| Back | Next | Contents | Cams Web Agent Guide |
Cams web agents are configured with properties found in each Cams web agent's cams-webagent.conf file. As you work with Cams, you'll become more familiar with the critical values, which are common to all Cams web agents.
This document contains information to help you understand Cams web agent configuration properties and which web agents use them, as shown in Table 1 in the order they appear within the cams-webagent.conf file.
NOTE: Generally, the properties you should focus your attention on are found at the top of the cams-webagent.conf file. Properties with values that must have matching Cams policy server configuration or security domain values are highlighted in bold red in Table 1. If not otherwise noted, the properties are common to all Cams web agents.
WARNING: Properties in cams-webagent.conf that are not documented on this page configure debug, loggers and Cams protocols or services. You should not change these values unless instructed to do so by Cafésoft support.
| Name | Description |
|---|---|
| cams.debug cams.cluster.debug cams.attributes.debug |
Toggle Cams policy server, cluster and attributes debug messages on/off [true|false]. If you enable cams.attributes.debug you must also enable cams.debug for attributes debug messages to appear. Debug messages WARNING: Turning on debug will diminish
Cams web agent performance |
| cams.cluster.name |
The name of the Cams cluster to which this Cams web agent will delegate requests. This value is used by the Cams web agent to identify Cams session cookies originating from a specific Cams cluster. For example, to use a Cams cluster with the default name MyCamsCluster, use:
NOTE: You should change the cluster name as part of a hardening exercise. You might also consider using different cluster names for development, test/qa and production Cams policy servers. This will prevent situations where Cams session cookies for one Cams policy server cluster are submitted by your browser to a Cams web agent associated with a different Cams policy server cluster, which will create a 5100 Cams web agent connection error condition. |
|
cams.server.url.<server-name> |
The URL of a Cams policy server to be used. The name of this property will depend on the Cams policy server name. The property value is the Cams policy server bind IP address or hostname and the port. For example, to connect to a Cams policy server with the default name MyCamsServer on bind IP address 192.168.0.10 with the default port 9191, use:
One property must exist for each Cams policy server in your cluster. For example, the following properties configure a web agent for a two node Cams policy server cluster:
Each URL has the form: cams://host:port, where host is a host name or an IP address. For example:
WARNING: If the Cams web agent and Cams policy server communicate through a firewall, the firewall must be configured to allow general TCP/IP traffic on the configured Cams policy server port. |
| cams.heartbeat.interval | The number of seconds a Cams web agent will wait between requests to check for the availability of a Cams policy server. The default is 5 seconds. |
| cams.response.timeout | The number of seconds before the Cams web agent will timeout waiting for any response from a Cams policy server. |
| connection.authentication.type |
The type of authentication the Cams web agent will use to authenticate connections that it establishes with the Cams policy server. Supported authentication types include:
NOTE: This is NOT the authentication type used to authenticate users, rather it is the authentication type used to authenticate the Cams web agent connections to a Cams policy server. |
| connection.authentication.principal | The principal (or username) the Cams web agent will use to authenticate connections it establishes with the Cams policy server. By default, the system security domain handles web agent authentication with the cams-users.xml user directory configured as the authentication repository. |
| connection.authentication.credential | The credential (or password) the Cams web agent will use to authenticate connections it establishes with the Cams policy server. By default, the system security domain handles Cams web agent authentication with the cams-users.xml user directory configured as the authentication repository. |
| cams.cookie.prefix |
Set the prefix used for all Cams-related cookie names. The Cams session identifier automatic login cookies will use the specified prefix, which may contain any alphanumeric character but must not include punctuation, dash and underscore characters. The default value is CAMS. Cams session identifier cookies have the following naming convention:
Cams automatic login identifier cookies have the following naming convention:
|
| cams.error.url |
The relative or fully qualified URL to redirect to (known as the Cams error page) if an error occurs during authentication or when accessing a protected resource. See Scripts for more information on Cams error page creation and integration. WARNING: The access control policy must ensure that access to the error page is granted. |
| cams.denied.url |
The relative or fully qualified URL to redirect to (known as the Cams access denied page) if access to a protected resource is denied by the Cams policy server. See Scripts for more information on Cams access denied page creation and integration. WARNING: The access control policy must ensure that access to the denied page is granted. |
