Webcullis User Manual April 2006
Contents
1. limit is specified in the CRLFreshness value Note that this option is not enabled by default 3 2 4 CRLFreshness This option is used to specify the maximum age in seconds for a CRL used during validation If a CRL is older than this limit a fresh copy will be fetched before vali dation is performed If this option is omitted or provided with a value of 0 it will be implemented as a 30 day limit by default 3 2 5 RequireFreshCRL If this option is used a cached CRL is used during validation only if the current date is before the CRL s nextUpdate field In this manner a cached CRL is only updated if 1ts issuer should have published an update by the time of the validation Note that this option is not enabled by default 3 2 6 AllowedPolicy This option allows an administrator to specify a certificate policy that is acceptable for accessing the given directory It is possible to list multiple allowed policies an entry is required for each one AllowedPolicy 2 16 840 1 101 3 2 1 48 2 AllowedPolicy 2 16 840 1 101 3 2 1 48 6 If the Al lowedPolicy option is used a certificate must contain at least one of the allowed policies in order to be acceptable for access Note In order for the policies specified under this option to be enforced the InitialExplicitPolicy option must also be set to Yes In the vast majority of cases it will be desirable to also set the InitialInhibitAnyPolicy option to Yes 12 3 2 7 Req2. option In this exam ple the administrator has decided to require a recent Certificate Revocation List while building a validation path for certificates presented for authorization to the given direc tory tree Note that values of yes Yes and YES will be treated equally whereas any other value to binary options will be treated as No See Section 4 for more information on configuration file formatting 3 1 General Configuration Options The following table outlines the Webcullis general configuration options Option Key Valid Value s Default Value TrustRootPath Directory none CacheEntries 0 2147483647 150 MaxCacheAge 0 2147483647 seconds 300 LogLevel Log level none LogPath Log file none TracePath Log file for trace logs none ErrorDocument HTML file none 3 1 1 TrustRootPath This is the location of the Webcullis trustroot store see Section 2 2 for more infor mation The value assigned to this option should be a well formatted absolute path pointing a directory containing only properly formatted DER encoded certificate files This is a required field Without a value for this field in the configuration file We beullis will not be able to run Note that the use of backslashes is necessary to specify a path in the Windows file system 3 1 2 CacheEntries This is the number of certificate chain validation results that the server will cache While the identifier for a g
3. rotation schedule Its rate of growth will depend greatly on the amount of traffic to the web server and the configured verbosity of the Webcullis log messages 3 1 6 TracePath This is the file to which trace log messages will be written if the LogLevel option is set to 5 Itis highly recommended that a system administrator delete or rotate this file off disk if trace logging is enabled as 1t could grow very large in a short amount of time depending on the amount of traffic to the web server If no trace file is specified no trace logging will be performed If the log level is set to 5 but no trace file is specified a message stating this fact will be written to the general log file 3 1 7 ErrorDocument This is the HTML file to which a browser requesting authorization will be directed if the validation fails If no page is specified the browser will be directed to an empty page The sample configuration file points to a generic error document provided with the Webcullis installation 3 2 Directory Level Configuration Options Directory specific configurations are made in blocks starting with an identifier of the directory So a block containing configurations for the directory reports fy00 10 would start with the following line reports fy00 Note The root directory of the IIS web file system is considered as the root for the directory access control options Forward slashes should be used to identify all directories rel
4. 2 policySet WithPolicy 1 policySet WithPolicy2 policySet WithPolicy3 policySet WithPolicy TrustRoots File name Jwspac_isapi dll Files of type ISAPI Filters dl y Cancel A e Press OK in the Filter Properties window e Press OK in the properties window of the web server e To start using the Webcullis plug in restart the web server This is accomplished by right clicking on the server name in the main body of the window and choos ing Stop then Start e Verify that Webcullis is running by again right clicking on the web server choos ing properties and clicking on the ISAPI Filters tab To the left of the Webcullis filter name there should be a green arrow indicating that it is running MIMI 5 Test Properties EE Directory Security HTTP Headers Custom Errors Server Extensions Web Site Operators Performance ISAPI Filters Home Directory Documents Filters installed here are active for this Web site only Filters are executed in the order listed below Sta Fer Nae Webcullis Unknown Add Remove Edit Disable Cancel Apply Help 2 4 De installation To de install Webcullis you should first remove it from IIS This is accomplished by at first following the instructions of Section 2 3 on how to configure it as an ISAPI filter However where the directions instruct you to add the new filter you should instead select the Webcullis filter
