WebSEAL server task virtualhost create command

server task virtualhost create

The server task virtualhost create command creates a virtual host junction.
Requires authentication (administrator ID and password) to use.

For local junctions:

server task instance-webseald-host virtualhost create -t type -v virtual_host_name [options] vhost_label

For non-local junctions:

server task instance-webseald-host virtualhost create -t type -h host_name [options] vhost_label

Options

instance-webseald-host

Full server name of the installed WebSEAL instance. Specify the full server name in the exact format as displayed in the output of the server list command.
The instance_name specifies the configured name of the WebSEAL instance. The webseald designation indicates the WebSEAL service performs the command task. The host_name is the name of the physical machine where the WebSEAL server is installed.
For example, if the configured name of a single WebSEAL instance is default, and host machine name where the WebSEAL server is installed is abc.ibm.com, the full WebSEAL server name is default-webseald-abc.ibm.com.
If an additional WebSEAL instance is configured and named web2, the full WebSEAL server name is web2-webseald-abc.ibm.com.

options

Options we can use with the server task virtualhost create command. These options include:

-A

Enables a virtual host junction to support the lightweight third-party authentication mechanism (LTPA). Requires the -F and -Z options. The -A, -F, and -Z options all must be used together.
Valid for all junction types except localtcp and localssl.

-2

We can use this option in conjunction with the -A option to specify that LTPA version 2 cookies (LtpaToken2) are used. The -A option without the -2 option specifies that LTPA version 1 cookies (LtpaToken) are used.

-b BA_value

Defines how the WebSEAL server passes client identity information in HTTP basic authentication (BA) headers to the back-end virtual host, which is one of the following values:

filter
ignore
supply
gso

Valid for all junction types except localtcp and localssl.
The default value is filter.

-B

WebSEAL uses the BA header information to authenticate to the back-end virtual host and to provide mutual authentication over SSL. Requires the -U and -W options.
This option is valid only with junctions that were created with the type of ssl or sslproxy.

-c header_type

Inserts the ISAM client identity in HTTP headers across the virtual host junction. The header_type argument can include any combination of the following Security Verify Access HTTP header types:

{iv-user|iv-user-l}
iv-groups
iv-creds
all

The header types must be comma separated, and cannot have a spaces between the types. For example: -c iv_user,iv_groups
Specify -c all is the same as specifying -c iv-user,iv-groups,iv-creds.
This option is valid for all junction types except localtcp and localssl.

-C

Supports mutual authentication by enabling the front-end WebSEAL server to pass its identity information to the back-end WebSEAL server in a Basic Authentication (BA) header. Additionally, the -C option enables single signon functionality provided by the -c option.
This option is valid only with junctions that were created with the type of ssl or sslproxy.

-D "dn"

Distinguished name of the back-end server certificate. This value, matched with the actual certificate DN enhances authentication and provides mutual authentication over SSL. For example, the certificate for www.example.com might have a DN of
"CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Minneapolis,ST=Texas,C=US"

Valid only with junctions that were created with the type of ssl or sslproxy.

-e encoding_type

Encoding to use when generating HTTP headers for virtual host junctions. This encoding applies to headers that are generated with both the -c junction option and tag-value. Possible values for encoding are as follows:

utf8_bin

WebSEAL sends the headers in UTF-8.

utf8_uri

WebSEAL sends the headers in UTF-8 but URI also encodes them. This behavior is the default behavior.

lcp_bin

WebSEAL sends the headers in the local code page of the WebSEAL server.

lcp_uri

WebSEAL sends the headers in the local code page of the WebSEAL server, but URI also encodes them.

Valid for all junction types except localtcp and localssl.

-f

Forces the replacement (overwrite) of an existing virtual host junction.
This option is used for junctions that were created with the any junction type.

-F "keyfile"

Name of the keyfile used to encrypt LTPA cookie data.
The -F option requires -A and -Z options. The -A, -F, and -Z options all must be used together.
Valid for all junction types except localtcp and localssl.

-g vhost_label

The -g option causes a second additional virtual host junction to share the same protected object space as the initial virtual host junction.
This option is appropriate for junction pairs only (two junctions using complementary protocols). The option does not support the association of more than two junctions.

-H host_name

DNS host name or IP address of the proxy server. The -P option also supports proxy server junctions. Valid values for host_name include any valid IP host name. For example:
proxy.www.example.com
This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.

-i

That the WebSEAL junction does not treat URLs as case-sensitive. To correctly authorize requests for junctions that are not case-sensitive, WebSEAL does the authorization check on a lowercase version of the URL. For example, a Web server running on a Windows operating system treats requests for INDEX.HTM and index.htm as requests for the same file. Junctions to such a Web server should be created with the -i or -w option. ACLs or POPs that are attached to objects beneath the junction point should use the lower case object name. An ACL attached to /junction/index.htm will apply to all of the following requests if the -i or -w option is used:

/junction/INDEX.HTM
/junction/index.htm
/junction/InDeX.HtM

Valid for all junction except for the type of localtcp and localssl. Local junctions are not case-sensitive only on Win32 platforms; all other platforms are case-sensitive.

-k

Sends WebSEAL session cookies to the back-end virtual host. By default, cookies are removed from requests that are sent to the server.
This option is valid for all junction types except localtcp and localssl.

-K "key_label"

Key label of the client-side certificate that WebSEAL should present to the back-end server. Use of this option allows the virtual host to authenticate the WebSEAL server using client certificates.
This option is valid only with junctions that were created with the type of ssl and sslproxy.

