
SSL on SPS for VIP not working

Question asked by barka11 Employee on Oct 22, 2015
Latest reply on Oct 22, 2015 by barka11

Hi,

 

I enabled SSL on SPS for a customer environment using an un-encrypted private key. Using the server name, I am able to hit the assertion retriever servlet absolutely fine. However, using the VIP (mentioned below in the Virtual host in server.conf), if I hit the assertionretriever servlet, it says 404 not found.

 

Here are the contents of the httpd-ssl.conf file -

 

#

# This is the Apache server configuration file providing SSL support.

# It contains the configuration directives to instruct the server how to

# serve pages over an https connection. For detailing information about these

# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>

#

# Do NOT simply read the instructions in here without understanding

# what they do.  They're here only as hints or reminders.  If you are unsure

# consult the online docs. You have been warned.

#

 

 

#

# Pseudo Random Number Generator (PRNG):

# Configure one or more sources to seed the PRNG of the SSL library.

# The seed data should be of good random quality.

# WARNING! On some platforms /dev/random blocks if not enough entropy

# is available. This means you then cannot use the /dev/random device

# because it would lead to very long connection times (as long as

# it requires to make more entropy available). But usually those

# platforms additionally provide a /dev/urandom device which doesn't

# block. So, if available, use this one instead. Read the mod_ssl User

# Manual for more details.

#

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed startup file:/dev/urandom 512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

 

 

<IfDefine SSL>


#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Listen with HOSTNAME:PORT used for running SPS on
# IPV4 or pure IPV6 or Dual stack machine
# In case a proper HOSTNAME has not been set,
# please substitute SERVERHOSTNAME with the hostname
# Other option is to comment the Listen Directive given below and
# add Listen <IPV4_IP>:443 for IPV4 or Listen  [::]:443 for IPV6
#
# NOTE(review): as written (no address given), port 443 is bound on every
# address of the host, so requests addressed to the VIP reach this Apache
# instance as well as requests addressed to the server name.


Listen 443


##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##


#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl


#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
#   NOTE(review): the server key configured further down is unencrypted
#   (per the question above), so this dialog is never consulted for it;
#   the key file's filesystem permissions are then its only protection.
SSLPassPhraseDialog custom
SSLCustomPropertiesFile "/opt/CA/secure-proxy/httpd/conf/spsapachessl.properties"


#   FIPS Mode Entry:
#   Used by Apache SSL to start the ssl service
#   with the below FIPS Mode.
SSLSpsFipsMode COMPAT
#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:logs/ssl_scache"
SSLSessionCache        "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300


#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.


<IfModule mpm_winnt.c>
SSLMutex  default
</IfModule>


<IfModule worker.c>
SSLMutex  file:logs/ssl_mutex
</IfModule>

##
## SSL Virtual Host Context
##


<VirtualHost _default_:443>


#   General setup for the virtual host
#   NOTE(review): _default_:443 catches every address on port 443 that no
#   other SSL vhost claims, and no other :443 vhost is defined in this file,
#   so requests for the server name and for the VIP are both served here.
#   The 404 reported for the VIP is therefore presumably produced behind
#   Apache, by the proxy engine's own VirtualHost matching (addresses /
#   hostnames in server.conf) - confirm there.
DocumentRoot "/opt/CA/secure-proxy/httpd/htdocs"
ServerName brn0vmlxwebtst30b
ServerAdmin admin@cxxx.com


#
# ErrorLog: The location of the error log file.
#
# ErrorLog logs/error_log
ErrorLog "|/opt/CA/secure-proxy/httpd/bin/rotatelogs /opt/CA/secure-proxy/httpd/logs/ssl_error_log.%Y-%m-%d-%H_%M_%S 20M"


#
# TransferLog directive is used to log requests to the server.
#
# TransferLog logs/access_log
TransferLog "|/opt/CA/secure-proxy/httpd/bin/rotatelogs /opt/CA/secure-proxy/httpd/logs/ssl_access_log.%Y-%m-%d-%H_%M_%S 20M"


