SecurityConfigurationCommands command group for the AdminTask object
You can use the Jython scripting language to configure security with the wsadmin tool. Use the commands and parameters in the SecurityConfigurationCommands group to configure and manage user registries, single sign-on, data entries, trust association, login modules, and interceptors.
- configureAdminCustomUserRegistry
- configureAdminLDAPUserRegistry
- configureAdminLocalOSUserRegistry
- configureAdminWIMUserRegistry
- configureAppCustomUserRegistry
- configureAppLDAPUserRegistry
- configureAppLocalOSUserRegistry
- configureAppWIMUserRegistry
- getLTPATimeout
- setLTPATimeout
- getUserRegistryInfo
- unconfigureUserRegistry
configureAdminCustomUserRegistry
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server identity that the system uses for internal process communication. Specify true to automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity. (String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
- -customRegClass
- Specifies the class name that implements the UserRegistry interface in com.ibm.websphere.security property. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAdminCustomUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
- Using this Jython string demonstrates:
- That the interceptor doesn't have to be one that is delivered with WebSphere.
- The use of all three properties together.
- How to contain a list in the string.
- That even if you have only one property in the -customProperties value, it still has to be specified as a list.
- Using Jython list:
AdminTask.configureAdminCustomUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminCustomUserRegistry('-interactive')
configureAdminLDAPUserRegistry
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity. (String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -ldapServerType
- Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)
- -ldapHost
- Specifies the host name of the LDAP server. (String)
- -ldapPort
- Specifies the port that the system uses to access the LDAP server. The default value is 389. (String)
- -baseDN
- Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)
- -bindDN
- Specifies the distinguished name for the application server, which is used to bind to the directory service. (String)
- -bindPassword
- Specifies the binding DN password for the LDAP server. (String)
- -bindAuthMechanism
- The bind authentication mechanism for binding to the LDAP server when you search for or modify
an LDAP entry. The following values are valid:
none
- Anonymous bind to the LDAP server.simple
- The default, which uses a simple bind distinguished name with a bind password to bind to the LDAP server.GSSAPI
- Kerberos authentication enablement, which requires the Kerberos principal name or the Kerberos service principal name to be set.
- -krb5Principal
- Kerberos principal name or Kerberos service principal name that is used to authenticate with the
Key Distribution Center (KDC). The Kerberos principal name is required if the
bindAuthMechanism parameter is set to the
GSSAPI
value. - -krb5TicketCache
- The directory location and file name of the Kerberos ticket cache, which is also referred to as the Kerberos credential cache, or ccache file.
- -krb5Config
- The Kerberos configuration file that contains the client configuration information, including
the location of each Key Distribution Centers (KDC) for the realm. This file is used for Kerberos
authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. The
following information gives the default file name and location for the Kerberos configuration file:
- /etc/krb5.conf
- C:\Windows\krb5.ini
- -krb5Keytab
- The Kerberos keytab file that contains one or more Kerberos service principal names and keys. This file is also used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the ticket cache is used.
- -searchTimeout
- Specifies the timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long)
- -reuseConnection
- Specifies whether the server reuses the LDAP connection. By default, this option is enabled.
Specify false for this parameter only in rare situations where a router is used to
distribute requests to multiple LDAP servers and when the router does not support affinity.
(Boolean)Avoid trouble: When you disable the reuse of the LDAP connection, the application server creates a new LDAP connection for every LDAP search request. This situation impacts system performance if your environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
- -userFilter
- Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)
- -groupFilter
- Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)
- -userIdMap
- Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)
- -groupIdMap
- Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)
- -groupMemberIdMap
- Specifies the LDAP filter that identifies users to group memberships. (String)
- -certificateMapMode
- Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)
- -certificateFilter
- Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map
attributes in the client certificate to entries in the LDAP registry. (String)The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The first part of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The second part of the filter specification is one of the public attributes in your client certificate. The second side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the second side of the filter specification. The case of the strings is important:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
- -krbUserFilter
- Specifies that the default value is the default user filter for the LDAP server type. (String)
- -nestedGroupSearch
- Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)
- -sslEnabled
- Specifies whether to enable Secure Sockets Layer (SSL). Specify true to enable an SSL connection to the LDAP server. (Boolean)
- -sslConfig
- Specifies the SSL configuration alias to use for the secure LDAP connection. (String)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
- -resetDefaultFilters
- Specify true, to reset all of the filter values to the default value of the LDAP server type. The default value for this parameter is false. The LDAP filter attributes reset are: userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap and krbUserFilter. If any of the other filter flags are used to specify a filter value on the command line at the same time resetDefaultFilter is set to true, the filter value specified is used. Any filter not specified on the command line at the time is reset to the default value of the LDAP server type.