-l percent

Soft limit for consumption of worker threads.
This option is valid for all junction types except localtcp and localssl.

-L percent

Hard limit for consumption of worker threads.
This option is valid for all junction types except localtcp and localssl.

-p port

Specifies the TCP port of the back-end third-party server. The default value is 80 for TCP junctions and 443 for SSL junctions.
Valid for all junction types except localtcp and localssl.

-P port

Specifies the TCP port number for the HTTP proxy server. The -P option is required when the -H option is used.
This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.

-q path

Required option for back-end Windows virtual hosts. Relative path for the query_contents script. By default, Security Verify Access looks for the query_contents script in the /cgi_bin directory. If this directory is different or the query_contents file name is renamed, this option will indicate to WebSEAL the new URL to the file.
Valid for all junction types except localtcp and localssl.

-r

Inserts the incoming IP address into the HTTP header across the junction.
Valid for all junction types except localtcp and localssl.

-R

Allows the request to proceed but provides the rule failure reason to the junction in an HTTP header. If the -R option is not used and a rule failure occurs, WebSEAL will not allow the request to proceed.
Valid for all junction types except localtcp and localssl.

-s

That the virtual host junction support stateful applications. By default, virtual host junctions are not stateful.
This option is valid for all junction types except localtcp and localssl.

-S

The name of the forms single signon configuration file.
Valid for all junction types except localtcp and localssl.

-T {resource | resource_group}

Name of the GSO resource or resource group. This option is required only when the -b gso option is used.
Valid for all junction types except localtcp and localssl.

-u uuid

Universally Unique Identifier (UUID) of a back-end server connected to WebSEAL using a stateful virtual host junction (-s option).
Valid for all junction types except localtcp and localssl.

-U "user_name"

Specifies the WebSEAL server user name. Requires the -B and -W options. WebSEAL uses the BA header information to authenticate to the back-end virtual host and to provide mutual authentication over SSL.
This option is valid only with junctions that were created with the type of ssl or sslproxy.

-v vhost_name[:port]

WebSEAL selects a virtual host junction to process a request if the request's HTTP Host header matches the virtual host name and port number specified by the -v option.
The -v option also specifies the value of the Host header of the request sent to the back-end server.
The port number is required if the virtual host uses a non-standard port for the protocol. Standard port for TCP is 80; standard port for SSL is 443.
If -v is not specified for tcp, ssl, tcpproxy, and sslproxy type junctions, the junction is selected from the information contained in the -h host and -p port options.
The -v option is required for localtcp and localssl type junctions.

-w

Indicates Microsoft Windows file system support. This option provides all of the functionality provided by the -i junction option but disallows requests containing file names that might be interpreted as Windows file name aliases.
Valid for all junction types except localtcp and localssl. Local junctions prohibit URLs that contain Windows file name aliases on Win64 but allow such URLs on other platforms.

-W "password"

Specifies the WebSEAL server password. Requires the -B and -U options. WebSEAL uses the BA header information to authenticate to the back-end virtual host and to provide mutual authentication over SSL.
This option is valid only with junctions that were created with the type of ssl or sslproxy.

-Y

Enables the Federation Runtime single sign-on (SSO) for the junction. Before using this option, we must first configure the WebSEAL configuration file to support the Federation Runtime single sign-on over junctions.

-z replica_set

Replica set, as follows:

For distributed session cache environments:

The replica set that sessions on the virtual host junction are managed under and provides the ability to group or separate login sessions among multiple virtual hosts.

For environments that do not use the distributed session cache:

The replica set that sessions on the virtual host junction are managed under and controls the partitioning of the WebSEAL session cache so the virtual host can be part of the same replica set as any standard junction assigned to that same replica set through the standard-junction-replica-set entry of the [session] stanza.

-Z keyfile_pwd

Password of the keyfile used to encrypt LTPA cookie data. Requires the -A and -F options. The -A, -F, and -Z options all must be used together.
Valid for all junction types except localtcp and localssl.

vhost_label

Label name of the virtual host junction.

-h host_name

Required option for non-local junctions. DNS host name or IP address of the target server. Valid only for non-local junctions; local junctions do not need a host name. Valid values for host_name include any valid IP host name. For example:
www.example.com

-t type

Required option. Type of virtual host junction. Required and must be one of the following types:

tcp
tcpproxy
ssl
sslproxy
localtcp
localssl

Authorization

Users and groups that require access to this command must be given the s (server administration) permission in the ACL that governs the /WebSEAL/host_name-instance_name/@vhost_label object. For example, the sec_master administrative user has permission by default. For information about gathering statistics, see the Auditing topics in the IBM Knowledge Center.
Return codes

0

The command completed successfully. For WebSEAL server task commands, the return code becomes 0 when the command is sent to the WebSEAL server without errors. Even if the command was successfully sent, the WebSEAL server might not be able to successfully complete the command and can return an error message.

1

The command failed. See "Error messages" in the IBM Knowledge Center which provides a list of the ISAM error messages by decimal or hexadecimal codes.

Examples
The following example creates an SSL type virtual host junction with the vhost-xy-https label. This junction serves the virtual host x.y.com located on the junctioned server cruz1.ibm.com. WebSEAL responds to the Host: x.y.com header in SSL (HTTPS) requests by forwarding the requests across this virtual host junction:
pdadmin> server task default-webseald-abc.ibm.com virtualhost create -t ssl -h cruz1.ibm.com -v x.y.com vhost-xy-https

See also
server task virtualhost add
server task virtualhost delete
server task virtualhost list
server task virtualhost remove
server task virtualhost show
Parent topic: Command reference