| cams.login.uri |
The Cams web agent will interpret HTTP POST requests to this exact URI as a login (authentication) request. Posted parameters (usually hidden fields) MUST include:
and will also usually include callback parameters used by Cams policy server login modules. For example:
The actual callback parameters posted must match those expected by the callback handler login module configured with the specified security domain/login config entry. |
| cams.logout.uri |
The Cams web agent will interpret HTTP GET and POST requests to this exact URI as a logout request. Because a given user may be logged into multiple security domains simultaneously, the web page referencing this URI must specify the security domain name associated with the logout request as a query parameter. For example, if a web agent hosted on web server www.mysite.com has:
then the following request will attempt to logout the user that is logged into security domain system:
|
| cams.after.logout.url | The URL to which a user is directed AFTER successful logout. This might be a web site or portal home page. See Scripts for more information on using this and dynamic Cams after logout URLs in your site's pages. |
| cams.loginconfig.entry | The login-config-entry to use to authenticate clients. This value corresponds to a login-config-entry that is defined in the corresponding security domain's login-config.xml file, which defines the login modules, callback handler and any login parameters to be used. Typically, the default value http is used for web resources. |
| cams.autologin.enabled |
Toggle Cams automatic login handling on/off [true|false]. Automatic login enables a persistent cookie with encrypted user name and password value to be stored in a user's browser. This cookie is detected by the Cams web agent on subsequent visits to automatically and transparently authenticate the user. NOTE: This property requires configuration changes to the associated Cams policy server security domain's security-domain.xml file. See the Cams Administrator's Guide - Configuring Automatic HTTP User Login for more details. |
| cams.access.check.cache |
Toggle access control check caching on/off [true|false]. Access control check caching improves performance by enabling the Cams web agent to remember a previous access control check response from the Cams policy server for a specified period of time. Cams web agents ONLY cache responses associated with unconditionally granted or denied resources. This enables public resources like GIF and JPEG image files, Javascript, style sheets, etc. to avoid repeated access control checks. The Cams policy server unconditionally grants or denies access to a resouce if the permission matching the resource directly references a Cams intrinsic access control rule (e.g. granted, denied or confidential). |
| cams.access.check.cache.size | The maximum number of access control check responses that can be cached at a given time. Once the cache is full, newly cached responses will force removal of the least recently used response in the cache. |
| cams.access.check.cache.max_record_size |
The maximum number of bytes that can be used to cache an access cotnrol response. Currently, the only variable length value returned from an access control response and saved to the cache is the security domain name. Consequently, 20 bytes plus the maximum security domain name length is large enough for a cache record, which is stored in shared memory for access by all child processes. A value of 50 (bytes) should be sufficient for most installations. This property is only available on:
|
| cams.access.check.cache.refreshTime | The number of minutes before an access control request is sent to the Cams policy server to check if the cache should be cleared. This ensures that Cams web agents can detect changes to a Cams access control policy within this period, forcing the cache to be flushed if necessary. |
| cams.session.cache |
Toggle user session caching on/off [true|false]. Cams web agents can retrieve user session information from the Cams policy server to inject into HTTP requests as Cams secure HTTP request headers by enabling the cams.http.headers proptery (see also the Cam's Programmer's Guide - Accessing HTTP Headers). Session caching enables the Cams web agent to remember these values so subsequent requests will not need to get the session information from the Cams policy server for a specified period of time. |
| cams.session.cache.max_sessions |
The maximum number of sessions to cache. After this number is exceeded, addition will force deletion of the least recently accessed session first. The cache size should be made at least as large as the number of concurrently authenticated users that typically access your site. This property is only available on:
|
| cams.session.cache.max_record_size |
The maximum number of bytes used for storing a session. If the maximum is exceeded, a warning message is displayed and data is truncated (e.g. some session attributes may be lost). This property is only available on:
|
| cams.session.hijacking.protection.enable |
