Appendix C
Configuration Attributes
This appendix describes attributes that you can configure for Sun™ ONE Portal Server, Secure Remote Access through the Sun ONE Identity Server administration console from the Service Configuration tab.
Access List Service
Table C-1 lists the Access List service attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-1 Access List Service Attributes
|
Attribute
|
Default Value
|
Description
|
|
URL Deny List
|
|
List of URLs that end-users cannot access through the gateway.
|
|
URL Allow List:
|
*
|
List of URLs that end-users can access through the gateway.
|
|
Hosts for Which SSO is Disabled
|
|
Disables single sign-on for a list of hosts.
|
|
Enable SSO per Session
|
|
Enables single sign-on for a session.
|
|
Allowed Auth levels
|
*
|
Indicates how much to trust an authentication.Use an asterisk to allow all authentication levels. For information on authentication levels, see the Sun ONE Identity Server Administration Guide.
|
Gateway Service
When you click the Gateway service, the right pane displays a button to create a new profile and a list of any gateway profiles that have been created.
If you click New, the next pane asks you to enter the new gateway profile name. You have the option to use the default template or a previously created gateway profile as the template.
If you click one of the listed gateway profile names, a list of tabs are presented. They are:
Core
Table C-2 lists the Gateway service core attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-2 Gateway Service Core Attributes
|
Attribute
|
Default Value
|
Description
|
|
Enable HTTPS Connections
|
Checked
|
Enables HTTPS connections.
|
|
HTTPS Port
|
443
|
Specifies the HTTPS port.
|
|
Enable HTTP Connections
|
Unchecked
|
Enables HTTP connections.
|
|
HTTP Port
|
80
|
Specifies the HTTP port.
|
|
Enable Rewriter Proxy
|
Unchecked
|
Enables secure HTTP traffic between the Gateway and the intranet. The Rewriter Proxy and the Gateway use the same gateway profile.
|
|
Rewriter Proxy List
|
|
Lists the Rewriter Proxies.
|
|
Enable Netlet
|
Checked
|
Enables security for TCP/IP (such as Telnet and SMTP), HTTP applications, and fixed port applications.
|
|
Enable Netlet Proxy
|
Unchecked
|
Enhances security for Netlet traffic between the Gateway and the intranet by extending the secure tunnel from the client, through the Gateway to the Netlet Proxy residing on the intranet. Disable if you do not want to use applications with Portal Server.
|
|
Netlet Proxy Hosts
|
|
Lists Netlet Proxy Hosts, in the format: host hostname:port
|
|
Enable Cookie Management
|
Unchecked
|
Tracks and manages user sessions for all web sites that the user is permitted to access. (Does not apply to the cookies used by the Portal Server to track Portal Server user sessions).
|
|
Enable HTTP Basic Authentication
|
Unchecked
|
Saves the username and password so that users need not re-enter their credentials when they revisit BASIC-protected web sites.
|
|
Enable Persistent HTTP Connections
|
Checked
|
Enables HTTP persistent connections at the Gateway to prevent sockets being opened for every object (such as images and style sheets) in the web pages.
|
|
Maximum Number of Requests per Persistent Connection
|
10
|
Specifies the number of requests per persistent connection.
|
|
Timeout after which Persistent Socket gets Closed
|
50
|
Specifies the amount of time that needs to lapse before sockets are closed.
|
|
Grace Timeout to Account for Turnaround Time
|
20
|
Specifies the grace amount of time for the request to reach the gateway after the browser has sent i and the time between gateway sending the response and the browser actually recieving it.
|
|
Forward Cookie URLs
|
List of Portal Server URLs that can be accessed through the gateway
|
Enables servlets and CGIs to receive the Portal Server's cookie and use the APIs to identify the user.
|
|
Maximum Connection Queue Length
|
50
|
Specifies the maximum concurrent connections that the Gateway can accept.
|
|
Gateway Timeout (milliseconds)
|
120000
|
Specifies the time interval in millisecondsbefore the Gateway times out its connection with the browser.
|
|
Maximum Thread Pool Size
|
200
|
Specifies the maximum number of threads that can be pre-created in the Gateway thread pool.
|
|
Cached Socket Timeout
|
200000
|
Specifies the time interval in milliseconds before the Gateway times out its connection with the Portal Server.
