IBM WebSphere XS40, Command Reference Manual

Page 1: ...WebSphere DataPower XML Security Gateway XS40 Command Reference Version 3 7 2 ...

Page 2: ......

Page 3: ...WebSphere DataPower XML Security Gateway XS40 Command Reference Version 3 7 2 ...

Page 4: ...o version 3 release 7 modification 2 level 0 of IBM WebSphere DataPower XML Security Gateway XS40 and to all subsequent releases and modifications until otherwise indicated in new editions Copyright International Business Machines Corporation 1999 2008 US Government Users Restricted Rights Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp ...

Page 5: ...mon Criteria 25 audit level Common Criteria 25 audit reserve Common Criteria 25 cache schema 26 cache stylesheet 27 cache wsdl 27 clear aaa cache 28 clear arp 28 clear dns cache 29 clear pdp cache 29 clear rbm cache 30 clear xsl cache 30 cli remote open 31 cli telnet 31 compact flash Type 9235 33 compact flash initialize filesystem Type 9235 33 compact flash repair filesystem Type 9235 33 compile ...

Page 6: ...3 service monitor 94 set system var 94 simple rate limiter 95 slm action 96 slm cred 96 slm policy 97 slm rsrc 97 slm sched 97 snmp 98 soap disposition 99 source ftp poller 99 source ftp server 100 source http 100 source https 100 source nfs poller 101 source raw 101 source stateful tcp 102 ssh 102 sslforwarder 103 sslproxy 105 ssltrace 107 startup 108 statistics 109 stylepolicy 109 no stylesheet ...

Page 7: ...ter 5 Application Domain configuration mode 173 config mode 173 deployment policy 173 domain user deprecated 174 file monitoring 175 file permissions 175 import format 176 import url 176 local ip rewrite 177 maxchkpoints 177 reset domain 178 visible domain 179 Chapter 6 Application Security Policy configuration mode 181 error match 181 request match 182 response match 182 Chapter 7 Compact Flash c...

Page 8: ...e 251 certificate 252 crldp 253 explicit policy 253 initial policy set 254 require crl 255 use crl 256 Chapter 15 Deployment Policy configuration mode 257 accept 257 filter 258 modify 259 Chapter 16 DNS Settings configuration mode 263 name server 263 search domain 264 static host 265 Chapter 17 Document Cache configuration mode 267 clear 267 maxdocs 268 policy 268 size 270 static document calls 27...

Page 9: ... 317 Chapter 26 HTTP Front Side Handler mode 319 acl 319 allowed features 320 compression 321 local address 321 http client version 321 max header count 322 max header name len 322 max header value len 323 max querystring len 323 max total header len 323 max url len 324 persistent connections 324 port 325 Chapter 27 HTTP Input Conversion Map configuration mode 327 default encoding 327 rule 328 Cha...

Page 10: ...ion mode 379 base dn 379 filter prefix 379 filter suffix 380 returned attribute 380 scope 381 Chapter 40 Load Balancer Group configuration mode 383 algorithm 383 damp 384 giveup when all members down 385 health check 385 masquerade 387 server 387 try every server 388 Chapter 41 Log Target configuration mode 389 ansi color 389 archive mode 389 backup 390 email address 390 encrypt 390 event 391 even...

Page 11: ...ow redirects 441 forbid external references deprecated 442 front attachment format 442 front persistent timeout 442 front protocol 443 front timeout 443 fwcred 444 gateway parser limits 444 host rewriting 445 http client ip label 446 http server version 446 include content type encoding 447 inject 447 load balancer hash header 448 loop detection 449 max message size 449 max node size 450 mime back...

Page 12: ...8 read only 498 retrans 499 rsize 499 timeo 500 transport 501 version 501 wsize 501 Chapter 53 NFS Poller Front Side Handler configuration mode 503 delay time 503 error delete 503 error rename pattern 504 match pattern 504 processing rename pattern 504 processing seize pattern 505 processing seize timeout 506 result 507 result name pattern 507 success delete 508 success rename pattern 508 target d...

Page 13: ...65 output filter 565 results 566 results async 566 rewrite 567 route action 567 route set 568 setvar 568 slm 569 strip attachments 569 type 569 unprocessed 570 validate 570 xform 572 xformpi 573 Chapter 63 RADIUS configuration mode 575 aaaserver 575 id 576 retries 576 server 577 timeout 578 Chapter 64 RBM Settings configuration mode 581 apply cli 581 au cache mode 582 au cache ttl 583 au custom ur...

Page 14: ... duration 635 start 636 Chapter 72 SNMP Settings configuration mode 637 access 637 port 638 trap code 638 trap priority 639 trap target 639 version 640 Chapter 73 SOAP Header Disposition Table configuration mode 643 refine 643 Chapter 74 Stateful Raw XML Handler configuration mode 645 acl 645 close on fault 645 local address 646 port 647 remote address 647 remote port 647 ssl 648 Chapter 75 Statel...

Page 15: ...9 inquiry url 689 port 690 publish url 690 security url 690 ssl 691 ssl port 691 subscription url 692 use ssl 692 version 692 Chapter 83 UDDI Subscription configuration mode 693 key 693 password 693 registry 694 username 694 Chapter 84 URL Map configuration mode 695 match 695 Chapter 85 URL Refresh Policy configuration mode 697 disable cache 697 disable flush 697 interval urlmap 698 protocol speci...

Page 16: ... 757 acl 757 cookie policy 758 error policy override 759 multipart form data 760 policy type 760 ratelimiter policy 761 request body max 762 request body min 762 request body profile 762 request content type 763 request header profile 763 request methods 764 request nonxml policy 765 request nonxml rule 765 request qs policy 766 request qs profile 766 request uri filter dotdot 767 request uri filt...

Page 17: ...18 soap schema url 819 ssl 819 stream output to back 820 stream output to front 820 stylepolicy 821 suppress 821 type 822 uddi subscription 822 urlrewrite policy 823 user policy 824 wsa back protocol 825 wsa default faultto 826 wsa default replyto 827 wsa faultto rewrite 827 wsa force 828 wsa genstyle 829 wsa http async response code 830 wsa mode 830 wsa replyto rewrite 832 wsa strip headers 833 w...

Page 18: ...87 method 887 namespace 888 object name 888 object type 889 refresh interval 889 server 890 use version 890 version 890 Chapter 106 XML Firewall configuration mode 893 acl 893 attachment byte count 893 attribute count 894 back attachment format 894 bytes scanned 895 default param namespace 895 element depth 896 external references 896 firewall parser limits 897 forbid external references deprecate...

Page 19: ...word 944 port 945 ssl 945 system name 945 user name 946 Chapter 114 Monitoring commands 949 show aliases 949 show application security policy 949 show audit log 949 show audit search 950 show chkpoints 951 show clock 951 show compact flash Type 9235 952 show conformancepolicy 952 show cpu 952 show crypto 952 show default gateway 952 show deployment policy 953 show documentcache 953 show domain 953...

Page 20: ...transaction variables 985 Headers transaction variables 986 Information transaction variables 987 Persistent connection transaction variables 988 Routing transaction variables 988 Statistics variables 989 URL based transaction variables 989 Web Services Management transaction variables 990 Extension variables 992 System variables 994 List of available variables 995 Appendix B Processing Policy pro...

Page 21: ... into the following categories v Installation and upgrade documentation v Administration documentation on page xx v Development documentation on page xx v Reference documentation on page xx v Integration documentation on page xxi v Problem determination documentation on page xxi v Supplemental documentations on page xxi Installation and upgrade documentation v IBM WebSphere DataPower SOA Appliance...

Page 22: ...e DataPower SOA Appliances Multi Protocol Gateway Developers Guide Provides instructions for using the WebGUI to configure Multiple Protocol Gateway services v IBM WebSphere DataPower SOA Appliances Web Service Proxy Developers Guide Provides instructions for using the WebGUI to configure Web Service Proxy services v IBM WebSphere DataPower SOA Appliances B2B Gateway Developers Guide Provides inst...

Page 23: ...plemental documentations v IBM WebSphere DataPower SOA Appliances Understanding Web Services Policy Provides conceptual information about how the DataPower appliance can use Web Services Policy WS Policy v IBM WebSphere DataPower SOA Appliances Understanding WS Addressing Provides conceptual information about how the DataPower appliance can use WS Addressing v IBM WebSphere DataPower SOA Appliance...

Page 24: ...domain You can add delete and view files but you cannot modify these files while in the domain Each application domain contains one cert directory This directory is not shared across domains chkpoints This directory contains the configuration checkpoint files for the appliance Each application domain contains one chkpoints directory This directory is not shared across domains config This directory...

Page 25: ... encrypted directory contains security certificates that are shared with partners Each appliance contains only one sharedcert directory This directory is shared across domains However you must be in default domain to create or upload keys and certificates store This directory contains example style sheets default style sheets and schemas that are used by the local appliance Do not modify the files...

Page 26: ...irectory is visible to the default domain only temporary This directory is used as temporary disk space by processing rules Each application domain contains one temporary directory This directory is not shared across domains Object name conventions The name must be unique in this object namespace The following characters in an object name are valid v a through z v A through Z v 0 through 9 v _ und...

Page 27: ...on echo Echoes text to the console enable Enters Privileged mode exec Calls and runs a target configuration script from another configuration script exit Closes the CLI connection help Displays online help login Logs in to the appliance as a specific user ntp1 Identifies an NTP server ping Determines if a target host is reachable on the network show Displays configuration or status information shu...

Page 28: ... refer to Table 3 This table provides a listing of the available commands and their purpose Table 3 Common configuration commands and their general purpose Command Purpose admin state Sets the administrative state of an object cancel Cancels changes to the current object and returns to the parent configuration mode disconnect1 Closes a user session echo1 Echoes text to the console exit1 Applies ch...

Page 29: ... active state disabled Places an object in the disabled inactive state Guidelines The admin state command sets the administrative state of an object Administrative states are not equivalent to operational states When an object has an administrative state of enabled its operational state might be up down or pending However when an object has an administrative state of disabled its operational state...

Page 30: ...igure terminal and interface commands for Management Port 0 alias mgtport configure terminal interface management 0 Alias update successful v Creates an alias back2 When invoked moves back two configuration modes If invoked from Validation Credentials configuration mode moves to Global configuration mode alias back2 exit exit Alias update successful v Creates an alias proxies When invoked displays...

Page 31: ...clock hh mm ss Parameters yyyy mm dd Specifies the date in four digit year two digit month and two digit day format When setting the date separate each value with a hyphen hh mm ss Specifies the time in two digit hour two digit minute and two digit second format When setting the time separate each value with a colon Guidelines Also available in Global configuration mode Related Commands ntp show c...

Page 32: ...mples v Enters Global configuration mode configure terminal Global configuration mode config diagnostics Enters Diagnostics mode Syntax diagnostics Guidelines The diagnostics command enters Diagnostics mode Attention Use this command only at the explicit direction of IBM Support disable Enters User Mode Syntax disable Guidelines Also available in Global configuration mode Related Commands enable e...

Page 33: ...Echoes text to the console Syntax echo text Parameters text Specifies the text to display enable Enters Privileged mode Syntax enable Guidelines After entering the enable command the CLI prompts for a user name and password Only authenticated users are allowed to enter Privileged Mode Use the disable command to exit Privileged Mode and enter User Mode Use the exit command to exit Privileged Mode a...

Page 34: ...es one of the following forms http user password host file https user password host file scp user password host file sftp user password host file The host name can be specified as an IP address or as a qualified host name when DNS services were previously enabled Guidelines The exec command enables the modularity of configuration scripts For example you can include all service configuration comman...

Page 35: ...CLI connection from User or Privileged Mode exit v Applies all changes made to the Crypto Validation Credentials object Leaves this Crypto Validation Credentials configuration mode and returns to Crypto configuration mode Leaves Crypto configuration mode and returns to Global configuration mode Persists the changes made to all object during this session to the startup configuration Closes the CLI ...

Page 36: ...initial log in the CLI prompts you to change your password Related Commands username Examples v Logs in as support a privileged account login Username support Password v Logs in as eugene a user account login Username eugene Password ntp Identifies an NTP server Syntax ntp server interval no ntp Parameters server Specifies the IP address or host name interval Specifies the number of seconds betwee...

Page 37: ... Related Commands clock show ntp service show ntp refresh time Examples v Identifies 10 10 12 13 as the NTP server Uses the default synchronization interval ntp 10 10 12 13 Modifying NTP Service configuration v Replaces 10 10 12 13 with 10 10 12 14 as an NTP server Sets the synchronization interval to every 2 minutes ntp 10 10 12 13 120 Modifying NTP Service configuration v Deletes the configured ...

Page 38: ...eturns to Global configuration model reset exit show Displays configuration or status information Syntax show arguments Parameters arguments Specifies the specific configuration object or status object Guidelines The show command displays configuration information or status information that is relevant to the provided argument In the absence of an argument the result differs depending on where you...

Page 39: ...n specified by the boot config command and the startup firmware image specified by the boot image command If a startup configuration or firmware image has not been designated the appliance restarts with the configuration and firmware image that were active when the shutdown command was executed Related Commands boot config boot image Examples v Shuts down and restarts the appliance after 10 second...

Page 40: ...ain Specifies the name of the target domain Guidelines In the absence of a specified target domain the command prompts for the domain name Related Commands domain Examples v Switches from the default domain to the application 1 domain config switch domain application 1 application 1 config v Displays the list of available domains and switches from the application 1 domain to the default domain app...

Page 41: ...ml store schemas dp cli template xsd v Runs the interactive script as defined in the local shell script xml file template local shell script xml test schema Tests conformity of an XML file against a schema Syntax test schema file schema Parameters file Specifies the URL of the XML file to test schema Specifies the URL of the schema Guidelines Also available in Global configuration mode The test sc...

Page 42: ...le TCP connection to the specified host on port number 80 the well known HTTP port using the default timeout value 10 seconds test tcp connection ragnarok 80 TCP connection successful v Confirms an available TCP connection to the specified IP address on port 21 the well known FTP control port The timeout value is 5 seconds test tcp connection 192 168 77 27 21 5 TCP connection successful top Return...

Page 43: ...s the network path to a target host Syntax traceroute host Parameters host Specifies the target host as either the IP address or host name Guidelines Also available in Global configuration mode Related Commands ip host ip name server ping test tcp connection Examples v Confirms an available TCP connection to loki traceroute loki Chapter 1 Initial login and common commands 17 ...

Page 44: ...18 Command Reference ...

Page 45: ...cy Enters AAA Policy configuration mode Syntax aaapolicy name no aaapolicy name Parameters name Specifies the name of the object The name can contain a maximum of 32 characters For restrictions refer to Object name conventions on page xxiv Guidelines The aaapolicy command enters AAA Authentication Authorization Audit configuration mode where you can create or modify an AAA Policy Use the no aaapol...

Page 46: ...account is locked out The duration of the lockout depends on the value defined by the lockout duration parameter If successful the account is not locked out and the count is reset If the value is 0 lockout behavior is disabled Repeated successive login failures by a user do not cause lockout of that account v An invocation with the lockout duration parameter defines the duration to lock out an acc...

Page 47: ...he Protocol Handler types The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv ssh Identifies the SSH service In this case the command enters ACL configuration mode to create an SSH specific ACL web mgmt Identifies the WebGUI Management Interface In this case the command enters ACL configuration mode to create a WebGUI Management Interface...

Page 48: ...ode v Deletes the standalone ACL 1 ACL no acl ACL 1 v Enters ACL configuration mode for the SSH service acl XSLProxy 1 acl ssh ACL configuration mode v Enters ACL configuration mode for the XML Management Interface acl xml mgmt ACL configuration mode action Enters Processing Action configuration mode Syntax action name no action name Parameters name Specifies the name of the Processing Action The ...

Page 49: ...fter each commend For example alias eth0 configure terminal interface ethernet 0 v Separate commands with an escaped semicolon For example alias eth0 configure terminal interface ethernet0 Use the no alias command to delete a command macro Also available in Privileged mode Related Commands show alias Examples v Creates the eth0 alias that moves to Interface configuration mode with the interface co...

Page 50: ...th0 Alias eth0 deleted application security policy Enters Application Security Policy configuration mode Syntax application security policy name no application security policy name Parameters name Specifies the name of the Application Security Policy The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines The application security p...

Page 51: ...nterface prompts for confirmation audit level Common Criteria Sets the audit level of the firmware Syntax audit level full standard Parameters full Default Audits the standard set of events and decisions on information flow standard Audits the standard set of events only Does not audit decisions on information flow Context Available only when the appliance is in Common Criteria mode Guidelines The...

Page 52: ...l be forced into an operational down state and cease to process traffic v All administrative services such as the WebGUI Telnet and so forth will continue to work When the appliance forces the release the log will contain a message that states that the disk space for audit events is low Before restoring the appliance to service a privileged administrator needs to free up disk space When there is e...

Page 53: ...me of an XML Manager match Specifies a shell style match pattern that selects the URLs of the style sheets to cache You can use wildcards to define a match pattern as follows The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single character The delimiters bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy M...

Page 54: ...oteNYSE wsdl clear aaa cache Clears the information caches of a specific AAA Policy Syntax clear aaa aaaPolicyName Parameters aaaPolicyName Specifies the name of the AAA Policy Guidelines The clear aaa cache command clears both the authentication and authorization information caches of the specified AAA Policy Related Commands cache allow cache ttl Examples v Clears the authentication and authoriz...

Page 55: ...che pdpName Parameters pdpName Specifies the name of the XACML PDP Related Commands cache ttl XACML Policy Decision Point clear xsl cache urlrefresh Guidelines In addition to using the clear pdp cache command to explicitly clear the PDP specific XACML policy cache you can use the following WebGUI properties to control XACML policy cache Specify the TTL for the PDP During PDP configuration use the ...

Page 56: ... a refresh interval setting the TTL of the PDP is ignored and the URL Refresh Policy refresh interval governs cache refresh v When the URL Refresh Policy is the no flush type with a refresh interval setting the greater of the URL Refresh Policy refresh interval or the TTL of the PDP governs cache refresh Examples v Clears the XACML policy cache of the PDP orderEntry PDP clear pdp cache PDP orderEn...

Page 57: ...he appliance This command provides a command shell to a remote host that allows offsite technicians to access a appliance that is protected by a firewall or other security measures This command provides the same function as the cli telnet command but provides the function from a remote host Related Commands cli telnet Examples v Establishes an appliance initiated TCP IP connection between the Data...

Page 58: ...an be expressed in CIDR slash format or in dotted decimal format Guidelines Without the telnetClientIP and clientMask arguments client access to the Telnet service is unrestricted To restrict access to a noncontiguous IP address range compile an ACL with the acl allow and deny commands Note Telnet is an unsecure protocol and should be used with extreme caution Telnet should be enabled only on the ...

Page 59: ...ration mode for volume cf0 compact flash cf0 Compact Flash configuration mode compact flash initialize filesystem Type 9235 Initializes the file system Syntax compact flash initialize filesystem name Parameters name Specifies the name of the existing compact flash volume For appliances that have a compact flash for auxiliary data storage the name is cf0 Guidelines The compact flash initialize file...

Page 60: ...ers name Specifies the name of the Compile Options Policy The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines Profiling results are available with the show profile command from the WebGUI Status Stylesheet Profiles or from the XML Management Interface Note After a style sheet is compiled with profiling enabled it must be flushe...

