IBM Security Web Gateway Appliance Version 7.0
Configuration Guide for Web Reverse Proxy
SC22-5433-00

Note
Before using this information and the product it supports, read the information in "Notices" on page 675.

Edition notice
Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2012.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . xiii
Tables . . . xv

About this publication . . . xvii
  Intended audience . . . xvii
  Access to publications and terminology . . . xviii
  Related publications . . . xx
  Accessibility . . . xxii
  Technical training . . . xxii
  Support information . . . xxii

Part 1. Administration . . . 1

Chapter 1. IBM Security Access Manager for Web WebSEAL overview . . . 3
  Introduction . . . 3
  WebSEAL introduction . . . 4
  IBM Security Web Gateway Appliance . . . 5
  WebSEAL functionality on the appliance . . . 5
  Security model . . . 6
    Security model concepts . . . 6
    The protected object space . . . 7
    Access control lists (ACLs) and protected object policies (POPs) . . . 8
    Access control list (ACL) policies . . . 8
    Protected object policies (POPs) . . . 9
    Explicit and inherited policy . . . 10
    Policy administration: The Web Portal Manager . . . 10
  Web space protection . . . 10
  Security policy planning and implementation . . . 12
    Content types and levels of protection . . . 12
  WebSEAL authentication . . . 13
  Standard WebSEAL junctions . . . 14
  Web space scalability . . . 15
    Replicated front-end WebSEAL servers . . . 16
    Junctioned back-end servers . . . 16
    Replicated back-end servers . . . 17

Chapter 2. Server administration . . . 19
  WebSEAL instance management . . . 19
  Synchronization of WebSEAL data across multiple servers . . . 20
    Automating synchronization . . . 21
  Auditing and logging of resources for WebSEAL . . . 23
    Error message logging . . . 23
    WebSEAL server activity auditing . . . 23
    Traditional auditing and logging of HTTP events . . . 24
  Problem determination resources for WebSEAL . . . 24
    Configuration data log file . . . 25
    Statistics . . . 26
    Trace utility . . . 27

Part 2. Configuration . . . 29

Chapter 3. Web server configuration . . . 31
  WebSEAL server and host name specification . . . 31
    WebSEAL server name in the configuration file . . . 31
    WebSEAL server name in "pdadmin server list" . . . 32
    WebSEAL server name in the protected object space . . . 32
    Specifying the WebSEAL host (machine) name . . . 32
  WebSEAL configuration file . . . 33
    Configuration file organization . . . 33
    Configuration file name and location . . . 34
    Modifying configuration file settings . . . 34
  Directory indexing . . . 35
    Configuring directory indexing . . . 35
    Configuration of graphical icons for file types . . . 35
  Content caching . . . 36
    Content caching concepts . . . 36
    Configuration of content caching . . . 36
    Impact of HTTP headers on WebSEAL content caching . . . 37
    Flushing all caches . . . 39
    Cache control for specific documents . . . 40
  Communication protocol configuration . . . 40
    WebSEAL configuration for HTTP requests . . . 41
    WebSEAL configuration for HTTPS requests . . . 41
    Restrictions on connections from specific SSL versions . . . 42
    Persistent HTTP connections . . . 42
    WebSEAL configuration for handling HTTPOnly cookies . . . 43
    Timeout settings for HTTP and HTTPS communication . . . 43
    Additional WebSEAL server timeout settings . . . 45
    Support for WebDAV . . . 46
    Support for Microsoft RPC over HTTP . . . 47
    Support for chunked transfer coding . . . 48
  Internet Protocol version 6 (IPv6) support . . . 48
    IPv4 and IPv6 overview . . . 48
    Configuring IPv6 and IPv4 support . . . 49
    IPv6: Compatibility support . . . 49
    IPv6: Upgrade notes . . . 50
    IP levels for credential attributes . . . 50
  LDAP directory server configuration . . . 50
  Worker thread allocation . . . 51
    WebSEAL worker thread configuration . . . 51
    Allocation of worker threads for junctions (junction fairness) . . . 52
  HTTP data compression . . . 54
    Compression based on MIME-type . . . 54
    Compression based on user agent type . . . 55
    Compression policy in POPs . . . 56
    Data compression limitation . . . 57
    Configuring data compression policy . . . 57
  Multi-locale support with UTF-8 . . . 57
    Multi-locale support concepts . . . 57
    Configuration of multi-locale support . . . 61
  Validation of character encoding in request data . . . 66
  Supported wildcard pattern matching characters . . . 67
  Setting system environment variables . . . 67

