Tivoli® Access Manager for e-business Version 6.1.1
WebSEAL Administration Guide
SC23-6505-01



Note
Before using this information and the product it supports, read the information in Appendix E, "Notices," on page 1105.

Edition notice
This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

All rights reserved.
Copyright IBM Corporation 2002, 2010. US Government Users Restricted Rights. Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication  xix
  Intended audience  xix
  Publications  xix
  IBM Tivoli Access Manager for e-business library  xix
  Related products and publications  xxi
  Accessing terminology online  xxii
  Accessing publications online  xxii
  Ordering publications  xxiii
  Accessibility  xxiii
  Tivoli technical training  xxiii
  Tivoli user groups  xxiii
  Support information  xxiv
  Conventions used in this publication  xxiv
  Typeface conventions  xxiv
  Operating system-dependent variables and paths  xxv

Part 1. Administration  1

Chapter 1. IBM Tivoli Access Manager WebSEAL overview  3
  Tivoli Access Manager introduction  4
  WebSEAL introduction  5
  Tivoli Access Manager security model  6
  Security model concepts  6
  The protected object space  6
  Access control lists (ACLs) and protected object policies (POPs)  7
  Access control list (ACL) policies  8
  Protected object policies (POPs)  8
  Explicit and inherited policy  9
  Policy administration: The Web Portal Manager  9
  Web space protection  10
  Security policy planning and implementation  12
  Content types and levels of protection  12
  WebSEAL authentication  14
  Standard WebSEAL junctions  15
  Web space scalability  17
  Replicated front-end WebSEAL servers  17
  Junctioned back-end servers  17
  Replicated back-end servers  18

Chapter 2. Server administration  21
  Server operation  22
  The pdweb command  22
  Starting the WebSEAL server  22
  Stopping the WebSEAL server  22
  Restarting the WebSEAL server  23
  Displaying WebSEAL server status  23
  Backup and restore  24
  The pdbackup utility  24
  Backing up WebSEAL data  24
  Restoring WebSEAL data  25
  Extracting archived WebSEAL data  26
  Synchronizing WebSEAL data across multiple servers  26
  Automating synchronization with command files  29
  Backing up and restoring data  30
  Auditing and logging resources for WebSEAL  31
  Error message logging  31
  Auditing WebSEAL server activity  31
  Common Auditing and Reporting Services (CARS)  32
  Traditional auditing and logging of HTTP events  32
  Problem determination resources for WebSEAL  33
  Configuration data log file  33
  Statistics  35
  Application Response Measurement  35
  Trace utility  36

Part 2. Configuration  37

Chapter 3. Web server configuration  39
  WebSEAL server and host name specification  40
  Specifying the WebSEAL server name in the configuration file  40
  Displaying the WebSEAL server name in "pdadmin server list"  40
  Displaying the WebSEAL server name in the protected object space  41
  Specifying the WebSEAL host (machine) name  41
  WebSEAL configuration file  42
  Configuration file organization  42
  Configuration file name and location  42
  Modifying configuration file settings  43
  WebSEAL .obf configuration file  43
  Default document root directory  44
  Default root junction  45
  Changing the root junction after WebSEAL installation  45
  Directory indexing  47
  Configuring directory indexing  47
  Configuring graphical icons for file types  47
  Content caching  49
  Content caching concepts  49
  Configuring content caching  49
  Impact of HTTP headers on WebSEAL content caching  50
  Flushing all caches  52
  Controlling caching for specific documents  52
  Communication protocol configuration  54
  Configuring WebSEAL for HTTP requests  54
  Configuring WebSEAL for HTTPS requests  54
  Restricting connections from specific SSL versions  55
  Persistent HTTP connections  55
  Configuring WebSEAL to handle HTTPOnly cookies  55

    Copyright IBM Corp. 2002, 2010 iii

  Timeout settings for HTTP and HTTPS communication  56
  Additional WebSEAL server timeout settings  57
  Support for WebDAV  58
  Support for chunked transfer coding  59
  Internet Protocol version 6 (IPv6) support  60
  IPv4 and IPv6 overview  60
  Configuring IPv6 and IPv4 support  60
  IPv6: Compatibility support  61
  IPv6: Upgrade notes  61
  Specifying the IP level for credential attributes  61
  LDAP directory server configuration  63
  Worker thread allocation  64
  Configuring WebSEAL worker threads  64
  Allocating worker threads for junctions (junction fairness)  65
  HTTP data compression  67
  Compression based on MIME-type  67
  Compression based on user agent type  68
  Compression policy in POPs  69
  Data compression limitation  69
  Configuring data compression policy  69
  Multi-locale support with UTF-8  71
  Multi-locale support concepts  71
  Configuring multi-locale support  76
  Validating character encoding in request data  81
  Supported wildcard pattern matching characters  82

Chapter 4. Web server response configuration  83
  Static HTML server response pages  84
  HTML server response page locations  88
  Specifying account management page location  88
  Specifying error message page location  88
  Creating junction-specific static server response pages  89
  HTML server response page modification  90
  Guidelines for customizing HTML response pages  90
  Macro resources for customizing HTML response pages  90
  Embedding macros in a template  92
  Adding an image to a custom login form  95
  Updating response pages from prior versions of WebSEAL  95
  Account management page configuration  98
  Configuration file stanza entries and values  98
  Configuring the account expiration error message  98
  Configuring the password policy options  99
  Error message page configuration  101
  Enabling the time of day error page  101
  Creating new HTML error message pages  101
  Compatibility with previous versions of WebSEAL  102
  Multi-locale support for server responses  103
  The accept-language HTTP header  103
  WebSEAL language packs  103
  Process flow for multi-locale support  104
  Conditions affecting multi-locale support on WebSEAL  104
  Handling the favicon.ico file with Mozilla Firefox  106
  Configuring the location URL format in redirect responses  107
  Local response redirection  108
  Local response redirection overview  108
  Local response redirection process flow  108
  Enabling and disabling local response redirection  109
  Contents of a redirected response  109
  Specifying the URI for local response redirection  109
  Specifying the operation for local response redirection  110
  Specifying macro support for local response redirection  111
  Local response redirection configuration example  114
  Technical notes for local response redirection  115
  Remote response handling with local authentication  115

Chapter 5. Web server security configuration  117
  Cryptographic hardware for encryption and key storage  118
  Cryptographic hardware concepts  118
  Conditions for using IBM 4758-023  118
  Configuring Cipher engine and FIPS mode processing  119
  Configuring WebSEAL for cryptographic hardware  119
  Preventing vulnerability caused by cross-site scripting  123
  Cross-site scripting concepts  123
  Configuring URL string filtering  123
  Suppressing WebSEAL and back-end server identity  125
  Suppressing WebSEAL server identity  125
  Suppressing back-end application server identity  125
  Enabling HTTP TRACE method  126
  Platform for Privacy Preferences (P3P)  127
  Compact policy overview  127
  Compact policy declaration  128
  Junction header preservation  128
  Default compact policy in the P3P header  129
  Configuring the P3P header  130
  Specifying a custom P3P compact policy  136
  Troubleshooting P3P configuration  136

Part 3. Authentication  137

Chapter 6. Authentication overview  141
  Definition and purpose of authentication  142
  Information in a user request  142
  Client identities and credentials  143
  Authentication process flow  144
  Authenticated and unauthenticated access to resources  145
  Request process for authenticated users  145
  Request process for unauthenticated users  145
  Access conditions over SSL  146


  Forcing user login  146
  Using unauthenticated HTTPS  146
  Supported authentication methods  147
  Authentication challenge  147

