not a trust signal.
# NOTE(review): one user-agent string can match several patterns (e.g. a
# string containing both "android" and "chrome"); which category is
# recorded in that case is not stated here -- confirm the matching order
# against the WebSEAL documentation.
7017
7018CHROME = *chrome*
7019FIREFOX = *firefox*
7020SAFARI = *safari*
7021OPERA = *opera*
7022IE = *msie*
# MSOFFICE is deliberately listed twice: two patterns map to one category.
7023MSOFFICE = *office*
7024MSOFFICE = *outlook*
7025ANDROID = *android*
7026IOS = *ios*
# Match-all fallback required by the note above; listed last.
7027SUNDRY = *
7028
7029
7030[manager]
# NOTE(review): presumably the Access Manager policy server host -- verify.
# "iam" is an unqualified single-label name, so how it resolves depends on
# the local resolver's search domain; a fully qualified name would make
# the target unambiguous.
7031master-host = iam
7032
7033[TAM_CRED_ATTRS_SVC:eperson]
# NOTE(review): from the key = value shape used here, the keys look like
# credential attribute names and the values the registry attributes they
# are read from (emailAddress from mail, mobileNumber from mobile) --
# verify against the credential attribute entitlement service docs.
# Both values are personal data; bear that in mind for anything that logs
# or forwards the resulting credential.
7034emailAddress = mail
7035mobileNumber = mobile
7036
7037[isam-config-info]
# NOTE(review): the value names the [isam-config-info:mobile] stanza that
# follows; presumably each name listed here needs a matching stanza.
7038federation = mobile
7039
7040[isam-config-info:mobile]
# NOTE(review): "junction" matches the [junction:/mga] stanza further down.
# The object entries all appear to be protected-object-space paths under
# /WebSEAL/iam.ibmemm.edu-rp1/mga, and the trigger entries are URL
# patterns (note the trailing '*'). Their exact effect is not documented
# here -- TODO confirm against the WebSEAL documentation.
7041junction = /mga
7042object = /WebSEAL/iam.ibmemm.edu-rp1/mga
7043object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/authsvc
# NOTE(review): .../mga/sps/xauth is listed twice in this stanza (here and
# again further down); the repeat is redundant.
7044object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/xauth
7045object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/authservice/authentication
7046object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/oauth/oauth20/authorize
7047object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/oauth/oauth20/introspect
7048object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/static
7049object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/oauth/oauth20/session
7050object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/oauth/oauth20/token
7051object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/mga/user/mgmt/questions
7052object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/mga/user/mgmt/otp
7053object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/mga/user/mgmt/device
7054object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/mga/user/mgmt/grant
7055object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/auth
7056object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/ac
7057object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/xauth
7058object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/mga/user/mgmt/html
7059object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/oauth/oauth20/clients
7060object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/oauth/oauth20/logout
7061object = /WebSEAL/iam.ibmemm.edu-rp1/mga/sps/common/qr
# NOTE(review): the /mga/sps/apiauthsvc* trigger below has no object entry
# with a matching path in the list above -- confirm whether one is needed.
7062trigger = /mga/sps/oauth/oauth20/session*
7063trigger = /mga/sps/auth*
7064trigger = /mga/sps/authservice/authentication*
7065trigger = /mga/sps/authsvc*
7066trigger = /mga/sps/apiauthsvc*
7067
7068[junction:/mga]
7069reset-cookies-list = *ac.uuid,*JSESSIONID