SecurityConfigurationCommands command group for the AdminTask object

You can use the Jython scripting language to configure security with the wsadmin tool. Use the commands and parameters in the SecurityConfigurationCommands group to configure and manage user registries, single sign-on, data entries, trust association, login modules, and interceptors.

Use the following commands to administer Java™ Authentication and Authorization Service (JAAS) login configurations:
Use the following commands to administer data entry configurations:
Use the following commands to administer Common Secure Interoperability Version 2 (CSIv2) configurations:

configureAdminCustomUserRegistry

The configureAdminCustomUserRegistry command configures a custom user registry in the global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity that the system uses for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
-customRegClass
Specifies the class name that implements the UserRegistry interface in com.ibm.websphere.security property. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminCustomUserRegistry('-autoGenerateServerId true -serverIdPassword password4server 
    -primaryAdminId serverAdmin')
  • Using Jython list:
    AdminTask.configureAdminCustomUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminCustomUserRegistry('-interactive')

configureAdminLDAPUserRegistry

The configureAdminLDAPUserRegistry command configures a Lightweight Directory Access Protocol (LDAP) user registry in the global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-ldapServerType
Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)
Specify one of the following valid values:
  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM
-ldapHost
Specifies the host name of the LDAP server. (String)
-ldapPort
Specifies the port that the system uses to access the LDAP server. The default value is 389. (String)
-baseDN
Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)
-bindDN
Specifies the distinguished name for the application server, which is used to bind to the directory service. (String)
-bindPassword
Specifies the binding DN password for the LDAP server. (String)
[8.5.5.19 or later]-bindAuthMechanism
The bind authentication mechanism for binding to the LDAP server when you search for or modify an LDAP entry. The following values are valid:
  • none - Anonymous bind to the LDAP server.
  • simple - The default, which uses a simple bind distinguished name with a bind password to bind to the LDAP server.
  • GSSAPI - Kerberos authentication enablement, which requires the Kerberos principal name or the Kerberos service principal name to be set.
[8.5.5.19 or later]-krb5Principal
Kerberos principal name or Kerberos service principal name that is used to authenticate with the Key Distribution Center (KDC). The Kerberos principal name is required if the bindAuthMechanism parameter is set to the GSSAPI value.
[8.5.5.19 or later]-krb5TicketCache
The directory location and file name of the Kerberos ticket cache, which is also referred to as the Kerberos credential cache, or ccache file.
[8.5.5.19 or later]-krb5Config
The Kerberos configuration file that contains the client configuration information, including the location of each Key Distribution Centers (KDC) for the realm. This file is used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. The following information gives the default file name and location for the Kerberos configuration file:
  • [IBM i][z/OS][Linux][AIX][Solaris][HP-UX]/etc/krb5.conf
  • [Windows]C:\Windows\krb5.ini
[8.5.5.19 or later]-krb5Keytab
The Kerberos keytab file that contains one or more Kerberos service principal names and keys. This file is also used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the ticket cache is used.
-searchTimeout
Specifies the timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long)
-reuseConnection
Specifies whether the server reuses the LDAP connection. By default, this option is enabled. Specify false for this parameter only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity. (Boolean)
Avoid trouble: When you disable the reuse of the LDAP connection, the application server creates a new LDAP connection for every LDAP search request. This situation impacts system performance if your environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
-userFilter
Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)
-groupFilter
Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)
-userIdMap
Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)
-groupIdMap
Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)
-groupMemberIdMap
Specifies the LDAP filter that identifies users to group memberships. (String)
-certificateMapMode
Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)
-certificateFilter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. (String)
The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The first part of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The second part of the filter specification is one of the public attributes in your client certificate. The second side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the second side of the filter specification. The case of the strings is important:
  • ${UniqueKey}
  • ${PublicKey}
  • ${Issuer}
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectCN}
  • ${Version}
-krbUserFilter
Specifies that the default value is the default user filter for the LDAP server type. (String)
-nestedGroupSearch
Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)
-sslEnabled
Specifies whether to enable Secure Sockets Layer (SSL). Specify true to enable an SSL connection to the LDAP server. (Boolean)
-sslConfig
Specifies the SSL configuration alias to use for the secure LDAP connection. (String)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)
-resetDefaultFilters
Specify true, to reset all of the filter values to the default value of the LDAP server type. The default value for this parameter is false. The LDAP filter attributes reset are: userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap and krbUserFilter. If any of the other filter flags are used to specify a filter value on the command line at the same time resetDefaultFilter is set to true, the filter value specified is used. Any filter not specified on the command line at the time is reset to the default value of the LDAP server type.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminLDAPUserRegistry('-autoGenerateServerId true -serverIdPassword password4server
    -primaryAdminId serverAdmin -ldapServerType NETSCAPE -ldapHost 195.168.1.1')
  • Using Jython list:
    AdminTask.configureAdminLDAPUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin', '-ldapServerType', 'NETSCAPE', '-ldapHost', '195.168.1.1'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminLDAPUserRegistry('-interactive')