Toggle Cams session hijacking protection on/off [true|false]. Session hijacking is where a hacker steals a session identifier and uses it in another client to gain access to a site. When a user first authenticates and a Cams session is created, a unique hash is computed from using standard browser HTTP request headers (Accept-Language and User-Agent) and unique site values. If a hacker somehow intercepts the Cams session cookie, he would also need to provide the exact HTTP request headers used by the original user's browser to gain access when session hijacking is enabled. A session that is considered hijacked is invalidated by the Cams web agent and a WARNING is written to cams-webagent.log. NOTE: Cams session hijacking is disabled by default to prevent situations where false positives will cause Cams to ALWAYS deny access to resources that are displayed by browser plugins. You should enable session hijacking as part of a hardening exercise and thoroughly test your site before deploying in a production environment. WARNING: All Cams web agents in a Cams policy server cluster must be configured with the exact same session hijacking properties. If not, Cams session cookies will not work consistently across all Cams web agents and access to some resources will ALWAYS be denied. |
| cams.session.hijacking.protection.algorithm |
The algorithm used to compute a unique hash value for session hijacking protection. The following algorithms are supported:
|
| cams.session.hijacking.protection.salt |
A unique, site-specific value that is combined with the other session hijacking protection values to further prevent decoding of the hash. The default value is epsom. NOTE: You should change this value as part of a hardening exercise. |
| cams.http.headers |
Toggle Cams secure HTTP request headers on/off [true|false]. If enabled then dynamic web page scripts will have access to secure Cams HTTP request headers. See the Cams Programmer's Guide - Webapp Programming for a full list of the Cams secure HTTP request header names and site-specific user attribute values that can be made available to web applications. Disabling Cams request headers when not used improves performance. NOTE: To improve performance, Cams user session information can be cached by the Cams web agent using the cams.session.cache property. If Cams secure HTTP request headers are disabled, then you should also disable session caching. |
| cams.http.headers.accept.proxied | Toggle proxied Cams secure HTTP request headers on/off [true|false]. If true, then Cams web agents accept Cams secure HTTP request headers that have been proxied to this web agent via another Cams web agent. For example, it is quite common to configure a web server to proxy requests to a J2EE server (e.g. Apache/IIS with Tomcat using mod_jk). If a Cams web agent is configured in both, then you'll need to enable this value in the proxied to web server (e.g. Tomcat in this example) to prevent the Cams web agent from indentifying Cams secure HTTP request headers as spoofed by a client. The default value is false. |
| cams.attributes.http-param.enable | Toggle sending of HTTP query parameter attributes with access control checks on/off [true|false]. Sending HTTP query parameter attributes allows a Cams access control policy to use them for access control rule decisions. The default value is false. |
| cams.attributes.agent.enable |
Toggle sending of Cams web agent attributes with access control checks on/off [true|false]. Cams web agent-specific attributes include:
A Cams access control policy can use these values for access control rule decisions. The default value is false. |
| cams.agent.id |
An optional value that can be used in conjunction with the property cams.attributes.agent.enable to uniquely identify Cams web agents. If specified, and cams.attributes.agent.enable=true, the value of this property is used to populate the value of attribute:
This can be used to distinguish requests from and customize access control rules based on a unique Cams web agent identity. If not specified, cams.agent.id defaults to MyCamsAgent. |
|
cams.skey.algorithm |
The algorithm, secret key and initialization vector for encrypting and decrypting selected values sent to/received from the Cams policy server. Valid algorithms are Blowfish, DES and DESede (triple DES). Blowfish uses a 16 byte encryption key, DES uses an 8 byte key and DESede uses a 24 byte key. Blowfish is recommended. The number of secret key bytes used depends on the algorithm, although it is legal to supply more key bytes than needed. The initialization vector should be an 8 byte (16 hex digit) value. For more information, see: Cams Administrator's Guide - Securing Cams Communications using Secret Keys. NOTE: Use CAMS_HOME/bin/camsSecretKeyGen.bat/.sh
or the web application |
| logger.file.path |
The fully-qualified path to the Cams web agent log file. If the directory or log file is missing, it will be created. This property is required on most Cams web agents, but not those listed below, where the log file is written to a default location (usually relative to where the Cams web agent binaries are installed). This property is required for all Cams web agents EXCEPT:
|
| logger.file.append | If true new log messages will be appended to the current log file. If false the current log file will be deleted and a new log file will be created. The default value is true. |
Table 1 - Values you may need to edit in cams-webagent.conf
© Copyright 1996-2005 Cafésoft LLC. All rights reserved.