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAdminLDAPUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin -ldapServerType NETSCAPE -ldapHost 195.168.1.1')
- Using Jython list:
AdminTask.configureAdminLDAPUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin', '-ldapServerType', 'NETSCAPE', '-ldapHost', '195.168.1.1'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminLDAPUserRegistry('-interactive')
configureAdminLocalOSUserRegistry
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity. (String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
- Using Jython list:
AdminTask.configureAdminLocalOSUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminLocalOSUserRegistry('-interactive')
configureAdminWIMUserRegistry
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server identity used for internal process communication. Specify true to automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity. (String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges that is defined in the registry. This parameter does not apply to security configurations. (String)
- -realmName
- Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAdminWIMUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
- Using Jython list:
AdminTask.configureAdminWIMUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminWIMUserRegistry('-interactive')
configureAppCustomUserRegistry
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
- -customRegClass
- Specifies the class name that implements the UserRegistry interface in com.ibm.websphere.security property. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAppCustomUserRegistry('-securityDomainName testDomain -realmName server_name.domain:port_number')
- Using Jython list:
AdminTask.configureAppCustomUserRegistry(['-securityDomainName', 'testDomain', '-realmName', 'server_name.domain:port_number'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppCustomUserRegistry('-interactive')
configureAppLDAPUserRegistry
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -ldapServerType
- Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER. (String)
- -ldapHost
- Specifies the host name of the LDAP server. (String)
- -ldapPort
- Specifies the port that the system uses to access the LDAP server. The default value is 389. (String)
- -baseDN
- Specifies the base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches of the directory service. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed. (String)
- -bindDN
- Specifies the distinguished name for the application server, which is used to bind to the directory service. (String)
- -bindPassword
- Specifies the binding DN password for the LDAP server. (String)
- -bindAuthMechanism
- The bind authentication mechanism for binding to the LDAP server when you search for or modify
an LDAP entry. The following values are valid:
none
- Anonymous bind to the LDAP server.simple
- The default, which uses a simple bind distinguished name with a bind password to bind to the LDAP server.GSSAPI
- Kerberos authentication enablement, which requires the Kerberos principal name or the Kerberos service principal name to be set.
- -krb5Principal
- Kerberos principal name or Kerberos service principal name that is used to authenticate with the
Key Distribution Center (KDC). The Kerberos principal name is required if the
bindAuthMechanism parameter is set to the
GSSAPI
value. - -krb5TicketCache
- The directory location and file name of the Kerberos ticket cache, which is also referred to as the Kerberos credential cache, or ccache file.
- -krb5Config
- The Kerberos configuration file that contains the client configuration information, including
the location of each Key Distribution Centers (KDC) for the realm. This file is used for Kerberos
authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. The
following information gives the default file name and location for the Kerberos configuration file:
- /etc/krb5.conf
- C:\Windows\krb5.ini
- -krb5Keytab
- The Kerberos keytab file that contains one or more Kerberos service principal names and keys. This file is also used for Kerberos authentication, SPNEGO web authentication, and LDAP user registry authentication with Kerberos. If the Kerberos ticket cache and the Kerberos keytab file are both specified, only the ticket cache is used.
- -searchTimeout
- Specifies the timeout value in seconds for an LDAP server to respond before stopping a request. The default value is 120 seconds. (Long Integer)
- -reuseConnection
- Specifies whether the server reuses the LDAP connection. By default, this option is enabled.
Specify false for this parameter only in rare situations where a router is used to
distribute requests to multiple LDAP servers and when the router does not support affinity.
(Boolean)Avoid trouble: When you disable the reuse of the LDAP connection, the application server creates a new LDAP connection for every LDAP search request. This situation impacts system performance if your environment requires extensive LDAP calls. This option is provided because the router is not sending the request to the same LDAP server. The option is also used when the idle connection timeout value or firewall timeout value between the application server and LDAP is too small.
- -userFilter
- Specifies the LDAP filter clause that the system uses to search the user registry for users. The default value is the default user filter for the LDAP server type. (String)
- -groupFilter
- Specifies the LDAP filter clause that the system uses to search the user registry for groups. The default value is the default group filter for the LDAP server type. (String)
- -userIdMap
- Specifies the LDAP filter that maps the short name of a user to an LDAP entry. The default value is the default user filter for the LDAP server type. (String)
- -groupIdMap
- Specifies the LDAP filter that maps the short name of a group to an LDAP entry. The default value is the default group filter for the LDAP server type. (String)
- -groupMemberIdMap
- Specifies the LDAP filter that identifies users to group memberships. (String)
- -certificateMapMode
- Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping. (String)
- -certificateFilter
- Specifies the filter certificate mapping property for the LDAP filter. The filter is used to map
attributes in the client certificate to entries in the LDAP registry. (String)The syntax or structure of this filter is: (&(uid=${SubjectCN})(objectclass=inetOrgPerson)). The first part of the filter specification is an LDAP attribute that depends on the schema that your LDAP server is configured to use. The second part of the filter specification is one of the public attributes in your client certificate. The second side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). You can use the following certificate attribute values on the second side of the filter specification. The case of the strings is important:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
- -krbUserFilter
- Specifies the default value is the default user filter for the LDAP server type. (String)
- -nestedGroupSearch
- Specifies whether to perform a recursive nested group search. Specify true to perform a recursive nested group search, or specify false to disable recursive nested group searching. (Boolean)
- -sslEnabled
- Specifies whether to enable Secure Sockets Layer (SSL). Specify true to enable an SSL connection to the LDAP server. (Boolean)
- -sslConfig
- Specifies the SSL configuration alias to use for the secure LDAP connection. (String)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
- -resetDefaultFilters
- Specify true, to reset all of the filter values to the default value of the LDAP server type. The default value for this parameter is false. The LDAP filter attributes reset are: userFilter, groupFilter, userIdMap, groupIdMap, groupMemberIdMap and krbUserFilter. If any of the other filter flags are used to specify a filter value on the command line at the same time resetDefaultFilter is set to true, the filter value specified is used. Any filter not specified on the command line at the time is reset to the default value of the LDAP server type.
