
Default value dummy

In document Web Reverse Proxy Stanza Reference (Page 138-144)

Global password used when supplying basic authentication data over junctions that were created with the -b supply argument. Passwords must consist of ASCII characters.

Usage

This stanza entry is required.

Default value

dummy

Example

basicauth-dummy-passwd = dummy

crl-ldap-server

Syntax

crl-ldap-server = server_name

Description

Options

server_name

This parameter can be set to one of two types of values:

1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:

- crl-ldap-server-port
- crl-ldap-user
- crl-ldap-user-password

2. The literal string “URI”. In the case where no direct LDAP Server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP Servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.

Note: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-server = diamond.example.com

crl-ldap-server-port

Syntax

crl-ldap-server-port = port_number

Description

Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during authentication across SSL junctions.

Options

port_number

Port number for communication with the LDAP server specified in crl-ldap-server.

Usage

This stanza entry is optional. When crl-ldap-server is specified, this stanza entry is required.

Default value

None.

Example

crl-ldap-server-port = 389

crl-ldap-user

Syntax

crl-ldap-user = user_DN

Description

Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List.

Options

user_DN

Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List. A null value for crl-ldap-server indicates that the SSL authenticator should bind to the LDAP server anonymously.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-user = user_DN

crl-ldap-user-password

Syntax

crl-ldap-user-password = password

Description

The password for the LDAP user specified in the crl-ldap-user stanza entry.

Options

password

The password for the LDAP user specified in the crl-ldap-user stanza entry.

Usage

This stanza entry is optional. When crl-ldap-user is specified, this stanza entry is required.

Default value

None.

Example

crl-ldap-user-password = mypassw0rd

disable-ssl-v2

Syntax

disable-ssl-v2 = {yes|no}

Description

Disables support for SSL Version 2 for junction connections. Support for SSL v2 is disabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is yes. The WebSEAL configuration sets this value.

Default value

yes

Example

disable-ssl-v2 = yes

disable-ssl-v3

Syntax

disable-ssl-v3 = {yes|no}

Description

Disables support for SSL Version 3 for junction connections. Support for SSL V3 is enabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.

Default value

no

Example

disable-ssl-v3 = no

disable-tls-v1

Syntax

disable-tls-v1 = {yes|no}

Description

Disables support for TLS Version 1 for junction connections. Support for TLS V1 is enabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.

Default value

no

Example

disable-tls-v1 = no

disable-tls-v11

Syntax

disable-tls-v11 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1 for junction connections. Support for TLS v1.1 is enabled by default.

Options

yes The value yes disables support for TLS version 1.1.

no The value no enables support for TLS version 1.1.

Usage

Default value

no

Example

disable-tls-v11 = no

disable-tls-v12

Syntax

disable-tls-v12 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2 for junction connections. Support for TLS v1.2 is enabled by default.

Options

yes The value yes disables support for TLS version 1.2.

no The value no enables support for TLS version 1.2.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v12 = no
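
An added example, not part of the stanza reference: a Python check of a [junction] stanza against the defaults and the "when X is specified, Y is required" rules documented in the entries above. The sample stanza and its DN are constructed; treating SSL v2/v3 and TLS 1.0/1.1 as legacy, flagging the default dummy password, and exempting the literal URI from the port requirement are this example's own assumptions.

```python
import configparser

# Constructed sample stanza from this page's example values; the DN is a placeholder.
SAMPLE = """\
[junction]
basicauth-dummy-passwd = dummy
crl-ldap-server = diamond.example.com
crl-ldap-user = cn=crlreader,o=example
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no
disable-tls-v12 = no
"""

# Defaults the reference documents for entries that are absent.
DEFAULTS = {"disable-ssl-v2": "yes", "disable-ssl-v3": "no", "disable-tls-v1": "no",
            "disable-tls-v11": "no", "disable-tls-v12": "no"}
# Which versions count as legacy is this audit's policy (assumption), not the reference's.
LEGACY = ("disable-ssl-v2", "disable-ssl-v3", "disable-tls-v1", "disable-tls-v11")
# "When X is specified, Y is required", as stated in the Usage sections.
REQUIRES = {"crl-ldap-server": "crl-ldap-server-port",
            "crl-ldap-user": "crl-ldap-user-password"}

def audit_junction(conf_text):
    """Return a list of (entry, finding) pairs for the [junction] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    jct = dict(cp["junction"]) if cp.has_section("junction") else {}
    disabled = {k: jct.get(k, d).strip().lower() == "yes" for k, d in DEFAULTS.items()}
    findings = [(k, "legacy protocol enabled on junction connections")
                for k in LEGACY if not disabled[k]]
    if all(disabled.values()):
        findings.append(("disable-tls-v12", "every protocol version is disabled"))
    for key, needed in REQUIRES.items():
        value = jct.get(key, "").strip()
        # The literal URI delegates to the certificate's CDP, so no LDAP port applies
        # (assumption drawn from the option text above).
        if value and not (key == "crl-ldap-server" and value == "URI") and not jct.get(needed):
            findings.append((needed, f"required because {key} is set"))
    passwd = jct.get("basicauth-dummy-passwd")
    if passwd is None:
        findings.append(("basicauth-dummy-passwd", "required entry is missing"))
    elif not passwd.isascii():
        findings.append(("basicauth-dummy-passwd", "must consist of ASCII characters"))
    elif passwd == "dummy":
        findings.append(("basicauth-dummy-passwd", "still the documented default"))
    return findings

print(*audit_junction(SAMPLE), sep="\n")
```

Because disable-tls-v11 is absent from the sample, the audit falls back to the documented default of no and reports TLS 1.1 as enabled.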

dont-reprocess-jct-404s

Syntax

dont-reprocess-jct-404s = {yes|no}

Description

If a resource cannot be found on a back-end server, that server returns an HTTP 404 error. The dont-reprocess-jct-404s stanza entry controls whether or not WebSEAL processes the request again by prepending the junction name to the URL.

You should never need to enable this stanza entry if you follow this best practice for junctions: The junction name should not match any directory name used in the Web space of the back-end server if HTML pages from that server contain programs (such as JavaScript or applets) with server-relative URLs to that directory.

The following scenario can occur when one does not adhere to this best practice for junctions:

1. A resource is located in the following subdirectory (using the same name as the junction) on the back-end server: /jct/page.html.

2. A page received by the client from this back-end server contains the following URL: /jct/page.html

3. When the link is followed, WebSEAL can immediately process the request because it recognizes what it thinks is the junction name in the URL. No configured URL modification technique is required.

4. At the time the request is forwarded to the back-end server, the junction name (/jct) is removed from the URL. The resource (/page.html) is not found at the root of the back-end server file system. The server returns a 404 error.

5. If WebSEAL is configured for dont-reprocess-jct-404s=no, it reprocesses the URL and prepends the junction name to the original URL: /jct/jct/page.html

6. Now the resource is successfully located at /jct/page.html on the back-end server.

NOTE:

- The default behavior in WebSEAL is to reprocess a request URL after an HTTP 404 error is returned from the back-end server. You can set the value of dont-reprocess-jct-404s to yes to override this default behavior.

- If the reprocess-root-jct-404s entry (also in the [junction] stanza) has been set to yes, then root junction resource requests that result in an HTTP 404 error will be reprocessed regardless of the setting of this dont-reprocess-jct-404s stanza entry.
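
The six-step scenario above as a simplified Python model, added here as an example and not WebSEAL code. The function names and the back-end file set are hypothetical; only the /jct junction and /jct/page.html resource come from the scenario.

```python
JUNCTION = "/jct"                    # junction name used in the scenario
BACKEND_FILES = {"/jct/page.html"}   # constructed back-end web space: a directory named like the junction


def backend_status(path):
    """Status the modelled back-end server returns for a path."""
    return 200 if path in BACKEND_FILES else 404


def strip_junction(url):
    """Remove the junction name before forwarding; None if the URL is not under it."""
    if url == JUNCTION or url.startswith(JUNCTION + "/"):
        return url[len(JUNCTION):] or "/"
    return None


def handle(url, dont_reprocess_jct_404s):
    """Return (final status, paths sent to the back-end) for one client request."""
    sent = []
    path = strip_junction(url)
    if path is None:
        return 404, sent             # this model only covers URLs under the junction
    sent.append(path)                # step 4: /jct removed, /page.html forwarded
    status = backend_status(path)
    if status == 404 and not dont_reprocess_jct_404s:
        # step 5: prepend the junction name to the original URL, then forward again
        retry = strip_junction(JUNCTION + url)
        sent.append(retry)
        status = backend_status(retry)   # step 6: /jct/page.html is found
    return status, sent


if __name__ == "__main__":
    for url in ("/jct/page.html", "/jct/missing.html"):
        for setting in (False, True):
            print(url, "dont-reprocess-jct-404s =", "yes" if setting else "no",
                  "->", handle(url, setting))
```

In this model, a resource that is missing at both locations costs a second back-end request whenever reprocessing is enabled.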

Options

yes When the back-end server returns an HTTP 404 error, do not reprocess the request URL.

no When the back-end server returns an HTTP 404 error, reprocess the request URL by prepending the junction name to the existing URL.

Usage

This stanza entry is required.

Default value

The default value in the template configuration file is yes.

Example
