UDDI Cluster Properties

       
The following cluster properties are used to configure how the Gateway works with UDDI registries.
       
           
               
Table 429: Gateway Cluster Properties - UDDI

uddi.auto_republish
    Automatically republish to UDDI as needed (for example, when the cluster hostname or port number changes).
    Default: true

uddi.batch
    The number of records to retrieve at a time. This value is effective only if it is less than or equal to the uddi.limit value.
    Default: 100

uddi.centrasite.activesoa.target
    The target to reference for CentraSite ActiveSOA UDDI metrics. The value should match the value configured in the CentraSite web interface.

uddi.centrasite.activesoa.virtual.service.tmodelkey
    The tModelKey to add to virtual published business services in CentraSite ActiveSOA. The value of this key is added as a keyedReference to each published business service when the original business service and the published business services are contained in the same CentraSite ActiveSOA registry.
    Default: uddi:9de0173b-5117-11de-8cf9-da0192ff3739

uddi.connectTimeout
    The IO timeout for a UDDI connection. The value must be greater than 0 (zero).
    Default: 30000 (milliseconds)

uddi.limit
    The maximum number of records to retrieve for any UDDI inquiry.
    Default: 100

uddi.policyUrlTemplate
    The template used to build the WS-Policy Attachment URL.
    Default: http://{0}:{1}/ssg/policy/disco?serviceoid={3}&fulldoc={4}&inline={5}

uddi.systinet.gif.management.system
    (This property must be manually entered to be used.)
    The key value for the keyedReference to the tModel with key uddi:systinet.com:management:system. There is no default value for this property.
    Sample value: Layer7 Gateway

uddi.timeout
    The IO timeout for the UDDI response. The value must be greater than 0 (zero).
    Default: 60000 (milliseconds)

uddi.wsdlpublish.maxretries
    The maximum number of retry attempts when publishing Gateway WSDL information to UDDI.
    Default: 3
    For more information on when this property is used, see Publish to UDDI Settings.

       
WS-Security Cluster Properties

       
The following cluster properties control various aspects of WS-Security behavior on the Gateway.
       
           
               
Table 430: Gateway Cluster Properties - WS-Security

outbound.secureConversation.defaultSessionDuration
    Defines the system default for the token lifetime. Value is a time unit; see Table 409 for allowable time units. Valid range is 1 minute to 24 hours.
    Default: 2h
    This property is used in the following assertion:
    • Establish Outbound Secure Conversation

outbound.secureConversation.maxSessions
    Defines the maximum number of outbound secure conversation sessions that can be created. Enter a value between 1 and 1000000.
    Default: 10000

outbound.secureConversation.sessionPreExpiryAge
    Defines a pre-expiry age for outbound secure conversation sessions. This is used to "move up" the supplied expiry time and can help prevent the use of an expired session. For example, if the maximum expiry period is 20 minutes and the value of this cluster property is 5 minutes, the Gateway will use 15 minutes (20 - 5) as the final expiry period.
    Value is a time unit; see Table 409 for allowable time units. Maximum is 2 hours.
    Default: 1m
    This property is used in the following assertion:

security.wss.timestamp.createdFutureGrace
    To accommodate clock skew, WSS timestamp Created dates are permitted to be up to this far in the future.
    Default: 60000 (milliseconds)

security.wss.timestamp.expiresPastGrace
    To accommodate clock skew, WSS timestamp created dates are permitted to be up to this far in the past.
    Default: 60000 (milliseconds)

wss.decorator.digsig.messagedigest
    Specifies the default digital signature message digest algorithm that will be used by the following assertions:
    • Add Security Token
    • Add Timestamp (when the timestamp is signed)
    • Sign Element
    Valid algorithms are: SHA-1, SHA-256, SHA-384, SHA-512.
    Default: SHA-1
    Requires a Gateway restart for changes to take effect.

wss.decorator.mustUnderstand
    Default: true
    The Gateway must be restarted for changes to this property to take effect.

wss.decorator.soap.soapActorNamespaced
    Controls whether the SOAP 1.1 actor attribute created by the WSS decorator is in the SOAP namespace. Value is a Boolean.
    • true = Actor attribute is in the SOAP namespace; example: <wsse:Security soapenv:actor="secure_span">
    • false = Actor attribute is not in the SOAP namespace; example: <wsse:Security actor="secure_span">
    Default: true

wss.decorator.omitNanos
    Controls whether dates created by WS-Security timestamps should omit nanoseconds. Value is a Boolean.
    Default: false

wss.decorator.wsTrustRequestTypeIndex
    Sets the WS-Trust request type:
    • 0 = 2005/02 version of WS-Trust
    • 1 = IBM TFIM (Tivoli Federated Identity Manager) compatible
    Default: 0
    Requires a Gateway restart for changes to take effect.

wss.processor.allowMultipleTimestampSignatures
    Default: false

wss.processor.allowUnknownBinarySecurityTokens
    Controls how the Gateway responds to Binary Security Tokens of an unknown type. Value is a Boolean.
    • true = Unknown tokens are permitted
    • false = Unknown tokens will cause security processing to fail
    Default: false

wss.processor.strictSignatureConfirmationValidation
    Controls how signature confirmation validation is performed. Value is a Boolean.
    • true = Signature confirmation validation is strictly enforced. All WSS 1.1 signature confirmation checks are performed. All checks are also performed on responses that are detected as using WSS 1.1.
    • false = Signature confirmation validation is more lenient. The following conditions are permitted and will not cause validation to fail:
        • no SignatureConfirmation element in a WSS 1.1 response
        • a SignatureConfirmation element with no Value attribute that is not the only SignatureConfirmation element
        • signature confirmation values that are not found in the request
        • unencrypted signature confirmations corresponding to encrypted signatures in the request
    Default: true

wss.secureConversation.clusterSessions
    Indicates whether WS-SecureConversation sessions should be shared between cluster nodes. Value is a Boolean.
    Default: false
    Note: WS-SecureConversation session persistence may not be required when using a load balancer with node affinity.

wss.secureConversation.defaultSessionDuration
    The default duration for WS-SecureConversation sessions. Minimum is one minute, while the maximum is one day. Value is a time unit; see Table 409 for allowable time units.
    Default: 2h
    Note: If the value is outside of the minimum/maximum range or is otherwise invalid, then the default value is used.

wss.secureConversation.maxSessions
    The maximum number of WS-SecureConversation sessions permitted at any one time.
    Default: 10000
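
To see how the timing properties in this table interact, here is an added example (not code from the Gateway or the Policy Manager) that models the session-duration range check, the pre-expiry arithmetic and the timestamp clock-skew grace on sample values. The time-unit suffixes (ms, s, m, h, d) are assumed from the values shown on this page, since Table 409 is not reproduced here, and applying expiresPastGrace to the Expires date is this example's reading of the property name.

```python
"""Added example, not Gateway code: the WS-Security timing rules of Table 430
applied to sample values. Time-unit suffixes are assumed from the values on
this page (2h, 1m, 7d); Table 409 itself is not reproduced here."""
from datetime import datetime, timedelta
from typing import Tuple

# Suffix -> milliseconds (assumed; 'ms' must be tested before 's' and 'm').
_UNITS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_time_unit(value: str) -> int:
    """Convert '2h', '1m', '500ms', ... to milliseconds; raise on anything else."""
    v = value.strip()
    for suffix in ("ms", "s", "m", "h", "d"):
        if v.endswith(suffix) and v[: -len(suffix)].isdigit():
            return int(v[: -len(suffix)]) * _UNITS[suffix]
    raise ValueError(f"not a time unit: {value!r}")


SESSION_DEFAULT_MS = parse_time_unit("2h")   # documented default
SESSION_MIN_MS = parse_time_unit("1m")       # documented minimum
SESSION_MAX_MS = parse_time_unit("24h")      # documented maximum (one day)


def effective_session_duration(configured: str) -> int:
    """wss.secureConversation.defaultSessionDuration: a value outside 1m..24h,
    or one that does not parse, silently falls back to the 2h default."""
    try:
        ms = parse_time_unit(configured)
    except ValueError:
        return SESSION_DEFAULT_MS
    return ms if SESSION_MIN_MS <= ms <= SESSION_MAX_MS else SESSION_DEFAULT_MS


def effective_outbound_expiry(supplied_expiry: str, pre_expiry_age: str = "1m") -> int:
    """outbound.secureConversation.sessionPreExpiryAge 'moves up' the supplied
    expiry: a 20m expiry with a 5m pre-expiry age yields 15m (returned in ms)."""
    age = parse_time_unit(pre_expiry_age)
    if age > parse_time_unit("2h"):
        raise ValueError("sessionPreExpiryAge maximum is 2 hours")
    return max(0, parse_time_unit(supplied_expiry) - age)


def _iso(ts: str) -> datetime:
    # wsu:Created / wsu:Expires carry a 'Z' suffix; fromisoformat wants +00:00
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_wss_timestamp(created: str, expires: str, now: str,
                        created_future_grace_ms: int = 60_000,
                        expires_past_grace_ms: int = 60_000) -> Tuple[bool, str]:
    """Accept a wsu:Timestamp only within the documented clock-skew grace:
    Created may lie at most createdFutureGrace ahead of the Gateway clock and
    Expires (this example's reading of the property name) at most
    expiresPastGrace behind it. Both default to 60000 ms as in Table 430."""
    c, e, n = _iso(created), _iso(expires), _iso(now)
    if e <= c:
        return False, "Expires is not later than Created"
    if c - n > timedelta(milliseconds=created_future_grace_ms):
        return False, "Created is further in the future than createdFutureGrace allows"
    if n - e > timedelta(milliseconds=expires_past_grace_ms):
        return False, "Expires is further in the past than expiresPastGrace allows"
    return True, "timestamp accepted"


if __name__ == "__main__":
    # Constructed sample: a client clock 30 s ahead of the Gateway is tolerated,
    # one that is two minutes ahead is not.
    now = "2024-05-01T12:00:00Z"
    print(check_wss_timestamp("2024-05-01T12:00:30Z", "2024-05-01T12:05:00Z", now))
    print(check_wss_timestamp("2024-05-01T12:02:00Z", "2024-05-01T12:05:00Z", now))
    print(effective_outbound_expiry("20m", "5m") // 60_000, "minutes")
```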
                               
                           
                   
                   
            XML Security Cluster Properties

                   
            The following cluster properties are used to configure XML security.   
                   
                       
                           
Table 431: Gateway Cluster Properties - XML Security

security.xml.dsig.idAttributeNames
    List of attribute names that will be recognized as ID attributes for purposes of locating Signature Reference URI targets during WS-Security processing. The special prefix 'local:' matches the namespace URI against the owning element rather than the attribute. All other prefixes are ignored.
    Default:
    {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id
    {http://schemas.xmlsoap.org/ws/2002/07/utility}Id
    {http://schemas.xmlsoap.org/ws/2003/06/utility}Id
    {urn:oasis:names:tc:SAML:1.0:assertion}local:AssertionID
    {urn:oasis:names:tc:SAML:2.0:assertion}local:ID
    Id
    id
    ID
    Note: This property is for WSS processing and will affect all WSS processing across the cluster after a Gateway restart.

security.xml.dsig.permittedDigestAlgorithms
    List of message digest algorithm names that will be respected when verifying XML digital signatures. DigestMethod and SignatureMethod references that require algorithms not on this list will not be respected. Separate each entry with a comma.
    Default: MD5,SHA,SHA-1,SHA-256,SHA-384,SHA-512
    Requires a Gateway restart for changes to take effect.
    Note: When using this cluster property, observe the following:
    • If the Securespan XML VPN Client is involved in any message sending, ensure that SHA is enabled in the cluster property.
    • If the Securespan XML VPN Client will be decorating messages for the Gateway, SHA-1 must be enabled; otherwise, all WS-Security decorated messages will fail.

security.xml.dsig.permittedTransformAlgorithms
    List of transform algorithm URIs that will be permitted when verifying XML digital signatures. Transforms that require algorithms not on this list will fail. Separate each URI with a comma.
    The following signature transforms are accepted by default when this cluster property is not populated:
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Transform
    http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Only-Transform
    http://www.w3.org/2000/09/xmldsig#enveloped-signature
    http://www.w3.org/2001/10/xml-exc-c14n#
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments

security.xml.xenc.blacklist.capacity
    The number of entries permitted in the decryption key blacklist.
    Default: 50000

security.xml.xenc.blacklist.enabled
    Determines whether symmetric keys should be blacklisted. Value is a Boolean.
    • true = Symmetric keys that fail to successfully decrypt XML (the number of times specified by the security.xml.xenc.blacklist.maxFailures property) are blacklisted on this node for a period of time (set in the security.xml.xenc.blacklist.maxAge property). This makes it more difficult to use the Gateway as a decryption oracle. This setting is the default.
    • false = Symmetric keys will never be blacklisted, even upon failure to decrypt XML.

security.xml.xenc.blacklist.failWhenFull
    Controls the response should the blacklist reach capacity. Value is a Boolean.
    • true = All XML decryption attempts will fail immediately once the blacklist has reached its capacity (as set in the security.xml.xenc.blacklist.capacity property).
    • false = XML decryption will continue even if the blacklist is full. This setting is the default.

security.xml.xenc.blacklist.maxAge
    The minimum period of time a blacklisted key must remain on the blacklist. Value is a time unit; see Table 409 for allowable time units.
    Default: 7d
    Note: The blacklist is cleared when a node is restarted. Blacklisted keys are released, regardless of whether the blacklist period has been observed.

security.xml.xenc.blacklist.maxFailures
    The maximum number of XML decryption attempts that may fail before a key is blacklisted on a node.
    Default: 5

security.xml.xenc.decryptionAlwaysSucceeds
    Determines whether XML decryption should appear to succeed once the Gateway has obtained the symmetric key and attempted to decrypt the CipherValue. Value is a Boolean.
    • true = Decryption will always be successful. XML that cannot be decrypted will be replaced with a dummy element named L7xenc:DecryptionFault in the namespace http://layer7tech.com/ns/xenc/decryptionfault. This makes it more difficult to use the Gateway as a decryption oracle. This setting is the default.
    • false = The Gateway will return its normal response for decryption success and failure. The dummy element is not used.

security.xml.xenc.encryptEmptyElements
    Determines whether the Encrypt Element assertion should encrypt the content of empty elements. Value is a Boolean.
    • true = The content of empty elements is encrypted when the assertion is run. This setting is the default.
    • false = Empty elements are left unencrypted. Setting this to "false" restores pre-v6.1.5 behaviour and may be required for interoperability with earlier versions of the SecureSpan XML VPN Client.
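
The blacklist and decryptionAlwaysSucceeds properties above together describe a defence against using the Gateway as a decryption oracle; the following added example (not the Gateway's own code) implements that behaviour as a small per-node blacklist so the settings can be exercised on sample input. The key bytes, the toy decrypt callback and the millisecond clock are constructed for the example, and blacklisting a key when its failure count reaches maxFailures is this example's reading of the text.

```python
"""Added example, not Gateway code: a per-node decryption-key blacklist that
follows the security.xml.xenc.blacklist.* and decryptionAlwaysSucceeds rules of
Table 431. Key bytes, the toy decrypt callback and the ms clock are constructed."""
import hashlib
import time
from typing import Callable, Dict

# Dummy element substituted for a failure when decryptionAlwaysSucceeds=true
# (element name and namespace as documented in Table 431).
DECRYPTION_FAULT = ('<L7xenc:DecryptionFault '
                    'xmlns:L7xenc="http://layer7tech.com/ns/xenc/decryptionfault"/>')


class DecryptionKeyBlacklist:
    # Defaults mirror Table 431: enabled, maxFailures=5, maxAge=7d,
    # capacity=50000, failWhenFull=false. The clock returns milliseconds.
    def __init__(self, enabled: bool = True, max_failures: int = 5,
                 max_age_ms: int = 7 * 86_400_000, capacity: int = 50_000,
                 fail_when_full: bool = False,
                 clock: Callable[[], int] = lambda: int(time.time() * 1000)) -> None:
        self.enabled, self.max_failures, self.max_age_ms = enabled, max_failures, max_age_ms
        self.capacity, self.fail_when_full, self.clock = capacity, fail_when_full, clock
        self._failures: Dict[str, int] = {}      # fingerprint -> failed attempts so far
        self._blacklisted: Dict[str, int] = {}   # fingerprint -> time blacklisted (ms)

    @staticmethod
    def fingerprint(key: bytes) -> str:
        return hashlib.sha256(key).hexdigest()   # keep a digest, never the raw key

    def _purge(self) -> None:
        # maxAge is the minimum stay; entries are released once it has elapsed.
        now = self.clock()
        for fp, since in list(self._blacklisted.items()):
            if now - since >= self.max_age_ms:
                del self._blacklisted[fp]

    def is_full(self) -> bool:
        return len(self._blacklisted) >= self.capacity

    def is_blacklisted(self, key: bytes) -> bool:
        self._purge()
        return self.fingerprint(key) in self._blacklisted

    def record_failure(self, key: bytes) -> bool:
        """Count one failed decryption; True once the key is blacklisted. This
        example blacklists when the count reaches maxFailures; a full list leaves
        the counter pending instead of evicting anything."""
        if not self.enabled:
            return False
        fp = self.fingerprint(key)
        self._failures[fp] = self._failures.get(fp, 0) + 1
        if self._failures[fp] >= self.max_failures and not self.is_full():
            self._blacklisted[fp] = self.clock()
            del self._failures[fp]
            return True
        return False

    def decrypt(self, key: bytes, cipher_value: bytes,
                do_decrypt: Callable[[bytes, bytes], str],
                always_succeeds: bool = True) -> str:
        """Run one decryption through the blacklist. With always_succeeds
        (decryptionAlwaysSucceeds=true) every failure yields the same dummy
        element, so the response does not reveal whether the key was right."""
        self._purge()
        if self.enabled and self.fail_when_full and self.is_full():
            raise PermissionError("blacklist at capacity and failWhenFull=true")
        if not self.is_blacklisted(key):          # a blacklisted key is not even tried
            try:
                return do_decrypt(key, cipher_value)
            except ValueError:
                self.record_failure(key)
        if always_succeeds:
            return DECRYPTION_FAULT
        raise ValueError("XML decryption failed")


def toy_decrypt(key: bytes, cipher_value: bytes) -> str:
    """Constructed stand-in for XML decryption: only the right key 'works'."""
    if key == b"constructed-correct-key":
        return "<Secret>plaintext</Secret>"
    raise ValueError("bad padding or MAC")


def walkthrough() -> Dict[str, bool]:
    """Drive a tiny blacklist with a fake clock and report what was observed."""
    clock = [0]
    bl = DecryptionKeyBlacklist(max_failures=3, max_age_ms=1_000, capacity=1,
                                fail_when_full=True, clock=lambda: clock[0])
    good, bad, cv = b"constructed-correct-key", b"constructed-wrong-key", b"<CipherValue/>"
    out = {"good_key_ok": bl.decrypt(good, cv, toy_decrypt) != DECRYPTION_FAULT}
    out["failures_look_like_success"] = all(
        bl.decrypt(bad, cv, toy_decrypt) == DECRYPTION_FAULT for _ in range(3))
    out["bad_key_blacklisted"] = bl.is_blacklisted(bad)
    try:
        bl.decrypt(good, cv, toy_decrypt)
        out["refused_when_full"] = False
    except PermissionError:                     # capacity=1 reached, failWhenFull=true
        out["refused_when_full"] = True
    clock[0] += 1_000                            # maxAge elapsed on this node
    out["released_after_max_age"] = not bl.is_blacklisted(bad)
    out["good_key_ok_again"] = bl.decrypt(good, cv, toy_decrypt) != DECRYPTION_FAULT
    return out
```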
                                         
                                     
                             
                             
                      General Workflow

                             
Several Policy Manager tasks are required before you can leverage the Gateway's functionality. Since every organization will use the Policy Manager differently, the following list includes only the key tasks for configuring and using the Policy Manager. If you require assistance in the configuration process, contact CA Technical Support.

The following workflow assumes the user has the Administrator role. For information on the steps required to configure identity bridging in the Policy Manager and Securespan XML VPN Client, see Identity Bridging.

1. Connect to the Gateway.
2. Upon first connection to a Gateway, you need to install the license file.
3. Each Gateway Internal Identity Provider (IIP) is pre-configured with a single default administrative user ("admin") and a set of predefined roles. Optionally configure additional users and groups for the IIP.
4. Configure LDAP Identity Providers.
5. Publish a new SOAP web service, Web API service, or RESTful service proxy.
6. Construct a valid policy for a published service.
7. Analyze the performance of the Gateway and refine if necessary.

                        Generating a Certificate Signing Request (CSR)

You can use a private key to generate a new PKCS#10 certificate signing request (CSR). This CSR is then saved to the local hard disk of the machine running the Policy Manager, in either binary (*.p10) or Base64 PEM (*.pem) format. You can then send this CSR to a certificate authority (CA) to apply for an actual certificate.

Tip: Many CAs allow you to apply for a certificate by uploading a CSR file through a Web page.

To generate a certificate signing request:

1. In the Policy Manager, select [Tasks] > Manage Private Keys. The Manage Private Keys dialog appears.
2. Select the private key to be used to generate the CSR and then click [Properties]. The Private Keys Properties dialog appears.
3. Click [Generate CSR] in the Other Actions section. You are prompted to provide a subject DN for the CSR. The current subject DN is offered as a default.
4. Enter the CSR Subject (DN). This specifies the owner of the initial self-signed certificate and should be in the form of an X.509 subject. For example:

   CN=ssl.layer7tech.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA

   Note: Fields that contain commas must be enclosed in quotes, as shown in the above example.
5. Choose the Signature hash to use from the drop-down list. The following options are available:
   Auto (default)
   SHA-1
   SHA-256
   SHA-384
   SHA-512
   Tip: Selecting "Auto" duplicates the automatic signature hash selection that occurred in versions prior to 7.1. With this setting, the Gateway uses the com.l7tech.security.cert.alwaysSignWithSha1 system property to determine the hash.
6. Click [OK]. You are prompted for a location to save the file.
7. Navigate to the destination and then click [Save]. Note that by default, the file is saved as a Base64 PEM file; you can change this to PKCS #10 format if necessary.
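
The comma-quoting rule in step 4 is easy to get wrong when a subject DN is assembled by a script, so here is an added example (not Policy Manager code) that splits a subject DN into its RDNs while honouring double quotes and shows that the unquoted form of the sample DN is rejected. Apart from the page's own sample, the DN strings are constructed for the example.

```python
"""Added example, not Policy Manager code: split a CSR subject DN into RDNs,
treating a double-quoted value as one field even when it contains commas, as
the note in step 4 requires. Sample DNs are constructed for this example."""
from typing import List, Tuple


def split_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...]; commas inside "..." stay in the value
    and the quotes themselves are dropped. Raises ValueError when a field has
    no name=value shape, which is exactly what an unquoted
    'O=CA Technologies, Inc' produces."""
    fields, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit, they are not part of the value
        elif ch == "," and not in_quotes:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in subject DN")
    fields.append("".join(buf))
    rdns = []
    for field in fields:
        name, eq, value = field.strip().partition("=")
        if not eq or not name.strip():
            raise ValueError(f"field {field.strip()!r} is not name=value; "
                             "a value containing a comma must be double-quoted")
        rdns.append((name.strip(), value.strip()))
    return rdns


def format_subject_dn(rdns: List[Tuple[str, str]]) -> str:
    """Inverse of split_subject_dn: values containing a comma are re-quoted."""
    return ", ".join(f'{n}="{v}"' if "," in v else f"{n}={v}" for n, v in rdns)


def dn_is_well_formed(dn: str) -> bool:
    try:
        split_subject_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's own sample, then the same DN with the quotes around the O value left out.
    sample = 'CN=ssl.layer7tech.com, O="CA Technologies, Inc", L=Vancouver, ST=British Columbia, C=CA'
    for name, value in split_subject_dn(sample):
        print(f"{name:3}= {value}")
    print(dn_is_well_formed('CN=ssl.layer7tech.com, O=CA Technologies, Inc, C=CA'))   # False
```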
                                   