Creation of a junction for an initial server
You can create a new junction with the create command.
Operation: Creates a new junction point and junctions an initial server.
Syntax:
create -t type -h host-name options junction-point
- -t type
- Type of junction. One of: tcp, ssl, tcpproxy, sslproxy, local, mutual. This parameter is required. Default port for -t tcp is 80. Default port for -t ssl is 443.
- -h host-name
- The DNS host name or IP address of the target back-end server. This parameter is required.
- options
- See Table 1.
- junction-point
- The name of the junction point. This parameter is required.
See Standard WebSEAL junction configuration.
| Junction type | Parameter | Description |
|---|---|---|
| Standard junction types | -a address | Specifies the local IP address that WebSEAL uses when communicating with the target back-end server. If this option is not provided, WebSEAL uses the default address as determined by the operating system. If you supply an address for a particular junction, WebSEAL will be modified to bind to this local address for all communication with the junctioned server. |
| Standard junction types | -E description | A description of the junction. |
| Standard junction types | -f | Forces the replacement of an existing junction. |
| Standard junction types | -i | WebSEAL server treats URLs as case insensitive. |
| Standard junction types | -q location | Provides WebSEAL with the correct name of the query_contents program file and where to find the file. By default, the Windows™ file is called Required for back-end Windows and UNIX Web servers. See Installing and configuring query_contents on Windows-based Web servers. |
| Standard junction types | -T resource/resource-group | Name of GSO resource or resource group. Required for and used only with -b gso option. |
| Standard junction types | -w | Windows filesystem support. |
| Standard junction types | -y priority | The priority for the server (1-9). Default is 9. See Adding multiple back-end servers to the same junction. |
| TCP and SSL junction types | -p port | TCP port of the back-end third-party server. Default is 80 for TCP junctions; 443 for SSL junctions. See Creating TCP type standard junctions and Creating SSL type standard junctions. |
| Stateful junctions. See Stateful junctions. | -s | Specifies that the junction should support stateful applications. By default, junctions are not stateful. |
| Stateful junctions. See Stateful junctions. | -u UUID | Specifies the UUID of a back-end server connected to WebSEAL using a stateful junction (-s). |
| Mutual junctions. See Stateful junctions. | -p HTTP port | HTTP port of the back-end third-party server. |
| Mutual junctions. See Stateful junctions. | -P HTTPS port | HTTPS port of the back-end third-party server. |
| Mutual authentication over Basic Authentication and SSL certificates | -B | WebSEAL uses BA header information to authenticate to the back-end server. Requires the -U and -W options. |
| Mutual authentication over Basic Authentication and SSL certificates | -D "DN" | Specifies the distinguished name of the back-end server certificate. This value, matched with the actual certificate DN, enhances authentication. |
| Mutual authentication over Basic Authentication and SSL certificates | -K "key-label" | Key label of WebSEAL's client-side certificate, used to authenticate to the back-end server. |
| Mutual authentication over Basic Authentication and SSL certificates | -U "username" | WebSEAL user name. Use with -B to send BA header information to the back-end server. |
| Mutual authentication over Basic Authentication and SSL certificates | -W "password" | WebSEAL password. Use with -B to send BA header information to the back-end server. |
| Proxy junction (requires -t tcpproxy or -t sslproxy) | -H host-name | The DNS host name or IP address of the proxy server. |
| Proxy junction (requires -t tcpproxy or -t sslproxy) | -P port | The TCP port of the proxy server. |
| Supply identity information in HTTP headers | -b BA-value | Defines how the WebSEAL server passes client identity information in HTTP basic authentication (BA) headers to the back-end server. One of: filter (default), ignore, supply, gso. |
| Supply identity information in HTTP headers | -c header-types | Inserts client identity information specific to Verify Identity Access in HTTP headers across the junction. The header-types argument can include any combination of the following Verify Identity Access HTTP header types: iv-user, iv-user-l, iv-groups, iv-creds, all. |
| Supply identity information in HTTP headers | -e encoding-type | Specifies the encoding to use when generating HTTP headers for junctions. This encoding applies to headers that are generated with both the -c junction option and tag-value. Possible values for encoding are: |
| Supply identity information in HTTP headers | -I | Cookie handling: -I ensures unique Set-Cookie header name attribute. See Cookie handling: -I ensures unique Set-Cookie name attribute. |
| Supply identity information in HTTP headers | -j | Supplies junction identification in a cookie to handle script-generated server-relative URLs. See Modification of server-relative URLs with junction cookies. |
| Supply identity information in HTTP headers | -J {trailer,inhead,onfocus,xhtml10} | Controls the junction cookie JavaScript™ block. Use -J trailer to append (rather than prepend) the junction cookie JavaScript to the HTML page returned from the back-end server. Use -J inhead to insert the JavaScript block between <head> </head> tags for HTML 4.01 compliance. Use -J onfocus to use the onfocus event handler in the JavaScript to ensure the correct junction cookie is used in a multiple-junction/multiple-browser-window scenario. Use -J xhtml10 to insert a JavaScript block that is HTML 4.01 and XHTML 1.0 compliant. For complete details on this option, see Control on the junction cookie JavaScript block. |
| Supply identity information in HTTP headers | -k | Sends session cookie to back-end portal server. See Passing of session cookies to junctioned portal servers. |
| Supply identity information in HTTP headers | -n | Specifies that no modification of the names of non-domain cookies is to be made. Use when client-side scripts depend on the names of cookies. By default, if a junction is listed in the JMT or if the -j junction option is used, WebSEAL prepends the names of non-domain cookies that are returned from the junction to with: |
| Supply identity information in HTTP headers | -r | Inserts incoming IP address in HTTP header across the junction. |
| Junction fairness. See Per-junction allocation of worker threads for junctions. | -l percent-value | Defines the soft limit for consumption of worker threads. |
| Junction fairness. See Per-junction allocation of worker threads for junctions. | -L percent-value | Defines the hard limit for consumption of worker threads. |
| WebSphere single signon (LTPA) junctions. See LTPA overview. | -A | Enables junctions to support LTPA cookies (tokens). LTPA version 1 cookies (LtpaToken) and LTPA version 2 cookies (LtpaToken2) are both supported. LTPA version 1 cookies are specified by default. LTPA version 2 cookies must be specified with the additional -2 option. Also requires the -F and -Z options. |
| WebSphere single signon (LTPA) junctions. See LTPA overview. | -2 | Used with the -A option, this option specifies that LTPA version 2 cookies (LtpaToken2) are used. The -A option without the -2 option specifies that LTPA version 1 cookies (LtpaToken) are used. |
| WebSphere single signon (LTPA) junctions. See LTPA overview. | -F "keyfile" | Name of the key file used to encrypt LTPA cookie data. Only valid with -A option. |
| WebSphere single signon (LTPA) junctions. See LTPA overview. | -Z "keyfile-password" | Password for the key file used to encrypt LTPA cookie data. Only valid with -A option. |
| Federation Runtime junctions | -Y | Enables the Federation Runtime for the junction. NOTE: Before using this option, you must first configure the WebSEAL configuration files to support the Federation Runtime single sign-on over junctions. |
| WebSEAL-to-WebSEAL SSL junctions | -C | Mutual authentication between a front-end WebSEAL server and a back-end WebSEAL server over SSL. Requires -t ssl or -t sslproxy type. |
| Forms single signon | -S file_name | Name of the forms single signon configuration file. |
| Virtual hosts | -v virtual-host-name[:HTTP-port] | Virtual host name represented on the back-end server. This option supports a virtual host setup on the back-end server. For mutual junctions this value corresponds to the virtual host which is used for HTTP requests. You use -V when the back-end junction server expects a Host header because you are junctioning to one virtual instance of that server. The default HTTP header request from the browser does not know that the back-end server has multiple names and multiple virtual servers. You must configure WebSEAL to supply that extra header information in requests destined for a back-end server set up as a virtual host. |
| Virtual hosts | -V virtual-host-name[:HTTPS-port] | Virtual host name represented on the back-end server. This option supports a virtual host setup on the back-end server. The value corresponds to the virtual host which is used for HTTPS requests. Only used for mutual junctions. You use -V when the back-end junction server expects a Host header because you are junctioning to one virtual instance of that server. The default HTTPS header request from the browser does not know that the back-end server has multiple names and multiple virtual servers. You must configure WebSEAL to supply that extra header information in requests destined for a back-end server set up as a virtual host. |
| Transparent junctions | -x | Creates a transparent path junction. |
| SSL junction types | -O CN | Specifies the expected common name, or subject alternative name, of the back-end server certificate. See Matching the common name (CN) and subject alternative name (SAN). |
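
Several rows of the table state dependencies between options (for example, -B needs -U and -W, and -C needs an SSL junction type). The following linter checks a create line against those stated dependencies before it is run; it is an added example, not IBM code and not part of the original page. The function names and sample host names are constructed, and it only knows the options listed in the table.

```python
import shlex

# Option arity taken from the options table above (constructed summary).
VALUE_OPTS = set("t h a E q T y p u P D K U W H b c e J l L F Z S v V O".split())
FLAG_OPTS = set("f i w s B I j k n r A 2 Y C x".split())
TYPES = {"tcp", "ssl", "tcpproxy", "sslproxy", "local", "mutual"}
PROXY, SSL = {"tcpproxy", "sslproxy"}, {"ssl", "sslproxy"}

def parse_create(command):
    """Return ({option letter: value or True}, junction_point) for a create line."""
    tokens = shlex.split(command.replace("\u2013", "-"))  # tolerate pasted en-dashes
    if not tokens or tokens[0] != "create":
        raise ValueError("not a create command")
    opts, positional, i = {}, [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and tok[1:] in VALUE_OPTS:
            if i + 1 == len(tokens):
                raise ValueError(f"{tok} needs a value")
            opts[tok[1:]] = tokens[i + 1]
            i += 2
        elif tok.startswith("-") and tok[1:] in FLAG_OPTS:
            opts[tok[1:]] = True
            i += 1
        elif tok.startswith("-"):
            raise ValueError(f"option {tok} is not in the table")
        else:
            positional.append(tok)
            i += 1
    if len(positional) != 1:
        raise ValueError("expected exactly one junction point")
    return opts, positional[0]

def lint_create(command):
    """List violations of the option dependencies documented in the table."""
    o, _ = parse_create(command)
    t, has = o.get("t"), lambda *names: all(n in o for n in names)
    checks = [
        (t in TYPES, "-t is required and must be a listed junction type"),
        (has("h"), "-h host-name is required"),
        (not has("B") or has("U", "W"), "-B requires -U and -W"),
        ((o.get("b") == "gso") == has("T"), "-T is required for, and only used with, -b gso"),
        (not has("u") or has("s"), "-u applies to stateful junctions (-s)"),
        (not has("H") or t in PROXY, "-H requires -t tcpproxy or -t sslproxy"),
        (not has("A") or has("F", "Z"), "-A requires -F and -Z"),
        (has("A") or not (o.keys() & {"2", "F", "Z"}), "-2, -F and -Z are only valid with -A"),
        (not has("C") or t in SSL, "-C requires -t ssl or -t sslproxy"),
        (not has("V") or t == "mutual", "-V is only used for mutual junctions"),
        (o.get("y", "9") in set("123456789"), "-y priority must be 1-9"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`lint_create` returns an empty list for a line that satisfies every documented dependency, and raises `ValueError` for a line it cannot parse.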