IBM WebSeal实例配置文件webseald-实例名.conf

#
# FILENAME
# webseald.conf
#
# DESCRIPTION
# Configuration file for the Access Manager WebSEAL server (webseald)
#


[server]
###############################
# WEBSEAL GENERAL
###############################

#----------------------
# SYSTEM
#----------------------

# WebSEAL instance UNIX user account
unix-user = ivmgr

# WebSEAL instance UNIX group account
unix-group = ivmgr

# PID file
unix-pid-file = /var/pdweb/log/webseald-default.pid

# Root directory for the webserver
server-root = /opt/pdweb/www-default

# WebSEAL server instance name. Typically, this is based on the hostname of the
# machine and the instance name of the server.
server-name = webseal.ah.cmcc-default

# If web-host-name is set WebSEAL will use this for the server's hostname.  If
# left unset WebSEAL will attempt to automatically determine the server's
# hostname.  On systems with many hostnames, interfaces or WebSEAL instances
# the automatic determination may not always be correct requiring this manual
# setting.
# web-host-name = www.webseal.com

#----------------------
# THREADS AND CONNECTIONS
#----------------------

# Number of WebSEAL worker threads
# The number of configured worker threads specifies the number of
# concurrent incoming requests that can be serviced by this server
# instance. Choosing the optimal number depends on the quantity
# and type of traffic on your network. Modifying this value should
# be done carefully to ensure optimal performance. Please consult
# the WebSEAL Administration Guide for further information.
worker-threads = 50

# Initial client connection timeout (seconds)
client-connect-timeout = 120

# HTTP/1.1 persistent connection timeout (seconds)
# This only affects connections to clients, not backend systems.
persistent-con-timeout = 5

# Intra-request timeout (seconds)
# Timeout between data received or sent for a given request,
# but not the first read.  When this value is non-zero, it
# also enables timeouts on http writes to clients and causes
# a TCP RST packet to be sent if a connection timeout occurs
# on the non-first data I/O.  When this value is zero, the
# client-connect-timeout value (above) is used instead.
intra-connection-timeout = 60

# Allow WebSEAL to write chunked data to HTTP/1.1 clients.  This can
# improve performance by allowing connections to be reused even when
# exact response length is not known before the response is written.
chunk-responses = yes

#----------------------
# HTTPS CLIENT
#----------------------

# Allow HTTPS access
https = yes

# Port to use for HTTPS requests
https-port = 443

#----------------------
#  HTTP CLIENT
#----------------------

# Allow (unsecure) TCP HTTP access
# NOTE(review): with http = yes WebSEAL also accepts plaintext requests on
# http-port; anything a client sends over that listener (cookies, form
# posts) is exposed on the wire.  Confirm that HTTP requests are redirected
# to HTTPS (that setting is not in the stanzas shown here), or set http = no.
http = yes

# Port to use for unsecure HTTP requests
http-port = 80

#----------------------
# REQUEST BODIES AND CACHING
#----------------------

# This parameter specifies the maximum number of bytes that
# WebSEAL will read from a client when parsing an HTTP request.
# The total size of the URL and HTTP headers must be less than
# this value.  This parameter cannot be set lower than its
# default: 32768
max-client-read = 32768

# This parameter specifies the maximum number of bytes to
# read in as content from the body of requests for use in
# dynurl, authentication, and request caching.
#
# 1) This impacts dynurl because the query portion of a
#    POST request URI is contained in the request body.
#
# 2) This impacts forms authentication, because this limits
#    the size of the POST data that will be processed
#    when performing such authentication.  For this reason,
#    WebSEAL sets a hard minimum of 512 bytes on
#    request-body-max-read. If this value is set below
#    that minimum, the setting will be ignored and the
#    minimum will be used.
#
# 3) This affects the amount of data that WebSEAL will cache
#    for users who must authenticate before their request can be
#    fulfilled.  This affects all requests that have bodies
#    (POSTs, PUTs, etc.).
#
# This does not limit the max POST size (which is unlimited).
#
request-body-max-read = 4096

# When a user is prompted to authenticate before a request
# can be fulfilled, the data from that request is cached
# for processing after the completion of the authentication.
# The maximum amount of data cached per request is determined
# by request-max-cache.
# If you want to ensure that you will be caching all of
# request-body-max-read worth of the body of requests, you
# must account for the maximum size of all the other request
# components in this value.
# Example: If you want to cache 2048 bytes of request bodies
# and you anticipate that the maximum size of all request headers
# and cookies will be 4096 bytes, you would:
# 1)  set request-body-max-read = 2048
# 2)  set request-max-cache = 2048 + 4096 = 6144
request-max-cache = 8192

#----------------------
#  DYNURL
#----------------------

# Location of the URL -> protected object mapping file
# This path is relative to the server-root value in the [server] stanza
dynurl-map = lib/dynurl.conf

# Disallow/Allow POST requests larger than request-body-max-read.
# This parameter only takes effect if dynurl is enabled.
#
# WebSEAL is not able to compare the entire contents of a POST
# request to the URL mappings inside the dynurl.conf file if the body
# of the post is larger than request-body-max-read.
#
# If this option is set to "no", then WebSEAL will not
# allow POST requests with a body larger than request-body-max-read.
#
# If this option is set to "yes", then WebSEAL will compare only
# up to request-body-max-read bytes of a POST request to the URL mappings
# in the dynurl.conf file.
dynurl-allow-large-posts = no

# When reject-request-transfer-encodings is set to yes all requests
# to WebSEAL with a Transfer-Encoding value of anything other than
# identity will be rejected with a status of 501, Not Implemented.
# It is recommended for secure dynurl environments to set this to yes.
reject-request-transfer-encodings = yes

#----------------------
# URI AND POST BODY DECODING
#----------------------

# If decode-query is set to "yes", WebSEAL will validate the query string
# in requests according to the utf8-qstring-support-enabled parameter.
# Otherwise, WebSEAL will not validate the query string.  If decode-query
# is set to "no" then dynurl must be disabled.
decode-query = yes

# Different portions of HTTP requests may be interpreted as either UTF-8 or
# local code page according to the configuration items in this section.  The
# options for each portion of the request are either to ensure that the data
# is UTF-8, ensure that the data is local codepage, or to accept either.
#
# If an option in this section is "yes", WebSEAL will ensure that the data
# in that portion of the request is UTF-8.
#
# If an option in this section is "no", WebSEAL will ensure that the data
# in that portion of the request is local codepage.
#
# If an option in this section is "auto", WebSEAL will first attempt to
# validate the data as UTF-8.  If the data is not UTF-8, then WebSEAL will
# ensure the data is local codepage.

# utf8-url-support-enabled controls how the location portion of the URI
# (the portion before any question mark character) is interpreted.
utf8-url-support-enabled = yes

# utf8-qstring-support-enabled controls how the query portion of the URI
# (the portion after the question mark character) is interpreted.  This also
# applies to the POST bodies of requests to junctions when dynurl is enabled.
utf8-qstring-support-enabled = no

# utf8-form-support-enabled option controls how form logins, password change
# requests, and other WebSEAL specific forms are parsed.
utf8-form-support-enabled = yes

# When double-byte-encoding is set to 'yes' WebSEAL will assume that URLs
# which contain encoding characters are always encoded in unicode, and will
# not contain UTF-8 encoded characters.
double-byte-encoding = no

#----------------------
# SUPPRESSING SERVER IDENTITY
#----------------------

# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
suppress-server-identity = yes

# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
suppress-backend-server-identity = yes

#----------------------
# AUTH TOKEN VERSION
#----------------------

# [e-community-sso], [failover], [cdsso] all use a common method
# for generating tokens.  Version 4.1.0 has increased the security
# of these.  However, it is not backward compatible.  If you are
# integrating with earlier web servers you will need to enable this.
pre-410-compatible-tokens = no

# Version 5.1.0 tokens are formatted differently than tokens in prior releases.
# If you are integrating with earlier web servers you will need to enable this
# to ensure the integrity of data across [e-community-sso], [failover], and
# [cdsso].
pre-510-compatible-tokens = no

#----------------------
# P3P Compact Policy header
#----------------------
# If 'preserve-p3p-policy' is set to 'no' (default), then any P3P headers from
# junctioned servers will be replaced.
#
# If 'preserve-p3p-policy' is set to 'yes', then any P3P headers from junctioned
# servers will be preserved.
preserve-p3p-policy = no

#----------------------
# Network Interface
#----------------------
# Specify an alternative I.P. address to be used by this instance of WebSEAL.
# This allows two or more WebSEAL instances to run on the same machine
# while using differing I.P. addresses and host names.
#
# network-interface = 0.0.0.0

#----------------------
# Filtering
#----------------------
# If preserve-base-href is no, then WebSEAL will remove all BASE HREF tags
# from filtered HTML documents and prepend the base tag to filtered links.
# Otherwise, the BASE HREF tag will be filtered.
preserve-base-href = yes

# To enable tag-based filtering of static URLs for new MIME types added
# to the [filter-content-types] stanza, change filter-nonhtml-as-xhtml to
# yes. Tag-based URL filtering operates without configuration changes
# for the text/html and text/vnd.wap.wml MIME types.
filter-nonhtml-as-xhtml = no

#---------------------
# TRACE method
#---------------------
# WebSEAL blocks the TRACE method by default for all requests
# to prevent a well-publicized security exploit.
#
# To enable TRACE method requests for local resources set
# http-method-trace-enabled = yes
#
# To enable TRACE method requests for junctioned resources set
# http-method-trace-enabled-remote = yes

#---------------------
# Processing root junction requests
#---------------------
# Specify whether WebSEAL will attempt to process requests for resources
# located at the root ('/') junction before attempting to identify a
# junction point to send the request via junction mapping mechanisms
# such as the JMT or IV_JCT cookie.
#
# Avoiding root junction processing prevents processing being performed
# for incorrect resources before the intended resource is identified.
# This will have performance benefits and prevent false authorization or
# filetype check failures.
#
# Valid choices are:
#  never  - Root junction requests are never processed at the root junction.
#           That is, if a junction mapping mechanism is configured, such as
#           the JMT or IV_JCT cookie, WebSEAL will look for this junction
#           mapping information first (and look at the root junction last)
#           and process the request at the mapped junction point.
#
#  always - Always attempt to process requests for the root junction at the
#           root junction first before looking for a configured junction
#           mapping mechanism, such as the JMT or IV_JCT cookie.
#           This is not recommended unless the root junction serves a large
#           set of resources or no junction mapping mechanisms are configured
#           for the set of junctions served by this WebSEAL server.
#
#  filter - All root junction requests will be examined to determine whether
#           they start with the patterns specified in the process-root-filter
#           stanza.
#           If yes, the request will be processed at the root junction first.
#           If no, the request will be remapped immediately.
#
# With "never" selected here, the [process-root-filter] stanza is not consulted.
process-root-requests = never

#---------------------
# IPv6 support
#---------------------
#
# Specify whether WebSEAL will support IPv6.
#
# Upon a new installation, WebSEAL supports IPv6 by default.  However, if
# WebSEAL is upgraded from a release previous to 6.0, then the upgrade
# process will change this value to 'no'.  This is to ensure backwards
# compatibility.
#
# Valid choices are:
#  yes - Support IPv6 and IPv4 networks (default setting).
#
#  no  - Only support IPv4 networks.
#
ipv6-support = yes

# ip-support-level determines the network attributes placed in credentials.
# WebSEAL version 6.0 introduces new improved attributes which displace
# the older attribute.  The new attributes are required when IPv6 support
# (ipv6-support) is enabled.  This entry can be set to one of displaced-only,
# generic-only, or displaced-and-generic.
#
# displaced-only:
# The default for migrated installations.  WebSEAL will only generate the
# displaced IPv4 attributes when building credentials and when authenticating
# users through CDAS modules.
#
# generic-only:
# The default for new installations.  WebSEAL will only generate the new generic
# (supports both IPv4 and IPv6) attributes when building credentials and when
# authenticating users through CDAS modules.
#
# displaced-and-generic:
# Both sets of attributes (displaced and generic) are created.
#
ip-support-level = generic-only

#---------------------
# max-login-failures policy compatibility
#---------------------
#
# When late-lockout-notification = no, WebSEAL will notify clients that their
# account has been locked out immediately.
# When late-lockout-notification = yes WebSEAL will operate in a pre-v6.0
# compatible mode for user registry max-login-failures policy behavior,
# and not notify users until their next request.
# The default for new installations is disabled (no).  The default for migrated
# installations is enabled (yes).
late-lockout-notification = no


[process-root-filter]
# This stanza is only used if process-root-requests = filter
# Request URLs starting with the following patterns will be processed at the
# root junction before attempting to remap the requests to a new junction point.
# Format is
#       root = <pattern>
# where <pattern> is a standard WebSEAL wildcard pattern.
#
# Because [server] above sets process-root-requests = never, these patterns
# are currently not consulted.
#
# 'root' is intentionally repeated, one line per pattern (a multi-valued key).
# A generic INI reader with last-wins semantics would keep only the final
# pattern; WebSEAL's own parser is assumed to collect all of them.
root = /index.html
root = /cgi-bin*


[interfaces]
###############################
# WEBSEAL INTERFACES
###############################
# The values from:
#   [server]
#     network-interface
#     http
#     http-port,
#     https,
#     https-port,
#     worker-threads
#   [ssl]
#     webseal-cert-keyfile-label
#   [certificate]
#     accept-client-certs
# are used to create the "default" interface.
#
# This stanza allows additional interfaces to be configured.
#
# The format of each interfaces entry is:
#
# <interfaceName> = <interfaceOptions>
# <interfacesOptions> = <Option>=<Value>[;<Option>=<Value>[;...]]
#
# Leading and Trailing Spaces surrounding <Option>, <Value> are ignored.
# If leading or trailing spaces are required then the <Value> may be placed
# in double quotes (").
# If a double quote ("), semicolon (;), or backslash (\) character is required
# in the <Value> then this character must be prefixed by a backslash (\).
#
# <Option>=<Value> can be selected from:
# network-interface=<ipAddress>
# http-port=<port> | "disabled"
# https-port=<port> | "disabled"
# certificate-label=<keyFileLabel>
# accept-client-certs="never" | "required" | "optional" |
#                           "prompt_as_needed"
# worker-threads=<count> | "default"
#
# Defaults for <interfaceOptions> if they are not present:
# network-interface 0.0.0.0
# worker-threads  "default"
# http-port  "disabled"
# https-port  "disabled"
# certificate-label Uses key marked as default in key file.
# accept-client-certs "never"
#
# The following example configures an interface that only listens for http
# requests on address 10.0.0.1 port 81 (the https-port defaulted to "disabled").
#
# interface1 = network-interface=10.0.0.1; http-port=81
#
# NOTE(review): the three interfaces below set only http-port, so by the
# defaults listed above each one is a plaintext HTTP listener on 0.0.0.0 with
# https-port disabled and no client-certificate handling.  Anything sent to
# ports 10000, 11900 and 11906 travels unencrypted; confirm that is intended
# (e.g. they are reachable only from a trusted network) or add https-port.
interface10000 = http-port=10000
interface11900 = http-port=11900
interface11906 = http-port=11906

[header-names]
###############################
# HTTP Header Names
###############################

# server-name - This header can be used to pass the azn-api administration
# server name used with the "server task" command to junctioned applications.
# Leave this entry blank to disable the header.
# The value is the header *name* WebSEAL sends to junctioned applications, not
# the server name itself; the header discloses this instance's administration
# server name to every backend, so keep it enabled only if a backend uses it.
server-name = iv_server_name

[ldap]
###############################
# LDAP
###############################
# ldap-server-config      - Indicates the location of the ldap.conf file
#                           (set by configuration)
# prefer-readwrite-server - yes|no Indicates whether to select writable
#                           LDAP server when available
# auth-using-compare      - yes|no Indicates whether to perform
#                           authentication using LDAP bind or comparing password
# bind-dn                 - Indicates the Distinguished Name of the daemon
#                           (set by configuration)
# ssl-enabled             - yes|no Indicates whether SSL is enabled (set
#                           by configuration)
# ssl-keyfile             - Indicates path/filename of SSL keyfile (set by
#                           configuration)
# ssl-keyfile-dn          - Indicates the certificate label in the SSL
#                           keyfile, if any (set by configuration)
# default-policy-override-support
#                         - yes|no When "yes", no user Policy will
#                           be checked, only the default Policy is checked
#                           (saves some LDAP searches)
# user-and-group-in-same-suffix
#                         - yes|no When "yes", indicates that the groups are
#                           defined in the same LDAP suffix as the user
#                           (saves some LDAP searches)
# login-failures-persistent
#                         - yes|no When "yes", login strikes will be tracked
#                           in the registry instead of only in the local
#                           process cache.  Persistent login strike recording
#                           is more expensive but allows consistent login
#                           strike counting across multiple servers.
# cache-enabled           - yes|no Indicates whether to enable the local
#                           LDAP cache
#
# cache-enabled related configuration settings:
#
# cache-user-size         - (optional) The number of entries in the LDAP user
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 256.
# cache-group-size        - (optional) The number of entries in the LDAP group
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 64.
# cache-policy-size       - (optional) The number of entries in the LDAP policy
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 20.
# cache-user-expire-time  - (optional) The amount of time (in seconds) until a
#                           user entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 30 seconds.
# cache-group-expire-time - (optional) The amount of time (in seconds) until a
#                           group entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 300 seconds (5 minutes).
# cache-policy-expire-time
#                         - (optional) The amount of time (in seconds) until a
#                           policy entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 30 seconds.
# cache-group-membership  - (optional) Indicates whether group membership
#                           information should be cached.  Ignored if the cache
#                           is not enabled.  If not set, the default is yes.
# cache-use-user-cache    - (optional) Indicates whether to use the user cache
#                           information or not.  Ignored if the cache is not
#                           enabled.  If not set, the default is yes.


ldap-server-config = /opt/PolicyDirector/etc/ldap.conf
prefer-readwrite-server = no
auth-using-compare = yes
# NOTE(review): ssl-enabled = no means every LDAP exchange with the server
# configured below - the daemon bind and the password compares used for user
# authentication (auth-using-compare = yes) - crosses the network unencrypted.
# Enabling SSL requires real values for the two placeholder keys that follow.
ssl-enabled = no
# <ldap-ssl-keyfile> / <ldap-ssl-keyfile-dn> are unresolved template
# placeholders; they are unused while ssl-enabled = no.
ssl-keyfile = <ldap-ssl-keyfile>
ssl-keyfile-dn = <ldap-ssl-keyfile-dn>
#default-policy-override-support = no
#user-and-group-in-same-suffix = yes
#login-failures-persistent = no

cache-enabled = yes
# The DN value itself contains '=' characters; this relies on the parser
# splitting each line only at the first '='.
bind-dn = cn=default-webseald/webseal.ah.cmcc,cn=SecurityDaemons,secAuthority=Default
# enabled, host and port are not described in the key list above.  host/port
# presumably identify the LDAP server (10389 is not the standard LDAP port);
# what "enabled" controls is not evident from this file - confirm against the
# WebSEAL Administration Guide.
enabled = yes
host = emis01.ah.cmcc
port = 10389

#cache-user-size = 256
#cache-group-size = 64
#cache-policy-size = 20
#cache-user-expire-time = 30
#cache-group-expire-time = 300
#cache-policy-expire-time = 30
#cache-group-membership = yes
#cache-use-user-cache = yes


[uraf-registry]
###############################
# DOMINO OR ACTIVE DIRECTORY
###############################

# Settings for a Domino or Active Directory user registry.  The config path
# and bind identity are left empty here, presumably because this instance
# authenticates against the [ldap] stanza instead - confirm before relying on
# this stanza.
uraf-registry-config =
bind-id =
cache-mode = enabled
cache-size = 251
# Single value made of <type>:<value> pairs separated by ';' (trailing ';'
# included).  The numbers are presumably lifetimes in seconds, by analogy with
# the cache-*-expire-time keys in [ldap] - verify.  A generic INI reader that
# treats ';' as an inline comment marker would truncate this value.
cache-lifetime = user:30;group:300;resgroup:3600;resource:3600;rescreds:300;

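[ssl]
###############################
# SSL
###############################

# This section contains entries that affect the behavior of the SSL
# components of WebSEAL.  These will affect both clients connecting
# via SSL as well as SSL junctions to backend systems.

# The first four parameters (webseal-cert-*) relate to the certificate
# keystore WebSEAL keeps for exchanging with browsers when negotiating
# SSL sessions.

# WebSEAL certificate keyfile
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb

# Password used to protect private keys in the keyfile.  The password
# can be stored in plain text or encrypted in a "stashfile".
# The stashfile is recommended, as it is more secure.
# If both password and stashfile are specified, the password will be used.
# Keep the -pwd entry commented out: a plaintext value here is readable by
# anyone who can read this file.
# webseal-cert-keyfile-pwd = <password>
webseal-cert-keyfile-stash = /var/pdweb/www-default/certs/pdsrv.sth

# Label of key to use other than the default.  When creating an SSL junction
# the certificate label must be given explicitly (-K).
# NOTE(review): the label "WebSEAL-Test-Only" reads like a test certificate,
# while server-name in [server] names what looks like a production host.
# Confirm which key this label selects before exposing the instance.
webseal-cert-keyfile-label = WebSEAL-Test-Only

# The next four parameters (ssl-keyfile-*) relate to the keystore WebSEAL
# uses for communicating with other Access Manager servers via SSL.  These
# parameters typically do not need to be modified other than by the
# configuration scripts.
ssl-keyfile = /var/pdweb/keytab-default/default-webseald.kdb

# Password used to protect private keys in the keyfile.  The password
# can be stored in plain text or encrypted in a "stashfile".
# The stashfile is recommended, as it is more secure.
# If both password and stashfile are specified, the password will be used.
#ssl-keyfile-pwd = <password>
ssl-keyfile-stash = /var/pdweb/keytab-default/default-webseald.sth

# Label of key to use other than the default
# ssl-keyfile-label =
ssl-keyfile-label = PD Server

# Selectively disable SSL version support for browser connections.
# SSLv2 and SSLv3 are disabled (both were previously "no" in this file):
# the protocols are cryptographically broken and no current browser
# requires them, so leaving them enabled only widens the attack surface of
# the HTTPS listener.
disable-ssl-v2 = yes
disable-ssl-v3 = yes
# disable-tls-v1 is left with the empty value it had; the other keys here take
# yes/no, so confirm how WebSEAL interprets an empty value and set it
# explicitly (ideally to yes once no client still depends on TLS 1.0).
disable-tls-v1 =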
