Ansicht
Dokumentation

icm/accept_forwarded_cert_via_http - Accept X.509 client certificate that was forwarded via HTTP

------------------------------------------------------------------------

| Parameter : icm/accept_forwarded_cert_via_http                       |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Short Descrption : Accept X.509 client certificate that was          |

|                    forwarded using HTTP.                             |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Parameter description :                                              |

| -----------------------                                              |

| If the SSL connection in a load balancer (such as Web Dispatcher) is |

| terminated, the X.509 certificate is available at the load balancer, |

| but not at the application server, where it is required. To be able  |

| to use the X.509 certificate at the server for logon, it must be     |

| transported to the server (through a secured channel). The           |

| If the following conditions are fulilled, the load balancer writes   |

| the certificate's data in the HTTP header, and the ICM then accepts  |

| it:                                                                  |

| 1. The connection between the load balancer and the ICM was          |

|    encrypted with SSL.                                               |

| 2. The ICM accepts the client certificate of the load balancer       |

|    (you can control this trust relationship with the parameters      |

|    %%icm/HTTPS/trust_client_with_issuer%% and                        |

|    %%icm/HTTPS/trust_client_with_subject%% ).                        |

|                                                                      |

| With the default configuration, the ICM does not accept any          |

| certificate data in the HTTP header, if the request was received by  |

| HTTP, and instead deletes the header fields from the request.        |

| If you can discount the chance of fraud on the basis of network      |

| measures, you can configure the parameter                            |

| icm/accept_forwarded_cert_via_http of the ICM so that it also        |

| accepts client certificate data in the HTTP header, if this was      |

| received over HTTP. In this case, there is no trust relationship     |

| between the load balancer and the ICM.                               |

| Note:                                                                |

| You should only set this parameter to TRUE after carefully           |

| considering the security risks.                                      |

|                                                                      |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Application Area : ICM                                               |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Unit :  Truth Value                                                  |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Default value: FALSE                                                 |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Who is permitted to make changes: The customer                       |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Limitations for Operating Systems: None                              |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Limitations for Database Systems: None                               |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Are other parameters affected/dependent: No                          |

------------------------------------------------------------------------

------------------------------------------------------------------------

| Valid input, formats, areas :  TRUE, FALSE, 0, 1                     |

------------------------------------------------------------------------



------------------------------------------------------------------------ 

| Short Description : Accept X.509 client certificate that was forwarded via HTTP 

------------------------------------------------------------------------ 



------------------------------------------------------------------------ 

| Applications Area : ICM 

------------------------------------------------------------------------ 



------------------------------------------------------------------------ 

| Parameter Type : B 

------------------------------------------------------------------------ 



------------------------------------------------------------------------ 

| Changes allowed : X 

------------------------------------------------------------------------ 



------------------------------------------------------------------------ 

| Valid for Operating System : * 

------------------------------------------------------------------------ 



------------------------------------------------------------------------ 

| Dynamic switchable :  

------------------------------------------------------------------------ 



------------------------------------------------------------------------ 

| Same on all Servers :  

------------------------------------------------------------------------