Configuring the SybSecurityPluginConfig.txt file

Configuring the SybSecurityPluginConfig.txt file

To use the Web server plug-in, you must configure some of the properties that are defined the SybSecurityPluginConfig.txt file. At initialization time, the plug-in reads the parameters defined in Table 11-1 from the SybSecurityPluginConfig.txt configuration file.

Before you start the Web server, set the following environment variables:

JAGUAR_SERVER_IIOP_URL – the URL that represents the location of EAServer. Change the IIOP host to the host where EAServer is installed, and change the port to your EAServer port number.

MISC_INFO_FILE – must point to the default_credential.txt file.

The password for the EPWebServerPlugin user is defined in default_credential.txt and used for credential checks. If you change the password in this file, you must also change the password using Enterprise Security Manager—see “Viewing and updating a user account”.

Set these environment variables to the following values:

SYB_EP_WEB_VALID_LOGIN_PAGE = /syb_ep_web_valid_login.html
SYB_EP_WEB_INVALID_LOGIN_PAGE = /syb_ep_web_invalid_login.html
SYB_EP_WEB_LOGIN_PAGE = /syb_ep_weblogin.html
SYB_EP_WEB_LOGOUT_PAGE = /syb_ep_weblogout.html
SYB_EP_WEB_PLUGIN_ERROR_PAGE = /syb_ep_web_plugin_error.html

SECURITY_PLUGIN_LOG_FILE_PATH – set to the full path of the plugin.log file.

WEBSERVER_IP_ADDRESS – set to the IP address of the Web server.

**Table 11-1: Security plug-in configuration properties**
Property	Value
APACHE_PORT_AVAIL[num]	The number of each port available for the Apache servers. The number of entries for this parameter should match the value entered for MAX_APACHE_PORTS. For example, if MAX_APACHE_PORTS=5, there should be five entries in the plug-in configuration file to specify five different ports; for example: APACHE_PORT_AVAIL1=3001APACHE_PORT_AVAIL2=3002APACHE_PORT_AVAIL3=3003APACHE_PORT_AVAIL4=3004APACHE_PORT_AVAIL5=3005
CONN_CACHE_MAX_ENTRY_TIME	This property specifies how long (in seconds) an idle session can stay in the connection cache. If a session is idle for this amount of time, the session is flushed out of the connection cache. Typically, this value should be equal to the PortalSession bean timeout value. See the PortalSession bean property com.sybase.jaguar.component.timeout.
DEBUG	Set to true to enable debugging.
IPLANET_BIND_PORT	Specifies the port number the Web server could use to open a TCP/IP socket to communicate with EAServer.This TCP/IP socket is opened using the INADDR_ANY system macro (effective for all network cards for which the Web server is configured) in the Internet domain.
JAGUAR_SERVER_IIOP_URL	The URL that represents the location of EAServer.
LOG_UNPROTECTED_URL_CACHE_ACTIVITY	True or false. If true, an event is logged whenever a session is cached or removed. The number of entries in the cache at the moment is logged. If a user cannot connect due to a full connection cache, the failure is logged. Other information is logged as necessary. The default is “false.”
MAX_APACHE_PORTS	The number of ports available for the Apache servers. The Apache server spawns multiple child servers at runtime based on the server load. There should be more ports available if several child servers are spawned. Each child server binds to one port at start time. MAX_APACHE_PORTS must be equal to the value of MaxClients in the Apache configuration file, httpd.conf, which is included in your Apache installation httpd/conf directory. For example, if you increase the value of MaxClients to 250, then you must also set this value to 250, and you must create 250 entries for the APACHE_PORT_AVAIL[num] property.
SECURITY_PLUGIN_LOG_FILE	The location of the log file where statistics are recorded.
SET_COOKIE_MAX_AGE	True or false. If this parameter is set to true, the plug-in sets the Max_Age of the cookie to the value specified by SYB_SESSION_COOKIE_AGE. If this parameter is set to false, the plug-in does not set the Cookie Max_Age value. This leads to the cookie being nonpersistent in the client browser (recommended).
SYB_EP_WEB_LOGIN_PAGE	The login page URL relative to the Web server’s document root location.
SYB_EP_WEB_LOGOUT_PAGE	The logout page URL relative to the Web server’s document root location. The plug-in redirects clients to this page when either: An authenticated session expires, or The client’s browser presents a digital certificate for reauthentication. A subsequent attempt to access a protected URL reauthenticates the user.
SYB_QOP	Specifies the QOP that the plug-in uses. The only QOP currently supported is “sybpks_intl,” which is set as the default value.
SYB_SESSION_COOKIE_AGE	If SET_COOKIE_MAX_AGE is set to true, the plug-in sets the Max_Age value as specified. Value in seconds.
SYB_SESSION_COOKIE_DOMAIN	If “NOT_SPECIFIED”, the plug-in does not set the domain value, or else the domain has to be specified beginning with a period (for example, .sybase.com).
SYB_SESSION_COOKIE_NAME	Specifies the name of the cookie as it will be seen in the client browser if the appropriate browser options are enabled.After the plug-in authenticates the user, it creates an HTTP cookie and sends it back to the Web browser.
SYB_SESSION_COOKIE_PATH	Specifies the cookie path. Recommended value is “/”.
UNPROTECTED_URL_CACHE_FLUSH_SIZE	The number of entries to flush out of the URL cache when the cache is full.
UNPROTECTED_URL_CACHE_MAX_SIZE	The number of entries in the unprotected URL cache.
WEBSERVER_IP_ADDRESS	The IP address EAServer can use to open a TCP/IP client socket to the Web server. The security EJB opens a TCP/IP socket to this server and sends messages to instruct the plug-in to flush the unprotected URL cache when a URL asset is created, updated, or deleted in the ACDB.

