SecurityConfigurationCommands


Use Jython to configure security with wsadmin. Use the commands and parameters in the SecurityConfigurationCommands group to configure and manage...

Administer user registry configurations:

Administer JAAS login configurations:

Administer data entry configurations:

Administer CISv2 configurations:

Administer trust association configurations:

Manage the security configuration:

 

configureAdminCustomUserRegistry

The configureAdminCustomUserRegistry command configures a custom user registry in the global security configuration.

Target object

None.

Optional parameters

-autoGenerateServerId

Specifies whether the command automatically generates the server identity that the system uses for internal process communication. Specify true to automatically generate the server identity. (Boolean)

-serverId

Server identity in the repository that the system uses for internal process communication. (String)

-serverIdPassword

Password that corresponds to the server identity. (String)

-primaryAdminId

Name of the user with admin privileges that is defined in the registry. This parameter does not apply to security configurations. (String)

-customRegClass

Class name that implements the UserRegistry interface in com.ibm.websphere.security property. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAdminLDAPUserRegistry

The configureAdminLDAPUserRegistry command configures a LDAP user registry in the global security configuration.

Target object

None.

Optional parameters

-autoGenerateServerId

Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)

-serverId

Server identity in the repository that the system uses for internal process communication. (String)

-serverIdPassword

Password that corresponds to the server identity. (String)

-primaryAdminId

Name of the user with admin privileges that is defined in the registry. This parameter does not apply to security configurations. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-ldapServerType

Type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)

Specify one of the following valid values:

  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM

-ldapHost

Host name of the LDAP server. (String)

-ldapPort

Port that the system uses to access the LDAP server. The default value is 389. (String)

-baseDN

Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)

-bindDN

Distinguished name for the appserver, which is used to bind to the directory service. (String)

-bindPassword

Binding DN password for the LDAP server. (String)

-searchTimeout

Timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long)

-reuseConnection

Specifies whether the server reuses the LDAP connection. By default, this option is enabled. Specify false for this parameter only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity. (Boolean)

When you disable the reuse of the LDAP connection, the appserver creates a new LDAP connection for every LDAP search request. This situation impacts system performance if the environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the appserver and LDAP is too small.

-userFilter

Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)

-groupFilter

Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)

-userIdMap

Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)

-groupIdMap

Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)

-groupMemberIdMap

Specifies the LDAP filter that identifies users to group memberships. (String)

-certificateMapMode

Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)

-certificateFilter

Filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. (String)The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The left side of the filter spec is an LDAP attribute that depends on the schema that the LDAP server is configured to use. The right side of the filter spec is one of the public attributes in the client certificate. The right side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}).

Use the following certificate attribute values on the right side of the filter specification. The case of the strings is important:

  • ${UniqueKey}
  • ${PublicKey}
  • ${Issuer}
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectCN}
  • ${Version}

-krbUserFilter

Default value is the default user filter for the LDAP server type. (String)

-nestedGroupSearch

Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)

-sslEnabled

Specifies whether to enable SSL. Specify true to enable an SSL connection to the LDAP server. (Boolean)

-sslConfig

SSL configuration alias to use for the secure LDAP connection. (String)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAdminLocalOSUserRegistry

The configureAdminLocalOSUserRegistry command configures a local operating system user registry in the global security configuration.

Target object

None.

Optional parameters

-autoGenerateServerId

Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)

-serverId

Server identity in the repository that the system uses for internal process communication. (String)

-serverIdPassword

Password that corresponds to the server identity. (String)

-primaryAdminId

Name of the user with admin privileges that is defined in the registry. This parameter does not apply to security configurations. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAdminWIMUserRegistry

The configureAdminWIMUserRegistry command configures a federated repository user registry in the administrative security configuration.

Target object

None.

