Managing web reverse proxy configuration entries
To manage the web reverse proxy basic configuration, use the Reverse Proxy management page.
Procedure
- From the top menu, select Web > Manage > Reverse Proxy.
- Select the instance of interest.
- Select Edit.
- Make your changes to the settings on the Server, SSL, Junction, Authentication, SSO, Session, Response, Logging, and Interfaces tabs.
- Server
- The Server tab contains entries that are related to the general server configuration.
  - HTTPS: Select this check box to enable the HTTPS port within Reverse Proxy.
  - HTTPS Port: The port on which Reverse Proxy listens for HTTPS requests.
  - HTTP: Select this check box to enable the HTTP port within Reverse Proxy. Requests on this port, including any cookies and credentials they carry, travel in clear text, so pair it with authentication transports that are restricted to HTTPS.
  - HTTP Port: The port on which Reverse Proxy listens for HTTP requests.
  - Interface Address: The network interface on which the Reverse Proxy server listens for requests.
  - Enable HTTP/2: Select this check box to accept incoming HTTP/2 connections from clients (browsers) on the primary interface.
  - Persistent Connection Timeout: The maximum number of seconds that a persistent connection with a client can remain inactive before the server closes it.
  - Worker Threads: The number of threads that are allocated to service requests.
  - Cluster is Master: If the Reverse Proxy clustering function is used, this check box controls whether this Reverse Proxy server acts as the cluster master.
  - Master Instance Name: The server name of the Reverse Proxy instance that acts as the master within the cluster. This option is only enabled if the Cluster is Master check box is not selected.
  - Message Locale: The locale in which the Reverse Proxy runs.
- SSL
- The SSL tab contains entries that are related to the general SSL configuration of the server.
  - SSL Certificate Key File: The key database that stores the certificates that Reverse Proxy presents to the client.
  - Network HSM Key File: The key database that stores the certificates to be used by the network Hardware Security Module (HSM) device.
  - SSL Server Certificate: The label of the SSL certificate, within the key database, that is presented to the client. The drop-down list includes certificates from both the local and network key files; certificates from the network key file are prefixed with the token label of the network HSM device.
  - JCT Certificate Key File: The key database that stores the certificates that Reverse Proxy presents to the junctioned Web servers, that is, the client certificate it uses when a junctioned server requires mutually authenticated SSL.
- Junction
- The Junction tab contains entries that are related to the general junction configuration.
  - HTTP Timeout: Timeout in seconds for sending to and reading from a TCP junction.
  - HTTPS Timeout: Timeout in seconds for sending to and reading from an SSL junction.
  - Ping Interval: The interval in seconds between the health check requests that Reverse Proxy sends to each junctioned Web server to determine whether it is available.
  - Ping Method: The HTTP method that Reverse Proxy uses for those health check requests.
  - Ping URI: The URI that Reverse Proxy requests in those health checks.
  - Maximum Cached Persistent Connections: The maximum number of connections between Reverse Proxy and a junctioned Web server that are cached for future use.
  - Persistent Connection Timeout: The maximum length of time, in seconds, that a cached connection with a junctioned Web server can remain idle before Reverse Proxy closes it.
  - Managed Cookie List: A pattern-matched, comma-separated list of cookie names. Cookies whose names match are stored in the Reverse Proxy cookie jar instead of being sent to the browser; all other cookies are passed back to the client.
- Authentication
- The Authentication tab contains entries that are related to the configuration of the authentication mechanisms that the server uses. For each mechanism, Transport selects the listener (HTTP only, HTTPS only, both, or none) on which that mechanism is accepted. Accepting a password-bearing mechanism such as basic or forms authentication over HTTP sends the credentials in clear text, so restrict those mechanisms to HTTPS.
- Basic Authentication
  - Transport: The transport over which basic authentication is supported.
  - Realm Name: Realm name for basic authentication.
- Forms Authentication
  - Forms Authentication: The transport over which forms authentication is supported.
- Client Certificate Authentication
  - Accept Client Certificates: Defines the condition under which Reverse Proxy requires client certificates.
  - Certificate EAI URI: The resource identifier of the application that is invoked to perform external client certificate authentication.
  - Certificate Data: The client certificate data that is passed to the EAI application.
- Kerberos Authentication
  - Transport: The transport over which Kerberos authentication is supported.
  - Keytab File: Name of the Kerberos keytab file. The keytab file must contain each of the service principal names that are used for SPNEGO authentication. The keytab holds the long-term keys of those service principals, so anyone who can read it can impersonate the service; protect it accordingly.
  - Use Domain Qualified Name: Kerberos authentication provides a principal name in the form shortname@domain.com. By default, only the shortname is used as the Security Verify Access user ID. If this check box is selected, the domain is also included as part of the Security Verify Access user ID. Select it when more than one Kerberos realm can authenticate to this server, otherwise identical shortnames from different realms map to the same user ID.
  - Kerberos Service Names: The list of Kerberos service principal names that are used for the server. The first service name in the list is the default service name. To make a service name the default, select the service name and then click Default.
- EAI Authentication
  - Transport: The transport over which EAI authentication is supported.
  - Trigger URL: A URL pattern that Reverse Proxy uses to determine whether a response is examined for EAI authentication headers.
  - Authentication Levels: The designated authentication level for each of the configured authentication mechanisms.
- Token Authentication
  - You can also click Go to RSA Configuration to access the RSA Configuration page.
  - Transport: The transport over which RSA token authentication is supported.
- OIDC Authentication
  - Transport: Specifies the transport for which authentication using the OIDC authentication mechanism is enabled.
  - Redirect URI: The redirect URI that has been registered with the OIDC OP. The redirect URI should correspond to the /pkmsoidc resource of the WebSEAL server (for example: https://isva.ibm.com/pkmsoidc). If no redirect URI is configured, it is constructed automatically from the Host header of the request. Configure it explicitly in production so that the value does not depend on a header the client supplies.
  - Discovery Endpoint: The discovery endpoint for the OP. The CA certificate for the discovery endpoint and the corresponding authorization and token endpoints must be added to the WebSEAL key database.
  - Proxy URL: The URL of the proxy that is used when communicating with the OP.
  - Client Id: The Security Verify Access client identity, as registered with the OP.
  - Client Secret: The Security Verify Access client secret, as registered with the OP.
  - Response Type: The required response type for authentication responses. The possible values are:
    - code: The authorization code flow is used to retrieve both an access token and an identity token.
    - id_token: The implicit flow is used to retrieve the identity token.
    - id_token token: The implicit flow is used to retrieve both an access token and an identity token.
    Prefer code where the OP supports it: the implicit flows deliver tokens in the redirect URL, where they are exposed to browser history, referrers, and any script on the page.
  - Mapped Identity: A formatted string that is used to construct the Security Verify Access principal name from elements of the ID token. Claims are referenced by surrounding the claim name with '{}'. For example, {iss}/{sub} constructs a principal name like https://server.example.com/248289761001. Including {iss} matters: sub is only unique within one issuer, so a template that omits it lets two OPs map different users to the same principal.
  - External User: Whether the mapped identity must correspond to a known Security Verify Access identity.
  - Bearer Token Attributes: The list of JSON data elements from the bearer token response that are included in the credential as extended attributes. The JSON name can contain the pattern matching characters '*' and '?'. Each JSON data name is evaluated against the rules in sequence until a match is found, and the code of the matching rule (+ or -) determines whether the element is added to the credential. If the name matches no configured rule, the element is added to the credential by default.
  - Id Token Attributes: The list of claims from the ID token that are included in the credential as extended attributes. The claim name can contain the pattern matching characters '*' and '?'. Each claim is evaluated against the rules in sequence until a match is found, and the code of the matching rule (+ or -) determines whether the claim is added to the credential. If the claim matches no configured rule, it is added to the credential by default.
  - Click Load Key to load the root CA certificate of the discovery URI's server into the WebSEAL key file. The certificate is retrieved from the server itself, so verify its fingerprint against what the OP publishes before relying on it. If the server does not provide the CA certificate, load it manually into the WebSEAL SSL key file. This operation is not supported when a proxy is configured; in that environment, load the certificate manually into the SSL key file.
  - Click Test Endpoint to check whether WebSEAL can reach the endpoint and whether it returns the expected OIDC metadata.
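The Mapped Identity template and the +/- attribute rules described above are small algorithms whose edge cases (first match wins, default include, a missing claim) are easy to get wrong when reasoning about what ends up in a credential. The following Python is an added example written for this page, not WebSEAL's own code: it models the rule evaluation exactly as the text describes it and expands a mapped-identity template from a constructed set of ID token claims. The claim values, rule lists, and the decision to fail closed on a missing claim are assumptions for illustration.

```python
import re

# Constructed sample ID token claims (not from a real OP). The iss and sub
# values mirror the {iss}/{sub} example given for the Mapped Identity field.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "248289761001",
    "aud": "isva-client",
    "exp": 1700000900,
    "iat": 1700000000,
    "nonce": "n-0S6_WzA2Mj",
    "at_hash": "77QmUPtjPfzWtF2AnpK9RQ",
    "email": "jane@example.com",
    "email_verified": True,
}

# Rules in the form the page describes: (code, pattern), evaluated in order,
# first match wins, '+' includes, '-' excludes, no match means include.
DEFAULT_RULES = [("-", "nonce"), ("-", "*_hash")]
# Same, but with an explicit catch-all so only the email claims survive.
STRICT_RULES = [("-", "nonce"), ("-", "*_hash"), ("+", "email*"), ("-", "*")]


def _glob_to_regex(pattern):
    """Translate a rule pattern using only '*' and '?' into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def filter_attributes(claims, rules):
    """Apply first-match-wins +/- rules; names matching no rule are included."""
    compiled = [(code, _glob_to_regex(pattern)) for code, pattern in rules]
    kept = {}
    for name, value in claims.items():
        include = True  # page semantics: default is to add the claim
        for code, regex in compiled:
            if regex.match(name):
                include = code == "+"
                break
        if include:
            kept[name] = value
    return kept


def mapped_identity(template, claims):
    """Expand {claim} placeholders; fail closed if a referenced claim is absent."""
    def expand(match):
        name = match.group(1)
        if name not in claims:
            # Assumption: refuse to build a principal from a partial template
            raise KeyError("ID token lacks claim required by mapped identity: " + name)
        return str(claims[name])
    return re.sub(r"\{([^{}]+)\}", expand, template)


if __name__ == "__main__":
    print(mapped_identity("{iss}/{sub}", SAMPLE_ID_TOKEN_CLAIMS))
    print(sorted(filter_attributes(SAMPLE_ID_TOKEN_CLAIMS, DEFAULT_RULES)))
    print(sorted(filter_attributes(SAMPLE_ID_TOKEN_CLAIMS, STRICT_RULES)))
```

With DEFAULT_RULES every claim except nonce and at_hash lands in the credential, because an unmatched name is included by default; STRICT_RULES shows the pattern you want when the credential should carry only what the junctioned applications need, with the '-' catch-all placed last. The same evaluation applies to Bearer Token Attributes, with the JSON names of the token response in place of claim names.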
- Session
- The Session tab contains entries that are related to the general session configuration.
  - Re-authentication for Inactive: Whether to prompt users to re-authenticate if their entry in the server credential cache has timed out because of inactivity.
  - Max Cache Entries: The maximum number of concurrent entries in the session cache.
  - Lifetime Timeout: Maximum lifetime in seconds for an entry in the session cache, regardless of activity.
  - Inactivity Timeout: The maximum time, in seconds, that a session can remain idle before it is removed from the session cache.
  - TCP Session Cookie Name: The name of the cookie that holds the HTTP session identifier.
  - SSL Session Cookie Name: The name of the cookie that holds the HTTPS session identifier.
  - Use Same Session: Select the check box to use the same session for both HTTP and HTTPS requests. A session identifier that is also sent over HTTP can be captured on the network and replayed over HTTPS, so leave this cleared unless the HTTP port is disabled or carries nothing that needs a session.
- Session Cache
  - Enable Distributed Sessions: Select the check box to enable distributed sessions on this reverse proxy instance.
  - Session cache type: Select the type of session cache to be used, either Redis session cache or Distributed session cache. Note: The appliance must be part of an appliance cluster to enable the distributed session cache. Also, if the cluster configuration changes and a new master is specified, this option must be disabled and then re-enabled so that the instance picks up the details of the new cluster configuration.
  - Redis Collections: Specify which of the pre-defined Redis collections (see Managing the Redis configuration) this Reverse Proxy uses. The first collection in the list is set as the default collection.
- Response
- The Response tab contains entries that are related to response generation.
  - Enable HTML Redirect: Select the check box to enable the HTML redirect function.
  - Enable Local Response Redirect: Select the check box to enable the local response redirect function.
  - Local Response Redirect URI: When local response redirect is enabled, the URI to which the client is redirected for responses that Reverse Proxy generates itself (such as login forms and error pages).
  - Local Response Redirect Macros: The macro information that is included in the local response redirect.
- SSO
- The SSO tab contains entries that are related to the configuration of the different single sign-on mechanisms that the server uses.
- Failover
  - Transport: The transport over which failover authentication is supported.
  - Cookies Lifetime: Maximum lifetime in seconds for failover cookies.
  - Cookies Key File: The key file that is used to encrypt the failover cookie. Every Reverse Proxy server that must accept the cookie needs the same key file.
- LTPA
  - Transport: The transport over which LTPA authentication is supported.
  - Cookie Name: The name of the cookie that transports the LTPA token.
  - Key File: The key file that is used when accessing LTPA cookies.
  - Key File Password: The password that is used to access the LTPA key file.
- CDSSO
  - Transport: The transport over which CDSSO authentication is supported.
  - Transport (generation): The transport over which the creation of CDSSO tokens is supported.
  - Peers: The names of the other Reverse Proxy servers that participate in the CDSSO domain, together with the name of the key file that each peer uses.
- ECSSO
  - Transport: The transport over which e-community SSO authentication is supported.
  - Name: Name of the e-community.
  - Is Master Authentication Server: Select the check box if this Reverse Proxy server is the master for the e-community.
  - Master Authentication Server: The name of the Reverse Proxy server that acts as the master of the e-community. This field is not required if this Reverse Proxy server is designated as the master.
  - Domain Keys: The names of the other Reverse Proxy servers that participate in the e-community, together with the name of the key file that each of them uses.
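The Session tab above exposes two timeouts that are easy to confuse: Lifetime Timeout bounds how long an entry may exist at all, while Inactivity Timeout is reset by every request; Re-authentication for Inactive then decides whether an idle-expired entry is discarded or kept pending a fresh login. The following Python is an added example for this page, not WebSEAL's code: a toy session cache that models those semantics so you can see how the settings interact. The exact behaviours (LRU eviction at Max Cache Entries, an idle-expired entry being revived only by the same user, lifetime being absolute) are assumptions for illustration.

```python
import time
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class CacheEntry:
    user: str
    created: float          # time the session was established
    last_active: float      # time of the last request on this session
    inactive: bool = False  # idle-expired and waiting for re-authentication


class SessionCache:
    """Toy model (an assumption, not WebSEAL's implementation) of the cache
    the Session tab configures: lifetime_timeout is absolute, inactivity_timeout
    is reset by every request, reauth_for_inactive keeps idle-expired entries
    until the same user re-authenticates, and max_entries evicts the LRU entry."""

    def __init__(self, max_entries, lifetime_timeout, inactivity_timeout,
                 reauth_for_inactive=False):
        self.max_entries = max_entries
        self.lifetime_timeout = lifetime_timeout
        self.inactivity_timeout = inactivity_timeout
        self.reauth_for_inactive = reauth_for_inactive
        self._entries = OrderedDict()  # session id -> CacheEntry, LRU first

    def create(self, session_id, user, now=None):
        now = time.time() if now is None else now
        if session_id not in self._entries and len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)  # evict least recently used
        self._entries[session_id] = CacheEntry(user, now, now)
        self._entries.move_to_end(session_id)

    def lookup(self, session_id, now=None):
        """Return 'valid', 'reauth' or 'expired' for a presented session id."""
        now = time.time() if now is None else now
        entry = self._entries.get(session_id)
        if entry is None:
            return "expired"
        if now - entry.created >= self.lifetime_timeout:
            del self._entries[session_id]  # no activity extends the lifetime
            return "expired"
        if entry.inactive:
            return "reauth"
        if now - entry.last_active >= self.inactivity_timeout:
            if not self.reauth_for_inactive:
                del self._entries[session_id]
                return "expired"
            entry.inactive = True
            return "reauth"
        entry.last_active = now  # activity resets the idle clock only
        self._entries.move_to_end(session_id)
        return "valid"

    def reauthenticate(self, session_id, user, now=None):
        """Revive an idle-expired entry, but only for the same user identity."""
        now = time.time() if now is None else now
        entry = self._entries.get(session_id)
        if entry is None or not entry.inactive or entry.user != user:
            return False
        if now - entry.created >= self.lifetime_timeout:
            del self._entries[session_id]
            return False
        entry.inactive = False
        entry.last_active = now
        self._entries.move_to_end(session_id)
        return True


def scenario():
    """Walk one session through both timeouts; times are seconds from login."""
    cache = SessionCache(max_entries=2, lifetime_timeout=3600,
                         inactivity_timeout=600, reauth_for_inactive=True)
    cache.create("s1", "alice", now=0)
    steps = [
        cache.lookup("s1", now=500),                      # valid: idle clock resets
        cache.lookup("s1", now=1200),                     # reauth: 700 s idle
        cache.reauthenticate("s1", "mallory", now=1210),  # False: different user
        cache.reauthenticate("s1", "alice", now=1210),    # True: session continues
        cache.lookup("s1", now=1800),                     # valid: 590 s idle
        cache.lookup("s1", now=2300),
        cache.lookup("s1", now=2800),
        cache.lookup("s1", now=3300),
        cache.lookup("s1", now=3700),                     # expired: lifetime reached
        cache.lookup("s1", now=3701),                     # expired: entry is gone
    ]
    cache.create("s2", "bob", now=3702)
    cache.create("s3", "carol", now=3703)
    cache.create("s4", "dave", now=3704)                  # cache full: s2 evicted
    steps.append(cache.lookup("s2", now=3705))            # expired
    steps.append(cache.lookup("s3", now=3705))            # valid
    return steps


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

Two points the walk-through makes concrete: steady activity keeps a session alive only until Lifetime Timeout, so that value is the real upper bound on how long a stolen session cookie stays usable; and a re-authentication that accepted a different user than the one who created the entry would hand that user the original session's state, which is why the model refuses it.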
- Logging
- The Logging tab contains entries that are related to the logging and auditing configuration.
  - Enable Agent Logging: Select the check box to enable the agent log.
  - Enable Referer Logging: Select the check box to enable the referer log.
  - Enable Request Logging: Select the check box to enable the request log.
  - Request Log Format: The format of the entries that are contained within the request log.
  - Maximum Log Size: The maximum size of the log file before it is rolled over.
  - Flush Time: The period, in seconds, for which Reverse Proxy buffers log entries before the system writes them to the log file. A long flush time delays when entries become visible to log collectors and is the window of entries lost if the process dies.
  - Enable Audit Log: Select the check box to enable the generation of audit events.
  - Audit Log Type: Select the events to be audited.
  - Audit Log Size: The maximum size of the audit log file before it is rolled over.
  - Audit Log Flush: The period, in seconds, for which Reverse Proxy buffers audit log entries before the system writes them to the log file.
- Interfaces
- The Interfaces tab contains settings that are related to WebSEAL secondary interfaces.
- To add a new secondary interface, click New. Then, define your settings in the pop-up window, which contains the following fields:
  - Application Interface IP Address: The IP address on which the WebSEAL instance listens for requests.
  - HTTP Port: The port on which the WebSEAL instance listens for HTTP requests.
  - HTTPS Port: The port on which the WebSEAL instance listens for HTTPS requests.
  - Web HTTP Port: The port that the client perceives WebSEAL to be using, for example the port of a load balancer in front of this interface; WebSEAL uses it when it builds absolute URLs such as redirects.
  - Web HTTP Protocol: The protocol that the client perceives WebSEAL to be using, again as seen in front of any load balancer or TLS terminator.
  - Certificate Label: The label of the SSL server certificate that the WebSEAL instance presents to the client.
  - Accept Client Certificates: Defines the condition under which WebSEAL requires client certificates.
  - Worker Threads: The number of threads that are allocated to service requests.
  - HTTP/2: Enables HTTP/2 connections on this interface.
  - HTTP/2 Maximum Connections: The maximum number of HTTP/2 connections allowed on the specified port.
  - HTTP/2 Header Table Size: The size of the HTTP/2 header table.
  - HTTP/2 Maximum Concurrent Streams: The maximum number of concurrent HTTP/2 streams allowed.
  - HTTP/2 Initial Window Size: The initial window size of HTTP/2 connections.
  - HTTP/2 Maximum Frame Size: The maximum frame size of HTTP/2 connections.
  - HTTP/2 Maximum Header List Size: The maximum header list size of HTTP/2 connections.
  Click Save to save the settings.
- To delete a secondary interface, select the interface and then click Delete.
- To edit a secondary interface, select the interface and click Edit. Then, update your settings in the pop-up window, which contains the fields described previously.
- Click Save to apply the changes.
Note: For the changes to take effect, they must be deployed as described in Configuration changes commit process.