#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
#   NOTE(review): "-ALL +TLSv1" disables SSLv2/SSLv3 but presumably also
#   leaves only TLS 1.0 enabled (TLS 1.1/1.2 are separate keywords in newer
#   mod_ssl builds); TLS 1.0 is deprecated and newer clients may refuse to
#   negotiate it. Confirm the negotiated versions against the running server.
SSLEngine on
SSLProtocol -ALL +TLSv1


#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   NOTE(review): the last two exclusions are written "!3DES!IDEA" without the
#   ':' separator used everywhere else in the string. OpenSSL's parser may
#   still apply both, but add the ':' and confirm the effective list with
#   `openssl ciphers -v '<the string>'`. Note also that "!DH" removes the
#   ephemeral DHE suites too, so forward secrecy here depends on whatever
#   ECDHE suites the build offers.
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!SSLv2:!EXP:!LOW:!DH:!DSS:!RC4:!3DES!IDEA


#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#
SSLCertificateFile "/opt/CA/secure-proxy/SSL/certs/ssouat.crt"
#SSLCertificateFile "/opt/CA/secure-proxy/SSL/certs/server-dsa.crt"


#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   NOTE(review): this key is stored unencrypted (per the question above);
#   restrict the key file and its directory to the httpd user, since file
#   permissions are the only thing protecting it.
SSLCertificateKeyFile "/opt/CA/secure-proxy/SSL/keys/ssouat.key"
#SSLCertificateKeyFile "/opt/CA/secure-proxy/SSL/keys/server-dsa.key"


#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#   NOTE(review): the chain file is commented out. Unless ssouat.crt itself
#   has the intermediate CA certificates appended, clients receive only the
#   leaf certificate and may fail to build a trust path - confirm.
#SSLCertificateChainFile "/opt/CA/secure-proxy/SSL/certs/ca.crt"


#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#   NOTE(review): with "SSLVerifyClient none" below, these CA settings are
#   not exercised for client-certificate verification in this vhost.


SSLCACertificatePath "/opt/CA/secure-proxy/SSL/certs"
SSLCACertificateFile "/opt/CA/secure-proxy/SSL/certs/ca-bundle.cert"


#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/opt/CA/secure-proxy/SSL"
#SSLCARevocationFile "/opt/CA/secure-proxy/SSL/ca-bundle.crl"


#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#   Client certificates are not requested in this vhost.
SSLVerifyClient none
SSLVerifyDepth  10


#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>


#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#   NOTE(review): +StdEnvVars +ExportCertData are enabled for the whole vhost
#   here, although the text above recommends limiting StdEnvVars to CGI/SSI
#   for performance; the <Files> and <Directory> blocks below are therefore
#   redundant with the vhost-wide setting.
SSLOptions +StdEnvVars +ExportCertData
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/opt/CA/secure-proxy/httpd/cgi">
    SSLOptions +StdEnvVars
</Directory>


#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch ".*MSIE.*" \
     ssl-unclean-shutdown

#
#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
# CustomLog logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
</IfDefine>

 

Here are the contents of the Server.conf file -

 

<Server>
  #General Server Information

  #Define the listeners between
  #HTTP listener and proxy engine
  #NOTE(review): the AJP worker is bound to localhost, so the HTTP listener
  #and the proxy engine only talk over the loopback interface here.
  worker.ajp13.port=8009
  worker.ajp13.host=localhost
  worker.shutdown.port=8005


  #Define additional tuning parameters for the connection between HTTP listener and proxy engine
  #These parameters are used by mod_jk and are not used by proxy engine
  #worker.ajp13.reply_timeout - The maximum time (milliseconds) that can elapse between any two packets received from proxy engine
  #after which the connection between HTTP listener and proxy engine is dropped
  #A value of zero makes it wait indefinitely until a response is received (default)
  #worker.ajp13.retries - The maximum number of times that the worker will send a request to proxy engine in case of a communication error
  #Default value for retries is 2
  worker.ajp13.reply_timeout=0
  worker.ajp13.retries=2