Chapter 7. Authentication methods  149
  Authentication configuration overview  150
  Authentication terminology  150
  Supported authentication mechanisms  151
  Authentication conversion library  152
  Default configuration for WebSEAL authentication  153
  Conditions for configuring multiple authentication methods  153
  Logout and password change operations  154
  Logging out: pkmslogout  154
  Controlling custom response pages for pkmslogout  154
  Changing passwords: pkmspasswd  155
  Password change issue with Active Directory on Windows 2003  155
  Post password change processing  155
  Basic authentication  157
  Enabling and disabling basic authentication  157
  Setting the realm name  157
  Configuring the basic authentication mechanism  158
  Multi-byte UTF-8 logins  158
  Forms authentication  159
  Enabling and disabling forms authentication  159
  Configuring the forms authentication mechanism  159
  Customizing HTML response forms  160
  Submitting login form data directly to WebSEAL  160
  Client-side certificate authentication  162
  Client-side certificate authentication modes  162
  Certificate authentication configuration task summary  165
  Enabling certificate authentication  165
  Configuring the certificate authentication mechanism  166
  Specifying the certificate login error page  169
  Specifying the certificate login form  169
  Disabling SSL session IDs for session tracking  169
  Enabling and configuring the Certificate SSL ID cache  170
  Setting the timeout for Certificate SSL ID cache  170
  Specifying an error page for incorrect protocol  171
  Disabling certificate authentication  171
  Disabling the Certificate SSL ID cache  171
  Technical notes for certificate authentication  171
  HTTP header authentication  172
  HTTP header authentication overview  172
  Enabling HTTP header authentication  173
  Specifying HTTP cookies  173
  Specifying header types  173
  Configuring the HTTP header authentication mechanism  174
  Disabling HTTP header authentication  174
  IP address authentication  176
  Enabling and disabling IP address authentication  176
  Configuring the IP address authentication mechanism  176
  Token authentication  177
  Token authentication concepts  177
  Token authentication configuration task summary  181
  Enabling token authentication  181
  Configuring the token authentication mechanism  181
  Enabling access to the RSA ACE/Agent client library  182
  Specifying a customized password strength module  183
  Compatibility support for RSA SecurID PIN functions  183
  Disabling token authentication  184
  Submitting login form data directly to WebSEAL  184
  SPNEGO protocol and Kerberos authentication  186
  LTPA authentication  186
  LTPA authentication overview  186
  Enabling LTPA authentication  187
  Supplying the Key File Information  187
  Specifying the cookie name  188
  Controlling the lifetime of the LTPA Token  188
  Configuring the LTPA authentication mechanism  188
  Disabling LTPA authentication  189

Chapter 8. Advanced authentication methods  191
  Multiplexing proxy agents  192
  Multiplexing proxy agents overview  192
  Valid session data types and authentication methods  193
  Authentication process flow for MPA and multiple clients  194
  Enabling and disabling MPA authentication  194
  Creating a user account for the MPA  194
  Adding the MPA account to the webseal-mpa-servers group  195
  MPA authentication limitations  195
  Switch user authentication  196
  Overview of the switch user function  196
  Configuring switch user authentication  199
  Using switch user  204
  Additional switch user feature support  205
  Developing a custom authentication module for switch user  206
  Configuring a custom authentication module for switch user  207
  Reauthentication  209
  Reauthentication concepts  209
  Reauthentication based on security policy  210
  Creating and applying the reauthentication POP  210
  Reauthentication based on session inactivity  211
  Enabling reauthentication based on session inactivity  211
  Resetting the session cache entry lifetime value  211
  Extending the session cache entry lifetime value  212
  Preventing session removal when the session lifetime expires  212


  Removing a user's session at login failure policy limit  213
  Customizing login forms for reauthentication  214
  Authentication strength policy (step-up)  216
  Authentication strength concepts  216
  Authentication strength configuration task summary  218
  1. Establishing an authentication strength policy  218
  2. Specifying authentication levels  218
  3. Specifying the authentication strength login form  220
  4. Creating a protected object policy  220
  5. Specifying network-based access restrictions  222
  6. Attaching a protected object policy to a protected resource  224
  7. Enforcing user identity match across authentication levels  225
  8. Controlling the login response for unauthenticated users  225
  External authentication interface  226
  Client Certificate User Mapping  226
  Introduction  226
  User mapping rules evaluator  230
  Managing the CDAS  233

Chapter 9. Post-authentication processing  237
  Automatic redirection after authentication  238
  Overview of automatic redirection  238
  Enabling automatic redirection  238
  Disabling automatic redirection  239
  Limitations  239
  Specifying macro support for automatic redirection  239
  Server-side request caching  242
  Server-side request caching concepts  242
  Process flow for server-side request caching  242
  Configuring server-side caching  243

Chapter 10. Password processing  247
  Post password change processing  248
  Post password change processing concepts  248
  Configuring post password change processing  248
  Post password change processing conditions  248
  Login failure policy ("three strikes" login policy)  250
  Login failure policy concepts  250
  Setting the login failure policy  250
  Setting the account disable time interval  251
  Configuring the account disable notification response  252
  Login failure policy with replicated WebSEAL servers  252
  Password strength policy  254
  Password strength policy concepts  254
  Password strength policies  254
  Syntax for password strength policy commands  255
  Default password strength policy values  256
  Valid and not valid password examples  256
  Specifying user and global settings  256

Chapter 11. Credential processing  259
  Extended attributes for credentials  260
  Mechanisms for adding registry attributes to a credential  260
  Configuring a registry attribute entitlement service  261
  Junction handling of extended credential attributes  263
  Credential refresh  266
  Credential refresh concepts  266
  Configuring credential refresh  270
  Credential refresh usage  271

Chapter 12. External authentication interface  273
  External authentication interface overview  274
  External authentication interface process flow  275
  External authentication interface configuration  278
  Enabling the external authentication interface  278
  Initiating the authentication process  278
  Configuring the external authentication interface trigger URL  279
  Specifying HTTP header names for authentication data  279
  Extracting authentication data from special HTTP headers  280
  Configuring the external authentication interface mechanism  281
  Generating the credential  282
  External authentication interface credential replacement  282
  Writing an external authentication application  283
  External authentication interface HTTP header reference  285
  Use of external authentication interface with existing WebSEAL features  287
  Request caching with external authentication interface  287
  Post-authentication redirection with external authentication interface  287
  Session handling with external authentication interface  288
  Authentication strength level with external authentication interface  288
  Reauthentication with external authentication interface  288
  Login page and macro support with external authentication interface  289
  Setting a client-specific session cache entry lifetime value  289
  Setting a client-specific session cache entry inactivity timeout value  291

Part 4. Session State  293

Chapter 13. Session state overview  295
  Session state concepts  296
  Supported session ID data types  297
  Information retrieved from a client request  298
  WebSEAL session cache structure  299


  Deployment considerations for clustered environments  300
  Consistent configuration on all WebSEAL replica servers  300
  Client-to-server session affinity at the load balancer  300
  Failover from one WebSEAL server to another  300
  Options for handling failover in clustered environments  301
  Option 1: No WebSEAL handling of failover events  301
  Option 2: Authentication data included in each request  301
  Option 3: Failover cookies  301
  Option 4: The Session Management Server  302
  Option 5: LTPA cookie  302

Chapter 14. Session cache configuration  305
  Session cache configuration overview  306
  SSL session ID cache configuration  307
  Setting the cache entry timeout value  307
  Setting the maximum concurrent SSL sessions value  307
  WebSEAL session cache configuration  308
  Setting the maximum session cache entries value  308
  Setting the cache entry lifetime timeout value  308
  Setting the cache entry inactivity timeout value  309
  Session cache limitation  310

Chapter 15. Failover solutions  311
  Failover authentication concepts  312
  The failover environment  312
  Failover cookie  313
  Failover authentication process flow  314
  Failover authentication module  314
  Example failover configuration  315
  Addition of data to a failover cookie  315
  Extraction of data from a failover cookie  317
  Domain-wide failover authentication  319
  Backward compatibility for failover cookies  319
  Upgrading failover authentication  320
  Failover authentication configuration  321
  Failover authentication configuration task summary  322
  Specifying the protocol for failover cookies  323
  Configuring the failover authentication mechanism  323
  Generating a key pair to encrypt and decrypt cookie data  324
  Specifying the failover cookie lifetime  324
  Specifying UTF-8 encoding on cookie strings  325
  Adding the authentication strength level  325
  Reissuing missing failover cookies  325
  Adding the session lifetime timestamp  326
  Adding the session activity timestamp  326
  Adding an interval for updating the activity timestamp  327
  Adding extended attributes  328
  Specifying the authentication strength level attribute after failover authentication  328
  Specifying attributes for extraction  328
  Enabling domain-wide failover cookies  329
  Requiring validation of a lifetime timestamp  330
  Requiring validation of an activity timestamp  330
  Enabling compatibility for cookie encryption level of security  330
  Enabling compatibility for cookie encryption format  331
  Failover for non-sticky failover environments  332
  Non-sticky failover concepts  332
  Configuring the non-sticky failover solution  333
  Use of failover cookies with existing WebSEAL features  334
  Change password operation in a failover environment  335

