WebSEAL server task create command

server task create

The server task create command creates a WebSEAL junction point.
Requires authentication (administrator ID and password) to use.
For local junctions:
server task instance-webseald-host create -t type [options] junction_point
For non-local junctions:
server task instance-webseald-host create -t type -h host_name [options] junction_point
Options

instance-webseald-host

Full server name of the installed WebSEAL instance. Specify in the exact format as displayed in the output of the server list command.
The instance_name specifies the configured name of the WebSEAL instance. The webseald designation indicates the WebSEAL service performs the command task. The host_name is the name of the physical machine where the WebSEAL server is installed.
For example, if the configured name of a single WebSEAL instance is default, and host machine name where the WebSEAL server is installed is abc.ibm.com, the full WebSEAL server name is default-webseald-abc.ibm.com.
If an additional WebSEAL instance is configured and named web2, the full WebSEAL server name is web2-webseald-abc.ibm.com.

junction_point

Name of the directory in the WebSEAL protected object space where the document space of the back-end server is mounted.

options

Options we can use with the server task create command. The options include:

-a address

Local IP address for WebSEAL to use when communicating with the target back-end server. If not provided, WebSEAL uses the default address as determined by the operating system.
If an address is supplied for a particular junction, WebSEAL is modified to bind to this local address for all communication with the junctioned server.

-A

Enable or disable lightweight third-party authentication mechanism (LTPA) junctions. Requires the -F and -Z options. The -A, -F, and -Z options all must be used together.
Valid for all junctions except for the type of local.

-2

We can use this option in conjunction with the -A option to specify that LTPA version 2 cookies (LtpaToken2) are used. The -A option without the -2 option specifies that LTPA version 1 cookies (LtpaToken) are used.

-b BA_value

Defines how the WebSEAL server passes the HTTP BA authentication information to the back-end server, which is one of the following values:

filter (default)
ignore
supply
gso
Valid for all junctions except for the type of local.

-B

WebSEAL uses the BA header information to authenticate to the back-end server and to provide mutual authentication over SSL. Requires the -U and -W options.
This option is valid only with junctions that were created with the type of ssl or sslproxy.

-c header_type

Inserts the ISAM client identity in HTTP headers across the junction. The header_type argument can include any combination of the following Security Verify Access HTTP header types:

{iv-user|iv-user-l}
iv-groups
iv-creds
all

The header types must be comma separated, and cannot have spaces between the types. For example: -c iv_user,iv_groups
Specify -c all is the same as specifying -c iv-user,iv-groups,iv-creds.
This option is valid for all junctions except for the type of local.

-C

Indicates single signon from a front-end WebSEAL server to a back-end WebSEAL server. The -C option is not mutual authentication.
Valid only with junctions that were created with the type of ssl or sslproxy.

-D "dn"

Distinguished name of the back-end server certificate. This value, matched with the actual certificate DN enhances authentication and provides mutual authentication over SSL. For example, the certificate for www.example.com might have a DN of
"CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Minneapolis, ST=Texas,C=US"

Valid only with junctions that were created with the type of ssl or sslproxy.

-e encoding_type

Encoding to use when generating HTTP headers for junctions. This encoding applies to headers generated with both the -c junction option and tag-value. The following values for encoding are supported:

utf8_bin

WebSEAL sends the headers in UTF-8.

utf8_uri

WebSEAL sends the headers in UTF-8 but URI also encodes them. This behavior is the default behavior.

lcp_bin

WebSEAL sends the headers in the local code page of the WebSEAL server.

lcp_uri

WebSEAL sends the headers in the local code page of the WebSEAL server, but URI also encodes them.

Valid for all junctions except for the type of local.

-f

Forces the replacement of an existing junction.
This option is used for junctions that were created with any junction type.

-F keyfile

Name of the keyfile used to encrypt LTPA cookie data.
The -F option requires -A and -Z options. The -A, -F, and -Z options all must be used together.
Valid for all junctions except for the type of local.

