Refreshing credentials for a specified user
We can send a command to the WebSEAL server, instructing it to perform a credential refresh operation for all of the sessions of the specified user on the WebSEAL server. The refresh all_sessions command is not supported in a distributed session cache environment.
pdadmin> server task instance-webseald-host refresh all_sessions user_name
Enter the above command as one continuous command line.
To obtain the server name in the correct format, use the pdadmin server list command. Then enter the pdadmin command to refresh all sessions. For example, when logged in to pdadmin as the administrative user sec_master:
pdadmin sec_master> server list
default-webseald-diamond.subnet1.ibm.com
default-webseald-cmd
pdadmin sec_master> server task default-webseald-diamond.subnet1.ibm.com refresh all_sessions brian
DPWWA2043I The user's credential was updated.
Note: the pdadmin server task command must be entered as one continuous command line.
A warning message is returned if the user is not logged in to the WebSEAL server.
Usage notes:
- Configure credential refresh for WebSEAL before using this pdadmin command. See Configure credential refresh.
- We must issue a separate pdadmin command for each user whose credentials are to be refreshed. We cannot refresh credentials for more than one user at a time.
- The user invoking this command must have server admin (the s ACL bit) permission on the /WebSEAL/hostname_instance_name server object. This permission prevents unauthorized users from performing credential refresh operations.
Note: the name of the hostname_instance_name server object is different from the server name. To determine the exact name of the server object, use pdadmin object list. For example, when logged in to pdadmin as the administrative user sec_master:
pdadmin sec_master> object list /WebSEAL
/WebSEAL/cmd-default
/WebSEAL/diamond.subnet1.ibm.com-default
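The one-user-per-command rule and the difference between the server name and the server object name, as an added shell example (not IBM code). It derives the /WebSEAL object name from a server name using the pattern visible in the two listings above, and writes one refresh command per user; the function names, the user-name allowlist and the user alice are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and the user-name allowlist
# are assumptions made for this sketch.

# Server name (instance-webseald-host) -> server object (/WebSEAL/host-instance),
# following the pattern visible in the "server list" and "object list" output.
server_to_object() {
    case "$1" in
        *-webseald-*) ;;
        *) echo "not a WebSEAL server name: $1" >&2; return 1 ;;
    esac
    instance=${1%%-webseald-*}
    host=${1#*-webseald-}
    printf '/WebSEAL/%s-%s\n' "$host" "$instance"
}

# One "server task ... refresh all_sessions" line per user, since the command
# takes a single user. Names outside the allowlist are skipped so that embedded
# whitespace or a newline cannot split the line or add a second pdadmin command.
build_refresh_commands() {
    server=$1; shift
    for user in "$@"; do
        case "$user" in
            ''|*[!A-Za-z0-9._@-]*)
                echo "skipped invalid user name" >&2
                continue ;;
        esac
        printf 'server task %s refresh all_sessions %s\n' "$server" "$user"
    done
}

# Count DPWWA2043I ("credential was updated") lines in pdadmin output on stdin.
count_refreshed() {
    grep -c '^DPWWA2043I' || true
}

# Demo with constructed input: stderr names the object whose ACL must grant
# the s bit, stdout is the list of pdadmin commands, one per user.
srv=default-webseald-diamond.subnet1.ibm.com
echo "caller needs the s ACL bit on $(server_to_object "$srv")" >&2
build_refresh_commands "$srv" brian alice
```

Comparing the number of users submitted with the count from count_refreshed shows which users were not refreshed, for example because they had no session on that WebSEAL server.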