
Example gso-cache-entry-idle-timeout =

In document Web Reverse Proxy Stanza Reference (Page 122-126)

gso-cache-entry-lifetime

Syntax

gso-cache-entry-lifetime = number_of_seconds

Description

Integer value that specifies the lifetime, in seconds, of a GSO cache entry.

Options

number_of_seconds

The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to their entry lifetime being exceeded. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

900

Example

gso-cache-entry-lifetime = 900

gso-cache-size

Syntax

gso-cache-size = number_of_entries

Description

Integer value indicating the number of entries allowed in the GSO cache.

Options

number_of_entries

The value must be greater than or equal to zero (0). Zero means that there is no limit on the size of the GSO cache. This is not recommended.

WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.

Usage

Default value

1024

Example

gso-cache-size = 1024

[header-names] stanza

header-data

Use the header-data stanza entry to add HTTP headers to the request that WebSEAL sends to junctioned applications.

Syntax

<header-data> = <header-name>

Description

Controls the addition of HTTP headers into the request that is passed to junctioned applications.

To include the same <header-data> in different headers, specify multiple entries with the same <header-data> value.

Note: Do not include more than one entry with the same <header-name> value. The <header-name> values must be unique. If there is more than one entry for a particular <header-name>, WebSEAL processes the last entry for that <header-name>. Any preceding entries are disregarded.

Options

<header-data>

The type of data that WebSEAL adds to the <header-name> header of the request. The valid values for this entry are as follows:

server-name

The Security Access Manager authorization server name for the WebSEAL server. This name is the name of the authorization API administration server that is used in the server task commands.

client-ip-v4

The IPv4 address of the client of this request.

client-ip-v6

The IPv6 address of the client of this request.

host-name

The host name of the WebSEAL server. WebSEAL obtains this host name from the web-host-name configuration entry in the [server] stanza if specified. Otherwise, WebSEAL returns the host name of the server itself.

httphdr{<name>}

An HTTP header from the request as specified by the <name> field. If the HTTP header is not found in the request, WebSEAL uses the value in the [server] tag-value-missing-attr-tag configuration entry as the value for the header.

<header-name>

The name of the HTTP header that holds the data. Valid strings are limited to the following characters: A-Z, a-z, 0–9, hyphen ( - ), or underscore ( _ ).

Usage

This stanza entry is required.

Default value

server-name = iv_server_name

Example

server-name = iv_server_name

In this example, WebSEAL passes the following header and value to the junction if the WebSEAL instance is default-webseald-diamond.example.com:

iv_server_name:default-webseald-diamond.example.com

Other example entries:

client-ip-v4 = X-Forwarded-For
client-ip-v4 = X-Header
httphdr{host} = X-Forwarded-Host
host-name = X-Forwarded-Server
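The uniqueness and character rules for <header-name> can be checked before a configuration is deployed. The linter below is an added example, not IBM's code; the function name lint_header_names, the constructed sample stanza, the treatment of # as a comment marker, and exact-match comparison of header names are assumptions.

```python
import re

# <header-data> keywords listed in the reference above.
VALID_DATA = {"server-name", "client-ip-v4", "client-ip-v6", "host-name"}
HTTPHDR_RE = re.compile(r"^httphdr\{[^{}]+\}$")
# <header-name>: A-Z, a-z, 0-9, hyphen or underscore only.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
[header-names]
server-name = iv_server_name
client-ip-v4 = X-Forwarded-For
client-ip-v4 = X-Header
httphdr{host} = X-Forwarded-Host
host-name = X-Forwarded-For
client-ip = X-Client IP
[http-transformations]
resourceOne = resourceOne.xsl
"""

def lint_header_names(conf_text):
    """Return (effective, findings) for the [header-names] stanza.

    effective maps each header name to the header-data that survives;
    findings is a list of (line_number, message) tuples.
    """
    effective, findings, seen_at = {}, [], {}
    in_stanza = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if line.startswith("["):
            in_stanza = (line == "[header-names]")
            continue
        if not in_stanza or "=" not in line:
            continue
        data, name = (p.strip() for p in line.split("=", 1))
        if data not in VALID_DATA and not HTTPHDR_RE.match(data):
            findings.append((no, f"unknown header-data '{data}'"))
        if not NAME_RE.match(name):
            findings.append((no, f"invalid header-name '{name}'"))
            continue
        if name in effective:
            findings.append((no, f"duplicate header-name '{name}' overrides line {seen_at[name]}"))
        seen_at[name] = no
        effective[name] = data  # last entry wins, as the Note describes
    return effective, findings
```

In the sample, X-Forwarded-For ends up carrying host-name rather than the client address, which is the silent override the Note describes.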

[http-transformations] stanza

resource-name

Syntax

resource-name = resource-file

Description

Defines HTTP transformation resources. This configuration information is necessary to support WebSEAL HTTP transformations. You can use WebSEAL HTTP transformations to modify HTTP requests and HTTP responses (excluding the HTTP body) using XSLT.

Note: To enable the HTTP transformations for a particular resource, attach a POP to the appropriate part of the object space. This POP must contain an extended attribute with the name HTTPTransformation and one of the following values:

• Request = resource-name

• Response = resource-name

For more details, see the information about HTTP transformations in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options

resource-name

The name of the HTTP transformation resource.

resource-file

Note: You must restart WebSEAL for changes to an XSL rules file to take effect.

Usage

This stanza entry is optional.

Comments

If an HTTP transformation rule modifies the URI or host header of the request, WebSEAL reprocesses the transformed request. This reprocessing ensures that the transformation does not bypass WebSEAL authorization. This behavior also means that administrators can define HTTP transformations rules to send requests to different junctions.

Note: WebSEAL performs reprocessing (and authorization) on the first HTTP transformation only. Transformed requests undergo HTTP transformation again if there is an appropriate POP attached to the associated object space. However, WebSEAL does not reprocess the new requests that result from these subsequent transformations.

Default value

None.

Example

resourceOne = resourceOne.xsl

[ICAP:<resource>] stanza

The [ICAP:<resource>] stanza is used to define a single ICAP resource. The <resource> component of the stanza name must be changed to the actual name of the resource. To enable the ICAP resource for a particular object, a POP must be attached to the appropriate part of the object space. This POP must contain an extended attribute with the name ICAP, and a value that is equal to the name of the configured ICAP resource.

URL

Syntax

URL = URL string

Description

The complete URL on which the ICAP server is expecting requests.

Options

URL URL string

Usage

Default value

None

Example

URL = icap://icap.example.net:1344/filter?mode=strict

Note: In the example, icap is the protocol being used.

transaction

Syntax

transaction = {req | rsp}

Description

The transaction for which the resource is invoked.

Options

req

The ICAP server is invoked on the HTTP request.

rsp

The ICAP server is invoked on the HTTP response.

Usage