configureAdminLocalOSUserRegistry

The configureAdminLocalOSUserRegistry command configures a local operating system user registry in the global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -serverIdPassword password4server
    -primaryAdminId serverAdmin')
  • Using Jython list:
    AdminTask.configureAdminLocalOSUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminLocalOSUserRegistry('-interactive')

configureAdminWIMUserRegistry

The configureAdminWIMUserRegistry command configures a federated repository user registry in the administrative security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminWIMUserRegistry('-autoGenerateServerId true -serverIdPassword password4server
    -primaryAdminId serverAdmin')
  • Using Jython list:
    AdminTask.configureAdminWIMUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminWIMUserRegistry('-interactive')

configureAppCustomUserRegistry

The configureAppCustomUserRegistry command configures a custom user registry in an application security domain.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
-customRegClass
Specifies the class name that implements the UserRegistry interface in com.ibm.websphere.security property. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppCustomUserRegistry('-securityDomainName testDomain -realmName server_name.domain:port_number')
    [z/OS]
    AdminTask.configureAppCustomUserRegistry('-securityDomainName testDomain -realmName server_name.domain:port_number
    -ignoreCase true')
  • Using Jython list:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppCustomUserRegistry(['-securityDomainName', 'testDomain', '-realmName',
    'server_name.domain:port_number'])
    [z/OS]
    AdminTask.configureAppCustomUserRegistry(['-securityDomainName', 'testDomain', '-realmName',
    'server_name.domain:port_number', '-ignoreCase true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppCustomUserRegistry('-interactive')

configureAppLDAPUserRegistry

The configureAppLDAPUserRegistry command configures LDAP user registries in a security configuration or a global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-ldapServerType
Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)
Specify one of the following valid values:
  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM
-ldapHost
Specifies the host name of the LDAP server. (String)
-ldapPort
Specifies the port that the system uses to access the LDAP server. The default value is 389. (String)
-baseDN
Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)
-bindDN
Specifies the distinguished name for the application server, which is used to bind to the directory service. (String)
-bindPassword
Specifies the binding DN password for the LDAP server. (String)
[8.5.5.19 or later]-bindAuthMechanism
The bind authentication mechanism for binding to the LDAP server when you search for or modify an LDAP entry. The following values are valid:
  • none - Anonymous bind to the LDAP server.
  • simple - The default, which uses a simple bind distinguished name with a bind password to bind to the LDAP server.
  • GSSAPI - Kerberos authentication enablement, which requires the Kerberos principal name or the Kerberos service principal name to be set.
[8.5.5.19 or later]-krb5Principal
Kerberos principal name or Kerberos service principal name that is used to authenticate with the Key Distribution Center (KDC). The Kerberos principal name is required if the bindAuthMechanism parameter is set to the GSSAPI value.
[8.5.5.19 or later]-krb5TicketCache
The directory location and file name of the Kerberos ticket cache, which is also referred to as the Kerberos credential cache, or ccache file.
[8.5.5.19 or later]-krb5Config
The Kerberos configuration file that contains the client configuration information, including the location of each Key Distribution Centers (KDC) for the realm. This file is used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. The following information gives the default file name and location for the Kerberos configuration file:
  • [IBM i][z/OS][Linux][AIX][Solaris][HP-UX]/etc/krb5.conf
  • [Windows]C:\Windows\krb5.ini
[8.5.5.19 or later]-krb5Keytab
The Kerberos keytab file that contains one or more Kerberos service principal names and keys. This file is also used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the ticket cache is used.
-searchTimeout
Specifies the timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long Integer)
-reuseConnection
Specifies whether the server reuses the LDAP connection. By default, this option is enabled. Specify false for this parameter only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity. (Boolean)
Avoid trouble: When you disable the reuse of the LDAP connection, the application server creates a new LDAP connection for every LDAP search request. This situation impacts system performance if your environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
-userFilter
Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)
-groupFilter
Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)
-userIdMap
Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)
-groupIdMap
Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)
-groupMemberIdMap
Specifies the LDAP filter that identifies users to group memberships. (String)
-certificateMapMode
Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)
-certificateFilter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. (String)
The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The first part of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The second part of the filter specification is one of the public attributes in your client certificate. The second side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the second side of the filter specification. The case of the strings is important:
  • ${UniqueKey}
  • ${PublicKey}
  • ${Issuer}
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectCN}
  • ${Version}
-krbUserFilter
Specifies the default value is the default user filter for the LDAP server type. (String)
-nestedGroupSearch
Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)
-sslEnabled
Specifies whether to enable Secure Sockets Layer (SSL). Specify true to enable an SSL connection to the LDAP server. (Boolean)
-sslConfig
Specifies the SSL configuration alias to use for the secure LDAP connection. (String)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)
-resetDefaultFilters
Specify true, to reset all of the filter values to the default value of the LDAP server type. The default value for this parameter is false. The LDAP filter attributes reset are: userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap and krbUserFilter. If any of the other filter flags are used to specify a filter value on the command line at the same time resetDefaultFilter is set to true, the filter value specified is used. Any filter not specified on the command line at the time is reset to the default value of the LDAP server type.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAppLDAPUserRegistry('-securityDomainName testDomain -ldapServerType NETSCAPE -ldapHost
    195.168.1.1 -searchTimeout 300') 
  • Using Jython list:
    AdminTask.configureAppLDAPUserRegistry(['-securityDomainName', 'testDomain', '-ldapServerType',
    'NETSCAPE', '-ldapHost', '195.168.1.1', '-searchTimeout', '300'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppLDAPUserRegistry('-interactive')