Optional parameters

-autoGenerateServerId

Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)

-serverId

Server identity in the repository that the system uses for internal process communication. (String)

-serverIdPassword

Password that corresponds to the server identity. (String)

-primaryAdminId

Name of the user with admin privileges that is defined in the registry. This parameter does not apply to security configurations. (String)

-realmName

Realm of the user registry. The system automatically generates a realm name if we do not specify a value for the -realmName parameter. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAppCustomUserRegistry

The configureAppCustomUserRegistry command configures a custom user registry in an application security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Optional parameters

-realmName

Realm of the user registry. The system automatically generates a realm name if we do not specify a value for the -realmName parameter. (String)

-customRegClass

Class name that implements the UserRegistry interface in com.ibm.websphere.security property. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAppLDAPUserRegistry

The configureAppLDAPUserRegistry command configures LDAP user registries in a security configuration or a global security configuration.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Optional parameters

-realmName

Realm of the user registry. The system automatically generates a realm name if we do not specify a value for the -realmName parameter. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-ldapServerType

Type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)

Specify one of the following valid values:

  • IBM_DIRECTORY_SERVER

  • IPLANET

  • NETSCAPE

  • NDS

  • DOMINO502

  • SECUREWAY

  • ACTIVE_DIRECTORY

  • CUSTOM

-ldapHost

Host name of the LDAP server. (String)

-ldapPort

Port that the system uses to access the LDAP server. The default value is 389. (String)

-baseDN

Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)

-bindDN

Distinguished name for the appserver, which is used to bind to the directory service. (String)

-bindPassword

Binding DN password for the LDAP server. (String)

-searchTimeout

Timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long Integer)

-reuseConnection

Specifies whether the server reuses the LDAP connection. By default, this option is enabled. Specify false for this parameter only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity. (Boolean)

When you disable the reuse of the LDAP connection, the appserver creates a new LDAP connection for every LDAP search request. This situation impacts system performance if the environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the appserver and LDAP is too small.

-userFilter

Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)

-groupFilter

Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)

-userIdMap

Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)

-groupIdMap

Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)

-groupMemberIdMap

Specifies the LDAP filter that identifies users to group memberships. (String)

-certificateMapMode

Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)

-certificateFilter

Filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. (String)The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The left side of the filter spec is an LDAP attribute that depends on the schema that the LDAP server is configured to use. The right side of the filter spec is one of the public attributes in the client certificate. The right side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). Use the following certificate attribute values on the right side of the filter specification. The case of the strings is important:

  • ${UniqueKey}

  • ${PublicKey}

  • ${Issuer}

  • ${NotAfter}

  • ${NotBefore}

  • ${SerialNumber}

  • ${SigAlgName}

  • ${SigAlgOID}

  • ${SigAlgParams}

  • ${SubjectCN}

  • ${Version}

-krbUserFilter

Default value is the default user filter for the LDAP server type. (String)

-nestedGroupSearch

Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)

-sslEnabled

Specifies whether to enable SSL. Specify true to enable an SSL connection to the LDAP server. (Boolean)

-sslConfig

SSL configuration alias to use for the secure LDAP connection. (String)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAppLocalOSUserRegistry

The configureAppLocalOSUserRegistry command configures a local operating system user registry in a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Optional parameters

-realmName

Realm of the user registry. The system automatically generates a realm name if we do not specify a value for the -realmName parameter. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureAppWIMUserRegistry

The configureAppWIMUserRegistry command configures federated repository user registries in a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Optional parameters

-realmName

Realm of the user registry. The system automatically generates a realm name if we do not specify a value for the -realmName parameter. (String)

-verifyRegistry

Specifies whether to verify that the user registry configuration is correct. If we set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If we specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getLTPATimeout

The getLTPATimeout command displays the number of seconds that the system waits before the LTPA request reaches timeout.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns the number of seconds that the server waits before the LTPA request is cancelled.

Batch mode example usage

Interactive mode example usage

 

setLTPATimeout

The setLTPATimeout command sets the amount of time that the system waits before the LTPA request becomes invalid.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

-timeout

Amount of time, in seconds, before the request times out. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getUserRegistryInfo

The getUserRegistryInfo command displays information about a user registry in a security domain or in the global security configuration. If we do not specify a value for the -userRegistryType parameter, the command returns the active user registry information.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

-userRegistryType

Type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegisty for local operating system user registries. (String)

Return value

The command returns configuration information in the form of attribute and value pairs for the user registry object of interest.