5. 2048 Figure 8 MinKeySize Sample 19 4 3 6 Prohibit test certificates from being used in production This server is generally available to anyone in the organization with a valid non test certificate This CA issues 3 production policies 2 16 840 1 101 9 8 7 1 is asserted on software protected certificates 2 16 840 1 101 9 8 7 2 is asserted on certificates pro tected by traditional hardware tokens and 2 16 840 1 101 9 8 7 3 is asserted on cer tificates protected by biometric hardware tokens For test certificates they assert the policy 2 16 840 1 101 9 8 7 6 TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 ErrorDocument c website validation custom_failed html LDAPRepository ldap ketogen com These should be set to Yes in most cases where policy based restriction is in use nitialExplicitPloicy Yes nhibitAnyPolicy Yes PermittedSubtree o Ketogen Pharmaceuticals c US RequireFreshCRL Yes AllowedPolicy 2 16 840 1 101 9 8 7 1 AllowedPolicy 2 16 840 1 101 9 8 7 2 AllowedPolicy 2 16 840 1 101 9 8 7 3 Figure 9 Another Policy Sample 5 For More Information This document contains the information necessary to install and configure the We bcullis plug in to the IIS web server We suggest the following resources should you need more information to help you during this process e The II
6. ISAPI Filter The Webcullis installer will include an ISAPI filter DLL which is made available to IIS using the IIS Administration MMC snap in Follow these steps to configure IIS 5 0 to use the filter e From the start menu choose Programs gt Administrative tools gt IIS msc e Within the tree window to the left expand the Internet Information Services node to view the server machine name Select this machine name ii Console1 Console Window Help O Ca Ta Console Root Internet Informat Action View Favorites Tree Favorites 3 Console Root E Certificates Current User 4 Internet Information Services yl ago tcicada2 ye 1 e Within the main window identify the web server on which you would like to run Webcullis Right click on the server name and choose properties jai Console JO Ma fai Console Root Internet Information Services tcicada2 e Choose the ISAPI Filters tab Administration Web Site Stopped Properties e Press the Add button In the window that appears enter a name to identify the plug in such as Webcullis iter Name Webcullis Executable Browse Cancel Help e Press the browse button and navigate to the location of the Webcullis installation Choose the file wspac_isapi d11 and press Open Look in a CTest e El certadm dll NoRegiment
7. Policies Yes No No InitialExplicitPolicy Yes No No InitialInhibitAnyPolicy Yes No No PolicyMapInhibit Yes No No ExtendedKeyUsage OID none RequireMatchAIEKU Yes No No PermittedSubtree Distinguished Name DN none ExcludedSubtree Distinguished Name DN none MinKeySize 1 32767 1024 3 2 1 LDAPRepository This is the LDAP repository to which the web server should look in performing vali dation If no repository is listed the Webcullis plug in will by default consider inter 2In rare cases where forward slashes are used as application specific delimiters absolute file names de limited by backslashes can be considered However this form is discouraged for the majority of Webcullis configurations 11 mediate certificates or CRLs stored in CAPI as well as consult other AIAs specified in the the certificate chain during validation Credentials or CRLs that have been fetched are cached in CAPI and thus available to other applications using this store for creden tial information The LDAPPort directive may be used to specify a port other than the default 389 3 2 2 LocalOCSPURL This is the url to a local trusted OCSP responder which the web server should consult first for revocation information when performing path validation 3 2 3 RequireRecentCRL This option allows a system administrator to require that a cached CRL be no older than a certain number of seconds in order for it to be used during validation This time
8. S documentation http www microsoft com windows2000 en server iis e Guide to the Secure Configuration of Microsoft Internet and Information Ser vices http www nsa gov snac downloads miis cfm MenulD ses 1 4 e RFC 3280 Internet X 509 Public Key Infrastructure Certificate and Certifi cate Revocation List Profile http www faqs org rfcs rfc3280 html 20
