server task virtualhost create

Syntax

For local junctions:

server task instance_name-webseald-host_name virtualhost create –t type –d dir –v virtual_host_name [options] vhost_label

For non-local junctions:

server task instance_name-webseald-host_name virtualhost create –t type –h host_name [options] vhost_label

Options

–d dir

Specifies the local directory for a local virtual host junction.

This option is required for localtcp and localssl junction types.

–h host_name

Specifies the DNS host name or IP address of the target server. This option is valid only for non-local junctions; local junctions do not need a host name. Valid values for host_name include any valid IP host name. For example:

www.example.com

–t type

Specifies the type of virtual host junction. This option is required and must be one of the following types:

• tcp
• tcpproxy
• ssl
• sslproxy
• localtcp
• localssl

–v virtual_host_name[:port]

WebSEAL selects a virtual host junction to process a request if the HTTP Host header of the request matches:

• The virtual host name by the -v option and
• The port number that is specified by the -v option.

The –v option is also used to specify the value of the Host header of the request sent to the server.

The port number is required if the virtual host uses a non-standard port for the protocol. Standard port for TCP is 80; standard port for SSL is 443.

If –v is not specified for tcp, ssl, tcpproxy, and sslproxy type junctions, the junction is selected from the information that is contained in the –h host_name and –p port options.

The –v option is required for localtcp and localssl type junctions

instance_name-webseald-host_name

Specifies the full server name of the installed WebSEAL server instance. You must specify this full server name in the exact format as displayed in the output of the server list command.

The instance_name specifies the configured name of the WebSEAL server instance. The webseald designation indicates that the WebSEAL service performs the command task. The host_name is the name of the physical computer where the WebSEAL server is installed.

For example, the configured name of a single WebSEAL server instance is default. The host computer name where the WebSEAL server is installed is abc.ibm.com. Then, the full WebSEAL server name is default-webseald-abc.ibm.com.

If an additional WebSEAL server instance is configured and named web2, the full WebSEAL server name is web2-webseald-abc.ibm.com.

options

Specifies the options that you can use with the server task virtualhost create command. (Optional) These options include:

–A

Enables a virtual host junction to support the lightweight third-party authentication mechanism (LTPA). This option requires the –F and –Z options. The –A, –F, and –Z options all must be used together.

This option is valid for all junction types except localtcp and localssl.

–2

You can use this option with the –A option to specify that LTPA version 2 cookies (LtpaToken2) are used. The –A option without the –2 option specifies that LTPA version 1 cookies (LtpaToken) are used.

–b BA_value

Defines how the WebSEAL server passes client identity information in HTTP basic authentication (BA) headers to the virtual host, which is one of the following values:

• filter
• ignore
• supply
• gso

This option is valid for all junction types except localtcp and localssl. The default value is filter.

–B

Indicates that WebSEAL uses the BA header information to authenticate to the virtual host and to provide mutual authentication over SSL. This option requires the –U and –W options.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–c header_type

Inserts the Security Access Manager client identity in HTTP headers across the virtual host junction. The header_type argument can include any combination of the listed Security Access Manager HTTP header types:

• {iv_user|iv_user-l}
• iv_groups
• iv_creds
• all

The header types must be comma-separated, and cannot have a space between the types. For example: -c iv_user,iv_groups

Specifying –c all is the same as specifying –c iv_user,iv_groups,iv_creds.

This option is valid for all junction types except localtcp and localssl.

–C

Supports mutual authentication by enabling the front-end WebSEAL server to pass its identity information to the back-end WebSEAL server. The front-end WebSEAL server passes information in a Basic Authentication (BA) header. Additionally, the –C option enables the single sign-on functionality that is provided by the –c option.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–D "dn"

Specifies the distinguished name of the server certificate. This value, matched with the actual certificate DN, enhances authentication and provides mutual authentication over SSL. For example, the certificate for www.example.com might have a DN of

"CN=WWW.EXAMPLE.COM,OU=Software,O=example.com\, Inc,L=Austin,
ST=Texas,C=US"

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–e encoding_type

Specifies the encoding to use when HTTP headers is generated for virtual host junctions. This encoding applies to headers that are generated with both the –c junction option and tag-value. Possible values for encoding are as follows:

utf8_bin

WebSEAL sends the headers in UTF-8.

utf8_uri

WebSEAL sends the headers in UTF-8 but URI also encodes them. This behavior is the default behavior.

lcp_bin

WebSEAL sends the headers in the local code page of the WebSEAL server.

lcp_uri

WebSEAL sends the headers in the local code page of the WebSEAL server, but URI also encodes them.

This option is valid for all junction types except localtcp and localssl.

–f

Forces the replacement (overwrite) of an existing virtual host junction.

This option is used for junctions that were created with any junction type.

–F "keyfile"

Specifies the location of the key file that is used to encrypt LTPA cookie data.

The –F option requires –A and –Z options. The –A, –F, and –Z options all must be used together.

This option is valid for all junction types except localtcp and localssl.

–g vhost_label

The –g option causes a second more virtual host junction to share a protected object space as the initial virtual host junction.

This option is appropriate for junction pairs only (two junctions by using complementary protocols). The option does not support the association of more than two junctions.

–H host_name

Specifies the DNS host name or IP address of the proxy server. The –P option also supports proxy server junctions. Valid values for host_name include any valid IP host name. For example:

proxy.www.example.com

This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.