configureAppLocalOSUserRegistry

The configureAppLocalOSUserRegistry command configures a local operating system user registry in a security domain.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppLocalOSUserRegistry('-securityDomainName testDomain')
    [z/OS]
    AdminTask.configureAppLocalOSUserRegistry('-securityDomainName testDomain -ignoreCase true')
  • Using Jython list:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppLocalOSUserRegistry(['-securityDomainName', 'testDomain'])
    [z/OS]
    AdminTask.configureAppLocalOSUserRegistry(['-securityDomainName', 'testDomain', '-ignoreCase', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppLocalOSUserRegistry('-interactive')

configureAppWIMUserRegistry

The configureAppWIMUserRegistry command configures federated repository user registries in a security domain.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)
-useGlobalFederatedRepository
Specifies whether to use the same instance of federated repository for the domain as is defined in the global domain. Specify true to use the same instance as defined in the global domain. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAppWIMUserRegistry('-securityDomainName testDomain -realmName testRealm')
  • Using Jython list:
    AdminTask.configureAppWIMUserRegistry(['-securityDomainName', 'testDomain', '-realmName', 'testRealm'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppWIMUserRegistry('-interactive')

getLTPATimeout

The getLTPATimeout command displays the number of seconds that the system waits before the LTPA request reaches timeout.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns the number of seconds that the server waits before the LTPA request is cancelled.

Batch mode example usage

  • Using Jython string:
    AdminTask.getLTPATimeout('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getLTPATimeout(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getLTPATimeout('-interactive')

setLTPATimeout

The setLTPATimeout command sets the amount of time that the system waits before the LTPA request becomes invalid.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-timeout
Specifies the amount of time, in seconds, before the request times out. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.setLTPATimeout('-timeout 120')
  • Using Jython list:
    AdminTask.setLTPATimeout(['-timeout', '120'])

Interactive mode example usage

  • Using Jython:
    AdminTask.setLTPATimeout('-interactive')

getUserRegistryInfo

The getUserRegistryInfo command displays information about a user registry in a security domain or in the global security configuration. If you do not specify a value for the -userRegistryType parameter, the command returns the active user registry information.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-userRegistryType
Specifies the type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegisty for local operating system user registries. (String)

Return value

The command returns configuration information in the form of attribute and value pairs for the user registry object of interest.

Batch mode example usage

  • Using Jython string:
    AdminTask.getUserRegistryInfo('-securityDomainName testDomain -userRegistryType LDAPUserRegistry')
  • Using Jython list:
    AdminTask.getUserRegistryInfo(['-securityDomainName', 'testDomain', '-userRegistryType', 'LDAPUserRegistry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getUserRegistryInfo('-interactive')

unconfigureUserRegistry

The unconfigureUserRegistry command modifies the user registry. For a global security configuration, the command reduces the user registry to the minimum registry values. For application-level security, the command removes the user registry from the security domain of interest.

Target object

None.

Required parameters

-userRegistryType
Specifies the type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegisty for local operating system user registries. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureUserRegistry('-userRegistryType WIMUserRegistry -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureUserRegistry(['-userRegistryType', 'WIMUserRegistry', '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureUserRegistry('-interactive')

configureJAASLoginEntry

The configureJAASLoginEntry command configures a Java Authentication and Authorization Service (JAAS) login entry in a security domain or in the global security configuration. You can use this command to modify existing JAAS login entries or to create new login entries.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. If you do not specify a security domain name, the system updates the global security configuration. (String)
-loginModules
Specifies a comma (,) separated list of login module class names. Specify the list in the order that the system calls them. (String)
-authStrategies
Specifies a comma-separated list of authentication strategies that sets the authentication behavior as authentication proceeds down the list of login modules. You must specify one authentication strategy for each login module. (String)
Specify one or many of the following values in a comma (,) separated list:
  • REQUIRED

    Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

  • REQUISITE

    Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

  • SUFFICIENT

    Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

  • OPTIONAL

    Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureJAASLoginEntry('[-loginType application -loginEntryAlias JAASLoginEntry1 -authStrategies "
    REQUIRED,REQUISITE"]')
  • Using Jython list:
    AdminTask.configureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-authStrategies',
    'REQUIRED,REQUISITE'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureJAASLoginEntry('-interactive')

configureLoginModule

The configureLoginModule command modifies an existing login module or creates a new login module on an existing JAAS login entry in the global security configuration or in a security domain.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)
-loginModule
Specifies the name of the login module. (String)

Optional parameters

-newModule
Specifies that you want a new login module to have the same class name as a previously configured login module. (Boolean)
For example, if you issued the following command to configure a login module for a given login entry:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias                                                        
TestLogin -loginModule                                                  
com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl') 

You can issue the following command to configure another login module with the same class name:

wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias                                                        
TestLogin -loginModule                                                  
com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl' -newModule true') 

The login entry now contains two login modules that use the same class name.