9. Webcullis User Manual April 2006 Orion Security Solutions Inc webcullis gt E S SS AD Contents 1 Introduction Tell COVETVIEW 2 ge e ae ae A ee ee ee we e Installation 2 1 The Configuration File o 2 2 Trust Anchor Management e 2 3 TheISAPI Filter eee 2 4 De installation 2 2 00 eee eee eee Configuration Options 3 1 3 2 4 1 4 2 4 3 General Configuration Options 00 3 1 1 TrustRootPath aoaaa a 3 1 2 CacheEntries se gos a a e E 3 1 3 MaxCacheAge coco ea 2201952 3 114 LogLevel ociosos ROSAS Pee ee ead SAS WbosPath tios chet be eee Boh ew bg 3 16 WracePath 2 0 6 0 4 640 oes a a Re eee AA 3 1 7 ErrorDocument 002 000 2 eee Directory Level Configuration Options 3 2 1 LDAPRepository 00 3 2 2 LocalOCSPURL pocece ceened arseen 3 2 3 RequireRecentCRL o 3 2 4 CRLFreshmess o e 3 2 5 RequireFreshCRL o 3 2 6 AllowedPolicy o o e 3 2 7 RequireAllPolicies o 3 2 8 InitialExplicitPolicy 3 2 9 InitiallnhibitAnyPolicy o 3 2 10 PolicyMapIdhibit o 3 2 11 ExtendedKeyUsage o 3 2 12 Requi
10. and remove it For your changes to take effect you should restart all web servers that were using Webcullis for access control Once Webcullis is no longer running you can safely remove the software itself from your computer 3 Configuration Options The options used in the Webcullis configuration file can be broken into two broad categories those that affect the Webcullis program as a whole and those that affect the way in which authorization is decided for a given directory tree for example the set of directories and files rooted at reports fy2000 Note that options of the second category those that enforce authorization policies on a given directory can also be specified as general options in the configuration file header Restrictions on a directory will be executed in the following order Specific defined in an individual directory block of the configuration file General specified in the header block of the configuration file and Default no value is specified and the default Webcullis value is used Note also that specifying a general authorization option in the header has a different effect than specifying one for the root directory which is discussed in Section 3 2 Options are generally specified in the configuration file in the following format RequireRecentCRL Yes where the left hand side of the equation is the option key and the right had side is the value that the administrator would like implemented for this
11. ative to the web server root for directory level options It is not recom mended that files be referenced from outside this subtree in configuring directory level access control policies Do not attempt to construct absolute paths in the Windows file system Note also that restrictions are inherited throughout the subtree of the directory to which they are applied If reports is restricted with the RequireFreshCRL op tion then access to the reports fy00 subdirectory would also be restricted Note also that once a restriction is tightened on a directory it can not be loosened on a sub tree of that directory in the above example creating a block for reports fy00 and excluding the option RequireFreshCRL would have no effect because the RequireFreshCRL option had already been applied to reports This means that any restrictions applied to the root directory will be applied to all files on the server even if looser restrictions are defined for subdirectories In Section 3 it is also noted that you can specify general configuration settings in the configuration file header that can be overridden at the individual directory level Option Key Valid Value s Default Value LDAPRepository Server address LDAPPort TCP port 1 65535 LocalOCSPURL full http URL RequireRecentCRL Yes No No CRLFreshness 0 2 1 billion seconds 0 RequireFreshCRL Yes No No AllowedPolicy OID none RequireAll
12. cullis makes it easy to quickly restrict access to such data using name constraints TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 ErrorDocument c website validation custom_failed html LDAPRepository ldap ketogen com PermittedSubtree o Ketogen Pharmaceuticals c US RequireFreshCRL Yes Accounting PermittedSubtree ou Accounting o Ketogen Pharmaceuticals c US Figure 4 Simple configuration file for an intranet server 4 3 2 Restricting access to particular individuals Webcullis can also be used as a quick simple form of access control list This con figuration file restricts an upcoming annual report only to those who are working on it 16 TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 ErrorDocument c website validation custom_failed html LDAPRepository ldap ketogen com PermittedSubtree o Ketogen Pharmaceuticals c US RequireFreshCRL Yes Accounting PermittedSubtree ou Accounting o Ketogen Pharmaceuticals c US Accounting FY06 PermittedSubtree CN Joe Dimaggio ou Accounting o Ketogen Pharmaceuticals c US PermittedSubtree CN Mickey Mantle ou Accounting o Ketogen Pharmaceuticals c US PermittedSubtree CN Ted Williams ou Accounting o Ketogen Pharmaceuticals c US Figu