Chapter 4. Web server response configuration . . . 69
  Static HTML server response pages . . . 69
  HTML server response page locations . . . 74
    Management Root . . . 74
    Account management page location . . . 74
    Error message page location . . . 75
    Junction-specific static server response pages . . . 75
  HTML server response page modification . . . 75
    Guidelines for customizing HTML response pages . . . 76
    Macro resources for customizing HTML response pages . . . 76
    Macros embedded in a template . . . 78
    Adding an image to a custom login form . . . 81
  Account management page configuration . . . 82
    Configuration file stanza entries and values . . . 82
    Configuration of the account expiration error message . . . 82
    Configuration of the password policy options . . . 83
  Error message page configuration . . . 84
    Enabling the time of day error page . . . 84
    Creating new HTML error message pages . . . 85
    Compatibility with previous versions of WebSEAL . . . 85
  Multi-locale support for server responses . . . 86
    The accept-language HTTP header . . . 86
    Process flow for multi-locale support . . . 87
    Conditions affecting multi-locale support on WebSEAL . . . 87
  Handling the favicon.ico file with Mozilla Firefox . . . 87
  Adding custom headers to server response pages . . . 88
  Configuring the location URL format in redirect responses . . . 89
  Local response redirection . . . 90
    Local response redirection overview . . . 90
    Local response redirection process flow . . . 91
    Enabling and disabling local response redirection . . . 91
    Contents of a redirected response . . . 92
    URI for local response redirection . . . 92
    Operation for local response redirection . . . 93
    Macro support for local response redirection . . . 94
    Local response redirection configuration example . . . 98
    Technical notes for local response redirection . . . 99
    Remote response handling with local authentication . . . 99
  HTML redirection . . . 100
    Enabling HTML redirection . . . 101
    Preserving HTML fragments on redirection . . . 101

Chapter 5. Web server security configuration . . . 103
  Configuring WebSEAL to support only Suite B ciphers . . . 103
  Prevention of vulnerability caused by cross-site scripting . . . 104
  Prevention of Cross-site Request Forgery (CSRF) attacks . . . 105
    Secret token validation . . . 105
    Referrer validation . . . 106
    Reject unsolicited authentication requests . . . 107
  Suppression of WebSEAL and back-end server identity . . . 107
    Suppressing WebSEAL server identity . . . 107
    Suppressing back-end application server identity . . . 108
  Disabling HTTP methods . . . 108
  Platform for Privacy Preferences (P3P) . . . 109
    Compact policy overview . . . 109
    Compact policy declaration . . . 110
    Junction header preservation . . . 111
    Default compact policy in the P3P header . . . 112
    Configuring the P3P header . . . 113
    Specifying a custom P3P compact policy . . . 119
    P3P configuration troubleshooting . . . 119

Chapter 6. Runtime security services external authorization service . . . 121
  About the runtime security services external authorization service . . . 121
  Configuring the runtime security services external authorization service in WebSEAL . . . 122
  Sample configuration data for runtime security services external authorization service . . . 124

Part 3. Authentication . . . 127

Chapter 7. Authentication overview . . . 129
  Definition and purpose of authentication . . . 129
  Information in a user request . . . 129
  Client identities and credentials . . . 130
  Authentication process flow . . . 130
  Authenticated and unauthenticated access to resources . . . 131
    Request process for authenticated users . . . 132
    Request process for unauthenticated users . . . 132
    Access conditions over SSL . . . 132
    Forcing user login . . . 133
    Use of unauthenticated HTTPS . . . 133
  Supported authentication methods . . . 133
  Authentication challenge based on user agent . . . 134