-modifyModule
Specifies that you want multiple login modules with the same class name to be modified. (Integer)

For example, if you issued the following command:

wsadmin>AdminTask.configureLoginModule('-loginType application       
-loginEntryAlias                                                        
TestLogin -loginModule                                                  
com.ibm.ws.security.common.auth.module.WSClientLoginModul               
eImpl -modifyModule 2 -authStrategy OPTIONAL')

The second login module in the TestLogin entry is modified with the OPTIONAL flag.

-securityDomainName
Specifies the name of the security configuration. (String)
-useLoginModuleProxy
Specifies that the JAAS loads the login module proxy class. JAAS then delegates calls to the login module classes that are defined in the Module class name field. Specify true to use the login module proxy. (Boolean)
-authStrategy
Specifies the authentication behavior as authentication proceeds down the list of login modules. (String)
Specify one of the following values:
  • REQUIRED

    Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

  • REQUISITE

    Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

  • SUFFICIENT

    Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

  • OPTIONAL

    Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureLoginModule('-loginType application -loginEntryAlias JAASLoginEntry1 -loginModule class1')
  • Using Jython list:
    AdminTask.configureLoginModule(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-loginModule',
    'class1'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureLoginModule('-interactive')

getJAASLoginEntryInfo

The getJAASLoginEntryInfo command displays configuration for a specific JAAS login entry.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains configuration information for the JAAS login entry of interest.

Batch mode example usage

  • Using Jython string:
    AdminTask.getJAASLoginEntryInfo('-loginType application -loginEntryAlias JAASLoginEntry -securityDomainName
    testDomain')
  • Using Jython list:
    AdminTask.getJAASLoginEntryInfo(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry', '-securityDomainName',
    'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getJAASLoginEntryInfo('-interactive')

listJAASLoginEntries

The listJAASLoginEntries command displays each defined JAAS login modules for given type in a security domain or the global security configuration.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array of attribute lists that contain the login entries for the login type of interest.

Batch mode example usage

  • Using Jython string:
    AdminTask.listJAASLoginEntries('-loginType application -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.listJAASLoginEntries(['-loginType', 'application','-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listJAASLoginEntries('-interactive')

listLoginModules

The listLoginModules command displays the class names and associated options for a specific JAAS login module in a security domain or in the global security configuration.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array that contains the login modules in a specific login entry.

Batch mode example usage

  • Using Jython string:
    AdminTask.listLoginModules('-loginType system -loginEntryAlias JAASLoginEntry')
  • Using Jython list:
    AdminTask.listLoginModules(['-loginType', 'system', '-loginEntryAlias', 'JAASLoginEntry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listLoginModules('-interactive')

unconfigureJAASLoginEntry

The unconfigureJAASLoginEntry command removes a JAAS login entry from the global security configuration or a security domain. You cannot remove all login entries. The command returns an error if it cannot remove the login entry of interest.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureJAASLoginEntry('-loginType application -loginEntryAlias myLoginEntry')
  • Using Jython list:
    AdminTask.unconfigureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'myLoginEntry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureJAASLoginEntry('-interactive')

unconfigureLoginModule

The unconfigureLoginModule command removes a login module class from a login module entry.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)
-loginModule
Specifies the name of the login module class to remove from the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureLoginModule('-loginType system -loginEntryAlias systemLoginEntry -loginModule moduleClass')
  • Using Jython list:
    AdminTask.unconfigureLoginModule(['-loginType', 'system', '-loginEntryAlias', 'systemLoginEntry', '-loginModule',
    'moduleClass'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureLoginModule('-interactive')

createAuthDataEntry

The createAuthDataEntry command creates an authentication data entry for a J2EE Connector architecture (J2C) connector in the global security or security domain configuration.

By default when configuring authentication data entries in Global security, the node name is added to the name of the entry. To stop the node name from being added, the com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal security property can be set to true using the setAdminActiveSecuritySettings task.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)
-user
Specifies the J2C authentication data user ID. (String)
-password
Specifies the password to use for the target enterprise information system (EIS). (String)

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The application server uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-description
Specifies a description of the authentication data entry. (String)

Return value

The command returns the object name of the new authentication data entry object.

Batch mode example usage

  • Using Jython string:
    AdminTask.createAuthDataEntry('-alias dataEntry1 -user userID -password userIDpw')
  • Using Jython list:
    AdminTask.createAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID', '-password', 'userIDpw'])

Interactive mode example usage

  • Using Jython:
    AdminTask.createAuthDataEntry('-interactive')

deleteAuthDataEntry

The deleteAuthDataEntry command removes an authentication data entry for a J2C connector in a global security or security domain configuration.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The application server uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.deleteAuthDataEntry('-alias dataEntry1')
  • Using Jython list:
    AdminTask.deleteAuthDataEntry(['-alias', 'dataEntry1'])

Interactive mode example usage

  • Using Jython:
    AdminTask.deleteAuthDataEntry('-interactive')

getAuthDataEntry

The getAuthDataEntry command displays information about an authentication data entry for the J2C connector in the global security configuration or for a specific security domain.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains the authentication data entry attributes and values.

