
IBM Security Web Gateway Appliance Version 7.0: Configuration Guide for Web Reverse Proxy PDF

720 Pages·2012·3.87 MB·English

Preview IBM Security Web Gateway Appliance Version 7.0: Configuration Guide for Web Reverse Proxy

IBM Security Web Gateway Appliance Version 7.0
Configuration Guide for Web Reverse Proxy
SC22-5433-00

Note: Before using this information and the product it supports, read the information in "Notices" on page 675.

Edition notice
Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2002, 2012.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  xiii
Tables  xv
About this publication  xvii
    Intended audience  xvii
    Access to publications and terminology  xviii
    Related publications  xx
    Accessibility  xxii
    Technical training  xxii
    Support information  xxii

Part 1. Administration  1

Chapter 1. IBM Security Access Manager for Web WebSEAL overview  3
    Introduction  3
    WebSEAL introduction  4
    IBM Security Web Gateway Appliance  5
    WebSEAL functionality on the appliance  5
    Security model  6
        Security model concepts  6
        The protected object space  7
        Access control lists (ACLs) and protected object policies (POPs)  8
        Access control list (ACL) policies  8
        Protected object policies (POPs)  9
        Explicit and inherited policy  10
        Policy administration: The Web Portal Manager  10
    Web space protection  10
    Security policy planning and implementation  12
        Content types and levels of protection  12
    WebSEAL authentication  13
    Standard WebSEAL junctions  14
    Web space scalability  15
        Replicated front-end WebSEAL servers  16
        Junctioned back-end servers  16
        Replicated back-end servers  17

Chapter 2. Server administration  19
    WebSEAL instance management  19
    Synchronization of WebSEAL data across multiple servers  20
        Automating synchronization  21
    Auditing and logging of resources for WebSEAL  23
        Error message logging  23
        WebSEAL server activity auditing  23
        Traditional auditing and logging of HTTP events  24
    Problem determination resources for WebSEAL  24
        Configuration data log file  25
        Statistics  26
        Trace utility  27

Part 2. Configuration  29

Chapter 3. Web server configuration  31
    WebSEAL server and host name specification  31
        WebSEAL server name in the configuration file  31
        WebSEAL server name in "pdadmin server list"  32
        WebSEAL server name in the protected object space  32
        Specifying the WebSEAL host (machine) name  32
    WebSEAL configuration file  33
        Configuration file organization  33
        Configuration file name and location  34
        Modifying configuration file settings  34
    Directory indexing  35
        Configuring directory indexing  35
        Configuration of graphical icons for file types  35
    Content caching  36
        Content caching concepts  36
        Configuration of content caching  36
        Impact of HTTP headers on WebSEAL content caching  37
        Flushing all caches  39
        Cache control for specific documents  40
    Communication protocol configuration  40
        WebSEAL configuration for HTTP requests  41
        WebSEAL configuration for HTTPS requests  41
        Restrictions on connections from specific SSL versions  42
        Persistent HTTP connections  42
        WebSEAL configuration for handling HTTPOnly cookies  43
        Timeout settings for HTTP and HTTPS communication  43
        Additional WebSEAL server timeout settings  45
        Support for WebDAV  46
        Support for Microsoft RPC over HTTP  47
        Support for chunked transfer coding  48
    Internet Protocol version 6 (IPv6) support  48
        IPv4 and IPv6 overview  48
        Configuring IPv6 and IPv4 support  49
        IPv6: Compatibility support  49
        IPv6: Upgrade notes  50
        IP levels for credential attributes  50
    LDAP directory server configuration  50
    Worker thread allocation  51
        WebSEAL worker thread configuration  51
        Allocation of worker threads for junctions (junction fairness)  52
    HTTP data compression  54
        Compression based on MIME-type  54
        Compression based on user agent type  55
        Compression policy in POPs  56
        Data compression limitation  57
        Configuring data compression policy  57
    Multi-locale support with UTF-8  57
        Multi-locale support concepts  57
        Configuration of multi-locale support  61
    Validation of character encoding in request data  66
    Supported wildcard pattern matching characters  67
    Setting system environment variables  67

