List of Agent Configuration Parameters

This content provides quick reference information for all agent configuration parameters.
sm1252sp1
This content provides quick reference information for all agent configuration parameters.
To create a PDF of this material for reference, select
PDF
in the upper-right corner.
Quick Access Links:
2,1,4
Parameter Name
Default
Usage
4xCompatMode
No
Allows compatibility with 4.x-based custom agents used as Credential Collectors. See Using Credential Collectors Between 4.x Type and Newer Type Agents.
AcceptTPCookie
No
Determines if the agent accepts cookies created by the
CA Single Sign-On
SDK. See Configure Support for SDK Third-Party Cookies.
AgentConfigObject
N/A
(In WebAgent.conf) Determines which Agent Configuration Object that the agent should use. See Parameters Found Only in Local Configuration Files.
AgentName
Defines the identity of the agent. See Set the AgentName and DefaultAgentName Values
AgentNamesAreFQHostNames
No
Instructs an FCC or SCC to use the fully qualified host name in the target URL as the Agent name. See Configure Credential Collectors in a Mixed Environment.
AgentWaitTime
5
Determines how long to wait for the Policy Server when attaining the Host Configuration Object and Agent Configuration Object. See Accommodate Network Latency.
AllowCacheHeaders
No
Determines if the agent removes cache headers such as “if-modified-since” and “if-none-match.” See Control How HTTP Header Resources are Cached.
AllowLocalConfig
No
AppendIISServerLog
No
Determines whether the the agent adds the Transaction ID to the IIS log. See Record the User Name and Transaction ID in IIS Server Logs.
AutoAuthorizeHttpMethods
Specifies HTTP methods that, if included in a request, that request is authorized without being challenging for credentials. See Configure Web Agent Single Sign-On Settings.
AutoAuthorizeOptions
No
Enables automatic authorization of requests for resources which use the HTTP OPTIONS method. See Allow Automatic Access to Resources that use the OPTIONS Method.
BadCSSChars
<,',>
A comma-separated list of characters to block due to use in XSS attacks. See Protect Web Sites Against Cross-Site Scripting.
BadFormChars
<,>,&,%22
A comma-separated list of characters to block from use in forms. See Enable Bad Form Characters.
BadQueryChars
A comma-separated list of characters to block from use after the ? character. See Specify Bad Query Characters.
BadUrlChars
//,./,/.,/*, *.,~,\,%00-%1f,%7f
A comma-separated list of character sequences to block from use in URL requests to prevent exploitation by malicious web clients. See Specify Bad URL Characters.
CacheAnonymous
No
Specifies whether anonymous user information should be cached. See Cache Anonymous Users.
CCCExt
.ccc
Specifies the extension of the Cookie Credential Collector. See Specify the Cookie Provider.
ClientLocalePreferrred
Specifies the preference order for localization. See Define the Configuration Modes Order of Precedence
compatRealmtimeouts
No
Specifies whether the Policy Server challenges users for their credentials after a realm timeout occurs. See Prevent Re-Challenges After Realm Timeouts When Multiple Valid Sessions Exist.
ConformToRFC2047
Yes
Specifies whether the agent conforms to RFC 2047.  See Default HTTP Headers Used by the Product.
ConformToRFC6265
No
Specifies whether a leading dot must be appended to a domain name when the value of CookieDomain is empty. See Configure Web Agent Single Sign-On Settings.
ConstructFullPwsvcUrl
No
Specifies whether the FQDN is used in Password Services redirect URLs. See Use a Fully Qualified URL for Password Services Redirects.
CookieDomain
Specifies the cookie domain of the agent. See Configure Web Agent Single Sign-On Settings.
CookieDomainScope
0
Specifies the number of sections (characters with periods between them) in the domain name. See Implement Cookie Domain Resolution.
CookiePath
/ (root)
Specifies the path for the primary-domain session cookies created by the cookie provider when CookiePathScope is not specified. See Specify the Cookie Path for Agent Cookies.
CookiePathScope
Specifies the scope of the cookie path for secondary agent cookies. See Specify the Cookie Path for Agent Cookies.
CookieProvider
Specifies the URL of the web server where the agent that is acting as the cookie provider resides. See Configure Web Agent Single Sign-On Settings.
CookieValidationPeriod
Specifies the time period (in seconds) in which the receiving agent accepts the session cookie. After this time passes, the session cookie will not be accepted. If this field is not used or is set to zero, the session cookie expires when the Idle Timeout and Max Session Timeout values are met. See Protect Session Cookies from Misuse with Validation Periods and Expired Cookie URLs.
