Manage web reverse proxy configuration entries

To manage the web reverse proxy basic configuration, use the Reverse Proxy management page.

Steps

  1. Select Web > Manage > Reverse Proxy.

  2. Select the instance of interest.

  3. Select Edit.

  4. Make changes to the settings on the Server, SSL, Junction, Authentication, SSO, Session, Response, Logging, and Interfaces tabs.

      Server
      The Server tab contains entries related to the general server configuration.

      Field Description
      HTTPS Select this check box to enable the HTTPS port within Reverse Proxy.
      HTTPS Port Port over which Reverse Proxy listens for HTTPS requests.
      HTTP Select this check box to enable the HTTP port within Reverse Proxy.
      HTTP Port Port over which Reverse Proxy listens for HTTP requests.
      Interface Address The network interface on which the Reverse Proxy server listens for requests.
      Enable HTTP/2 Select this check box to enable HTTP/2 incoming connections on the primary interface from clients (browsers).
      Persistent Connection Timeout The maximum number of seconds that a persistent connection with a client can remain inactive before it is closed by the server.
      Worker Threads The number of threads allocated to service requests.
      Cluster is Master If the Reverse Proxy clustering function is used, this check box controls whether this Reverse Proxy server acts as the cluster master.
      Master Instance Name The server name for the Reverse Proxy instance which is acting as the master within the cluster. This option is only enabled if the Cluster is Master check box is not selected.
      Message Locale The locale in which the Reverse Proxy runs.

      SSL
      The SSL tab contains entries related to the general SSL configuration of the server.

      Field Description
      SSL Certificate Key File The key database used to store the certificates which are presented by Reverse Proxy to the client.
      Network HSM Key File The key database that stores the certificates to be used by the network Hardware Security Module (HSM) device.
      SSL Server Certificate The name of the SSL certificate, within the key database, which is presented to the client. The drop-down list includes certificates from both the local and network key files. The certificates from the network key file are prefixed with the token label for the network HSM device.
      JCT Certificate Key File The key database used to store the certificates which are presented by Reverse Proxy to the junctioned Web servers.

      Junction
      The Junction tab contains entries related to the general junction configuration.

      Field Description
      HTTP Timeout Timeout in seconds for sending to and reading from a TCP junction.
      HTTPS Timeout Timeout in seconds for sending to and reading from an SSL junction.
      Ping Interval The interval in seconds between requests which are sent by Reverse Proxy to junctioned Web servers to determine the state of the junctioned Web server.
      Ping Method The HTTP method that Reverse Proxy uses when it sends health check requests to the junctioned Web server.
      Ping URI The URI that Reverse Proxy uses when it sends health check requests to the junctioned Web server.
      Maximum Cached Persistent Connections The maximum number of connections between Reverse Proxy and a junctioned Web server that will be cached for future use.
      Persistent Connection Timeout The maximum length of time, in seconds, that a cached connection with a junctioned Web server can remain idle before it is closed by Reverse Proxy.
      Managed Cookie List A comma-separated list of cookie name patterns. Cookies whose names match a pattern are stored in the Reverse Proxy cookie jar; all other cookies are passed back to the client.

      Authentication
      The Authentication tab contains entries related to the configuration of the authentication mechanisms which are used by the server.

        Basic Authentication

        Field Description
        Transport The transport over which basic authentication is supported.
        Realm Name Realm name for basic authentication.

        Forms Authentication

        Field Description
        Forms Authentication The transport over which forms authentication is supported.

        Client Certificate Authentication

        Field Description
        Accept Client Certificates Condition under which client certificates are required by Reverse Proxy.
        Certificate EAI URI The resource identifier of the application that is invoked to perform external client certificate authentication.
        Certificate Data Client certificate data that are passed to the EAI application.

        Kerberos Authentication

        Field Description
        Transport The transport over which Kerberos authentication is supported.
        Keytab File Name of the Kerberos keytab file. The keytab file must contain a key for each of the service principal names used for SPNEGO authentication (one HTTP/<host name> entry for every host name that clients use to reach the server). Before you upload the file, list its entries on the host where it was created, for example with the MIT Kerberos command klist -kt, and confirm that every required service principal name is present.
        Use Domain Qualified Name Kerberos authentication provides a principal name in the form shortname@domain.com. By default, only the short name is used as the Security Verify Access user ID. If this check box is selected, the domain is also included in the user ID. Select it when users from more than one Kerberos domain authenticate through this server; otherwise two principals that share a short name in different domains map to the same user ID.
        Kerberos Service Names The list of Kerberos service principal names used for the server.

        The first service name in the list is the default service name. To make a service name the default, select the service name and then click Default.

        EAI Authentication

        Field Description
        Transport The transport over which EAI authentication is supported.
        Trigger URL A URL pattern used by Reverse Proxy to determine whether a response is examined for EAI authentication headers.
        Authentication Levels The authentication level assigned to each of the configured authentication mechanisms.

        Token Authentication

        Field Description
        Transport The transport over which RSA authentication is supported.

        You can also click Go to RSA Configuration to open the RSA Configuration page.

        OIDC Authentication

        Field Description
        Transport Transport for which authentication using the OIDC authentication mechanism is enabled.
        Redirect URI The redirect URI that is registered with the OIDC OP. The redirect URI should correspond to the /pkmsoidc resource of the WebSEAL server (for example: https://isva.ibm.com/pkmsoidc). If no redirect URI is configured, it is constructed from the Host header of the request. Set it explicitly: a value derived from the client-supplied Host header lets the request, rather than the administrator, decide which redirect URI is sent to the OP, and it only works if every host name that clients use is registered with the OP.
        Discovery Endpoint The discovery end-point for the OP. The CA certificate for the discovery-endpoint and corresponding authorization and token endpoints must be added to the WebSEAL key database.
        Proxy URL The URL of the proxy which will be used when communicating with the OP.
        Client Id The Security Verify Access client identity, as registered with the OP.
        Client Secret The Security Verify Access client secret, as registered with the OP.
        Response Type The required response type for authentication responses. The possible values are:

          code
          The authorization code flow will be used to retrieve both an access token and identity token.

          id_token
          The implicit flow will be used to retrieve the identity token.

          id_token token
          The implicit flow will be used to retrieve both an access token and identity token.

        Mapped Identity A formatted string used to construct the Security Verify Access principal name from elements of the ID token. Claims can be added to the identity string, surrounded by '{}'. For example: {iss}/{sub} - would construct a principal name like the following: https://server.example.com/248289761001.
        External User Whether the mapped identity should correspond to a known Security Verify Access identity.
        Bearer Token Attributes The list of JSON data elements from the bearer token response which should be included in the credential as an extended attribute. The JSON name can contain pattern matching characters: '*','?'. The JSON data name will be evaluated against each rule in sequence until a match is found. The corresponding code (+/-) will then be used to determine whether the JSON data will be added to the credential or not. If the JSON data name does not match a configured rule it will by default be added to the credential.
        Id Token Attributes The list of claims from the ID token which should be included in the credential as an extended attribute. The claim name can contain pattern matching characters: '*','?'. The claims will be evaluated against each rule in sequence until a match is found. The corresponding code (+/-) will then be used to determine whether the claim will be added to the credential or not. If the claim does not match a configured rule it will by default be added to the credential.
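        The Mapped Identity template and the first-match attribute rules described above are easy to misconfigure (a broad '+' rule placed first shadows every '-' rule after it). The following Python is an added example, not IBM's code, that models both behaviours exactly as the page describes them so the effect of a rule order can be tried offline. The ID-token claims are constructed sample data, and representing the rules as (code, pattern) pairs is an assumption of this example; the appliance stores them in its own configuration format.

```python
"""Added example (not IBM's code): Mapped Identity expansion and the
first-match '+'/'-' attribute rules for ID token and bearer token data.
Rule representation as (code, pattern) tuples is an assumption of this file."""
from __future__ import annotations
from fnmatch import fnmatchcase
import re

# Constructed sample ID-token claims (values are made up).
SAMPLE_ID_TOKEN = {
    "iss": "https://server.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "exp": 1311281970,
    "iat": 1311280970,
    "nonce": "n-0S6_WzA2Mj",
    "at_hash": "77QmUPtjPfzWtF2AnpK9RQ",
    "email": "jane.doe@example.com",
    "preferred_username": "jdoe",
}

_PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def map_identity(template: str, claims: dict) -> str:
    """Expand {claim} placeholders from the token claims.

    A missing claim raises instead of expanding to an empty string: a template
    such as '{iss}/{upn}' applied to a token without 'upn' would otherwise
    produce the same principal name for every user of that issuer.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in claims:
            raise KeyError(f"claim {name!r} not present in ID token")
        return str(claims[name])
    return _PLACEHOLDER.sub(substitute, template)


def filter_attributes(claims: dict, rules: list[tuple[str, str]]) -> dict:
    """Apply the page's rule semantics: rules are tried in order, the first
    pattern that matches the claim name decides ('+' add, '-' drop), and a
    claim that matches no rule is added. Patterns may contain '*' and '?'."""
    kept = {}
    for name, value in claims.items():
        decision = "+"                      # default when nothing matches
        for code, pattern in rules:
            if fnmatchcase(name, pattern):
                decision = code
                break
        if decision == "+":
            kept[name] = value
    return kept


if __name__ == "__main__":
    print(map_identity("{iss}/{sub}", SAMPLE_ID_TOKEN))
    # Drop token-mechanics claims, keep everything else.
    rules = [("-", "at_hash"), ("-", "nonce"), ("-", "exp"), ("-", "iat"), ("+", "*")]
    print(sorted(filter_attributes(SAMPLE_ID_TOKEN, rules)))
    # Same rules in the wrong order: the '+*' rule wins for every claim.
    print(sorted(filter_attributes(SAMPLE_ID_TOKEN, list(reversed(rules)))))
```

Run it to see that the order of the rules, not only their content, decides what reaches the credential; put specific '-' exclusions before any catch-all '+' pattern.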

        Click the Load Key button to load the CA certificate for the discovery URI into the WebSEAL key file. The certificate is obtained by retrieving the root of the certificate chain that the server presents. If the server does not send its CA certificate, load it manually into the WebSEAL SSL key file. This operation is not supported when a proxy is configured; in that case, load the certificate manually. Because Load Key trusts whatever root the server presents at that moment, verify the certificate's fingerprint against a value obtained from the OP's operator before you rely on it.

        Click the Test Endpoint button to check whether WebSEAL can access the endpoint and whether the endpoint returns the expected OIDC metadata.
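        What "the expected OIDC meta-data" has to contain is not spelled out above. The following Python is an added example, not IBM's code and not what the Test Endpoint button runs, that performs the same kind of check offline on a constructed discovery document: required OpenID Connect Discovery fields are present, the issuer matches the discovery URL (the document must live at <issuer>/.well-known/openid-configuration), every endpoint WebSEAL will contact is https (so its CA certificate can be placed in the key database), and the OP advertises the configured Response Type. The discovery URL and document contents are assumed sample values.

```python
"""Added example (not IBM's code): offline sanity check of an OIDC discovery
document, mirroring what a reverse proxy needs before it can run the
configured flow. DISCOVERY_URL and SAMPLE_DISCOVERY are constructed values."""
import json
from urllib.parse import urlparse

DISCOVERY_URL = "https://op.example.com/.well-known/openid-configuration"  # assumed

# Constructed discovery document, as an OP would return it.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "jwks_uri": "https://op.example.com/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "subject_types_supported": ["public"],
})

# Fields a relying party needs for the code and implicit flows.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(discovery_url: str, body: str, response_type: str) -> list:
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    try:
        meta = json.loads(body)
    except ValueError as exc:
        return [f"discovery document is not JSON: {exc}"]
    for key in REQUIRED:
        if key not in meta:
            problems.append(f"missing required field {key!r}")
    if problems:
        return problems
    # OIDC Discovery: the document is served at <issuer>/.well-known/openid-configuration.
    # If the issuer does not match, the 'iss' claim of every ID token will differ
    # from what the proxy was configured to trust.
    expected = meta["issuer"].rstrip("/") + "/.well-known/openid-configuration"
    if discovery_url != expected:
        problems.append(f"issuer {meta['issuer']!r} does not match discovery URL")
    # Each endpoint the proxy calls must be https; its CA certificate then has to
    # be present in the WebSEAL key database.
    for key in ENDPOINTS:
        if urlparse(meta[key]).scheme != "https":
            problems.append(f"{key} is not https: {meta[key]}")
    if response_type not in meta["response_types_supported"]:
        problems.append(f"OP does not advertise response_type {response_type!r}")
    return problems


def endpoint_hosts(body: str) -> set:
    """Hosts whose CA certificates must be loaded into the WebSEAL key file."""
    meta = json.loads(body)
    return {urlparse(meta[key]).hostname for key in ENDPOINTS}


if __name__ == "__main__":
    print(check_discovery(DISCOVERY_URL, SAMPLE_DISCOVERY, "code"))        # []
    print(check_discovery(DISCOVERY_URL, SAMPLE_DISCOVERY, "token"))       # unsupported type
    print(endpoint_hosts(SAMPLE_DISCOVERY))
```

Feed the function the body you retrieve from the real discovery URL (with curl, for instance) and the Response Type you intend to select; the list of hosts it returns is the set whose CA certificates the SSL tab's key database must contain, which matters when the authorization and token endpoints are on a different host from the discovery endpoint.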

      Session
      The Session tab contains entries related to the general session configuration.

      Field Description
      Re-authentication for Inactive Whether to prompt users to re-authenticate if their entry in the server credential cache has timed out because of inactivity.
      Max Cache Entries The maximum number of concurrent entries in the session cache.
      Lifetime Timeout Maximum lifetime in seconds for an entry in the session cache.
      Inactivity Timeout The maximum time, in seconds, that a session can remain idle before it is removed from the session cache.
      TCP Session Cookie Name The name of the cookie to be used to hold the HTTP session identifier.
      SSL Session Cookie Name The name of the cookie to be used to hold HTTPS session identifier.
      Use Same Session Check box to use the same session for both HTTP and HTTPS requests. When this option is selected, the cookie that identifies an HTTPS session is also sent over HTTP, where it can be observed on the network; leave it cleared unless the HTTP port is disabled or an application genuinely needs one session across both transports.
      Enable Distributed Session Cache Check box to enable distributed session cache on this reverse proxy instance. The appliance must be a part of an appliance cluster to enable the distributed session cache. Also, if the cluster configuration changes and a new master is specified, this option must be disabled and then re-enabled. The instance can then pick up the details of the new cluster configuration.

      Response
      The Response tab contains entries related to response generation.

      Field Description
      Enable HTML Redirect Check box to enable the HTML redirect function.
      Enable Local Response Redirect Check box to enable the local response redirect function.
      Local Response Redirect URI When local response redirect is enabled, this field contains the URI to which the client is redirected for Reverse Proxy responses.
      Local Response Redirect Macros The macro information which is included in the local response redirect.

      SSO
      The SSO tab contains entries related to the configuration of the different single-sign-on mechanisms used by the server.

        Failover

        Field Description
        Transport The transport over which failover authentication is supported.
        Cookies Lifetime Maximum lifetime in seconds for failover cookies.
        Cookies Key File The key file used to encrypt the failover cookie.

        LTPA

        Field Description
        Transport The transport over which LTPA authentication is supported.
        Cookie Name The name of the cookie used to transport the LTPA token.
        Key File The key file used when accessing LTPA cookies.
        Key File Password Password used to access the LTPA key file.

        CDSSO

        Field Description
        Transport The transport over which CDSSO authentication is supported.
        Transport (generation) The transport over which the creation of CDSSO tokens is supported.
        Peers The names of the other Reverse Proxy servers that participate in the CDSSO domain, together with the name of the key file that each server uses.

        ECSSO

        Field Description
        Transport The transport over which e-community SSO authentication is supported.
        Name Name of the e-community.
        Is Master Authentication Server Check box if this Reverse Proxy server is the master for the e-community.
        Master Authentication Server The name of the Reverse Proxy server that acts as the master of the e-community. This field is not required if this Reverse Proxy server is designated as the master.
        Domain Keys The names of the other Reverse Proxy servers that participate in the e-community, together with the name of the key file that each server uses.

      Logging
      The Logging tab contains entries related to the logging and auditing configuration.

      Field Description
      Enable Agent Logging Select the check box to enable the agent log.
      Enable Referer Logging Select the check box to enable the referer log, which records the HTTP Referer header of each request.
      Enable Request Logging Check box to enable the request.log.
      Request Log Format The format of the entries contained within the request.log.
      Maximum Log Size The maximum size of the log file before it is rolled over.
      Flush Time Period, in seconds, that Reverse Proxy caches the log entries before the system writes the entries to the log file.
      Enable Audit Log Check box to enable the generation of audit events.
      Audit Log Type Select the events to be audited.
      Audit Log Size The maximum size of the audit log file before it is rolled over.
      Audit Log Flush Period, in seconds, that Reverse Proxy caches the audit log entries before the system writes the entries to the log file.

      Interfaces
      The Interfaces tab contains settings related to WebSEAL secondary interfaces.

      • To add a new secondary interface, click New. Then, define the settings in the pop-up window containing the following fields:

        Field Description
        Application Interface IP Address The IP address on which the WebSEAL instance listens for requests.
        HTTP Port This field contains the port on which the WebSEAL instance listens for HTTP requests.
        HTTPS Port This field contains the port on which the WebSEAL instance listens for HTTPS requests.
        Web HTTP Port Port the client perceives WebSEAL to be using.
        Web HTTP Protocol Protocol the client perceives WebSEAL to be using.
        Certificate Label The label of the SSL server certificate that is presented to the client by the WebSEAL instance.
        Accept Client Certificates Condition under which client certificates are required by WebSEAL.
        Worker Threads The number of threads that is allocated to service requests.
        HTTP/2 Enables HTTP/2 connections on this interface.
        HTTP/2 Maximum Connections The maximum number of HTTP/2 connections allowed per specified port.
        HTTP/2 Header Table Size The size of HTTP/2 header table.
        HTTP/2 Maximum Concurrent Streams The maximum concurrent HTTP/2 streams allowed.
        HTTP/2 Initial Window Size The initial window size of HTTP/2 connections.
        HTTP/2 Maximum Frame Size The maximum frame size of HTTP/2 connections.
        HTTP/2 Maximum Header List Size The maximum header list size of HTTP/2 connections.

        Click Save to save the settings.

      • To delete a secondary interface, select the interface and then click Delete.

      • To edit a secondary interface, select the interface and click Edit. Then, update the settings in the pop-up window, which contains the fields described previously.

  5. Click Save to apply the changes.

  6. Commit the changes.

Parent topic: Reverse proxy instance management