IBM WebSeal实例配置文件webseald-实例名.conf
#
# FILENAME
# webseald.conf
#
# DESCRIPTION
# Configuration file for the Access Manager WebSEAL server (webseald)
#
[server]
###############################
# WEBSEAL GENERAL
###############################
#----------------------
# SYSTEM
#----------------------
# WebSEAL instance UNIX user account
unix-user = ivmgr
# WebSEAL instance UNIX group account
unix-group = ivmgr
# PID file
unix-pid-file = /var/pdweb/log/webseald-default.pid
#Root directory for the webserver
server-root = /opt/pdweb/www-default
# WebSEAL server instance name. Typically, this is based on the hostname of the
# machine and the instance name of the server.
server-name = webseal.ah.cmcc-default
# If web-host-name is set WebSEAL will use this for the server's hostname. If
# left unset WebSEAL will attempt to automatically determine the server's
# hostname. On systems with many hostnames, interfaces or WebSEAL instances
# the automatic determination may not always be correct requiring this manual
# setting.
# web-host-name = www.webseal.com
#----------------------
# THREADS AND CONNECTIONS
#----------------------
# Number of WebSEAL worker threads
# The number of configured worker threads specifies the number of
# concurrent incoming requests that can be serviced by this server
# instance. Choosing the optimal number depends on the quantity
# and type of traffic on your network. Modifying this value should
# be done carefully to ensure optimal performance. Please consult
# the WebSEAL Administration Guide for further information.
worker-threads = 50
# Initial client connection timeout (seconds)
client-connect-timeout = 120
# HTTP/1.1 persistent connection timeout (seconds)
# This only affects connections to clients, not backend systems.
persistent-con-timeout = 5
# Intra-request timeout (seconds)
# Timeout between data received or sent for a given request,
# but not the first read. When this value is non-zero, it
# also enables timeouts on http writes to clients and causes
# a TCP RST packet to be sent if a connection timeout occurs
# on the non-first data I/O. When this value is zero, the
# client-connection-timeout is used instead.
intra-connection-timeout = 60
# Allow WebSEAL to write chunked data to HTTP/1.1 clients. This can
# improve performance by allowing connections to be reused even when
# exact response length is not known before the response is written.
chunk-responses = yes
#----------------------
# HTTPS CLIENT
#----------------------
# Allow HTTPS access
https = yes
# Port to user for HTTPS requests
https-port = 443
#----------------------
# HTTP CLIENT
#----------------------
# Allow (unsecure) TCP HTTP access
http = yes
# Port to use for unsecure HTTP requests
http-port = 80
#----------------------
# REQUEST BODIES AND CACHING
#----------------------
# This parameter specifies the maximum number of bytes that
# WebSEAL will read from a client when parsing an HTTP request.
# The total size of the URL and HTTP headers must be less than
# this value. This parameter cannot be set lower than it's
# default: 32768
max-client-read = 32768
# This parameter specifies the maximum number of bytes to
# read in as content from the body of requests for use in
# dynurl, authentication, and request caching.
#
# 1) This impacts dynurl because the query portion of a
# POST request URI is contained in the request body.
#
# 2) This impacts forms authentication, because this limits
# the size of the POST data that will be processed
# when performing such authentication. For this reason,
# WebSEAL sets a hard minimum of 512 bytes on
# request-body-max-read. If this value is set below
# that minimum, the setting will be ignored and the
# minimum will be used.
#
# 3) This affects the amount of data that WebSEAL will cache
# for users who must authenticate before their request can be
# fulfilled. This affects all request that have bodies
# (POSTs, PUTs, etc.).
#
# This does not limit the max POST size (which is unlimited).
#
request-body-max-read = 4096
# When a user is prompted to authenticate before a request
# can be fulfilled, the data from that request is cached
# for processing after the completion of the authentication.
# The maximum amount of data cached per request is determined
# by request-max-cache.
# If you want to ensure that you will be caching all of
# request-body-max-read worth of the body of requests, you
# must account for the maximum size of all the other request
# components in this value.
# Example: If you want to cache 2048 bytes of request bodies
# and you anticipate that the maximum size of all request headers
# and cookies will be 4096 bytes, you would:
# 1) set request-body-max-read = 2048
# 2) set request-max-cache = 2048 + 4096 = 6144
request-max-cache = 8192
#----------------------
# DYNURL
#----------------------
# Location of the URL -> protected object mapping file
# This path is relative to the server-root value in the [server] stanza
dynurl-map = lib/dynurl.conf