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAppLDAPUserRegistry('-securityDomainName testDomain -ldapServerType NETSCAPE -ldapHost 195.168.1.1 -searchTimeout 300')
- Using Jython list:
AdminTask.configureAppLDAPUserRegistry(['-securityDomainName', 'testDomain', '-ldapServerType', 'NETSCAPE', '-ldapHost', '195.168.1.1', '-searchTimeout', '300'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppLDAPUserRegistry('-interactive')
configureAppLocalOSUserRegistry
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAppLocalOSUserRegistry('-securityDomainName testDomain')
- Using Jython list:
AdminTask.configureAppLocalOSUserRegistry(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppLocalOSUserRegistry('-interactive')
configureAppWIMUserRegistry
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically generates a realm name if you do not specify a value for the -realmName parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration is correct. If you set this parameter to true, then the system verifies the registry by making a call to the user registry to verify the admin ID. If you specify a server ID and password, then the system verifies the user and password with the user registry. Set the parameter to false to store the attributes in the configuration without validation. The command verifies the registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
- -useGlobalFederatedRepository
- Specifies whether to use the same instance of federated repository for the domain as is defined in the global domain. Specify true to use the same instance as defined in the global domain. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAppWIMUserRegistry('-securityDomainName testDomain -realmName testRealm')
- Using Jython list:
AdminTask.configureAppWIMUserRegistry(['-securityDomainName', 'testDomain', '-realmName', 'testRealm'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppWIMUserRegistry('-interactive')
getLTPATimeout
The getLTPATimeout command displays the number of seconds that the system waits before the LTPA request reaches timeout.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns the number of seconds that the server waits before the LTPA request is cancelled.
Batch mode example usage
- Using Jython string:
AdminTask.getLTPATimeout('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getLTPATimeout(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getLTPATimeout('-interactive')
setLTPATimeout
The setLTPATimeout command sets the amount of time that the system waits before the LTPA request becomes invalid.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
- -timeout
- Specifies the amount of time, in seconds, before the request times out. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.setLTPATimeout('-timeout 120')
- Using Jython list:
AdminTask.setLTPATimeout(['-timeout', '120'])
Interactive mode example usage
- Using Jython:
AdminTask.setLTPATimeout('-interactive')
getUserRegistryInfo
The getUserRegistryInfo command displays information about a user registry in a security domain or in the global security configuration. If you do not specify a value for the -userRegistryType parameter, the command returns the active user registry information.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
- -userRegistryType
- Specifies the type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegisty for local operating system user registries. (String)
Return value
The command returns configuration information in the form of attribute and value pairs for the user registry object of interest.
Batch mode example usage
- Using Jython string:
AdminTask.getUserRegistryInfo('-securityDomainName testDomain -userRegistryType LDAPUserRegistry')
- Using Jython list:
AdminTask.getUserRegistryInfo(['-securityDomainName', 'testDomain', '-userRegistryType', 'LDAPUserRegistry'])
Interactive mode example usage
- Using Jython:
AdminTask.getUserRegistryInfo('-interactive')
unconfigureUserRegistry
The unconfigureUserRegistry command modifies the user registry. For a global security configuration, the command reduces the user registry to the minimum registry values. For application-level security, the command removes the user registry from the security domain of interest.
Target object
None.
Required parameters
- -userRegistryType
- Specifies the type of user registry. Specify LDAPUserRegistry for LDAP user registries. Specify WIMUserRegistry for federated repository user registries. Specify CustomUserRegistry for custom user registries. Specify LocalOSUserRegisty for local operating system user registries. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureUserRegistry('-userRegistryType WIMUserRegistry -securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureUserRegistry(['-userRegistryType', 'WIMUserRegistry', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureUserRegistry('-interactive')
configureJAASLoginEntry
The configureJAASLoginEntry command configures a Java Authentication and Authorization Service (JAAS) login entry in a security domain or in the global security configuration. You can use this command to modify existing JAAS login entries or to create new login entries.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. If you do not specify a security domain name, the system updates the global security configuration. (String)
- -loginModules
- Specifies a comma (,) separated list of login module class names. Specify the list in the order that the system calls them. (String)
- -authStrategies
- Specifies a comma-separated list of authentication strategies that sets the authentication
behavior as authentication proceeds down the list of login modules. You must specify one
authentication strategy for each login module. (String)Specify one or many of the following values in a comma (,) separated list:
- REQUIRED
Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.
- REQUISITE
Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.
- SUFFICIENT
Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.
- OPTIONAL
Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.
- REQUIRED
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureJAASLoginEntry('[-loginType application -loginEntryAlias JAASLoginEntry1 -authStrategies " REQUIRED,REQUISITE"]')
- Using Jython list:
AdminTask.configureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-authStrategies', 'REQUIRED,REQUISITE'])
Interactive mode example usage
- Using Jython:
AdminTask.configureJAASLoginEntry('-interactive')
configureLoginModule
The configureLoginModule command modifies an existing login module or creates a new login module on an existing JAAS login entry in the global security configuration or in a security domain.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the configuration. (String)
- -loginModule
- Specifies the name of the login module. (String)
Optional parameters
- -newModule
- Specifies that you want a new login module to have the same class name as a previously
configured login module. (Boolean) For example, if you issued the following command to configure a login module for a given login entry:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl')
You can issue the following command to configure another login module with the same class name:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl' -newModule true')
The login entry now contains two login modules that use the same class name.
- -modifyModule
- Specifies that you want multiple login modules with the same class name to be modified.
(Integer)
For example, if you issued the following command:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModul eImpl -modifyModule 2 -authStrategy OPTIONAL')
The second login module in the TestLogin entry is modified with the OPTIONAL flag.
