server task virtualhost create

Requires authentication (administrator ID and password) to use this command.

Syntax

For local junctions:

server task instance_name-webseald-host_name virtualhost create –t type –v virtual_host_name [options] vhost_label

For non-local junctions:

server task instance_name-webseald-host_name virtualhost create –t type –h host_name [options] vhost_label

Options

instance_name-webseald-host_name

Specifies the full server name of the installed WebSEAL instance. You must specify the full server name in the exact format as displayed in the output of the server list command.

The instance_name specifies the configured name of the WebSEAL instance. The webseald designation indicates that the WebSEAL service performs the command task. The host_name is the name of the physical machine where the WebSEAL server is installed.

For example, if the configured name of a single WebSEAL instance is default, and host machine name where the WebSEAL server is installed is abc.ibm.com, the full WebSEAL server name is default-webseald-abc.ibm.com.

If an additional WebSEAL instance is configured and named web2, the full WebSEAL server name is web2-webseald-abc.ibm.com.

options

Specifies the options that you can use with the server task virtualhost create command. These options include:

–A

Enables a virtual host junction to support the lightweight third-party authentication mechanism (LTPA). This option requires the –F and –Z options. The –A, –F, and –Z options all must be used together.

This option is valid for all junction types except localtcp and localssl.

-2

You can use this option in conjunction with the -A option to specify that LTPA version 2 cookies (LtpaToken2) are used. The -A option without the -2 option specifies that LTPA version 1 cookies (LtpaToken) are used.

–b BA_value

Defines how the WebSEAL server passes client identity information in HTTP basic authentication (BA) headers to the back-end virtual host, which is one of the following values:

• filter
• ignore
• supply
• gso

This option is valid for all junction types except localtcp and localssl.

The default value is filter.

–B

Indicates that WebSEAL uses the BA header information to authenticate to the back-end virtual host and to provide mutual authentication over SSL. This option requires the –U and –W options.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–c header_type

Inserts the Verify Identity Access client identity in HTTP headers across the virtual host junction. The header_type argument can include any combination of the following Verify Identity Access HTTP header types:

• {iv-user|iv-user-l}
• iv-groups
• iv-creds
• all

The header types must be comma separated, and cannot have a spaces between the types. For example: -c iv_user,iv_groups

Specifying –c all is the same as specifying –c iv-user,iv-groups,iv-creds.

This option is valid for all junction types except localtcp and localssl.

–C

Supports mutual authentication by enabling the front-end WebSEAL server to pass its identity information to the back-end WebSEAL server in a Basic Authentication (BA) header. Additionally, the –C option enables single signon functionality provided by the –c option.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–D "dn"

Specifies the distinguished name of the back-end server certificate. This value, matched with the actual certificate DN enhances authentication and provides mutual authentication over SSL. For example, the certificate for www.example.com might have a DN of

"CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Austin,
ST=Texas,C=US"

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–e encoding_type

Specifies the encoding to use when generating HTTP headers for virtual host junctions. This encoding applies to headers that are generated with both the –c junction option and tag-value. Possible values for encoding are as follows:

utf8_bin

WebSEAL sends the headers in UTF-8.

utf8_uri

WebSEAL sends the headers in UTF-8 but URI also encodes them. This behavior is the default behavior.

lcp_bin

WebSEAL sends the headers in the local code page of the WebSEAL server.

lcp_uri

WebSEAL sends the headers in the local code page of the WebSEAL server, but URI also encodes them.

This option is valid for all junction types except localtcp and localssl.

–f

Forces the replacement (overwrite) of an existing virtual host junction.

This option is used for junctions that were created with the any junction type.

–F "keyfile"

Specifies the name of the keyfile used to encrypt LTPA cookie data.

The –F option requires –A and –Z options. The –A, –F, and –Z options all must be used together.

This option is valid for all junction types except localtcp and localssl.

–g vhost_label

The –g option causes a second additional virtual host junction to share the same protected object space as the initial virtual host junction.

This option is appropriate for junction pairs only (two junctions using complementary protocols). The option does not support the association of more than two junctions.

–H host_name

Specifies the DNS host name or IP address of the proxy server. The –P option also supports proxy server junctions. Valid values for host_name include any valid IP host name. For example:

proxy.www.example.com

This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.

–i

Indicates that the WebSEAL junction does not treat URLs as case-sensitive. To correctly authorize requests for junctions that are not case-sensitive, WebSEAL does the authorization check on a lowercase version of the URL. For example, a Web server that is running on a Windows operating system treats requests for INDEX.HTM and index.htm as requests for the same file.

Junctions to such a Web server should be created with the –i or –w option. ACLs or POPs that are attached to objects beneath the junction point should use the lower case object name. An ACL attached to /junction/index.htm will apply to all of the following requests if the –i or –w option is used:

• /junction/INDEX.HTM
• /junction/index.htm
• /junction/InDeX.HtM

This option is valid for all junction except for the type of localtcp and localssl. Local junctions are not case-sensitive only on Win32 platforms; all other platforms are case-sensitive.

–k

Sends WebSEAL session cookies to the back-end virtual host. By default, cookies are removed from requests that are sent to the server.

This option is valid for all junction types except localtcp and localssl.

–K "key_label"

Specifies the key label of the client-side certificate that WebSEAL should present to the back-end server. Use of this option allows the virtual host to authenticate the WebSEAL server using client certificates.