  #Define AJP13 tuning parameters
  #Number of requests waiting in queue (queue length)
  #Number of threads created at initialization time
  #Maximum number of concurrent connections possible
  #Maximum time (seconds) that the idle connections will remain in the connection pool before timing out, default value is 0 that means never time out
  ajp13.accept_count=10
  ajp13.min_spare_threads=10
  ajp13.max_threads=410


  worker.ajp13.connection_pool_timeout=0

  #'max_packet_size': This attribute sets the maximum AJP packet size in Bytes. The maximum value is 65536.
  #This same value will be used as 'packetSize' attribute for AJP connector on the Tomcat side.
  worker.ajp13.max_packet_size=16384

  singleprocessmode="yes"

  # Provide the values for the Federation related parameters here
  #
  # enablefederationgateway - "yes" or "no" - Enable or Disable SPS Federation Gateway
  # fedrootcontext - Name of the Federation root context ("affwebservices" by default)
  # authurlcontext - Path of the Authentication URL (without the jsp file name) (siteminderagent/redirectjsp by default)
  # allowlinking - enables affwebservices app to use symbolic links. This should NOT be enabled on case insensitive platforms, according to Tomcat documentation due to security concerns.
  # protectedbackchannelservices - Names of protected Backchannel services
  #
  # NOTE(review): allowlinking="yes" is set below. The install paths in this
  # file are Unix-style (/opt/CA/...), so the platform is presumably
  # case-sensitive and the Tomcat caveat above does not apply - confirm.
  # NOTE(review): assertionretriever - the servlet the question is about - is
  # listed among the protected back-channel services below.

  <federation>
  enablefederationgateway="yes"
  fedrootcontext="affwebservices"
  authurlcontext="siteminderagent/redirectjsp"
  allowlinking="yes"
  protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
  </federation>
  # Contexts in the root tag (only one) to deploy web applications as new contexts which can be accessed using apache port
  # Context is the child tag - accepts multiple context tags inside root tag
  # No two contexts should have same name & path
  # name – Unique name for the context (Mandatory & Unique).
  # reloadable, privileged attributes are optional and by default "true".
  # docBase - Assumes to be a folder name in the <SPS>\Tomcat\webapps folder (Mandatory).
  # enable – context would be added only when set to YES. (Set to "No" is similar to not to have the entry itself). Default value: "Yes"
  # path – using which application can be accessed. (Mandatory & Unique).
  # Ex: "authws" means application can be accessed as "http(s)://virtualhost:apacheport/authws"
  #
  # The single context below is disabled (enable="no"), so the CA_AuthAZ
  # web services are not deployed by this configuration.

  <Contexts>
  <Context name="Authentication/Authorization web services">
  docBase="CA_AuthAZ"
  path="authazws"
  enable="no"
  </Context>
  </Contexts>

  #only one localapp tag should be there
  <localapp>
  enablelocalapp="yes"

  #Define the http & https listeners for LocalApplications
  #Default Value for local.host=localhost,local.http.port=8080
  #NOTE(review): the https parameters further down are commented out, so the
  #local applications are reachable over plain HTTP on localhost:8080 only.
  local.host=localhost
  local.http.port=8080


  #Provide the name of keystore and put it in $$CAKEYPATH folder
  #Provide a password for keystore
  #To enable SSL for localapp uncomment next three parameters
  #NOTE(review): the text mentions three parameters and a keystore password,
  #but only two commented lines follow; presumably the password parameter is
  #missing here or supplied elsewhere - confirm before enabling SSL for localapp.