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -useLoginModuleProxy
- Specifies that the JAAS loads the login module proxy class. JAAS then delegates calls to the login module classes that are defined in the Module class name field. Specify true to use the login module proxy. (Boolean)
- -authStrategy
- Specifies the authentication behavior as authentication proceeds down the list of login modules.
(String)Specify one of the following values:
- REQUIRED
Specifies that the LoginModule module is required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list for each realm.
- REQUISITE
Specifies that the LoginModule module is required to succeed. If authentication is successful, the process continues down the LoginModule list in the realm entry. If authentication fails, control immediately returns to the application. Authentication does not proceed down the LoginModule list.
- SUFFICIENT
Specifies that the LoginModule module is not required to succeed. If authentication succeeds, control immediately returns to the application. Authentication does not proceed down the LoginModule list. If authentication fails, the process continues down the list.
- OPTIONAL
Specifies that the LoginModule module is not required to succeed. Whether authentication succeeds or fails, the process still continues down the LoginModule list.
- REQUIRED
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureLoginModule('-loginType application -loginEntryAlias JAASLoginEntry1 -loginModule class1')
- Using Jython list:
AdminTask.configureLoginModule(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-loginModule', 'class1'])
Interactive mode example usage
- Using Jython:
AdminTask.configureLoginModule('-interactive')
getJAASLoginEntryInfo
The getJAASLoginEntryInfo command displays configuration for a specific JAAS login entry.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains configuration information for the JAAS login entry of interest.
Batch mode example usage
- Using Jython string:
AdminTask.getJAASLoginEntryInfo('-loginType application -loginEntryAlias JAASLoginEntry -securityDomainName testDomain')
- Using Jython list:
AdminTask.getJAASLoginEntryInfo(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getJAASLoginEntryInfo('-interactive')
listJAASLoginEntries
The listJAASLoginEntries command displays each defined JAAS login modules for given type in a security domain or the global security configuration.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an array of attribute lists that contain the login entries for the login type of interest.
Batch mode example usage
- Using Jython string:
AdminTask.listJAASLoginEntries('-loginType application -securityDomainName testDomain')
- Using Jython list:
AdminTask.listJAASLoginEntries(['-loginType', 'application','-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.listJAASLoginEntries('-interactive')
listLoginModules
The listLoginModules command displays the class names and associated options for a specific JAAS login module in a security domain or in the global security configuration.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an array that contains the login modules in a specific login entry.
Batch mode example usage
- Using Jython string:
AdminTask.listLoginModules('-loginType system -loginEntryAlias JAASLoginEntry')
- Using Jython list:
AdminTask.listLoginModules(['-loginType', 'system', '-loginEntryAlias', 'JAASLoginEntry'])
Interactive mode example usage
- Using Jython:
AdminTask.listLoginModules('-interactive')
unconfigureJAASLoginEntry
The unconfigureJAASLoginEntry command removes a JAAS login entry from the global security configuration or a security domain. You cannot remove all login entries. The command returns an error if it cannot remove the login entry of interest.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureJAASLoginEntry('-loginType application -loginEntryAlias myLoginEntry')
- Using Jython list:
AdminTask.unconfigureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'myLoginEntry'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureJAASLoginEntry('-interactive')
unconfigureLoginModule
The unconfigureLoginModule command removes a login module class from a login module entry.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for the system login type or application for the application login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the configuration. (String)
- -loginModule
- Specifies the name of the login module class to remove from the configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureLoginModule('-loginType system -loginEntryAlias systemLoginEntry -loginModule moduleClass')
- Using Jython list:
AdminTask.unconfigureLoginModule(['-loginType', 'system', '-loginEntryAlias', 'systemLoginEntry', '-loginModule', 'moduleClass'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureLoginModule('-interactive')
createAuthDataEntry
The createAuthDataEntry command creates an authentication data entry for a J2EE Connector architecture (J2C) connector in the global security or security domain configuration.
By default when configuring authentication data entries in Global security, the node name is
added to the name of the entry. To stop the node name from being added, the
com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal
security property can
be set to true using the setAdminActiveSecuritySettings
task.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication data entry. (String)
- -user
- Specifies the J2C authentication data user ID. (String)
- -password
- Specifies the password to use for the target enterprise information system (EIS). (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The application server uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
- -description
- Specifies a description of the authentication data entry. (String)
Return value
The command returns the object name of the new authentication data entry object.
Batch mode example usage
- Using Jython string:
AdminTask.createAuthDataEntry('-alias dataEntry1 -user userID -password userIDpw')
- Using Jython list:
AdminTask.createAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID', '-password', 'userIDpw'])
Interactive mode example usage
- Using Jython:
AdminTask.createAuthDataEntry('-interactive')
deleteAuthDataEntry
The deleteAuthDataEntry command removes an authentication data entry for a J2C connector in a global security or security domain configuration.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication data entry. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The application server uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.deleteAuthDataEntry('-alias dataEntry1')
- Using Jython list:
AdminTask.deleteAuthDataEntry(['-alias', 'dataEntry1'])
Interactive mode example usage
- Using Jython:
AdminTask.deleteAuthDataEntry('-interactive')
getAuthDataEntry
The getAuthDataEntry command displays information about an authentication data entry for the J2C connector in the global security configuration or for a specific security domain.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication data entry. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains the authentication data entry attributes and values.
Batch mode example usage
- Using Jython string:
AdminTask.getAuthDataEntry('-alias authDataEntry1 -securityDomainName testDomain')
- Using Jython list:
AdminTask.getAuthDataEntry(['-alias', 'authDataEntry1', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getAuthDataEntry('-interactive')
listAuthDataEntries
The listAuthDataEntries command displays each authentication data entry in the global security configuration or in a security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an array of attribute lists for each authentication data entry.
