plugin-cfg.xml file

The plugin-cfg.xml file contains configuration information that determines how the web server plug-in forwards requests.

WebSphere Application Server

You can create two types of plugin-cfg.xml files: application-centric and topology-centric.

Deprecated feature: Topology-centric, also called global, configuration is deprecated. Use application-centric configuration when you configure a new web server plug-in, and consider reconfiguring existing topology-centric configurations to use application-centric configuration instead. For more information, see Implementing a web server plug-in.

An application-centric file has an application that is mapped to both web server and application server definitions. Changes that you make to the plug-in by using the administrative console persist to the plugin-cfg.xml file upon generation.

A topology-centric file represents everything that is defined in the environment. Typically, this plugin-cfg.xml file is used when you do not have web servers defined. Consider the following rules when you want to update a topology-centric plugin-cfg.xml file:
  • If the plugin-cfg.xml file exists within the app_server_root\dmgr\cells directory, the plug-in generation process ignores the updated values from the Web server plug-in properties page of the administrative console and uses the existing values within the XML file. In this case, you must manually update the XML file for those values to persist.
  • If the plugin-cfg.xml file does not exist within the app_server_root\dmgr\cells directory, the plug-in generation process creates the plugin-cfg.xml file. The process persists the latest values that are set on the Web server plug-in properties page in the administrative console.
The design of this file and its related function enable the product to support different types of configurations. For example, web server definitions might not exist. In addition, many web server plug-in properties, such as RefreshInterval, LogLevel, and the Edge Side Include (ESI) processor properties, can be updated manually only. Those values must be maintained through each iteration.

Use the administrative console to set these properties for each web server definition. Any manual changes you make to the plug-in configuration file for each web server are overridden whenever the file is regenerated.

Deprecated feature: Topology-centric, or global, plug-in configuration is deprecated. New features are not supported when using topology-centric generation and topology-centric plug-in configuration support may be removed in the future. Configurations should be migrated to application-centric as described in Implementing a web server plug-in.

When using a topology-centric configuration, custom properties may need to be added manually to the generated plugin-cfg.xml. Generation will not modify existing values in plugin-cfg.xml. To generate a new configuration without existing modifications, the file config/cells/plugin-cfg.xml must be removed prior to global plug-in configuration generation.

When working with an existing topology-centric configuration, you can update the global plugin-cfg.xml file using the administrative console or running the GenPluginCfg command for all of the clusters in a cell. However, you must delete the config/cells/plugin-cfg.xml file before you update the global plugin-cfg.xml file. Be aware that if you do not delete the config/cells/plugin-cfg.xml file, only the new properties and their values are added to the global plugin-cfg.xml file. Any updates to existing plug-in property values are not added to the global plugin-cfg.xml file.

Note: Because the GenPluginCfg command runs within its own Java™ virtual machine (JVM) instead of the WebSphere® Application Server JVM, the command might not be able to access other class files. If you encounter this problem when you run the GenPluginCfg command, you can instead run the httpPluginManagement.py script to generate application-centric plug-in configuration. This script uses wsadmin to initiate the plug-in generation. For more information, see httpPluginManagement.py script.

Elements and attributes

The plugin-cfg.xml file includes the following elements and attributes. Unless indicated otherwise, you can specify each element and attribute only once within the plugin-cfg.xml file. The Config element is required.

Config

This element, which is required, starts the HTTP plug-in configuration file.

IgnoreDNSFailures
Specifies whether the plug-in ignores DNS failures within a configuration when starting. When set to true, the plug-in ignores DNS failures within a configuration and starts successfully if at least one server in each server cluster is able to resolve the host name. Any server for which the host name cannot be resolved is marked unavailable for the life of the configuration. No attempts to resolve the host name are made during the routing of requests. If a DNS failure occurs, a log message is written to the plug-in log file, and the plug-in initialization continues rather than causing the web server not to start. The default value is false, meaning DNS failures cause the web server not to start.
RefreshInterval
Specifies the time interval, in seconds, at which the plug-in checks the configuration file to see if updates or changes have occurred. The plug-in checks the file for any modifications that have occurred since the last time the plug-in configuration was loaded.
In a development environment in which changes are frequent, a setting smaller than the default setting of 60 is preferable. In production, a higher value than the default is preferable because updates to the configuration do not occur so often. If the plug-in reload fails for some reason, a message is written to the plug-in log file and the previous configuration is used until the plug-in configuration file successfully reloads. If you are not seeing the changes you made to your plug-in configuration, check the plug-in log file for indications of the problem.
Note: Also, on Microsoft, UNIX, and Linux® platforms, you can disable automatic reload by setting RefreshInterval to -1 in plugin-cfg.xml.
request503Retry
Specifies a limit for the number of times the HTTP plug-in retries a request that got a 503 response from the application server. The default value, -1, sets no additional limits, and the request is retried once for each server in the cluster until a response is received. A value of 0 indicates that there are no retries. The number of retries is always less than or equal to the number of servers in the cluster, regardless of the value set for this property.
Set this property using the administrative console.
  • Go to Clusters > [your cluster] > cluster members > [1st member] > Administration > Custom Properties
  • Add the property 'PLG.Cluster.requesst503Retry' with the integer value that you want (-1, 0, or the number of members to try).
RelayServer
Specifies whether the plug-in reuses a connection from a different client. The default value, false, means that the plug-in does not reuse a connection from a different client. A value of true means that the plug-in reuses a connection from a different client.
ASDisableNagle
Specifies whether to disable the Nagle algorithm for the connection between the plug-in and the application server. By default, the Nagle algorithm is enabled.

The value can be true or false.

IISDisableNagle
Specifies whether to disable the Nagle algorithm on Microsoft Internet Information Services (IIS). By default, the Nagle algorithm is enabled.

The value can be true or false.

VHostMatchingCompat
Specifies that the port number is to be used for virtual host matching. Specify one of the following values:
  • true if matching is to be done physically by using the port number for which the request was received.
  • false if matching is to be done logically by using the port number contained in the host header.

The default value is false.

AppServerPortPreference
Specifies which port number the application server uses to build URIs for a sendRedirect() method. The following values can be specified:
  • hostHeader if the port number from the host header of the HTTP request coming in is to be used.
  • webserverPort if the port number on which the web server received the request is to be used.

The default value is hostHeader.

ResponseChunkSize
Specifies the maximum chunk size to use when reading the response body. For example, specify <Config ResponseChunkSize="N">, where N equals the chunk size in kilobytes.

The plug-in reads the response body in 64 K chunks until all of the response data is read. This approach causes a performance problem for requests whose response body contains large amounts of data.

If the content length of the response body is unknown, a buffer size of N KBs is allocated and the body is read in N KB size chunks, until the entire body is read. If the content length is known, then a buffer size of either content length or N (whichever is less) is used to read the response body.

The default chunk size is 64 K.

AcceptAllContent
Specifies whether users can include content in POST, PUT, GET, and HEAD requests when a Content-Length or Transfer-encoding header is contained in the request header. You can specify one of the following values for this attribute:
  • True if content is expected and read for all requests
  • False if content is only expected and read for POST and PUT requests.

The default value is True.

ChunkedResponse
Specifies whether the plug-in must chunk the response to the client when a Transfer-Encoding: Chunked response header is present in the response.

This attribute applies to the IIS, Oracle iPlanet, and Lotus® Domino® web servers only. The IBM® HTTP Server automatically handles the chunking of the response to the client.

You can specify one of the following values for this attribute:

  • true if the plug-in is to chunk the response to the client when a Transfer-Encoding: Chunked response header is present in the response.
  • false if the response is not to be chunked.

The default value is false.

ESIEnableToPassCookies
Specifies whether to allow forwarding of session cookies to WebSphere Application Server when processing ESI include requests. If the value is set to true, this custom property is enabled. If the value is set to false, the custom property is disabled. By default, the value is set to false.
ESICacheidFull
When this property is set to true, the plug-in calculates the cache ID from both the virtual host and the URI instead of from the request URI only. Setting this property means that the plug-in does not have a cache hit when it handles http://vhost2/URI. The request is forwarded to the application server and gets the correct response.
GetDWLMTable
Specifies whether to allow a newly created plug-in process to proactively request a partition table from WebSphere Application Server before it handles any HTTP requests. This custom property is used only when memory-to-memory session management is configured. If the value is set to true, this custom property is enabled. If the value is set to false, the custom property is disabled. By default, the value is set to false.
Avoid trouble: If memory-to-memory session management, or replication, is enabled in WebSphere Application Server, then the GetDWLMTable setting in the plug-in configuration must be changed to true. Memory-to-memory session management uses partition IDs rather than clone IDs. When GetDWLMTable is set to false, which is the default, broken session affinity can occur.
[IBM i] OS400ConvertQueryStringToJobCCSID
[IBM i] Specifies whether the query string for an HTTP request is converted to the Code Page of the IBM HTTP Server Job or EBCDIC Code Page 37 for internal processing. The default value is false, which causes the query string to be converted to EBCDIC Code Page 37.
TrustedProxyEnable

Permits the web server plug-in to interface with the proxy servers and load balancers that are listed for the TrustedProxyList custom property. When this property is set to true, the proxy servers and load balancers in this trusted proxy list can set values for the $WSRA and $WSRH internal headers. The $WSRA internal header is the IP address of the remote host, which is typically the browser, or an internal address that is obtained by Network Address Translation (NAT). The $WSRH internal header is the host name of the remote host. This header information enables the web server plug-in to interface with that specific proxy server or load balancer.

When you use this custom property, you must also use the TrustedProxyList custom property to specify a list of trusted proxy servers and load balancers. Also, you must clear the Remove special headers check box on the Request Routing panel within the administrative console. For more information, see the documentation on web server plug-in request routing properties.

TrustedProxyList

Specifies a comma-delimited list of all proxy servers or load balancers that have permission to interface with this web server plug-in. You must use this property with the TrustedProxyEnable=true custom property setting. If the TrustedProxyEnable custom property is set to false, this list is ignored.

SSLConsolidate

Specifies whether the web server plug-in is to compare the setup of each new SSL transport with the setup of other SSL transports that are already defined in the configuration file. When you set this property to true, and the plug-in determines that the keyring and CertLabel values specified for the new SSL transport match the values specified for an already defined SSL transport, the plug-in uses the existing SSL environment instead of creating a new SSL environment. Creating fewer SSL environments means that the plug-in requires less memory, and the plug-in initialization time decreases, thus optimizing your overall GSkit environment.

[AIX Solaris HP-UX Linux Windows] SSLPKCSDriver

Specifies the fully qualified name of the loadable module that interfaces with an optional SSL co-processor. The fully qualified name must include the directory path and the module name.

[AIX Solaris HP-UX Linux Windows] SSLPKCSPassword

Specifies the password for the SSL co-processor with which the module, specified for the SSLPKCSDriver custom property, is interfacing.

[AIX Solaris HP-UX Linux Windows] If you are using an IBM HTTP Server, you can use the sslstash program to create a file that contains this password. In this situation, you can specify the fully qualified name of that file, instead of the actual password, as the value for this custom property.

Log

Describes the location and level of log messages that are written by the plug-in. If a log element is not specified within the configuration file, then, in some cases, log messages are written to the web server error log.

For example, you might specify the following line of code:

[AIX Solaris HP-UX Linux Windows][IBM i]
<Log LogLevel="Error" Name="/opt/WebSphere/AppServer60/logs/http_plugin.log"/>
[z/OS]
<Log LogLevel="Error" Name="/log_directory/file_name"/>
  • Name

    Specifies the fully qualified path to the log file to which the plug-in writes error messages. Specify exactly one attribute for each log.

    [AIX Solaris HP-UX Linux Windows][IBM i]If the file does not exist, then one is created. If the file exists, then it is opened in append mode, and the previous plug-in log messages remain.

    [z/OS]Note: A date and time stamp, and the process ID are no longer appended to the name you specify for the plug-in log file beginning with version 7. Therefore, a single web server plug-in log file is created instead of multiple log files that are distinguished by date.
  • LogLevel

    Specifies the level of detail of the log messages that the plug-in writes to the log. Specify zero or one of the following values for each log.

    Log Level Value   Log Level Description
    Trace             All of the steps in the request process are logged in detail.
    Stats             The server selected for each request and other load balancing information relating to request handling is logged.
    Warn              All warning and error messages resulting from abnormal request processing are logged.
    Error             Only error messages resulting from abnormal request processing are logged.
    Debug             All of the critical steps performed in processing requests are logged.
    Detail            All of the information about requests and responses is logged.

    If a LogLevel value is not specified for the Log element, the default value, Error, is used.

    [AIX Solaris HP-UX Linux Windows][IBM i]
    Note: Be careful when setting the level to Trace. Multiple messages are logged at this level, which can consume disk space quickly. Do not use a Trace setting in a normally functioning environment because it adversely affects performance.
    [z/OS]
    Note: Be careful when setting the level to Trace. Multiple messages are logged at this level, which can consume the file system quickly. Do not use a Trace setting in a normally functioning environment because it adversely affects performance.

ESI

Property Name="esiEnable" Value="true/false"
Enables or disables the Edge Side Include (ESI) processor. If the ESI processor is disabled, the other ESI elements in this file are ignored.

You can set Value to true or false. By default, the ESI processor is enabled with its value set to true.

Property Name="esiMaxCacheSize" Value="integer"
Specifies, in 1 KB units, the maximum size of the cache. The default maximum size of the cache is 1024 KB (1 MB). If the cache is full, the first entry deleted from the cache is the entry that is closest to its expiration time.
Property Name="ESIInvalidationMonitor" Value="true/false"
Specifies whether the ESI processor receives invalidations from the application server.

You can set Value to true or false. By default, this property is set to false.

Property Name="FIPSEnable" Value="true/false"
Specifies whether the Federal Information Processing Standard (FIPS) is enabled for making Secure Sockets Layer (SSL) connections to the application server. Set this property to true, if FIPS is enabled on the application server.

You can set Value to true or false. By default, this property is set to false.

Property Name="PluginInstallRoot" Value="C:\IBM\WebSphere\Plugins"
Specifies the installation path for the plug-in. This property is mandatory if using the Global Security Kit (GSKit) because WebSphere Application Server supports the local installation of the GSKit instead of a global installation. The attribute value is set to a fully qualified path to the plug-in installation root.

Supported names recognized by the transport are keyring, stashfile, and password. By default, this property is set to none.

ServerCluster

Specifies a group of servers that are generally configured to service the same types of requests. Specify one or more clusters for each configuration.

In the simplest case, the cluster contains only one server definition. In the case in which more than one server is defined, the plug-in load balances across the defined servers by using either a Round-Robin or a Random algorithm. The default algorithm is Round-Robin.

The following code is an example of a ServerCluster element.

[AIX Solaris HP-UX Linux Windows][IBM i]
<ServerCluster Name="Servers">
<ClusterAddress Name="ClusterAddr">
<Transport Hostname="192.168.1.2" Port="9080" Protocol="HTTP"/>
<Transport Hostname="192.168.1.2" Port="9443" Protocol="HTTPS">
<Property Name="Keyring" value="c:/WebSphere/AppServer/keys/keyring.kdb"/>
<Property Name="Stashfile" value="c:/WebSphere/AppServer/keys/keyring.sth"/>
</Transport>
</ClusterAddress>
<Server Name="Server1">
<Transport Hostname="192.168.1.3" Port="9080" Protocol="HTTP"/>
<Transport Hostname="192.168.1.3" Port="9443" Protocol="HTTPS">
<Property Name="Keyring" value="c:/WebSphere/AppServer/keys/keyring.kdb"/>
<Property Name="Stashfile" value="c:/WebSphere/AppServer/keys/keyring.sth"/>
</Transport>
</Server>
<Server Name="Server2">
<Transport Hostname="192.168.1.4" Port="9080" Protocol="HTTP"/>
<Transport Hostname="192.168.1.4" Port="9443" Protocol="HTTPS">
<Property Name="Keyring" value="c:/WebSphere/AppServer/keys/keyring.kdb"/>
<Property Name="Stashfile" value="c:/WebSphere/AppServer/keys/keyring.sth"/>
</Transport>
</Server>
<Server Name="Server3">
<Transport Hostname="192.168.1.5" Port="9080" Protocol="HTTP"/>
<Transport Hostname="192.168.1.5" Port="9443" Protocol="HTTPS">
<Property Name="Keyring" value="c:/WebSphere/AppServer/keys/keyring.kdb"/>
<Property Name="Stashfile" value="c:/WebSphere/AppServer/keys/keyring.sth"/>
</Transport>
</Server>
<PrimaryServers>
<Server Name="Server1"/>
<Server Name="Server2"/>
</PrimaryServers>
<BackupServers>
<Server Name="Server3"/>
</BackupServers>
</ServerCluster>
[z/OS]
<ServerCluster CloneSeparatorChange="false"
        LoadBalance="Round-Robin" Name="Cluster1"
        PostSizeLimit="10000000" RemoveSpecialHeaders="true" 
        RetryInterval="60">
<Server
CloneID="BA36BEC1EB243D8B000000E4000000030926301B"
            ConnectTimeout="0" ExtendedHandshake="false"
            LoadBalanceWeight="2" MaxConnections="0"
            Name="SY1_ClusterMember1" WaitForContinue="false">
<Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="9084" Protocol="http"/>
<Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="0" Protocol="https">
<Property Name="Keyring" value="safkeyring:///mzjring1/"/>
<Property Name="Stashfile" value=""/>
<Property Name="certLabel" Value="selfsigned"/>
</Transport>
</Server>
<Server CloneID="BA36BED017FDF40E000000E4000000030926301B"
            ConnectTimeout="0" ExtendedHandshake="false"
            LoadBalanceWeight="2" MaxConnections="0"
            Name="SY1_ClusterMember2" WaitForContinue="false">
<Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="9085" Protocol="http"/>
<Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="0" Protocol="https">
<Property Name="Keyring" value="safkeyring:///mzjring1/"/>
<Property Name="Stashfile" value=""/>
<Property Name="certLabel" Value="selfsigned"/>
</Transport>
</Server>
<PrimaryServers>
<Server Name="SY1_ClusterMember1"/>
<Server Name="SY1_ClusterMember2"/>
</PrimaryServers>
</ServerCluster>
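
The attributes shown in the ServerCluster examples above can be checked mechanically before a regenerated file is deployed. The following Python code is an added example, not IBM code: it parses a constructed plugin-cfg.xml and reports settings that this page describes as risky or invalid (RemoveSpecialHeaders set to false, no PostSizeLimit, a LoadBalanceWeight outside 0 to 20, an HTTPS transport without keyring material, a Trace log level, and PrimaryServers or BackupServers entries that name an undefined server). The sample XML, host names, key paths, and finding messages are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample with deliberately weak settings. Host names, server
# names and key paths are made up for this example.
SAMPLE = """<Config>
  <Log LogLevel="Trace" Name="/opt/plugin/logs/http_plugin.log"/>
  <ServerCluster Name="Cluster1" LoadBalance="Round-Robin" RemoveSpecialHeaders="false">
    <Server Name="Server1" LoadBalanceWeight="25">
      <Transport Hostname="app1.example.com" Port="9443" Protocol="https">
        <Property Name="Keyring" value="/opt/plugin/keys/keyring.kdb"/>
      </Transport>
    </Server>
    <Server Name="Server2" LoadBalanceWeight="2">
      <Transport Hostname="app2.example.com" Port="9443" Protocol="https">
        <Property name="keyring" value="safkeyring:///SAF_keyring_name"/>
        <Property Name="stashfile" value=""/>
      </Transport>
    </Server>
    <PrimaryServers><Server Name="Server1"/></PrimaryServers>
    <BackupServers><Server Name="Server3"/></BackupServers>
  </ServerCluster>
</Config>"""


def attr(element, name, default=None):
    """Case-insensitive attribute lookup; the page's samples mix Name/name and value/Value."""
    for key, value in element.attrib.items():
        if key.lower() == name.lower():
            return value
    return default


def transport_findings(where, transport):
    """An HTTPS transport needs a keyring, plus a stashfile or password unless the keyring is SAF."""
    if (attr(transport, "Protocol") or "").lower() != "https":
        return []
    props = {(attr(p, "Name") or "").lower(): attr(p, "value", "")
             for p in transport.findall("Property")}
    keyring = props.get("keyring", "")
    if not keyring:
        return [f"{where}: HTTPS transport has no keyring property"]
    if keyring.startswith("safkeyring:"):
        return []  # SAF keyring: the stashfile value is empty by design
    if not (props.get("stashfile") or props.get("password")):
        return [f"{where}: kdb keyring without a stashfile or password property"]
    return []


def audit(xml_text):
    """Return a list of findings for one plugin-cfg.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for log in root.iter("Log"):
        # Error is the documented default when LogLevel is absent.
        if (attr(log, "LogLevel") or "Error").lower() == "trace":
            findings.append("Log: LogLevel is Trace")
    for cluster in root.iter("ServerCluster"):
        cname = attr(cluster, "Name", "?")
        if (attr(cluster, "RemoveSpecialHeaders") or "true").lower() == "false":
            findings.append(f"{cname}: RemoveSpecialHeaders is false")
        # -1 is the documented default and means no limit on request content.
        if attr(cluster, "PostSizeLimit", "-1").strip() == "-1":
            findings.append(f"{cname}: PostSizeLimit is unlimited")
        defined = set()
        for server in cluster.findall("Server"):
            sname = attr(server, "Name", "?")
            defined.add(sname)
            weight = attr(server, "LoadBalanceWeight")
            if weight is not None and not (weight.strip().isdigit() and int(weight) <= 20):
                findings.append(f"{cname}/{sname}: LoadBalanceWeight {weight} outside 0-20")
            for transport in server.findall("Transport"):
                findings += transport_findings(f"{cname}/{sname}", transport)
        for group in ("PrimaryServers", "BackupServers"):
            for ref in cluster.findall(f"{group}/Server"):
                if attr(ref, "Name") not in defined:
                    findings.append(
                        f"{cname}: {group} names undefined server {attr(ref, 'Name')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
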
[z/OS] For transitioning users: The web server plug-in for the IBM HTTP Server for z/OS®, Version 5.3, uses an SSL interface that is different from the SSL interface that was used in versions of this plug-in prior to version 7. The SSL connections between the plug-in for the IBM HTTP Server for z/OS, Version 5.3 and an application server now work the same way as the SSL connections between an IBM HTTP Server powered by Apache and an application server. The values specified for the keyring and stashfile elements in the plugin-cfg.xml file are no longer ignored and are not affected by the SSL environment that is set up in the IBM HTTP Server for z/OS, Version 5.3.

The z/OS PTF UK35083 package includes the SSL interface change for the z/OS HTTP Server, Version 5.3, that corresponds to this web server plug-in change. Therefore, you must apply this PTF to your system before the new web server plug-in SSL interface can function properly.

You must also include the SSLMODE=MULTI option in the httpd.conf file for the IBM HTTP Server for z/OS, Version 5.3. The SSLMODE=ON option is not supported in Version 7.0 or higher.

If the SSLMode multi option is not specified in the httpd.conf file, or if you do not have the z/OS PTF UK35083 package applied to your system, you might receive error message IMW0584W. This message indicates that the SSL mode, which is specified for the HTTP Server, is not compatible with the SSL mode for the web server plug-in that is used with the IBM HTTP Server for z/OS, Version 5.3. In either of these situations, unpredictable results might occur.

For the web server plug-ins for both the IBM HTTP Server for z/OS, Version 5.3 and the IBM HTTP Server on z/OS powered by Apache:
  • If you use a kdb file with a stashfile in the hierarchical file system (HFS), specify both the Property Name=keyring and the Property Name=stashfile elements, as shown in the preceding example.
    Avoid trouble: The format of the values you specify for these elements is different from what you specified in earlier versions of the product.
  • If you use a System Authorization Facility (SAF) keyring, instead of a kdb file, you must create the following two custom plug-in properties from the administrative console:
    KeyringLocation
    Specify the directory location of the SAF keyring as the value for this property. When you save this configuration change, this directory location becomes the value of the keyring property in the plugin-cfg.xml file.
    StashfileLocation
    Specify (null) as the value for this property. When you save this configuration change, (null) becomes the value of the stashfile property in the plugin-cfg.xml file.

    See Web server plug-in configuration properties for instructions on how to create KeyringLocation and StashfileLocation from the administrative console.

    Use the following example for the SAF keyring:
    <Transport Hostname="appserver.example.com" Port="9443" Protocol="https">
    <Property name="keyring" value="safkeyring:///SAF_keyring_name"/>
    <Property Name="stashfile" value=""/>
    </Transport>
  • Name

    Specifies the logical or administrative name to be used for this group of servers. Specify one attribute for each ServerCluster.

  • LoadBalance

    The following values can be specified for this attribute:

    Round-Robin

    Random

    The Round-Robin implementation has a random starting point. The first application server is picked randomly. Round-Robin is then used to pick application servers from that point forward. This implementation ensures that in multiple process-based web servers, all of the processes do not start by sending the first request to the same Application Server.

    The Random implementation also has a random starting point. However with this implementation all subsequent servers are also randomly selected. Therefore, the same server might get selected repeatedly while other servers remain idle.

    The default load balancing type is Round-Robin.

  • IgnoreAffinityRequests

    Specifies whether the plug-in ignores the number of affinity requests made to a server when selecting servers based on the Round-Robin algorithm. The value is true or false. This custom property does not affect how affinity requests are routed. It affects only round-robin load weight counts. If this custom property is set to true, then affinity requests are not counted and only new requests are counted. The plug-in evenly distributes new requests, but total requests that contain affinity and new can seem skewed because of session affinity. If this custom property is set to false, then affinity requests are counted against load balance weights. The plug-in distributes new requests to more available cluster members with fewer total requests. This setting skews the distribution of new requests in favor of better distribution of total requests.

    [8.5.5.19 or later]Important: The recommended value for the IgnoreAffinityRequests custom property is true. Some fix pack levels default to false. Change the default value to true if it is set to false.
  • RetryInterval

    Specifies an integer value for the length of time that elapses from the time that a server is marked down to the time that the plug-in tries a connection again. The default is 60 seconds. Specify zero or one attribute for each ServerCluster.

  • RemoveSpecialHeaders

    The plug-in adds special headers to the request before it is forwarded to the application server. These headers store information about the request that is used by the application. By default, the plug-in removes these headers from incoming requests before adding the headers it is supposed to add. Specify zero or one attribute for each ServerCluster.

    The value can be true or false. Setting the attribute to false introduces a potential security exposure by not removing headers from incoming requests.

  • CloneSeparatorChange

    Tells the plug-in to expect the plus character (+) as the clone separator. Some pervasive devices cannot handle the colon character (:) that is used to separate clone IDs in conjunction with session affinity. You must change application server configurations so that an application server separates clone IDs with the plus character as well. Specify zero or one attribute for each ServerCluster.

    The value can be true or false.

  • PostSizeLimit

    Specifies, in KB (1024-byte blocks), the maximum size of request content that the plug-in attempts to send to an application server. If a request is received that is greater than this size, the plug-in fails the request. The default value is -1 byte, which indicates that there is no limit for the post size. Specify zero or one attribute for each ServerCluster.

  • PostBufferSize

    Specifies, in KBs, the maximum buffer size that is used when the content of an HTTP request is read. If the application server that initially receives a request cannot process that request, the data contained in this buffer is sent to another application server. It then attempts to have that application server process the request. You can set this option to zero if you do not want requests that have content to be buffered, and then retried.

    This option improves the availability of the plug-in. When this option is set to a non-zero value, any pending packets that contain a payload are resent if the selected application server does not respond.

    Typically, POST and PUT requests carry a payload, but other requests might also carry a payload. Even if a POST or PUT request does not have a payload, it is retried if the value specified for this option is not zero.

    The default value is 0. Specify zero or one attribute for each ServerCluster.

  • ServerIOTimeoutRetry

    Specifies a limit for the number of times the HTTP plugin retries an HTTP request that has timed out, due to ServerIOTimeout. The default value, -1, indicates that no additional limits apply to the number of retries. A 0 value indicates there are no retries. Retries are always limited by the number of available servers in the cluster.

    Important: This directive does not apply to connection failures or timeouts due to the HTTP plug-in ConnectTimeout.
  • Server
    Specifies a WebSphere Application Server instance that is configured to handle requests routed to it, based on the routing rules of the plug-in configuration. The server corresponds to an application server running on either the local machine or a remote machine. Specify zero or one attribute for each ServerCluster.
    • Name

      Specifies the administrative or logical name for the server. Specify exactly one attribute for each Server.

    • CloneID

      If this unique ID is present in the HTTP cookie header of a request, or the URL if using URL rewriting, the plug-in routes the request to this particular server, provided all other routing rules are met. If a CloneID is not specified in the server, then session affinity is not enabled for this server. There can be zero or one attribute for each Server.

      This attribute is used with session affinity. When this attribute is set, the plug-in checks the incoming cookie header or URL for JSESSIONID. If JSESSIONID is found, then the plug-in looks for one or more clone IDs. If clone IDs are found, and a match is made to the value specified for this attribute, then the request is sent to this server rather than load balanced across the cluster.

      Best practice: If you are not using session affinity, then remove these clone IDs from the configuration because there is added request processing in the plug-in when these values are set. If clone IDs are not in the plug-in, then it is assumed that session affinity is not enabled, and the request is load balanced across the cluster.
    • WaitForContinue

      Specifies whether to use the HTTP 1.1 100 Continue support before sending the request content to the application server. Possible attribute values are true or false. The default value is false; the plug-in does not wait for the 100 Continue response from the application server before sending the request content because it is a performance hit. Specify zero or one attribute for each Server.

      This property is ignored for POST requests to prevent a failure from occurring if the application server closes a connection because of a keep-alive timeout.

      Set this attribute to true when configuring the plug-in to work with certain types of proxy firewalls.

    • LoadBalanceWeight

      Specifies the weight associated with this server when the plug-in performs weighted Round-Robin load balancing. Specify zero or one attribute for each Server. The starting value for a server can be any integer between 0 and 20. However, specify zero only for a server that is not running.

      The LoadBalanceWeight value for each server is decremented for each request that is processed by that server. After the weight for a particular server in a server cluster reaches zero, only requests with session affinity are routed to that server. When all servers in the cluster reach a weight of zero, the weights for all servers in the cluster are reset, and the algorithm restarts.

      Best practice: When a server is not running, set the weight for that server to zero. The plug-in can then reset the weights of the servers that are still running, and maintain proper load balancing.
    • ConnectTimeout

      Enables the plug-in to perform non-blocking connections with the application server. Non-blocking connections are beneficial when the plug-in is unable to contact the destination to determine if the port is available or unavailable. Specify zero or one attribute for each Server.

      If a ConnectTimeout value is not specified or is set to 0, the plug-in performs a blocking connect: the plug-in waits until the operating system times out the attempt (as long as 2 minutes, depending on the platform) before it can mark the server unavailable. A value greater than 0 specifies the number of seconds that the plug-in waits for a successful connection. If a connection does not occur within that interval, the plug-in marks the server unavailable and fails over to one of the other servers defined in the cluster.

      The default value is 0 for the first application server (server1) of a profile, and 5 for all of the other application servers of a profile.

    • ExtendedHandshake

      Use this attribute when a proxy firewall is between the plug-in and the application server and, as a result, the plug-in does not fail over as expected. Specify zero or one attribute for each Server.

      The plug-in marks a server as down when the connect() method fails. However, when a proxy firewall is between the plug-in and the application server, the connect() method succeeds even though the back-end application server is down. As a result, the plug-in does not fail over correctly to other application servers.

      The plug-in performs some handshaking with the application server to ensure that it is started before sending the request. This handshake enables the plug-in to fail over if the application server is down.

      The value can be true or false.

    • MaxConnections

      Specifies the maximum number of pending connections to an application server that can be flowing through a web server process at any point in time. Specify one element for each Server.

      For example, in the following scenario:
      • The application server is fronted by five nodes that are running an IBM HTTP Server.
      • Each node starts two processes.
      • The MaxConnections attribute is set to 50.

      In this example, the application server can potentially get up to 500 connections. Multiply the number of nodes, 5, by the number of processes, 2, and then multiply that number by the number specified for the MaxConnections attribute, 50, for a total of 500 connections.

      [z/OS] This attribute is not necessary on the z/OS operating system. The z/OS controller, working with Workload Manager (WLM), handles new connections dynamically.

      By default, MaxConnections is set to -1. If this attribute is set to either zero or -1, there is no limit to the number of pending connections to the application servers.

    • Transport

      Specifies the transport for reading and writing requests to a particular WebSphere Application Server instance. The transport provides the information that is necessary to determine the location of the application server to which the request is sent. If multiple transports are defined to use the same protocol, the plug-in cannot distinguish between them: it always uses the first such transport that it encounters in its processing, so the transport that is selected cannot be predicted. Specify one or more elements for each Server.

      It is possible to configure the server to have one non-secure transport and one that uses SSL. In this configuration, a match of the incoming request protocol is performed to determine the appropriate transport to use to send the request to the application server.

      • Hostname

        Specifies the host name or IP address of the machine on which the WebSphere Application Server instance is running. There is exactly one attribute for each transport.

      • Port

        Specifies the port on which the WebSphere Application Server instance is listening. There is exactly one attribute for each transport.

      • Protocol

        Specifies the protocol to use when communicating over this transport -- either HTTP or HTTPS. There is exactly one attribute for each transport.

    • Property
      Specify zero, one, or more elements for each transport. When the protocol of the transport is set to HTTPS, use this element to supply the various initialization parameters, such as password, keyring and stashfile. For example, the portion of the plugin-cfg.xml file containing these elements might look like the following code:
      <Transport Hostname="192.168.1.2" Port="9443" Protocol="HTTPS">
      <Property Name="keyring" value="c:/WebSphere/AppServer/keys/keyring.kdb"/>
      <Property Name="stashfile" value="c:/WebSphere/AppServer/keys/keyring.sth"/>
      <Property Name="password" value="WebAS"/>
      </Transport>
      • Name

        Specifies the name of the property that is being defined. Supported names recognized by the transport are keyring, stashfile, and password.

        Avoid trouble: The only name that can be specified for the WebSphere HTTP plug-in for z/OS is password. If you specify keyring and stashfile, they are ignored.
        Specify exactly one attribute for each property.
      • Value

        Specifies the value of the property being defined. Specify exactly one attribute for each property.

    • ServerIOTimeout

      Enables the plug-in to set a timeout value, in seconds, for sending requests to and reading responses from the application server.

      If you set the ServerIOTimeout attribute to a positive value, the attempt to contact the server ends when the timeout occurs. However, the server is not considered unavailable, and future requests are still sent to the server on which the timeout occurred.

      If you set the ServerIOTimeout attribute to a negative value, the server is considered unavailable whenever a timeout occurs, and no future requests are sent to the server on which the timeout occurred.

      If a value is not set for the ServerIOTimeout attribute, the plug-in, by default, uses blocked I/O to write requests to and read responses from the application server, and does not time out the TCP connection. For example, you might specify the following setting:

      <Server Name="server1" ServerIOTimeout="300">

      In this situation, if an application server stops responding to requests, the plug-in waits 300 seconds (5 minutes) before timing out the TCP connection. Setting the ServerIOTimeout attribute to a reasonable value enables the plug-in to time out the connection sooner, and to transfer requests to another application server when possible.

      When selecting a value for this attribute, remember that sometimes it might take several minutes for an application server to process a request. Setting the value of the ServerIOTimeout attribute too low might cause the plug-in to send a false server error response to the client.

      The default value is 900, which is equivalent to 15 minutes.

      Avoid trouble: The ServerIOTimeout limits the amount of time the plug-in waits for each individual read or write operation to return. ServerIOTimeout does not represent a timeout for the overall request.

      For additional recommendations on how to configure the ServerIOTimeout attribute, see the web server plug-in configuration technote on the IBM Support website.

  • Not all requests that are sent to, and responses that are read from, the application server need the same timeout rules. Some URLs might need a request to time out more quickly, or might not need every server to be retried for a request. You can designate specific URLs that use a modified ServerIOTimeout, ServerIOTimeoutRetry, websphere-wsserveriotimeout, or websphere-wsserveriotimeoutretry attribute. Alternatively, you can designate URLs that use a shortened timeout for ExtendedHandshake and 100-Continue responses. URLs that are not modified in this way continue to use the values that are specified within the plugin-cfg.xml file.
    • websphere-wsserveriotimeout

      This attribute sets a timeout value, in seconds, for pending read and write actions between the web server plug-in and a WebSocket application. When the specified value is exceeded, resources that are held by a non-responding application server are released.

      The default value is 30 seconds.

    • websphere-wsserveriotimeoutretry

      This attribute sets a timeout value, in seconds, that a connection between the web server plug-in and a WebSocket application can remain idle. When the specified value is exceeded, resources that are held by the application server are released.

      The default value is 900 seconds. Useful settings might be 24 hours (86400 seconds) or 7 days (604800 seconds).

    • websphere-wsserveridletimeout

      This attribute sets a timeout value, in seconds, for read or write actions between the web server plug-in and a websocket client or application. When the specified value is exceeded, resources associated with the websocket connection are released.

      In other words, this attribute sets the amount of time that the websocket client can be idle with no data being transferred between the client and application. When this idle time is reached, the websocket client times out and is closed.

      The default value is 900 seconds.

    • You can set the websphere-shorten-handshake attribute only to a value of 1. This value tells the plug-in to use the ConnectTimeout value as the wait time for ExtendedHandshake or 100-Continue responses.
    To designate a URL for this modified time-out processing, you modify the httpd.conf file by using SetEnvIf directives. You can apply multiple properties to the same URL group. For example, both the websphere-serveriotimeout and websphere-serveriotimeoutretry attributes can be specified for the same Request_URI value:
    SetEnvIf Request_URI "\.jsp$" websphere-serveriotimeout=10
    SetEnvIf Request_URI "\.jsp$" websphere-serveriotimeoutretry=-1
    SetEnvIf Request_URI "\.jsp$" websphere-wsserveriotimeout=300
    SetEnvIf Request_URI "\.jsp$" websphere-wsserveridletimeout=1800
    SetEnvIf Request_URI "\.jsp$" websphere-shorten-handshake=1
  • ClusterAddress

    A ClusterAddress is like a server element in that you can specify the same attributes and elements as for a server element. The difference is that you can define only one of them within a ServerCluster. Use a ClusterAddress when you do not want the plug-in to perform any type of load balancing because you already have some type of load balancer in between the plug-in and the application server.

    Avoid trouble: If you include a ClusterAddress tag, you must include the Name attribute on that tag. The plug-in uses the Name attribute to associate the cluster address with the correct host and port. If you do not specify the Name attribute, the plug-in assigns the cluster address the name that is specified for the server that is using the same host and port.
    <ClusterAddress Name="MyClusterAddr">
    <Transport Hostname="192.168.1.2" Port="9080" Protocol="HTTP"/>
    <Transport Hostname="192.168.1.2" Port="9443" Protocol="HTTPS"/>
    </ClusterAddress>

    If a request comes in that does not have affinity established, the plug-in routes it to the cluster address, if defined. If affinity has been established, then the plug-in routes the request directly to the clone, bypassing the cluster address entirely. If no cluster address is defined for the server cluster, then the plug-in load balances across the servers in the primary servers list.

    There can be zero or one element for each ServerCluster.

  • PrimaryServers

    Specifies a list of servers to which the plug-in routes requests for this cluster. If a list of primary servers is not specified, the plug-in routes requests to servers defined for the server cluster. Specify zero or one element for each ServerCluster.

  • BackupServers

    Specifies a list of servers to which requests are sent if all servers that are specified in the primary servers list are unavailable. The plug-in does not load balance across the backup servers, but traverses the list in order until no servers remain in the list or until a request is successfully sent and a response is received from an application server. Specify zero or one element for each ServerCluster.
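
The LoadBalanceWeight and CloneID descriptions above, modeled as an added Python example (not IBM code and not the plug-in's implementation): each request decrements a weight, a server at zero receives only session-affinity requests, and the weights reset once every server is used up. The class and function names, keying servers by a constructed clone ID, and restoring the configured starting weights on reset are assumptions of this model.

```python
from collections import Counter


class WeightedCluster:
    """Simplified model of the weighted round-robin behaviour described above.

    Assumption: on reset, every server gets its configured starting weight back.
    """

    def __init__(self, start_weights):
        # start_weights: clone ID (constructed) -> configured LoadBalanceWeight
        self.start = dict(start_weights)
        self.weight = dict(start_weights)
        self.order = list(start_weights)
        self.cursor = 0  # round-robin position

    def route(self, clone_id=None):
        """Return the server chosen for one request, or None if none is eligible."""
        # Session affinity: a clone ID that matches a server pins the request
        # to it even when its weight is used up. The request still counts.
        if clone_id in self.weight:
            self.weight[clone_id] -= 1
            return clone_id
        # Every server is used up: reset the weights and restart.
        if all(w <= 0 for w in self.weight.values()):
            self.weight = dict(self.start)
        # Round-robin over the servers that still have weight left.
        n = len(self.order)
        for step in range(n):
            name = self.order[(self.cursor + step) % n]
            if self.weight[name] > 0:
                self.cursor = (self.cursor + step + 1) % n
                self.weight[name] -= 1
                return name
        return None  # every starting weight is 0


def distribute(start_weights, requests):
    """Route each request (None, or a clone ID for affinity) and count hits."""
    cluster = WeightedCluster(start_weights)
    return Counter(cluster.route(clone_id) for clone_id in requests)


if __name__ == "__main__":
    # A 3:1 weighting over eight requests without affinity.
    print(dict(distribute({"a": 3, "b": 1}, [None] * 8)))
    # A stopped server configured with weight 0 gets no new traffic.
    print(dict(distribute({"a": 2, "down": 0}, [None] * 5)))
```

A server whose weight is 0 still receives requests that carry its clone ID, which is why the page recommends removing clone IDs when session affinity is not in use.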

VirtualHostGroup
Specifies a group of virtual host names that are specified in the HTTP Host header. Use this property to group virtual host definitions together that are configured to handle similar types of requests.

The following example shows a VirtualHostGroup element and associated elements and attributes:

<VirtualHostGroup Name="Hosts">
<VirtualHost Name="www.x.com"/>
<VirtualHost Name="www.x.com:443"/>
<VirtualHost Name="*:8080"/>
<VirtualHost Name="www.x.com:*"/>
<VirtualHost Name="*:*"/>
</VirtualHostGroup>
  • Name

    Specifies the logical or administrative name to be used for this group of virtual hosts. Specify exactly one attribute for each VirtualHostGroup.

  • VirtualHost

    Specifies the name used for a virtual or real machine used to determine if incoming requests must be handled by WebSphere Application Server. Use this element to specify host names that are in the HTTP Host header which must be seen for requests that need to be handled by the application server. You can specify specific host names and ports for incoming requests or specify an asterisk (*) for either the host name, port, or both.

    There can be one or more elements for each VirtualHostGroup.

    • Name

      Specifies the name that the HTTP Host header must contain to match this VirtualHost. Specify exactly one attribute for each VirtualHost.

      The value is a host name or IP address and port combination, separated by a colon.

      You can configure the plug-in to route requests to the application server based on the incoming HTTP Host header and port for the request. The Name attribute specifies those combinations.

      You can use a wildcard for this attribute. The only acceptable wildcard forms are an asterisk (*) for the host name, an asterisk for the port, or an asterisk for both. An asterisk for both means that any request matches this rule. If no port is specified in the definition, the default HTTP port of 80 is assumed.

UriGroup
Specifies a group of URIs that are specified on the HTTP request line. The same application server must be able to handle the URIs. The route compares the incoming URI with the URIs in the group to determine if the application server handles the request.

The following example shows a UriGroup element and associated elements and attributes:

<UriGroup Name="Uris">
<Uri Name="/servlet/snoop"/>
<Uri Name="/webapp/*"/>
<Uri Name="*.jsp"/>
</UriGroup>
  • Name

    Specifies the logical or administrative name for this group of URIs. Specify exactly one attribute for each UriGroup.

  • Uri

    Specifies the virtual path to the resource that is serviced by WebSphere Application Server. Each URI specifies the incoming URLs that the application server needs to handle. You can use a wildcard in these definitions. There can be one or more attributes for each UriGroup.

    • Name

      Specifies the actual string to specify in the HTTP request line to match successfully with this URI. You can use a wildcard within the URI definition. You can specify rules such as *.jsp or /servlet/* to be handled by WebSphere Application Server. When you assemble your application, if you specify File Serving Enabled, then only a wildcard URI is generated for the web application, regardless of any explicit servlet mappings. If you specify Serve servlets by classname, then the following URI is generated: <Uri Name="Web_application_URI/servlet/*">

      There is exactly one attribute for each URI.

    • AffinityCookie

      Specifies the name of the cookie that the plug-in uses when trying to determine if the inbound request has session affinity. The default value is JSESSIONID.

      See the description of the CloneID attribute for additional session affinity information.

      There can be zero or one attribute for each URI.

    • AffinityURLIdentifier

      Specifies the name of the identifier that the plug-in uses when trying to determine if the inbound request has affinity specified in the URL to a particular clone. The default value is jsessionid.

      See the description of the CloneID attribute for additional session affinity information.

      There can be zero or one attribute for each URI.

Route

Specifies a request routing rule by which the plug-in determines if an incoming request must be handled by WebSphere Application Server.

The route definition is the central element of the plug-in configuration. It specifies how the plug-in handles requests, based on certain characteristics of the request. The route definition contains the other main elements: a required ServerCluster, and either a VirtualHostGroup, UriGroup, or both.

Using the information that is defined in the VirtualHostGroup and the UriGroup for the route, the plug-in determines if the incoming request to the web server is sent on to the ServerCluster element that is defined in this route.

See the following example of this element:

<Route VirtualHostGroup="Hosts" UriGroup="Uris" ServerCluster="servers"/>
  • VirtualHostGroup

    Specifies the group of virtual hosts that are used in route determination. The incoming host header and server port are matched to determine if this request is handled by the application server.

    It is possible to omit this property from the route definition. If it is not present, then every request matches during the virtual host match portion of route determination.

    There can be zero or one attribute for each Route.

  • UriGroup

    Specifies the group of URIs to use for determining the route. Select zero or one group for each route. The incoming URI for the request is matched to the defined URIs in this group to determine whether this request is handled by the application server.

    It is possible to omit this property from the route definition. If it is not present, then every request matches during the URI match portion of route determination.

  • ServerCluster

    Specifies the cluster that receives the requests that successfully match the route. Select exactly one cluster for each route.

    The cluster is used to handle this request. If both the URI and the virtual host matching are successful for this route, then the request is sent to one of the servers that is defined within this cluster.
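
Route determination as described above, as an added Python example (not IBM code): it lists which ServerCluster names would receive a given host, port and URI, and which routes accept any host because the VirtualHostGroup is omitted or contains `*:*`. The sample configuration is constructed from the element examples on this page; the function names, the extra groups and clusters, and treating the asterisk in a Uri Name as "any run of characters" are assumptions, and the code reports every matching route rather than modeling which one the plug-in picks.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, built from the element examples on this page.
SAMPLE = """<Config>
  <VirtualHostGroup Name="Hosts">
    <VirtualHost Name="www.x.com"/>
    <VirtualHost Name="www.x.com:443"/>
  </VirtualHostGroup>
  <VirtualHostGroup Name="AnyHost">
    <VirtualHost Name="*:*"/>
  </VirtualHostGroup>
  <UriGroup Name="Uris">
    <Uri Name="/servlet/snoop"/>
    <Uri Name="/webapp/*"/>
    <Uri Name="*.jsp"/>
  </UriGroup>
  <UriGroup Name="AdminUris">
    <Uri Name="/admin/*"/>
  </UriGroup>
  <Route VirtualHostGroup="Hosts" UriGroup="Uris" ServerCluster="servers"/>
  <Route VirtualHostGroup="AnyHost" UriGroup="AdminUris" ServerCluster="admin"/>
  <Route UriGroup="AdminUris" ServerCluster="legacy"/>
</Config>"""


def split_vhost(name):
    """Split a VirtualHost Name into (host, port); no port means port 80."""
    host, sep, port = name.rpartition(":")
    if not sep:
        return name.lower(), "80"
    return host.lower(), port


def vhost_matches(name, host, port):
    """An asterisk is accepted for the host, the port, or both."""
    vhost, vport = split_vhost(name)
    return vhost in ("*", host.lower()) and vport in ("*", str(port))


def uri_matches(pattern, uri):
    """Assumption: '*' matches any run of characters; all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, uri) is not None


def load(xml_text):
    """Return (virtual host groups, URI groups, routes) from the XML text."""
    root = ET.fromstring(xml_text)
    vhosts = {g.get("Name"): [v.get("Name") for v in g.findall("VirtualHost")]
              for g in root.findall("VirtualHostGroup")}
    uris = {g.get("Name"): [u.get("Name") for u in g.findall("Uri")]
            for g in root.findall("UriGroup")}
    return vhosts, uris, [r.attrib for r in root.findall("Route")]


def matching_clusters(xml_text, host, port, uri):
    """ServerCluster names of every route that matches the request."""
    vhosts, uris, routes = load(xml_text)
    hits = []
    for route in routes:
        vgroup, ugroup = route.get("VirtualHostGroup"), route.get("UriGroup")
        # An omitted group means every request passes that part of the match.
        host_ok = vgroup is None or any(
            vhost_matches(n, host, port) for n in vhosts.get(vgroup, []))
        uri_ok = ugroup is None or any(
            uri_matches(p, uri) for p in uris.get(ugroup, []))
        if host_ok and uri_ok:
            hits.append(route["ServerCluster"])
    return hits


def host_unrestricted_routes(xml_text):
    """Clusters reachable under any Host header and port."""
    vhosts, _, routes = load(xml_text)
    return [r["ServerCluster"] for r in routes
            if r.get("VirtualHostGroup") is None
            or "*:*" in vhosts.get(r.get("VirtualHostGroup"), [])]


if __name__ == "__main__":
    print(matching_clusters(SAMPLE, "www.x.com", 80, "/webapp/shop/cart"))
    print(matching_clusters(SAMPLE, "other.example", 8443, "/admin/console"))
    print(host_unrestricted_routes(SAMPLE))
```

Running `host_unrestricted_routes` over a generated file is a quick review step for routes that forward requests regardless of the Host header they arrive with.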

RequestMetrics
Used to determine whether request metrics are enabled, and how to filter the requests based on the Internet Protocol (IP) and Uniform Resource Identifiers (URI) filters when request metrics are enabled.

See the following example of this element:

<RequestMetrics armEnabled="false" loggingEnabled="true"
                rmEnabled="false" traceLevel="PERF_DEBUG">
  • armEnabled

    Specifies whether the ARM 4 agent is enabled in the plug-in. When it is set to true, the ARM 4 agent is called.

    Avoid trouble: For the SunOne (iPlanet) Web Server, the following directive must be included in the obj.conf file to enable ARM 4 support:
    AddLog fn="as_term"
    If this directive is not included, the arm_stop procedure is never called.

    Select zero or one attribute for RequestMetrics.

  • loggingEnabled

    Specifies whether request metrics logging is enabled in the plug-in. When it is set to true and the traceLevel is not set to NONE, the request response time, and other request information, is logged. When it is set to false, there is no request logging. The value of loggingEnabled depends on the value specified for the system property, com.ibm.websphere.pmi.reqmetrics.loggingEnabled. When this system property is not present, loggingEnabled is set to true. Specify exactly one attribute for RequestMetrics.

  • rmEnabled

    Specifies whether the request metrics are enabled in the plug-in. When it is set to true, the request metrics component of the plug-in inspects the filters and, if a request passes the filters, logs the request trace record in the plug-in log file. When this attribute is set to false, the rest of the request metrics attributes are ignored. Specify exactly one attribute for RequestMetrics.

  • traceLevel

    Indicates how much information is logged when the rmEnabled attribute is set to true. When this attribute is set to NONE, no request logging is performed. When this attribute is not set to NONE, and loggingEnabled is set to true, the request response time, and other request information, is logged when the request is done. Specify exactly one attribute for RequestMetrics.

  • filters

    When rmEnabled is true, the filters control which requests are traced. Specify zero, one, or two attributes for RequestMetrics.

    • enable

      When enable is true, the type of filter is on and requests must pass the filter. Specify exactly one attribute for each filter.

    • type

      There are two types of filters: SOURCE_IP (for example, client IP address) and URI. For the SOURCE_IP filter type, requests are filtered based on a known IP address. You can specify a mask for an IP address using the asterisk (*). If the asterisk is used, the asterisk must always be the last character of the mask, for example 127.0.0.*, 127.0.*, 127*. For performance reasons, the pattern matches character by character, until either an asterisk is found in the filter, a mismatch occurs, or the filters are found as an exact match.

      For the URI filter type, requests are filtered based on the URI of the incoming HTTP request. The rules for pattern matching are the same as matching SOURCE_IP address filters.

      If both URI and client IP address filters are enabled, request metrics require a match for both filter types. If neither is enabled, all requests are considered a match.

      There is exactly one attribute for each filter.

    • filterValues

      Specifies the detailed filter information. Specify one or multiple attributes for each filter.

      • value

        Specifies the filter value for the corresponding filter type. This value might be either a client IP address or a URI. Specify exactly one attribute for each filterValue.

IntelligentManagement Properties

Property Name=OdrPortPathPrefix Value=fully-qualified path
The OdrPortPathPrefix property indicates the directory to be used to store temporary files used for UNIX sockets. By default, this location is the web server's logs directory. If you start the web server as a non-root user, either change the permissions on this directory to allow read and write access to these temporary files, or set the OdrPortPathPrefix property to a fully-qualified path that has the necessary permissions.

IBM does not recommend hand editing the plugin-cfg.xml file to define the OdrPortPathPrefix property. Instead, all desired properties should be set using the administrative console and running the plugin generator to create a properly formatted server.xml file. Use the administrative console and the following navigation path to set the OdrPortPathPrefix property:

Web servers > Intelligent Management > Intelligent Management Plug-in Properties

If you need to manually add this property, it must be added within the <IntelligentManagement> stanza of the plugin-cfg.xml file for it to be recognized by the plugin binary. Otherwise, the property does not take effect. Also, this manual process of defining the OdrPortPathPrefix property must be performed every time a newly generated server.xml file is produced. The following is an example of editing the plugin-cfg.xml file and setting this property manually within the <IntelligentManagement> stanza.
<Property name="OdrPortPathPrefix" value="/tmp/odrpidloc"/>
enableRoutingToAdminConsole
Enables routing to the administrative console of the WebSphere cell that the connector group represents.
retryinterval
Specifies the retry interval (in seconds) for enabling the Intelligent Management service. The default value is 60 seconds.
maxRetries
Specifies the maximum number of retries for enabling the Intelligent Management service. The default value is -1.
RoutingRulesConnectorClusterName
Specifies the cell from which Intelligent Management for web servers reads routing rules and which is specified in the <IntelligentManagement> stanza in the plugin-cfg.xml file. The value of the property is initialized with the name of the cell in the plugin-cfg.xml file. To change this behavior, add your routing rules to the cell that is specified by the RoutingRulesConnectorClusterName property of the <IntelligentManagement> stanza in the plugin-cfg.xml file.
RemoveSpecialHeaders
Specifies to the plugin whether or not to remove the special headers from incoming requests before adding special headers to the request and then forwarding the request to the application server. The headers added contain information about the request that is needed by the application. By default the plugin removes these headers from incoming requests before adding the headers with the information the application needs.
Warning: Only set this attribute to false if you are able to ensure the security of the processing. A security exposure can exist when the headers are not removed from incoming requests.

This attribute is typically used at the cluster level. Intelligent Management does not know of this attribute because of the way its processing manages the cluster. This attribute is a configuration-level attribute and can be added by setting PLG.Config.RemoveSpecialHeaders to true.

You set this property using the administrative console.
  • Go to Webserver [your Webserver] > Plugin Properties > Custom Properties
  • Add the property PLG.Config.RemoveSpecialHeaders with the value of true.

    If the property is not set, the setting of false is assumed.
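
An added Python example (not IBM code) that audits a plugin-cfg.xml file for settings this page describes as non-secure, blocking or unlimited: HTTP transports, an inline password property, ConnectTimeout of 0, MaxConnections of 0 or -1, and RemoveSpecialHeaders set to false. The sample file is constructed with placeholder values; the function names and the assumption that RemoveSpecialHeaders appears as a ServerCluster attribute are not from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample; addresses, paths and the password are placeholders.
SAMPLE = """<Config>
  <ServerCluster Name="servers" RemoveSpecialHeaders="false">
    <Server Name="server1" ConnectTimeout="0" MaxConnections="-1">
      <Transport Hostname="192.168.1.2" Port="9080" Protocol="HTTP"/>
      <Transport Hostname="192.168.1.2" Port="9443" Protocol="HTTPS">
        <Property Name="keyring" Value="/opt/example/keys/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/example/keys/plugin-key.sth"/>
        <Property Name="password" Value="EXAMPLE-ONLY"/>
      </Transport>
    </Server>
    <Server Name="server2" ConnectTimeout="5" MaxConnections="50">
      <Transport Hostname="192.168.1.3" Port="9443" Protocol="HTTPS">
        <Property Name="keyring" Value="/opt/example/keys/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/example/keys/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""


def _attrs(elem):
    """Attribute dict with lower-cased keys, so Value= and value= both work."""
    return {k.lower(): v for k, v in elem.attrib.items()}


def audit(xml_text):
    """Return a list of (location, setting, note) findings."""
    findings = []
    root = ET.fromstring(xml_text)
    for cluster in root.iter("ServerCluster"):
        cname = cluster.get("Name", "?")
        # Assumption: RemoveSpecialHeaders is a ServerCluster attribute.
        if cluster.get("RemoveSpecialHeaders", "").strip().lower() == "false":
            findings.append((cname, "RemoveSpecialHeaders",
                             "special headers on incoming requests are kept"))
        # A ClusterAddress takes the same attributes and elements as a Server.
        members = cluster.findall("Server") + cluster.findall("ClusterAddress")
        for server in members:
            where = f"{cname}/{server.get('Name', '?')}"
            # Absent or 0 means a blocking connect.
            if server.get("ConnectTimeout", "0").strip() == "0":
                findings.append((where, "ConnectTimeout",
                                 "blocking connect until the OS times out"))
            # 0 or -1 (the default) means no limit.
            if server.get("MaxConnections", "-1").strip() in ("0", "-1"):
                findings.append((where, "MaxConnections",
                                 "no limit on pending connections"))
            for transport in server.findall("Transport"):
                endpoint = (f"{where} {transport.get('Hostname')}:"
                            f"{transport.get('Port')}")
                protocol = (transport.get("Protocol") or "").upper()
                props = {}
                for prop in transport.findall("Property"):
                    attrs = _attrs(prop)
                    props[attrs.get("name", "").lower()] = attrs.get("value", "")
                if protocol == "HTTP":
                    findings.append((endpoint, "Protocol",
                                     "non-secure transport to the server"))
                elif protocol == "HTTPS" and props.get("password"):
                    findings.append((endpoint, "password",
                                     "password property readable in the file"))
    return findings


if __name__ == "__main__":
    for location, setting, note in audit(SAMPLE):
        print(f"{location}: {setting}: {note}")
```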

[8.5.5.24 or later]

Security Web Server Plug-ins

CAUTION:
These security Web Server plug-in properties and the instructions for their use only apply to WebSphere Application Server traditional. For Liberty, refer to the instructions for the plug-in generation described under extraConfigProperties in WebSphere Application Server Liberty Web Server Plugin (pluginConfiguration) and Web Server Plugin (pluginConfiguration) for Open Liberty.

HostVerificationStartupCheck

Specifies whether the plug-in validates all defined transports within the XML at startup. The possible values are true or false. The default setting is true if no value is specified.

This property can be set at Webserver [your Webserver] > Plugin Properties > Custom Properties.

SecureHostVerification

Specifies how the plug-in proceeds when validation fails. The possible values are true-markdown, true-nomarkdown, and false. If you set this property to true-markdown or true-nomarkdown and validation fails, then the server markdown behavior is handled based on the setting. Intelligent Management handles markdown behavior outside this property setting. Setting this property to false turns off all validation regardless of the product type. The default setting is true-markdown if no value is specified.

This property can be set at Webserver [your Webserver] > Plugin Properties > Custom Properties.

IMSecureConnectorVerification

Specifies whether the plug-in validates all connectors within the Intelligent Management group. Valid values for this property are fail, warn, and off. This validation can only occur when the SecureHostVerification property is set to a true-markdown or true-nomarkdown value.

As the plug-in loads, it creates a list of all connectors from all Intelligent Management groups. When a new HTTPS connection is needed, the plug-in software performs the necessary certificate validation. When the IMSecureConnectorVerification property is set to fail, a validation failure cancels the stream and posts messages to the log. When the IMSecureConnectorVerification property is set to warn, only messages are posted to the log, but the stream is allowed to continue. The default setting is fail if no value is specified.

This property can be set at Webserver [your Webserver] > Plugin Properties > Custom Properties.

IMSecureEndpointVerification

Specifies whether the plug-in validates the Endpoint hostname that is returned by the connector. Valid values for this property are fail, warn, and off. This validation can only occur when the SecureHostVerification property is set to a true-markdown or true-nomarkdown value.

When a new stream is needed, the plug-in performs the necessary certificate validation. A validation failure with the property set to fail cancels the stream and posts messages to the log. When the IMSecureConnectorVerification property is set to warn, only messages are posted to the log, but the stream is allowed to continue. The default setting is fail if no value is specified.

This property can be set at Webserver [your Webserver] > Plugin Properties > Custom Properties.

GlobalHostAlias

Specifies a comma-separated list of either hostname or IP values for which you want certificate validation performed. This comma-separated list must have no spaces in it. There is no default value setting for this property.

This property can be set at Webserver [your Webserver] > Plugin Properties > Custom Properties.

HostnameAlias

This property is specifically a transport property to validate a certificate for a single hostname value. Specify hostname or IP address.

This property is not available for use with Liberty or Intelligent Management.

This property can be set at Application servers [your App Server] > Web container > transport chains > WCinboundDefaultSecure > TCP inbound channel (TCP_4) > Custom Properties.