CslCertUniqueAttribute
Lists the attributes of the certificate by which it is uniquely identified. See How to Link a Client Certificate to a Session (Windows).
CslMaxCacheEntries
Specifies the maximum number of entries that the agent cache contains. How to Link a Client Certificate to a Session (Windows).
CSSChecking
Yes
Specifies whether the agent checks for Cross-Site Scripting. See Configure the Web Agent to Check For Cross-Site Scripting.
CSSErrorFile
Specifies the error file to use for error pages that result from HTTP 403 cross-site scripting errors. See How to Set Up Error Handling.
Custom401ErrorFile
Specifies the error file to use for error pages that result from HTTP 401 errors. See How to Set Up Error Handling.
CustomIpHeader
Specifies an HTTP header for which the agent searches to find the IP address of the requestor. See Configure IP Address Validation.
DecodeQueryData
No
Specifies whether the agent decodes query data before calling Policy Server. See URL Settings.
DefaultAgentName
Specifies a name that the agent uses to process requests when no name is defined in the AgentName parameter. For more information, see Set the AgentName and DefaultAgentName Values.
DefaultHostName
Specifies the hostname to use when no host header is sent in the request. See Accommodate Testing Tools that do not send HOST Headers.
DefaultLocale
Specifies the language in which HTML pages for login, basic password services, and error responses are displayed. See FCC Internationalization.
DefaultPassword
(IIS only) Specifies the IIS Proxy Password to use. See Use an IIS Proxy User Account.
DefaultUsername
(IIS only) Specifies the IIS Proxy Account to use. See Use an IIS Proxy User Account.
DeleteCerts
No
(Apache only) Specifies whether the agent deletes certificates from Apache servers that use local files. See Delete Certificates from Stronghold Servers.
DisableAuthSrcVars
No
Specifies whether the agent should save HTTP header space by removing the following default header variables:
  • SM_AUTHDIRNAME
  • SM_AUTHDIRSERVER
  • SM_AUTHDIRNAMESPACE
  • SM_AUTHDIROID
DisableDirectoryList
No
(Oracle iPlanet Web Server only) Specifies whether to disable directory listing. See Restrict Directory Browsing on a Oracle iPlanet Web Server.
DisableDNSLookup
No
Specifies whether to disable DNS lookups to help prevent DNS denial of service attacks. See Help Prevent DNS DOS Attacks.
DisableDotDotRule
No
Specifies whether the agent uses IgnoreExt on a URI where two periods (".") have a slash ("/") between them. See Handle Complex URIs.
DisableI18N
No
(IIS only) If set, the NTC Credential Collector encodes URLs during redirects to protected resources. See How to Allow the NTC to Encode URLs During Redirects to Protected Resources.
DisablePostDataLimit
No
Specifies whether an agent observes the 64 KB data-size limit when preserving or filtering POST data. See (Optional) Disable the POST Preservation Data Size Limit.
DisableSessionVars
No.
Specifies whether the agent should save HTTP header space by removing the following default header variables:
  • SM_SERVERSESSIONID
  • SM_SERVERSESSIONSPEC
  • SM_SERVERIDENTITYSPEC
  • SM_SESSIONDRIFT
  • SM_TIMETOEXPIRE
DisableUserNameVars
No
Specifies whether the agent should save HTTP header space by removing the following default header variables:
  • SM_USER
  • SM_USERDN
  • SM_DOMINOCN
DisableWindowsSecurityContext
False/No
(IIS Only) If set, the agent ignores the following Windows security context of the user:
DisallowUTF8NonCanonical
No
If set. [Prevents attackers from sending noncanonical (overlong) Unicode (utf-8) characters in requests and attempting to bypass cross-site scripting protection. See Protect J2EE Applications against Cross-Site Scripting Attacks.
DLPErrorFile
Specifies the full path (including the file name) of the DLP error file. See CA Data Protection Content Classification Service Integration.
DLPExclusionList
Specifies a set of default resources that the Policy Server excludes from CA DataMinder CCS content classifications. See Exclude Resources from the DLP Content Classifications.
DLPSupportEnabled
If set, configures the agent to extract DLP resource information from the protected document. See Modify the SharePoint Agent Configuration Object.
DominoDefaultUser
(Domino agents only) Identifies a user with default access to the Notes database, which means this person has general access privileges. See Authenticate Users with the Domino Server
DominoLegacyDocumentSupport
No
(Domino agents only) Specifies how an agent handles user requests for protected Lotus Notes documents in a Domino environment. Setting this parameter to yes grants users ReadForm permission only for the requested document. See Handle User-Requested Actions on Lotus Notes Documents
DominoLookUpHeaderForLogin
Yes
(Domino agents only) If set, instructs a Domino Web Agent to ask the Domino Web Server if the user requesting access to a resource is unique or ambiguous within the Domino user directory. See Use a CA Single Sign-On Header for Authentication.