Chapter 16. Session state in non-clustered environments  337
  Maintain session state in non-clustered environments  338
  Controlling session state information over SSL  338
  Using the same session key over different transports  338
  Valid session key data types  340
  Determining the effective session timeout value  341
  Netscape 4.7x limitation for use-same-session  341
  Session cookies  343
  Session cookies concepts  343
  Conditions for using session cookies  343
  Customizing the session cookie name  343
  Sending session cookies with each request  344
  Customized responses for old session cookies  345
  Session removal and old session cookie concepts  345
  Enabling customized responses for old session cookies  346
  Maintain session state with HTTP headers  348
  HTTP header session key concepts  348
  Configuring HTTP headers to maintain session state  348
  Requiring requests from an MPA  349
  Compatibility with previous versions of WebSEAL  350

Part 5. Session Management Server  351

Chapter 17. Session management server (SMS) overview  353
  The failover environment  354
  The session management server (SMS)  355
  Server clusters, replica sets, and session realms  356
  SMS process flow  357
  Sharing sessions across multiple DNS domains  358

Chapter 18. Quickstart guide for WebSEAL using SMS  361
  Configuration summary for WebSEAL using SMS  362


  1. Information gathering  362
  2. WebSEAL configuration file settings  362
  3. Import the Tivoli Access Manager CA Certificate  363
  4. Restart the WebSEAL server  363
  5. Create junctions for virtual hosts  364
  6. Junction the session management server  364
  7. Set the maximum concurrent sessions policy  364
  8. Test the configuration  364

Chapter 19. Configuration for WebSEAL using SMS  367
  SMS configuration for WebSEAL  368
  Configuring the session management server (SMS)  368
  Enabling and disabling SMS for WebSEAL  368
  Specifying session management server cluster and location  368
  Retrieving the maximum concurrent sessions policy value  369
  Replica set configuration  371
  Configuring WebSEAL to participate in multiple replica sets  371
  Assigning standard junctions to a replica set  371
  Assigning virtual hosts to a replica set  372
  Example replica set configuration  372
  Adjusting the last access time update frequency for SMS  376
  SMS communication timeout configuration  377
  Configuring SMS response timeout  377
  Configuring connection timeout for broadcast events  377
  SMS performance configuration  378
  Maximum pre-allocated session IDs  378
  Configuring the handle pool size  378
  SMS Authentication  379
  SSL configuration for WebSEAL and SMS  379
  Configuring the WebSEAL key database  379
  Specifying the SSL certificate distinguished name (DN)  380
  Maximum concurrent sessions policy  382
  Setting the maximum concurrent sessions policy  382
  Enforcing the maximum concurrent sessions policy  385
  Switch user and maximum concurrent sessions policy  386
  Single signon within a session realm  387
  Session realm and session sharing concepts  387
  Configuring session sharing  388
  Configuring login history  390
  Enabling login failure notification  390
  Creating a junction to the session management server  390
  Allowing access to the login history JSP  391
  Customizing the JSP to display login history  391

Part 6. Authorization  393

Chapter 20. Configuration for authorization  395
  WebSEAL-specific ACL policies  396
  /WebSEAL/host-instance_name  396
  /WebSEAL/host-instance_name/file  396
  WebSEAL ACL permissions  396
  Default /WebSEAL ACL policy  396
  Valid characters for ACL names  397
  Quality of protection POP  398
  Configuring authorization database updates and polling  399
  Database update and polling concepts  399
  Configuring update notification listening  399
  Configuring authorization database polling  400
  Configuring quality of protection levels  401
  Configuring QOP for individual hosts and networks  402
  Authorization decision information  402

Chapter 21. Key management  405
  Key management overview  406
  Client-side and server-side certificate concepts  407
  GSKit key database file types  408
  Configuring the WebSEAL key database file  409
  WebSEAL key database file  409
  Key database file password  409
  WebSEAL test certificate  410
  Inter-server SSL communication for Tivoli Access Manager  410
  Using the iKeyman certificate management utility  411
  Configuring CRL checking  412
  Configuring the CRL cache  413
  Setting the maximum number of cache entries  413
  Setting the GSKit cache lifetime timeout value  413
  Using the WebSEAL test certificate for SSL connections  414

Chapter 22. Customized authorization  417
  Custom requests  417
  Custom responses  417

Part 7. Standard WebSEAL Junctions  419

Chapter 23. Standard WebSEAL junctions  421
  WebSEAL junctions overview  422
  Junction types  422
  Junction database location and format  422
  Applying coarse-grained access control: summary  423
  Applying fine-grained access control: summary  423
  Additional references for WebSEAL junctions  423
  Managing junctions with Web Portal Manager  424
  Creating a junction using Web Portal Manager  424
  Listing junctions using Web Portal Manager  424
  Deleting junctions using Web Portal Manager  424
  Managing junctions with the pdadmin utility  426
  Importing and exporting junction databases  426
  Standard WebSEAL junction configuration  428
  The pdadmin server task create command  428

    Creating TCP type standard junctions . . . 428
    Creating SSL type standard junctions . . . 429
    Creating mutual junctions . . . 429
    SSL-based standard junctions . . . 430
    Adding multiple back-end servers to a standard junction . . . 430
    Creating a local type standard junction . . . 430
  Transparent path junctions . . . 432
    Filtering concepts in standard WebSEAL junctions . . . 432
    Transparent path junction concepts . . . 432
    Configuring transparent path junctions . . . 433
    Example transparent path junction . . . 434
  Technical notes for using WebSEAL junctions . . . 435
    Guidelines for creating WebSEAL junctions . . . 435
    Adding multiple back-end servers to the same junction . . . 435
    Exceptions to enforcing permissions across junctions . . . 436
    Certificate authentication across junctions . . . 436
    Handling domain cookies . . . 436
    Supported HTTP versions for requests and responses . . . 437
    Junctioned application with Web Portal Manager . . . 437
  Generating a back-end server Web space (query_contents) . . . 438
    query_contents overview . . . 438
    query_contents components . . . 439
    Installing and configuring query_contents on UNIX-based Web servers . . . 440
    Installing and configuring query_contents on Windows-based Web servers . . . 441
    General process flow for query_contents . . . 442
    Securing the query_contents program . . . 443

Chapter 24. Advanced junction configuration . . . 445
  Mutually authenticated SSL junctions . . . 446
    Mutually authenticated SSL junctions process summary . . . 446
    Validating the back-end server certificate . . . 446
    Matching the distinguished name (DN) . . . 447
    Authenticating with a client certificate . . . 447
    Authenticating with a BA header . . . 448
  TCP and SSL proxy junctions . . . 449
  WebSEAL-to-WebSEAL junctions over SSL . . . 450
  Stateful junctions . . . 452
    Stateful junction concepts . . . 452
    Configuring stateful junctions . . . 452
    Specifying back-end server UUIDs for stateful junctions . . . 453
    Handling an unavailable stateful server . . . 455
  Forcing a new junction . . . 456
  Using /pkmslogout with virtual host junctions . . . 456
  Junction throttling . . . 458
    Junction throttling concepts . . . 458
    Placing a junctioned server in a throttled state . . . 459
    Placing a junctioned server in an offline state . . . 460
    Placing a junctioned server in an online state . . . 462
    Junction throttle messages . . . 464
    Use of junction throttling with existing WebSEAL features . . . 465
  Managing Cookies . . . 465
  Passing session cookies to junctioned portal servers . . . 468
  Supporting not case-sensitive URLs . . . 470
  Junctioning to Windows file systems . . . 471
    Example: . . . 471
    ACLs and POPs must attach to lower-case object names . . . 472
  Standard junctioning to virtual hosts . . . 473
  Specifying UTF-8 encoding for HTTP header data . . . 475
  Bypassing buffering on a per-resource basis . . . 476
  Single signon solutions across junctions . . . 477