  #local.https.port=543
  #local.https.keyStoreFileName="tomcat.keystore"

  #n no of xml can be added in the localapp tag

  context_file="conf/ca-corpui.xml, conf/proxyui.xml"

    </localapp>

  # Root of location that the agent will resolve "/" to for
  # finding forms (fcc) and error files.  Note: If document_root
  # is specified as a relative directory, it will be relative to
  # Tomcat/webapps/
  document_root="../../proxy-engine/examples"



  # Enable disable HTTPClient logging with value "yes" or "no".
  # Recommended to enable the logging for only debug purposes. Not recommended for production environment.
  httpclientlog="no"


  <sslparams>
  # Set the SSL protocol version to support:SSLv3, TLSv1
  # NOTE: SSL version 2 is no longer supported
  # NOTE(review): the client-certificate comments below suggest this block
  # governs SPS's own outbound TLS to the backends; as configured it is
  # restricted to TLS 1.0 - confirm the backends accept that, and whether
  # newer versions can be listed here.
  versions="TLSv1"


  #ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,-RSA_With_RC4_SHA,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA"

  # Active cipher list: three AES-128-CBC-SHA suites (RSA, DHE_RSA, DHE_DSS).
  # NOTE(review): the fipsciphers list below still enables 3DES suites, which
  # the Apache SSLCipherSuite in httpd-ssl.conf tries to exclude on the
  # inbound side - keep the two lists aligned if 3DES is meant to be retired.
                ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
  fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"

  # Covalent SSL CA certificate bundle and certs path to be converted
  # The bundle and/or certs located at defined location will be converted
  # to binary (DER) format and loaded as SSLParams.
  # NOTE: Only put Base64 (PEM) encoded cert files/bundles in the covalent
  # certificate directory.
  cacertpath="/opt/CA/secure-proxy/SSL/certs"
  cacertfilename="/opt/CA/secure-proxy/SSL/certs/ca-bundle.cert"

  # This certificate configured below is used as SPS client certificate for the backend servers when
  # SSL client authentication is enabled.
  # Location of the Key file : <install-dir>\SSL\clientcert\key\
  # Location of public certs : <install-dir>\SSL\clientcert\certs\
  # NOTE: Only put DER encoded, password encrypted pkcs8 keyfile.
  # Client pass phrase should be encrypted using EncryptUtil tool.
  # Both parameters are commented out, so no client certificate is presented
  # to the backends by this configuration.

  #ClientKeyFile=
  #ClientPassPhrase=
  # max cache time in milliseconds (Default: 120000 milliseconds)
  maxcachetime="120000"
  </sslparams>


  #This parameter is applicable to the cookie added by backend.
  #"yes"--- Default Value. Quotes will be added to the cookie parameter value
  #which contains special characters if the cookie version is other than "0"
  #"no" --- Quotes will not be added to the cookie.


  addquotestocookie="yes"





  # This parameter is applicable to the cookie sent to browser
  # Tomcat 5.5 and higher adds quotes to the cookie. Parameter "addquotestobrowsercookie" changes the default behavior of Tomcat.
  # "no" --- Default Value. Quotes will not be added to the cookie parameter value
  # "yes" --- Quotes will be added to the cookie.


  addquotestobrowsercookie="no"


  # This parameter is applicable to the equal (=) sign in the cookie.
  # Tomcat will allow = characters when parsing unquoted cookie values.
  # Tomcat 5.5 and higher adds quotes to the cookie. Parameter "allowequalsincookievalue" changes the default behavior of Tomcat.
  # "yes" --- Default Value. Cookie values are allowed to contain an equals character.
  # "no"  --- Cookie values containing = will be terminated when the = is encountered and the remainder of the cookie value will be dropped.


  allowequalsincookievalue="yes"


  # This parameter needs to be set to the appropriate char-set based upon the locale of the users
  # This parameter is used by the HttpClient inside SPS to appropriately encode the headers that
  # will be sent to the backend server
  # For Example -
  # "US-ASCII"--- Default value, which is appropriate for default US English Locale
  # "Shift_JIS" --- Should be set for supporting Japanese locale and for supporting login using Japanese usernames
  requestheadercharset="US-ASCII"