DominoMapUrlForRedirect
No
(Domino agents only) If set, for Domino view (.nsf) resources with a forms authentication scheme, map the URLs before they are redirected to the forms credential collector. See Map URLs for FCC Redirects with a Domino Web Agent.
DominoNormalizeUrls
No
(Domino agents only) If set, for Domino view (.nsf) resources with a forms authentication scheme, map the URLs before they are redirected to the forms credential collector. See Map URLs for FCC Redirects with a Domino Web Agent.
DominoSuperUser
(Domino agents only) Identifies a user who has access to all resources on the Domino server. See Authenticate as the Domino Super User.
DominoUseHeaderForLogin
(Domino agents only) Instructs a Domino Web Agent to pass the specified header value to the Domino Web Server. The Domino server uses the header data to identify a user in its user directory. See Use a CA Single Sign-On Header for Authentication.
DominoUserForAnonAuth
(Domino agents only) Specifies a value for anonymous users. This value is sent to the Domino server when users access Domino resources that are protected with an anonymous authentication scheme. See Use an Anonymous CA Single Sign-On Authentication Scheme with Domino.
EarlyCookieCommit
No
(IIS only) Specifies if cookies are set at an early point during processing (as needed for IIS ARR) or later during the “OnSendResponse request notification”. See
EnableAccounting
Replaced by EnableAuditing. Maintained for backward compatibility.
EnableAuditing
No.
Specifies whether the agent logs all successful authorizations that are stored in the user session cache. When enabled, user authorizations are logged even when the agent uses information from its cache instead of contacting the Policy Server. See Configure Auditing to Track User Activity.
EnableAuthorization
Yes
If set to No, the user is authenticated and granted access to the protected resource but
CA Single Sign-On
does not authorize the user.Ignored when used with CA Data Protection or a cookie provider. See Manage Web Agent Authorization.
EnableCookieProvider
Yes
Specifies whether an agent processes requests form the cookie provider. See Disable Cookie Providers.
EnableFCCWindowsAuth
No
Specifies whether an agent, acting as an FCC, can authenticate users against resources that the Windows authentication scheme protects. See Configure the FCC to allow Windows authentication.
EnableFormCache
Yes
Specifies whether to use the forms template cache. See Enable the Form Cache.
EnableIntrostrocopeAgentSupport
No
Specifies whether to collect information about the agent and sends it to CA Introscope® using a plug-in. See Monitoring Web Agents.
EnableIntroscopeApiSupport
No
Specifies whether the agent uses the CA Introscope® API to send more information to CA Introscope®. See Use CA Introscope to Monitor Web Agents.
EnableMonitoring
Yes
Specifies whether the agent sends monitoring information to the Policy Server. See Monitor Web Agents with the OneView Monitor.
EnableOtherAuthTrans
No
(Oracle iPlanet Web Server only) If set, allows additional Oracle Java AuthTrans functions to execute. See Handle Multiple AuthTrans Functions.
EnableWebAgent
No
Specifies whether an agent actively protects resources. See Enable a Web Agent.
EncryptAgentName
Yes
By default, an agent adds its name to the URL that redirects a user to a forms, SSL, or NTLM credential collector. This parameter specifies whether the agent encrypts its name in the URL and whether the credential collector decrypts the name when it receives the URL with the EncryptAgentName parameter. See Encrypt the Agent Name.
EnforceFQResponseRedirectUrl
No
If set, instructs an agent to use fully qualified domain names (FQDNs) in responses that redirect the user to another URL. See How Response Attributes Work with Web Agents.
EnforcePolicies
No
(Domino and IIS 5.x Agents only) Specifies whether an agent actively protects resources.See Starting and Stopping Web Agents.
EnforceRealmTimeouts
No
If set, the agent uses WebAgent-OnAuthAccept-Session-Max-Timeout and WebAgent-OnAuthAccept-Session-Idle-Timeout tied to an OnAuthAccept rule to have the realm timeouts change by realm. See How to Enforce Timeouts across Multiple Realms
ExpiredCookieURL
Specifies a URL to which the agent redirects the user after any session cookie has expired.See Protect Session Cookies from Misuse with Validation Periods and Expired Cookie URLs.
ExpireForProxy
No
Prevents a client from caching content (pages and potentially headers or cookies). See Agents and Proxy Servers.
FCCCompatMode
No
Allows compatibility with 4.x based Custom Agents used as Credential Collectors (previously named 4xCompatMode). See Use FCCs and NTCs in a Mixed Environment.