Page 61: ...the named Conformance Policy A Conformance Policy supports the following profiles v Web Services Interoperability WS I Basic Profile version 1 0 The documentation is available at the http www ws i org Profiles BasicProfile 1 0 html site v WS I Basic Profile version 1 1 The documentation is available at the http www ws i org Profiles BasicProfile 1 1 html site v WS I Attachments Profile version 1 0...

Page 62: ...738 To use an absolute path scp user host port file_path sftp user host port file_path To use a path that is relative to the user s home directory scp user host port file_path sftp user host port file_path Where host Specifies the fully qualified host name or IP address of the remote server If DNS is enabled the host name port Specifies the listening port on the remote server After issuing the com...

Page 63: ...tapower com LOGS Week1 log Password yetanotherpassword file copy successful v Uses SFTP to copy a file from the specified URL to the store directory copy sftp jrb 10 10 1 159 XML stylesheets InitalConvert xsl store InitalConvert xsl Password yetanotherpassword file copy successful v Uses SFTP to copy a file from the logstore directory to the specified remote target copy logstore Week1 log sftp jrb...

Page 64: ...me of the TAM domain The specified domain is the TAM domain to which the TAM client authenticate and use at runtime The default is Default application Specifies the name of the TAM application The specified name is combined with the host name of the appliance to create a unique identifier for objects that are created for the TAM client host Specifies the host name or IP address of the TAM policy s...

Page 65: ...mmand to create the configuration files needed to create a TAM object The configuration files specify the network and security configuration for the policy server replica authorization servers and the LDAP directory server This command creates the following files v Client configuration file v Key database file v Key stash file v Client obfuscation file TAM version 5 1 and above The created files a...

Page 66: ...iance The deletion of a file is permanent After a file is deleted it cannot be recovered Note The delete command does not prompt for confirmation Be certain that you want to delete the file before issuing this command Related Commands copy dir move Examples v Deletes the startup config deprecated file from the store directory delete store startup config deprecated v Deletes the betaImage file from...

Page 67: ...x dir directory Parameters directory Specifies a directory on the appliance Refer to Directories on the appliance on page xxii for details Related Commands copy delete move Examples v Displays the contents of the config directory dir config File Name Last Modified Size unicenter cfg Mon Jul 9 11 09 36 2007 3411 autoconfig cfg Mon Jul 9 14 20 27 2007 20907 89 2 MB available to config v Displays the...

Page 68: ...and enters User Mode disable v Exits Global configuration mode and enters Privileged Mode exit dns Enters DNS Settings configuration mode Syntax dns no dns Guidelines Use the no dns command to disable DNS services Use the exit or cancel command to exit DNS Settings configuration mode and return to Global configuration mode Related Commands cancel exit ip domain ip host ip name server Examples v En...

Page 69: ...Enters Document Cache configuration mode for a specific XML Manager Syntax documentcache XML manager Parameters XML manager Specifies the name of an XML Manager Guidelines By default document caching is disabled Document caching enables an XML Manager to cache any document that is through HTTP In Document Cache configuration mode you can v Enable and specify the size of the document cache v Design...

Page 70: ...on of the Application Domain object To delete an Application Domain object use the no domain command To exit this configuration mode without saving configuration changes to the running configuration use the cancel command To exit this configuration mode and save configuration changes to the running configuration use the exit command Related Commands cancel exit failure notification Enters Failure ...

Page 71: ...wn according to the semantics of its URL that is a directory for the hostname portion and a directory for each slash portion of the URL and then further by individual transaction Each transaction that represents a transformation stores not only the inputs but information on style sheets and disposition of the transformation Documents are stored in compressed format to reduce byte count Should docu...

Page 72: ...name no ftp quote command list name Parameters name Specifies the name of the FTP quoted command list The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines Use the no ftp quote command list command to delete an a FTP quoted commands list Use the cancel or exit command to exit FTP Quoted Commands List configuration mode and enter ...

Page 73: ...s for incoming HTTP client requests Guidelines You can use either of two forms of the httpserv command to create an HTTP server v The single command form creates a basic HTTP server that serves documents only from the general user storage store area If you wish to restrict access to an HTTP server you can compile an ACL using the acl allow and deny commands v The multi command form creates an HTTP...

Page 74: ...2 HTTP server on the specified interface httpserv Serv 2 192 168 1 200 64000 Installed HTTP server on port 64000 v Deletes the Serv 2 HTTP server no httpserv Serv 2 import execute Imports an Import Package object Syntax import execute package Parameters package Specifies the name of the Import Package object Guidelines The import execute command imports an existing Import Package object The Import...

Page 75: ...command To exit this configuration mode without saving configuration changes to the running configuration use the cancel command To exit this configuration mode and save configuration changes to the running configuration use the exit command Related Commands cancel exit include config Enters Include Configuration File configuration mode Syntax include config filename no include config filename Par...

Page 76: ...refer to Object name conventions on page xxiv Guidelines Use the no input conversion map command to delete an Input Conversion Map Use the cancel or exit command to exit HTTP Input Conversion Map configuration mode and enter Global configuration mode Related Commands cancel exit interface Enters Interface configuration mode for a specified interface Syntax interface ethernet 0 eth0 ethernet 1 eth1...

Page 77: ...o interface eth0 ip domain Adds an entry to the IP domain suffix search table Syntax ip domain domain no ip domain domain Parameters domain Specifies the base domain name to which a host name can be prefixed Guidelines This command enables the usage on non fully qualified domain names host names by specifying a list of one or more domain names that can be appended to a host name Use multiple ip do...

Page 78: ...host name loki in following ways loki somewhereelse com loki endoftheearth com no ip domain datapower com ip host Maps a host name to an IP address Syntax ip host hostname address no ip host hostname Parameters hostname Specifies the name of the host address Specifies the IP address of the host Specifies all hosts Guidelines Use the no ip host command to remove the host name IP address mapping Rel...

Page 79: ...col level DNS behavior Should be set to 0 max retries Optionally specifies the maximum number of times to retransmit an unacknowledged resolution request to the DNS server The default is 3 Specifies all DNS servers Guidelines Use the no ip name server command to delete a DNS provider Note Unless specifically requested do not change that DNS parameter Related Commands ip host show ip hosts show ip ...

Page 80: ...ge on the remote server Use the no iscsi chap command to remove an iSCSI CHAP Related Commands cancel exit iscsi hba Examples v Enters iSCSCI CHAP configuration mode to create the CHAP 1 iSCSI CHAP iscsi chap CHAP 1 New iSCSI CHAP configuration v Removes the CHAP 1 iSCSI CHAP no iscsi chap CHAP 1 iscsi chap CHAP 1 Configuration deleted iscsi fs init Type 9235 Initializes the iSCSI volume Syntax is...

Page 81: ...irs the iSCSI volume in case it was corrupted by an abnormal shutdown of the appliance or other error Before the iSCSI volume can be repaired use the admin state command in iSCSI Volume configuration mode to disable the volume After the iSCSI volume is repaired it must be enabled for further use Related Commands admin state iSCSI Volume Examples v Disables repairs and re enables the Georgia iSCSI ...

Page 82: ...ands cancel exit iscsi target Type 9235 Enters iSCSI Target configuration mode Syntax iscsi target name no iscsi target name Parameters name Specifies the name of the iSCSI target The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines The iscsi target command enters iSCSI Target configuration mode While in this configuration defin...

Page 83: ...group name Parameters name Specifies the name of the Load Balancer Group The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines After completing configuration of the Load Balancer Group assign the group to a specific XML Manager Assignment of the Load Balancer Group to an XML Manager makes the group available to the DataPower serv...

Page 84: ...Deactivates the locate LED light locate device off known host Adds or removes an SSH peer as an SSH known host Syntax known host host ssh rsa key no known host host Parameters host Specifies the fully qualified host name or IP address for the peer For example ragnarok datapower com 10 97 111 108 ssh rsa Identifies RSA as the key type key Specifies the host public key for the peer For example AAAAB...

Page 85: ...rs Enters LDAP Search Parameters configuration mode Syntax ldap search parameters name no ldap search parameters name Parameters name Specifies the name of the LDAP Search Parameters object The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines The ldap search parameters command enters LDAP Search Parameters configuration mode In ...

Page 86: ...he greater the use of system resources Related Commands show cpu show load Examples v Specifies an measurement interval of 2 5 seconds load interval 2500 logging category Enters Log Category configuration mode or delete a custom logging category Syntax logging category name no logging category name Parameters name Specifies the name for a custom logging category Guidelines Use the no logging categ...

Page 87: ...rities Use the no logging event command to remove an event class from a log Related Commands show logging event show logging priority Examples v Adds all events of critical alert or emergency priority to the Alarms log logging event Alarms all critic v Specifies which event classes and which event priorities to add to the CryptoLog log logging event CryptoLog schema error logging event CryptoLog x...

Page 88: ...get logging eventfilter Adds an event code to the suppression list for a specific log Syntax logging eventfilter target event code no logging eventfilter target event code Parameters target Specifies the name of an existing log target event code Specifies the hexadecimal value of the event code Guidelines The logging eventfilter commands adds an event code to the suppression list for the specified...

Page 89: ...viceManagementService DeviceSettings DNSNameService DocumentCryptoMap Domain DurationMonitor DynamicSchema DynamicStylesheet DynamicXMLContentMap ErrorReportSettings EthernetInterface EventLog FilterAction HTTPInputConversionMap HTTPProxyService HTTPService HTTPUserAgent ImportPackage IncludeConfig InternalProxy IPInterface LoadBalancerGroup LogLabel LogTarget Matching MessageFlowControl MessageMa...

Page 90: ...name of the system log The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines After entering Logging configuration mode you should first use the type command to identify the log type Additional configuration requirements and options are dependent upon the log type Use the no logging target command to delete an event log Related Co...

Page 91: ... greater or equal criticality to the argument are logged Note The loglevel logsize and syslog commands provide the ability to configure a rudimentary basic logging system Users however are encouraged to use the logging target command to enter Logging configuration mode From within this mode users can exercise more precise control over log formats and contents Related Commands logsize show log sysl...

Page 92: ...l show log Examples v Sets the log size to 250 lines logsize 250 v Displays the configured log size in lines logsize 250 matching Enters Matching Rule configuration mode Syntax matching name no matching name Parameters name Specifies the name of the Matching Rule The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines Use the cance...

Page 93: ...r to the expression so that expression values that have already been calculated are returned from a cache rather than being recomputed each time Memoization can provide significant performance gains for computing intensive calls Memoization is enabled by default and should rarely if ever be disabled It is possible however that with certain style sheets memoization could inflict a performance penal...

Page 94: ...r requested documents Use the cancel or exit command to leave Message Matching configuration mode and enter Global configuration mode Use the no message matching command to delete a traffic flow definition Related Commands cancel exit reset message type Enters Message Type configuration mode Syntax message type name no message type name Parameters name Specifies the name of the message class The n...

Page 95: ... the Metadata Processing object a list or manifest of metadata items that are returned in an XML nodeset to the object using the Metadata This is typically an AAA Policy Use the cancel or exit command to leave Processing Metadata configuration mode and enter Global configuration mode Use the no metadata command to delete a Processing Metadata object Related Commands cancel exit mkdir Creates a sub...

Page 96: ...ters name Specifies the name of the control procedure The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines A monitor action is a control procedure that specifies an action or set of actions to take when a monitored message class exceeds a configured threshold Use the cancel or exit command to leave Message Filter Action configur...

Page 97: ...nters Message Duration Monitor configuration mode Syntax monitor duration name no monitor duration name Parameters name Specifies the name of the duration monitor The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines A duration or time based monitor consists of a target message class two thresholds and a control procedure that is...

Page 98: ...etails filename Specifies the name of a file in the specified directory Guidelines You can use the move command to transfer a file to or from a directory However you cannot use the move command to copy a file from the private cryptographic area such as the cert directory Related Commands copy delete dir Examples v Moves a file from the config directory to the store directory move config startup co...

Page 99: ...ments with base 64 encoded character data The selected elements are decoded and attached as MIME attachment parts before transmission Decoding before transmission reduces the overhead that is associated with base 64 encoded data Use the cancel or exit command to leave MTOM Policy configuration mode and enter Global configuration mode Use the no mtom command to delete an MTOM Policy Related Command...

Page 100: ... mode and enter Global configuration mode Use the no nfs client command to disable the NFS client Related Commands cancel exit nfs dynamic mounts Enters NFS Dynamic Mounts configuration mode Syntax nfs dynamic mounts no nfs dynamic mounts Guidelines While in NFS Dynamic Mounts configuration mode you configure NFS dynamic mounts settings which are employed within the current application domain By d...

Page 101: ...ounts configuration mode and enter Global configuration mode Use the no nfs static mount command to delete an NFS static mount Related Commands cancel exit ntp Identifies an NTP Network Time Protocol server Syntax ntp address interval no ntp address Parameters address Specifies the IP address of an NTP server interval Optionally specifies the number of seconds between NTP updates Guidelines After ...

Page 102: ...r is identified by the remote server command NTP Service the appliance functions as a Simple Network Time Protocol SNTP client as described in RFC 2030 While functioning as an NTP client the appliance issues time of day requests to the specified NTP server every 15 minutes 900 seconds The appliance supports one NTP server at a time To designate a new NTP server use the no ntp service command to de...

Page 103: ...and to delete a Peer Group Related Commands cancel exit policy attachments Enters Policy Attachment configuration mode Syntax policy attachments name no policy attachments name Parameters name Specifies the name of the object The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines Use the cancel or exit command to exit Policy Attac...

Page 104: ...onfiguration mode you configure RADIUS Remote Authentication Dial In User Service settings Use the cancel or exit command to exit RADIUS configuration mode and return to Global configuration mode Use the no radius command to disable RADIUS service Related Commands cancel exit raid activate Type 9235 Activates an existing array volume Syntax raid activate name Parameters name Specifies the name of ...

Page 105: ...ys the content of the array volume Examples v Deletes the hard disk array volume on the disks raid delete raid0 raid initialize Type 9235 Initializes an array volume Syntax raid initialize name Parameters name Specifies the name of the existing hard disk array volume For appliances that have a hard disk array for auxiliary data storage the name is raid0 Guidelines The raid initialize command makes...

Page 106: ...k array volume For appliances that have a hard disk array for auxiliary data storage the name is raid0 Guidelines The raid volume command enters Hard Disk Array configuration mode for an existing hard disk array enabled appliance For appliances that have a hard disk array for auxiliary data storage the name is raid0 Related Commands cancel exit Examples v Enters Hard Disk Array configuration mode ...

Page 107: ...sk array for auxiliary data storage the name is raid0 Guidelines The raid volume repair filesystem command repairs the file system on the hard disk array in case it was corrupted by an abnormal shutdown of the appliance or other error Examples v Repairs the file system on the raid0 hard disk array volume raid volume repair filesystem raid0 rbm Enters RBM Settings configuration mode Syntax rbm no r...

Page 108: ... single character The delimiters bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y The refresh stylesheet command forces a one time reload In contrast the xslrefresh command enables a periodic policy based refresh cycle Related Commands xslrefresh Examples v Refreshes the OrderEntry xsl style sheet that is cached by the mgr1 XML Manager refresh stylesheet mgr1 http ww...

Page 109: ...uccessful reset domain Deletes the configuration for a domain Syntax Resets an application domain from the default domain reset domain name Resets an current domain reset domain Parameters name Specifies the name of the domain to reset Guidelines The reset domain command resets the configuration for the domain v When invoked from the default domain without an explicit domain the command resets the...

Page 110: ...ame account password Parameters account Specifies the name of the user account to reset password Optional Specifies the new temporary password for the account Guidelines The reset username command allows a privileged administrator to re enable an account after lockout If the invocation does not include the password the interface prompts for the password In either case the interface prompts for con...

Page 111: ... the existing domain running configuration and re initializing the domain with its startup configuration file either autoconfig cfg or the startup file that is identified by the boot config command Related Commands boot config save config overwrite write memory Examples v Restarts the AcceptanceCriteria domain from the default domain restart domain AcceptanceCriteria Restarting AcceptanceCriteria ...

Page 112: ...chkpoint command reverts the running configuration to the configuration that is defined in the named checkpoint configuration file Note If you use the rollback chkpoint command after a configuration was persisted with the write memory command the appliance uses the configuration in the checkpoint configuration file not the configuration in the startup configuration file Before reverting to a check...

Page 113: ...licy Rules initiated from Global configuration mode are global named objects that are available for assignment to one or more Processing Policies Rules initiated from Stylesheet Policy configuration mode are internal to a specific Processing Policy and cannot be reused by other policies In the absence of a request or response keyword the global rule is bidirectional and is applied to both client r...

Page 114: ...ClientServer global rule no rule valClientServer save chkpoint Creates a checkpoint configuration file Syntax save chkpoint name Parameters name Specifies the name of the checkpoint configuration file Do not specify a file extension Guidelines The save chkpoint command creates the named checkpoint configuration file in the domain specific chkpoint directory The created archive file has the zip ext...

Page 115: ...uments It automatically creates a file that contains any backtrace or watchdog error report the contents of the audit log and the running configuration If there is insufficient space to write the file the following error message indicates this condition Could not write error report to FILE If you receive this message delete files to make sufficient space Related Commands failure notification send ...

Page 116: ...the startup configuration Use no save config overwrite command to override the default behavior and designate the file defined with the boot config command as the startup configuration Related Commands boot config write memory Examples v Uses config autoconfig cfg as the startup configuration after saving the running configuration save config overwrite Save Config will overwrite startup config v U...

Page 117: ...1 Schema Exception Map no schema exception map SEM 1 search results Enables the search results optimization algorithm for an XML Manager Syntax search results XML manager no search results XML manager Parameters XML manager Specifies the name of an XML manager Guidelines The search results algorithm provides more efficient processing of style sheets that contain all element expressions If the styl...

Page 118: ...n finding a backtrace file the appliance sends the file to the appliance does not issue any notifications v Place this command within the configuration file to ensure that it will be executed upon each reboot v If identifying the SMTP server by host name you must place this command after the ip name server command in the configuration file otherwise the appliance will be unable to perform host nam...

Page 119: ...lure notification send error report Examples v Sends the config autoconfig cfg file to supportteam customer com through the smtp customer com mail server send file config autoconfig cfg smtp customer com supportteam customer com service battery installed Notifies the firmware that the battery was changed Syntax service battery installed Guidelines The service battery installed command resets the i...

Page 120: ...name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In XML Manager configuration mode you can configure the target Web Service Monitor to perform WSDL aware monitoring Use the no service monitor command to delete a Web Services Monitor Examples v Enters Web Services Monitor Configuration mode to create the WSMonitor 2 Web Services ...

Page 121: ...xamples v Creates the counter system variable in the signerID context set system var var system signerID counter 0 simple rate limiter Enters Simple Rate Limiter configuration mode Syntax simple rate limiter name no simple rate limiter name Parameters name Specifies the name of the Simple Rate Limiter The name can contain a maximum of 128 characters For restrictions refer to Object name convention...

Page 122: ...ion command to delete an SLM Action Related Commands cancel exit slm cred Enters SLM Credential Class configuration mode Syntax slm cred name no slm cred name Parameters name Specifies the name of the SLM Credential Class The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In SLM Service Level Monitor Credential Class configura...

