Appendix B
Configuration Attributes
This appendix describes attributes that you can configure for Sun Java™ System Portal Server Secure Remote Access through the Access Manager administration console from the Service Configuration for each Portal Server Secure Remote Access component:
Access List Service
Table B-1 lists the Access List service attributes.
Table B-1 Access List Service Attributes
|
Attribute
|
Default Value
|
Description
|
|
Denied URLs
|
|
List of URLs that end-users cannot access through Gateway.
|
|
Allowed URLs
|
*
|
List of URLs that end-users can access through Gateway.
|
|
Single Sign On Disabled Hosts
|
|
Disables single sign-on for a list of hosts.
|
|
Enable Single Sign On per Session
|
|
Enables single sign-on for a session.
|
|
Allowed Authorization Levels
|
*
|
Indicates how much to trust an authentication.Use an asterisk to allow all authentication levels. For information on authentication levels, see the Access Manager Administration Guide.
|
Gateway Service
When you click the Gateway service, the right pane displays a button to create a new profile and a list of any gateway profiles that have been created.
If you click New, the next pane asks you to enter the new gateway profile name. You have the option to use the default template or a previously created gateway profile as the template.
If you click one of the listed gateway profile names, a list of tabs are presented. They are:
Core
Table B-2 lists the Gateway service core attributes.
Table B-2 Gateway Service Core Attributes
|
Attribute
|
Default Value
|
Description
|
|
Enable HTTPS Connections
|
|
Enables HTTPS connections.
|
|
HTTPS Port
|
443
|
Specifies the HTTPS port.
|
|
Enable HTTP Connections
|
*
|
Enables HTTP connections.
|
|
HTTP Port
|
80
|
Specifies the HTTP port.
|
|
Enable Rewriter Proxy
|
*
|
Enables secure HTTP traffic between Gateway and the intranet. Rewriter proxy and Gateway use the same gateway profile.
|
|
Rewriter Proxy List
|
|
List of Rewriter proxies. For multiple instances of Rewriter proxies enter the details for each in the form host-name:port
|
|
Enable Netlet
|
Checked
|
Enables security for TCP/IP (such as Telnet and SMTP), HTTP applications, and fixed port applications.
|
|
Enable Proxylet
|
Checked
|
Enables the download of Proxylet on a client machine.
|
|
Enable Netlet Proxy
|
|
Enhances security for Netlet traffic between Gateway and the intranet by extending the secure tunnel from the client, through Gateway to Netlet proxy residing on the intranet. Disable if you do not want to use applications with Portal Server.
|
|
Netlet Proxy Hosts
|
|
Lists Netlet proxy hosts, in the format: hostname:port
|
|
Enable Cookie Management
|
|
Tracks and manages user sessions for all web sites that the user is permitted to access. (Does not apply to the cookies used by Portal Server to track Portal Server user sessions).
|
|
Enable Persistent HTTP Connections
|
Checked
|
Enables HTTP persistent connections at Gateway to prevent sockets being opened for every object (such as images and style sheets) in the web pages.
|
|
Maximum Number of Requests per Persistent Connection
|
10
|
Specifies the number of requests per persistent connection.
|
|
Timeout for Persistent Socket Connections
|
50
|
Specifies the amount of time that needs to lapse before sockets are closed.
|
|
Grace Timeout to Account for Turnaround Time
|
20
|
Specifies the grace amount of time for the request to reach Gateway after the browser has sent i and the time between gateway sending the response and the browser actually receiving it.
|
|
URLs to which User Session Cookie is Forwarded
|
|
Enables servlets and CGIs to receive Portal Server's cookie and use the APIs to identify the user.
|
|
Maximum Connection Queue Length
|
50
|
Specifies the maximum concurrent connections that Gateway can accept.
|
|
Gateway Timeout (seconds)
|
120
|
Specifies the time interval in seconds before Gateway times out its connection with the browser.
|
|
Maximum Thread Pool Size
|
200
|
Specifies the maximum number of threads that can be pre-created in the Gateway thread pool.
|
|
Cached Socket Timeout
|
200
|
Specifies the time interval in seconds before Gateway times out its connection with Portal Server.
|
|
Portal Servers
|
|
Specifies Portal Servers in the format http://portal server name:port -number. Gateway tries to contact each of the Portal Servers listed in a round robin manner to service the requests.
