cert-prompt-max-tries
Use the cert-prompt-max-tries stanza entry to specify how many times WebSEAL attempts to negotiate the SSL certificate before it assumes the client cannot provide a certificate.
cert-prompt-max-tries = number_of_tries
Description
During certificate authentication, WebSEAL prompts the browser to present the client's certificate. The SSL certificate negotiation process requires the browser to open and use a new (not existing) TCP connection.
Browsers typically maintain several open TCP connections to a given server. When WebSEAL tries to prompt the browser for a certificate, the browser often tries to reuse an existing TCP connection instead of opening a new TCP connection. Therefore, the prompting process must be retried. WebSEAL might need to prompt for a certificate several times before the browser opens a new TCP connection and allows the prompting process to succeed.
This configuration option controls how many times WebSEAL attempts to begin the SSL certificate negotiation process with the browser before assuming the client cannot provide a certificate.
Options
number_of_tries
Set the value to 5 because most browsers maintain a maximum of four TCP connections to a Web server. As each attempt by the browser to process the certificate prompts on an existing TCP connection fails, that TCP connection is closed. On the fifth attempt, with all TCP connections closed, the browser's only option is to open a new TCP connection.
If the value is set to less than 5, intermittent failures of certificate authentication might occur because the browser reuses existing TCP connections instead of opening a new TCP connection. These failures are more likely to occur in environments where login or other pages contain images that browsers access immediately before triggering the certificate prompts.
Values less than 2 or greater than 15 are not permitted.
This value is not used unless accept-client-certs = prompt_as_needed.
Usage:
This stanza entry is required.
Default:
5
Example:
cert-prompt-max-tries = 5
Parent topic: [certificate] stanza
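The rules in this topic can be checked mechanically before a configuration change is deployed. The following Python check is an added example, not IBM-supplied code; the sample file content, the function names and the simple stanza parser are assumptions made for illustration.

```python
import re

# Constructed sample of a WebSEAL configuration file (not from a real deployment).
SAMPLE_CONF = """\
[server]
https = yes

[certificate]
# prompt only when a protected resource requires a certificate
accept-client-certs = prompt_as_needed
cert-prompt-max-tries = 3
"""

def read_stanza(text, stanza):
    """Return the key/value entries of one [stanza] from stanza-file text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def check_cert_prompt_tries(text):
    """Audit cert-prompt-max-tries against the rules stated in this topic."""
    cert = read_stanza(text, "certificate")
    raw = cert.get("cert-prompt-max-tries")
    if raw is None:
        return ["error: cert-prompt-max-tries is required but missing"]
    if not re.fullmatch(r"[0-9]+", raw):
        return [f"error: cert-prompt-max-tries = {raw!r} is not a number"]
    tries, findings = int(raw), []
    if tries < 2 or tries > 15:
        findings.append(f"error: {tries} is outside the permitted range 2-15")
    if cert.get("accept-client-certs") != "prompt_as_needed":
        findings.append("info: value is unused unless accept-client-certs = prompt_as_needed")
    elif 2 <= tries < 5:
        findings.append(f"warning: {tries} is less than 5; intermittent certificate "
                        "authentication failures might occur")
    return findings

if __name__ == "__main__":
    for finding in check_cert_prompt_tries(SAMPLE_CONF):
        print(finding)
```

An empty result means the entry satisfies every rule stated here; the warning case flags values that are permitted but below the recommended 5.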