  #This parameter is applicable to the caching of POST data.
  #"no"--- POST data is not cached by SPS.
  #"yes"---  Default Value. POST data Caching enabled
  enablecachepostdata="yes"
  #This parameter defines the maximum size of POST data that is to be cached.
  #Size in Kb
  maxcachedpostdata="1024"


  # This parameter needs to be set to "yes" if request URL needs to be URLEncoded before sending the request to backend web server.
  # "no" --- The request URL will not be URLEncoded before sending the request to backend web server.
  # "yes" ---Default value.
  encodeurl="yes"


  #some backend will not return disconnect notification back to SPS
  #this option will ignore a benign ssl exception
  #NOTE(review): this suppresses an SSL exception on backend disconnects;
  #presumably it is limited to that case, but confirm it does not also mask
  #handshake or certificate-verification failures, which would otherwise
  #surface in the logs.
  ignoresslbackendexception="yes"


  #Configurations related to custom error pages
  <customerrorpages>
  #possible values are: "yes", "no"
  #default value is "no"
  enable="no"


  #custom error pages implementation class
  class="com.netegrity.proxy.errorpages.ErrorPageImpl"


  #defines type of locale.
  #possible values are: "0" (for Server specific), "1" (for Browser specific)
  #default value is "0"
  locale_type="0"


  #this value should be the language code that will be understood by the java
  #locale object, say "zh" for Chinese, "fr" for French, "es" for Spanish, "en" for
  #english, etc.
  #default value is "en"
  locale_language="en"


  #this value should be the country/region code that will be understood by the
  #java locale object, say "CN" for China, "CH" for Switzerland, "AR" for
  #Argentina, "US" for United States.
  #default value is "US"
  locale_country="US"
  </customerrorpages>
  #Custom error pages configuration end

  # MAX buffer size for monitoring feature buffer size. Used only when at least one metric-reporter tag is enabled.
  # default value 1000 entries
  monitor_data_buffer_size="1000"






</Server>

 

 

#

# Default metric reporter to monitor SPS with Wily

# enabled - yes to enable and no to disable, default: no

# endpoint - format: protocol://hostname:port/

# hostname should be the hostname where Wily EPAgent is started

# port network data port/HTTP port configured in Wily EPAgent based on protocol given

# protocol - tcp, if network data port & http, if http port is configured on Wily EPAgent side

#

<metric-reporter name="WilyMetricReporter">
  class="com.ca.proxy.monitor.wily.WilyMetricReporter"
  # Disabled here. The endpoint is plain http to localhost; if this is ever
  # enabled against an EPAgent on another host, the metrics would presumably
  # travel in cleartext - confirm what the reporter supports before doing so.
  enabled="no"
  endpoint="http://localhost:8886"
</metric-reporter>

 

 

<SessionStore>
  # Session Store Information
  # Holds at most 10000 entries; clean-up runs every 60 units
  # (units are not stated in this file - presumably seconds, confirm).
  class="com.netegrity.proxy.session.SimpleSessionStore"
  max_size="10000"
  clean_up_frequency="60"
</SessionStore>

 

 

# Service Dispatcher

# This is new since proxy 6.0

# Service Dispatcher is now a global server configuration parameter and is no longer

# configured on a per virtual host basis.

<ServiceDispatcher>
  # Global dispatcher (see the note above); the rules file below presumably
  # holds the proxy rules that select a service/backend per request and that
  # the filter names in the forward Service refer to - confirm.
  class="com.netegrity.proxy.service.SmProxyRules"
  rules_file="/opt/CA/secure-proxy/proxy-engine/conf/proxyrules.xml"
</ServiceDispatcher>

 

 

 

 

# Proxy Service

<Service name="forward">
  class="org.tigris.noodle.Noodle"


  # Enables support for multiple protocols if set to true. Currently only
  # http and https is supported.  If set to false only http is supported.
  protocol.multiple="true"
  http_connection_pool_min_size="2"
  http_connection_pool_max_size="420"
  http_connection_pool_incremental_factor="2"