# Disallow/Allow POST requests larger than request-body-max-read.
# This parameter only takes effect if dynurl is enabled.
#
# WebSEAL is not able to compare the entire contents of a POST
# request to the URL mappings inside the dynurl.conf file if the body
# of the post is larger than request-body-max-read.
#
# If this option is set to "no", then WebSEAL will not
# allow POST requests with a body larger than request-body-max-read.
#
# If this option is set to "yes", then WebSEAL will compare only
# up to request-body-max-read bytes of a POST request to the URL mappings
# in the dynurl.conf file.
dynurl-allow-large-posts = no
# When reject-request-transfer-encodings is set to yes all request
# to WebSEAL with a Transfer-Encoding value of anything other than
# identity will be rejected with a status of 501, Not Implemented.
# It is recomended for secure dynurl environments to set this to yes.
reject-request-transfer-encodings = yes
#----------------------
# URI AND POST BODY DECODING
#----------------------
# If decode-query is set to "yes", WebSEAL will validate the query string
# in requests according to the utf8-qstring-support-enabled parameter.
# Otherwise, WebSEAL will not validate the query string. If decode-query
# is set to "no" then dynurl must be disabled.
decode-query = yes
# Different portions of HTTP requests may be interpreted as either UTF-8 or
# local code page according to the configuration items in this section. The
# options for each portion of the request are either to ensure that the data
# is UTF-8, ensure that the data is local codepage, or to accept either.
#
# If an option in this section is "yes", WebSEAL will ensure that the data
# in that portion of the request is UTF-8.
#
# If an option in this section is "no", WebSEAL will ensure that the data
# in that portion of the request is local codepage.
#
# If an option in this section is "auto", WebSEAL will first attempt to
# validate the data as UTF-8. If the data is not UTF-8, then WebSEAL will
# ensure the data is local codepage.
# utf8-url-support-enabled controls how the location portion of the URI
# (the portion before any question mark character) is intepreted.
utf8-url-support-enabled = yes
# utf8-qstring-support-enabled controls how the query portion of the URI
# (the portion after the question mark character) is interpreted. This also
# applies to the POST bodies of requests to junctions when dynurl is enabled.
utf8-qstring-support-enabled = no
# utf8-forms-support-enabled option controls how form logins, password change
# requests, and other WebSEAL specific forms are parsed.
utf8-form-support-enabled = yes
# When double-byte-encoding is set to 'yes' WebSEAL will assume that URL's
# which contain encoding characters are always encoded in unicode, and will
# not contain UTF-8 encoded characters.
double-byte-encoding = no
#----------------------
# SUPPRESSING SERVER IDENTITY
#----------------------
# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
suppress-server-identity = yes
# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
suppress-backend-server-identity = yes
#----------------------
# AUTH TOKEN VERSION
#----------------------
# [e-community-sso], [failover], [cdsso] all use a common method
# for generating tokens. Version 4.1.0 has increased the security
# of these. However, it is not backward compatible. If you are
# integrating with earlier web servers you will need to enable this.
pre-410-compatible-tokens = no
# Version 5.1.0 tokens are formatted differently then tokens in prior releases.
# If you are integrating with earlier web servers you will need to enable this
# to ensure the integrity of data across [e-community-sso], [failover], and
# [cdsso].
pre-510-compatible-tokens = no
#----------------------
# P3P Compact Policy header
#----------------------
# If 'preserve-p3p-policy' is set to 'no' (default), then any P3P headers from
# junctioned servers will be replaced.
#
# If 'preserve-p3p-policy' is set to 'yes', then any P3P headers from junctioned
# servers will be preserved.
preserve-p3p-policy = no
#----------------------
# Network Interface
#----------------------
# Specify an alternative I.P. address to be used by this instance of WebSEAL.
# This allows two or more WebSEAL instances to run on the same machine
# while using differing I.P. addresses and host names.
#
# network-interface = 0.0.0.0
#----------------------
# Filtering
#----------------------
# If preserve-base-href is no, then WebSEAL will remove all BASE HREF tags
# from filtered HTML documents and prepend the base tag to filtered links.
# Otherwise, the BASE HREF tag will be filtered.
preserve-base-href = yes
# To enable tag-based filtering of static URLs for new MIME types added
# to the [filter-content-types] stanza, change filter-nonhtml-as-xhtml to
# yes. Tag-based URL filtering operates without configuration changes
# for the text/html and text/vnd.wap.wml MIME types.
filter-nonhtml-as-xhtml = no
