Sun Java System Web Proxy Server User Interface 

The Global Settings Tab


The Global Settings tab is used to configure directory services, specify access control, create and manage Simple Network Management Protocol (SNMP) master agent communities and SNMP trap destinations, and start and stop SNMP master agents. All SNMP-related pages pertain to UNIX and Linux only.

The tab contains the following pages:


The Configure Directory Service Page

Based on Lightweight Directory Access Protocol (LDAP), a directory server allows you to manage all user information from a single source. You can also configure the directory server to allow your users to retrieve directory information from multiple, easily accessible network locations. Key files and digest files can also be used to manage user information.

The Configure Directory Service page is used to create a new directory service, and to edit or delete an existing one. For more information, see "About Directory Services" in the Proxy Server Administration Guide.


Note

To set up distributed administration, the default directory service must be LDAP-based. The first directory service will be created with the Directory Service ID set to default.


The following elements are displayed:

Create New Service of Type. From the drop-down list, select the directory service type. The following options are available: Digest File, Key File, and LDAP Server.

New. Click this button to create a new directory service of the selected type. The appropriate configuration page displays.

Delete. Select the service you want to delete and click OK. This deletes the directory service entry from the server_root/userdb/dbswitch.conf file but does not delete the file itself.

Directory Service ID. The name of the directory service. Click the name of a service to edit its properties.

Directory Service Type. Lists the type of service: Digest File, Key File, or LDAP Server.

OK. Saves your entries and updates the server_root/userdb/dbswitch.conf file with an appropriate entry.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.


The Digest File Configuration Page

The Digest File Configuration page is used to bind a directory service name with a digest file.

The following elements are displayed:

Directory Service ID. The name of the directory service. If this is the first directory service being configured, the Directory Service ID is set to default.

File Name. The name of the digest file. When you click Save Changes, the server checks to see if this file exists. If the file does not exist, it is created. If the file cannot be created, an error message displays.

Save Changes. Adds the directory service entry to the server_root/userdb/dbswitch.conf file.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.


The Key File Configuration Page

The Key File Configuration page is used to bind a directory service name with a text file called a key file. This key file stores user and group authentication settings for use by the file realm.

The following elements are displayed:

Directory Service ID. The name of the directory service. If this is the first directory service being configured, the Directory Service ID is set to default.

File Name. The name of the key file. When you click Save Changes, the server checks to see if this file exists. If the file does not exist it is created. If the file cannot be created, an error message displays.

Save Changes. Adds the directory service entry to the server_root/userdb/dbswitch.conf file.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.


The LDAP Directory Server Configuration Page

The LDAP Directory Server Configuration page is used to configure LDAP settings for your server.

The following elements are displayed:

Directory Service ID. The name of the directory service. If this is the first directory service being configured, the Directory Service ID is set to default.

Host Name. Specify the name of the LDAP server. You must enter a host name even if the directory server is running on the local machine.

Port No. Specify the port on which the LDAP server runs. If you are going to use SSL with a directory server, then you should enter the port number that the directory server is using for SSL. The standard port for LDAP over SSL is 636.

Use Secure Sockets Layer (SSL) for connections. Specify whether the server should use SSL for communications with the directory server. If you select Yes, then you must also configure the Administration Server to use SSL communications.

Base DN. Specify the distinguished name where directory lookups will occur by default, and where all Administration Server entries will be placed in your directory tree (for example, dc=example.com). A distinguished name (DN) is the string representation for the name of an entry in a directory server.

Bind DN. Specify the distinguished name the Administration Server will use to initially bind (or log in) to the directory server (for example, cn=Directory Manager). Binding determines the permission level you are granted for the duration of a connection. The DN supplied in a bind request can be the DN of an alias entry.

This bind DN only requires read and search access to the directory. Because this DN and its associated password (if any) are easily compromised, it is best to simply leave this field blank and then set up your directory server to allow anonymous search access. If you do not want to allow anonymous search access to your directory, specify a bind DN entry here that has only read and search access to your directory. Do not specify your directory server’s unrestricted user (Root DN) in this field.


Note

This bind DN is used only to initially search for the user name you entered in the Administration Server authentication dialog box. Once the entry corresponding to this user name is located, the Administration Server rebinds to the directory server using the retrieved entry. Therefore, if the user name you specified when you first logged into the Administration Server does not have access to the directory server, you will not have any access to the directory server, regardless of the bind DN information provided in this field.


Bind Password. Specifies the password used for authentication.

Save Changes. Adds the directory service entry to the server_root/userdb/dbswitch.conf file.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.


The Administer Access Control Page

The Administer Access Control page is used to specify access control to the Administration Server. For more information, see "Setting Access Control Globally" in the Proxy Server Administration Guide.


Note

You must configure an administration group and enable distributed administration from The Configure Distributed Administration Page on the Preferences tab before creating access control for the Administration Server.


The following elements are displayed:

For The ACL. From the drop-down list, specify an access control list (ACL) entry.

Go. Click this button to load data.

New ACL. Click this button to create an ACL for the server. If an ACL has already been created, this button will be labeled Edit ACL.


The Access Control Rules For Page

The Access Control Rules For page is divided into two frames that set access control rules. If the resource you chose already has access control, the rules appear in the top frame. For more information, see "Setting Access Control Globally" in the Proxy Server Administration Guide.

The following elements are displayed:

Upper Frame

The upper frame displays access control rules representing each configurable setting as a link. When you click a link, the Lower Frame displays and is used to set the access control rules. The ACL for the Administration Server begins with two non-editable Deny statements by default.

The following elements are displayed in the upper frame:

Action

Specifies whether to deny or allow access to the users, groups, or hosts. For the Administration Server, the first two lines of the access control rules are set to deny everyone except the group admin access to any portion of the Administration Server. To allow access to users and groups outside of the group admin, you must click New Line, make sure that the Access Control Is On checkbox is selected, and create an access control rule. For more information, see "Setting Access Control Globally" in the Proxy Server Administration Guide.

Users/Groups

Allows you to specify user and group authentication when you click the Anyone link. The User/Group lower frame allows you to configure User-Group authentication. By default, no users or groups outside of the group admin can access the Administration Server resources. For more information, see "Specifying Users and Groups" in the Proxy Server Administration Guide.

From Host

Allows you to specify the computers you want to include in the rule when you click the Anyplace link. In the From Host lower frame, you can enter wildcard patterns of host names or IP addresses to allow or deny. For more information, see "Specifying the From Host" in the Proxy Server Administration Guide.

Programs

Allows you to restrict access to areas in the Administration Server when you click the All link. In the Programs lower frame, you can restrict access to all pages for configuring the Administration Server by selecting All Programs. If you want to restrict access to one or more areas, choose the name of the program group in the drop-down list. If you want to restrict access to one page in a tab, enter the name of the page in Program Items. For example, to restrict access to the Access Control List Management page, type distacl in Program Items. For more information, see "Restricting Access to Programs" in the Proxy Server Administration Guide.

Extra

Allows you to specify a customized ACL entry when you click the X link. The Customized Expressions lower frame displays. This is useful if you use the access control API to customize ACLs. For more information, see "Writing Customized Expressions" in the Proxy Server Administration Guide.

Continue

Specifies that the next line in the access control rule chain is evaluated before the server determines if the user is allowed access. When creating multiple lines in an access control entry, work from the most general restrictions to the most specific ones.

Trash Can Icon

Deletes the corresponding line from the access control rules.


Note

Do not delete all ACL rules from the ACL files. At least one ACL file containing at least one ACL rule is required to start the server. If you delete all ACL rules in the ACL files and try to restart the server, you will receive a syntax error.


Access Control Is On

Specifies whether access control is enabled.

New Line

Adds a default ACL rule to the bottom row of the table.

To swap an access control restriction with the access control restriction preceding it, click the up arrow icon. To swap an access control restriction with the access control restriction after it, click the down arrow icon.

Response When Denied

Specifies the response a user sees when denied access. You can create a different message for each access control object by clicking Response When Denied. The Access Deny Response lower frame displays. By default, the user is sent the default Permission Denied message in the admin-denymsg.html file in server_root/httpacl. For more information, see "Responding When Access is Denied" in the Proxy Server Administration Guide.

Submit

Saves your entries.

Revert

Erases your changes and resets the elements in the page to the values that they contained before your changes.

Lower Frame

The lower frame is used to configure access control rules for the ACL in the Upper Frame.

The following elements are displayed in the lower frame:

User/Group

For more information, see "Specifying Users and Groups" in the Proxy Server Administration Guide.

Anyone (No Authentication). Allows everyone access to the resource. No authentication is required.

Authenticated People Only. Allows only authenticated users and groups to access the resource. Choose from the following options:

Prompt For Authentication. Allows you to specify message text that appears in the authentication dialog box. You can use this text to describe what the user needs to enter. Depending on the operating system, the user will see approximately the first 40 characters of the prompt. Most browsers cache the user name and password and associate them with the prompt text. This means that if the user accesses areas (files and directories) of the server that have the same prompt, the user will not have to retype user names and passwords. Conversely, if you want to force users to reauthenticate for various areas, you must change the prompt for the ACL on that resource.

Update. Saves your entries.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.

From Host

For more information, see "Specifying the From Host" in the Proxy Server Administration Guide.

Anyplace. Allows any machine access to the resource.

Only from. Allows you to restrict access based on host names or IP addresses.

Enter wildcard patterns that match the machines’ host names or IP addresses in these fields. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matches all hosts from that domain, such as *.example.com.

Update. Saves your entries.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.

Programs

For more information, see "Restricting Access to Programs" in the Proxy Server Administration Guide.

All Programs. Allows users or groups access to all tabs in the Administration Server or the Server Manager.

Only The Following. Allows the users or groups you have specified to access specific areas of the server. Select the areas from the Program Groups list. You can choose multiple program groups by holding down the Control key and clicking the names. The choices reflect the tabs in either the Administration Server or the Server Manager.

Program Items. Allows you to restrict access to one page in a program group by entering the name of the page in the Program Items field. For more information, see "Restricting Access to Programs" in the Proxy Server Administration Guide.

Update. Saves your entries.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.

Customized Expressions

Customized Expressions. Allows you to enter custom expressions for an ACL in the text box. You can use this feature if you are familiar with the syntax and structure of ACL files. For more information on customized expressions, see "Writing Customized Expressions" and "ACL File Syntax" in the Proxy Server Administration Guide.

Update. Saves your entries.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.

Access Deny Response

Respond With The Default File (redirection off). The default Permission Denied message is sent. This message is found in the admin-denymsg.html file in server_root/httpacl. For more information, see "Responding When Access is Denied" in the Proxy Server Administration Guide.

Respond With The Following File (physical path): (redirection on). Allows you to create a different message for each ACL. Enter the path for the desired file.

Update. Saves your entries.

Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
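As an added illustration (not code from the product or the Administration Guide), the following Python models how a chain of rules like the ones in the upper frame is evaluated: each line's Action, Users/Groups, From Host wildcard, Programs and Continue flag, starting from the two default lines that deny everyone except the group admin, with a From Host pattern and a Program Item of the kind the lower frame accepts. The rule model, the auditors group and the host names are constructed assumptions; the real server evaluates its ACL files, and this only reproduces the ordering and Continue semantics the page describes.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional

# Constructed model of one row in the Access Control Rules table: Action,
# Users/Groups, From Host, Programs and the Continue flag (an assumption of
# this example, not the server's ACL file format).
@dataclass
class AclLine:
    action: str                                                   # "allow" or "deny"
    users: List[str] = field(default_factory=lambda: ["anyone"])  # "anyone" = no authentication
    hosts: List[str] = field(default_factory=lambda: ["*"])       # wildcard host names / IPs
    programs: List[str] = field(default_factory=lambda: ["*"])    # "*" = All Programs
    cont: bool = True                                             # Continue: evaluate the next line too

@dataclass
class Request:
    user: Optional[str]      # None when the client did not authenticate
    groups: List[str]
    host: str                # client host name or IP address
    program: str             # program item being requested, e.g. "distacl"

def matches(line: AclLine, req: Request) -> bool:
    who = ({req.user} | set(req.groups)) if req.user else set()
    user_ok = "anyone" in line.users or bool(who & set(line.users))
    host_ok = any(fnmatch(req.host, p) for p in line.hosts)
    prog_ok = any(fnmatch(req.program, p) for p in line.programs)
    return user_ok and host_ok and prog_ok

def evaluate(chain: List[AclLine], req: Request) -> str:
    """Walk the chain top to bottom. Each matching line sets the decision; if
    its Continue flag is off that decision is final, otherwise later (more
    specific) lines may override it. No match at all is treated as deny."""
    decision = "deny"
    for line in chain:
        if matches(line, req):
            decision = line.action
            if not line.cont:
                break
    return decision

def default_admin_chain() -> List[AclLine]:
    """The two default lines the page describes (deny everyone, then allow the
    group admin), followed by one added line that lets a constructed group
    'auditors' reach only the distacl page from hosts matching *.example.com."""
    return [
        AclLine("deny"),
        AclLine("allow", users=["admin"]),
        AclLine("allow", users=["auditors"], hosts=["*.example.com"], programs=["distacl"]),
    ]

if __name__ == "__main__":
    chain = default_admin_chain()
    print(evaluate(chain, Request("bob", ["auditors"], "ws1.example.com", "distacl")))  # allow
    print(evaluate(chain, Request("bob", ["auditors"], "ws1.other.net", "distacl")))    # deny
    # Placing the specific line before the general deny lets the deny win:
    print(evaluate(list(reversed(chain)), Request("bob", ["auditors"], "ws1.example.com", "distacl")))  # deny
```

The reversed chain at the end is why the page advises working from the most general restrictions to the most specific ones.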


The Set SNMP Master Agent Community Page

A community string is a password that an SNMP agent uses for authentication: a network management station must send it with each message it sends to the agent, and the agent uses it to verify that the station is authorized to get information. Community strings are not concealed when sent in SNMP packets; they are sent as ASCII text. Therefore, you should consider changing the community string on a regular basis. The master agent uses the community string for authentication.

The Set SNMP Master Agent Community page is used to create, edit, and remove communities on your UNIX or Linux server. For more information, see "Configuring the Community String" in the Proxy Server Administration Guide.

The following elements are displayed:

Community. Specify the name of the community you want to create.

Operation. From the drop-down list, specify the permissions for the new community. The following options are available:

New. Click this button to create a new community.

Current Communities. Lists all communities currently defined for the server.
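To show concretely what the page means by community strings travelling unconcealed, here is an added Python example (not code from the product): it decodes a constructed SNMPv2c request and reads the community string straight out of the datagram, the kind of check a defender runs over captured SNMP traffic to find agents still configured with a default string. The packet bytes, the WELL_KNOWN set and the function names are assumptions of this example.

```python
import binascii

# Constructed SNMPv2c GetRequest for sysDescr.0 with community "public",
# hand-encoded in BER (not captured from a real system).
SAMPLE_PACKET = binascii.unhexlify(
    "3026"                      # SEQUENCE, 38 bytes of content
    "020101"                    # INTEGER version = 1 (SNMPv2c; 0 would be SNMPv1)
    "04067075626c6963"          # OCTET STRING community = "public"
    "a019"                      # GetRequest-PDU, 25 bytes of content
    "020101" "020100" "020100"  # request-id, error-status, error-index
    "300e" "300c"               # VarBindList, VarBind
    "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                      # NULL value
)

# Community strings commonly left at their factory defaults; flag them in an audit.
WELL_KNOWN = {"public", "private"}

def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def community_of(packet: bytes):
    """Return (version_name, community) from an SNMPv1/v2c message. Raises
    ValueError for other input, including SNMPv3, whose header differs."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):
        raise ValueError("not SNMPv1/v2c (version %d)" % version)
    tag, comm, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    return ("v1" if version == 0 else "v2c"), comm.decode("ascii")

def audit(packet: bytes) -> dict:
    """Summarise what a passive observer of this datagram learns."""
    version, community = community_of(packet)
    return {"version": version, "community": community,
            "well_known_default": community in WELL_KNOWN}

if __name__ == "__main__":
    print(audit(SAMPLE_PACKET))
    # {'version': 'v2c', 'community': 'public', 'well_known_default': True}
```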


The Set SNMP Master Agent Trap Page

The Set SNMP Master Agent Trap page is used to create, edit, and remove SNMP trap destinations on your UNIX or Linux server. An SNMP trap is a message the SNMP agent sends to a network management station. For example, an SNMP agent would send a trap when an interface’s status has changed from up to down. The SNMP agent must know the address of the network management station so it knows where to send traps. You can configure this trap destination for the SNMP master agent from the Server Status tab in the Server Manager.

For more information, see "Configuring Trap Destinations" in the Proxy Server Administration Guide.

The following elements are displayed:

Manager Station. Specify the name of the system running your network management software.

Trap Port. Specify the port number on which your network management system listens for traps (162 is the well-known port).

With Community. Specify the community string you want to use in the trap.

New. Click this button to create a new SNMP trap destination.

Current Managers. Lists all manager stations defined for the server.


The Control SNMP Master Agent Page

The master SNMP agent exchanges information between the subagent and the network management station. A master agent runs on the same host machine as the subagents it talks to. You can have multiple subagents installed on a host machine. All subagents can communicate with the master agent. The Control SNMP Master Agent page is used to start, stop, or restart the SNMP master agent after installing the SNMP master agent on your UNIX or Linux server.

For more information, see "Installing the SNMP Master Agent" and "Enabling and Starting the SNMP Master Agent" in the Proxy Server Administration Guide.

The following elements are displayed:

Start. Starts the SNMP master agent.

Stop. Stops the SNMP master agent.

Restart. Restarts the SNMP master agent.





  Copyright 2006 Sun Microsystems, Inc. All rights reserved.