Batch mode example usage
- Using Jython string:
AdminTask.listAuthDataEntries('-securityDomainName testDomain')
- Using Jython list:
AdminTask.listAuthDataEntries(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.listAuthDataEntries('-interactive')
modifyAuthDataEntry
The modifyAuthDataEntry command modifies an authentication data entry for a J2C connector in the global security or security domain configuration.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication data entry. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
- -user
- Specifies the J2C authentication data user ID. (String)
- -password
- Specifies the password to use for the target enterprise information system (EIS). (String)
- -description
- Specifies a description for the authentication data entry. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.modifyAuthDataEntry('-alias dataEntry1 -user userID1 -password newPassword')
- Using Jython list:
AdminTask.modifyAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID1', '-password', 'newPassword'])
Interactive mode example usage
- Using Jython:
AdminTask.modifyAuthDataEntry('-interactive')
clearAuthCache
The clearAuthCache command purges the entire security authentication cache of the associated security domain.
Target object
None.
Optional parameters
- -securityDomainId
- Specifies the unique identifier for the security domain. If no security domain ID is specified, the authentication cache of the admin domain is cleared. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.clearAuthCache('-securityDomainId descurity_domain_id')
- Using Jython list:
AdminTask.clearAuthCache(['-securityDomainId', 'security_domain_id', '-user', 'userID1', '-password', 'newpassword'])
Interactive mode example usage
- Using Jython:
AdminTask.clearAuthCache('-interactive')
purgeUserFromAuthCache
The purgeUserFromAuthCache command removes a user from the security authentication cache associated with a security domain.
Target object
None.
Required parameters
- -user
- Specifies the user Id associated with an authentication cache data entry (String)
Optional parameters
- -securityDomainID
- Specifies the unique identifier of the security domain. If no security domain ID is specified, the authentication cache of admin domain is cleared. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.purgeUserFromAuthCache('-user userID1 -securityDomainId security_domain_id')
- Using Jython list:
AdminTask.purgeUserFromAuthCache(['-user' 'userID1 ', 'securityDomainId', 'security_domain_id1', '-user', 'userID2', '-password', 'newPassword'])
Interactive mode example usage
- Using Jython:
AdminTask.purgeUserFromAuthCache('-interactive')
configureCSIInbound
The configureCSIInbound command configures CSIv2 inbound authentication on a security domain or on the global security configuration. When configuring CSI inbound authentication in a security domain for the first time, the CSI objects are copied from global security so that any changes to that configuration are applied.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. If one is not provided the task will work on the global security user registry configuration. (String)
- -messageLevelAuth
- Specifies whether clients connecting to this server must specify a user ID and password. Specify Never to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)
- -supportedAuthMechList
- Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use your own authentication token implementation. You can specify more then one in a space-separated list. (String)
- -clientCertAuth
- Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)
- -transportLayer
- Specifies the transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)
- -sslConfiguration
- Specifies the SSL configuration alias to use for inbound transport. (String)
- -enableIdentityAssertion
- Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)
- -trustedIdentities
- Specifies a list of trusted server identities, separated by the pipe character (|). To specify a null value, set the value of the -trustedIdentities parameter as an empty string (""). (String)
- -statefulSession
- Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)
- -enableAttributePropagation
- Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated Subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureCSIInbound('[-securityDomainName testDomain -messageLevelAuth Required -supportedAuthMechList "KRB5 LTPA"]')
- Using Jython list:
AdminTask.configureCSIInbound(['-securityDomainName', 'testDomain', '-messageLevelAuth', 'Required', '-supportedAuthMechList', 'KRB5 LTPA'])
Interactive mode example usage
- Using Jython:
AdminTask.configureCSIInbound('-interactive')
configureCSIOutbound
The configureCSIOutbound command configures the CSIv2 outbound authentication in a security domain or in the global security configuration. When configuring CSI Outbound in a security domain for the first time, the application server copies the CSI objects from global security. Then, the application server applies the changes to that configuration from the command.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -enableAttributePropagation
- Specifies whether to enable security attribute propagation. Security attribute propagation allows the application server to transport authenticated Subject contents and security context information from one server to another in your configuration. Specify true to enable security attribute propagation. (Boolean)
- -enableIdentityAssertion
- Specifies whether to enable identity assertion. When using the identity assertion authentication method, the security token generated is a <wsse:UsernameToken> element that contains a <wsse:Username> element. Specify true for the -enableIdentityAssertion parameter to enable identity assertion. (Boolean)
- -useServerIdentity
- Specifies whether to use the server identity to establish trust with the target server. Specify true to use the server identity. (Boolean)
- -trustedId
- Specifies the trusted identity that the application server uses to establish trust with the target server. (String)
- -trustedIdentityPassword
- Specifies the password of the trusted server identity. (String)
- -messageLevelAuth
- Specifies whether clients connecting to this server must specify a user ID and password. Specify includeNever to disable the user ID and password requirement. Specify Supported to accept a user ID and password. Specify Required to require a user ID and password. (String)
- -supportedAuthMechList
- Specifies the authentication mechanism to use. Specify KRB5 for Kerberos authentication, LTPA for Lightweight Third-Party Authentication, BasicAuth for BasicAuth authentication, and custom to use your own authentication token implementation. You can specify more then one in a space-separated list. (String)
- -clientCertAuth
- Specifies whether a client that connects to the server must connect using an SSL certificate. Specify Never to allow clients to connect without SSL certificates. Specify Supported to accept clients connecting with and without SSL certificates. Specify Required to require clients to use SSL certificate. (String)
- -transportLayer
- Specifies the transport layer support level. Specify Never to disable transport layer support. Specify Supported to enable transport layer support. Specify Required to require transport layer support. (String)
- -sslConfiguration
- Specifies the SSL configuration alias to use for inbound transport. (String)
- -statefulSession
- Specifies whether to enable a stateful session. Specify true to enable a stateful session. (Boolean)
- -enableOutboundMapping
- Specifies whether to enable custom outbound identity mapping. Specify true to enable custom outbound identity mapping. (Boolean)
- -trustedTargetRealms
- Specifies a list of target realms to trust. Separate each realm name with the pipe character (|). (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureCSIOutbound('-securityDomainName testDomain -useServerIdentity true -messageAuthLevel Supported')
- Using Jython list:
AdminTask.configureCSIOutbound(['-securityDomainName', 'testDomain', '-useServerIdentity', 'true', '-messageAuthLevel', 'Supported'])
Interactive mode example usage
- Using Jython:
AdminTask.configureCSIOutbound('-interactive')
getCSIInboundInfo
The getCSIInboundInfo command displays information about the Common Secure Interoperability (CSI) inbound settings for the global security configuration or for a security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
- -displayModel
- Specifies the output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)
Return value
The command returns an attribute list of the attributes and values of the CSI inbound object.