|
|
Portal Server List
|
List of Portal Server URLs that can be accessed through the gateway
|
Specifies Portal Servers in the format http://portal-server-name:port -number. The Gateway tries to contact each of the Portal Servers listed in a round robin manner to service the requests.
|
|
Server Retry Interval
|
2
|
Specifies the time interval between requests to try to start the Portal Server, Rewriter Proxy or Netlet Proxy after it becomes un-available (such as a crash or it was brought down).
|
|
Store External Server Cookies
|
Unchecked
|
Allows the Gateway to store and manage cookies for any third party application or server that is accessed through the Gateway.
|
|
Obtain Session from URL
|
Unchecked
|
Encodes session information as part of the URL, whether cookies are supported or not. The Gateway uses this session information found in the URL for validation rather than using the session cookie that is sent from the client’s browser.
|
|
Mark Cookies as secure
|
Unchecked
|
Marks cookies as secure. The Enbale Cookie Management option must be enabled.
|
Proxies
Table C-3 lists the Gateway service proxies attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-3 Gateway Service Proxies Attributes
|
Attribute
|
Default Value
|
Description
|
|
Use Proxy
|
Unchecked
|
Enables usage of web proxies.
|
|
Use Webproxy URLs
|
|
Lists the URLs that the Gateway needs to contact only through the webproxies listed in the Proxies for Domains and Subdomains list, even if the Use Proxy option is disabled.
|
|
Do Not Use Webproxy URLs
|
|
Lists URLs that the Gateway can connect directly to.
|
|
Proxies for Domains and Subdomains
|
The domain of the portal server (For example, sesta.com)
|
Specifies which proxy to use to contact specific subdomains in specific domains.
|
|
Proxy Password List
|
|
Specifies the user name and password required for the Gateway to authenticate to a specified proxy server, if the proxy server requires authentication to access some or all the sites.
|
|
Enable PAC support
|
Unchecked
|
Specifies that the information provided in the Proxies for Domains and Subdomains field is to be ignored.
|
|
PAC File location
|
|
Specifies the location of files to be used for PAC support.
|
|
Tunnel Netlet via Web Proxy
|
Unchecked
|
Extends the secure tunnel from the client, through the Gateway to the web proxy that resides in the intranet.
|
Security
Table C-4 lists the Gateway service security attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-4 Gateway Service Security Attributes
|
Attribute
|
Default Value
|
Description
|
|
Non-authenticated URLs
|
/portal/desktop/images
/amserver/login_images
/portal/desktop/css
/amserver/jss
/amconsole/console/css
/portal/searchadmin/console/js
/amconsole/console/js
/amserver/css
|
Specifies URLs that do not need any authentication, such as directories that contain images.
|
|
Certificate-enabled Gateway hosts
|
|
Lists the certificate-enabled Gateway hosts.
|
|
Allow 40-bit Browse
|
Checked
|
Allows 40-bit (weak) Secure Sockets Layer (SSL) connections. If you do not select this option, only 128-bit connections are supported.
|
|
Enable SSL Version 2.0
|
Checked
|
Enables SSL version 2.0.
Disabling SSL 2.0 means that browsers that support only the older SSL 2.0 will not be able to authenticate to Secure Remote Access..
|
|
Enable SSL Cipher Selection
|
Unchecked
|
Enables SSL cipher selection. You have the option of to support all the pre-packaged ciphers, or you can select the required ciphers individually. You can select specific SSL ciphers for each Gateway instance.
|
|
SSL2 Ciphers
|
All the available SSL2 Ciphers are selected
|
Lists the SSL version 2 ciphers you can choose.
|
|
SSL3 Ciphers
|
All the available SSL3 Ciphers are selected
|
Lists the SSL version 3 ciphers you can choose.
|
|
TLS Ciphers
|
All the available TLS Ciphers are selected
|
Lists the TLS ciphers.
|
|
Enable SSL Version 3.0
|
Checked
|
Enables SSL version 3.0.
