
Tivoli Access Manager for e-business

Version 6.1.1

WebSEAL Administration Guide

SC23-6505-01


Note
Before using this information and the product it supports, read the information in Appendix E, Notices, on page 1105.

Edition notice
This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions. All rights reserved. Copyright IBM Corporation 2002, 2010. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication  xix
  Intended audience  xix
  Publications  xix
    IBM Tivoli Access Manager for e-business library  xxi
    Related products and publications  xxii
    Accessing terminology online  xxii
    Accessing publications online  xxiii
    Ordering publications  xxiii
  Accessibility  xxiii
  Tivoli technical training  xxiii
  Tivoli user groups  xxiv
  Support information  xxiv
  Conventions used in this publication  xxiv
    Typeface conventions  xxiv
    Operating system-dependent variables and paths  xxv

Part 1. Administration  1

Chapter 1. IBM Tivoli Access Manager WebSEAL overview  3
  Tivoli Access Manager introduction  4
  WebSEAL introduction  5
  Tivoli Access Manager security model  6
    Security model concepts  6
    The protected object space  6
    Access control lists (ACLs) and protected object policies (POPs)  7
    Access control list (ACL) policies  8
    Protected object policies (POPs)  8
    Explicit and inherited policy  9
    Policy administration: The Web Portal Manager  9
  Web space protection  10
  Security policy planning and implementation  12
    Content types and levels of protection  12
  WebSEAL authentication  14
  Standard WebSEAL junctions  15
  Web space scalability  17
    Replicated front-end WebSEAL servers  17
    Junctioned back-end servers  17
    Replicated back-end servers  18

Chapter 2. Server administration  21
  Server operation  22
    The pdweb command  22
    Starting the WebSEAL server  22
    Stopping the WebSEAL server  22
    Restarting the WebSEAL server  23
    Displaying WebSEAL server status  23
  Backup and restore  24
    The pdbackup utility  24
    Backing up WebSEAL data  24
    Restoring WebSEAL data  25
    Extracting archived WebSEAL data  26
  Synchronizing WebSEAL data across multiple servers  26
    Automating synchronization with command files  29
    Backing up and restoring data  30
  Auditing and logging resources for WebSEAL  31
    Error message logging  31
    Auditing WebSEAL server activity  31
    Common Auditing and Reporting Services (CARS)  32
    Traditional auditing and logging of HTTP events  32
  Problem determination resources for WebSEAL  33
    Configuration data log file  33
    Statistics  35
    Application Response Measurement  35
    Trace utility  36

Part 2. Configuration  37

Chapter 3. Web server configuration  39
  WebSEAL server and host name specification  40
    Specifying the WebSEAL server name in the configuration file  40
    Displaying the WebSEAL server name in "pdadmin server list"  40
    Displaying the WebSEAL server name in the protected object space  41
    Specifying the WebSEAL host (machine) name  41
  WebSEAL configuration file  42
    Configuration file organization  42
    Configuration file name and location  42
    Modifying configuration file settings  43
    WebSEAL .obf configuration file  43
  Default document root directory  44
  Default root junction  45
    Changing the root junction after WebSEAL installation  45
  Directory indexing  47
    Configuring directory indexing  47
    Configuring graphical icons for file types  47
  Content caching  49
    Content caching concepts  49
    Configuring content caching  49
    Impact of HTTP headers on WebSEAL content caching  50
    Flushing all caches  52
    Controlling caching for specific documents  52
  Communication protocol configuration  54
    Configuring WebSEAL for HTTP requests  54
    Configuring WebSEAL for HTTPS requests  54
    Restricting connections from specific SSL versions  55
    Persistent HTTP connections  55
    Configuring WebSEAL to handle HTTPOnly cookies  55
    Timeout settings for HTTP and HTTPS communication  56
    Additional WebSEAL server timeout settings  57
    Support for WebDAV  58
    Support for chunked transfer coding  59
  Internet Protocol version 6 (IPv6) support  60
    IPv4 and IPv6 overview  60
    Configuring IPv6 and IPv4 support  60
    IPv6: Compatibility support  61
    IPv6: Upgrade notes  61
    Specifying the IP level for credential attributes  61
  LDAP directory server configuration  63
  Worker thread allocation  64
    Configuring WebSEAL worker threads  64
    Allocating worker threads for junctions (junction fairness)  65
  HTTP data compression  67
    Compression based on MIME-type  67
    Compression based on user agent type  68
    Compression policy in POPs  69
    Data compression limitation  69
    Configuring data compression policy  69
  Multi-locale support with UTF-8  71
    Multi-locale support concepts  71
    Configuring multi-locale support  76
  Validating character encoding in request data  81
  Supported wildcard pattern matching characters  82

Chapter 4. Web server response configuration  83
  Static HTML server response pages  84
  HTML server response page locations  88
    Specifying account management page location  88
    Specifying error message page location  88
    Creating junction-specific static server response pages  89
  HTML server response page modification  90
    Guidelines for customizing HTML response pages  90
    Macro resources for customizing HTML response pages  90
    Embedding macros in a template  92
    Adding an image to a custom login form  95
    Updating response pages from prior versions of WebSEAL  95
  Account management page configuration  98
    Configuration file stanza entries and values  98
    Configuring the account expiration error message  98
    Configuring the password policy options  99
  Error message page configuration  101
    Enabling the time of day error page  101
    Creating new HTML error message pages  101
    Compatibility with previous versions of WebSEAL  102
  Multi-locale support for server responses  103
    The accept-language HTTP header  103
    WebSEAL language packs  103
    Process flow for multi-locale support  104
    Conditions affecting multi-locale support on WebSEAL  104
  Handling the favicon.ico file with Mozilla Firefox  106
  Configuring the location URL format in redirect responses  107
  Local response redirection  108
    Local response redirection overview  108
    Local response redirection process flow  108
    Enabling and disabling local response redirection  109
    Contents of a redirected response  109
    Specifying the URI for local response redirection  109
    Specifying the operation for local response redirection  110
    Specifying macro support for local response redirection  111
    Local response redirection configuration example  114
    Technical notes for local response redirection  115
    Remote response handling with local authentication  115

Chapter 5. Web server security configuration  117
  Cryptographic hardware for encryption and key storage  118
    Cryptographic hardware concepts  118
    Conditions for using IBM 4758-023  118
    Configuring Cipher engine and FIPS mode processing  119
    Configuring WebSEAL for cryptographic hardware  119
  Preventing vulnerability caused by cross-site scripting  123
    Cross-site scripting concepts  123
    Configuring URL string filtering  123
  Suppressing WebSEAL and back-end server identity  125
    Suppressing WebSEAL server identity  125
    Suppressing back-end application server identity  125
  Enabling HTTP TRACE method  126
  Platform for Privacy Preferences (P3P)  127
    Compact policy overview  127
    Compact policy declaration  128
    Junction header preservation  128
    Default compact policy in the P3P header  129
    Configuring the P3P header  130
    Specifying a custom P3P compact policy  136
    Troubleshooting P3P configuration  136

Part 3. Authentication  137

Chapter 6. Authentication overview  141
  Definition and purpose of authentication  142
  Information in a user request  142
  Client identities and credentials  143
  Authentication process flow  144
  Authenticated and unauthenticated access to resources  145
    Request process for authenticated users  145
    Request process for unauthenticated users  145
    Access conditions over SSL  146
    Forcing user login  146
    Using unauthenticated HTTPS  146
  Supported authentication methods  147
  Authentication challenge  147