FCCExt
.fcc
Specifies the default MIME type for the Forms Credential Collector. See Configure MIME Types for Credential Collectors.
FCCForceIsProtected
Yes
Specifies whether the agent makes an additional IsProtected call to the Policy Server to establish a realm context so that the agent can log a user in to access a protected resource. See Force an FCC to Establish Realm Context for Forms Authentication.
Fcchtmlencoding
No
Specifies whether the HTML encoding is enabled to prevent Cross-Site Scripting attacks against web agent FCC pages. This parameter does not block any characters. See Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages.
ForceCookieDomain
No
If set, forces an agent to append its cookie domain to the host name in a URL request that does not specify a domain or contains only an IP address. This parameter works together with the ForceFQHost parameter for added functionality. See Force the Cookie Domain.
ForceFQHost
No
If set, forces an agent to use a fully qualified domain name. See Force the Cookie Domain.
ForceGetSessionData
No
(Domino agents only) If set, the agent stores user credentials in the session store to enable user authentication with the web server during single sign-on. This is only required when a web server or application requires an authenticated user context and not a simple user identity.
ForceIISProxyUser
No
(IIS agents only) If set, the Agent uses an IIS Proxy User. See Use an IIS Proxy User Account.
FormCacheTimeout
600
Specifies the number of seconds that an object may reside in the form cache before being considered invalid. See Configure the Form Cache.
GetPortFromHeaders
No
(non-framework Domino agents only) Directs an agent to obtain the port number from the HTTP HOST request header instead of obtaining it from the web server service structures. See Redirect Users to the Correct Port Using the HTTP HOST Request
HostConfigFile
(Host Configuration File only) Specifies the path to the SMHost.conf file (in an IIS 6.0 or Apache agent) that is created after a trusted host computer has been successfully registered with a Policy server. See Parameters Found Only in Local Configuration Files.
HTTPHeaderEncodingSpec
Affects the encoding of all HTTP header values and all custom HTTP-COOKIE responses. Use this parameter to support the web applications expecting localized text in specific encodings. See Set the HTTP Header Encoding Specification.
HTTPServicePrincipal
Specifies the web server principal name for Kerberos authentication. See Policy Server Configuration for Kerberos Authentication.
HttpsPorts
Specifies the ports to treat as SSL even if coming through as HTTP. See Define HTTPS Ports.
IdleTimeoutURL
Specifies the URL where the agent should redirect the user when the idle time-out for the session occurs. See Redirect a User after a Session Time-out.
IgnoreCPForNotprotected
No
If set, prevents the cookie provider from being queried for unprotected resource requests. By default, the agent directs all requests to the cookie provider. See Ignore the Cookie Provider for Unprotected Resources.
IgnoreExt
class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc
Specifies the types of resource requests that the agent passes to the web server without checking access policies. The agent allows access to the items with extensions specified by this parameter even if they exist in a realm that is protected by a policy. See Reduce Overhead by Ignoring File Extensions of Unprotected Resources.
IgnoreHost
Specifies the fully qualified domain names of any virtual servers that you want the agent to ignore. Resources on such virtual servers will be automatically authorized, and the agent always grants access to them regardless of which client makes the request. The authorization decision is based on the configuration of the agent instead of being based on a policy. See Specify Virtual Servers to be Ignored by the Web Agent.
IgnoreQueryData
No
If set, the agent caches the entire URL (including the query strings) and sends the entire URI to the Policy Server for rule processing. See Ignore Query Data.
IgnoreRichStateInURI
No
When protecting WebSphere Portal, set this option to configure the Web Agent to ignore the rich state URL suffix (which begins with “!ut/”) that is generated when friendly URLs are configured. Enable this option to improve Web Agent cache performance.
Example:
When you enable IgnoreRichStateInURI option, Web Agent checks if the URL contains “!ut/”.
Sample URLs:
  1. /sample!ut/sdd
  2. /sample!ut/abc
  3. /sample!ut/one
These URLs are trimmed to "/sample" as they contain "!ut/". Agent caches one URL "/sample" instead of all the three URLs. This option improves Web Agent cache performance as fewer URLs are cached.
IgnoreUrl
Specifies a URI within a URL that is not protected. Users attempting to access the resource associated with the URI will not be challenged. The agent ignores the URI portion of the string after three forward slashes.See Allow Unrestricted Access to URIs.
IISCacheDisable
Yes
(IIS Agents only) Specifies whether the IIS web server stores responses containing cookies in an output cache. See Prevent Caching of Server Responses Containing Cookies.