Disabling SSL 3.0 means that browsers that support only the SSL 3.0 will not be able to authenticate to Secure Remote Access. This ensures a greater level of security.
|
|
Disable Null Ciphers
|
Unchecked
|
Disables null ciphers.
|
|
Trusted SSL Domain List
|
|
Lists the trusted SSL domains.
|
Rewriter
The Rewriter tab has two subsections:
Basic
Table C-5 lists the Gateway service Rewriter basic attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-5 Gateway Service Rewriter Attributes - Basic
|
Attribute
|
Default Value
|
Description
|
|
Enable Rewriting of All URIs
|
Unchecked
|
Specifies that any URL is rewritten without checking against the entries in the Proxies for Domains and Subdomains list.
|
|
URI to RuleSet Mappings
|
*://*.<Portal Server Domain>*/portal/*|default_gateway_ruleset
*/portal/NetFileOpenFileServlet*|null_ruleset
*|generic_ruleset
REPLACE_WITH_IPLANET_MAIL_SERVER_NAME|iplanet_mail_ruleset
REPLACE_WITH_EXCHANGE_SERVER_NAME|exchange_2000sp3_owa_ruleset
*://*.<Portal Server Domain>*/amconsole/*|default_gateway_ruleset
REPLACE_WITH_INOTES_SERVER_NAME|inotes_ruleset
http*://*/portal/NetFileController*|null_ruleset
|
Associates a domain with the ruleset using the URI to RuleSet Mappings list. Rulesets are created under Portal Server Configuration in the Identity Server administration console.
|
|
Parser to MIME Mappings
|
JAVASCRIPT=application/x-java
XML=text/xml
HTML=text/html;text/htm;text/x-component;text/wml;text/vnd.wap.wml
CSS=text/css
|
Associates new MIME types with HTML, JAVASCRIPT, CSS or XML. Separate multiple entries with a semicolon or a comma.
|
|
Default Domain Subdomain
|
The domain of the Portal Server installation
|
Resolves a host name to a default domain and subdomain.
|
Advanced
Table C-6 lists the Gateway service Rewriter advanced attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-6 Gateway Service Rewriter Attributes - Advanced
|
Attribute
|
Default
|
Description
|
|
Not to Rewrite URI List
|
|
Lists the URIs not to rewrite. Note: Adding #* to this list allows URIs to be rewritten, even when the href rule is part of the ruleset.
|
|
Enable MIME Guessing
|
Unchecked
|
Enables MIME guessing when MIME is not sent. You must add data to the Parser to URI Mappings list box.
|
|
Parser to URI Mappings
|
HTML=*.html;*.htm;*.htc;*.cgi;
XML=*.xml
CSS=*.css
JAVASCRIPT=*.js
|
Maps a parser to the URI. Multiple URIs are separated by a semicolon.
For example HTML=*.html; *.htm;*Servlet
means that the HTML The Rewriter is used to rewrite the content for any page with a html, htm, or Servlet extension.
|
|
Enable Obfuscation
|
|
Allows the Rewriter to rewrite a URI so that the Intranet URL of a page is not seen.
|
|
Obfuscator Seed String
|
SECRET_KEY
|
Specifies a seed string used for obfuscation of a URI. It is a random string generated by an obfuscation algorithm.
|
|
Not to Obscure URI List
|
|
Specifies Internet URIs not to be obscured. This is used when applications (such as an applet) require an Internet URI
For example if you added
*/Applet/Param*
to the list box, the URL would not be obfuscated if the content URI http://abc.com/Applet/Param1.html is matched in the ruleset rule.
|
|
Make Gateway protocol same as Original URI Protocol
|
|
Enables the Rewriter to use a consistent protocol to access the referred resources in the HTML content.
This applies only to static URIs, not to dynamic URIs generated in Javascript.
|
Logging
Table C-7 lists the Gateway service logging attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-7 Gateway Service Logging Attributes
|
Attribute
|
Default Value
|
Description
|
|
Enable Logging
|
Unchecked
|
Enables logging.
|
|
Enable per Session Logging
|
Unchecked
|
Enables capture of minimum log information such as Client Address, Request Type, and Destination Host.
|
|
Enable Detailed per Session Logging
|
Unchecked
|
Enables capture of detailed log information such as Client, Request Type, Destination Host, Type of Request, Client Requested URL, Client Post Data size, SessionID, Response Result code, and Complete Response size.