#---------------------
# TRACE method
#---------------------
# WebSEAL blocks the TRACE method by default for all requests
# to prevent a well-publicized security exploit.
#
# To enable TRACE method requests for local resources set
# http-method-trace-enabled = yes
#
# To enable TRACE method requests for junctioned resources set
# http-method-trace-enabled-remote = yes
#---------------------
# Processing root junction requests
#---------------------
# Specify whether WebSEAL will attempt to process requests for resources
# located at the root ('/') junction before attempting to identify a
# junction point to send the request via junction mapping mechanisms
# such as the JMT or IV_JCT cookie.
#
# Avoiding root junction processing prevents processing being performed
# for incorrect resources before the intended resource is identified.
# This will have performance benefits and prevent false authorization or
# filetype check failures.
#
# Valid choices are:
# never - Root junction requests are never processed at the root junction.
# That is, if a junction mapping mechanism is configured, such as
# the JMT or IV_JCT cookie, WebSEAL will look for this junction
# mapping information first (and look at the root junction last)
# and process the request at the mapped junction point.
#
# always - Always attempt to process requests for the root junction at the
# root junction first before looking for a configured junction
# mapping mechanism, such as the JMT or IV_JCT cookie.
# This is not recommended unless the root junction serves a large
# set of resources or no junction mapping mechanisms are configured
# for the set of junctions served by this WebSEAL server.
#
# filter - All root junction requests will be examined to determine whether
# they start with the patterns specified in the process-root-filter
# stanza.
# If yes, the request will be processed at the root junction first.
# If no, the request will be remapped immediately.
#
process-root-requests = never
#---------------------
# IPv6 support
#---------------------
#
# Specify whether WebSEAL will support IPv6.
#
# Upon a new installation, WebSEAL supports IPv6 by default. However, if
# WebSEAL is upgraded from a release previous to 6.0, then the upgrade
# process will change this value to 'no'. This is to ensure backwards
# compatibility.
#
# Valid choices are:
# yes - Support IPv6 and IPv4 networks (default setting).
#
# no - Only support IPv4 networks.
#
ipv6-support = yes
# ip-support-level determines the network attributes placed in credentials.
# WebSEAL version 6.0 introduces new improved attributes which displace
# the older attribute. The new attributes are required when IPv6 support
# (ipv6-support) is enabled. This entry can be set to one of displaced-only,
# generic-only, or displaced-and-generic.
#
# displaced-only:
# The default for migrated installations. WebSEAL will only generate the
# displaced IPv4 attributes when building credentials and when authenticating
# users through CDAS modules.
#
# generic-only:
# The default for new installations. WebSEAL will only generate the new generic
# (supports both IPv4 and IPv6) attributes when building credentials and when
# authenticating users through CDAS modules.
#
# displaced-and-generic:
# Both sets of attributes (displaced and generic) are created.
#
ip-support-level = generic-only
#---------------------
# max-login-failures policy compatibility
#---------------------
#
# When late-lockout-notification = no, WebSEAL will notify clients that their
# account has been locked out immediately.
# When late-lockout-notification = yes WebSEAL will operate in a pre-v6.0
# compatible mode for user registry max-login-failures policy behavior,
# and not notify users until their next request.
# The default for new installations is disabled (no). The default for migrated
# installations is enabled (yes).
late-lockout-notification = no
[process-root-filter]
# This stanza is only used if process-root-requests = filter
# Request URLs starting with the following patterns will be processed at the
# root junction before attempting to remap the requests to a new junction point.
# Format is
# root =
# where
#
root = /index.html
root = /cgi-bin*
[interfaces]
###############################
# WEBSEAL INTERFACES
###############################
# The values from:
# [server]
# network-interface
# http
# http-port,
# https,
# https-port,
# worker-threads
# [ssl]
# webseal-cert-keyfile-label
# [certificate]
# accept-client-certs
# are used to create the "default" interface.
#
# This stanza allows additional interfaces to be configured.
#
# The format of each interfaces entry is:
#
#
#
[header-names]
###############################
# HTTP Header Names
###############################
# server-name - This header can be used to pass the azn-api administration
# server name used with the "server task" command to junctioned applications.
# Leave this entry blank to disable the header.
server-name = iv_server_name
[ldap]