-H host_name

DNS host name or IP address of the proxy server. The -P option also supports proxy server junctions. Valid values for host_name include any valid IP host name. For example:
proxy.www.example.com

Valid only with junctions that were created with the type of tcpproxy or sslproxy.

-i

That the WebSEAL junction does not treat URLs as case-sensitive. To correctly authorize requests for junctions that are not case-sensitive, WebSEAL does the authorization check on a lowercase version of the URL. For example, a Web server running on a Windows operating system treats requests for INDEX.HTM and index.htm as requests for the same file. Junctions to such a Web server should be created with the -i or -w option. ACLs or POPs that are attached to objects beneath the junction point should use the lowercase object name. An ACL attached to /junction/index.htm will apply to all of the following requests if the -i or -w option is used:

/junction/INDEX.HTM
/junction/index.htm
/junction/InDeX.HtM

Valid for all junctions except for the type of local. Local junctions are not case-sensitive only on Win32 platforms; all other platforms are case-sensitive.

-I

Ensures a unique Set-Cookie header name attribute when using the -j option to modify server-relative URLs in requests.
Valid for all junctions except for the type of local.

-j

Supplies junction identification in a cookie to handle script-generated server-relative URLs.
Valid for all junctions except for the type of local.

-J trailer,inhead,onfocus,xhtml10

Controls the junction cookie JavaScript block.
Use -J trailer to append (rather than prepend) the junction cookie JavaScript to HTML page returned from back-end server.
Use -J inhead to insert the JavaScript block between <head> </head> tags for HTML 4.01 compliance.
Use -J onfocus to use the onfocus event handler in the JavaScript to ensure the correct junction cookie is used in a multiple-junction/multiple-browser-window scenario.
Use -J xhtml10 to insert a JavaScript block that is HTML 4.01 and XHTML 1.0 compliant.
For complete details on this option, see Control on the junction cookie JavaScript block.

-k

Sends WebSEAL session cookies to the junction server. By default, cookies are removed from requests that are sent to the server.
This option is valid for all junctions except for the type of local.

-K "key_label"

Key label of the client personal certificate that WebSEAL should present to the back-end server. Use of this option allows the junction server to authenticate the WebSEAL server using client certificates.
Valid only with junctions that were created with the type of ssl and sslproxy.

-l percent

Soft limit for consumption of worker threads.
This option is valid for all junctions except for the type of local.

-L percent

Hard limit for consumption of worker threads.
This option is valid for all junctions except for the type of local.

-n

That no modification of the names of non-domain cookies are to be made. Use when client side scripts depend on the names of cookies.
By default, if a junction is listed in the JMT or if the -j junction option is used, WebSEAL will modify the names of non-domain cookies that are returned from the junction to prepend AMWEBJCT!junction_point.
Valid for all junctions except for the type of local.

-o

Indicates the hostname WebSEAL connects to at the start of the handshaking process. Sends the string <hostname> in the SSL/TLS handshake as the Server Name Indicator (SNI) value.
For example, -o sni=www.test.local.

-p port

Specifies the TCP port of the back-end third-party server. The default value is 80 for TCP junctions and 443 for SSL junctions.
This option is valid for all junctions except for the type of local.

-P port

For proxy junctions that were created with the type of tcpproxy or sslproxy this option specifies the TCP port number for the HTTP proxy server. The -P option is required when the -H option is used.
This option is also valid for mutual junctions to specify the HTTPS port of the back-end third-party server.

-q path

Required option for back-end Windows servers. Relative path for the query_contents script. By default, Security Verify Access looks for the query_contents script in the /cgi_bin directory. If this directory is different or the query_contents file name is renamed, this option will indicates to WebSEAL the new URL to the file.
Valid for all junctions except for the type of local.

-r

Inserts the incoming IP address into the HTTP header across the junction. Valid for all junctions except for the type of local.