IISEnableChildRequest
No
(IIS Agents only) Use only if directed by CA Support to corrects issues with IIS 7 Web Agents.
InlineCredentials
No
(IIS Agents only) Specifies how the agent handles user credentials. If set, the agent reads the credentials directly from the HTTP request. By default, the agent redirects to an NTC credential collector. See IIS Web Server Settings.
InsecureServer
No
(IIS Agents only) Allows Agents for IIS to enforce native IIS security mechanisms by providing a Windows user security context. See Windows User Security Context.
KCCExt
Specifies the default MIME type for the Kerberos Credential Collector. See Configure MIME Types for Credential Collectors.
LegacyCookieProvider
No
Prevents POST requests from going to a cookie provider
LegacyEncoding
Domino and IIS 5.0 agents: Yes
Other agents: No
Forces the agent to replace any dollar sign ($) characters in legacy URLs with a hyphen (-). Doing this also ensures backwards comparability with MSR, Password Services, and DMS. When this parameter is set to no, the agent converts the string $SM$ to -SM-. When this parameter is set to yes, the agent does not convert the dollar sign ($) character. See Accommodate Legacy URL Encoding.
LegacyPostPreservationEncoding
No
If set (Yes), the agent encodes any POST preservation data in a way that is compatible with Traditional (Domino and IIS 5.0) agents. See Configure POST Preservation.
LegacyStreamingBehavior
No
Specifies how content is transferred to the server during POST requests. See Choose How Content Types are Transferred in POST Requests.
LegacyTransferEncoding
No
(Apache agents only) Specifies the type of message encoding that the agent uses. Set this parameter (Yes) to configure the agent to use content encoding to support legacy applications that do not support HTTP 1.1 or later. See Apache Web Server Settings.
LegacyVariables
Domino and IIS 5.0 agents: Yes
Other agents: No
If set, the agent uses underscores in HTTP header names. See Enable Legacy Variables for HTTP Headers.
LegalHostNameChars
Instructs the agent to verify that host names contain only the characters set in this parameter. The agent rejects requests for host names containing any characters that are not specified. See Restrict Host Name Characters.
LimitCookieProvider
No
Specifies how the agent acting as a cookie provider handles cookie provider SET requests. See Restrict Cookie Provider Functions.
LoadPlugin
(WebAgent.conf only) Specifies which plug-ins are loaded for Framework Agents. The plug-ins support different types of Agent functions. See WebAgent.conf file for Framework Agents.
LocalConfigfile
(WebAgent.conf only) Specifies the location of the LocalConfig.conf file, where most of Agent configuration settings reside. See WebAgent.conf file for Framework Agents.
Localization
Yes
Specifies whether agent internationalization is enabled. Disable to customized FCCs created for use with agent versions prior to 12.51. See FCC Internationalization.
LogAppend
No
Adds new log information to the end of an existing log file. By default, the entire log file is rewritten each time logging is invoked. See Set Up and Enable Error Logging.
LogFile
No
Turns Error (High Level) Logging on or off. See Set Up and Enable Error Logging.
LogFileName
Specifies the full path (including the file name) of the log file.See Set Up and Enable Error Logging
LogFileName32
(IIS only) Specifies the full path (including the file name) of the log file for 32 bit on 64 bit Windows; default is to add _32 before .log. See Set Up and Enable Error Logging.
LogFileSize
Specifies the size limit of the log file in megabytes. See Set Up and Enable Error Logging.
LogFilesToKeep
Specifies how many old log files to keep. See Limit the Number of Log Files Saved.
LogLocalTime
Yes
Specifies whether the logs use Greenwich Mean Time (GMT) or local time. See Set Up and Enable Error Logging.
LogoffUri
Enables the full log-out function by specifying the URI of a custom web page. See How to Configure Full Logoff for Single Sign-On.
LowerCaseHTTP
Yes
(Oracle iPlanet and Domino Agents only) Specifies the case for agent HTTP headers. See Use Lower Case HTTP in Headers.
LowerCaseProtocolSpecifier
No
Specifies whether the scheme (protocol) portion of a redirect URL uses only lowercase characters. This configuration parameter accommodates legacy applications that do not conform to RFC 2396. See Specify URL Protocols with Lowercase Characters.
MasterCookiePath
/
Specifies the path for the primary-domain session cookies created by the cookie provider. See Specify the Cookie Path for Agent Cookies.
MaxResourceCacheSize
Varies by server type
Specifies the maximum number of entries that Web Agent keeps in its resource cache. An entry contains the following information:
  • A Policy Server response about whether a resource is protected
  • Any additional attributes returned with the response
When the maximum is reached, new resource records replace the least recently used resource records.