Page 123: ...slm policy command to delete an SLM Policy Related Commands cancel exit slm rsrc Enters SLM Resource Class configuration mode Syntax slm rsrc name no slm rsrc name Parameters name Specifies the name of the SLM Resource Class The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In SLM Resource Class configuration mode define a se...

Page 124: ... the no slm sched command to delete an SLM Schedule Related Commands cancel exit snmp Enables or disables SNMP Syntax snmp no snmp Guidelines While in SNMP Settings configuration mode you configure Simple Network Management Protocol settings Use the cancel or exit command to exit SNMP configuration mode and return to Global configuration mode Use the no snmp command to disable SNMP Related Command...

Page 125: ... SOAP headers child elements or both SOAP headers and child elements This object is used by an xform action that uses the store soap refine xsl style sheet Use the no soap disposition command to delete the named object Use the cancel or exit command to exit this configuration mode and return to Global configuration mode Related Commands cancel exit source ftp poller Enters FTP Poller Front Side Ha...

Page 126: ...ce ftp server command to delete an FTP Server Front Side Handler object Related Commands cancel exit source http Enters HTTP Front Side Handler configuration mode Syntax source http handler no source http handler Parameters handler Specifies the name of the HTTP Front Side Handler The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidel...

Page 127: ...Enters NFS Poller Front Side Handler configuration mode Syntax source nfs poller handler no source nfs poller handler Parameters handler Specifies the name of the NFS Poller Front Side Handler object The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines Use the no source nfs poller command to delete an NFS Poller Front Side Handl...

Page 128: ...rce stateful tcp handler Parameters handler Specifies the name of the Stateful Raw XML Handler The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines Use the no source stateful tcp command to delete a Stateful Raw XML Handler object Related Commands cancel exit ssh Enables SSH on appliance interfaces Syntax ssh ssh address port no...

Page 129: ...ace ssh 10 10 13 4 2200 SSH service listener enabled v Disables SSH on all interfaces which restores the default state no ssh SSH service listener disabled sslforwarder Creates an SSL Proxy forwarder service Syntax sslforwarder name local address 0 local port remote address remote port sslproxy priority no sslforwarder name Parameters name Specifies the name of the SSL forwarding service The name ...

Page 130: ...ith an SSL wrapper for example Stunnel Before you can create an SSL Proxy service you must create an identification credentials set an SSL profile and an SSL Proxy Profile to be used by the SSL Proxy service Use the no sslforwarder command to delete an SSL Proxy service Related Commands idcred logging target profile sslproxy type Logging Examples v Creates the syslog ng stunnel SSL Proxy service M...

Page 131: ...ries client cache on off client auth optional on off client auth always request on off sslproxy name both server profile client profile sess timeout timer value cache size entries client cache on off client auth optional on off client auth always request on off Deletes an SSL proxy profile no sslproxy name Parameters name Specifies the name of the SSL Proxy Profile The name can contain a maximum o...

Page 132: ...e of 10 defines a maximum cache size of 10 240 entries By default the maximum cache size is 20 20 480 entries client cache on off Optionally disables client side caching of session state data on Default Enables client side caching off Disables client side caching client auth optional on off When acting as an SSL server controls when SSL client authentication is optional on Requests but does not re...

Page 133: ...nection The session specific state data times out after 15 minutes 900 seconds and maximum cache size is allocated for 102 400 entries Default values are used for the other properties sslproxy SSL 5 reverse Low sess timeout 900 cache size 100 v Creates the SSL 6 two way SSL Proxy Profile using the NoMD Crypto Profile on the appliance to client connections and the High Crypto Profile on the applian...

Page 134: ... Examples v Initiates an SSL trace for the SSL 1 SSL Proxy ssltrace SSL 1 Press ENTER to stop tracing Waiting for connection to begin startup Starts the DataPower installation wizard Syntax startup Guidelines The startup command is available when you initially log in to the appliance You can invoke this command after accepting the DataPower license and changing the password to the admin account Th...

Page 135: ...nd to clear all data collection counters and to suspend statistical data collection Related Commands show statistics Examples v Initiates statistical data collection statistics v Clears all data collection counters and suspends statistical data collection no statistics stylepolicy Enters Processing Policy configuration mode Syntax stylepolicy name xsldefault URL filter URL no stylepolicy name Para...

Page 136: ...h or instead of processing instructions contained within the input document Use the no stylepolicy command to delete a Processing Policy Refer to Appendix B Processing Policy procedures on page 999 for procedural details regarding the creation and implementation of Processing Policies Related Commands cancel exit Examples v Enters Processing Policy configuration mode to create the FW 1 Processing ...

Page 137: ...e mgr1 XML Manager no stylesheet mgr1 http www somecompany XML stylesheets OrderEntry xsl v Deletes any style sheet cached by the mgr1 XML Manager whose URL contains datapower no stylesheet mgr1 datapower v Deletes all style sheets cached by the mgr1 XML Manager no stylesheet mgr1 switch domain Moves to the specified application domain Syntax switch domain domain Parameters domain Identifies the t...

Page 138: ... important The log level specifies that all events of greater or equal importance to the argument are logged The loglevel command specifies the event types that will be logged locally The syslog command specifies a subset of locally logged events that will be forwarded to a remote appliance Reception of log events by the remote appliance requires configuration of that appliance or the installation...

Page 139: ... mode Related Commands cancel exit tam Enters TAM IBM Tivoli Access Manager configuration mode Syntax tam name Parameters name Optionally identifies the TAM object The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv In the absence of a name argument the appliance firmware creates a TAM object named default Guidelines While in TAM configur...

Page 140: ...ame of the TCP proxy The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv local address Specifies an IP address primary or secondary of an interface With the local port identifies the incoming TCP traffic stream that will be redirected local port Identifies a specific port on the local host Use an integer in the range of 0 through 65535 Wi...

Page 141: ...xy no tcpproxy ForwardHTTP template Runs an interactive command line script Syntax template URL Parameters URL Specifies the fully qualified location of the interactive command line script Guidelines The template command specifies the URL of the interactive command line script The script is an XML file that can be local or remote to the DataPower appliance The script must conform to the store sche...

Page 142: ...5 27 bf e7 v success Statistics for interface eth0 show no errors v success 6 fans expected 6 fans found v success fan 1 operating within expected range v success Status of the crypto standard is fully operational Samples of warning statements are as follows v warning Backtrace file exists v warning Physical link on interface eth0 is down v warning eth1 has invalid MAC ff ff ff ff ff Samples of fa...

Page 143: ...og target Use this command to test the configuration of a Logging Target To create a Logging Target use the Global logging target command Related Commands logging target global Examples v Tests two candidate URLs against the URLmap 1 URL map urlmap URLmap 1 URL map mode match https www company com XML stylesheets match https www distributer com xsl exit test urlmap URLmap 1 https www company com X...

Page 144: ...ot a URL map that is used by a Stylesheet Refresh Policy The command returns match if the candidate URL matches a pattern in the URL map or returns no match if the URL does not match a pattern The test urlmap command tests a candidate URL against a single URL map The test urlrefresh command tests a candidate URL against all URL maps used by a Stylesheet Refresh Policy Refer to Appendix C Styleshee...

Page 145: ... number 80 the well known HTTP port using the default timeout value 10 seconds test tcp connection ragnarok 80 TCP connection successful v Confirms an available TCP connection to the specified IP address on port 21 the well known FTP control port The timeout value is 5 seconds test tcp connection 192 168 77 27 21 5 TCP connection successful test urlrefresh Tests a given URL against a specific Styl...

Page 146: ...tch 43200 seconds rule https www company com XML stylesheets test urlrefresh 2aday https www amajoraccount com Zeus RenderHtml xsl match 43200 seconds rule https www amajoraccount com Zeus xsl test urlrewrite Tests a URL against a URL Rewrite Policy Syntax test urlrewrite URL rewrite policy URL Parameters URL rewrite policy Specifies the name of the URL Rewrite Policy to test URL Specifies the can...

Page 147: ...ame is a required string that identifies the TFIM object The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In TFIM IBM Tivoli Federated Identity Manager configuration mode you configure a TFIM object that provides the information needed to locate and access a TFIM server Use the cancel or exit command to exit TFIM configurati...

Page 148: ...he amount of free memory does not rise above the throttle threshold in the specified timeout expressed in seconds the appliance restarts If free memory falls below the kill threshold also a measure of free memory expressed as a percentage of total memory the appliance restarts immediately Use the no throttle command to turn off throttling Related Commands show throttle Examples v Customizes applia...

Page 149: ...it command to exit Timezone configuration mode and return to Global configuration mode Related Commands cancel exit traceroute Traces the network path to a target host Syntax traceroute host Parameters host Specifies the target host as either the IP address or host name Related Commands ip host ip name server ping test tcp connection Examples v Confirms an available TCP connection to loki tracerou...

Page 150: ...e name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In UDDI Universal Description Discovery and Integration Subscription configuration mode you configure a UDDI Subscription object that provides the username and password information used to access a specified UDDI Registry via reference to a previously created UDDI Registry objec...

Page 151: ...the startup configuration you will receive the following message Cannot undo new configuration If invoked against a object that has not been modified you will receive the following message Cannot undo configuration has not been modified If invoked against a nonexistent named object you will receive the following message Cannot undo last configuration change If invoked against a nonexistent object ...

Page 152: ...28 characters For restrictions refer to Object name conventions on page xxiv Guidelines With a Stylesheet Refresh Policy in place the appliance refreshes specified style sheets at regular intervals Update eligibility is determined by match criteria contained with URL maps assigned to the Stylesheet Refresh Policy When implementing a Stylesheet Refresh Policy keep in mind that frequent updates of c...

Page 153: ...tent Type header based on a URL match v Replace the value of an arbitrary header based on its value v Rewrite the body of an HTTP POST request Rewrite rules that are defined in the URL Rewrite Policy occur before document processing v Any Matching Rule must match the rewritten URL v Any action in the Processing Policy can change the URI that is sent to the backend server Use the no urlrewrite comm...

Page 154: ... Enters User Agent configuration mode Syntax user agent name no user agent name Parameters name Optionally specifies the name of the HTTP user agent The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv In the absence of an explicitly identified HTTP User Agent the command enters User Agent Configuration mode for the default HTTP User Agent...

Page 155: ...ers User Group configuration mode Syntax usergroup name no usergroup name Parameters name Specifies the name of the User Group The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines A user group consists of a set of access privileges that are subsequently assigned to individual user accounts Use the no usergroup command to delete ...

Page 156: ...on mode While in VLAN configuration mode you can create or modify VLAN objects Use the no vlan sub interface command to delete a VLAN object A VLAN object is generally used to provide a trunk between adjacent DataPower appliances The VLAN object creates a virtual IP interface VIP on one of the physical Ethernet interfaces on the appliance VLAN packets are identified by the IEEE 802 1Q tagging prot...

Page 157: ...elines Use the cancel or exit commands to exit Web Application Firewall configuration mode and return to Global configuration mode Use the no web application firewall command to delete a Web Application Firewall Related Commands cancel exit web mgmt Creates a specialized HTTP server that supports WebGUI access Syntax web mgmt web mgmt address port on timeout web mgmt address port off no web mgmt P...

Page 158: ...assword map Examples v Enters Web Management Service configuration mode web mgmt Web Management Service configuration mode v Creates a WebGUI server on the specified IP address port pair The idle session logout timer defaults to 5 minutes web mgmt 10 10 13 31 9090 HTTP configuration update successful v Creates a WebGUI server on the specified IP address port pair The idle session logout timer is e...

Page 159: ...bapp error handling command to delete a Web Application Error Handling Policy Related Commands cancel exit webapp gnvc Enters Web Application Name Value Profile configuration mode Syntax webapp gnvc name no webapp gnvc name Parameters name Specifies the name of the Web Application Name Value Profile The name can contain a maximum of 128 characters For restrictions refer to Object name conventions ...

Page 160: ...pp request profile command to delete a Web Application Request Profile Related Commands cancel exit webapp response profile Enters Web Application Response Profile configuration mode Syntax webapp response profile name no webapp response profile name Parameters name Specifies the name of the Web Application Response Profile The name can contain a maximum of 128 characters For restrictions refer to...

Page 161: ...Session Management policy Related Commands cancel exit write memory Copies the running configuration as the startup configuration Syntax write memory Guidelines After copying the running configuration to config autoconfig cfg the appliance determines if the current startup configuration script file can be overridden by config autoconfig cfg If it can be overridden determined by the save config ove...

Page 162: ...lated Commands cancel exit wsm agent Enters Web Services Management Agent configuration mode Syntax wsm agent Guidelines The Web Services Management Agent provides manageability for Web Services by providing status metrics and transaction history to external management stations Related Commands cancel exit wsm endpointrewrite Enters WS Proxy Endpoint Rewrite configuration mode Syntax wsm endpointr...

Page 163: ...onventions on page xxiv Guidelines Use the no wsm rule command to delete a Web Services Processing Rule Related Commands cancel exit wsm stylepolicy Enters Web Services Processing Policy configuration mode Syntax wsm stylepolicy name no wsm stylepolicy name Parameters name Specifies the name of the Processing Policy The name can contain a maximum of 128 characters For restrictions refer to Object ...

Page 164: ...er object Related Commands cancel exit wsrr subscription Enters WSRR Subscription configuration mode Syntax wsrr subscription name no wsrr subscription name Parameters wsrrSubscriptionName Specifies the name of the WSSR subscription object The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In WebSphere Services Repository and ...

Page 165: ...ML Parser Limits configuration mode for an XML Manager Syntax xml parser limits XML manager Parameters XML manager Specifies the name of an XML Manager Guidelines While in XML Parser Limits configuration mode you can set configurable limits on various characteristics of XML documents for example input documents style sheets schemas that are parsed by the appliance These limits provide for increase...

Page 166: ...cument schema URL Specifies the use of a specific schema regardless of any validation processing instructions in the XML document Guidelines Identifies the validation methodology and XML schema to use for document validation In the absence a keyword validation is performed according to validation instructions if any that are contained in the XML document Documents that contain no validation instru...

Page 167: ... of 128 characters For restrictions refer to Object name conventions on page xxiv Guidelines In the absence of the optional name argument the DataPower appliance provides a default name The name takes the form xmlfirewalln Use the cancel or exit command to exit XML Firewall configuration mode and return to Global configuration mode Use the no xmlfirewall command to delete an XML Firewall Related C...

Page 168: ...leHandler xml manager ScheduleHandler Configuration deleted xml mgmt Enter XML Management Interface configuration mode or enables or disables the XML Management Interface Syntax xml mgmt xml mgmt address port no xml mgmt Parameters address Specifies an IP address that in conjunction with port identifies the XML Management Interface A value of 0 0 0 0 indicates all local addresses port Identifies t...

Page 169: ...nt Interface on port 1080 of the specified local address xml mgmt 10 10 13 7 1080 XML management successfully started v Disables the XML Management Interface no xml mgmt XML management successfully disabled xpath routing Enters XPath Routing Map configuration mode Syntax xpath routing name no xpath routing name Parameters name Specifies the name of the XPath Routing Map The name can contain a maxi...

Page 170: ...delines SHA 1 is defined in FIPS 180 1 and published to the internet community as RFC 3174 SHA 1 takes an input message or string of less than 264 bits and computes a 160 bit output that is called a message digest The message digest can be thought of as a digital fingerprint or signature With SHA 1 assisted caching enabled style sheets are cached by both URL and SHA 1 message digest values SHA 1 a...

Page 171: ...r associating a Compile Options Policy with an XML Manager The XML Manager profiles all style sheets that match the policy definitions To create a Compile Option Policy use the compile options command with the profile or debug commands Use the no xslconfig command to remove the assignment of a Compile Options Policy from an XML manager Related Commands compile options debug profile show profile Ex...

Page 172: ...her of two forms referred to as single command and multi command of the xslcoproc command to create an XSL Coprocessor v The single command form creates a basic XSL Coprocessor This form requires the following arguments The IP address of the appliance interface The port number for the appliance interface The XML Manager that supports coprocessor operations The single command form supports the abil...

Page 173: ... 0 port local address server port server XML manager processingPolicy xslproxy name address local port local address server port server XML manager processingPolicy no xslproxy name Parameters name Specifies the name of the XSL Proxy The name can contain a maximum of 128 characters For restrictions refer to Object name conventions on page xxiv 0 Binds to all enabled appliance interfaces address lo...

Page 174: ...nctionality Use the exit command to exit XSL Proxy configuration mode and return to Global configuration mode Use the no form of this command to delete an XSL Proxy Related Commands stylepolicy xmlmgr Examples v Enters XSL Proxy Service configuration mode for the Proxy 1 XSL proxy xsl proxy Proxy 1 XSL Proxy Service configuration mode v Creates the catalogOrders XSL Proxy Monitors the local addres...

Page 175: ...rovides for the more frequent updates of style sheets that are subject to change and provides less frequent updates for stable style sheets Refer to Appendix C Stylesheet Refresh Policy configuration on page 1005 for procedural details regarding the creation and implementation of URL maps and Stylesheet Refresh Policies Use the no xslrefresh command to remove the assignment of a Stylesheet Refresh...

Page 176: ...ventions on page xxiv Guidelines While in z OS NSS Client configuration mode you configure a z OS NSS Client which provides the parameters necessary for authentication with SAF on a z OS Communications Server Use the no zos nss command to delete a z OS NSS Client object 150 Command Reference ...

Page 177: ...ng the Security header http www w3 org 2003 05 soap envelope role none No one should process the Security Header http www w3 org 2003 05 soap envelope role next Every one including the intermediary and ultimate receiver receives the message should be able to processing the Security header http www w3 org 2003 05 soap envelope role ultimateReceiver The message ultimate receiver can process the Secu...

Page 178: ...tion method and takes one of the following values v cleartrust v client ssl v custom v kerberos v ldap v netegrity v radius v saml artifact v saml authen query v saml signature v tivoli v token v validate signer v ws secureconversation v ws trust v xmlfile url Specifies the location of the style sheet for authentication purposes If the method is other than custom use two double quotation mark char...

Page 179: ... custom url authorize ldap host port authorize netegrity host port Parameters method Specifies the authorization method and takes one of the following values v anyauthenticated v cleartrust v custom v ldap v netegrity v passthrough v saml attr v saml authz v tivoli v use authen attr v xmlfile url Specifies the location of the style sheet for authorization purposes If the method is other than custo...

Page 180: ...t AAA Policy Syntax cache allow on off Parameters on Default Enables caching of authentication and authorization data by the current AAA policy off Disables caching of authentication and authorization data by the current AAA policy Related Commands cache ttl Examples v Specifies that authentication and authorization data is not cached by the current AAA Policy cache allow off v Restores the defaul...

Page 181: ...s v Identity extraction when the method is Subject DN from Certificate in the Message s signature extract identity command set to the signer dn method v Authentication when the method is Validate the Signer Certificate for a Digitally Signed Message the authorize command set to the validate signer method When used with a value of 1 the AAA Policy extracts the first signature and its first referenc...