Batch mode example usage

Interactive mode example usage

 

unconfigureUserRegistry

The unconfigureUserRegistry command modifies the user registry. For a global security configuration, the command reduces the user registry to the minimum registry values. For application-level security, the command removes the user registry from the security domain of interest.

Target object

None.

Required parameters

-userRegistryType

Type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegisty for local operating system user registries. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureLoginEntry

The configureLoginEntry command configures a Java Authentication and Authorization Service (JAAS) login entry in a security domain or in the global security configuration. Use this command to modify existing JAAS login entries or to create new login entries.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

-loginEntryAlias

Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName

Name of the security configuration. If we do not specify a security domain name, the system updates the global security configuration. (String)

-loginModules

comma (,) separated list of login module class names. Specify the list in the order that the system calls them. (String)

-authStrategies

comma-separated list of authentication strategies that sets the authentication behavior as authentication proceeds down the list of login modules. Specify one authentication strategy for each login module. (String)Specify one or many of the following values in a comma (,) separated list:

  • REQUIRED

    Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

  • REQUISITE

    Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

  • SUFFICIENT

    Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

  • OPTIONAL

    Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureLoginModule

The configureLoginModule command modifies an existing login module or creates a new login module on an existing JAAS login entry in the global security configuration or in a security domain.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

-loginEntryAlias

Specifies an alias that identifies the JAAS login entry in the configuration. (String)

-loginModule

Name of the login module. (String)

Optional parameters

-securityDomainName

Name of the security configuration. (String)

-useLoginModuleProxy

Specifies that the JAAS loads the login module proxy class. JAAS then delegates calls to the login module classes defined in the Module class name field. Specify true to use the login module proxy. (Boolean)

-authStrategy

Authentication behavior as authentication proceeds down the list of login modules. (String)Specify one of the following values:

  • REQUIRED

    Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

  • REQUISITE

    Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

  • SUFFICIENT

    Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

  • OPTIONAL

    Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getJAASLoginEntryInfo

The getJAASLoginEntryInfo command displays configuration for a specific JAAS login entry.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

-loginEntryAlias

Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains configuration information for the JAAS login entry of interest.

Batch mode example usage

Interactive mode example usage

 

listJAASLoginEntries

The listJAASLoginEntries command displays each defined JAAS login modules for given type in a security domain or the global security configuration.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array of attribute lists that contain the login entries for the login type of interest.

Batch mode example usage

Interactive mode example usage

 

listLoginModules

The listLoginModules command displays the class names and associated options for a specific JAAS login module in a security domain or in the global security configuration.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

-loginEntryAlias

Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array that contains the login modules in a specific login entry.

Batch mode example usage

Interactive mode example usage

 

unconfigureJAASLoginEntry

The unconfigureJAASLoginEntry command removes a JAAS login entry from the global security configuration or a security domain. We cannot remove all login entries. The command returns an error if it cannot remove the login entry of interest.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

-loginEntryAlias

Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

unconfigureLoginModule

The unconfigureLoginModule command removes a login module class from a login module entry.

Target object

None.

Required parameters

-loginType

Type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

-loginEntryAlias

Specifies an alias that identifies the JAAS login entry in the configuration. (String)

-loginModule

Name of the login module class to remove from the configuration. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

createAuthDataEntry

The createAuthDataEntry command creates an authentication data entry for a J2EE Connector architecture (J2C) connector in the global security or security domain configuration.

Target object

None.

Required parameters

-alias

Name that uniquely identifies the authentication data entry. (String)

-user

Specifies the J2C authentication data user ID. (String)

-password

Password to use for the target enterprise information system (EIS). (String)

Optional parameters

-securityDomainName

Name of the security domain configuration. The application server uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

-description

Description of the authentication data entry. (String)

Return value

The command returns the object name of the new authentication data entry object.

Batch mode example usage

Interactive mode example usage

 

deleteAuthDataEntry

The deleteAuthDataEntry command removes an authentication data entry for a J2C connector in a global security or security domain configuration.

Target object

None.

Required parameters

-alias

Name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName

Name of the security domain configuration. The application server uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getAuthDataEntry

The getAuthDataEntry command displays information about an authentication data entry for the J2C connector in the global security configuration or for a specific security domain.

Target object

None.

Required parameters

-alias

Name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains the authentication data entry attributes and values.