###############################
# LDAP
###############################
# ldap-server-config - Indicates the location of the ldap.conf file
# (set by configuration)
# prefer-readwrite-server - yes|no Indicates whether to select writable
# LDAP server when available
# auth-using-compare - yes|no Indicates whether to perform
# authentication using LDAP bind or comparing password
# bind-dn - Indicates the Distinguished Name of the daemon
# (set by configuration)
# ssl-enabled - yes|no Indicates whether SSL is enabled (set
# by configuration)
# ssl-keyfile - Indicates path/filename of SSL keyfile (set by
# configuration)
# ssl-keyfile-dn - Indicates the certificate label in the SSL
# keyfile, if any (set by configuration)
# default-policy-override-support
# - yes|no When "yes", no user Policy will
# be checked, only the default Policy is checked
# (saves some LDAP searches)
# user-and-group-in-same-suffix
# - yes|no When "yes", indicates that the groups are
# defined in the same LDAP suffix as the user
# (saves some LDAP searches)
# login-failures-persistent
# - yes|no When "yes", login strikes will be tracked
# in the registry instead of only in the local
# process cache. Persistent login strike recording
# is more expensive but allows consistent login
# strike counting across multiple servers.
# cache-enabled - yes|no Indicates whether to enable the local
# LDAP cache
#
# cache-enabled related configuration settings:
#
# cache-user-size - (optional) The number of entries in the LDAP user
# cache. Ignored if the cache is not enabled. If
# not set, the default is 256.
# cache-group-size - (optional) The number of entries in the LDAP group
# cache. Ignored if the cache is not enabled. If
# not set, the default is 64.
# cache-policy-size - (optional) The number of entries in the LDAP policy
# cache. Ignored if the cache is not enabled. If
# not set, the default is 20.
# cache-user-expire-time - (optional) The amount of time (in seconds) until a
# user entry in the cache is considered stale and is
# discarded. Ignored if the cache is not enabled.
# If not set, the default is 30 seconds.
# cache-group-expire-time - (optional) The amount of time (in seconds) until a
# group entry in the cache is considered stale and is
# discarded. Ignored if the cache is not enabled.
# If not set, the default is 300 seconds (5 minutes).
# cache-policy-expire-time
# - (optional) The amount of time (in seconds) until a
# policy entry in the cache is considered stale and is
# discarded. Ignored if the cache is not enabled.
# If not set, the default is 30 seconds.
# cache-group-membership - (optional) Indicates whether group membership
# information should be cached. Ignored if the cache
# is not enabled. If not set, the default is yes.
# cache-use-user-cache - (optional) Indicates whether to use the user cache
# information or not. Ignored if the cache is not
# enabled. If not set, the default is yes.
ldap-server-config = /opt/PolicyDirector/etc/ldap.conf
prefer-readwrite-server = no
auth-using-compare = yes
ssl-enabled = no
ssl-keyfile =
ssl-keyfile-dn =
#default-policy-override-support = no
#user-and-group-in-same-suffix = yes
#login-failures-persistent = no