Chapter 4. Web server response configuration  69
    Static HTML server response pages  69
    HTML server response page locations  74
        Management Root  74
        Account management page location  74
        Error message page location  75
        Junction-specific static server response pages  75
    HTML server response page modification  75
        Guidelines for customizing HTML response pages  76
        Macro resources for customizing HTML response pages  76
        Macros embedded in a template  78
        Adding an image to a custom login form  81
    Account management page configuration  82
        Configuration file stanza entries and values  82
        Configuration of the account expiration error message  82
        Configuration of the password policy options  83
    Error message page configuration  84
        Enabling the time of day error page  84
        Creating new HTML error message pages  85
        Compatibility with previous versions of WebSEAL  85
    Multi-locale support for server responses  86
        The accept-language HTTP header  86
        Process flow for multi-locale support  87
        Conditions affecting multi-locale support on WebSEAL  87
    Handling the favicon.ico file with Mozilla Firefox  87
    Adding custom headers to server response pages  88
    Configuring the location URL format in redirect responses  89
    Local response redirection  90
        Local response redirection overview  90
        Local response redirection process flow  91
        Enabling and disabling local response redirection  91
        Contents of a redirected response  92
        URI for local response redirection  92
        Operation for local response redirection  93
        Macro support for local response redirection  94
        Local response redirection configuration example  98
        Technical notes for local response redirection  99
        Remote response handling with local authentication  99
    HTML redirection  100
        Enabling HTML redirection  101
        Preserving HTML fragments on redirection  101

Chapter 5. Web server security configuration  103
    Configuring WebSEAL to support only Suite B ciphers  103
    Prevention of vulnerability caused by cross-site scripting  104
    Prevention of Cross-site Request Forgery (CSRF) attacks  105
        Secret token validation  105
        Referrer validation  106
        Reject unsolicited authentication requests  107
    Suppression of WebSEAL and back-end server identity  107
        Suppressing WebSEAL server identity  107
        Suppressing back-end application server identity  108
    Disabling HTTP methods  108
    Platform for Privacy Preferences (P3P)  109
        Compact policy overview  109
        Compact policy declaration  110
        Junction header preservation  111
        Default compact policy in the P3P header  112
        Configuring the P3P header  113
        Specifying a custom P3P compact policy  119
        P3P configuration troubleshooting  119

Chapter 6. Runtime security services external authorization service  121
    About the runtime security services external authorization service  121
    Configuring the runtime security services external authorization service in WebSEAL  122
    Sample configuration data for runtime security services external authorization service  124

Part 3. Authentication  127

Chapter 7. Authentication overview  129
    Definition and purpose of authentication  129
    Information in a user request  129
    Client identities and credentials  130
    Authentication process flow  130
    Authenticated and unauthenticated access to resources  131
        Request process for authenticated users  132
        Request process for unauthenticated users  132
        Access conditions over SSL  132
        Forcing user login  133
        Use of unauthenticated HTTPS  133
    Supported authentication methods  133
    Authentication challenge based on user agent  134

Chapter 8. Authentication methods  137
    Authentication terminology  137
    Logout and password change operations  137
        Logging out: pkmslogout  138
        Controlling custom response pages for pkmslogout  138
        Changing passwords: pkmspasswd  139
        Password change issue with Active Directory on Windows  139
    Basic authentication  139
        Enabling and disabling basic authentication  140
        Setting the realm name  140
    Forms authentication  140
        Enabling and disabling forms authentication  141
        Customizing HTML response forms  141
        Submitting login form data directly to WebSEAL  142
    Client-side certificate authentication  143
        Client-side certificate authentication modes  143
        Certificate authentication configuration task summary  146
        Enabling certificate authentication  146
        Configuration of the certificate authentication mechanism  147
        Certificate login error page  149
        Certificate login form  150
        Disabling SSL session IDs for session tracking  150
        Enabling and configuring the Certificate SSL ID cache  150
        Setting the timeout for Certificate SSL ID cache  151
        Error page for incorrect protocol  151
        Disabling certificate authentication  152
        Disabling the Certificate SSL ID cache  152
        Technical notes for certificate authentication  152
    Kerberos authentication  153
        Configuring Kerberos authentication  153
        Limitations  154
    LTPA authentication  155
        LTPA authentication overview  155
        Enabling LTPA authentication  155
        Key file information  156
        Specifying the cookie name for clients  156
        Specifying the cookie name for junctions  156
        Controlling the lifetime of the LTPA Token  157
        Disabling LTPA authentication  157