Table 11-1: Security plug-in configuration properties

Property

Value

APACHE_PORT_AVAIL[num]

The number of each port available for the Apache servers. The number of entries for this parameter should match the value entered for MAX_APACHE_PORTS.

For example, if MAX_APACHE_PORTS=5, there should be five entries in the plug-in configuration file to specify five different ports; for example:

APACHE_PORT_AVAIL1=3001APACHE_PORT_AVAIL2=3002APACHE_PORT_AVAIL3=3003APACHE_PORT_AVAIL4=3004APACHE_PORT_AVAIL5=3005

CONN_CACHE_MAX_ENTRY_TIME

This property specifies how long (in seconds) an idle session can stay in the connection cache. If a session is idle for this amount of time, the session is flushed out of the connection cache. Typically, this value should be equal to the PortalSession bean timeout value.

See the PortalSession bean property com.sybase.jaguar.component.timeout.

DEBUG

Set to true to enable debugging.

IPLANET_BIND_PORT

Specifies the port number the Web server could use to open a TCP/IP socket to communicate with EAServer.This TCP/IP socket is opened using the INADDR_ANY system macro (effective for all network cards for which the Web server is configured) in the Internet domain.

JAGUAR_SERVER_IIOP_URL

The URL that represents the location of EAServer.

LOG_UNPROTECTED_URL_CACHE_ACTIVITY

True or false. If true, an event is logged whenever a session is cached or removed. The number of entries in the cache at the moment is logged. If a user cannot connect due to a full connection cache, the failure is logged. Other information is logged as necessary. The default is “false.”

MAX_APACHE_PORTS

The number of ports available for the Apache servers. The Apache server spawns multiple child servers at runtime based on the server load. There should be more ports available if several child servers are spawned. Each child server binds to one port at start time.

MAX_APACHE_PORTS must be equal to the value of MaxClients in the Apache configuration file, httpd.conf, which is included in your Apache installation httpd/conf directory. For example, if you increase the value of MaxClients to 250, then you must also set this value to 250, and you must create 250 entries for the APACHE_PORT_AVAIL[num] property.

SECURITY_PLUGIN_LOG_FILE

The location of the log file where statistics are recorded.

SET_COOKIE_MAX_AGE

True or false.

If this parameter is set to true, the plug-in sets the Max_Age of the cookie to the value specified by SYB_SESSION_COOKIE_AGE.

If this parameter is set to false, the plug-in does not set the Cookie Max_Age value. This leads to the cookie being nonpersistent in the client browser (recommended).

SYB_EP_WEB_LOGIN_PAGE

The login page URL relative to the Web server’s document root location.

SYB_EP_WEB_LOGOUT_PAGE

The logout page URL relative to the Web server’s document root location.

The plug-in redirects clients to this page when either:

An authenticated session expires, or
The client’s browser presents a digital certificate for reauthentication. A subsequent attempt to access a protected URL reauthenticates the user.

SYB_QOP

Specifies the QOP that the plug-in uses. The only QOP currently supported is “sybpks_intl,” which is set as the default value.

SYB_SESSION_COOKIE_AGE

If SET_COOKIE_MAX_AGE is set to true, the plug-in sets the Max_Age value as specified. Value in seconds.

SYB_SESSION_COOKIE_DOMAIN

If “NOT_SPECIFIED”, the plug-in does not set the domain value, or else the domain has to be specified beginning with a period (for example, .sybase.com).

SYB_SESSION_COOKIE_NAME

Specifies the name of the cookie as it will be seen in the client browser if the appropriate browser options are enabled.After the plug-in authenticates the user, it creates an HTTP cookie and sends it back to the Web browser.

SYB_SESSION_COOKIE_PATH

Specifies the cookie path. Recommended value is “/”.

UNPROTECTED_URL_CACHE_FLUSH_SIZE

The number of entries to flush out of the URL cache when the cache is full.

UNPROTECTED_URL_CACHE_MAX_SIZE

The number of entries in the unprotected URL cache.

WEBSERVER_IP_ADDRESS

The IP address EAServer can use to open a TCP/IP client socket to the Web server. The security EJB opens a TCP/IP socket to this server and sends messages to instruct the plug-in to flush the unprotected URL cache when a URL asset is created, updated, or deleted in the ACDB.