| Property | Description |
|---|---|
| `com.ibm.websphere.security.webseal.checkViaHeader` | You can configure the TAI so that the via header is ignored when validating trust for a request. Set this property to false if none of the hosts in the via header need to be trusted. When it is set to false, you do not need to set the trusted host names and host ports properties; the only mandatory property when the via header is not checked is com.ibm.websphere.security.webseal.loginId. The default value of the check via header property is false. When using the Tivoli Access Manager plug-in for Web servers, set this property to false. Note: The via header is a standard HTTP header that records the server names that the request passed through. |
| `com.ibm.websphere.security.webseal.loginId` | The WebSEAL trusted user, as created in *Creating a trusted user account in Tivoli Access Manager*. The format of the user name is the short name representation. This property is mandatory. If it is not set in WebSphere Application Server, the TAI initialization fails. |
| `com.ibm.websphere.security.webseal.id` | A comma-separated list of headers that must exist in the request. If the configured headers do not all exist in the request, trust cannot be established. The default value for the ID property is iv-creds. Any other values set in WebSphere Application Server are added to the list along with iv-creds, separated by commas. |
| `com.ibm.websphere.security.webseal.hostnames` | Do not set this property if using the Tivoli Access Manager Plug-in for Web Servers. The property specifies the host names (case sensitive) that are trusted and expected in the request header. Requests arriving from unlisted hosts might not be trusted. If the checkViaHeader property is not set, or is set to false, the trusted host names property has no influence. If the checkViaHeader property is set to true and the trusted host names property is not set, the TAI initialization fails. |
| `com.ibm.websphere.security.webseal.ports` | Do not set this property if using the Tivoli Access Manager plug-in for Web servers. This property is a comma-separated list of trusted host ports. Requests that arrive from unlisted ports might not be trusted. If the checkViaHeader property is not set, or is set to false, this property has no influence. If the checkViaHeader property is set to true and the trusted host ports property is not set in WebSphere Application Server, the TAI initialization fails. |
| `com.ibm.websphere.security.webseal.viaDepth` | A positive integer that specifies the number of source hosts in the via header to check for trust. By default, every host in the via header is checked, and if any host is not trusted, trust cannot be established. The via depth property is used when only some of the hosts in the via header have to be trusted; the setting indicates the number of hosts, counted from the end of the header, that are required to be trusted. As an example, consider the header `Via: HTTP/1.1 webseal1:7002, 1.1 webseal2:7001`. If the viaDepth property is not set, is set to 2, or is set to 0, and a request with this via header is received, both webseal1:7002 and webseal2:7001 need to be trusted, so the following configuration applies: `com.ibm.websphere.security.webseal.hostnames = webseal1,webseal2` and `com.ibm.websphere.security.webseal.ports = 7002,7001`. If the via depth property is set to 1 and the same request is received, only the last host in the via header needs to be trusted, and the following configuration applies: `com.ibm.websphere.security.webseal.hostnames = webseal2` and `com.ibm.websphere.security.webseal.ports = 7001`. The viaDepth property is set to 0 by default, which means that all of the hosts in the via header are checked for trust. |
| `com.ibm.websphere.security.webseal.ssoPwdExpiry` | After trust is established for a request, the single sign-on user password is cached, eliminating the need for the TAI to re-authenticate the single sign-on user with Tivoli Access Manager for every request. You can modify the cache timeout period by setting the single sign-on password expiry property to the required time in seconds. If the password expiry property is set to 0, the cached password never expires. The default value for the password expiry property is 600. |
| `com.ibm.websphere.security.webseal.ignoreProxy` | This property can be used to tell the TAI to ignore proxies as trusted hosts. If set to true, the comments field of each host entry in the via header is checked to determine whether that host is a proxy. Remember that not all proxies insert comments in the via header indicating that they are proxies. The default value of the ignoreProxy property is false. If the checkViaHeader property is set to false, the ignoreProxy property has no influence in establishing trust. |
| `com.ibm.websphere.security.webseal.configURL` | Set this property to `${USER_INSTALL_ROOT}/etc/pd/PolicyDirector/PDPerm.properties`. For the TAI to establish trust for a request, a PDPerm.properties file must exist on each node within the cell, and the correct URL of the properties file must be set in the config URL property. If this property is not set, or the PDPerm.properties file is not in the specified location, the TAI initialization fails. The PDPerm.properties file is part of the Tivoli Access Manager configuration for a node. To create the Tivoli Access Manager configuration, run the pdjrtecfg script and then the svrsslcfg script for each node in the cell. The PDPerm.properties file is created in the `${USER_INSTALL_ROOT}/etc/pd/PolicyDirector/` directory. |
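As an added illustration, not WebSphere's or the TAI's own code, the following Python models how the properties above combine when one request is checked: the headers named in the id property must be present, checkViaHeader gates every other via-related setting, viaDepth limits the check to the last N hops, and ignoreProxy drops hops whose Via comment marks them as a proxy. The configuration values, the sample Via headers, the hypothetical validate_config initialization check, and the rule that a comment containing "proxy" identifies a proxy are assumptions made for this example.

```python
import re
PREFIX = "com.ibm.websphere.security.webseal."
# Constructed configuration for the page's two-hop Via example (not from a real deployment).
CONFIG = {PREFIX + k: v for k, v in [("loginId", "webseal_user"), ("checkViaHeader", "true"),
          ("hostnames", "webseal1,webseal2"), ("ports", "7002,7001"), ("viaDepth", "0"),
          ("ignoreProxy", "false"), ("id", "iv-creds")]}

def validate_config(config):
    """Initialization rules: loginId is always mandatory; hostnames and ports only when checkViaHeader is true."""
    if not config.get(PREFIX + "loginId"):
        raise ValueError("loginId not set: TAI initialization fails")
    if config.get(PREFIX + "checkViaHeader", "false").lower() == "true":
        for key in ("hostnames", "ports"):
            if not config.get(PREFIX + key):
                raise ValueError(f"{key} not set with checkViaHeader=true: TAI initialization fails")

def parse_via(header):
    """Split a Via header into (host, port, comment) hops; entries look like 'HTTP/1.1 h:p (comment)', 'HTTP/' optional."""
    hops = []
    for part in header.split(","):
        m = re.match(r"\s*(?:\S+/)?[\d.]+\s+([^\s:(]+)(?::(\d+))?\s*(?:\(([^)]*)\))?", part)
        if not m:
            raise ValueError(f"malformed Via entry: {part!r}")
        hops.append((m.group(1), int(m.group(2)) if m.group(2) else None, m.group(3) or ""))
    return hops

def trust_established(config, headers):
    """Return (trusted, reason) for one request's headers, applying the rules on the page."""
    cfg = lambda key, default="": config.get(PREFIX + key, default)
    # Every header named in the id property must be present; iv-creds is always on the list.
    required = {"iv-creds"} | {h.strip() for h in cfg("id").split(",") if h.strip()}
    if not required <= set(headers):
        return False, "required header missing: " + ",".join(sorted(required - set(headers)))
    if cfg("checkViaHeader", "false").lower() != "true":
        return True, "via header not checked"          # hostnames and ports have no influence
    if not headers.get("Via"):
        return False, "no Via header to check"
    hops = parse_via(headers["Via"])
    if cfg("ignoreProxy", "false").lower() == "true":
        # Assumption: a hop whose Via comment mentions "proxy" is treated as a proxy and skipped.
        hops = [h for h in hops if "proxy" not in h[2].lower()]
    depth = int(cfg("viaDepth", "0"))
    if depth > 0:
        hops = hops[-depth:]                           # only the last `depth` hosts are checked
    hosts = set(cfg("hostnames").split(","))           # case sensitive, as the page states
    ports = {int(p) for p in cfg("ports").split(",") if p}
    for host, port, _ in hops:
        if host not in hosts or port not in ports:
            return False, f"untrusted hop {host}:{port}"
    return True, "all checked hops trusted"
```

Note that host names and ports are matched as two independent lists, as the page describes them, so a trusted host on an untrusted port still fails the check.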