IBM WebSeal实例配置文件webseald-实例名.conf

#
# FILENAME
# webseald.conf
#
# DESCRIPTION
# Configuration file for the Access Manager WebSEAL server (webseald)
#


[server]
###############################
# WEBSEAL GENERAL
###############################

#----------------------
# SYSTEM
#----------------------

# WebSEAL instance UNIX user account.
# Keep this a dedicated, unprivileged account (ivmgr is the product default);
# do not point it at root or at an account shared with other services.
unix-user = ivmgr

# WebSEAL instance UNIX group account
unix-group = ivmgr

# PID file
unix-pid-file = /var/pdweb/log/webseald-default.pid

# Root directory for the webserver
server-root = /opt/pdweb/www-default

# WebSEAL server instance name. Typically, this is based on the hostname of the
# machine and the instance name of the server.
server-name = webseal.ah.cmcc-default

# If web-host-name is set WebSEAL will use this for the server's hostname.  If
# left unset WebSEAL will attempt to automatically determine the server's
# hostname.  On systems with many hostnames, interfaces or WebSEAL instances
# the automatic determination may not always be correct requiring this manual
# setting.  Set it explicitly on multi-homed hosts and whenever the
# auto-detected name would not be the name clients actually use.
# web-host-name = www.webseal.com

#----------------------
# THREADS AND CONNECTIONS
#----------------------

# Number of WebSEAL worker threads
# The number of configured worker threads specifies the number of
# concurrent incoming requests that can be serviced by this server
# instance. Choosing the optimal number depends on the quantity
# and type of traffic on your network. Modifying this value should
# be done carefully to ensure optimal performance. Please consult
# the WebSEAL Administration Guide for further information.
worker-threads = 50

# Initial client connection timeout (seconds): how long WebSEAL waits for the
# first data on a new connection.
# NOTE(review): 120 s is generous. If every pending connection occupies one of
# the 50 worker threads above (confirm against the threading model in the
# Administration Guide), a small number of deliberately slow clients can pin
# the whole pool; consider lowering this value.
client-connect-timeout = 120

# HTTP/1.1 persistent connection timeout (seconds)
# This only affects connections to clients, not backend systems.
persistent-con-timeout = 5

# Intra-request timeout (seconds)
# Timeout between data received or sent for a given request,
# but not the first read.  When this value is non-zero, it
# also enables timeouts on http writes to clients and causes
# a TCP RST packet to be sent if a connection timeout occurs
# on the non-first data I/O.  When this value is zero, the
# client-connect-timeout value is used instead.
intra-connection-timeout = 60

# Allow WebSEAL to write chunked data to HTTP/1.1 clients.  This can
# improve performance by allowing connections to be reused even when
# exact response length is not known before the response is written.
chunk-responses = yes

#----------------------
# HTTPS CLIENT
#----------------------

# Allow HTTPS access
https = yes

# Port to use for HTTPS requests
https-port = 443

#----------------------
#  HTTP CLIENT
#----------------------

# Allow (unsecure) TCP HTTP access.
# SECURITY: with http = yes this instance also answers on the plain port
# below. Anything a user submits there -- forms-login credentials, Basic
# auth, session cookies -- crosses the network in cleartext unless an
# HTTPS-only ACL or a redirect is enforced elsewhere. Prefer http = no when
# every client can reach https-port; if port 80 has to stay open, limit it
# to redirecting clients to HTTPS.
http = yes

# Port to use for unsecure HTTP requests
http-port = 80

#----------------------
# REQUEST BODIES AND CACHING
#----------------------

# This parameter specifies the maximum number of bytes that
# WebSEAL will read from a client when parsing an HTTP request.
# The total size of the URL and HTTP headers must be less than
# this value.  This parameter cannot be set lower than its
# default: 32768
max-client-read = 32768

# This parameter specifies the maximum number of bytes to
# read in as content from the body of requests for use in
# dynurl, authentication, and request caching.
#
# 1) This impacts dynurl because the query portion of a
#    POST request URI is contained in the request body.
#
# 2) This impacts forms authentication, because this limits
#    the size of the POST data that will be processed
#    when performing such authentication.  For this reason,
#    WebSEAL sets a hard minimum of 512 bytes on
#    request-body-max-read. If this value is set below
#    that minimum, the setting will be ignored and the
#    minimum will be used.
#
# 3) This affects the amount of data that WebSEAL will cache
#    for users who must authenticate before their request can be
#    fulfilled.  This affects all request that have bodies
#    (POSTs, PUTs, etc.).
#
# This does not limit the max POST size (which is unlimited).
# SECURITY: WebSEAL therefore passes arbitrarily large request bodies through
# to the junctioned server; any upload-size limit has to be enforced there.
#
request-body-max-read = 4096

# When a user is prompted to authenticate before a request
# can be fulfilled, the data from that request is cached
# for processing after the completion of the authentication.
# The maximum amount of data cached per request is determined
# by request-max-cache.
# If you want to ensure that you will be caching all of
# request-body-max-read worth of the body of requests, you
# must account for the maximum size of all the other request
# components in this value.
# Example: If you want to cache 2048 bytes of request bodies
# and you anticipate that the maximum size of all request headers
# and cookies will be 4096 bytes, you would:
# 1)  set request-body-max-read = 2048
# 2)  set request-max-cache = 2048 + 4096 = 6144
request-max-cache = 8192

#----------------------
#  DYNURL
#----------------------

# Location of the URL -> protected object mapping file
# This path is relative to the server-root value in the [server] stanza
dynurl-map = lib/dynurl.conf

# Disallow/Allow POST requests larger than request-body-max-read.
# This parameter only takes effect if dynurl is enabled.
#
# WebSEAL is not able to compare the entire contents of a POST
# request to the URL mappings inside the dynurl.conf file if the body
# of the post is larger than request-body-max-read.
#
# If this option is set to "no", then WebSEAL will not
# allow POST requests with a body larger than request-body-max-read.
#
# If this option is set to "yes", then WebSEAL will compare only
# up to request-body-max-read bytes of a POST request to the URL mappings
# in the dynurl.conf file.
# SECURITY: keep "no". With "yes" the part of the body beyond
# request-body-max-read is never matched against dynurl.conf, so a
# protected mapping can be bypassed simply by padding the POST.
dynurl-allow-large-posts = no

# When reject-request-transfer-encodings is set to yes all requests
# to WebSEAL with a Transfer-Encoding value of anything other than
# identity will be rejected with a status of 501, Not Implemented.
# It is recommended for secure dynurl environments to set this to yes.
# Note that this also means any client sending a chunked request body
# receives a 501; only identity-encoded bodies are accepted.
reject-request-transfer-encodings = yes

#----------------------
# URI AND POST BODY DECODING
#----------------------

# If decode-query is set to "yes", WebSEAL will validate the query string
# in requests according to the utf8-qstring-support-enabled parameter.
# Otherwise, WebSEAL will not validate the query string.  If decode-query
# is set to "no" then dynurl must be disabled.
decode-query = yes

# Different portions of HTTP requests may be interpreted as either UTF-8 or
# local code page according to the configuration items in this section.  The
# options for each portion of the request are either to ensure that the data
# is UTF-8, ensure that the data is local codepage, or to accept either.
#
# If an option in this section is "yes", WebSEAL will ensure that the data
# in that portion of the request is UTF-8.
#
# If an option in this section is "no", WebSEAL will ensure that the data
# in that portion of the request is local codepage.
#
# If an option in this section is "auto", WebSEAL will first attempt to
# validate the data as UTF-8.  If the data is not UTF-8, then WebSEAL will
# ensure the data is local codepage.

# utf8-url-support-enabled controls how the location portion of the URI
# (the portion before any question mark character) is interpreted.
utf8-url-support-enabled = yes

# utf8-qstring-support-enabled controls how the query portion of the URI
# (the portion after the question mark character) is interpreted.  This also
# applies to the POST bodies of requests to junctions when dynurl is enabled.
# NOTE(review): the path is validated as UTF-8 above while the query string
# (and dynurl POST bodies) are validated as local code page here. Confirm this
# split is deliberate and that the junctioned applications decode the query
# the same way -- a decoding mismatch between the proxy and the backend is a
# classic way for an authorization check to see a different URL than the
# application does.
utf8-qstring-support-enabled = no

# utf8-form-support-enabled controls how form logins, password change
# requests, and other WebSEAL specific forms are parsed.
utf8-form-support-enabled = yes

# When double-byte-encoding is set to 'yes' WebSEAL will assume that URL's
# which contain encoding characters are always encoded in unicode, and will
# not contain UTF-8 encoded characters.
double-byte-encoding = no

#----------------------
# SUPPRESSING SERVER IDENTITY
#----------------------

# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
# Keeping both settings below at "yes" denies a scanner the exact proxy and
# backend product versions; it is hardening, not a substitute for patching.
suppress-server-identity = yes

# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
suppress-backend-server-identity = yes

#----------------------
# AUTH TOKEN VERSION
#----------------------

# [e-community-sso], [failover], [cdsso] all use a common method
# for generating tokens.  Version 4.1.0 has increased the security
# of these.  However, it is not backward compatible.  If you are
# integrating with earlier web servers you will need to enable this.
# SECURITY: leave at "no" unless a pre-4.1.0 peer really exists; "yes"
# falls back to the weaker token format for all three SSO mechanisms.
pre-410-compatible-tokens = no

# Version 5.1.0 tokens are formatted differently than tokens in prior releases.
# If you are integrating with earlier web servers you will need to enable this
# to ensure the integrity of data across [e-community-sso], [failover], and
# [cdsso].
pre-510-compatible-tokens = no

#----------------------
# P3P Compact Policy header
#----------------------
# If 'preserve-p3p-policy' is set to 'no' (default), then any P3P headers from
# junctioned servers will be replaced.
#
# If 'preserve-p3p-policy' is set to 'yes', then any P3P headers from junctioned
# servers will be preserved.
preserve-p3p-policy = no

#----------------------
# Network Interface
#----------------------
# Specify an alternative I.P. address to be used by this instance of WebSEAL.
# This allows two or more WebSEAL instances to run on the same machine
# while using differing I.P. addresses and host names.
# The example value 0.0.0.0 means every IPv4 address on the host; binding to a
# specific address is what actually separates co-hosted instances.
#
# network-interface = 0.0.0.0

#----------------------
# Filtering
#----------------------
# If preserve-base-href is no, then WebSEAL will remove all BASE HREF tags
# from filtered HTML documents and prepend the base tag to filtered links.
# Otherwise, the BASE HREF tag will be filtered.
preserve-base-href = yes

# To enable tag-based filtering of static URLs for new MIME types added
# to the [filter-content-types] stanza, change filter-nonhtml-as-xhtml to
# yes. Tag-based URL filtering operates without configuration changes
# for the text/html and text/vnd.wap.wml MIME types.
filter-nonhtml-as-xhtml = no

#---------------------
# TRACE method
#---------------------
# WebSEAL blocks the TRACE method by default for all requests
# to prevent a well-publicized security exploit (cross-site tracing, XST:
# TRACE echoes the request -- including Cookie and Authorization headers --
# back to the caller, letting injected script read credentials it otherwise
# could not).  Leave both switches below unset.
#
# To enable TRACE method requests for local resources set
# http-method-trace-enabled = yes
#
# To enable TRACE method requests for junctioned resources set
# http-method-trace-enabled-remote = yes

#---------------------
# Processing root junction requests
#---------------------
# Specify whether WebSEAL will attempt to process requests for resources
# located at the root ('/') junction before attempting to identify a
# junction point to send the request via junction mapping mechanisms
# such as the JMT or IV_JCT cookie.
#
# Avoiding root junction processing prevents processing being performed
# for incorrect resources before the intended resource is identified.
# This will have performance benefits and prevent false authorization or
# filetype check failures.
#
# Valid choices are:
#  never  - Root junction requests are never processed at the root junction.
#           That is, if a junction mapping mechanism is configured, such as
#           the JMT or IV_JCT cookie, WebSEAL will look for this junction
#           mapping information first (and look at the root junction last)
#           and process the request at the mapped junction point.
#
#  always - Always attempt to process requests for the root junction at the
#           root junction first before looking for a configured junction
#           mapping mechanism, such as the JMT or IV_JCT cookie.
#           This is not recommended unless the root junction serves a large
#           set of resources or no junction mapping mechanisms are configured
#           for the set of junctions served by this WebSEAL server.
#
#  filter - All root junction requests will be examined to determine whether
#           they start with the patterns specified in the [process-root-filter]
#           stanza.
#           If yes, the request will be processed at the root junction first.
#           If no, the request will be remapped immediately.
#
# With "never" the [process-root-filter] stanza below is not consulted.
process-root-requests = never

#---------------------
# IPv6 support
#---------------------
#
# Specify whether WebSEAL will support IPv6.
#
# Upon a new installation, WebSEAL supports IPv6 by default.  However, if
# WebSEAL is upgraded from a release previous to 6.0, then the upgrade
# process will change this value to 'no'.  This is to ensure backwards
# compatibility.
#
# Valid choices are:
#  yes - Support IPv6 and IPv4 networks (default setting).
#
#  no  - Only support IPv4 networks.
#
# When this is "yes", ip-support-level below must produce the generic
# attributes (generic-only or displaced-and-generic).
ipv6-support = yes

# ip-support-level determines the network attributes placed in credentials.
# WebSEAL version 6.0 introduces new improved attributes which displace
# the older attribute.  The new attributes are required when IPv6 support
# (ipv6-support) is enabled.  This entry can be set to one of displaced-only,
# generic-only, or displaced-and-generic.
#
# displaced-only:
# The default for migrated installations.  WebSEAL will only generate the
# displaced IPv4 attributes when building credentials and when authenticating
# users through CDAS modules.
#
# generic-only:
# The default for new installations.  WebSEAL will only generate the new generic
# (supports both IPv4 and IPv6) attributes when building credentials and when
# authenticating users through CDAS modules.
#
# displaced-and-generic:
# Both sets of attributes (displaced and generic) are created.
#
ip-support-level = generic-only

#---------------------
# max-login-failures policy compatibility
#---------------------
#
# When late-lockout-notification = no, WebSEAL will notify clients that their
# account has been locked out immediately.
# When late-lockout-notification = yes WebSEAL will operate in a pre-v6.0
# compatible mode for user registry max-login-failures policy behavior,
# and not notify users until their next request.
# The default for new installations is disabled (no).  The default for migrated
# installations is enabled (yes).
# Lockout is only as effective as the strike count behind it; see
# login-failures-persistent in the [ldap] stanza for multi-instance deployments.
late-lockout-notification = no


[process-root-filter]
# This stanza is only used if process-root-requests = filter
# (it is set to "never" in the [server] stanza above, so these entries are
# currently inactive).
# Request URLs starting with the following patterns will be processed at the
# root junction before attempting to remap the requests to a new junction point.
# Format is
#       root = <pattern>
# where <pattern> is a standard WebSEAL wildcard pattern.
# Repeating the key adds another pattern.
#
root = /index.html
root = /cgi-bin*


[interfaces]
###############################
# WEBSEAL INTERFACES
###############################
# The values from:
#   [server]
#     network-interface
#     http
#     http-port,
#     https,
#     https-port,
#     worker-threads
#   [ssl]
#     webseal-cert-keyfile-label
#   [certificate]
#     accept-client-certs
# are used to create the "default" interface.
#
# This stanza allows additional interfaces to be configured.
# Each extra interface is another listener with its own certificate and
# client-certificate policy, so review it with the same care as the
# [server]/[ssl] settings above.
#
# The format of each interfaces entry is:
#
#   <interface-name> = <interface-definition>
#
# (The placeholders on the format lines were lost when this page was
# extracted; see the WebSEAL Administration Guide for the exact
# interface-definition syntax.)

[header-names]
###############################
# HTTP Header Names
###############################

# server-name - This header can be used to pass the azn-api administration
# server name used with the "server task" command to junctioned applications.
# Leave this entry blank to disable the header.
# This discloses the administration server name to every junctioned
# application; blank it unless a backend actually consumes the header.
server-name = iv_server_name

[ldap]
###############################
# LDAP
###############################
# ldap-server-config      - Indicates the location of the ldap.conf file
#                           (set by configuration)
# prefer-readwrite-server - yes|no Indicates whether to select writable
#                           LDAP server when available
# auth-using-compare      - yes|no Indicates whether to perform
#                           authentication using LDAP bind or comparing password
# bind-dn                 - Indicates the Distinguished Name of the daemon
#                           (set by configuration)
# ssl-enabled             - yes|no Indicates whether SSL is enabled (set
#                           by configuration)
# ssl-keyfile             - Indicates path/filename of SSL keyfile (set by
#                           configuration)
# ssl-keyfile-dn          - Indicates the certificate label in the SSL
#                           keyfile, if any (set by configuration)
# default-policy-override-support
#                         - yes|no When "yes", no user Policy will
#                           be checked, only the default Policy is checked
#                           (saves some LDAP searches)
# user-and-group-in-same-suffix
#                         - yes|no When "yes", indicates that the groups are
#                           defined in the same LDAP suffix as the user
#                           (saves some LDAP searches)
# login-failures-persistent
#                         - yes|no When "yes", login strikes will be tracked
#                           in the registry instead of only in the local
#                           process cache.  Persistent login strike recording
#                           is more expensive but allows consistent login
#                           strike counting across multiple servers.
# cache-enabled           - yes|no Indicates whether to enable the local
#                           LDAP cache
#
# cache-enabled related configuration settings:
#
# cache-user-size         - (optional) The number of entries in the LDAP user
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 256.
# cache-group-size        - (optional) The number of entries in the LDAP group
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 64.
# cache-policy-size       - (optional) The number of entries in the LDAP policy
#                           cache.  Ignored if the cache is not enabled.  If
#                           not set, the default is 20.
# cache-user-expire-time  - (optional) The amount of time (in seconds) until a
#                           user entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 30 seconds.
# cache-group-expire-time - (optional) The amount of time (in seconds) until a
#                           group entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 300 seconds (5 minutes).
# cache-policy-expire-time
#                         - (optional) The amount of time (in seconds) until a
#                           policy entry in the cache is considered stale and is
#                           discarded.  Ignored if the cache is not enabled.
#                           If not set, the default is 30 seconds.
# cache-group-membership  - (optional) Indicates whether group membership
#                           information should be cached.  Ignored if the cache
#                           is not enabled.  If not set, the default is yes.
# cache-use-user-cache    - (optional) Indicates whether to use the user cache
#                           information or not.  Ignored if the cache is not
#                           enabled.  If not set, the default is yes.


ldap-server-config = /opt/PolicyDirector/etc/ldap.conf
prefer-readwrite-server = no
# Each authentication sends the user's password to the registry, whether as a
# bind or as a compare operation.
auth-using-compare = yes
# SECURITY: ssl-enabled = no means every WebSEAL <-> LDAP exchange with the
# host/port below -- including the user's password in each bind/compare --
# crosses the network in cleartext. Enable SSL here (ssl-enabled,
# ssl-keyfile, ssl-keyfile-dn) unless this link is confined to a dedicated,
# isolated network segment.
ssl-enabled = no
ssl-keyfile =
ssl-keyfile-dn =
#default-policy-override-support = no
#user-and-group-in-same-suffix = yes
# SECURITY: with the default "no", login strikes live only in this process.
# When more than one WebSEAL instance fronts the same registry, an attacker
# gets max-login-failures attempts per instance (and a fresh count after a
# restart); set "yes" in multi-instance deployments.
#login-failures-persistent = no

cache-enabled = yes
bind-dn = cn=default-webseald/webseal.ah.cmcc,cn=SecurityDaemons,secAuthority=Default
# The next three entries are not described in the key list above; they appear
# to be written by the configuration tooling (registry host and port).
enabled = yes
host = emis01.ah.cmcc
port = 10389

#cache-user-size = 256
#cache-group-size = 64
#cache-policy-size = 20
#cache-user-expire-time = 30
#cache-group-expire-time = 300
#cache-policy-expire-time = 30
#cache-group-membership = yes
#cache-use-user-cache = yes


[uraf-registry]
###############################
# DOMINO OR ACTIVE DIRECTORY
###############################
# Registry settings for a Domino or Active Directory user registry. With
# uraf-registry-config and bind-id both empty this registry appears unused;
# the [ldap] stanza above is the active registry for this instance.

uraf-registry-config =
bind-id =
cache-mode = enabled
cache-size = 251
# Cache lifetimes in seconds, per object type, as a ';'-separated list.
cache-lifetime = user:30;group:300;resgroup:3600;resource:3600;rescreds:300;

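[ssl]
###############################
# SSL
###############################

# This section contains entries that affect the behavior of the SSL
# components of WebSEAL.  These will affect both clients connecting
# via SSL as well as SSL junctions to backend systems.

# The first four parameters (webseal-cert-*) relate to the certificate
# keystore WebSEAL keeps for exchanging with browsers when negotiating
# SSL sessions.

# WebSEAL certificate keyfile
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb

# Password used to protect private keys in the keyfile.  The password
# can be stored in plain text or encrypted in a "stashfile".
# The stashfile is recommended, as it is more secure.
# If both password and stashfile are specified, the password will be used.
# SECURITY: because a plaintext *-pwd entry silently overrides the stash,
# keep webseal-cert-keyfile-pwd commented out; a password written here is
# readable by anyone who can read this file.
# webseal-cert-keyfile-pwd =
webseal-cert-keyfile-stash = /var/pdweb/www-default/certs/pdsrv.sth

# Label of key to use other than the default.
# The same certificate label must be given with -K when creating an SSL
# junction.
# SECURITY: the label "WebSEAL-Test-Only" identifies the installation's test
# certificate, not a production, CA-issued one. Browsers cannot validate it,
# users learn to click through warnings, and the server is easily
# impersonated. Install a CA-issued certificate for the public hostname and
# point this label at it before exposing the instance.
webseal-cert-keyfile-label = WebSEAL-Test-Only

# The next four parameters (ssl-keyfile-*) relate to the keystore WebSEAL
# uses for communicating with other Access Manager servers via SSL.  These
# parameters typically do not need to be modified other than by the
# configuration scripts.
ssl-keyfile = /var/pdweb/keytab-default/default-webseald.kdb

# Password used to protect private keys in the keyfile.  The password
# can be stored in plain text or encrypted in a "stashfile".
# The stashfile is recommended, as it is more secure.
# If both password and stashfile are specified, the password will be used.
# Keep ssl-keyfile-pwd commented out for the same reason as above.
#ssl-keyfile-pwd =
ssl-keyfile-stash = /var/pdweb/keytab-default/default-webseald.sth

# Label of key to use other than the default
# ssl-keyfile-label =
ssl-keyfile-label = PD Server

# Selectively disable SSL version support for browser connections.
# SECURITY: SSLv2 and SSLv3 are broken protocols (SSLv2 is prohibited by
# RFC 6176, SSLv3 by RFC 7568 after POODLE) and must stay disabled.
# TLS 1.0 is deprecated as well (RFC 8996) but is left enabled here because
# this configuration exposes no TLS 1.1/1.2 switch; disable it as soon as the
# GSKit level in use offers a newer protocol and the client base allows it.
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = no

# Session timeout for SSL v2 connections (range: 1-100 secs).
# Has no effect while disable-ssl-v2 = yes.
ssl-v2-timeout = 100

# Session timeout for SSL v3 connections (range: 1-86400 secs)
ssl-v3-timeout = 7200

# The maximum number of concurrent entries in the SSL cache
ssl-max-entries = 4096

# CRL Cache configuration.
# When gsk-crl-cache-size and gsk-crl-cache-entry-lifetime are
# both set to zero (which they are by default), CRL Caching will
# be disabled.
# This only matters if client certificates are accepted
# ([certificate] accept-client-certs); if they are, size the cache so
# revocation checks do not stall every handshake.

# The maximum number of entries in the GSKit CRL cache
# (must be > 0 to initialize CRL Caching)
gsk-crl-cache-size = 0

# Lifetime timeout for individual entries in the GSKit CRL cache
# (range: 0-86400 secs)
gsk-crl-cache-entry-lifetime = 0

# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.
# SECURITY: crl-ldap-user-password can only be stored in plaintext here;
# prefer anonymous (read-only) CRL access, and if a bind user is required,
# give it no rights beyond reading CRL attributes.

#crl-ldap-server =
#crl-ldap-server-port =
#crl-ldap-user =
#crl-ldap-user-password =

# The following four entries allow configuration of GSKit support
# for external PKCS#11 libraries.  For added protection the pkcs11-token-pwd
# can alternatively be specified obfuscated using:
# # pdadmin -l
# pdadmin local> config modify keyvalue set -obfuscate ssl pkcs11-token-pwd
# Warning: The plaintext value for pkcs11-token-pwd in this file will
#          override the obfuscated value.
#
# To enable PKCS#11 for symmetric algorithms, set
# pkcs11-symmetric-cipher-support to 'yes'.
# NOTE:
#   The PKCS#11 symmetric cipher support does not
#   include removable devices. If a removable device is encountered
#   it will be ignored even if the support has been requested.
#   Additionally, not all devices will support symmetric ciphers
#   please check your vendor documentation before usage.
#
#
#pkcs11-driver-path =
#pkcs11-token-label =
#pkcs11-token-pwd =
#pkcs11-symmetric-cipher-support = no

# The following two entries allow disabling of GSKit's automatic use
# of nCipher nForce/nFast or Rainbow CryptoSwift Hardware Accelerators via
# their RSA BSAFE interface.
disable-ncipher-bsafe = no
disable-rainbow-bsafe = no

# Determine the Cipher engine used by GSKit
# It can be one of Default, RSA, ICC.  Setting it to RSA will
# affect the settings possible for fips-mode-processing.
base-crypto-library = Default

# Configure FIPS mode processing.  GSKit will not allow it to be
# enabled (set to yes) if base-crypto-library = RSA.
fips-mode-processing = no

#
# local domain name.
#
ssl-local-domain = Default
ssl-auto-refresh = yes
ssl-listening-port = 7234
ssl-pwd-life = 183
ssl-authn-type = certificate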


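[junction]
###############################
# JUNCTION
###############################

# Location of the junction database
# This path is relative to the server-root value in the [server] stanza
junction-db = jct

# Location of the Junction to Request Mapping Table (JMT)
# This path is relative to the server-root value in the [server] stanza
jmt-map = lib/jmt.conf

# Timeout (in seconds) for sending to and reading from a TCP junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely.
# NOTE(review): 1200 s (20 minutes) per junction I/O lets a slow or hung
# backend hold a worker thread for a very long time; combined with the 100%
# hard limit below, one unhealthy junction can absorb the whole thread pool.
# Lower this, or set a per-junction hard limit, unless a backend genuinely
# needs 20-minute responses.
http-timeout = 1200

# Timeout (in seconds) for sending to and reading from an SSL junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely.
https-timeout = 1200

# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running.  This entry sets the interval,
# in seconds, between pings.
# Must be an integer greater than zero.
ping-time = 300

# Global password used when supplying basic authentication
# data over junctions created with the "-b supply" argument.
# SECURITY: this is the product's default value, and it is sent to every
# "-b supply" junction as the password part of the Basic credentials. The
# junctioned server must treat it as a placeholder and take identity from the
# WebSEAL-supplied headers (iv-user, iv-groups) instead; never configure a
# backend to accept this value as a real password, and change it from the
# default so that anyone who reads the product documentation cannot reuse it
# against a backend that is reachable without going through WebSEAL.
basicauth-dummy-passwd = password

# These values will limit the percentage of total worker threads processing
# requests for junctions.  The default of 100% means there is no
# limit.  When the "soft" limit is reached, WebSEAL will generate a warning
# message.  When the "hard" limit is reached, WebSEAL will generate an error
# message and return a 503, "Service Unavailable", result to the client browser
# instead of requesting the resource from the junction.
# This value can be overridden on a per junction basis using pdadmin.
worker-thread-hard-limit = 100
worker-thread-soft-limit = 90

# Buffer size for reading from and writing to a junction.
io-buffer-size = 4096

# Maximum size, in bytes, of WebSEAL generated HTTP Headers.
# Headers over this size will be split across multiple
# HTTP Headers.  A value of "0" disables this support.
max-webseal-header-size = 0

#----------------------
# SENDING DOMAIN COOKIES
#----------------------

# Allow WebSEAL to send domain cookies from a back-end to a client.
# If set to 'no', then WebSEAL will filter such cookies and only allow
# cookies that tail-match the WebSEAL server FQHN to be sent
# and WebSEAL will remove the Domain attribute from the cookie.
#
# If set to 'yes', domain cookies will be forwarded to the user.
allow-backend-domain-cookies = yes

# If allow-backend-domain-cookies is set to "yes", then this option will
# modify how WebSEAL validates the domain.
#
# If set to "yes" then domain cookies which adhere to the cookie
# specification will be forwarded to the user. If the FQHN of the
# originating backend machine is the domain, then the cookie will be
# forwarded to the user with no domain specified.
#
# If set to "no", then all domain cookies will be forwarded to the user,
# regardless of their content.
# SECURITY: keep "yes". With "no", a junctioned server could set cookies
# for domains unrelated to itself, and WebSEAL would relay them unchecked.
validate-backend-domain-cookies = yes

# If allow-backend-domain-cookies is set to "yes", then this option will
# modify how WebSEAL validates the domain. This option will have no effect
# if validate-backend-domain-cookies = no
#
# If set to "yes" then the domain cookie will be validated by comparing it
# with the virtual host specified for a backend server with the -v
# junction option.
#
# If set to "no", or if no virtual host was specified for a junction, then
# the FQHN will be compared with the domain value of a backend cookie for
# validation.
support-virtual-host-domain-cookies = yes

# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.
# (Same keys as in the [ssl] stanza; this copy applies to junction-side
# certificate checks.)

#crl-ldap-server =
#crl-ldap-server-port =
#crl-ldap-user =
#crl-ldap-user-password =

# Selectively disable SSL version support for junction connections.
# SECURITY: the proxy-to-backend hop carries the same session data and user
# identity headers as the browser hop, so SSLv2 and SSLv3 (RFC 6176 /
# RFC 7568) must stay disabled here too. TLS 1.0 remains enabled because no
# TLS 1.1/1.2 switch exists in this configuration; disable it once the GSKit
# level and every junctioned server support a newer protocol.
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = no

# When use-new-stateful-on-error is set to yes WebSEAL will choose a new
# stateful junction server for a user if the current one fails.  When it is
# set to no, WebSEAL will not choose a new stateful junction server for a
# user, instead it returns an error and future requests by the user will keep
# attempting to use this same stateful junction server (until the user
# restarts their browser or the junction server is deleted).
use-new-stateful-on-error = no

# When dont-reprocess-jct-404s = yes, WebSEAL will return 404 responses
# from junctions directly to clients.  When set to no, WebSEAL will
# assume the 404 is due to an unfiltered server relative link and
# will try to fix the problem by prepending a junction point to the URL
# in the request and sending the request again.  Setting this value to
# "no" provides backwards compatibility with TAM 5.1.
dont-reprocess-jct-404s = yes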

[illegal-url-substrings]
#----------------------
# ILLEGAL URL SUBSTRINGS
#----------------------
# WebSEAL will block HTTP requests with any of the substrings from this
# list in the URL.
#
# Format is:
#     substring = <string>
#
# Repeat the key once per substring. The single empty entry below appears to
# configure nothing (NOTE(review): confirm whether an empty value is ignored
# or matches every URL); this is a coarse filter, so do not rely on it as the
# primary control for known-bad paths -- protect them with ACLs instead.
substring =


[filter-url]
#----------------------
# DOCUMENT FILTERING
#----------------------
# URL attributes that the server will filter in responses from
# junctioned servers.
# Format is TAG = ATTRIBUTE (one line per attribute; a tag may repeat).
# Only attributes listed here are rewritten to carry the junction prefix;
# a backend-generated URL in an unlisted attribute reaches the browser
# unchanged and will not resolve through WebSEAL.
A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION

[filter-events]
#------------------------
# EVENT HANDLER FILTERING
#------------------------
# Specifies (TAG,EVENT-HANDLER) pairs that contain JavaScript requiring
# filtering of URL references.  Currently, only absolute URLs are
# supported.
#
# Format is TAG = EVENT-HANDLER (one line per handler; a tag may repeat).
# This rewrites junction URLs inside the listed handler attributes; it is a
# link-fixing mechanism, not a script sanitiser.
A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT

[filter-schemes]
#
# URLs with these schemes are not filtered in responses from junctioned
# servers.
#
# Notes and Exceptions:
# - HTTP: and HTTPS: are internally handled and will be ignored if present in
#   this list.
# - Webseald will filter URLs with a scheme matching one in this list if
#   the response from a junctioned server has a BASE tag HREF URL scheme the
#   same as the URLs.
# - If a URL in the response from a junctioned server does not have a scheme
#   from this list, and the scheme is not HTTP: or HTTPS:, then webseald will
#   assume the URL is the same scheme as the junctioned server (HTTP: or
#   HTTPS:) with its scheme missing.
# - The trailing ':' on scheme-name is optional, and if missing will be assumed.
#
# Format is:
#    scheme = <scheme-name>
#
# Repeat the key once per scheme.
scheme = file
scheme = ftp
scheme = mailto
scheme = news
scheme = telnet

[filter-content-types]
#
# Document content types that the server will filter in responses from
# junctioned servers.  If types besides text/html and text/vnd.wap.wml
# are added to this list then the option [script-filtering]script-filter
# should be set to 'yes'.
#
# Format is:
#    type = <mime-type>
#
# Repeat the key once per MIME type. Responses of any other type pass
# through unfiltered, which is why [filter-request-headers] strips
# accept-encoding: compressed bodies cannot be filtered at all.
type = text/html
type = text/vnd.wap.wml

[filter-request-headers]
#
# HTTP headers to filter from the client request before sending to the
# back-end web server.  Note that this list is in addition to headers
# that WebSEAL will always filter, eg iv-user, iv-groups.
# (Those always-filtered names are the identity headers WebSEAL itself
# injects; stripping client-supplied copies is what stops a caller from
# spoofing an identity to the backend.)
#
# Format is:
#   header = <header-name>
#
# The header name is case insensitive. Repeat the key once per header.
#
# The addition of "accept-encoding" to this list will prevent junctioned
# servers from returning compressed data to WebSEAL.  WebSEAL cannot
# filter compressed data.
header = accept-encoding


[script-filtering]
# When script filtering support is enabled, filtering of
# absolute urls between html