Batch mode example usage
- Using Jython string:
AdminTask.getCSIInboundInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getCSIInboundInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getCSIInboundInfo('-interactive')
getCSIOutboundInfo
The getCSIOutboundInfo command displays information for the CSI outbound settings for the global security configuration or for a security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
- -displayModel
- Specifies the output format of the configuration information. Specify true to return an attribute list of the model. Specify false to display an attribute of the value used to create the object. (Boolean)
Return value
The command returns an attribute list that contains the attributes and values of the CSI outbound configuration.
Batch mode example usage
- Using Jython string:
AdminTask.getCSIOutboundInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getCSIOutboundInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getCSIOutboundInfo('-interactive')
unconfigureCSIInbound
The unconfigureCSIInbound command removes the CSI inbound information from a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureCSIInbound('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureCSIInbound(['securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureCSIInbound('-interactive')
unconfigureCSIOutbound
The unconfigureCSIOutbound command removes the CSI outbound information from a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureCSIOutbound('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureCSIOutbound(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureCSIOutbound('-interactive')
configureInterceptor
The configureInterceptor command modifies an existing interceptor or creates an interceptor if one does not exist.
Target object
None.
Required parameters
- -interceptor
- Specifies the trust association interceptor class name. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security domain. If you do not specify a security domain, the command assigns the global security configuration. (String)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus -securityDomainName testDomain')
AdminTask.configureInterceptor('-interceptor com.company.customInterceptor -securityDomainName testDomain -customProperties ["p1=value1"]' )
- Using this Jython string for SAML TAI:
AdminTask.configureInterceptor('-interceptor com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor -customProperties ["sso_1.sp.acsUrl=https://company.com/was1/samlsps/sso1Sp","sso_1.sp.filter=request-url%=snoop","sso_1.sp.login.error.page=https://company.com/idP1/login.aspx","sso_1.sp.acsErrorPage=https://company.com/index.html","sso_2.sp.acsUrl=https://company.com/was1/samlsps/sso2Sp","sso_2.sp.filter=request-url%=appA","sso_2.sp.login.error.page=https://company.com/idP2/login.aspx","sso_1.sp.acsErrorPage=https://company.com/index.html" ] ')
- Using Jython list:
AdminTask.configureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.configureInterceptor('-interactive')
configureTrustAssociation
The configureTrustAssociation command enables or disable the trust association. If the security domain does not have a trust association defined, the application server copies each trust association and its interceptors from the global security configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -enable
- Specifies whether to enable trust association to act as a reverse proxy server. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureTrustAssociation('-securityDomainName testDomain -enable true')
- Using Jython list:
AdminTask.configureTrustAssociation(['-securityDomainName', 'testDomain', '-enable', 'true'])
Interactive mode example usage
- Using Jython:
AdminTask.configureTrustAssociation('-interactive')
getTrustAssociationInfo
The getTrustAssociationInfo command displays configuration information for trust association.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains attributes and values for trust association.
Batch mode example usage
- Using Jython string:
AdminTask.getTrustAssociationInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getTrustAssociationInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getTrustAssociationInfo('-interactive')
listInterceptors
The listInterceptors command displays the trust association interceptors that are configured in the global security or security domain configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an array list of each interceptor and the associated custom properties.
Batch mode example usage
- Using Jython string:
AdminTask.listInterceptors('-securityDomainName testDomain')
- Using Jython list:
AdminTask.listInterceptors(['securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.listInterceptors('-interactive')
unconfigureInterceptor
The unconfigureInterceptor command removes a trust association interceptor from the global security configuration or from a security domain.
Target object
None.
Required parameters
- -interceptor
- Specifies the trust association interceptor class name. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus -securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureInterceptor('-interactive')
unconfigureTrustAssociation
The unconfigureTrustAssociation command removes the trust association object from a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureTrustAssociation('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureTrustAssociation(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureTrustAssociation('
applyWizardSettings
The applyWizardSettings command can be used to automate the global security configuration.
Target object
None.
Optional parameters
- -secureApps
- Specifies to secure applications.