cache-enabled = yes
bind-dn = cn=default-webseald/webseal.ah.cmcc,cn=SecurityDaemons,secAuthority=Default
enabled = yes
host = emis01.ah.cmcc
port = 10389
#cache-user-size = 256
#cache-group-size = 64
#cache-policy-size = 20
#cache-user-expire-time = 30
#cache-group-expire-time = 300
#cache-policy-expire-time = 30
#cache-group-membership = yes
#cache-use-user-cache = yes
[uraf-registry]
###############################
# DOMINO OR ACTIVE DIRECTORY
###############################
uraf-registry-config =
bind-id =
cache-mode = enabled
cache-size = 251
cache-lifetime = user:30;group:300;resgroup:3600;resource:3600;rescreds:300;
[ssl]
###############################
# SSL
###############################
# This section contains entries that affect the behavior of the SSL
# components of WebSEAL. These will affect both clients connecting
# via SSL as well as SSL junctions to backend systems.
# The first four parameters (webseal-cert-*) relate to the certificate
# keystore WebSEAL keep for exchanging with browsers when negotiating
# SSL sessions.
# WebSEAL certificate keyfile
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
# Password used to protect private keys in the keyfile. The password
# can be stored in plain text or encrypted in a "stashfile".
# The stashfile is recommended, as it is more secure.
# If both password and stashfile are specified, the password will be used.
# webseal-cert-keyfile-pwd =
webseal-cert-keyfile-stash = /var/pdweb/www-default/certs/pdsrv.sth
# Label of key to use other than the default;创建ssl联结时需要指定证书标签(-K)
webseal-cert-keyfile-label = WebSEAL-Test-Only
# The next four parameters (ssl-keyfile-*) relate to the keystore WebSEAL
# uses for communicating with other Access Manager servers via SSL. These
# parameters typically do not need to be modified other than by the
# configuration scripts.
ssl-keyfile = /var/pdweb/keytab-default/default-webseald.kdb
# Password used to protect private keys in the keyfile. The password
# can be stored in plain text or encrypted in a "stashfile".
# The stashfile is recommended, as it is more secure.
# If both password and stashfile are specified, the password will be used.
#ssl-keyfile-pwd =
ssl-keyfile-stash = /var/pdweb/keytab-default/default-webseald.sth
# Label of key to use other than the default
# ssl-keyfile-label =
ssl-keyfile-label = PD Server
# Selectively disable SSL version support for browser connections
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
# Session timeout for SSL v2 connections (range: 1-100 secs)
ssl-v2-timeout = 100
# Session timeout for SSL v3 connections (range: 1-86400 secs)
ssl-v3-timeout = 7200
# The maximum number of concurrent entries in the SSL cache
ssl-max-entries = 4096
# CRL Cache configuration.
# When gsk-crl-cache-size and gsk-crl-cache-entry-lifetime are
# both set to zero (which they are by default), CRL Caching will
# be disabled.
# The maximum number of entries in the GSKit CRL cache
# (must be > 0 to initialize CRL Caching)
gsk-crl-cache-size = 0
# Lifetime timeout for individual entries in the GSKit CRL cache
# (range: 0-86400 secs)
gsk-crl-cache-entry-lifetime = 0
# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.
