You can use the Jython scripting language to configure
security with the wsadmin tool. Use the commands and parameters in
the SecurityConfigurationCommands group to configure and manage user
registries, single sign-on, data entries, trust association, login
modules, and interceptors.
The commands in this group fall into the following areas:
- user registry configurations
- Java Authentication and Authorization Service (JAAS) login configurations
- data entry configurations
- Common Secure Interoperability Version 2 (CSIv2) configurations
- trust association configurations
- management of the security configuration as a whole
configureAdminCustomUserRegistry
The
configureAdminCustomUserRegistry command configures a custom user
registry in the global security configuration.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server
identity that the system uses for internal process communication.
Specify true to automatically generate the server
identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system
uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity.
(String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges
that is defined in the registry. This parameter does not apply to
security configurations. (String)
- -customRegClass
- Specifies the name of the class that implements the com.ibm.websphere.security.UserRegistry
interface. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAdminCustomUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
- Using Jython list:
AdminTask.configureAdminCustomUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminCustomUserRegistry('-interactive')
configureAdminLDAPUserRegistry
The
configureAdminLDAPUserRegistry command configures a Lightweight Directory
Access Protocol (LDAP) user registry in the global security configuration.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server
identity used for internal process communication. Specify true to
automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system
uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity.
(String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges
that is defined in the registry. This parameter does not apply to
security configurations. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -ldapServerType
- Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER.
(String)
- Specify one of the following valid values:
- IBM_DIRECTORY_SERVER
- IPLANET
- NETSCAPE
- NDS
- DOMINO502
- SECUREWAY
- ACTIVE_DIRECTORY
- CUSTOM
- -ldapHost
- Specifies the host name of the LDAP server. (String)
- -ldapPort
- Specifies the port that the system uses to access the LDAP server.
The default value is 389. (String)
- -baseDN
- Specifies the base distinguished name (DN) of the directory service,
which indicates the starting point for LDAP searches of the directory
service. In most cases, bind DN and bind password are needed. However,
when anonymous bind can satisfy all of the required functions, bind
DN and bind password are not needed. (String)
- -bindDN
- Specifies the distinguished name for the application server, which
is used to bind to the directory service. (String)
- -bindPassword
- Specifies the binding DN password for the LDAP server. (String)
- -searchTimeout
- Specifies the timeout value in seconds for an LDAP server to respond
before stopping a request. The default value is 120 seconds.
(Long)
- -reuseConnection
- Specifies whether the server reuses the LDAP connection. By default,
this option is enabled. Specify false for this parameter
only in rare situations where a router is used to distribute requests
to multiple LDAP servers and when the router does not support affinity.
(Boolean)
Avoid trouble: When you disable the reuse of the
LDAP connection, the application server creates a new LDAP connection
for every LDAP search request. This setting degrades performance
if your environment makes extensive LDAP calls. Use it only when a
router in front of multiple LDAP servers does not send each request to
the same LDAP server, or when the idle connection timeout or firewall
timeout between the application server and the LDAP server is too short
to keep a pooled connection alive.
- -userFilter
- Specifies the LDAP filter clause that the system uses to search
the user registry for users. The default value is the default user
filter for the LDAP server type. (String)
- -groupFilter
- Specifies the LDAP filter clause that the system uses to search
the user registry for groups. The default value is the default group
filter for the LDAP server type. (String)
- -userIdMap
- Specifies the LDAP filter that maps the short name of a user to
an LDAP entry. The default value is the default user filter for the
LDAP server type. (String)
- -groupIdMap
- Specifies the LDAP filter that maps the short name of a group
to an LDAP entry. The default value is the default group filter for
the LDAP server type. (String)
- -groupMemberIdMap
- Specifies the LDAP filter that identifies users to group memberships.
(String)
- -certificateMapMode
- Specifies whether to map X.509 certificates into an LDAP directory
by EXACT_DN or CERTIFICATE_FILTER.
Specify CERTIFICATE_FILTER to use the specified
certificate filter for the mapping. (String)
- -certificateFilter
- Specifies the certificate filter that the system uses, when -certificateMapMode
is CERTIFICATE_FILTER, to map attributes of the client certificate to an
entry in the LDAP registry. (String)
The filter has the form of an LDAP search filter, for example:
(&(uid=${SubjectCN})(objectclass=inetOrgPerson))
The left side of each clause is an LDAP attribute, which depends on the
schema that your LDAP server is configured to use. The right side is one
of the public attributes of the client certificate, written as a placeholder
that begins with a dollar sign and an open brace (${) and ends with a close
brace (}). You can use the following placeholders on the right side of the
filter; the case of the strings is significant:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
- -krbUserFilter
- Specifies the LDAP filter clause that the system uses to search the
user registry when the user identity comes from a Kerberos principal.
The default value is the default user filter for the LDAP server type. (String)
- -nestedGroupSearch
- Specifies whether to perform a recursive nested group search.
Specify true to perform a recursive nested group
search, or specify false to disable recursive nested
group searching. (Boolean)
- -sslEnabled
- Specifies whether to enable Secure Sockets Layer (SSL). Specify true to
enable an SSL connection to the LDAP server. (Boolean)
- -sslConfig
- Specifies the SSL configuration alias to use for the secure LDAP
connection. (String)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
- -resetDefaultFilters
- Specify true to reset the filter values to the defaults for the
LDAP server type. The default value for this parameter is false. The filter
attributes that are reset are userFilter, groupFilter, userIdMap, groupIdMap,
groupMemberIdMap and krbUserFilter. If you also specify one of these filters
on the same command line, the value that you specify is used for that filter;
every filter that you do not specify is reset to the default for the LDAP
server type. (Boolean)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAdminLDAPUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin -ldapServerType NETSCAPE -ldapHost 195.168.1.1')
- Using Jython list:
AdminTask.configureAdminLDAPUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin', '-ldapServerType', 'NETSCAPE', '-ldapHost', '195.168.1.1'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminLDAPUserRegistry('-interactive')
configureAdminLocalOSUserRegistry
The
configureAdminLocalOSUserRegistry command configures a local operating
system user registry in the global security configuration.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server
identity used for internal process communication. Specify true to
automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system
uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity.
(String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges
that is defined in the registry. This parameter does not apply to
security configurations. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
- Using Jython list:
AdminTask.configureAdminLocalOSUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminLocalOSUserRegistry('-interactive')
configureAdminWIMUserRegistry
The
configureAdminWIMUserRegistry command configures a federated repository
user registry in the administrative security configuration.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Optional parameters
- -autoGenerateServerId
- Specifies whether the command automatically generates the server
identity used for internal process communication. Specify true to
automatically generate the server identity. (Boolean)
- -serverId
- Specifies the server identity in the repository that the system
uses for internal process communication. (String)
- -serverIdPassword
- Specifies the password that corresponds to the server identity.
(String)
- -primaryAdminId
- Specifies the name of the user with administrative privileges
that is defined in the registry. This parameter does not apply to
security configurations. (String)
- -realmName
- Specifies the realm of the user registry. The system automatically
generates a realm name if you do not specify a value for the -realmName
parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAdminWIMUserRegistry('-autoGenerateServerId true -serverIdPassword password4server -primaryAdminId serverAdmin')
- Using Jython list:
AdminTask.configureAdminWIMUserRegistry(['-autoGenerateServerId', 'true', '-serverIdPassword', 'password4server', '-primaryAdminId', 'serverAdmin'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAdminWIMUserRegistry('-interactive')
configureAppCustomUserRegistry
The
configureAppCustomUserRegistry command configures a custom user registry
in an application security domain.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically
generates a realm name if you do not specify a value for the -realmName
parameter. (String)
- -customRegClass
- Specifies the name of the class that implements the com.ibm.websphere.security.UserRegistry
interface. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAppCustomUserRegistry('-securityDomainName testDomain -realmName server_name.domain:port_number')
- Using Jython list:
AdminTask.configureAppCustomUserRegistry(['-securityDomainName', 'testDomain', '-realmName', 'server_name.domain:port_number'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppCustomUserRegistry('-interactive')
configureAppLDAPUserRegistry
The
configureAppLDAPUserRegistry command configures an LDAP user registry
in an application security domain.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically
generates a realm name if you do not specify a value for the -realmName
parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -ldapServerType
- Specifies the type of LDAP server. The default type is IBM_DIRECTORY_SERVER.
(String)
- Specify one of the following valid values:
- IBM_DIRECTORY_SERVER
- IPLANET
- NETSCAPE
- NDS
- DOMINO502
- SECUREWAY
- ACTIVE_DIRECTORY
- CUSTOM
- -ldapHost
- Specifies the host name of the LDAP server. (String)
- -ldapPort
- Specifies the port that the system uses to access the LDAP server.
The default value is 389. (String)
- -baseDN
- Specifies the base distinguished name (DN) of the directory service,
which indicates the starting point for LDAP searches of the directory
service. In most cases, bind DN and bind password are needed. However,
when anonymous bind can satisfy all of the required functions, bind
DN and bind password are not needed. (String)
- -bindDN
- Specifies the distinguished name for the application server, which
is used to bind to the directory service. (String)
- -bindPassword
- Specifies the binding DN password for the LDAP server. (String)
- -searchTimeout
- Specifies the timeout value in seconds for an LDAP server to respond
before stopping a request. The default value is 120 seconds.
(Long Integer)
- -reuseConnection
- Specifies whether the server reuses the LDAP connection. By default,
this option is enabled. Specify false for this parameter
only in rare situations where a router is used to distribute requests
to multiple LDAP servers and when the router does not support affinity.
(Boolean)
Avoid trouble: When you disable the reuse of the
LDAP connection, the application server creates a new LDAP connection
for every LDAP search request. This setting degrades performance
if your environment makes extensive LDAP calls. Use it only when a
router in front of multiple LDAP servers does not send each request to
the same LDAP server, or when the idle connection timeout or firewall
timeout between the application server and the LDAP server is too short
to keep a pooled connection alive.
- -userFilter
- Specifies the LDAP filter clause that the system uses to search
the user registry for users. The default value is the default user
filter for the LDAP server type. (String)
- -groupFilter
- Specifies the LDAP filter clause that the system uses to search
the user registry for groups. The default value is the default group
filter for the LDAP server type. (String)
- -userIdMap
- Specifies the LDAP filter that maps the short name of a user to
an LDAP entry. The default value is the default user filter for the
LDAP server type. (String)
- -groupIdMap
- Specifies the LDAP filter that maps the short name of a group
to an LDAP entry. The default value is the default group filter for
the LDAP server type. (String)
- -groupMemberIdMap
- Specifies the LDAP filter that identifies users to group memberships.
(String)
- -certificateMapMode
- Specifies whether to map X.509 certificates into an LDAP directory
by EXACT_DN or CERTIFICATE_FILTER.
Specify CERTIFICATE_FILTER to use the specified
certificate filter for the mapping. (String)
- -certificateFilter
- Specifies the certificate filter that the system uses, when -certificateMapMode
is CERTIFICATE_FILTER, to map attributes of the client certificate to an
entry in the LDAP registry. (String)
The filter has the form of an LDAP search filter, for example:
(&(uid=${SubjectCN})(objectclass=inetOrgPerson))
The left side of each clause is an LDAP attribute, which depends on the
schema that your LDAP server is configured to use. The right side is one
of the public attributes of the client certificate, written as a placeholder
that begins with a dollar sign and an open brace (${) and ends with a close
brace (}). You can use the following placeholders on the right side of the
filter; the case of the strings is significant:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
- -krbUserFilter
- Specifies the LDAP filter clause that the system uses to search the
user registry when the user identity comes from a Kerberos principal.
The default value is the default user filter for the LDAP server type. (String)
- -nestedGroupSearch
- Specifies whether to perform a recursive nested group search.
Specify true to perform a recursive nested group
search, or specify false to disable recursive nested
group searching. (Boolean)
- -sslEnabled
- Specifies whether to enable Secure Sockets Layer (SSL). Specify true to
enable an SSL connection to the LDAP server. (Boolean)
- -sslConfig
- Specifies the SSL configuration alias to use for the secure LDAP
connection. (String)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
- -resetDefaultFilters
- Specify true to reset the filter values to the defaults for the
LDAP server type. The default value for this parameter is false. The filter
attributes that are reset are userFilter, groupFilter, userIdMap, groupIdMap,
groupMemberIdMap and krbUserFilter. If you also specify one of these filters
on the same command line, the value that you specify is used for that filter;
every filter that you do not specify is reset to the default for the LDAP
server type. (Boolean)
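The certificate-to-LDAP mapping that -certificateMapMode and -certificateFilter describe, for both configureAdminLDAPUserRegistry and configureAppLDAPUserRegistry, as an added Python illustration that is not WebSphere's own code: it checks the placeholders in a filter against the case-sensitive list above, substitutes the certificate fields, and escapes every substituted value with the RFC 4515 filter-escaping rules so that a subject CN containing metacharacters such as `*` or `)` cannot widen the LDAP search. The certificate field names used as dictionary keys, the SubjectDN key used for EXACT_DN mode, and the escaping step itself are assumptions of the example; the page says nothing about how the product escapes substituted values.

```python
"""Map a client certificate to an LDAP entry with EXACT_DN or CERTIFICATE_FILTER.
Added illustration, not WebSphere code."""
import re

# Placeholders the command accepts on the right-hand side (case-sensitive).
CERT_ATTRIBUTES = (
    "UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore",
    "SerialNumber", "SigAlgName", "SigAlgOID", "SigAlgParams",
    "SubjectCN", "Version",
)
_PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so
    that '*', '(', ')', '\\' and NUL in a certificate field stay literal."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def validate_certificate_filter(template):
    """Return the placeholder names in the filter; reject unknown or
    wrongly cased names, and a filter with no placeholder at all."""
    names = _PLACEHOLDER.findall(template)
    if not names:
        raise ValueError("certificate filter has no ${...} placeholder")
    unknown = [n for n in names if n not in CERT_ATTRIBUTES]
    if unknown:
        raise ValueError("unsupported certificate attribute(s): %s" % ", ".join(unknown))
    return names


def render_certificate_filter(template, cert):
    """Substitute certificate fields into the filter, escaping each value."""
    validate_certificate_filter(template)
    return _PLACEHOLDER.sub(lambda m: escape_filter_value(str(cert[m.group(1)])), template)


def map_certificate(mode, cert, certificate_filter=None):
    """Return ('dn', subject DN) for EXACT_DN, where the subject DN is looked
    up directly, or ('filter', rendered filter) for CERTIFICATE_FILTER."""
    if mode == "EXACT_DN":
        return ("dn", cert["SubjectDN"])   # the SubjectDN key is an assumption
    if mode == "CERTIFICATE_FILTER":
        if not certificate_filter:
            raise ValueError("CERTIFICATE_FILTER mode needs -certificateFilter")
        return ("filter", render_certificate_filter(certificate_filter, cert))
    raise ValueError("certificateMapMode must be EXACT_DN or CERTIFICATE_FILTER")


# Constructed certificate fields (not taken from a real certificate).
SAMPLE_CERT = {
    "SubjectDN": "CN=alice,OU=dev,O=example",
    "SubjectCN": "alice",
    "Issuer": "CN=Example CA,O=example",
    "SerialNumber": "4096",
}
# The same fields with a subject CN crafted to widen the search.
HOSTILE_CERT = dict(SAMPLE_CERT, SubjectCN="*)(uid=admin")
PAGE_FILTER = "(&(uid=${SubjectCN})(objectclass=inetOrgPerson))"

if __name__ == "__main__":
    print(map_certificate("CERTIFICATE_FILTER", SAMPLE_CERT, PAGE_FILTER))
    print(map_certificate("CERTIFICATE_FILTER", HOSTILE_CERT, PAGE_FILTER))
```

With the hostile CN the rendered filter keeps `uid=\2a\29\28uid=admin` as a single literal value instead of becoming `(&(uid=*)(uid=admin)(objectclass=inetOrgPerson))`; a mapping that substitutes without escaping would match a different entry than the one the certificate was issued for.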
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAppLDAPUserRegistry('-securityDomainName testDomain -ldapServerType NETSCAPE -ldapHost 195.168.1.1 -searchTimeout 300')
- Using Jython list:
AdminTask.configureAppLDAPUserRegistry(['-securityDomainName', 'testDomain', '-ldapServerType', 'NETSCAPE', '-ldapHost', '195.168.1.1', '-searchTimeout', '300'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppLDAPUserRegistry('-interactive')
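A wsadmin (Jython) script that drives configureAdminLDAPUserRegistry and configureAppLDAPUserRegistry with the safer settings, added here as an example and not taken from the page or from IBM: it builds the list-form argument vector, rejects an unknown -ldapServerType, requires -sslEnabled true with an -sslConfig alias unless the caller explicitly accepts a plaintext bind (otherwise -bindPassword crosses the network unencrypted), asks for -verifyRegistry true so a wrong bind DN or filter fails at configuration time rather than at the next login, and calls AdminTask only when it is actually running inside wsadmin. The host, base DN, bind DN, password and SSL alias are placeholder values; that the list form needs no additional quoting, and that `__name__` is "main" or "__main__" under wsadmin, are assumptions of the example.

```python
# Build and apply an LDAP user registry command from wsadmin (Jython).
# Added example, not IBM's code. Written in plain Python 2/3 syntax so it
# also runs under the Jython that wsadmin ships.
LDAP_SERVER_TYPES = ("IBM_DIRECTORY_SERVER", "IPLANET", "NETSCAPE", "NDS",
                     "DOMINO502", "SECUREWAY", "ACTIVE_DIRECTORY", "CUSTOM")


def ldap_registry_args(host, base_dn, bind_dn, bind_password,
                       server_type="IBM_DIRECTORY_SERVER", port=636,
                       ssl_config=None, security_domain=None,
                       primary_admin_id=None, allow_plaintext=False):
    """Return the list-form argument vector for the LDAP registry command.

    ssl_config is the SSL configuration alias passed as -sslConfig. Without
    it the function refuses to build a plaintext bind unless allow_plaintext
    is set, because -bindPassword would otherwise travel in the clear.
    """
    if server_type not in LDAP_SERVER_TYPES:
        raise ValueError("unknown -ldapServerType: %s" % server_type)
    if not ssl_config and not allow_plaintext:
        raise ValueError("plaintext LDAP bind to %s:%d refused; pass ssl_config"
                         % (host, port))
    args = []
    if security_domain:
        # Application security domain: -securityDomainName is required.
        args.extend(["-securityDomainName", security_domain])
    elif primary_admin_id:
        # Global security configuration: name the admin user and let the
        # server generate its own identity instead of a second shared secret.
        args.extend(["-primaryAdminId", primary_admin_id,
                     "-autoGenerateServerId", "true"])
    args.extend(["-ldapServerType", server_type,
                 "-ldapHost", host, "-ldapPort", str(port),
                 "-baseDN", base_dn, "-bindDN", bind_dn,
                 "-bindPassword", bind_password,
                 "-verifyRegistry", "true"])   # validate against the directory
    if ssl_config:
        args.extend(["-sslEnabled", "true", "-sslConfig", ssl_config])
    else:
        args.extend(["-sslEnabled", "false"])
    return args


def apply_ldap_registry(args):
    """Run the matching AdminTask command and save the configuration.
    Outside wsadmin the AdminTask and AdminConfig objects do not exist, so
    the function returns None and does nothing; that keeps the builder
    testable from an ordinary interpreter."""
    admin_task = globals().get("AdminTask")
    admin_config = globals().get("AdminConfig")
    if admin_task is None or admin_config is None:
        return None
    if "-securityDomainName" in args:
        admin_task.configureAppLDAPUserRegistry(args)
    else:
        admin_task.configureAdminLDAPUserRegistry(args)
    admin_config.save()
    return args


# Placeholder values; replace with your own directory, bind DN and alias.
WEAK_ARGS = ldap_registry_args("ldap.example.com", "o=example",
                               "cn=wasbind,o=example", "change-me",
                               port=389, allow_plaintext=True)   # cleartext bind
HARDENED_ARGS = ldap_registry_args("ldap.example.com", "o=example",
                                   "cn=wasbind,o=example", "change-me",
                                   server_type="ACTIVE_DIRECTORY",
                                   ssl_config="NodeDefaultSSLSettings",
                                   primary_admin_id="wasadmin")

if __name__ in ("__main__", "main"):
    apply_ldap_registry(HARDENED_ARGS)
```

Run it with `wsadmin -lang jython -f <script>`; WEAK_ARGS is kept only to show what an unencrypted port-389 configuration looks like and is never applied.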
configureAppLocalOSUserRegistry
The
configureAppLocalOSUserRegistry command configures a local operating
system user registry in a security domain.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically
generates a realm name if you do not specify a value for the -realmName
parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAppLocalOSUserRegistry('-securityDomainName testDomain')
- Using Jython list:
AdminTask.configureAppLocalOSUserRegistry(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppLocalOSUserRegistry('-interactive')
configureAppWIMUserRegistry
The
configureAppWIMUserRegistry command configures federated repository
user registries in a security domain.
Supported configurations: This command is not
supported in a local mode.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Optional parameters
- -realmName
- Specifies the realm of the user registry. The system automatically
generates a realm name if you do not specify a value for the -realmName
parameter. (String)
- -verifyRegistry
- Specifies whether to verify that the user registry configuration
is correct. If you set this parameter to true, then
the system verifies the registry by making a call to the user registry
to verify the admin ID. If you specify a server ID and password, then
the system verifies the user and password with the user registry.
Set the parameter to false to store the attributes
in the configuration without validation. The command verifies the
registry configuration by default. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
- -useGlobalFederatedRepository
- Specifies whether to use the same instance of federated repository
for the domain as is defined in the global domain. Specify true to
use the same instance as defined in the global domain. (Boolean)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.configureAppWIMUserRegistry('-securityDomainName testDomain -realmName testRealm')
- Using Jython list:
AdminTask.configureAppWIMUserRegistry(['-securityDomainName', 'testDomain', '-realmName', 'testRealm'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAppWIMUserRegistry('-interactive')
getLTPATimeout
The
getLTPATimeout command displays the number of seconds that an LTPA token
remains valid before it times out.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The
command returns the number of seconds that an LTPA token remains valid
before it times out.
Batch
mode example usage
- Using Jython string:
AdminTask.getLTPATimeout('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getLTPATimeout(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getLTPATimeout('-interactive')
setLTPATimeout
The
setLTPATimeout command sets the number of seconds that an LTPA token
remains valid before it times out.
Target
object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
- -timeout
- Specifies the amount of time, in seconds, before the request times
out. (String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.setLTPATimeout('-timeout 120')
- Using Jython list:
AdminTask.setLTPATimeout(['-timeout', '120'])
Interactive mode example usage
- Using Jython:
AdminTask.setLTPATimeout('-interactive')
getUserRegistryInfo
The
getUserRegistryInfo command displays information about a user registry
in a security domain or in the global security configuration. If
you do not specify a value for the -userRegistryType parameter, the
command returns the active user registry information.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
- -userRegistryType
- Specifies the type of user registry. Specify LDAPUserRegistry for
LDAP user registries. Specify WIMUserRegistry for
federated repository user registries. Specify CustomUserRegistry for
custom user registries. Specify LocalOSUserRegistry for
local operating system user registries. (String)
Return value
The
command returns configuration information in the form of attribute
and value pairs for the user registry object of interest.
Batch mode example usage
- Using Jython string:
AdminTask.getUserRegistryInfo('-securityDomainName testDomain -userRegistryType LDAPUserRegistry')
- Using Jython list:
AdminTask.getUserRegistryInfo(['-securityDomainName', 'testDomain', '-userRegistryType', 'LDAPUserRegistry'])
Interactive mode example usage
- Using Jython:
AdminTask.getUserRegistryInfo('-interactive')
unconfigureUserRegistry
The
unconfigureUserRegistry command modifies the user registry. For a
global security configuration, the command reduces the user registry
to the minimum registry values. For application-level security, the
command removes the user registry from the security domain of interest.
Target object
None.
Required parameters
- -userRegistryType
- Specifies the type of user registry. Specify LDAPUserRegistry for
LDAP user registries. Specify WIMUserRegistry for
federated repository user registries. Specify CustomUserRegistry for
custom user registries. Specify LocalOSUserRegistry for
local operating system user registries. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The
command does not return output.
Batch
mode example usage
- Using Jython string:
AdminTask.unconfigureUserRegistry('-userRegistryType WIMUserRegistry -securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureUserRegistry(['-userRegistryType', 'WIMUserRegistry', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureUserRegistry('-interactive')
configureJAASLoginEntry
The
configureJAASLoginEntry command configures a Java Authentication and Authorization Service
(JAAS) login entry in a security domain or in the global security
configuration. You can use this command to modify existing JAAS login
entries or to create new login entries.
Target
object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the
configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. If you do not
specify a security domain name, the system updates the global security
configuration. (String)
- -loginModules
- Specifies a comma (,) separated list of login
module class names. Specify the list in the order that the system
calls them. (String)
- -authStrategies
- Specifies a comma-separated list of authentication strategies
that sets the authentication behavior as authentication proceeds down
the list of login modules. You must specify one authentication strategy
for each login module. (String)
Specify one or more of the following values in a comma (,) separated list:
- REQUIRED
Specifies that the LoginModule module is required to
succeed. Whether authentication succeeds or fails, the process still
continues down the LoginModule list for each realm.
- REQUISITE
Specifies that the LoginModule module is required
to succeed. If authentication is successful, the process continues
down the LoginModule list in the realm entry. If authentication fails,
control immediately returns to the application. Authentication does
not proceed down the LoginModule list.
- SUFFICIENT
Specifies that the LoginModule module is not required
to succeed. If authentication succeeds, control immediately returns
to the application. Authentication does not proceed down the LoginModule
list. If authentication fails, the process continues down the list.
- OPTIONAL
Specifies that the LoginModule module is not required
to succeed. Whether authentication succeeds or fails, the process
still continues down the LoginModule list.
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureJAASLoginEntry('[-loginType application -loginEntryAlias JAASLoginEntry1 -authStrategies "REQUIRED,REQUISITE"]')
- Using Jython list:
AdminTask.configureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-authStrategies', 'REQUIRED,REQUISITE'])
Interactive mode example usage
- Using Jython:
AdminTask.configureJAASLoginEntry('-interactive')
configureLoginModule
The configureLoginModule command modifies an existing login module or
creates a new login module on an existing JAAS login entry in the
global security configuration or in a security domain.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the
configuration. (String)
- -loginModule
- Specifies the name of the login module. (String)
Optional parameters
- -newModule
- Specifies that you want a new login module to have the same class
name as a previously configured login module. (Boolean)
For example,
if you issued the following command to configure a login module for
a given login entry:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl')
You can issue the following command to configure another login module
with the same class name:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl -newModule true')
The login entry now contains two login modules that use the same class
name.
- -modifyModule
- Specifies that you want multiple login modules with the same class
name to be modified. (Integer)
For example, if you issued the following command:
wsadmin>AdminTask.configureLoginModule('-loginType application -loginEntryAlias TestLogin -loginModule com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl -modifyModule 2 -authStrategy OPTIONAL')
The second login module in the TestLogin entry is modified with the OPTIONAL
flag.
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -useLoginModuleProxy
- Specifies that the JAAS loads the login module proxy class. JAAS
then delegates calls to the login module classes that are defined
in the Module class name field. Specify true to use
the login module proxy. (Boolean)
- -authStrategy
- Specifies the authentication behavior as authentication proceeds
down the list of login modules. (String)
Specify one of the following
values:
- REQUIRED
Specifies that the LoginModule module is required to
succeed. Whether authentication succeeds or fails, the process still
continues down the LoginModule list for each realm.
- REQUISITE
Specifies that the LoginModule module is required
to succeed. If authentication is successful, the process continues
down the LoginModule list in the realm entry. If authentication fails,
control immediately returns to the application. Authentication does
not proceed down the LoginModule list.
- SUFFICIENT
Specifies that the LoginModule module is not required
to succeed. If authentication succeeds, control immediately returns
to the application. Authentication does not proceed down the LoginModule
list. If authentication fails, the process continues down the list.
- OPTIONAL
Specifies that the LoginModule module is not required
to succeed. Whether authentication succeeds or fails, the process
still continues down the LoginModule list.
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: ["attr1=value1","attr2=value2"]
(String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureLoginModule('-loginType application -loginEntryAlias JAASLoginEntry1 -loginModule class1')
- Using Jython list:
AdminTask.configureLoginModule(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry1', '-loginModule', 'class1'])
Interactive mode example usage
- Using Jython:
AdminTask.configureLoginModule('-interactive')
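The REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL semantics listed for -authStrategies and -authStrategy above, walked through in code as an added example (not IBM's code and not part of wsadmin): a Python 2/3-compatible model of the JAAS control flow, plus a helper that builds the configureJAASLoginEntry argument list with one strategy per module. The module class names are hypothetical, and the rule that a SUFFICIENT success only short-circuits when no earlier REQUIRED or REQUISITE module failed follows the JAAS LoginContext behaviour.

```python
# Constructed model of how a JAAS login entry walks its ordered login modules
# under the REQUIRED / REQUISITE / SUFFICIENT / OPTIONAL flags described above.
# Added illustration only: not WebSphere or wsadmin code. The class names are
# made up, and each module's "outcome" is a precomputed True/False standing in
# for whether that LoginModule's login() succeeded.

REQUIRED = "REQUIRED"
REQUISITE = "REQUISITE"
SUFFICIENT = "SUFFICIENT"
OPTIONAL = "OPTIONAL"
VALID_STRATEGIES = (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL)


def evaluate_login_entry(modules):
    """Walk the module list the way a JAAS LoginContext does.

    modules: list of (class_name, auth_strategy, outcome) tuples, in the order
             the -loginModules / -authStrategies parameters list them.
    Returns (overall_success, invoked), where invoked lists the modules that
    actually ran, so you can see where the walk stopped.
    """
    invoked = []
    required_failed = False     # some REQUIRED or REQUISITE module failed
    optional_succeeded = False  # some SUFFICIENT or OPTIONAL module succeeded
    has_required = False        # the entry contains a REQUIRED/REQUISITE module
    for class_name, strategy, outcome in modules:
        invoked.append(class_name)
        if strategy in (REQUIRED, REQUISITE):
            has_required = True
            if not outcome:
                required_failed = True
                if strategy == REQUISITE:
                    break  # REQUISITE failure: control returns immediately
        elif strategy == SUFFICIENT:
            if outcome:
                optional_succeeded = True
                # JAAS only short-circuits on a SUFFICIENT success if no earlier
                # REQUIRED/REQUISITE module has failed; otherwise the walk goes
                # on and the overall result still fails.
                if not required_failed:
                    break
        elif strategy == OPTIONAL:
            if outcome:
                optional_succeeded = True
        else:
            raise ValueError("unknown authStrategy: %s" % strategy)
    if has_required:
        success = not required_failed
    else:
        # With no REQUIRED/REQUISITE modules, at least one SUFFICIENT or
        # OPTIONAL module must have succeeded.
        success = optional_succeeded
    return success, invoked


def configure_jaas_login_entry_args(login_type, alias, classes, strategies,
                                    domain=None):
    """Build the Jython-list arguments for configureJAASLoginEntry, enforcing
    the page's rule that every login module gets exactly one strategy."""
    if len(classes) != len(strategies):
        raise ValueError("one authStrategy is needed per login module")
    for strategy in strategies:
        if strategy not in VALID_STRATEGIES:
            raise ValueError("invalid authStrategy: %s" % strategy)
    args = ["-loginType", login_type, "-loginEntryAlias", alias,
            "-loginModules", ",".join(classes),
            "-authStrategies", ",".join(strategies)]
    if domain:
        args += ["-securityDomainName", domain]
    return args


# Constructed scenario: a SUFFICIENT module placed before a REQUIRED one. When
# the SUFFICIENT module succeeds, the REQUIRED module after it never runs, so
# the check it was meant to enforce is skipped. Module order is part of policy.
SAMPLE_ENTRY = [
    ("example.PasswordModule", SUFFICIENT, True),   # hypothetical class names
    ("example.MfaModule", REQUIRED, False),
]

if __name__ == "__main__":
    ok, ran = evaluate_login_entry(SAMPLE_ENTRY)
    print("success=%s invoked=%s" % (ok, ran))
    print(configure_jaas_login_entry_args(
        "application", "JAASLoginEntry1",
        [m[0] for m in SAMPLE_ENTRY], [m[1] for m in SAMPLE_ENTRY]))
```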
getJAASLoginEntryInfo
The getJAASLoginEntryInfo command displays configuration for a specific
JAAS login entry.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the
configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains configuration information
for the JAAS login entry of interest.
Batch mode example usage
- Using Jython string:
AdminTask.getJAASLoginEntryInfo('-loginType application -loginEntryAlias JAASLoginEntry -securityDomainName testDomain')
- Using Jython list:
AdminTask.getJAASLoginEntryInfo(['-loginType', 'application', '-loginEntryAlias', 'JAASLoginEntry', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getJAASLoginEntryInfo('-interactive')
listJAASLoginEntries
The listJAASLoginEntries command displays each JAAS login entry that is defined
for a given login type in a security domain or in the global security configuration.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an array of attribute lists that contain the login
entries for the login type of interest.
Batch mode example usage
- Using Jython string:
AdminTask.listJAASLoginEntries('-loginType application -securityDomainName testDomain')
- Using Jython list:
AdminTask.listJAASLoginEntries(['-loginType', 'application', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.listJAASLoginEntries('-interactive')
listLoginModules
The listLoginModules command displays the class names and associated options
for a specific JAAS login module in a security domain or in the global
security configuration.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the
configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an array that contains the login modules in a specific
login entry.
Batch mode example usage
- Using Jython string:
AdminTask.listLoginModules('-loginType system -loginEntryAlias JAASLoginEntry')
- Using Jython list:
AdminTask.listLoginModules(['-loginType', 'system', '-loginEntryAlias', 'JAASLoginEntry'])
Interactive mode example usage
- Using Jython:
AdminTask.listLoginModules('-interactive')
unconfigureJAASLoginEntry
The unconfigureJAASLoginEntry command removes a JAAS login entry from
the global security configuration or a security domain. You cannot
remove all login entries. The command returns an error if it cannot
remove the login entry of interest.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the
configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureJAASLoginEntry('-loginType application -loginEntryAlias myLoginEntry')
- Using Jython list:
AdminTask.unconfigureJAASLoginEntry(['-loginType', 'application', '-loginEntryAlias', 'myLoginEntry'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureJAASLoginEntry('-interactive')
unconfigureLoginModule
The unconfigureLoginModule command removes a login module class from a
login module entry.
Target object
None.
Required parameters
- -loginType
- Specifies the type of JAAS login entry of interest. Specify system for
the system login type or application for the application
login type. (String)
- -loginEntryAlias
- Specifies an alias that identifies the JAAS login entry in the
configuration. (String)
- -loginModule
- Specifies the name of the login module class to remove from the
configuration. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureLoginModule('-loginType system -loginEntryAlias systemLoginEntry -loginModule moduleClass')
- Using Jython list:
AdminTask.unconfigureLoginModule(['-loginType', 'system', '-loginEntryAlias', 'systemLoginEntry', '-loginModule', 'moduleClass'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureLoginModule('-interactive')
createAuthDataEntry
The createAuthDataEntry command creates an authentication data entry for
a J2EE Connector architecture (J2C) connector in the global security
or security domain configuration.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication
data entry. (String)
- -user
- Specifies the J2C authentication data user ID. (String)
- -password
- Specifies the password to use for the target enterprise information
system (EIS). (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The application
server uses the global security configuration if you do not specify
a value for the -securityDomainName parameter. (String)
- -description
- Specifies a description of the authentication data entry. (String)
Return value
The command returns the object name of the new authentication data entry
object.
Batch mode example usage
- Using Jython string:
AdminTask.createAuthDataEntry('-alias dataEntry1 -user userID -password userIDpw')
- Using Jython list:
AdminTask.createAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID', '-password', 'userIDpw'])
Interactive mode example usage
- Using Jython:
AdminTask.createAuthDataEntry('-interactive')
deleteAuthDataEntry
The deleteAuthDataEntry command removes an authentication data entry for
a J2C connector in a global security or security domain configuration.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication
data entry. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The application
server uses the global security configuration if you do not specify
a value for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.deleteAuthDataEntry('-alias dataEntry1')
- Using Jython list:
AdminTask.deleteAuthDataEntry(['-alias', 'dataEntry1'])
Interactive mode example usage
- Using Jython:
AdminTask.deleteAuthDataEntry('-interactive')
getAuthDataEntry
The getAuthDataEntry command displays information about an authentication
data entry for the J2C connector in the global security configuration
or for a specific security domain.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication
data entry. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains the authentication
data entry attributes and values.
Batch mode example usage
- Using Jython string:
AdminTask.getAuthDataEntry('-alias authDataEntry1 -securityDomainName testDomain')
- Using Jython list:
AdminTask.getAuthDataEntry(['-alias', 'authDataEntry1', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getAuthDataEntry('-interactive')
listAuthDataEntries
The listAuthDataEntries command displays each authentication data entry
in the global security configuration or in a security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an array of attribute lists for each authentication
data entry.
Batch mode example usage
- Using Jython string:
AdminTask.listAuthDataEntries('-securityDomainName testDomain')
- Using Jython list:
AdminTask.listAuthDataEntries(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.listAuthDataEntries('-interactive')
modifyAuthDataEntry
The modifyAuthDataEntry command modifies an authentication data entry
for a J2C connector in the global security or security domain configuration.
Target object
None.
Required parameters
- -alias
- Specifies the name that uniquely identifies the authentication
data entry. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
- -user
- Specifies the J2C authentication data user ID. (String)
- -password
- Specifies the password to use for the target enterprise information
system (EIS). (String)
- -description
- Specifies a description for the authentication data entry. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.modifyAuthDataEntry('-alias dataEntry1 -user userID1 -password newPassword')
- Using Jython list:
AdminTask.modifyAuthDataEntry(['-alias', 'dataEntry1', '-user', 'userID1', '-password', 'newPassword'])
Interactive mode example usage
- Using Jython:
AdminTask.modifyAuthDataEntry('-interactive')
clearAuthCache
The clearAuthCache command purges the entire security authentication cache
of the associated security domain.
Target object
None.
Optional parameters
- -securityDomainId
- Specifies the unique identifier for the security domain. If no
security domain ID is specified, the authentication cache of the admin
domain is cleared. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.clearAuthCache('-securityDomainId security_domain_id')
- Using Jython list:
AdminTask.clearAuthCache(['-securityDomainId', 'security_domain_id'])
Interactive mode example usage
- Using Jython:
AdminTask.clearAuthCache('-interactive')
purgeUserFromAuthCache
The purgeUserFromAuthCache command removes a user from the security authentication
cache that is associated with a security domain.
Target object
None.
Required parameters
- -user
- Specifies the user ID that is associated with an authentication cache
data entry. (String)
Optional parameters
- -securityDomainId
- Specifies the unique identifier of the security domain. If no
security domain ID is specified, the authentication cache of admin
domain is cleared. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.purgeUserFromAuthCache('-user userID1 -securityDomainId security_domain_id')
- Using Jython list:
AdminTask.purgeUserFromAuthCache(['-user', 'userID1', '-securityDomainId', 'security_domain_id'])
Interactive mode example usage
- Using Jython:
AdminTask.purgeUserFromAuthCache('-interactive')
configureCSIInbound
The configureCSIInbound command configures CSIv2 inbound authentication
on a security domain or on the global security configuration. When
configuring CSI inbound authentication in a security domain for the
first time, the CSI objects are copied from global security so that
any changes to that configuration are applied.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. If you do not specify
a value, the command works on the global security configuration.
(String)
- -messageLevelAuth
- Specifies whether clients connecting to this server must specify
a user ID and password. Specify Never to disable
the user ID and password requirement. Specify Supported to
accept a user ID and password. Specify Required to
require a user ID and password. (String)
- -supportedAuthMechList
- Specifies the authentication mechanisms to use. Specify KRB5 for
Kerberos authentication, LTPA for Lightweight Third-Party
Authentication, BasicAuth for basic authentication,
and custom to use your own authentication token implementation.
You can specify more than one mechanism in a space-separated list. (String)
- -clientCertAuth
- Specifies whether a client that connects to the server must connect
using an SSL certificate. Specify Never to allow
clients to connect without SSL certificates. Specify Supported to
accept clients connecting with and without SSL certificates. Specify Required to
require clients to use an SSL certificate. (String)
- -transportLayer
- Specifies the transport layer support level. Specify Never to
disable transport layer support. Specify Supported to
enable transport layer support. Specify Required to
require transport layer support. (String)
- -sslConfiguration
- Specifies the SSL configuration alias to use for inbound transport.
(String)
- -enableIdentityAssertion
- Specifies whether to enable identity assertion. When using the
identity assertion authentication method, the security token generated
is a <wsse:UsernameToken> element that contains a <wsse:Username>
element. Specify true for the -enableIdentityAssertion
parameter to enable identity assertion. (Boolean)
- -trustedIdentities
- Specifies a list of trusted server identities, separated by the
pipe character (|). To specify a null value, set
the value of the -trustedIdentities parameter as an empty string ("").
(String)
- -statefulSession
- Specifies whether to enable a stateful session. Specify true to
enable a stateful session. (Boolean)
- -enableAttributePropagation
- Specifies whether to enable security attribute propagation. Security
attribute propagation allows the application server to transport authenticated
Subject contents and security context information from one server
to another in your configuration. Specify true to
enable security attribute propagation. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureCSIInbound('[-securityDomainName testDomain -messageLevelAuth Required -supportedAuthMechList "KRB5 LTPA"]')
- Using Jython list:
AdminTask.configureCSIInbound(['-securityDomainName', 'testDomain', '-messageLevelAuth', 'Required', '-supportedAuthMechList', 'KRB5 LTPA'])
Interactive mode example usage
- Using Jython:
AdminTask.configureCSIInbound('-interactive')
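A defender-side review of the inbound settings above, added here as an example and not part of IBM's documentation or of wsadmin: it parses the attribute list that getCSIInboundInfo returns and flags combinations of the configureCSIInbound parameters that deserve a second look. It assumes the attribute list comes back in the bracketed '[[name value] ...]' wsadmin form and that the attribute names match the parameter names on this page; the sample string is constructed.

```python
import re

# Added, hypothetical audit helper for getCSIInboundInfo output (not IBM or
# wsadmin code). Assumptions: the returned attribute list uses the bracketed
# wsadmin form '[[name value] [name "value with spaces"] ...]', and the
# attribute names are the configureCSIInbound parameter names from this page.

# One '[name value]' pair; the value is either double-quoted or runs to ']'.
_PAIR = re.compile(r'\[([^\[\]\s]+)\s*(?:"([^"]*)"|([^\[\]]*))\]')


def parse_attribute_list(text):
    """Turn '[[a 1] [b "x y"] [c ""]]' into {'a': '1', 'b': 'x y', 'c': ''}."""
    attrs = {}
    for match in _PAIR.finditer(text):
        name, quoted, bare = match.group(1), match.group(2), match.group(3)
        # group(2) is None when the value was not quoted, '' when it was "".
        attrs[name] = quoted if quoted is not None else bare.strip()
    return attrs


def audit_csi_inbound(attrs):
    """Return (attribute, finding) pairs that deserve review before the
    configuration is trusted for inbound CSIv2 requests."""
    findings = []
    if attrs.get('transportLayer') == 'Never':
        findings.append(('transportLayer',
                         'transport layer support is disabled, so inbound '
                         'CSIv2 traffic is not protected by SSL'))
    if (attrs.get('messageLevelAuth') == 'Never'
            and attrs.get('clientCertAuth') == 'Never'):
        findings.append(('messageLevelAuth/clientCertAuth',
                         'neither a user ID/password nor a client certificate '
                         'is required from connecting clients'))
    if (attrs.get('enableIdentityAssertion', 'false').lower() == 'true'
            and attrs.get('trustedIdentities', '').strip() == ''):
        findings.append(('trustedIdentities',
                         'identity assertion is enabled but the trusted '
                         'identity list is empty; confirm that is intended'))
    mechanisms = attrs.get('supportedAuthMechList', '').split()
    if 'BasicAuth' in mechanisms and attrs.get('transportLayer') != 'Required':
        findings.append(('supportedAuthMechList',
                         'BasicAuth is accepted while the transport layer is '
                         'not required, so credentials may travel unprotected'))
    return findings


# Constructed sample of what getCSIInboundInfo might return for a weak domain.
SAMPLE_CSI_INBOUND = (
    '[[messageLevelAuth Never] [supportedAuthMechList "BasicAuth LTPA"] '
    '[clientCertAuth Never] [transportLayer Supported] '
    '[sslConfiguration CellDefaultSSLSettings] [enableIdentityAssertion true] '
    '[trustedIdentities ""] [statefulSession true] '
    '[enableAttributePropagation false]]'
)

if __name__ == '__main__':
    # Inside wsadmin, pass the real output instead, for example
    # AdminTask.getCSIInboundInfo('-securityDomainName testDomain').
    settings = parse_attribute_list(SAMPLE_CSI_INBOUND)
    for attribute, finding in audit_csi_inbound(settings):
        print('%s: %s' % (attribute, finding))
```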
configureCSIOutbound
The configureCSIOutbound command configures the CSIv2 outbound authentication
in a security domain or in the global security configuration. When
configuring CSI Outbound in a security domain for the first time,
the application server copies the CSI objects from global security.
Then, the application server applies the changes to that configuration
from the command.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -enableAttributePropagation
- Specifies whether to enable security attribute propagation. Security
attribute propagation allows the application server to transport authenticated
Subject contents and security context information from one server
to another in your configuration. Specify true to
enable security attribute propagation. (Boolean)
- -enableIdentityAssertion
- Specifies whether to enable identity assertion. When using the
identity assertion authentication method, the security token generated
is a <wsse:UsernameToken> element that contains a <wsse:Username>
element. Specify true for the -enableIdentityAssertion
parameter to enable identity assertion. (Boolean)
- -useServerIdentity
- Specifies whether to use the server identity to establish trust
with the target server. Specify true to use the server
identity. (Boolean)
- -trustedId
- Specifies the trusted identity that the application server uses
to establish trust with the target server. (String)
- -trustedIdentityPassword
- Specifies the password of the trusted server identity. (String)
- -messageLevelAuth
- Specifies whether clients connecting to this server must specify
a user ID and password. Specify Never to disable
the user ID and password requirement. Specify Supported to
accept a user ID and password. Specify Required to
require a user ID and password. (String)
- -supportedAuthMechList
- Specifies the authentication mechanisms to use. Specify KRB5 for
Kerberos authentication, LTPA for Lightweight Third-Party
Authentication, BasicAuth for basic authentication,
and custom to use your own authentication token
implementation. You can specify more than one mechanism in a space-separated
list. (String)
- -clientCertAuth
- Specifies whether a client that connects to the server must connect
using an SSL certificate. Specify Never to allow
clients to connect without SSL certificates. Specify Supported to
accept clients connecting with and without SSL certificates. Specify Required to
require clients to use an SSL certificate. (String)
- -transportLayer
- Specifies the transport layer support level. Specify Never to
disable transport layer support. Specify Supported to
enable transport layer support. Specify Required to
require transport layer support. (String)
- -sslConfiguration
- Specifies the SSL configuration alias to use for outbound transport.
(String)
- -statefulSession
- Specifies whether to enable a stateful session. Specify true to
enable a stateful session. (Boolean)
- -enableOutboundMapping
- Specifies whether to enable custom outbound identity mapping.
Specify true to enable custom outbound identity mapping.
(Boolean)
- -trustedTargetRealms
- Specifies a list of target realms to trust. Separate each realm
name with the pipe character (|). (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureCSIOutbound('-securityDomainName testDomain -useServerIdentity true -messageLevelAuth Supported')
- Using Jython list:
AdminTask.configureCSIOutbound(['-securityDomainName', 'testDomain', '-useServerIdentity', 'true', '-messageLevelAuth', 'Supported'])
Interactive mode example usage
- Using Jython:
AdminTask.configureCSIOutbound('-interactive')
getCSIInboundInfo
The getCSIInboundInfo command displays information about the Common Secure
Interoperability (CSI) inbound settings for the global security configuration
or for a security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
- -displayModel
- Specifies the output format of the configuration information.
Specify true to return an attribute list of the model.
Specify false to display an attribute of the value
used to create the object. (Boolean)
Return value
The command returns an attribute list of the attributes and values of
the CSI inbound object.
Batch mode example usage
- Using Jython string:
AdminTask.getCSIInboundInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getCSIInboundInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getCSIInboundInfo('-interactive')
getCSIOutboundInfo
The getCSIOutboundInfo command displays information for the CSI outbound
settings for the global security configuration or for a security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
- -displayModel
- Specifies the output format of the configuration information.
Specify true to return an attribute list of the model.
Specify false to display an attribute of the value
used to create the object. (Boolean)
Return value
The command returns an attribute list that contains the attributes and
values of the CSI outbound configuration.
Batch mode example usage
- Using Jython string:
AdminTask.getCSIOutboundInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getCSIOutboundInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getCSIOutboundInfo('-interactive')
unconfigureCSIInbound
The unconfigureCSIInbound command removes the CSI inbound information
from a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureCSIInbound('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureCSIInbound(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureCSIInbound('-interactive')
unconfigureCSIOutbound
The unconfigureCSIOutbound command removes the CSI outbound information
from a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureCSIOutbound('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureCSIOutbound(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureCSIOutbound('-interactive')
configureInterceptor
The configureInterceptor command modifies an existing interceptor or creates
an interceptor if one does not exist.
Target object
None.
Required parameters
- -interceptor
- Specifies the trust association interceptor class name. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security domain. If you do not specify
a security domain, the command assigns the global security configuration.
(String)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus -securityDomainName testDomain')
- Using Jython list:
AdminTask.configureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus', '-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.configureInterceptor('-interactive')
configureTrustAssociation
The configureTrustAssociation command enables or disables the trust association.
If the security domain does not have a trust association defined,
the application server copies each trust association and its interceptors
from the global security configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -enable
- Specifies whether to enable trust association to act as a reverse
proxy server. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureTrustAssociation('-securityDomainName testDomain -enable true')
- Using Jython list:
AdminTask.configureTrustAssociation(['-securityDomainName', 'testDomain', '-enable', 'true'])
Interactive mode example usage
- Using Jython:
AdminTask.configureTrustAssociation('-interactive')
getTrustAssociationInfo
The getTrustAssociationInfo command displays configuration information
for trust association.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains attributes and values
for trust association.
Batch mode example usage
- Using Jython string:
AdminTask.getTrustAssociationInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getTrustAssociationInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getTrustAssociationInfo('-interactive')
listInterceptors
The listInterceptors command displays the trust association interceptors
that are configured in the global security or security domain configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The
command returns an array list of each interceptor and the associated
custom properties.
Batch mode example
usage
- Using Jython string:
AdminTask.listInterceptors('-securityDomainName testDomain')
- Using Jython list:
AdminTask.listInterceptors(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.listInterceptors('-interactive')
unconfigureInterceptor
The unconfigureInterceptor command removes a trust association interceptor
from the global security configuration or from a security domain.
Target object
None.
Required parameters
- -interceptor
- Specifies the trust association interceptor class name. (String)
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureInterceptor('-interceptor com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureInterceptor(['-interceptor', 'com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus',
'-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureInterceptor('-interactive')
unconfigureTrustAssociation
The unconfigureTrustAssociation command removes the trust association
object from a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureTrustAssociation('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureTrustAssociation(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureTrustAssociation('-interactive')
applyWizardSettings
The applyWizardSettings command can be used to automate the global security
configuration.
Target object
None.
Optional parameters
- -secureApps
- Specifies to secure applications.
- -secureLocalResources
- Specifies to secure local resources such as data sets and MVS commands.
- -userRegistryType
- Specifies whether the user is a user, a group, or a group member.
- -ldapServerType
- Specifies the type of LDAP server that is being used. The default
value is IDS51.
- -ldapHostName
- Specifies the LDAP host name.
- -ldapPort
- Specifies the LDAP port name.
- -ldapBaseDN
- Specifies the LDAP base dynamic member attribute.
- -ldapBindDN
- Dynamically updates LDAP binding information.
- -ldapBindPassword
- Dynamically updates LDAP binding password information.
- -adminName
- Refers to the name of an administrator account on the remote target
machine.
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.applyWizardSettings('[-secureApps true -secureLocalResources false
-userRegistryType LDAPUserRegistry -ldapServerType IBM_DIRECTORY_SERVER
-ldapHostName '+ldapServer+' -ldapPort 389 -ldapBaseDN o=ibm,c=us -ldapBindDN
cn=root -ldapBindPassword a1x4meok -adminName '+adminUsername+' ]')
configureAuthzConfig
The configureAuthzConfig command configures an external Java Authorization Contract for Containers (JACC)
authorization provider in a security domain or the global security
configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security configuration. (String)
- -useJACCProvider
- Specifies whether to use a JACC provider. Specify true to
use a JACC provider. (Boolean)
- -name
- Specifies the name of the JACC provider to use. (String)
- -description
- Specifies a description of the JACC provider. (String)
- -j2eePolicyImplClassName
- Specifies the class name of an implementation class that represents
the javax.security.jacc.policy.provider property according to the
specification. (String)
- -policyConfigurationFactoryImplClassName
- Specifies the class name of an implementation class that represents
the javax.security.jacc.PolicyConfigurationFactory.provider property.
(String)
- -roleConfigurationFactoryImplClassName
- Specifies the class name of an implementation class that implements
the com.ibm.wsspi.security.authorization.RoleConfigurationFactory
interface. (String)
- -requiresEJBArgumentsPolicyContextHandler
- Specifies whether policy providers require the Enterprise JavaBeans arguments policy
context handler to make access decisions. Specify true to
enable this option. (Boolean)
- -initializeJACCProviderClassName
- Specifies the class name of an implementation class that implements
the com.ibm.wsspi.security.authorization.InitializeJACCProvider interface. (String)
- -supportsDynamicModuleUpdates
- Specifies whether the provider supports dynamic changes to the
web modules. Specify true to enable this option.
(Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureAuthzConfig('[-securityDomainName testDomain -useJACCProvider true -name
testProvider -description "JACC provider for testing"]')
- Using Jython list:
AdminTask.configureAuthzConfig(['-securityDomainName', 'testDomain', '-useJACCProvider', 'true', '-name',
'testProvider', '-description', 'JACC provider for testing'])
Interactive mode example usage
- Using Jython:
AdminTask.configureAuthzConfig('-interactive')
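Two practical points surface in the examples above: the applyWizardSettings string embeds the LDAP bind password directly in the script, and the configureAuthzConfig string form has to double-quote any value that contains spaces, while the list form does not. The helper below is an added example written for this page, not code from the IBM documentation or the product. It builds both argument forms from an ordered list of (name, value) pairs, rejects a malformed Boolean before it reaches AdminTask, and reads a secret from a permission-checked file instead of a literal. BOOLEAN_PARAMS, read_secret, wizard_params and the other function names are this example's own; AdminTask exists only inside wsadmin, so the functions return the arguments rather than calling it. The syntax is kept compatible with Jython 2.7 and Python 3.

```python
# Added example (not from the IBM documentation): build AdminTask argument forms
# from ordered (name, value) pairs. Jython 2.7 / Python 3 compatible.
import os

# Parameters this page documents as Boolean; extend the set for other commands.
BOOLEAN_PARAMS = set([
    'secureApps', 'secureLocalResources', 'useJACCProvider',
    'requiresEJBArgumentsPolicyContextHandler', 'supportsDynamicModuleUpdates',
    'enable', 'requiresSSL', 'interoperable', 'attributePropagation',
])


def _check_value(name, value):
    """Reject values that would silently misconfigure a Boolean parameter."""
    if not isinstance(value, str):
        raise TypeError('-%s: pass values as strings, got %r' % (name, value))
    if name in BOOLEAN_PARAMS and value not in ('true', 'false'):
        raise ValueError('-%s expects true or false, got %r' % (name, value))


def build_arg_list(params):
    """Return the Jython list form: ['-name', 'value', ...].

    params is a list of (name, value) pairs so ordering is stable on Jython 2 and
    Python 3 alike. Values need no quoting in this form, even with spaces, which
    is why the list form is the safer choice for scripted calls.
    """
    args = []
    for name, value in params:
        _check_value(name, value)
        args.append('-' + name)
        args.append(value)
    return args


def build_arg_string(params):
    """Return the Jython string form: '[-name value -desc "two words"]'.

    A value containing whitespace is wrapped in double quotes, matching the
    configureAuthzConfig example on this page. A value that itself contains a
    double quote cannot be expressed safely in this form and is rejected.
    """
    parts = []
    for name, value in params:
        _check_value(name, value)
        if '"' in value:
            raise ValueError('-%s: use the list form for values with quotes' % name)
        if any(ch.isspace() for ch in value):
            value = '"%s"' % value
        parts.append('-%s %s' % (name, value))
    return '[' + ' '.join(parts) + ']'


def read_secret(path):
    """Read a password from a file instead of embedding it in the script.

    Hypothetical helper: refuses a file that group or others can read (POSIX
    mode bits); adapt the check for platforms that use ACLs instead.
    """
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise IOError('%s is readable by group/other (mode %o)' % (path, mode))
    handle = open(path)
    try:
        return handle.read().strip()
    finally:
        handle.close()


def wizard_params(ldap_server, admin_user, bind_password):
    """The applyWizardSettings parameters from this page's example, with the
    bind password supplied by the caller (for instance from read_secret)."""
    return [
        ('secureApps', 'true'), ('secureLocalResources', 'false'),
        ('userRegistryType', 'LDAPUserRegistry'),
        ('ldapServerType', 'IBM_DIRECTORY_SERVER'),
        ('ldapHostName', ldap_server), ('ldapPort', '389'),
        ('ldapBaseDN', 'o=ibm,c=us'), ('ldapBindDN', 'cn=root'),
        ('ldapBindPassword', bind_password), ('adminName', admin_user),
    ]
```

Inside wsadmin the string form feeds applyWizardSettings as on this page, `AdminTask.applyWizardSettings(build_arg_string(wizard_params(ldapServer, adminUsername, read_secret('/path/to/bind.pw'))))`, and the list form feeds commands such as configureAuthzConfig, `AdminTask.configureAuthzConfig(build_arg_list(params))`; the path to the password file is a placeholder. Keeping the password in a mode-0600 file also keeps it out of shell history and of any copy of the script checked into version control.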
configureSingleSignon
The configureSingleSignon command configures a single sign-on object in
global security.
Target object
None.
Optional parameters
- -enable
- Specifies whether to enable single sign-on. Specify true to
enable single sign-on, or false to disable single
sign-on. (Boolean)
- -requiresSSL
- Specifies whether single sign-on requests must be sent through HTTPS.
Specify true to enable this option. (Boolean)
- -domainName
- Specifies the domain name that contains a set of hosts to which
the single sign-on applies. (String)
- -interoperable
- Specifies interoperability options. Specify true to
send an interoperable cookie to the browser to support back-level
servers. Specify false to disable the sending of interoperable
cookies. (Boolean)
- -attributePropagation
- Specifies whether to enable inbound security attribute propagation.
Specify true to enable web inbound security attribute
propagation. Specify false to use the single sign-on
token to log in and recreate the Subject from the user registry. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.configureSingleSignon('-enable true -domainName mycompany.com')
- Using Jython list:
AdminTask.configureSingleSignon(['-enable', 'true', '-domainName', 'mycompany.com'])
Interactive mode example usage
- Using Jython:
AdminTask.configureSingleSignon('-interactive')
getActiveSecuritySettings
The getActiveSecuritySettings command displays the active security settings
for global security or a specific security domain.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns the active security settings for the security domain
of interest or the global security configuration, which includes the
following settings:
- cacheTimeout
- issuePermissionWarning
- activeAuthMechanism
- enforceJava2Security
- appSecurityEnabled
- enableGlobalSecurity (global security only)
- adminPreferredAuthMech (global security only)
- activeAuthMechanism (global security only)
- activeUserRegistry
- enforceFineGrainedJCASecurity
- dynUpdateSSLConfig (global security only)
- useDomainQualifiedUserNames
- customProperties
Batch mode example usage
- Using Jython string:
AdminTask.getActiveSecuritySettings('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getActiveSecuritySettings(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getActiveSecuritySettings('-interactive')
getAuthzConfigInfo
The getAuthzConfigInfo command displays information about an external
JACC authorization provider in a security domain or the global security
configuration.
Target object
None.
Optional parameters
- -securityDomainName
- Specifies the name of the security domain configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command returns an attribute list that contains the attributes and
values that are associated with the JACC authorization provider.
Batch mode example usage
- Using Jython string:
AdminTask.getAuthzConfigInfo('-securityDomainName testDomain')
- Using Jython list:
AdminTask.getAuthzConfigInfo(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.getAuthzConfigInfo('-interactive')
getSingleSignon
The getSingleSignon command displays configuration information about the
single sign-on object as defined in the global security configuration.
Target object
None.
Optional parameters
None.
Return value
The command returns an attribute list that contains the attributes and
values of the single sign-on configuration.
Batch mode example usage
- Using Jython:
AdminTask.getSingleSignon()
Interactive mode example usage
- Using Jython:
AdminTask.getSingleSignon('-interactive')
setAdminActiveSecuritySettings
The setAdminActiveSecuritySettings command sets the active security settings
on the global security object.
Target object
None.
Optional parameters
- -enableGlobalSecurity
- Specifies whether to enable global security. Specify true to
enable global security, or specify false to disable
global security. (Boolean)
- -cacheTimeout
- Specifies the amount of time, in seconds, before authentication
data becomes invalid. (Integer)
- -issuePermissionWarning
- Specifies whether to issue a warning during application installation
if the application requires security permissions. Specify true to
enable the warning notification, or specify false to
disable the warning notification. (Boolean)
- -enforceJava2Security
- Specifies whether to enable Java Platform,
Enterprise Edition (Java EE)
security. Specify true to enable Java EE security permissions checking, or specify false to
disable Java EE security. (Boolean)
- -enforceFineGrainedJCASecurity
- Specifies whether to restrict application access. Specify true to
restrict application access to sensitive Java EE
Connector Architecture (JCA) mapping authentication data. (Boolean)
- -appSecurityEnabled
- Specifies whether to enable application-level security. Specify true to
enable application level security, or specify false to
disable application-level security. (Boolean)
- -dynUpdateSSLConfig
- Specifies whether to dynamically update SSL configuration changes.
Specify true to update SSL configuration changes
dynamically, or specify false to update the SSL configuration
when the server starts. (Boolean)
- -activeAuthMechanism
- Specifies the active authentication mechanism. Specify LTPA for
LTPA authentication, KRB5 for Kerberos authentication,
or RSAToken for RSA token authorization. (String)
- -adminPreferredAuthMech
- Specifies the preferred authentication mechanism. Specify LTPA for
LTPA authentication, KRB5 for Kerberos authentication,
or RSAToken for RSA token authorization. (String)
- -activeUserRegistry
- Specifies the active user registry for the server. (String)
Specify
one of the following values:
- CustomUserRegistry
- This option enables you to specify a custom user registry as the
active user registry for the server.
- LDAPUserRegistry
- This option enables you to specify an LDAP user registry as the
active user registry for the server.
- LocalOSUserRegistry
- This option enables you to specify the local operating system
user registry as the active user registry for the server.
- WIMUserRegistry
- This option enables you to specify a federated repository as the
active user registry for the server.
- -useDomainQualifiedUserNames
- Specifies the type of user name to use. Specify true to
use domain qualified user names, or specify false to
use the short name. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.setAdminActiveSecuritySettings('-enableGlobalSecurity true -cacheTimeout 300
-enforceJava2Security true -appSecurityEnabled true -activeUserRegistry LDAPUserRegistry')
- Using Jython list:
AdminTask.setAdminActiveSecuritySettings(['-enableGlobalSecurity', 'true', '-cacheTimeout',
'300', '-enforceJava2Security', 'true', '-appSecurityEnabled', 'true', '-activeUserRegistry',
'LDAPUserRegistry'])
Interactive mode example usage
- Using Jython:
AdminTask.setAdminActiveSecuritySettings('-interactive')
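getActiveSecuritySettings and getSingleSignon return their results as wsadmin attribute lists (nested, bracketed name and value pairs), and setAdminActiveSecuritySettings and configureSingleSignon take the corrective parameters. The script below is an added example, not code from the IBM documentation or the product: it parses that attribute-list syntax, compares the parsed settings with a hardening baseline (global and application security on, Java EE and fine-grained JCA security on, permission warnings on, SSO cookies only over HTTPS), and builds the list-form arguments for the two set commands. The baseline values, the SAMPLE_* strings (constructed in the attribute-list shape from the attribute names this page lists, not captured from a server) and all function names are this example's own. The syntax is kept compatible with Jython 2.7 and Python 3.

```python
# Added example (not from the IBM documentation): parse the attribute lists that
# getActiveSecuritySettings / getSingleSignon return, compare them with a
# hardening baseline and build the corrective arguments. Jython 2.7 / Python 3.

class _AttrListParser(object):
    # Recursive-descent parser for wsadmin's '[[name value] [name [...]]]' syntax.
    def __init__(self, text):
        self.text = text
        self.pos = 0

    def _skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos].isspace():
            self.pos += 1

    def parse_value(self):
        self._skip_ws()
        if self.pos >= len(self.text):
            raise ValueError('unexpected end of attribute list')
        ch = self.text[self.pos]
        if ch == '[':                                   # nested list
            self.pos += 1
            items = []
            while True:
                self._skip_ws()
                if self.pos >= len(self.text):
                    raise ValueError('unterminated list')
                if self.text[self.pos] == ']':
                    self.pos += 1
                    return items
                items.append(self.parse_value())
        if ch == '"':                                   # quoted value, may hold spaces
            end = self.text.find('"', self.pos + 1)
            if end < 0:
                raise ValueError('unterminated quoted value')
            value = self.text[self.pos + 1:end]
            self.pos = end + 1
            return value
        start = self.pos                                # bare token
        while (self.pos < len(self.text) and not self.text[self.pos].isspace()
               and self.text[self.pos] not in '[]'):
            self.pos += 1
        return self.text[start:self.pos]

def parse_attr_list(text):
    """Parse one attribute list into nested lists; ValueError on malformed input."""
    parser = _AttrListParser(text)
    value = parser.parse_value()
    parser._skip_ws()
    if parser.pos != len(text):
        raise ValueError('trailing data after attribute list')
    return value

def attrs_to_dict(attr_list):
    """Turn [[name value] ...] into {name: value}; a bare [name] means empty."""
    result = {}
    for pair in attr_list:
        if not isinstance(pair, list) or not 1 <= len(pair) <= 2 or not isinstance(pair[0], str):
            raise ValueError('not a [name value] pair: %r' % (pair,))
        result[pair[0]] = pair[1] if len(pair) == 2 else ''
    return result

# Hardening baselines (this example's choices; adjust to site policy).
ADMIN_BASELINE = [('enableGlobalSecurity', 'true'), ('appSecurityEnabled', 'true'),
                  ('enforceJava2Security', 'true'), ('enforceFineGrainedJCASecurity', 'true'),
                  ('issuePermissionWarning', 'true')]
SSO_BASELINE = [('enable', 'true'), ('requiresSSL', 'true')]   # SSO cookie only over HTTPS

def find_drift(current, baseline):
    """Return (name, expected, actual) for every baseline entry that is not met."""
    return [(name, expected, current.get(name))
            for name, expected in baseline if current.get(name) != expected]

def remediation_args(drift):
    """List-form parameters that set each drifting attribute back to baseline."""
    args = []
    for name, expected, _actual in drift:
        args.extend(['-' + name, expected])
    return args

def audit_global_security(active_text, sso_text):
    """Audit getActiveSecuritySettings and getSingleSignon output together."""
    active = attrs_to_dict(parse_attr_list(active_text))
    sso = attrs_to_dict(parse_attr_list(sso_text))
    admin_drift = find_drift(active, ADMIN_BASELINE)
    sso_drift = find_drift(sso, SSO_BASELINE)
    return {'adminDrift': admin_drift, 'ssoDrift': sso_drift,
            'setAdminActiveSecuritySettingsArgs': remediation_args(admin_drift),
            'configureSingleSignonArgs': remediation_args(sso_drift)}

# Constructed sample output (attribute names from this page, not a real capture).
# In wsadmin, pass AdminTask.getActiveSecuritySettings() and AdminTask.getSingleSignon().
SAMPLE_ACTIVE_SETTINGS = ('[[cacheTimeout 600] [issuePermissionWarning false] '
    '[activeAuthMechanism LTPA] [enforceJava2Security false] [appSecurityEnabled true] '
    '[enableGlobalSecurity true] [activeUserRegistry LDAPUserRegistry] '
    '[enforceFineGrainedJCASecurity false] [useDomainQualifiedUserNames false] '
    '[customProperties [[com.example.audit "value with spaces"]]]]')
SAMPLE_SSO = ('[[enable true] [requiresSSL false] [domainName mycompany.com] '
              '[interoperable true] [attributePropagation true]]')
```

For the constructed sample the audit reports enforceJava2Security, enforceFineGrainedJCASecurity and issuePermissionWarning as drifting from the admin baseline and requiresSSL as drifting from the SSO baseline; the two returned argument lists are what `AdminTask.setAdminActiveSecuritySettings(...)` and `AdminTask.configureSingleSignon(...)` accept in list form. The parser is deliberately strict (unterminated lists, unterminated quotes and trailing text all raise) so that a truncated or unexpected AdminTask result fails the audit instead of passing it by omission.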
setAppActiveSecuritySettings
The setAppActiveSecuritySettings command sets the active security settings
on a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Optional parameters
- -cacheTimeout
- Specifies the amount of time, in seconds, before authentication
data becomes invalid. (Integer)
- -issuePermissionWarning
- Specifies whether to issue a warning during application installation
if the application requires security permissions. Specify true to
enable the warning notification, or specify false to
disable the warning notification. (Boolean)
- -enforceJava2Security
- Specifies whether to enable Java Platform,
Enterprise Edition (Java EE)
security. Specify true to enable Java EE security permissions checking, or specify false to
disable Java EE security. (Boolean)
- -enforceFineGrainedJCASecurity
- Specifies whether to restrict application access. Specify true to
restrict application access to sensitive Java EE
Connector Architecture (JCA) mapping authentication data. (Boolean)
- -appSecurityEnabled
- Specifies whether to enable application-level security. Specify true to
enable application level security, or specify false to
disable application-level security. (Boolean)
- -activeUserRegistry
- Specifies the active user registry for the server. (String)
- -useDomainQualifiedUserNames
- Specifies the type of user name to use. Specify true to
use domain qualified user names, or specify false to
use the short name. (Boolean)
- -customProperties
- Specifies a comma separated list of quoted attribute and value
pairs that the system stores as custom properties on the user registry
object. For example, use the format: "attr1=value1","attr2=value2"
(String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.setAppActiveSecuritySettings('-securityDomainName testDomain -issuePermissionWarning false
-enforceFineGrainedJCASecurity true')
- Using Jython list:
AdminTask.setAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-issuePermissionWarning',
'false', '-enforceFineGrainedJCASecurity', 'true'])
Interactive mode example usage
- Using Jython:
AdminTask.setAppActiveSecuritySettings('-interactive')
unconfigureAuthzConfig
The unconfigureAuthzConfig command removes an external JACC authorization
provider from the global security configuration or a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unconfigureAuthzConfig('-securityDomainName testDomain')
- Using Jython list:
AdminTask.unconfigureAuthzConfig(['-securityDomainName', 'testDomain'])
Interactive mode example usage
- Using Jython:
AdminTask.unconfigureAuthzConfig('-interactive')
unsetAppActiveSecuritySettings
The unsetAppActiveSecuritySettings command removes an attribute from the
global security configuration or a security domain.
Target object
None.
Required parameters
- -securityDomainName
- Specifies the name of the security configuration. The command
uses the global security configuration if you do not specify a value
for the -securityDomainName parameter. (String)
Optional parameters
- -unsetAppSecurityEnabled
- Specifies whether to remove the attribute that enables application
security. Specify true to remove the attribute. (Boolean)
- -unsetActiveUserRegistry
- Specifies whether to remove the active user registry attribute.
Specify true to remove the attribute. (Boolean)
- -unsetUseDomainQualifiedUserNames
- Specifies whether to remove the user domain qualified user names
attribute. Specify true to remove the attribute.
(Boolean)
- -unsetEnforceJava2Security
- Specifies whether to remove the Java EE
security attribute. Specify true to remove the attribute.
(Boolean)
- -unsetEnforceFineGrainedJCASecurity
- Specifies whether to remove the fine-grained JCA security attribute.
Specify true to remove the attribute. (Boolean)
- -unsetIssuePermissionWarning
- Specifies whether to remove the attribute that issues user permission
warnings. Specify true to remove the attribute. (Boolean)
- -unsetCacheTimeout
- Specifies whether to remove the cache timeout attribute. Specify true to
remove the attribute. (Boolean)
Return value
The command does not return output.
Batch mode example usage
- Using Jython string:
AdminTask.unsetAppActiveSecuritySettings('-securityDomainName testDomain -unsetAppSecurityEnabled true
-unsetIssuePermissionWarning true')
- Using Jython list:
AdminTask.unsetAppActiveSecuritySettings(['-securityDomainName', 'testDomain', '-unsetAppSecurityEnabled',
'true', '-unsetIssuePermissionWarning', 'true'])
Interactive mode example usage
- Using Jython:
AdminTask.unsetAppActiveSecuritySettings('-interactive')