MaxSessionCacheSize
Varies by server type
Specifies the maximum number of users the Agent maintains in its session cache. See Set the Maximum User Session Cache Size.
MaxTimeoutURL
Specifies the URL where the agent redirects the user when the maximum time-out for the session occurs. See Redirect a User after a Session Time-out.
MaxUrlSize
4097
Specifies the maximum size (in bytes) of a URL that an agent can handle. See URL Settings.
NTCExt
.ntc
Specifies the default extension for the NT Credential Collector. See Specify an NTLM Credential Collector.
OverlookSessionAsPattern
No
If enabled, the agent does not create cookies for any of the URLs under the directory that is specified in OverlookSessionForUrls. See Prevent Session Cookie Creation or Updates.
OverlookSessionForMethods
Specifies a list of methods against which the agent compares the request method of all HTTP requests. If a match occurs, the agent does not create or update an SMSESSION cookie. See Prevent Session Cookie Creation or Updates.
OverlookSessionForMethodUri
Specifies whether the agent compares the method and the URI from all HTTP requests against the method and URI listed in this parameter. If a match occurs, the gent does not create or update an SMSESSION cookie. See Prevent Session Cookie Creation or Updates Based on Method and URI.
OverlookSessionForUrls
Specifies a list of URLs against which the agent compares the URLs from all HTTP requests. If a match occurs, the agent does not create or update an SMSESSION cookie. See Prevent Session Cookie Creation or Updates.
OverrideIgnoreExtFilter
Specifies a list of strings you want the agent to match against all URIs. This helps you protect resources whose extensions are normally ignored by the agent, or any files or applications that do not have extensions. If the URI matches one of the strings in the list, the agent checks with the Policy Server to determine if the resource is protected. See Protect Resources Without Extensions.
Overridezonesessioncookie
No   
Determines whether Agent honors a local cookie or trusted zone cookie. See Security Zones for Single Sign-On.
P3PCompactPolicy
Determines whether custom responses comply with the Platform for Privacy Preferences Project (P3P) response headers. See Configure your Web Agent to Accommodate P3P Compact Policies.
PersistentCookies
No
Specifies whether the agent sets persistent cookies. See Set Persistent Cookies.
PersistentIPCheck
Yes
Enables IP checking for persistent cookies. See Compare IP Addresses to Prevent Security Breaches
PostPreservationFile
Enables the transfer of POST preservation data between Traditional and Framework Agents. See Enable Post Preservation between Framework and Traditional Agents.
PreserveHeaders
No
Specifies whether the agent preserves headers. See Preserve HTTP Headers. Default HTTP Headers Used by the Product
PreservePostData
Yes
Specifies whether the agent preserves POST data when redirecting requests. See Enable or Disable POST Preservation.
ProxyAgent
Specifies whether an agent acts as a reverse proxy agent. See CA Single Sign-On Reverse Proxy Deployment Considerations.
ProxyDefinition
Specifies the IP address of a proxy (such as a cache device) that requires the use of a custom HTTP header. This custom header helps the agent resolve the IP addresses of the requester. See Default HTTP Headers Used by the Product.
ProxyHeadersAutoAuth
No
Specifies the value of an HTTP 1.1 header that the agent inserts into an HTTP response to a client. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyHeadersAutoAuth10
No
Specifies the value of an HTTP 1.0 header that the agent inserts into an HTTP response to a client. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyHeadersDefaultTime
60
Sets the max-age cache header parameter when a value hasn't been provided via the other cache header parameters, such as ProxyHeadersAutoAuth. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyHeadersTimeoutPercentage
10
Percent of session timeout value to be used as cache header timeout (max-age). If a session or idle timeout is not set, this will be a percentage of the ProxyHeadersDefaultTime value. See Customize the Cache-Control and ExpireForProxy Header Settings
ProxyHeadersProtected
No
Specifies the value of an HTTP 1.1 header that the agent inserts into an HTTP response to a client. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyHeadersProtected10
No
Specifies the value of an HTTP 1.0 header that the agent inserts into an HTTP response to a client. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyHeadersUnprotected
No
Specifies the value of an HTTP 1.1 header that the agent inserts into an HTTP response to a client. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyHeadersUnprotected10
No
Specifies the value of an HTTP 1.0 header that the agent inserts into an HTTP response to a client. See Customize the Cache-Control and ExpireForProxy Header Settings.
ProxyTimeout
120
Specifies the number of seconds the reverse proxy server waits for the agent that is deployed behind it to respond to a request. See How to Configure an Apache Reverse Proxy Server.