Note: Enable per Session Logging must be enabled.
|
|
Enable Netlet Logging
|
Unchecked
|
Specifies if logging is enabled. If so the following information is captured: Start time, Source, Address, Source port, Server address, Server port(s), Stop time, Status (start or stop)
|
NetFile Service
When you click the NetFile Service, the right pane displays tabs.They are:
Hosts
The Hosts tab has two subsections:
Config
Table C-8 lists the NetFile hosts configuration attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-8 NetFile Service Hosts Config Attributes
|
Attribute
|
Default Value
|
Description
|
|
OS Character Set
|
Unicode(UTF-8)
|
Specifies the character set used as the default encoding for communicating with hosts.
|
|
Host Detection Order
|
WIN,NETWARE,FTP,NFS
|
Specifies the host detection order.
|
|
Common Hosts
|
|
Specifies hosts to be available through the NetFile to all remote NetFile users.
|
|
Default Domain
|
Domain of the Portal Server
|
Specifies the default domain that the NetFile needs to use to contact allowed hosts.
|
|
Default Windows Domain/Workgroup
|
|
Specifies the default Windows domain or workgroup which the users choose to access a Windows host.
|
|
Default WINS/DNS Server
|
|
Specifies the WINS/DNS server that NetFile uses to access windows hosts.
|
Access
Table C-9 lists the NetFile service hosts access attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-9 NetFile Service Hosts Access Attributes
|
Attribute
|
Default Value
|
Description
|
|
Allow Access to Windows Hosts
|
Checked
|
Allows access to windows hosts.
|
|
Allow Access to FTP Hosts
|
Checked
|
Allows access to FTP hosts.
|
|
Allow Access to NFS Hosts
|
Checked
|
Allows access to NFS hosts.
|
|
Allow Access to Netware Hosts
|
Checked
|
Allows access to Netware hosts.
|
|
Allowed Hosts
|
*
|
Specifies hosts that users can access through the NetFile.
|
|
Denied Hosts
|
|
Specifies hosts that users cannot access through the NetFile.
|
Permissions
If you disable these options after the user has started using the NetFile, the change takes effect only if the user logs out of the NetFile and logs in again.
Table C-10 lists the NetFile service permission attributes.The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
.
Table C-10 NetFile Service Permissions Attributes
|
Attribute
|
Default Value
|
Description
|
|
Allow File Rename
|
Checked
|
Allows users to rename files.
|
|
Allow File/Folder Deletion
|
Checked
|
Allows users to delete files and folders.
|
|
Allow File Upload
|
Checked
|
Allows users to upload files.
|
|
Allow File/Folder Download
|
Checked
|
Allows users to download files and folders.
|
|
Allow File Search
|
Checked
|
Allows users to search.
|
|
Allow File Mail
|
Checked
|
Allows file mailing.
|
|
Allow File Compression
|
Checked
|
Allows file compression.
|
|
Allow Changing User Id
|
Checked
|
Allows user to use a different ID.
|
|
Allow Changing Windows Domains
|
Checked
|
Allows users to change windows domains.
|
.
View
Table C-11 lists the NetFile Service view attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-11 NetFile Service View Attributes
|
Attribute
|
Default Value
|
Description
|
|
Window Size (in pixels)
|
700|400
|
Specifies the size of the NetFile window in pixels on the user’s desktop. If you enter an invalid value, the NetFile uses the default value.
|
|
Window Location
|
100|50
|
Specifies the location where the NetFile window displays on the user’s desktop. If you enter an invalid value, the NetFile uses the default value.
|
Operations
The Operations tab has the following subsections:
Traffic
Table C-12 lists the NetFile service operations traffic attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-12 NetFile Service Operations - Traffic Attributes
|
Attribute
|
Default Value
|
Description
|
|
Temporary Directory Location
|
/tmp
|
Specifies a temporary directory for various NetFile file operations.
Ensure that the ID with which the web server is running (such as nobody or noaccess) has rwx permissions for the specified directory. Also ensure that the ID has rx permissions for the entire path to the required temporary directory.
You may want to create a separate temporary directory for the NetFile. If you specify a temporary directory that is common to all modules of the Portal Server, the disk may quickly run out of space. The NetFile will not work if the temporary directory has no space.
|
|
File Upload Limit (in MB)
|
5
|
Specifies the maximum size of the files that can be uploaded. If you enter an invalid value, the NetFile resets the value to the default. Ensure that you type an integer value.
