The following list shows the configuration parameters for the Web Agent in alphabetical order:
Allows the Web Agent to accept session (SMSESSION) cookies created by third-party (non-SiteMinder) Web Agents. Third-party agents generate and read SMSESSION cookies using the SiteMinder SDK.
Default: No default
Defines the name of an Agent Configuration Object (stored on a Policy Server) in a local agent configuration file. This parameter is not used in Agent Configuration Objects.
Default: No default
Note: If you change the value of this parameter, you must restart the web server to apply the change.
Defines the identity of the Web Agent. It establishes a mapping between the name and the IP address of each web server instance hosting an Agent.
If a value is not set for this parameter, or if the Web Agent does not find a match among the values listed, the Web Agent uses the value set in the DefaultAgentName parameter instead.
Note: This parameter can have more than one value. Use the multi-value option when setting this parameter in an Agent Configuration Object. For local configuration files, add the parameter name followed by each value to separate lines in the file.
Default: No default
Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. Not case-sensitive. For example, the names MyAgent and myagent are treated the same.
Example: myagent1,192.168.0.0
Example: myagent, www.sitea.com
Enables the use of fully qualified host names of a target URL as Web Agent names with FCCs and SCCs.
Default: No
Specifies the number of seconds that the Web Agent waits for the Low-level Agent Worker process (LLAWP) to become available. When the interval expires the Web Agent tries to connect to the Policy Server.
Setting this parameter can help to resolve agent start-up errors related to LLAWP connections. We recommend starting with the default value and then increasing the interval by 5 seconds at a time until the agent starts successfully.
If you do not want to set this parameter in the Agent Configuration Object or LocalConfig.conf file, you can also set it in the WebAgent.conf file instead.
Default: 5
Example: If you have primary and secondary policy servers, try starting with a value from 30 through 40.
Limit: None
Note: This parameter was originally developed for IIS Web Agents, but you can use it with other Framework Agents (on supported Windows platforms) if you experience network latency issues.
Specifies whether the Web Agent will remove the cache-related headers from requests for protected resources.
The settings of this parameter affect the following parameters:
Default: No
Limits: Yes, No, None
Instructs the Agent Configuration Object on the Policy Server to read the local configuration file to obtain configuration parameters for the Web Agent. This parameter is used only in Agent Configuration Objects.
You can also add multiple values for this parameter in the Agent Configuration Object to control which parameters can be changed in a local configuration file. When multiple values are set for this parameter, they are processed in the following order:
Default: No
Example: yes, EnableAuditing, EnableMonitoring (allows local control of only the two listed parameters).
Instructs the Web Agent to add the authenticated user name and SiteMinder transaction ID to the IIS server log on a separate line.
Default: No
Note: This parameter applies to IIS 6.0 Web Agents only.
Specifies the URL characters that a Web Agent interprets as a possible cross-site scripting attack.
Default: <,',>
Limits:
Specifies the characters that the Web Agent encodes as literal HTML characters before using them as output on a form.
Default: <, >, &, %22
Limits:
Specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL.
Default: Empty (any characters allowed in query strings)
Limits:
Example: %25 blocks URL-encoded characters in queries.
Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against those specified by this parameter. If any of the specified characters are found, the Web Agent rejects the request.
You can specify the following characters:
Separate multiple characters with commas. Do not use spaces.
You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.
Default: <,>,&,;
Limits:
Specifies if the Web Agent caches anonymous user information. You may want to set this parameter in any of the following situations:
You may want to disable this parameter to keep the anonymous user information from filling the cache and leaving no room for registered users.
Default: No
Note: If you change the value of this parameter, you must restart the web server to apply the change.
Specifies the MIME type for the Cookie Provider credential collector.
This parameter affects the following parameters:
Default: .ccc
Indicates whether the Web Agent conforms to RFC 2047. If this parameter is missing, the Web Agent follows the default behavior.
Default: Yes
Instructs the Web Agent to generate a URL with a fully qualified domain name for redirecting users to the Password Services application. This lets you host the Password Services application on a particular web server. The Web Agent generates a URL that resembles the following example:
HTTP://my.server.com:80/path/to/passwordservices.cgi
If a fully qualified URL is not used, the Web Agent assumes that the Password Services application is hosted on the same web server and uses a relative URL for redirects.
Default: No
Defines the cookie domain of the Web Agent that you specified during the Web Agent installation. This must be a fully qualified domain name with at least two periods. For example, the .myorg.com cookie domain matches the following servers:
All web servers in this domain can exchange cookies with a user's browser. Servers in the same cookie domain use cookies to verify a user's credentials.
Default: Empty
Example: .mycompany.com
Note: This value is case-sensitive.
Specifies the number of sections (areas separated by a period) in the domain name.
Default: 0
Example: For a domain named server.division.myorg.com, in a cookie domain of division.myorg.com, set the CookieDomainScope to 3.
Specifies the cookie path for the following secondary agent browser cookies:
For example, if you set this parameter to /BasicAuth, all of the secondary agent cookies in the previous list are created using /BasicAuth as the path. If not specified, the default value is used.
The CookiePath is not added to credential cookies (such as xxxxCRED) to maintain backwards compatibility with 4.x agents.
The following cookies will always use the root (/) path:
If the CookiePathScope parameter is greater than zero, the CookiePath parameter settings are overridden.
Default: / (root)
Specifies the scope of the cookie path for the following secondary agent cookies:
Using a CookiePathScope greater than zero in this parameter overrides the setting of the CookiePath parameter.
Default: 0
Specifies the URL (using the fully qualified domain name) of the web server where the Web Agent that is acting as the cookie provider resides. The cookie provider name must have a .ccc extension.
http://server.domain:port/siteminderagent/SmMakeCookie.ccc
http://server.domain:port/SmMakeCookie.ccc
This parameter affects the following parameters:
Default: No default
Example: (IIS, Sun Java System and Domino web servers) http://server1.myorg.com:80/siteminderagent/SmMakeCookie.ccc
Example: (Apache and Apache-based web servers) http://server1.myorg.com:80/SmMakeCookie.ccc
Specifies the time period (in seconds) during which the receiving agent accepts the session cookie. After this time passes, the session cookie is not accepted. If this parameter is not set or is set to zero, the session cookie expires when the Idle Timeout and Max Session Timeout values are reached.
Default: Empty
Specifies whether the Web Agent checks URLs (including any query string) for escaped and unescaped characters (as defined by the list in the BadCSSChars parameter) that may be part of an executable script.
Default: Yes
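The three URL-hygiene checks described on this page (BadUrlChars before the "?", BadQueryChars after it, and CSSChecking against BadCSSChars in escaped and unescaped form) are modelled below as an added illustration; this is constructed code, not CA's agent implementation, and the sample URLs are constructed. The defaults are the ones listed above.

```python
from __future__ import annotations

from urllib.parse import unquote

# Defaults as listed on this page. Everything in this file is a constructed
# model of the documented behaviour, not the Web Agent's own code.
DEFAULT_BAD_URL_CHARS = "<,>,&,;"
DEFAULT_BAD_CSS_CHARS = "<,',>"
DEFAULT_BAD_QUERY_CHARS = ""  # empty: any characters allowed in query strings


def parse_char_list(value: str) -> list[str]:
    """Split a comma-separated parameter value (no spaces) into tokens.
    A URL-encoded token such as %25 is kept literally, so the encoded form
    itself is what gets matched, as the BadQueryChars example shows."""
    return [tok for tok in value.split(",") if tok]


def check_request_url(url: str,
                      bad_url_chars: str = DEFAULT_BAD_URL_CHARS,
                      bad_query_chars: str = DEFAULT_BAD_QUERY_CHARS,
                      css_checking: bool = True,
                      bad_css_chars: str = DEFAULT_BAD_CSS_CHARS) -> tuple[bool, str]:
    """Return (allowed, reason) for one request URL.

    BadUrlChars is applied only to the part before the first '?', which is
    why the same characters may still appear inside CGI parameters.
    BadQueryChars is applied only to the part after the '?'.
    CSSChecking compares BadCSSChars against both the raw and the
    URL-decoded form of the whole URL, query string included."""
    path, sep, query = url.partition("?")
    for tok in parse_char_list(bad_url_chars):
        if tok in path:
            return False, f"BadUrlChars: {tok!r} found before '?'"
    if sep:
        for tok in parse_char_list(bad_query_chars):
            if tok in query:
                return False, f"BadQueryChars: {tok!r} found in query string"
    if css_checking:
        decoded = unquote(url)
        for tok in parse_char_list(bad_css_chars):
            if tok in url or tok in decoded:
                return False, f"CSSChecking: {tok!r} found (escaped or unescaped)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests showing each rule in turn.
    samples = [
        "/app/page.html",                     # allowed
        "/app/<b>x",                          # BadUrlChars: '<' before '?'
        "/cgi-bin/search?a=1&b=2",            # '&' after '?' is allowed
        "/cgi-bin/search?q=%3Cscript%3E",     # CSSChecking catches the escaped '<'
    ]
    for sample in samples:
        print(sample, "->", check_request_url(sample))
    # BadQueryChars=%25 blocks URL-encoded characters in queries, per the page.
    print(check_request_url("/cgi-bin/search?v=%25", bad_query_chars="%25"))
```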
Specifies the location of a custom-error message file or URL that you want to display to the users if they try to open a URL that contains possible cross-site scripting characters.
Default: No default
Specifies the customized HTML page to display when users receive a 401 (insufficient privileges) browser error.
Default: No default
Specifies an HTTP header that the Web Agent should look for to find the requestor's IP address. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value may be any string that contains a valid HTTP header value, for example, HTTP_ORIGINAL_IP.
Default: No default
Specifies whether the Web Agent decodes the query data in a URL before calling the Policy Server. Set this parameter to yes if you need to do any of the following tasks in your environment:
Default: No
Defines a name that the Web Agent uses when it receives a request on an IP address or interface for which there is no agent name specified in the AgentName parameter.
If you are using virtual servers, you can set up your SiteMinder environment quickly by using a DefaultAgentName instead of defining a separate Web Agent for each virtual server.
Important! If you do not specify a value for the DefaultAgentName parameter, you must list every agent identity in the AgentName parameter. Otherwise, the Policy Server will not be able to tie policies to the Web Agent.
Default: No default
Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. Not case-sensitive. For example, the names MyAgent and myagent are treated the same.
Specifies a default password for the associated Windows user that is used to access IIS resources as a proxy user.
Important! If you want to encrypt this parameter, set it centrally in the Agent Configuration Object. If this parameter is set in a local configuration file, it will not be encrypted and will be less secure.
Default: No default
Note: This parameter applies to IIS Web Agents only.
Specifies the name of a Windows user that is used to access IIS resources as a proxy user. When users want to access resources on an IIS web server protected by SiteMinder, they may not have the necessary server access privileges. For example, if users are stored in an LDAP user directory on a UNIX system, those users may not have access to the Windows system with the IIS web server.
The Web Agent must use this NT user account, which is assigned by an NT administrator, to act as a proxy user account for users granted access by SiteMinder.
Default: No default
Note: This parameter applies to IIS Web Agents only.
Specifies if the certificates stored on a Stronghold server will be removed when the Web Agent finishes using them.
Default: No
Note: This parameter applies to Apache Web Agents only.
Specifies whether the Web Agent disables the following default SiteMinder authentication source HTTP header variables:
Note: You cannot disable individual variables. You can only disable a category of several variables.
Default: No
Specifies whether the Web Agent allows a user to view or browse the contents of a directory without challenging them first. This occurs when all of the following conditions are true:
Default: No
Note: This parameter applies to Sun Java System Agents only.
Prevents the Web Agent from performing DNS lookups.
Important! Fully qualified domain names must be used for cookie-based functions to work properly when the value of this parameter is set to yes.
Specifies whether the Web Agent blocks access to a URL that contains two periods separated by a slash (/).
The settings of this parameter affect the following parameter:
Default: No (the rule is applied)
Specifies whether a Web Agent observes the 64 KB data-size limit when preserving or filtering POST data. This does not affect the standard POST operation, but it does affect the following:
Default: No (limit enforced)
Important! Change this parameter to yes at your own risk.
Note: This parameter applies to IIS 5.0 Web Agents only.
Specifies whether the Web Agent disables the following default SiteMinder user session HTTP header variables:
Note: You cannot disable individual variables. You can only disable a category of several variables.
Default: No
Specifies whether the Web Agent disables the following default SiteMinder user name HTTP header variables:
Note: You cannot disable individual variables. You can only disable a category of several variables.
Default: No
Specifies the name by which the Domino Web Agent identifies the users that SiteMinder has previously authenticated against another directory to the Domino server.
Important! This parameter must be encrypted if it is stored in a local configuration file. Use the encryptkey tool to encrypt this parameter. Do not change it by editing the local configuration file directly.
Default: No default
Note: This parameter applies to Domino Web Agents only.
Specifies how a Web Agent handles user requests for protected Lotus Notes documents in a Domino environment. Setting this parameter to yes grants users ReadForm permission only for the requested document.
Default: No
Note: This parameter applies to Domino Web Agents only.
Instructs the Domino Web Agent to ask the Domino web server if the user requesting access to a resource is unique or ambiguous within the Domino user directory. This helps if a user requesting access to a resource has the same name as other users in the user directory.
Default: No
Note: This parameter applies to Domino Web Agents only.
Instructs the Web Agent to map (normalize) the URL from the Domino server representation to a URL-friendly name for the redirect to the Forms Credential Collector (FCC). The FCC can process the request for the requested Domino resource. If this parameter is missing, the default behavior occurs. If this parameter is set to no, the Web Agent does not map the URL, and performs FCC redirects using the original Domino server representation.
The DominoNormalizeUrls parameter must also be set to yes, otherwise the URL will not be normalized.
Default: Yes
Note: This parameter applies to Domino Web Agents only.
Specifies if the SiteMinder Web Agent converts Domino URLs to a URL-friendly name before redirecting them to a Forms Credential Collector.
The MapUrlsForRedirect parameter must also be set to yes for the Domino URLs to be converted.
If the DominoNormalizeUrls parameter is set to no, URLs will not be normalized, even if the MapUrlsForRedirect parameter is set to yes.
Important! If you set the DominoNormalizeUrls parameter to no, you cannot protect individual documents within a Notes database; you can only protect the entire database or subdirectories of the Domino Web server.
Default: Yes
Note: This parameter applies to Domino Web Agents only.
Identifies a user who has access to all resources on the Domino server, and ensures that all users successfully logged into SiteMinder will be logged into Domino as the Domino SuperUser.
This value can be encrypted.
This parameter affects the following parameters:
Default: No default
Note: This parameter applies to Domino Web Agents only.
Instructs the Domino Web Agent to pass the SiteMinder header value to the Domino web server. The Domino server uses the header data to identify a user in its user directory.
Default: No default
Note: This parameter applies to Domino Web Agents only.
Specifies whether the Web Agent logs all successful authorizations that are stored in the user session cache. When enabled, user authorizations are logged even when the Web Agent uses information from its cache instead of contacting the Policy Server. Web Agents log user names and access information in native web server log files when users access resources.
Default: No
Controls the forms template cache. Setting this parameter to yes improves the performance of forms authentication. To disable the cache, set this parameter to no.
Default: Yes
Collects information about the SiteMinder Web Agent and sends it to CA Wily Introscope using a plug-in. This parameter uses the following settings:
Default: No
Limits: Yes, Both, No, None
Example: (HTTP header) sm-wa-perf-counters = server_name.example.com:6180,86117203,86118343,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1125,0,15,1,1,750,750,
Specifies whether the SiteMinder Web Agent sends monitoring information to the Policy Server.
Default: No
Allows the use of other AuthTrans functions along with SiteMinder.
Default: No
Note: This parameter applies to Sun Java System Agents only.
Activates a Web Agent and allows it to communicate with the Policy Server. Set this parameter to yes only after you have finished changing all of the configuration parameters.
Default: No
Note: This parameter is used in local configuration files only.
Controls whether the agent name is encrypted when the Web Agent adds its name to the URL that redirects a user to a forms, SSL, or NTLM credential collector. It also controls whether the credential collector decrypts the name when it receives the URL.
Default: Yes
Determines if the Web Agent overrides the session time-out values from the first realm a user accesses with the session time-out values from a subsequent realm the user accesses using single sign-on. When this parameter is set to yes, the Web Agent looks at the session time-outs returned during an SMSESSION cookie validation and honors the time-out values for the subsequent realm in which the user is being validated. When this parameter is set to no, the Web Agent honors the time-outs of the original login session: when a user moves to a new realm, the Web Agent enforces the idle or session time-outs from the first realm and not the time-outs from the subsequent realm.
Default: No
(Optional) Specifies a URL that the agent redirects the user to after any session cookie has expired. If neither the born date nor the CookieValidationPeriod are configured, the agent ignores the settings and processes the cookie as usual (backwards compatibility).
Prevents a forward proxy server from caching content (pages and potentially headers or cookies). When this parameter is set to yes (enabled), the Web Agent inserts an Expires or Cache-control header into the HTTP response. If content is not cached, subsequent requests continue to be forwarded.
When the ExpireForProxy parameter is set to yes, the Web Agent inserts the strings specified in the appropriate ProxyHeaderssuffix parameter into the HTTP response based upon what type of request was performed.
The Web Agent adds strings into the HTTP responses as follows:
Default: No
Note: This parameter applies to proxy servers only.
Enables an FCC/NTC to serve forms for resources protected by 4.x Web Agents or third-party applications.
Note: SMUSRMSG is supported for the custom authentication scheme only when FCCCompatMode is set to yes.
Default: (traditional agents) Yes
Default: (framework agents) No
Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.
Specifies a MIME value for credential collectors on IIS or Domino web servers.
Default: .fcc
Specifies whether the Web Agent makes an additional IsProtected call to the Policy Server to establish a realm context so that the Web Agent can log a user in to access a protected resource.
When this parameter is set to no, the Web Agent uses the realm information obtained from its initial IsProtected call to the Policy Server instead.
Default: Yes
Forces the Web Agent to append its cookie domain to the host name in a URL request that does not specify a domain or contains only an IP address. This parameter works together with the ForceFQHost parameter for added functionality.
Default: No
Forces a Web Agent to use a fully qualified domain name. This parameter uses the configured domain name system (DNS) services, rather than the Agent itself, to append the cookie domain to the host name in a URL request. If the Web Agent receives a request that contains a partial URL, it redirects the request back to the same destination resource specified in the original URI. The redirect request uses the fully qualified host name, which the Web Agent determines using the configured DNS services. Use this parameter with the ForceCookieDomain parameter for added functionality.
Default: No
Example: When the Web Agent receives a request from http://host1/page.html, it responds with http://host1.myorg.com/page.html. If the Web Agent receives a request such as http://123.113.12.1/page.html, it responds with http://host1.myorg.com/page.html.
Note: These examples work only if the proper DNS lookup tables are set up. If a partial domain is entered, the result depends on whether or not the DNS lookup can resolve it. If the request resolves as an invalid host, an error will result. Most likely, such a request would not even reach the web server.
Specifies whether the Web Agent uses an IIS proxy account to grant access to requested resources on IIS web servers to users who normally lack sufficient privileges to access the IIS web server.
This parameter affects the following parameters:
Default: No
Note: This parameter applies to IIS Web Agents only.
Specifies the number of seconds that an object may reside in the cache before being considered invalid. When the timeout interval expires, the modification date and time of the form template file is compared against the time that the cache object was created. If the cached object is newer than the file on the system's disk, the timeout is reset for another interval; otherwise, the object is removed from the cache.
Default: 600
Directs the Web Agent to obtain the port number from the HTTP HOST request header instead of obtaining it from the web server service structures.
Default: No
Note: This parameter is required for Apache Web Agents.
Specifies the path to the SMHost.conf file (in an IIS 6.0 or Apache agent) that is created after a trusted host computer has been successfully registered with a Policy Server. All Web Agents on a computer share the SMHost.conf file.
Default: No default
Note: If you change this parameter, you must restart the web server to apply the change.
Selects the specification that the Web Agent uses for encoding the HTTP header values and all custom HTTP-COOKIE responses. The value for this parameter uses the following syntax:
encoding_spec, wrapping_spec
Including the wrapping specification (RFC-2047) is optional, but we recommend using it.
Default: No default (if left blank, the Web Agent uses UTF-8 encoding with no wrapping)
Example: Shift-JIS,RFC-2047
Specifies the secure ports the Web Agent listens on if you are using an SSL connection to the web server. If you specify a value for this parameter, you must include all the ports for all the web servers that serve secure requests. If you do not specify a value, the Web Agent reads the HTTP scheme from the web server's context.
If a server is behind an HTTPS accelerator (which converts HTTPS to HTTP), the requests are treated as SSL connections by your browser.
Default: Empty
Example: 80
Example: (multiple ports) 80,8080,8083
Specifies the URL where the Web Agent should redirect the user when the idle time-out for the session occurs.
Example: http://example.mycompany.com/sessionidletimeoutpage.html
Note: IdleTimeoutURL should only be used for non-persistent sessions; it has no effect if configured for persistent sessions.
Prevents the cookie provider from being queried for unprotected resource requests. When this parameter is set to no, all requests are directed to the cookie provider by the Web Agent. For traditional (non-framework) Agents, a cookie provider must be configured for the value of this parameter to appear in the Web Agent log file.
Default: No
Specifies the types of resources for which the Web Agent passes requests to the web server without checking SiteMinder policies. The Web Agent allows access to the items specified by this parameter even if they exist in a realm that is protected by a SiteMinder policy.
Requests for resources that meet either of the following conditions may be ignored:
For example, if a URI for a requested resource is /my.dir/ the Web Agent passes the request directly to the web server.
Default: .class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc
Important! Use caution when setting the IgnoreExt parameter. There are some security issues that you may want to consider.
Specifies the fully qualified domain names of any virtual servers that you want the Web Agent to ignore. Resources on such virtual servers are auto-authorized, and the Web Agent always grants access to them regardless of which client makes the request. The authorization decision is based on the configuration of the Web Agent instead of on a policy.
The list of ignored hosts is checked first, before any other auto-authorization checks such as the IgnoreExt and IgnoreUrl settings. Therefore, the double-dot rule does not trigger an authorization call to the Policy Server for a resource on an ignored host, even when that resource would not be ignored by extension.
The host portion of the URL entries for the IgnoreHost parameter must exactly match what the Web Agent reads for the host header of the requested resource.
Note: This value is case-sensitive.
If the URL uses a specific port, then the port must be specified.
For centrally-managed agents, use a multi-value parameter in the Agent Configuration Object to represent several servers. For agents configured with a local configuration file, list each host on a separate line in the file.
Example: (URL shown with port specified)
IgnoreHost="myserver.example.org:8080"
Example: (local configuration file)
IgnoreHost="my.host.com"
IgnoreHost="your.host.com"
Default: No default
Specifies whether the Web Agent will cache the entire URL (including the query strings) and send the entire URI to the Policy Server for rule processing. A full URL string contains a URI, a hook (?), and some query data, as shown in the following example:
URI?query_data
URLs that have been the subjects of requests are cached by default. Subsequent requests search the cache for a match. If requests for the same URI contain different query data, the match fails. Ignoring the query data improves performance.
When the IgnoreQueryData parameter is set to yes, the following occurs:
/myapp?data=1
/myapp?data=2
When the IgnoreQueryData parameter is set to no, the following occurs:
/myapp?data=1
/myapp?data=2
Default: No
Important! Do not enable this setting if you have policies which depend on URL query data.
Specifies a URI within a URL that will not be protected. Users attempting to access the resource associated with the URI will not be challenged. The Web Agent ignores the URI portion of the string after three forward slashes. For example, if you set this parameter to the following value:
http://www.example.com/directory
The Web Agent ignores the following URI:
directory
The Web Agent ignores the specified URI wherever it occurs, even if it is under a different domain. For example, the Web Agent ignores the URI shown previously in all of the following URLs:
http://www.example.com/directory
http://www.example.net/directory
http://www.example.org/directory
Note: This value is case-sensitive.
Default: No default.
Example: (multiple URIs in local configuration file)
IgnoreUrl="http://www.example.com/directory"
IgnoreUrl="http://www.example.com/directory2"
Example: (using a URI only, without specifying a domain)
IgnoreUrl="/resource/"
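The IgnoreHost, IgnoreQueryData and IgnoreUrl behaviour described above (ignored hosts checked first by exact Host-header match, the IgnoreUrl entry reduced to what follows the third slash and matched wherever it occurs, and the query data dropped from the cache key when IgnoreQueryData is yes) as an added model; this is constructed code, not the Web Agent's own, and treating "wherever it occurs" as a substring test is an assumption.

```python
from __future__ import annotations


def ignore_url_uri(entry: str) -> str:
    """Reduce an IgnoreUrl entry to the URI the agent compares against.
    For a full URL only what follows the third '/' is kept, so
    'http://www.example.com/directory' becomes 'directory'; a bare URI such
    as '/resource/' is used as given."""
    if "://" in entry:
        parts = entry.split("/", 3)  # ['http:', '', 'www.example.com', 'directory']
        return parts[3] if len(parts) == 4 else ""
    return entry


def is_auto_authorized(host_header: str, uri: str,
                       ignore_hosts: list[str],
                       ignore_urls: list[str]) -> tuple[bool, str]:
    """Return (auto_authorized, rule) in the documented order.

    IgnoreHost is consulted first: an exact, case-sensitive match of the Host
    header as the agent reads it, port included when the request uses one.
    IgnoreUrl is consulted next: a case-sensitive match of the reduced entry
    anywhere in the request URI, regardless of domain (substring test is a
    modelling assumption, so 'directory' also matches '/mydirectory2')."""
    if host_header in ignore_hosts:
        return True, "IgnoreHost"
    for entry in ignore_urls:
        needle = ignore_url_uri(entry)
        if needle and needle in uri:
            return True, "IgnoreUrl"
    return False, ""


def policy_cache_key(uri: str, ignore_query_data: bool) -> str:
    """Key under which the agent caches the Policy Server's answer for a URI.
    With IgnoreQueryData=yes the query data is dropped, so /myapp?data=1 and
    /myapp?data=2 share one entry; with no, each distinct query is a miss."""
    return uri.partition("?")[0] if ignore_query_data else uri


def policy_server_round_trips(uris: list[str], ignore_query_data: bool) -> int:
    """Number of cache misses (Policy Server calls) a sequence of requests
    for protected resources causes under the cache-key rule above."""
    seen: set[str] = set()
    for uri in uris:
        seen.add(policy_cache_key(uri, ignore_query_data))
    return len(seen)


if __name__ == "__main__":
    # Constructed configuration values taken from the examples on this page.
    hosts = ["myserver.example.org:8080", "my.host.com", "your.host.com"]
    urls = ["http://www.example.com/directory", "/resource/"]
    print(is_auto_authorized("myserver.example.org:8080", "/secure/app", hosts, urls))
    print(is_auto_authorized("www.example.net", "/directory/index.html", hosts, urls))
    print(is_auto_authorized("www.example.net", "/Directory/index.html", hosts, urls))
    requests = ["/myapp?data=1", "/myapp?data=2", "/myapp?data=1"]
    print(policy_server_round_trips(requests, True), policy_server_round_trips(requests, False))
```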
Allows Web Agents for IIS 5 to enforce native IIS security mechanisms by providing a Windows user security context. Add this parameter to the Agent Configuration Object or local configuration file with the value you want.
If this parameter is set to yes, the Web Agent stores encrypted credentials in paged memory, which can be written to the operating system's page file and saved to a hard disk.
Important! If your hard disk is stolen or compromised, confidential data could be exposed.
If this parameter is no, the Web Agent stores encrypted credentials in protected kernel memory. This setting is more secure, but it places more demands on the physical memory of your IIS server.
Default: No
Note: This parameter applies to IIS 5.0 Web Agents only. It is not used in Framework Web Agents.
Controls whether a framework agent sends a POST request to a cookie provider. When framework agents send a POST request to a traditional agent that is acting as a cookie provider, the redirected request becomes a GET instead and fails. When set to no, the framework agent sends the POST request to the cookie provider. When set to yes, the framework agent does not send the POST request to the cookie provider.
If you are using central agent configuration, you must add this parameter to your Agent Configuration Object. This parameter already exists in local configuration files.
Default: No (POST requests sent)
Note: This parameter applies to framework agents only.
Forces the Web Agent to replace any dollar sign ($) characters in legacy URLs with a hyphen (-). This also ensures backward compatibility with MSR, Password Services, and DMS. When this parameter is set to no, a Web Agent converts the string $SM$ to -SM-. When this parameter is set to yes, the Web Agent does not convert the dollar sign ($) character.
Default: (Framework Agents) No
Default: (Traditional Agents) Yes
Specifies the type of message encoding used by the Web Agent. When the value of this parameter is set to no, transfer-encoding is supported.
When the value of this parameter is set to yes, content encoding is used. The transfer-encoding header is ignored and only the content-length header is supported.
Default: No
Note: This parameter applies to Apache Web Agents only.
Specifies if the Web Agent uses underscores in HTTP header names. With some web servers (such as the Sun Java System), using the underscore character in the HTTP headers causes problems with some applications.
When this parameter is set to no, the HTTP headers will not have underscores, as shown in the following example:
SMHeaderName
When this parameter is set to yes, the HTTP headers will use underscores, as shown in the following example:
SM_HeaderName
Default: (traditional agents) Yes
Default: (framework agents) No
Specifies which plug-ins are loaded for IIS 6.0 and Apache 2.0 Web Agents. The plug-ins support different types of Agent functions.
Default: No default
Important! Do not add any other parameters to the WebAgent.conf file.
The following plug-ins are available:
Specifies whether the Web Agent operates as an HTTP agent.
Default: Enabled
Allows communication between the Web Agent and a SAML Affiliate Agent (if you have purchased Federation Security Services).
Default: Disabled
Allows communication between the Web Agent and a 4.x Affiliate Agent. This is not used by the SAML Affiliate Agent.
Default: Disabled
Specifies the location of the LocalConfig.conf file, which contains most of the Agent configuration settings.
Default: No default
Adds new log information to the end of an existing log file. When this parameter is set to no, the entire log file is rewritten each time logging is invoked.
Default: No
Specifies whether the Web Agent records logs. If this parameter is set to yes in a local configuration file, logging is enabled even if the AllowLocalConfig parameter of an Agent Configuration Object is set to no.
Default: No
Specifies the full path (including the file name) of the log file.
Default: No
Example: /export/iPlanet/servers/https-jsmith/logs/WebAgent.log
Specifies the size limit of the log file in megabytes. When the current log file reaches this limit, a new log file is created. The new log file uses one of the following naming conventions:
You must archive or remove the old files manually.
Note: Rolling logs are not supported for Apache 1.x web servers on UNIX systems. Accept the default or leave this setting blank.
Default: 0 (no rollover)
Example: 80
Specifies the number of Web Agent log files that are kept. New log files are created in the following situations:
Changing the value of this parameter does not automatically delete any existing log files which exceed the number that you want to keep. For example, if your system has 500 log files stored, and you decide to keep only 50 of those files, the Web Agent does not delete the other 450 files.
Setting the value of this parameter to zero retains all the log files.
Default: 0
Specifies whether the logs use Greenwich Mean Time (GMT) or local time. To use GMT, change this setting to no. If this parameter does not exist, the default setting is used.
Default: Yes
Enables full log off and specifies the location of a custom web page on your web server that appears to users after they are successfully logged off. You must configure this page so that it cannot be stored in a browser cache. Otherwise, a browser may display a logoff page from its cache without logging the user off. This may give an unauthorized user an opportunity to assume control of a session.
Note: When the CookiePath parameter is set, the value of the LogOffUri parameter must point to the same cookie path. For example, if the value of your CookiePath parameter is set to example.com, then your LogOffUri must point to example.com/logoff.html
Default: No default
Limits: Do not use a fully qualified URL. You must use a relative URI.
Example: /Web pages/logoff.html
Specifies whether the Web Agent uses uppercase or lowercase HTTP headers. Some web servers may be case-sensitive. Set this parameter to no to specify uppercase headers.
Default: Yes
Note: This parameter does not apply to IIS agents.
Specifies the path for the primary-domain session cookies created by the cookie provider. For example, if this parameter is set to /siteminderagent, all session cookies that the cookie provider creates will have the /siteminderagent path. If this parameter is not set in the Cookie Provider Agent, the default value is used.
Default: / (root)
Specifies the maximum number of entries that the Web Agent keeps in its resource cache. An entry contains the following information:
When the maximum is reached, new resource records replace the oldest resource records.
If you set this value to a high number, be sure that sufficient system memory is available.
If you are viewing Web Agent statistics using the OneView Monitor, you may notice that the value shown for the ResourceCacheCount is greater than the value you specified for the MaxResourceCacheSize parameter. This is not an error. The Web Agent uses the MaxResourceCacheSize parameter as a guideline and the values may at times differ because the MaxResourceCacheSize parameter represents the maximum number of average-sized entries in the resource cache. The actual cache entries are most likely larger or smaller than the pre-determined average size; therefore, the effective maximum number of entries may be more or less than the value specified.
Note: For Web Agents that use shared memory, such as the Agent on Apache 1.x and the framework Agents, the cache is pre-allocated to a constant size based on the MaxResourceCacheSize value and will not grow.
Default: (Domino web servers) 1000
Default: (IIS and Sun Java System web servers) 700
Default: (Apache web servers) 750
Note: If you change the value of this parameter, you must restart the web server to apply the change.
Specifies the maximum number of users the Agent maintains in its session cache. The session cache stores the session IDs of users who authenticate successfully. If those users access another resource in the same realm during the same session, the Agent uses the information from the session cache instead of calling the Policy Server. When the maximum number is reached, the Agent replaces the oldest user records with new user records.
Base the value of this parameter on the number of users that you expect to access and use resources for a sustained period of time. If you set this value to a high number, ensure that sufficient system memory is available.
Default: (Domino web servers) 1000
Default: (IIS and Sun Java System web servers) 700
Default: (Apache web servers) 750
Note: If you change the value of this parameter, you must restart the web server to apply the change.
Specifies the URL where the Web Agent should redirect the user when the maximum time-out for the session occurs.
Example: http://example.mycompany.com/maxtimeoutpage.html
Default: No default
Specifies the maximum size (in bytes) of a URL that a Web Agent can handle. Because different web servers have different limitations on URL length, check the documentation from your web server vendor before setting this parameter.
Default: 4096 B
Specifies the MIME type associated with the NTLM credential collector. This collector gathers NT credentials for resources that are protected by the Windows authentication scheme. This scheme applies to resources on IIS web servers that are accessed by the Internet Explorer browser.
You can have multiple extensions in this parameter. If you are using an Agent Configuration Object, select the multi-value option. If you are using a local configuration file, separate each extension with a comma.
Default: .ntc
Specifies whether the Web Agent compares the request method of all HTTP requests against the methods listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.
Default: No default
Specifies whether the Web Agent compares the URI from all HTTP requests against the URI listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.
Default: No default
Specifies whether the Web Agent compares the URLs from all HTTP requests against the URLs listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie. Also, cookie providers (if configured) are not updated for that request.
Default: No default
Example: Use a relative URL, such as /MyDocuments/index.html. Do not use an absolute URL (http://fqdn.host/MyDocuments/index.html).
Specifies a list of strings you want the Web Agent to match against all URIs. This helps you protect resources whose extensions are normally ignored by the Web Agent, or any files or applications that do not have extensions. If the URI matches one of the strings in the list, the Web Agent checks with the Policy Server to determine if the resource is protected.
It is better to specify more general strings instead of exact paths. You can also include a partial string to protect a group of resources. For example, the string /servlet/ protects the following resources:
Default: No default
Determines whether custom responses comply with the Platform for Privacy Preferences Project (P3P) response headers. P3P compact policies use tokens representing the specific elements from the P3P terminology. If you set the P3PCompactPolicy parameter to the appropriate policy syntax, it ensures that custom responses are set with the correct P3P response header when a P3P compact policy is specified for the Web Agent.
Default: No default
Example: NON DSP COR CURa TAI (these represent: none, disputes, correct, current/always, and tailoring, respectively)
Note: This parameter is not supported on Apache 1.3 or Domino Web Agents.
Specifies whether the agent allows single sign-on for multiple browser sessions. When this is enabled, users who authenticate during one browser session will retain single sign-on capabilities for subsequent browser sessions.
If you set the value of the autoauthorizeoptions parameter to yes, set the value of the PersistentCookies parameter to no.
To enable persistent cookies, you must also set the TransientIDCookies parameter to no.
This parameter affects the following parameters:
Default: No
Instructs the Web Agent to compare the IP address from the last request (stored in a persistent cookie) with the IP address in the current request to see if they match. If the IP addresses do not match, the Web Agent rejects the request.
Note: SiteMinder identity cookies are unaffected by IP checking.
This parameter affects the following parameters:
Default: Yes
Enables the transfer of POST preservation data between Traditional and Framework Agents by specifying the path to one of the following POST-preservation-template files:
Default: No default
Example: web_agent_home/samples/forms/fw2tr.pptemplate
Specifies whether the Web Agent saves the existing HTTP headers instead of replacing them when new headers are created. Set this parameter to yes for Sun Java System, Domino, and Apache Web Agents.
Default: No
Specifies whether the Web Agent preserves POST data when redirecting requests. When the user is challenged for advanced authentication, such as forms or certificate authentication, the post data is preserved during the authentication phase.
Default: Yes
Specifies if a Web Agent is acting as a reverse proxy agent.
When the value of this parameter is yes, the SiteMinder Web Agent on the front-end server preserves the original URL requested by the user in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.
Default: No
Note: This parameter applies to Apache Web Agents only.
Specifies the IP address of a proxy (such as a cache device) that requires the use of a custom HTTP header to resolve requester IP addresses.
Default: No default
Limits: The string must contain an IP address. Do not use server names or fully qualified DNS host names.
Specifies the number of seconds the reverse proxy waits for the Web Agent deployed behind it to respond to a request.
Default: No default
Note: This parameter applies to Apache Web Agents only.
Instructs the Web Agent for the destination server to trust the authorizations made by the proxy server. This is more efficient because the Web Agent for the destination server does not need to reauthorize users.
Default: No
Specifies how often (in seconds) the Web Agent contacts the Policy Server to retrieve information about policy changes or dynamically updated keys. Higher numbers (longer intervals) decrease network traffic. Lower numbers (shorter intervals) increase network traffic.
Default: 30
Limit: 1
Example: If the level of traffic in your network is moderate, or your website does not change often, you can increase the interval to reduce network traffic.
Instructs the Web Agent to populate the REMOTE_USER variable based on the value from an HTTP-WebAgent-Header-Variable response attribute. Use this to integrate with legacy applications. Enter only the name of the response variable.
Example: To return an HTTP-WebAgent-Header-Variable such as "user=aperson", set the RemoteUserVar parameter to user.
Default: No default
Specifies a customized error page to which users are redirected if a cookie with basic credentials is not returned by the browser when the RequireCookies parameter is set to yes.
Example: http://yourcompany.com/need_cookies.htm
Specifies whether SiteMinder requires cookies. SiteMinder uses cookies to do the following:
Important! If you configure the Web Agent to require cookies, a user's Web browser must accept HTTP cookies. If the browser does not, the user receives an error message from the Agent denying the user access to all protected resources.
Default: Yes
Specifies the number of seconds that resource entries remain in the cache. If a user tries to access a protected resource after the time interval has been exceeded, the Web Agent removes the cached entries and contacts the Policy server.
Default: 600 (10 minutes)
Note: If you change the value of this parameter, you must restart the web server to apply the change.
Specifies the number of hours that a persistent cookie containing the user credentials will be saved. During this time interval, the Web Agent authenticates the user with the data stored in the cookie. After this time interval expires, the cookie is removed and the Web Agent challenges the user again.
Default: 720 (30 days)
Specifies a MIME type for an SSL Credential Collector.
Default: .scc
Prevents the Agent from authorizing URLs from an unauthorized user. If your Web Agent is configured to ignore requests for files ending with certain extensions, an attacker may attempt to access resources by creating a false URL.
For example, if you have a resource with the following URL:
/scripts/myapp
An attacker may attempt to gain access by creating a false URL like the one in the following example:
/scripts/myapp/junk.jpg
If the value of the SecureApps parameter is set to no, the request for /scripts/myapp/junk.jpg would be automatically authorized if the Web Agent was set to ignore requests for .jpg files.
If the value of the SecureApps parameter is set to yes, the Web Agent attempts to discover if the resource is legitimate or if the URL is false.
Default: No
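The following added example (not CA's code) models the SecureApps behavior described above: with the check off, a request whose last segment ends in an ignored extension is passed through; with it on, the agent still consults the Policy Server when a path prefix is a known application. The ignored-extension set, the application list, and the prefix-matching "discovery" step are assumptions made for the illustration.

```python
"""SecureApps-style URI check (added illustration, not CA Web Agent code).

Assumptions (not from the page): the agent holds a set of ignored
extensions and a set of application resources it protects; the
'is this resource legitimate?' step is modelled as checking whether
any path prefix of the request names a known application.
"""
from typing import Iterable

# Constructed sample configuration for the example.
IGNORED_EXTENSIONS = {".jpg", ".gif", ".css"}
PROTECTED_APPS = {"/scripts/myapp", "/cgi-bin/report"}


def _path_only(uri: str) -> str:
    """Drop any query string so extension and prefix checks see the path."""
    return uri.split("?", 1)[0]


def _extension(uri: str) -> str:
    """Return the lower-cased extension of the final path segment, or ''."""
    last = _path_only(uri).rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""


def _app_prefixes(uri: str) -> Iterable[str]:
    """Yield every path prefix, longest first: /a/b/c -> /a/b/c, /a/b, /a."""
    parts = _path_only(uri).rstrip("/").split("/")
    for i in range(len(parts), 1, -1):
        yield "/".join(parts[:i])


def requires_policy_check(uri: str, secure_apps: bool) -> bool:
    """Decide whether the agent must ask the Policy Server about this URI.

    secure_apps=False reproduces the weak behaviour the page warns about:
    anything ending in an ignored extension is authorized without a check.
    secure_apps=True keeps the extension shortcut only when no path prefix
    is a known application, so /scripts/myapp/junk.jpg is still checked.
    """
    if _extension(uri) not in IGNORED_EXTENSIONS:
        return True
    if not secure_apps:
        return False
    return any(prefix in PROTECTED_APPS for prefix in _app_prefixes(uri))


if __name__ == "__main__":
    for flag in (False, True):
        print(f"SecureApps={flag}: /scripts/myapp/junk.jpg checked ->",
              requires_policy_check("/scripts/myapp/junk.jpg", flag))
```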
Specifies whether the Web Agent encrypts the SiteMinder query parameters in a redirect URL. You can use this setting to provide additional security for requested resources protected by an advanced authentication scheme, Password Services, or when a request invokes the Cookie Provider.
Important! The Web Agent only encrypts data sent between SiteMinder components. The data sent for redirects to non-SiteMinder applications is not encrypted.
The following SiteMinder credential collectors and applications support the SecureUrls functionality:
Default: No
Instructs the Web Agent to display a custom error page to users who encounter server errors. Specify a file path or URL for this parameter.
Default: No default
Specifies a unique path to each web server instance when a Web Agent is configured to use multiple instances of a web server. The ServerPath creates a unique identifier for the Web Agent's caching, logging, and health-monitoring resources.
Default: Empty
Example: If there are four web server instances, each loading a Web Agent, then each server's WebAgent.conf file should have the ServerPath parameter set to a unique value. You can set the ServerPath parameter to the directory where the web server's log file is stored, such as server_instance_root/logs.
Note: This parameter applies to Apache and Sun Java System agents only.
Specifies the number of seconds during which a SiteMinder session (SMSESSION) cookie will not be regenerated. Cookies are not regenerated when all of the following conditions are met:
Default: 30
Specifies how often (in seconds) a Web Agent redirects a request to the Cookie Provider to set a new cookie. Refreshing the master cookie decreases the possibility that it will expire due to an idle time-out of the SiteMinder session.
Default: 60
Specifies a value for the REMOTE_USER variable that some legacy applications may require.
Default: No
Specifies the MIME type for the SSL Forms Credential Collector.
Default: .sfcc
Directs the SiteMinder Web Agent to authenticate users instead of using the Domino authentication mechanism. You should also set this parameter to yes when users are not stored in the Domino directory.
This parameter affects the following parameters:
Default: Yes
Note: This parameter applies to Domino Web Agents only.
Defines an ordered (case-sensitive) list of trusted SSOZoneNames for a single sign-on security zone. Use SM to add the default zone if necessary. Agents always trust their own SSOZoneName above all other trusted single sign-on zones.
Default: Empty (SM or the SSOZoneName if provided)
Limits: Multi-valued
Specifies the (case-sensitive) name of the single sign-on security zone a Web Agent supports. The value of this parameter is prepended to the name of the cookie a Web Agent creates. This helps you associate cookies with their respective cookie domains. When this parameter is not empty, SiteMinder generates cookies using the following convention:
ZonenameCookiename.
Default: Empty (uses SM as a zone name, which gives the cookies the following default names):
Limits: Single-valued
Example: Setting the value to Z1 creates the following cookies:
Specifies whether single-use session cookies are used. When the value of the StoreSessioninServer parameter is yes, a single-use session cookie is created and stored on the session server. Cookie providers and Web Agents access the cookie from the session server.
Cookie providers and Web Agents replace the session cookie in a URL with a GUID that corresponds to the single-use session cookie stored on the session server.
When the value of the StoreSessioninServer parameter is no, the session cookie is passed directly in the URL.
Default: No
Prevents an IIS Web Agent from returning the Server HTTP Header in its responses. When the value of this parameter is set to no, the Web Agent sends the Server header with its responses and the IIS Web server passes it along to the client. When the value of this parameter is set to yes, the Web Agent does not send the Server header in its responses.
Default: No
Note: This parameter applies to IIS Web Agents only.
Instructs the Web Agent to use a relative URI instead of a fully qualified URL when directing requests to a credential collector and target resource. Using a relative URI prevents requests from being processed by credential collectors on other systems installed with Web Agents. Enabling this parameter also causes the Web Agent to reject any target that does not begin with a forward slash (/).
Note: This setting applies to all credential collectors except the cookie credential collector (CCC). The CCC must use a fully-qualified domain name for this parameter. OnAuthAccept responses will not work properly with a CCC if a relative URI is used.
Default: No
Adds new logging information to the end of an existing log file instead of rewriting the entire file each time logging is invoked.
Default: No
Specifies the location of the WebAgentTrace.conf configuration file that determines which components and events to monitor.
Default: No default
Example: C:\Program Files\ca\webagent\config\WebAgentTrace.conf
Specifies the custom character that separates the fields in the trace.conf file.
Default: No default
Example: |
Enables trace logging.
Default: No
Instructs the Web Agent to compare the IP address from the last request (stored in a transient cookie) with the IP address in the current request to see if they match. If the IP addresses do not match, the Web Agent rejects the request.
Note: SiteMinder identity cookies are unaffected by IP checking.
This parameter affects the following parameters:
Default: No
Specifies the full path to the trace log file.
Default: No default
Example: C:\Program Files\ca\webagent\log\trace.log
Specifies (in megabytes) the maximum size of a trace file. The Web Agent creates a new file when this limit is reached.
Note: This feature is not supported for Apache 1.x and Sun Java System on UNIX systems. Use the default or leave this setting blank.
Default: 0 (a new log file is not created)
Example: 20 (MB)
Specifies the number of Web Agent trace log files that are kept. New trace logs are created in the following situations:
Changing the value of this parameter does not automatically delete any existing trace logs which exceed the number that you want to keep. For example, if your system has 500 trace logs stored, and you decide to keep only 50 of those files, the Web Agent does not delete the other 450 trace logs.
Setting the value of this parameter to zero retains all the trace logs.
Default: 0
Specifies how the trace.conf file displays the messages. Choose one of the following options:
Default: default (square brackets)
Instructs the Web Agent to encrypt and store the intended domain of a session cookie within the session cookie itself. When the session cookie is presented for subsequent requests, the Web Agent compares the intended domain stored within the session cookie against the domain of the requested resource. If the domains do not match, the Web Agent rejects the request.
For example, when the value of this parameter is set to yes, session cookies intended for use with operations.example.com would be rejected by the Web Agent if they were presented at finance.example.com.
Default: No
Specifies whether the Agent Identity (SMIDENTITY) cookie is transient or persistent. Use persistent cookies to give users single sign-on capability across multiple browser sessions. As long as the SiteMinder session has not expired, users will not have to reauthenticate.
Use transient cookies if you want users to reauthenticate to a single sign-on environment for each separate browser session.
This parameter affects the following parameters:
Default: No
Instructs the IIS Web Agent to execute the web application as an anonymous user, instead of using credentials of the proxy user.
Default: No
Note: This parameter applies to IIS Web Agents only.
Instructs the Web Agent to set the HTTP-only attribute on the cookies it creates. When a Web Agent returns a cookie with this attribute to a user's browser, the contents of the cookie cannot be read by a script, even a script from the web site which originally set the cookie. This helps prevent any sensitive information in the cookie from being sent to an unauthorized third party through a script.
Default: No
Specifies whether the IIS 6.0 Web Agent sends the user principal name (UPN) or the NetBIOS name to the IIS 6.0 web server for IIS user authentication.
Note: This parameter is valid only if an Active Directory user store is associated with the Policy Server.
If you enable this parameter, the Policy Server extracts the UserDN, the UPN, and the NetBIOS name from the Active Directory during SiteMinder authentication, and sends this data back to the IIS 6.0 Web Agent.
Depending on whether or not you selected the Use Authenticated User's Security Context option for the user directory with the Administrative UI and how you set the UseNetBIOSforIIAuth parameter, a user's logon credentials are sent as follows:
The IIS web server authenticates the user with the credentials it receives from the Web Agent.
Default: No
Note: This parameter applies to IIS Web Agents only.
Sends cookies to web servers using secure (HTTPS) connections. Enable this parameter to increase security between browsers and web servers.
When this setting is enabled, users in single sign-on environments who move from an SSL web server to a non-SSL web server will have to reauthenticate. Secure cookies cannot be passed over traditional HTTP connections.
Default: No
Instructs the Web Agent to resolve the AgentName according to the physical IP address of a virtual web server. Use this parameter to increase security if a web server uses IP addresses for virtual server mappings. If this parameter is set to no, the Web Agent resolves the AgentName according to the host name in the HTTP Host header of the client's request.
For Domino servers, this parameter is supported only for Domino 6.x. If this parameter is enabled for an Agent on other Domino versions, the Web Agent uses the default Agent name.
For IIS Web Agents configured for SSL communication and virtual hosts, you must set this parameter to yes. IIS does not allow virtual host mappings using host names with SSL enabled.
Default: No
Specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.
Default: No default
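The following added example (not CA's code) shows a redirect-target validator that combines the two rules stated on this page: with UseRelativeTarget set, any target not beginning with a forward slash is rejected; otherwise an absolute target is allowed only when its host falls within ValidTargetDomain. Suffix matching of domains, treating an unset ValidTargetDomain as "no restriction", and rejecting scheme-relative targets are assumptions of the example.

```python
"""Credential-collector target validation (added illustration, not CA code).

Assumptions (not from the page): ValidTargetDomain entries match a host by
exact name or as a parent-domain suffix, an unset list means no domain
restriction, and scheme-relative targets ('//host/...') count as
non-relative because they leave the current host.
"""
from typing import List
from urllib.parse import urlsplit


def is_relative_target(target: str) -> bool:
    """True only for a path-only target starting with a single '/'.

    '//host/path' is scheme-relative and '\\' can be normalised to '/' by
    some browsers, so both are refused along with absolute URLs.
    """
    return (target.startswith("/")
            and not target.startswith("//")
            and "\\" not in target)


def host_in_valid_domains(host: str, valid_domains: List[str]) -> bool:
    """Match a host against ValidTargetDomain entries (exact or suffix)."""
    host = host.lower().rstrip(".")
    for domain in valid_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def validate_target(target: str, use_relative_target: bool,
                    valid_domains: List[str]) -> bool:
    """Return True if the collector may redirect the user to `target`."""
    if use_relative_target:
        # UseRelativeTarget=yes: anything not starting with '/' is rejected.
        return is_relative_target(target)
    if is_relative_target(target):
        return True  # stays on this host; no domain check needed
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # javascript:, data:, scheme-relative, etc.
    if not valid_domains:
        return True  # assumption: unset ValidTargetDomain imposes no limit
    return host_in_valid_domains(parts.hostname, valid_domains)


if __name__ == "__main__":
    # Constructed sample targets for a quick demonstration.
    for t in ("/app/home", "//evil.example.net/x",
              "https://www.example.com/app", "https://example.com.evil.net/"):
        print(f"{t!r}: relative-only={validate_target(t, True, [])}, "
              f"domain-checked={validate_target(t, False, ['example.com'])}")
```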
Copyright © 2010 CA. All rights reserved.