server task create
The server task create command creates a WebSEAL junction point.
Requires authentication (administrator ID and password) to use this command.
Syntax
For local junctions:
server task instance_name-webseald-host_name create -t type [options] junction_point
For non-local junctions:
server task instance_name-webseald-host_name create -t type -h host_name [options] junction_point
Options
- instance_name-webseald-host_name
- Specifies the full server name of the installed WebSEAL instance.
You must specify this full server name in the exact format as displayed
in the output of the server list command.
The instance_name specifies the configured name of the WebSEAL instance. The webseald designation indicates that the WebSEAL service performs the command task. The host_name is the name of the physical machine where the WebSEAL server is installed.
For example, if the configured name of a single WebSEAL instance is default, and the host machine name where the WebSEAL server is installed is abc.ibm.com, the full WebSEAL server name is default-webseald-abc.ibm.com.
If an additional WebSEAL instance is configured and named web2, the full WebSEAL server name is web2-webseald-abc.ibm.com.
- junction_point
- Specifies the name of the directory in the WebSEAL protected object space where the document space of the back-end server is mounted.
- options
- Specifies the options that you can use with the server
task create command. The options include:
- -a address
- Specifies the local IP address for WebSEAL to use when communicating
with the target back-end server. If this option is not provided, WebSEAL
uses the default address as determined by the operating system.
If an address is supplied for a particular junction, WebSEAL is modified to bind to this local address for all communication with the junctioned server.
- -A
- Enables or disables lightweight third-party authentication mechanism
(LTPA) junctions. This option requires the -F and -Z options.
The -A, -F, and -Z options
all must be used together.
This option is valid for all junctions except for the type of local.
- -2
- You can use this option in conjunction with the -A option to specify that LTPA version 2 cookies (LtpaToken2) are used. The -A option without the -2 option specifies that LTPA version 1 cookies (LtpaToken) are used.
- -b BA_value
- Defines how the WebSEAL server passes the HTTP BA authentication
information to the back-end server, which is one of the following
values:
filter (default), ignore, supply, gso
This option is valid for all junctions except for the type of local.
- -B
- Indicates that WebSEAL uses the BA header information to authenticate
to the back-end server and to provide mutual authentication over SSL.
This option requires the -U and -W options.
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- -c header_type
- Inserts the Verify Identity Access client
identity in HTTP headers across the junction. The header_type argument
can include any combination of the following Verify Identity Access HTTP
header types:
{iv-user|iv-user-l}, iv-groups, iv-creds, all
The header types must be comma separated, and cannot have spaces between the types. For example:
-c iv-user,iv-groups
Specifying -c all is the same as specifying -c iv-user,iv-groups,iv-creds.
This option is valid for all junctions except for the type of local.
- -C
- Indicates single signon from a front-end WebSEAL server to a back-end
WebSEAL server. The -C option is not mutual
authentication.
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- -D "dn"
- Specifies the distinguished name of the back-end server certificate.
This value, matched with the actual certificate DN, enhances authentication
and provides mutual authentication over SSL. For example, the certificate
for www.example.com might have a DN of:
"CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Austin, ST=Texas,C=US"
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- -e encoding_type
- Specifies the encoding to use when generating HTTP headers for
junctions. This encoding applies to headers that are generated with
both the -c junction option and tag-value.
The following values for encoding are supported:
- utf8_bin
- WebSEAL sends the headers in UTF-8.
- utf8_uri
- WebSEAL sends the headers in UTF-8 but also URI encodes them. This behavior is the default.
- lcp_bin
- WebSEAL sends the headers in the local code page of the WebSEAL server.
- lcp_uri
- WebSEAL sends the headers in the local code page of the WebSEAL server, but also URI encodes them.
This option is valid for all junctions except for the type of local.
- -f
- Forces the replacement of an existing junction.
This option is used for junctions that were created with any junction type.
- -F keyfile
- Specifies the name of the keyfile used to encrypt LTPA cookie data.
The -F option requires -A and -Z options. The -A, -F, and -Z options all must be used together.
This option is valid for all junctions except for the type of local.
- -H host_name
- Specifies the DNS host name or IP address of the proxy server.
The -P option also supports proxy server
junctions. Valid values for host_name include
any valid IP host name. For example:
proxy.www.example.com
This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.
- -i
- Indicates that the WebSEAL junction does not treat URLs as case-sensitive.
To correctly authorize requests for junctions that are not case-sensitive,
WebSEAL does the authorization check on a lowercase version of the
URL. For example, a Web server that is running on a Windows operating system treats
requests for INDEX.HTM and index.htm as requests for the same file.
Junctions to such a Web server should be created with the -i or -w option. ACLs or POPs that are attached to objects beneath the junction point should use the lowercase object name. An ACL attached to /junction/index.htm will apply to all of the following requests if the -i or -w option is used:
/junction/INDEX.HTM
/junction/index.htm
/junction/InDeX.HtM
This option is valid for all junctions except for the type of local. Local junctions are not case-sensitive only on Win32 platforms; all other platforms are case-sensitive.
- -I
- Ensures a unique Set-Cookie header name attribute when using the -j option
to modify server-relative URLs in requests.
This option is valid for all junctions except for the type of local.
- -j
- Supplies junction identification in a cookie to handle script-generated
server-relative URLs.
This option is valid for all junctions except for the type of local.
- -J trailer,inhead,onfocus,xhtml10
- Controls the junction cookie JavaScript™ block.
Use -J trailer to append (rather than prepend) the junction cookie JavaScript to the HTML page returned from the back-end server.
Use -J inhead to insert the JavaScript block between <head> </head> tags for HTML 4.01 compliance.
Use -J onfocus to use the onfocus event handler in the JavaScript to ensure the correct junction cookie is used in a multiple-junction/multiple-browser-window scenario.
Use -J xhtml10 to insert a JavaScript block that is HTML 4.01 and XHTML 1.0 compliant.
For complete details on this option, see Control on the junction cookie JavaScript block.
- -k
- Sends WebSEAL session cookies to the junction server. By default,
cookies are removed from requests that are sent to the server.
This option is valid for all junctions except for the type of local.
- -K "key_label"
- Specifies the key label of the client personal certificate that
WebSEAL should present to the back-end server. Use of this option
allows the junction server to authenticate the WebSEAL server using
client certificates.
This option is valid only with junctions that were created with the type of ssl and sslproxy.
- -l percent
- Defines the soft limit for consumption of worker threads.
This option is valid for all junctions except for the type of local.
- -L percent
- Defines the hard limit for consumption of worker threads.
This option is valid for all junctions except for the type of local.
- -n
- Indicates that no modification of the names of non-domain cookies is to be made. Use when
client side scripts depend on the names of cookies.
By default, if a junction is listed in the JMT or if the -j junction option is used, WebSEAL will modify the names of non-domain cookies that are returned from the junction to prepend AMWEBJCT!junction_point.
This option is valid for all junctions except for the type of local.
- -o
- Indicates the hostname WebSEAL connects to at the start of the handshaking process. Sends the
string <hostname> in the SSL/TLS handshake as the Server Name Indicator (SNI) value.
For example, -o sni=www.test.local.
- -p port
- Specifies the TCP port of the back-end third-party server. The
default value is 80 for TCP junctions and 443 for SSL junctions.
This option is valid for all junctions except for the type of local.
- -P port
- For proxy junctions that were created with the type of tcpproxy or sslproxy, this option specifies the TCP port number for the HTTP proxy server. The -P option is required when the -H option is used.
This option is also valid for mutual junctions to specify the HTTPS port of the back-end third-party server.
- -q path
- Required option for back-end Windows™ servers.
Specifies the relative path for the query_contents script.
By default, Verify Identity Access looks
for the query_contents script in the /cgi_bin directory.
If this directory is different or the query_contents file
is renamed, this option indicates to WebSEAL the new URL
to the file.
This option is valid for all junctions except for the type of local.
- -r
- Inserts the incoming IP address into the HTTP header across the
junction. This option is valid for all junctions except for the type of local.
- -R
- Allows the request to proceed but provides the rule failure reason
to the junction in an HTTP header. If the -R option
is not used and a rule failure occurs, WebSEAL will not allow the
request to proceed. This option is valid for all junctions except for the type of local.
- -s
- Indicates that the junction supports stateful applications. By
default, junctions are not stateful. This option is valid for all
junctions except for the type of local.
- -S
- Specifies the name of the forms single signon configuration
file. This option is valid for all junctions except for the type of local.
- -T {resource | resource_group}
- Specifies the name of the resource or resource group. This option
is required only when the -b gso option is used. This option is valid for all junctions except for the type of local.
- -u uuid
- Specifies the Universally Unique Identifier (UUID) of a back-end
server connected to WebSEAL by using a stateful junction (-s option).
This option is valid for all junctions except for the type of local.
- -U "user_name"
- Specifies the WebSEAL server user name. This option requires the -B and -W options.
WebSEAL uses the BA header information to authenticate to the back-end
server and to provide mutual authentication over SSL. This option
is valid only with junctions that were created with the type of ssl or sslproxy.
- -v virtual_hostname[:HTTP-port]
- Specifies the virtual host name for the back-end server. This
option supports multiple virtual hosts being served from the same
Web server. Use -v when the back-end junction
server expects a host name header different from the DNS name of the
server. This option is valid for all junctions except for the type of local. For mutual junctions this value corresponds to the virtual host which is used for HTTP requests.
- -V virtual_hostname[:HTTPS-port]
- Specifies the virtual host name for the back-end server. This option supports multiple virtual hosts being served from the same Web server. Use -V when the back-end junction server expects a host name header different from the DNS name of the server. This option is only used for mutual junctions and corresponds to the virtual host which is used for HTTPS requests.
- -w
- Indicates Microsoft™ Windows file system support. This option
provides all of the functionality provided by the -i junction
option but disallows requests that contain file names that might be
interpreted as Windows file name aliases. This option is valid for all junctions except for the
type of local. Local junctions prohibit URLs that contain Windows file name aliases on Windows but allow such URLs on other platforms.
- -W "password"
- Specifies the WebSEAL server password. This option requires the -B and -U options.
WebSEAL uses the BA header information to authenticate to the back-end
server and to provide mutual authentication over SSL. This option
is valid only with junctions that were created with the type of ssl or sslproxy.
- -x
- Creates a transparent path junction.
This option is valid for all junctions except for the type of local.
- -Y
- Enables the Federation Runtime single sign-on (SSO) for the junction.
Note: Before using this option, you must first configure the WebSEAL configuration file to support the Federation Runtime single sign-on over junctions.
- -Z keyfile_pwd
- Specifies the password of the keyfile used to encrypt LTPA cookie
data. This option requires the -A and -F options.
The -A, -F, and -Z options
all must be used together. This option is valid for all junctions
except for the type of local.
- -h host_name
- Required option for non-local junctions. Specifies the DNS host
name or IP address of the target server. This option is valid only
for non-local junctions; local junctions do not need a host name.
Valid values for host_name include any valid
IP host name. For example:
www.example.com
- -t type
- Required option. Specifies the type of junction; must be one of
the following types:
tcp, tcpproxy, ssl, sslproxy, local
Authorization
Users and groups that require
access to this command must be given the s (server
administration) permission in the ACL that governs the /WebSEAL/host_name-instance_name/junction_point object.
For example, the sec_master administrative
user is given this permission by default.
For more information about gathering statistics, see the Troubleshooting topics in the Knowledge Center.
This command is available only when WebSEAL is installed.
Return codes
- 0
- The command completed successfully. For WebSEAL server
task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command was successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.
- 1
- The command failed. See "Error messages" in the IBM Knowledge Center which provides a list of the Verify Identity Access error messages by decimal or hexadecimal codes.
Examples
- The following example (entered as one line) creates a basic WebSEAL
junction /pubs on the default-webseald-cruz WebSEAL server. The junction type is TCP, and the host name is doc.tivoli.com:
pdadmin> server task default-webseald-cruz create -t tcp -h doc.tivoli.com /pubs
Output is similar to:
Created junction at /pubs
- The following example (entered as one line) limits worker thread
consumption on a per junction basis with a soft thread limit of 60 and a hard thread limit of 80 on the /myjunction junction:
pdadmin> server task default-webseald-cruz create -t tcp -h cruz.dallas.ibm.com -l 60 -L 80 /myjunction
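The option descriptions above state several dependencies (-A, -F, and -Z together; -B, -U, and -W together; -P required with -H; -T required with -b gso; options restricted to certain junction types). The following added example, which is not IBM code, checks a server task create command line against those rules before it is sent to pdadmin. The names parse, lint, and SAMPLE are hypothetical, and the parser assumes that an option value never begins with a hyphen.

```python
import shlex

# Rules transcribed from the option descriptions on this page.
TYPES = {"tcp", "tcpproxy", "ssl", "sslproxy", "local"}
TOGETHER = [("-A", "-F", "-Z"), ("-B", "-U", "-W")]      # all-or-none groups
SSL_ONLY = ("-B", "-C", "-D", "-K", "-U", "-W")          # ssl / sslproxy only
NOT_LOCAL = ("-A -b -c -e -F -h -i -I -j -k -l -L -n -p -q -r -R -s -S -T "
             "-u -v -w -x -Z").split()

def parse(cmdline):
    """Split the text after 'create' into ({flag: value}, junction_point)."""
    tokens = shlex.split(cmdline)
    tokens = tokens[tokens.index("create") + 1:]
    flags, i = {}, 0
    while i < len(tokens) - 1:           # the last token is the junction point
        # Simplification: a value never starts with "-" and is never last.
        has_value = i + 2 < len(tokens) and not tokens[i + 1].startswith("-")
        flags[tokens[i]] = tokens[i + 1] if has_value else None
        i += 2 if has_value else 1
    return flags, tokens[-1]

def lint(cmdline):
    """Return the list of rule violations; an empty list means none found."""
    flags, _ = parse(cmdline)
    jtype, problems = flags.get("-t"), []
    if jtype not in TYPES:
        return ["-t must be one of: " + ", ".join(sorted(TYPES))]
    if jtype == "local":
        problems += [f"{f} is not valid for local junctions"
                     for f in NOT_LOCAL if f in flags]
    elif "-h" not in flags:
        problems.append("-h is required for non-local junctions")
    for group in TOGETHER:
        if 0 < sum(f in flags for f in group) < len(group):
            problems.append(", ".join(group) + " must all be used together")
    if jtype not in ("ssl", "sslproxy"):
        problems += [f"{f} is valid only for ssl or sslproxy junctions"
                     for f in SSL_ONLY if f in flags]
    if "-H" in flags and jtype not in ("tcpproxy", "sslproxy"):
        problems.append("-H is valid only for tcpproxy or sslproxy junctions")
    if "-H" in flags and "-P" not in flags:
        problems.append("-P is required when -H is used")
    if flags.get("-b") == "gso" and "-T" not in flags:
        problems.append("-T is required when -b gso is used")
    return problems

# Constructed sample: LTPA enabled without its keyfile and keyfile password.
SAMPLE = "server task default-webseald-cruz create -t tcp -h doc.tivoli.com -A /pubs"
```

Calling lint(SAMPLE) reports the incomplete -A, -F, -Z group, while both commands in the Examples section return an empty list.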
See also
server task add
server task delete
server task remove
server task show