Why and when to perform this task
These steps are required to use either the WebSEAL trust association interceptor or your own trust association interceptor with a reverse proxy security server.
Steps for this task
Note: When you set this property to true, the login ID and header password combination is not verified. It is recommended that you use some form of transport level filtering so that the connections to WebSphere Application Server are Secure Sockets Layer (SSL) connections originating from WebSEAL only.
Default: False
Range: True or false
Data type: String
Data type: Comma-separated list of strings
Use this property to list any hosts that are trusted. WebSphere Application Server depends upon the value of the com.ibm.websphere.security.webseal.viaDepth and the com.ibm.websphere.security.webseal.ignoreProxy properties to determine whether to trust requests that arrive from hosts listed in this property. If a host is not listed in this property, then WebSphere Application Server might not trust requests arriving from that host. The host names are case-sensitive. This request header also includes the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.
Data type: Comma-separated list of strings
Use this property to list the port numbers of any hosts that are trusted. WebSphere Application Server depends upon the value of the com.ibm.websphere.security.webseal.viaDepth and the com.ibm.websphere.security.webseal.ignoreProxy properties to determine whether to trust requests that arrive from ports listed in this property. If a port is not listed in this property, then WebSphere Application Server might not trust any requests arriving from that port. This request header also includes the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy property is set to true.
Data type: Comma-separated list of integers
Use this property to configure the trust association interceptor to check only a specified number of source hosts in the VIA header to ensure that those hosts are trusted sources. By default, every host in the VIA header is checked for trust, and if any of the hosts are not trusted, then trust is not established. If not every host in the VIA header is required to be trusted, then you can set the com.ibm.websphere.security.webseal.viaDepth property to indicate the number of hosts that are required to be trusted.
For example:
Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
If the com.ibm.websphere.security.webseal.viaDepth property is not set, is set to 2, or is set to 0, and a request with the above VIA header is received, then both webseal1:7002 and webseal2:7001 need to be trusted.
If the via depth property is set to 1 and the above request is received, then only the last host in the VIA header needs to be trusted.
If the via depth property is set to 0, then all of the hosts in the VIA header are checked for trust.
If the via depth property is set to a negative value and the check VIA header property is set to true, then the trust association interceptor initialization fails.
Default: 1
Use this property to configure the trust association interceptor so that any hosts in the VIA header that are proxies do not need to be trusted hosts. This property works by checking the comments field of the hosts entry in the VIA header to see if that host is a proxy. This process is not a fail-safe method because not all of the proxies insert comments in the VIA header to indicate that they are proxies.
If this optional property is set to true or yes, it ignores the proxy host names and ports in the VIA header. By default, this property is set to false.
Default: False
Data type: String
Range: True, false, yes, no
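The trust decision described above for the viaDepth and ignoreProxy properties can be modeled as follows. This is an added example, not IBM code or the interceptor's implementation; the names parse_via and via_trusted are hypothetical. Assumptions: a host is trusted only when its name is in the trusted host list and its port is in the trusted port list, a proxy is recognized by the word "proxy" in its comment field, and the depth is applied before proxies are skipped.

```python
import re

# One Via entry: [protocol-name/]version, host[:port], optional (comment).
ENTRY = re.compile(
    r"(?:[^\s/,]+/)?[^\s/,]+\s+([^\s,:()]+)(?::(\d+))?(?:\s*\(([^()]*)\))?")


def parse_via(header):
    """Return [(host, port or None, comment)] in the order hops were added."""
    return [(h, int(p) if p else None, c) for h, p, c in ENTRY.findall(header)]


def via_trusted(header, hostnames, ports, via_depth=0, ignore_proxy=False):
    """Model of the check: True only if every examined hop is trusted."""
    if via_depth < 0:
        raise ValueError("negative viaDepth: interceptor initialization fails")
    hops = parse_via(header)
    if not hops:
        return False  # assumption: an empty or unparsable header is not trusted
    if via_depth > 0:
        hops = hops[-via_depth:]  # only the last via_depth hosts are checked
    for host, port, comment in hops:
        # Assumption: a proxy announces itself with "proxy" in its comment.
        if ignore_proxy and "proxy" in comment.lower():
            continue
        # Host names are compared case-sensitively, as the page states.
        if host not in hostnames or port not in ports:
            return False
    return True


# Sample headers: the first is the page's example, the others are constructed.
VIA = "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"
VIA_LABELLED_PROXY = "1.1 cache1:8080 (proxy), 1.1 webseal2:7001"
VIA_SILENT_PROXY = "1.1 cache1:8080, 1.1 webseal2:7001"

if __name__ == "__main__":
    ws2 = ({"webseal2"}, {7001})
    print(via_trusted(VIA, {"webseal1", "webseal2"}, {7001, 7002}))
    print(via_trusted(VIA, *ws2), via_trusted(VIA, *ws2, via_depth=1))
    print(via_trusted(VIA_LABELLED_PROXY, *ws2, ignore_proxy=True))
    # A proxy that adds no comment is not skipped and must itself be trusted.
    print(via_trusted(VIA_SILENT_PROXY, *ws2, ignore_proxy=True))
```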
Results
Enables trust association.
Example
What to do next