Chapter 8. Authentication methods . . . 137
  Authentication terminology . . . 137
  Logout and password change operations . . . 137
    Logging out: pkmslogout . . . 138
    Controlling custom response pages for pkmslogout . . . 138
    Changing passwords: pkmspasswd . . . 139
    Password change issue with Active Directory on Windows . . . 139
  Basic authentication . . . 139
    Enabling and disabling basic authentication . . . 140
    Setting the realm name . . . 140
  Forms authentication . . . 140
    Enabling and disabling forms authentication . . . 141
    Customizing HTML response forms . . . 141
    Submitting login form data directly to WebSEAL . . . 142
  Client-side certificate authentication . . . 143
    Client-side certificate authentication modes . . . 143
    Certificate authentication configuration task summary . . . 146
    Enabling certificate authentication . . . 146
    Configuration of the certificate authentication mechanism . . . 147
    Certificate login error page . . . 149
    Certificate login form . . . 150
    Disabling SSL session IDs for session tracking . . . 150
    Enabling and configuring the Certificate SSL ID cache . . . 150
    Setting the timeout for Certificate SSL ID cache . . . 151
    Error page for incorrect protocol . . . 151
    Disabling certificate authentication . . . 152
    Disabling the Certificate SSL ID cache . . . 152
    Technical notes for certificate authentication . . . 152
  Kerberos authentication . . . 153
    Configuring Kerberos authentication . . . 153
    Limitations . . . 154
  LTPA authentication . . . 155
    LTPA authentication overview . . . 155
    Enabling LTPA authentication . . . 155
    Key file information . . . 156
    Specifying the cookie name for clients . . . 156
    Specifying the cookie name for junctions . . . 156
    Controlling the lifetime of the LTPA Token . . . 157
    Disabling LTPA authentication . . . 157

Chapter 9. Advanced authentication methods . . . 159
  Multiplexing proxy agents . . . 159
    Multiplexing proxy agents overview . . . 159
    Valid session data types and authentication methods . . . 160
    Authentication process flow for MPA and multiple clients . . . 161
    Enabling and disabling MPA authentication . . . 162
    Creation of a user account for the MPA . . . 162
    Addition of the MPA account to the webseal-mpa-servers group . . . 162
    MPA authentication limitations . . . 162
  Switch user authentication . . . 162
    Overview of the switch user function . . . 162
    Configuration of switch user authentication . . . 165
    Using switch user . . . 168
    Additional switch user feature support . . . 168
  Reauthentication . . . 169
    Reauthentication concepts . . . 170
    Reauthentication based on security policy . . . 171
    Reauthentication POP: creating and applying . . . 171
    Reauthentication based on session inactivity . . . 171
    Enabling of reauthentication based on session inactivity . . . 172
    Resetting of the session cache entry lifetime value . . . 172
    Extension of the session cache entry lifetime value . . . 172
    Prevention of session removal when the session lifetime expires . . . 173
    Removal of a user session at login failure policy limit . . . 174
    Customization of login forms for reauthentication . . . 175
  Authentication strength policy (step-up) . . . 176
    Authentication strength concepts . . . 176
    Authentication strength configuration task summary . . . 177
    Establishing an authentication strength policy . . . 178
    Specifying authentication levels . . . 178
    Specifying the authentication strength login form . . . 180
    Creating a protected object policy . . . 181
    Specifying network-based access restrictions . . . 182
    Attaching a protected object policy to a protected resource . . . 184
    Enforcing user identity match across authentication levels . . . 185
    Controlling the login response for unauthenticated users . . . 185
    Stepping up authentication at higher levels . . . 186
  External authentication interface . . . 186
  Client Certificate User Mapping . . . 187
    Introduction . . . 187
    User mapping rules evaluator . . . 191
    How to manage the CDAS . . . 194
    Configuring WebSEAL to use the certificate mapping module . . . 196

Chapter 10. Post-authentication processing . . . 201
  Automatic redirection after authentication . . . 201
    Overview of automatic redirection . . . 201
    Enabling automatic redirection . . . 202
    Disabling automatic redirection . . . 202
    Limitations . . . 203
    Macro support for automatic redirection . . . 203
  Server-side request caching . . . 205
    Server-side request caching concepts . . . 205
    Process flow for server-side request caching . . . 205
    Configuration of server-side caching . . . 206

Chapter 11. Password processing . . . 209
  Login failure policy ("three strikes" login policy) . . . 209
    Login failure policy concepts . . . 209
    Setting the login failure policy . . . 210
    Setting the account disable time interval . . . 210
    Configuring the account disable notification response . . . 211
    Login failure policy with replicated WebSEAL servers . . . 212
  Password strength policy . . . 213
    Password strength policy concepts . . . 213
    Password strength policies . . . 213
    Syntax for password strength policy commands . . . 213
    Default password strength policy values . . . 215
    Valid and not valid password examples . . . 215
    Specifying user and global settings . . . 215