Page 182: ...not the identity of a requester is presented as a SAML attribute assertion SAML authenticate Specifies either on or off to indicate whether of not the identity of a requester is presented as a SAML authentication assertion stylesheet Specifies either on or off to indicate whether of not the identity of a requester is extracted via an XSL style sheet url Meaningful only if stylesheet is on to ident...

Page 183: ...sed on the HTTP Request method xPath Specifies either on or off to indicate whether of not the resource identity is determined by an XPath expression expression Meaningful only if xPath is on to specify the operative XPath expression Examples v Specifies that resource extraction is based on input and output URLs extract resource on on on off off off ldap suffix Specifies the LDAP suffix used by th...

Page 184: ...wed level Specifies the log priority for messages that report successful AAA operations Syntax log allowed level priority Parameters priority Specifies the log priority of messages that report successful AAA operations and takes one of the following values v emergency v alert v critical v error v warning v notice v info Default v debug Guidelines Meaningful only if logging of successful AAA operat...

Page 185: ...iority Specifies the log priority of messages that report unsuccessful AAA operations and takes one of the following values v emergency v alert v critical v error v warning Default v notice v info v debug Guidelines Meaningful only if logging of unsuccessful AAA operations is enabled Related Commands log allowed low allowed level log rejected map credentials Specifies the method used to map authen...

Page 186: ...om custom URL map resource xmlfile XML file URL map resource XPath expression Parameters custom custom URL Specifies the location of the style sheet xmlfile XML file URL Specifies the location of the XML file XPath expression Specifies the operative XPath expression Examples v Specifies that resources mapping uses the mapResource xsl style sheet map resource custom local mapResource xsl namespace ...

Page 187: ...rate compatibility ping identity compatibility post process Enables or disables a style sheet based postprocessing action Syntax post process on off URL Parameters on off Enables or disables postprocessing on Enables postprocessing off Disables postprocessing URL Specifies the URL of the style sheet that performs post processing activities Examples v Enables postprocessing with the specified style...

Page 188: ...ved from multiple endpoints and the source ID for these endpoints are encoded in the artifact itself as per the SAML spec If there is only one artifact retrieval URL it can be specified by the SAML artifact responder URL in the authentication phase Examples v Locates the SAML artifact mapping file saml artifact mapping local artifactTO xml saml attribute Specifies the namespace URI local name and ...

Page 189: ...p www example com AttributeValue Winchester AttributeValue Attribute saml name qualifier Specifies the value of the SAML NameQualifier attribute Syntax saml name qualifier name Parameters name Identifies the SAML NameQualifier attribute value saml server name Specifies the value of the Server field for SAML assertions Syntax saml server name name Parameters name Identifies the Server field value s...

Page 190: ...ated with the key used by the current AAA Policy to sign SAML messages Syntax saml sign cert name Parameters name Identifies the crypto certificate object Related Commands saml sign key saml sign hash Specifies the algorithm to calculate the message digest for signing Syntax saml sign hash algorithm Parameters algorithm Specify one of the following keywords md5 http www w3 org 2001 04 xmldsig more...

Page 191: ...olicy for SAML signature verification Syntax saml valcred name Parameters name Identifies the Validation Credentials Set to use for signature verification saml2 metadata Specifies the location of the SAML 2 0 metadata file Syntax saml2 metadata URL Parameters URL Specifies a local or remote URL that specifies the file location Guidelines The SAML metadata file contains metadata used in SAML 2 0 pr...

Page 192: ...iority Indicates the priority to assign for scheduling or for resource allocation Use one of the following values low Receives below normal priority normal Default Receives normal priority high Receives above normal priority authorize Indicates whether to require authorization Use one of the following values on Requires authorization off Default Does not require authorization wstrust encrypt key S...

Page 193: ...ameters name Identifies the certificate object Guidelines Use the no wstrust encrypt key command to remove the certificate assignment from the current AAA Policy Chapter 3 AAA Policy configuration mode 167 ...

Page 194: ...168 Command Reference ...

Page 195: ...r example the following ACL fails its intended purpose The address range that is specified by the deny clause 192 168 14 224 through 192 168 14 255 is granted access before the allow clause allow 192 168 14 0 24 deny 192 168 14 0 27 However as shown in the following example reversing the sequence of the clauses achieves the desired effect deny 192 168 14 0 27 allow 192 168 14 0 24 An ACL that cont...

Page 196: ...low any clause Related Commands deny Examples v Enters ACL configuration mode for the Restricted ACL Limits access to IP addresses 10 10 10 224 through 10 10 10 255 192 168 14 1 and 10 10 100 1 All other IP addresses are denied access acl Restricted ACL configuration mode allow 10 10 10 0 27 allow 192 168 14 1 32 allow 10 10 100 1 32 exit deny Identifies IP addresses to deny access Syntax deny add...

Page 197: ...e allow any clause Related Commands allow Examples v Enters ACL configuration mode for the Public ACL Denies access to IP addresses 10 0 0 0 through 10 255 255 255 and to addresses 192 168 0 0 through 192 168 255 255 All other IP addresses are granted access acl Public ACL configuration mode deny 10 0 0 0 8 deny 192 168 0 0 16 allow any exit Chapter 4 Access Control List configuration mode 171 ...

Page 198: ...172 Command Reference ...

Page 199: ...based configuration Domain configuration is defined in a local configuration file import Specifies remote configuration Domain configuration is defined in a remote resource Guidelines If config mode is set to import you must specify both the location and type of the remote configuration resource with the import url and import format commands Also if config mode is set to import you can specify a d...

Page 200: ...on New Application Domain configuration config mode import import url http www datapower com configs AppDomainTest cfg import format xml deployment policy GeneralDeploy domain user deprecated This command is deprecated To provide the same behavior use the domain command from the User configuration mode In the absence of an RBM policy defines the accessible domains for all user interfaces Syntax do...

Page 201: ...pplication domain Related Commands file permissions Examples v Modifies the test application domain and enables both auditing and logging of changes to files domain test Modify Application Domain configuration file monitoring audit log exit file permissions Establishes user access permissions for files stored in the local domain directory Syntax file permissions type type Parameters type Can be Co...

Page 202: ...he format of the remote configuration file Syntax import format xml zip Parameters xml Specifies an XML file zip Default Specifies a ZIP file Guidelines If config mode is set to import you must specify both the location and type of the remote configuration resource with the import url and import format commands Related Commands config mode import url Examples v Creates the test application domain ...

Page 203: ...fg import format xml exit local ip rewrite Indicates whether to rewrite the local IP address during an import Syntax local ip rewrite on off Parameters on Default Rewrites the IP address in the package to match the equivalent interfaces on the appliance during an import In other words a service bound to eth1 in the package is rewritten to bind to eth1 during the import off Retains the IP addresses...

Page 204: ...efault domain this command deletes the currently running configuration of the default domain and returns the default domain to its initial state v v The primary difference between the no domain command and the reset domain command removes only the currently running configuration for a domain and does not delete the physical domain A possible use case would be to import new configuration settings i...

Page 205: ...omains that are visible to this domain All files stored in visible domains are read only to this domain No other objects are available Note References to visible domains are explicit not bidirectional If domainA is made visible to domainB domainB cannot see domainA In this case you cannot make domainA visible to domainB References to visible domains cannot be circular Examples v Modifies the test ...

Page 206: ...180 Command Reference ...

Page 207: ...rs match rule Specifies the name of an existing Match Rule Use the Global match command to create a new Match Rule processing rule Specifies the name of an existing Processing Rule Use the Global rule command to create a new Processing Rule Guidelines Any error condition that matches the configured Match Rule will be handled by the corresponding Processing Rule The first Match Rule in the Map that...

Page 208: ...elines Any client request that matches a configured Match Rule will be handled by the corresponding Web Request Profile The first Match Rule in the Map that matches will handle the request A Security Policy must have at least one entry in the Web Request Map Use the no request match command to remove the entire Web Request Map Related Commands webapp request profile Global match Global Examples v ...

Page 209: ...e Map that matches will handle the response A Security Policy must have at least one entry in the Web Response Map Use the no request match command to remove the entire Web Response Map Related Commands webapp request profile Global match Global Examples v Creates three entries in the Web Response Map in the order in which they were created response match PortalA portal a resp request match Portal...

Page 210: ...184 Command Reference ...

Page 211: ...name Parameters name Specifies the name of the subdirectory Guidelines The directory command specifies the directory under which to make the files on the compact flash available in the local and logstore directories in each application domain Examples v Makes the files on the compact flash storage card accessible in the local flash and logstore flash directories compact flash cf0 Compact Flash con...

Page 212: ... compact flash cf0 Compact Flash configuration mode read only v Makes the file system read write the default state compact flash cf0 Compact Flash configuration mode no read only 186 Command Reference ...

Page 213: ...at accept most uses of elements with xsi type SOAP ENC Array Syntax allow soap enc array map Parameters map Identifies the URL map that defines the set of schemas that specifically allow the xsi type SOAP ENC Array rule Guidelines The allow soap enc array command designates a set of schemas that will accept most uses of elements with xsi type SOAP ENC Array consistent with SOAP 1 1 Section 5 even ...

Page 214: ... profiled in debug mode debug URLMap Compile 1 minesc Disables output escaping for a specified set of style sheets Syntax minesc map Parameters map Specifies the name of a URL map that defines the set of style sheets Guidelines By default output of style sheets is escaped during the transformation process for example when handling non English character sets that requires minimal escaping Examples ...

Page 215: ...s Specifies the maximum memory usage Use an integer in the range of 10240 through 104857600 Examples v Sets a maximum of 10 megabytes to allow for the compilation for style sheets stack size 10485760 stream Specifies a set of style sheets whose output is streamed Syntax stream map Parameters map Specifies the name of a URL map that defines the set of style sheets Guidelines With streaming enabled ...

Page 216: ...ng strict strict try stream Specifies a set of style sheets whose output is conditionally streamed Syntax try stream map Parameters map Specifies the name of a URL map that defines the set of style sheets Guidelines With conditional streaming enabled transformation of a document begins before the input is fully parsed Not all style sheets can be streamed If a style sheet cannot be conditionally st...

Page 217: ...esignates a set of schemas where wildcards xs any elements only validate children by element name Syntax wildcard ignore xsi type map Parameters map Identifies the URL map that defines the set of schemas set of schemas where wildcards xs any elements only validate children by element name Guidelines The allow soap enc array command designates a set of schemas set of schemas set of schemas where wi...

Page 218: ...ge Syntax wsdl validate body strict lax strict Parameters skip Disables validation of the body lax Forces validation of the bodies that match the WSDL definition strict Validates all bodies which allows only messages that match the WSDL description Guidelines By default strict validation is applied to soap Body Use this command to relax these restrictions thus allowing more messages to pass valida...

Page 219: ...te faults strict wsdl validate headers Specifies validation behavior of the soap Header of the message Syntax wsdl validate headers skip lax strict Parameters skip Disables validation of the headers lax Forces validation of the headers that match the WSDL definition strict Validates all headers which allows only messages that match the WSDL description Guidelines By default lax validation is appli...

Page 220: ...ers wsdl wrapped faults wsdl wrapped faults wsi validate Validates WSDL files against section 5 of WS I Basic Profile Syntax wsi validate ignore warn fail Parameters ignore Disables conformance checking of the WS I Basic Profile warn Logs warnings for WS I Basic Profile violations fail Forces conformance of the WS I Basic Profile Guidelines By default the system issues a warning when validation fa...

Page 221: ...sages are also controlled by log events in the XACML category Use the debug log level to view the full XACML debugging messages xslt version Specifies the XSLT version to use during compilation Syntax xslt version xslt10 xslt20 stylesheet Parameters xslt10 Uses XSLT 1 0 xslt20 Uses XSLT 2 0 stylesheet Supports for both versions Selection is based on specifications internal to each style sheet Exam...

Page 222: ...196 Command Reference ...

Page 223: ...on off Does not attach an assertion Use this setting with filter action Guidelines The assert bp10 conformance command is meaningful only when validating messages against WS I Basic Profile 1 0 The profiles for message validation are defined using the profiles command Use the assert bp10 conformance command only when the value for the profiles command includes BP10 as part of its definition Relate...

Page 224: ... fixup stylesheet local conformError2 xsl v Removes the local conformError2 xsl style sheet as a corrective style sheet no fixup stylesheet local conformError2 xsl ignored requirements Identifies which profile requirements to exclude from validation Syntax ignored requirements profile requirement no ignored requirements profile requirement Parameters profile Specifies the literal representation fo...

Page 225: ...mples v Excludes requirements R4221 and R4222 in the WS I Basic Security Profile version 1 0 from validation ignored requirements BSP1 0 R4221 ignored requirements BSP1 0 R4221 v Removes the excluded requirement BSP1 0 R4221 so that it is part of conformance validation no ignored requirements BSP1 0 R4221 profiles Defines the profiles against which to validate conformance Syntax profiles profile p...

Page 226: ...ummary Guidelines The reject include summary command determines whether to include a summary of the conformance analysis in the request rejection message This command is meaningful only when request messages are rejected Request messages are rejected when the value for the reject level command is set to failure or warning Related Commands reject level Examples v Includes a summary in rejection req...

Page 227: ...lure reject include summary on report level Identifies when to record a conformance report for requests Syntax report level always failure never warning Parameters always Always records a conformance report failure Records a conformance report for conformance failures never Default Never records a conformance report warning Records a conformance report for both conformance failures and conformance...

Page 228: ...or requests to datapower com conform with the HTTP protocol report level failures report target http datapower com conform response properties enabled Controls the enablement of conformance for response messages Syntax response properties enabled on off Parameters on Allows the definition of conformance for response messages off Default Does not allow the definition of conformance for response mes...

Page 229: ...e or warning Related Commands response reject level Examples v Includes a summary in rejection messages that indicate conformance failures for responses response reject level failure response reject include summary on v Does not include a summary in rejection messages for responses which restores the default state response reject include summary off response reject level Identifies when to reject ...

Page 230: ...mance report failure Records a conformance report for conformance failures never Default Never records a conformance report warning Records a conformance report for both conformance failures and conformance warnings Guidelines The response report level command determines when to send a conformance report for responses To send a conformance report for responses you must use the response report targ...

Page 231: ...mance report Determines whether to use conformance analysis as output Syntax result is conformance report on off Parameters on Delivers a conformance analysis as a results action off Default Delivers the original message possibly modified by one or more style sheets to the next document processing action Guidelines The result is conformance report command indicates whether the conformance analysis...

Page 232: ...206 Command Reference ...

Page 233: ...also available in CRL configuration mode bind dn Specifies the login DN distinguished name used to access an LDAP server Syntax bind dn dn Parameters dn Specifies the login name to access the target LDAP server Guidelines You must specify a login DN when defining LDAP enabled CRL Update Policy Related Commands bind pass read dn refresh remote address Examples v Enters CRL Mode to create the LDAP14...

Page 234: ...fies the URL of the target CRL Guidelines You must specify the URL of the target CRL when defining an HTTP enabled CRL Update Policy The CRL is stored in memory Consequently the CRL is lost after a system reboot Related Commands refresh Examples v Enters CRL mode to create the HTTP30 HTTP enabled CRL Update Policy The target CRL is retrieved from the specified URL crl HTTP30 http Entering CRL mode...

Page 235: ...specify a CA when defining an LDAP enabled CRL Update Policy The specified CRL is stored in memory Consequently the CRL is lost after a system reboot Related Commands bind dn bind pass refresh remote address Examples v Enters CRL Mode to create the LDAP1440 LDAP enabled CRL Update Policy The LDAP server is accessed with the account name of X and a password of 1PAss WorD The target certificate is i...

Page 236: ...uth Melbourne O VeriSign Australia Limited OU IT Department CN www verisign com au remote address ragnarok refresh 1440 v Enters CRL Mode to create the HTTP30 HTTP enabled CRL Update Policy The target CRL is retrieved from the specified URL and refreshed every half hour crl HTTP30 http Entering CRL mode for HTTP30 fetch URL http crl verisign com ATTClass1Individual crl refresh 30 remote address Sp...

Page 237: ...he name of an existing SSL Proxy Profile Guidelines The client SSL Proxy profile must be previously created with the sslproxy command The assigned SSL Proxy Profile enables CRL retrieval over a secure connection The SSL proxy profile specifies the SSL operational mode client and identifies the cryptographic resources key certificates and cipher list available to support the SSL connection Assignme...

Page 238: ...212 Command Reference ...

Page 239: ... the public cryptographic area takes the pubcert filename form v If stored in the private cryptographic area takes the filename form password password Specifies the plaintext password required to access the certificate file password alias password alias Specifies the alias for the encrypted password required to access the certificate file ignore expiration Specifies an optional keyword to allow th...

Page 240: ...tification Credentials consists of a certificate which contains a public key and the corresponding private key Use the certificate command in conjunction with the valcred command to create a Validation Credentials A Validation Credentials can be used but is not required during the SSL handshake procedure to authenticate the certificate that is received from the remote SSL peer The no certificate c...

Page 241: ...nearing its expiration date Examples v Enters Crypto Certificate Monitor configuration mode cert monitor Crypto Certificate Monitor configuration mode crl Creates a named CRL Certificate Revocation List Update Policy and enters CRL Mode Syntax crl name http ldap no crl Parameters name Specifies the name of the CRL update policy The name can contain a maximum of 32 characters For restrictions refer...

Page 242: ...t key name output file mechanism hsmkwk Parameters key name Identifies the names of the keys to include in the export package To specify more than one key use a space separated list cert name Identifies the names of the certificates to include in the export package To specify more than one certificate use a space separated list output file Identifies the name and location to store the export mecha...

Page 243: ...rd that was used to encrypt the input file This parameter is mutually exclusive to the password alias parameter password alias alias HSM appliances only Optionally specifies the password that was used to encrypt the input file This parameter is mutually exclusive to the password parameter mechanism hsmkwk HSM appliances only Optionally indicates that the imported material can be exported at a late...

Page 244: ...d across domains store Contains DataPower supplied processing resources such as style sheets schemas and authentication authorization files tasktemplates Contains Task Template files temporary Contains temporary files filename Specifies the name of the file to decrypt idcred name Specifies an existing alias for an Identification Credentials a matched public private key pair to identify the DataPow...

Page 245: ...le sheets schemas document encryption maps or XML mapping files logstore Contains logging files logtemp Contains active and rotated log files pubcert Contains well known for example VeriSign public certificate files sharedcert Contains private keys and certificates which are shared across domains store Contains DataPower supplied processing resources such as style sheets schemas and authentication...

Page 246: ...nd sskey commands to add specified keys to the Firewall Credentials and use the certificate command to add specified certificates to the list A Firewall Credentials can be assigned to DataPower services The Firewall Credentials provides a means to specify which keys and certificates are permitted with various cryptographic extension functions in support of service specific security activities In t...

Page 247: ... output file for example temporary source one that contains the key material After validating that the command created the file copy it to the destination HSM system 2 On the destination HSM system create an output file for example temporary destination two that uses the copied file for example temporary source one as the input file After validating that the command created the file copy it to the...

Page 248: ...sm reinit Examples v Deletes the bob key from the HSM hsm delete key bob hsm reinit HSM models Restores the HSM to its factory state Syntax hsm reinit Guidelines This command is available only on systems with an internal HSM CAUTION This command destroys all data stored on the HSM and restores the HSM to its factory state Related Commands hsm clone kwk hsm delete key Examples v Restores the HSM to...

