Command-line interface
Access the command-line interface (CLI) of the appliance by using either an SSH session or the console.
For additional information about accessing the CLI via an SSH session, see SSH management interface.
For information about accessing support files via SFTP, see SFTP support file management.
The following example shows the transcript of using an SSH session to access the appliance:
usernameA@example.ibm.com>ssh -l admin webapp.vwasp.gc.au.ibm.com
admin@webapp.vwasp.gc.au.ibm.com's password:
Welcome to the IBM® Verify Identity Access appliance
Enter "help" for a list of available commands
webapp.vwasp.gc.au.ibm.com> isam
webapp.vwasp.gc.au.ibm.com:isam> help
Current mode commands:
aac                   Work with the Advanced Access Control settings.
admin                 Start an administration session which can be used to
                      administer the Verify Identity Access security policy.
ca                    Work with the Policy server CA update operations.
cluster               Work with the Verify Identity Access cluster.
dscadmin              Start an administration session which can be used to
                      administer the Distributed Session Cache.
logs                  Work with the Verify Identity Access log files.
policy_db_dump        Validate and maintain the Verify Identity Access policy
                      database.
runtime_dump          Generate a core dump of the Verify Identity Access runtime.
store_dhe_parameters  Store Diffie Hellman Ephemeral (DHE) parameters in the
                      specified key file.
tracing_status        Display a list of components with tracing enabled.
Global commands:
back                  Return to the previous command mode.
exit                  Log off from the appliance.
help                  Display information for using the specified command.
reboot                Reboot the appliance.
shutdown              End system operation and turn off the power.
top                   Return to the top level.
The following example shows the options available under the locked menu.
webapp.vwasp.gc.au.ibm.com:locked> help
Current mode commands:
list              List all of the locked accounts and the amount of time before each
                  of the accounts will be automatically unlocked.
unlock_all        Unlock all of the locked accounts.
unlock <account>  Unlock a specific account.
The following example shows the options available under the logs menu.
webapp.vwasp.gc.au.ibm.com:logs> help
Current mode commands:
archive       Archive the log files to a USB device.
delete        Delete the log files which have been rolled over by the system.
delete_tmp    Deletes files in the /tmp directory.
delete_trace  Delete the trace files (trace, stats, translog) from the system.
monitor       Monitor log files on the system.
ssl           Works with the Verify Identity Access SSL log files.
The following example shows the options available under the network menu.
webapp.vwasp.gc.au.ibm.com:network> help
Current mode commands:
arp         Work with the ARP cache.
defgw       Work with the default gateway.
dns         Work with the appliance DNS settings.
hostname    Work with the appliance host name.
interfaces  Work with interface settings.
routes      Work with the static routes.
The following example shows the options available under the routes menu.
webapp.vwasp.gc.au.ibm.com:routes> help
Current mode commands:
add     Add a static route.
delete  Delete a static route.
edit    Edit a static route.
reset   Reset all the routing tables.
show    Show the static routes including both Active and Configured.
The usage of the policy_db_dump command is as follows.
policy_db_dump {-f <db_name>} {-l [1|2]} {-g} {-n} {-q} {-s} {-r}
               {-d <find-entry-name> [-c <replace-entry-name>[:<hostname>[:<principal>]]]}
-f <db_name> : Specifies the name of the policy database. This argument is optional
               if there is only a single Verify Identity Access domain.
-l [1|2]     : The validation check level (2 is the default).
-g           : Display the glossary information only.
-n           : Display the object names only.
-q           : Display the sequence number of the policy database.
-s           : Display statistical information from the policy database.
-r           : Validate and repair the policy database. The policy server will be
               restarted as a result of this command.
-d           : Locate an entry in the database. If the -c flag is also specified the
               located entry is replaced with the new entry, otherwise the located
               entry is deleted from the database. The policy server will be restarted
               as a result of this command.
-c           : Replace the located entry in the database. This flag can only be used
               in conjunction with the -d flag. The policy server will be restarted
               as a result of this command.
The following example shows the options available under the aac menu.
webapp.vwasp.gc.au.ibm.com:aac> help
Current mode commands:
restart Restart the Advanced Access Control runtime.
The following example shows the options available under the tools menu:
webapp.vwasp.gc.au.ibm.com:tools> help
Current mode commands:
connect      Test the connection to a particular server.
connections  Display the network connections for the appliance.
curl         Test the connection to a particular Web server using
             curl.
database     Get the connections currently open to the database.
ldapsearch   Perform an LDAP search using the ldapsearch tool.
nslookup     Query internet domain name servers.
ping         Send an ICMP ECHO_REQUEST to network hosts.
session      Test network sessions with TCP or SSL.
sockets      Display the socket information for the appliance using
             the Linux ss command.
sslscan      Run the sslscan tool against a particular server.
telnet       Connect to telnet server.
traceroute   Trace a packet from a computer to a remote destination
             to display the number of hops required and the time
             taken for each hop.
The following example shows the options available under the support menu:
webapp.vwasp.gc.au.ibm.com:support> help
Current mode commands:
create           Create a support information file.
delete           Delete a support information file.
download         Download a support information file to a USB flash drive.
get_comment      View the comment associated with a support information file.
list             List the support information files.
list_categories  List the categories registered for the support information file.
list_instances   List the instances for a specific registered category.
purge            Purge the support files from the hard drive.
set_comment      Replace the comment associated with a support information file.
webapp.vwasp.gc.au.ibm.com:pending_changes> help
Current mode commands:
discard  Discard the pending changes for a particular user or all users.
list     List all users who have outstanding pending changes.
webapp.vwasp.gc.au.ibm.com:diagnostics> help
Current mode commands:
core_dumps    Work with core dump files.
java_dump     Generate {heap|system|thread} java dump for
              {default|runtime} profile.
kill          Kill the specified process. This command will wait for the
              process to be terminated before returning.
list          List the contents of the local filesystem.
monitor       Generate monitoring output.
monitor_list  Print a list of all available monitor items.
pidstat       Report statistics for Linux tasks.
ps            List the processes which are running on the system.
The method to access the console differs between the hardware appliance and the virtual appliance:
- For the hardware appliance, a serial console device must be used. For more information about attaching a serial console device to the hardware, see Connecting a serial console to the appliance.
- For the virtual appliance, you can access the console by using the appropriate VMware software. For example, VMware vSphere Client.
- diagnostics: Work with the IBM Verify Identity Access diagnostics.
- firmware: Work with firmware images.
- fixpacks: Work with fix packs.
- hardware: Work with the hardware settings.
- isam: Work with the IBM Verify Identity Access settings.
- lmi: Work with the local management interface.
- lmt: Work with the License Metric Tool.
- management: Work with management settings.
- network: Work with network settings.
- pending_changes: Work with the IBM Verify Identity Access pending changes.
- snapshots: Work with policy snapshot files.
- support: Work with support information files.
- tools: Work with network diagnostic tools.
- updates: Work with firmware and security updates.
- isam > admin
- isam > dscadmin
- isam > logs > monitor
- isam > thales > rocs
- isam > thales > hsconfig
- isam > thales > cknfastrc
- isam > thales > nfdiag
- isam > thales > ckcheckinst
- hardware > ipmitool
- management > set_password
A customizable access banner can be presented on the command-line interface. Use the Login Screen Header and Login Screen Message properties on the Administrator Settings page to set the access banner content.