  # Timeout to be used to close idle connections in the pool. If no units are specified,
  # the default units are minutes
  http_connection_pool_connection_timeout="1 minute"

  # Timeout (in milliseconds) to be used to wait for an available connection.
  # A timeout of zero:
  # 1. causes the pool to wait for a connection until notified
  # 2. invalidates the use of max retries
  http_connection_pool_wait_timeout="0"


  # Number of attempts to obtain a connection.
  # A value of zero causes pool to attempt indefinitely.
  # Only applicable if wait timeout is not zero.
  http_connection_pool_max_attempts="3"


  # Timeout (in milliseconds) to be used for creating connections and reading
  # responses. The timeout will limit the time spent doing the host name
  # translation and establishing the connection with the server when creating
  # sockets.
  # A timeout of zero means wait indefinitely.
  # NOTE(review): the value below carries an explicit unit ("3 minutes") while
  # this comment says milliseconds; presumably "(in milliseconds)" applies only
  # to bare numbers, as for the pool timeout above - confirm how it is parsed.
  http_connection_timeout="3 minutes"


  http_connection_stalecheck="true"

  # Pool configuration for connection oriented authentication backend
  # connections eg: NTLM.
  <connection-pool name="connection oriented authentication">
  connection-timeout="10 seconds"
  max-size="200"
  enabled="yes"
  </connection-pool>
  # Proxy filters may be defined here to perform pre/post processing tasks.
  # The following format must be used to configure filters:
  #
  # filter.<filter name>.class=<fully qualified filter class name>  (required)
  # filter.<filter name>.init-param.<param name1>=<param value1> (optional)
  # filter.<filter name>.init-param.<param name2>=<param value2>
  # filter.<filter name>.init-param.<param name3>=<param value3>
  #
  # The filter name is used by the proxy rules to trigger a specific filter.
  # Filter names should be unique.
  # Filter jar files should be dropped in the <SPS_HOME>/Tomcat/lib directory
  # See the documentation for more details.
  #
  # All filter and group definitions below are commented out, so no proxy
  # filters are active in this configuration.
  #
  # The following are examples for use with the provided sample filters:
  # Defines a filter with name "filter1" whose class is "SamplePreFilter"
  #filter.filter1.class=SamplePreFilter
  #filter.filter1.init-param.header1="Header1"
  #filter.filter1.init-param.header2="header2"
  #filter.filter1.init-param.newheader="FILTER_GENERATED_HEADER"
  #
  # Defines a filter with name "filter2" whose class is "SamplePostFilter"
  #filter.filter2.class=SamplePostFilter
  #filter.filter2.init-param.oldStr="foo"
  #filter.filter2.init-param.newStr="bar"


  ##filter.myfilter.class=MyFilter
  ##filter.myfilter.init-param.oldStr="CA"
  ##filter.myfilter.init-param.newStr="Oracle"
  #
  # The following example illustrates the use of custom filters in a group
  # Defines filter groups with valid Custom filter names.
  # Defines a filter group with name "group1" by grouping Custom filters "filter1" and "filter2"
  #groupfilter.group1="filter1,filter2"

  # Defines a filter group with name "group2" by grouping Custom filters "myfilter" and "filter1"
  #groupfilter.group2="myfilter,filter1"





</Service>

 

 

# Redirect Service

<Service name="redirect">
  # NOTE(review): this is the only class= value in the file written without
  # quotes; every other class= is quoted. Whether the parser accepts both forms
  # is not shown here - quote it for consistency.
  class=com.netegrity.proxy.service.RedirectService
</Service>

 

 

#Session Schemes

<SessionScheme name="default">
  # Cookie-based scheme and the only one in this file that accepts SMSESSION
  # cookies; it is the scheme named by defaultsessionscheme further down.
  class="com.netegrity.proxy.session.SessionCookieScheme"
  accepts_smsession_cookies="true"
</SessionScheme>

 

 

