Sun Java System Portal Server Secure Remote Access 6 2005Q1 Administration Guide 

Chapter 9
Configuring the Gateway

This chapter describes how to configure the Gateway attributes from the Sun Java™ System Access Manager administration console.


Note

Click Help at the top right corner of the Access Manager administration console, and click SRA Help for a quick reference on all the Sun Java System Portal Server Secure Remote Access (SRA) attributes.


To create an instance of a gateway, see Creating Instances of a Gateway.

To create a gateway profile, see Creating a Gateway Profile.

After you have created the gateway profile, you need to configure the Gateway attributes.

    To Configure the Gateway Attributes
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab from the administration console.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

     From here, click the appropriate tab:

The tabs and the attributes that can be configured under each tab are listed below.


The Core Tab

Using the Core tab, in the Gateway service, you can perform the following tasks:

Enable HTTP and HTTPS Connections

The Gateway runs in HTTPS mode after installation if you have chosen to run the Gateway in the HTTPS mode during installation. In the HTTPS mode, the Gateway accepts SSL connections from browsers and rejects non-SSL connections.

However, you can also configure the Gateway to run in HTTP mode. This improves Gateway performance because the overhead of managing SSL sessions and of encrypting and decrypting the SSL traffic is avoided.

    To Configure the Gateway to Run in HTTP or HTTPS Mode
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab from the administration console.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Do the following under the Core tab.
    • Select the Enable HTTP Connections, Enable HTTPS Connections, or both checkboxes as required.
    • Specify the required HTTPS port in the HTTPS Port field.
    • Specify the required HTTP port in the HTTP Port field.
  6. Click Save to record the change.
  7. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable and Create a List of Rewriter Proxies

The Rewriter proxy enables secure HTTP traffic between the Gateway and intranet computers. If you do not specify a Rewriter proxy, the Gateway component makes a direct connection to intranet computers when a user tries to access one of those intranet computers.

The Rewriter proxy does not run automatically after installation. You need to enable the Rewriter proxy as described below.

    To Enable Rewriter Proxies and Create a List of Rewriter Proxies
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     Note

     Ensure that the Rewriter proxy and the Gateway use the same gateway profile.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Enable the Rewriter Proxies checkbox to enable the Rewriter proxy.
  7. Type the desired host and port in the Rewriter Proxies edit box, in the format hostname:port.

     Tip

     To determine if the desired port is available and unused, from the command line, enter:

         netstat -a | grep port-number | wc -l

     port-number is the required port.

  8. Click Add.
  9. Click Save to record the change.
  10. Run portal-server-install-root/SUNWps/bin/certadmin on the server to create a certificate for the Rewriter proxy.

     You need to do this step only if you have not chosen to create a certificate while installing the Rewriter proxy.

  11. Log in as root to the machine where the Rewriter proxy is installed and start the Rewriter proxy:

         rewriter-proxy-install-root/SUNWps/bin/rwproxyd -n gateway-profile-name start

  12. Log in as root to the machine where the Gateway is installed and restart the Gateway:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Netlet

Netlet enables users to securely run common TCP/IP services over insecure networks such as the Internet. You can run TCP/IP applications (such as Telnet and SMTP), HTTP applications, and any fixed port applications.

If Netlet is enabled, the Gateway needs to determine whether the incoming traffic is Netlet traffic or Portal Server traffic. Disabling Netlet reduces this overhead since the Gateway assumes that all incoming traffic is either HTTP or HTTPS traffic. Disable Netlet only if you are sure you do not want to use any application with Portal Server.

    To Enable Netlet
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Enable Netlet checkbox. This checkbox is selected by default. Removing the selection disables Netlet.
  7. Select the Enable the Netlet Proxy checkbox to enable the Netlet proxy.
  8. Type the desired host and port in the Netlet Proxy List edit box, in the format hostname:port.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable and Create a List of Netlet Proxies

The Netlet proxy enhances the security of Netlet traffic between the Gateway and the intranet by extending the secure tunnel from the client, through the Gateway to the Netlet proxy that resides in the intranet.

If the Netlet proxy is enabled, the Netlet packets are decrypted by the Netlet proxy and then sent to the destination server. This reduces the number of ports required to be opened in the firewall.

    To Enable Netlet Proxies and Create a List of Netlet Proxies
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the right arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Select the Enable Netlet Proxy checkbox to enable the Netlet proxy.
  6. Type the desired Netlet proxy host and port in the Netlet Proxy Hosts field, in the format hostname:port.

     Tip

     To determine if the desired port is available and unused, from the command line, enter:

         netstat -a | grep port-number | wc -l

     port-number is the required port.

  7. Click Add.
  8. Click Save to save the changes.
  9. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Proxylet

    To Enable Proxylet
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the right arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Enable Proxylet checkbox.
  7. Click the Proxies tab. Scroll down to the Proxies for Domains and Subdomains field and enter the domains for URLs that are to be directed to the Gateway.
  8. Click Save.

Enable Cookie Management

Many web sites use cookies to track and manage user sessions. When the Gateway routes requests to web sites that set cookies in the HTTP header, the Gateway either discards or passes through those cookies in the following manner:

This setting does not apply to the cookies used by Portal Server to track Portal Server user sessions. The setting is controlled by the configuration of the URLs to which User Session Cookie is Forwarded URL option. See Create List of URLs for Cookie Forwarding.

This setting applies to all web sites that the user is permitted to access (that is, you cannot choose to discard cookies from some sites and retain cookies from others).


Note

Do not remove URLs from the Cookie Domain list, even in a Gateway without cookies. See the Access Manager Administration Guide for information on the Cookie Domain list.


    To Enable Cookie Management
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Enable Cookie Management checkbox to enable cookie management.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable HTTP Basic Authentication

HTTP basic authentication can be set in the Gateway service.

Web sites may be protected with HTTP Basic Authentication, requiring visitors to enter a username and password before viewing the site (the HTTP response code is 401 and WWW-authenticate: BASIC). Portal Server can save the username and password so that users need not re-enter their credentials when they revisit BASIC-protected web sites. These credentials are stored in the user profile on the directory server.

This setting does not determine whether or not a user may visit BASIC-protected sites, but only whether the credentials the user enters are saved in the user's profile.

This setting applies to all web sites that the user is permitted to access (that is, HTTP basic authentication caching cannot be enabled for some sites and disabled for others).


Note

Browsing to URLs served by Microsoft's Internet Information Server (IIS) protected by Windows NT challenge/response (HTTP response code 401, WWW-Authenticate: NTLM) instead of BASIC authentication is not supported.


You can also enable single sign-on using the Access List service in the administration console. See Manage Single Sign-On for more information on enabling single sign-on.

    To Enable HTTP Basic Authentication
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Enable HTTP Basic Authentication checkbox to enable HTTP basic authentication.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Persistent HTTP Connections

You can enable HTTP persistent connections at the Gateway to prevent sockets being opened for every object (such as images and style sheets) in the web pages.

    To Enable Persistent HTTP Connections
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Enable Persistent HTTP Connections checkbox to enable persistent HTTP connections.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Maximum Number of Requests per Persistent Connection

    To Specify the Maximum Number of Requests per Persistent Connection
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Maximum Number of Requests per Persistent Connection field and type the required number of requests.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify Timeout for Persistent Socket Connections

    To Specify the Timeout for a Persistent Socket Connection
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Timeout for Persistent Socket Connections field and type the required timeout in seconds.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify Grace Timeout to Account for Turnaround Time

Grace timeout turnaround time is the sum of:

This is dependent on factors such as network conditions and the client’s connection speed.

    To Specify Timeout to Account for Turnaround Time

This is the round trip time for the network traffic between the client (browser) and the Gateway.

  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Grace Timeout to Account for Turnaround Time field and type the required grace timeout in seconds.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URLs for Cookie Forwarding

Portal server utilizes a cookie to track user sessions. This cookie is forwarded to the server when the Gateway makes HTTP requests to the server (for example, when the desktop servlet is called to generate the user's desktop page). Applications on the server use the cookie to validate and identify the user.

The Portal Server's cookie is not forwarded to HTTP requests made to machines other than the server, unless URLs on those machines are specified in the URLs to which User Session Cookie is Forwarded list. Adding URLs to this list therefore enables servlets and CGIs to receive the Portal Server's cookie and use the APIs to identify the user.

URLs are matched using an implicit trailing wildcard. For example, the default entry in the list:

http://server:8080

causes the cookie to be forwarded to all URLs starting with http://server:8080.

Adding:

http://newmachine.eng.siroe.com/subdir

causes the cookie to be forwarded to all URLs starting with that exact string.

For this example, the cookie is not forwarded to any URLs starting with "http://newmachine.eng/subdir", since this string does not start with the exact string in the forward list. To have cookies forwarded to URLs starting with this variation of the machine's name, an additional entry has to be added to the forward list.

Similarly, the cookie is not forwarded to URLs starting with "https://newmachine.eng.siroe.com/subdir" unless an appropriate entry is added to the list.
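
The prefix matching described above, modelled as an added example (not Portal Server code): it assumes the Gateway compares URLs as literal strings, as the text describes, and shows which forward-list entries also match neighbouring ports, host names or paths. The probe URLs and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Forward list from the text above: the default entry plus the added one.
FORWARD_LIST = [
    "http://server:8080",
    "http://newmachine.eng.siroe.com/subdir",
]


def cookie_forwarded(url, forward_list=FORWARD_LIST):
    """Model of the implicit trailing wildcard: a literal string-prefix test.

    Assumption: no normalisation of case, default ports or host aliases,
    which is how the text above describes the comparison.
    """
    return any(url.startswith(entry) for entry in forward_list)


def audit_entry(entry):
    """Return findings for one forward-list entry; an empty list means tight."""
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not an absolute http(s) URL"]
    if parts.query or parts.fragment:
        return ["contains a query or fragment; list a URL prefix instead"]
    if parts.path == "":
        # The prefix ends inside host[:port], so 'http://server:8080'
        # also covers 'http://server:80801/...'.
        return ["ends inside host:port; a longer host name or port that "
                "begins with this string also receives the cookie"]
    if not parts.path.endswith("/"):
        return ["path does not end in '/'; sibling paths sharing this "
                "prefix also receive the cookie"]
    return []


def tightened(entry):
    """Close the entry with '/' so the prefix stops at a path boundary.

    Trade-off: the bare URL without the trailing '/' no longer matches.
    """
    return entry if entry.endswith("/") else entry + "/"


def audit_forward_list(forward_list=FORWARD_LIST):
    """Map each loose entry to its findings and a suggested replacement."""
    report = {}
    for entry in forward_list:
        findings = audit_entry(entry)
        if findings:
            report[entry] = {"findings": findings, "suggest": tightened(entry)}
    return report


if __name__ == "__main__":
    # Constructed probe URLs; the first three are the cases from the text.
    probes = [
        "http://newmachine.eng.siroe.com/subdir/app.cgi",
        "http://newmachine.eng/subdir/app.cgi",
        "https://newmachine.eng.siroe.com/subdir/app.cgi",
        "http://newmachine.eng.siroe.com/subdir-old/app.cgi",
        "http://server:80801/status",
    ]
    for url in probes:
        print("forwarded" if cookie_forwarded(url) else "withheld ", url)
    for entry, result in audit_forward_list().items():
        print(entry, "->", result["suggest"], ";", result["findings"][0])
```
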

    To Add a Forward Cookie URL
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the URLs to which User Session Cookie is Forwarded edit box and type the required URL.
  7. Click Add to add this entry to the URLs to which User Session Cookie is Forwarded list.
  8. Click Save to record the change.
  9. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Maximum Connection Queue Length

You can specify the maximum concurrent connections that the Gateway needs to accept. Any connection attempts beyond this number are not accepted by the Gateway.

    To Specify the Maximum Connection Queue Length
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Maximum Connection Queue Length field and specify the required number of connections.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Gateway Timeout

You can specify the time interval in seconds after which the Gateway times out its connection with the browser.

    To Specify the Gateway Timeout
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Gateway Timeout field and specify the interval required in seconds.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Maximum Thread Pool Size

You can specify the maximum number of threads that can be pre-created in the Gateway thread pool.

    To Specify the Maximum Thread Pool Size
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Maximum Thread Pool Size field and specify the required number of threads.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Cached Socket Timeout

You can specify the time interval in seconds after which the Gateway times out its connection with the Portal Server.

    To Specify the Cached Socket Timeout
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Cached Socket Timeout field and specify the interval required in seconds.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of Portal Servers

You can configure multiple Portal Servers for the Gateway to service requests. While installing the Gateway, you would have specified the Portal Server that the Gateway needs to work with. This Portal Server is listed in the Portal Servers field by default. You can add more Portal Servers to the list in the format http://portal-server-name:port-number. The Gateway tries to contact each of the Portal Servers listed in a round robin manner to service the requests.

    To Specify Portal Servers
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Portal Server fields and specify the Portal Servers.

     Specify the Portal Server in the format http://portal-server-name:port-number in the edit field and click Add.

  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify Server Retry Interval

This attribute specifies the time interval between requests to try to start the Portal Server, Rewriter proxy or Netlet proxy if it becomes unavailable (for example, because it crashed or was brought down).

    To Specify Portal Server Retry Interval
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Scroll to the Portal Server Retry Interval field and specify the number of seconds.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Storage of External Server Cookies

When the Store External Server Cookies option is enabled, the Gateway stores and manages cookies for any third party application or server that is accessed through the Gateway. Even if the application or server cannot service cookieless devices or depends on cookies for state management (for legacy reasons), the Gateway transparently masks the application or server from knowing that the Gateway is servicing a cookieless device. For information on cookieless devices and client detection, refer to the Access Manager Customization and API Guide.

    To Store External Server Cookies
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Store External Server Cookies checkbox to enable storage of external server cookies.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Obtain a Session from a URL

When the Obtain Session from a URL option is selected, session information is encoded as part of the URL, whether cookies are supported or not. This means that the Gateway uses the session information found in the URL for validation rather than using the session cookie that is sent from the client’s browser.

    To Obtain a Session from a URL
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Obtain Session from URL checkbox to obtain a session from a URL.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Marking Cookies as Secure

When a cookie is marked as secure, the browser treats the cookie with additional security. The implementation of security depends on the browser. The Enable Cookie Management attribute must be enabled for this to work.

    To Mark Cookies as Secure
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Core tab.
  6. Select the Mark Cookies as secure checkbox to mark cookies as secure.

     Ensure that the Enable Cookie Management attribute is enabled.

  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start


The Proxies Tab

Using the Proxies tab, in the Gateway service, you can perform the following tasks:

Enable Usage of Web Proxies

    To Enable Usage of Web Proxies
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Proxies tab.
  6. Select the Use Proxy checkbox to enable the usage of web proxies.
  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URLs for Webproxies

You can specify that the Gateway needs to contact certain URLs only through the webproxies listed in the Proxies for Domains and Subdomains list, even if the Use Proxy option is disabled. You need to specify these URLs in the Use Webproxy URLs field. See Specifying a Proxy to Contact Access Manager for details on how this value affects the usage of proxies.

    To Specify URLs for Webproxies
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Proxies tab.
  6. Type the required URL in the Use Webproxy URLs edit box in the format http://hostname.subdomain.com. Click Add.

     The URL is added to the Use Webproxy URLs list.

  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URLs for Proxies Not to be Used

The Gateway tries to connect directly to the URLs listed in the Do Not Use Webproxy URLs list. A webproxy is not used to connect to these URLs.

    To Specify URLs Not To Be Used
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Proxies tab.
  6. Type the required URL in the Do Not Use Webproxy URLs edit box and click Add.

     The URL is added to the Do Not Use Webproxy URLs list.

  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of Proxies for Domains and Subdomains

    To Specify Proxies for Domains and Subdomains

See Specifying a Proxy to Contact Access Manager for details on how the proxy information is applied to various hosts.

  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the right arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Proxies tab.
  6. Scroll to the Proxies for Domains and Subdomains edit box and type the required information. Click Add.

     The entry is added to the Proxies for Domains and Subdomains list box.

     The format for entering the proxy information is as follows:

         domainname proxy1:port1|subdomain1 proxy2:port2|subdomain2 proxy3:port3|* proxy4:port4

     * indicates that the proxy defined after the * needs to be used for all domains and subdomains other than those specifically mentioned.

     If you do not specify the port for the proxy, port 8080 is used by default.

  7. Click Save to record the change.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of Proxy Passwords

You need to specify the user name and password required for the Gateway to authenticate to a specified proxy server, if the proxy server requires authentication to access some or all the sites.

    To Specify Proxy Passwords
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Proxies tab.
  6. Scroll to the Proxy Password List field and type the information for each proxy server and click Add.

     The format for entering the proxy information is as follows:

         proxyserver|username|password

     The proxyserver corresponds to the proxy server defined in the Proxies for Domains and Subdomains list.

  7. Repeat step 6 for all the proxies that require authentication.
  8. Click Save to record the changes.
  9. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start
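
An added example, not part of the product: it parses the Proxies for Domains and Subdomains format and the Proxy Password List format shown above, applies the default port 8080, and reports password entries whose proxyserver matches no defined proxy. The sample entries are constructed, and matching proxyserver by host name is an assumption.

```python
DEFAULT_PROXY_PORT = 8080  # used when an entry gives no port (stated above)

# Constructed sample values, in the two formats shown above.
SAMPLE_PROXIES = ["siroe.com wp1:8080|red wp2:3128|yellow wp3|* wp4:8080"]
SAMPLE_PASSWORDS = [
    "wp1|gwuser|CONSTRUCTED-PASSWORD-1",
    "oldproxy|gwuser|CONSTRUCTED-PASSWORD-2",
]


def parse_hostport(text):
    """Split 'host[:port]' and apply the default port."""
    host, sep, port = text.strip().partition(":")
    if not host:
        raise ValueError(f"missing proxy host in {text!r}")
    number = int(port) if sep else DEFAULT_PROXY_PORT
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return host.lower(), number


def parse_proxy_entry(entry):
    """Parse one Proxies for Domains and Subdomains entry.

    Returns [(name, (host, port) or None), ...] in the order written: the
    domain first, then each subdomain, with '*' as the catch-all.
    """
    rules = []
    for segment in entry.split("|"):
        fields = segment.split()
        if not 1 <= len(fields) <= 2:
            raise ValueError(f"malformed segment {segment!r}")
        # The format above shows a proxy in every segment; a segment
        # without one is recorded as None and not interpreted here.
        proxy = parse_hostport(fields[1]) if len(fields) == 2 else None
        rules.append((fields[0].lower(), proxy))
    return rules


def parse_password_entry(entry):
    """Parse 'proxyserver|username|password'.

    Assumption: the password is everything after the second '|'.
    """
    parts = entry.split("|", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected proxyserver|username|password")
    return {"proxy": parts[0], "username": parts[1], "password": parts[2]}


def audit_proxy_passwords(proxy_entries, password_entries):
    """Return (host, issue) pairs for credential entries that need attention.

    Findings name only the proxy host, never the user name or password.
    """
    defined = set()
    for entry in proxy_entries:
        for _, proxy in parse_proxy_entry(entry):
            if proxy:
                defined.add(proxy[0])
    findings, seen = [], set()
    for entry in password_entries:
        host = parse_hostport(parse_password_entry(entry)["proxy"])[0]
        if host not in defined:
            findings.append((host, "undefined-proxy"))
        if host in seen:
            findings.append((host, "duplicate-credentials"))
        seen.add(host)
    return findings


if __name__ == "__main__":
    for name, proxy in parse_proxy_entry(SAMPLE_PROXIES[0]):
        print(f"{name:10} -> {proxy}")
    for host, issue in audit_proxy_passwords(SAMPLE_PROXIES, SAMPLE_PASSWORDS):
        print(f"{host}: {issue}")
```
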

Enable Automatic Proxy Configuration Support

If you select the option Enable Automatic Proxy Configuration, the information provided in the Proxies for Domains and Subdomains field is ignored. The Gateway uses the Proxy Automatic Configuration (PAC) file only for intranet configuration. See Using Automatic Proxy Configuration for information on PAC files.

    To Enable Automatic Proxy Configuration Support
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.

     The Gateway page is displayed.

  4. Select the gateway profile for which you want to set the attribute.

     The Edit Gateway Profile page is displayed.

  5. Click the Proxies tab.
  6. Select the Enable Automatic Proxy Configuration Support checkbox to enable PAC support.
  7. Click Save to record the changes.
  8. Restart the Gateway from a terminal window:

         gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify Automatic Proxy Configuration File Location

    To Specify Automatic Proxy Configuration File Location
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Proxies tab.
  8. Scroll to the Automatic Proxy Configuration File location field and type the name and location of the PAC file.
  9. Click Save to record the changes.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Netlet Tunneling Through Web Proxy

    To Enable the Tunnel Netlet Through Web Proxy
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Proxies tab.
  8. Select the Enable Netlet Tunneling via Web Proxy checkbox to enable tunneling.
  9. Click Save to record the changes.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start


The Security Tab

Using the Security tab, in the Gateway service, you can perform the following tasks:

Create List of Non-authenticated URLs

You can specify that some URLs do not need any authentication. These are normally directories and folders that contain images.

    To Specify Non-authenticated URL Paths
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Scroll to the Non-authenticated URLs field and type the required folder path in the format folder/subfolder.
  8. URLs that are not fully-qualified (for example, /images) are treated as portal URLs.

    To add a non-portal URL, fully qualify the URL.

  9. Click Add to add this entry to the Non-authenticated URLs list.
  10. Click Save to record the change.
  11. Restart the Gateway from a terminal window:
  12. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of Certificate-Enabled Gateway Hosts

    To Add the Gateway to the Certificate-Enabled Gateway Hosts List
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. All the services are displayed in the left pane.

  4. Click the arrow next to Gateway under SRA Configuration.
  5. The Gateway page is displayed in the right pane.

  6. Select the gateway profile where you want to enable certificate based authentication.
  7. Click the Security tab.
  8. Add the Gateway name to the Certificate-enabled Gateway hosts.
  9. Add the Gateway in the format host1.sesta.com.

  10. Click Add.

Allow 40-bit Encryption Connections

Select this option if you want to allow 40-bit (weak) Secure Sockets Layer (SSL) connections. If you do not select this option, only 128-bit connections are supported.

If you disable this option, the user needs to ensure that the browser is configured to support the required connection type.


Note

The user needs to do the following in the case of Netscape Navigator 4.7x:

  • Select Security Info under Tools in the Communicator menu.
  • Click the Navigator link in the left pane.
  • Click Configure SSL v2 or Configure SSL v3 under Advanced Security (SSL) Configuration.
  • Enable the required ciphers.

    To Allow 40-bit Encryption Connections
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Security tab.
  8. Select the Allow 40-bit Encryption checkbox to enable 40-bit browser connections.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable SSL Version 2.0

You can enable or disable SSL version 2.0. Disabling SSL 2.0 means that browsers that support only the older SSL 2.0 cannot authenticate to SRA. This ensures a greater level of security.

    To Enable SSL Version 2.0
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Security tab.
  8. Select the Enable SSL Version 2.0 checkbox to enable version 2.0.
  9. This option is enabled by default.

  10. Click Save to record the change.
  11. Restart the Gateway from a terminal window:
  12. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable SSL Cipher Selection

SRA supports a number of standard ciphers. You have the option of supporting all the pre-packaged ciphers, or selecting the required ciphers individually. You can select specific SSL ciphers for each Gateway instance. If the client supports any of the selected ciphers, the SSL handshake succeeds.

    To Enable Individual Cipher Selection
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Scroll to the Enable SSL Cipher Selection checkbox and select the option.
  8. This option enables you to select the required ciphers from the list of SSL2, SSL3 and TLS ciphers.

  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable SSL Version 3.0

You can enable or disable SSL version 3.0. Disabling SSL 3.0 means that browsers that support only SSL 3.0 cannot authenticate to SRA software. This ensures a greater level of security.

    To Enable SSL Version 3.0
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Select the Enable SSL Version 3.0 checkbox to enable version 3.0.
  8. Click Save to record the change.
  9. Restart the Gateway from a terminal window:
  10. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Null Ciphers

    To Enable Null Ciphers
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Select the Enable Null Ciphers checkbox to enable null ciphers.
  8. Click Save to record the change.
  9. Restart the Gateway from a terminal window:
  10. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of Trusted SSL Domains

    To Create List of Trusted SSL Domains
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Security tab.
  8. Scroll to the Trusted SSL Domains field, enter the domain names and click Add.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Configure Personal Digital Certificate (PDC) Authentication

PDCs are issued by a Certification Authority (CA) and signed with the CA's private key. The CA validates the identity of a requesting body before issuing a certificate. Thus the presence of a PDC is a powerful authentication mechanism.

PDCs contain the owner's public key, the owner's name, an expiration date, the name of the Certification Authority that issued the Digital Certificate, a serial number, and possibly other information.

Users can use PDCs and encoded devices such as Smart Cards and Java Cards for authentication in the Portal Server. The encoded devices carry an electronic equivalent of a PDC stored on the card. If a user logs in using one of these mechanisms, neither a login screen nor an authentication screen is displayed.

The PDC authentication process involves several steps:

  1. From a browser, the user types a connection request, say https://my.sesta.com.
  2. The response to this request depends on whether the Gateway to my.sesta.com has been configured to accept certificates.


    Note

    When a Gateway is configured to accept certificates, it accepts only logins with certificates, not any other kind of login.


    The Gateway checks that the certificate has been issued by a known Certificate Authority, has not expired, and has not been tampered with. If the certificate is valid, the Gateway lets the user proceed to the next step in the authentication process.

  3. The Gateway passes the certificate to the PDC authentication module in the server.
    To Configure PDCs and Encoded Devices

The following steps are involved in configuring PDCs and encoded devices:

  1. Add the following line in the portal-server-install-root/SUNWam/config/AMConfig-instance-name.properties file on the Portal Server machine:
  2. com.iplanet.authentication.modules.cert.gwAuthEnable=yes

    (Add anywhere in the file)

  3. Import the Required Certificates into the certificate database of the Gateway that you want PDC-enabled.
  4. See Chapter 7, "Certificates" for more information.

  5. Register the certificate:
    1. Log in to the Access Manager administration console as administrator.
    2. Select the Identity Management tab.
    3. Select your Organization.
    4. Click Services from the View drop-down menu.
    5. Click the arrow next to Core.
    6. Select Cert and LDAP in the Organization Authentication Modules list box.
    7. Choose Dynamic from the User Profile drop-down menu.
    8. Click Save.
  6. Create Trusted Remote Host list.
    1. Click the Service Configuration tab.
    2. Click the arrow next to Certificate under Authentication Configuration.
    3. Scroll to the Trusted Remote Hosts list box.
    4. Highlight 'none' and click Remove.
    5. Type 'any' in the text box.
    6. Click Add.
    7. Click Save.
  7. Create the new instance.
    1. Click the Identity Management tab.
    2. Select Services from the View drop-down menu.
    3. Click the arrow next to the Authentication Configuration.
    4. The Service Instance List is displayed.

    5. Click New.
    6. The New Service Instance page is displayed.

    7. Enter the service instance name as gatewaypdc.
    8. Note: You must use this name.

    9. Click Submit.
    10. The gatewaypdc Service Instance List is displayed.

    11. Click gatewaypdc to edit the service.
    12. The gatewaypdc show properties page is displayed.

    13. Click the Edit link next to Authentication Configuration in the right pane.
    14. A popup window appears.

    15. Click Add.
    16. The Authentication for Configuration YourOrganization page is displayed.

    17. Click Add.
    18. The Add Authentication Module page is displayed.

    19. Choose Cert from the Module Name field and REQUIRED from the Enforcement Criteria field.
    20. Click OK.
    21. Click OK again and close the popup window.
  8. Associate the certificate with the gateway host.
    1. Select the Service Configuration tab.
    2. Click the arrow next to Gateway.
    3. Gateway profiles are displayed in the right pane.

    4. Select your gateway profile.
    5. Click the Security tab.
    6. Add the Gateway name to the Certificate-enabled Gateway hosts list box.
    7. Click Save.
    8. Restart the server.
    9. Restart the Gateway from a terminal window:
    10. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

  9. Install the client certificate issued by the CA into the browser that will be used to access the PDC-enabled gateway.
  10. Access your gateway profile and organization:
  11. https://gateway:instance-port/YourOrganization

    You should be logged in under the name in the certificate, without being prompted for a user name and password.


The Rewriter Tab

Using the Rewriter tab, in the Gateway service, you can perform the following tasks:

Enable Rewriting of All URLs

If you enable the Enable Rewriting of All URIs option in the Gateway service, Rewriter rewrites any URL without checking against the entries in the Proxies for Domains and Subdomains list. Entries in the Proxies for Domains and Subdomains list are ignored.

    To Enable the Gateway to Rewrite All URLs
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Rewriter tab, Basic subsection.
  8. Select the Enable Rewriting of All URIs checkbox to enable the Gateway to rewrite all URLs.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URIs to RuleSet Mappings

Rulesets are created in the Rewriter service under Portal Server Configuration in the Access Manager administration console. See the Portal Server Administration Guide for details.

After the ruleset is created, you associate a domain with the ruleset using the Map URIs to RuleSets field. The following two entries are added by default to the Map URIs to RuleSets field:

This means that for all pages from the default domain, the default Gateway ruleset is applied. For all other pages, the generic ruleset is applied. The default Gateway ruleset and the generic ruleset are pre-packaged rulesets.


Note

For all the content appearing on the desktop, the ruleset for the default domain is used, irrespective of where the content is fetched from.

For example, assume that the desktop is configured to scrape the content from the URL yahoo.com. The Portal Server is in sesta.com. The ruleset for sesta.com is applied to the fetched content.



Note

The domain for which you specify a ruleset must be listed in the Proxies for Domains and Subdomains list.


    To Map a URI to RuleSet
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Basic subsection.
  8. Scroll to the Map URIs to RuleSets field.
  9. Type the required domain or host name and the ruleset in the Map URIs to RuleSets field and click Add.
  10. The entry is added to the Map URIs to RuleSets field.

    The format for specifying the domain or host name and the ruleset is as follows:

    domain-name|ruleset-name

    For example:

    eng.sesta.com|default


    Note

    The order of priority for applying the ruleset is hostname-subdomain-domain.

    For example, assume that you have the following entries in the Domain-based rulesets list:

    sesta.com|ruleset1

    eng.sesta.com|ruleset2

    host1.eng.sesta.com|ruleset3

    ruleset3 is applied for all pages on host1.

    ruleset2 is applied for all pages in the eng subdomain, except for pages retrieved from host1.

    ruleset1 is applied for all pages in the sesta.com domain, except for pages retrieved from the eng subdomain, and from host1.


  11. Click Save to record the change.
  12. Restart the Gateway from a terminal window:
  13. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start
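The hostname-subdomain-domain priority described in the note above, as an added example (not SRA's own code). The function names are hypothetical, and two points are assumptions: the Proxies for Domains and Subdomains list is passed in as bare domain names, and a mapped domain counts as listed when it or a parent domain appears there.

```python
def normalize_host(name):
    """Lower-case a host or domain name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_ruleset_map(entries):
    """Parse 'domain-name|ruleset-name' entries into {domain: ruleset}."""
    mapping = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        domain, sep, ruleset = entry.partition("|")
        domain, ruleset = normalize_host(domain), ruleset.strip()
        if not sep or not domain or not ruleset or "|" in ruleset:
            raise ValueError("expected domain-name|ruleset-name, got %r" % raw)
        if mapping.get(domain, ruleset) != ruleset:
            raise ValueError("conflicting rulesets for %s" % domain)
        mapping[domain] = ruleset
    return mapping


def resolve_ruleset(host, mapping):
    """Return the ruleset of the most specific entry covering host, or None.

    Candidates are tried from the full host name down to the top-level
    label, so matching happens on whole DNS labels: 'evilsesta.com' is
    never treated as part of 'sesta.com'.
    """
    labels = normalize_host(host).split(".")
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def unlisted_domains(mapping, proxied_domains):
    """Mapped domains not covered by the proxied-domain list (assumed format)."""
    listed = {normalize_host(d) for d in proxied_domains}

    def covered(domain):
        labels = domain.split(".")
        return any(".".join(labels[i:]) in listed for i in range(len(labels)))

    return sorted(d for d in mapping if not covered(d))


# The three entries from the note above.
ENTRIES = [
    "sesta.com|ruleset1",
    "eng.sesta.com|ruleset2",
    "host1.eng.sesta.com|ruleset3",
]

if __name__ == "__main__":
    table = parse_ruleset_map(ENTRIES)
    for host in ("host1.eng.sesta.com", "host2.eng.sesta.com",
                 "www.sesta.com", "evilsesta.com"):
        print(host, "->", resolve_ruleset(host, table))
```

A host that returns None here is one that none of the listed entries covers.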

Ruleset for Outlook Web Access

SRA software supports Outlook Web Access (OWA) from MS Exchange 2000 SP3 and MS Exchange 2003 installations.

    To Configure the OWA RuleSet
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. In the Map URIs to RuleSets field, enter the server name where Exchange 2000 is installed followed by the Exchange 2000 Service Pack 4 OWA ruleset.
  8. For example:

    exchange.domain.com|exchange_2000sp3_owa_ruleset.

Create List of MIME Types to Parse

Rewriter has four different parsers to parse the web pages based on the content type - HTML, JAVASCRIPT, CSS and XML. Common MIME types are associated with these parsers by default. You can associate new MIME types with these parsers in the Map Parser to MIME Types field of the Gateway service. This extends Rewriter functionality to other MIME types.

Separate multiple entries with a semicolon or a comma (";" or ",").

For example:

HTML=text/html;text/htm;text/x-component;text/wml; text/vnl/wap.wml

means that any content with these MIME types is sent to the HTML Rewriter, and the HTML rules are applied to rewrite the URLs.


Tip

Removing unnecessary parsers from the MIME mappings list can increase the speed of operation. For example, if you are sure that the content from a certain intranet does not have any JavaScript, you can remove the JAVASCRIPT entry from the MIME mappings list.


    To Specify MIME Mappings
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Basic subsection.
  8. Scroll to the Map Parser to MIME Types field, and add the required MIME type in the edit box. Use a semicolon or comma to separate multiple entries.
  9. Specify the entry in the format HTML=text/html;text/htm

  10. Click Add to add the required entry to the list.
  11. Click Save to record the change.
  12. Restart the Gateway from a terminal window:
  13. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URIs Not to Rewrite

    To Specify the URIs Not to Rewrite
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Basic subsection.
  8. Scroll to the URIs Not to Rewrite field, and add the URI in the edit box.
  9. Note: Adding #* to this list allows URIs to be rewritten, even when the href rule is part of the ruleset.

  10. Click Save to record the change.
  11. Restart the Gateway from a terminal window:
  12. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Default Domains

The default domains are useful when URLs contain only the host names without the domain and subdomain. In this case, the Gateway assumes that the host names are in the default domain list, and proceeds accordingly.

For example, if the host name in the URL is host1, and the default domain and subdomain are specified as red.sesta.com, the host name is resolved as host1.red.sesta.com.

    To Specify Default Domains
  1. Log in to the Access Manager administration console as administrator.
  2. Click the Service Configuration tab.
  3. Click the right arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Rewriter tab, Basic subsection.
  8. Scroll to the Default Domains field and type the required default value in the format subdomain.domain name.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable MIME Guessing

Rewriter depends on the MIME type of the page to choose the parser. Some web servers such as WebLogic and Oracle do not send MIME types. To work around this, you can enable the MIME guessing feature by adding data to the Map Parser to URIs list box.

    To Enable MIME Guessing
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Advanced subsection.
  8. Select the Enable MIME Guessing checkbox to enable MIME Guessing.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URI Mappings to Parse

If the MIME Guessing checkbox is enabled and the server has not sent a MIME type, use this list box to map the parser to the URI.

Multiple URIs are separated by a semicolon.

For example HTML=*.html; *.htm;*Servlet

means that the HTML Rewriter is used to rewrite the content for any page with an html, htm, or Servlet extension.

    To Parse URI Mappings
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Rewriter tab, Advanced subsection.
  8. Scroll to the Parser to URI Mappings field, and add the data to the edit box.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start
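How the Map Parser to MIME Types entries and the Parser to URI Mappings entries combine to pick a parser, as an added example (not Rewriter's own code). The function names are hypothetical; matching URI patterns against the URL path with only `*` as a wildcard, and ignoring Content-Type parameters such as charset, are assumptions.

```python
import re
from urllib.parse import urlsplit

# The four Rewriter parsers named on this page.
PARSERS = ("HTML", "JAVASCRIPT", "CSS", "XML")


def parse_parser_map(entries, separators=";,"):
    """Parse 'PARSER=value;value' entries into a list of (parser, value)."""
    table = []
    splitter = re.compile("[" + re.escape(separators) + "]")
    for raw in entries:
        name, sep, values = raw.partition("=")
        name = name.strip().upper()
        if not sep or name not in PARSERS:
            raise ValueError("expected PARSER=value list, got %r" % raw)
        for value in splitter.split(values):
            value = value.strip()  # tolerates 'text/wml; text/vnl/wap.wml'
            if value:
                table.append((name, value))
    return table


def wildcard_match(pattern, text):
    """Match text against a pattern in which only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def select_parser(uri, content_type, mime_table, uri_table, mime_guessing):
    """Return the parser name for a response, or None if it is not parsed.

    A MIME type sent by the server always decides. The URI patterns are
    consulted only when no MIME type was sent and MIME guessing is enabled.
    """
    if content_type and content_type.strip():
        mime = content_type.split(";", 1)[0].strip().lower()
        for parser, value in mime_table:
            if value.lower() == mime:
                return parser
        return None
    if not mime_guessing:
        return None
    path = urlsplit(uri).path  # query string and fragment are dropped
    for parser, pattern in uri_table:
        if wildcard_match(pattern, path):
            return parser
    return None


# The two example entries from this page.
MIME_ENTRIES = ["HTML=text/html;text/htm;text/x-component;text/wml; text/vnl/wap.wml"]
URI_ENTRIES = ["HTML=*.html; *.htm;*Servlet"]

if __name__ == "__main__":
    mime_table = parse_parser_map(MIME_ENTRIES)
    uri_table = parse_parser_map(URI_ENTRIES, separators=";")
    # Constructed sample responses: (URI, Content-Type header or None).
    samples = [
        ("http://host1.sesta.com/index.html", "text/html; charset=UTF-8"),
        ("http://host1.sesta.com/app/ReportServlet?id=7", None),
        ("http://host1.sesta.com/logo.png", None),
    ]
    for uri, ctype in samples:
        print(uri, ctype, "->",
              select_parser(uri, ctype, mime_table, uri_table, True))
```

A response for which this returns None reaches the browser without passing through any parser, so such cases are worth reviewing before removing entries from either list.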

Enable Masking

Masking allows Rewriter to rewrite a URI so that the intranet URL of a page is not seen.

    To Enable Masking
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Advanced subsection.
  8. Select the Enable Masking checkbox to enable masking.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Specify the Masking Seed String

A seed string is used for masking a URI. A masking algorithm generates the string.


Note

Bookmarking of a masked URI may not work if this seed string has been changed or if the Gateway is restarted.


    To Specify the Masking Seed String
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Advanced subsection.
  8. Scroll to the Seed String for Masking field, and add a string to the edit box.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Create List of URIs Not to Mask

Some applications (such as an applet) require an Internet URI and cannot be masked. To specify those applications, add the URI to the list box.

For example, if you added

*/Applet/Param*

to the list box, the URL would not be masked if the content URI http://abc.com/Applet/Param1.html is matched in the ruleset rule.

    To Specify Not to Mask URIs
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Advanced subsection.
  8. Scroll to the URIs Not to Mask list field, and add the URIs to the edit box.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Make a Gateway Protocol the Same as the Original URI Protocol

When a Gateway runs in both HTTP and HTTPS mode, you can enable Rewriter to use a consistent protocol to access the referred resources in the HTML content.

For example, if the original URL is http://intranet.com/Public.html then the http Gateway is added. If the original URL is https://intranet.com/Public.html then the https Gateway is added.


Note

This applies only to static URIs, not to dynamic URIs generated in JavaScript.


    To Make a Gateway Protocol the Same as the Original URI Protocol
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Click the gateway profile for which you want to set the attribute.
  6. The Gateway - gateway-profile-name page is displayed.

  7. Click the Rewriter tab, Advanced subsection.
  8. Select the Make Gateway protocol Same as Original URI Protocol checkbox.
  9. Click Save to record the change.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start


The Logging Tab

Using the Logging tab, in the Gateway service, you can perform the following tasks:

Enable Logging

You can specify the Gateway log file to capture either minimum information or detailed information about each session. The log information is saved in the directory specified in the Log Location attribute as part of the Logging section of the Access Manager Configuration attributes. This log is located on the Portal Server machine.

The log name uses the following convention:

srapGateway_gatewayhostname_gateway-profile-name

The log information can be saved as a file or as a database as specified in the Access Manager Configuration. The fields in the log are comma-separated ASCII values, and can be exported to other data analysis tools.

    To Enable Gateway Logging
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Logging tab.
  8. Select the Enable Logging checkbox to enable Gateway logging.

  9. Note

    Log information is captured only if the Enable Logging field has already been enabled.


  10. Select the Enable per Session Logging checkbox to capture minimum log information such as Client Address, Request Type, and Destination Host.
  11. Select the Enable Detailed per Session Logging for the Gateway to capture detailed log information such as Client, Request Type, Destination Host, Type of Request, Client Requested URL, Client Post Data size, SessionID, Response Result code, and Complete Response size.

  12. Note

    Detailed log information is captured only if the Enable per Session Logging checkbox has already been enabled.


  13. Click Save to record the changes.
  14. Restart the Gateway from a terminal window:
  15. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start

Enable Netlet Logging

You can enable logging for Netlet related activities by selecting this option. The Netlet log contains the following details about the Netlet sessions:

    To Enable Netlet Logging
  1. Log in to the Access Manager administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Gateway under SRA Configuration.
  4. The Gateway page is displayed.

  5. Select the gateway profile for which you want to set the attribute.
  6. The Edit Gateway Profile page is displayed.

  7. Click the Logging tab.
  8. Select the Enable Netlet Logging checkbox to enable Netlet logging.
  9. Click Save at the bottom of the page to record the changes.
  10. Restart the Gateway from a terminal window:
  11. gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start





Part No: 817-7693.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.