IBM Security Access Manager Version 7.0
WebSEAL Administration Guide
SC23-6505-03

Note
Before using this information and the product it supports, read the information in "Notices" on page 801.

Edition notice
Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2013.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  xv
Tables  xvii
About this publication  xix
  Intended audience  xix
  Access to publications and terminology  xix
  Related publications  xxii
  Accessibility  xxiv
  Technical training  xxiv
  Support information  xxiv

Part 1. Administration  1

Chapter 1. IBM Security Access Manager for Web WebSEAL overview  3
  Introduction  3
  WebSEAL introduction  4
  Security model  5
    Security model concepts  5
    The protected object space  5
    Access control lists (ACLs) and protected object policies (POPs)  6
    Access control list (ACL) policies  7
    Protected object policies (POPs)  7
    Explicit and inherited policy  8
    Policy administration: The Web Portal Manager  8
  Web space protection  9
  Security policy planning and implementation  10
  Content types and levels of protection  11
  WebSEAL authentication  12
  Standard WebSEAL junctions  12
  Web space scalability  14
    Replicated front-end WebSEAL servers  15
    Junctioned back-end servers  15
    Replicated back-end servers  16

Chapter 2. Server administration  19
  Server operation  19
    The pdweb command  19
    Starting the WebSEAL server  19
    Stopping the WebSEAL server  20
    Restarting the WebSEAL server  20
    Displaying WebSEAL server status  21
  Backup and restore  21
    The pdbackup utility  21
    WebSEAL data backup  22
    WebSEAL data restoration  23
    Extraction of archived WebSEAL data  24
  Synchronization of WebSEAL data across multiple servers  24
    Automating synchronization  26
    Backing up and restoring data  28
  Auditing and logging of resources for WebSEAL  29
    Error message logging  29
    WebSEAL server activity auditing  29
    Traditional auditing and logging of HTTP events  30
  Problem determination resources for WebSEAL  31
    Configuration data log file  31
    Statistics  33
    Application Response Measurement  33
    Trace utility  34

Part 2. Configuration  37

Chapter 3. Web server configuration  39
  WebSEAL server and host name specification  39
    WebSEAL server name in the configuration file  39
    WebSEAL server name in "pdadmin server list"  40
    WebSEAL server name in the protected object space  40
    Specifying the WebSEAL host (machine) name  40
  WebSEAL configuration file  41
    Configuration file organization  41
    Configuration file name and location  42
    Modifying configuration file settings  43
    WebSEAL .obf configuration file  43
  Default document root directory  43
  Default root junction  44
    Changing the root junction after WebSEAL installation  44
  Directory indexing  45
    Configuring directory indexing  45
    Configuration of graphical icons for file types  46
  Content caching  46
    Content caching concepts  47
    Configuration of content caching  47
    Impact of HTTP headers on WebSEAL content caching  48
    Flushing all caches  50
    Cache control for specific documents  50
  Communication protocol configuration  51
    WebSEAL configuration for HTTP requests  51
    WebSEAL configuration for HTTPS requests  52
    Restrictions on connections from specific SSL versions  52
    Persistent HTTP connections  53
    WebSEAL configuration for handling HTTPOnly cookies  53
    Timeout settings for HTTP and HTTPS communication  54
    Additional WebSEAL server timeout settings  55
    Support for WebDAV  56
    Support for Microsoft RPC over HTTP  57
    Support for chunked transfer coding  58
  Internet Protocol version 6 (IPv6) support  58
    IPv4 and IPv6 overview  58
    Configuring IPv6 and IPv4 support  59
    IPv6: Compatibility support  59
    IPv6: Upgrade notes  60
    IP levels for credential attributes  60
  LDAP directory server configuration  60
  Worker thread allocation  61
    WebSEAL worker thread configuration  62
    Allocation of worker threads for junctions (junction fairness)  63
  HTTP data compression  65
    Compression based on MIME-type  65
    Compression based on user agent type  66
    Compression policy in POPs  67
    Data compression limitation  67
    Configuring data compression policy  67
  Multi-locale support with UTF-8  68
    Multi-locale support concepts  68
    Configuration of multi-locale support  73
    Validation of character encoding in request data  78
  Supported wildcard pattern matching characters  79
  Setting system environment variables  79

Chapter 4. Web server response configuration  81
  Static HTML server response pages  81
  HTML server response page locations  86
    Account management page location  86
    Error message page location  87
    Junction-specific static server response pages  87
  HTML server response page modification  88
    Guidelines for customizing HTML response pages  88
    Macro resources for customizing HTML response pages  88
    Macros embedded in a template  91
    Adding an image to a custom login form  93
  Account management page configuration  94
    Configuration file stanza entries and values  94
    Configuration of the account expiration error message  95
    Configuration of the password policy options  95
  Error message page configuration  96
    Enabling the time of day error page  97
    Creating new HTML error message pages  97
    Compatibility with previous versions of WebSEAL  98
  Multi-locale support for server responses  98
    The accept-language HTTP header  98
    WebSEAL language packs  99
    Process flow for multi-locale support  100
    Conditions affecting multi-locale support on WebSEAL  100
  Handling the favicon.ico file with Mozilla Firefox  100
  Adding custom headers to server response pages  101
  Configuring the location URL format in redirect responses  103
  Local response redirection  103
    Local response redirection overview  104
    Local response redirection process flow  104
    Enabling and disabling local response redirection  105
    Contents of a redirected response  105
    URI for local response redirection  105
    Operation for local response redirection  106
    Macro support for local response redirection  107
    Local response redirection configuration example  111
    Technical notes for local response redirection  112
    Remote response handling with local authentication  112
  HTML redirection  114
    Enabling HTML redirection  114
    Preserving HTML fragments on redirection  114

Chapter 5. Web server security configuration  117
  Cryptographic hardware for encryption and key storage  117
    Cryptographic hardware concepts  117
    Conditions for using IBM 4758-023  118
    Configuration of the Cipher engine and FIPS mode processing  118
    Configuring WebSEAL for cryptographic hardware  119
  Configuring WebSEAL to support only Suite B ciphers  122
  Prevention of vulnerability caused by cross-site scripting  123
  Prevention of Cross-site Request Forgery (CSRF) attacks  124
    Secret token validation  124
    Referrer validation  125
    Reject unsolicited authentication requests  126
  Suppression of WebSEAL and back-end server identity  126
    Suppressing WebSEAL server identity  126
    Suppressing back-end application server identity  127
  Disabling HTTP methods  127
  Platform for Privacy Preferences (P3P)  128
    Compact policy overview  129
    Compact policy declaration  130
    Junction header preservation  130
    Default compact policy in the P3P header  131
    Configuring the P3P header  132
    Specifying a custom P3P compact policy  138
    P3P configuration troubleshooting  138

Chapter 6. Runtime security services external authorization service  141
  About the runtime security services external authorization service  141
  Configuring the runtime security services external authorization service in WebSEAL  142
  Sample configuration data for runtime security services external authorization service  145

Part 3. Authentication  149

Chapter 7. Authentication overview  151
  Definition and purpose of authentication  151
  Information in a user request  151
    Client identities and credentials  152
    Authentication process flow  152
    Authenticated and unauthenticated access to resources
  Specifying header types  183
  Configuring the HTTP header authentication mechanism  184