Chapter 25. Modifying URLs to junctioned resources . . . 479
  URL modification concepts . . . 480
  Path types used in URLs . . . 481
  Modifying URLs in responses . . . 482
    Filtering tag-based static URLs . . . 482
    Modifying absolute URLs with script filtering . . . 488
    Configuring the rewrite-absolute-with-absolute option . . . 489
    Filtering changes the Content-Length header . . . 489
    Limitation with unfiltered server-relative links . . . 490
  Modifying URLs in requests . . . 492
    Modifying server-relative URLs with junction mapping . . . 492
    Modifying server-relative URLs with junction cookies . . . 493
    Controlling the junction cookie JavaScript block . . . 495
    Modifying server-relative URLs using the HTTP Referer header . . . 498
    Controlling server-relative URL processing in requests . . . 498
  Handling cookies from servers across multiple -j junctions . . . 501
    Cookie handling: -j modifies Set-Cookie path attribute . . . 501
    Cookie handling: -j modifies Set-Cookie name attribute . . . 501
    Preserving cookie names . . . 502
    Cookie handling: -I ensures unique Set-Cookie name attribute . . . 503

Chapter 26. Command option summary: Standard junctions . . . 505
  Using pdadmin server task to create junctions . . . 506
  Server task commands for junctions . . . 507
  Creating a new junction for an initial server . . . 509
  Adding an additional server to an existing junction . . . 514

Part 8. Virtual Hosting . . . 517

Chapter 27. Virtual host junctions . . . 519
  Virtual host junction concepts . . . 520
    Standard WebSEAL junctions . . . 520
    The challenges of URL filtering . . . 520
    Virtual hosting . . . 520

    The virtual host junction solution . . . 521
    Stanzas and stanza entries ignored by virtual host junctions . . . 522
    Virtual hosts represented in the object space . . . 522
  Configuring a virtual host junction . . . 524
    Creating a remote type virtual host junction . . . 524
    Creating a local type virtual host junction . . . 526
  Scenario 1: Remote virtual host junctions . . . 528
  Defining interfaces for virtual host junctions . . . 530
    Default interface specification . . . 530
    Defining additional interfaces . . . 530
  Scenario 2: Virtual host junctions with interfaces . . . 533
  Use of virtual hosts with existing WebSEAL features . . . 536
    E-community single signon with virtual hosts . . . 536
    Cross-domain single signon with virtual hosts . . . 537
    Dynamic URLs with virtual host junctions . . . 538
    Using domain session cookies for virtual host single signon . . . 538
    Junction throttling . . . 539
  Scenario 3: Advanced virtual host configuration . . . 540
  Virtual host junction limitations . . . 543
    SSL session IDs not usable by virtual hosts . . . 543

Chapter 28. Command option summary: Virtual host junctions . . . 545
  Using pdadmin server task to create virtual host junctions . . . 546
  Server task commands for virtual host junctions . . . 547
  Creating a new virtual host junction . . . 549
  Adding an additional server to a virtual host junction . . . 554

Part 9. Single Signon Solutions . . . 555

Chapter 29. Single signon solutions across junctions . . . 557
  Single signon using Tivoli Federated Identity Manager . . . 558
    Using Kerberos credentials . . . 560
  Single signon using HTTP BA headers . . . 560
    Single signon (SSO) concepts . . . 561
    Supplying client identity in HTTP BA headers . . . 561
    Supplying client identity and generic password . . . 562
    Forwarding original client BA header information . . . 563
    Removing client BA header information . . . 564
    Supplying user names and passwords from GSO . . . 564
    Handling client identity information across junctions . . . 564
  Identity information supplied in HTTP headers . . . 566
    Supplying client identity in HTTP headers (c) . . . 566
    Supplying client IP addresses in HTTP headers (r) . . . 568
    Limiting the size of WebSEAL-generated HTTP headers . . . 568
  Global signon (GSO) . . . 570
    Global signon overview . . . 570
    Mapping the authentication information . . . 571
    Configuring a GSO-enabled WebSEAL junction . . . 571
    Configuring the GSO cache . . . 572
  Single signon to IBM WebSphere (LTPA) . . . 574
    LTPA overview . . . 574
    Configuring an LTPA junction . . . 575
    Configuring the LTPA cache . . . 575
    Technical notes for LTPA single signon . . . 576
  Forms single signon authentication . . . 577
    Forms single signon concepts . . . 577
    Forms single signon process flow . . . 577
    Requirements for application support . . . 579
    Creating the configuration file for forms single signon . . . 579
    Enabling forms single signon . . . 583
    Forms single signon example . . . 583

Chapter 30. Windows desktop single signon . . . 585
  Windows desktop single signon concepts . . . 586
    SPNEGO protocol and Kerberos authentication . . . 586
    User registry and platform support for SPNEGO . . . 587
    SPNEGO compatibility with other authentication methods . . . 587
    Mapping user names from multi-domain Active Directory registries . . . 588
    Multiple Active Directory domain support . . . 589
    SPNEGO authentication limitations . . . 590
  Configuring Windows desktop single signon (Windows) . . . 591
    1. Create an identity for WebSEAL in an Active Directory domain . . . 591
    2. Map a Kerberos principal to an Active Directory user . . . 592
    3. Enable SPNEGO for WebSEAL . . . 593
    4. Restart WebSEAL . . . 594
    5. Configure the Internet Explorer client . . . 594
    Troubleshooting for Windows desktop single signon . . . 594
  Configuring Windows desktop single signon (UNIX) . . . 595
    1. Install the Kerberos runtime client . . . 595
    2. Configure the Kerberos client . . . 596
    3. Create an identity for WebSEAL in an Active Directory domain . . . 597
    4. Map a Kerberos principal to an Active Directory user . . . 597
    5. Verify the authentication of the Web server principal . . . 599
    6. Verify WebSEAL authentication using the keytab file . . . 600
    7. Enable SPNEGO for WebSEAL . . . 600
    8. Add service name and keytab file entries . . . 600
    9. Restart WebSEAL . . . 601
    10. Configure the Internet Explorer client . . . 601
    Troubleshooting for Windows desktop single signon . . . 601
  Configuration notes for a load balancer environment . . . 602

Chapter 31. Cross-domain single signon . . . 603
  Cross-domain single signon concepts . . . 604
    Cross-domain single signon overview . . . 604
    Default and custom authentication tokens . . . 604
    Extended user attributes and identity mapping . . . 604
    CDSSO process flow with attribute transfer and user mapping . . . 605
  Configuring cross-domain single signon . . . 607
    CDSSO configuration summary . . . 607
    CDSSO conditions and requirements . . . 607
    1. Enabling and disabling CDSSO authentication . . . 608
    2. Configuring the CDSSO authentication mechanism . . . 609
    3. Encrypting the authentication token data . . . 610
    4. Configuring the token time stamp . . . 611
    5. Configuring the token label name . . . 612
    6. Creating the CDSSO HTML link . . . 612
    Protecting the authentication token . . . 612
    Using cross-domain single signon with virtual hosts . . . 613
  Handling extended attributes for CDSSO . . . 614
    Specifying extended attributes to add to token . . . 614
    Specifying extended attributes to extract from a token . . . 615
  Compatibility issues for CDSSO . . . 617
    UTF-8 encoding of tokens for cross domain single signon . . . 617
    Providing compatibility for token security level . . . 617
    Providing compatibility for token encryption format . . . 617
  LTPA single signon . . . 618
    LTPA single signon overview . . . 618
    Configuring LTPA single signon . . . 618
    Technical notes for LTPA single signon . . . 619