- -secureLocalResources
- Specifies to secure local resources such as data sets and MVS™ commands.
- -userRegistryType
- Specifies whether the user is a user, a group, or a group member.
- -ldapServerType
- Specifies the type of LDAP server that is being used. The default value is IDS51.
- -ldapHostName
- Specifies the LDAP host name.
- -ldapPort
- Specifies the LDAP port name.
- -ldapBaseDN
- Specifies the LDAP base dynamic member attribute.
- -ldapBindDN
- Dynamically updates LDAP binding information.
- -ldapBindPassword
- Dynamically updates LDAP binding password information.
- -adminName
- Refers to the name of an administrator account on the remote target machine.
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.applyWizardSettings('[-secureApps true -secureLocalResources false -userRegistryType LDAPUserRegistry -ldapServerType IBM_DIRECTORY_SERVER -ldapHostName '+ldapServer+' -ldapPort 389 -ldapBaseDN o=ibm,c=us -ldapBindDN cn=root -ldapBindPassword a1x4meok -adminName '+adminUsername+' ]'))
configureAuthzConfig
The configureAuthzConfig command configures an external Java Authorization Contract for Containers (JACC) authorization provider in a security domain or the global security configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -useJACCProvider
- Specifies whether to use a JACC provider. Specify true to use a JACC provider. (Boolean)
- -name
- Specifies the name of the JACC provider to use. (String)
- -description
- Specifies a description of the JACC provider. (String)
- -j2eePolicyImplClassName
- Specifies the class name of an implementation class that represents the javax.security.jacc.policy.provider property according to the specification. (String)
- -policyConfigurationFactoryImplClassName
- Specifies the class name of an implementation class that represents the javax.security.jacc.PolicyConfigurationFactory.provider property. (String)
- -roleConfigurationFactoryImplClassName
- Specifies the class name of an implementation class that implements the com.ibm.wsspi.security.authorization.RoleConfigurationFactory interface. (String)
- -requiresEJBArgumentsPolicyContextHandler
- Specifies whether policy providers require the Enterprise JavaBeans arguments policy context handler to make access decisions. Specify true to enable this option. (Boolean)
- -initializeJACCProviderClassName
- Specifies the class name of an implementation class that implements the com.ibm.wsspi.security.authorization.IntializeJACCProvider interface.(String)
- -supportsDynamicModuleUpdates
- Specifies whether the provider supports dynamic changes to the web modules. Specify true to enable this option. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAuthzConfig('[-securityDomainName testDomain -useJACCProvider true -name testProvider -description "JACC provider for testing"]')
- Using Jython list:
AdminTask.configureAuthzConfig(['-securityDomainName', 'testDomain', '-useJACCProvider', 'true', '-name', 'testProvider', '-description', 'JACC provider for testing'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAuthzConfig('-interactive')
configureSingleSignon
The configureSingleSignon command configures a single sign-on object in global security.
Target object
None.
Optional parameters
- -enable
- Specifies whether to enable single sign-on. Specify true to enable single sign-on, or false to disable single sign-on. (Boolean)
- -requiresSSL
- Specifies whether single sign-on requests send through HTTPS. Specify true to enable this option. (Boolean)
- -domainName
- Specifies the domain name that contains a set of hosts to which the single sign-on applies. (String)
- -interoperable
- Specifies interoperability options. Specify true to send an interoperable cookie to the browser to support back-level servers. Specify false disable the sending of interoperable cookies. (Boolean)
- -attributePropagation
- Specifies whether to enable inbound security attribute propagation. Specify true to enable web inbound security attribution propagation. Specify false to use the single sign-on token to log in and recreate the Subject from the user registry. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureSingleSignon('-enable true -domainName mycompany.com')
- Using Jython list:
AdminTask.configureSingleSignon(['-enable', 'true', '-domainName', 'mycompany.com'])
Interactive mode example usage
- Using Jython:
AdminTask.configureSingleSignon('-interactive')
getActiveSecuritySettings
The getActiveSecuritySettings command displays the active security settings for global security or a specific security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
- cacheTimeout
- issuePermissionWarning
- activeAuthMechanism
- enforceJava2Security
- appSecurityEnabled
- enableGlobalSecurity (global security only)
- adminPreferredAuthMech (global security only)
- activeAuthMechanism (global security only)
- activeUserRegistry
- enforceFineGrainedJCASecurity
- dynUpdateSSLConfig (global security only)
- useDomainQualifiedUserNames
- customProperties
Batch mode example usage
- Using Jython string:
AdminTask.getActiveSecuritySettings('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getActiveSecuritySettings(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getActiveSecuritySettings('-interactive')
getAuthzConfigInfo
The getAuthzConfigInfo command displays information about an external JACC authorization provider in a security domain or the global security configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains the attributes and values that are associated with the JACC authorization provider.
Batch mode example usage
- Using Jython string:
AdminTask.getAuthzConfigInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getAuthzConfigInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getAuthzConfigInfo('-interactive')
getSingleSignon
The getSingleSignon command displays configuration information about the single sign-on object as defined in the global security configuration.
Target object
None.
Optional parameters
None.Return value
The command returns an attribute list that contains the attributes and values of the single sign-on configuration.
Batch mode example usage
- Using Jython:
AdminTask.getSingleSignon()
Interactive mode example usage
- Using Jython:
AdminTask.getSingleSignon('-interactive')
setAdminActiveSecuritySettings
The setAdminActiveSecuritySettings command sets the active security settings on the global security object.
Target object
None.