13. e must contain at least one of the key usage extensions listed to be acceptable 3 2 12 RequireMatchAlEKU This option is parallel to RequireAllPolicies It allows an administrator to re quire that an acceptable certificate contain all specified key usage policies instead of the default gt 1 3 2 13 PermittedSubtree This option combined with ExcludedSubt ree allows an administrator to exert name restrictions during authorization More than one permitted subtree can be speci fied with this option in the manner used for the Al lowedPolicy option If this option is used only certificates with DNs falling under one of the listed subtree s q will be authorized for access This option can be used in tandem with 13 the ExcludedSubt ree option although this would be redundant unless the subtree listed in one was an ancestor to the subtree listed in the other See Section 4 2 for an example Note that for both this and the ExcludedSubt ree option the DN is specified in local order i e the most local qualifier is first PermittedSubt ree cn JoseVidro o State Polytechnic Institute cu us 3 2 14 ExcludedSubtree This and the previous option allow a system administrator to use name constraints to control access to the web server file system If this option is used all certificates other than those listed under it will be allowed to access the given directory As with PermittedSubt ree it is possible to list more than one e
14. icy 2 3 4 5 1 AllowedPolicy 2 3 4 5 4 RequireAllPolicies Yes ExtendedKeyUsage 1 2 3 4 5 6 HR MinkeySize 2048 RequireRecentCRL Yes CRLFreshness 3600 Figure 3 A sample configuration file body using various restrictions for the root Cog Sci Grades Faculty and HR directories 15 Note that in Figure 3 the restrictions specified in the first entry that of the root directory will be applied universally to all web server documents as the entire web file system is in the subtree of the root We see that the PermittedSubtree re strictions for the Cog_Sci subdirectory provide further name restrictions than those defined for the root directory For Faculty the PermittedSubTree option is used with ExcludedSubt ree to provide small exceptions for administrative access to restricted files Due to the sensitive nature of the documents access to Grades is restricted based on certificate policy and the key usage policy Similarly the entire cert chain must have keys of size at least 2048 in order to access HR For this last directory Webcullis is also required to use CRLs that are no older than an hour in performing validation 4 3 Configuration Scenarios 4 3 1 Restricting access to a particular department Imagine an intranet server containing both information of general organizational inter est and information such as for example unreleased financial performance data that should not be generally available Web
15. inappropriately used keys If you know that a particular CA uses the extended key usage extension you can con figure Webcullis to enforce it 18 TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 ErrorDocument c website validation custom_failed html LDAPRepository ldap ketogen com PermittedSubtree o Ketogen Pharmaceuticals c US RequireFreshCRL Yes require the TLS Client Auth extended key usage extension be presen since this CA always sets it ExtendedKeyUsage 1 3 6 1 5 5 7 3 2 Accounting PermittedSubtree ou Accounting o Ketogen Pharmaceuticals c US Figure 7 ExtendedKeyUsage Sample 4 3 5 Key Size Restriction If an organization is in the process of transitioning end entities from one key size to another it may be desirable to restrict access to some resources based on key size TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 ErrorDocument c website validation custom_failed html LDAPRepository ldap ketogen com PermittedSubtree o Ketogen Pharmaceuticals c US RequireFreshCRL Yes Accounting PermittedSubtree ou Accounting o Ketogen Pharmaceuticals c US Archiving This is a long term archiving application Require at least a 2048 bit RSA key for entry MinkeySize
16. ion on the options available for use in this file and Section 4 for sample configuration files Webcullis is a trademark of Orion Security Solutions all rights reserved All other trademarks and registered trademarks are the property of their respective owners Unless stated to the contrary no association with any other company or product is intended or should be inferred 2 2 Trust Anchor Management Webcullis maintains its own store of trusted root CA certificates distinct from those in the Windows CAPI store These trust anchors are added or removed by copying them to or deleting them from the trustroot directory which is identified in the configuration file The contents of the directory are read every time Webcullis is restarted it is recommended that all instances of IIS be restarted if modifications to this directory are made Because improper configuration of Webcullis or incorrect file permissions on the trustroot directory could open the web server to unauthorized access we recommend that the administrator in charge of the web server on which Webcullis is to be installed first consult resources such as the National Security Agency s Guide to the Secure Configuration of Microsoft Internet and Information Services Section 5 We note also that the Webcullis plug in only needs read access to the files in the trustroots directory and recommend that administrators apply permissions to those files accord ingly 2 3 The
