- –a address
- Specifies the local IP address for WebSEAL to use when communicating
with the target back-end server. If this option is not provided, WebSEAL
uses the default address as determined by the operating system.
If an address is supplied for a particular junction, WebSEAL is modified
to bind to this local address for all communication with the junctioned
server.
- –A
- Enables or disables lightweight third-party authentication mechanism
(LTPA) junctions. This option requires the –F and –Z options.
The –A, –F, and –Z options all must be used together.
This option is valid for all junctions except for the type of local.
- -2
- You can use this option in conjunction with the -A option
to specify that LTPA version 2 cookies (LtpaToken2) are used. The -A option
without the -2 option specifies that LTPA version
1 cookies (LtpaToken) are used.
- –b BA_value
- Defines how the WebSEAL server passes the HTTP BA authentication
information to the back-end server, which is one of the following
values:
- filter (default)
- ignore
- supply
- gso
This option is valid for all junctions except for the type of local.
- –B
- Indicates that WebSEAL uses the BA header information to authenticate
to the back-end server and to provide mutual authentication over SSL.
This option requires the –U and –W options.
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- –c header_type
- Inserts the Security Access Manager client
identity in HTTP headers across the junction. The header_type argument
can include any combination of the following Security Access Manager HTTP
header types:
- {iv-user|iv-user-l}
- iv-groups
- iv-creds
- all
The header types must be comma separated, with no spaces between the types. For example: -c iv-user,iv-groups
Specifying –c all is the same as specifying –c iv-user,iv-groups,iv-creds.
This option is valid for all junctions except for the type of local.
- –C
- Indicates single signon from a front-end WebSEAL server to a back-end
WebSEAL server. The –C option is not mutual authentication.
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- –D "dn"
- Specifies the distinguished name of the back-end server certificate.
This value, matched with the actual certificate DN, enhances authentication
and provides mutual authentication over SSL. For example, the certificate
for www.example.com might have a DN of
"CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Austin,ST=Texas,C=US"
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- –e encoding_type
- Specifies the encoding to use when generating HTTP headers for
junctions. This encoding applies to headers that are generated with
both the –c junction option and tag-value.
The following values for encoding are supported:
- utf8_bin
- WebSEAL sends the headers in UTF-8.
- utf8_uri
- WebSEAL sends the headers in UTF-8 but also URI-encodes them.
This behavior is the default.
- lcp_bin
- WebSEAL sends the headers in the local code page of the WebSEAL
server.
- lcp_uri
- WebSEAL sends the headers in the local code page of the WebSEAL
server, but also URI-encodes them.
This option is valid for all junctions except for the type of local.
- –f
- Forces the replacement of an existing junction.
This option is used for junctions that were created with any junction type.
- –F keyfile
- Specifies the location of the keyfile used to encrypt LTPA cookie data.
The –F option requires –A and –Z options.
The –A, –F, and –Z options all must be used together.
This option is valid for all junctions except for the type of local.
- –H host_name
- Specifies the DNS host name or IP address of the proxy server.
The –P option also supports proxy server junctions.
Valid values for host_name include any valid IP host name. For example:
proxy.www.example.com
This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.
- –i
- Indicates that the WebSEAL junction does not treat URLs as case-sensitive.
To correctly authorize requests for junctions that are not case-sensitive,
WebSEAL does the authorization check on a lowercase version of the
URL. For example, a Web server that is running on a Windows operating system treats
requests for INDEX.HTM and index.htm as requests for the same file.
Junctions to such a Web server should be created with the –i or –w option.
ACLs or POPs that are attached to objects beneath the junction point
should use the lowercase object name. An ACL attached to /junction/index.htm
will apply to all of the following requests if the –i or –w option is used:
- /junction/INDEX.HTM
- /junction/index.htm
- /junction/InDeX.HtM
This option is valid for all junctions except for the type of local.
Local junctions are case-insensitive only on Win32 platforms; on all other platforms they are case-sensitive.
- –I
- Ensures a unique Set-Cookie header name attribute when using the –j option
to modify server-relative URLs in requests.
This option is valid for all junctions except for the type of local.
- –j
- Supplies junction identification in a cookie to handle script-generated
server-relative URLs.
This option is valid for all junctions except for the type of local.
- -J trailer,inhead,onfocus,xhtml10
- Controls the junction cookie JavaScript block.
Use –J trailer to append (rather than prepend) the junction cookie JavaScript to the HTML page returned from the back-end server.
Use –J inhead to insert the JavaScript block between <head> </head> tags for HTML 4.01 compliance.
Use –J onfocus to use the onfocus event handler in the JavaScript to ensure that the correct junction cookie is used in a multiple-junction/multiple-browser-window scenario.
Use –J xhtml10 to insert a JavaScript block that is HTML 4.01 and XHTML 1.0 compliant.
For complete details on this option, see Control on the junction cookie JavaScript block.
- –k
- Sends WebSEAL session cookies to the junction server. By default,
cookies are removed from requests that are sent to the server.
This option is valid for all junctions except for the type of local.
- –K "key_label"
- Specifies the key label of the client personal certificate that
WebSEAL should present to the back-end server. Use of this option
allows the junction server to authenticate the WebSEAL server using
client certificates.
This option is valid only with junctions that were created with the type of ssl or sslproxy.
- –l percent
- Defines the soft limit for consumption of worker threads.
This option is valid for all junctions except for the type of local.
- –L percent
- Defines the hard limit for consumption of worker threads.
This option is valid for all junctions except for the type of local.
- –n
- Indicates that no modification of the names of non-domain cookies
is to be made. Use when client-side scripts depend on the names of cookies.
By default, if a junction is listed in the JMT or if the –j junction option is used, WebSEAL
modifies the names of non-domain cookies that are returned from
the junction to prepend AMWEBJCT!junction_point.
This option is valid for all junctions except for the type of local.
- –p port
- Specifies the TCP port of the back-end third-party server. The
default value is 80 for TCP junctions and 443 for SSL junctions.
This option is valid for all junctions except for the type of local.
- –P port
- For proxy junctions that were created with the type of tcpproxy or sslproxy, this
option specifies the TCP port number for the HTTP proxy server. The –P option
is required when the –H option is used.
This option is also valid for mutual junctions to specify the HTTPS port
of the back-end third-party server.
- –q path
- Required option for back-end Windows servers.
Specifies the relative path for the query_contents script.
By default, Security Access Manager looks for the query_contents script in the /cgi_bin directory.
If this directory is different or the query_contents file is renamed, this option indicates to WebSEAL the new URL to the file.
This option is valid for all junctions except for the type of local.
- –r
- Inserts the incoming IP address into the HTTP header across the
junction. This option is valid for all junctions except for the type
of local.
- –R
- Allows the request to proceed but provides the rule failure reason
to the junction in an HTTP header. If the –R option
is not used and a rule failure occurs, WebSEAL will not allow the
request to proceed. This option is valid for all junctions except
for the type of local.
- –s
- Indicates that the junction supports stateful applications. By
default, junctions are not stateful. This option is valid for all
junctions except for the type of local.
- –S pathfile_name
- Specifies the location of the forms single signon configuration
file. This option is valid for all junctions except for the type of local.
- –T {resource | resource_group}
- Specifies the name of the resource or resource group. This option
is required only when the –b gso option
is used. This option is valid for all junctions except for the type
of local.
- –u uuid
- Specifies the Universally Unique Identifier (UUID) of a back-end
server connected to WebSEAL by using a stateful junction (–s option).
This option is valid for all junctions except for the type of local.
- –U "user_name"
- Specifies the WebSEAL server user name. This option requires the –B and –W options.
WebSEAL uses the BA header information to authenticate to the back-end
server and to provide mutual authentication over SSL. This option
is valid only with junctions that were created with the type of ssl or sslproxy.
- –v virtual_hostname[:HTTP-port]
- Specifies the virtual host name for the back-end server. This
option supports multiple virtual hosts being served from the same
Web server. Use –v when the back-end junction
server expects a host name header different from the DNS name of the
server. This option is valid for all junctions except for the type
of local. For mutual junctions this value corresponds
to the virtual host which is used for HTTP requests.
- -V virtual_hostname[:HTTPS-port]
- Specifies the virtual host name for the back-end server. This
option supports multiple virtual hosts being served from the same
Web server. Use –V when the back-end junction
server expects a host name header different from the DNS name of the
server. This option is only used for mutual junctions and corresponds
to the virtual host which is used for HTTPS requests.
- –w
- Indicates Microsoft Windows file system support. This option
provides all of the functionality provided by the –i junction
option but disallows requests that contain file names that might be
interpreted as Windows file name aliases. This option is valid for all
junctions except for the type of local. Local junctions prohibit URLs that
contain Windows file name aliases on Windows but allow such URLs on other platforms.
- –W "password"
- Specifies the WebSEAL server password. This option requires the –B and –U options.
WebSEAL uses the BA header information to authenticate to the back-end
server and to provide mutual authentication over SSL. This option
is valid only with junctions that were created with the type of ssl or sslproxy.
- –x
- Creates a transparent path junction.
This option is valid for all junctions except for the type of local.
- –Y
- Enables Tivoli® Federated Identity Manager single-signon (SSO) for the junction.
Note: Before using this option, you must first configure the WebSEAL configuration
file to support Tivoli Federated Identity Manager single-signon over junctions.
- –Z keyfile_pwd
- Specifies the password of the keyfile used to encrypt LTPA cookie
data. This option requires the –A and –F options.
The –A, –F, and –Z options all must be used together.
This option is valid for all junctions except for the type of local.
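
The dependency and junction-type rules stated in the entries above can be checked mechanically before a junction is created. The following is an added example, not IBM code: the function name `lint_junction` and its input shape (a junction type string plus a dictionary of options) are assumptions, options are written with an ASCII hyphen, and only rules that appear on this page are encoded.

```python
# Added example: lint one WebSEAL junction definition against the option rules
# listed on this page. Function name and input shape are assumptions.
REQUIRES = {  # option -> options the page says must accompany it
    "-A": {"-F", "-Z"}, "-F": {"-A", "-Z"}, "-Z": {"-A", "-F"},
    "-B": {"-U", "-W"}, "-U": {"-B", "-W"}, "-W": {"-B", "-U"},
    "-H": {"-P"},
}
SSL_ONLY = {"-B", "-C", "-D", "-K", "-U", "-W"}   # ssl or sslproxy only
PROXY_ONLY = {"-H"}                               # tcpproxy or sslproxy only
NOT_LOCAL = set("-A -b -c -e -F -i -I -j -k -l -L -n -p -q -r -R "
                "-s -S -T -u -v -w -x -Z".split())
BA_VALUES = {"filter", "ignore", "supply", "gso"}
ENCODINGS = {"utf8_bin", "utf8_uri", "lcp_bin", "lcp_uri"}
HEADER_TYPES = {"iv-user", "iv-user-l", "iv-groups", "iv-creds", "all"}

def lint_junction(jtype, opts):
    """jtype: junction type; opts: {option: value or None}. Returns sorted findings."""
    found = []
    for opt in opts:
        missing = REQUIRES.get(opt, set()) - set(opts)
        if missing:
            found.append(f"{opt} requires {' and '.join(sorted(missing))}")
        if opt in SSL_ONLY and jtype not in ("ssl", "sslproxy"):
            found.append(f"{opt} is valid only for ssl or sslproxy junctions")
        elif opt in PROXY_ONLY and jtype not in ("tcpproxy", "sslproxy"):
            found.append(f"{opt} is valid only for tcpproxy or sslproxy junctions")
        elif opt in NOT_LOCAL and jtype == "local":
            found.append(f"{opt} is not valid for local junctions")
    if "-b" in opts and opts["-b"] not in BA_VALUES:
        found.append(f"-b value {opts['-b']!r} is not one of {sorted(BA_VALUES)}")
    if opts.get("-b") == "gso" and "-T" not in opts:
        found.append("-b gso requires -T")
    if "-e" in opts and opts["-e"] not in ENCODINGS:
        found.append(f"-e value {opts['-e']!r} is not a supported encoding")
    if "-c" in opts:
        types = opts["-c"].split(",")
        bad = [t for t in types if t not in HEADER_TYPES]
        if bad:
            found.append(f"-c has unknown or space-padded header types: {bad}")
        if {"iv-user", "iv-user-l"} <= set(types):
            found.append("-c takes iv-user or iv-user-l, not both")
    return sorted(found)

if __name__ == "__main__":
    # Constructed sample: LTPA without -Z, BA credentials on a tcp junction,
    # gso without -T, and a space inside the -c list.
    sample = {"-A": None, "-F": "/path/to/ltpa.key", "-B": None, "-U": "webseal",
              "-W": "<placeholder>", "-b": "gso", "-c": "iv-user, iv-groups"}
    for line in lint_junction("tcp", sample):
        print(line)
```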