post-process

This command enables or disables a postprocessing action.

Syntax

Define with submode commands.
post-process
Define with positional parameters.
post-process custom-style-sheet [URL] [SAML-generate-assertion] [SAML-server] [SAML-name-qualifier] [Kerberos-include-token] [Kerberos-client-prinicpal] [Kerberos-server] [WS-Trust-generate-response] [WS-Trust-add-timestamp] [WS-Trust-timestamp-expiry] [WS-Trust-allow-renewal] [SAML-version] [SAML-send-SLO] [SAML-SLO-endpoint] [WSS-add-token] [WSS-token-type] [SAML-validity] [SAML-skew] [WSS-contains-password] [LTPA-generate-token] [LTPA-version] [LTPA-expiry] [LTPA-key-file] [LTPA-key-file-password] [LTPA-stash-file] [generate-SPNEGO] [Kerberos-value-type] [SAML-in-WSS] [Kerberos-client-keytab] [WSS-header-wrap] [WSS-actor-role-ID] [TFIM-token-mapping] [TFIM-endpoint] [WSS-use-derived-key] [WSS-derived-key-hash-iteration] [WSS-replace-existing] [TFIM-replace-method] [TFIM-retrieve-method] [HMAC-signing-algorithm] [message-digest-algorithm] [WS-Trust-in-header] [WS-Trust-key-source] [WS-Trust-shared-key] [WS-Trust-renewal-wait] [WS-Trust-new-instance] [WS-Trust-new-key] [WS-Trust-never-expire] [generate-ICRX] [ICRX-realm] [generate-SAML-assertion] [SAML-protocol] [SAML-response-destination] [result-wrap-up] [SAML-assertion-type] [SAML-subject-confirm] [SAML-name-ID] [SAML-name-ID-format] [SAML-recipient] [SAML-audience] [SAML-omit-not-before] [one-time-use] [SAML-proxy] [SAML-proxy-audience] [SAML-proxy-count] [SAML-authorize-action] [SAML-attributes] [LTPA-insert-cookie] [TAM-propagate-PAC] [TAM-header] [TAM-header-size] [kerberos-use-s4u2proxy] [cookie-attributes] [kerberos-use-s4u2self-and-s4u2proxy] [kerberos-client-source] [kerberos-self-principal] [kerberos-self-keytab] [kerberos-client-custom-url] [kerberos-client-ctx-var] [kerberos-server-source] [kerberos-server-custom-url] [kerberos-server-ctx-var] [TLS-client] [LTPA-key-file-password-alias] [jwt] [jwt-generator]

Parameters

custom-style-sheet (custom-processing submode command)
Indicates whether the postprocessing activity is to run a custom stylesheet or GatewayScript file. The default value is off.
on
Indicates that the postprocessing activity is to run a custom file.
off
Indicates that the postprocessing activity is not to run a custom file.

When enabled, you must specify the location of the custom file.

URL (custom-url submode command)
Specifies the location (URL) of the custom stylesheet file that runs the postprocessing activity. To not use a custom file, use two double quotation marks without any intervening space.
SAML-generate-assertion (saml-generate-assertion submode command)
Indicates whether the postprocessing activity is to generate a SAML assertion that contains a SAML authentication statement for the authenticated user identity. The default value is off.
on
Indicates that the postprocessing activity is to generate a SAML assertion.
off
Indicates that the postprocessing activity is not to generate a SAML assertion.
SAML-server (saml-server-name submode command)
Specifies the name of the SAML server. The default value is XS.
  • Identifies the server that makes the assertion for a generated SAML assertion.
  • Identifies the issuer that sends the request for a SAML Logout (SLO) request.
SAML-name-qualifier (saml-name-qualifier submode command)
Specifies the value of the NameQualifier attribute of the NameIdentifier in the generated SAML assertion. Although the attribute is an optional attribute, some SAML implementations require that this attribute must be present.
Kerberos-include-token (kerberos-include-token submode command)
Indicates whether the postprocessing activity is to include an AP-REQ token to act as a Kerberos client. The default value is off.
on
Indicates that the postprocessing activity is to include a Kerberos token.
off
Indicates that the postprocessing activity is not to include a Kerberos token.
Kerberos-client-prinicpal (kerberos-client-principal submode command)
Specifies the client identity (cname of the Kerberos ticket) for the Kerberos client principal.
Kerberos-server (kerberos-server submode command)
Specifies the server identity (sname of the Kerberos ticket) for the Kerberos server principal.
WS-Trust-generate-response (ws-trust-generate-resp submode command)
Indicates whether the postprocessing activity is to generate the appropriate security token response for a valid WS-Trust SecurityContextToken (SCT) request. The default value is off.
on
Indicates that the postprocessing activity is to generate the token response.
off
Indicates that the postprocessing activity is not to generate the token response.
WS-Trust-add-timestamp (ws-trust-add-timestamp submode command)
Indicates whether to generate a WS-Trust token time stamp for the security token response. The default value is on.
on
Generate a WS-Trust token time stamp.
off
Does not generate a WS-Trust token time stamp.
WS-Trust-timestamp-expiry (ws-trust-timestamp-expiry submode command)
Specifies the validity duration in seconds for the WS-Trust SCT when issuing a new security context or renewing a context with a new instance. Enter a value in the range 0 - 31622400. The default value is 0, which uses the value of the var://system/AAA/defaultexpiry variable if defined. If you did not define this variable, the value is 14400.

If this setting is used to renew an existing security context or instance, the value 0 means to use the old duration for the renewed cycle.

WS-Trust-allow-renewal (ws-trust-allow-renewal submode command)
Indicates whether WS-Trust tokens can have their lifetime period reset without a new bootstrapping authentication event. If the WS-Trust request specifically asks that the issued token should be renewable, this setting is ignored. The default value is off.
on
Allows token renewal without a new bootstrapping authentication event.
off
Requires a new bootstrapping authentication event to renew a token.
SAML-version (saml-version submode command)
Sets the protocol level of SAML messages. The version affects the extraction of the identity from the original message and the format of messages. The default value is 1.1.
  • 1.0
  • 1.1
  • 2.0
SAML-send-SLO (saml-send-slo submode command)
Indicates whether the postprocessing activity is to send a SAML Logout (SLO) request to revoke the SAML Assertion token that is used for single-sign-on (SSO). The SLO is a request-response that the DataPower® Gateway handles differently when it is working as a service provider (SP) or identity provider (IdP).
  • When an SP, the DataPower Gateway sends an SLO request to the SAML SLO endpoint (IdP). On response, the DataPower Gateway processes the SLO response for its status.
  • When an IdP, the request to the DataPower Gateway contains the SLO request. The DataPower Gateway postprocessing validates against the SAML metadata file and sends the corresponding endpoint the SLO response.

This postprocessing activity is valid only for SAML 2.0.

The default value is off.

on
Indicates that the postprocessing activity is to send a SAML SLO request.
off
Indicates that the postprocessing activity is not to send a SAML SLO request.
SAML-SLO-endpoint (saml-slo-endpoint submode command)
The endpoint URL for SAML 2.0 Single Logout (SLO) messages. This endpoint is the authority that authenticated the assertion subject.
WSS-add-token (wssec-add-user-name-token submode command)
Indicates whether the postprocessing activity is to add a WS-Security UsernameToken. The user name and password are taken from the output of the mapped credentials phase. The default value is off.
on
Indicates that the postprocessing activity is to add a WS-Security UsernameToken.
off
Indicates that the postprocessing activity is not to add a WS-Security UsernameToken.
WSS-token-type (wssec-user-name-token-type submode command)
Sets the type of password that the UsernameToken provides. The default value is Digest.
Digest
Indicates the digest of the password as specified in the Web Services Security UsernameToken Profile 1.0 specification.
Text
Indicates the actual password for the user name, the password hash, or the derived password.
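As an added example (not DataPower code), the following Python shows how the Digest password type is computed according to the UsernameToken Profile 1.0 (Password_Digest = Base64(SHA-1(nonce + created + password))) and how a receiving party checks such a token. The password store, the freshness window and the nonce cache are this example's own choices, and the function names are not DataPower commands.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Added example, not DataPower code: the PasswordDigest form of a
# WS-Security UsernameToken (UsernameToken Profile 1.0) and a
# receiving party's check of it. All names are this example's own.

UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, UTC_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce is
    the raw (decoded) bytes, created and password are UTF-8 text."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, created: str) -> dict:
    """Build the fields of a UsernameToken whose password type is Digest."""
    nonce = os.urandom(16)  # fresh random nonce for every token
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class DigestVerifier:
    """Accepts a token only if the user is known, Created is fresh, the nonce has
    not been seen before, and the recomputed digest matches. The window sizes
    and the unbounded nonce cache are simplifications for this example."""

    def __init__(self, passwords: dict, max_age_seconds: int = 300, max_future_seconds: int = 60):
        self._passwords = passwords
        self._max_age = timedelta(seconds=max_age_seconds)
        self._max_future = timedelta(seconds=max_future_seconds)
        self._seen_nonces = set()

    def verify(self, token: dict, now: str) -> bool:
        password = self._passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = parse_utc(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
            current = parse_utc(now)
        except (KeyError, ValueError):
            return False
        if created < current - self._max_age or created > current + self._max_future:
            return False  # stale or far-future Created
        if token["Nonce"] in self._seen_nonces:
            return False  # same nonce presented again inside the window
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self._seen_nonces.add(token["Nonce"])
        return True
```

A receiver that only recomputes the digest, without also checking Created and remembering the nonce, would accept a captured token for as long as the password stays the same; the freshness and nonce checks are what tie a Digest token to one use.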
SAML-validity (saml-validity submode command)
Specifies the value of the SAML assertion validity in seconds. Use this setting and the skew time setting for fine control of the validity duration of the SAML assertion. The default value is 0.
SAML-skew (saml-skew submode command)
Specifies the acceptable skew interval. The IdP and SP system clocks can have a skew time. When the SAML assertion is generated, the expiration takes the skew time setting into account.
  • NotBefore has the value (CurrentTime - SkewTime).
  • NotOnOrAfter has the value (CurrentTime + Validity + SkewTime).
The default value is 0.
WSS-contains-password (wssec-user-name-token-contains-pwd submode command)
Indicates whether the WS-Security UsernameToken must include the password. The default value is on.
on
The WS-Security UsernameToken must contain the password.
off
The WS-Security UsernameToken does not have to contain the password.
LTPA-generate-token (lpta-generate-token submode command)
Indicates whether the postprocessing activity is to generate a Lightweight Third-Party Authentication (LTPA) token. The default value is off.
on
Indicates that the postprocessing activity is to generate an LTPA token.
off
Indicates that the postprocessing activity is not to generate an LTPA token.
LTPA-version (lpta-version submode command)
Sets the LTPA token version to generate. The default value is LTPA2.
LTPA
Indicates the LTPA token version for WebSphere® Application Server releases before version 5.1.0.2 (for z/OS®) and before version 5.1.1 for other platforms. This format is the default for releases before version 6.1.
LTPA1FIPS
Indicates that the LTPA token version is for FIPS-compliant WebSphere Application Server releases. This token format is supported in WebSphere Application Server version 6.0 and later.
LTPA2
Indicates the LTPA token version that is introduced in WebSphere Application Server version 5.1.0.2 (for z/OS) and version 5.1.1 for other platforms. The default format for version 6.1 and later.
LTPA2WAS7
Indicates the LTPA token version 2 introduced in WebSphere Application Server version 7.0. This token format is the same as previous LTPA token version 2. The difference is in the ValueType attribute of the BinarySecurityToken token.
LTPADomino
Indicates the LTPA-like Lotus Domino Session ID cookie. Domino can consume WebSphere version 1 tokens.
LTPA-expiry (lpta-expirary submode command)
Specifies the lifetime of the LTPA token in seconds. Enter a value in the range 1 - 600.
LTPA-key-file (lpta-key-file submode command)
Specifies the location of the LTPA key file that secures the LTPA token. The LTPA key file contains the cryptographic material necessary to create an LTPA token that can be consumed by WebSphere (both version 1 and version 2) or Domino.
  • For WebSphere tokens, you must export the LTPA key file from WebSphere. This file has portions encrypted by a password.
  • For Domino tokens, the key file should contain only the base 64-encoded Domino shared secret.
LTPA-key-file-password (lpta-key-file-password submode command) (deprecated)
Specifies the password for the LTPA key file. Because this argument is deprecated, use the lpta-key-file-password-alias submode command and specify this argument as .

When both the password and password alias are defined, the configuration uses the password alias.

LTPA-stash-file (lpta-stash-file submode command)
Specifies the location of the file that contains the LTPA key file password.
generate-SPNEGO (kerberos-generate-spnego submode command)
Indicates whether the postprocessing activity is to generate an SPNEGO token to be inserted into the HTTP WWW-Authenticate header. The default value is off.
on
Indicates that the postprocessing activity is to generate an SPNEGO token.
off
Indicates that the postprocessing activity is not to generate an SPNEGO token.
Kerberos-value-type (kerberos-value-type submode command)
Indicates the value for the ValueType attribute of the WS-Security BinarySecurityToken. The Kerberos AP-REQ message contains the ValueType attribute. The default value is for WSS Kerberos Token Profile 1.1 (GSS).
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
Indicates WSS Kerberos Token Profile 1.1.
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Indicates WSS Kerberos Token Profile 1.1 (GSS).
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
Indicates WSS Kerberos Token Profile 1.1 RFC 1510.
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Indicates WSS Kerberos Token Profile 1.1 RFC 1510 (GSS).
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
Indicates WSS Kerberos Token Profile 1.1 RFC 4120.
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
Indicates WSS Kerberos Token Profile 1.1 RFC 4120 (GSS).
http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
Indicates WSS Kerberos Token Profile 1.1 Draft.
http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Indicates WSS Kerberos Token Profile 1.1 Draft (GSS).
http://www.docs.oasis-open.org/wss/2004/07/oasis-000000-wss-kerberos-token-profile-1.0#Kerberosv5_AP_REQ
Indicates WSS Kerberos Token Profile 1.0 Draft.
SAML-in-WSS (saml-in-wssec submode command)
Indicates where to place the SAML assertion. The default value is off.
on
Inserts the SAML assertion within a WS-Security-compliant header, as defined by the WS-Security SAML token profile.
off
Inserts the SAML assertion as a child element of the SOAP header.
Kerberos-client-keytab (kerberos-client-keytab submode command)
Specifies the name of the existing Kerberos keytab configuration that defines the keytab for the client. This keytab is required to authenticate the client to the KDC. To create a Kerberos keytab configuration, use the Crypto kerberos-keytab command.
WSS-header-wrap (wssec-header-wrap submode command)
Indicates whether the token can be wrapped by the WS-Security wsse:Security header. This setting is for LTPA tokens. The default value is off.
on
Generate a WS-Security header that contains the token.
off
Indicates that the token cannot be wrapped by the WS-Security header.
WSS-actor-role-ID (wssec-actor-role-id submode command)
Specifies the identifier for the SOAP 1.1 actor or SOAP 1.2 role for processing a WS-Security Security header. The DataPower Gateway works as that actor or role in consuming the input and generating the output for the next SOAP endpoint. This setting is meaningful when a SOAP message is being used for WS-Security 1.0 or 1.1.
The following table lists some well-known values and their meanings.
Table 1. Well-known values for actor or role with their meanings.
http://schemas.xmlsoap.org/soap/actor/next
Each receiver, including the intermediary and ultimate receiver, can process the Security header.
http://www.w3.org/2003/05/soap-envelope/role/none
No one can process the Security header.
http://www.w3.org/2003/05/soap-envelope/role/next
Each receiver, including the intermediary and ultimate receiver, can process the Security header.
http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver
The ultimate receiver of the message can process the Security header. This value is the default if no actor or role setting is configured.
Blank or empty string
The empty string (without quotation marks) indicates that no actor or role identifier is configured. If no actor or role setting is configured, the ultimate receiver is assumed during message processing, and no actor or role attribute is added when the Security header is generated.

This value does not generate an attribute with an empty value, which is the behavior of the USE_MESSAGE_BASE_URI constant string. There cannot be more than one Security header that omits the actor or role identifier.

USE_MESSAGE_BASE_URI
This constant value indicates that the actor or role identifier is the base URI of the message. If the SOAP message is transported over HTTP, the base URI is the Request-URI of the HTTP request.
Any other custom string
You can enter any string to identify the actor or role of the Security header.
TFIM-token-mapping (tfim-token-mapping submode command)
Indicates whether the postprocessing activity is to request a token mapping from Tivoli® Federated Identity Manager. The default value is off.
on
Indicates that the postprocessing activity is to request a token mapping.
off
Indicates that the postprocessing activity is not to request a token mapping.
TFIM-endpoint (tfim-token-mapping submode command)
Specifies the name of the existing Tivoli Federated Identity Manager configuration. To create a Tivoli Federated Identity Manager configuration, use the global tfim command.
WSS-use-derived-key (wssec-use-derived-key submode command)
Indicates whether to generate a derived key from a password. When enabled, the process adds a WS-Security derived-key UsernameToken to the message and adds an HMAC signature with the derived-key. The user name and password are taken from the output of the mapped credentials phase. The default value is off.
on
Generates a derived-key from the password.
off
Does not generate a derived-key from the password.
WSS-derived-key-hash-iteration (wssec-derived-key-hash-iter submode command)
Specifies the number of hashing cycles to do during the generation of a derived key from a password. The minimum value is 2. The default value is 1000.
WSS-replace-existing (wssec-replace-existing submode command)
Indicates whether to retain the original token (not generate a new one) if the message already contains a UsernameToken. The default value is off.
on
Generates a token to replace any existing ones.
off
Retains the original token.
TFIM-replace-method (tfim-replace-method submode command)
Sets the method to handle tokens that Tivoli Federated Identity Manager returns. The default value is all.
all
Replaces all tokens in the selected header with the tokens in the response.
preserve
If the token type is not in the message, add the token in the response to the beginning of the header. If the same token type exists in the message, preserves the original token and ignores the token in the response.
replace
If the token type is not in the message, add the token in the response to the beginning of the header. If the same token type exists in the message, replace the original token with the token in the response.
TFIM-retrieve-method (tfim-retrieval-method submode command)
Sets the method to retrieve tokens from Tivoli Federated Identity Manager. The default value is CallTFIM.
CallTFIM
Calls Tivoli Federated Identity Manager, and uses the tokens in the response.
FromMC
Does not call Tivoli Federated Identity Manager, but uses the tokens from the map credentials phase.
HMAC-signing-algorithm (hmac-signing-algorithm submode command)
Sets the HMAC algorithm to sign the token. This option applies when postprocessing adds a WS-Security UsernameToken and a WS-Security Derived-Key UsernameToken with an HMAC signature is added to the message. The default value is hmac-sha1.
hmac-md5
http://www.w3.org/2001/04/xmldsig-more#hmac-md5
hmac-ripemd160
http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160
hmac-sha1
http://www.w3.org/2000/09/xmldsig#hmac-sha1
hmac-sha224
http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
hmac-sha256
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
hmac-sha384
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
hmac-sha512
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512
message-digest-algorithm (message-digest-algorithm submode command)
Sets the algorithm for the message digest for the generation of a digital signature. This algorithm is for only the UsernameToken postprocessing method. The default value is sha1.
md5
http://www.w3.org/2001/04/xmldsig-more#md5
ripemd160
http://www.w3.org/2001/04/xmlenc#ripemd160
sha1
http://www.w3.org/2000/09/xmldsig#sha1
sha224
http://www.w3.org/2001/04/xmldsig-more#sha224
sha256
http://www.w3.org/2001/04/xmlenc#sha256
sha384
http://www.w3.org/2001/04/xmldsig-more#sha384
sha512
http://www.w3.org/2001/04/xmlenc#sha512
WS-Trust-in-header (ws-trust-in-header submode command)
Indicates whether to return the WS-Trust token as a SOAP header. The default value is off.
on
Returns the token as a SOAP header by wrapping the wst:RequestedSecurityToken in a wst:IssuedToken.
off
Puts the token in the SOAP body.
WS-Trust-key-source (ws-trust-key-source submode command)
Specifies the source of the key. For WS-Trust postprocessing, the DataPower Gateway works as an on-box WS-Trust security token service that is backed by WS-SecureConversation. A symmetric shared secret key is needed to initialize the WS-SecureConversation SecurityContext. The default value is random.
client-entropy
Uses the WS-Trust client entropy.
in-encryptkey
Decrypts the encrypted key from the message.
in-kerberos
Uses the authenticated Kerberos session key.
random
Generates a random key.
static
Uses a static shared secret. This method specifies a static symmetric key for every security context. Therefore, this method is less secure than other key types.
WS-Trust-shared-key (ws-trust-shared-key submode command)
Specifies the name of the existing shared secret key configuration as the WS-Trust key source.
WS-Trust-renewal-wait (ws-trust-renewal-wait submode command)
Specifies the number of seconds to allow the STS to keep an expired SecurityContext token. After a WS-Trust token expires, it can be removed from the STS and cannot be renewed. Therefore, the token must be renewed before a token expires. Enter a value in the range of 0 - 2678400. The default value is 0.
The token is issued or renewed with a 1-hour wait time when both of the following conditions are true.
  • The WS-Trust request asks that the issued token can be renewed after expiration.
  • This setting has a value of 0.
WS-Trust-new-instance (ws-trust-new-instance submode command)
Indicates whether the STS renewal request issues a new instance for WS-Trust renewal. The default value is off.
on
Creates a new instance.
off
Renews the existing instance.
WS-Trust-new-key (ws-trust-new-key submode command)
Indicates whether to update the context key for WS-Trust renewal. The default value is off.
on
Do not use the existing shared secret for the SCT renewal request.
off
Use the existing shared secret for the SCT renewal request.
WS-Trust-never-expire (ws-trust-never-expire submode command)
Indicates whether the WS-Trust security context expires. The default value is off.
on
Indicates that the security context never expires. You can still change the duration afterward with an explicit number of seconds before expiry.
off
Indicates that the security context expires.
generate-ICRX (generate-icrx submode command)
Indicates whether the postprocessing activity is to generate an Extended Identity Context Reference (ICRX) for z/OS identity propagation from the authenticated credentials. When generated, the WS-Security binary token with an ICRX token is inserted into the WS-Security header. You can use this token for interoperability with the CICS® Transaction Server for z/OS identity propagation support. The default value is off.
on
Indicates that the postprocessing activity is to generate an ICRX.
off
Indicates that the postprocessing activity is not to generate an ICRX.
ICRX-realm (generate-user-realm submode command)
Specifies the realm of a user for ICRX identity propagation. The ICRX realm is defined in the SAF configuration. Generally, this value is the equivalent of the prefix for a DN in a user registry.
generate-SAML-assertion (generate-saml-assertion submode command)
Indicates whether the postprocessing activity is to generate a SAML assertion. The SAML assertion can contain an authentication statement, an authorization statement, an attribute statement, or any combination of these statements.
The SAML attribute value can be a user LDAP attribute value that is retrieved in one of the following ways:
  • Directly, by the LDAP authentication or authorization method, using the list of LDAP attribute names that are defined by the user auxiliary LDAP attributes
  • Indirectly, with the var://context/ldap/auxiliary-attributes variable in a custom stylesheet or GatewayScript file: call dp:ldap-search against the user registry and put the <attribute-value/> elements of the search result into the variable.

To sign the SAML assertion, configure a WS-Security sign action or SAML enveloped sign action after the AAA action in the processing rule.

The default value is off.

on
Indicates that the postprocessing activity is to generate a SAML assertion.
off
Indicates that the postprocessing activity is not to generate a SAML assertion.
SAML-protocol (saml-protocol submode command)
Sets the SAML protocol to wrap up the SAML assertion. The default value is assertion.
assertion
The SAML assertion can be put to WS-Security wrap-up later. However, the SAML assertion is not required to respond to any SAML-specific requests.
response
The SAML assertion is put into a SAML Response element. This approach might indicate that the request message contains some SAML protocol information for the response, such as AuthnRequest.
SAML-response-destination (saml-response-destination submode command)
Specifies the destination (URI) for a SAML response. This information can prevent malicious forwarding of requests to unintended recipients, which is a required protection by some protocol bindings. If it is present, the actual recipient must check that the URI reference identifies the location at which the message was received. If it does not check that the URI reference identifies the location, the request must be discarded. Some protocol bindings might require the use of this attribute.
result-wrap-up (result-wrapup submode command)
Sets the method to generate the result. When the DataPower Gateway is configured for SOAP or WS-Security processing, different output methods can be used. The default value is wssec-replace.
none
Generates the result as a single XML file.
soap-body
Generates the result as the SOAP Body, which replaces the original SOAP Body. This method is applicable if request-response protocol handling is required.
wssec-inject
Generates the result to an existing WS-Security message and preserves all tokens in the current message.
wssec-new
Generates the result to an existing WS-Security message as a new token. See also the SOAP actor-role setting.
wssec-replace
Generates the results to an existing WS-Security message and replaces the same token in the requesting message.
SAML-assertion-type (saml-assertion-type submode command)
Sets the supported SAML statement types. Specify multiple statement types as a plus-separated string. The default value is authentication+attribute.
attribute
Indicates an attribute statement.
authentication
Indicates an authentication statement.
authorization
Indicates an authorization decision statement.
SAML-subject-confirm (saml-subject-confirm submode command)
Sets the method that allows the destination system to confirm the subject of the SAML assertion. The default value is bearer.
bearer
Indicates bearer as the subject.
hok
Indicates holder-of-key as the subject.
sv
Indicates sender vouches as the subject.
SAML-name-ID (saml-nid submode command)
Indicates whether the SAML Subject element contains the name identifier. The default value is on.
on
The SAML subject contains the name identifier.
off
The SAML subject does not contain the name identifier. Use this value if the subject confirmation method is holder-of-key because the key represents the same entity as the subject.
SAML-name-ID-format (saml-nid-format submode command)
Specifies the URI reference that represents the classification of string-based identifier information. Any standard or arbitrary URI is allowed. If the value is an empty string, the DataPower Gateway attempts to determine the value from the AAA context. Some SAML Protocols require a specified value, such as urn:oasis:names:tc:SAML:2.0:nameid-format:entity or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
SAML-recipient (saml-recipient submode command)
Specifies a URI that identifies the entity or location that an attesting entity can present the assertion to. Any standard or arbitrary URI is allowed. If the value is an empty string, the optional attribute is not generated.

This setting is applicable for only SAML 2.0.

SAML-audience (saml-audience submode command)
Specifies URI references that identify an intended audience. Specify any number of audience URIs to process the generated SAML assertion. If the value is an empty string, the SAML audience is not restricted. If there is more than one audience URI, use a + delimiter between URIs. In this case, you must convert any URI that contains the + character to \+.
SAML-omit-not-before (saml-omit-notbefore submode command)
Indicates whether to omit the NotBefore attribute in the SAML assertion. When omitted, the assertion is considered valid even before the time it was issued. The default value is off.
on
Omits the NotBefore attribute. This behavior might be required to respond to an AuthnRequest.
off
Does not omit the NotBefore attribute.
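The following Python, added here as an example and not DataPower code, computes the Conditions window exactly as the saml-validity and saml-skew settings above describe it (NotBefore = CurrentTime - SkewTime, NotOnOrAfter = CurrentTime + Validity + SkewTime), renders it as a saml:Conditions element, and then evaluates it the way a relying party would, including the case where saml-omit-notbefore removes the lower bound. Function names are this example's own; the SAML 2.0 assertion namespace is the standard one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example, not DataPower code: the Conditions window described by
# saml-validity, saml-skew and saml-omit-notbefore, on both the issuing
# and the relying-party side. Names are this example's own.

UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, UTC_FMT).replace(tzinfo=timezone.utc)


def conditions_window(current_time: datetime, validity: int, skew: int,
                      omit_not_before: bool = False) -> Tuple[Optional[datetime], datetime]:
    """NotBefore = CurrentTime - SkewTime; NotOnOrAfter = CurrentTime + Validity + SkewTime.
    NotBefore is None when the issuer omits the attribute (saml-omit-notbefore on)."""
    not_before = None if omit_not_before else current_time - timedelta(seconds=skew)
    not_on_or_after = current_time + timedelta(seconds=validity + skew)
    return not_before, not_on_or_after


def conditions_element(window) -> str:
    """Render the window as a saml:Conditions element (attributes in UTC)."""
    not_before, not_on_or_after = window
    attrs = ""
    if not_before is not None:
        attrs += ' NotBefore="%s"' % not_before.strftime(UTC_FMT)
    attrs += ' NotOnOrAfter="%s"' % not_on_or_after.strftime(UTC_FMT)
    return '<saml:Conditions xmlns:saml="%s"%s/>' % (SAML2_NS, attrs)


def assertion_is_valid(window, check_time: datetime) -> bool:
    """Relying-party rule: NotBefore is inclusive, NotOnOrAfter is exclusive;
    an absent NotBefore imposes no lower bound, so the assertion is accepted
    even before its issue time."""
    not_before, not_on_or_after = window
    if not_before is not None and check_time < not_before:
        return False
    return check_time < not_on_or_after


def check_conditions_xml(xml_text: str, check_time: datetime) -> bool:
    """Read NotBefore/NotOnOrAfter back from a saml:Conditions element and
    apply assertion_is_valid. An element without NotOnOrAfter is rejected."""
    elem = ET.fromstring(xml_text)
    not_on_or_after = elem.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False
    not_before = elem.get("NotBefore")
    window = (parse_utc(not_before) if not_before else None, parse_utc(not_on_or_after))
    return assertion_is_valid(window, check_time)
```

Running conditions_window with validity=300 and skew=60 at 12:00:00Z yields NotBefore 11:59:00Z and NotOnOrAfter 12:06:00Z, so the skew widens the window on both ends while the validity only extends its end; with the NotBefore attribute omitted, check_conditions_xml accepts a check time that lies before the issue time.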
one-time-use (one-time-use submode command)
Indicates whether the destination system or relying party should cache the generated token. The generated token might contain the property for this characteristic, which is especially practical for SAML assertions. The default value is off.
on
Indicates that the destination system should not cache the generated token.
off
Indicates that the destination system can cache the generated token.
SAML-proxy (saml-proxy submode command)
Indicates whether to allow SAML proxy restriction. The generated SAML assertion provides limitations that the asserting party imposes on relying parties that want to act as asserting parties.
  • A relying party that acts as an asserting party can issue subsequent assertions that are based on the information in the original assertion.
  • The relying party cannot issue an assertion that violates these restrictions.

The default value is off.

on
Allows proxy restrictions.
off
Does not allow proxy restrictions.
SAML-proxy-audience (saml-proxy-audience submode command)
Specifies the set of audiences (proxy) to whom the asserting party permits new assertions to be issued based on this assertion. If the value is an empty string, the audience for the ProxyRestriction is not issued with this SAML assertion. If there is more than one audience URI, use a + delimiter between URIs. In this case, you must convert any URI that contains the + character to \+.
SAML-proxy-count (saml-proxy-count submode command)
Specifies the maximum number of indirections that the asserting party permits between this assertion and an assertion that was issued. Enter a value in the range 0 - 65535. The default value is 0.

A value of 0 indicates that a relying party must not issue an assertion to another relying party based on this assertion. If greater than zero, any assertion that is issued must itself contain a ProxyRestriction element with a Count value of at most one less than this value.
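As an added example (not DataPower code) covering the saml-audience, saml-proxy-audience and saml-proxy-count settings above, the following Python splits the +-delimited audience lists (honoring the \+ escape for a literal plus), maps the setting values to the restrictions an assertion would carry, and checks a chain of proxied assertions against the ProxyRestriction Count rule, where each assertion issued on the basis of a previous one must carry a Count of at most one less. The audience-subset rule applied in the chain check is the SAML 2.0 core requirement for ProxyRestriction audiences; the data types and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not DataPower code: parsing of the '+'-delimited audience
# lists and a check of a chain of proxied SAML assertions against the
# ProxyRestriction Count and Audience rules. Names are this example's own.


def split_uri_list(value: str) -> List[str]:
    """Split a '+'-delimited URI list; a backslash before '+' keeps the plus
    literal inside a URI. An empty string yields an empty list (no restriction)."""
    if value == "":
        return []
    items, current, i = [], [], 0
    while i < len(value):
        if value.startswith("\\+", i):
            current.append("+")
            i += 2
        elif value[i] == "+":
            items.append("".join(current))
            current = []
            i += 1
        else:
            current.append(value[i])
            i += 1
    items.append("".join(current))
    return items


@dataclass
class Assertion:
    issuer: str
    audiences: List[str]                      # AudienceRestriction; empty = unrestricted
    proxy_count: Optional[int] = None         # ProxyRestriction Count; None = no element
    proxy_audiences: List[str] = field(default_factory=list)


def assertion_from_settings(issuer: str, audience: str, proxy: str,
                            proxy_audience: str, proxy_count: int) -> Assertion:
    """Map the saml-audience, saml-proxy, saml-proxy-audience and saml-proxy-count
    values to the restrictions that the generated assertion would carry."""
    return Assertion(
        issuer=issuer,
        audiences=split_uri_list(audience),
        proxy_count=proxy_count if proxy == "on" else None,
        proxy_audiences=split_uri_list(proxy_audience) if proxy == "on" else [],
    )


def check_proxy_chain(chain: List[Assertion]) -> Tuple[bool, str]:
    """chain[0] is the original assertion; chain[k] was issued by the relying party
    that consumed chain[k-1]. Returns (ok, reason)."""
    for prev, nxt in zip(chain, chain[1:]):
        if prev.proxy_count is None:
            continue  # no ProxyRestriction: nothing to enforce on this hop
        if prev.proxy_count == 0:
            return False, f"{prev.issuer}: Count=0 forbids issuing a further assertion"
        if nxt.proxy_count is None or nxt.proxy_count > prev.proxy_count - 1:
            return False, f"{nxt.issuer}: Count must be at most {prev.proxy_count - 1}"
        if prev.proxy_audiences:
            # SAML 2.0 core: the new assertion must carry an AudienceRestriction
            # naming only audiences listed in the previous ProxyRestriction.
            if not nxt.audiences or not set(nxt.audiences) <= set(prev.proxy_audiences):
                return False, f"{nxt.issuer}: audience outside the permitted proxy audiences"
    return True, "ok"
```

With saml-proxy-count set to 1 on the original assertion, one downstream relying party may issue an assertion (with Count 0), and that assertion in turn may not be proxied further; a relying party that receives an assertion with Count 0 and nevertheless issues a new one is caught by check_proxy_chain.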

SAML-authorize-action (saml-authz-action submode command)
Sets the standard action that the subject can take on the resource. The SAML specification defines the list of action identifiers with corresponding namespace URIs. The default value is AllHTTP.
AllHTTP
All HTTP operations, where 'urn:oasis:names:tc:SAML:1.0:action:ghpp' is the namespace URI.
Control
The subject has control access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
Delete
The subject has delete access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
Execute
The subject has execute access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
General
General access (read, write, execute, delete, control) to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:ghpp' is the namespace URI.
GET
HTTP GET operations, where 'urn:oasis:names:tc:SAML:1.0:action:ghpp' is the namespace URI.
HEAD
HTTP HEAD operations, where 'urn:oasis:names:tc:SAML:1.0:action:ghpp' is the namespace URI.
NegatedControl
The subject does not have control access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
NegatedDelete
The subject does not have delete access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
NegatedExecute
The subject does not have execute access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
NegatedRead
The subject does not have read access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
NegatedWrite
The subject does not have write access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
POST
HTTP POST operations, where 'urn:oasis:names:tc:SAML:1.0:action:ghpp' is the namespace URI.
PUT
HTTP PUT operations, where 'urn:oasis:names:tc:SAML:1.0:action:ghpp' is the namespace URI.
Read
The subject has read access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
Write
The subject has write access to the resource, where 'urn:oasis:names:tc:SAML:1.0:action:rwedc' is the namespace URI.
SAML-attributes (saml-attributes submode command)
Specifies the name of an existing SAML attributes configuration. The SAML attributes define the information to put in the SAML assertion to generate the attribute statement. Each SAML attribute requires the name, format or namespace, and value. The value can be from a DataPower variable.
LTPA-insert-cookie (ltpa-insert-cookie submode command)
Indicates whether to insert a Set-Cookie header in the response that contains the LTPA token. This setting is for generating LTPA tokens that are not wrapped in the WS-Security wsse:Security header. The default value is on.
on
Inserts a Set-Cookie header in the response.
off
Does not insert a Set-Cookie header in the response.

The Set-Cookie header in the response is different from the Cookie header that is forwarded in the server request.

TAM-propagate-PAC (propagate-tam-pac submode command)
Indicates whether the postprocessing activity is to add the Access Manager privilege attribute certificate (PAC) token to an HTTP header. The PAC token was returned from the previous authentication or authorization phase. The default value is off.
on
Adds the PAC token to the header.
off
Does not add the PAC token to the header.
TAM-header (tam-header submode command)
Specifies the name of the HTTP header in which to store the token. The default value is iv_creds, which is the HTTP header that Access Manager WebSEAL uses to write headers.
TAM-header-size (tam-header-size submode command)
Specifies the maximum size in bytes of HTTP headers. A value of 0 disables this function. If the value is nonzero, the PAC token is split across multiple headers of the specified length. The default value is 0.
kerberos-use-s4u2proxy (kerberos-use-s4u2proxy submode command)
Indicates whether to use constrained delegation, namely S4U2Proxy, when the postprocessing phase generates a WS-Security Kerberos AP-REQ token or a Kerberos SPNEGO token. The default value is off.
on
Uses constrained delegation when AP-REQ tokens and SPNEGO tokens are generated.
off
Does not use constrained delegation when AP-REQ tokens or SPNEGO tokens are generated.
cookie-attributes (cookie-attributes submode command)
Specifies the cookie attribute policy to include standard or custom attributes in the cookie. The response message that contains a Set-Cookie header is updated with the attributes defined in this policy.
kerberos-use-s4u2self-and-s4u2proxy (kerberos-use-s4u2self-and-s4u2proxy submode command)
Indicates whether to use protocol transition, namely S4U2Self, to convert a non-Kerberos token into a Kerberos token for the DataPower Gateway itself, and then use constrained delegation, namely S4U2Proxy, to generate a WS-Security Kerberos AP-REQ token or a Kerberos SPNEGO token in the postprocessing phase. The default value is off.
on
Uses protocol transition and constrained delegation when AP-REQ tokens or SPNEGO tokens are generated.
off
Does not use protocol transition and constrained delegation when AP-REQ tokens or SPNEGO tokens are generated.
kerberos-client-source (kerberos-client-source submode command)
Specifies where to get the principal name of the Kerberos client. The default value is mc-output.

The client principal is based on the authenticated identity, which is followed by the corresponding realm name. For example, if the authenticated user is alice, the client principal name can be HTTP/alice.datapower.com@DATAPOWER.COM. The client principal must be present in the KDC for S4U2Self to work.

mc-output
Uses the output of credential mapping in the AAA policy as the client principal name.
custom-url
Uses the value of the output of a specified custom stylesheet or GatewayScript file as the client principal name.
ctx-var
Uses the value of a specified context variable as the client principal name.
kerberos-self-principal (kerberos-self-principal submode command)
Specifies the principal name of the DataPower Gateway.
kerberos-self-keytab (kerberos-self-keytab submode command)
Specifies the name of an existing Kerberos keytab configuration that defines the keytab for the DataPower Gateway. This keytab is required to authenticate the DataPower Gateway to the KDC. To create a Kerberos keytab configuration, use the Crypto kerberos-keytab command.
kerberos-client-custom-url (kerberos-client-custom-url submode command)
Specifies the location of a custom stylesheet or GatewayScript file. This file returns the client principal name within the <kerberos-client-principal> element. For example:
<kerberos-client-principal>
  HTTP/s4ualice.datapower.com@DATAPOWER.COM
</kerberos-client-principal>
This file gets the following input:
  • The output of all the steps that are executed in this AAA action
  • The incoming request message
kerberos-client-ctx-var (kerberos-client-ctx-var submode command)
Specifies the context variable. The value of this context variable is used as the Kerberos client principal. This context variable must be specified in the var://context/name format. For example, var://context/AAA/krb-client-princ. You can use the setvar action to set this variable in the processing rule before you define the AAA action.
kerberos-server-source (kerberos-server-source submode command)
Specifies where to get the principal name of the Kerberos server. The default value is as-is-string. Ensure that the server principal is in the correct format, for example, HTTP/was-backend.datapower.com@DATAPOWER.COM.
as-is-string
Uses the value of the string as specified with the kerberos-server parameter as the Kerberos server principal name.
custom-url
Uses the value of the output of a specified custom stylesheet or GatewayScript file as the server principal name.
ctx-var
Uses the value of a specified context variable as the server principal name.
kerberos-server-custom-url (kerberos-server-custom-url submode command)
Specifies the location of a custom stylesheet or GatewayScript file. This file returns the server principal name within the <kerberos-server-principal> element. For example:
<kerberos-server-principal>
  HTTP/s4ubob.datapower.com@DATAPOWER.COM
</kerberos-server-principal>
When constrained delegation is not used, this file gets the following input:
  • The output of all steps that this AAA action processes
  • The incoming request message
When constrained delegation is used, this file gets the following input:
  • The output of only the identity extraction step
  • The incoming request message
kerberos-server-ctx-var (kerberos-server-ctx-var submode command)
Specifies the context variable. The value of this context variable is used as the Kerberos server principal. This context variable must be specified in the var://context/name format. For example, var://context/AAA/krb-server-princ. You can use the setvar action to set this variable in the processing rule before you define the AAA action.
TLS-client (ssl-client submode command)
Specifies the name of the TLS client profile to secure connections. To create a TLS client profile, use the Crypto ssl-client command.
LTPA-key-file-password-alias (lpta-key-file-password-alias submode command)
Specifies the password alias for the LTPA key file.

When both the password and password alias are defined, the configuration uses the password alias.

jwt (jwt submode command)
Indicates whether the AAA policy can generate a JSON Web Token (JWT). The default value is off.
on
Enables the AAA policy to generate a JWT.
off
Disables the JWT generation action.
jwt-generator (generate-jwt submode command)
Specifies the JWT Generator name. To create a JWT Generator, use the Crypto jwt-generator command.

Guidelines

The post-process command indicates whether to enable a postprocessing activity. After authorizing the client, an AAA policy can run postprocessing activities. You can define one or more of the following postprocessing activities:
  • Run a custom postprocessing file
  • Generate a SAML assertion that contains an authentication statement for the authenticated identity
  • Include an AP-REQ token to act as a Kerberos client
  • Process a WS-Trust SecurityContextToken (SCT) request
  • Send a SAML Logout (SLO) request (SAML 2.0 only)
  • Add a WS-Security UsernameToken to the message
  • Generate a JWT
  • Generate a Kerberos SPNEGO token
  • Generate an LTPA token
  • Request a Tivoli Federated Identity Manager token map
  • Generate an Extended Identity Context Reference (ICRX) for z/OS identity propagation
  • Generate a SAML assertion or response that can contain one or more of the following assertion types:
    • An authentication statement
    • An attribute statement
    • An authorization decision statement
  • Add the Access Manager privilege attribute certificate (PAC) token that was returned from the authentication phase or the authorization phase to an HTTP header
  • Use constrained delegation to generate Kerberos AP-REQ and SPNEGO tokens
  • Use protocol transition and constrained delegation to generate Kerberos AP-REQ and SPNEGO tokens