[junction] stanza

allow-backend-domain-cookies: Use the allow-backend-domain-cookies stanza entry to control whether WebSEAL sends domain cookies from a back-end server to a client.
always-send-kerberos-tokens: Indicates whether WebSEAL sends a security token for every HTTP request or whether WebSEAL waits for a 401 response before it adds the security token.
basicauth-dummy-passwd: Use the basicauth-dummy-passwd stanza entry to specify the global password for WebSEAL to use when it supplies basic authentication data over junctions that were created with the -b supply argument.
connect-timeout
crl-ldap-server: Use the crl-ldap-server stanza entry in the [junction] stanza to specify the LDAP server that WebSEAL can contact for CRL checking during authentication across SSL junctions.
crl-ldap-server-port: Use the crl-ldap-server-port entry in the [junction] stanza to set the port number for WebSEAL to use when it communicates with the LDAP server specified in crl-ldap-server.
crl-ldap-user: Use the crl-ldap-user entry in the [junction] stanza to specify an LDAP user who has permissions to retrieve the CRL on the LDAP server that is specified in crl-ldap-server.
crl-ldap-user-password: Use the crl-ldap-user-password entry in the [junction] stanza to provide the password for the LDAP user that is specified in crl-ldap-user.
disable-local-junctions: Use the disable-local-junctions stanza entry to control whether WebSEAL serves pages from a local web server through local junctions.
disable-on-ping-failure: Use the disable-on-ping-failure stanza entry to configure the Web Reverse Proxy to return an error when HTTP requests are received for junctioned servers which are currently failing the 'ping' operation.
disable-ssl-v2: Use the disable-ssl-v2 entry in the [junction] stanza to control whether WebSEAL supports SSL version 2 for junction connections.
disable-ssl-v3: Use the disable-ssl-v3 entry in the [junction] stanza to control whether WebSEAL supports SSL version 3 for junction connections.
disable-tls-v1: Use the disable-tls-v1 entry in the [junction] stanza to control whether WebSEAL supports Transport Layer Security (TLS) version 1 for junction connections.
disable-tls-v11: Use the disable-tls-v11 entry in the [junction] stanza to control whether WebSEAL supports Transport Layer Security (TLS) version 1.1 for junction connections.
disable-tls-v12: Use the disable-tls-v12 entry in the [junction] stanza to control whether WebSEAL supports Transport Layer Security (TLS) version 1.2 for junction connections.
disable-tls-v13: Use the disable-tls-v13 entry in the [junction] stanza to control whether support for TLS version 1.3 is enabled in WebSEAL.
dont-reprocess-jct-404s: Use the dont-reprocess-jct-404s stanza entry to control whether WebSEAL reprocesses requests that fail with an HTTP 404 error by prepending the junction name to the URL.
dynamic-addresses: Use the dynamic-addresses stanza entry to control whether the junction server host name is resolved to its IP address immediately before every communication with the junction server.
dynamic-addresses-ttl: Use the dynamic-addresses-ttl stanza entry to specify the length of time (in seconds) that a resolved IP address will be cached before it is discarded and another name resolution is attempted (time-to-live).
expect-hdr-timeout: Use this entry to set a timeout value for requests which contain the ‘expect: 100-continue’ header.
failover-on-read: Use this entry to specify whether to retry requests to replicated junction servers or junction servers that are configured to use persistent connections when an error occurs on the initial request.
flush-cookie: Use the flush-cookie stanza entry to specify the browser cookies which should be cleared when a session is first established.
persistent-failover-on-read: When persistent connections are enabled, this entry specifies whether retries on error conditions will also be made to the same server on a different connection if a request on a particular connection fails.
gso-credential-learning: Use this entry to enable or disable the learning capability for GSO junctions.
gso-obfuscation-key: Use this stanza entry to set the key for obfuscating any passwords that are managed by the GSO RESTful web service.
http2-header-table-size: Use the http2-header-table-size stanza entry to define the max header table size for an HTTP/2 network connection.
http2-initial-window-size: Use the http2-initial-window-size stanza entry to define the maximum number of unacknowledged bytes WebSEAL can accept per active multiplexed stream.
http2-max-concurrent-streams: Use the http2-max-concurrent-streams stanza entry to set the maximum number of simultaneous multiplexed streams WebSEAL will accept per HTTP/2 network connection.
