Use any of the following settings to manage your CA SiteMinder® Agent for Apache-based servers:
If you use an SSL accelerator or any intermediate device that changes the value of the HTTP_HOST header with an Apache 2.x Web server and use the HttpsPorts parameter, additional web server configuration changes are required.
Follow these steps:
server_name:port_number
Specifies the host name of the SSL accelerator.
If you have legacy applications (that do not support HTTP 1.1), and you want to run them on an Apache Web Server, you can set the following parameter:
Specifies the type of message encoding used by the Web Agent. When the value of this parameter is set to no, transfer-encoding is supported.
When the value of this parameter is set to yes, content encoding is used. The transfer-encoding header is ignored and only the content-length header is supported.
Default: No
To use legacy applications with an Apache Web Server, set the value of the LegacyTransferEncodingBehavior parameter to yes.
Important! If you set the value of this parameter to yes, these features will not work: Federation; preservation of POST data longer than 4 KB; and large certificates may not be recognized.
If you have applications that perform load balancing by redirecting traffic to specific web servers without modifying the actual HTTP headers, you should configure the Web Agent to redirect users back to the proper external port (instead of the port used by the load balancer) with the following parameter:
Directs the Web Agent to obtain the port number from the HTTP HOST request header instead of obtaining it from the web server service structures.
Default: No
Note: This parameter is required for Apache Web Agents.
To use the port number in the HTTP HOST request header, set the GetPortFromHeaders parameter to yes.
The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:
You can track user activities for a given application using the transaction ID.
Note: For more information, see the Policy Server documentation.
The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with STATE=MA):
172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1
If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:
172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.
Note: Web Agents log user names and access information in native web server log files when users access resources.
You can record the CA SiteMinder® transaction ID in the Apache web server logs SMTRANSACTIONID header variable.
Follow these steps:
For example:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SM_TRANSACTIONID}i\"" common
Note: For more information about the httpd.conf file and the LogFormat directive, see your Apache web server documentation.
The transaction ID is recorded in the Apache web server logs.
If you are using an Apache web server, you can control how content is transferred to the server during POST requests with the following parameter:
Specifies how content will be transferred to the server during POST requests. When the value of this parameter is set to yes, all content types are streamed, except for the following:
When the value of this parameter is set to no, all content types are spooled.
Default: No
To stream most types of content in POST requests, change the value of the LegacyStreamingBehavior parameter to yes.
By default the Apache Web Agent logs all levels (informational and error) of IPC semaphore-related messages to the Apache error log, regardless of the configured Apache logging level.
To restrict the verbosity of Web Agent IPC semaphore-related output to the Apache error log, add the following parameter in the trace.conf file located in web _agent_home/config:
Specifies the level of IPC semaphore-related messages the Web Agent logs to the Apache error log. Accepts the following values:
The Web Agent logs no IPC semaphore-related messages to the Apache error log.
The Web Agent logs only IPC semaphore-related error messages to the Apache error log.
(Default) The Web Agent logs IPC semaphore-related error and informational messages to the Apache error log.
Example: Define the nete.stderr.loglevel parameter in trace.conf
In the following snippet from trace.conf, the nete.stderr.loglevel parameter is configured to restrict the Web Agent to log only IPC semaphore-related error messages to the Apache error log:
# CA Web Agent IPC logging levels # nete.stderr.loglevel=error
Stronghold web servers write client certificates to a local, temporary file, which the Web Agent uses for certificate-based authentication. The Stronghold server uses this file to make information in the client certificate available for authentication. As users visit a website, these certificate files increase, taking up space on your server. You can configure the Web Agent to delete a certificate file after the Agent has finished using it.
To delete certificate files, set the DeleteCerts parameter to yes.
|
Copyright © 2013 CA.
All rights reserved.
|
|