<SessionScheme name="ssl_id">
  # Scheme keyed on the SSL session id (per the class name); SMSESSION
  # cookies are not accepted. Not selected as default in this file.
  class="com.netegrity.proxy.session.SSLIdSessionScheme"
  accepts_smsession_cookies="false"
</SessionScheme>

 

 

<SessionScheme name="simple_url">
  # Carries the session key in the URL under the name SMID.
  # NOTE(review): a URL-carried session key is exposed in browser history,
  # Referer headers and access logs. This scheme is not the default below and
  # the SessionSchemeMappings are commented out, so it is inactive as configured.
  class="com.netegrity.proxy.session.SimpleURLSessionScheme"
  accepts_smsession_cookies="false"
  session_key_name="SMID"
</SessionScheme>

 

 

<SessionScheme name="minicookie">
  # Stores a small cookie named SMID on the client instead of the SMSESSION
  # cookie. Not selected as default in this file.
  class="com.netegrity.proxy.session.MiniCookieSessionScheme"
  accepts_smsession_cookies="false"


  # The name of the small cookie to be stored in the client.
  cookie_name="SMID"
</SessionScheme>

 

 

<SessionScheme name="device_id">
  # Keys the session on a device-id request header. Not selected as default.
  class="com.netegrity.proxy.session.DeviceIdSessionScheme"
  accepts_smsession_cookies="false"


  # The header name containing the device id of the wireless devices
  # NOTE(review): the value below reads like a placeholder; a real vendor
  # header name would have to be set before this scheme is mapped to a
  # user agent.
  device_id_header_name="vendor_device_id_header_name"
</SessionScheme>

 

 

# TO-DO: Define Any User Agents, if you want to

# use a different session scheme based on

# the type of client accessing the server.

#

# NOTE:  UserAgent matching is done in the order

# in which the user agents are defined in this file.

# <UserAgent name="user_agent_name_1">

#     header_name_1=some regular expression

# </UserAgent>

# <UserAgent name="user_agent_name_2">

#     header_name_1=some other regular expression

# </UserAgent>

 

 

<VirtualHostDefaults>
  # default session scheme
  defaultsessionscheme="default"
  enablerewritecookiepath="no"
  enablerewritecookiedomain="no"
  # NOTE(review): with preserve-host disabled, the Host header forwarded to the
  # backend is presumably rewritten rather than passed through - confirm
  # against the product documentation.
  enableproxypreservehost="no"
  filteroverridepreservehost="no"

  # NOTE(review): this is one of the few values in the file written without
  # quotes; quote it for consistency with the rest of the block.
  policyserverversion=12.5

  # specify the block size for request and response in KBs
  requestblocksize="4"
  responseblocksize="4"


  #TO-DO:  Define any session scheme mappings
  #<SessionSchemeMappings>
  #    user_agent_name=session_scheme_name
  #</SessionSchemeMappings>


  # Web Agent.conf
  <WebAgent>
  sminitfile="/opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf"
  </WebAgent>


</VirtualHostDefaults>

 

 

# Default Virtual Host

# Default Virtual Host
<VirtualHost name="default">
  # NOTE(review): the Apache vhost in httpd-ssl.conf is _default_:443 and so
  # accepts any address, which points at this block as the place where the
  # VIP request is presumably being rejected with the 404. The proxy engine
  # matches on the addresses/hostnames listed here; if the VIP address and the
  # name the client uses for it are not in these lists, the request likely
  # falls outside this virtual host - confirm both values are present.
  # (Values are redacted as posted.)
  addresses="xx.***.***.***"
  hostnames="brn0vmlxwebtst30b,ssouat.***.com"
  defaultsessionscheme="default"

  # specify the block size for request and response in KBs
  # (responseblocksize overrides the "4" set in VirtualHostDefaults)
  requestblocksize="4"
  responseblocksize="8"


  #The defaults can be overridden
  #not only for the Virtual Host
  #but for the WebAgent for that
  #virtual host as well
  #<WebAgent>
  #</WebAgent>
</VirtualHost>

 

Message was edited by: Kapil Bareja