Batch mode example usage

  • Using Jython string:
    AdminTask.getAuthDataEntry('-alias authDataEntry1 -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getAuthDataEntry(['-alias', 'authDataEntry1', '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getAuthDataEntry('-interactive')

listAuthDataEntries

The listAuthDataEntries command displays each authentication data entry in the global security configuration or in a security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array of attribute lists for each authentication data entry.

Batch mode example usage

  • Using Jython string:
    AdminTask.listAuthDataEntries('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.listAuthDataEntries(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listAuthDataEntries('-interactive')

modifyAuthDataEntry

The modifyAuthDataEntry command modifies an authentication data entry for a J2C connector in the global security or security domain configuration.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-user
Specifies the J2C authentication data user ID. (String)
-password
Specifies the password to use for the target enterprise information system (EIS). (String)
-description
Specifies a description for the authentication data entry. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.modifyAuthDataEntry('-alias dataEntry1 -user userID1 -password newPassword')
  • Using Jython list:
    AdminTask.modifyAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID1', '-password', 'newPassword'])

Interactive mode example usage

  • Using Jython:
    AdminTask.modifyAuthDataEntry('-interactive')

clearAuthCache

The clearAuthCache command purges the entire security authentication cache of the associated security domain.

Target object

None.

Optional parameters

-securityDomainId
Specifies the unique identifier for the security domain. If no security domain ID is specified, the authentication cache of the admin domain is cleared. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.clearAuthCache('-securityDomainId descurity_domain_id')
  • Using Jython list:
    AdminTask.clearAuthCache(['-securityDomainId', 'security_domain_id', '-user', 'userID1', '-password', 'newpassword'])

Interactive mode example usage

  • Using Jython:
    AdminTask.clearAuthCache('-interactive')

purgeUserFromAuthCache

The purgeUserFromAuthCache command removes a user from the security authentication cache associated with a security domain.

Avoid trouble: The purgeUserFromAuthCache command does not log the user out of an already established application session.

Target object

None.

Required parameters

-user
Specifies the user Id associated with an authentication cache data entry (String)

Optional parameters

-securityDomainID
Specifies the unique identifier of the security domain. If no security domain ID is specified, the authentication cache of admin domain is cleared. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.purgeUserFromAuthCache('-user userID1 -securityDomainId security_domain_id')
  • Using Jython list:
    AdminTask.purgeUserFromAuthCache(['-user' 'userID1 ', 'securityDomainId', 'security_domain_id1', '-user', 'userID2', '-password', 'newPassword'])

Interactive mode example usage

  • Using Jython:
    AdminTask.purgeUserFromAuthCache('-interactive')

configureCSIInbound

The configureCSIInbound command configures CSIv2 inbound authentication on a security domain or on the global security configuration. When configuring CSI inbound authentication in a security domain for the first time, the CSI objects are copied from global security so that any changes to that configuration are applied.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. If one is not provided the task will work on the global security user registry configuration. (String)
-messageLevelAuth
Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)
-supportedAuthMechList
Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use your own authentication token implementation. You can specify more then one in a space-separated list. (String)
-clientCertAuth
Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)
-transportLayer
Specifies the transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)
-sslConfiguration
Specifies the SSL configuration alias to use for inbound transport. (String)
-enableIdentityAssertion
Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)
-trustedIdentities
Specifies a list of trusted server identities, separated by the pipe character (|). To specify a null value, set the value of the -trustedIdentities parameter as an empty string (""). (String)
-statefulSession
Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)
-enableAttributePropagation
Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated Subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureCSIInbound('[-securityDomainName testDomain -messageLevelAuth Required
    -supportedAuthMechList "KRB5 LTPA"]')
  • Using Jython list:
    AdminTask.configureCSIInbound(['-securityDomainName', 'testDomain', '-messageLevelAuth', 'Required',
    '-supportedAuthMechList', 'KRB5 LTPA'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureCSIInbound('-interactive')