17. iven certificate is in the cache and younger than the value specified by MaxCacheAge the server will not re validate that cert chain when pre sented with it during an authorization request 3 1 3 MaxCacheAge The maximum number of seconds for which a certificate chain identifier will be cached 3 1 4 LogLevel This is how the verbosity of the log messages are configured A value of 0 specifies no logging 5 is the most verbose It is strongly recommended that logging be set at least to level 1 and this setting should be sufficient in the general case The following table outlines the information logged at each level Level Verbosity No messages will be logged after plug in startup Not Recommended Only error messages will be logged Error and warning messages Error warning and informational messages All of the above plus debug messages All of the above plus path building and validation traces MB LB O 3 1 5 LogPath This is the location of the principal Webcullis log file in the Windows file system specified using backslashes 1 All log messages generated below level 5 trace level will be logged to this file This is a required field Failing to set it in the configuration file will prevent Webcullis from starting It is recommended that system administrators monitor the size of this file during the initial period of operation and consider placing it under a regular automated
18. mented on a per directory basis and managed in this configuration file as described in Sections 3 and 4 We recommend that administrators read carefully the options for configuration before writing their configu ration file as improper access policies can lead to the compromise of otherwise secure systems In this document we will first outline the procedure for installation of the Webcullis plug in on a machine running IIS Section 2 Next we will consider the options avail able for the configuration of Webcullis including general options as well as those for per directory access control Section 3 Finally we will consider excerpts of exam ple configuration files to better illustrate the capabilities of Webcullis Section 4 and conclude with information on resources for administrators using Webcullis Section 5 2 Installation To perform the installation with the Webcullis installer complete the following steps which are outlined in more detail in the rest of this section This instructions assume that IIS has been installed and is configured to accept ISAPI filter plug ins 1 Run the Webcullis installer 2 Write a configuration file 3 Import trust anchors into the trustroot directory 4 Configure ISAPI Filter for IIS 5 Restart the web server 2 1 The Configuration File The sample configuration file provided with Webcullis can serve as a starting point in writing a custom version See also Section 3 for more informat
19. re 5 Simple ACL 4 3 3 Excluding Low Assurance certificates Policy based access control allows you to trust certificates issued under one policy but not another Suppose that Ketogen s CA issues 3 policies 2 16 840 1 101 9 8 7 1 is as serted on software protected certificates 2 16 840 1 101 9 8 7 2 is asserted on certifi cates protected by traditional hardware tokens and 2 16 840 1 101 9 8 7 3 is asserted on certificates protected by biometric hardware tokens 17 TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 ErrorDocument c website validation custom_failed html LDAPRepository ldap ketogen com These should be set to Yes in most cases where policy based restriction is in use nitialExplicitPloicy Yes nhibitAnyPolicy Yes PermittedSubtree o Ketogen Pharmaceuticals c US RequireFreshCRL Yes General content is open to anyone with a software hardware or biometric hardware cert AllowedPolicy 2 16 840 1 101 9 8 7 1 AllowedPolicy 2 16 840 1 101 9 8 7 2 AllowedPolicy 2 16 840 1 101 9 8 7 3 Accounting PermittedSubtree ou Accounting o Ketogen Pharmaceuticals c US Require either hardware or hardware biometric tokens for the accounting department AllowedPolicy 2 16 840 1 101 AllowedPolicy 2 16 840 1 101 WN 9 83 9 287 Figure 6 Policy Sample 4 3 4 Excluding