–i

Indicates that the WebSEAL junction does not treat URLs as case-sensitive. To correctly authorize requests for junctions that are not case-sensitive, WebSEAL does the authorization check on a lowercase version of the URL. For example, a web server that is running on a Windows operating system treats requests for INDEX.HTM and index.htm as requests for the same file.

Junctions to such a web server must be created with the –i or –w option. ACLs or POPs that are attached to objects beneath the junction point must use the lowercase object name. An ACL attached to /junction/index.htm applies to all the following requests if the –i or –w option is used:

• /junction/INDEX.HTM
• /junction/index.htm
• /junction/InDeX.HtM

This option is valid for all junction except for the type of localtcp and localssl. Local junctions are not case-sensitive only on Win32 platforms; all other platforms are case-sensitive.

–k

Sends WebSEAL session cookies to the back-end virtual host. By default, cookies are removed from requests that are sent to the server.

This option is valid for all junction types except localtcp and localssl.

–K "key_label"

Specifies the key label of the client-side certificate that WebSEAL must present to the server. Use of this option allows the virtual host to authenticate the WebSEAL server by using client certificates.

This option is valid only with junctions that were created with the type of ssl and sslproxy.

–l percent

Defines the soft limit for consumption of worker threads.

This option is valid for all junction types except localtcp and localssl.

–L percent

Defines the hard limit for consumption of worker threads.

This option is valid for all junction types except localtcp and localssl.

–p port

Specifies the TCP port of the third-party server. The default value is 80 for TCP junctions and 443 for SSL junctions.

This option is valid for all junction types except localtcp and localssl.

–P port

Specifies the TCP port number for the HTTP proxy server. The –P option is required when the –H option is used.

This option is valid only with junctions that were created with the type of tcpproxy or sslproxy.

–q –S

Specifies the relative path for the query_contents script. By default, Security Access Manager looks for the query_contents script in the /cgi_bin directory. If this directory is different or the query_contents file name is renamed, this option indicates to WebSEAL the new URL to the file. Required for Windows virtual hosts.

This option is valid for all junction types except localtcp and localssl.

–r

Inserts the incoming IP address into the HTTP header across the junction.

This option is valid for all junction types except localtcp and localssl.

–R

Allows the request to proceed but provides the rule failure reason to the junction in an HTTP header. If the –R option is not used and a rule failure occurs, WebSEAL does not allow the request to proceed.

This option is valid for all junction types except localtcp and localssl.

–s

Indicates that the virtual host junction support stateful applications. By default, virtual host junctions are not stateful.

This option is valid for all junction types except localtcp and localssl.

–S

Indicates the location of the forms single sign-on configuration file.

This option is valid for all junction types except localtcp and localssl.

–T {resource | resource_group}

Specifies the name of the GSO resource or resource group. This option is required only when the –b gso option is used.

This option is valid for all junction types except localtcp and localssl.

–u uuid

Specifies the Universally Unique Identifier (UUID) of a server that is connected to WebSEAL by using a stateful virtual host junction (–s option).

This option is valid for all junction types except localtcp and localssl.

–U "user_name"

Specifies the WebSEAL server user name. This option requires the –B and –W options. WebSEAL uses the BA header information to authenticate to the virtual host and to provide mutual authentication over SSL.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–w

Indicates Microsoft Windows 32 bit (Win32) file system support. This option provides all the functionality that is provided by the –i junction option. The option disallows requests that contain file names that might be interpreted as Win32 file name aliases.

This option is valid for all junction types except localtcp and localssl. Local junctions prohibit URLs that contain Win32 file name aliases on Win32 but allow such URLs on other platforms.

–W "password"

Specifies the WebSEAL server password. This option requires the –B and –U options. WebSEAL uses the BA header information to authenticate to the virtual host and to provide mutual authentication over SSL.

This option is valid only with junctions that were created with the type of ssl or sslproxy.

–Y

Enables the Federation Runtime single sign-on (SSO) for the junction.

Note: Before you use this option, you must first configure the WebSEAL configuration file to support the Federation Runtime single sign-on over junctions.

–z replica_set

Specifies the replica set, as follows:

For SMS environments:

Sessions on the virtual host junction are managed under the specified replica set. Used to group or separate login sessions among multiple virtual hosts.

For non-SMS environments:

Sessions on the virtual host junction are managed under the specified replica set. Controls the partitioning of the WebSEAL session cache. The virtual host can be part of the same replica set as any standard junction that is assigned to that same replica set. Standard junctions are assigned to replica sets through the standard-junction-replica-set entry of the [session] stanza.

–Z keyfile_pwd

Specifies the password of the key file that is used to encrypt LTPA cookie data. This option requires the –A and –F options. The –A, –F, and –Z options all must be used together.

This option is valid for all junction types except localtcp and localssl.

vhost_label

Specifies the label name of the virtual host junction.

Authorization

Users and groups that require access to this command must be given the s (server administration) permission in the ACL that governs the /WebSEAL/host_name-instance_name/@vhost_label object. For example, the sec_master administrative user is given this permission by default.

Return codes

0

The command completed successfully. For WebSEAL server task commands, the return code is 0 when the command is sent to the WebSEAL server without errors. However, even after the command was successfully sent, the WebSEAL server might not be able to successfully complete the command. The WebSEAL server returns an error message.

1

The command failed. See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

See also