Apache Web Server Settings

This section contains the following topics:
Use the HttpsPorts Parameter on Apache 2.x Servers
If you use an SSL accelerator or any intermediate device that changes the value of the HTTP_HOST header with an Apache 2.x Web server, use the HttpsPorts parameter.
Follow these steps:
  1. Open the httpd.conf file of your Apache Web server.
  2. Change the value of the UseCanonicalName parameter to on.
  3. Change the value of the ServerName parameter to the following format:
    server_name:port_number
    • server_name
      specifies the host name of the SSL accelerator.
  4. In the ACO for your Web Agent, set the value of the HttpsPorts parameter to the SSL port number.
If you have legacy applications (that do not support HTTP 1.1), and you want to run them on an Apache Web Server, you can set the following parameter:
  • LegacyTransferEncoding
    Specifies the type of message encoding used by the Web Agent. When the value of this parameter is set to no, transfer-encoding is supported.
    When the value of this parameter is set to yes, content encoding is used. The transfer-encoding header is ignored and only the content-length header is supported.
    Default: No
To use legacy applications with an Apache Web Server, set the value of the LegacyTransferEncoding parameter to yes.
If you set the value of this parameter to yes, the following limitations apply: Federation does not work, POST data longer than 4 KB is not preserved, and large certificates may not be recognized.
Record the Transaction ID in Apache Web Server Logs
The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:
  • Audit log
  • Web server log (if the server is configured to log query strings)
  • Policy Server log
You can track user activities for a given application using the transaction ID.
For more information, see the Policy Server documentation.
The transaction ID appears in the log as a mock query parameter that is appended to the end of an existing query string. The following example shows the transaction ID appended to a query string (which ends with STATE=MA):
111.22.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 122.111.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1
If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:
111.22.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 122.111.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.
Web Agents log user names and access information in native web server log files when users access resources.
You can record the transaction ID in the Apache web server logs by using the SM_TRANSACTIONID header variable.
Follow these steps:
  1. Open the httpd.conf file.
  2. Add the SM_TRANSACTIONID header variable to the LogFormat directive.
    For example:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SM_TRANSACTIONID}i\"" common
    For more information about the httpd.conf file and the LogFormat directive, see your Apache web server documentation.
  3. Restart the server to apply the change.
    The transaction ID is recorded in the Apache web server logs.
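Added example (not part of the original documentation or the product's code): a Python script that indexes Apache access-log lines written with the LogFormat above by transaction ID, so an ID taken from the audit log or Policy Server log can be looked up in the web server log. The regular expressions, the function names, the fallback to the SMTRANSACTIONID query parameter, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the LogFormat above: %h %l %u %t "%r" %>s %b "%{SM_TRANSACTIONID}i"
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<txid>[^"]*)"$'
)
# Assumed ID shape, taken from the examples on this page: hex groups joined by hyphens.
TXID_RE = re.compile(r'^[0-9a-f]+(?:-[0-9a-f]+)+$')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    txid = rec["txid"]
    if txid in ("", "-"):
        # Header not logged: fall back to the mock query parameter. The Agent
        # appends it at the end of the query string, so take the last occurrence.
        parts = rec["request"].split()
        query = urlsplit(parts[1]).query if len(parts) >= 2 else ""
        txid = parse_qs(query).get("SMTRANSACTIONID", [""])[-1]
    rec["txid"] = txid if TXID_RE.match(txid) else None
    return rec


def index_by_txid(lines):
    """Map each transaction ID to the log records that carry it."""
    index = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["txid"]:
            index.setdefault(rec["txid"], []).append(rec)
    return index


# Constructed sample lines (not from a real server).
SAMPLE = [
    '192.0.2.10 - user1 [11/Feb/2000:15:30:10 -0500] "GET /realm/index.html?STATE=MA HTTP/1.1" 200 123 "0c01a8c0-01f0-38a47152-01ad-02714ae1"',
    '192.0.2.10 - - [11/Feb/2000:15:30:12 -0500] "GET /public/logo.gif HTTP/1.1" 200 512 "-"',
    '192.0.2.11 - user2 [11/Feb/2000:15:31:00 -0500] "GET /realm/a?STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae2 HTTP/1.1" 200 40 "-"',
]
```

Lines without a well-formed ID, such as requests for unprotected resources, are parsed but left out of the index.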
Choose How Content Types are Transferred in POST Requests
If you are using an Apache web server, you can control how content is transferred to the server during POST requests with the following parameter:
LegacyStreamingBehavior
Specifies how content will be transferred to the server during POST requests. When the value of this parameter is set to yes, all content types are streamed, except for the following:
  • text/xml
  • application/x-www-form-urlencoded
When the value of this parameter is set to no, all content types are spooled.
Default: No
To stream most types of content in POST requests, change the value of the LegacyStreamingBehavior parameter to yes.
Restrict IPC Semaphore-Related Message Output to the Apache Error Log
By default the Apache Web Agent logs all levels (informational and error) of IPC semaphore-related messages to the Apache error log, regardless of the configured Apache logging level.
To restrict the verbosity of Web Agent IPC semaphore-related output to the Apache error log, add the following parameter in the trace.conf file located in web_agent_home/config:
  • nete.stderr.loglevel
    Specifies the level of IPC semaphore-related messages the Web Agent logs to the Apache error log. Accepts the following values:
    • off
      The Web Agent logs no IPC semaphore-related messages to the Apache error log.
    • error
      The Web Agent logs only IPC semaphore-related error messages to the Apache error log.
    • info
      (Default) The Web Agent logs IPC semaphore-related error and informational messages to the Apache error log.
Example: Define the nete.stderr.loglevel parameter in trace.conf
In the following snippet from trace.conf, the nete.stderr.loglevel parameter is configured to restrict the Web Agent to log only IPC semaphore-related error messages to the Apache error log:
# CA Web Agent IPC logging levels
#
nete.stderr.loglevel=error
Delete Certificates from Stronghold (Apache Agent Only)
Stronghold web servers write client certificates to a local, temporary file, which the Web Agent uses for certificate-based authentication. The Stronghold server uses this file to make information in the client certificate available for authentication. As users visit a website, these certificate files increase, taking up space on your server. You can configure the Web Agent to delete a certificate file after the Agent has finished using it.
To delete certificate files, set the DeleteCerts parameter to yes.