Chapter 7. Authentication methods  149
  Authentication configuration overview  150
    Authentication terminology  150
    Supported authentication mechanisms  151
    Authentication conversion library  152
    Default configuration for WebSEAL authentication  153
    Conditions for configuring multiple authentication methods  153
  Logout and password change operations  154
    Logging out: pkmslogout  154
    Controlling custom response pages for pkmslogout  154
    Changing passwords: pkmspasswd  155
    Password change issue with Active Directory on Windows 2003  155
    Post password change processing  155
  Basic authentication  157
    Enabling and disabling basic authentication  157
    Setting the realm name  157
    Configuring the basic authentication mechanism  158
    Multi-byte UTF-8 logins  158
  Forms authentication  159
    Enabling and disabling forms authentication  159
    Configuring the forms authentication mechanism  159
    Customizing HTML response forms  160
    Submitting login form data directly to WebSEAL  160
  Client-side certificate authentication  162
    Client-side certificate authentication modes  162
    Certificate authentication configuration task summary  165
    Enabling certificate authentication  165
    Configuring the certificate authentication mechanism  166
    Specifying the certificate login error page  169
    Specifying the certificate login form  169
    Disabling SSL session IDs for session tracking  169
    Enabling and configuring the Certificate SSL ID cache  170
    Setting the timeout for Certificate SSL ID cache  170
    Specifying an error page for incorrect protocol  171
    Disabling certificate authentication  171
    Disabling the Certificate SSL ID cache  171
    Technical notes for certificate authentication  171
  HTTP header authentication  172
    HTTP header authentication overview  172
    Enabling HTTP header authentication  173
    Specifying HTTP cookies  173
    Specifying header types  173
    Configuring the HTTP header authentication mechanism  174
    Disabling HTTP header authentication  174
  IP address authentication  176
    Enabling and disabling IP address authentication  176
    Configuring the IP address authentication mechanism  176
  Token authentication  177
    Token authentication concepts  177
    Token authentication configuration task summary  181
    Enabling token authentication  181
    Configuring the token authentication mechanism  181
    Enabling access to the RSA ACE/Agent client library  182
    Specifying a customized password strength module  183
    Compatibility support for RSA SecurID PIN functions  183
    Disabling token authentication  184
    Submitting login form data directly to WebSEAL  184
  SPNEGO protocol and Kerberos authentication  186
  LTPA authentication  186
    LTPA authentication overview  186
    Enabling LTPA authentication  187
    Supplying the Key File Information  187
    Specifying the cookie name  188
    Controlling the lifetime of the LTPA Token  188
    Configuring the LTPA authentication mechanism  188
    Disabling LTPA authentication  189

Chapter 8. Advanced authentication methods  191
  Multiplexing proxy agents  192
    Multiplexing proxy agents overview  192
    Valid session data types and authentication methods  193
    Authentication process flow for MPA and multiple clients  194
    Enabling and disabling MPA authentication  194
    Creating a user account for the MPA  194
    Adding the MPA account to the webseal-mpa-servers group  195
    MPA authentication limitations  195
  Switch user authentication  196
    Overview of the switch user function  196
    Configuring switch user authentication  199
    Using switch user  204
    Additional switch user feature support  205
    Developing a custom authentication module for switch user  206
    Configuring a custom authentication module for switch user  207
  Reauthentication  209
    Reauthentication concepts  209
    Reauthentication based on security policy  210
    Creating and applying the reauthentication POP  210
    Reauthentication based on session inactivity  211
    Enabling reauthentication based on session inactivity  211
    Resetting the session cache entry lifetime value  211
    Extending the session cache entry lifetime value  212
    Preventing session removal when the session lifetime expires  212
    Removing a user's session at login failure policy limit  213
    Customizing login forms for reauthentication  214
  Authentication strength policy (step-up)  216
    Authentication strength concepts  216
    Authentication strength configuration task summary  218
    1. Establishing an authentication strength policy  218
    2. Specifying authentication levels  218
    3. Specifying the authentication strength login form  220
    4. Creating a protected object policy  220
    5. Specifying network-based access restrictions  222
    6. Attaching a protected object policy to a protected resource  224
    7. Enforcing user identity match across authentication levels  225
    8. Controlling the login response for unauthenticated users  225
  External authentication interface  226
  Client Certificate User Mapping  226
    Introduction  226
    User mapping rules evaluator  230
    Managing the CDAS  233

Chapter 9. Post-authentication processing  237
  Automatic redirection after authentication  238
    Overview of automatic redirection  238
    Enabling automatic redirection  238
    Disabling automatic redirection  239
    Limitations  239
    Specifying macro support for automatic redirection  239
  Server-side request caching  242
    Server-side request caching concepts  242
    Process flow for server-side request caching  242
    Configuring server-side caching  243

Chapter 10. Password processing  247
  Post password change processing  248
    Post password change processing concepts  248
    Configuring post password change processing  248
    Post password change processing conditions  248
  Login failure policy ("three strikes" login policy)  250
    Login failure policy concepts  250
    Setting the login failure policy  250
    Setting the account disable time interval  251
    Configuring the account disable notification response  252
    Login failure policy with replicated WebSEAL servers  252
  Password strength policy  254
    Password strength policy concepts  254
    Password strength policies  254
    Syntax for password strength policy commands  255
    Default password strength policy values  256
    Valid and not valid password examples  256
    Specifying user and global settings  256

Chapter 11. Credential processing  259
  Extended attributes for credentials  260
    Mechanisms for adding registry attributes to a credential  260
    Configuring a registry attribute entitlement service  261
    Junction handling of extended credential attributes  263
  Credential refresh  266
    Credential refresh concepts  266
    Configuring credential refresh  270
    Credential refresh usage  271

Chapter 12. External authentication interface  273
  External authentication interface overview  274
  External authentication interface process flow  275
  External authentication interface configuration  278
    Enabling the external authentication interface  278
    Initiating the authentication process  278
    Configuring the external authentication interface trigger URL  279
    Specifying HTTP header names for authentication data  279
    Extracting authentication data from special HTTP headers  280
    Configuring the external authentication interface mechanism  281
    Generating the credential  282
    External authentication interface credential replacement  282
    Writing an external authentication application  283
  External authentication interface HTTP header reference  285
  Use of external authentication interface with existing WebSEAL features  287
    Request caching with external authentication interface  287
    Post-authentication redirection with external authentication interface  287
    Session handling with external authentication interface  288
    Authentication strength level with external authentication interface  288
    Reauthentication with external authentication interface  288
    Login page and macro support with external authentication interface  289
    Setting a client-specific session cache entry lifetime value  289
    Setting a client-specific session cache entry inactivity timeout value  291

Part 4. Session State  293

Chapter 13. Session state overview  295
  Session state concepts  296
  Supported session ID data types  297
  Information retrieved from a client request  298
  WebSEAL session cache structure  299
  Deployment considerations for clustered environments  300
    Consistent configuration on all WebSEAL replica servers  300
    Client-to-server session affinity at the load balancer  300
    Failover from one WebSEAL server to another  300
  Options for handling failover in clustered environments  301
    Option 1: No WebSEAL handling of failover events  301
    Option 2: Authentication data included in each request  301
    Option 3: Failover cookies  301
    Option 4: The Session Management Server  302
    Option 5: LTPA cookie  302

Chapter 14. Session cache configuration  305
  Session cache configuration overview  306
  SSL session ID cache configuration  307
    Setting the cache entry timeout value  307
    Setting the maximum concurrent SSL sessions value  307
  WebSEAL session cache configuration  308
    Setting the maximum session cache entries value  308
    Setting the cache entry lifetime timeout value  308
    Setting the cache entry inactivity timeout value  309
    Session cache limitation  310

Chapter 15. Failover solutions  311
  Failover authentication concepts  312
    The failover environment  312
    Failover cookie  313
    Failover authentication process flow  314
    Failover authentication module  314
    Example failover configuration  315
    Addition of data to a failover cookie  315
    Extraction of data from a failover cookie  317
    Domain-wide failover authentication  319
    Backward compatibility for failover cookies  319
    Upgrading failover authentication  320
  Failover authentication configuration  321
    Failover authentication configuration task summary  322
    Specifying the protocol for failover cookies  323
    Configuring the failover authentication mechanism  323
    Generating a key pair to encrypt and decrypt cookie data  324
    Specifying the failover cookie lifetime  324
    Specifying UTF-8 encoding on cookie strings  325
    Adding the authentication strength level  325
    Reissuing missing failover cookies  325
    Adding the session lifetime timestamp  326
    Adding the session activity timestamp  326
    Adding an interval for updating the activity timestamp  327
    Adding extended attributes  328
    Specifying the authentication strength level attribute after failover authentication  328
    Specifying attributes for extraction  328
    Enabling domain-wide failover cookies  329
    Requiring validation of a lifetime timestamp  330
    Requiring validation of an activity timestamp  330
    Enabling compatibility for cookie encryption level of security  330
    Enabling compatibility for cookie encryption format  331
  Failover for non-sticky failover environments  332
    Non-sticky failover concepts  332
    Configuring the non-sticky failover solution  333
  Use of failover cookies with existing WebSEAL features  334
    Change password operation in a failover environment  335