#crl-ldap-server =
#crl-ldap-server-port =
#crl-ldap-user =
#crl-ldap-user-password =
# The following four entries allow configuration of GSKit support
# for external PKCS#11 libraries. For added protection the pkcs11-token-pwd
# can alternatively be specified obfuscated using:
# # pdadmin -l
# pdadmin local> config modify keyvalue set -obfuscate
# Warning: The plaintext value for pkcs11-token-pwd in this file will
# override the obfuscated value.
#
# To enable PKCS#11 for symmetric algorithms, set
# pkcs11-symmetric-cipher-support to 'yes'.
# NOTE:
# The PCKS#11 symmetric cipher support does not
# include removable devices. If a removable device is encountered
# it will be ignored even if the support has been requested.
# Additionally, not all devices will support symmetric ciphers
# please check your vendor documentation before usage.
#
#
#pkcs11-driver-path =
#pkcs11-token-label =
#pkcs11-token-pwd =
#pkcs11-symmetric-cipher-support = no
# The following two entries allow disabling of GSKit's automatic use
# of nCipher nForce/nFast or Rainbow CryptoSwift Hardware Accelerators via
# their RSA BSAFE interface.
disable-ncipher-bsafe = no
disable-rainbow-bsafe = no
# Determine the Cipher engine used by GSKit
# It can be one of Default, RSA, ICC. Setting it to RSA will
# affect the settings possible for fips-mode-processing.
base-crypto-library = Default
# Configure FIPS mode processing. GSKit will not allow it to be
# enabled (set to yes) if base-crypto-library = RSA.
fips-mode-processing = no
#
# local domain name.
#
ssl-local-domain = Default
ssl-auto-refresh = yes
ssl-listening-port = 7234
ssl-pwd-life = 183
ssl-authn-type = certificate
[junction]
###############################
# JUNCTION
###############################
# Location of the junction database
# This path is relative to the server-root value in the [server] stanza
junction-db = jct
# Location of the Junction to Request Mapping Table (JMT)
# This path is relative to the server-root value in the [server] stanza
jmt-map = lib/jmt.conf
# Timeout (in seconds) for sending to and reading from a TCP junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely.
