Example
substring = <script
substring = <applet
substring = <embed
[interfaces] stanza
interface_name
Syntax
interface_name = property=value[;property=value...]
Description
This stanza is used to define additional interfaces on which this WebSEAL instance can receive requests.
A network interface is defined as the combined set of values for a specific group of properties that include HTTP or HTTPS port setting, IP address, worker threads setting, and certificate handling setting.
Options
property
Interface property. Can be selected from:
network-interface=<ipAddress>
http-port=<port> | "disabled"
https-port=<port> | "disabled"
certificate-label=<keyFileLabel>
accept-client-certs="never" | "required" | "optional" | "prompt_as_needed"
worker-threads=<count> | "default"
value
Value of the property. Default values, if not present, include:
network-interface=0.0.0.0
http-port="disabled"
https-port="disabled"
certificate-label= (Uses key marked as default in key file.)
accept-client-certs="never"
worker-threads="default"
Usage
Entries in this stanza are optional.
Default value
None.
Example
(Entered as one line:)
support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16
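As an added example (not part of the IBM documentation), the following Python code parses [interfaces] entries of the property=value;property=value form, fills in the documented defaults, and flags values outside the allowed set; configparser handles the stanza syntax, and the intranet and broken entries in the sample are constructed.

```python
import configparser

# Defaults and allowed values as given in the [interfaces] reference above.
INTERFACE_DEFAULTS = {"network-interface": "0.0.0.0", "http-port": "disabled",
                      "https-port": "disabled", "certificate-label": "",  # "" = key marked default
                      "accept-client-certs": "never", "worker-threads": "default"}
ACCEPT_CLIENT_CERTS = {"never", "required", "optional", "prompt_as_needed"}

def parse_interface(definition: str) -> dict:
    """Turn 'prop=value;prop=value...' into a dict, filling in the documented defaults."""
    iface = dict(INTERFACE_DEFAULTS)
    for item in filter(None, (s.strip() for s in definition.split(";"))):
        if "=" not in item:
            raise ValueError(f"expected property=value, got {item!r}")
        prop, value = (s.strip() for s in item.split("=", 1))
        if prop not in iface:
            raise ValueError(f"unknown interface property {prop!r}")
        iface[prop] = value.strip('"')  # the reference quotes keywords such as "disabled"
    return iface

def validate_interface(iface: dict) -> list:
    """Return a list of problems; an empty list means the definition is usable."""
    problems = []
    for key in ("http-port", "https-port"):
        p = iface[key]
        if p != "disabled" and not (p.isdigit() and 1 <= int(p) <= 65535):
            problems.append(f"{key} must be a port number or disabled, got {p!r}")
    if iface["http-port"] == iface["https-port"] == "disabled":
        problems.append("both ports disabled: the interface can accept no requests")
    if iface["accept-client-certs"] not in ACCEPT_CLIENT_CERTS:
        problems.append(f"accept-client-certs must be one of {sorted(ACCEPT_CLIENT_CERTS)}")
    elif iface["accept-client-certs"] != "never" and iface["https-port"] == "disabled":
        problems.append("accept-client-certs applies only to TLS, but https-port is disabled")
    wt = iface["worker-threads"]
    if wt != "default" and not (wt.isdigit() and int(wt) > 0):
        problems.append(f"worker-threads must be a positive count or default, got {wt!r}")
    return problems

def load_interfaces(conf_text: str) -> dict:
    """Read every entry of the [interfaces] stanza from WebSEAL-style ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep interface names as written
    cp.read_string(conf_text)
    return {name: parse_interface(defn) for name, defn in cp["interfaces"].items()}

# Constructed sample; the 'support' line is the example from the reference above.
SAMPLE_CONF = """[interfaces]
support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16
intranet = network-interface=10.0.0.5;http-port=8080
broken = http-port=99999;accept-client-certs=always
"""
```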
[itim] stanza
This stanza contains the configuration options for the IBM Security Identity Manager Password Synchronization Plug-in. The Password Synchronization Plug-in synchronizes user passwords from IBM Security Access Manager for Web to IBM Security Identity Manager, previously known as IBM Tivoli Identity Manager.
For more information about this plug-in, see the Password Synchronization Plug-in for IBM Security Access Manager Installation and Configuration Guide, which you can find in the IBM Security Identity Manager Information Center:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm
is-enabled
Syntax
is-enabled = {true|false}
Description
Determines whether the Password Synchronization Plug-in for IBM Security Identity Manager is enabled.
Options
true
Enables the Password Synchronization Plug-in.
false
Disables the Password Synchronization Plug-in.
Usage
This stanza entry is optional.
Default value
false
Example
is-enabled = false
itim-server-name
Syntax
itim-server-name = <itim_server>
Description
Specifies the host name or IP address of the server that is running IBM Security Identity Manager.
Note: In a WebSphere Application Server cluster environment, you must configure SSL for the IBM HTTP Server. In a WebSphere Application Server single-server environment, you do not need to configure SSL for the IBM HTTP Server.
Options
<itim_server>
Specifies the host name or IP address of the IBM Security Identity Manager server that communicates with IBM Security Access Manager for Web.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
itim-server-name = identityMgr01.ibm.com
itim-servlet-context
Syntax
itim-servlet-context = <directory_path>
Description
Indicates the password synchronization context root on the application server.
Options
<directory_path>
Specifies the directory path for the password synchronization context root on the application server.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
/passwordsynch/synch.
Example
itim-servlet-context = /passwordsynch/synch
keydatabase-file
Syntax
keydatabase-file = <file_name>
Description
Specifies the name of the key database file.
Options
<file_name>
The name of the key database file.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
keydatabase-file = revpwdsync.kdb
keydatabase-password
Syntax
keydatabase-password = <db_password>
Description
Note: The IBM Security Web Gateway Appliance uses stash files to manage the passwords for key files. As a result, key file passwords are not available to the administrator of the appliance.
If you do not know the password for the key database file, you can use the keydatabase-password-file entry to specify the name of the password stash file instead. If you configure the keydatabase-password-file entry, you can leave the keydatabase-password entry unconfigured.
The Password Synchronization Plug-in requires knowledge of the database password. Therefore, if you do not configure the keydatabase-password-file entry, you must configure the keydatabase-password entry. To complete this configuration, follow this process:
1. Create the key file externally to the appliance. Use a known password to generate the new key file.
2. Import the key file on to the appliance.
3. Configure the keydatabase-password configuration entry with the known password for the Password Synchronization Plug-in.
Options
<db_password>
Specifies the password for the key database file.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
- keydatabase-password
- keydatabase-password-file
Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.
Default value
None.
Example
keydatabase-password = myPassword1
keydatabase-password-file
Syntax
keydatabase-password-file = <password_stash_file>
Description
Specifies the name of the stash file that stores the password for the key database.
Options
<password_stash_file>
Specifies the name of the stash file that stores the password for the key database.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
- keydatabase-password
- keydatabase-password-file
Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.
Default value
None.
Example
keydatabase-password-file = dbPassword.sth
principal-name
Syntax
principal-name = <user_name>
Description
Specifies an IBM Security Identity Manager user ID that has the necessary permissions to complete the check and synchronization operations.
Note: Do not use the ITIM manager account for this purpose. Create a separate account on the IBM Security Identity Manager server with the same permissions.
Options
<user_name>
Specifies the name of the IBM Security Identity Manager user that the Password Synchronization Plug-in can use to request synchronization operations.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
principal-name = admin_userA
principal-password
Syntax
principal-password = <user_password>
Description
Specifies the password of the IBM Security Identity Manager user that is specified by principal-name.
Options
<user_password>
Specifies the password for the IBM Security Identity Manager account.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
principal-password = myPassword1
service-password-dn
Syntax
service-password-dn = <service_pseudo_dn>
Description
Defines the pseudo-distinguished name of the service that issues the password synchronization request.
The Password Synchronization Plug-in uses the service-password-dn pseudo-distinguished name for requests that use the standard password authentication method. If this configuration entry is specified, it overrides service-source-dn when using the password authentication method.
Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.
Each pseudo-distinguished name is a comma-separated list of the following attributes:
- The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
- The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
- The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.
The pseudo-distinguished name that is formed from these example values is: erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com.
Options
<service_pseudo_dn>
Specifies the service pseudo-distinguished name for the standard password authentication method.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
- service-source-dn
- service-password-dn
- service-token-card-dn
Default value
None.
Example
service-password-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com
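As an added example (not part of the IBM documentation), the following Python code applies the required-entry rules of the [itim] stanza described above: the entries that become mandatory when is-enabled is true, the precedence of keydatabase-password over keydatabase-password-file, and the semicolon-separated list of pseudo-distinguished names in service-password-dn. The sample stanza is constructed from the example values given in this reference.

```python
import configparser
# Entries the [itim] reference above makes mandatory once is-enabled is true.
REQUIRED_WHEN_ENABLED = ("itim-server-name", "itim-servlet-context", "keydatabase-file",
                         "principal-name", "principal-password")
SERVICE_DN_ENTRIES = ("service-source-dn", "service-password-dn", "service-token-card-dn")

def parse_pseudo_dns(value: str) -> list:
    """Split a ';'-separated list of pseudo-DNs into lists of (attribute, value) pairs."""
    return [[tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]
            for dn in value.split(";") if dn.strip()]

def check_itim(conf_text: str) -> dict:
    """Apply the reference's required-entry rules to the [itim] stanza of ini-style text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    itim = cp["itim"] if cp.has_section("itim") else {}
    report = {"enabled": itim.get("is-enabled", "false").strip().lower() == "true",
              "problems": [], "key_password_source": None, "service_dns": {}}
    if not report["enabled"]:
        return report  # nothing else in the stanza is checked when the plug-in is disabled
    for key in REQUIRED_WHEN_ENABLED:
        if not itim.get(key):
            report["problems"].append(f"{key} is required when is-enabled = true")
    # Either password entry satisfies the rule; when both are set, keydatabase-password wins.
    if itim.get("keydatabase-password"):
        report["key_password_source"] = "keydatabase-password"
    elif itim.get("keydatabase-password-file"):
        report["key_password_source"] = "keydatabase-password-file"
    else:
        report["problems"].append("keydatabase-password or keydatabase-password-file is required")
    for key in SERVICE_DN_ENTRIES:
        if itim.get(key):
            report["service_dns"][key] = parse_pseudo_dns(itim[key])
    if not report["service_dns"]:
        report["problems"].append("at least one of " + ", ".join(SERVICE_DN_ENTRIES) + " is required")
    return report

# Constructed sample built from the example values in the reference above.
SAMPLE_CONF = """[itim]
is-enabled = true
itim-server-name = identityMgr01.ibm.com
itim-servlet-context = /passwordsynch/synch
keydatabase-file = revpwdsync.kdb
keydatabase-password-file = dbPassword.sth
principal-name = admin_userA
principal-password = myPassword1
service-password-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com;erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com
"""
```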