|
|
Server Retry Interval (seconds)
|
120
|
Specifies the time interval between requests to try to start Portal Server, Rewriter proxy or Netlet proxy after it becomes un-available (such as a crash or it was brought down).
|
|
Store External Server Cookies
|
|
Allows Gateway to store and manage cookies for any third party application or server that is accessed through Gateway.
|
|
Obtain Session Information from URL
|
|
Encodes session information as part of the URL, whether cookies are supported or not. Gateway uses this session information found in the URL for validation rather than using the session cookie that is sent from the client’s browser.
|
Proxies
Table B-3 lists the Gateway service proxies attributes.
Table B-3 Gateway Service Proxies Attributes
|
Attribute
|
Default Value
|
Description
|
|
Use Proxy
|
|
Enables usage of web proxies.
|
|
Use Webproxy URLs
|
|
Lists the URLs that Gateway needs to contact only through the webproxies listed in the Proxies for Domains and Subdomains list, even if the Use Proxy option is disabled.
|
|
Do Not Use Webproxy URLs
|
|
Lists URLs that Gateway can connect directly to.
|
|
Proxies for Domains and Subdomains
|
iportal.com
sun.com
|
Specifies which proxy to use to contact specific subdomains in specific domains.
|
|
Proxy Password List
|
|
Specifies the server name, user name and password required for Gateway to authenticate to a specified proxy server, if the proxy server requires authentication to access some or all the sites.
|
|
Enable Automatic Proxy Configuration Support
|
|
Specifies that the information provided in the Proxies for Domains and Subdomains field is to be ignored.
|
|
Automatic Proxy Configuration File location
|
|
Specifies the location of files to be used for PAC support.
|
|
Enable Netlet Tunneling via Web Proxy
|
|
Extends the secure tunnel from the client, through Gateway to the web proxy that resides in the intranet.
|
Security
Table 13-4 lists the Gateway service security attributes.
Table 13-4 Gateway Service Security Attributes
|
Attribute
|
Default Value
|
Description
|
|
Enable HTTP Basic Authentication
|
Checked
|
Saves the username and password so that users need not re-enter their credentials when they revisit BASIC-protected web sites.
|
|
Non-authenticated URLs
|
/portal/desktop/images
/amserver/login_images
/portal/desktop/css
/amserver/jss
/amconsole/console/css
/portal/searchadmin/console/js
/amconsole/console/js
/amserver/css
|
Specifies URLs that do not need any authentication, such as directories that contain images.
|
|
Certificate-enabled Gateway hosts
|
|
Lists the certificate-enabled Gateway hosts.
|
|
Allow 40-bit Encryption
|
|
Allows 40-bit (weak) Secure Sockets Layer (SSL) connections. If you do not select this option, only 128-bit connections are supported.
|
|
Enable SSL Version 2.0
|
checked
|
Enables SSL version 2.0.
Disabling SSL 2.0 means that browsers that support only the older SSL 2.0 cannot authenticate to SRA.This ensures a greater level of security.
|
|
Enable SSL Cipher Selection
|
|
Enables SSL cipher selection. You have the option of to support all the pre-packaged ciphers, or you can select the required ciphers individually. You can select specific SSL ciphers for each Gateway instance.
|
|
SSL2 Ciphers
|
|
Lists the SSL version 2 ciphers you can choose.
|
|
SSL3 Ciphers
|
|
Lists the SSL version 3 ciphers you can choose.
|
|
TLS Ciphers
|
|
Lists the TLS ciphers.
|
|
Enable SSL Version 3.0
|
checked
|
Enables SSL version 3.0.
Disabling SSL 3.0 means that browsers that support only the SSL 3.0 cannot authenticate to SRA. This ensures a greater level of security.
|
|
Enable Null Ciphers
|
|
Enables null ciphers.
|
|
Trusted SSL Domains
|
|
Lists the trusted SSL domains.
|
|
Mark Cookies as secure
|
|
Marks cookies as secure. The Enable Cookie Management option must be enabled.
|
Rewriter
The Rewriter tab has two subsections:
Basic
Table B-4 lists the Gateway service Rewriter basic attributes.
