
Configure the library widget proxy

To enable communication between IBM Connections and ECM servers, add a proxy policy to the proxy-ecm-config.tpl file. Configuring the proxy to mirror content from third-party servers may cause the proxy to mirror malicious content from those servers, so be sure to allow access to trusted sites only.

To configure the proxy-ecm-config.tpl file for library widgets:

  1. Check out the proxy-ecm-config.tpl file:

      ./wsadmin.sh -lang jython
      execfile("connectionsConfig.py")
      LCConfigService.checkOutProxyEcmConfig("/tmp","cell_name")

    To get the cell name:

      print AdminControl.getCell()

  2. Edit /tmp/proxy-ecm-config.tpl

    In the policy element, replace the URL attribute with the server address of the ECM server:

    <proxy:policy url="http://www.myco.com:8080/*" acf="none" basic-auth-support="true">
            <proxy:actions>
                <proxy:method>GET</proxy:method>
                <proxy:method>HEAD</proxy:method>
                <proxy:method>POST</proxy:method>
                <proxy:method>PUT</proxy:method>
                <proxy:method>DELETE</proxy:method>
            </proxy:actions>
            <proxy:headers>
                <proxy:header>User-Agent</proxy:header>
                <proxy:header>Accept*</proxy:header>
                <proxy:header>Content*</proxy:header>
                <proxy:header>Authorization*</proxy:header>
                <proxy:header>X-Method-Override</proxy:header>
                <proxy:header>Set-Cookie</proxy:header>
                <proxy:header>If-*</proxy:header>
                <proxy:header>Pragma</proxy:header>
                <proxy:header>Cache-Control</proxy:header>
                <proxy:header>X-Server</proxy:header>
                <proxy:header>X-Update-Nonce</proxy:header>
                <proxy:header>X-Passthrough-Basic</proxy:header>
                <proxy:header>X-Requested-With</proxy:header>
                <proxy:header>If-Modified-Since</proxy:header>
                <proxy:header>If-None-Match</proxy:header>
                <proxy:header>com.ibm.lotus.openajax.virtualhost</proxy:header>
                <proxy:header>com.ibm.lotus.openajax.virtualport</proxy:header>
            </proxy:headers>
            <proxy:cookies>
                <proxy:cookie>LtpaToken</proxy:cookie>
                <proxy:cookie>LtpaToken2</proxy:cookie>
                <proxy:cookie>JSESSIONID</proxy:cookie>
                <proxy:cookie>LTPA</proxy:cookie>
                <proxy:cookie>LTPA2</proxy:cookie>
                <proxy:cookie>PD-H-SESSION-ID</proxy:cookie>
                <proxy:cookie>PD-S-SESSION-ID</proxy:cookie>
                <proxy:cookie>SMSESSION</proxy:cookie>
            </proxy:cookies>
        </proxy:policy>

  3. Optionally, specify values for the following proxy:meta-data properties.

    Add any custom configurations before these proxy:meta-data elements.

    circular_redirects: Circular redirects are allowed. true or false. Setting true supports using a proxy for a site that redirects to the same URL, but with different parameters. Such a change is not recognized as a new URL. Default is true.
    connection-timeout: Amount of time before an attempt to connect to a host times out. Milliseconds. The default is 60,000, which is 1 minute.
    max_circular_redirects: Maximum number of times a circular redirect is allowed before the proxy rejects it. Integer. Default is 100.
    maxconnectionsperhost: Maximum number of simultaneous connections between the proxy and a given host. Integer. Default is 5.
    maxtotalconnections: Maximum number of simultaneous connections between the proxy and all of the hosts together. Integer. Default is 10.
    socket-timeout: Amount of time before an attempt to use a socket times out. Milliseconds. The default is 60,000, which is 1 minute.
    unsigned_ssl_certificate_support: Support self-signed SSL certificates. Boolean: true or false. Default is true. Change to false when the system is ready for production.

    The purpose of the following three settings is to prevent the proxy from consuming all available container threads while it waits for a response from a target host that is slow or is not responding.

    maxconcurrentconnections: Limit the number of active threads in the proxy at any one time. When the limit is reached, all subsequent threads immediately return with an HTTP 504 Gateway Timeout error. If the value is 0, no limit is set. Default is 10.
    suspend-url-timeout-interval: Minimum amount of time, in milliseconds, that a host is on the suspend list. A host is placed on the suspend list when the host times out. When a host is on the suspend list, the proxy rejects all requests to that host and returns an HTTP 504 Gateway Timeout error for that host. After the timeout interval expires, the host remains on the suspend list, but the next request is accepted. If the request succeeds, the host is removed from the suspend list. If the request does not succeed, the host remains on the suspend list and the timeout interval is renewed. The maximum value is 120000 (2 minutes). A value of 0 disables the timeout interval feature. Default is 2000, which is used if the value is missing or not valid.
    clean-url-timeout-interval: Maximum amount of time, in milliseconds, that a host is on the suspend list. The minimum value is 180000 (30 minutes). Default is 14400000, which is used if the value is missing or not valid.

    For example:

    <proxy:meta-data>
      <proxy:name>maxconcurrentconnections</proxy:name>
      <proxy:value>20</proxy:value>
    </proxy:meta-data> 

  4. If the environment uses a pass-through proxy, add a <proxy:meta-data> element containing each of the following parameters:

    passthru_host: Address at which the proxy is listening. In most cases, accessing the host and port from a browser causes an authentication request popup to be displayed. Required.
    passthru_username: User name for authenticating with the pass-through proxy. In the example that follows, any username with read access to the subversion server will be sufficient when a GET request is sent to get authorization.
    passthru_password: Password that corresponds with passthru_username. Required. If we do not provide a user name and password, all other parameters are ignored.
    passthru_port: The port at which the proxy is listening. If not specified, then a default value of port 80 is used. Required.
    passthru_realm: User credential pairs are associated with realms, not URLs. This allows the same authorization information to be used for multiple URLs or whole URL trees. When a server sends back an unauthorized error, it includes the name of the realm the requested URL belongs to. The client can then look and see whether it has stored a username and password for the realm, and if so, it supplies that information without having to prompt the user again. If a user name and password are needed for the proxy, we can specify the realm for the proxy so the credentials do not get sent to any proxy. If we do not specify this parameter, then the credentials are sent for all authentication attempts. In the example that follows, Subversion User Authentication is specified as the passthru_realm. As a result, all authentication requests from this realm on the SVN server will be provided the given username and password. Specify the passthru_realm parameter in a production environment to prevent the user name and password information from being presented for all authentication requests. Required. If we do not provide a user name and password, all other parameters are ignored.

    Configuration for a fictitious proxy firewall...

    <proxy:meta-data>
     <proxy:name>passthru_host</proxy:name>
     <proxy:value>9.17.237.132</proxy:value>
    </proxy:meta-data>
    
    <proxy:meta-data>
     <proxy:name>passthru_port</proxy:name>
     <proxy:value>3128</proxy:value>
    </proxy:meta-data>
    
    <proxy:meta-data>
     <proxy:name>passthru_realm</proxy:name>
     <proxy:value>Subversion User Authentication</proxy:value>
    </proxy:meta-data>
    
    <proxy:meta-data>
     <proxy:name>passthru_username</proxy:name>
     <proxy:value>adamsmith</proxy:value>
    </proxy:meta-data>
    
    <proxy:meta-data>
     <proxy:name>passthru_password</proxy:name>
     <proxy:value>password123</proxy:value>
    </proxy:meta-data>

  5. Enter the following command to check in the changes:

      LCConfigService.checkInProxyEcmConfig("/tmp","cell_name")

  6. Restart the Connections server.


What to do next

To enable communication with more ECM servers, add a new copy of the current policy for each ECM server. In each new policy, change the server name in the URL attribute.
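
An added example (not IBM's code): an audit to run on the checked-out file before check-in, flagging the settings this page warns about: policy URLs outside a trusted-host allowlist, self-signed certificate support left enabled, and pass-through credentials without a passthru_realm. The basic-auth-over-HTTP check is a general addition; the wrapper element, namespace URI, sample password and the `trusted_hosts` parameter are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. The wrapper element and namespace URI are placeholders,
# so elements are matched by local name only.
SAMPLE = """<proxy:rules xmlns:proxy="urn:example:proxy">
 <proxy:policy url="http://www.myco.com:8080/*" acf="none" basic-auth-support="true"/>
 <proxy:policy url="*" acf="none"/>
 <proxy:meta-data><proxy:name>passthru_username</proxy:name>
  <proxy:value>adamsmith</proxy:value></proxy:meta-data>
 <proxy:meta-data><proxy:name>passthru_password</proxy:name>
  <proxy:value>placeholder</proxy:value></proxy:meta-data>
</proxy:rules>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text, trusted_hosts):
    """Return (code, detail) findings for a proxy-ecm-config.tpl document."""
    findings, meta = [], {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "policy":
            url = el.get("url", "")
            host = urlsplit(url).hostname  # None for a bare "*"
            if host is None or host.lower() not in trusted_hosts:
                findings.append(("untrusted-url", url))
            # General check, not from the page: Basic credentials over plain HTTP.
            if el.get("basic-auth-support") == "true" and url.lower().startswith("http://"):
                findings.append(("basic-auth-over-http", url))
        elif local(el.tag) == "meta-data":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            meta[kv.get("name")] = kv.get("value", "")
    # The page gives the default as true, so a missing property counts as enabled.
    if meta.get("unsigned_ssl_certificate_support", "true").lower() != "false":
        findings.append(("self-signed-certs-accepted", "unsigned_ssl_certificate_support"))
    # Without a realm, the credentials are sent for all authentication attempts.
    if meta.get("passthru_username") and not meta.get("passthru_realm"):
        findings.append(("passthru-creds-without-realm", "passthru_realm"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE, {"www.myco.com"}):
        print(code, detail)
```

Pass the set of ECM hosts you have approved as `trusted_hosts`; an empty result means none of these checks fired.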