Chapter 16. Session state in non-clustered environments  337
  Maintain session state in non-clustered environments  338
    Controlling session state information over SSL  338
    Using the same session key over different transports  338
    Valid session key data types  340
    Determining the effective session timeout value  341
    Netscape 4.7x limitation for use-same-session  341
  Session cookies  343
    Session cookies concepts  343
    Conditions for using session cookies  343
    Customizing the session cookie name  343
    Sending session cookies with each request  344
  Customized responses for old session cookies  345
    Session removal and old session cookie concepts  345
    Enabling customized responses for old session cookies  346
  Maintain session state with HTTP headers  348
    HTTP header session key concepts  348
    Configuring HTTP headers to maintain session state  348
    Requiring requests from an MPA  349
    Compatibility with previous versions of WebSEAL  350

Part 5. Session Management Server  351

Chapter 17. Session management server (SMS) overview  353
  The failover environment  354
  The session management server (SMS)  355
  Server clusters, replica sets, and session realms  356
  SMS process flow  357
  Sharing sessions across multiple DNS domains  358

Chapter 18. Quickstart guide for WebSEAL using SMS  361
  Configuration summary for WebSEAL using SMS  362
    1. Information gathering  362
    2. WebSEAL configuration file settings  362
    3. Import the Tivoli Access Manager CA Certificate  363
    4. Restart the WebSEAL server  363
    5. Create junctions for virtual hosts  364
    6. Junction the session management server  364
    7. Set the maximum concurrent sessions policy  364
    8. Test the configuration  364

Chapter 19. Configuration for WebSEAL using SMS  367
  SMS configuration for WebSEAL  368
    Configuring the session management server (SMS)  368
    Enabling and disabling SMS for WebSEAL  368
    Specifying session management server cluster and location  368
    Retrieving the maximum concurrent sessions policy value  369
  Replica set configuration  371
    Configuring WebSEAL to participate in multiple replica sets  371
    Assigning standard junctions to a replica set  371
    Assigning virtual hosts to a replica set  372
    Example replica set configuration  372
  Adjusting the last access time update frequency for SMS  376
  SMS communication timeout configuration  377
    Configuring SMS response timeout  377
    Configuring connection timeout for broadcast events  377
  SMS performance configuration  378
    Maximum pre-allocated session IDs  378
    Configuring the handle pool size  378
  SMS Authentication  379
  SSL configuration for WebSEAL and SMS  379
    Configuring the WebSEAL key database  379
    Specifying the SSL certificate distinguished name (DN)  380
  Maximum concurrent sessions policy  382
    Setting the maximum concurrent sessions policy  382
    Enforcing the maximum concurrent sessions policy  385
    Switch user and maximum concurrent sessions policy  386
  Single signon within a session realm  387
    Session realm and session sharing concepts  387
    Configuring session sharing  388
  Configuring login history  390
    Enabling login failure notification  390
    Creating a junction to the session management server  390
    Allowing access to the login history JSP  391
    Customizing the JSP to display login history  391

Part 6. Authorization  393

Chapter 20. Configuration for authorization  395
  WebSEAL-specific ACL policies  396
    /WebSEAL/host-instance_name  396
    /WebSEAL/host-instance_name/file  396
    WebSEAL ACL permissions  396
    Default /WebSEAL ACL policy  396
    Valid characters for ACL names  397
  Quality of protection POP  398
  Configuring authorization database updates and polling  399
    Database update and polling concepts  399
    Configuring update notification listening  399
    Configuring authorization database polling  400
  Configuring quality of protection levels  401
    Configuring QOP for individual hosts and networks  402
  Authorization decision information  402

Chapter 21. Key management  405
  Key management overview  406
  Client-side and server-side certificate concepts  407
  GSKit key database file types  408
  Configuring the WebSEAL key database file  409
    WebSEAL key database file  409
    Key database file password  409
    WebSEAL test certificate  410
    Inter-server SSL communication for Tivoli Access Manager  410
  Using the iKeyman certificate management utility  411
  Configuring CRL checking  412
  Configuring the CRL cache  413
    Setting the maximum number of cache entries  413
    Setting the GSKit cache lifetime timeout value  413
  Using the WebSEAL test certificate for SSL connections  414

Chapter 22. Customized authorization  417
  Custom requests  417
  Custom responses  417

Part 7. Standard WebSEAL Junctions  419

Chapter 23. Standard WebSEAL junctions  421
  WebSEAL junctions overview  422
    Junction types  422
    Junction database location and format  422
    Applying coarse-grained access control: summary  423
    Applying fine-grained access control: summary  423
    Additional references for WebSEAL junctions  423
  Managing junctions with Web Portal Manager  424
    Creating a junction using Web Portal Manager  424
    Listing junctions using Web Portal Manager  424
    Deleting junctions using Web Portal Manager  424
  Managing junctions with the pdadmin utility  426
    Importing and exporting junction databases  426
  Standard WebSEAL junction configuration  428
    The pdadmin server task create command  428
    Creating TCP type standard junctions  428
    Creating SSL type standard junctions  429
    Creating mutual junctions  429
    SSL-based standard junctions  430
    Adding multiple back-end servers to a standard junction  430
    Creating a local type standard junction  430
  Transparent path junctions  432
    Filtering concepts in standard WebSEAL junctions  432
    Transparent path junction concepts  432
    Configuring transparent path junctions  433
    Example transparent path junction  434
  Technical notes for using WebSEAL junctions  435
    Guidelines for creating WebSEAL junctions  435
    Adding multiple back-end servers to the same junction  435
    Exceptions to enforcing permissions across junctions  436
    Certificate authentication across junctions  436
    Handling domain cookies  436
    Supported HTTP versions for requests and responses  437
    Junctioned application with Web Portal Manager  437
  Generating a back-end server Web space (query_contents)  438
    query_contents overview  438
    query_contents components  439
    Installing and configuring query_contents on UNIX-based Web servers  440
    Installing and configuring query_contents on Windows-based Web servers  441
    General process flow for query_contents  442
    Securing the query_contents program  443
    Use of junction throttling with existing WebSEAL features
  Managing Cookies
  Passing session cookies to junctioned portal servers
  Supporting not case-sensitive URLs
  Junctioning to Windows file systems
    Example
    ACLs and POPs must attach to lower-case object names
  Standard junctioning to virtual hosts
  Specifying UTF-8 encoding for HTTP header data
  Bypassing buffering on a per-resource basis
  Single signon solutions across junctions

465 465 468 470 471 471 472 473 475 476 477

Chapter 25. Modifying URLs to junctioned resources . . . . . . . . 479URL modification concepts . . . . . . . . . Path types used in URLs . . . . . . . . . Modifying URLs in responses . . . . . . . . Filtering tag-based static URLs . . . . . . Modifying absolute URLs with script filtering Configuring the rewrite-absolute-with-absolute option . . . . . . . . . . . . . . . Filtering changes the Content-Length header Limitation with unfiltered server-relative links Modifying URLs in requests . . . . . . . . Modifying server-relative URLs with junction mapping . . . . . . . . . . . . . . Modifying server-relative URLs with junction cookies . . . . . . . . . . . . . . Controlling the junction cookie JavaScript block Modifying server-relative URLs using the HTTP Referer header . . . . . . . . . . . . Controlling server-relative URL processing in requests . . . . . . . . . . . . . . Handling cookies from servers across multiple -j junctions . . . . . . . . . . . . . . . Cookie handling: -j modifies Set-Cookie path attribute . . . . . . . . . . . . . . Cookie handling: -j modifies Set-Cookie name attribute . . . . . . . . . . . . . . Preserving cookie names . . . . . . . . Cookie handling: -I ensures unique Set-Cookie name attribute . . . . . . . . . . . . 480 481 482 482 488 489 489 490 492 492 493 495 498 498 501 501 501 502 503

Chapter 24. Advanced junction configuration . . . . . . . . . . . 445Mutually authenticated SSL junctions . . . . Mutually authenticated SSL junctions process summary . . . . . . . . . . . . . Validating the back-end server certificate . . Matching the distinguished name (DN). . . Authenticating with a client certificate . . . Authenticating with a BA header . . . . . TCP and SSL proxy junctions . . . . . . . WebSEAL-to-WebSEAL junctions over SSL . . Stateful junctions . . . . . . . . . . . Stateful junction concepts . . . . . . . Configuring stateful junctions . . . . . . Specifying back-end server UUIDs for stateful junctions . . . . . . . . . . . . . Handling an unavailable stateful server . . Forcing a new junction . . . . . . . . . Using /pkmslogout with virtual host junctions . Junction throttling . . . . . . . . . . . Junction throttling concepts. . . . . . . Placing a junctioned server in a throttled state Placing a junctioned server in an offline state Placing a junctioned server in an online state Junction throttle messages . . . . . . . . 446 . . . . . . . . . . . . . . . . 446 446 447 447 448 449 450 452 452 452

Chapter 26. Command option summary: Standard junctions . . . . 505Using pdadmin server task to create junctions . . Server task commands for junctions . . . . . . Creating a new junction for an initial server . . . Adding an additional server to an existing junction 506 507 509 514

453 455 456 456 458 458 459 460 462 . 464

Part 8. Virtual Hosting . . . . . . 517Chapter 27. Virtual host junctionsVirtual host junction concepts . . Standard WebSEAL junctions . The challenges of URL filtering Virtual hosting . . . . . . . . . . . . . . . . . . . . . .