Chapter 32. E-community single signon . . . 621
  E-community single signon concepts . . . 622
    E-community overview . . . 622
    E-community features and requirements . . . 623
    E-community process flow . . . 624
    The e-community cookie . . . 628
    The vouch-for request and reply . . . 629
    The vouch-for token . . . 629
  Configuring e-community single signon . . . 631
    E-community configuration summary . . . 631
    E-community conditions and requirements . . . 632
    1. Enabling and disabling e-community authentication . . . 633
    2. Specifying an e-community name . . . 634
    3. Configuring the single signon authentication mechanism . . . 634
    4. Encrypting the vouch-for token . . . 635
    5. Configuring the vouch-for token label name . . . 636
    6. Specifying the master authentication server (MAS) . . . 637
    7. Specifying the vouch-for URL . . . 638
    8. Configure token and ec-cookie lifetime values . . . 638
    Enabling unauthenticated access . . . 639
    Limiting the ability to generate vouch-for tokens . . . 639
    Configuring behavior for authentication failure . . . 639
    Logging out using pkmslogout-nomas . . . 639
    Using e-community with virtual hosts . . . 640
  Handling extended attributes for ECSSO . . . 641
    Specifying extended attributes to add to token . . . 641
    Specifying extended attributes to extract from token . . . 642
  Compatibility issues for ECSSO . . . 643
    UTF-8 encoding of tokens for e-community single signon . . . 643
    Providing compatibility for token security level . . . 643
    Providing compatibility for token encryption format . . . 643

Part 10. Deployment . . . 645

Chapter 33. WebSEAL instance deployment . . . 647
  WebSEAL instance configuration overview . . . 648
    Planning a WebSEAL instance configuration . . . 648
    Example WebSEAL instance configuration values . . . 652
    Unique configuration file for each WebSEAL instance . . . 653
    Interactive configuration overview . . . 653
    Command line configuration overview . . . 654
    Silent configuration overview (response file) . . . 655
  WebSEAL instance configuration tasks . . . 657
    Adding a WebSEAL instance . . . 657
    Removing a WebSEAL instance . . . 659
  Load balancing environments . . . 661
    Replicating front-end WebSEAL servers . . . 661
    Controlling the login_success response . . . 662

Chapter 34. Application integration . . . 663
  CGI programming support . . . 664
    WebSEAL and CGI scripts . . . 664
    Creating a cgi-bin directory . . . 664
    WebSEAL environment variables for CGI programming . . . 664
    Windows environment variables for CGI programs . . . 665
    UTF-8 environment variables for CGI programs . . . 665
    Windows: File naming for CGI programs . . . 666
    UNIX files misinterpreted as CGI scripts over local junctions . . . 667
  Supporting back-end server-side applications . . . 668
  Best practices for standard junction usage . . . 669
    Supplying complete Host header information with -v . . . 669
    Supporting standard absolute URL filtering . . . 669
    Hostname aliasing behavior from Tivoli Access Manager 5.1 . . . 670
  Building a custom personalization service . . . 672
    Personalization service concepts . . . 672
    Configuring WebSEAL for a personalization service . . . 672
    Personalization service example . . . 673
  User session management for back-end servers . . . 674

    User session management concepts . . . 674
    Enabling user session ID management . . . 675
    Inserting user session data into HTTP headers . . . 675
    Terminating user sessions . . . 677
    User event correlation for back-end servers . . . 680

Chapter 35. Dynamic URLs . . . 681
  Providing access control to dynamic URLs . . . 682
    Dynamic URL components . . . 682
    Enabling access control for dynamic URLs: dynurl.conf . . . 682
    Converting POST body dynamic data to query string format . . . 683
    Mapping ACL and POP objects to dynamic URLs . . . 683
    Character encoding and query string validation . . . 684
    Updating WebSEAL for dynamic URLs . . . 685
    Resolving dynamic URLs in the object space . . . 685
    Configuring limitations on POST requests . . . 685
    Dynamic URLs summary and technical notes . . . 687
  Dynamic URL example: The Travel Kingdom . . . 689
    The application . . . 689
    The interface . . . 689
    The security policy . . . 690
    Secure clients . . . 690
    Access control . . . 690
    Conclusion . . . 691

Part 11. Attribute Retrieval Service . . . 693

Chapter 36. Attribute retrieval service reference . . . 695
  Basic configuration . . . 696
    Configuration files . . . 696
    Descriptions of amwebars.conf configuration stanza entries . . . 696
  Editing the data tables . . . 699
    ProviderTable . . . 699
    ContainerDescriptorTable . . . 700
    ProtocolTable . . . 702
  Creating custom protocol plug-ins . . . 703
    Overview . . . 703
    Creating the protocol plug-in . . . 703

Chapter 37. Authorization decision information retrieval . . . 705
  Overview of ADI retrieval . . . 706
  Retrieving ADI from the WebSEAL client request . . . 707
    Example: Retrieving ADI from the request header . . . 708
    Example: Retrieving ADI from the request query string . . . 708
    Example: Retrieving ADI from the request POST body . . . 709
  Retrieving ADI from the user credential . . . 710
  Supplying a failure reason across a junction . . . 711
  Dynamic ADI retrieval . . . 712
  Deploying the attribute retrieval service . . . 713

Appendix A. Guidelines for changing configuration files . . . 715
  General guidelines . . . 715
  Default values . . . 715
  Strings . . . 715
  Defined strings . . . 716
  File names . . . 716
  Integers . . . 716
  Boolean values . . . 717

Appendix B. Stanza reference . . . 719
  [acnt-mgt] stanza . . . 720
    account-expiry-notification . . . 720
    account-inactivated . . . 720
    account-locked . . . 721
    allow-unauthenticated-logout . . . 721
    cert-failure . . . 721
    cert-stepup-http . . . 722
    certificate-login . . . 722
    change-password-auth . . . 723
    client-notify-tod . . . 723
    enable-local-response-redirect . . . 724
    enable-passwd-warn . . . 724
    help . . . 725
    login . . . 725
    login-redirect-page . . . 726
    login-success . . . 727
    logout . . . 727
    mgt-pages-root . . . 727
    next-token . . . 728
    passwd-change . . . 728
    passwd-change-failure . . . 728
    passwd-change-success . . . 729
    passwd-expired . . . 729
    passwd-warn . . . 730
    passwd-warn-failure . . . 730
    redirect-to-root-for-pkms . . . 731
    stepup-login . . . 731
    switch-user . . . 732
    token-login . . . 732
    too-many-sessions . . . 732
    use-restrictive-logout-filenames . . . 733
    use-filename-for-pkmslogout . . . 733
  [amwebars] stanza . . . 735
    service-url . . . 735
  [arm] stanza . . . 736
    accept-correlators . . . 736
    app-group . . . 736
    app-instance . . . 736
    correlator-header . . . 737
    enable-arm . . . 737
    library . . . 738
    report-transactions . . . 738
  [auth-cookies] stanza . . . 739
    cookie . . . 739
  [auth-headers] stanza . . . 739
    header . . . 739
  [authentication-levels] stanza . . . 741
    level . . . 741
  [authentication-mechanisms] stanza . . . 742