Chapter 12. Credential processing . . . 217
  Extended attributes for credentials . . . 217
    Mechanisms for adding registry attributes to a credential . . . 217
    Configure a registry attribute entitlement service . . . 218
    Junction handling of extended credential attributes . . . 219
  Credential refresh . . . 221
    Credential refresh concepts . . . 221
    Configure credential refresh . . . 225
    Credential refresh usage . . . 226

Chapter 13. External authentication interface . . . 229
  External authentication interface overview . . . 229
  External authentication interface process flow . . . 229
  External authentication interface configuration . . . 232
    Enabling the external authentication interface . . . 232
    Initiating the authentication process . . . 233
    Configuration of the external authentication interface trigger URL . . . 234
    HTTP header names for authentication data . . . 234
    Extracting authentication data from special HTTP headers . . . 236
    How to generate the credential . . . 236
    External authentication interface credential replacement . . . 237
    Validating the user identity . . . 238
    How to write an external authentication application . . . 238
  External authentication interface HTTP header reference . . . 240
  Use of external authentication interface with existing WebSEAL features . . . 241
    Request caching with external authentication interface . . . 241
    Post-authentication redirection with external authentication interface . . . 242
    Session handling with external authentication interface . . . 242
    Authentication strength level with external authentication interface . . . 242
    Reauthentication with external authentication interface . . . 243
    Login page and macro support with external authentication interface . . . 243
    Setting a client-specific session cache entry lifetime value . . . 244
    Setting a client-specific session cache entry inactivity timeout value . . . 246

Part 4. Session State . . . 249

Chapter 14. Session state overview . . . 251
  Session state concepts . . . 251
  Supported session ID data types . . . 251
  Information retrieved from a client request . . . 252
  WebSEAL session cache structure . . . 252
  Deployment considerations for clustered environments . . . 253
    Consistent configuration on all WebSEAL replica servers . . . 254
    Client-to-server session affinity at the load balancer . . . 254
    Failover to a new master . . . 254
    Failover from one WebSEAL server to another . . . 254
  Options for handling failover in clustered environments . . . 254
    Option 1: No WebSEAL handling of failover events . . . 255
    Option 2: Authentication data included in each request . . . 255
    Option 3: Failover cookies . . . 255
    Option 4: The Session Management Server . . . 256
    Option 5: LTPA cookie . . . 256

Chapter 15. Session cache configuration . . . 259
  Session cache configuration overview . . . 259
  SSL session ID cache configuration . . . 260
    Cache entry timeout value . . . 260
    Maximum concurrent SSL sessions value . . . 260
  WebSEAL session cache configuration . . . 260
    Maximum session cache entries value . . . 261
    Cache entry lifetime timeout value . . . 261
    Setting a client-specific session cache entry lifetime value . . . 262
    Cache entry inactivity timeout value . . . 264
    Concurrent session limits . . . 265
    Session cache limitation . . . 266

Chapter 16. Failover solutions . . . 267
  Failover authentication concepts . . . 267
    The failover environment . . . 267
    Failover cookie . . . 268
    Failover authentication process flow . . . 269
    Example failover configuration . . . 269
    Addition of data to a failover cookie . . . 270
    Extraction of data from a failover cookie . . . 272
    Domain-wide failover authentication . . . 273
  Failover authentication configuration . . . 274
    Configuring failover authentication . . . 274
    Protocol for failover cookies . . . 275
    Generating a key pair to encrypt and decrypt cookie data . . . 275
    Specifying the failover cookie lifetime . . . 276
    Specifying UTF-8 encoding on cookie strings . . . 276
    Adding the authentication strength level . . . 277
    Reissue of missing failover cookies . . . 277
    Addition of session lifetime timestamp . . . 277
    Adding the session activity timestamp . . . 278
    Addition of an interval for updating the activity timestamp . . . 279
    Addition of extended attributes . . . 279
    Attributes for extraction . . . 280
    Enabling domain-wide failover cookies . . . 280
    Validation of a lifetime timestamp . . . 281
    Validation of an activity timestamp . . . 281
  Failover for non-sticky failover environments . . . 282
    Non-sticky failover concepts . . . 282
    Configuring the non-sticky failover solution . . . 283
    Use of failover cookies with existing WebSEAL features . . . 284
  Change password operation in a failover environment . . . 284