Table B-4 Gateway Service Rewriter Attributes - Basic
|
Attribute
|
Default Value
|
Description
|
|
Enable Rewriting of All URIs
|
|
Specifies that any URL is rewritten without checking against the entries in the Proxies for Domains and Subdomains list.
|
|
Map URIs to RuleSets
|
*://*.iportal.com*/portal/*|default_gateway_ruleset
*/portal/NetFileOpenFileServlet*|null_ruleset
*|generic_ruleset
REPLACE_WITH_IPLANET_MAIL_SERVER_NAME|iplanet_mail_ruleset
REPLACE_WITH_EXCHANGE_SERVER_NAMEexchange_2000sp3_owa_ruleset
*://*.iportal.com*/amconsole/*|default_gateway_ruleset
REPLACE_WITH_INOTES_SERVER_NAME|inotes_ruleset
http*://*/portal/NetFileController*|null_ruleset
|
Associates a domain with the ruleset using the Map URIs to RuleSets list. Rulesets are created under Portal Server Configuration in the Access Manager administration console.
|
|
Map Parser to MIME Types
|
JAVASCRIPT=application/x-java
XML=text/xml
HTML=text/html;text/htm;text/x-component;text/wml;text/vnd.wap.wml
CSS=text/css
|
Associates new MIME types with HTML, JAVASCRIPT, CSS or XML. Separate multiple entries with a semicolon or a comma.
|
|
URIs Not to Rewrite
|
|
Lists the URIs not to rewrite. Note: Adding #* to this list allows URIs to be rewritten, even when the href rule is part of the ruleset.
|
|
Default Domains
|
|
Resolves a host name to a default domain and subdomain. This is specified during installation
|
Advanced
Table B-5 lists the Gateway service Rewriter advanced attributes.
Table B-5 Gateway Service Rewriter Attributes - Advanced
|
Attribute
|
Default Value
|
Description
|
|
Enable MIME Guessing
|
|
Enables MIME guessing when MIME is not sent. You must add data to the Map Parser to URIs list box.
|
|
Map Parser to URI Mappings
|
|
Maps a parser to the URI. Multiple URIs are separated by a semicolon.
For example HTML=*.html; *.htm;*Servlet
means that Rewriter is used to rewrite the content for any page with a html, htm, or Servlet extension.
|
|
Enable Masking
|
|
Allows Rewriter to rewrite a URI so that the Intranet URL of a page is not seen.
|
|
Seed String for Masking
|
|
Specifies a seed string used for masking a URI. A masking algorithm generates this random string.
|
|
URIs not to Mask
|
|
Specifies Internet URIs not to be mask. This is used when applications (such as an applet) require an Internet URI.
For example if you added
*/Applet/Param*
to the list box, the URL would not be masked if the content URI http://abc.com/Applet/Param1.html is matched in the ruleset rule.
|
|
Make Gateway protocol Same as Original URI Protocol
|
|
Enables Rewriter to use a consistent protocol to access the referred resources in the HTML content.
This applies only to static URIs, not to dynamic URIs generated in Javascript.
|
Logging
Table B-6 lists the Gateway service logging attributes.
Table B-6 Gateway Service Logging Attributes
|
Attribute
|
Default Value
|
Description
|
|
Enable Logging
|
|
Enables logging.
|
|
Enable per Session Logging
|
|
Enables capture of minimum log information such as Client Address, Request Type, and Destination Host.
|
|
Enable Detailed per Session Logging
|
|
Enables capture of detailed log information such as Client, Request Type, Destination Host, Type of Request, Client Requested URL, Client Post Data size, SessionID, Response Result code, and Complete Response size.
Note: Enable per Session Logging must be enabled.
|
|
Enable Netlet Logging
|
|
Specifies if logging is enabled. If so the following information is captured: Start time, Source, Address, Source port, Server address, Server port(s), Stop time, Status (start or stop)
|
NetFile Service
When you click the NetFile Service, the right pane displays tabs. They are:
Hosts
The Hosts tab has two subsections:
Config
Table B-7 lists the NetFile hosts configuration attributes.