configureCSIOutbound

The configureCSIOutbound command configures the CSIv2 outbound authentication in a security domain or in the global security configuration. When configuring CSI Outbound in a security domain for the first time, the application server copies the CSI objects from global security. Then, the application server applies the changes to that configuration from the command.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. (String)
-enableAttributePropagation
Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated Subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean)
-enableIdentityAssertion
Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)
-useServerIdentity
Specifies whether to use the server identity to establish trust with the target server. Specify true to use the server identity. (Boolean)
-trustedId
Specifies the trusted identity that the application server uses to establish trust with the target server. (String)
-trustedIdentityPassword
Specifies the password of the trusted server identity. (String)
-messageLevelAuth
Specifies whether clients connecting to this server must specify a user ID and password. Specify includeNever to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)
-supportedAuthMechList
Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use your own authentication token implementation. You can specify more then one in a space-separated list. (String)
-clientCertAuth
Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)
-transportLayer
Specifies the transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)
-sslConfiguration
Specifies the SSL configuration alias to use for inbound transport. (String)
-statefulSession
Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)
-enableOutboundMapping
Specifies whether to enable custom outbound identity mapping. Specify true to enable custom outbound identity mapping. (Boolean)
-trustedTargetRealms
Specifies a list of target realms to trust. Separate each realm name with the pipe character (|). (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureCSIOutbound('-securityDomainName testDomain -useServerIdentity true -messageAuthLevel
    Supported')
  • Using Jython list:
    AdminTask.configureCSIOutbound(['-securityDomainName', 'testDomain', '-useServerIdentity', 'true',
    '-messageAuthLevel', 'Supported'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureCSIOutbound('-interactive')

getCSIInboundInfo

The getCSIInboundInfo command displays information about the Common Secure Interoperability (CSI) inbound settings for the global security configuration or for a security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-displayModel
Specifies the output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)

Return value

The command returns an attribute list of the attributes and values of the CSI inbound object.

Batch mode example usage

  • Using Jython string:
    AdminTask.getCSIInboundInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getCSIInboundInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getCSIInboundInfo('-interactive')

getCSIOutboundInfo

The getCSIOutboundInfo command displays information for the CSI outbound settings for the global security configuration or for a security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-displayModel
Specifies the output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)

Return value

The command returns an attribute list that contains the attributes and values of the CSI outbound configuration.

Batch mode example usage

  • Using Jython string:
    AdminTask.getCSIOutboundInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getCSIOutboundInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getCSIOutboundInfo('-interactive')

unconfigureCSIInbound

The unconfigureCSIInbound command removes the CSI inbound information from a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureCSIInbound('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureCSIInbound(['securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureCSIInbound('-interactive')

unconfigureCSIOutbound

The unconfigureCSIOutbound command removes the CSI outbound information from a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureCSIOutbound('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureCSIOutbound(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureCSIOutbound('-interactive')

configureInterceptor

The configureInterceptor command modifies an existing interceptor or creates an interceptor if one does not exist.

Target object

None.

Required parameters

-interceptor
Specifies the trust association interceptor class name. (String)

Optional parameters

-securityDomainName
Specifies the name of the security domain. If you do not specify a security domain, the command assigns the global security configuration. (String)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
    -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.configureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus',
    '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureInterceptor('-interactive')

configureTrustAssociation

The configureTrustAssociation command enables or disable the trust association. If the security domain does not have a trust association defined, the application server copies each trust association and its interceptors from the global security configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. (String)
-enable
Specifies whether to enable trust association to act as a reverse proxy server. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureTrustAssociation('-securityDomainName testDomain -enable true')
  • Using Jython list:
    AdminTask.configureTrustAssociation(['-securityDomainName', 'testDomain', '-enable', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureTrustAssociation('-interactive')

getTrustAssociationInfo

The getTrustAssociationInfo command displays configuration information for trust association.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains attributes and values for trust association.

Batch mode example usage

  • Using Jython string:
    AdminTask.getTrustAssociationInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getTrustAssociationInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getTrustAssociationInfo('-interactive')

listInterceptors

The listInterceptors command displays the trust association interceptors that are configured in the global security or security domain configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array list of each interceptor and the associated custom properties.

Batch mode example usage

  • Using Jython string:
    AdminTask.listInterceptors('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.listInterceptors(['securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listInterceptors('-interactive')

unconfigureInterceptor

The unconfigureInterceptor command removes a trust association interceptor from the global security configuration or from a security domain.

Target object

None.

Required parameters

-interceptor
Specifies the trust association interceptor class name. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
    -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus',
    '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureInterceptor('-interactive')

unconfigureTrustAssociation

The unconfigureTrustAssociation command removes the trust association object from a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureTrustAssociation('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureTrustAssociation(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureTrustAssociation('

applyWizardSettings

The applyWizardSettings command can be used to automate the global security configuration.

Target object

None.

Optional parameters

-secureApps
Specifies to secure applications.
-secureLocalResources
Specifies to secure local resources such as data sets and MVS™ commands.
-userRegistryType
Specifies whether the user is a user, a group, or a group member.
-ldapServerType
Specifies the type of LDAP server that is being used. The default value is IDS51.
Specify one of the following valid values:
  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM
-ldapHostName
Specifies the LDAP host name.
-ldapPort
Specifies the LDAP port name.
-ldapBaseDN
Specifies the LDAP base dynamic member attribute.
-ldapBindDN
Dynamically updates LDAP binding information.
-ldapBindPassword
Dynamically updates LDAP binding password information.
-adminName
Refers to the name of an administrator account on the remote target machine.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.applyWizardSettings('[-secureApps true -secureLocalResources false 
    -userRegistryType LDAPUserRegistry -ldapServerType IBM_DIRECTORY_SERVER 
    -ldapHostName '+ldapServer+' -ldapPort 389 -ldapBaseDN o=ibm,c=us -ldapBindDN 
    cn=root -ldapBindPassword a1x4meok -adminName '+adminUsername+' ]'))