Chapter 17. Session state in non-clustered environments . . . 287
  Maintain session state in non-clustered environments . . . 287
    Control on session state information over SSL . . . 287
    Use of the same session key over different transports . . . 288
    Valid session key data types . . . 288
    Effective session timeout value . . . 290
    Netscape 4.7x limitation for use-same-session . . . 290
  Session cookies . . . 291
    Session cookies concepts . . . 291
    Conditions for using session cookies . . . 291
    Customization of the session cookie name . . . 292
    Sending session cookies with each request . . . 292
  Customized responses for old session cookies . . . 293
    Session removal and old session cookie concepts . . . 293
    Enabling customized responses for old session cookies . . . 294
  Maintain session state with HTTP headers . . . 295
    HTTP header session key concepts . . . 295
    Configuring HTTP headers to maintain session state . . . 295
    Setup for requiring requests from an MPA . . . 297
  Share sessions with Microsoft Office applications . . . 297
    Overview of session sharing with Microsoft Office applications . . . 298
    Configure the temporary session cache . . . 298
    Configure shared sessions with Microsoft Office applications . . . 300

Part 5. Session Management Server . . . 305

Chapter 18. Session management server (SMS) overview . . . 307
  The failover environment . . . 307
  The session management server (SMS) . . . 308
  Server clusters, replica sets, and session realms . . . 308
  SMS process flow . . . 309
  Sharing sessions across multiple DNS domains . . . 310

Chapter 19. Quickstart guide for WebSEAL using SMS . . . 313
  Configuration summary for WebSEAL using SMS . . . 313
    1. Information gathering . . . 313
    2. WebSEAL configuration file settings . . . 314
    3. Import the Security Access Manager CA Certificate . . . 314
    4. Restart the WebSEAL server . . . 315
    5. Create junctions for virtual hosts . . . 315
    6. Junction the session management server . . . 315
    7. Set the maximum concurrent sessions policy . . . 316
    8. Test the configuration . . . 316

Chapter 20. Configuration for WebSEAL using SMS . . . 319
  SMS configuration for WebSEAL . . . 319
    Configuring the session management server (SMS) . . . 319
    Enabling and disabling SMS for WebSEAL . . . 319
    Specifying session management server cluster and location . . . 320
    Retrieving the maximum concurrent sessions policy value . . . 320
  Replica set configuration . . . 321
    Configuring WebSEAL to participate in multiple replica sets . . . 321
    Assigning standard junctions to a replica set . . . 321
    Virtual hosts assigned to a replica set . . . 322
    Example replica set configuration . . . 322
  Adjustment of the last access time update frequency for SMS . . . 325
  SMS communication timeout configuration . . . 325
    Configuring SMS response timeout . . . 325
    Configuring connection timeout for broadcast events . . . 326
  SMS performance configuration . . . 326
    Maximum pre-allocated session IDs . . . 326
    Configuration of the handle pool size . . . 327
  SMS Authentication . . . 327
  SSL configuration for WebSEAL and SMS . . . 327
    Configuring the WebSEAL key database . . . 328
    Specifying the SSL certificate distinguished name (DN) . . . 328
    GSKit configuration for SMS connections . . . 329
  Maximum concurrent sessions policy . . . 330
    Setting the maximum concurrent sessions policy . . . 330
    Enforcing the maximum concurrent sessions policy . . . 333
    Switch user and maximum concurrent sessions policy . . . 334
  Single signon within a session realm . . . 334
    Session realm and session sharing concepts . . . 334
    Configuring session sharing . . . 335
  Configuring login history . . . 337
    Enabling login failure notification . . . 338
    Creating a junction to the session management server . . . 338
    Allowing access to the login history JSP . . . 339
    Customizing the JSP to display login history . . . 339

Part 6. Authorization . . . 341

Chapter 21. Configuration for authorization . . . 343
  WebSEAL-specific ACL policies . . . 343
    /WebSEAL/host-instance_name . . . 343
    /WebSEAL/host-instance_name/file . . . 343
    WebSEAL ACL permissions . . . 343
    Default /WebSEAL ACL policy . . . 344
    Valid characters for ACL names . . . 344
  Quality of protection POP . . . 344
  Configuration of authorization database updates and polling . . . 345
  Configuring quality of protection levels . . . 346
  Authorization decision information . . . 348
  Support for OAuth authorization decisions . . . 348