Table B-7 NetFile Service Hosts Configuration Attributes
|
Attribute
|
Default Value
|
Description
|
|
OS Character Set
|
Unicode(UTF-8)
|
Specifies the character set used as the default encoding for communicating with hosts.
|
|
Host Detection Order
|
WIN, NETWARE, FTP, NFS
|
Specifies the host detection order.
|
|
Common Hosts
|
|
Specifies hosts to be available through NetFile to all remote NetFile users.
|
|
Default Domain
|
|
Specifies the default domain that NetFile needs to use to contact allowed hosts.
|
|
Default Microsoft Windows Domain/Workgroup
|
|
Specifies the default Microsoft Windows domain or workgroup which the users choose to access a Windows host.
|
|
Default WINS/DNS Server
|
|
Specifies the WINS/DNS server that NetFile uses to access windows hosts.
|
Access
Table B-8 lists the NetFile service hosts access attributes.
Table B-8 NetFile Service Hosts Access Attributes
|
Attribute
|
Default Value
|
Description
|
|
Allow Access to Windows Hosts
|
Checked
|
Allows access to Microsoft Windows hosts.
|
|
Allow Access to FTP Hosts
|
Checked
|
Allows access to FTP hosts.
|
|
Allow Access to NFS Hosts
|
Checked
|
Allows access to NFS hosts.
|
|
Allow Access to Netware Hosts
|
Checked
|
Allows access to Netware hosts.
|
|
Allowed Hosts
|
*
|
Specifies hosts that users can access through NetFile.
|
|
Denied Hosts
|
|
Specifies hosts that users cannot access through NetFile.
|
Permissions
If you disable these options after the user has started using NetFile, the change takes effect only if the user logs out of NetFile and logs in again.
Table B-9 lists the NetFile service permission attributes.
Table B-9 NetFile Service Permissions Attributes
|
Attribute
|
Default Value
|
Description
|
|
Allow File Rename
|
Checked
|
Allows users to rename files.
|
|
Allow File/Folder Deletion
|
Checked
|
Allows users to delete files and folders.
|
|
Allow File Upload
|
Checked
|
Allows users to upload files.
|
|
Allow File/Folder Download
|
Checked
|
Allows users to download files and folders.
|
|
Allow File Search
|
Checked
|
Allows users to search.
|
|
Allow File Mail
|
Checked
|
Allows file mailing.
|
|
Allow File Compression
|
Checked
|
Allows file compression.
|
|
Allow Changing User Id
|
Checked
|
Allows user to use a different ID.
|
|
Allow Changing Windows Domains
|
Checked
|
Allows users to change Microsoft Windows domains.
|
View
Table B-10 lists the NetFile Service view attributes.
Table B-10 NetFle Service View Attributes
|
Attribute
|
Default Value
|
Description
|
|
Window Size
|
700|400
|
Specifies the size of the NetFile window in pixels on the user’s desktop. If you enter an invalid value, NetFile uses the default value.
|
|
Window Location
|
100|50
|
Specifies the location where the NetFile window displays on the user’s desktop. If you enter an invalid value, NetFile uses the default value.
|
Operations
The Operations tab has the following subsections:
Traffic
Table B-11 lists the NetFile service operations traffic attributes.
Table B-11 NetFile Service Operations - Traffic Attributes
|
Attribute
|
Default Value
|
Description
|
|
Temporary Directory Location
|
/tmp
|
Specifies a temporary directory for various NetFile file operations.
Ensure that the ID with which the web server is running (such as nobody or noaccess) has rwx permissions for the specified directory. Also ensure that the ID has rx permissions for the entire path to the required temporary directory.
You may want to create a separate temporary directory for NetFile. If you specify a temporary directory that is common to all modules of the Portal Server, the disk may quickly run out of space. NetFile does not work if the temporary directory has no space.
|
|
File Upload Limit (MB)
|
5
|
Specifies the maximum size of the files that can be uploaded. If you enter an invalid value, NetFile resets the value to the default. Ensure that you type an integer value.
You can specify different file upload size limits for different users.
|
Search
Table B-12 lists the NetFile service operations search attributes.
Table B-12 NetFile Service Operations - Search Attributes
|
Attribute
|
Default Value
|
Description
|
|
Search Directories Limit
|
100
|
Specifies the maximum number of directories that can be searched in a single search operation.
|
Compression
Table B-13 lists the NetFile service operations compression attributes.
