Chapter 5. WAF Configuration

5.1. Configuration Following Installation

Configuration for WAF is very straightforward. There is a single configuration file, /etc/ccm-core.cfg, which handles configurations for the WAF core application. Understanding this file and how it works is the key to success. If you have used WAF in the past and are familiar with this file, please take the time to review it again for changes. Configuration variables are not necessarily consistent across versions.

The configuration file is relatively straightforward and self-explanatory. Some of the items it handles are:

It is very important to consider and test your configuration, both for the initial installation and subsequent changes. Because of the central role of this configuration file, it is one location where a single character out of place could disable the entire application.

Tip

Once you have tested and completed your initial configuration file, you can check it into a source and revision control system (such as RCS or CVS) along with the installation file you used (RPM or ZIP). If you ever need to recreate your WAF installation from scratch, these files are most of what you need.

Tip

If your system consists of a single instance of WAF with no cache peers, leave the caching cachePeers parameter blank. For single instances of CMS you can also leave publishToFile server, thisServer, and publishSource parameters blank. Any reference to a host which cannot be resolved may cause serious memory leaks.

Here is a list of the prompts and values in a typical configuration file (your configuration file may have different values depending on the specific RPM/ZIP that you are using):

| Parameter | Description | Sample Value |
| --- | --- | --- |
| servlet-container | Name of a servlet container. | tomcat4 |
| servlet-webxml | Determines which web.xml file to use. | servlet23 |
| app-home | Home directory of your application. | /var/www/ccm-core |
| runtime-home | Home directory of the runtime. | /usr/share/ccm-core |
| tomcat-home | The home of your Tomcat installation. | /usr/share/tomcat |
| user | The user that the servlet process will run as. | servlet |
| group | The group that the servlet process will run as. | servlet |
| java-home | $JAVA_HOME for this server. | /opt/IBMJava2-131 |
| jre-args | Arguments to be passed to the JRE, e.g., stack size. | |
| http-port | The port that Tomcat will listen on for HTTP requests. | 8000 |
| shutdown-port | The port that Tomcat will listen on for shutdown requests. | 8005 |
| admin-answer | The answer to the question the administrator would be asked if they forgot their password. | 6 |
| admin-email | Site administrator's email address. | [email protected] |
| admin-forename | Administrator's first name. | Administrator |
| admin-password | Administrator password. | 123456 |
| admin-question | Question the administrator will be asked if their password is forgotten. | 12345? |
| admin-screenname | Used if screen name/username authentication is used instead of email address. | JaneDoeAdmin |
| admin-surname | Administrator's last name. | Doe |
| cache-expiry | How long to cache pages, in seconds. | 259200 |
| caching-active | Is caching on or off. | yes |
| db-pass | Password to access the database schema. | dbpassword |
| db-pool | Number of connections to hold open. | 100 |
| db-user | Username to access the database schema. | dbuser |
| debug-mode | Enable debugging. Make sure this is false for production instances. | false |
| developer-support | Enable developer support for debugging. Make sure this is false for production instances. | false |
| front-page | URL for registration page. Do not change this unless you have a custom registration page. | register/ |
| hostname | Hostname of the server. | ccm.example.com |
| jdbc-url | The JDBC URL to access the database. You can also use a tnsnames.ora entry immediately after the @ symbol. | jdbc:oracle:oci8:@(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost )(PORT = 1521 )))(CONNECT_DATA = (SERVICE_NAME = oracle ) (SRVR = DEDICATED))) |
| log-dir | Logfiles directory. This must be created during installation or the server will not start. | /var/log/projectname |
| log-level | Choices are debug, info, warn, error, fatal; use fatal for production. | fatal |
| log-size | Log file size before it gets rolled over, measured in bytes. | 1000000 |
| permissionsDMLChecking | Automatically enforce permissions for all DML (save, delete, update) operations? | true |
| sitename | Set to what you want to appear on the login page of the site. | Web Application Framework |
| smtp-host | Set to this server's SMTP host. | localhost |
| state-dir | This directory is used by the security initializer. It must be writable by the servlet container process, and must exist for WAF to start. | /var/www/ccm-core/lib |
| xslt-engine | Which XSLT engine should we use? We recommend Saxon in production. | Saxon |
| xslt-timeout | This is measured in seconds, and defines how often the file system is checked for changes in the XSL stylesheets. [a] | 60000 |
Notes:
a. On a production system, this number should be higher to prevent the system from needlessly checking for new stylesheets. A development, pre-production or testing system might use a lower value, especially where new stylesheets are being tested but the WAF services are not going to be restarted.

Table 5-1. Configuration Values
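
The production constraints stated in Table 5-1 can be checked mechanically before a configuration is deployed or checked into revision control. The script below is an added example, not part of WAF or of the original documentation; it assumes the file uses `name = value` lines with `#` comments, which this chapter does not specify, and the function names `parse_cfg` and `audit` are hypothetical.

```python
import os
import stat

# Constructed sample; the "name = value" syntax is an assumption.
SAMPLE_CFG = """\
admin-password = 123456
db-pass = dbpassword
debug-mode = true
developer-support = false
log-level = debug
log-dir = /nonexistent/projectname
"""

# Sample secrets printed in Table 5-1; a live system should not keep them.
DOC_SAMPLES = {"admin-password": "123456", "db-pass": "dbpassword"}


def parse_cfg(text):
    """Parse 'name = value' lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            # Split on the first '=' only: jdbc-url values contain '='.
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, path=None):
    """Return findings for the constraints stated in Table 5-1."""
    findings = []
    for key in ("debug-mode", "developer-support"):
        if key in cfg and cfg[key].lower() != "false":
            findings.append(f"{key} must be false for production")
    if "log-level" in cfg and cfg["log-level"].lower() != "fatal":
        findings.append("log-level should be fatal for production")
    for key, sample in DOC_SAMPLES.items():
        if cfg.get(key) == sample:
            findings.append(f"{key} still has the documentation sample value")
    for key in ("log-dir", "state-dir"):
        if key in cfg and not os.path.isdir(cfg[key]):
            findings.append(f"{key} does not exist: {cfg[key]}")
    # The file stores db-pass and admin-password in clear text.
    if path and os.stat(path).st_mode & stat.S_IROTH:
        findings.append(f"{path} is world-readable")
    return findings
```

To check a real installation, pass the file's contents to `parse_cfg` and give `audit` the file path as its second argument so the permission check runs as well.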