Page 249: ...r reverse or two way proxy mode must be assigned an Identification Credentials with which to authenticate itself to a remote SSL client The SSL standard allows an SSL server to authenticate the remote client peer Consequently an SSL proxy operating as a SSL client in either forward or two way proxy mode can be assigned a set of identification credentials if the remote SSL server requires authentic...

Page 250: ...tain a maximum of 32 characters For restrictions refer to Object name conventions on page xxiv Guidelines A Kerberos KDC Server issues Kerberos tickets essentially a KDC is a database of all users within the Kerberos realm or administrative domain Each user entry in the database is called a principal and includes an associated encryption key derived from the user password Use the no kerberos kdc c...

Page 251: ...e v Deletes the Kerberos keytab object Inferno no kerberos keytab Inferno kerberos keytab Inferno deleted key Creates an alias for a private key stored on the appliance Syntax key key alias URL password password key key alias URL password alias password alias no key key alias Parameters key alias Specifies an alias for the stored private key The name can contain a maximum of 32 characters For rest...

Page 252: ...ncrypted password The encrypted password in turn is then 3DES decrypted with the locally generated host key to yield the plaintext password that opens and reads the key file Use the key command in conjunction with the certificate and idcred commands to create an Identification Credentials that consists of a certificate which contains a public key and the corresponding private key Use the no key co...

Page 253: ...ISO two character country identifier for the CSR L localityName locality Optionally specifies the city or town name for the CSR Use a text string up to 64 characters in length If the string contains spaces enclose in double quotation marks ST stateOrProvinceName state Optionally specifies the unabbreviated state or province name for the CSR Use a text string up to 64 characters in length If the st...

Page 254: ...onally specifies the password to 3DES encrypt the private key when it is saved to a file password alias alias Optionally specifies a password alias in an existing password map file This alias is used to 3DES decrypt the password using key name Optionally specifies an existing key object to sign the CSR and any self signed certificate that is generated The point of this parameter is to reissue a ne...

Page 255: ...csr The private key file is not password protected keygen C au L South Melbourne ST Victoria O DataPower Australia Ltd OU Customer Support CN www bob datapower com au v Generates a private key and CSR for the specified server with the following options The private key 2048 bits in length is saved as cert bob privkey pem The CSR is saved as temporary bob csr The private key file is password protect...

Page 256: ... file The password map and the host key are saved to separate files on the appliance The plaintext passwords are not stored in memory or committed to the flash You must ensure that synchronization is maintained between the startup configuration and the password map file You must use the password map command to generate aliases for and encrypt certificate or key passwords before using the certifica...

Page 257: ...p A password map already exists overwrite it with a new map y n n SSL Appending to current password map Please enter alias name and plaintext password pairs Leading and trailing white space is removed Enter a blank alias name to finish Alias name columbia Plaintext password Akiru Kurasawa Alias name SSL password map saved v Confirms addition to the Password map with the show password map command s...

Page 258: ...ng Optionally specifies a list of symmetric key encryption algorithms that are supported by this Crypto Profile Table 5 list the available keywords Table 5 Available algorithm keywords for the cipher string Algorithm keyword Meaning DEFAULT Default Includes all cipher suites except eNULL ciphers cipher suites that use DH authentication and all cipher suites that contain RC4 RSA and SSL version 2 c...

Page 259: ...her suites using FORTEZZA key exchange authentication encryption or all FORTEZZA algorithms Not implemented TLSv1 SSLv3 and SSLv2 TLS version 1 0 SSL version 3 0 and SSL version 2 0 cipher suites respectively DH Cipher suites using DH including anonymous DH ADH Anonymous DH cipher suites 3DES Cipher suites using triple DES DES Cipher suites using DES except triple DES RC4 Cipher suites using RC4 R...

Page 260: ...6 SSL options as string and hexadecimal representation String value Hexadecimal representation Description OpenSSL default 0x000FFFFF Default value Disable SSLv2 0x01000000 Disallows the use of SSL version 2 Disable SSLv3 0x02000000 Disallows the use of SSL version 3 Disable TLSv1 0x04000000 Disallows the use of TLS version 3 When using hexadecimal representation use a logical OR to modify the beh...

Page 261: ...al Crypto Profile remain available for use as do as the files that contain the actual certificates and private keys that are used to implement the Crypto Profile Related Commands certificate Crypto certificate Validation Credentials idcred sslproxy valcred Examples v Creates the Low Crypto Profile that uses the Identification Credentials certificate and private key aliased by XSSL 1 to identify th...

Page 262: ...le stored on the appliance Syntax sign URL idcred alias alg algorithm Parameters URL Identifies the local file to be signed and takes the directory filename format directory Must be one of the following directory specific keywords that reference specific directories audit Contains the audit log cert Contains domain specific private keys and certificates config Contains configuration scripts export...

Page 263: ...ore encrypting a file use the sign command to attach a digital signature to the file You can email an encrypted file with the send file command Related Commands validate Examples v Use S MIME to sign the FWSec 1 log file The uses S MIME to encrypt the signed file sign logtemp FWSec 1 idcred bob alg smime File FWSec 1 successfully signed encrypt logtemp FWSec 1 cert bob alg smime File FWSec 1 succe...

Page 264: ... that utilize plaintext unencrypted passwords the password argument is used to open and read the shared secret key file v In environments that utilize encrypted passwords the password alias argument is searched for in the password map file and its associated encrypted password is identified The encrypted password in turn is then 3DES decrypted using the locally generated host key to yield the plai...

Page 265: ... the public cryptographic area takes the pubcert filename form v If stored in the private cryptographic area takes the filename form Guidelines Assuming syntactical correctness testing a key or certificate file that does not require a password will succeed in all cases Note The test password map command cannot be used in a startup configuration If found the script ignores the command Related Comma...

Page 266: ... the certificate presented by an SSL server Validation of a server s certificate is not required by the SSL standard v A Validation Credentials is required by an SSL server only when it validates certificates presented by SSL clients Validation of SSL clients is not required by the SSL standard If you want the SSL service to validate received certificates v Use the valcred and certificate Validati...

Page 267: ... a directory on the appliance Refer to Directories on the appliance on page xxii for details filename Specifies the name of a file in the specified directory valcred name Specifies the name of a Validation Credentials a certificate list alg algorithm Identifies the signature method Guidelines The validation process attempts to validate the digital signature of the target document by iterating thro...

Page 268: ...242 Command Reference ...

Page 269: ...le of the associated crypto certificate object Disable of the crypto certificate object triggers disable of all Firewall Credential Lists Identification Credential Sets and Validation Credential Lists that use the expired certificate In turn crypto profiles that use disabled Identification Credential Sets and Validation Credential Lists are disabled leading to the disable of SSL Proxy Profiles dep...

Page 270: ...or v warning v notice v info The debug event is used for system troubleshooting and diagnostics Do not use the debug event in production environments Related Commands reminder Examples v Specifies that certificate expiration messages are logged as errors log level error poll Specifies the frequency with which the Certificate Monitor examines certificate object expiration dates Syntax poll frequenc...

Page 271: ...on window Use an integer in the range of 1 through 65535 Guidelines For example the value 21 specifies that all scanned certificate objects due to expire in 3 weeks or less generate a log entry at the priority specified by the log level command Related Commands log level poll Examples v Specifies that the Certificate Monitor begins issuing certificate expiration messages 21 days before certificate...

Page 272: ...246 Command Reference ...

Page 273: ...mode certificate Adds a certificate alias Syntax certificate alias Parameters alias Specifies the alias for the target certificate The target certificate must be previously created with the Crypto certificate command Guidelines Prior to adding a certificate alias to the Firewall Credentials list 1 Use the copy command or the WebGUI to transfer the actual certificate to the appliance 2 Use the Cryp...

Page 274: ...redentials Adds the key that is referenced by the alice 3 alias fwcred FWCred 1 Entering Firewall Credentials mode for FWCred 1 key alice 3 sskey Adds a shared secret key alias Syntax sskey alias Parameters alias Specifies the alias for the target shared secret key The target shared secret key must be previously created with the Crypto sskey command Guidelines Prior to adding a shared secret key a...

Page 275: ...the FWCred 1 Firewall Credentials Adds the shared secret key that is referenced by the ss bob alice alias fwcred FWCred 1 Entering Firewall Credentials mode for FWCred 1 sskey ss bob alice Chapter 13 Crypto Firewall Credentials configuration mode 249 ...

Page 276: ...250 Command Reference ...

Page 277: ...ntermediate CA or a root CA This mode is useful when you want to match the peer certificate exactly but that certificate is not a self signed root certificate pkix The complete certificate chain is checked from subject to root when using this Validation Credentials for certificate validation Validation succeeds only if the chain ends with a root certificate in the Validation Credentials Non root c...

Page 278: ...tes the certificate presented by the remote SSL server Authentication of the server s certificate is not required by the SSL standard v A Validation Credentials List is required by an SSL server only when it authenticates remote SSL clients Authentication of SSL clients is not required by the SSL standard Assignment of a Validation Credentials List to a Crypto Profile requires that SSL validates t...

Page 279: ...s noncritical certificate extension specifies how CRL information is obtained Refer to RFC 2527 Internet X 509 Public Key Infrastructure Certificate Policy and Certification Practices Framework and to RFC 3280 Internet X 509 Public Key Infrastructure Certificate and Certificate Revocation List CRL Profile for information on Certificate Policies Examples v Enters Validation Credentials Mode to crea...

Page 280: ...e default state Crypto Validation Credentials configuration mode no explicit policy initial policy set Identifies a Certificate Policy used by the current Validation Credentials List Syntax initial policy set identifier no initial policy set identifier Parameters identifier Specifies the unique object identifier for the certificate policy associated with the current Validation Credentials List Gui...

Page 281: ...tifiers by default the initial Certificate Policy Set consists of the single OID 2 5 29 32 0 identifying anyPolicy All members of the constructed set are used in certificate chain processing as described in Section 6 1 1 of RFC 3280 Use the no initial policy set command to remove a Certificate Policy from the Validation Credentials List Related Commands explicit policy inhibit anypolicy Examples v...

Page 282: ...configuration mode no require crl use crl Enables but does not require the use of Certificate Revocation Lists during certificate chain processing Syntax use crl no use crl Guidelines By default CRL usage is enabled when processing certificate chains Use the no use crl command to disable the use of Certificate Revocation Lists during certificate chain processing Related Commands crl Crypto require...

Page 283: ...tement Specifies a cumulative white list used as a pattern match in a deployment policy This PCRE statement represents the metadata whose values the deployment policy will match and then accept or allow into the appliance while searching the contents of the imported configuration file Accept clauses allow properties into the appliance The statement takes the following form address domain resource ...

Page 284: ...oad Balancer Group If this resource is part of the exported configuration package this resource is accepted during the import accept 10 10 10 1 8888 jets network loadbalancer group Name Cessnae filter Defines a filter clause Syntax filter statement Parameters statement Specifies a cumulative black list used as a pattern match in a deployment policy This PCRE statement represents the metadata whose...

Page 285: ...Guidelines The filter command defines a black list of metadata that is not accepted or disallowed into the appliance Related Commands import execute global Examples v Defines a filter clause for a deployment policy where the matching statement is made up of the 10 10 10 1 8888 IP address the jets domain the Cessnae Load Balancer Group If this resource is part of the exported configuration package ...

Page 286: ...uration property This property limits the match statement to resources of the specified property Value property value Optionally specifies the value for the configuration property This property limits the match statement to resources of the specified property PCRE documentation is available at the following web site http www pcre org add Indicates that the modify clause adds the identified propert...

Page 287: ...Summary BlueSkinners v Changes the value of the summary for the Turbotans host alias in the default domain to Turbotans5 during the import modify default network host alias Name Turbotans Property UserSummary Value BlueSkinners change Turbotans5 v Deletes the summary for the Turbotans host alias in the default domain during the import modify default network host alias Name Turbotans Property UserS...

Page 288: ...262 Command Reference ...

Page 289: ...he IP address or host name of the DNS server UDP port Optionally identifies the UDP port number that the target DNS server monitors Use an integer in the range of 0 through 65535 The default is 53 TCP port Optionally identifies the TCP port number that the target DNS server monitors Use an integer in the range of 0 through 65535 The default is 53 flags Optionally specifies protocol level DNS behav...

Page 290: ...e or more domain names that can be appended to a host name Use multiple search domain or ip domain commands to add more than one entry to the IP domain name table The appliance attempts to resolve a host name in conjunction with any domains identified by the search domain or ip domain commands The host name is resolved as soon as a match is found Use the no search domain command to delete an entry...

Page 291: ...ress of the host Specifies all hosts Guidelines Use the no static host command to remove the a specific host address map or all host address maps Related Commands ip host Examples v Maps IP address 10 10 10 168 to host loki static host loki 10 10 10 168 v Deletes the mapping between IP address 10 10 10 168 and host loki no static host loki v Deletes all entries from the host mapping table no stati...

Page 292: ...266 Command Reference ...

Page 293: ...ears specified documents from the document cache Syntax clear clear pattern Parameters pattern An shell style match pattern that identifies documents You can use wildcards to define a match pattern as follows The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single character The delimiters bracket a character or numeric r...

Page 294: ...mum cache capacity of 4 000 documents maxdocs 40000 Ok Document cache size is now limited to 4000 documents v policy Defines a Document Cache Policy Syntax policy pattern priority ttl policy pattern priority nocache no policy pattern Parameters pattern A shell style match pattern that identifies documents You can use wildcards to define a match pattern as follows The string wildcard matches 0 or m...

Page 295: ...f the document in the cache When this time expires the document is deleted from the cache Policy is set as follows v If the document does not contain a Data or Last Modified header do not cache the document v If the document contains a Vary header do not cache the document v If the document contains a Cache Control header HTTP 1 1 cache the document and use the contents of that field to determine ...

Page 296: ...xs dl 255 policy xml policy gif 1 v Removes the cache policy for XML schema files no policy xsd v Removes all cache policies no policy size Defines the size of the document cache Syntax size bytes Parameters bytes Specifies the size of the document cache in bytes The default is 0 Guidelines The appliance calculates a maximum cache size based on available memory Because the default is 0 you must si...

Page 297: ...document calls in the same transform return the same result However you can disable this behavior with the off keyword When disabled all document calls as independent of each other Examples v Disables static document calls static document calls off v Restores the default behavior by enabling static document calls static document calls on Chapter 17 Document Cache configuration mode 271 ...

Page 298: ...272 Command Reference ...

Page 299: ...ation mode namespace mapping Adds XML namespace data to the map Syntax namespace mapping prefix URI Parameters prefix Specifies the namespace prefix URI Specifies the location of the namespace Related Commands operation select Examples v Enters Document Crypto Map mode to create the DCM 1 Document Crypto Map Specifies the schema for SOAP 1 1 envelope namespace document crypto map DCM 1 New Documen...

Page 300: ...sion that identifies the target nodes Guidelines Document nodes that match the XPath expression are encrypted or decrypted depending on the value of the operation command Related Commands namespace mapping operation Examples v Specifies that all SSN nodes are subject to the cryptographic operation Because an operation is not specified the default encrypt operation is assumed document crypto map DC...

Page 301: ...rtup Indicates whether to send an error report on each firmware restart Syntax always on startup on off on Sends the report off Default Does not send the report email address Provides the email address to which to send error reports Syntax email address address Parameters address Specifies the full email address of the message recipient Related Commands location id mode remote address Examples v S...

Page 302: ...es wrap the value in double quotation marks Examples v Provides an identifying string location id South Campus Building 9 5th Floor remote address Identifies the remote SMTP server to which to send the failure notification Syntax remote address server Parameters server Identifies the remote SMTP server by name or by IP address Examples v Identifies the remote SMTP server remote address smtp TeraCo...

Page 303: ...artup configuration file Guidelines The boot config and boot image commands work in conjunction to define the restart process with boot config designating the startup configuration and boot image designating the appliance startup firmware image Note You can also use the Global write memory command in conjunction with the Global save config overwrite command to save the appliance running configurat...

Page 304: ... v Deletes the secondary install boot delete Previous firmware install deleted boot image Designates the startup firmware image Syntax boot image image Parameters image Specifies the name of the firmware image to restart the appliance Guidelines The boot image and boot config commands work in conjunction to define the restart process The boot image command designates the appliance startup image an...

Page 305: ...ete the secondary install keep in mind that its deletion will prevent firmware rollback as provided by the boot switch command Consequently deletion of the secondary install is not recommended Related Commands boot delete boot image Examples v Rollback failed because the secondary install has been deleted with the boot delete command boot switch Firmware roll back failed Switch active firmware fai...

Page 306: ...t config boot image shutdown Examples v Creates a new configuration jrb_03 cfg If it exists erases and opens the file boot update write jrb_03 cfg Enter startup commands one per line End with a period v Opens an existing configuration jrb_03 cfg to which commands will be appended boot update append jrb_01 cfg Enter startup commands one per line End with a period copy Copies a file to or from the D...

Page 307: ...in password Guidelines The copy command transfers files to or from the DataPower appliance You must issue this command from the appliance When the source file or target destination is remote to the appliance this command supports only the following protocols v HTTP v HTTPS v Secure Copy SCP v Secured File Transfer Protocol To send a file from the appliance as an email use the Global send file comm...

Page 308: ...TP to copy a file from the logstore directory to the specified remote target copy logstore Week1 log sftp jrb 10 10 1 159 LOGS x Week1 log Password yetanotherpassword file copy successful v Copies a file from the config directory to the local directory copy config startup config local startup config file copy successful 2347 bytes transferred delete Deletes a file from the flash Syntax delete url ...

Page 309: ...irectory on the appliance Refer to Directories on the appliance on page xxii for details Related Commands copy delete move Examples v Displays the contents of the config directory dir config File Name Last Modified Size unicenter cfg Mon Jul 9 11 09 36 2007 3411 autoconfig cfg Mon Jul 9 14 20 27 2007 20907 89 2 MB available to config v Displays the contents of the msgcat subdirectory of the config...

Page 310: ...ectory Specifies a directory on the appliance Refer to Directories on the appliance on page xxii for details filename Specifies the name of a file in the specified directory Guidelines You can use the move command to transfer a file to or from a directory However you cannot use the move command to copy a file from the private cryptographic area such as the cert directory Related Commands copy dele...

Page 311: ...e configuration refer to the IBM WebSphere DataPower SOA Appliances 9003 Installation Guide or to the IBM WebSphere DataPower SOA Appliances Type 9235 Installation Guide depending on your model type Related Commands boot delete Examples v Deletes all user files and data stored on the DataPower appliance and reboots the appliance reinitialize firmware scrypt2 WARNING all user data and files will be...

Page 312: ...restarts with the configuration and firmware image that were active when you invoke the shutdown command Related Commands boot config boot image Examples v Waits 10 seconds to shut down and restart the appliance shutdown reboot Reboot in 10 second s v Waits 20 seconds to restart the appliance shutdown reload 20 Reload in 20 second s v Waits 1 minute to shut down the appliance shutdown halt 60 Shut...

Page 313: ...ervals in milliseconds Use an integer in the range of 25 through 100000 The default is 60000 Guidelines The delay time command specifies the number of milliseconds to wait after the completion of one poll before starting the next interval This interval is not the polling interval The interval is the delay between polling intervals error delete Indicates whether to delete a file after a processing ...