. . 519. . . . . . . . 520 520 520 520

Contents

ix

The virtual host junction solution. . . . . Stanzas and stanza entries ignored by virtual host junctions . . . . . . . . . . . Virtual hosts represented in the object space . Configuring a virtual host junction . . . . . Creating a remote type virtual host junction . Creating a local type virtual host junction . . Scenario 1: Remote virtual host junctions . . . Defining interfaces for virtual host junctions . . Default interface specification . . . . . . Defining additional interfaces . . . . . . Scenario 2: Virtual host junctions with interfaces Use of virtual hosts with existing WebSEAL features . . . . . . . . . . . . . . E-community single signon with virtual hosts Cross-domain single signon with virtual hosts Dynamic URLs with virtual host junctions. . Using domain session cookies for virtual host single signon . . . . . . . . . . . Junction throttling . . . . . . . . . . Scenario 3: Advanced virtual host configuration Virtual host junction limitations . . . . . . SSL session IDs not usable by virtual hosts .

. 521 . . . . . . . . . 522 522 524 524 526 528 530 530 530 533

. 536 536 537 . 538 . 538 . 539 540 . 543 . 543

Configuring a GSO-enabled WebSEAL junction Configuring the GSO cache . . . . . . Single signon to IBM WebSphere (LTPA) . . . LTPA overview . . . . . . . . . . . Configuring an LTPA junction . . . . . Configuring the LTPA cache . . . . . . Technical notes for LTPA single signon . . . Forms single signon authentication . . . . . Forms single signon concepts . . . . . . Forms single signon process flow. . . . . Requirements for application support . . . Creating the configuration file for forms single signon . . . . . . . . . . . . . . Enabling forms single signon . . . . . . Forms single signon example . . . . . .

. . . . . . . . . .

571 572 574 574 575 575 576 577 577 577 579

. 579 . 583 . 583

Chapter 30. Windows desktop single signon . . . . . . . . . . . . . . 585Windows desktop single signon concepts . . . . SPNEGO protocol and Kerberos authentication User registry and platform support for SPNEGO SPNEGO compatibility with other authentication methods . . . . . . . . . Mapping user names from multi-domain Active Directory registries . . . . . . . . . . Multiple Active Directory domain support . . SPNEGO authentication limitations . . . . . Configuring Windows desktop single signon (Windows) . . . . . . . . . . . . . . 1. Create an identity for WebSEAL in an Active Directory domain . . . . . . . . . . . 2. Map a Kerberos principal to an Active Directory user . . . . . . . . . . . . 3. Enable SPNEGO for WebSEAL . . . . . . 4. Restart WebSEAL . . . . . . . . . . 5. Configure the Internet Explorer client . . . Troubleshooting for Windows desktop single signon . . . . . . . . . . . . . . . Configuring Windows desktop single signon (UNIX) . . . . . . . . . . . . . . . 1. Install the Kerberos runtime client . . . . 2. Configure the Kerberos client . . . . . . 3. Create an identity for WebSEAL in an Active Directory domain . . . . . . . . . . . 4. Map a Kerberos principal to an Active Directory user . . . . . . . . . . . . 5. Verify the authentication of the Web server principal . . . . . . . . . . . . . . 6. Verify WebSEAL authentication using the keytab file . . . . . . . . . . . . . 7. Enable SPNEGO for WebSEAL . . . . . . 8. Add service name and keytab file entries . . 9. Restart WebSEAL . . . . . . . . . . 10. Configure the Internet Explorer client . . . Troubleshooting for Windows desktop single signon . . . . . . . . . . . . . . . Configuration notes for a load balancer environment. . . . . . . . . . . . . . 586 586 587 587 588 589 590 591 591 592 593 594 594 594 595 595 596 597 597 599 600 600 600 601 601 601 602

Chapter 28. Command option summary: Virtual host junctions . . . 545Using pdadmin server task to create virtual host junctions . . . . . . . . . . . . . . Server task commands for virtual host junctions Creating a new virtual host junction. . . . . Adding an additional server to a virtual host junction . . . . . . . . . . . . . . . 546 547 . 549 . 554

Part 9. Single Signon Solutions

555

Chapter 29. Single signon solutions across junctions . . . . . . . . . . 557Single signon using Tivoli Federated Identity Manager . . . . . . . . . . . . . . Using Kerberos credentials . . . . . . . Single signon using HTTP BA headers . . . . Single signon (SSO) concepts . . . . . . Supplying client identity in HTTP BA headers Supplying client identity and generic password Forwarding original client BA header information . . . . . . . . . . . . Removing client BA header information . . Supplying user names and passwords from GSO . . . . . . . . . . . . . . Handling client identity information across junctions . . . . . . . . . . . . . Identity information supplied in HTTP headers . Supplying client identity in HTTP headers (c) Supplying client IP addresses in HTTP headers (r) . . . . . . . . . . . . . . . Limiting the size of WebSEAL-generated HTTP headers . . . . . . . . . . . . . Global signon (GSO) . . . . . . . . . . Global signon overview . . . . . . . . Mapping the authentication information . . . . . . 558 560 560 561 561 562

. 563 . 564 . 564 . 564 . 566 566 . 568 . . . . 568 570 570 571

x

WebSEAL Administration Guide

Chapter 31. Cross-domain single signon . . . . . . . . . . . . . . 603Cross-domain single signon concepts . . . . . Cross-domain single signon overview . . . . Default and custom authentication tokens . . . Extended user attributes and identity mapping CDSSO process flow with attribute transfer and user mapping . . . . . . . . . . . . Configuring cross-domain single signon . . . . CDSSO configuration summary . . . . . . CDSSO conditions and requirements . . . . 1. Enabling and disabling CDSSO authentication 2. Configuring the CDSSO authentication mechanism . . . . . . . . . . . . . 3. Encrypting the authentication token data . . 4. Configuring the token time stamp . . . . 5. Configuring the token label name . . . . . 6. Creating the CDSSO HTML link . . . . . Protecting the authentication token . . . . . Using cross-domain single signon with virtual hosts . . . . . . . . . . . . . . . Handling extended attributes for CDSSO . . . . Specifying extended attributes to add to token Specifying extended attributes to extract from a token . . . . . . . . . . . . . . . Compatibility issues for CDSSO . . . . . . . UTF-8 encoding of tokens for cross domain single signon . . . . . . . . . . . . Providing compatibility for token security level Providing compatibility for token encryption format . . . . . . . . . . . . . . . LTPA single signon . . . . . . . . . . . LTPA single signon overview . . . . . . . Configuring LTPA single signon . . . . . . Technical notes for LTPA single signon . . . . 604 604 604 604 605 607 607 607 608 609 610 611 612 612 612 613 614 614 615 617 617 617 617 618 618 618 619

Limiting the ability to generate vouch-for tokens Configuring behavior for authentication failure Logging out using pkmslogout-nomas . . . . Using e-community with virtual hosts . . . . Handling extended attributes for ECSSO . . . . Specifying extended attributes to add to token Specifying extended attributes to extract from token . . . . . . . . . . . . . . . Compatibility issues for ECSSO . . . . . . . UTF-8 encoding of tokens for e-community single signon . . . . . . . . . . . . Providing compatibility for token security level Providing compatibility for token encryption format . . . . . . . . . . . . . . .