Batch mode example usage

Interactive mode example usage

 

listAuthDataEntries

The listAuthDataEntries command displays each authentication data entry in the global security configuration or in a security domain.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array of attribute lists for each authentication data entry.

Batch mode example usage

Interactive mode example usage

 

modifyAuthDataEntry

The modifyAuthDataEntry command modifies an authentication data entry for a J2C connector in the global security or security domain configuration.

Target object

None.

Required parameters

-alias

Name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

-user

Specifies the J2C authentication data user ID. (String)

-password

Password to use for the target enterprise information system (EIS). (String)

-description

Description for the authentication data entry. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureCSIInbound

The configureCSIInbound command configures CSIv2 inbound authentication on a security domain or on the global security configuration. When configuring CSI inbound authentication in a security domain for the first time that the CSI objects are copied from global security so thatany changes to that configuration are applied.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. If one is not provided the task will work on the global security user registry configuration. (String)

-messageLevelAuth

Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)

-supportedAuthMechList

Authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use the own authentication token implementation. We can specify more then one in a space-separated list. (String)

-clientCertAuth

Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)

-transportLayer

Transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)

-sslConfiguration

SSL configuration alias to use for inbound transport. (String)

-enableIdentityAssertion

Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)

-trustedIdentities

List of trusted server identities, separated by the pipe character (|). To specify a null value, set the value of the -trustedIdentities parameter as an empty string (""). (String)

-statefulSession

Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)

-enableAttributePropagation

Specifies whether to enable security attribute propagation. Security attribute propagation allows the appserver to transport authenticated Subject contents and security context information from one server to another in the configuration. Specify true to enable security attribute propagation. (Boolean)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureCSIOutbound

The configureCSIOutbound command configures the CSIv2 outbound authentication in a security domain or in the global security configuration. When configuring CSI Outbound in a security domain for the first time, the appserver copies the CSI objects from global security. Then, the appserver applies the changes to that configuration from the command.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. (String)

-enableAttributePropagation

Specifies whether to enable security attribute propagation. Security attribute propagation allows the appserver to transport authenticated Subject contents and security context information from one server to another in the configuration. Specify true to enable security attribute propagation. (Boolean)

-enableIdentityAssertion

Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)

-useServerIdentity

Specifies whether to use the server identity to establish trust with the target server. Specify true to use the server identity. (Boolean)

-trustedId

Trusted identity that the appserver uses to establish trust with the target server. (String)

-trustedIdentityPassword

Password of the trusted server identity. (String)

-messageLevelAuth

Specifies whether clients connecting to this server must specify a user ID and password. Specify includeNever to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)

-supportedAuthMechList

Authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use the own authentication token implementation. We can specify more then one in a space-separated list. (String)

-clientCertAuth

Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)

-transportLayer

Transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)

-sslConfiguration

SSL configuration alias to use for inbound transport. (String)

-statefulSession

Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)

-enableOutboundMapping

Specifies whether to enable custom outbound identity mapping. Specify true to enable custom outbound identity mapping. (Boolean)

-trustedTargetRealms

List of target realms to trust. Separate each realm name with the pipe character (|). (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getCSIInboundInfo

The getCSIInboundInfo command displays information about the Common Secure Interoperability (CSI) inbound settings for the global security configuration or for a security domain.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

-displayModel

Output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)

Return value

The command returns an attribute list of the attributes and values of the CSI inbound object.

Batch mode example usage

Interactive mode example usage

 

getCSIOutboundInfo

The getCSIOutboundInfo command displays information for the CSI outbound settings for the global security configuration or for a security domain.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

-displayModel

Output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)

Return value

The command returns an attribute list that contains the attributes and values of the CSI outbound configuration.

Batch mode example usage

Interactive mode example usage

 

unconfigureCSIInbound

The unconfigureCSIInbound command removes the CSI inbound information from a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

unconfigureCSIOutbound

The unconfigureCSIOutbound command removes the CSI outbound information from a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureInterceptor

The configureInterceptor command modifies an existing interceptor or creates an interceptor if one does not exist.

Target object

None.