ProxyTrust
No
Instructs the agent on a destination server to trust authorizations received from an agent on a proxy server. A destination server is a server that is behind a reverse proxy server. See How to Configure an Apache Reverse Proxy Server and Agents and Proxy Servers.
PSPollInterval
30
Specifies how often (in seconds) the agent contacts the Policy Server to retrieve information about policy changes or dynamically updated keys. See Change How Often an Agent Checks for Policy or Key Updates.
preserveuniversalID
Specifies the Universal ID set to non-protected resources when a valid SMSESSION cookie is available.
Note
: This parameter is available from 12.52 SP1 CR08 onwards.
RemoteUserVar
Instructs the agent to use a non-default (SMUSER or SM_USER) variable for REMOTE_USER. See Configure the Web Agent to set the REMOTE_USER Variable.
ReqCookieErrorFile
Specifies the file to use when cookies are not enabled and required. See Set Up Error Handling.
RequireClientIP
No
If set, forces the client to have an IP Address that is found for IP Checking.  See Configure IP Address Validation.
RequireCookies
Yes
Specifies whether
CA Single Sign-On
requires cookies. See Require Cookies for Basic Authentication.
ResourceCacheTimeout
600
Specifies the number of seconds that resource entries remain in the cache. See Control How Long Resource Entries Remain Cached.
SaveCredsTimeout
720
Specifies the number of hours that a persistent cookie containing the user credentials will be saved. See Set a Timeout for Saved Credentials.
SCCExt
.scc
Specifies the extension of the Secure Credential Collectore (SCC). See Configure MIME Types for Credential Collectors.
SecureApps
No
If set, prevents the agent from authorizing URLs from an unauthorized user via fake URLs. See Secure Applications.
SecureURLs
No
If set, secures URLs by encrypting the query string. See Configure SecureUrls with Single Sign-on.
ServerErrorFile
Specifies the file to use if there is a server error. See Set Up Error Handling.
SessionGracePeriod
30
Specifies the number of seconds before the agent regenerates a session cookie. See Modify the Session Grace Period.
SessionUpdatePeriod
60
Specifies how often (in seconds) an agent redirects a request to the Cookie Provider to set a new cookie. See Modify the Session Update Period.
SetRemoteUser
No
If set, Instructs the agent to set the REMOTE_USER variable. See Configure the Web Agent to set the REMOTE_USER Variable.
SFCCExt
.sfcc
Specifies the extension of the Secure Forms Credential Collector (SFCC). See Configure MIME Types for Credential Collectors.
SharedSecret
(SmHost.conf) Maintained for backwards compatibility only.
SkipDominoAuth
(Domino and IIS 5.x Agents only) If set, configures
CA Single Sign-On
(and not Domino) to authenticate users. See Authenticate Users with the Domino Server.
SmpsServicePrincipal
Specifies the Policy Server principal name for Kerberos authentication. See Policy Server Configuration for Kerberos Authentication.
SSOTrustedZone
Specifies an ordered list of all trusted SSO zones by name. Enter the zone names in the order that the agent must search for session cookies. See The Order of Trust and Failover..
SSOZoneName
Specifies the name of an SSO zone. See Security Zones for Single Sign-On.
StoreSessioninServer
No
If set, configures agents and cookie providers to store the session temporarily and pass a GUID that identifies the stored session instead of the session cookie in the redirect URL. See Enable Single Use Session Cookies.
SuppressServerHeader
No
(IIS Agent only) Prevents an agent from returning the Server HTTP Header in its responses. See Remove the Server HTTP Header if Using the URLScan Utility.
TargetAsRelativeURI
No
If set, the target parameter that is appended to the credential collector URL is a relative target. In turn, when the credential collector redirects back to the Web Agent protecting the target resource, it is a relative redirect. See Use a Relative Target for Credential Collector Redirects.
TraceAppend
No
If set, the agent adds new logging information to the end of an existing log file instead of rewriting the entire file each time logging is invoked. See Configure Trace Logging.
TraceConfigFile
Specifies the location of the WebAgentTrace.conf configuration file that determines which components and events to monitor. See Configure Trace Logging.
TraceConfigFile32
(IIS Agent only) Specifies the location of the WebAgentTrace.conf configuration file that determines which components and events to monitor. Set this parameter if you have an Agent for IIS installed on a 64-bit Windows operating environment and protecting a 32-bit Windows application. See Configure Trace Logging
TraceDelimiter
Specifies a custom character that separates the fields in the trace file. See Configure Trace Logging.
TraceFile
No
Specifies whether the agent writes a trace (Low Level) file. See Configure Trace Logging.
TraceFileName
Specifies the full path to the trace log file. See Configure Trace Logging.