Optional parameters
- -enableGlobalSecurity
- Specifies whether to enable global security. Specify true to enable global security, or specify false to disable global security. (Boolean)
- -cacheTimeout
- Specifies the amount of time, in seconds, before authentication data becomes invalid. (Integer)
- -issuePermissionWarning
- Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)
- -enforceJava2Security
- Specifies whether to enable Java Platform, Enterprise Edition (Java EE) security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)
- -enforceFineGrainedJCASecurity
- Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)
- -appSecurityEnabled
- Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)
- -dynUpdateSSLConfig
- Specifies whether to dynamically update SSL configuration changes. Specify true to update SSL configuration changes dynamically, or specify false to update the SSL configuration when the server starts. (Boolean)
- -activeAuthMechanism
- Specifies the active authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)
- -adminPreferredAuthMech
- Specifies the preferred authentication mechanism. Specify LTPA for LTPA authentication, KRB5 for Kerberos authentication, or RSAToken for RSA token authorization. (String)
- -activeUserRegistry
- Specifies the active user registry for the server. (String)Specify one of the following values:
- CustomUserRegistry
- This option enables you to specify a custom user registry as the active user registry for the server.
- LDAPUserRegistry
- This option enables you to specify an LDAP user registry as the active user registry for the server.
- LocalOSUserRegistry
- This option enables you to specify the local operating system user registry as the active user registry for the server.
- WIMUserRegistry
- This option enables you to specify a federated repository as the active user registry for the server.
- -useDomainQualifiedUserNames
- Specifies the type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.setAdminActiveSecuritySettings('-enableGlobalSecurity true -cacheTimeout 300 -enforceJava2Security true -appSecurityEnabled true -activeUserRegistry LDAPUserRegistry')
- Using Jython list:
AdminTask.setAdminActiveSecuritySettings(['-enableGlobalSecurity', 'true', '-cacheTimeout', '300', '-enforceJava2Security', 'true', '-appSecurityEnabled', 'true' '-activeUserRegistry', 'LDAPUserRegistry])
Interactive mode example usage
- Using Jython:
AdminTask.setAdminActiveSecuritySettings('-interactive')
setAppActiveSecuritySettings
The setAppActiveSecuritySettings command sets the active security settings on a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Optional parameters
- -cacheTimeout
- Specifies the amount of time, in seconds, before authentication data becomes invalid. (Integer)
- -issuePermissionWarning
- Specifies whether to issue a warning during application installation if the application requires security permissions. Specify true to enable the warning notification, or specify false to disable the warning notification. (Boolean)
- -enforceJava2Security
- Specifies whether to enable Java Platform, Enterprise Edition (Java EE) security. Specify true to enable Java EE security permissions checking, or specify false to disable Java EE security. (Boolean)
- -enforceFineGrainedJCASecurity
- Specifies whether to restrict application access. Specify true to restrict application access to sensitive Java EE Connector Architecture (JCA) mapping authentication data. (Boolean)
- -appSecurityEnabled
- Specifies whether to enable application-level security. Specify true to enable application level security, or specify false to disable application-level security. (Boolean)
- -activeUserRegistry
- Specifies the active user registry for the server. (String)
- -useDomainQualifiedUserNames
- Specifies the type of user name to use. Specify true to use domain qualified user names, or specify false to use the short name. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value pairs that the system stores as custom properties on the user registry object. For example, use the format: ["attr1=value1","attr2=value2"] (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.setAppActiveSecuritySettings('-securityDomainName testDomain -issuePermissionWarning false -enforceFineGrainedJCASecurity true')
- Using Jython
list:
Interactive mode example usageAdminTask.setAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-issuePermissionWarning', 'false', '-enforceFineGrainedJCASecurity', 'true'])
- Using Jython:
AdminTask.setAppActiveSecuritySettings('-interactive')
unconfigureAuthzConfig
The unconfigureAuthzConfig command removes an external JACC authorization provider from the global security configuration or a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureAuthzConfig('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureAuthzConfig(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureAuthzConfig('-interactive')
unsetAppActiveSecuritySettings
The unsetAppActiveSecuritySettings command removes an attribute from the global security configuration or a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. The command uses the global security configuration if you do not specify a value for the -securityDomainName parameter. (String)
Optional parameters
- -unsetAppSecurityEnabled
- Specifies whether to remove the attribute that enables application security. Specify true to remove the attribute. (Boolean)
- -unsetActiveUserRegistry
- Specifies whether to remove the active user registry attribute. Specify true to remove the attribute. (Boolean)
- -unsetUseDomainQualifiedUserNames
- Specifies whether to remove the user domain qualified user names attribute. Specify true to remove the attribute. (Boolean)
- -unsetEnforceJava2Security
- Specifies whether to remove the Java EE security attribute. Specify true to remove the attribute. (Boolean)
- -unsetEnforceFineGrainedJCASecurity
- Specifies whether to remove the fine-grained JCA security attribute. Specify true to remove the attribute. (Boolean)
- -unsetIssuePermissionWarning
- Specifies whether to remove the attribute that issues user permission warnings. Specify true to remove the attribute. (Boolean)
- -unsetCacheTimeout
- Specifies whether to remove the cache timeout attribute. Specify true to remove the attribute. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unsetAppActiveSecuritySettings('-securityDomainName testDomain -unsetAppSecurityEnabled true -unsetPermissionWarning true')
- Using Jython list:
AdminTask.unsetAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-unsetAppSecurityEnabled', 'true', '-unsetPermissionWarning', 'true'])
Interactive mode example usage
- Using Jython:
AdminTask.unsetAppActiveSecuritySettings('-interactive')