Previous Topic: Configure the SiteMinder WSS Agent to Process Large XML MessagesNext Topic: Dynamic Policy Server Clusters


Apache Web Server Settings

Use any of the following settings to manage your CA SiteMinder® Agent for Apache-based servers:

Use the HttpsPorts Parameter on Apache 2.x Servers

If you use an SSL accelerator or any intermediate device that changes the value of the HTTP_HOST header with an Apache 2.x Web server and use the HttpsPorts parameter, additional web server configuration changes are required.

Follow these steps:

  1. Open the httpd.conf file of your Apache Web server, and then make the following changes:
  2. Modify the following configuration parameter for your Web Agent:
Use Legacy Applications with an Apache Web Agent

If you have legacy applications (that do not support HTTP 1.1), and you want to run them on an Apache Web Server, you can set the following parameter:

LegacyTransferEncodingBehavior

Specifies the type of message encoding used by the Web Agent. When the value of this parameter is set to no, transfer-encoding is supported.

When the value of this parameter is set to yes, content encoding is used. The transfer-encoding header is ignored and only the content-length header is supported.

Default: No

To use legacy applications with an Apache Web Server, set the value of the LegacyTransferEncodingBehavior parameter to yes.

Important! If you set the value of this parameter to yes, these features will not work: Federation; preservation of POST data longer than 4 KB; and large certificates may not be recognized.

Use the HTTP HOST Request for the Port Number

If you have applications that perform load balancing by redirecting traffic to specific web servers without modifying the actual HTTP headers, you should configure the Web Agent to redirect users back to the proper external port (instead of the port used by the load balancer) with the following parameter:

GetPortFromHeaders

Directs the Web Agent to obtain the port number from the HTTP HOST request header instead of obtaining it from the web server service structures.

Default: No

Note: This parameter is required for Apache Web Agents.

To use the port number in the HTTP HOST request header, set the GetPortFromHeaders parameter to yes.

Record the Transaction ID in Apache Web Server Logs

The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:

You can track user activities for a given application using the transaction ID.

Note: For more information, see the Policy Server documentation.

The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with STATE=MA):

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1

If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.

Note: Web Agents log user names and access information in native web server log files when users access resources.

You can record the CA SiteMinder® transaction ID in the Apache web server logs SMTRANSACTIONID header variable.

Follow these steps:

  1. Open the httpd.conf file.
  2. Add the SM_TRANSACTIONID header variable to the LogFormat directive.

    For example:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SM_TRANSACTIONID}i\"" common
    

    Note: For more information about the httpd.conf file and the LogFormat directive, see your Apache web server documentation.

  3. Restart the server to apply the change.

    The transaction ID is recorded in the Apache web server logs.

Choose How Content Types are Transferred in POST Requests

If you are using an Apache web server, you can control how content is transferred to the server during POST requests with the following parameter:

LegacyStreamingBehavior

Specifies how content will be transferred to the server during POST requests. When the value of this parameter is set to yes, all content types are streamed, except for the following:

When the value of this parameter is set to no, all content types are spooled.

Default: No

To stream most types of content in POST requests, change the value of the LegacyStreamingBehavior parameter to yes.

Restrict IPC Semaphore-Related Message Output to the Apache Error Log

By default the Apache Web Agent logs all levels (informational and error) of IPC semaphore-related messages to the Apache error log, regardless of the configured Apache logging level.

To restrict the verbosity of Web Agent IPC semaphore-related output to the Apache error log, add the following parameter in the trace.conf file located in web _agent_home/config:

nete.stderr.loglevel

Specifies the level of IPC semaphore-related messages the Web Agent logs to the Apache error log. Accepts the following values:

off

The Web Agent logs no IPC semaphore-related messages to the Apache error log.

error

The Web Agent logs only IPC semaphore-related error messages to the Apache error log.

info

(Default) The Web Agent logs IPC semaphore-related error and informational messages to the Apache error log.

Example: Define the nete.stderr.loglevel parameter in trace.conf

In the following snippet from trace.conf, the nete.stderr.loglevel parameter is configured to restrict the Web Agent to log only IPC semaphore-related error messages to the Apache error log:

# CA Web Agent IPC logging levels
# nete.stderr.loglevel=error
Delete Certificates from Stronghold (Apache Agent Only)

Stronghold web servers write client certificates to a local, temporary file, which the Web Agent uses for certificate-based authentication. The Stronghold server uses this file to make information in the client certificate available for authentication. As users visit a website, these certificate files increase, taking up space on your server. You can configure the Web Agent to delete a certificate file after the Agent has finished using it.

To delete certificate files, set the DeleteCerts parameter to yes.