Chapter 9. Advanced authentication methods  159
    Multiplexing proxy agents  159
        Multiplexing proxy agents overview  159
        Valid session data types and authentication methods  160
        Authentication process flow for MPA and multiple clients  161
        Enabling and disabling MPA authentication  162
        Creation of a user account for the MPA  162
        Addition of the MPA account to the webseal-mpa-servers group  162
        MPA authentication limitations  162
    Switch user authentication  162
        Overview of the switch user function  162
        Configuration of switch user authentication  165
        Using switch user  168
        Additional switch user feature support  168
    Reauthentication  169
        Reauthentication concepts  170
        Reauthentication based on security policy  171
        Reauthentication POP: creating and applying  171
        Reauthentication based on session inactivity  171
        Enabling of reauthentication based on session inactivity  172
        Resetting of the session cache entry lifetime value  172
        Extension of the session cache entry lifetime value  172
        Prevention of session removal when the session lifetime expires  173
        Removal of a user session at login failure policy limit  174
        Customization of login forms for reauthentication  175
    Authentication strength policy (step-up)  176
        Authentication strength concepts  176
        Authentication strength configuration task summary  177
        Establishing an authentication strength policy  178
        Specifying authentication levels  178
        Specifying the authentication strength login form  180
        Creating a protected object policy  181
        Specifying network-based access restrictions  182
        Attaching a protected object policy to a protected resource  184
        Enforcing user identity match across authentication levels  185
        Controlling the login response for unauthenticated users  185
        Stepping up authentication at higher levels  186
    External authentication interface  186
    Client Certificate User Mapping  187
        Introduction  187
        User mapping rules evaluator  191
        How to manage the CDAS  194
        Configuring WebSEAL to use the certificate mapping module  196

Chapter 10. Post-authentication processing  201
    Automatic redirection after authentication  201
        Overview of automatic redirection  201
        Enabling automatic redirection  202
        Disabling automatic redirection  202
        Limitations  203
        Macro support for automatic redirection  203
    Server-side request caching  205
        Server-side request caching concepts  205
        Process flow for server-side request caching  205
        Configuration of server-side caching  206

Chapter 11. Password processing  209
    Login failure policy ("three strikes" login policy)  209
        Login failure policy concepts  209
        Setting the login failure policy  210
        Setting the account disable time interval  210
        Configuring the account disable notification response  211
        Login failure policy with replicated WebSEAL servers  212
    Password strength policy  213
        Password strength policy concepts  213
        Password strength policies  213
        Syntax for password strength policy commands  213
        Default password strength policy values  215
        Valid and not valid password examples  215
        Specifying user and global settings  215

Chapter 12. Credential processing  217
    Extended attributes for credentials  217
        Mechanisms for adding registry attributes to a credential  217
        Configure a registry attribute entitlement service  218
        Junction handling of extended credential attributes  219
    Credential refresh  221
        Credential refresh concepts  221
        Configure credential refresh  225
        Credential refresh usage  226

Chapter 13. External authentication interface  229
    External authentication interface overview  229
    External authentication interface process flow  229
    External authentication interface configuration  232
        Enabling the external authentication interface  232
        Initiating the authentication process  233
        Configuration of the external authentication interface trigger URL  234
        HTTP header names for authentication data  234
        Extracting authentication data from special HTTP headers  236
        How to generate the credential  236
        External authentication interface credential replacement  237
        Validating the user identity  238
        How to write an external authentication application  238
    External authentication interface HTTP header reference  240
    Use of external authentication interface with existing WebSEAL features  241
        Request caching with external authentication interface  241
        Post-authentication redirection with external authentication interface  242
        Session handling with external authentication interface  242
        Authentication strength level with external authentication interface  242
        Reauthentication with external authentication interface  243
        Login page and macro support with external authentication interface  243
        Setting a client-specific session cache entry lifetime value  244
        Setting a client-specific session cache entry inactivity timeout value  246

Part 4. Session State  249

Chapter 14. Session state overview  251
    Session state concepts  251
    Supported session ID data types  251
    Information retrieved from a client request  252
    WebSEAL session cache structure  252
    Deployment considerations for clustered environments  253
        Consistent configuration on all WebSEAL replica servers  254
        Client-to-server session affinity at the load balancer  254
        Failover to a new master  254
        Failover from one WebSEAL server to another  254
    Options for handling failover in clustered environments  254
        Option 1: No WebSEAL handling of failover events  255
        Option 2: Authentication data included in each request  255
        Option 3: Failover cookies  255
        Option 4: The Session Management Server  256
        Option 5: LTPA cookie  256