You can specify different file upload size limits for different users.
|
Search
Table C-13 lists the NetFile service operations search attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-13 NetFile Service Operations - Search Attributes
|
Attribute
|
Default Value
|
Description
|
|
Search Directories Limit:
|
100
|
Specifies the maximum number of directories that will be searched in a single search operation.
|
Compression
Table C-14 lists the NetFile service operations compression attributes.The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-14 NetFile Service Operations - Compression Attributes
|
Attribute
|
Default Value
|
Description
|
|
Default Compression Type
|
Zip
|
Specifies either Zip or Gzip compression type.
|
|
Default Compression Level
|
6
|
Specifies the compression level, a number between 1 and 9.
|
General
Table C-15 lists the Netfile service general attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-15 NetFile Service - General Attribute
|
Attribute
|
Default Value
|
Description
|
|
MIME-types Configuration File Location
|
portal-server-Install-root/SUNWps/samples/config/netfile
|
Specifies the response content type to send to the client browser.
|
Netlet Service
Table C-16 lists the Netlet service attributes. The first column contains the attribute, the second column contains the default value, if there is one, and the third column contains the description for that attribute.
Table C-16 Netlet Service Attributes
|
Attribute
|
Default Value
|
Description
|
|
Netlet Rules
|
IMAP,FTP,Telnet
|
Choose to add or delete a rule.
|
|
If you add a rule, the following nine attributes are necessary:
|
|
--Rule Name
|
|
Specifies a unique name for the rule.
|
|
--Encryption Algorithms
|
|
Specifies the required ciphers.
|
|
--URL
|
|
Specifies the URL to the application to be invoked.
|
|
--Download Applet
|
|
Specifies if an applet needs to be downloaded. If an applet is used, the syntax in the associated edit box is:
client port:server host:server port
|
|
--Extend Session
|
|
Ensures that the Portal Server session time is extended while the Netlet session corresponding to this rule is running.
|
|
--Port-Host-Port List
|
|
Specifies client port, target host and target ports. After entering those values (in the next three rows of this table), click add to make them appear in the list.
|
|
--Client Port
|
|
Specifies the client port on which the Netlet listens. For an FTP rule, the client port value must be 30021.
|
|
--Target Host(s)
|
|
Static rules contain the host name of the target machine for the Netlet connection.
Dynamic rules contain the word "TARGET".
|
|
--Target Port(s)
|
|
Specifies the port on the target host.
|
|
Default Native VM Cipher
|
KSSL_SSL3_RSA_WITH_RC4_128_MD5
|
Specifies the default cipher for the Netlet rules. This is useful when using existing rules that did not include the cipher as a part of the rule. .
|
|
Default Java Plugin Cipher
|
SSL_RSA_WITH_RC4_128_MD5
|
Specifies the default cipher for the Netlet rules. This is useful when using existing rules that did not include the cipher as a part of the rule.
|
|
Default Loopback Port
|
58000
|
Specifies the port to be used on the client when applets are downloaded through the Netlet. The default value can be overridden in the Netlet rules.
|
|
Reauthentication For Connections
|
Unchecked
|
Ensures that users enter the Netlet password each time a Netlet connection needs to be established.
|
|
Warning Popup for Connections
|
Checked
|
Displays a message when the user runs the application over the Netlet, and also when an intruder tries to gain access to the desktop through the listen port.
|
|
Show Checkbox in Port Warning Dialog
|
Checked
|
Allows the user to suppress the warning popup..
|
|
Keep Alive Interval (in minutes)
|
0
|
Sets the time interval for which a Netlet connection is kept alive even if there is no operation.
If you do not specify a value for this attribute, the idle Netlet connection times out with all other Portal Server idle connections per the "Max idle time (minutes)" value specified in the Session Attributes section of the Identity Server Configuration.
|
|
Terminate Netlet at Portal Logout
|
Checked
|
Ensures that all connections are terminated when a user logs out of the Portal Server.
|
|
Access to Netlet Rules
|
*
|
Define access to specific Netlet rules for certain organizations, roles or users.
|
|
Deny Netlet Rules
|
|
Denies access to specific Netlet rules for certain organizations, roles or users.
|
|
Allowed Hosts
|
*
|
Defines access to specific hosts for certain organizations, roles or users.
|
|
Denied Hosts
|
|
Denies access to specific hosts within an organization.
|