    cert-ldap . . . 742
    cert-ssl . . . 742
    cred-ext-attrs . . . 743
    ext-auth-interface . . . 743
    failover-cdsso . . . 743
    failover-certificate . . . 744
    failover-ext-auth-interface . . . 744
    failover-http-request . . . 745
    failover-kerberosv5 . . . 745
    failover-password . . . 745
    failover-token-card . . . 746
    http-request . . . 746
    kerberosv5 . . . 747
    ltpa . . . 747
    passwd-cdas . . . 748
    passwd-ldap . . . 748
    passwd-strength . . . 748
    passwd-uraf . . . 749
    post-pwdchg-process . . . 749
    sso-consume . . . 750
    sso-create . . . 750
    su-cdsso . . . 751
    su-certificate . . . 751
    su-http-request . . . 751
    su-kerberosv5 . . . 752
    su-passwd . . . 752
    su-token-card . . . 753
    token-cdas . . . 753
  [aznapi-configuration] stanza . . . 754
    audit-attribute . . . 754
    auditcfg . . . 754
    auditlog . . . 755
    cache-refresh-interval . . . 755
    cred-attribute-entitlement-services . . . 756
    db-file . . . 756
    dynamic-adi-entitlement-services . . . 756
    input-adi-xml-prolog . . . 757
    listen-flags . . . 757
    logaudit . . . 758
    logclientid . . . 758
    logcfg . . . 759
    logflush . . . 760
    logsize . . . 760
    permission-info-returned . . . 761
    policy-cache-size . . . 761
    resource-manager-provided-adi . . . 762
    service-id . . . 762
    xsl-stylesheet-prolog . . . 763
  [aznapi-entitlement-services] stanza . . . 764
    service-id . . . 764
  [azn-decision-info] stanza . . . 765
    azn-decision-info . . . 765
  [ba] stanza . . . 766
    ba-auth . . . 766
    basic-auth-realm . . . 766
  [cdsso] stanza . . . 767
    authtoken-lifetime . . . 767
    cdsso-argument . . . 767
    cdsso-auth . . . 767
    cdsso-create . . . 768
    clean-cdsso-urls . . . 768
    propagate-cdmf-errors . . . 769
    use-utf8 . . . 769
  [cdsso-incoming-attributes] stanza . . . 771
    attribute_pattern . . . 771
  [cdsso-peers] stanza . . . 772
    fully_qualified_hostname . . . 772
  [cdsso-token-attributes] stanza . . . 773
    . . . 773
    domain_name . . . 773
  [certificate] stanza . . . 775
    accept-client-certs . . . 775
    cert-cache-max-entries . . . 775
    cert-cache-timeout . . . 776
    cert-prompt-max-tries . . . 776
    disable-cert-login-page . . . 777
    eai-data . . . 778
    eai-uri . . . 779
  [cfg-db-cmd:entries] stanza . . . 780
    stanza::entry . . . 780
  [cfg-db-cmd:files] stanza . . . 782
    files . . . 782
  [cgi] stanza . . . 783
    cgi-timeout . . . 783
  [cgi-environment-variables] stanza . . . 784
    ENV . . . 784
  [cgi-types] stanza . . . 785
    file_extension . . . 785
  [compress-mime-types] stanza . . . 786
    mime_type . . . 786
  [compress-user-agents] stanza . . . 787
    pattern . . . 787
  [content] stanza . . . 788
    delete-trash-dir . . . 788
    directory-index . . . 788
    doc-root . . . 789
    error-dir . . . 789
    user-dir . . . 790
    utf8-template-macros-enabled . . . 790
  [content-cache] stanza . . . 791
    MIME_type . . . 791
  [content-encodings] stanza . . . 792
    extension . . . 792
  [content-index-icons] stanza . . . 793
    type . . . 793
  [content-mime-types] stanza . . . 794
    deftype . . . 794
    extension . . . 794
  [credential-policy-attributes] stanza . . . 796
    policy-name . . . 796
  [credential-refresh-attributes] stanza . . . 797
    attribute_name_pattern . . . 797
    authentication_level . . . 797
  [dsess] stanza . . . 798
    dsess-sess-id-pool-size . . . 798
    dsess-cluster-name . . . 798
  [dsess-cluster] stanza . . . 799
    basic-auth-user . . . 799
    basic-auth-passwd . . . 799
    handle-idle-timeout . . . 799
    handle-pool-size . . . 800
    response-by . . . 800

    server . . . 801
    ssl-fips-enabled . . . 801
    ssl-keyfile . . . 802
    ssl-keyfile-label . . . 802
    ssl-keyfile-stash . . . 803
    ssl-valid-server-dn . . . 803
    timeout . . . 804
  [eai] stanza . . . 805
    eai-auth . . . 805
    eai-auth-level-header . . . 805
    eai-pac-header . . . 805
    eai-pac-svc-header . . . 806
    eai-redir-url-header . . . 806
    eai-session-id-header . . . 807
    eai-user-id-header . . . 807
    eai-xattrs-header . . . 808
    retain-eai-session . . . 808
  [eai-trigger-urls] stanza . . . 810
    trigger . . . 810
    trigger . . . 810
  [e-community-domains] stanza . . . 811
    name . . . 811
  [e-community-domain-keys] stanza . . . 812
    domain_name . . . 812
  [e-community-domain-keys:domain] stanza . . . 813
    domain_name . . . 813
  [e-community-sso] stanza . . . 814
    cache-requests-for-ecsso . . . 814
    e-community-name . . . 814
    disable-ec-cookie . . . 814
    e-community-sso-auth . . . 815
    ec-cookie-domain . . . 815
    ec-cookie-lifetime . . . 816
    ecsso-allow-unauth . . . 816
    ecsso-propagate-errors . . . 817
    handle-auth-failure-at-mas . . . 817
    is-master-authn-server . . . 818
    master-authn-server . . . 818
    master-http-port . . . 818
    master-https-port . . . 819
    propagate-cdmf-errors . . . 819
    use-utf8 . . . 820
    vf-argument . . . 820
    vf-token-lifetime . . . 821
    vf-url . . . 821
  [ecsso-incoming-attributes] stanza . . . 823
    attribute_pattern . . . 823
  [ecsso-token-attributes] stanza . . . 824
    . . . 824
    domain_name . . . 824
  [enable-redirects] stanza . . . 825
    redirect . . . 825
  [failover] stanza . . . 826
    enable-failover-cookie-for-domain . . . 826
    failover-auth . . . 826
    failover-cookie-lifetime . . . 826
    failover-cookies-keyfile . . . 827
    failover-include-session-id . . . 827
    failover-require-activity-timestamp-validation . . . 828
    failover-require-lifetime-timestamp-validation . . . 828
    failover-update-cookie . . . 829
    reissue-missing-failover-cookie . . . 829
    use-utf8 . . . 830
  [failover-add-attributes] stanza . . . 831
    attribute_pattern . . . 831
    session-activity-timestamp . . . 831
    session-lifetime-timestamp . . . 832
  [failover-restore-attributes] stanza . . . 833
    attribute_pattern . . . 833
    attribute_pattern . . . 833
  [filter-content-types] stanza . . . 835
    type . . . 835
  [filter-events] stanza . . . 836
    HTML_tag . . . 836
  [filter-request-headers] stanza . . . 838
    header . . . 838
  [filter-schemes] stanza . . . 839
    scheme . . . 839
  [filter-url] stanza . . . 840
    HTML_tag . . . 840
  [forms] stanza . . . 842
    allow-empty-form-fields . . . 842
    forms-auth . . . 842
  [gso-cache] stanza . . . 843
    gso-cache-enabled . . . 843
    gso-cache-entry-idle-timeout . . . 843
    gso-cache-entry-lifetime . . . 843
    gso-cache-size . . . 844
  [header-names] stanza . . . 845
    server-name . . . 845
  [http-headers] stanza . . . 846
    http-headers-auth . . . 846
  [icons] stanza . . . 847
    backicon . . . 847
    diricon . . . 847
    unknownicon . . . 847
  [illegal-url-substrings] stanza . . . 849
    substring . . . 849
  [interfaces] stanza . . . 850
    interface_name . . . 850
  [ipaddr] stanza . . . 851
    ipaddr-auth . . . 851
  [jdb-cmd:replace] stanza . . . 851
    jct-id=search-attr-value|replace-attr-value . . . 851
  [junction] stanza . . . 853
    allow-backend-domain-cookies . . . 853
    basicauth-dummy-passwd . . . 853
    crl-ldap-server . . . 854
    crl-ldap-server-port . . . 854
    crl-ldap-user . . . 855
    crl-ldap-user-password . . . 855
    disable-ssl-v2 . . . 856
    disable-ssl-v3 . . . 856
    disable-tls-v1 . . . 856
    dont-reprocess-jct-404s . . . 857
    dynamic-addresses . . . 858
    http-timeout . . . 859
    https-timeout . . . 859
    insert-client-real-ip-for-option-r . . . 860
    io-buffer-size . . . 860
    jct-cert-keyfile . . . 861
    jct-cert-keyfile-stash . . . 862

    xiv WebSEAL Administration Guide

    jct-cert-keyfile-pwd . . . 862
    jct-ocsp-enable . . . 863
    jct-ocsp-max-response-size . . . 863
    jct-ocsp-nonce-check-enable . . . 864
    jct-ocsp-nonce-generation-enable . . . 864
    jct-ocsp-proxy-server-name . . . 865
    jct-ocsp-proxy-server-port . . . 865
    jct-ocsp-url . . . 865
    jct-ssl-reneg-warning-rate . . . 866
    jct-undetermined-revocation-cert-action . . . 866
    jmt-map . . . 867
    junction-db . . . 867
    managed-cookies-list . . . 868
    mangle-domain-cookies . . . 868
    max-cached-persistent-connections . . . 869
    max-webseal-header-size . . . 870
    pass-http-only-cookie-atr . . . 870
    persistent-con-timeout . . . 871
    ping-method . . . 871
    ping-time . . . 872
    ping-uri . . . 872
    recovery-ping-time . . . 873
    reprocess-root-jct-404s . . . 873
    reset-cookies-list . . . 874
    response-code-rules . . . 875
    share-cookies . . . 875
    support-virtual-host-domain-cookies . . . 876
    use-new-stateful-on-error . . . 876
    validate-backend-domain-cookies . . . 877
    worker-thread-hard-limit . . . 878
    worker-thread-soft-limit . . . 878