639 639 639 640 641 641 642 643 643 643 643

Part 10. Deployment . . . . . . . 645Chapter 33. WebSEAL instance deployment . . . . . . . . . . . . 647WebSEAL instance configuration overview . Planning a WebSEAL instance configuration Example WebSEAL instance configuration values . . . . . . . . . . . . . Unique configuration file for each WebSEAL instance . . . . . . . . . . . . Interactive configuration overview . . . Command line configuration overview . . Silent configuration overview (response file) WebSEAL instance configuration tasks . . . Adding a WebSEAL instance . . . . . Removing a WebSEAL instance . . . . Load balancing environments . . . . . . Replicating front-end WebSEAL servers . Controlling the login_success response . . . . . . . . . . . . . . . . 648 . 648 . 652 . . . . . . . . . . 653 653 654 655 657 657 659 661 661 662

Chapter 32. E-community single signon . . . . . . . . . . . . . . 621E-community single signon concepts . . . . . E-community overview . . . . . . . . . E-community features and requirements . . . E-community process flow . . . . . . . . The e-community cookie . . . . . . . . The vouch-for request and reply . . . . . . The vouch-for token . . . . . . . . . . Configuring e-community single signon . . . . E-community configuration summary . . . . E-community conditions and requirements . . 1. Enabling and disabling e-community authentication . . . . . . . . . . . . 2. Specifying an e-community name . . . . . 3. Configuring the single signon authentication mechanism . . . . . . . . . . . . . 4. Encrypting the vouch-for token . . . . . 5. Configuring the vouch-for token label name 6. Specifying the master authentication server (MAS) . . . . . . . . . . . . . . . 7. Specifying the vouch-for URL . . . . . . 8. Configure token and ec-cookie lifetime values Enabling unauthenticated access . . . . . . 622 622 623 624 628 629 629 631 631 632 633 634 634 635 636 637 638 638 639

Chapter 34. Application integration

663664 664 664 664 665 665 666 667 668 669 669 669 670 672 672 672 673 674

CGI programming support . . . . . . . . . WebSEAL and CGI scripts . . . . . . . . Creating a cgi-bin directory. . . . . . . . WebSEAL environment variables for CGI programming . . . . . . . . . . . . Windows environment variables for CGI programs . . . . . . . . . . . . . . UTF-8 environment variables for CGI programs Windows: File naming for CGI programs . . . UNIX files misinterpreted as CGI scripts over local junctions . . . . . . . . . . . . Supporting back-end server-side applications. . . Best practices for standard junction usage . . . . Supplying complete Host header information with -v . . . . . . . . . . . . . . Supporting standard absolute URL filtering . . Hostname aliasing behavior from Tivoli Access Manager 5.1 . . . . . . . . . . . . . Building a custom personalization service . . . Personalization service concepts . . . . . . Configuring WebSEAL for a personalization service . . . . . . . . . . . . . . Personalization service example . . . . . . User session management for back-end servers . .Contents

xi

User session management concepts . . . . Enabling user session ID management . . . Inserting user session data into HTTP headers Terminating user sessions . . . . . . . User event correlation for back-end servers .

. 674 . 675 675 . 677 . 680

Appendix A. Guidelines for changing configuring files . . . . . . . . . . 715General guidelines Default values . . Strings . . . . Defined strings . . File names . . . Integers . . . . Boolean values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715 715 715 716 716 716 717

Chapter 35. Dynamic URLs . . . . . 681Providing access control to dynamic URLs . . Dynamic URL components . . . . . . Enabling access control for dynamic URLs: dynurl.conf . . . . . . . . . . . . Converting POST body dynamic data to query string format . . . . . . . . . . . Mapping ACL and POP objects to dynamic URLs . . . . . . . . . . . . . . Character encoding and query string validation Updating WebSEAL for dynamic URLs . . Resolving dynamic URLs in the object space Configuring limitations on POST requests . Dynamic URLs summary and technical notes Dynamic URL example: The Travel Kingdom. . The application . . . . . . . . . . . The interface . . . . . . . . . . . The security policy . . . . . . . . . Secure clients . . . . . . . . . . . Access control . . . . . . . . . . . Conclusion . . . . . . . . . . . . . 682 . 682 . 682 . 683 . 683 684 . 685 685 . 685 687 . 689 . 689 . 689 . 690 . 690 . 690 . 691

Appendix B. Stanza reference . . . . 719[acnt-mgt] stanza . . . . . . account-expiry-notification . . account-inactivated . . . . account-locked . . . . . . allow-unauthenticated-logout . cert-failure . . . . . . . cert-stepup-http . . . . . certificate-login . . . . . . change-password-auth . . . client-notify-tod . . . . . enable-local-response-redirect . enable-passwd-warn . . . . help . . . . . . . . . login . . . . . . . . . login-redirect-page . . . . login-success . . . . . . logout . . . . . . . . . mgt-pages-root . . . . . . next-token . . . . . . . passwd-change . . . . . . passwd-change-failure . . . passwd-change-success . . . passwd-expired. . . . . . passwd-warn . . . . . . passwd-warn-failure . . . . redirect-to-root-for-pkms . . stepup-login . . . . . . . switch-user . . . . . . . token-login . . . . . . . too-many-sessions . . . . . use-restrictive-logout-filenames use-filename-for-pkmslogout . [amwebars] stanza. . . . . . service-url . . . . . . . [arm] stanza . . . . . . . . accept-correlators . . . . . app-group . . . . . . . app-instance. . . . . . . correlator-header . . . . . enable-arm . . . . . . . library . . . . . . . . . report-transactions. . . . . [auth-cookies] stanza . . . . . cookie . . . . . . . . . [auth-headers] stanza . . . . . header. . . . . . . . . [authentication-levels] stanza . . level . . . . . . . . . [authentication-mechanisms] stanza . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
720 720 720 721 721 721 722 722 723 723 724 724 725 725 726 727 727 727 728 728 728 729 729 730 730 731 731 732 732 732 733 733 735 735 736 736 736 736 737 737 738 738 739 739 739 739 741 741 742

Part 11. Attribute Retrieval Service 693Chapter 36. Attribute retrieval service reference . . . . . . . . . . . . . 695Basic configuration . . . . . . . . . . Configuration files. . . . . . . . . . Descriptions of amwebars.conf configuration stanza entries . . . . . . . . . . . Editing the data tables . . . . . . . . . ProviderTable . . . . . . . . . . . ContainerDescriptorTable . . . . . . . ProtocolTable . . . . . . . . . . . Creating custom protocol plug-ins . . . . . Overview. . . . . . . . . . . . . Creating the protocol plug-in . . . . . . . 696 . 696 . . . . . . . . 696 699 699 700 702 703 703 703

Chapter 37. Authorization decision information retrieval . . . . . . . . 705Overview of ADI retrieval . . . . . . . . . Retrieving ADI from the WebSEAL client request Example: Retrieving ADI from the request header. . . . . . . . . . . . . . . Example: Retrieving ADI from the request query string . . . . . . . . . . . . . . . Example: Retrieving ADI from the request POST body . . . . . . . . . . . . . . . Retrieving ADI from the user credential . . . . Supplying a failure reason across a junction . . . Dynamic ADI retrieval . . . . . . . . . . Deploying the attribute retrieval service . . . . 706 707 708 708 709 710 711 712 713

xii

WebSEAL Administration Guide

cert-ldap . . . . . . . . . cert-ssl . . . . . . . . . cred-ext-attrs . . . . . . . ext-auth-interface . . . . . . failover-cdsso . . . . . . . failover-certificate . . . . . . failover-ext-auth-interface . . . failover-http-request . . . . . failover-kerberosv5 . . . . . failover-password . . . . . . failover-token-card . . . . . http-request . . . . . . . . kerberosv5 . . . . . . . . ltpa. . . . . . . . . . . passwd-cdas. . . . . . . . passwd-ldap. . . . . . . . passwd-strength . . . . . . passwd-uraf . . . . . . . . post-pwdchg-process . . . . . sso-consume. . . . . . . . sso-create. . . . . . . . . su-cdsso . . . . . . . . . su-certificate. . . . . . . . su-http-request . . . . . . . su-kerberosv5 . . . . . . . su-passwd . . . . . . . . su-token-card . . . . . . . token-cdas . . . . . . . . [aznapi-configuration] stanza . . . audit-attribute . . . . . . . auditcfg . . . . . . . . . auditlog . . . . . . . . . cache-refresh-interval . . . . . cred-attribute-entitlement-services db-file . . . . . . . . . . dynamic-adi-entitlement-services . input-adi-xml-prolog . . . . . listen-flags . . . . . . . . logaudit . . . . . . . . . logclientid . . . . . . . . logcfg . . . . . . . . . . logflush . . . . . . . . . logsize . . . . . . . . . permission-info-returned . . . policy-cache-size . . . . . . resource-manager-provided-adi . service-id . . . . . . . . . xsl-stylesheet-prolog . . . . . [aznapi-entitlement-services] stanza . service-id . . . . . . . . . [azn-decision-info] stanza . . . . azn-decision-info . . . . . . . [ba] stanza . . . . . . . . . ba-auth . . . . . . . . . basic-auth-realm . . . . . . [cdsso] stanza . . . . . . . . authtoken-lifetime . . . . . . cdsso-argument . . . . . . cdsso-auth . . . . . . . . cdsso-create . . . . . . . . clean-cdsso-urls . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