Required parameters

-interceptor

Trust association interceptor class name. (String)

Optional parameters

-securityDomainName

Name of the security domain. If we do not specify a security domain, the command assigns the global security configuration. (String)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureTrustAssociation

The configureTrustAssociation command enables or disable the trust association. If the security domain does not have a trust association defined, the appserver copies each trust association and its interceptors from the global security configuration.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. (String)

-enable

Specifies whether to enable trust association to act as a reverse proxy server. (Boolean)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getTrustAssociationInfo

The getTrustAssociationInfo command displays configuration information for trust association.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains attributes and values for trust association.

Batch mode example usage

Interactive mode example usage

 

listInterceptors

The listInterceptors command displays the trust association interceptors that are configured in the global security or security domain configuration.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array list of each interceptor and the associated custom properties.

Batch mode example usage

Interactive mode example usage

 

unconfigureInterceptor

The unconfigureInterceptor command removes a trust association interceptor from the global security configuration or from a security domain.

Target object

None.

Required parameters

-interceptor

Trust association interceptor class name. (String)

Optional parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

unconfigureTrustAssociation

The unconfigureTrustAssociation command removes the trust association object from a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

applyWizardSettings

The applyWizardSettings command can be used to automate the global security configuration.

Target object

None.

Optional parameters

-secureApps

Specifies to secure applications.

-secureLocalResources

Specifies to secure local resources such as data sets and MVS commands.

-userRegistryType

Specifies whether the user is a user, a group, or a group member.

-ldapServerType

Type of LDAP server that is being used. The default value is IDS51.

-ldapHostName

Specifies the LDAP host name.

-ldapPort

Specifies the LDAP port name.

-ldapBaseDN

Specifies the LDAP base dynamic member attribute.

-ldapBindDN

Dynamically updates LDAP binding information.

-ldapBindPassword

Dynamically updates LDAP binding password information.

-adminName

Refers to the name of an administrator account on the remote target machine.

Return value

The command does not return output.

Batch mode example usage

 

configureAuthzConfig

The configureAuthzConfig command configures an external Java Authorization Contract for Containers (JACC) authorization provider in a security domain or the global security configuration.

Target object

None.

Optional parameters

-securityDomainName

Name of the security configuration. (String)

-useJACCProvider

Specifies whether to use a JACC provider. Specify true to use a JACC provider. (Boolean)

-name

Name of the JACC provider to use. (String)

-description

Description of the JACC provider. (String)

-j2eePolicyImplClassName

Class name of an implementation class that represents the javax.security.jacc.policy.provider property according to the specification. (String)

-policyConfigurationFactoryImplClassName

Class name of an implementation class that represents the javax.security.jacc.PolicyConfigurationFactory.provider property. (String)

-roleConfigurationFactoryImplClassName

Class name of an implementation class that implements the com.ibm.wsspi.security.authorization.RoleConfigurationFactory interface. (String)

-requiresEJBArgumentsPolicyContextHandler

Specifies whether policy providers require the Enterprise Java Beans™ arguments policy context handler to make access decisions. Specify true to enable this option. (Boolean)

-initializeJACCProviderClassName

Class name of an implementation class that implements the com.ibm.wsspi.security.authorization.IntializeJACCProvider interface.(String)

-supportsDynamicModuleUpdates

Specifies whether the provider supports dynamic changes to the Web modules. Specify true to enable this option. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

configureSingleSignon

The configureSingleSignon command configures a single sign-on object in global security.

Target object

None.

Optional parameters

-enable

Specifies whether to enable single sign-on. Specify true to enable single sign-on, or false to disable single sign-on. (Boolean)

-requiresSSL

Specifies whether single sign-on requests send through HTTPS. Specify true to enable this option. (Boolean)

-domainName

Domain name that contains a set of hosts to which the single sign-on applies. (String)

-interoperable

Specifies interoperability options. Specify true to send an interoperable cookie to the browser to support back-level servers.

Specify false disable the sending of interoperable cookies. (Boolean)

-attributePropagation

Specifies whether to enable inbound security attribute propagation. Specify true to enable Web inbound security attribution propagation. Specify false to use the single sign-on token to log in and recreate the Subject from the user registry. (Boolean)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

getActiveSecuritySettings

The getActiveSecuritySettings command displays the active security settings for global security or a specific security domain.