http-timeout = 1200
# Timeout (in seconds) for sending to and reading from an SSL junction.
# Must be an integer greater than or equal to zero.
# A value of zero will cause WebSEAL to wait indefinitely.
https-timeout = 1200
# The WebSEAL server performs a periodic background 'ping' of each junctioned
# Web server, to determine whether it is running. This entry sets the interval,
# in seconds, between pings.
# Must be an integer greater than zero.
ping-time = 300
# Global password used when supplying basic authentication
# data over junctions created with the "-b supply" argument.
basicauth-dummy-passwd = password
# These values will limit the percentage of total worker threads processing
# requests for junctions. The default of 100% means there is no
# limit. When the "soft" limit is reached, WebSEAL will generate a warning
# message. When the "hard" limit is reached, WebSEAL will generate an error
# message and return a 503, "Service Unavailable", result to the client browser
# instead of requesting the resource from the junction.
# This value can be overridden on a per junction basis using pdadmin.
worker-thread-hard-limit = 100
worker-thread-soft-limit = 90
# Buffer size for reading from and writing to a junction.
io-buffer-size = 4096
# Maximum size, in bytes, of WebSEAL generated HTTP Headers.
# Headers over this size will be split across multiple
# HTTP Headers. A value of "0" disables this support.
max-webseal-header-size = 0
#----------------------
# SENDING DOMAIN COOKIES
#----------------------
# Allow WebSEAL to send domain cookies from a back-end to a client.
# If set to 'no', then WebSEAL will filter such cookies and only allow
# cookies that tail-match the WebSEAL server FQHN to be sent
# and WebSEAL will remove the Domain attribute from the cookie.
#
# If set to 'yes', domain cookies will be forwarded to the user.
allow-backend-domain-cookies = yes
# If allow-backend-domain-cookies is set to "yes", then this option will
# modify how WebSEAL validates the domain.
#
# If set to "yes" then domain cookies which adhere to the cookie
# specification will be forwarded to the user. If the FQHN of the
# originating backend machine is the domain, then the cookie will be
# forwarded to the user with no domain specified.
#
# If set to "no", then all domain cookies will be forwarded to the user,
# regardless of their content.
validate-backend-domain-cookies = yes
# If allow-backend-domain-cookies is set to "yes", then this option will
# modify how WebSEAL validates the domain. This option will have no effect
# if validate-backend-domain-cookies = no
#
# If set to "yes" then the domain cookie will be validated by comparing it
# with the virtual host specified for a backend server with the -v
# junction option.
#
# If set to "no", or if no virtual host was specified for a junction, then
# the FQHN will be compared with the domain value of a backend cookie for
# validation.
support-virtual-host-domain-cookies = yes
# The following block of entries enables the configuration of an LDAP
# server to be referenced for CRL checking during SSL authentication.
# A null value for crl-ldap-user indicates that the SSL authenticator
# should bind to the LDAP server anonymously.
#crl-ldap-server =
#crl-ldap-server-port =
#crl-ldap-user =
#crl-ldap-user-password =
# Selectively disable SSL version support for junction connections
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
# When use-new-stateful-on-error is set to yes WebSEAL will choose a new
# stateful junction server for a user if the current one fails. When it is
# set to of no, WebSEAL will not choose a new stateful junction server for a
# user, instead it returns an error and future requests by the user will keep
# attempting to use this same stateful junction server (until the user
# restarts their browser or the junction server is deleted).
use-new-stateful-on-error = no
# When dont-reprocess-jct-404s = yes, WebSEAL will return 404 responses
# from junctions directly to clients. When set to no, WebSEAL will
# assume the 404 is due to an unfiltered server relative link and
# will try to fix the problem by prepending a junction point to the URL
# in the request and sending the request again. Setting this value to
# "no" provides backwards compatibility with TAM 5.1.
dont-reprocess-jct-404s = yes
[illegal-url-substrings] [filter-events] [filter-schemes] [filter-content-types] [filter-request-headers]
#----------------------
# ILLEGAL URL SUBSTRINGS
#----------------------
# WebSEAL will block HTTP requests with any of the substrings from this
# list in the URL.
#
# Format is:
# substring =
#
substring =
[filter-url]
#----------------------
# DOCUMENT FILTERING
#----------------------
# URL attributes that the server will filter in responses from
# junctioned servers.
# Format is
A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION
#------------------------
# EVENT HANDLER FILTERING
#------------------------
# Specifies (TAG,EVENT-HANDLER) pairs that contain JavaScript requiring
# filtering of URL references. Currently, only absolute URLs are
# supported.
#
# Format is
A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT
#
# URLs with these schemes are not filtered in responses from junctioned
# servers.
#
# Notes and Exceptions:
# - HTTP: and HTTPS: are internally handled and will be ignored if present in
# this list.
# - Webseald will filter URLs with a scheme matching one in this list if
# the response from a junctioned server has a BASE tag HREF URL scheme the
# same as the URLs.
# - If a URL in the response from a junctioned server does not have a scheme
# from this list, and the scheme is not HTTP: or HTTPS:, then webseald will
# assume the URL is the same scheme as the junctioned server (HTTP: or
# HTTPS:) with it's scheme missing.
# - The trailing ':' on scheme-name is optional, and if missing will be assumed.
#
# Format is:
# scheme =
#
scheme = file
scheme = ftp
scheme = mailto
scheme = news
scheme = telnet
#
# Document content types that the server will filter in responses from
# junctioned servers. If types besides text/html and text/vnd.wap.wml
# are added to this list then the option [script-filtering]script-filter
# should be set to 'yes'.
#
# Format is:
# type =
#
type = text/html
type = text/vnd.wap.wml
#
# HTTP headers to filter from the client request before sending to the
# back-end web server. Note that this list is in addition to headers
# that WebSEAL will always filter, eg iv-user, iv-groups.
#
# Format is:
# header =
#
# The header name is case insensitive.
#
# The addition of "accept-encoding" to this list will prevent junctioned
# servers from returning compressed data to WebSEAL. WebSEAL cannot
# filter compressed data.
header = accept-encoding
[script-filtering]
# When script filtering support is enabled, filtering of
# absolute urls between html