Chapter 15. Session cache configuration  259
    Session cache configuration overview  259
    SSL session ID cache configuration  260
        Cache entry timeout value  260
        Maximum concurrent SSL sessions value  260
    WebSEAL session cache configuration  260
        Maximum session cache entries value  261
        Cache entry lifetime timeout value  261
        Setting a client-specific session cache entry lifetime value  262
        Cache entry inactivity timeout value  264
        Concurrent session limits  265
        Session cache limitation  266

Chapter 16. Failover solutions  267
    Failover authentication concepts  267
        The failover environment  267
        Failover cookie  268
        Failover authentication process flow  269
        Example failover configuration  269
        Addition of data to a failover cookie  270
        Extraction of data from a failover cookie  272
        Domain-wide failover authentication  273
    Failover authentication configuration  274
        Configuring failover authentication  274
        Protocol for failover cookies  275
        Generating a key pair to encrypt and decrypt cookie data  275
        Specifying the failover cookie lifetime  276
        Specifying UTF-8 encoding on cookie strings  276
        Adding the authentication strength level  277
        Reissue of missing failover cookies  277
        Addition of session lifetime timestamp  277
        Adding the session activity timestamp  278
        Addition of an interval for updating the activity timestamp  279
        Addition of extended attributes  279
        Attributes for extraction  280
        Enabling domain-wide failover cookies  280
        Validation of a lifetime timestamp  281
        Validation of an activity timestamp  281
    Failover for non-sticky failover environments  282
        Non-sticky failover concepts  282
        Configuring the non-sticky failover solution  283
        Use of failover cookies with existing WebSEAL features  284
    Change password operation in a failover environment  284

Chapter 17. Session state in non-clustered environments  287
    Maintain session state in non-clustered environments  287
        Control on session state information over SSL  287
        Use of the same session key over different transports  288
        Valid session key data types  288
        Effective session timeout value  290
        Netscape 4.7x limitation for use-same-session  290
    Session cookies  291
        Session cookies concepts  291
        Conditions for using session cookies  291
        Customization of the session cookie name  292
        Sending session cookies with each request  292
    Customized responses for old session cookies  293
        Session removal and old session cookie concepts  293
        Enabling customized responses for old session cookies  294
    Maintain session state with HTTP headers  295
        HTTP header session key concepts  295
        Configuring HTTP headers to maintain session state  295
        Setup for requiring requests from an MPA  297
    Share sessions with Microsoft Office applications  297
        Overview of session sharing with Microsoft Office applications  298
        Configure the temporary session cache  298
        Configure shared sessions with Microsoft Office applications  300

Part 5. Session Management Server  305

Chapter 18. Session management server (SMS) overview  307
    The failover environment  307
    The session management server (SMS)  308
    Server clusters, replica sets, and session realms  308
    SMS process flow  309
    Sharing sessions across multiple DNS domains  310

Chapter 19. Quickstart guide for WebSEAL using SMS  313
    Configuration summary for WebSEAL using SMS  313
        1. Information gathering  313
        2. WebSEAL configuration file settings  314
        3. Import the Security Access Manager CA Certificate  314
        4. Restart the WebSEAL server  315
        5. Create junctions for virtual hosts  315
        6. Junction the session management server  315
        7. Set the maximum concurrent sessions policy  316
        8. Test the configuration  316

Chapter 20. Configuration for WebSEAL using SMS  319
    SMS configuration for WebSEAL  319
        Configuring the session management server (SMS)  319
        Enabling and disabling SMS for WebSEAL  319
        Specifying session management server cluster and location  320
        Retrieving the maximum concurrent sessions policy value  320
    Replica set configuration  321
        Configuring WebSEAL to participate in multiple replica sets  321
        Assigning standard junctions to a replica set  321
        Virtual hosts assigned to a replica set  322
        Example replica set configuration  322
    Adjustment of the last access time update frequency for SMS  325
    SMS communication timeout configuration  325
        Configuring SMS response timeout  325
        Configuring connection timeout for broadcast events  326
    SMS performance configuration  326
        Maximum pre-allocated session IDs  326
        Configuration of the handle pool size  327
    SMS Authentication  327
    SSL configuration for WebSEAL and SMS  327
        Configuring the WebSEAL key database  328
        Specifying the SSL certificate distinguished name (DN)  328
        GSKit configuration for SMS connections  329
    Maximum concurrent sessions policy  330
        Setting the maximum concurrent sessions policy  330
        Enforcing the maximum concurrent sessions policy  333
        Switch user and maximum concurrent sessions policy  334
    Single signon within a session realm  334
        Session realm and session sharing concepts  334
        Configuring session sharing  335
    Configuring login history  337
        Enabling login failure notification  338
        Creating a junction to the session management server  338
        Allowing access to the login history JSP  339
        Customizing the JSP to display login history  339