742 742 743 743 743 744 744 745 745 745 746 746 747 747 748 748 748 749 749 750 750 751 751 751 752 752 753 753 754 754 754 755 755 756 756 756 757 757 758 758 759 760 760 761 761 762 762 763 764 764 765 765 766 766 766 767 767 767 767 768 768

propagate-cdmf-errors . . . . use-utf8 . . . . . . . . . [cdsso-incoming-attributes] stanza . attribute_pattern . . . . . . . [cdsso-peers] stanza . . . . . . fully_qualified_hostname . . . . [cdsso-token-attributes] stanza. . . . . . . . . . . . domain_name. . . . . . . . [certificate] stanza . . . . . . . accept-client-certs . . . . . . cert-cache-max-entries . . . . cert-cache-timeout . . . . . . cert-prompt-max-tries . . . . disable-cert-login-page . . . . eai-data . . . . . . . . . eai-uri . . . . . . . . . . [cfg-db-cmd:entries] stanza . . . . stanza::entry . . . . . . . . [cfg-db-cmd:files] stanza. . . . . files . . . . . . . . . . [cgi] stanza . . . . . . . . . cgi-timeout . . . . . . . . [cgi-environment-variables] stanza . ENV . . . . . . . . . . [cgi-types] stanza . . . . . . . file_extension . . . . . . . . [compress-mime-types] stanza . . . mime_type . . . . . . . . [compress-user-agents] stanza . . . pattern . . . . . . . . . . [content] stanza . . . . . . . delete-trash-dir . . . . . . . directory-index . . . . . . . doc-root . . . . . . . . . error-dir . . . . . . . . . user-dir . . . . . . . . . utf8-template-macros-enabled . . [content-cache] stanza . . . . . MIME_type . . . . . . . . [content-encodings] stanza . . . . extension . . . . . . . . . [content-index-icons] stanza . . . type. . . . . . . . . . . [content-mime-types] stanza . . . deftype . . . . . . . . . extension . . . . . . . . . [credential-policy-attributes] stanza . policy-name . . . . . . . . [credential-refresh-attributes] stanza . attribute_name_pattern . . . . . authentication_level . . . . . [dsess] stanza . . . . . . . . dsess-sess-id-pool-size . . . . dsess-cluster-name. . . . . . [dsess-cluster] stanza . . . . . . basic-auth-user . . . . . . . basic-auth-passwd . . . . . . handle-idle-timeout . . . . . handle-pool-size . . . . . . response-by . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

769 769 771 771 772 772 773 773 773 775 775 775 776 776 777 778 779 780 780 782 782 783 783 784 784 785 785 786 786 787 787 788 788 788 789 789 790 790 791 791 792 792 793 793 794 794 794 796 796 797 797 797 798 798 798 799 799 799 799 800 800

Contents

xiii

server . . . . . . . . . . . . . . ssl-fips-enabled . . . . . . . . . . . ssl-keyfile . . . . . . . . . . . . ssl-keyfile-label . . . . . . . . . . . ssl-keyfile-stash. . . . . . . . . . . ssl-valid-server-dn . . . . . . . . . . timeout . . . . . . . . . . . . . [eai] stanza . . . . . . . . . . . . . eai-auth . . . . . . . . . . . . . eai-auth-level-header . . . . . . . . . eai-pac-header . . . . . . . . . . . eai-pac-svc-header . . . . . . . . . . eai-redir-url-header . . . . . . . . . eai-session-id-header . . . . . . . . . eai-user-id-header . . . . . . . . . . eai-xattrs-header . . . . . . . . . . retain-eai-session . . . . . . . . . . [eai-trigger-urls] stanza . . . . . . . . . trigger. . . . . . . . . . . . . . trigger. . . . . . . . . . . . . . [e-community-domains] stanza . . . . . . name . . . . . . . . . . . . . . [e-community-domain-keys] stanza . . . . . domain_name. . . . . . . . . . . . [e-community-domain-keys:domain] stanza . . domain_name. . . . . . . . . . . . [e-community-sso] stanza . . . . . . . . cache-requests-for-ecsso . . . . . . . . e-community-name . . . . . . . . . disable-ec-cookie . . . . . . . . . . e-community-sso-auth . . . . . . . . ec-cookie-domain . . . . . . . . . . ec-cookie-lifetime . . . . . . . . . . ecsso-allow-unauth . . . . . . . . . ecsso-propagate-errors . . . . . . . . handle-auth-failure-at-mas . . . . . . . is-master-authn-server . . . . . . . . master-authn-server . . . . . . . . . master-http-port . . . . . . . . . . master-https-port . . . . . . . . . . propagate-cdmf-errors . . . . . . . . use-utf8 . . . . . . . . . . . . . vf-argument . . . . . . . . . . . . vf-token-lifetime . . . . . . . . . . vf-url . . . . . . . . . . . . . . [ecsso-incoming-attributes] stanza . . . . . attribute_pattern . . . . . . . . . . . [ecsso-token-attributes] stanza . . . . . . . . . . . . . . . . . . . . domain_name. . . . . . . . . . . . [enable-redirects] stanza . . . . . . . . . redirect . . . . . . . . . . . . . 
[failover] stanza . . . . . . . . . . . enable-failover-cookie-for-domain . . . . failover-auth. . . . . . . . . . . . failover-cookie-lifetime . . . . . . . . failover-cookies-keyfile . . . . . . . . failover-include-session-id . . . . . . . failover-require-activity-timestamp-validation failover-require-lifetime-timestamp-validation failover-update-cookie . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

801 801 802 802 803 803 804 805 805 805 805 806 806 807 807 808 808 810 810 810 811 811 812 812 813 813 814 814 814 814 815 815 816 816 817 817 818 818 818 819 819 820 820 821 821 823 823 824 824 824 825 825 826 826 826 826 827 827 828 828 . 829

reissue-missing-failover-cookie . . use-utf8 . . . . . . . . . . [failover-add-attributes] stanza . . . attribute_pattern . . . . . . . . session-activity-timestamp . . . . session-lifetime-timestamp . . . . [failover-restore-attributes] stanza . . attribute_pattern . . . . . . . . attribute_pattern . . . . . . . . [filter-content-types] stanza . . . . . type . . . . . . . . . . . [filter-events] stanza . . . . . . . HTML_tag . . . . . . . . . [filter-request-headers] stanza . . . . header. . . . . . . . . . . [filter-schemes] stanza . . . . . . scheme . . . . . . . . . . [filter-url] stanza . . . . . . . . HTML_tag . . . . . . . . . [forms] stanza . . . . . . . . . allow-empty-form-fields . . . . . forms-auth . . . . . . . . . [gso-cache] stanza . . . . . . . . gso-cache-enabled . . . . . . . gso-cache-entry-idle-timeout . . . gso-cache-entry-lifetime . . . . . gso-cache-size . . . . . . . . [header-names] stanza . . . . . . server-name . . . . . . . . . [http-headers] stanza . . . . . . . http-headers-auth . . . . . . . [icons] stanza . . . . . . . . . backicon . . . . . . . . . . diricon . . . . . . . . . . unknownicon . . . . . . . . [illegal-url-substrings] stanza . . . . substring . . . . . . . . . . [interfaces] stanza . . . . . . . . interface_name . . . . . . . . [ipaddr] stanza . . . . . . . . . ipaddr-auth . . . . . . . . . [jdb-cmd:replace] stanza . . . . . . jct-id=search-attr-value|replace-attr-value [junction] stanza . . . . . . . . allow-backend-domain-cookies . . basicauth-dummy-passwd . . . . crl-ldap-server . . . . . . . . crl-ldap-server-port . . . . . . crl-ldap-user. . . . . . . . . crl-ldap-user-password . . . . . disable-ssl-v2 . . . . . . . . disable-ssl-v3 . . . . . . . . disable-tls-v1 . . . . . . . . dont-reprocess-jct-404s . . . . . dynamic-addresses . . . . . . http-timeout . . . . . . . . . https-timeout . . . . . . . . insert-client-real-ip-for-option-r . . io-buffer-size . . . . . . . . jct-cert-keyfile . . . . . . . . 
jct-cert-keyfile-stash . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

