Previous Topic: Apache Web Server SettingsNext Topic: Domino Web Server Settings


Oracle iPlanet Web Server Settings

Use any of the following settings to manage your CA SiteMinder® Agent Oracle iPlanet servers:

Restrict Directory Browsing on an Oracle iPlanet Web Server

To help ensure that users who try to browse the directories of a Oracle iPlanet web server are challenged by CA SiteMinder®, you can set the following parameter:

DisableDirectoryList

Specifies whether the Web Agent allows a user to view or browse the contents of a directory without challenging them first. This occurs when all of the following conditions are true:

Default: No

To restrict directory browsing on a Oracle iPlanet server

  1. Add the DisableDirectoryList parameter to your Agent Configuration object or your local configuration file.
  2. Set the value of the DisableDirectoryList parameter to yes.

    Directory browsing is restricted. CA SiteMinder® challenges users who try to browse directories.

Handle Multiple AuthTrans Functions for Oracle iPlanet Web Servers

AuthTrans functions are directives that initialize the Oracle iPlanet web server. The Oracle iPlanet web server executes AuthTrans functions in the order that they are listed in the obj.conf file. The Oracle iPlanet server reads through the AuthTrans functions until it finds a function that returns a REQ_PROCEED command. Once a REQ_PROCEED command executes, no other AuthTrans functions are executed.

By default, CA SiteMinder® is the first AuthTrans function and it returns a REQ_PROCEED. To allow other AuthTrans functions to execute, you need to add the EnableOtherAuthTrans parameter and set the value to yes.

The default value for this parameter is no. To enable multiple AuthTrans functions set the EnableOtherAuthTrans parameter to yes.

By adding this parameter, you permit the CA SiteMinder® Web Agent to exist with other functions.

Be sure the CA SiteMinder® Agent function is the first entry in the obj.conf file for the AuthTrans directive. The entry should read:

AuthTrans fn="SiteMinderAgent"

Record the Transaction ID in Oracle iPlanet Web Server Logs

Valid on Solaris

The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:

You can track user activities for a given application using the transaction ID.

Note: For more information, see the Policy Server documentation.

The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with STATE=MA):

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1

If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.

Note: Web Agents log user names and access information in native web server log files when users access resources.

You can record the CA SiteMinder® transaction ID in the Oracle iPlanet web server logs.

Follow these steps:

  1. Open the magnus.conf file.
  2. Add the following header variable to the existing list of HTTP server variables that you want to log when the web server initializes:
    %Req->headers.SM_TRANSACTIONID%"
    

    Note: Enter the header variable in uppercase unless the value of the LowerCaseHTTP parameter is set to yes in your Agent Configuration Object or local configuration file.

    The following example shows the SMTRANSACTIONID header variable in bold at the end of an existing entry. However, you can place it anywhere in the list of variables.

    Init fn="flex-init" access="D:/iPlanet/server4/https-orion/logs/access" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \" %Req->srvhdrs.clf-status% %Req-srvhdrs.content-length% %Req->headers.- SM_TRANSACTIONID%"
    
  3. Restart the Oracle iPlanet Server to apply the change.

    The transaction ID appears in the Oracle iPlanet web server logs. The following example shows a web server log entry with the transaction ID in bold:

    11.22.33.44 - user1 [21/Nov/2003:16:12:24 -0500] "GET /Anon/index.html HTTP/1.0" 200 748 3890b4b9-58f8-4a74df53-07f6-0002df88
    

More information:

Use Lower Case HTTP in Headers (for Oracle iPlanet, Apache, and Domino web servers)