Page 314: ...eria Syntax match pattern pattern Parameters pattern Specifies a PCRE to use as the match pattern to search the contents of the directory Guidelines The match pattern command specifies the PCRE used to match the contents of the directory being polled If there is file renaming or there is a response this PCRE must create PCRE back references using pairs For example if input files are NNNNNN input t...

Page 315: ...rial number of the DataPower appliance domain Specifies the domain of the polling object poller Specifies the name of the polling object timestamp Specifies the timestamp Note File renaming cannot be used with an FTP server that supports only 8 3 file names For example if the input files are NNNNNN input and you want to rename them to NNNNNN processing the match pattern would be 0 9 6 input and th...

Page 316: ... before processing a file that is already in the processing state Use an integer in the range of 0 through 1000 The default is 0 which disable this behavior Guidelines The processing seize timeout command allows failure handling of a poller when multiple data routers are polling the same target If another data router renames a file and does not process and rename or delete it within the specified ...

Page 317: ... name pattern command specifies the PCRE to use as the match pattern to build the name of the result file This PCRE will normally have a back reference to the base input file name For instance in input files are NNNNNN input and the desired result file name is NNNNNN result then the match pattern would be 0 9 6 input and the result pattern would be 1 result Some servers might allow this pattern to...

Page 318: ...n command specifies the PCRE to rename the input file on success This PCRE will normally have a back reference for the base input file name For instance in input files are NNNNNN input and the desired result file name is NNNNNN processed then the match pattern would be 0 9 6 input and the result pattern would be 1 processed Some servers might allow this pattern to indicate a path that puts the fil...

Page 319: ...th to the root directory ftp user password host port 2Fpath Do not configure one FTP poller to point at a host name that is the virtual name of a load balancer group This configuration is not the correct way to poll multiple hosts To poll multiple hosts use the same Multi Protocol Gateway and configure one FTP poller object for each real host xml manager Assigns an XML Manager Syntax xml managerna...

Page 320: ...294 Command Reference ...

Page 321: ...f the commands that are listed in Chapter 114 Monitoring commands on page 949 are also available in this configuration mode quoted command Adds an entry to the list of quoted FTP commands Syntax quoted command FTP command Parameters FTP command Specifies the FTP command to add to the list Guidelines Adds an FTP command to the end of the list of FTP commands to be sent by the FTP User Agent to an F...

Page 322: ...296 Command Reference ...

Page 323: ... ccc Controls the use of the FTP CCC command allow compression Controls the use of the FTP MODE Z command allow restart Controls the use of the FTP REST command allow unique filename Controls the use of the FTP STOU command certificate aaa policy Assigns an AAA Policy object that determines whether to require a password for secondary authentication data encryption Controls the use of encryption of...

Page 324: ... object specific comment unique filename prefix Specifies the prefix for the file name virtual directory Creates a directory in the virtual file system on the FTP server acl Assigns an Access Control List ACL Syntax acl name Parameters name Specifies the name of an existing Access Control List object Guidelines The acl command defines a reference to an existing Access Control List object The Acces...

Page 325: ...f the FTP control connection after user authentication If allowed the CCC command can be used to turn off encryption after authentication Turning off encryption is necessary when the FTP control connection crosses a firewall or NAT device that needs to sniff the control connection Turning off encryption eliminates the secrecy about the files being transferred and allows TCP packet injection attack...

Page 326: ...ransfer with the SIZE REST and STOR commands The argument to the REST command must be the same as the byte count returned by the SIZE command allow unique filename Controls the use of the FTP STOU command Syntax allow unique filename on on off Parameters on Permits the use of the STOU command off Default Denies the use of the STOU command Guidelines The allow unique filename command controls wheth...

Page 327: ...ways be required If the AUTH TLS command is not used by the FTP client USER and PASS will always be required data encryption Controls the use of encryption of data connections file transfers Syntax data encryption disallow allow require Parameters disallow Does not allow the FTP client to encrypt data connections allow Default Allows but does not require the FTP client to encrypt data connections ...

Page 328: ...eated by configuration The contents of this file system are shared by all FTP control connections to this FTP server with the same authenticated user identity The user identity is determined by the FTP user name and if used by the TLS SSL certificate The contents of this file system will persist for the duration defined by the persistent filesystem timeout after all FTP control connections end Thi...

Page 329: ...tual persistent and the response storage as defined by the response storage command is temporary Related Commands filesystem response storage idle timeout Specifies the inactivity duration of FTP control connections Syntax idle timeout seconds Parameters seconds Specifies the number of seconds that the FTP control connection can be idle The default is 0 which disables the timeout Guidelines The id...

Page 330: ... PASV command to open all data connections to the FTP server This mode is useful when the FTP server is behind a firewall device that requires clients to use passive mode Guidelines The passive command controls whether the FTP server allows does not allow or requires passive mode to be used by the FTP client When requiring passive mode the FTP client must use the FTP PASV command Without the use o...

Page 331: ...mode and when limiting port usage to a specific range In other words this command is relevant when both of the following conditions are met v The value of the passive command is any keyword except disallow v The value of the passive port range command is the keyword on Related Commands passive passive port range passive port max Sets the highest port value for the passive port range Syntax passive...

Page 332: ...limit the port range for passive connections Syntax passive port range on off Parameters on Enables the use of a limited port range off Default Disables the use of a limited port range Guidelines The passive port range controls whether to use a limited TCP port range for passive connections This command is useful when a firewall or proxy server want to allow incoming FTP data connections for a lim...

Page 333: ...assive command is any keyword except disallow Related Commands passive passive idle timeout passive port max passive port min persistent filesystem timeout Specifies the inactivity duration for a connection to a virtual persistent file system Syntax persistent filesystem timeout seconds Parameters seconds Specifies the inactivity duration in seconds Use an integer in the range of 1 through 43000 T...

Page 334: ...olicy succeeds an FTP client cannot perform any of the following FTP operations v Read files with the RETR command v Write files with the STOU command v Delete files with the DELE command v Take a directory with the NLST command or with the LIST command port Specifies the listening port Syntax port port Parameters port Specifies the TCP listening port for the service The default is 21 Guidelines T...

Page 335: ... Specifies the NFS mount in which to store response files Syntax response nfs mount name Parameters name Specifies the name of an existing NFS static mount Guidelines The response nfs mount command specifies the NFS static mount in which to store response files Each response file will have a unique file name in the NFS directory The name of the response file is not related to the file name that th...

Page 336: ...nt file system In virtual persistent file systems it is highly unlikely that there would be enough space Selecting nfs uses an NFS server to store these files which eliminates storage space constraints This command is relevant when response type is virtual filesystem Otherwise it is ignored Related Commands filesystem response nfs mount response type response suffix Specifies the suffix to add whe...

Page 337: ...r responses is configured on a per virtual directory basis The suffix specified by the response suffix command is added to the input file name The virtual directory command controls where the files are stored If ftp client is chosen the response is not made available using the FTP server The response is written using the FTP client The response is written to the URL specified by the response url c...

Page 338: ... to the server Guidelines The restart timeout command specifies the number of seconds that the FTP client has to reconnect to the server The FTP client needs to use SIZE REST and STOR commands to continue an interrupted file transfer If this period of time elapses the data that was received to this point on the TCP data connection will be passed to the DataPower service This timeout is canceled if...

Page 339: ...virtual directory path directory Parameters path Specifies the directory in the virtual file system of the FTP server where the FTP client can find this directory Use a regular expression in the form directory Specifies the directory in the virtual file system of the FTP server where the responses to files that are stored in this directory will go Use a regular expression in the form Guidelines Th...

Page 340: ...314 Command Reference ...

Page 341: ...ctory name Parameters name Specifies the name of the subdirectory Guidelines The directory command specifies the directory under which to make the files on the hard disk array available in the local and logstore directories in each application domain Examples v Makes the files on the hard disk array accessible in the local disk and logstore disk directories raid volume raid0 Hard Disk Array config...

Page 342: ...raid volume raid0 Hard Disk Array configuration mode read only v Makes the file system read write the default state raid volume raid0 Hard Disk Array configuration mode no read only 316 Command Reference ...

Page 343: ...49 are also available in Host Alias configuration mode ip address Creates an alias for an IP address on a Ethernet port Syntax ip address address Parameters address Specifies the IP address to map Guidelines The ip address commands creates an alias for a local IP address of the DataPower appliance Instead of providing the IP address you can specify this alias Examples v Creates the Ragnarok alias ...

Page 344: ...318 Command Reference ...

Page 345: ...andler commands Command Purpose acl Assigns an Access Control List object admin state Sets the administrative state of an object allowed features Specifies the methods and versions to allow in incoming HTTP requests compression Controls the negotiation of GZIP compression local address Specifies the local IP address for the service http client version Sets the HTTP version for the connection max h...

Page 346: ...ecifies the methods and versions to allow in incoming HTTP requests Syntax allowed features feature feature Parameters feature feature Specifies a list of features to allow in requests Concatenate features with the plus sign The following feature tokens are available v CmdExe v DELETE v DotDot v FragmentIdentifiers v GET v HEAD v HTTP 1 0 v HTTP 1 1 v OPTIONS v POST v PUT v QueryString v TRACE Gui...

Page 347: ...ifies the local address for the service Syntax local address address Parameters address Specifies the local IP address or host alias on which the service listens The default is 0 0 0 0 Guidelines The local address command specifies the local IP address on which the service listens The default of 0 0 0 0 indicates that the service is active on all IP addresses The use of a host aliases can help to ...

Page 348: ...mber of HTTP header to allow in incoming request messages Examples v Limits the number HTTP headers to 20 max header count 20 max header name len Specifies the maximum length of header names to allow Syntax max header name len bytes Parameters bytes Specifies the maximum length in bytes The default is 0 which indicates no limit Guidelines The max header name len command specifies the maximum lengt...

Page 349: ...n command to specify the maximum length of the name portion for HTTP headers Related Commands max header name len max querystring len Specifies the maximum length of the query string to allow Syntax max querystring len bytes Parameters bytes Specifies the maximum length in bytes The default is 0 which indicates no limit Guidelines The max querystring len command specifies the maximum length of the...

Page 350: ...ow Syntax max url len bytes Parameters bytes Specifies the maximum length in bytes Use an integer in the range of 1 through 128000 The default is 16384 Guidelines The max url len command specifies the maximum length of the URL to allow in request messages The URL includes the query string and fragment identifiers Examples v Limits the URL to 32000 bytes max url len 32000 persistent connections Con...

Page 351: ...if agreeable to the peer v When disabled the handler does not attempt to negotiate the establishment of persistent connections port Specifies the TCP listening port Syntax port port Parameters port Specifies the TCP listening port for the service The default is 80 Guidelines The port command specifies the port that is monitored by the DataPower service Chapter 26 HTTP Front Side Handler mode 325 ...

Page 352: ...326 Command Reference ...

Page 353: ...the input urlencoded Default URL unescapes then XML escapes the input xml Treats input literally no processing Related Commands rule Guidelines The input conversion map describes the way an incoming document is expected to be encoded For each input in a request the name is compared to the list of rules Each rule contains a regular expression and the resulting encoding The first matching regular ex...

Page 354: ...encoded For each input in a request the name is compared to the list of rules Each rule contains a regular expression and the resulting encoding The first matching regular expression indicates the encoding to be used for the input If no rules match the encoding specified by the default encoding property is used PCRE documentation is available at the following web site http www pcre org Examples v ...

Page 355: ...ice is optional If an ACL is assigned to the service only those IP addresses specifically allowed by the ACL can initiate access to the HTTP Service on the appliance if an ACL is not assigned access to the HTTP service on the appliance is unrestricted Related Commands acl Global allow ACL deny ACL identifier Specifies the contents of the Server response header field Syntax identifier string no ide...

Page 356: ...pecifies the IP address primary or secondary of a DataPower Ethernet interface 0 Indicates all DataPower Ethernet interfaces Guidelines In conjunction with the port command identifies the IP addresses and ports that the HTTP service monitors Related Commands port Examples v Specifies 10 10 13 35 23000 as the local IP address port that the current HTTP service monitor http telnet 1 Telnet Service c...

Page 357: ...Examples v Creates the echoServer loopback HTTP service that monitors port 8888 on all active Ethernet interfaces Creates two XSL Proxy services Proxy 1 and Proxy 2 with a remote address of 127 0 0 1 standard IP loopback address and port 8888 the echoServer loopback HTTP service httpserv echoServer New HTTP Service configuration mode echo ip address 0 port 8888 exit xslproxy Proxy 1 New XSL Proxy ...

Page 358: ...net 1 Telnet Service configuration mode ip address 10 10 13 35 port 23000 priority Assigns a service level priority Syntax priority low normal high Parameters low Receives below normal priority for scheduling or for resource allocation normal Default Receives normal priority for scheduling or for resource allocation high Receives above normal priority for scheduling or for resource allocation star...

Page 359: ...HTTP service displays the directory listing that is specified by the local directory command Related Commands local directory Examples v Specifies Welcome html as the start page start page Welcome html Chapter 28 HTTP Service configuration mode 333 ...

Page 360: ...334 Command Reference ...

Page 361: ...ommand Purpose acl Assigns an Access Control List object admin state Sets the administrative state of an object allowed features Specifies the methods and versions to allow in incoming HTTP requests compression Controls the negotiation of GZIP compression local address Specifies the local IP address for the service http client version Sets the HTTP version for the connection max header count Speci...

Page 362: ...ecifies the methods and versions to allow in incoming HTTP requests Syntax allowed features feature feature Parameters feature feature Specifies a list of features to allow in requests Concatenate features with the plus sign The following feature tokens are available v CmdExe v DELETE v DotDot v FragmentIdentifiers v GET v HEAD v HTTP 1 0 v HTTP 1 1 v OPTIONS v POST v PUT v QueryString v TRACE Gui...

Page 363: ...ifies the local address for the service Syntax local address address Parameters address Specifies the local IP address or host alias on which the service listens The default is 0 0 0 0 Guidelines The local address command specifies the local IP address on which the service listens The default of 0 0 0 0 indicates that the service is active on all IP addresses The use of a host aliases can help to ...

Page 364: ...mber of HTTP header to allow in incoming request messages Examples v Limits the number HTTP headers to 20 max header count 20 max header name len Specifies the maximum length of header names to allow Syntax max header name len bytes Parameters bytes Specifies the maximum length in bytes The default is 0 which indicates no limit Guidelines The max header name len command specifies the maximum lengt...

Page 365: ...n command to specify the maximum length of the name portion for HTTP headers Related Commands max header name len max querystring len Specifies the maximum length of the query string to allow Syntax max querystring len bytes Parameters bytes Specifies the maximum length in bytes The default is 0 which indicates no limit Guidelines The max querystring len command specifies the maximum length of the...

Page 366: ...ow Syntax max url len bytes Parameters bytes Specifies the maximum length in bytes Use an integer in the range of 1 through 128000 The default is 16384 Guidelines The max url len command specifies the maximum length of the URL to allow in request messages The URL includes the query string and fragment identifiers Examples v Limits the URL to 32000 bytes max url len 32000 persistent connections Con...

Page 367: ...stent connections port Specifies the TCP listening port Syntax port port Parameters port Specifies the TCP listening port for the service The default is 80 Guidelines The port command specifies the port that is monitored by the DataPower service ssl Assigns an SSL Proxy Profile object Syntax ssl name Parameters name Specifies the name of an existing SSL Proxy Profile Guidelines The ssl command ind...

Page 368: ...342 Command Reference ...

Page 369: ... Imports the configuration package when manually triggered The configuration is not marked external and can be saved to the startup configuration This behavior is equivalent to importing the configuration one time Guidelines The auto execute indicates whether to import the configuration package at startup or to import the configuration only when manually triggered When configuration data are marke...

Page 370: ...mmand Examples v Enter Import Configuration File configuration mode to create the Norwood configuration package and applies the existing Policy 3 Deployment policy on the package being imported import package Norwood New Import Configuration File configuration deployment policy Policy 3 source url http 10 10 10 10 import format Specifies the file format of the configuration package Syntax import f...

Page 371: ...ckage contains the same file Syntax overwrite files on off Parameters on Default Overwrites files of the same name off Does not import the file if a file of the same name exists Guidelines The overwrite files command indicates whether to overwrite files when the configuration package contains the same file If files in the configuration package overwrite files on the system a warning is written to ...

Page 372: ...og Related Commands destination domain overwrite files Examples v Specifies that existing objects in the destination domain are not overwritten by imported objects overwrite objects off source url Specifies the location of the Import Package Syntax source url URL Parameters URL Specifies the location of the Import Package Guidelines The import tool does not support SCP and SFTP URL protocols All o...

Page 373: ...ation is marked external and cannot be saved to the startup configuration This behavior is equivalent to always importing the configuration off Imports the configuration package when manually triggered The configuration is not marked external and can be saved to the startup configuration This behavior is equivalent to importing the configuration one time Guidelines The auto execute indicates wheth...

Page 374: ...ame when DNS services were previously enabled Guidelines The config url command specifies the location of a configuration file to include in another configuration file Examples v Specifies the location of a remote configuration file to include include config StdSvcProxy New Include Configuration File configuration config url scp jrb passWoRd baldar ibm com configs Proxy1 cfg v Specifies the locati...

Page 375: ...e local interface This command is meaningful only when auto execute is on Related Commands auto execute Examples v Specifies synchronous execution of the Include Configuration File include config StdSvcProxy New Include Configuration File configuration interface detection on Chapter 31 Include Configuration File configuration mode 349 ...

Page 376: ...350 Command Reference ...

Page 377: ...nterfaces provided by the current Ethernet port Syntax arp no arp Guidelines ARP is enabled by default on all IP interfaces Certain network topologies and load balancing configurations might require that you disable ARP If required use the no arp command to disable ARP on all IP interfaces supported by the current Ethernet port Use the arp command to restore default ARP processing Related Commands...

Page 378: ...ddress to be assigned to the current Ethernet port netmask Identifies the network portion of the interface address Can be expressed in CIDR slash format which is an integer that specifies the length of the network portion of the address or in dotted decimal format secondary Optionally identifies the address as a secondary address Guidelines After assigning an initial IP address referred to as the ...

Page 379: ...esses from Ethernet port 0 no ip address secondary ip default gateway Designates the system default gateway reachable from the current interface Syntax ip default gateway address no ip default gateway address Parameters address Specifies the IP address of the default gateway Guidelines Use the no ip default gateway command to delete the default gateway Related Commands show ip default gateway Exam...

Page 380: ...he default is 0 Guidelines Use the no ip route command to delete a static route Examples v Adds a static route subnet 10 10 10 224 reached via next hop router 192 168 1 100 to the routing table ip route 10 10 10 0 27 192 168 1 100 v Deletes the same static route subnet 10 10 10 224 reached via next hop router 192 168 1 100 from the routing table no ip route 10 10 10 0 27 192 168 1 100 mac address ...

Page 381: ...rnet interface On Type 9235 appliances you cannot change the operational mode associated with eth1 and eth2 Related Commands interface show interface mode Examples v Modifies the Ethernet 0 interface by placing it in 100baseTx full duplex mode interface eth0 Interface configuration mode eth0 config if eth0 mode 100baseTx FD Interface operational parameters set 100baseTx FD config if eth0 v Modifie...

