| Stateful Connection |
Specifies that the connection supports stateful applications. By default,
connections are not stateful. |
| Boolean Rule |
Allows denied requests and failure reason information from authorization rules
to be sent in the Boolean Rule header (AM_AZN_FAILURE) across the connection. |
| Thread Limit |
Defines the soft and hard limits for consumption of worker threads. |
| HTTP Basic Authentication Header |
Defines how the WebSEAL reverse proxy server passes client identity
information in HTTP basic authentication (BA) headers to the web application servers. The options for
handling client identity information are:
- Filter. Default option. This option is used when WebSEAL authentication
is set to use BA header information. The WebSEAL BA header is used for all subsequent HTTP
transactions. To the back-end server, WebSEAL always appears to be logged on. WebSEAL authentication
that uses a client certificate is allowed with this option. If the back-end server requires the
actual client identity (from the browser), the CGI variables HTTP_IV_USER, HTTP_IV_GROUP, and
HTTP_IV_CREDS can be used. For scripts and servlets, use the corresponding Cloud Identity Service specific HTTP headers:
  - iv-user
  - iv-groups
  - iv-creds
- Ignore. WebSEAL authentication that uses a BA header is not allowed with
this option. This option uses the BA header for the original client user name and password.
WebSEAL authentication that uses a client certificate is allowed with this option.
- Supply. WebSEAL authentication that uses a BA header is not allowed with
this option. This option uses the BA header for the original client user name and a dummy password.
WebSEAL authentication that uses a client certificate is allowed with this option.
|
| Client Headers |
Client headers insert client user identity information specific to Cloud Identity Service in HTTP headers across the host connection. The
header types can include any combination of the following HTTP header types.
- Default headers.
  - Short user names. Inserts the user login name into an HTTP header that is
  called iv-user and adds it to all back-end requests to the connection hosts.
  - Long user names. Inserts the Cloud Identity Service user Distinguished Name into an HTTP header that is
  called iv-user-l and adds it to all back-end requests to the connection hosts.
  - Group names. Inserts a comma-separated list of the groups the user
  belongs to in an HTTP header that is called iv-groups and adds it to all back-end requests to the
  connection hosts.
  - User credentials. Inserts the Cloud Identity Service user credential in a Base64 encoded string in an
  HTTP header that is called iv-creds and adds it to all back-end requests to the connection hosts.
  - Insert client IP Address. Inserts the user IP address into an HTTP header
  that is called iv-remote-address and adds it to all back-end requests to the connection hosts.
- Custom headers.
  - Custom attributes must be configured and enabled for your setup of Cloud Identity Service for custom headers to be available. Inserts the
  attribute that is selected into an HTTP header. A name for the header must be entered.
|
| HTTP Header Encoding |
Specifies the encoding to use when HTTP headers are generated to send to
connection hosts. This encoding prevents any potential data loss that might occur when the data is converted to
a non-UTF-8 code page. The possible values for encoding are:
- UTF-8 Binary. Unencoded UTF-8 data. This setting allows data to be
transmitted without data loss, and the customer does not need to URI-decode the data. This setting
must be used with caution because it is not part of the HTTP specification.
- UTF-8 URI Encoded. URI encoded UTF-8 data. All white space and non-ASCII
bytes are encoded %XY, where X and Y are hex values (0-F).
- Local Page Code Binary. Unencoded local code page data. This mode was
used by versions of WebSEAL before Version 5.1. Use of this mode enables migration from previous
versions, and is used in upgrade environments. Use with caution because data loss can potentially
occur with this mode.
- Local Code Page URI Encoded. URI encoded local code page data. Any UTF-8
characters that cannot be converted to a local code page are converted to question marks (?). Use
this option with caution and only in environments where the local code page produces the wanted
strings.
|
| Basic Authentication |
Indicates that the connection host is also a WebSEAL server. If enabled, the
connection between the servers is authenticated by using a proprietary authentication setup.
- WebSEAL username. The user ID that Cloud Identity Service WebSEAL servers use to authenticate to the
connection hosts.
- WebSEAL password. The password that Cloud Identity Service WebSEAL servers use to authenticate to the
connection hosts.
|
| Mutual Authentication |
Enables client authentication for the connection with a certificate.
- Certificate. The certificate to use.
|
| Junction Cookie |
Insert ID via cookie script. |
| Cookie Location |
Applicable only when Junction Cookie is enabled.
Specifies the location in the pages that are served by connection hosts where the ID via cookie
script is inserted.
- None. If None is specified, the script is written by default at the
beginning of the response body.
- Header. Inserts the script between the <head> </head> tags for HTML 4.01 compliance.
- Trailer. Appends (instead of adding a prefix to) the script to the HTML
page returned from the back-end server.
- Trailer on Focus. Uses the onfocus event handler in the script to ensure
that the correct connection cookie is used in a multiple-connection/multiple-browser-window
scenario.
- XHTML 1.0. Inserts an XHTML 1.0 (and HTML 4.01) compliant JavaScript
block on the browser that interprets the document.
|
| Cookie Handling |
- Script Cookie. Supplies connection identification in a cookie to handle
script-generated server relative URLs.
- Preserve Cookie Path. Ensures unique Set-Cookie header name attributes
for cookies set by connection hosts, by including each cookie path in the rewritten cookie name.
- Preserve Cookie Name. Ensures that the Set-Cookie header set by a
connection host is not rewritten by Cloud Identity Service to
include the connection name in the cookie name.
|
| Transparent Path Junction |
Non-virtual option. Specifies whether the connection uses a transparent path.
Instead of adding a prefix to all filtered URLs with
/connection_name, it is assumed that all content on the
connection hosts is served from a context root that matches
/connection_name. A transparent path avoids the need for
Cloud Identity Service to filter server
relative URLs. |
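
The Client Headers and HTTP Header Encoding rows above, seen from a connection host: this added example (not IBM or product code) decodes iv-* headers sent in UTF-8 URI Encoded mode and models how the local code page modes turn unconvertible characters into question marks. The proxy address, the sample header values, the function names, and the stripping of double quotes around group names are assumptions.

```python
from urllib.parse import unquote_to_bytes

# Assumption: constructed address of the reverse proxy in front of this host.
TRUSTED_PROXIES = {"192.0.2.10"}

def decode_uri_utf8(raw: str) -> str:
    """Decode a 'UTF-8 URI Encoded' header value; invalid UTF-8 raises."""
    return unquote_to_bytes(raw).decode("utf-8", errors="strict")

def parse_identity(peer_ip: str, headers: dict) -> dict:
    """Return the identity asserted in iv-* headers, only if the peer is the proxy."""
    if peer_ip not in TRUSTED_PROXIES:
        raise PermissionError("iv-* headers accepted only from the reverse proxy")
    h = {k.lower(): v for k, v in headers.items()}
    if "iv-user" not in h:
        raise ValueError("iv-user header missing")
    # Split the comma-separated list first, then decode each item.
    # Stripping surrounding double quotes is an assumption about the wire format.
    groups = [decode_uri_utf8(g.strip().strip('"'))
              for g in h.get("iv-groups", "").split(",") if g.strip()]
    return {"user": decode_uri_utf8(h["iv-user"]),
            "groups": groups,
            "remote_address": h.get("iv-remote-address")}

def local_code_page_view(value: str, codepage: str = "iso-8859-1") -> str:
    """Model of the local code page modes: unconvertible characters become '?'.
    ISO-8859-1 stands in for the local code page (assumption)."""
    return value.encode(codepage, errors="replace").decode(codepage)

# Constructed sample request headers as the connection host would receive them.
SAMPLE = {
    "iv-user": "j%C3%BCrgen",
    "iv-groups": "hr%20staff,%E7%AE%A1%E7%90%86%E5%91%98",
    "iv-remote-address": "198.51.100.7",
}

if __name__ == "__main__":
    print(parse_identity("192.0.2.10", SAMPLE))
    # Two different user names become indistinguishable after lossy conversion.
    print(local_code_page_view("\u674e\u96f7"), local_code_page_view("\u738b\u82b3"))
```

An application that authorizes on iv-user or iv-groups should compare the decoded values, and under a local code page mode it cannot tell apart names that differ only in characters replaced by question marks.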