20. reMatchAIEKU o o 3 2 13 PermittedSubtree o e e 3 2 14 ExcludedSubtree o o e 3 2 15 MinKeySize Configuration File Examples General Options The Configuration File Header Directory Options The Configuration File Body Configuration ScenarlOS e ee 4 3 1 Restricting access to a particular department 4 3 2 Restricting access to particular individuals 4 3 3 Excluding Low Assurance certificates 4 3 4 Excluding inappropriately used keys 4 3 5 Key Size Restriction o o NSH HW O O O oO oo o0 o0 o0 N 4 3 6 Prohibit test certificates from being used in production 5 For More Information 19 1 Introduction Webcullis is a security plug in for Microsoft s Internet Information Services IIS web server It is designed to strengthen the web server s ability to limit access to files based on certificate policy or name constraints when the server implements X 509 PKI based authorization schemes 1 1 Overview The heart of the Webcullis plug in is its configuration file which must be written ac cording to the authorization policies of the web server in which it is being installed The Webcullis installation includes a sample configuration file which may be useful in this writing Webcullis access constraints are imple
21. rrorDocument c cTest validation custom_failed html PermittedSubtree o State Polytechnic Institute c US Figure 2 A larger configuration file header In this example the cache settings are also cus tomized as well as a custom error document specified Also access to the site is by default limited to certificates from State Polytechnic Institute although this can be overridden at the individual directory level in the body of the configuration file 4 2 Directory Options The Configuration File Body The body of the configuration file is composed of blocks of options for each directory tree one per directory tree Each block is identified by an initial line identifying the directory in question There are no required options for the body of the configuration file other than this leading identifier LDAPRepository ldap spi edu PermittedSubtree o State Polytechnic Institute c US RequireFreshCRL Yes Cog_Sci PermittedSubtree ou Computer Science o State College c US PermittedSubtree ou Psychology o State College c US PermittedSubtree ou Linguistics o State College c US PermittedSubtree ou Philosophy o State College c US Faculty ExcludedSubtree ou Students o State College c US ExcludedSubtree ou Staff o State College c US PermittedSubtree cn Jane Admin ou Staff o State College c US PermittedSubtree cn Jose Admin ou Staff o State College c US Grades AllowedPol
22. uireAllPolicies This option is only used in a directory configuration block containing more than a single AllowedPolicy statement It requires that an acceptable certificate contain all listed policies instead of the default of gt 1 3 2 8 InitialExplicitPolicy This option indicates that the end entity certificate in the chain being validated must contain an explicit certificate policy This option must be set to Yes to perform access control based on certificate policies 3 2 9 InitialInhibitAnyPolicy This allows a system administrator to ignore the assertion of the special any policy in the end entity certificate being validated In this manner if access is restricted based on certificate policies it can only be granted if the certificate contains one or all of the exact policies put forth in the configuration file 3 2 10 PolicyMapInhibit This option allows a system administrator to prevent the validation of a certificate chain using a mapped policy In this manner if there are certificate policy restrictions using AllowedPolicy they can only be satisfied if the certificate conforms to them na tively 3 2 11 ExtendedKeyUsage This option is similar to the Al lowedPolicy option but instead of specifying cer tificate policy OIDs it allows an administrator to limit access to a directory based on key usage extensions As with AllowedPolicy if the option is present at all in a directory configuration block a certificat
23. xcluded subtree 3 2 15 MinKeySize This option allows an administrator to limit access to certificates of keys with a certain size or greater It should be noted that if this option is used the constraint will be ap plied to all certificates in a chain not just the end entity certificate Thus if a minimum key size of 1024 is imposed and the end entity certificate satisfies this requirement but another certificate in the chain does not validation will fail 4 Configuration File Examples In this section we will consider a couple of simple example configuration file excerpts 4 1 General Options The Configuration File Header Every Webcullis configuration file must be headed by a set of general configuration file options Of these TrustRootPath and LogPath are mandatory and customizing LogLevel is strongly recommended Other options need to be specified only if you would like to override their default values as defined in Section 3 1 Figure 1 shows the minimal recommended configuration file header Figure 2 shows a more complex set of options TrustRootPath c Trustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log Figure A small configuration file header In this example the trustroot store is identified and the logging functionality configured 14 TrustRootPath c WebSecurity WCTrustroots LogLevel 1 LogPath c WebSecurity logs WCgeneral log CacheEntries 500 MaxCacheAge 3600 E
Download Pdf Manuals
Related Search