Web server plug-in custom properties
If we are using a web server plug-in, we can add one or more of the following custom properties to the configuration settings for that plug-in.
Complete these steps to add a web server plug-ins custom property.
- In the administrative console, select...
Servers > Server Types > Web servers > web_server > Plug-in properties > Custom properties > New
- Under General Properties, specify the name of the custom property in the Name field and a value for this property in the Value field. We can also specify a description of this property in the Description field.
- Click Apply or OK.
- Click Save to save the configuration changes.
- Regenerate and propagate plugin-cfg.xml.
Topology-centric, or global, plug-in configuration is deprecated. Instead, use application-centric configuration as described in Implement a web server plug-in. For any existing topology-centric configuration, we can update the global plugin-cfg.xml file using the administrative console or running the GenPluginCfg command for all of the clusters in a cell. However, we must delete the config/cells/plugin-cfg.xml file before you update the global plugin-cfg.xml file. If we do not delete the config/cells/plugin-cfg.xml file, only the new properties and their values are added to the global plugin-cfg.xml file. Any updates to existing plug-in property values are not added to the global plugin-cfg.xml file.
Because the GenPluginCfg command runs within its own JVM instead of the WebSphere Application Server JVM, the command might not be able to access other class files. If we encounter this problem when running the GenPluginCfg command, we can instead run the httpPluginManagement.py script to generate application-centric plug-in configuration. This script uses wsadmin to initiate the plug-in generation. For more information, see httpPluginManagement.py script.
- CertLabel
- HTTPMaxHeaders
- IgnoreAffinityRequests
- (Windows) IISDisableFlushFlag
- KillWebServerStartUpOnParseErr
- MarkBusyDown
- SSLConsolidate
- SSLPKCSDriver
- SSLPKCSPassword
- StrictSecurity
- TrustedProxyEnable
- TrustedProxyList
- UseInsecure
CertLabel
Label of the certificate within the keyring that the plug-in is to use when the web container requests a client certificate from the plug-in. This custom property does not apply to any client certificate that is coming from the SSL connection with the browser. If we are using an SSL co-processor, and the plug-in is not running on a z/OS or IBM i system, if we specify the token label, followed by a colon, as the value for this custom property the entire CertLabel value is used as the keyring label.
We can only use this custom property if we are running on v7.0.0.3 or later.
Information Value Data type String Default None HTTPMaxHeaders
The maximum number of headers that can be included in a request or response that passes through the web server plug-in. If a request or response contains more than the allowable number of headers, the web server plug-in drops the extra headers.
Information Value Data type Integer Range 1 - 4000 Default 300 If we prefer, instead of adding this custom property, we can manually add the following values to the plugin-cfg.xml file:
HTTPMaxHeaders = "<value>" in the Config tag. Example : <Config ASDisableNagle="false" AcceptAllContent="false" AppServerPortPreference="HostHeader" ChunkedResponse="false" FIPSEnable="false" HTTPMaxHeaders="2500" IISDisableNagle="false" IISPluginPriority="High" IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64" VHostMatchingCompat="false">IgnoreAffinityRequests
Determines whether the plug-in counts affinity requests against dynamic round-robin weight countdown. This custom property does not affect how affinity requests are routed. It affects only round-robin load weight counts. If this custom property is set to true, then affinity requests are not counted and only new requests are counted. The plug-in evenly distributes new requests, but total requests that contain affinity and new can seem skewed because of session affinity. If this custom property is set to false, then affinity requests are counted against load balance weights. The plug-in distributes new requests to more available cluster members with fewer total requests. This setting skews the distribution of new requests in favor of better distribution of total requests.
Information Value Data type Boolean Default False IISDisableFlushFlag
Specifies how Microsoft Internet Information Services (IIS) handles chunked responses. If the property's value is true, IIS holds chunked responses until it receives all responses. If the property's value is false, IIS passes chunked responses as it receives them.
Information Value Data type Boolean Default True KillWebServerStartUpOnParseErr
This property is valid only when used with IBM HTTP Server.
If the web server plug-in has a DNS failure and property ignoreDNSFailures is false, IBM HTTP Server starts, but the plug-in does not load. As a result, IBM HTTP Server only serves static requests from its own location. Set KillWebServerStartUpOnParseErr totrue when ignoreDNSFailures is false to prevent IBM HTTP Server from starting.
This property affects only the initial startup of IBM HTTP Server. This property does not affect the plug-in's attempts to reload the XML.
Information Value Data type Boolean Default True MarkBusyDown
If the value is true, the plug-in temporarily marks the server down to give it a chance to complete the restart. The duration of the markdown depends on the RetryInterval specified in the plug-in configuration.
Information Value Data type Boolean Default False SSLConsolidate
Specifies whether the web server plug-in is to compare the setup of each new SSL transport with the setup of other SSL transports that are already defined in the configuration file. When true, and the plug-in determines that the keyring and CertLabel values specified for the new SSL transport match the values specified for an already defined SSL transport, the plug-in uses the existing SSL environment instead of creating a new SSL environment. Creating fewer SSL environments means that the plug-in requires less memory, and the plug-in initialization time decreases, thus optimizing your overall GSkit environment.
Information Value Data type Boolean Default True SSLPKCSDriver
Fully qualified name of the loadable module that interfaces with an optional SSL co-processor. The fully qualified name must include the directory path and the module name.
Information Value Data type String Default None SSLPKCSPassword
Password for the SSL co-processor with which the module, specified for the SSLPKCSDriver custom property, is interfacing.
If we are using an IBM HTTP Server, we can use the sslstash program to create a file containing this password. In this situation, we can specify the fully qualified name of that file, instead of the actual password, as the value for this custom property.
Information Value Data type String Default None StrictSecurity
Indicates to allow the plug-in to enable security compatible with the application server FIPS SP800-131 and TLSv1.2 handshake protocol settings.
Typically, the security library in the web server plug-in does not enable strict security by default. If strict security is enabled on the application server, connections fail unless an insecure connection is also configured.
To enable this property, set the StrictSecurity property to true.
Information Value Data type String Default True TrustedProxyEnable
Permits the web server plug-in to interface with the proxy servers and load balancers listed for the TrustedProxyList custom property. When true, the proxy servers and load balancers in this trusted proxy list can set values for the $WSRA and $WSRH internal headers. The $WSRA internal header is the IP address of the remote host, which is typically the browser, or an internal address that is obtained by Network Address Translation (N.A.T.). The $WSRH internal header is the host name of the remote host. This header information enables the web server plug-in to interface with that specific proxy server or load balancer.
When we use this custom property, we must also use the TrustedProxyList custom property to specify a list of trusted proxy servers and load balancers. Also, we must clear the Remove special headers check box on the Request Routing panel within the administrative console. See documentation on web server plug-in request routing properties.
Information Value Data type Boolean Default False TrustedProxyList
Comma-delimited list of all proxy servers or load balancers that have permission to interface with this web server plug-in. We must use this property with the TrustedProxyEnable=true custom property setting. If the TrustedProxyEnable custom property is set to false, this list is ignored.
Example:
TrustedProxyList = myProxyServer1.myDomain.com,myProxyServer2.com,192.168.0.1
Information Value Data type String Default None UseInsecure
That to allow the plug-in to create unsecured connections when secure connections are defined, as was done in previous versions of WAS, create the custom property UseInsecure=true.
Information Value Data type Boolean Default False
plugin-cfg.xml file Web server plug-in request routing properties