Web server configuration
Configure the web server capabilities of WebSEAL such as
content caching, communication protocol, LDAP directory server, worker
thread, and HTTP data compression.

Specifying the WebSEAL host name
Typically, the name of the WebSEAL host computer is automatically determined when this information is required. There are situations, such as with virtual host junctions, where the WebSEAL host can use several names. On systems with many host names, interfaces, or WebSEAL instances, the automatic determination might not be correct for a specific situation. You can specify the correct one.

Modifying the configuration file settings
The operation of the WebSEAL server is controlled by using the WebSEAL configuration file and a corresponding obfuscated file that is used for sensitive data. Use the local management interface to modify the configuration file.

Content caching
WebSEAL can cache static web contents to improve the response time of a transaction. You must understand the key concepts, configuration variables, and conditions that affect content caching and the impact of HTTP headers. You can flush all caches and set cache control for specific documents.

Communication protocol configuration
You can configure the WebSEAL communication protocols to control how WebSEAL handles requests and creates connections. There are many stanza entries available to configure the communication protocols.

IPv4 and IPv6 overview
Beginning with Tivoli® Access Manager for Web version 6.0, WebSEAL supports Internet Protocol version 6 (IPv6).

Configuring WebSEAL for IPv6 and IPv4 requests
By default, Security Access Manager WebSEAL, version 6.0 or later, supports IPv6 networks. You can configure it to support either IPv4 only or both IPv4 and IPv6.

IPv6: Compatibility support
Before you enable IPv6 support, you must understand how IP version compatibility is maintained for previous versions of Verify Identity Access.

IPv6: Upgrade notes
When you upgrade to Security Access Manager WebSEAL version 7.0 from a previous version, IPv6 support is automatically disabled.

IP levels for credential attributes
Network information can be stored as an extended attribute in a user's credential. You can control the amount of network information that is stored in a credential by specifying the required IP level.

LDAP directory server configuration
When Verify Identity Access is configured to use an LDAP-based user registry, such as IBM® Tivoli® Directory Server, WebSEAL must be configured as an LDAP client so it can communicate with the LDAP server.

WebSEAL worker thread configuration
The number of configured worker threads specifies the number of concurrent incoming requests that can be serviced by a server. You can set the number of threads available to service incoming connections to WebSEAL.

WebSEAL worker threads
WebSEAL draws from its pool of worker threads to process multiple requests. Worker threads handle incoming requests to applications on multiple junctioned back-end servers.

Global allocation of worker threads for junctions
You can modify the entries in the [junction] stanza of the WebSEAL configuration file to control the global allocation of worker threads across all junctions for a particular WebSEAL server.

Per-junction allocation of worker threads for junctions
Use the pdadmin command so that you can limit worker thread consumption on a per-junction basis.

Allocation view of worker threads for junctions
Use the allocation view when you want to determine the location of a junction that is absorbing more than its share of worker thread resources.

HTTP data compression
The WebSEAL servers can be configured to compress data that is transferred over HTTP between the WebSEAL server and the client.

WebSEAL data handling by using UTF-8
WebSEAL implements multi-locale support by internally maintaining and handling all data by using UCS Transformation Format 8 byte (UTF-8) encoding. UTF-8 is a multi-byte code page with variable width.

UTF-8 dependency on user registry configuration
For optimal multi-locale support, store all the users in one common user registry, regardless of which language they prefer.

UTF-8 data conversion issues
By default, the appliance will use a UTF-8 code page when running WebSEAL. However, it is possible to configure WebSEAL so that it uses a non-UTF-8 code page. In this environment, WebSEAL needs to convert data upon data input and output.

UTF-8 impact on authentication
The use of UTF-8 for internal data handling has impacts on the processing of authentication requests by WebSEAL.

UTF-8 impact on authorization (dynamic URL)
WebSEAL restricts all requests that require authorization checks to requests that use UTF-8 or the locale setting of the WebSEAL host. All back-end servers are also bound by these settings. WebSEAL must enforce this restriction so it can apply security policy on known protected objects.

Encoding type usage
WebSEAL requires that any URL presented for processing must contain only a single character encoding type such as UTF-8 or ShiftJIS.

UTF-8 support for uniform resource locators
There are a number of different encoding methods for transmitting characters outside the printable ASCII range. WebSEAL, acting as a web proxy, must be able to handle all these cases. The UTF-8 locale support addresses this need.

UTF-8 support in POST body information (forms)
Edit the WebSEAL configuration file so that you can configure how WebSEAL processes data in POST bodies that contain information from forms.

UTF-8 support in query strings
You can enable UTF-8 support in query strings by editing the WebSEAL configuration file.

UTF-8 encoding of cookies for failover authentication
You can specify the use of UTF-8 encoding for strings within failover authentication cookies in the WebSEAL configuration file.

UTF-8 encoding of cookies for LTPA authentication
WebSEAL supports LTPA version 2 cookies only for LTPA authentication. The specification for this version of LTPA cookies requires the use of UTF-8 encoding.

UTF-8 encoding in junction requests
By default, WebSEAL adds information to HTTP headers by using a UTF-8 code page. This action prevents any potential data loss that can occur when it converts to a non-UTF-8 code page. This data is sent URI encoded. For compatibility with an earlier version, the format of the header data can be configured to the local code page. In addition, two other formats are supported, raw UTF-8 and URI encoded local code page.

Validation of character encoding in request data
WebSEAL parses requests to ensure that character encoding is compatible with the back-end server requirements. For example, it is possible for the query string of a request to contain character encoding, such as raw binary data, that is unacceptable to WebSEAL, and therefore rejected by WebSEAL.

Supported wildcard pattern matching characters
WebSEAL supports wildcard pattern matching characters.

Setting system environment variables
Use the system-environment-variables stanza to list the system environment variables that the WebSEAL daemon exports during initialization. Include a separate entry for each system environment variable that you want to export.

Cross-Origin Resource Sharing (CORS) Support
The web reverse proxy can be configured to support cross-origin resource sharing.