Chapter 22. Key management . . . 353
  Key management overview . . . 353
  Key management in the Local Management Interface . . . 353
  Client-side and server-side certificate concepts . . . 354
  Configuration of the WebSEAL key database file . . . 355
    WebSEAL key database file . . . 355
    Key database file password . . . 356
    WebSEAL test certificate . . . 356
    Inter-server SSL communication for Security Access Manager . . . 357
  Certificate revocation in WebSEAL . . . 357
    Certificate revocation list (CRL) . . . 357
    Configuration of CRL checking . . . 357
  Certificate distribution points . . . 358
  Configuration of the CRL cache . . . 358
    Set the maximum number of cache entries . . . 358
    Set the GSKit cache lifetime timeout value . . . 359
    Enable the CRL cache . . . 359
  Use of the WebSEAL test certificate for SSL connections . . . 359

Part 7. Standard WebSEAL Junctions . . . 361

Chapter 23. Standard WebSEAL junctions . . . 363
  WebSEAL junctions overview . . . 363
    Junction types . . . 363
    Applying coarse-grained access control: summary . . . 364
    Applying fine-grained access control: summary . . . 364
    Additional references for WebSEAL junctions . . . 364
  Management of junctions with Web Portal Manager . . . 365
    Creating a junction using Web Portal Manager . . . 365
    Listing junctions using Web Portal Manager . . . 365
    Deleting junctions using Web Portal Manager . . . 366
  Junction management in the Local Management Interface . . . 366
  Managing junctions with the pdadmin utility . . . 366
    Import and export of junction databases . . . 367
  Standard WebSEAL junction configuration . . . 367
    The pdadmin server task create command . . . 368
    Creating TCP type standard junctions . . . 368
    Creating SSL type standard junctions . . . 369
    Creating mutual junctions . . . 369
    SSL-based standard junctions . . . 370
    Adding multiple back-end servers to a standard junction . . . 371
    Local type standard junction . . . 371
    Disable local junctions . . . 371
  Transparent path junctions . . . 371
    Filtering concepts in standard WebSEAL junctions . . . 372
    Transparent path junction concepts . . . 372
    Configuring transparent path junctions . . . 373
    Example transparent path junction . . . 374
  Technical notes for using WebSEAL junctions . . . 374
    Guidelines for creating WebSEAL junctions . . . 375
    Adding multiple back-end servers to the same junction . . . 375
    Exceptions to enforcing permissions across junctions . . . 376
    Certificate authentication across junctions . . . 376
    Handling domain cookies . . . 376
    Supported HTTP versions for requests and responses . . . 377
    Junctioned application with Web Portal Manager . . . 377
  How to generate a back-end server Web space (query_contents) . . . 377
    query_contents overview . . . 378
    query_contents components . . . 379
    Installing and configuring query_contents on UNIX-based Web servers . . . 380
    Installing and configuring query_contents on Windows-based Web servers . . . 381
    General process flow for query_contents . . . 382
    Securing the query_contents program . . . 383

Chapter 24. Advanced junction configuration . . . 385
  Mutually authenticated SSL junctions . . . 385
    Mutually authenticated SSL junctions process summary . . . 385
    Validation of the back-end server certificate . . . 386
    Matching the distinguished name (DN) . . . 386
    Authentication with a client certificate . . . 387
    Authentication with a BA header . . . 387
  TCP and SSL proxy junctions . . . 388
  WebSEAL-to-WebSEAL junctions over SSL . . . 388
  Stateful junctions . . . 390
    Stateful junction concepts . . . 390
    Configuration of stateful junctions . . . 390
    Specifying back-end server UUIDs for stateful junctions . . . 391
    Handling an unavailable stateful server . . . 393
  Forcing a new junction . . . 394
  Use of /pkmslogout with virtual host junctions . . . 395
  Junction throttling . . . 395
    Junction throttling concepts . . . 395
    Placing a junctioned server in a throttled state . . . 396
    Junctioned server in an offline state . . . 398
    Junctioned server in an online state . . . 400
    Junction throttle messages . . . 401
    Use of junction throttling with existing WebSEAL features . . . 402
  Management of cookies . . . 403
    Passing of session cookies to junctioned portal servers . . . 404