Target object

None.

Optional parameters

-securityDomainName

Name of the security domain configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value The command returns the active security settings for the security domain of interest or the global security configuration, which includes the following settings:

Batch mode example usage

Interactive mode example usage

 

getAuthzConfigInfo

The getAuthzConfigInfo command displays information about an external JACC authorization provider in a security domain or the global security configuration.

Target object

None.

Optional parameters

-securityDomainName

Name of the security domain configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains the attributes and values that are associated with the JACC authorization provider.

Batch mode example usage

Interactive mode example usage

 

getSingleSignon

The getSingleSignon command displays configuration information about the single sign-on object as defined in the global security configuration.

Target object

None.

Optional parametersNone.

Return value

The command returns an attribute list that contains the attributes and values of the single sign-on configuration.

Batch mode example usage

Interactive mode example usage

 

setAdminActiveSecuritySettings

The setAdminActiveSecuritySettings command sets the active security settings on the global security object.

Target object

None.

Optional parameters

-enableGlobalSecurity

Specifies whether to enable global security. Specify true to enable global security, or specify false to disable global security. (Boolean)

-cacheTimeout

Amount of time, in seconds, before authentication data becomes invalid. (Integer)

-issuePermissionWarning

Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)

-enforceJava 2Security

Specifies whether to enable Java EE security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)

-enforceFineGrainedJCASecurity

Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)

-appSecurityEnabled

Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)

-dynUpdateSSLConfig

Specifies whether to dynamically update SSL configuration changes. Specify true to update SSL configuration changes dynamically, or specify false to update the SSL configuration when the server starts. (Boolean)

-activeAuthMechanism

Active authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)

-adminPreferredAuthMech

Preferred authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)

-activeUserRegistry

Active user registry for the server. (String)

-useDomainQualifiedUserNames

Type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

setAppActiveSecuritySettings

The setAppActiveSecuritySettings command sets the active security settings on a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Optional parameters

-cacheTimeout

Amount of time, in seconds, before authentication data becomes invalid. (Integer)

-issuePermissionWarning

Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)

-enforceJava 2Security

Specifies whether to enable Java EE security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)

-enforceFineGrainedJCASecurity

Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)

-appSecurityEnabled

Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)

-activeUserRegistry

Active user registry for the server. (String)

-useDomainQualifiedUserNames

Type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)

-customProperties

comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

unconfigureAuthzConfig

The unconfigureAuthzConfig command removes an external JACC authorization provider from the global security configuration or a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage

 

unsetAppActiveSecuritySettings

The unsetAppActiveSecuritySettings command removes an attribute from the global security configuration or a security domain.

Target object

None.

Required parameters

-securityDomainName

Name of the security configuration. The command uses the global security configuration if we do not specify a value for the -securityDomainName parameter. (String)

Optional parameters

-unsetAppSecurityEnabled

Specifies whether to remove the attribute that enables application security. Specify true to remove the attribute. (Boolean)

-unsetActiveUserRegistry

Specifies whether to remove the active user registry attribute. Specify true to remove the attribute. (Boolean)

-unsetUseDomainQualifiedUserNames

Specifies whether to remove the user domain qualified user names attribute. Specify true to remove the attribute. (Boolean)

-unsetEnforceJava 2Security

Specifies whether to remove the Java EE security attribute. Specify true to remove the attribute. (Boolean)

-unsetEnforceFineGrainedJCASecurity

Specifies whether to remove the fine-grained JCA security attribute. Specify true to remove the attribute. (Boolean)

-unsetIssuePermissionWarning

Specifies whether to remove the attribute that issues user permission warnings. Specify true to remove the attribute. (Boolean)

-unsetCacheTimeout

Specifies whether to remove the cache timeout attribute. Specify true to remove the attribute. (Boolean)

Return value

The command does not return output.

Batch mode example usage

Interactive mode example usage





 

Related tasks


Set multiple security domains using scripting
Set trust association using scripting
Set Common Secure Interoperability authentication using scripting

 

Related


SecurityDomainCommands
NamingAuthzCommands
SecurityRealmInfoCommands