configureAuthzConfig

The configureAuthzConfig command configures an external Java Authorization Contract for Containers (JACC) authorization provider in a security domain or the global security configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. (String)
-useJACCProvider
Specifies whether to use a JACC provider. Specify true to use a JACC provider. (Boolean)
-name
Specifies the name of the JACC provider to use. (String)
-description
Specifies a description of the JACC provider. (String)
-j2eePolicyImplClassName
Specifies the class name of an implementation class that represents the javax.security.jacc.policy.provider property according to the specification. (String)
-policyConfigurationFactoryImplClassName
Specifies the class name of an implementation class that represents the javax.security.jacc.PolicyConfigurationFactory.provider property. (String)
-roleConfigurationFactoryImplClassName
Specifies the class name of an implementation class that implements the com.ibm.wsspi.security.authorization.RoleConfigurationFactory interface. (String)
-requiresEJBArgumentsPolicyContextHandler
Specifies whether policy providers require the Enterprise JavaBeans arguments policy context handler to make access decisions. Specify true to enable this option. (Boolean)
-initializeJACCProviderClassName
Specifies the class name of an implementation class that implements the com.ibm.wsspi.security.authorization.IntializeJACCProvider interface.(String)
-supportsDynamicModuleUpdates
Specifies whether the provider supports dynamic changes to the web modules. Specify true to enable this option. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAuthzConfig('[-securityDomainName testDomain -useJACCProvider true -name
    testProvider -description "JACC provider for testing"]')
  • Using Jython list:
    AdminTask.configureAuthzConfig(['-securityDomainName', 'testDomain', '-useJACCProvider', 'true', '-name',
    'testProvider', '-description', 'JACC provider for testing'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAuthzConfig('-interactive')

configureSingleSignon

The configureSingleSignon command configures a single sign-on object in global security.

Target object

None.

Optional parameters

-enable
Specifies whether to enable single sign-on. Specify true to enable single sign-on, or false to disable single sign-on. (Boolean)
-requiresSSL
Specifies whether single sign-on requests send through HTTPS. Specify true to enable this option. (Boolean)
-domainName
Specifies the domain name that contains a set of hosts to which the single sign-on applies. (String)
-interoperable
Specifies interoperability options. Specify true to send an interoperable cookie to the browser to support back-level servers. Specify false disable the sending of interoperable cookies. (Boolean)
-attributePropagation
Specifies whether to enable inbound security attribute propagation. Specify true to enable web inbound security attribution propagation. Specify false to use the single sign-on token to log in and recreate the Subject from the user registry. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureSingleSignon('-enable true -domainName mycompany.com')
  • Using Jython list:
    AdminTask.configureSingleSignon(['-enable', 'true', '-domainName', 'mycompany.com'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureSingleSignon('-interactive')

getActiveSecuritySettings

The getActiveSecuritySettings command displays the active security settings for global security or a specific security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns the active security settings for the security domain of interest or the global security configuration, which includes the following settings:
  • cacheTimeout
  • issuePermissionWarning
  • activeAuthMechanism
  • enforceJava2Security
  • appSecurityEnabled
  • enableGlobalSecurity (global security only)
  • adminPreferredAuthMech (global security only)
  • activeAuthMechanism (global security only)
  • activeUserRegistry
  • enforceFineGrainedJCASecurity
  • dynUpdateSSLConfig (global security only)
  • useDomainQualifiedUserNames
  • customProperties

Batch mode example usage

  • Using Jython string:
    AdminTask.getActiveSecuritySettings('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getActiveSecuritySettings(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getActiveSecuritySettings('-interactive')

getAuthzConfigInfo

The getAuthzConfigInfo command displays information about an external JACC authorization provider in a security domain or the global security configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains the attributes and values that are associated with the JACC authorization provider.

Batch mode example usage

  • Using Jython string:
    AdminTask.getAuthzConfigInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getAuthzConfigInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getAuthzConfigInfo('-interactive')

getSingleSignon

The getSingleSignon command displays configuration information about the single sign-on object as defined in the global security configuration.

Target object

None.

Optional parameters

None.

Return value

The command returns an attribute list that contains the attributes and values of the single sign-on configuration.

Batch mode example usage

  • Using Jython:
    AdminTask.getSingleSignon()

Interactive mode example usage

  • Using Jython:
    AdminTask.getSingleSignon('-interactive')
[z/OS]

isSAFVersionValidForIdentityMapping

The isSAFVersionValidForIdentityMapping command returns a Boolean indicating if the z/OS® security product supports SAF identity mapping. The command returns false on distributed platforms. The server that the wsadmin client is connected to must be active when issuing this command.

Target object

None.

Optional parameters

None.

Return value

The command returns a Boolean indicating if the z/OS security product supports SAF identity mapping. The command returns false on all platforms other than z/OS.