-R

Allows the request to proceed but provides the rule failure reason to the junction in an HTTP header. If the -R option is not used and a rule failure occurs, WebSEAL will not allow the request to proceed. Valid for all junctions except for the type of local.

-s

That the junction support stateful applications. By default, junctions are not stateful. Valid for all junctions except for the type of local.

-S

Name of the forms single signon configuration file. Valid for all junctions except for the type of local.

-T {resource | resource_group}

Name of the resource or resource group. This option is required only when the -b gso option is used. Valid for all junctions except for the type of local.

-u uuid

Universally Unique Identifier (UUID) of a back-end server connected to WebSEAL using a stateful junction (-s option). Valid for all junctions except for the type of local.

-U "user_name"

Specifies the WebSEAL server user name. Requires the -B and -W options. WebSEAL uses the BA header information to authenticate to the back-end server and to provide mutual authentication over SSL. This option is valid only with junctions that were created with the type of ssl or sslproxy.

-v virtual_hostname[:HTTP-port]

Virtual host name for the back-end server. This option supports multiple virtual hosts being served from the same Web server. Use -v when the back-end junction server expects a host name header different from the DNS name of the server. Valid for all junctions except for the type of local. For mutual junctions this value corresponds to the virtual host used for HTTP requests.

-V virtual_hostname[:HTTPS-port]

Virtual host name for the back-end server. This option supports multiple virtual hosts being served from the same Web server. Use -V when the back-end junction server expects a host name header different from the DNS name of the server. This option is only used for mutual junctions and corresponds to the virtual host used for HTTPS requests.

-w

Indicates Microsoft Windows file system support. This option provides all of the functionality provided by the -i junction option but disallows requests containing file names that might be interpreted as Windows file name aliases. Valid for all junctions except for the type of local. Local junctions prohibit URLs that contain Windows file name aliases on Windows but allow such URLs on other platforms.

-W "password"

Specifies the WebSEAL server password. Requires the -B and -U options. WebSEAL uses the BA header information to authenticate to the back-end server and to provide mutual authentication over SSL. This option is valid only with junctions that were created with the type of ssl or sslproxy.

-x

Creates a transparent path junction.
Valid for all junctions except for the type of local .

-Y

Enables the Federation Runtime single sign-on (SSO) for the junction. Before using this option, we must first configure the WebSEAL configuration file to support the Federation Runtime single sign-on over junctions.

-Z keyfile_pwd

Password of the keyfile used to encrypt LTPA cookie data. Requires the -A and -F options. The -A, -F, and -Z options all must be used together. Valid for all junctions except for the type of local.

-h host_name

Required option for non-local junctions. DNS host name or IP address of the target server. Valid only for non-local junctions; local junctions do not need a host name. Valid values for host_name include any valid IP host name. For example:
www.example.com

-t type

Required option. Type of junction; must be one of the following types:

tcp
tcpproxy
ssl
sslproxy
local

Authorization

Users and groups that require access to this command must be given the s (server administration) permission in the ACL that governs the /WebSEAL/host_name-instance_name/junction_point object. For example, the sec_master administrative user is given this permission by default.
For information about gathering statistics, see the Troubleshooting topics in the Knowledge Center..
Return codes

0

The command completed successfully. For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command was successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.

1

The command failed. See "Error messages" in the IBM Knowledge Center which provides a list of the ISAM error messages by decimal or hexadecimal codes.

Examples

The following example creates a basic WebSEAL junction /pubs on the default-webseald-cruz WebSEAL server. The junction type is TCP, and the host name is doc.tivoli.com:
pdadmin> server task default-webseald-cruz create -t tcp -h doc.tivoli.com /pubs

Output is similar to:
Created junction at /pubs

The following example limits worker thread consumption on a per junction basis with a soft thread limit of 60 and a hard thread limit of 80 on the /myjunction junction:
pdadmin> server task default-webseald-cruz create -t tcp -h cruz.dallas.ibm.com -l 60 -L 80 /myjunction

See also
server task add
server task delete
server task remove
server task show
Parent topic: Command reference