Table B-13 NetFile Service Operations - Compression Attributes
|
Attribute
|
Default Value
|
Description
|
|
Default Compression Type
|
Zip
|
Specifies either Zip or Gzip compression type.
|
|
Default Compression Level
|
6
|
Specifies the compression level, a number between 1 and 9.
|
General
Table B-14 lists the Netfile service general attributes.
Table B-14 NetFile Service - General Attribute
|
Attribute
|
Default Value
|
Description
|
|
MIME-types Configuration File Location
|
/opt/S1PS62/SUNWps/samples/config/netfile
|
Specifies the response content type to send to the client browser.
|
Netlet Service
Table B-15 lists the Netlet service attributes.
Table B-15 Netlet Service Attributes
|
Attribute
|
Default Value
|
Description
|
|
Netlet Rules
|
|
Choose to add or delete a rule.
|
|
If you add a rule, the following nine attributes are necessary:
|
|
--Rule Name
|
|
Specifies a unique name for the rule.
|
|
--Encryption Ciphers
|
|
Specifies the required ciphers.
|
|
--URL
|
|
Specifies the URL to the application to be invoked.
|
|
--Download Applet
|
|
Specifies if an applet needs to be downloaded. If an applet is used, the syntax in the associated edit box is:
local-port:server-host:server-port
|
|
--Extend Session
|
|
Ensures that the Portal Server session time is extended while the Netlet session corresponding to this rule is running.
|
|
--Map Local Port to Destination Server Port
|
|
Specifies local port, target host and target ports. After entering those values (in the next three rows of this table), click add to make them appear in the list.
|
|
--Local Port
|
|
Specifies the local port on which Netlet listens. For an FTP rule, the local port value must be 30021.
|
|
--Destination Hosts
|
|
Static rules contain the host name of the destination machine for the Netlet connection.
Dynamic rules contain the word "TARGET".
|
|
-- Destination Ports
|
|
Specifies the port on the destination host.
|
|
Default Native VM Cipher
|
|
Specifies the default cipher for the Netlet rules. This is useful when using existing rules that did not include the cipher as a part of the rule.
|
|
Default Java™ Plugin Cipher
|
|
Specifies the default cipher for the Netlet rules. This is useful when using existing rules that did not include the cipher as a part of the rule.
|
|
Default Loopback Port
|
58000
|
Specifies the port to be used on the client when applets are downloaded through Netlet. The default value can be overridden in the Netlet rules.
|
|
Reauthenticate for Connections
|
|
Ensures that users enter the Netlet password each time a Netlet connection needs to be established.
|
|
Display Warning Popup for Connections
|
Checked
|
Displays a message when the user runs the application over Netlet, and also when an intruder tries to gain access to the desktop through the listen port.
|
|
Display Checkbox in Port Warning Dialog
|
Checked
|
Provides the user with the option to suppress the Warning Dialog Popup when Netlet tries to connect to the destination host on the user's standard Portal Desktop.
|
|
Keep Alive Interval (minutes)
|
0
|
If the client is connecting to the Gateway through a web proxy, then idle Netlet connections are disconnected due to proxy timeout. To prevent this, give a value less than the proxy timeout for this parameter.
|
|
Terminate Netlet at Portal Logout
|
Checked
|
Ensures that all connections are terminated when a user logs out of the Portal Server.
|
|
Access to Netlet Rules
|
*
|
Define access to specific Netlet rules for certain organizations, roles or users.
|
|
Deny Netlet Rules
|
|
Denies access to specific Netlet rules for certain organizations, roles or users.
|
|
Allowed Hosts
|
*
|
Defines access to specific hosts for certain organizations, roles or users.
|
|
Denied Hosts
|
|
Denies access to specific hosts within an organization.
|
Proxylet Service
Table B-16 lists the Proxylet service attributes.
Table B-16 Proxylet Service Attributes
|
Attribute
|
Default Values
|
Description
|
|
Download Proxylet Applet Automatically
|
|
When the checkbox is checked, Proxylet is downloaded to the client machine when the user logs on.
|
|
Default Proxylet Applet Bind IP
|
127.0.0.1
|
The IP address where the Proxylet Applet resides.
|
|
Default Proxylet Applet Port
|
58080
|
This is the port where Proxylet listens.
|