Example usage

AdminTask.isSAFVersionValidForIdentityMapping()

setAdminActiveSecuritySettings

The setAdminActiveSecuritySettings command sets the active security settings on the global security object.

Avoid trouble: To set the security settings for a security domain, see the setAppActiveSecuritySettings command.

Target object

None.

Optional parameters

-enableGlobalSecurity
Specifies whether to enable global security. Specify true to enable global security, or specify false to disable global security. (Boolean)
-cacheTimeout
Specifies the amount of time, in seconds, before authentication data becomes invalid. (Integer)
-issuePermissionWarning
Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)
-enforceJava2Security
Specifies whether to enable Java Platform, Enterprise Edition (Java EE) security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)
-enforceFineGrainedJCASecurity
Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)
-appSecurityEnabled
Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)
-dynUpdateSSLConfig
Specifies whether to dynamically update SSL configuration changes. Specify true to update SSL configuration changes dynamically, or specify false to update the SSL configuration when the server starts. (Boolean)
-activeAuthMechanism
Specifies the active authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)
-adminPreferredAuthMech
Specifies the preferred authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)
-activeUserRegistry
Specifies the active user registry for the server. (String)
Specify one of the following values:
CustomUserRegistry
This option enables you to specify a custom user registry as the active user registry for the server.
LDAPUserRegistry
This option enables you to specify an LDAP user registry as the active user registry for the server.
LocalOSUserRegistry
This option enables you to specify the local operating system user registry as the active user registry for the server.
WIMUserRegistry
This option enables you to specify a federated repository as the active user registry for the server.
-useDomainQualifiedUserNames
Specifies the type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.setAdminActiveSecuritySettings('-enableGlobalSecurity true -cacheTimeout 300
    -enforceJava2Security true -appSecurityEnabled true -activeUserRegistry LDAPUserRegistry')
  • Using Jython list:
    AdminTask.setAdminActiveSecuritySettings(['-enableGlobalSecurity', 'true', '-cacheTimeout', 
    '300', '-enforceJava2Security', 'true', '-appSecurityEnabled', 'true' '-activeUserRegistry', 
    'LDAPUserRegistry])

Interactive mode example usage

  • Using Jython:
    AdminTask.setAdminActiveSecuritySettings('-interactive')

setAppActiveSecuritySettings

The setAppActiveSecuritySettings command sets the active security settings on a security domain.

Avoid trouble: To set the security settings for global security, see the setAdminActiveSecuritySettings command.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Optional parameters

-cacheTimeout
Specifies the amount of time, in seconds, before authentication data becomes invalid. (Integer)
-issuePermissionWarning
Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)
-enforceJava2Security
Specifies whether to enable Java Platform, Enterprise Edition (Java EE) security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)
-enforceFineGrainedJCASecurity
Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)
-appSecurityEnabled
Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)
-activeUserRegistry
Specifies the active user registry for the server. (String)
-useDomainQualifiedUserNames
Specifies the type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: "attr1=value1","attr2=value2" (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.setAppActiveSecuritySettings('-securityDomainName testDomain -issuePermissionWarning false
    -enforceFineGrainedJCASecurity true')
  • Using Jython list:
    AdminTask.setAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-issuePermissionWarning',
    'false', '-enforceFineGrainedJCASecurity', 'true'])
    Interactive mode example usage
  • Using Jython:
    AdminTask.setAppActiveSecuritySettings('-interactive')

unconfigureAuthzConfig

The unconfigureAuthzConfig command removes an external JACC authorization provider from the global security configuration or a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureAuthzConfig('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureAuthzConfig(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureAuthzConfig('-interactive')

unsetAppActiveSecuritySettings

The unsetAppActiveSecuritySettings command removes an attribute from the global security configuration or a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Optional parameters

-unsetAppSecurityEnabled
Specifies whether to remove the attribute that enables application security. Specify true to remove the attribute. (Boolean)
-unsetActiveUserRegistry
Specifies whether to remove the active user registry attribute. Specify true to remove the attribute. (Boolean)
-unsetUseDomainQualifiedUserNames
Specifies whether to remove the user domain qualified user names attribute. Specify true to remove the attribute. (Boolean)
-unsetEnforceJava2Security
Specifies whether to remove the Java EE security attribute. Specify true to remove the attribute. (Boolean)
-unsetEnforceFineGrainedJCASecurity
Specifies whether to remove the fine-grained JCA security attribute. Specify true to remove the attribute. (Boolean)
-unsetIssuePermissionWarning
Specifies whether to remove the attribute that issues user permission warnings. Specify true to remove the attribute. (Boolean)
-unsetCacheTimeout
Specifies whether to remove the cache timeout attribute. Specify true to remove the attribute. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unsetAppActiveSecuritySettings('-securityDomainName testDomain -unsetAppSecurityEnabled true
    -unsetPermissionWarning true')
  • Using Jython list:
    AdminTask.unsetAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-unsetAppSecurityEnabled',
    'true', '-unsetPermissionWarning', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unsetAppActiveSecuritySettings('-interactive')