WebSEAL Reverse Proxy Configuration

This section covers the WebSEAL configuration of a Verify Identity Access deployment. This includes configuring the reverse proxy policy server and user registry.

Administrators can also use this section to configure WebSEAL-specific functionality such as HTTP transformation rules, client certificate mapping and federated user registries.

Example

webseal:
  runtime:
    policy_server: "ldap"
    user_registry: "ldap"
    ldap:
      host: "openldap"
      port: 636
      dn: !secret default/isva_secrets:ldap_bind_dn
      dn_password: !secret default/isva_secrets:ldap_bind_pw
      key_file: "lmi_trust_store"
    clean_ldap: True
    domain: "Default"
    admin_user: !secret default/isva_secrets:sec_user
    admin_password: !secret default/isva_secrets:sec_pw
    admin_cert_lifetime: 1460
    ssl_compliance: "fips"
  reverse_proxy:
  - name: "default"
    host: "isvaruntime"
    http:
      enabled: "no"
    https:
      enabled: "yes"
      port: "9443"
    domain: "Default"
    ldap:
      ssl: "yes"
      port: 636
      key_file: "lmi_trust_store"
    aac_configuration:
      hostname: "isvaruntime"
      port: 9443
      junction: "/mga"
      user: !secret default/isva_secrets:runtime_user
      password: !secret default/isva_secrets:runtime_pw
      reuse_certs: True
      reuse_acls: True
    stanza_configuration:
    - stanza: "acnt-mgt"
      entry_id: "enable-local-response-redirect"
      value: "yes"
      operation: "update"
    - stanza: "local-response-redirect"
      entry_id: "local-response-redirect-uri"
      value: "/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password"
      operation: "update"
  pdadmin:
    users:
    - name: "testuser"
      dn: !secret default/isva_secrets:test_dn
      password: !secret default/isva_secrets:test_pw

WebSEAL Reverse Proxy Instances

Schema Docs
Type: array of object

Properties to configure a WebSEAL Reverse Proxy instance. A reverse proxy instance typically defines one or more junctions to protected application servers. This section can also be used to define configuration for the webseal.conf file as well as run the integration wizards for MMFA, AAC and Federation capabilities from the Federated Runtime Server. Configuration to connect to the user registry is read from the webseal.runtime entry.

No Additional Items

Each item of this array must be:

Type: object

Type: string

Name of the reverse proxy instance.

Type: string

The host name that is used by the Security Verify Identity Access policy server to contact the appliance.

Type: enum (of string)

Specifies whether to use a logical network interface for the instance. Only valid for appliance deployments.

Must be one of:

  • "yes"
  • "no"

Type: string Format: ipv4

The IP address for the logical interface. Only valid for appliance deployments where nwinterfaceyn is yes.

Type: integer

This is the listening port through which the instance communicates with the Security Verify Identity Access policy server.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

The Security Verify Identity Access domain.

Type: object

LDAP policy server properties.

Type: enum (of string)

Enable SSL Verification of connections.

Must be one of:

  • "yes"
  • "no"

Type: string

The SSL Database to use to verify connections. Only valid if ssl is yes.

Type: string

The SSL Certificate to use to verify connections. Only valid if ssl is yes.

Type: integer

The network port to communicate with the LDAP server.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: object

HTTP traffic endpoint properties.

Type: boolean

Enable traffic on this endpoint.

Type: integer

Network port that endpoint should listen on.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: object

HTTPS traffic endpoint properties.

Same definition as http

Type: array

Junctions to backend resource servers for this reverse proxy instance.

No Additional Items

Each item of this array must be:

Type: object

For each WebSEAL instance, administrators will typically define one or more standard or virtual junctions. Junctions are how an administrator defines the relationship and behavior between a WebSEAL server and an application server (the server for which WebSEAL proxies TCP traffic). Some advanced configuration options cannot be set in this entry; the stanza_configuration entry must be used instead to set key/value entries in the reverse proxy configuration file.

Type: enum (of string)

Type of junction.

Must be one of:

  • "tcp"
  • "ssl"
  • "tcpproxy"
  • "sslproxy"
  • "mutual"

Type: string

Name of the location in the Reverse Proxy namespace where the root of the back-end application server namespace is mounted.

Type: string

An optional description for this junction.

Type: string

The DNS host name or IP address of the target back-end server.

Type: string

TCP port of the back-end third-party server.

Type: enum (of string)

Defines how the Reverse Proxy server passes client identity information in HTTP basic authentication (BA) headers to the back-end server.

Must be one of:

  • "filter"
  • "ignore"
  • "supply"
  • "gso"

Type: boolean

Enables IBM Security Federated Identity Manager single sign-on (SSO) for the junction.

Type: enum (of string)

Specifies whether the junction supports stateful applications.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether a transparent path junction is created.

Must be one of:

  • "yes"
  • "no"

Type: boolean

Specifies whether to enforce mutual authentication between a front-end Reverse Proxy server and a back-end Reverse Proxy server over SSL.

Type: enum (of string)

Specifies the encoding to use when the system generates HTTP headers for junctions.

Must be one of:

  • "utf8_bin"
  • "utf8_uri"
  • "lcp_bin"
  • "lcp_uri"

Type: enum (of string)

Specifies whether to use BA header information to authenticate to the back-end server.

Must be one of:

  • "yes"
  • "no"

Type: string

The key label for the client-side certificate that is used when the system authenticates to the junctioned Web server.

Type: string

The name of the GSO resource or resource group.

Type: enum (of string)

Specifies whether to insert the IP address of the incoming request into an HTTP header for transmission to the junctioned Web server.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether LTPA version 2 cookies (LtpaToken2) are used.

Must be one of:

  • "yes"
  • "no"

Type: string

Location of the key file that is used to encrypt the LTPA cookie data.

Type: string Format: password

Password for the key file that is used to encrypt LTPA cookie data.

Type: enum (of string)

Specifies whether to allow denied requests and failure reason information from authorization rules to be sent in the Boolean Rule header (AMAZNFAILURE) across the junction.

Must be one of:

  • "yes"
  • "no"

Type: string

The name of the configuration file that is used for forms based single sign-on.

Type: string

The Reverse Proxy user name to send BA header information to the back-end server.

Type: string Format: password

The Reverse Proxy password to send BA header information to the back-end server.

Type: string

Specifies the UUID that will be used to identify the junctioned Web server.

Type: string

Virtual host name that is used for the junctioned Web server.

Type: string

Specifies the distinguished name of the junctioned Web server.

Type: string

Specifies the common name, or subject alternative name, of the junctioned Web server.

Type: string Format: ipv4

Specifies the local IP address that the Reverse Proxy uses when the system communicates with the target back-end server.

Type: string

Provides the Reverse Proxy with the correct name of the query_contents program file and where to find the file.

Type: enum (of string)

Specifies whether the Reverse Proxy server treats URLs as case sensitive.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether Windows style URLs are supported.

Must be one of:

  • "yes"
  • "no"

Type: string

The TCP port of the proxy server.

Type: string

Only applicable for virtual junctions. Specifies the replica set that sessions on the virtual junction are managed under.

Type: string

Only applicable for virtual junctions. Causes a second virtual junction to share the protected object space with the initial virtual junction.

Type: boolean

Specifies whether to overwrite an existing junction of the same name.

Type: enum (of string)

This option is valid only with junctions that were created with the type of ssl or sslproxy.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Supplies junction identification in a cookie to handle script-generated server-relative URLs.

Must be one of:

  • "yes"
  • "no"

Type: string

Defines the hard limit percentage for consumption of worker threads.

Type: string

Defines the soft limit percentage for consumption of worker threads.

Type: string

HTTPS port of the back-end third-party server.

Type: string

HTTP port of the back-end third-party server.

Type: string

The TCP port of the proxy server.

Type: array of enum (of string)

Controls the insertion of Security Verify Identity Access specific client identity information in HTTP headers across the junction.

No Additional Items

Each item of this array must be:

Type: enum (of string)

Must be one of:

  • "iv-user"
  • "iv-user-l"
  • "iv-groups"
  • "iv-creds"
  • "all"

Type: object

Properties for configuring this reverse proxy instance for use with advanced access control authentication and context based access service.

Type: string

Junction to create.

Type: object

Liberty runtime server properties.

Type: string

Hostname or address of server.

Type: integer

Port server is listening on.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

Username to use for basic authentication.

Type: string Format: password

Password to use for basic authentication.

Type: boolean

Re-use existing Policy Server ACLs.

Type: boolean

Re-use existing certificates in the SSL database.

Type: object

Properties for configuring this reverse proxy instance to deliver MMFA capabilities.

Type: enum (of string)

MMFA channel to configure.

Must be one of:

  • "mobile"
  • "browser"
  • "both"

Type: object

Liberty runtime server properties.

Same definition as runtime

Type: object

Liberty LMI server properties.

Same definition as runtime

Type: boolean

Re-use existing Policy Server ACLs.

Type: boolean

Re-use existing certificates in the SSL database.

Type: boolean

Re-use existing Policy Server POPs.

Type: array

Properties for integrating with a running Federation runtime.

No Additional Items

Each item of this array must be:

Type: object

Federation runtime integration configuration wizard.

Type: string

Name of the Federation.

Type: object

Liberty runtime server properties.

Type: string

Hostname or address of server.

Type: integer

Port server is listening on.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

Username to use for basic authentication.

Type: string Format: password

Password to use for basic authentication.

Type: enum (of string) Default: "local"

Type of runtime. Valid values are 'local' for local runtimes (appliance) and 'remote' for external runtime (container).

Must be one of:

  • "local"
  • "remote"

Type: enum (of string) Default: "on"

Read the X.509 Certificate from the runtime server's https endpoint.

Must be one of:

  • "on"
  • "off"

Type: boolean Default: false

Indicates whether mutual TLS (client certificate) authentication should be performed with the runtime server.

Type: boolean

Re-use existing Policy Server ACLs.

Type: boolean

Re-use existing certificates in the SSL database.

Type: object

Properties for integrating this reverse proxy with OIDC API Protection Clients.

Type: string

Name of the API Protection Junction.

Type: object

Liberty runtime server properties.

Same definition as runtime

Type: boolean

Re-use existing Policy Server ACLs.

Type: boolean

Re-use existing certificates in the SSL database.

Type: boolean Default: false

Whether this reverse proxy should be configured for API protection.

Type: boolean Default: false

Whether this reverse proxy should be configured for browser interaction.

Type: boolean Default: false

Whether the client registration endpoint requires authentication.

Type: boolean Default: false

Configures reverse proxy instance to be FAPI Compliant.

Type: object

For each WebSEAL reverse proxy instance, administrators are able to define section/key/value entries to modify the webseal.conf file for that instance. Each stanza modification must also include an operation to either: add an entry, creating duplicate entries if the particular section/key combination already exists; update an entry if it already exists, or add it if it does not; and remove an entry if it exists.

Type: enum (of string)

Operation to perform on configuration file.

Must be one of:

  • "add"
  • "delete"
  • "update"

Type: string

Name of stanza to modify.

Type: string

Optional entry name to modify.

Type: string

Optional entry value to modify.

Type: array of string

List of files to import into WebSEAL hosted pages. Directory structure should be relative to the predefined top-level directories.

No Additional Items

Each item of this array must be:

Type: string

Example:

reverse_proxy:
- name: default
  host: ibmsec.verify.access
  listening_port: 7234
  domain: Default
  http:
    enabled: 'no'
  https:
    enabled: 'yes'
    port: 443
  junctions:
  - junction_point: /app
    description: Backend Application
    junction_type: ssl
    transparent_path_junction: true
    server_hostname: 1.2.3.4
    server_port: 443
    remote_http_header:
    - iv-user
    - iv-groups
    - iv-creds
  aac_configuration:
    hostname: localhost
    port: 443
    runtime:
      user: runtime_user
      password: runtime_password
    junction: /mga
    reuse_acls: true
    reuse_certs: true


Policy Directory Admin

Schema Docs
Type: object

Administrators can use the pdadmin tool to modify the configured User Registry and Policy Server. This tool is used to: create Access Control Lists (ACLs); create Protected Object Policies (POPs); create users or groups; and attach ACLs or POPs to a reverse proxy instance's object space. Configuration to connect to the user registry is read from the webseal.runtime entry.


Example:

pdadmin:
  users:
  - username: testuser
    password: test_password
    dn: cn=testuser,dc=iswga
  - username: aacuser
    password: aac_user_password
    dn: cn=aacuser,dc=iswga
  reverse_proxies:
  - host: isva-wrp
    instance: default-proxy
    acls:
    - name: isam_mobile_anyauth
      junctions:
      - /mga/sps/authsvc
      - /mga/sps/apiauthsvc
      - /intent/account-requests
    - name: isam_mobile_rest_unauth
      junctions:
      - /mga/websock/mmfa-wss/
      - /mga/sps/ac/info.js
      - /mga/sps/ac/js/info.js
      - /mga/sps/ac
      - /.well-known
      - /CertificateManagement/.well-known
      - /mga/sps/mmfa/user/mgmt/qr_code
      - /intent
    pops:
    - name: oauth-pop
      junctions:
      - /scim

Type: array

List of users to add to the User Registry. These will be created as 'full' Verify Identity Access users.

No Additional Items

Each item of this array must be:

Type: object

User account configuration.

Type: string

The name the user will authenticate as. By default this is the UID LDAP attribute.

Type: string

The CN LDAP attribute for this user. If not set then username will be used.

Type: string

The SN LDAP attribute for this user. If not set then username will be used.

Type: string Format: password

The secret to authenticate as username.

Type: string

The DN LDAP attribute for this user.

Type: array

List of groups to add to the User Registry. These will be created as 'full' Verify Identity Access groups.

No Additional Items

Each item of this array must be:

Type: object

Group configuration.

Type: string

The CN LDAP attribute for this group.

Type: string

The DN LDAP attribute for this group.

Type: string

Optional description of group.

Type: array of string

Optional list of users to add to group. These users must already exist in the user registry.

No Additional Items

Each item of this array must be:

Type: string

Type: array

List of ACL's to create in the Policy Server.

No Additional Items

Each item of this array must be:

Type: object

Access Control List configuration.

Type: string

Name of the ACL.

Type: string

Optional description of the ACL.

Type: array

List of extended attributes to add to ACL.

No Additional Items

Each item of this array must be:

Type: object

ACL extended attribute.

Type: string

Name of the ACL attribute.

Type: string

Value of the ACL attribute.

Type: array

List of users and the permissions they are permitted to perform.

No Additional Items

Each item of this array must be:

Type: object

User or Group entity with permissions.

Type: string

User or Group entity to set permissions for.

Type: string

Permission bit-string, e.g. Tcmdbsvarxl.

Must match regular expression: ^[Tcmdbsvarxl]*$

Type: array

List of groups and the permissions they are permitted to perform.

No Additional Items

Each item of this array must be:

Type: object

User or Group entity with permissions.

Same definition as acls_items_users_items

Type: string

Permissions applied to users who do not match any of the defined user/group permissions.

Must match regular expression: ^[Tcmdbsvarxl]*$

Type: string

Permissions applied to unauthenticated users.

Must match regular expression: ^[Tcmdbsvarxl]*$

Type: array

List of POP's to create in the Policy Server.

No Additional Items

Each item of this array must be:

Type: object

Protected Object Policy configuration.

Type: string

Name of the POP.

Type: string

Optional description of the POP.

Type: array

List of extended attributes to add to the POP.

No Additional Items

Each item of this array must be:

Type: object

POP extended attribute.

Type: string

Name of the POP attribute.

Type: string

Value of the POP attribute.

Type: string

Sets the time of day range for the specified protected object policy.

Type: enum (of string)

Sets the audit level for the specified POP.

Must be one of:

  • "none"
  • "all"
  • "permit"
  • "deny"
  • "admin"
  • "error"

Type: array

Sets the IP endpoint authentication settings in the specified POP.

No Additional Items

Each item of this array must be:

Type: object

IP-based authorization configuration.

Type: string

Permissions for IP authentication not explicitly listed in the POP.

Type: array

List of IP addresses to perform IP endpoint authentication.

No Additional Items

Each item of this array must be:

Type: object

Network IP authorization entry.

Type: string Format: ipv4

TCP/IP address to apply to this POP.

Type: string

The corresponding netmask to apply to this POP.

Type: string

Required step-up authentication level.

Type: array

List of objects to attach attributes to.

No Additional Items

Each item of this array must be:

Type: object

WebSEAL object attribute configuration.

Type: string

Hostname used by the reverse proxy in the Policy Server's namespace.

Type: string

WebSEAL instance name in the Policy Server's namespace.

Type: string

WebSEAL junction to modify.

Type: array

List of attributes to add to junction object.

Must contain at least 1 item

No Additional Items

Each item of this array must be:

Type: object

Attribute to attach to junction object.

Type: string

Name of the attribute to attach to the junction object.

Type: string

Value of the attribute to attach to the junction object.

Type: array

List of ACL's and POP's to attach to a WebSEAL reverse proxy instance.

No Additional Items

Each item of this array must be:

Type: object

Reverse proxy ACL and POP attachments.

Type: string

Hostname used by the reverse proxy in the Policy Server's namespace.

Type: string

WebSEAL instance name in the Policy Server's namespace.

Type: array

List of ACL's to attach to reverse proxy instance.

No Additional Items

Each item of this array must be:

Type: object

ACL attachment to reverse proxy junctions.

Type: string

Name of the ACL to attach to resources.

Type: array of string

List of junction paths which use the specified ACL.

Must contain at least 1 item

No Additional Items

Each item of this array must be:

Type: string

Type: array

List of POP's to attach to reverse proxy instance.

No Additional Items

Each item of this array must be:

Type: object

POP attachment to reverse proxy junctions.

Type: string

Name of the POP to attach to resources.

Type: string

List of junction paths which use the specified POP.
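Working through the ACL entry semantics of the pdadmin section above, as an added example that is not part of this schema documentation or the tool's own code. The property names `name`, `users`, `groups`, `permissions`, `any_other` and `unauthenticated` are assumed (the schema page strips property names), and the evaluation order is the standard Verify Access ACL algorithm: a matching user entry wins, otherwise the union of matching group entries, otherwise any-other, with the unauthenticated entry masked by any-other.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Permission letters accepted by the schema regex ^[Tcmdbsvarxl]*$ and the Verify Access
# permission each letter stands for.
PERM_NAMES: Dict[str, str] = {
    "T": "traverse", "c": "control", "m": "modify", "d": "delete", "b": "browse",
    "s": "server-admin", "v": "view", "a": "attach", "r": "read", "x": "execute", "l": "list",
}
PERM_RE = re.compile(r"^[Tcmdbsvarxl]*$")


def validate_perms(perms: str) -> Set[str]:
    """Check a permission bit-string against the schema regex and return it as a set of letters."""
    if not PERM_RE.match(perms):
        bad = sorted(set(perms) - set(PERM_NAMES))
        raise ValueError(f"invalid permission letters {bad} in {perms!r}")
    return set(perms)


def describe(perms: str) -> List[str]:
    """Human-readable permission names, in the order the letters appear in the schema regex."""
    letters = validate_perms(perms)
    return [name for letter, name in PERM_NAMES.items() if letter in letters]


def effective_permissions(acl: Dict, user: Optional[str], groups: Iterable[str]) -> Set[str]:
    """Permissions one principal receives from one ACL item.

    Assumed evaluation order (the standard Verify Access ACL algorithm):
      1. an entry naming the user wins outright;
      2. otherwise the union of every entry naming one of the user's groups;
      3. otherwise any_other for an authenticated user;
      4. an unauthenticated user (user is None) gets unauthenticated AND any_other,
         so any_other acts as a mask on the unauthenticated entry.
    """
    any_other = validate_perms(acl.get("any_other", ""))
    if user is None:
        return validate_perms(acl.get("unauthenticated", "")) & any_other
    for entry in acl.get("users", []):
        if entry["name"] == user:
            return validate_perms(entry["permissions"])
    group_set = set(groups)
    matched = [validate_perms(e["permissions"])
               for e in acl.get("groups", []) if e["name"] in group_set]
    if matched:
        return set().union(*matched)
    return any_other


def check_acl(acl: Dict) -> List[str]:
    """Validate every permission string in an ACL item; returns the problems found (empty if clean)."""
    problems: List[str] = []
    fields = [(f"user {e['name']}", e["permissions"]) for e in acl.get("users", [])]
    fields += [(f"group {e['name']}", e["permissions"]) for e in acl.get("groups", [])]
    fields += [(k, acl[k]) for k in ("any_other", "unauthenticated") if k in acl]
    for label, perms in fields:
        try:
            validate_perms(perms)
        except ValueError as exc:
            problems.append(f"{acl['name']}: {label}: {exc}")
    return problems


# Constructed ACL item in the shape of this page's pdadmin.acls schema (property names assumed).
# 'unauthenticated' lists read access, but any_other only grants traverse, so anonymous
# requests end up with traverse only.
SAMPLE_ACL = {
    "name": "app_readonly",
    "users": [{"name": "alice", "permissions": "Trx"}],
    "groups": [{"name": "staff", "permissions": "Tr"}, {"name": "devs", "permissions": "x"}],
    "any_other": "T",
    "unauthenticated": "Tr",
}

if __name__ == "__main__":
    print(check_acl(SAMPLE_ACL))
    for who, grps in (("alice", ["staff"]), ("bob", ["staff", "devs"]), ("carol", []), (None, [])):
        print(who, sorted(effective_permissions(SAMPLE_ACL, who, grps)))
```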


Client Certificate Mapping

Schema Docs
Type: array of string

Configuration for client certificate mapping using XSLT files to match X509 certificates from incoming connections to entities in the User Registry.

No Additional Items

Each item of this array must be:

Type: string

Path to XSLT file for certificate mapping.


Example:

client_cert_mapping:
- demo.mapping.xslt
- cert_to_uid.xlst


Junction Mapping

Schema Docs
Type: array of string

A junction mapping table maps specific target resources to junction names. Junction mapping is an alternative to cookie-based solutions for filtering dynamically generated server-relative URLs. A rule is read from a file and uploaded to a Verify Identity Access deployment. The name of the file which contains the junction mapping config is the resulting rule name in Verify Identity Access.

No Additional Items

Each item of this array must be:

Type: string

Path to junction mapping properties file.


Example:

junction_mapping:
- demo.jct.map
- another.jct.map


URL Mapping

Schema Docs
Type: array of string

A URL mapping table is used to map WebSEAL access control lists (ACLs) and protected object policies (POPs) to dynamically generated URLs, such as URLs with query string parameters. URLs can be matched using a subset of UNIX shell pattern matching (including wildcards). A complete list of supported regex can be found here

No Additional Items

Each item of this array must be:

Type: string

Path to URL mapping configuration file.


Example:

url_mapping:
- dyn.url.conf
- url.map.conf


User Mapping

Schema Docs
Type: array of string

User mapping can be used to modify or enrich an authenticated user's credential data. This can be used both to switch the identity of a user and to add attributes to a user's existing credential. User mapping rules are added to a Verify Identity Access deployment using XSLT rules. Detailed information about user mapping XSLT configuration can be found here. The name of the XSLT file will be used as the name of the user mapping rule.

No Additional Items

Each item of this array must be:

Type: string

Path to XSLT user mapping file.


Example:

user_mapping:
- add_email.xslt
- federated_identity_to_basic_user.xslt


Forms Based Single Sign-On

Schema Docs
Type: array of string

The FSSO (forms single sign-on) module can be used by WebSEAL to authenticate a user to a junctioned application server. The module is capable of intercepting authentication requests from an application server, and then supplying the required identity information (retrieved from either the WebSEAL user registry or an HTTP service) to the application server to complete the authentication challenge. More detailed information about FSSO concepts can be found here. The name of the FSSO configuration file will be used as the name of the resulting FSSO configuration in Verify Identity Access.

No Additional Items

Each item of this array must be:

Type: string

Path to FSSO configuration file.


Example:

fsso:
- liberty_jsp_fsso.conf
- fsso.conf


HTTP Transformation Rules

Schema Docs
Type: object

HTTP transformation rules allow WebSEAL to inspect and rewrite request and response objects as they pass through the reverse proxy. HTTP transforms can be applied: when the request is received (by WebSEAL); after an authorization decision has been made; and when the response is received (by WebSEAL). Prior to Verify Access 10.0.4.0 only XSLT rules were supported; from 10.0.4.0 onwards, LUA scripts can also be used to write HTTP transforms. Detailed information about HTTP transformation concepts can be found here. The name of the HTTP transform file will be used as the name of the resulting HTTP transformation rule in Verify Identity Access.


Example:

http_transforms:
  requests:
  - inject_header.xslt
  lua:
  - eai.lua

Type: array of string

List of files to be uploaded as XSLT request HTTP Transformation Rules.

No Additional Items

Each item of this array must be:

Type: string

Type: array of string

List of files to be uploaded as XSLT response HTTP Transformation Rules.

No Additional Items

Each item of this array must be:

Type: string

Type: array of string

List of files to be uploaded as LUA HTTP Transformation Rules.

No Additional Items

Each item of this array must be:

Type: string


Kerberos

Schema Docs
Type: object

The SPNEGO/Kerberos module can be used to enable SSO solutions to Microsoft (Active Directory) systems via Kerberos delegation. Kerberos is configured by setting properties by id and subsections. There are several top-level ids which can be used to configure Kerberos Realms, Local Domain Realms, Certificate Authority paths and key files.


Example:

kerberos:
  libdefault:
    default_realm: test.com
  realms:
  - name: test.com
    properties:
    - kdc: test.com
  domain_realms:
  - name: demo.com
    dns: test.com
  keytabs:
  - admin.keytab
  - user.keytab

Type: array of object

List of key: value properties to configure as defaults.

No Additional Items

Each item of this array must be:

Type: object

Each additional property must conform to the following schema

Type: string

Type: array

List of Kerberos Realm's to configure.

No Additional Items

Each item of this array must be:

Type: object

Kerberos realm configuration.

Type: string

Name of the Kerberos realm.

Type: array of object

List of key / value properties to configure for realm.

No Additional Items

Each item of this array must be:

Type: object

Each additional property must conform to the following schema

Type: string

Type: array

List of Kerberos Domain Realm's to configure.

No Additional Items

Each item of this array must be:

Type: object

Kerberos domain realm mapping.

Type: string

Name of the Domain Realm.

Type: string

DNS server for the Domain Realm.

Type: array of string

List of files to import as Kerberos Keytab files.

No Additional Items

Each item of this array must be:

Type: string

Type: object

Kerberos capaths configuration.

Additional Properties of any type are allowed.

Type: object


Password Strength Rules

Schema Docs
Type: array of string

The password strength module can be used to enforce XSLT-defined password requirements for basic and full Verify Identity Access users. More detailed information about rule syntax can be found here. Rules are uploaded to a deployment from files; the name of the file is used as the name of the resulting password strength rule in Verify Identity Access.

No Additional Items

Each item of this array must be:

Type: string

Path to XSLT file to be uploaded as password strength check.


Example:

password_strength:
- demo_rule.xlst


RSA SecurID Authentication

Schema Docs
Type: object

The RSA integration module can be used to allow users who are authenticating to WebSEAL's user registry to use an RSA OTP as a second factor. More information about configuring this mechanism and the corresponding configuration to integrate with WebSEAL login can be found here.


Example:

rsa_config:
  server_config: server.conf
  optional_server_config: optional_server.conf

Type: string

The server configuration file to upload.

Type: string

The server configuration options file to upload.


Runtime Component

Schema Docs
Type: object

The WebSEAL runtime server is the Directory Server which contains the reverse proxy's user registry and policy server. This is typically an LDAP server external to the deployment; however, an example LDAP server is made available to deployments for testing.

The Verify Identity Access specific LDAP schemas can be found in the System -> File Downloads section of an appliance/configuration container in the isva directory.

Any PKI required to verify this connection should be imported into an SSL database before the runtime component is configured.


Examples:

runtime:
  policy_server: remote
  user_registry: remote
  ldap:
    host: openldap
    port: 636
    dn: cn=root,secAuthority=Default
    dn_password: ldap-passwd
    key_file: lmi_trust_store
  clean_ldap: true
  domain: Default
  admin_password: secmaster-passwd
  admin_cert_lifetime: 1460
  ssl_compliance: FIPS 140-2
  isam:
    host: iviaconfig
    port: 443
  stanza_configuration:
  - operation: update
    resource: ldap.conf
    stanza: bind-credentials
    entry: bind-dn
    value: cn=root,secAuthority=Default
  - operation: delete
    resource: ldap.conf
    stanza: server:MyFederatedDirectory

runtime:
  password: newEmbeddedLdapPassw0rd
  admin_id: sec_master
  admin_password: newEmbeddedLdapPassw0rd

Type: enum (of string)

The mode for the policy server.

Must be one of:

  • "local"
  • "remote"

Type: enum (of string)

Type of user registry to use.

Must be one of:

  • "local"
  • "ldap"

Type: boolean

Remove any existing user data from registry. Only valid if user_registry is local.

Type: string

The Security Verify Identity Access domain name.

Type: string Format: password

The password for the sec_master user.

Type: integer

The lifetime in days for the SSL server certificate.

Value must be greater than or equal to 1

Type: enum (of string)

Specifies whether SSL is compliant with any additional computer security standard.

Must be one of:

  • "fips"
  • "sp800-131-transition"
  • "sp800-131-strict"
  • "suite-b-128"
  • "suite-b-192"

Type: object

LDAP server properties.

Type: string

Hostname or address for LDAP server.

Type: integer

Port LDAP server is listening on.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

Distinguished name to bind to LDAP server for admin operations.

Type: string Format: password

Password to authenticate as dn.

Type: string

SecAuthority suffix.

Type: string

SSL Database to use to verify connections to LDAP server.

Type: string

SSL Certificate label to verify connections to LDAP server.

Type: object

Verify Identity Access policy server properties.

Type: string

Hostname or address of Verify Identity Access policy server.

Type: integer

Port that Verify Identity Access policy server is listening on.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: array

Optional list of modifications to configuration files.

No Additional Items

Each item of this array must be:

Type: object

Configuration file stanza modification.

Type: enum (of string)

Operation to perform on configuration file.

Must be one of:

  • "add"
  • "delete"
  • "update"

Type: enum (of string)

Filename to be modified.

Must be one of:

  • "ldap.conf"
  • "pd.conf"
  • "instance.conf"

Type: string

Name of stanza to modify.

Type: string

Optional entry_id to modify.

Type: string

Optional value to modify.

Type: boolean Default: false

Optional property to attempt to force a reconfiguration of the runtime component if it is already configured. This is not possible if there are reverse proxy objects.

Type: string Format: password

The password to update the embedded LDAP server's root user secret. If provided and the runtime component is in the Available state, this property can be used to modify the embedded LDAP root user cn=root,secAuthority=Default secret.
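The add/update/delete semantics described for stanza_configuration, both in the reverse proxy instance section (where the key is `entry_id`) and in the runtime component section above (where it is `entry` and a `resource` file is named), applied to a stanza-style file. This is an added example, not code from this schema documentation or the tool itself; the sample file below is constructed from key names that appear in this page's examples, and the behaviour for duplicate keys under `update` (every duplicate is rewritten) is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# One (stanza, key, value) line of a stanza-style file such as webseal.conf or ldap.conf.
Entry = Tuple[str, str, str]

_STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_stanzas(text: str) -> List[Entry]:
    """Parse '[stanza]' / 'key = value' text into ordered entries; comments and blanks are dropped."""
    entries: List[Entry] = []
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _STANZA_RE.match(line)
        if match:
            current = match.group("name")
            continue
        # Split on the first '=' only: values such as redirect URIs may themselves contain '='.
        key, sep, value = line.partition("=")
        if not sep or not current:
            raise ValueError(f"unexpected line {raw!r}")
        entries.append((current, key.strip(), value.strip()))
    return entries


def apply_operation(entries: List[Entry], op: Dict[str, str]) -> List[Entry]:
    """Apply one stanza_configuration item with the semantics the schema describes.

    add    -> append the entry even if stanza/entry already exists (a duplicate is created)
    update -> replace the value of every existing entry with that stanza/key, else add it
    delete -> remove matching entries; with no entry given the whole stanza is removed
    """
    stanza = op["stanza"]
    # The reverse_proxy schema calls the key 'entry_id'; the runtime schema calls it 'entry'.
    key: Optional[str] = op.get("entry_id", op.get("entry"))
    value: Optional[str] = op.get("value")
    operation = op["operation"]
    if operation in ("add", "update") and (key is None or value is None):
        raise ValueError(f"{operation} needs an entry name and a value")
    if operation == "add":
        return entries + [(stanza, key, value)]
    if operation == "update":
        if any(s == stanza and k == key for s, k, _ in entries):
            return [(s, k, value if s == stanza and k == key else v) for s, k, v in entries]
        return entries + [(stanza, key, value)]
    if operation == "delete":
        return [e for e in entries
                if not (e[0] == stanza and (key is None or e[1] == key)
                        and (value is None or e[2] == value))]
    raise ValueError(f"unknown operation {operation!r}")


def render(entries: List[Entry]) -> str:
    """Write entries back out, grouping each stanza's lines under one header (first-seen order)."""
    grouped: Dict[str, List[str]] = {}
    for stanza, key, value in entries:
        grouped.setdefault(stanza, []).append(f"{key} = {value}")
    blocks = [f"[{stanza}]\n" + "\n".join(lines) for stanza, lines in grouped.items()]
    return "\n\n".join(blocks) + "\n"


def configure(text: str, ops: List[Dict[str, str]]) -> List[Entry]:
    """Parse a file and apply the stanza_configuration items in order."""
    entries = parse_stanzas(text)
    for op in ops:
        entries = apply_operation(entries, op)
    return entries


# Constructed stanza file; stanza and key names are taken from this page's examples, values are made up.
SAMPLE_CONF = """\
[acnt-mgt]
enable-local-response-redirect = no

[local-response-redirect]
local-response-redirect-uri = /pkmslogin.form

[server:MyFederatedDirectory]
host = federated.example.com
"""

# The two 'update' items mirror the reverse_proxy example on this page; the 'add' and 'delete'
# items are constructed to show duplicate creation and whole-stanza removal.
SAMPLE_OPS = [
    {"stanza": "acnt-mgt", "entry_id": "enable-local-response-redirect",
     "value": "yes", "operation": "update"},
    {"stanza": "local-response-redirect", "entry_id": "local-response-redirect-uri",
     "value": "/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password",
     "operation": "update"},
    {"stanza": "acnt-mgt", "entry_id": "enable-local-response-redirect",
     "value": "yes", "operation": "add"},
    {"stanza": "server:MyFederatedDirectory", "operation": "delete"},
]

if __name__ == "__main__":
    print(render(configure(SAMPLE_CONF, SAMPLE_OPS)))
```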


API Access Control

Schema Docs
Type: object

Configuration for API Access Control, including authorization servers, resource servers, policies, and CORS settings. An API authorization server typically defines one or more resource servers which have authentication requirements to permit access. This section can also be used to configure Cross-Origin Resource Sharing (CORS) policies. Configuration to connect to the user registry is read from the webseal.runtime entry.


Example:

api_access_control:
  authorization_servers:
  - name: api_server
    hostname: localhost
    auth_port: 9443
    admin_port: 7138
    domain: Default
    addresses:
    - 192.168.42.102
    ssl: 'yes'
    ssl_port: '636'
    key_file: pdsrv.kdb
    key_alias: webseal-cert
  cors:
  - name: cors_policy
    allowed_origins:
    - https://webseal.ibm.com
    - https://webseal.ibm.com:9443
    - http://static.webseal.ibm.com
    - http://static.webseal.ibm.com:9080
    allowed_credentials: true
    exposed_headers:
    - X-ISAM-VERSION
    - X-ISAM-KEY
    handle_preflight: true
    allowed_methods:
    - retry
    - IBMPost
    - Remove
    allowed_headers:
    - X-ISAM-MODE
    - Content-type
    max_age: 86400

Type: array

List of API Authorization servers to create.

No Additional Items

Each item of this array must be:

Type: object

API Authorization Server configuration. Authorization servers are the points of contact for external traffic to access protected resource servers. Each server has its own object space in the Verify Identity Access policy server.

Type: string

This is the new instance name, which is a unique name that identifies the instance.

Type: string

The host name of the local host. This name is used when constructing the authorization server name.

Type: integer

The port on which authorization requests will be received.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: integer

The port on which Security Verify Identity Access administration requests will be received.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

The Security Verify Identity Access domain.

Type: array of string

A JSON array containing a list of local addresses on which the authorization server will listen for requests.

No Additional Items

Each item of this array must be:

Type: string Format: ipv4

Type: enum (of string)

Whether or not to enable SSL between the Security Verify Identity Access authorization server and the LDAP server.

Must be one of:

  • "yes"
  • "no"

Type: string

The SSL port on which the LDAP server will be contacted. Only valid if ssl is set to yes.

Type: string

The name of the keyfile that will be used when communicating with the LDAP server over SSL.

Type: string

The label of the certificate within the keyfile to use.

Type: array

List of API Resource servers to create.

No Additional Items

Each item of this array must be:

Type: object

API Resource Server configuration with junction and authentication settings. Resource servers are third party application servers / microservices that are being protected by the Authorization server.

Type: string

Name of the WebSEAL Reverse Proxy instance this resource server is attached to.

Type: string

The DNS host name or IP address of the target back-end server.

Type: integer

TCP port of the back-end third-party server. Default is 80 for TCP junctions and 443 for SSL junctions.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

Virtual host name that is used for the junctioned Web server.

Type: string

Specifies the distinguished name of the junctioned Web server.

Type: string

Specifies the common name, or subject alternative name, of the junctioned Web server.

Type: string

An optional description for this junction.

Type: string

Name of the location in the Reverse Proxy namespace where the root of the back-end application server namespace is mounted.

Type: enum (of string)

Type of junction.

Must be one of:

  • "tcp"
  • "ssl"
  • "tcpproxy"
  • "sslproxy"
  • "mutual"

Type: enum (of string)

Specifies whether the junction supports stateful applications. By default, junctions are not stateful.

Must be one of:

  • "yes"
  • "no"

Type: object

The Policy that is associated with this Resource Server.

Type: enum (of string)

The type of Policy.

Must be one of:

  • "unauthenticated"
  • "anyauthenticated"
  • "none"
  • "default"
  • "custom"

Type: string

The name of the custom policy if the type is custom.

Type: enum (of string)

The type of OAuth authentication.

Must be one of:

  • "default"
  • "oauth"

Type: enum (of string)

The transport type.

Must be one of:

  • "none"
  • "http"
  • "https"
  • "both"

Type: string

The proxy, if any, used to reach the introspection endpoint.

Type: enum (of string)

The method for passing the authentication data to the introspection endpoint.

Must be one of:

  • "client_secret_basic"
  • "client_secret_post"

Type: string Format: uri

This is the introspection endpoint which will be called to handle the token introspection.

Type: string

The client identifier which is used for authentication with the external OAuth introspection endpoint.

Type: string Format: password

The client secret which is used for authentication with the external OAuth introspection endpoint.

Type: string

The name of the HTTP header which contains the client identifier which is used to authenticate to the introspection endpoint. Only valid if client_id has not been set.

Type: string

A hint about the type of the token submitted for introspection.

Type: string

A formatted string which is used to construct the Verify Identity Access principal name from elements of the introspection response. Claims can be added to the identity string, surrounded by {}.

Type: enum (of string)

A boolean which is used to indicate whether the mapped identity should correspond to a known Verify Identity Access identity or not.

Must be one of:

  • "true"
  • "false"

Type: array

A list of rules indicating which parts of the json response should be added to the credential.

No Additional Items

Each item of this array must be:

Type: object

Credential attribute configuration.

Type: string

The position of this attribute in the ordered list of all attributes.

Type: enum (of string)

The action to perform for this attribute.

Must be one of:

  • "put"
  • "remove"

Type: string

The name of the attribute.

Type: array

A list of header names and values that should be added to the HTTP response.

No Additional Items

Each item of this array must be:

Type: object

HTTP response header configuration.

Type: string

The name of the response header.

Type: string

The value of the response header.

Type: string

The name of the HTTP header that will contain the JWT.

Type: string

The label of the personal certificate that will sign the JWT.

Type: object

The list of claims to add to the JWT.

Type: enum (of string)

The type of claim to add to the JWT.

Must be one of:

  • "text"
  • "attr"

Type: string

The value for the claim. If the type is text this will be the literal text that is added to the JWT. If the type is attr this will be the name of the credential attribute to add to the JWT.

Type: string

The name of the claim that is added to the JWT. For attr type claims this is optional and if not specified the claim name will be set as the name of the credential attribute. If the type is attr and the value contains a wildcard this field is invalid and if specified will result in an error.
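The introspection-to-principal mapping, the put/remove credential attribute rules and the text/attr JWT claim rules described above, worked through in Python as an added illustration; this is not code from the configuration tool or from Verify Identity Access itself. The introspection response and the rule lists are constructed, rule ordering is assumed to follow list order, and signing the JWT with the configured personal certificate is left to the proxy.

```python
import fnmatch
import re

# Constructed sample introspection response (RFC 7662 field names);
# in a deployment it comes from the configured introspection endpoint.
SAMPLE_INTROSPECTION = {
    "active": True,
    "sub": "alice",
    "client_id": "mobile-app",
    "scope": "openid profile",
    "iss": "https://idp.example.test",
    "exp": 1700000000,
}

CLAIM_REF = re.compile(r"\{([^{}]+)\}")


def map_identity(response, template):
    """Build the principal name from an introspection response.

    Claims are referenced in the template as {claim}.  Inactive tokens are
    rejected before any mapping, and a referenced claim that is absent is an
    error rather than an empty string (an empty principal is easy to mis-match).
    """
    if response.get("active") is not True:
        raise PermissionError("token is not active")

    def lookup(match):
        claim = match.group(1)
        if claim not in response:
            raise KeyError("claim %r missing from introspection response" % claim)
        return str(response[claim])

    return CLAIM_REF.sub(lookup, template)


def build_credential(response, rules):
    """Select introspection fields to carry as credential attributes.

    Each rule has an action ('put' or 'remove') and an attribute name; rules
    are applied in list order, so a later 'remove' undoes an earlier 'put'
    (the ordering field in the schema is assumed to mean the same thing).
    """
    attrs = {}
    for rule in rules:
        name, action = rule["name"], rule["action"]
        if action == "put":
            if name in response:
                attrs[name] = response[name]
        elif action == "remove":
            attrs.pop(name, None)
        else:
            raise ValueError("unknown credential attribute action %r" % action)
    return attrs


def build_jwt_claims(attrs, claim_rules):
    """Assemble the claim set for the JWT handed to the junctioned server.

    type 'text': the value is literal and needs an explicit claim name.
    type 'attr': the value names a credential attribute; the claim name
    defaults to the attribute name.  A wildcard value copies every matching
    attribute under its own name and must not carry a name, as the schema says.
    """
    claims = {}
    for rule in claim_rules:
        ctype, value, name = rule["type"], rule["value"], rule.get("name")
        if ctype == "text":
            if not name:
                raise ValueError("text claims require a name")
            claims[name] = value
        elif ctype == "attr":
            if any(ch in value for ch in "*?"):
                if name:
                    raise ValueError("name is not valid for a wildcard attr claim")
                for attr_name, attr_value in attrs.items():
                    if fnmatch.fnmatchcase(attr_name, value):
                        claims[attr_name] = attr_value
            elif value in attrs:
                claims[name or value] = attrs[value]
        else:
            raise ValueError("unknown claim type %r" % ctype)
    return claims
```

Rejecting on a missing claim rather than substituting an empty string matters when the principal is later compared against registry identities: a template such as "{sub}@{iss}" must never silently collapse to "@https://...".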

Type: string

Defines the hard limit percentage for consumption of worker threads. Valid value is an integer from 0 to 100.

Must match regular expression: ^([0-9]|[1-9][0-9]|100)$

Type: string

Defines the soft limit percentage for consumption of worker threads. Valid value is an integer from 0 to 100.

Must match regular expression: ^([0-9]|[1-9][0-9]|100)$

Type: enum (of string)

Defines how the Reverse Proxy server passes client identity information in HTTP basic authentication (BA) headers to the back-end server.

Must be one of:

  • "filter"
  • "ignore"
  • "supply"
  • "gso"

Type: enum (of string)

Enables IBM Security Federated Identity Manager single sign-on (SSO) for the junction.

Must be one of:

  • "yes"
  • "no"

Type: array of enum (of string)

Controls the insertion of Security Verify Identity Access specific client identity information in HTTP headers across the junction.

No Additional Items

Each item of this array must be:

Type: enum (of string)

Must be one of:

  • "iv-user"
  • "iv-user-l"
  • "iv-groups"
  • "iv-creds"
  • "all"

Type: enum (of string)

Specifies whether the junction supports the HTTP/2 protocol. By default, junctions do not support the HTTP/2 protocol.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether junction proxies support the HTTP/2 protocol. By default, junction proxies do not support the HTTP/2 protocol.

Must be one of:

  • "yes"
  • "no"

Type: string

The server name indicator (SNI) to send to TLS junction servers. By default, no SNI is sent.

Type: enum (of string)

Specifies whether a transparent path junction is created.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether to enforce mutual authentication between a front-end Reverse Proxy server and a back-end Reverse Proxy server over SSL.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Controls whether LTPA cookies are passed to the junctioned Web server.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Controls whether to send the session cookie to the junctioned Web server.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies the encoding to use when the system generates HTTP headers for junctions.

Must be one of:

  • "utf8_bin"
  • "utf8_uri"
  • "lcp_bin"
  • "lcp_uri"

Type: enum (of string)

Specifies whether to use BA header information to authenticate to back-end server.

Must be one of:

  • "yes"
  • "no"

Type: string

The key label for the client-side certificate that is used when the system authenticates to the junctioned Web server.

Type: string

The name of the GSO resource or resource group.

Type: enum (of string)

Specifies whether to insert the IP address of the incoming request into an HTTP header for transmission to the junctioned Web server.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether LTPA version 2 cookies (LtpaToken2) are used.

Must be one of:

  • "yes"
  • "no"

Type: string

Location of the key file that is used to encrypt the LTPA cookie data.

Type: enum (of string)

Specifies whether to allow denied requests and failure reason information from authorization rules to be sent in the Boolean Rule header (AMAZNFAILURE) across the junction.

Must be one of:

  • "yes"
  • "no"

Type: string

The name of the configuration file that is used for forms based single sign-on.

Type: string

The Reverse Proxy user name. Used to send BA header information to the back-end server.

Type: string Format: password

The Reverse Proxy password. Used to send BA header information to the back-end server.

Type: string Format: ipv4

Specifies the local IP address that the Reverse Proxy uses when the system communicates with the target back-end server.

Type: string

Provides the Reverse Proxy with the correct name of the querycontents program file and where to find the file. By default, the Windows file is called querycontents.exe and the UNIX file is called query_contents.sh.

Type: enum (of string)

Specifies whether the Reverse Proxy server treats URLs as case sensitive.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether Windows style URLs are supported.

Must be one of:

  • "yes"
  • "no"

Type: string Format: password

Password for the key file that is used to encrypt LTPA cookie data.

Type: integer

HTTPS port of the back-end third-party server. Applicable when the junction type is ssl.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: integer

HTTP port of the back-end third-party server. Applicable when the junction type is tcp.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

The DNS host name or IP address of the proxy server. Applicable when the junction type is sslproxy.

Type: integer

The TCP port of the proxy server. Applicable when the junction type is tcpproxy.

Value must be greater than or equal to 1 and less than or equal to 65535

Type: string

Only applicable for virtual junctions. Specifies the replica set that sessions on the virtual junction are managed under.

Type: string

Only applicable for virtual junctions. Causes a second virtual junction to share the protected object space with the initial virtual junction.

Type: enum (of string)

This option is valid only with junctions that were created with the type of ssl or sslproxy. Indicates single sign-on from a front-end Reverse Proxy server to a back-end Reverse Proxy server.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Supplies junction identification in a cookie to handle script-generated server-relative URLs.

Must be one of:

  • "yes"
  • "no"

Type: enum (of string)

Specifies whether to overwrite an existing junction of the same name.

Must be one of:

  • "yes"
  • "no"

Type: array

List of resources to add to resource server.

No Additional Items

Each item of this array must be:

Type: object

API resource configuration.

Type: enum (of string)

The HTTP action for this resource.

Must be one of:

  • "GET"
  • "POST"
  • "PUT"
  • "DELETE"
  • "PATCH"
  • "HEAD"
  • "OPTIONS"

Type: string

The URI path for this resource. This is a full server relative path including the junction point.

Type: string

A description for this resource.

Type: string

The name of the custom policy if the type is custom.

Type: enum (of string)

The type of Policy.

Must be one of:

  • "unauthenticated"
  • "anyauthenticated"
  • "none"
  • "default"
  • "custom"

Type: array

A list of header names and values that should be added to the HTTP response.

No Additional Items

Each item of this array must be:

Type: object

HTTP response header configuration.

Same definition as resource_servers_items_static_response_headers_items

Type: string

The name of the rate limiting policy that has been set for this resource.

Type: array of string

A list of aliases that all map to the path of this resource.

No Additional Items

Each item of this array must be:

Type: string

Type: string

The value of the accept header that will trigger a documentation response.

Type: string

The name and path of the documentation file to respond with, relative to the junction root.

Type: array of string

The document root defines a static set of web files (HTML, JS, CSS, etc.) which can be served by the Authorization server.

No Additional Items

Each item of this array must be:

Type: string

Type: array

List of API access control policies to create.

No Additional Items

Each item of this array must be:

Type: object

API access control policy configuration.

Type: string

The name of the policy.

Type: array of string

The groups referenced by this policy. User must be a member of at least one group for this policy to be authorized. The default is no groups if not specified.

No Additional Items

Each item of this array must be:

Type: string

Type: array of string

The attribute matches referenced by this policy. Each attribute must be matched for this policy to be authorized. The default is no attributes if not specified.

No Additional Items

Each item of this array must be:

Type: string

Type: array

List of Cross-Origin Resource Sharing policies to create.

No Additional Items

Each item of this array must be:

Type: object

CORS policy configuration. A CORS policy can be used to configure the URIs which are permitted to make cross-origin resource requests as well as the types of resources which are permitted to be shared.

Type: string

The name of the CORS policy.

Type: array of string

An array of origins which are allowed to make cross origin requests to this resource. Each origin must contain the scheme and any non-default port information. A value of * indicates that any origin will be allowed.

No Additional Items

Each item of this array must be:

Type: string

Type: boolean Default: false

Controls whether or not the Access-Control-Allow-Credentials header will be set. If not present, this value will default to false.

Type: array of string

Controls the values populated in the Access-Control-Expose-Headers header.

No Additional Items

Each item of this array must be:

Type: string

Type: boolean Default: false

Controls whether or not the Reverse Proxy will handle pre-flight requests. If not present, this value will default to false.

Type: array of string

Controls the methods permitted in pre-flight requests and the subsequent Access-Control-Allow-Methods header. This option only relates to pre-flight requests handled by the Reverse Proxy and will be ignored if handle_preflight is set to false. Methods are case sensitive and simple methods (i.e. GET, HEAD and POST) are always implicitly allowed.

No Additional Items

Each item of this array must be:

Type: string

Type: array of string

Controls the headers permitted in pre-flight requests and the subsequent Access-Control-Allow-Headers header. This option only relates to pre-flight requests handled by the Reverse Proxy and will be ignored if handle_preflight is set to false.

No Additional Items

Each item of this array must be:

Type: string

Type: integer Default: 0

Controls the Access-Control-Max-Age header added to pre-flight requests. If set to zero, the header will not be added to pre-flight responses. If set to -1, clients will be told not to cache at all. If not present, this value will default to 0.
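How the CORS properties described above translate into pre-flight handling, as an added Python illustration rather than code from the configuration tool or the proxy. The policy dict mirrors the field names of a cors entry, the request values are constructed, and because the exact header values the appliance emits are not documented here the block follows the standard CORS rules (echoing the matched origin, which is what a credentialed response requires). The lint at the end catches the one combination worth flagging before deployment.

```python
# Always permitted in a pre-flight, per the allowed_methods description.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}

# Constructed policy using the same field names as a cors entry in the YAML.
POLICY = {
    "name": "cors_policy",
    "allowed_origins": ["https://app.example.test", "https://app.example.test:9443"],
    "allowed_credentials": True,
    "exposed_headers": ["X-ISAM-VERSION"],
    "handle_preflight": True,
    "allowed_methods": ["PUT", "DELETE"],
    "allowed_headers": ["X-ISAM-MODE", "Content-type"],
    "max_age": 86400,
}


def origin_allowed(policy, origin):
    """Origins match exactly, scheme and any non-default port included;
    '*' admits every origin."""
    allowed = policy.get("allowed_origins", [])
    return "*" in allowed or origin in allowed


def preflight_headers(policy, origin, requested_method, requested_headers=()):
    """Headers for an OPTIONS pre-flight the proxy handles itself, or None
    when the policy does not permit the request (no CORS headers are sent,
    so the browser blocks the actual request)."""
    if not policy.get("handle_preflight", False):
        return None
    if not origin_allowed(policy, origin):
        return None
    # Method names are case sensitive; simple methods are implicitly allowed.
    allowed_methods = SIMPLE_METHODS | set(policy.get("allowed_methods", []))
    if requested_method not in allowed_methods:
        return None
    # Header names are case insensitive in HTTP, so compare lower-cased.
    allowed_headers = {h.lower() for h in policy.get("allowed_headers", [])}
    if any(h.lower() not in allowed_headers for h in requested_headers):
        return None

    headers = {
        # Echo the matched origin (required when credentials are allowed);
        # Vary: Origin keeps shared caches from serving it to another origin.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
    }
    if policy.get("allowed_headers"):
        headers["Access-Control-Allow-Headers"] = ", ".join(policy["allowed_headers"])
    if policy.get("allowed_credentials", False):
        headers["Access-Control-Allow-Credentials"] = "true"
    max_age = policy.get("max_age", 0)
    if max_age == -1:
        headers["Access-Control-Max-Age"] = "-1"  # client told not to cache
    elif max_age > 0:
        headers["Access-Control-Max-Age"] = str(max_age)
    # max_age == 0: header omitted, the browser applies its own default
    return headers


def lint_policy(policy):
    """Return findings for settings that are invalid or weaker than their
    author probably intended."""
    findings = []
    origins = policy.get("allowed_origins", [])
    if "*" in origins and policy.get("allowed_credentials", False):
        findings.append(
            "allowed_credentials with origin '*': browsers refuse "
            "Access-Control-Allow-Credentials on a wildcard origin, and echoing "
            "any requesting origin to work around that would let every site "
            "read credentialed responses")
    for origin in origins:
        if origin == "*":
            continue
        if not origin.startswith(("https://", "http://")):
            findings.append("origin %r must include the scheme" % origin)
        elif origin.startswith("http://"):
            findings.append("origin %r is plaintext; anyone on the path can act as it" % origin)
    return findings
```

Run lint_policy over every cors entry before applying a configuration: an allowed_origins list that mixes * with allowed_credentials: true either fails silently in the browser or, if somebody "fixes" it by reflecting origins, turns the policy into an open door for authenticated API calls.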