Syntax
name = domain
Description
The e-community cookie domains used by virtual host junctions. The domain used by a particular virtual host junction is chosen by finding the longest domain in the table that matches the virtual host name. Each of these domains must also have a corresponding table of keys defined by creating a stanza of the format [e-community-domain-keys:domain].
Options
domain The e-community cookie domain used by virtual host junctions.
Usage
This stanza entry is optional.
Default value
None.
Example
name = www.example.com

[e-community-domain-keys] stanza
domain_name
Syntax
domain_name = key_file
Description
File names for keys for any domains that are participating in the e-community. This includes the domain in which the WebSEAL server is running. These are shared on a pair-wise-by-domain basis.
Options
domain_name
A domain that is participating in the e-community.
key_file
File name for key for any domain that is participating in the e-community.
Usage
Default value
None.
Example
ecssoserver.subnet.example.com = ecsso.key

[e-community-domain-keys:domain] stanza
domain_name
Syntax
domain_name = key_file
Description
Keys for any domains that are participating in the e-community, including the domain in which the virtual host junction is running. These are shared on a pair-wise-by-domain basis.
Options
domain_name
Domain that is participating in the e-community, including the domain in which the virtual host junction is running.
key_file
Key for any domain that is participating in the e-community, including the domain in which the virtual host junction is running.
Usage
This stanza entry is optional.
Default value
None.
Example
[e-community-domain-keys:www.example.com]
ecssoserver.subnet.example.com = ecsso.key

[e-community-sso] stanza
cache-requests-for-ecsso
Syntax
cache-requests-for-ecsso = {yes|no}
Description
Specifies whether or not to cache request data from an unauthenticated request while the e-community master authentication server (MAS) authenticates the user.
Options
yes If an unauthenticated request is made, the request data is cached while the e-community master authentication server (MAS) authenticates the user.
no If an unauthenticated request is made, the request data is not cached while the e-community master authentication server (MAS) authenticates the user. The original request data will be lost.
Usage
This stanza entry is required.
Default value
yes
Example
cache-requests-for-ecsso = yes

e-community-name
Syntax
e-community-name = name
Description
String value that specifies an e-community name. When e-community single signon is supported, this name must match any vouch-for tokens or e-community cookies that are received.
Options
name String value that specifies an e-community name. The string must not contain the equals sign ( = ) or ampersand ( & ).
Usage
This stanza entry is optional.
Default value
None.
Example
e-community-name = company1

disable-ec-cookie
Syntax
disable-ec-cookie = {yes|no}
Description
Provides an option to override default e-Community Single Sign-On (eCSSO) behavior and prohibit WebSEAL from using e-community-cookies.
Options
yes Prohibits WebSEAL from using the e-community-cookie; only the master authentication server (MAS) will be permitted to generate vouch-for tokens.
no The default eCSSO behavior in WebSEAL is left unchanged.
Usage
This stanza entry is optional.
Default value
no
Example
disable-ec-cookie = no

e-community-sso-auth
Syntax
e-community-sso-auth = {none|http|https|both}
Description
Enables participation in e-community single signon.
Options
{none|http|https|both}
Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
none
Example
e-community-sso-auth = none

ec-cookie-domain
Syntax
ec-cookie-domain = domain
Description
Domain used for the e-community cookie. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
Options
domain Domain used for the e-community cookie. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
Usage
If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
Default value
None.
Example
ec-cookie-domain = www.example.com

ec-cookie-lifetime
Syntax
ec-cookie-lifetime = number_of_minutes
Description
Positive integer value indicating the lifetime of an e-community cookie.
Options
number_of_minutes
Positive integer value indicating the lifetime, in minutes, of an e-community cookie. Minimum value is 1. There is no maximum value.
Usage
This stanza entry is required.
Default value
300
Example
ec-cookie-lifetime = 300

ecsso-allow-unauth
Syntax
ecsso-allow-unauth = {yes|no}
Description
Enables or disables unauthenticated access to unprotected resources on an e-community SSO slave server.
Options
no The value no disables access. For compatibility with versions of WebSEAL prior to version 5.1, set this value to no.
Usage
This stanza entry is required.
Default value
yes
Example
ecsso-allow-unauth = yes

ecsso-propagate-errors
Syntax
ecsso-propagate-errors = {yes|no}
Description
Specifies whether authentication errors returned by the master-authn-server in vouch-for tokens are propagated to the ERROR_CODE and ERROR_TEXT macros used by facilities such as local response redirect.
Options
yes Authentication errors are propagated to ERROR_CODE and ERROR_TEXT macros.
no Authentication errors are not propagated to ERROR_CODE and ERROR_TEXT macros.
Usage
This stanza entry is required.
Default value
no
Example
ecsso-propagate-errors = no

handle-auth-failure-at-mas
Syntax
handle-auth-failure-at-mas = {yes|no}
Description
Provides an option to override default eCSSO behavior and allow the MAS to handle login failures without redirecting the Web browser back to the requesting host.
Options
yes Enables the MAS to handle login failures directly without redirecting the Web browser back to the requesting host.
no The default eCSSO behavior in WebSEAL is left unchanged. On a login failure, the MAS will generate a vouch-for token and redirect the Web browser back to the requesting host.
Usage
This stanza entry is optional.
Default value
no
Example
handle-auth-failure-at-mas = no

is-master-authn-server
Syntax
is-master-authn-server = {yes|no}
Description
Specifies whether this WebSEAL server accepts vouch-for requests from other WebSEAL instances. The WebSEAL instances must have domain keys listed in the [e-community-domain-keys] stanza.
Options
yes This WebSEAL server accepts vouch-for requests from other WebSEAL instances. When this value is yes, this WebSEAL server is the master authentication server.
no This WebSEAL server does not accept vouch-for requests from other WebSEAL instances.
Usage
This stanza entry is optional.
Default value
None.
Example
is-master-authn-server = no

master-authn-server
Syntax
master-authn-server = fully_qualified_hostname
Description
Location of the master authentication server. This value must be specified when is-master-authn-server is set to no. If a local domain login has not been performed, then authentication attempts are routed through the master machine. The master machine will vouch for the user identity. The domain key for the master-authn-server needs to be listed in the [e-community-domain-keys] stanza.
Options
fully_qualified_hostname
Location of the master authentication server.
Usage
This stanza entry is optional.
Default value
None.
Example
master-authn-server = diamond.dev.example.com

master-http-port
Syntax
master-http-port = port_number
Description
Integer value specifying the port number on which the master-authn-server listens for HTTP requests. The setting is necessary when e-community-sso-auth permits use of the HTTP protocol and the master-authn-server listens for HTTP requests on a port other than the standard HTTP port (port 80). This stanza entry is ignored if this WebSEAL server is the master authentication server.
Options
port_number
Integer value specifying the port number on which the master-authn-server listens for HTTP requests.
Usage
This stanza entry is optional.
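The reference above states several constraints that span more than one stanza: every domain in [e-community-domains] needs its own [e-community-domain-keys:domain] stanza and the longest matching domain is the one a virtual host junction uses; master-authn-server must be set when is-master-authn-server is no and its domain key must appear in [e-community-domain-keys]; e-community-name must not contain = or &; ec-cookie-lifetime is a positive integer; master-http-port is an integer. The script below is an added example, not part of the IBM documentation and not WebSEAL's own code: it parses the stanza layout with Python's configparser and checks those constraints before a configuration is deployed. It assumes that "matches" in the longest-domain rule means the virtual host name equals the domain or ends with "." followed by the domain, that an absent is-master-authn-server is treated as no, and that the keys of [e-community-domains] are arbitrary labels (the reference gives only the value). The configuration text, host names and key file names are constructed for the example.

```python
import configparser
from typing import List, Optional

# Constructed sample of the e-community stanzas of a WebSEAL configuration file.
# Host names and key file names are made up; junction3 deliberately has no
# matching [e-community-domain-keys:intranet.example.com] stanza.
SAMPLE_CONFIG = """
[e-community-sso]
e-community-sso-auth = http
e-community-name = company1
is-master-authn-server = no
master-authn-server = diamond.dev.example.com
master-http-port = 8080
ec-cookie-lifetime = 300
cache-requests-for-ecsso = yes

[e-community-domains]
junction1 = example.com
junction2 = www.example.com
junction3 = intranet.example.com

[e-community-domain-keys]
ecssoserver.subnet.example.com = ecsso.key
diamond.dev.example.com = diamond.key

[e-community-domain-keys:example.com]
ecssoserver.subnet.example.com = ecsso.key

[e-community-domain-keys:www.example.com]
ecssoserver.subnet.example.com = ecsso.key
"""

SSO_AUTH_VALUES = {"none", "http", "https", "both"}
YES_NO_ENTRIES = ("cache-requests-for-ecsso", "disable-ec-cookie",
                  "ecsso-allow-unauth", "ecsso-propagate-errors",
                  "handle-auth-failure-at-mas", "is-master-authn-server")


def parse_config(text: str) -> configparser.ConfigParser:
    """Parse the [stanza] / entry = value layout, keeping entry-name case."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # do not lower-case entry names or domain names
    cfg.read_string(text)
    return cfg


def cookie_domain_for_vhost(cfg: configparser.ConfigParser, vhost: str) -> Optional[str]:
    """Return the [e-community-domains] entry a virtual host junction would use.

    Longest matching domain wins; "matches" is assumed (not stated on the page)
    to mean the host name equals the domain or ends with "." + domain.
    """
    if not cfg.has_section("e-community-domains"):
        return None
    candidates = [d for d in cfg["e-community-domains"].values()
                  if vhost == d or vhost.endswith("." + d)]
    return max(candidates, key=len) if candidates else None


def validate_ecsso(cfg: configparser.ConfigParser) -> List[str]:
    """Cross-check the constraints from the reference; return the problems found."""
    problems: List[str] = []
    sso = cfg["e-community-sso"] if cfg.has_section("e-community-sso") else {}

    auth = sso.get("e-community-sso-auth", "none")
    if auth not in SSO_AUTH_VALUES:
        problems.append(f"e-community-sso-auth must be one of {sorted(SSO_AUTH_VALUES)}, got {auth!r}")

    name = sso.get("e-community-name", "")
    if "=" in name or "&" in name:
        problems.append("e-community-name must not contain '=' or '&'")

    lifetime = sso.get("ec-cookie-lifetime", "300")  # default stated on the page
    if not lifetime.isdigit() or int(lifetime) < 1:
        problems.append(f"ec-cookie-lifetime must be a positive integer (minutes), got {lifetime!r}")

    for entry in YES_NO_ENTRIES:
        if entry in sso and sso[entry] not in ("yes", "no"):
            problems.append(f"{entry} must be yes or no, got {sso[entry]!r}")

    keys = cfg["e-community-domain-keys"] if cfg.has_section("e-community-domain-keys") else {}
    # Assumption: an absent is-master-authn-server is treated as "no".
    if sso.get("is-master-authn-server", "no") == "no":
        master = sso.get("master-authn-server")
        if not master:
            problems.append("master-authn-server must be set when is-master-authn-server = no")
        elif master not in keys:
            problems.append(f"master-authn-server {master} has no key in [e-community-domain-keys]")
        port = sso.get("master-http-port")
        if port is not None and not port.isdigit():
            problems.append(f"master-http-port must be an integer, got {port!r}")

    if cfg.has_section("e-community-domains"):
        for domain in cfg["e-community-domains"].values():
            if not cfg.has_section(f"e-community-domain-keys:{domain}"):
                problems.append(f"[e-community-domains] lists {domain} but there is no "
                                f"[e-community-domain-keys:{domain}] stanza")
    return problems


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    print("shop.www.example.com ->", cookie_domain_for_vhost(config, "shop.www.example.com"))
    for problem in validate_ecsso(config):
        print("PROBLEM:", problem)
```

Run against the sample, the longest-match rule picks www.example.com for shop.www.example.com (not the shorter example.com), and the validator reports only the missing [e-community-domain-keys:intranet.example.com] stanza. Pointing parse_config at a real webseald.conf works the same way because the stanza layout is what configparser reads; entries that the reference does not constrain are simply not checked.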