Oracle iPlanet Web Server Settings

Use any of the following settings to manage the Oracle iPlanet web servers that host your CA Single Sign-On Agent:
Restrict Directory Browsing on an Oracle iPlanet Web Server
To help ensure that users who try to browse the directories of an Oracle iPlanet web server are challenged by CA Single Sign-On, you can set the following parameter:
DisableDirectoryList
Specifies whether the Web Agent allows a user to view or browse the contents of a directory without challenging them first. This occurs when all of the following conditions are true:
  • The realm is set to protect a root resource (/)
  • The default web page in the directory (such as index.html) is renamed or deleted.
Default: No
To restrict directory browsing on an Oracle iPlanet server
  1. Add the DisableDirectoryList parameter to your Agent Configuration object or your local configuration file.
  2. Set the value of the DisableDirectoryList parameter to yes.
    Directory browsing is restricted. CA Single Sign-On challenges users who try to browse directories.
Handle Multiple AuthTrans Functions for Oracle iPlanet Web Servers
AuthTrans functions are directives that initialize the Oracle iPlanet web server. The Oracle iPlanet web server executes AuthTrans functions in the order that they are listed in the obj.conf file. The Oracle iPlanet server reads through the AuthTrans functions until it finds a function that returns a REQ_PROCEED command. Once a REQ_PROCEED command executes, no other AuthTrans functions are executed.
By default, CA Single Sign-On is the first AuthTrans function and it returns REQ_PROCEED. To allow other AuthTrans functions to execute, add the EnableOtherAuthTrans parameter and set its value to yes.
The default value for this parameter is no. To enable multiple AuthTrans functions, set the EnableOtherAuthTrans parameter to yes.
By adding this parameter, you permit the CA Single Sign-On Web Agent to coexist with other AuthTrans functions.
Be sure the CA Single Sign-On Agent function is the first entry in the obj.conf file for the AuthTrans directive. The entry should read:
AuthTrans fn="CA Single Sign-On Agent"
Record the Transaction ID in Oracle iPlanet Web Server Logs
Valid on Solaris
The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:
  • Audit log
  • Web server log (if the server is configured to log query strings)
  • Policy Server log
You can track user activities for a given application using the transaction ID.
For more information, see the Policy Server documentation.
The transaction ID appears in the log as a mock query parameter named SMTRANSACTIONID that is appended to the end of an existing query string. The following example shows the transaction ID appended to a query string (which ends with STATE=MA):
172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1
If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:
172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.
Web Agents log user names and access information in native web server log files when users access resources.
You can record the CA Single Sign-On transaction ID in the Oracle iPlanet web server logs.
Follow these steps:
  1. Open the magnus.conf file.
  2. Add the following header variable to the existing list of HTTP server variables that you want to log when the web server initializes:
    %Req->headers.SM_TRANSACTIONID%
    Enter the header variable in uppercase unless the value of the LowerCaseHTTP parameter is set to yes in your Agent Configuration Object or local configuration file.
    The following example shows the SM_TRANSACTIONID header variable at the end of an existing entry. However, you can place it anywhere in the list of variables.
    Init fn="flex-init" access="D:/iPlanet/server4/https-orion/logs/access" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% %Req->headers.SM_TRANSACTIONID%"
  3. Restart the Oracle iPlanet Server to apply the change.
    The transaction ID appears in the Oracle iPlanet web server logs. The following example shows a web server log entry with the transaction ID as the final field:
    11.22.33.44 - user1 [21/Nov/2003:16:12:24 -0500] "GET /Anon/index.html HTTP/1.0" 200 748 3890b4b9-58f8-4a74df53-07f6-0002df88
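The two web server log layouts above (SMTRANSACTIONID appended as a mock query parameter, and the flex-log format ending in %Req->headers.SM_TRANSACTIONID%) can be parsed to pull out the transaction ID for correlation with the audit log and Policy Server log. The following is an added example written for this page, not CA code; the log lines and the 8-4-8-4-8 hex ID shape it validates are constructed from the examples shown above.

```python
import re
from urllib.parse import parse_qs

# Transaction ID shape seen in the examples on this page: hex groups 8-4-8-4-8.
TXID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{8}$")

# Constructed sample entries modelled on the page's examples (not real log data).
SAMPLE_ENTRIES = [
    "172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1",
    "172.24.12.1, user1, 2/11/00, 15:30:11, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/page2.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae2.",
    '11.22.33.44 - user1 [21/Nov/2003:16:12:24 -0500] "GET /Anon/index.html HTTP/1.0" 200 748 3890b4b9-58f8-4a74df53-07f6-0002df88',
    '11.22.33.44 - - [21/Nov/2003:16:12:25 -0500] "GET /public/x.html HTTP/1.0" 200 10 -',
    '11.22.33.44 - user2 [21/Nov/2003:16:12:26 -0500] "GET /realm/y.html HTTP/1.0" 200 12 not-a-valid-id',
]


def txid_from_query_string(entry):
    """Comma-separated entry: the Agent appends SMTRANSACTIONID as a mock query
    parameter in the final field (after '&' when a query string already exists)."""
    fields = [f.strip() for f in entry.rstrip(". ").split(",")]
    ids = parse_qs(fields[-1], keep_blank_values=True).get("SMTRANSACTIONID")
    return ids[0] if ids else None


def txid_from_flex_log(entry):
    """flex-log line whose format ends with %Req->headers.SM_TRANSACTIONID%:
    the ID is the last token; flex-log writes '-' when the header is absent."""
    last = entry.split()[-1]
    return None if last == "-" else last


def extract_txid(entry):
    """Dispatch on layout and return a well-formed ID, or None if it is missing
    or malformed, so that garbage fields never become correlation keys."""
    if "SMTRANSACTIONID=" in entry:
        txid = txid_from_query_string(entry)
    else:
        txid = txid_from_flex_log(entry)
    return txid if txid and TXID_RE.match(txid) else None


def group_by_txid(entries):
    """Map each transaction ID to the entries carrying it; the same ID is recorded
    in the Agent audit log and Policy Server log, so this is the join key."""
    groups = {}
    for entry in entries:
        txid = extract_txid(entry)
        if txid:
            groups.setdefault(txid, []).append(entry)
    return groups
```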