| Property | Description |
|---|---|
| com.ibm.websphere.security.webseal.checkViaHeader | You can configure the TAI so that the Via header is ignored when validating trust for a request. Set this property to false if none of the hosts in the Via header need to be trusted. When it is set to false, you do not need to set the trusted host names and host ports properties; the only mandatory property when checkViaHeader is false is com.ibm.websphere.security.webseal.loginId. The default value of the checkViaHeader property is false. When using Tivoli® Access Manager plug-in for Web servers, set this property to false. Note: The Via header is a standard HTTP header that records the names of the servers that the request passed through. |
| com.ibm.websphere.security.webseal.loginId | The WebSEAL trusted user, as created in "Creating a trusted user account in Tivoli Access Manager". The format of the user name is the short name representation. This property is mandatory. If it is not set in WebSphere Application Server, the TAI initialization fails. |
| com.ibm.websphere.security.webseal.id | A comma-separated list of headers that must exist in the request. Trust cannot be established unless all of the configured headers exist in the request. The default value for the id property is iv-creds. Any other values set in WebSphere Application Server are added to the list along with iv-creds, separated by commas. |
| com.ibm.websphere.security.webseal.hostnames | Do not set this property if using Tivoli Access Manager plug-in for Web servers. The property specifies the host names (case sensitive) that are trusted and expected in the request header. Requests arriving from unlisted hosts might not be trusted. If the checkViaHeader property is not set, or is set to false, the trusted host names property has no influence. If the checkViaHeader property is set to true and the trusted host names property is not set, TAI initialization fails. |
| com.ibm.websphere.security.webseal.ports | Do not set this property if using Tivoli Access Manager plug-in for Web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set, or is set to false, this property has no influence. If the checkViaHeader property is set to true and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization fails. |
| com.ibm.websphere.security.webseal.viaDepth | A positive integer that specifies the number of source hosts in the Via header to check for trust. By default, every host in the Via header is checked, and if any host is not trusted, trust cannot be established. Use the viaDepth property when only some of the hosts in the Via header have to be trusted; the setting indicates the number of hosts, counted from the end of the header, that are required to be trusted. As an example, consider the header "Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001". If the viaDepth property is not set, is set to 2, or is set to 0, and a request with this Via header is received, both webseal1:7002 and webseal2:7001 need to be trusted, so the following configuration applies: com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2 and com.ibm.websphere.security.webseal.ports = 7002,7001. If the viaDepth property is set to 1 and the same request is received, only the last host in the Via header needs to be trusted, so the following configuration applies: com.ibm.websphere.security.webseal.hostnames = webseal2 and com.ibm.websphere.security.webseal.ports = 7001. The viaDepth property is set to 0 by default, which means all of the hosts in the Via header are checked for trust. |
| com.ibm.websphere.security.webseal.ssoPwdExpiry | After trust is established for a request, the single sign-on user password is cached, eliminating the need for the TAI to re-authenticate the single sign-on user with Tivoli Access Manager for every request. You can modify the cache timeout period by setting the single sign-on password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. The default value for the password expiry property is 600. |
| com.ibm.websphere.security.webseal.ignoreProxy | This property can be used to tell the TAI to ignore proxies as trusted hosts. If set to true, the comments field of each host entry in the Via header is checked to determine whether the host is a proxy. Remember that not all proxies insert comments in the Via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false, the ignoreProxy property has no influence in establishing trust. |
| com.ibm.websphere.security.webseal.configURL | Set this property to profile_root/etc/pd/PolicyDirector/PDPerm.properties. For the TAI to establish trust for a request, a PDPerm.properties file must exist on each node within the cell, and the correct URL of the properties file must be set in the configURL property. If this property is not set, or the PDPerm.properties file is not in the specified location, the TAI initialization fails. The PDPerm.properties file is part of the Tivoli Access Manager configuration for a node. To create the Tivoli Access Manager configuration, run the pdjrtecfg script and then the svrsslcfg script for each node in the cell. The PDPerm.properties file is created in the profile_root/etc/pd/PolicyDirector/ directory. |
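The checkViaHeader, id, hostnames, ports, viaDepth and ignoreProxy rows above interact: which hops of the Via header are compared against the trusted lists depends on viaDepth, proxy hops may be skipped, and the id headers must be present before any of that matters. The following Python model is an added illustration of those rules as the table states them; it is not WebSphere's or Tivoli's code. It assumes the property-file syntax shown in the viaDepth row ("key = value" lines), treats a Via hop as a proxy when its comment contains the word "proxy" (the table does not say how the TAI decides this), and uses a constructed loginId value and constructed request headers.

```python
"""Model of the WebSEAL TAI trust decision described in the property table.

Added illustration only, not WebSphere's or Tivoli's implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREFIX = "com.ibm.websphere.security.webseal."

# One Via hop: "[protocol/]version host[:port] [(comment)]"
_HOP_RE = re.compile(
    r"^(?:[A-Za-z]+/)?[\d.]+\s+(?P<host>[^\s:(]+)(?::(?P<port>\d+))?"
    r"\s*(?:\((?P<comment>[^)]*)\))?$"
)


@dataclass(frozen=True)
class ViaHop:
    host: str
    port: Optional[str]
    comment: Optional[str]


def parse_via(header: str) -> List[ViaHop]:
    """Split a Via header into hops, oldest first (as in the table's example)."""
    hops = []
    for raw in header.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _HOP_RE.match(raw)
        if m is None:
            raise ValueError(f"malformed Via hop: {raw!r}")
        hops.append(ViaHop(m["host"], m["port"], m["comment"]))
    return hops


@dataclass
class TaiConfig:
    login_id: str
    id_headers: Tuple[str, ...] = ("iv-creds",)
    check_via_header: bool = False
    hostnames: Tuple[str, ...] = ()
    ports: Tuple[str, ...] = ()
    via_depth: int = 0
    ignore_proxy: bool = False


def load_config(text: str) -> TaiConfig:
    """Parse 'key = value' lines and reproduce the initialization failures the
    table describes: loginId missing, or checkViaHeader=true without
    hostnames/ports."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()

    def csv(name: str) -> Tuple[str, ...]:
        raw = props.get(PREFIX + name, "")
        return tuple(v.strip() for v in raw.split(",") if v.strip())

    login_id = props.get(PREFIX + "loginId", "")
    if not login_id:
        raise ValueError("TAI initialization failed: loginId is mandatory")
    check_via = props.get(PREFIX + "checkViaHeader", "false").lower() == "true"
    hostnames, ports = csv("hostnames"), csv("ports")
    if check_via and (not hostnames or not ports):
        raise ValueError("TAI initialization failed: checkViaHeader=true "
                         "requires hostnames and ports")
    extra_ids = tuple(h for h in csv("id") if h != "iv-creds")
    return TaiConfig(login_id, ("iv-creds",) + extra_ids, check_via, hostnames,
                     ports, int(props.get(PREFIX + "viaDepth", "0")),
                     props.get(PREFIX + "ignoreProxy", "false").lower() == "true")


def establish_trust(cfg: TaiConfig, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (trusted, reason); `headers` maps lower-cased names to values."""
    missing = [h for h in cfg.id_headers if h.lower() not in headers]
    if missing:
        return False, f"required header(s) missing: {missing}"
    if not cfg.check_via_header:
        return True, "Via header not checked (checkViaHeader=false)"
    via = headers.get("via")
    if via is None:
        return False, "checkViaHeader=true but the request has no Via header"
    hops = parse_via(via)
    if cfg.ignore_proxy:
        # Assumption: a hop whose comment mentions "proxy" is a proxy. The
        # table warns that not every proxy annotates itself this way.
        hops = [h for h in hops if not (h.comment and "proxy" in h.comment.lower())]
    # viaDepth 0 (the default) checks every hop; otherwise only the last N.
    checked = hops if cfg.via_depth <= 0 else hops[-cfg.via_depth:]
    for hop in checked:
        if hop.host not in cfg.hostnames:  # case-sensitive, per the table
            return False, f"untrusted host in Via header: {hop.host}"
        if hop.port not in cfg.ports:
            return False, f"untrusted port in Via header: {hop.host}:{hop.port}"
    return True, f"{len(checked)} Via hop(s) trusted"


# Constructed samples: the Via header and both configurations from the
# viaDepth row, with a placeholder loginId.
SAMPLE_VIA = "HTTP/1.1 webseal1:7002, 1.1 webseal2:7001"
CONFIG_ALL_HOPS = f"""
{PREFIX}loginId = tai_placeholder_user
{PREFIX}checkViaHeader = true
{PREFIX}hostnames = webseal1,webseal2
{PREFIX}ports = 7002,7001
"""
CONFIG_LAST_HOP = f"""
{PREFIX}loginId = tai_placeholder_user
{PREFIX}checkViaHeader = true
{PREFIX}viaDepth = 1
{PREFIX}hostnames = webseal2
{PREFIX}ports = 7001
"""

if __name__ == "__main__":
    request = {"iv-creds": "<constructed>", "via": SAMPLE_VIA}
    for text in (CONFIG_ALL_HOPS, CONFIG_LAST_HOP):
        print(establish_trust(load_config(text), request))
```

Running the block prints a trusted verdict for both configurations, because the second one only inspects the last hop. Removing viaDepth from CONFIG_LAST_HOP makes the same request untrusted, since webseal1 is then checked against a list that does not contain it; that is the difference the viaDepth row is describing.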