server task create
Create a WebSEAL junction point. Requires authentication (administrator ID and password) to use.
Local junctions
server task instance-webseald-host create -t type -d dir [options] junction_point
Non-local junctions
server task instance-webseald-host create -t type -h host_name [options] junction_point
Required parameters
-d dir Local directory to the junction. Required if the junction type is local. Valid only with junctions created with the type of local.
-h host_name DNS host name or IP address of the target server. Valid only for non-local junctions; local junctions do not need a host name. Valid values for host_name include any valid IP host name. For example: www.example.com
-T {resource | resource_group} Resource or resource group. Required only when the -b gso option is used. Valid for all junctions except for the type of local.
instance-webseald-host Full server name of the installed WebSEAL server instance. Specify in the exact format as displayed in the output of the server list command.
instance_name Name of the WebSEAL server instance.
webseald WebSEAL service daemon designator. The WebSEAL service performs the command task.
host Host where the WebSEAL server is installed. For example: myhost.myco.com
The full WebSEAL server name is...
default-webseald-myhost.myco.com
If an additional WebSEAL server instance is configured and named web2, the full WebSEAL server name is...
web2-webseald-myhost.myco.com
junction_point Directory in the WebSEAL protected object space where the document space of the server is mounted.
Optional parameters
-a address Local IP address that WebSEAL uses to communicate with the target back-end server. If not provided, WebSEAL uses the default address as determined by the operating system. If an address is supplied for a particular junction, WebSEAL is modified to bind to this local address for all communication with the junctioned server.
-A Enable or disable lightweight third-party authentication mechanism (LTPA) junctions. Requires the -F and -Z options. The -A, -F, and -Z options all must be used together. Valid for all junctions except for the type of local.
-2 We can use this option with the -A option to specify that LTPA version 2 cookies (LtpaToken2) are used. The -A option without the -2 option specifies that LTPA version 1 cookies (LtpaToken) are used.
-b BA_value Define how the WebSEAL server passes the HTTP BA authentication information to the server:
- filter (default)
- ignore
- supply
- gso
Valid for all junctions except for the type of local.
-B WebSEAL uses the BA header information to authenticate to the server and to provide mutual authentication over SSL. This option requires the -U and -W options. Valid only with junctions that were created with the type of ssl or sslproxy.
-c header_type Insert the ISAM client identity in HTTP headers across the junction. The header_type argument can include any combination of the ISAM HTTP header types:
- {iv_user|iv_user_l}
- iv_groups
- iv_creds
- all
The header types must be comma-separated, and cannot have a space between the types. For example: -c iv_user,iv_groups
Specifying -c all is the same as specifying -c iv_user,iv_groups,iv_creds. Valid for all junctions except for the type of local.
-C Indicates single sign-on from a front-end WebSEAL server to a back-end WebSEAL server. The -C option is not mutual authentication. Valid only with junctions that were created with the type of ssl or sslproxy.
-D "dn" Distinguished name of the server certificate. This value, matched with the actual certificate DN, enhances authentication and provides mutual authentication over SSL. For example, the certificate for www.example.com might have a DN of "CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Minneapolis, ST=Texas,C=US"
Valid only with junctions that were created with the type of ssl or sslproxy.
-e encoding_type Encoding to use when HTTP headers are generated for junctions. This encoding applies to headers generated with both the -c junction option and tag-value. The following values for encoding are supported:
- utf8_bin WebSEAL sends the headers in UTF-8.
- utf8_uri WebSEAL sends the headers in UTF-8 and also URI-encodes them. This behavior is the default behavior.
- lcp_bin WebSEAL sends the headers in the local code page of the WebSEAL server.
- lcp_uri WebSEAL sends the headers in the local code page of the WebSEAL server and also URI-encodes them.
Valid for all junctions except for the type of local.
-f Force the replacement of an existing junction. This option is used for junctions that were created with any junction type.
-F keyfile Location of the key file used to encrypt LTPA cookie data. The -F option requires -A and -Z options. The -A, -F, and -Z options all must be used together. Valid for all junctions except for the type of local.
-H host_name DNS host name or IP address of the proxy server. The -P option also supports proxy server junctions. Valid values for host_name include any valid IP host name. For example, proxy.www.example.com
This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.
-i The WebSEAL junction does not treat URLs as case-sensitive. To correctly authorize requests for junctions that are not case-sensitive, WebSEAL does the authorization check on a lowercase version of the URL. For example, a Web server running on a Windows operating system treats requests for INDEX.HTM and index.htm as requests for the same file. Junctions to such a Web server must be created with the -i or -w option. ACLs or POPs that are attached to objects beneath the junction point must use the lowercase object name. An ACL attached to /junction/index.htm applies to all the following requests if the -i or -w option is used:
- /junction/INDEX.HTM
- /junction/index.htm
- /junction/InDeX.HtM
Valid for all junctions except for the type of local. Local junctions are not case-sensitive only on Win32 platforms; all other platforms are case-sensitive.
-I Ensure a unique Set-Cookie header name attribute when the -j option is used to modify server-relative URLs in requests. This option is valid for all junctions except for the type of local.
-j Supply junction identification in a cookie to handle script-generated server-relative URLs. Valid for all junctions except for the type of local.
-J type Junction cookie JavaScript block.
-J trailer Append the junction cookie JavaScript to the HTML page returned from the back-end server.
-J inhead Insert the JavaScript block between <head> </head> tags for HTML 4.01 compliance.
-J onfocus Use the onfocus event handler in the JavaScript to ensure the correct junction cookie is used in a multiple-junction/multiple-browser-window scenario.
-J xhtml10 Insert a JavaScript block that is HTML 4.01 and XHTML 1.0 compliant.
-k Sends WebSEAL session cookies to the junction server. By default, cookies are removed from requests that are sent to the server. Valid for all junctions except for the type of local.
-K "key_label" Key label of the client personal certificate that WebSEAL must present to the server. Use of this option allows the junction server to authenticate the WebSEAL server by using client certificates. Valid only with junctions that were created with the type of ssl and sslproxy.
-l percent Soft limit for consumption of worker threads. Valid for all junctions except for the type of local.
-L percent Hard limit for consumption of worker threads. Valid for all junctions except for the type of local.
-n Specifies that no modifications of the names of non-domain cookies are to be made. Use when client-side scripts depend on the names of cookies. WebSEAL modifies the names of non-domain cookies that are returned from the junction to prefix them with AMWEBJCT!junction_point. WebSEAL does this action by default, if a junction is listed in the JMT or if the -j junction option is used. This option is valid for all junctions except for the type of local.
-p port Specifies the TCP port of the back-end third-party server. Default is 80 for TCP junctions and 443 for SSL junctions. This option is valid for all junctions except for the type of local.
-P port For proxy junctions that were created with the type of tcpproxy or sslproxy, this option specifies the TCP port number for the HTTP proxy server. The -P option is required when the -H option is used. This option is also valid for mutual junctions to specify the HTTPS port of the back-end third-party server.
-q path Relative path for the query_contents script. By default, Security Verify Access looks for the query_contents script in the /cgi_bin directory. If this directory is different or the query_contents file name is renamed, this option indicates to WebSEAL the new URL to the file. Required for back-end Windows servers. To set Security Verify Access to not get any query_contents data from the junctioned server, we can specify this option as "-q disabled". Valid for all junctions except for the type of local.
-r Insert the incoming IP address into the HTTP header across the junction. Valid for all junctions except for the type of local.
-R Allow the request to proceed but provide the rule failure reason to the junction in an HTTP header. If the -R option is not used and a rule failure occurs, WebSEAL does not allow the request to proceed. Valid for all junctions except for the type of local.
-s Support stateful applications. By default, junctions are not stateful. Valid for all junctions except for the type of local.
-S path Location of the forms single sign-on configuration file. Valid for all junctions except for the type of local.
-t type Type of junction; must be one of the following types:
- tcp
- tcpproxy
- ssl
- sslproxy
- local
-u uuid Universally Unique Identifier (UUID) of a server that is connected to WebSEAL using a stateful junction (-s option). Valid for all junctions except for the type of local.
-U "user_name" WebSEAL server user name. Requires the -B and -W options. WebSEAL uses the BA header information to authenticate to the server and to provide mutual authentication over SSL. Valid only with junctions that were created with the type of ssl or sslproxy.
-v vhost[:port] Virtual host name for the server. This option supports multiple virtual hosts served from the same Web server. Use -v when the junction server expects a host name header different from the DNS name of the server. Valid for all junctions except for the type of local. For mutual junctions, this value corresponds to the virtual host used for HTTP requests.
-V vhost[:port] Virtual host name for the back-end server. This option supports multiple virtual hosts served from the same Web server. Use -V when the back-end junction server expects a host name header that is different from the DNS name of the server. This option is used only for mutual junctions and corresponds to the virtual host used for HTTPS requests.
-w Indicates Microsoft Windows 32-bit (Win32) file system support. This option:
- Provides all the functionality provided by the -i junction option.
- Disallows requests containing file names that might be interpreted as Win32 file name aliases.
The option is valid for all junctions except for the type of local. Local junctions prohibit URLs that contain Win32 file name aliases on Win32 but allow such URLs on other platforms.
-W "password" WebSEAL server password. Requires the -B and -U options. WebSEAL uses the BA header information to authenticate to the server and to provide mutual authentication over SSL. Valid only with junctions that were created with the type of ssl or sslproxy.
-x Creates a transparent path junction. This option is valid for all junctions except for the type of local.
-Y Enables the Federation Runtime single sign-on (SSO) for the junction. Specifies that Kerberos SSO is enabled for the junction. Before using this command, configure the WebSEAL configuration file to support Kerberos single sign-on over junctions.
-Z keyfile_pwd Password of the key file used to encrypt LTPA cookie data. Requires the -A and -F options. The -A, -F, and -Z options all must be used together. Valid for all junctions except for the type of local.
Authorization
Users and groups that require access to this command must be given the s (server administration) permission in the ACL that governs the /WebSEAL/host_name-instance_name/junction_point object. For example, the sec_master administrative user is given this permission by default.
Return codes
0 The command completed successfully. For WebSEAL server task commands, the return code is 0 when the command is sent to the WebSEAL server without errors. However, even after the command was successfully sent, the WebSEAL server might not be able to successfully complete the command. The WebSEAL server returns an error message.
1 The command failed. See "Error messages" in the IBM Knowledge Center. This reference provides a list of the ISAM error messages by decimal or hexadecimal codes.
Examples
- Create a basic WebSEAL junction /pubs on the default-webseald-cruz WebSEAL server. The junction type is TCP, and the host name is doc.tivoli.com:
pdadmin> server task default-webseald-cruz create -t tcp -h doc.tivoli.com /pubs
Output is like:
Created junction at /pubs
- Create a new local junction / to replace the current junction point. The -f option is required to force a new junction that overwrites an existing junction at the /tmp/docs directory:
pdadmin> server task default-webseald-cruz create -t local -f -d /tmp/docs /
Output is like:
Created junction at /
- The following example limits worker thread consumption on a per junction basis with a:
- Soft thread limit of 60.
- Hard thread limit of 80.
The junction in this example is /myjunction.
pdadmin> server task default-webseald-cruz create -t tcp -h cruz.dallas.ibm.com -l 60 -L 80 /myjunction
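The option dependencies stated in the parameter descriptions (options that must be used together, and options tied to a junction type) can be checked before a command is sent to pdadmin. The following is an added example, not part of the original reference and not IBM code; parse_create, check_junction and SAMPLE are hypothetical names, and the rules encoded are only those stated on this page.

```python
import shlex

# Rules transcribed from the parameter descriptions on this page.
TYPES = {"tcp", "tcpproxy", "ssl", "sslproxy", "local"}
TAKES_VALUE = set("abcdDeFhHJKlLpPqStTuUvVWZ")  # options followed by an argument
NOT_LOCAL = set("AbceFhiIjklLnpqrRsSTuvwxZ")    # not valid with -t local
SSL_ONLY = set("BCDKUW")                        # valid only with ssl / sslproxy
# Constructed sample (not from the page): -B and -U without -W, on a tcp junction.
SAMPLE = "server task default-webseald-cruz create -t tcp -h app.example.com -B -U svc /app"


def parse_create(command):
    """Split a 'server task <server> create ...' line into (options, junction_point)."""
    tokens = iter(shlex.split(command.split(" create ", 1)[1]))
    opts, point = {}, None
    for tok in tokens:
        if len(tok) == 2 and tok[0] == "-":
            opts[tok[1]] = next(tokens, None) if tok[1] in TAKES_VALUE else True
        else:
            point = tok
    return opts, point


def check_junction(command):
    """Return the rule violations found; an empty list means none."""
    o, _ = parse_create(command)
    t, errs = o.get("t"), []
    if t not in TYPES:
        return ["-t must be one of: " + ", ".join(sorted(TYPES))]
    if t == "local":
        if "d" not in o:
            errs.append("-d is required for local junctions")
        errs += [f"-{c} is not valid for local junctions" for c in sorted(set(o) & NOT_LOCAL)]
    else:
        if "h" not in o:
            errs.append("-h is required for non-local junctions")
        if "d" in o:
            errs.append("-d is valid only for local junctions")
    for group in ("AFZ", "BUW"):  # each group is used all together or not at all
        if 0 < sum(c in o for c in group) < len(group):
            errs.append("-" + ", -".join(group) + " must all be used together")
    if t not in ("ssl", "sslproxy"):
        errs += [f"-{c} is valid only for ssl or sslproxy junctions" for c in sorted(set(o) & SSL_ONLY)]
    if "H" in o and t not in ("tcpproxy", "sslproxy"):
        errs.append("-H is valid only for tcpproxy or sslproxy junctions")
    if "H" in o and "P" not in o:
        errs.append("-P is required when -H is used")
    if o.get("b") == "gso" and "T" not in o:
        errs.append("-T is required when -b gso is used")
    return errs
```

Calling check_junction(SAMPLE) reports the incomplete -B/-U/-W group and the two SSL-only options used on a tcp junction; the three example commands above return an empty list.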
See also
server task add
server task delete
server task remove
server task show