
Configuring the AJAX proxy

By default, the IBM® Lotus® Connections AJAX proxy is configured to allow cookies, headers or mime types,
and all HTTP actions to be exchanged among the Lotus® Connections features. However, from any non-Lotus
Connections service, it only allows HTTP GET requests and it prevents all cookies or headers from being directed to
the features. If you want to change the traffic that is allowed from other services, you must explicitly configure it.
This task is not required. Perform it only if you want to allow an external service to do more than retrieve information
from the Lotus® Connections features.
The proxy-config.tpl template file defines rules about which HTTP requests, headers, and cookies are allowed
to be redirected to the Lotus® Connections features. When a Lotus® Connections server is started, it reads information
about the features from the LotusConnections-config.xml file, and, based on the rules defined in the
proxy-config.tpl template file, configures the proxy to be used by any Web browsers or other servers that send requests
to Lotus® Connections.
For example, if you want to allow one feature, such as Home page, to proxy a widget, but not allow any of the other
features to proxy it, you must create a feature-specific version of the proxy-config.tpl file and edit that. See
Configuring the AJAX proxy for a specific feature for more details.
Note: The Search feature provides a Search-specific Ajax proxy configuration file called proxy-search-config.xml.
It is not created from the proxy-config.tpl template file at runtime. See Configuring the Ajax proxy for Search
for more details.
To configure the AJAX proxy, complete the following steps:
1. Access the common AJAX proxy configuration template file:
a) Open a command-line window, start the wsadmin tool, and then use the following commands to check out the
proxy configuration file:
• Stand-alone deployments:
execfile("connectionsConfig.py")
• Network deployments:
execfile("<$WAS_HOME>/profiles/<DMGR>/config/bin_lc_admin/connectionsConfig.py")
b) Check out the configuration file using the following command:
LCConfigService.checkOutProxyConfig("<temp_directory>", "<cell_name>")
where <temp_directory> is a temporary directory of your choice, and <cell_name> is the name of the cell
where the Lotus Connections feature that uses the global proxy template file is located.
2. From the temporary directory to which you checked out the configuration files, open the proxy-config.tpl
file in a text editor.
3. Make your edits. For example, you can do the following things:
• To explicitly refuse all traffic from a specific site, add a policy as follows:
<proxy:policy url="malicious.site.com" acf="none">
  <proxy:actions/>
  <proxy:headers/>
  <proxy:cookies/>
</proxy:policy>
• To allow a particular service on your network to display a custom widget, you can add the following policy
entry to the file:
<proxy:policy url="http://my.network.com/widget/*" acf="none">
  <proxy:actions>
    <proxy:method>GET</proxy:method>
  </proxy:actions>
  <proxy:headers>
    <proxy:header>User-Agent</proxy:header>
    <proxy:header>Accept.*</proxy:header>
    <proxy:header>Content.*</proxy:header>
    <proxy:header>Authorization.*</proxy:header>
    <proxy:header>If-.*</proxy:header>
    <proxy:header>Pragma</proxy:header>
    <proxy:header>Cache-Control</proxy:header>
  </proxy:headers>
  <proxy:cookies>
    <proxy:cookie>JSESSIONID</proxy:cookie>
  </proxy:cookies>
</proxy:policy>
• If a service requires authentication, you can configure it to also allow basic authentication requests by adding a
basic-auth-support="true" attribute to the <proxy:policy> element. For example:
<proxy:policy
    url="http://my.network.com/service/*"
    acf="none"
    basic-auth-support="true">
  ...
</proxy:policy>
If this attribute is not added, when an unauthenticated request is sent to a service that requires authentication,
the service does not display the basic authentication dialog, but returns an HTTP 403 status code instead.
• To allow a particular service to run on your network and to pass cookies for LTPA tokens to the features:
<proxy:policy url="http://my.network.com/service/*" acf="none">
  <proxy:actions>
    <proxy:method>GET</proxy:method>
  </proxy:actions>
  <proxy:headers>
    <proxy:header>User-Agent</proxy:header>
    <proxy:header>Accept.*</proxy:header>
    <proxy:header>Content.*</proxy:header>
    <proxy:header>Authorization.*</proxy:header>
    <proxy:header>If-.*</proxy:header>
    <proxy:header>Pragma</proxy:header>
    <proxy:header>Cache-Control</proxy:header>
  </proxy:headers>
  <proxy:cookies>
    <proxy:cookie>JSESSIONID</proxy:cookie>
    <proxy:cookie>LtpaToken</proxy:cookie>
    <proxy:cookie>LtpaToken2</proxy:cookie>
  </proxy:cookies>
</proxy:policy>
Note: Specify the headers using regular expressions.
4. Add any new policy blocks before the default policy setting in the template file. The default policy setting serves
as a catch-all for all other requests and looks like this:
<proxy:policy url="*" acf="none">
  <proxy:actions>
    <proxy:method>GET</proxy:method>
  </proxy:actions>
  <proxy:headers/>
  <proxy:cookies/>
</proxy:policy>
By default, it allows all services to send GET requests to the Lotus® Connections features, and it prevents all
cookies or headers from being directed to the features.
5. Specify values for the following proxy configuration properties:
circular_redirects
    Specifies that circular redirects are allowed. This property accepts a Boolean value of true or false
    specified in lower-case letters. If set to true, it supports using a proxy for a site that redirects to
    the same URL but with different parameters. Such a change is not recognized as a new URL. The default
    value of this property is true.
connection-timeout
    Amount of time before an attempt to connect to a host times out. Specified in milliseconds, the default
    value of this property is 60,000, which is 1 minute.
max_circular_redirects
    Maximum number of times a circular redirect is allowed before the proxy rejects it. Specified as an
    integer, the default value of this property is 100.
maxconnectionsperhost
    Maximum number of simultaneous connections between the proxy and a given host. Specified as an integer,
    the default value of this property is 20.
maxtotalconnections
    Maximum number of simultaneous connections between the proxy and all of the hosts together. Specified as
    an integer, the default value of this property is 50.
socket-timeout
    Amount of time before an attempt to use a socket times out. Specified in milliseconds, the default value
    of this property is 60,000, which is 1 minute.
unsigned_ssl_certificate_support
    Specifies that self-signed SSL certificates are supported. This property accepts a Boolean value of true
    or false specified in lower-case letters. The default value of this property is true. Change it to false
    when the system is ready for production.
6. Save and close the file.
7. Check in the proxy-config.tpl file during the same session in which you checked it out. Use the following
command to check the file in:
LCConfigService.checkInProxyConfig("<temp_directory>", "<cell_name>")
where <temp_directory> is the temporary directory to which you checked out the configuration files, and
<cell_name> is the name of the cell where the feature that uses the common proxy-config.tpl file is located.
8. Restart the application server hosting Lotus® Connections.
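
Step 4 implies that the first policy whose url matches a request is the one applied, so a block placed after the catch-all never takes effect. The following is an added review script, not part of the IBM documentation or product, that parses a constructed template and flags such shadowed policies as well as policies that forward session cookies or Authorization headers to an http:// URL. The root element, the namespace URI, glob-style url matching and full-match header regular expressions are assumptions.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample; root element and namespace URI are placeholders.
SAMPLE = """<proxy:rules xmlns:proxy="urn:example:placeholder">
 <proxy:policy url="*" acf="none">
  <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  <proxy:headers/><proxy:cookies/>
 </proxy:policy>
 <proxy:policy url="http://my.network.com/service/*" acf="none">
  <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  <proxy:headers><proxy:header>Authorization.*</proxy:header></proxy:headers>
  <proxy:cookies><proxy:cookie>LtpaToken2</proxy:cookie></proxy:cookies>
 </proxy:policy>
</proxy:rules>"""
SESSION_COOKIES = {"JSESSIONID", "LtpaToken", "LtpaToken2"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def load_policies(xml_text):
    policies = []  # kept in document order, because order decides which one applies
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "policy":
            def texts(name, el=el):
                return [c.text.strip() for c in el.iter()
                        if _local(c.tag) == name and c.text]
            policies.append({"url": el.get("url"), "methods": texts("method"),
                             "headers": texts("header"), "cookies": texts("cookie")})
    return policies

def first_match(policies, url):
    # Assumption: first matching policy wins and "*" in url is a glob wildcard.
    return next((p for p in policies if fnmatch.fnmatchcase(url, p["url"])), None)

def audit(policies):
    """Flag shadowed policies and credentials forwarded over plain HTTP."""
    findings = []
    catch_all = next((i for i, p in enumerate(policies) if p["url"] == "*"), len(policies))
    for i, p in enumerate(policies):
        if i > catch_all:
            findings.append((p["url"], "after catch-all, never reached"))
        creds = sorted(SESSION_COOKIES & set(p["cookies"]))
        if any(re.fullmatch(h, "Authorization", re.I) for h in p["headers"]):
            creds.append("Authorization header")
        if creds and p["url"].startswith("http://"):
            findings.append((p["url"], "forwards over HTTP: " + ", ".join(creds)))
    return findings
```

Run `audit(load_policies(...))` on the checked-out proxy-config.tpl before step 7; with the sample above, `first_match` shows that a request to the service URL falls through to the catch-all and forwards no cookies.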