[junction:junction_name] stanza . . . 880

[ldap] stanza . . . 881
    auth-timeout . . . 881
    auth-using-compare . . . 881
    bind-dn . . . 882
    bind-pwd . . . 882
    cache-enabled . . . 883
    cache-group-expire-time . . . 883
    cache-group-membership . . . 883
    cache-group-size . . . 884
    cache-policy-expire-time . . . 884
    cache-policy-size . . . 885
    cache-return-registry-id . . . 885
    cache-user-expire-time . . . 886
    cache-user-size . . . 886
    cache-use-user-cache . . . 887
    default-policy-override-support . . . 887
    enabled . . . 888
    host . . . 888
    ldap-server-config . . . 889
    login-failures-persistent . . . 889
    max-search-size . . . 890
    prefer-readwrite-server . . . 890
    port . . . 891
    replica . . . 891
    search-timeout . . . 892
    ssl-enabled . . . 892
    ssl-keyfile . . . 893
    ssl-keyfile-dn . . . 893
    ssl-keyfile-pwd . . . 894
    ssl-port . . . 894
    timeout . . . 895
    user-and-group-in-same-suffix . . . 895

[local-response-macros] stanza . . . 897
    macro . . . 897

[local-response-redirect] stanza . . . 898
    local-response-redirect-uri . . . 898

[logging] stanza . . . 899
    absolute-uri-in-request-log . . . 899
    agents . . . 899
    agents-file . . . 899
    audit-mime-types . . . 900
    audit-response-codes . . . 900
    config-data-log . . . 901
    flush-time . . . 901
    gmt-time . . . 902
    host-header-in-request-log . . . 902
    log-invalid-requests . . . 903
    max-size . . . 903
    referers . . . 904
    referers-file . . . 904
    requests . . . 905
    requests-file . . . 905
    request-log-format . . . 905
    server-log . . . 907

[ltpa] stanza . . . 908
    ltpa-auth . . . 908
    keyfile . . . 908
    cookie-name . . . 908
    cookie-domain . . . 909
    update-cookie . . . 909

[ltpa-cache] stanza . . . 911
    ltpa-cache-enabled . . . 911
    ltpa-cache-entry-idle-timeout . . . 911
    ltpa-cache-entry-lifetime . . . 911
    ltpa-cache-size . . . 912

[mpa] stanza . . . 913
    mpa . . . 913

[p3p-header] stanza . . . 914
    access . . . 914
    categories . . . 914
    disputes . . . 916
    non-identifiable . . . 916
    p3p-element . . . 917
    purpose . . . 917
    recipient . . . 919
    remedies . . . 920
    retention . . . 920

[policy-director] stanza . . . 922
    config-file . . . 922

[preserve-cookie-names] stanza . . . 923
    name . . . 923

[process-root-filter] stanza . . . 924
    root . . . 924

[reauthentication] stanza . . . 925
    reauth-at-any-level . . . 925
    reauth-extend-lifetime . . . 925
    reauth-for-inactive . . . 926
    reauth-reset-lifetime . . . 926
    terminate-on-reauth-lockout . . . 926

[replica-sets] stanza . . . 928
    replica-set . . . 928

[script-filtering] stanza . . . 929
    hostname-junction-cookie . . . 929
    rewrite-absolute-with-absolute . . . 929
    script-filter . . . 929

[server] stanza . . . 931
    allow-shift-jis-chars . . . 931
    allow-unauth-ba-supply . . . 931
    auth-challenge-type . . . 932
    cache-host-header . . . 932
    capitalize-content-length . . . 933
    client-connect-timeout . . . 934
    chunk-responses . . . 934
    connection-request-limit . . . 934
    cope-with-pipelined-request . . . 935
    decode-query . . . 935
    double-byte-encoding . . . 936
    dynurl-allow-large-posts . . . 936
    dynurl-map . . . 937
    enable-IE6-2GB-downloads . . . 937
    filter-nonhtml-as-xhtml . . . 938
    force-tag-value-prefix . . . 938
    http . . . 939
    http-method-trace-enabled . . . 939
    http-method-trace-enabled-remote . . . 940
    http-port . . . 940
    https . . . 941
    https-port . . . 941
    ignore-missing-last-chunk . . . 941
    intra-connection-timeout . . . 942
    ip-support-level . . . 942
    ipv6-support . . . 943
    late-lockout-notification . . . 943
    max-client-read . . . 944
    max-file-cat-command-length . . . 945
    network-interface . . . 945
    persistent-con-timeout . . . 945
    pre-410-compatible-tokens . . . 946
    pre-510-compatible-token . . . 946
    preserve-base-href . . . 947
    preserve-base-href2 . . . 947
    preserve-p3p-policy . . . 948
    process-root-requests . . . 948
    redirect-using-relative . . . 949
    reject-invalid-host-header . . . 949
    reject-request-transfer-encodings . . . 950
    request-body-max-read . . . 950
    request-max-cache . . . 951
    server-name . . . 951
    server-root . . . 952
    slash-before-query-on-redirect . . . 952
    suppress-backend-server-identity . . . 953
    suppress-dynurl-parsing-of-posts . . . 953
    suppress-server-identity . . . 954
    tag-value-missing-attr-tag . . . 954
    unix-group . . . 955
    unix-pid-file . . . 955
    unix-user . . . 956
    use-http-only-cookies . . . 956
    utf8-form-support-enabled . . . 957
    utf8-qstring-support-enabled . . . 957
    utf8-url-support-enabled . . . 958
    validate-query-as-ga . . . 958
    web-host-name . . . 958
    web-http-port . . . 959
    web-http-protocol . . . 959
    worker-threads . . . 960

[session] stanza . . . 961
    dsess-enabled . . . 961
    dsess-last-access-update-interval . . . 961
    enforce-max-sessions-policy . . . 961
    inactive-timeout . . . 962
    logout-remove-cookie . . . 962
    max-entries . . . 963
    prompt-for-displacement . . . 964
    register-authentication-failures . . . 964
    require-mpa . . . 965
    resend-webseal-cookies . . . 965
    send-constant-sess . . . 965
    ssl-id-sessions . . . 966
    ssl-session-cookie-name . . . 966
    standard-junction-replica-set . . . 967
    tcp-session-cookie-name . . . 967
    timeout . . . 968
    update-session-cookie-in-login-request . . . 968
    user-session-ids . . . 969
    user-session-ids-include-replica-set . . . 969
    use-same-session . . . 970

[session-cookie-domains] stanza . . . 971
    domain . . . 971

[session-http-headers] stanza . . . 972
    header_name . . . 972

[spnego] stanza . . . 973
    spnego-auth . . . 973
    spnego-krb-keytab-file . . . 973
    spnego-krb-service-name . . . 973
    use-domain-qualified-name . . . 974