http2-max-frame-size: Use the http2-max-frame-size stanza entry to define the maximum size of the body of a single HTTP/2 protocol frame sent over the HTTP/2 network connection.
http2-max-header-list-size: Use the http2-max-header-list-size stanza entry to define the maximum size of headers that can be sent in a request on an HTTP/2 stream.
http-header-attributes: Use the http-header-attributes stanza entry to define the credential attributes which will be added as HTTP headers to the request.
http-timeout
https-timeout
ignore-svc-unavailable: Use ignore-svc-unavailable to control whether WebSEAL handles a 503 'Service Unavailable' from a back-end server or returns it to the client.
insert-client-real-ip-for-option-r
io-buffer-size
jct-cert-keyfile
jct-cert-keyfile-stash
jct-nist-compliance: Use the jct-nist-compliance stanza entry to enable or disable NIST SP800-131A compliance for junction connections.
jct-fips-mode-processing: Use the jct-fips-mode-processing stanza entry to enable or disable Federal Information Processing Standards (FIPS) mode for junction connections.
jct-ocsp-enable
jct-ocsp-max-response-size
jct-ocsp-nonce-check-enable
jct-ocsp-nonce-generation-enable
jct-ocsp-proxy-server-name
jct-ocsp-proxy-server-port
jct-ocsp-url
jct-ssl-reneg-warning-rate
jct-undetermined-revocation-cert-action
jmt-map
junction-specific-snoop: Use the junction-specific-snoop stanza entry to control whether junction specific trace points are enabled for 'snoop' tracing.
kerberos-keytab-file: Use the kerberos-keytab-file entry to set the name of the Kerberos key table file for the WebSEAL server.
kerberos-principal-name: Use the kerberos-principal-name entry to set the service principal name of the impersonating user when creating a Kerberos token.
kerberos-service-name: Use the kerberos-service-name entry to set the service principal name of the target.
kerberos-sso-enable: Use the kerberos-sso-enable entry to enable or disable SSO for junctions.
kerberos-user-identity: Use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN). The custom UPN can be constructed from either plain text or the contents of credential attributes.
managed-cookies-list
mangle-domain-cookies
match-vhj-first: Helps determine the order in which WebSEAL searches for a request in a standard or a virtual host junction table.
max-cached-persistent-connections
max-jct-read: Use the max-jct-read stanza entry to control the amount of header data WebSEAL will read from responses.
max-webseal-header-size
pass-http-only-cookie-attr
persistent-con-timeout
ping-method
ping-response-code-rules: Use the ping-response-code-rules configuration entry to define the rules that are used to determine whether the HTTP status code of the ping responses indicate a healthy or an unhealthy junctioned Web server.
ping-attempt-threshold: Use this entry to define the number of consecutive failed ping requests before the junctioned server will be marked as not running.
ping-time
ping-timeout: Use this entry to set a different timeout value for the 'ping' operations.
ping-uri
recovery-ping-time
recovery-ping-attempt-threshold: Use this entry to define the number of consecutive successful recovery ping responses before a stopped junctioned server will be marked as running.
reprocess-root-jct-404s
reset-cookies-list
response-code-rules: When a response of a client-initiated request is returned from the junctioned server, the optional response-code-rules configuration entry defines the rules that are used to determine from the HTTP status code of the responses whether the junctioned Web server is in a healthy or an unhealthy state.
share-cookies
server-hostname-validation: Use the server-hostname-validation stanza entry to control whether WebSEAL performs hostname validation on server certificates presented by Junctioned servers.
ssl-extension-signature-algorithms: Use the ssl-extension-signature-algorithms entry in the [junction] stanza to specify the signature and hash algorithm pairs that can be used in digital signatures for TLSv1.2 junction connections.
ssl-extension-supported-groups: Specifies supported groups for TLS key agreements. This entry is used only when ssl-key-agreement is set to custom.
ssl-key-agreement: Specifies the TLS key agreement mode.
ssl-allow-rsa-key-exchange: Use the ssl-allow-rsa-key-exchange stanza entry to enable or disable the RSA algorithm during TLS key exchange.
support-virtual-host-domain-cookies
use-new-stateful-on-error
use-legacy-cookiejar-behavior: Use this configuration entry to allow legacy cookie jar behavior.
use-legacy-cookiejar-behavior-pdstateful: Use this configuration entry to allow legacy cookie jar behavior.
validate-backend-domain-cookies
worker-thread-hard-limit
worker-thread-soft-limit