This option is valid only with junctions that were created with the type of ssl and sslproxy.

–l percent

Defines the soft limit for consumption of worker threads.

This option is valid for all junction types except localtcp and localssl.

–L percent

Defines the hard limit for consumption of worker threads.

This option is valid for all junction types except localtcp and localssl.

–p port

Specifies the TCP port of the back-end third-party server. The default value is 80 for TCP junctions and 443 for SSL junctions.

This option is valid for all junction types except localtcp and localssl.

–P port

Specifies the TCP port number for the HTTP proxy server. The –P option is required when the –H option is used.

This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.

–q path

Required option for back-end Windows™ virtual hosts. Specifies the relative path for the query_contents script. By default, Verify Identity Access looks for the query_contents script in the /cgi_bin directory. If this directory is different or the query_contents file name is renamed, this option will indicate to WebSEAL the new URL to the file.

This option is valid for all junction types except localtcp and localssl.

–r

Inserts the incoming IP address into the HTTP header across the junction.

This option is valid for all junction types except localtcp and localssl.

–R

Allows the request to proceed but provides the rule failure reason to the junction in an HTTP header. If the –R option is not used and a rule failure occurs, WebSEAL will not allow the request to proceed.

This option is valid for all junction types except localtcp and localssl.

–s

Indicates that the virtual host junction support stateful applications. By default, virtual host junctions are not stateful.

This option is valid for all junction types except localtcp and localssl.

–S

Indicates the name of the forms single signon configuration file.

This option is valid for all junction types except localtcp and localssl.

–T {resource | resource_group}

Specifies the name of the GSO resource or resource group. This option is required only when the –b gso option is used.

This option is valid for all junction types except localtcp and localssl.

–u uuid

Specifies the Universally Unique Identifier (UUID) of a back-end server connected to WebSEAL by using a stateful virtual host junction (–s option).

This option is valid for all junction types except localtcp and localssl.

–U "user_name"

Specifies the WebSEAL server user name. This option requires the –B and –W options. WebSEAL uses the BA header information to authenticate to the back-end virtual host and to provide mutual authentication over SSL.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–v vhost_name[:port]

WebSEAL selects a virtual host junction to process a request if the request's HTTP Host header matches the virtual host name and port number specified by the -v option.

The -v option is also used to specify the value of the Host header of the request sent to the back-end server.

The port number is required if the virtual host uses a non-standard port for the protocol. Standard port for TCP is 80; standard port for SSL is 443.

If –v is not specified for tcp, ssl, tcpproxy, and sslproxy type junctions, the junction is selected from the information contained in the –h host and –p port options.

The –v option is required for localtcp and localssl type junctions.

–w

Indicates Microsoft™ Windows file system support. This option provides all of the functionality provided by the –i junction option but disallows requests that contain file names that might be interpreted as Windows file name aliases.

This option is valid for all junction types except localtcp and localssl. Local junctions prohibit URLs that contain Windows file name aliases on Win64 but allow such URLs on other platforms.

–W "password"

Specifies the WebSEAL server password. This option requires the –B and –U options. WebSEAL uses the BA header information to authenticate to the back-end virtual host and to provide mutual authentication over SSL.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–Y

Enables the Federation Runtime single sign-on (SSO) for the junction.

Note: Before using this option, you must first configure the WebSEAL configuration file to support the Federation Runtime single sign-on over junctions.

–z replica_set

Specifies the replica set, as follows:

For distributed session cache environments:

The replica set that sessions on the virtual host junction are managed under and provides the ability to group or separate login sessions among multiple virtual hosts.

For environments that do not use the distributed session cache:

The replica set that sessions on the virtual host junction are managed under and controls the partitioning of the WebSEAL session cache so the virtual host can be part of the same replica set as any standard junction that is assigned to that same replica set through the standard-junction-replica-set entry of the [session] stanza.

–Z keyfile_pwd

Specifies the password of the keyfile used to encrypt LTPA cookie data. This option requires the –A and –F options. The –A, –F, and –Z options all must be used together.

This option is valid for all junction types except localtcp and localssl.

vhost_label

Specifies the label name of the virtual host junction.

–h host_name

Required option for non-local junctions. Specifies the DNS host name or IP address of the target server. This option is valid only for non-local junctions; local junctions do not need a host name. Valid values for host_name include any valid IP host name. For example:

www.example.com

–t type

Required option. Specifies the type of virtual host junction. This option is required and must be one of the following types:

• tcp
• tcpproxy
• ssl
• sslproxy
• localtcp
• localssl

Authorization

Users and groups that require access to this command must be given the s (server administration) permission in the ACL that governs the /WebSEAL/host_name-instance_name/@vhost_label object. For example, the sec_master administrative user has permission by default.

Return codes

0

The command completed successfully. For WebSEAL server task commands, the return code becomes 0 when the command is sent to the WebSEAL server without errors.

Note: Even if the command was successfully sent, the WebSEAL server might not be able to successfully complete the command and can return an error message.

1

The command failed. See "Error messages" in the IBM Knowledge Center which provides a list of the Verify Identity Access error messages by decimal or hexadecimal codes.

See also

server task virtualhost add
server task virtualhost delete
server task virtualhost list
server task virtualhost remove
server task virtualhost show