Page 382: ...e a value in the range of 5 through 3600 The special value of 1 indicates that the packet capture completes when the maximum file size is reached or until you invoke the no packet capture kilobytes Specifies the maximum size in kilobytes of the packet capture file in kilobytes Use a value in the range of 10 through 50000 Guidelines Packet capture date is saved in a pcap format Use a utility such a...

Page 383: ...ll standby groups on the current interface no standby Parameters group number Specifies the number of the standby group Use a value in the range of 1 through 255 ip address Specifies the virtual IP address VIP to assign to the standby group Both interfaces must use the same VIP priority priority value Specifies the priority of the interface Use a value in the range of 0 through 255 The default is ...

Page 384: ...n this scenario assured failure protection is provided without the cost of idle standby interfaces Note In an active active topology the standby groups must be configured on different Ethernet ports To implement a failover configuration use the standby command to configure both active and standby interfaces 1 Assign both interfaces to the same group 2 Assign a priority to the standby interface 3 O...

Page 385: ...Assigns Ethernet 1 to standby group 7 in the standby role and specifies a VIP of 10 10 66 67 The priority value of 90 ensures that the interface is the standby member of the group Because it is the standby member it is not placed in preempt mode interface ethernet 0 Interface configuration mode ethernet 0 ip address 10 10 66 1 255 0 0 0 ip default gateway 10 20 1 1 standby 5 ip 10 10 66 66 standby...

Page 386: ...360 Command Reference ...

Page 387: ...apter 114 Monitoring commands on page 949 are also available in iSCSI CHAP configuration mode password Specifies the password for the CHAP user Syntax password password Parameters password Specifies the password for the CHAP user Guidelines The password command specifies the password for the CHAP user Examples v Sets Gerry as the user with the password BigSecret as the credentials for the CHAP 2 C...

Page 388: ...mples v Sets Gerry as the user with the password BigSecret as the credentials for the CHAP 2 CHAP iscsi chap CHAP 2 New iSCSI CHAP configuration mode username Gerry password BigSecret 362 Command Reference ...

Page 389: ...s that are listed in Chapter 114 Monitoring commands on page 949 are also available in iSCSI Host Bus Adapter configuration mode dhcp Indicates whether to use DHCP Syntax dhcp on off Parameters on Enables DHCP off Default Disables DHCP Guidelines The dhcp command specifies whether to use DHCP v When enabled values for the ip address and ip default gateway commands are ignored v When disabled defin...

Page 390: ...com example storage disk6 Balboa for iscsi 2 HBA iscsi hba iscsi 2 Modify iSCSI Host Bus Adapter configuration iname iqn 2001 04 com example storage disk6 Balboa ip address Specifies the IP address for the HBA Syntax ip address address Parameters address Specifies the IP address Guidelines The ip address command specifies the IP address for the HBA Use this command with the ip default gateway comm...

Page 391: ...the IP address of the default gateway for the HBA Use this command with the ip address command to define the network connection Do not use the ip address command or the ip default gateway command when dhcp is on Related Commands dhcp ip address Examples v Sets 10 10 10 44 as the IP address and 10 10 10 46 as the default gateway for the iscsi 2 HBA iscsi hba iscsi 2 Modify iSCSI Host Bus Adapter co...

Page 392: ...366 Command Reference ...

Page 393: ...Target configuration mode chap Assigns an iSCSI CHAP Syntax chap name Parameters name Specifies the name of the existing iSCSI CHAP Guidelines The chap command specifies the name of the existing iSCSI CHAP Examples v Assigns the CHAP 1 CHAP to the Target 1 iSCSI target iscsi target Target 1 NEW iSCSI Target configuration mode chap CHAP 1 hba Assigns an iSCSI HBA Syntax hba name hba iscsi1 iscsi2 P...

Page 394: ...me command identifies the remote iSCSI target by host name or IP address Examples v Identifies theTarget 3 iSCSI target with the 10 10 10 33 IP address iscsi target Target 3 New iSCSI Target configuration mode hostname 10 10 10 33 port Specifies the listening port Syntax port port Parameters port Specifies the listening port The default is 3260 Guidelines The port command specifies the listening p...

Page 395: ...t iqn 2001 04 com example iqn 2001 04 com example storage diskarrays sn a8675309 iqn 2001 04 com example storage tape1 sys1 xyz iqn 2001 04 com example storage disk2 sys1 xyz v To specify an EUI use the eui 02004567A425678D format Examples v Sets the target name using an IQN iscsi target Target 7 New iSCSI Target configuration mode target name iqn 2001 04 com example disk7 Balboa v Sets the target...

Page 396: ...370 Command Reference ...

Page 397: ...ry name Parameters name Specifies the name of the subdirectory Guidelines The directory command specifies the name of the directory under which to make the files on the iSCSI volume available in the local and logstore directories in each application domain Examples v Makes the files on the VOL1 iSCSI volume accessible in the local and logstore directories under the StoreDisk 1 subdirectory iscsi v...

Page 398: ...he iSCSI volume are read only or read write Examples v Sets the files on VOL3 to read only iscsi volume VOL3 New iSCSI Volume configuration mode read only on target Specifies the name of the iSCSI target to which to bind Syntax target name Parameters name Specifies the name of the iSCSI target Guidelines The target command specifies the name of the iSCSI target instance to which to bind the iSCSI ...

Page 399: ... are also available in Kerberos KDC Server configuration mode port Specifies the UDP or TCP port that the target Kerberos KDC server monitors Syntax port port Parameters port Identifies the listening port on the Kerberos server The default is 88 Related Commands server tcp Examples v Specifies port 8888 as the monitored port port 8888 realm Specifies the realm administrative domain to support Synt...

Page 400: ...p Examples v Identifies the Kerberos KDC Server by domain name server Furio v Identifies the Kerberos KDC Server by IP address server 192 168 12 12 tcp Enables the use of TCP as the transport layer protocol Syntax tcp no tcp Guidelines UDP is the default transport protocol to access the Kerberos KDC server Use the no tcp command to restore the default state which is to use UDP as the transport lay...

Page 401: ...timeout time Parameters time Specifies the maximum time to wait for a Kerberos KDC Server response Use an interval in the range of 1 through 60 The default is 5 Guidelines Only meaningful when the default UDP protocol is used to access the Kerberos KDC server Related Commands tcp Examples v Specifies a 7 second timeout value udp timeout 7 Chapter 37 Kerberos KDC Server configuration mode 375 ...

Page 402: ...376 Command Reference ...

Page 403: ...t Kerberos tickets Syntax filename URL Parameters URL Identities the fully qualified name of the keytab file in the cert directory Guidelines The filename command specifies the location of the keytab file The keytab file is Kerberos generated and must be uploaded to the cert directory on the appliance Examples v Identifies the KKTab keytab file in the cert directory filename cert KKTab use replay ...

Page 404: ...378 Command Reference ...

Page 405: ...ase dn command specifies the distinguished name DN relative to which the LDAP search is to be performed This value identifies the entry level of the tree used by the scope command Related Commands scope filter prefix Specifies the prefix of the LDAP filter expression Syntax filter prefix prefix Parameters prefix Specifies the prefix of the filter expression Guidelines The filter prefix command spe...

Page 406: ...er expression as defined in LDAP String Representations of Search Filters This string is added after the user name to construct the LDAP filter to search for the DN of the user If the prefix is mail and the user name is bob example com and the suffix is c US the LDAP search filter would be mail bob example com c US You must use the filter prefix to add the prefix string to the LDAP filter expressi...

Page 407: ...cope base one level subtree Parameters base Searches the entry level of the tree only one level Searches the entry level of the tree and any object that is one level below the input subtree Default Search the entry level of the tree and all of its descendents Guidelines The scope command indicates the depth of the LDAP search The entry level of the tree is defined by the base dn command Related Co...

Page 408: ...382 Command Reference ...

Page 409: ...rs first alive Uses the concept of a primary server and backup servers When the primary server is healthy all connections are forwarded to this server When the primary server is quarantined or convalescent connections are forwarded to backup servers The primary server is the first server in the members list hash Uses the IP address of the client or the value of an HTTP header as the basis for serv...

Page 410: ...weighted round robin damp Specifies the dampening period for a quarantined server Syntax damp interval Parameters interval Specifies the number of seconds that a server remains in an softdown state Use a value in the range of 1 through 86400 The default is 120 Guidelines The damp command specifies the dampening period for a member server The dampening period is the amount of time that a server is ...

Page 411: ...hether to perform the periodic health check on Enables the health check off Default Disables the health check URI When the check type is Standard specifies the non server file path portion of the target URI That is specify the URI to receive the client request that is generated by the rule The default is This URI is used with the specified remote port port Specify the port on the target server to ...

Page 412: ...XPath When the check type is Standard use with the filter argument to specify the XPath expression that must be found in a valid server response filter When the check type is Standard specifies the style sheet to filter the server response The default is the healthcheck xsl file in the store directory store healthcheck xsl This style sheet uses the specified XPath argument as input and scans the s...

Page 413: ...s Specifies the name or IP address of the server weight If the algorithm is weighted round robin only specifies the relative weight preference Use a value in the range of 1 through 65000 The default is 1 mapped port Specifies the member specific target port or retain the default value 0 to use the DataPower service defined port Use a value in the range of 0 through 65535 The default is 0 health po...

Page 414: ...ives 50 of requests B receives 30 of requests and C receives 20 of requests Related Commands algorithm health check Examples v Adds ragnarok datapower com with a weight of 5 to the Load Balancer Group server ragnarok datapower com 5 try every server Specifies the retry behavior for a failed attempt Syntax try every server on off Parameters on Sends the requests to each server until one responds or...

Page 415: ...e displayed in different colors off provides a monochrome display Guidelines Meaningful only when the logging type is console and otherwise unused archive mode Specifies an archival behavior for file based logs Syntax archive mode rotate upload Parameters rotate default Specifies that when a log file reaches its maximum size the log is rotated as specified by the rotate command upload Specifies th...

Page 416: ...he name of an existing log of any log type The name can contain a maximum of 32 characters For restrictions refer to Object name conventions on page xxiv email address Specifies the email address of a remote recipient of SMTP log messages Syntax e mail address string Parameters string Specifies the remote email address Guidelines The email address command is only used when the log type is smtp Rel...

Page 417: ...nally signed upon transmission Related Commands sign type event Adds an event class and a priority to the current log Syntax event event class priority Parameters event class Specifies the name of an event class a set of related events priority Identifies the event priority Guidelines Log priority is characterized in descending order of importance as emergency alert critic error warn notice info a...

Page 418: ... it is possible to create a log target that only collects log messages for a particular set of event codes for example Operational State down Use the View List of Event Codes from the WebGUI to view a list of all event codes Related Commands event filter Examples v Creates a file based log that contains only XML parser events type file event code 0x00030001 event code 0x00030002 event code 0x00030...

Page 419: ...sion period event filter Specifies an event code excluded from the current log Syntax event filter value Parameters value Specifies the hexadecimal value of the event code Guidelines Event filters provide for the exclusion of log message that contain specified event codes from the current log target Use the View List of Event Codes from the WebGUI to view a list of all event codes Related Commands...

Page 420: ...g subsystem off Default Suppresses log events triggered by the target itself but writes events that are generated by other log targets Guidelines The feedback detection command allows for the suppression of log events that are triggered by the log subsystem itself Log targets always suppress log events triggered by the target itself but write events that are generated by other log targets Under ce...

Page 421: ...of the interface over which log events are transmitted port is the optional UDP or TCP port number used to transmit log events For TCP the default is 25 For UDP the default is 514 Guidelines When the log type is smtp the use of the local address command is required For this log type identification of a TCP port is optional When the log type is syslog or syslog ng the use of the local address comma...

Page 422: ...recipient to identify this log Syntax local ident id Parameters id Identifies the current log Guidelines When the log type is smtp syslog or syslog ng the use of the local ident command is optional For all other log types it is not used Related Commands type nfs file Specifies the path to the mount file Syntax nfs file filename Parameters filename Specifies the path to the log file relative to the...

Page 423: ...ies the name of an existing object instance of the selected object type follow references Indicates whether to log messages for objects that the selected object instance references For example an XSL Proxy references an XML Manager object as well as many other objects on Logs messages for all objects that the selected object instance references off Default Logs messages for the selected object ins...

Page 424: ...r second Syntax rate limit seconds Parameters seconds Specifies the maximum number of transactions per second Use an integer in the range of 1 through 1000 The default is 100 Guidelines Meaningful when the log type is nfs smtp snmp soap syslog or syslog ng Otherwise it is not used Examples v Limits transactions to a maximum of 50 per second rate limit 50 remote address Specifies the destination ad...

Page 425: ... and the remote port commands to the values of a local SSL Proxy service on the appliance The local SSL Proxy service as defined by the Global sslforwarder command can then forward log messages over a secure connection to the remote server Related Commands archive mode load balancer group Global loadbalancer group XML Manager remote port sslforwarder Global type Examples v Specifies the address of...

Page 426: ...me for example specify file path The path in the URL resolves to file path Related Commands archive mode remote address type upload mode Examples v Specifies the remote directory for an uploaded log file that is relative to the user s home directory type file archive mode upload upload method sftp remote address 172 16 100 1 2121 remote directory logs v Specifies the remote directory for an upload...

Page 427: ...ing port on the remote server This command is relevant only when the log type as specified by the type command is smtp syslog or syslog ng Use the remote port command with the remote address command to define the destination of transmitted log messages You can use SSL to establish a secure connection to a remote server by setting the values of the remote server and the remote port commands to the ...

Page 428: ...file system and the model specific auxiliary data storage compact flash or hard disk array v The compact flash provides 512 MB of storage v The hard disk array provides 70 GB of storage Assuming a file name of CryptoLog and three rotations the directory that contains the log file can consist of up to the following four local files CryptoLog The current log file CryptoLog1 The log file that was mos...

Page 429: ...th the required keyword Guidelines The sign command is only used when the log type is file or smtp to enable S MIME Secure Multipurpose Internet Mail Extensions signing v When enabled and the log type is file the log is signed and optionally encrypted when the log is rotated or uploaded v When enabled and the log type is smtp each log entry is signed and optionally encrypted on transmission Relate...

Page 430: ...age v The hard disk array provides 70 GB of storage This command is only meaningful when the log type as specified by the type command is file Related Commands type smtp domain Specifies the fully qualified domain name of the SMTP client Syntax smtp domain domain Parameters domain Specifies the domain name of the SMTP client Guidelines The smtp domain command specifies the fully qualified domain n...

Page 431: ...oap specifies the version of SOAP for use by SOAP log targets Related Commands type ssl Assigns an SSL Proxy Profile for SOAP based log over HTTPS Syntax ssl name Parameters name Is an existing SSL Proxy Profile to use Guidelines Use the ssl command to assign an SSL proxy profile to use when target type is soap and URL uses HTTPS Related Commands type url suppression period Interval to suppress id...

Page 432: ...the logging model Syntax type cache console file nfs smtp snmp soap syslog syslog ng Parameters cache Writes log entries to system memory console Writes log entries to the console screen file Writes log entries to a file on the appliance nfs Writes log entries to a file on a remote NFS mount smtp Forwards log entries via email to a specified recipient snmp Forwards log entries as SNMP traps soap F...

Page 433: ... port commands to identify nonstandard source or destination ports the sender addr command to specify a pseudo recipient email address the local ident command to specify a local identifier the backup command to specify a backup log the format command to specify the log format and the sign and encrypt commands to sign and encrypt logs v For a SOAP based log you must use the url command to specify t...

Page 434: ...dress username and password and remote directory to upload a file based log to a remote storage site type file upload method sftp remote address 172 16 100 1 remote login jrb brj remote directory logs url Specifies the URL to which SOAP based log entries are posted Syntax url URL Parameters URL Identifies the destination to which SOAP based logs entries are sent Guidelines url is used only if the ...

Page 435: ... and most but not all of the commands that are listed in Chapter 114 Monitoring commands on page 949 are also available in Matching Rule configuration mode combine with or Indicates whether to combine the match criteria with OR semantics or with AND semantics Syntax combine with or on off Parameters on Uses OR semantics to evaluate the criteria Only a single match condition needs to be true for th...

Page 436: ...match HTTP headers Syntax httpmatch field pattern Parameters field Specifies an HTTP header as defined in sections 4 5 5 3 6 2 and 7 1 of RFC 2616 pattern Defines a match pattern that defines the value for the HTTP header Guidelines The httpmatch command adds a pattern to match HTTP headers To determine whether the pattern is a PCRE expression or shell style expression use the match with pcre comm...

Page 437: ... define a match pattern as follows The string wildcard matches 0 or more occurrences of any character For a PCRE expression use rather than to match any number of any characters The single character wildcard matches one occurrence of any single character The delimiter pair to bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y Related Commands errorcode httpmatch urlmat...

Page 438: ...rs Matching Rule configuration mode to create the Product Matching Rule Adds a pattern to match only candidate URLs that start with http www datapower com products followed by zero or more characters matching Product Matching configuration mode urlmatch http www datapower com products xpathmatch Adds an expression to match an XPath Syntax xpathmatch expression Parameters expression Specifies an XP...

Page 439: ...urces Specifies the number of distinct IP addresses to track Syntax distinct sources count Parameters count Specifies the maximum number of IP addresses to track The default is 10000 Guidelines The distinct sources command specifies the maximum number of IP addresses to track When too many distinct counts are observed the addresses not observed in the longest amount of time are discarded filter Sp...

Page 440: ... Related Commands measure message type show Message Count filters Examples v Defines the LogSquelch Message Count monitor If the Extranet message class exceeds 50 client requests the default counter per second implement the Squelch control procedure which logs an error and imposes a 2 5 second blackout on the Extranet message class monitor count LogSquelch Message count monitor Configuration mode ...

Page 441: ...itor count monitor1 error Indicates that the receipt of an HTTP error response increments the counter Processing the Error Rule can increment this counter Guidelines To activate a count monitor assign it to a DataPower service Related Commands filter message type Examples v Specifies that the LogSquelch monitor counter increments by a server responses from the target message class monitor count Lo...

Page 442: ...for all IP addresses up to 1000 within the range defined by the Message Matching ip command ip from header Specifies that IP source address monitoring and information gathering is individualized for all IP addresses up to 1000 within the range defined by the Message Matching ip command IP addresses are read from the Header field Guidelines The source command is used only if a traffic flow definiti...

Page 443: ...ment if the threshold value is exceeded Syntax filter name average threshold control procedure no filter name Parameters name Specifies the name of the filter The name can contain a maximum of 32 characters For restrictions refer to Object name conventions on page xxiv average Indicates a required keyword threshold Specifies the threshold processing interval in milliseconds Exceeding this value tr...

Page 444: ...quest and the transmission of the associated server response requests Specifies the time spent by the appliance in processing a client request that is the interval between the receipt of a client request and its transmission to the target server responses Specifies the time spent by the appliance in processing a server response that is the interval between the receipt of a server response and its ...

Page 445: ...onfiguration mode measure messages message type Specifies the target message class Syntax message type name Parameters name Specifies the name of the target message class that was configured with the message type Global command Guidelines You can assign only a single message class to an incremental monitor After completing the configuration of a duration monitor activate the monitor by assigning i...

Page 446: ...420 Command Reference ...