TraceFileName32
(IIS Agent Only) Specifies the full path to the trace file for an Agent for IIS that is running on a 64-bit Windows operating environment and protecting 32-bit applications. See Configure Trace Logging.
TraceFileSize
0 (a new log file is not created)
Specifies (in megabytes) the maximum size of a trace file. See Configure Trace Logging.
TraceFilesToKeep
0
Specifies the number of old trace files to keep. See Limit the Number of Trace Log Files Saved.
TraceFormat
Specifies how the trace file displays the messages. See Configure Trace Logging.
TrackCPSessionDomain
No
If set, the agent validates that the cookie domain of the session cookie matches the cookie domain of the cookie provider. See Prevent Cookie Provider Replay Attacks.
TrackSessionDomain
No
If set, the agent encrypts and stores the intended domain of a session cookie within the session cookie itself. See Validate a Session Cookie Domain.
TransientIDCookies
No
If set, the agent identity cookie (SMIDENTITY) is transient. See Control Identity Cookies.
TransientIPCheck
No
If set, compare the IP address stored in a transient cookie from the last request against the IP address contained in the current request. See Compare IP Addresses to Prevent Security Breaches.
UseAnonAccess
No
(IIS Agent only) If set, the agent executes the web application as an anonymous user, instead of using credentials of the proxy user. See Enable Anonymous User Access.
UseDominoUserForUnprotected
No
(Domino Agents only) If set, the Domino server authenticates requests with a Domino user for resources that only the Domino server (not
CA Single Sign-On
) protects. See Force the Domino server to authenticate unprotected resources.
UseHTTPOnlyCookies
No
If set, the agent sets the HTTP-only attribute on the cookies it creates. See Safeguard Information in Cookies with HTTP-Only Attribute.
UseNetBIOSforIISAuth
No
(IIS 6.0 Agent only) Specifies whether the agent sends the user principal name (UPN) or the NetBIOS name to the IIS 6.0 web server for IIS user authentication. SeeUse the NetBIOS Name or UPN for IIS Authentication.
UseSecureCookies
No
If set, the agent sets the HTTPS-only attribute on the cookies it creates. See Set Secure Cookies.
UseSecureCPCookies
No
If set, the cookie provider will only send a cookie to an agent in another cookie domain that is also configured to use secure cookies (that is, for which UseSecureCookies is enabled). See Set Secure Cookies Across Multiple Domains.
UseServerRequestIp
No
If set, the agent resolves the AgentName according to the physical IP address of a virtual web server. See Resolve Agent Identity by IP Address.
UseSessionForAnonymous
Yes
Specifies whether an agent uses the session from an available SMSESSION cookie when accessing a resource protected by anonymous authentication. See User Identity and Activity Tracking and URL Monitoring.
ValidFedTargetDomain
Defines valid domains for your federated environment See Agent Setting for Federation Domains.
ValidTargetDomain
Defines the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied. See Define Valid Target Domains
WebAppClientResponse
Configures responses to web service clients. See Apply CA Single Sign-On Behavior to a Web Application Client.
XFrameOptions
Instructs the agent to preserve the X-Frame-Options header when it matches. See Ensure Custom Responses Comply with X-Frame Options.
4xCompatMode
No
Allows compatibility with 4.x-based custom agents used as Credential Collectors. See Using Credential Collectors Between 4.x Type and Newer Type Agents.
AcceptTPCookie
No
Determines if the agent accepts cookies created by the
CA Single Sign-On
SDK. See Configure Support for SDK Third-Party Cookies.
AgentConfigObject
N/A
(In WebAgent.conf) Determines which Agent Configuration Object that the agent should use. See Parameters Found Only in Local Configuration Files.
AgentName
Defines the identity of the agent. See Set the AgentName and DefaultAgentName Values
AgentNamesAreFQHostNames
No
Instructs an FCC or SCC to use the fully qualified host name in the target URL as the Agent name. See Configure Credential Collectors in a Mixed Environment.
AgentWaitTime
5
Determines how long to wait for the Policy Server when attaining the Host Configuration Object and Agent Configuration Object. See Accommodate Network Latency.
AllowCacheHeaders
No
Determines if the agent removes cache headers such as “if-modified-since” and “if-none-match.” See Control How HTTP Header Resources are Cached.
AllowLocalConfig
No
AppendIISServerLog
No
Determines whether the the agent adds the Transaction ID to the IIS log. See Record the User Name and Transaction ID in IIS Server Logs.
Note:
The parameter values for any Agent Configuration object that supports multi value property, must be separated by Ctrl-C or %03 using
CA Single Sign-On
API.