The configuration of ICAP support within WebSEAL is flexible and allows only those transactions that require the ICAP intervention to be sent to the ICAP servers. An administrator can configure and control the applications that require ICAP processing. Configuration of ICAP support within WebSEAL consists of two parts:
- Configuration file: Used to define ICAP servers.
- Protected Object Policy (POP): Used to define the resources that trigger a call to the ICAP servers.
Configuration file
A stanza called [ICAP:<resource>] is added to the configuration file. Each such stanza defines one ICAP resource. Each resource consists of:
- A URL for the ICAP server
- A transaction list that defines whether the ICAP server is used in processing the HTTP request or response
- A timeout value that defines the maximum length of time (in seconds) that WebSEAL waits for a response from the ICAP server.
For more information, see the [ICAP:<resource>] stanza in the IBM Security Web Gateway appliance: Web Reverse Proxy Stanza Reference.
Note: The <resource> in the stanza name corresponds to the name of the resource in the POP. Multiple resources might be specified in the configuration file.
Example
[ICAP:resource_a]
URL = icap://icap_svr.tivoli.com:1344/
transaction = req
timeout = 120
[ICAP:resource_b]
URL = icap://icap_svr.tivoli.com:1344/
transaction = rsp
timeout = 120
Protected Object Policy (POP)
A Protected Object Policy (POP) is used to enable the pre-defined ICAP resource for appropriate parts of the object space. This mechanism provides full control over which resources incur the additional impact of the ICAP processing. The POP must have:
- An extended attribute created with the name 'ICAP', and
- A value that matches the name of one of the configured ICAP resources.
Multiple attributes of the same name can be created if multiple ICAP servers are required to handle the processing of a particular object or request.
The following example shows what the POP might look like:
pdadmin sec_master> pop show ICAPPop attribute ICAP
ICAP
resource_a
resource_b
Note: resource_a and resource_b correspond to the following configuration stanzas: [ICAP:resource_a] and [ICAP:resource_b].
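
An added example, not part of the original documentation or the product's own code: a Python check that cross-references the values of a POP's ICAP attribute against the [ICAP:<resource>] stanzas, and flags a stanza whose URL has no host, whose transaction value is unexpected, or whose timeout is not a positive number of seconds. The function names, the constructed sample input, the use of an INI parser for the configuration file and the restriction of transaction to the two values shown above are assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Assumption: only the two transaction values shown on this page are accepted.
TRANSACTIONS = {"req", "rsp"}

def load_icap_resources(conf_text):
    """Return {resource_name: {key: value}} for every [ICAP:<resource>] stanza."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s.split(":", 1)[1]: dict(cp[s]) for s in cp.sections() if s.startswith("ICAP:")}

def audit(conf_text, pop_values):
    """Cross-check stanzas against the POP's ICAP attribute values; return findings."""
    resources = load_icap_resources(conf_text)
    findings = []
    for name, entry in resources.items():
        url = urlsplit(entry.get("url", ""))  # configparser lowercases key names
        if url.scheme != "icap" or not url.hostname:
            findings.append(f"{name}: URL has no icap:// host")
        if entry.get("transaction") not in TRANSACTIONS:
            findings.append(f"{name}: unexpected transaction value")
        timeout = entry.get("timeout", "")
        if not timeout.isdigit() or int(timeout) == 0:
            findings.append(f"{name}: timeout is not a positive number of seconds")
    for value in pop_values:
        if value not in resources:
            findings.append(f"POP value {value}: no matching [ICAP:{value}] stanza")
    return findings

# Constructed sample input: resource_b's URL has an empty host (three slashes),
# and the POP references resource_c, which has no stanza.
SAMPLE_CONF = """
[ICAP:resource_a]
URL = icap://icap_svr.tivoli.com:1344/
transaction = req
timeout = 120
[ICAP:resource_b]
URL = icap:///icap_svr.tivoli.com:1344/
transaction = rsp
timeout = 120
"""
SAMPLE_POP_VALUES = ["resource_a", "resource_b", "resource_c"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_POP_VALUES):
        print(finding)
```

A POP value with no matching stanza is worth catching before deployment, because the administrator expects ICAP processing on that part of the object space and no server is defined for it.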