Part 6. Authorization  341

Chapter 21. Configuration for authorization  343
    WebSEAL-specific ACL policies  343
        /WebSEAL/host-instance_name  343
        /WebSEAL/host-instance_name/file  343
        WebSEAL ACL permissions  343
        Default /WebSEAL ACL policy  344
        Valid characters for ACL names  344
    Quality of protection POP  344
    Configuration of authorization database updates and polling  345
    Configuring quality of protection levels  346
    Authorization decision information  348
    Support for OAuth authorization decisions  348

Chapter 22. Key management  353
    Key management overview  353
    Key management in the Local Management Interface  353
    Client-side and server-side certificate concepts  354
    Configuration of the WebSEAL key database file  355
        WebSEAL key database file  355
        Key database file password  356
        WebSEAL test certificate  356
        Inter-server SSL communication for Security Access Manager  357
    Certificate revocation in WebSEAL  357
        Certificate revocation list (CRL)  357
        Configuration of CRL checking  357
    Certificate distribution points  358
    Configuration of the CRL cache  358
        Set the maximum number of cache entries  358
        Set the GSKit cache lifetime timeout value  359
        Enable the CRL cache  359
    Use of the WebSEAL test certificate for SSL connections  359

Part 7. Standard WebSEAL Junctions  361

Chapter 23. Standard WebSEAL junctions  363
    WebSEAL junctions overview  363
        Junction types  363
        Applying coarse-grained access control: summary  364
        Applying fine-grained access control: summary  364
        Additional references for WebSEAL junctions  364
    Management of junctions with Web Portal Manager  365
        Creating a junction using Web Portal Manager  365
        Listing junctions using Web Portal Manager  365
        Deleting junctions using Web Portal Manager  366
    Junction management in the Local Management Interface  366
    Managing junctions with the pdadmin utility  366
        Import and export of junction databases  367
    Standard WebSEAL junction configuration  367
        The pdadmin server task create command  368
        Creating TCP type standard junctions  368
        Creating SSL type standard junctions  369
        Creating mutual junctions  369
        SSL-based standard junctions  370
        Adding multiple back-end servers to a standard junction  371
        Local type standard junction  371
        Disable local junctions  371
    Transparent path junctions  371
        Filtering concepts in standard WebSEAL junctions  372
        Transparent path junction concepts  372
        Configuring transparent path junctions  373
        Example transparent path junction  374
    Technical notes for using WebSEAL junctions  374
        Guidelines for creating WebSEAL junctions  375
        Adding multiple back-end servers to the same junction  375
        Exceptions to enforcing permissions across junctions  376
        Certificate authentication across junctions  376
        Handling domain cookies  376
        Supported HTTP versions for requests and responses  377
        Junctioned application with Web Portal Manager  377
    How to generate a back-end server Web space (query_contents)  377
        query_contents overview  378
        query_contents components  379
        Installing and configuring query_contents on UNIX-based Web servers  380
        Installing and configuring query_contents on Windows-based Web servers  381
        General process flow for query_contents  382
        Securing the query_contents program  383

Chapter 24. Advanced junction configuration  385
    Mutually authenticated SSL junctions  385
        Mutually authenticated SSL junctions process summary  385
        Validation of the back-end server certificate  386
        Matching the distinguished name (DN)  386
        Authentication with a client certificate  387
        Authentication with a BA header  387
    TCP and SSL proxy junctions  388
    WebSEAL-to-WebSEAL junctions over SSL  388
    Stateful junctions  390
        Stateful junction concepts  390
        Configuration of stateful junctions  390
        Specifying back-end server UUIDs for stateful junctions  391
        Handling an unavailable stateful server  393
    Forcing a new junction  394
    Use of /pkmslogout with virtual host junctions  395
    Junction throttling  395
        Junction throttling concepts  395
        Placing a junctioned server in a throttled state  396
        Junctioned server in an offline state  398
        Junctioned server in an online state  400
        Junction throttle messages  401
        Use of junction throttling with existing WebSEAL features  402
    Management of cookies  403
        Passing of session cookies to junctioned portal servers  404

Description:
solutions and incorporate back-end web application server resources into its security policy. This configuration guide provides a comprehensive set of