829 830 831 831 831 832 833 833 833 835 835 836 836 838 838 839 839 840 840 842 842 842 843 843 843 843 844 845 845 846 846 847 847 847 847 849 849 850 850 851 851 851 851 853 853 853 854 854 855 855 856 856 856 857 858 859 859 860 860 861 862

xiv

WebSEAL Administration Guide

   jct-cert-keyfile-pwd . . . 862
   jct-ocsp-enable . . . 863
   jct-ocsp-max-response-size . . . 863
   jct-ocsp-nonce-check-enable . . . 864
   jct-ocsp-nonce-generation-enable . . . 864
   jct-ocsp-proxy-server-name . . . 865
   jct-ocsp-proxy-server-port . . . 865
   jct-ocsp-url . . . 865
   jct-ssl-reneg-warning-rate . . . 866
   jct-undetermined-revocation-cert-action . . . 866
   jmt-map . . . 867
   junction-db . . . 867
   managed-cookies-list . . . 868
   mangle-domain-cookies . . . 868
   max-cached-persistent-connections . . . 869
   max-webseal-header-size . . . 870
   pass-http-only-cookie-atr . . . 870
   persistent-con-timeout . . . 871
   ping-method . . . 871
   ping-time . . . 872
   ping-uri . . . 872
   recovery-ping-time . . . 873
   reprocess-root-jct-404s . . . 873
   reset-cookies-list . . . 874
   response-code-rules . . . 875
   share-cookies . . . 875
   support-virtual-host-domain-cookies . . . 876
   use-new-stateful-on-error . . . 876
   validate-backend-domain-cookies . . . 877
   worker-thread-hard-limit . . . 878
   worker-thread-soft-limit . . . 878
[junction:junction_name] stanza . . . 880
[ldap] stanza . . . 881
   auth-timeout . . . 881
   auth-using-compare . . . 881
   bind-dn . . . 882
   bind-pwd . . . 882
   cache-enabled . . . 883
   cache-group-expire-time . . . 883
   cache-group-membership . . . 883
   cache-group-size . . . 884
   cache-policy-expire-time . . . 884
   cache-policy-size . . . 885
   cache-return-registry-id . . . 885
   cache-user-expire-time . . . 886
   cache-user-size . . . 886
   cache-use-user-cache . . . 887
   default-policy-override-support . . . 887
   enabled . . . 888
   host . . . 888
   ldap-server-config . . . 889
   login-failures-persistent . . . 889
   max-search-size . . . 890
   prefer-readwrite-server . . . 890
   port . . . 891
   replica . . . 891
   search-timeout . . . 892
   ssl-enabled . . . 892
   ssl-keyfile . . . 893
   ssl-keyfile-dn . . . 893
   ssl-keyfile-pwd . . . 894

   ssl-port . . . 894
   timeout . . . 895
   user-and-group-in-same-suffix . . . 895
[local-response-macros] stanza . . . 897
   macro . . . 897
[local-response-redirect] stanza . . . 898
   local-response-redirect-uri . . . 898
[logging] stanza . . . 899
   absolute-uri-in-request-log . . . 899
   agents . . . 899
   agents-file . . . 899
   audit-mime-types . . . 900
   audit-response-codes . . . 900
   config-data-log . . . 901
   flush-time . . . 901
   gmt-time . . . 902
   host-header-in-request-log . . . 902
   log-invalid-requests . . . 903
   max-size . . . 903
   referers . . . 904
   referers-file . . . 904
   requests . . . 905
   requests-file . . . 905
   request-log-format . . . 905
   server-log . . . 907
[ltpa] stanza . . . 908
   ltpa-auth . . . 908
   keyfile . . . 908
   cookie-name . . . 908
   cookie-domain . . . 909
   update-cookie . . . 909
[ltpa-cache] stanza . . . 911
   ltpa-cache-enabled . . . 911
   ltpa-cache-entry-idle-timeout . . . 911
   ltpa-cache-entry-lifetime . . . 911
   ltpa-cache-size . . . 912
[mpa] stanza . . . 913
   mpa . . . 913
[p3p-header] stanza . . . 914
   access . . . 914
   categories . . . 914
   disputes . . . 916
   non-identifiable . . . 916
   p3p-element . . . 917
   purpose . . . 917
   recipient . . . 919
   remedies . . . 920
   retention . . . 920
[policy-director] stanza . . . 922
   config-file . . . 922
[preserve-cookie-names] stanza . . . 923
   name . . . 923
[process-root-filter] stanza . . . 924
   root . . . 924
[reauthentication] stanza . . . 925
   reauth-at-any-level . . . 925
   reauth-extend-lifetime . . . 925
   reauth-for-inactive . . . 926
   reauth-reset-lifetime . . . 926
   terminate-on-reauth-lockout . . . 926
[replica-sets] stanza . . . 928


   replica-set . . . 928
[script-filtering] stanza . . . 929
   hostname-junction-cookie . . . 929
   rewrite-absolute-with-absolute . . . 929
   script-filter . . . 929
[server] stanza . . . 931
   allow-shift-jis-chars . . . 931
   allow-unauth-ba-supply . . . 931
   auth-challenge-type . . . 932
   cache-host-header . . . 932
   capitalize-content-length . . . 933
   client-connect-timeout . . . 934
   chunk-responses . . . 934
   connection-request-limit . . . 934
   cope-with-pipelined-request . . . 935
   decode-query . . . 935
   double-byte-encoding . . . 936
   dynurl-allow-large-posts . . . 936
   dynurl-map . . . 937
   enable-IE6-2GB-downloads . . . 937
   filter-nonhtml-as-xhtml . . . 938
   force-tag-value-prefix . . . 938
   http . . . 939
   http-method-trace-enabled . . . 939
   http-method-trace-enabled-remote . . . 940
   http-port . . . 940
   https . . . 941
   https-port . . . 941
   ignore-missing-last-chunk . . . 941
   intra-connection-timeout . . . 942
   ip-support-level . . . 942
   ipv6-support . . . 943
   late-lockout-notification . . . 943
   max-client-read . . . 944
   max-file-cat-command-length . . . 945
   network-interface . . . 945
   persistent-con-timeout . . . 945
   pre-410-compatible-tokens . . . 946
   pre-510-compatible-token . . . 946
   preserve-base-href . . . 947
   preserve-base-href2 . . . 947
   preserve-p3p-policy . . . 948
   process-root-requests . . . 948
   redirect-using-relative . . . 949
   reject-invalid-host-header . . . 949
   reject-request-transfer-encodings . . . 950
   request-body-max-read . . . 950
   request-max-cache . . . 951
   server-name . . . 951
   server-root . . . 952
   slash-before-query-on-redirect . . . 952
   suppress-backend-server-identity . . . 953
   suppress-dynurl-parsing-of-posts . . . 953
   suppress-server-identity . . . 954
   tag-value-missing-attr-tag . . . 954
   unix-group . . . 955
   unix-pid-file . . . 955
   unix-user . . . 956
   use-http-only-cookies . . . 956
   utf8-form-support-enabled . . . 957
   utf8-qstring-support-enabled . . . 957