[ssl] stanza . . . 976
    base-crypto-library . . . 976
    crl-ldap-server . . . 976
    crl-ldap-server-port . . . 977
    crl-ldap-user . . . 977
    crl-ldap-user-password . . . 978
    disable-ncipher-bsafe . . . 978
    disable-rainbow-bsafe . . . 978
    disable-ssl-v2 . . . 979
    disable-ssl-v3 . . . 979
    disable-tls-v1 . . . 980
    fips-mode-processing . . . 980
    gsk-crl-cache-entry-lifetime . . . 981
    gsk-crl-cache-size . . . 981
    ocsp-enable . . . 982
    ocsp-max-response-size . . . 982
    ocsp-nonce-check-enable . . . 983
    ocsp-nonce-generation-enable . . . 983
    ocsp-proxy-server-name . . . 983
    ocsp-proxy-server-port . . . 984
    ocsp-url . . . 984
    pkcs11-driver-path . . . 985
    pkcs11-token-label . . . 985
    pkcs11-token-pwd . . . 986
    pkcs11-symmetric-cipher-support . . . 986
    ssl-keyfile . . . 986
    ssl-keyfile-label . . . 987
    ssl-keyfile-pwd . . . 987
    ssl-keyfile-stash . . . 988
    ssl-local-domain . . . 988
    ssl-max-entries . . . 989
    ssl-v2-timeout . . . 989
    ssl-v3-timeout . . . 990
    suppress-client-ssl-errors . . . 990
    undetermined-revocation-cert-action . . . 990
    webseal-cert-keyfile . . . 991
    webseal-cert-keyfile-label . . . 991
    webseal-cert-keyfile-pwd . . . 992
    webseal-cert-keyfile-stash . . . 992

[ssl-qop] stanza . . . 994
    ssl-qop-mgmt . . . 994

[ssl-qop-mgmt-default] stanza . . . 995
    default . . . 995

[ssl-qop-mgmt-hosts] stanza . . . 996
    host-ip . . . 996

[ssl-qop-mgmt-networks] stanza . . . 997
    network/netmask . . . 997

[step-up] stanza . . . 998
    retain-stepup-session . . . 998
    show-all-auth-prompts . . . 998
    verify-step-up-user . . . 998

[tfimsso:] stanza . . . 999
    always-send-tokens . . . 999
    applies-to . . . 1000
    one-time-token . . . 1000
    preserve-xml-token . . . 1000
    renewal-window . . . 1001
    service-name . . . 1001
    tfim-cluster-name . . . 1002
    token-collection-size . . . 1002
    token-type . . . 1003
    token-transmit-name . . . 1003
    token-transmit-type . . . 1004

[tfim-cluster:] stanza . . . 1005
    basic-auth-user . . . 1005
    basic-auth-passwd . . . 1005
    handle-idle-timeout . . . 1005
    handle-pool-size . . . 1006
    server . . . 1006
    ssl-fips-enabled . . . 1007
    ssl-keyfile . . . 1007
    ssl-keyfile-label . . . 1008
    ssl-keyfile-stash . . . 1008
    ssl-valid-server-dn . . . 1009
    timeout . . . 1009

[token] stanza . . . 1010
    token-auth . . . 1010

[uraf-registry] stanza . . . 1011
    bind-id . . . 1011
    cache-lifetime . . . 1011
    cache-mode . . . 1012
    cache-size . . . 1012
    uraf-registry-config . . . 1013

[webseal-config] stanza . . . 1015
    instance-name . . . 1015
    orig-version . . . 1015
    status . . . 1016
    tivoli_common_dir . . . 1016
    version . . . 1017

Appendix C. Command reference . . . 1019
    Reading syntax statements . . . 1020
    help . . . 1021
    server list . . . 1023
    server task add . . . 1024
    server task cache flush all . . . 1027
    server task cfgdb export . . . 1029
    server task cfgdb import . . . 1030
    server task create . . . 1032
    server task delete . . . 1040
    server task dynurl update . . . 1042
    server task file cat . . . 1044
    server task help . . . 1046
    server task jdb export . . . 1048
    server task jdb import . . . 1049
    server task jmt . . . 1050
    server task list . . . 1052
    server task offline . . . 1054
    server task online . . . 1056
    server task refresh all_sessions . . . 1058
    server task reload . . . 1060
    server task remove . . . 1062
    server task server restart . . . 1064
    server task show . . . 1065
    server task server sync . . . 1067
    server task terminate all_sessions . . . 1068
    server task terminate session . . . 1070
    server task throttle . . . 1072
    server task virtualhost add . . . 1074
    server task virtualhost create . . . 1077
    server task virtualhost delete . . . 1084
    server task virtualhost list . . . 1086
    server task virtualhost offline . . . 1088
    server task virtualhost online . . . 1091
    server task virtualhost remove . . . 1093
    server task virtualhost show . . . 1095
    server task virtualhost throttle . . . 1097

Appendix D. Support information . . . 1099
    Searching knowledge bases . . . 1099
        Searching information centers . . . 1099
        Searching the Internet . . . 1099
    Obtaining fixes . . . 1099
    Registering with IBM Software Support . . . 1100
    Receiving weekly software updates . . . 1100
    Contacting IBM Software Support . . . 1101
        Determining the business impact . . . 1101
        Describing problems and gathering information . . . 1102
        Submitting problems . . . 1102

Appendix E. Notices . . . 1105
    Trademarks . . . 1107

    Glossary . . . . . . . . . . . . . 1109

    Index . . . . . . . . . . . . . . 1119


About this publication

Welcome to the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

IBM Tivoli Access Manager WebSEAL is the resource manager for Web-based resources in a Tivoli Access Manager secure domain. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single signon solutions and incorporate back-end Web application server resources into its security policy.

This administration guide provides a comprehensive set of procedures and reference information for managing the resources of your secure Web domain. This guide also provides you with valuable background and concept information for the wide range of WebSEAL functionality.

IBM Tivoli Access Manager for e-business provides an access control management solution to centralize network and application security policy for e-business applications.

Intended audience

This guide is for system administrators responsible for configuring and maintaining a Tivoli Access Manager WebSEAL environment.

Readers should be familiar with the following:

- PC and UNIX or Linux operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- A supported user registry
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Publications

This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Access Manager for e-business library

The following documents are in the Tivoli Access Manager for e-business library:

- IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-9333
  Provides steps that summarize major installation and configuration tasks.

- IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501
  Provides information about installing and getting started, system requirements, and known installation and configuration problems.

Copyright IBM Corp. 2002, 2010 xix

- IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502
  Explains how to install and configure Tivoli Access Manager for e-business.

- IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503
  Upgrade from version 5.0, 6.0, or 6.1 to version 6.1.1.

- IBM Tivoli Access Manager for e-business: Administration Guide, SC23-6504
  Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.

- IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.

- IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506
  Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.

- IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507
  Provides procedures and reference information for securing your Web domain using a Web server plug-in.

- IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509
  Provides deployment considerations and operational instructions for the session management server.

- IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide, SC23-6510
  Provides information for enabling SSL communication in the Tivoli Access Manager environment.

- IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511
  Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.

- IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512
  Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.

- IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

- IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

- IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.

- IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.

- IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517
  Provides programming and reference information for developing authentication modules.

- IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157
  Provides explanations and recommended actions for the messages and return codes.

- IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC27-2717
  Provides problem determination information.

- IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.

Related products and publications

This section lists the IBM products that are related to and included with a Tivoli Access Manager solution.

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit), version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which creates key databases, public-private key pairs, and certificate requests. The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, version 6.1, is included on the IBM Tivoli Access Manager Directory Server set of CDs for the required operating system.

    You can find additional information about Tivoli Directory Server at:

    http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator, version 6.1.1, is included on the IBM Tivoli Directory Integrator CD for the required operating system.

    You can find additional information about IBM Tivoli Directory Integrator at:


http://www-306.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.1, is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2 is required when using Tivoli Directory Server or z/OS LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

    You can find additional information about DB2 at:

    http://www.ibm.com/software/data/db2

IBM WebSphere Application Server

WebSphere Application Server, version 6.1, is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the required operating system. WebSphere Application Server enables the support of the following applications:

- Web Portal Manager interface, which administers Tivoli Access Manager.
- Web Administration Tool, which administers Tivoli Directory Server.
- Common Auditing and Reporting Service,