SecurityConfigurationCommands command group for the AdminTask object

You can use the Jython scripting language to configure security with the wsadmin tool. Use the commands and parameters in the SecurityConfigurationCommands group to configure and manage user registries, single sign-on, data entries, trust association, login modules, and interceptors.


configureAdminCustomUserRegistry

The configureAdminCustomUserRegistry command configures a custom user registry in the global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity that the system uses for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
-customRegClass
Specifies the name of the class that implements the com.ibm.websphere.security.UserRegistry interface. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminCustomUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
  • Using this Jython string demonstrates:
    • That the interceptor doesn't have to be one that is delivered with WebSphere.
    • The use of all three properties together.
    • How to contain a list in the string.
    • That even if you have only one property in the -customProperties value, it still has to be specified as a list.
  • Using Jython list:
    AdminTask.configureAdminCustomUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminCustomUserRegistry('-interactive')

configureAdminLDAPUserRegistry

The configureAdminLDAPUserRegistry command configures a Lightweight Directory Access Protocol (LDAP) user registry in the global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-ldapServerType
Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)
Specify one of the following valid values:
  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM
-ldapHost
Specifies the host name of the LDAP server. (String)
-ldapPort
Specifies the port that the system uses to access the LDAP server. The default value is 389. (String)
-baseDN
Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)
-bindDN
Specifies the distinguished name for the application server, which is used to bind to the directory service. (String)
-bindPassword
Specifies the binding DN password for the LDAP server. (String)
[8.5.5.19 or later]-bindAuthMechanism
The bind authentication mechanism for binding to the LDAP server when you search for or modify an LDAP entry. The following values are valid:
  • none - Anonymous bind to the LDAP server.
  • simple - The default, which uses a simple bind distinguished name with a bind password to bind to the LDAP server.
  • GSSAPI - Kerberos authentication enablement, which requires the Kerberos principal name or the Kerberos service principal name to be set.
[8.5.5.19 or later]-krb5Principal
Kerberos principal name or Kerberos service principal name that is used to authenticate with the Key Distribution Center (KDC). The Kerberos principal name is required if the bindAuthMechanism parameter is set to the GSSAPI value.
[8.5.5.19 or later]-krb5TicketCache
The directory location and file name of the Kerberos ticket cache, which is also referred to as the Kerberos credential cache, or ccache file.
[8.5.5.19 or later]-krb5Config
The Kerberos configuration file that contains the client configuration information, including the location of each Key Distribution Center (KDC) for the realm. This file is used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. The following information gives the default file name and location for the Kerberos configuration file:
  • [Linux][AIX][z/OS][HP-UX][IBM i][Solaris]/etc/krb5.conf
  • [Windows]C:\Windows\krb5.ini
[8.5.5.19 or later]-krb5Keytab
The Kerberos keytab file that contains one or more Kerberos service principal names and keys. This file is also used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the ticket cache is used.
-searchTimeout
Specifies the timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long)
-reuseConnection
Specifies whether the server reuses the LDAP connection. By default, this option is enabled. Specify false for this parameter only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity. (Boolean)
Avoid trouble: When you disable the reuse of the LDAP connection, the application server creates a new LDAP connection for every LDAP search request. This situation impacts system performance if your environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
-userFilter
Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)
-groupFilter
Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)
-userIdMap
Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)
-groupIdMap
Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)
-groupMemberIdMap
Specifies the LDAP filter that identifies users to group memberships. (String)
-certificateMapMode
Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)
-certificateFilter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. (String)
The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The first part of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The second part of the filter specification is one of the public attributes in your client certificate. The second side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the second side of the filter specification. The case of the strings is important:
  • ${UniqueKey}
  • ${PublicKey}
  • ${Issuer}
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectCN}
  • ${Version}
-krbUserFilter
Specifies the Kerberos user filter. The default value is the default user filter for the LDAP server type. (String)
-nestedGroupSearch
Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)
-sslEnabled
Specifies whether to enable Secure Sockets Layer (SSL). Specify true to enable an SSL connection to the LDAP server. (Boolean)
-sslConfig
Specifies the SSL configuration alias to use for the secure LDAP connection. (String)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
-resetDefaultFilters
Specify true to reset all of the filter values to the default values for the LDAP server type. The default value for this parameter is false. The LDAP filter attributes that are reset are: userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap, and krbUserFilter. If any of the other filter parameters specify a filter value on the command line while resetDefaultFilters is set to true, the specified filter value is used. Any filter that is not specified on the command line at that time is reset to the default value for the LDAP server type.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminLDAPUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin -ldapServerType NETSCAPE -ldapHost 195.168.1.1')
  • Using Jython list:
    AdminTask.configureAdminLDAPUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin', '-ldapServerType', 'NETSCAPE', '-ldapHost', '195.168.1.1'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminLDAPUserRegistry('-interactive')

configureAdminLocalOSUserRegistry

The configureAdminLocalOSUserRegistry command configures a local operating system user registry in the global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
  • Using Jython list:
    AdminTask.configureAdminLocalOSUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminLocalOSUserRegistry('-interactive')

configureAdminWIMUserRegistry

The configureAdminWIMUserRegistry command configures a federated repository user registry in the administrative security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Optional parameters

-autoGenerateServerId
Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
-serverId
Specifies the server identity in the repository that the system uses for internal process communication. (String)
-serverIdPassword
Specifies the password that corresponds to the server identity. (String)
-primaryAdminId
Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAdminWIMUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
  • Using Jython list:
    AdminTask.configureAdminWIMUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server',
    '-primaryAdminId', 'serverAdmin'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAdminWIMUserRegistry('-interactive')

configureAppCustomUserRegistry

The configureAppCustomUserRegistry command configures a custom user registry in an application security domain.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
-customRegClass
Specifies the name of the class that implements the com.ibm.websphere.security.UserRegistry interface. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppCustomUserRegistry('-securityDomainName testDomain -realmName server_name.domain:port_number')
    [z/OS]
    AdminTask.configureAppCustomUserRegistry('-securityDomainName testDomain -realmName server_name.domain:port_number -ignoreCase true')
  • Using Jython list:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppCustomUserRegistry(['-securityDomainName', 'testDomain', '-realmName',
    'server_name.domain:port_number'])
    [z/OS]
    AdminTask.configureAppCustomUserRegistry(['-securityDomainName', 'testDomain', '-realmName',
    'server_name.domain:port_number', '-ignoreCase', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppCustomUserRegistry('-interactive')

configureAppLDAPUserRegistry

The configureAppLDAPUserRegistry command configures LDAP user registries in a security configuration or a global security configuration.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-ldapServerType
Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)
Specify one of the following valid values:
  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM
-ldapHost
Specifies the host name of the LDAP server. (String)
-ldapPort
Specifies the port that the system uses to access the LDAP server. The default value is 389. (String)
-baseDN
Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)
-bindDN
Specifies the distinguished name for the application server, which is used to bind to the directory service. (String)
-bindPassword
Specifies the binding DN password for the LDAP server. (String)
[8.5.5.19 or later]-bindAuthMechanism
The bind authentication mechanism for binding to the LDAP server when you search for or modify an LDAP entry. The following values are valid:
  • none - Anonymous bind to the LDAP server.
  • simple - The default, which uses a simple bind distinguished name with a bind password to bind to the LDAP server.
  • GSSAPI - Kerberos authentication enablement, which requires the Kerberos principal name or the Kerberos service principal name to be set.
[8.5.5.19 or later]-krb5Principal
Kerberos principal name or Kerberos service principal name that is used to authenticate with the Key Distribution Center (KDC). The Kerberos principal name is required if the bindAuthMechanism parameter is set to the GSSAPI value.
[8.5.5.19 or later]-krb5TicketCache
The directory location and file name of the Kerberos ticket cache, which is also referred to as the Kerberos credential cache, or ccache file.
[8.5.5.19 or later]-krb5Config
The Kerberos configuration file that contains the client configuration information, including the location of each Key Distribution Center (KDC) for the realm. This file is used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. The following information gives the default file name and location for the Kerberos configuration file:
  • [Linux][AIX][z/OS][HP-UX][IBM i][Solaris]/etc/krb5.conf
  • [Windows]C:\Windows\krb5.ini
[8.5.5.19 or later]-krb5Keytab
The Kerberos keytab file that contains one or more Kerberos service principal names and keys. This file is also used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the ticket cache is used.
-searchTimeout
Specifies the timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long Integer)
-reuseConnection
Specifies whether the server reuses the LDAP connection. By default, this option is enabled. Specify false for this parameter only in rare situations where a router is used to distribute requests to multiple LDAP servers and when the router does not support affinity. (Boolean)
Avoid trouble: When you disable the reuse of the LDAP connection, the application server creates a new LDAP connection for every LDAP search request. This situation impacts system performance if your environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
-userFilter
Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)
-groupFilter
Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)
-userIdMap
Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)
-groupIdMap
Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)
-groupMemberIdMap
Specifies the LDAP filter that identifies users to group memberships. (String)
-certificateMapMode
Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)
-certificateFilter
Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. (String)
The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The first part of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The second part of the filter specification is one of the public attributes in your client certificate. The second side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the second side of the filter specification. The case of the strings is important:
  • ${UniqueKey}
  • ${PublicKey}
  • ${Issuer}
  • ${NotAfter}
  • ${NotBefore}
  • ${SerialNumber}
  • ${SigAlgName}
  • ${SigAlgOID}
  • ${SigAlgParams}
  • ${SubjectCN}
  • ${Version}
-krbUserFilter
Specifies the Kerberos user filter. The default value is the default user filter for the LDAP server type. (String)
-nestedGroupSearch
Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)
-sslEnabled
Specifies whether to enable Secure Sockets Layer (SSL). Specify true to enable an SSL connection to the LDAP server. (Boolean)
-sslConfig
Specifies the SSL configuration alias to use for the secure LDAP connection. (String)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
-resetDefaultFilters
Specify true to reset all of the filter values to the default values for the LDAP server type. The default value for this parameter is false. The LDAP filter attributes that are reset are: userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap, and krbUserFilter. If any of the other filter parameters specify a filter value on the command line while resetDefaultFilters is set to true, the specified filter value is used. Any filter that is not specified on the command line at that time is reset to the default value for the LDAP server type.
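
The -certificateFilter syntax described for configureAdminLDAPUserRegistry and configureAppLDAPUserRegistry can be checked before the value is stored. The following is an added example, not IBM code: it rejects placeholder names that are not in the case-sensitive list on this page and shows the LDAP filter that results when certificate values are substituted. The function names, the sample certificate values, and the RFC 4515 escaping of substituted values are assumptions made for illustration; this page does not describe how the server escapes values.

```python
import re

# Certificate attribute names listed on this page. Matching is case-sensitive.
ALLOWED = frozenset([
    "UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore",
    "SerialNumber", "SigAlgName", "SigAlgOID", "SigAlgParams",
    "SubjectCN", "Version",
])

# The certificate side of a filter: dollar sign, open bracket, name, close bracket.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def check_certificate_filter(template):
    """Return a list of problems found in a -certificateFilter template."""
    problems = []
    names = PLACEHOLDER.findall(template)
    if not names:
        problems.append("no ${...} certificate attribute in filter")
    for name in names:
        if name in ALLOWED:
            continue
        # A wrong-case name is the most likely mistake, so point at the fix.
        hint = [a for a in ALLOWED if a.lower() == name.lower()]
        if hint:
            problems.append("unknown attribute ${%s}; did you mean ${%s}?"
                            % (name, hint[0]))
        else:
            problems.append("unknown attribute ${%s}" % name)
    rest = PLACEHOLDER.sub("", template)
    if "$" in rest:
        problems.append("stray '$' outside a ${...} placeholder")
    if rest.count("(") != rest.count(")"):
        problems.append("unbalanced parentheses")
    return problems


def escape_filter_value(value):
    """Escape LDAP filter metacharacters in a value (RFC 4515, section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_certificate_filter(template, cert_attrs):
    """Substitute certificate values into a validated template.

    Illustrates the mapping only; cert_attrs is a dict of constructed
    sample values keyed by the attribute names above.
    """
    problems = check_certificate_filter(template)
    if problems:
        raise ValueError("; ".join(problems))

    def substitute(match):
        name = match.group(1)
        if name not in cert_attrs:
            raise ValueError("certificate has no value for ${%s}" % name)
        return escape_filter_value(cert_attrs[name])

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    page_filter = "(&(uid=${SubjectCN})(objectclass=inetOrgPerson))"
    print(check_certificate_filter(page_filter))
    # Wrong case in the attribute name is reported with the correct spelling.
    print(check_certificate_filter("(&(uid=${subjectcn})(objectclass=inetOrgPerson))"))
    # Constructed subject CN values; the second contains filter metacharacters.
    print(expand_certificate_filter(page_filter, {"SubjectCN": "jdoe"}))
    print(expand_certificate_filter(page_filter, {"SubjectCN": "*)(uid=*"}))
```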

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAppLDAPUserRegistry('-securityDomainName testDomain -ldapServerType NETSCAPE -ldapHost 195.168.1.1 -searchTimeout 300')
  • Using Jython list:
    AdminTask.configureAppLDAPUserRegistry(['-securityDomainName', 'testDomain', '-ldapServerType',
    'NETSCAPE', '-ldapHost', '195.168.1.1', '-searchTimeout', '300'])
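
The parameter rules for the two LDAP registry commands can be checked before the argument list is passed to AdminTask. The following is an added example, not IBM code: it reviews a dictionary of parameters against the constraints stated on this page, builds the Jython list form, and masks the password values for logging. The function names, the bind DN, the password placeholder, and the SSL alias are hypothetical, and the warning about a simple bind without SSL reflects general LDAP behavior rather than a statement on this page.

```python
# Valid values as listed on this page.
VALID_SERVER_TYPES = ("IBM_DIRECTORY_SERVER", "IPLANET", "NETSCAPE", "NDS",
                      "DOMINO502", "SECUREWAY", "ACTIVE_DIRECTORY", "CUSTOM")
VALID_BIND_MECHANISMS = ("none", "simple", "GSSAPI")
SECRET_PARAMS = ("bindPassword", "serverIdPassword")


def _is_true(value):
    return str(value).lower() == "true"


def review_ldap_registry_args(params):
    """Return (errors, warnings) for a dict of parameter name -> value."""
    errors, warnings = [], []
    server_type = params.get("ldapServerType", "IBM_DIRECTORY_SERVER")
    if server_type not in VALID_SERVER_TYPES:
        errors.append("ldapServerType is not one of the valid values")
    mech = params.get("bindAuthMechanism", "simple")
    if mech not in VALID_BIND_MECHANISMS:
        errors.append("bindAuthMechanism must be none, simple or GSSAPI")
    if mech == "GSSAPI" and not params.get("krb5Principal"):
        errors.append("bindAuthMechanism GSSAPI requires krb5Principal")
    if (params.get("certificateMapMode") == "CERTIFICATE_FILTER"
            and not params.get("certificateFilter")):
        errors.append("certificateMapMode CERTIFICATE_FILTER needs certificateFilter")
    if params.get("krb5TicketCache") and params.get("krb5Keytab"):
        warnings.append("krb5Keytab is ignored: only the ticket cache is used")
    if (mech == "simple" and params.get("bindPassword")
            and not _is_true(params.get("sslEnabled", "false"))):
        warnings.append("simple bind without sslEnabled sends bindPassword unencrypted")
    if mech == "none":
        warnings.append("anonymous bind to the LDAP server")
    if "verifyRegistry" in params and not _is_true(params["verifyRegistry"]):
        warnings.append("verifyRegistry false stores the settings without validation")
    return errors, warnings


def to_wsadmin_list(params):
    """Build the Jython list form: each flag and each value is its own element."""
    errors, _ = review_ldap_registry_args(params)
    if errors:
        raise ValueError("; ".join(errors))
    args = []
    for name in sorted(params):
        text = str(params[name])
        if text in ("True", "False"):
            text = text.lower()          # wsadmin expects true / false
        args.extend(["-" + name, text])
    return args


def redact(args):
    """Copy of the argument list that is safe to print or log."""
    shown = list(args)
    for i in range(len(shown) - 1):
        if shown[i].lstrip("-") in SECRET_PARAMS:
            shown[i + 1] = "********"
    return shown


# Constructed sample: domain, server type and host are from the page's example;
# bindDN, bindPassword and sslConfig are hypothetical placeholder values.
SAMPLE = {
    "securityDomainName": "testDomain",
    "ldapServerType": "NETSCAPE",
    "ldapHost": "195.168.1.1",
    "bindDN": "cn=wasbind,o=example",
    "bindPassword": "CHANGE_ME",
    "sslEnabled": True,
    "sslConfig": "ExampleLDAPSSLSettings",
}

if __name__ == "__main__":
    errors, warnings = review_ldap_registry_args(SAMPLE)
    print(errors, warnings)
    print(redact(to_wsadmin_list(SAMPLE)))
    # Inside wsadmin, the reviewed list is passed to the command:
    #   AdminTask.configureAppLDAPUserRegistry(to_wsadmin_list(SAMPLE))
    #   AdminConfig.save()
```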

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppLDAPUserRegistry('-interactive')

configureAppLocalOSUserRegistry

The configureAppLocalOSUserRegistry command configures a local operating system user registry in a security domain.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppLocalOSUserRegistry('-securityDomainName testDomain')
    [z/OS]
    AdminTask.configureAppLocalOSUserRegistry('-securityDomainName testDomain -ignoreCase true')
  • Using Jython list:
    [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.configureAppLocalOSUserRegistry(['-securityDomainName', 'testDomain'])
    [z/OS]
    AdminTask.configureAppLocalOSUserRegistry(['-securityDomainName', 'testDomain', '-ignoreCase', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppLocalOSUserRegistry('-interactive')

configureAppWIMUserRegistry

The configureAppWIMUserRegistry command configures federated repository user registries in a security domain.
Supported configurations: This command is not supported in a local mode.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Optional parameters

-realmName
Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
[z/OS]-ignoreCase
[z/OS]Specifies whether authorization is case-sensitive. Specify true to ignore the case during authorization. (Boolean)
-verifyRegistry
Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
-useGlobalFederatedRepository
Specifies whether to use the same instance of federated repository for the domain as is defined in the global domain. Specify true to use the same instance as defined in the global domain. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAppWIMUserRegistry('-securityDomainName testDomain -realmName testRealm')
  • Using Jython list:
    AdminTask.configureAppWIMUserRegistry(['-securityDomainName', 'testDomain', '-realmName', 'testRealm'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAppWIMUserRegistry('-interactive')

getLTPATimeout

The getLTPATimeout command displays the number of seconds that the system waits before the LTPA request reaches timeout.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns the number of seconds that the server waits before the LTPA request is cancelled.

Batch mode example usage

  • Using Jython string:
    AdminTask.getLTPATimeout('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getLTPATimeout(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getLTPATimeout('-interactive')

setLTPATimeout

The setLTPATimeout command sets the amount of time that the system waits before the LTPA request becomes invalid.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-timeout
Specifies the amount of time, in seconds, before the request times out. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.setLTPATimeout('-timeout 120')
  • Using Jython list:
    AdminTask.setLTPATimeout(['-timeout', '120'])

Interactive mode example usage

  • Using Jython:
    AdminTask.setLTPATimeout('-interactive')

getUserRegistryInfo

The getUserRegistryInfo command displays information about a user registry in a security domain or in the global security configuration. If you do not specify a value for the -userRegistryType parameter, the command returns the active user registry information.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-userRegistryType
Specifies the type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegistry for local operating system user registries. (String)

Return value

The command returns configuration information in the form of attribute and value pairs for the user registry object of interest.

Batch mode example usage

  • Using Jython string:
    AdminTask.getUserRegistryInfo('-securityDomainName testDomain -userRegistryType LDAPUserRegistry')
  • Using Jython list:
    AdminTask.getUserRegistryInfo(['-securityDomainName', 'testDomain', '-userRegistryType', 'LDAPUserRegistry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getUserRegistryInfo('-interactive')

unconfigureUserRegistry

The unconfigureUserRegistry command modifies the user registry. For a global security configuration, the command reduces the user registry to the minimum registry values. For application-level security, the command removes the user registry from the security domain of interest.

Target object

None.

Required parameters

-userRegistryType
Specifies the type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegistry for local operating system user registries. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureUserRegistry('-userRegistryType WIMUserRegistry -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureUserRegistry(['-userRegistryType', 'WIMUserRegistry', '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureUserRegistry('-interactive')

configureJAASLoginEntry

The configureJAASLoginEntry command configures a Java Authentication and Authorization Service (JAAS) login entry in a security domain or in the global security configuration. You can use this command to modify existing JAAS login entries or to create new login entries.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. If you do not specify a security domain name, the system updates the global security configuration. (String)
-loginModules
Specifies a comma (,) separated list of login module class names. Specify the list in the order that the system calls them. (String)
-authStrategies
Specifies a comma-separated list of authentication strategies that sets the authentication behavior as authentication proceeds down the list of login modules. You must specify one authentication strategy for each login module. (String)
Specify one or many of the following values in a comma (,) separated list:
  • REQUIRED

    Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

  • REQUISITE

    Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

  • SUFFICIENT

    Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

  • OPTIONAL

    Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureJAASLoginEntry('[-loginType application -loginEntryAlias JAASLoginEntry1 -authStrategies "REQUIRED,REQUISITE"]')
  • Using Jython list:
    AdminTask.configureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-authStrategies',
    'REQUIRED,REQUISITE'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureJAASLoginEntry('-interactive')

configureLoginModule

The configureLoginModule command modifies an existing login module or creates a new login module on an existing JAAS login entry in the global security configuration or in a security domain.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)
-loginModule
Specifies the name of the login module. (String)

Optional parameters

-newModule
Specifies that you want a new login module to have the same class name as a previously configured login module. (Boolean)
For example, if you issued the following command to configure a login module for a given login entry:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl')

You can issue the following command to configure another login module with the same class name:

wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl -newModule true')

The login entry now contains two login modules that use the same class name.

-modifyModule
Specifies that you want multiple login modules with the same class name to be modified. (Integer)

For example, if you issued the following command:

wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl -modifyModule 2 -authStrategy OPTIONAL')

The second login module in the TestLogin entry is modified with the OPTIONAL flag.

-securityDomainName
Specifies the name of the security configuration. (String)
-useLoginModuleProxy
Specifies that the JAAS loads the login module proxy class. JAAS then delegates calls to the login module classes that are defined in the Module class name field. Specify true to use the login module proxy. (Boolean)
-authStrategy
Specifies the authentication behavior as authentication proceeds down the list of login modules. (String)
Specify one of the following values:
  • REQUIRED

    Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.

  • REQUISITE

    Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.

  • SUFFICIENT

    Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.

  • OPTIONAL

    Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.

-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureLoginModule('-loginType application -loginEntryAlias JAASLoginEntry1 -loginModule class1')
  • Using Jython list:
    AdminTask.configureLoginModule(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-loginModule',
    'class1'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureLoginModule('-interactive')
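
The control flow described for -authStrategies and -authStrategy can be checked offline before a login entry is changed. The following is an added example, not IBM code and not a wsadmin API: it pairs the two comma-separated lists, walks the stack using standard JAAS control-flag semantics, and reports orderings in which a SUFFICIENT module can skip later REQUIRED or REQUISITE modules. The function names and the com.example class names are hypothetical.

```python
# Added example: offline model of JAAS control flags. It does not call AdminTask.
VALID_FLAGS = ('REQUIRED', 'REQUISITE', 'SUFFICIENT', 'OPTIONAL')

# Constructed sample values for -loginModules and -authStrategies (hypothetical classes).
SAMPLE_MODULES = ('com.example.auth.TokenLoginModule,'
                  'com.example.auth.PasswordLoginModule,'
                  'com.example.auth.AuditLoginModule')
SAMPLE_STRATEGIES = 'SUFFICIENT,REQUIRED,OPTIONAL'


def pair_modules(login_modules, auth_strategies):
    """Pair comma-separated -loginModules and -authStrategies values.

    Raises ValueError when the counts differ or a strategy is unknown,
    because one strategy must be given for each login module.
    """
    modules = [m.strip() for m in login_modules.split(',') if m.strip()]
    flags = [f.strip().upper() for f in auth_strategies.split(',') if f.strip()]
    if len(modules) != len(flags):
        raise ValueError('%d login modules but %d strategies'
                         % (len(modules), len(flags)))
    for flag in flags:
        if flag not in VALID_FLAGS:
            raise ValueError('unknown authentication strategy: %s' % flag)
    return list(zip(modules, flags))


def evaluate(stack, outcomes):
    """Walk the stack in order; outcomes[i] is True if module i succeeds.

    Returns (authenticated, names_of_modules_called).
    """
    if len(stack) != len(outcomes):
        raise ValueError('one outcome is needed per login module')
    called = []
    required_failed = False
    any_success = False
    for (module, flag), ok in zip(stack, outcomes):
        called.append(module)
        if ok:
            # Standard JAAS: a SUFFICIENT success ends the walk only if no
            # earlier REQUIRED module has failed.
            if flag == 'SUFFICIENT' and not required_failed:
                return True, called
            any_success = True
        elif flag == 'REQUISITE':
            # Failure returns control immediately; later modules never run.
            return False, called
        elif flag == 'REQUIRED':
            # Failure is recorded, but the walk continues down the list.
            required_failed = True
        # A failed SUFFICIENT or OPTIONAL module does not stop the walk.
    return (any_success and not required_failed), called


def audit(stack):
    """Return review findings for orderings that weaken the stack."""
    findings = []
    flags = [flag for _, flag in stack]
    if 'REQUIRED' not in flags and 'REQUISITE' not in flags:
        findings.append('no REQUIRED or REQUISITE module: one SUFFICIENT '
                        'or OPTIONAL success authenticates')
    for index, (module, flag) in enumerate(stack):
        if flag != 'SUFFICIENT':
            continue
        skipped = [m for m, f in stack[index + 1:]
                   if f in ('REQUIRED', 'REQUISITE')]
        if skipped:
            findings.append('%s is SUFFICIENT and can skip: %s'
                            % (module, ', '.join(skipped)))
    return findings


if __name__ == '__main__':
    sample_stack = pair_modules(SAMPLE_MODULES, SAMPLE_STRATEGIES)
    # The token module succeeds, so the password and audit modules never run.
    print(evaluate(sample_stack, [True, False, False]))
    for finding in audit(sample_stack):
        print(finding)
```

Run the audit against the module order you intend to pass to -loginModules; the order of the list is the order in which the system calls the modules.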

getJAASLoginEntryInfo

The getJAASLoginEntryInfo command displays configuration for a specific JAAS login entry.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains configuration information for the JAAS login entry of interest.

Batch mode example usage

  • Using Jython string:
    AdminTask.getJAASLoginEntryInfo('-loginType application -loginEntryAlias JAASLoginEntry -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getJAASLoginEntryInfo(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry', '-securityDomainName',
    'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getJAASLoginEntryInfo('-interactive')

listJAASLoginEntries

The listJAASLoginEntries command displays each defined JAAS login entry for a given login type in a security domain or in the global security configuration.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array of attribute lists that contain the login entries for the login type of interest.

Batch mode example usage

  • Using Jython string:
    AdminTask.listJAASLoginEntries('-loginType application -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.listJAASLoginEntries(['-loginType', 'application','-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listJAASLoginEntries('-interactive')

listLoginModules

The listLoginModules command displays the class names and associated options for a specific JAAS login module in a security domain or in the global security configuration.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array that contains the login modules in a specific login entry.

Batch mode example usage

  • Using Jython string:
    AdminTask.listLoginModules('-loginType system -loginEntryAlias JAASLoginEntry')
  • Using Jython list:
    AdminTask.listLoginModules(['-loginType', 'system', '-loginEntryAlias', 'JAASLoginEntry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listLoginModules('-interactive')

unconfigureJAASLoginEntry

The unconfigureJAASLoginEntry command removes a JAAS login entry from the global security configuration or a security domain. You cannot remove all login entries. The command returns an error if it cannot remove the login entry of interest.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureJAASLoginEntry('-loginType application -loginEntryAlias myLoginEntry')
  • Using Jython list:
    AdminTask.unconfigureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'myLoginEntry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureJAASLoginEntry('-interactive')

unconfigureLoginModule

The unconfigureLoginModule command removes a login module class from a login module entry.

Target object

None.

Required parameters

-loginType
Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
-loginEntryAlias
Specifies an alias that identifies the JAAS login entry in the configuration. (String)
-loginModule
Specifies the name of the login module class to remove from the configuration. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureLoginModule('-loginType system -loginEntryAlias systemLoginEntry -loginModule moduleClass')
  • Using Jython list:
    AdminTask.unconfigureLoginModule(['-loginType', 'system', '-loginEntryAlias', 'systemLoginEntry', '-loginModule',
    'moduleClass'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureLoginModule('-interactive')

createAuthDataEntry

The createAuthDataEntry command creates an authentication data entry for a J2EE Connector architecture (J2C) connector in the global security or security domain configuration.

By default when configuring authentication data entries in Global security, the node name is added to the name of the entry. To stop the node name from being added, the com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal security property can be set to true using the setAdminActiveSecuritySettings task.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)
-user
Specifies the J2C authentication data user ID. (String)
-password
Specifies the password to use for the target enterprise information system (EIS). (String)

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The application server uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-description
Specifies a description of the authentication data entry. (String)

Return value

The command returns the object name of the new authentication data entry object.

Batch mode example usage

  • Using Jython string:
    AdminTask.createAuthDataEntry('-alias dataEntry1 -user userID -password userIDpw')
  • Using Jython list:
    AdminTask.createAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID', '-password', 'userIDpw'])

Interactive mode example usage

  • Using Jython:
    AdminTask.createAuthDataEntry('-interactive')

deleteAuthDataEntry

The deleteAuthDataEntry command removes an authentication data entry for a J2C connector in a global security or security domain configuration.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The application server uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.deleteAuthDataEntry('-alias dataEntry1')
  • Using Jython list:
    AdminTask.deleteAuthDataEntry(['-alias', 'dataEntry1'])

Interactive mode example usage

  • Using Jython:
    AdminTask.deleteAuthDataEntry('-interactive')

getAuthDataEntry

The getAuthDataEntry command displays information about an authentication data entry for the J2C connector in the global security configuration or for a specific security domain.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains the authentication data entry attributes and values.

Batch mode example usage

  • Using Jython string:
    AdminTask.getAuthDataEntry('-alias authDataEntry1 -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getAuthDataEntry(['-alias', 'authDataEntry1', '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getAuthDataEntry('-interactive')

listAuthDataEntries

The listAuthDataEntries command displays each authentication data entry in the global security configuration or in a security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array of attribute lists for each authentication data entry.

Batch mode example usage

  • Using Jython string:
    AdminTask.listAuthDataEntries('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.listAuthDataEntries(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listAuthDataEntries('-interactive')

modifyAuthDataEntry

The modifyAuthDataEntry command modifies an authentication data entry for a J2C connector in the global security or security domain configuration.

Target object

None.

Required parameters

-alias
Specifies the name that uniquely identifies the authentication data entry. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-user
Specifies the J2C authentication data user ID. (String)
-password
Specifies the password to use for the target enterprise information system (EIS). (String)
-description
Specifies a description for the authentication data entry. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.modifyAuthDataEntry('-alias dataEntry1 -user userID1 -password newPassword')
  • Using Jython list:
    AdminTask.modifyAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID1', '-password', 'newPassword'])

Interactive mode example usage

  • Using Jython:
    AdminTask.modifyAuthDataEntry('-interactive')

clearAuthCache

The clearAuthCache command purges the entire security authentication cache of the associated security domain.

Target object

None.

Optional parameters

-securityDomainId
Specifies the unique identifier for the security domain. If no security domain ID is specified, the authentication cache of the admin domain is cleared. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.clearAuthCache('-securityDomainId security_domain_id')
  • Using Jython list:
    AdminTask.clearAuthCache(['-securityDomainId', 'security_domain_id'])

Interactive mode example usage

  • Using Jython:
    AdminTask.clearAuthCache('-interactive')

purgeUserFromAuthCache

The purgeUserFromAuthCache command removes a user from the security authentication cache associated with a security domain.

Avoid trouble: The purgeUserFromAuthCache command does not log the user out of an already established application session.

Target object

None.

Required parameters

-user
Specifies the user ID that is associated with an authentication cache data entry. (String)

Optional parameters

-securityDomainID
Specifies the unique identifier of the security domain. If no security domain ID is specified, the authentication cache of the admin domain is cleared. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.purgeUserFromAuthCache('-user userID1 -securityDomainId security_domain_id')
  • Using Jython list:
    AdminTask.purgeUserFromAuthCache(['-user', 'userID1', '-securityDomainId', 'security_domain_id'])

Interactive mode example usage

  • Using Jython:
    AdminTask.purgeUserFromAuthCache('-interactive')

configureCSIInbound

The configureCSIInbound command configures CSIv2 inbound authentication on a security domain or on the global security configuration. When configuring CSI inbound authentication in a security domain for the first time, the CSI objects are copied from global security so that any changes to that configuration are applied.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. If one is not provided the task will work on the global security user registry configuration. (String)
-messageLevelAuth
Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)
-supportedAuthMechList
Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use your own authentication token implementation. You can specify more than one in a space-separated list. (String)
-clientCertAuth
Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)
-transportLayer
Specifies the transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)
-sslConfiguration
Specifies the SSL configuration alias to use for inbound transport. (String)
-enableIdentityAssertion
Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)
-trustedIdentities
Specifies a list of trusted server identities, separated by the pipe character (|). To specify a null value, set the value of the -trustedIdentities parameter as an empty string (""). (String)
-statefulSession
Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)
-enableAttributePropagation
Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated Subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureCSIInbound('[-securityDomainName testDomain -messageLevelAuth Required -supportedAuthMechList "KRB5 LTPA"]')
  • Using Jython list:
    AdminTask.configureCSIInbound(['-securityDomainName', 'testDomain', '-messageLevelAuth', 'Required',
    '-supportedAuthMechList', 'KRB5 LTPA'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureCSIInbound('-interactive')

configureCSIOutbound

The configureCSIOutbound command configures the CSIv2 outbound authentication in a security domain or in the global security configuration. When configuring CSI Outbound in a security domain for the first time, the application server copies the CSI objects from global security. Then, the application server applies the changes to that configuration from the command.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. (String)
-enableAttributePropagation
Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated Subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean)
-enableIdentityAssertion
Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)
-useServerIdentity
Specifies whether to use the server identity to establish trust with the target server. Specify true to use the server identity. (Boolean)
-trustedId
Specifies the trusted identity that the application server uses to establish trust with the target server. (String)
-trustedIdentityPassword
Specifies the password of the trusted server identity. (String)
-messageLevelAuth
Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)
-supportedAuthMechList
Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use your own authentication token implementation. You can specify more than one in a space-separated list. (String)
-clientCertAuth
Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)
-transportLayer
Specifies the transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)
-sslConfiguration
Specifies the SSL configuration alias to use for inbound transport. (String)
-statefulSession
Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)
-enableOutboundMapping
Specifies whether to enable custom outbound identity mapping. Specify true to enable custom outbound identity mapping. (Boolean)
-trustedTargetRealms
Specifies a list of target realms to trust. Separate each realm name with the pipe character (|). (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureCSIOutbound('-securityDomainName testDomain -useServerIdentity true -messageLevelAuth Supported')
  • Using Jython list:
    AdminTask.configureCSIOutbound(['-securityDomainName', 'testDomain', '-useServerIdentity', 'true',
    '-messageLevelAuth', 'Supported'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureCSIOutbound('-interactive')

getCSIInboundInfo

The getCSIInboundInfo command displays information about the Common Secure Interoperability (CSI) inbound settings for the global security configuration or for a security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-displayModel
Specifies the output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)

Return value

The command returns an attribute list of the attributes and values of the CSI inbound object.

Batch mode example usage

  • Using Jython string:
    AdminTask.getCSIInboundInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getCSIInboundInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getCSIInboundInfo('-interactive')

getCSIOutboundInfo

The getCSIOutboundInfo command displays information for the CSI outbound settings for the global security configuration or for a security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
-displayModel
Specifies the output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)

Return value

The command returns an attribute list that contains the attributes and values of the CSI outbound configuration.

Batch mode example usage

  • Using Jython string:
    AdminTask.getCSIOutboundInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getCSIOutboundInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getCSIOutboundInfo('-interactive')

unconfigureCSIInbound

The unconfigureCSIInbound command removes the CSI inbound information from a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureCSIInbound('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureCSIInbound(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureCSIInbound('-interactive')

unconfigureCSIOutbound

The unconfigureCSIOutbound command removes the CSI outbound information from a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureCSIOutbound('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureCSIOutbound(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureCSIOutbound('-interactive')

configureInterceptor

The configureInterceptor command modifies an existing interceptor or creates an interceptor if one does not exist.

Target object

None.

Required parameters

-interceptor
Specifies the trust association interceptor class name. (String)

Optional parameters

-securityDomainName
Specifies the name of the security domain. If you do not specify a security domain, the command assigns the global security configuration. (String)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus -securityDomainName testDomain')
    AdminTask.configureInterceptor('-interceptor com.company.customInterceptor -securityDomainName testDomain -customProperties ["p1=value1"]')
  • Using this Jython string for SAML TAI:
    AdminTask.configureInterceptor('-interceptor com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor -customProperties ["sso_1.sp.acsUrl=https://company.com/was1/samlsps/sso1Sp","sso_1.sp.filter=request-url%=snoop","sso_1.sp.login.error.page=https://company.com/idP1/login.aspx","sso_1.sp.acsErrorPage=https://company.com/index.html","sso_2.sp.acsUrl=https://company.com/was1/samlsps/sso2Sp","sso_2.sp.filter=request-url%=appA","sso_2.sp.login.error.page=https://company.com/idP2/login.aspx","sso_2.sp.acsErrorPage=https://company.com/index.html"]')
  • Using Jython list:
    AdminTask.configureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus',
    '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureInterceptor('-interactive')

configureTrustAssociation

The configureTrustAssociation command enables or disables the trust association. If the security domain does not have a trust association defined, the application server copies each trust association and its interceptors from the global security configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. (String)
-enable
Specifies whether to enable trust association to act as a reverse proxy server. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureTrustAssociation('-securityDomainName testDomain -enable true')
  • Using Jython list:
    AdminTask.configureTrustAssociation(['-securityDomainName', 'testDomain', '-enable', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureTrustAssociation('-interactive')

getTrustAssociationInfo

The getTrustAssociationInfo command displays configuration information for trust association.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains attributes and values for trust association.

Batch mode example usage

  • Using Jython string:
    AdminTask.getTrustAssociationInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getTrustAssociationInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getTrustAssociationInfo('-interactive')

listInterceptors

The listInterceptors command displays the trust association interceptors that are configured in the global security or security domain configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an array list of each interceptor and the associated custom properties.

Batch mode example usage

  • Using Jython string:
    AdminTask.listInterceptors('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.listInterceptors(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.listInterceptors('-interactive')

unconfigureInterceptor

The unconfigureInterceptor command removes a trust association interceptor from the global security configuration or from a security domain.

Target object

None.

Required parameters

-interceptor
Specifies the trust association interceptor class name. (String)

Optional parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus -securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus',
    '-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureInterceptor('-interactive')

unconfigureTrustAssociation

The unconfigureTrustAssociation command removes the trust association object from a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureTrustAssociation('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureTrustAssociation(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureTrustAssociation('-interactive')

applyWizardSettings

The applyWizardSettings command can be used to automate the global security configuration.

Target object

None.

Optional parameters

-secureApps
Specifies to secure applications.
-secureLocalResources
Specifies to secure local resources such as data sets and MVS™ commands.
-userRegistryType
Specifies whether the user is a user, a group, or a group member.
-ldapServerType
Specifies the type of LDAP server that is being used. The default value is IDS51.
Specify one of the following valid values:
  • IBM_DIRECTORY_SERVER
  • IPLANET
  • NETSCAPE
  • NDS
  • DOMINO502
  • SECUREWAY
  • ACTIVE_DIRECTORY
  • CUSTOM
-ldapHostName
Specifies the LDAP host name.
-ldapPort
Specifies the LDAP port name.
-ldapBaseDN
Specifies the LDAP base dynamic member attribute.
-ldapBindDN
Dynamically updates LDAP binding information.
-ldapBindPassword
Dynamically updates LDAP binding password information.
-adminName
Refers to the name of an administrator account on the remote target machine.

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    # ldapServer and adminUsername are variables that the script defines before this call
    AdminTask.applyWizardSettings('[-secureApps true -secureLocalResources false '
        + '-userRegistryType LDAPUserRegistry -ldapServerType IBM_DIRECTORY_SERVER '
        + '-ldapHostName ' + ldapServer + ' -ldapPort 389 -ldapBaseDN o=ibm,c=us -ldapBindDN '
        + 'cn=root -ldapBindPassword a1x4meok -adminName ' + adminUsername + ' ]')

configureAuthzConfig

The configureAuthzConfig command configures an external Java Authorization Contract for Containers (JACC) authorization provider in a security domain or the global security configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security configuration. (String)
-useJACCProvider
Specifies whether to use a JACC provider. Specify true to use a JACC provider. (Boolean)
-name
Specifies the name of the JACC provider to use. (String)
-description
Specifies a description of the JACC provider. (String)
-j2eePolicyImplClassName
Specifies the class name of an implementation class that represents the javax.security.jacc.policy.provider property according to the specification. (String)
-policyConfigurationFactoryImplClassName
Specifies the class name of an implementation class that represents the javax.security.jacc.PolicyConfigurationFactory.provider property. (String)
-roleConfigurationFactoryImplClassName
Specifies the class name of an implementation class that implements the com.ibm.wsspi.security.authorization.RoleConfigurationFactory interface. (String)
-requiresEJBArgumentsPolicyContextHandler
Specifies whether policy providers require the Enterprise JavaBeans arguments policy context handler to make access decisions. Specify true to enable this option. (Boolean)
-initializeJACCProviderClassName
Specifies the class name of an implementation class that implements the com.ibm.wsspi.security.authorization.InitializeJACCProvider interface. (String)
-supportsDynamicModuleUpdates
Specifies whether the provider supports dynamic changes to the web modules. Specify true to enable this option. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureAuthzConfig('[-securityDomainName testDomain -useJACCProvider true -name testProvider -description "JACC provider for testing"]')
  • Using Jython list:
    AdminTask.configureAuthzConfig(['-securityDomainName', 'testDomain', '-useJACCProvider', 'true', '-name',
    'testProvider', '-description', 'JACC provider for testing'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureAuthzConfig('-interactive')

configureSingleSignon

The configureSingleSignon command configures a single sign-on object in global security.

Target object

None.

Optional parameters

-enable
Specifies whether to enable single sign-on. Specify true to enable single sign-on, or false to disable single sign-on. (Boolean)
-requiresSSL
Specifies whether single sign-on requests are sent through HTTPS. Specify true to enable this option. (Boolean)
-domainName
Specifies the domain name that contains a set of hosts to which the single sign-on applies. (String)
-interoperable
Specifies interoperability options. Specify true to send an interoperable cookie to the browser to support back-level servers. Specify false to disable the sending of interoperable cookies. (Boolean)
-attributePropagation
Specifies whether to enable inbound security attribute propagation. Specify true to enable web inbound security attribute propagation. Specify false to use the single sign-on token to log in and recreate the Subject from the user registry. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.configureSingleSignon('-enable true -domainName mycompany.com')
  • Using Jython list:
    AdminTask.configureSingleSignon(['-enable', 'true', '-domainName', 'mycompany.com'])

Interactive mode example usage

  • Using Jython:
    AdminTask.configureSingleSignon('-interactive')

getActiveSecuritySettings

The getActiveSecuritySettings command displays the active security settings for global security or a specific security domain.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns the active security settings for the security domain of interest or the global security configuration, which includes the following settings:
  • cacheTimeout
  • issuePermissionWarning
  • activeAuthMechanism
  • enforceJava2Security
  • appSecurityEnabled
  • enableGlobalSecurity (global security only)
  • adminPreferredAuthMech (global security only)
  • activeAuthMechanism (global security only)
  • activeUserRegistry
  • enforceFineGrainedJCASecurity
  • dynUpdateSSLConfig (global security only)
  • useDomainQualifiedUserNames
  • customProperties

Batch mode example usage

  • Using Jython string:
    AdminTask.getActiveSecuritySettings('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getActiveSecuritySettings(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getActiveSecuritySettings('-interactive')

getAuthzConfigInfo

The getAuthzConfigInfo command displays information about an external JACC authorization provider in a security domain or the global security configuration.

Target object

None.

Optional parameters

-securityDomainName
Specifies the name of the security domain configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command returns an attribute list that contains the attributes and values that are associated with the JACC authorization provider.

Batch mode example usage

  • Using Jython string:
    AdminTask.getAuthzConfigInfo('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.getAuthzConfigInfo(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.getAuthzConfigInfo('-interactive')

getSingleSignon

The getSingleSignon command displays configuration information about the single sign-on object as defined in the global security configuration.

Target object

None.

Optional parameters

None.

Return value

The command returns an attribute list that contains the attributes and values of the single sign-on configuration.

Batch mode example usage

  • Using Jython:
    AdminTask.getSingleSignon()

Interactive mode example usage

  • Using Jython:
    AdminTask.getSingleSignon('-interactive')

[z/OS]isSAFVersionValidForIdentityMapping

The isSAFVersionValidForIdentityMapping command returns a Boolean indicating if the z/OS® security product supports SAF identity mapping. The command returns false on distributed platforms. The server that the wsadmin client is connected to must be active when issuing this command.

Target object

None.

Optional parameters

None.

Return value

The command returns a Boolean indicating if the z/OS security product supports SAF identity mapping. The command returns false on all platforms other than z/OS.

Example usage

AdminTask.isSAFVersionValidForIdentityMapping()

setAdminActiveSecuritySettings

The setAdminActiveSecuritySettings command sets the active security settings on the global security object.

Avoid trouble: To set the security settings for a security domain, see the setAppActiveSecuritySettings command.

Target object

None.

Optional parameters

-enableGlobalSecurity
Specifies whether to enable global security. Specify true to enable global security, or specify false to disable global security. (Boolean)
-cacheTimeout
Specifies the amount of time, in seconds, before authentication data becomes invalid. (Integer)
-issuePermissionWarning
Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)
-enforceJava2Security
Specifies whether to enable Java Platform, Enterprise Edition (Java EE) security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)
-enforceFineGrainedJCASecurity
Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)
-appSecurityEnabled
Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)
-dynUpdateSSLConfig
Specifies whether to dynamically update SSL configuration changes. Specify true to update SSL configuration changes dynamically, or specify false to update the SSL configuration when the server starts. (Boolean)
-activeAuthMechanism
Specifies the active authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)
-adminPreferredAuthMech
Specifies the preferred authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)
-activeUserRegistry
Specifies the active user registry for the server. (String)
Specify one of the following values:
CustomUserRegistry
This option enables you to specify a custom user registry as the active user registry for the server.
LDAPUserRegistry
This option enables you to specify an LDAP user registry as the active user registry for the server.
LocalOSUserRegistry
This option enables you to specify the local operating system user registry as the active user registry for the server.
WIMUserRegistry
This option enables you to specify a federated repository as the active user registry for the server.
-useDomainQualifiedUserNames
Specifies the type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.setAdminActiveSecuritySettings('-enableGlobalSecurity true -cacheTimeout 300 -enforceJava2Security true -appSecurityEnabled true -activeUserRegistry LDAPUserRegistry')
  • Using Jython list:
    AdminTask.setAdminActiveSecuritySettings(['-enableGlobalSecurity', 'true', '-cacheTimeout',
    '300', '-enforceJava2Security', 'true', '-appSecurityEnabled', 'true', '-activeUserRegistry',
    'LDAPUserRegistry'])

Interactive mode example usage

  • Using Jython:
    AdminTask.setAdminActiveSecuritySettings('-interactive')

setAppActiveSecuritySettings

The setAppActiveSecuritySettings command sets the active security settings on a security domain.

Avoid trouble: To set the security settings for global security, see the setAdminActiveSecuritySettings command.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Optional parameters

-cacheTimeout
Specifies the amount of time, in seconds, before authentication data becomes invalid. (Integer)
-issuePermissionWarning
Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)
-enforceJava2Security
Specifies whether to enable Java Platform, Enterprise Edition (Java EE) security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)
-enforceFineGrainedJCASecurity
Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)
-appSecurityEnabled
Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)
-activeUserRegistry
Specifies the active user registry for the server. (String)
-useDomainQualifiedUserNames
Specifies the type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)
-customProperties
Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.setAppActiveSecuritySettings('-securityDomainName testDomain -issuePermissionWarning false -enforceFineGrainedJCASecurity true')
  • Using Jython list:
    AdminTask.setAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-issuePermissionWarning',
    'false', '-enforceFineGrainedJCASecurity', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.setAppActiveSecuritySettings('-interactive')

unconfigureAuthzConfig

The unconfigureAuthzConfig command removes an external JACC authorization provider from the global security configuration or a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unconfigureAuthzConfig('-securityDomainName testDomain')
  • Using Jython list:
    AdminTask.unconfigureAuthzConfig(['-securityDomainName', 'testDomain'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unconfigureAuthzConfig('-interactive')

unsetAppActiveSecuritySettings

The unsetAppActiveSecuritySettings command removes an attribute from the global security configuration or a security domain.

Target object

None.

Required parameters

-securityDomainName
Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)

Optional parameters

-unsetAppSecurityEnabled
Specifies whether to remove the attribute that enables application security. Specify true to remove the attribute. (Boolean)
-unsetActiveUserRegistry
Specifies whether to remove the active user registry attribute. Specify true to remove the attribute. (Boolean)
-unsetUseDomainQualifiedUserNames
Specifies whether to remove the user domain qualified user names attribute. Specify true to remove the attribute. (Boolean)
-unsetEnforceJava2Security
Specifies whether to remove the Java EE security attribute. Specify true to remove the attribute. (Boolean)
-unsetEnforceFineGrainedJCASecurity
Specifies whether to remove the fine-grained JCA security attribute. Specify true to remove the attribute. (Boolean)
-unsetIssuePermissionWarning
Specifies whether to remove the attribute that issues user permission warnings. Specify true to remove the attribute. (Boolean)
-unsetCacheTimeout
Specifies whether to remove the cache timeout attribute. Specify true to remove the attribute. (Boolean)

Return value

The command does not return output.

Batch mode example usage

  • Using Jython string:
    AdminTask.unsetAppActiveSecuritySettings('-securityDomainName testDomain -unsetAppSecurityEnabled true -unsetIssuePermissionWarning true')
  • Using Jython list:
    AdminTask.unsetAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-unsetAppSecurityEnabled',
    'true', '-unsetIssuePermissionWarning', 'true'])

Interactive mode example usage

  • Using Jython:
    AdminTask.unsetAppActiveSecuritySettings('-interactive')
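
Pre-flight check for AdminTask argument lists, as an added example that is not IBM's code: plain Python, run outside wsadmin, that checks the list or string form against the parameter descriptions above before a script reaches a server. It catches misspelled or dash-less parameter names and out-of-range values, and flags literal passwords and settings worth a reviewer's sign-off. The names lint, to_list, SPEC and POLICY belong to this example, the configureCSIOutbound table is partial, and the POLICY entries are an assumed baseline.

```python
# Added example (not IBM code): pre-flight lint for AdminTask argument lists.
import difflib
import shlex

INT = object()  # marker for (Integer) parameters
BOOL = ('true', 'false')
LEVEL = ('Never', 'Supported', 'Required')
MECH = ('LTPA', 'KRB5', 'RSAToken')
REGISTRY = ('CustomUserRegistry', 'LDAPUserRegistry',
            'LocalOSUserRegistry', 'WIMUserRegistry')

# Tables copied from this part of the page; None = free-form string.
# configureCSIOutbound is partial here: more parameters precede this section.
SPEC = {
    'configureCSIOutbound': {
        '-securityDomainName': None, '-enableIdentityAssertion': BOOL,
        '-useServerIdentity': BOOL, '-trustedId': None,
        '-trustedIdentityPassword': None, '-messageLevelAuth': LEVEL,
        '-supportedAuthMechList': None, '-clientCertAuth': LEVEL,
        '-transportLayer': LEVEL, '-sslConfiguration': None,
        '-statefulSession': BOOL, '-enableOutboundMapping': BOOL,
        '-trustedTargetRealms': None},
    'configureSingleSignon': {
        '-enable': BOOL, '-requiresSSL': BOOL, '-domainName': None,
        '-interoperable': BOOL, '-attributePropagation': BOOL},
    'setAdminActiveSecuritySettings': {
        '-enableGlobalSecurity': BOOL, '-cacheTimeout': INT,
        '-issuePermissionWarning': BOOL, '-enforceJava2Security': BOOL,
        '-enforceFineGrainedJCASecurity': BOOL, '-appSecurityEnabled': BOOL,
        '-dynUpdateSSLConfig': BOOL, '-activeAuthMechanism': MECH,
        '-adminPreferredAuthMech': MECH, '-activeUserRegistry': REGISTRY,
        '-useDomainQualifiedUserNames': BOOL, '-customProperties': None},
    'unsetAppActiveSecuritySettings': {
        '-securityDomainName': None, '-unsetAppSecurityEnabled': BOOL,
        '-unsetActiveUserRegistry': BOOL,
        '-unsetUseDomainQualifiedUserNames': BOOL,
        '-unsetEnforceJava2Security': BOOL,
        '-unsetEnforceFineGrainedJCASecurity': BOOL,
        '-unsetIssuePermissionWarning': BOOL, '-unsetCacheTimeout': BOOL},
}

# Assumed review policy (hypothetical; adjust to your own baseline).
POLICY = {
    ('configureCSIOutbound', '-transportLayer', 'Never'):
        'transport layer support is disabled for CSIv2 outbound',
    ('configureSingleSignon', '-requiresSSL', 'false'):
        'single sign-on is not restricted to HTTPS',
    ('setAdminActiveSecuritySettings', '-enableGlobalSecurity', 'false'):
        'global security is being disabled',
}


def to_list(arg_string):
    """Split the Jython string form, with or without the outer [ ]."""
    text = arg_string.strip()
    if text.startswith('[') and text.endswith(']'):
        text = text[1:-1]
    return shlex.split(text)


def lint(command, args):
    """Return 'error: ...' / 'warn: ...' strings; an empty list means clean."""
    spec = SPEC[command]  # KeyError: this example has no table for the command
    if isinstance(args, str):
        args = to_list(args)
    findings, i = [], 0
    while i < len(args):
        flag = args[i]
        if flag not in spec:
            near = (['-' + flag] if '-' + flag in spec
                    else difflib.get_close_matches(flag, list(spec), n=1))
            hint = "did you mean '%s'?" % near[0] if near else 'not documented'
            findings.append("error: unknown parameter '%s', %s" % (flag, hint))
            i += 2 if (flag.startswith('-') or near) else 1  # skip its value
            continue
        if i + 1 >= len(args):
            findings.append("error: %s has no value" % flag)
            break
        value, allowed = args[i + 1], spec[flag]
        if allowed is INT and not value.isdigit():
            findings.append("error: %s expects an integer" % flag)
        elif isinstance(allowed, tuple) and value not in allowed:
            findings.append("error: %s must be %s" % (flag, '/'.join(allowed)))
        if flag.endswith('Password'):  # never echo the value itself
            findings.append("warn: literal credential passed to %s" % flag)
        if (command, flag, value) in POLICY:
            findings.append('warn: ' + POLICY[(command, flag, value)])
        i += 2
    return findings
```

Run lint() over every AdminTask call in a script during review; a non-empty result means the call should not be executed as written.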