   utf8-url-support-enabled . . . 958
   validate-query-as-ga . . . 958
   web-host-name . . . 958
   web-http-port . . . 959
   web-http-protocol . . . 959
   worker-threads . . . 960
[session] stanza . . . 961
   dsess-enabled . . . 961
   dsess-last-access-update-interval . . . 961
   enforce-max-sessions-policy . . . 961
   inactive-timeout . . . 962
   logout-remove-cookie . . . 962
   max-entries . . . 963
   prompt-for-displacement . . . 964
   register-authentication-failures . . . 964
   require-mpa . . . 965
   resend-webseal-cookies . . . 965
   send-constant-sess . . . 965
   ssl-id-sessions . . . 966
   ssl-session-cookie-name . . . 966
   standard-junction-replica-set . . . 967
   tcp-session-cookie-name . . . 967
   timeout . . . 968
   update-session-cookie-in-login-request . . . 968
   user-session-ids . . . 969
   user-session-ids-include-replica-set . . . 969
   use-same-session . . . 970
[session-cookie-domains] stanza . . . 971
   domain . . . 971
[session-http-headers] stanza . . . 972
   header_name . . . 972
[spnego] stanza . . . 973
   spnego-auth . . . 973
   spnego-krb-keytab-file . . . 973
   spnego-krb-service-name . . . 973
   use-domain-qualified-name . . . 974
[ssl] stanza . . . 976
   base-crypto-library . . . 976
   crl-ldap-server . . . 976
   crl-ldap-server-port . . . 977
   crl-ldap-user . . . 977
   crl-ldap-user-password . . . 978
   disable-ncipher-bsafe . . . 978
   disable-rainbow-bsafe . . . 978
   disable-ssl-v2 . . . 979
   disable-ssl-v3 . . . 979
   disable-tls-v1 . . . 980
   fips-mode-processing . . . 980
   gsk-crl-cache-entry-lifetime . . . 981
   gsk-crl-cache-size . . . 981
   ocsp-enable . . . 982
   ocsp-max-response-size . . . 982
   ocsp-nonce-check-enable . . . 983
   ocsp-nonce-generation-enable . . . 983
   ocsp-proxy-server-name . . . 983
   ocsp-proxy-server-port . . . 984
   ocsp-url . . . 984
   pkcs11-driver-path . . . 985
   pkcs11-token-label . . . 985
   pkcs11-token-pwd . . . 986
   pkcs11-symmetric-cipher-support . . . 986


   ssl-keyfile . . . 986
   ssl-keyfile-label . . . 987
   ssl-keyfile-pwd . . . 987
   ssl-keyfile-stash . . . 988
   ssl-local-domain . . . 988
   ssl-max-entries . . . 989
   ssl-v2-timeout . . . 989
   ssl-v3-timeout . . . 990
   suppress-client-ssl-errors . . . 990
   undetermined-revocation-cert-action . . . 990
   webseal-cert-keyfile . . . 991
   webseal-cert-keyfile-label . . . 991
   webseal-cert-keyfile-pwd . . . 992
   webseal-cert-keyfile-stash . . . 992
[ssl-qop] stanza . . . 994
   ssl-qop-mgmt . . . 994
[ssl-qop-mgmt-default] stanza . . . 995
   default . . . 995
[ssl-qop-mgmt-hosts] stanza . . . 996
   host-ip . . . 996
[ssl-qop-mgmt-networks] stanza . . . 997
   network/netmask . . . 997
[step-up] stanza . . . 998
   retain-stepup-session . . . 998
   show-all-auth-prompts . . . 998
   verify-step-up-user . . . 998
[tfimsso:] stanza . . . 999
   always-send-tokens . . . 999
   applies-to . . . 1000
   one-time-token . . . 1000
   preserve-xml-token . . . 1000
   renewal-window . . . 1001
   service-name . . . 1001
   tfim-cluster-name . . . 1002
   token-collection-size . . . 1002
   token-type . . . 1003
   token-transmit-name . . . 1003
   token-transmit-type . . . 1004
[tfim-cluster:] stanza . . . 1005
   basic-auth-user . . . 1005
   basic-auth-passwd . . . 1005
   handle-idle-timeout . . . 1005
   handle-pool-size . . . 1006
   server . . . 1006
   ssl-fips-enabled . . . 1007
   ssl-keyfile . . . 1007
   ssl-keyfile-label . . . 1008
   ssl-keyfile-stash . . . 1008
   ssl-valid-server-dn . . . 1009
   timeout . . . 1009
[token] stanza . . . 1010
   token-auth . . . 1010
[uraf-registry] stanza . . . 1011
   bind-id . . . 1011
   cache-lifetime . . . 1011
   cache-mode . . . 1012
   cache-size . . . 1012
   uraf-registry-config . . . 1013
[webseal-config] stanza . . . 1015
   instance-name . . . 1015
   orig-version . . . 1015

   status . . . 1016
   tivoli_common_dir . . . 1016
   version . . . 1017

Appendix C. Command reference . . . 1019
   Reading syntax statements . . . 1020
   help . . . 1021
   server list . . . 1023
   server task add . . . 1024
   server task cache flush all . . . 1027
   server task cfgdb export . . . 1029
   server task cfgdb import . . . 1030
   server task create . . . 1032
   server task delete . . . 1040
   server task dynurl update . . . 1042
   server task file cat . . . 1044
   server task help . . . 1046
   server task jdb export . . . 1048
   server task jdb import . . . 1049
   server task jmt . . . 1050
   server task list . . . 1052
   server task offline . . . 1054
   server task online . . . 1056
   server task refresh all_sessions . . . 1058
   server task reload . . . 1060
   server task remove . . . 1062
   server task server restart . . . 1064
   server task show . . . 1065
   server task server sync . . . 1067
   server task terminate all_sessions . . . 1068
   server task terminate session . . . 1070
   server task throttle . . . 1072
   server task virtualhost add . . . 1074
   server task virtualhost create . . . 1077
   server task virtualhost delete . . . 1084
   server task virtualhost list . . . 1086
   server task virtualhost offline . . . 1088
   server task virtualhost online . . . 1091
   server task virtualhost remove . . . 1093
   server task virtualhost show . . . 1095
   server task virtualhost throttle . . . 1097

Appendix D. Support information . . . 1099
   Searching knowledge bases . . . 1099
   Searching information centers . . . 1099
   Searching the Internet . . . 1099
   Obtaining fixes . . . 1099
   Registering with IBM Software Support . . . 1100
   Receiving weekly software updates . . . 1100
   Contacting IBM Software Support . . . 1101
   Determining the business impact . . . 1101
   Describing problems and gathering information . . . 1102
   Submitting problems . . . 1102

Appendix E. Notices . . . 1105
   Trademarks . . . 1107

Glossary . . . 1109

Index . . . 1119


About this publication

Welcome to the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide. IBM Tivoli Access Manager WebSEAL is the resource manager for Web-based resources in a Tivoli Access Manager secure domain. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy. This administration guide provides a comprehensive set of procedures and reference information for managing the resources of your secure Web domain. This guide also provides you with valuable background and concept information for the wide range of WebSEAL functionality. IBM Tivoli Access Manager for e-business provides an access control management solution to centralize network and application security policy for e-business applications.

Intended audience

This guide is for system administrators responsible for configuring and maintaining a Tivoli Access Manager WebSEAL environment. Readers should be familiar with the following:

- PC and UNIX or Linux operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- A supported user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Publications

This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Access Manager for e-business library

The following documents are in the Tivoli Access Manager for e-business library:

- IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-9333
  Provides steps that summarize major installation and configuration tasks.
- IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501
  Provides information about installing and getting started, system requirements, and known installation and configuration problems.
- IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502
  Explains how to install and configure Tivoli Access Manager for e-business.
- IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503
  Upgrade from version 5.0, 6.0, or 6.1 to version 6.1.1.
- IBM Tivoli Access Manager for e-business: Administration Guide, SC23-6504
  Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506
  Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507
  Provides procedures and reference information for securing your Web domain using a Web server plug-in.
- IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509
  Provides deployment considerations and operational instructions for the session management server.
- IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide, SC23-6510
  Provides information for enabling SSL communication in the Tivoli Access Manager environment.
- IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511
  Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
- IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512
  Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.


- IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517
  Provides programming and reference information for developing authentication modules.
- IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157
  Provides explanations and recommended actions for the messages and return codes.
- IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC27-2717
  Provides problem determination information.
- IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.

Related products and publications

This section lists the IBM products that are related to and included with a Tivoli Access Manager solution.

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit), version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs. The GSKit package provides the iKeyman key management utility, gsk7ikm, which creates key databases, public-private key pairs, and certificate requests. The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, version 6.1, is included on the IBM Tivoli Access Manager Directory Server set of CDs for the required operating system. You can find additional information about Tivoli Directory Server at: http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator, version 6.1.1, is included on the IBM Tivoli Directory Integrator CD for the required operating system. You can find additional information about IBM Tivoli Directory Integrator at: http://www-306.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.1, is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2 is required when using Tivoli Directory Server or z/OS LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2. You can find additional information about DB2 at: http://www.ibm.com/software/data/db2

IBM WebSphere Application Server

WebSphere Application Server, version 6.1, is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the required operating system. WebSphere Application Server enables the support of the following applications:

- Web Portal Manager interface, which administers Tivoli Access Manager.
- Web Administration Tool, which admin