Page 447: ...114 Monitoring commands on page 949 are also available in Message Filter Action configuration mode block interval Specifies the time period during which a message class is denied service as a consequence of exceeding a configured threshold Syntax block interval milliseconds Parameters milliseconds Specifies the blackout in milliseconds Guidelines This command is meaningful only if the type command...

Page 448: ...et to notify otherwise it is optional Related Commands block interval type Examples v Enters Message Filter Action configuration mode to create the PaperTrail control procedure monitor action PaperTrail Message filter action Configuration mode v Defines the PaperTrail control procedure as being of the notify type Log a warning and take no further action type notify log priority warning type Specif...

Page 449: ...ream defined by the TFDef1 traffic flow definition for 2 seconds monitor action Squelch Message filter action Configuration mode type block block interval 2500 block messages TFDef1 log priority error exit v Enters Message Filter Action configuration mode to create the Restrain control procedure Defines the Restrain control procedure as being of the reject type Logs an error and reject drop the ov...

Page 450: ...424 Command Reference ...

Page 451: ... Specifies an HTTP header field and associated header field value to be included in the traffic flow definition Syntax http header field pattern no http header field Parameters field Identifies an HTTP header field as defined in sections 4 5 5 3 6 2 and 7 1 of RFC 2616 pattern Defines a shell style match pattern that defines the contents of the HTTP header field You can use wildcard characters whe...

Page 452: ...der exclude Specifies an HTTP header field and associated header field value to be excluded from the traffic flow definition Syntax http header exclude field pattern no http header exclude field Parameters field Identifies an HTTP header field as defined in sections 4 5 5 3 6 2 and 7 1 of RFC 2616 pattern Defines a shell style match pattern that defines the contents of the HTTP header field Guidel...

Page 453: ... IP address that with the prefix length defines a range of included IP addresses prefix length Defines a range of included IP addresses Use an integer in the range of 1 through 32 Guidelines A traffic flow definition can contain only a single ip command In the absence of an ip or ip exclude command source address is not considered when evaluating an individual message against a traffic flow defini...

Page 454: ...atching TFDef1 Message matching configuration mode ip exclude 10 10 1 0 24 method Specifies an HTTP method type to be included in the traffic flow definition Syntax method connect delete get head options post put trace Parameters connect delete get head options post put and trace Identifies keywords for the HTTP methods that are defined in RFC 2616 Guidelines A traffic flow definition may contain ...

Page 455: ...racket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y Guidelines A traffic flow definition can contain a single request url command In the absence of a request url command the target URL is not considered when evaluating an individual message against a traffic flow definition Examples v Creates the TFDef1 traffic flow definition Identifies all requests for XML documents in...

Page 456: ...430 Command Reference ...

Page 457: ...ode message matching Adds a traffic flow definition to a message class Syntax message matching name no message matching name Parameters name Specifies the name of a traffic flow definition previously created with the message matching Global command Guidelines You can add multiple traffic flow definitions to a message class Use the no message matching command to delete a traffic flow definition fro...

Page 458: ... message type Extranet Message type configuration mode no message matching TFDef2 432 Command Reference ...

Page 459: ...lt Adds the contentType attribute to the output message off Does not add the contentType attribute to the output message Guidelines The include content type command determines whether the processing of the MTOM policy adds the contentType attribute to output messages when the input message does not contain this attribute If the input message contains this attribute the MTOM policy passes through t...

Page 460: ...ng MIME attachment part will contain a content type header with this value If different content type values are required selective XPath expressions are required ID If not explicitly configured content identifiers are automatically generated Using this option allows for the explicit configuration of content id headers and associated href values Rules that match multiple data elements result in one...

Page 461: ...n attachments Syntax attachment byte count bytes Parameters bytes Specifies the maximum number of bytes allowed in any single attachment If this value is 0 no limit is enforced The default is 2000000000 Guidelines The attachment byte count command defines the maximum number of bytes to allow in a single attachment Attachments that exceed this size result in a failure of the entire transaction Only...

Page 462: ...ay they will override those on the XML Manager Syntax attribute count count Parameters count Specifies the maximum number of attribute elements allowed by the current Multi Protocol Gateway The default is 128 Related Commands element depth external references gateway parser limits max node size Examples v Sets the maximum number of attributes allowed to 512 attribute count 512 back attachment form...

Page 463: ...tion and the initiation of a new TCP transaction on the gateway to server connection If the specified idle timeout is exceeded the connection is torn down An idle TCP connection might remain in the idle state for as long as 20 seconds after the expiration of the inter transaction timer Related Commands back timeout front persistent timeout front timeout persistent connections back timeout Sets the...

Page 464: ...ad Balancer Group instead of the address port pair in the URL Guidelines HTTP and HTTPS The service uses the HTTP or HTTPS protocol to connect the host at the specified port The URL includes the URI The URL or URI might be rewritten by other configuration options With HTTPS the configured SSL Proxy handles the SSL security negotiation Related Commands type Examples v Sets the static backend URL to...

Page 465: ...l other HTTP 1 1 features that can be negotiated down at runtime if necessary you must know beforehand that the server you are communicating with is RFC 2616 compatible You might also consider leaving this property turned off and turning it on a per URL basis with the User Agent configuration Examples v Enables HTTP 1 1 chunked encoding and subsequently disable chunked encoding support thus restor...

Page 466: ...mples v Identifies http www space com wsnames as the default parameter namespace default param namespace http www space com wsnames element depth Defines the maximum depth of element nesting in the XML parser Syntax element depth depth Parameters depth Defines the maximum depth of element nesting in XML parser Defaults to 512 Guidelines The element depth command defines the maximum depth of elemen...

Page 467: ... definitions Examples v Specifies that the XML parser processes documents that contain external references but ignores such references external references ignore follow redirects Controls the resolution of redirects Syntax follow redirects on off Parameters on Default Resolves redirects off Disables the resolution of redirects Guidelines Some protocols generate redirects as part of the protocol fo...

Page 468: ...hat front end attachments are DIME encapsulated front attachment format dime front persistent timeout Sets the inter transaction timeout between the completion of a TCP transaction and the initiation of a new one on the gateway to client connection Syntax front persistent timeout timerValue Parameters timerValue Specifies the maximum inter transaction idle time in seconds Use an integer in the ran...

Page 469: ...ing the source http source https or source raw Global command Examples v Creates the httpHandler Front Side Protocol Handler and assigns the local address of 10 10 12 10 and port of 16000 Assigns the handler to the schemafilter Multi Protocol Gateway source http httpHandler HTTP Front Side Handler configuration mode local address 10 10 12 10 port 16000 exit mpgw schemafilter Multi Protocol Gateway...

Page 470: ...edentials List If not specified all locally stored keys and certificates are available Guidelines The fwcred command assigns a Firewall Credentials list to the current Multi Protocol Gateway A Firewall Credentials list specifies which keys and certificates are available to support gateway processing Related Commands fwcred Crypto Examples v Assigns the standardCreds Firewall Credentials List to th...

Page 471: ...ations for the current Multi Protocol Gateway The Multi Protocol Gateway inherits parser limits if any from the assigned XML Manager no gateway parser limits host rewriting Controls host rewriting Syntax host rewriting on off Parameters on Enables host rewriting off Disables host rewriting Related Commands urlrewrite policy propagate uri Guidelines Some protocols have distinct name based elements ...

Page 472: ...ing Use the no http client ip label command to disable the reading of the HTTP header to identify the IP address of the calling client Examples v Disables the reading of the HTTP header to identify the IP address of the calling client Subsequently enables this function to read the IP address from the X Forwarded For HTTP header for monitoring and logging no http client ip label http client ip labe...

Page 473: ... text xml Examples v Enables the inclusion of content type encoding and subsequently disables such inclusion which restores the default state include content type encoding on include content type encoding off inject Injects proprietary HTTP header fields into the packet stream between the current Multi Protocol Gateway and an HTTP client or server Syntax inject front back header value no inject fr...

Page 474: ...of the HTTP header Guidelines The load balancer hash header command identifies the HTTP header to use for calculating the hash for load balancing traffic to the backend servers v When defined the hash algorithm uses the value of the identified HTTP header v When not defined the hash algorithm uses the IP address of the client This command is relevant only when the value defined by the algorithm co...

Page 475: ...ak Use the loop detection command to specify if the Multi Protocol Gateway assists in loop detection within the network Related Commands inject suppress Guidelines When enabled the Multi Protocol Gateway inserts a Via HTTP header that contains the gateway name in the HTTP transmission Examples v Enables loop detection and subsequently disables it which restores the default state loop detection on ...

Page 476: ...headers Controls MIME multipart messages sent over HTTP in server responses Syntax mime back headers on off Parameters on Default Enables the ability to handle MIME package headers in the HTTP body of messages that are received from a server off Disables the ability to handle MIME package headers in the HTTP body of messages that are received from a server Guidelines The body of a message that is ...

Page 477: ... body of messages that are received from a client off Disables the ability to handle MIME package headers in the HTTP body of messages that are received from a client Guidelines The body of a message that is the payload independent of any protocol headers can sometimes contain MIME headers before any preamble and before the first MIME boundary contained in the body of the message These MIME header...

Page 478: ... current Multi Protocol Gateway Count Monitors watch for defined messaging events and increment counters each time the event occurs When a certain threshold is reached the monitor can either post a notification to a log or block service for a configured amount of time Use the no monitor count command to remote the assignment of a Count monitor from a Multi Protocol Gateway Related Commands monitor...

Page 479: ...s v Assigns the mpgwDuration Duration Monitor to the current Multi Protocol Gateway monitor duration mpgwDuration v Removes the mpgwDuration Duration Monitor no monitor duration mpgwDuration monitor processing policy Sets the behavior when a service has multiple monitors Syntax monitor processing policy terminate at first throttle terminate at first match Parameters terminate at first throttle Def...

Page 480: ...itors watch Web Services endpoints A Service Level Monitor collects statistics establishes count and duration monitors and can take action when thresholds are met or exceeded Use the no monitor service command to remove the monitor from the Multi Protocol Gateway assignment Related Commands monitor count Global monitor duration Global Examples v Assigns the mpgwSLM Service Level Monitor to the cur...

Page 481: ...ry param namespace Examples v Makes two parameter value pairs available to the current Multi Protocol Gateway The default parameter namespace is used parameter recipient ALICE parameter type content v Makes a single parameter value pair available to the current Multi Protocol Gateway http www example com designates the parameter namespace parameter foobar value v Makes a single parameter value pai...

Page 482: ... the default state persistent connections off persistent connections on priority Assigns a service level priority Syntax priority low normal high Parameters low Receives below normal priority for scheduling or for resource allocation normal Default Receives normal priority for scheduling or for resource allocation high Receives above normal priority for scheduling or for resource allocation proces...

Page 483: ...use a dynamic backend and dynamic routing is set with a route with style sheet route action action in the processing policy In this case use the dp set target extension element to define that target backend server For the other dynamic routing options that are available with the route action and route set actions the URI is absolute When enabled the service rewrites the URI of the backend URL to t...

Page 484: ...ywords to indicate the processing mode for SOAP attachments allow Allows messages that contain attachments and processes needed attachments Needed attachments are buffered but attachments that are not needed might be streamed directly to output Attachments are buffered when an action in the processing rule requests any of the following v Needed attachments v All attachments in the package before t...

Page 485: ...terrelated body parts and is the mechanism that is used to support the bundling of attachments in a SOAP message package which is commonly referred to as a SOAP with Attachments message Meaningful only if the value of the request type command is soap Related Commands request type Examples v Provides full SOAP with Attachments support request attachments allow v Provides partial SOAP with Attachmen...

Page 486: ...when an action in the processing rule requests any of the following v Needed attachments v All attachments in the package before the needed attachment v All attachments in the package for a needed manifest v All attachments in the package if the package does not contain the needed attachment reject Rejects messages that contain attachments strip Default Removes attachments from the message before ...

Page 487: ...s support request attachments allow v Provides partial SOAP with Attachments support request attachments streaming response type Characterizes the server originated traffic stream Syntax response type preprocessed xml soap unprocessed Parameters preprocessed Characterizes the server originated traffic stream as non XML traffic that is not transformed by the Multi Protocol Gateway The Multi Protoco...

Page 488: ...s after the root will be streamed from the network Guidelines When streaming MIME messages specifies the action to take when the root part is not the first part of the message If the root part must be first for example to do conformance checking and the action is set to process in order the attachments up to the root will be buffered This command is meaningful only when the value of either the req...

Page 489: ...name Specifies the name of an existing SSL Proxy Profile If not specified the Multi Protocol Gateway and server exchanges are accomplished over a nonsecure connection Guidelines An SSL Proxy Profile specifies the SSL operational mode client server or two way and identifies the cryptographic resources key certificates and cipher lists available to the SSL proxy The SSL Proxy Profile must have previ...

Page 490: ... Commands stream output to front Examples v Changes the default to stream output to the backend server until an infraction is encountered stream until infraction stream output to front Determines whether or not the Multi Protocol Gateway will begin sending output to the client before all processing of the message completes Syntax stream output to front buffer until verification stream until infrac...

Page 491: ...cify a Processing Policy when configuring a Multi Protocol Gateway Related Commands xml manager Examples v Assigns the highRoad Stylesheet Policy to the current Multi Protocol Gateway stylesheet policy highRoad suppress Deletes standard HTTP header fields from the packet stream Syntax suppress front back header no suppress front back header Parameters front Indicates the packet stream between a Mu...

Page 492: ...rotocol Gateway type Syntax type dynamic backend static backend Parameters dynamic backend Sets the gateway type to dynamic The address of the target server is dynamically extracted from the client request using the dp set target or dp xset target extension elements static backend Default Sets the gateway type to static Use the backend url command to set a static backend destination Related Comman...

Page 493: ...inal client Syntax wsa back protocol frontSideProtocolHandler Parameters frontSideProtocolHandler Specifies the name of an existing Front Side Protocol Handler Guidelines The wsa back protocol command is relevant when the DataPower service provides asynchronous service the wsa genstyle command is async In these topologies this command specifies the Front Side Protocol Handler to receive the asynch...

Page 494: ... message to include a FaultTo element This element contains the value specified by the faultURL argument If a default recipient endpoint of fault messages is not explicitly identified by this command the DataPower service provides the following default value http schemas xmlsoap org ws 2004 08 addressing role anonymous Related Commands wsa mode Examples v Specifies http www datapower com cs intern...

Page 495: ...a mode Examples v Specifies http www customer com PO inventoryReq as the default message recipient wsa default replyto http www customer com PO inventoryReq wsa faultto rewrite Assigns or removes a URL Rewrite Policy that rewrites the contents of the Web Services Addressing WS Addressing FaultTo element Syntax Assign a URL Rewrite Policy wsa faultto rewrite urlRewritePolicy Removes a URL Rewrite P...

Page 496: ...ix of messages that use the WS Addressing format and the traditional format Use this command to ensure that all messages use WS Addressing By default wsa force is disabled When disabled the DataPower service supports of mix of addressing styles When enabled the DataPower service converts traditionally addressed messages to the WS Addressing format by adding the reply to and fault to headers to the...

Page 497: ...used by the DataPower service to convey the client request Guidelines If the request response transmission model is async use the wsa back protocol command to identify the Front Side Protocol Handler to convey asynchronous server responses to the original requesting clients For the asynchronous model use the wsa timeout command to specify the maximum time allowed for a server response If the reque...

Page 498: ...taPower service will use traditional addressing sync2wsa Specifies that the DataPower service is mediating between hosts that employ traditional addressing and servers that support WS Addressing wsa2sync Specifies that the DataPower service is mediating between hosts that support WS Addressing and servers that employ traditional addressing wsa2wsa Specifies that the DataPower service is mediating ...

Page 499: ...ion variety A synchronous response is received over the same connection that carried the client request to the server An asynchronous response is received over a different connection that carried the client request to the server and requires the DataPower service to maintain state information associating the received response with an outstanding request v When operating in wsa2wsa mode the DataPow...

Page 500: ...icy Guidelines The wsa replyto rewrite command is relevant when the DataPower service provides service for WS Addressing client users the wsa mode command is wsa2sync or wsa2wsa In these topologies this command modifies the contents of an incoming ReplyTo element This element identifies the recipient endpoint of response messages Related Commands absolute rewrite urlrewrite wsa mode wsa faultto re...

Page 501: ...of WS Addressing sequences Changing the default value can break interoperability Related Commands wsa force wsa mode Examples v Changes the default state Retains all WS Addressing headers contained in incoming messages wsa strip headers off or no wsa strip headers v Restores the default state Deletes all WS Addressing headers contained in incoming messages wsa strip headers on or wsa strip headers...

Page 502: ...ement Syntax wsa to rewrite urlRewritePolicy no wsa to rewrite Parameters urlRewritePolicy Specifies the name of an existing URL Rewrite Policy Guidelines The wsa to rewrite command modifies the contents of an incoming To element that identifies the message destination This command is relevant when the DataPower service provides service for clients that support WS Addressing formats In these cases...

Page 503: ... be the same one that is used in later processing by the request or response rule The results are cached so it is not evaluated again While this is focused on protecting the Reliable Messaging control messages such as CreateSequence and TerminateSequence it is also run on incoming Reliable Messaging data messages with a Sequence header This prevents unauthorized clients from using system resources...

Page 504: ...essaging in CreateSequence SOAP requests If the request includes an offer the creation of a Reliable Messaging destination creates a Reliable Messaging source to send responses to the client Related Commands wsrm wsrm source exponential backoff wsrm source inactivity close interval wsrm source maximum queue length wsrm source request ack count wsrm source retransmission interval wsrm source retran...

Page 505: ...he Reliable Messaging queue beyond a gap in the received sequence numbers This property controls memory utilization Related Commands wsrm wsrm destination inorder wsrm destination maximum sequences Sets a limit on the maximum number of simultaneously active sequences to Reliable Messaging destinations Syntax wsrm destination maximum sequences maximumSequences Parameters maximumSequences Specifies ...

Page 506: ...rce Indicates whether to require Reliable Messaging for all SOAP messages that response rules process Syntax wsrm response force on off Parameters on Requires Reliable Messaging for all responses off Default Does not require Reliable Messaging for all responses Guidelines The wsrm response force command indicates whether to require the use of Reliable Messaging for all SOAP messages that response ...

Page 507: ...ng Front Side Protocol Handler Guidelines The wsrm source back acks to command identifies the Front Side Protocol Handler to receive the asynchronous Reliable Messaging SequenceAcknowledgement SOAP responses from the server The Front Side Protocol Handler must be associated with the same DataPower service where the corresponding Reliable Messaging sequence is occurring This property controls wheth...

Page 508: ...andler to receive response for the client Syntax wsrm source front acks to handler Parameters handler Specifies the name of an existing Front Side Protocol Handler Guidelines The wsrm source front acks to command identifies the Front Side Protocol Handler to receive the asynchronous Reliable Messaging SequenceAcknowledgement SOAP responses from the client The Front Side Protocol Handler must be as...

Page 509: ... wsrm source inactivity close interval command specifies the duration in second that a Reliable Messaging source waits for an another message to be sent before closing the sequence by sending a CloseSequence SOAP message Related Commands wsrm wsrm destination accept offers wsrm source request create sequence wsrm source response create sequence wsrm source make offer Indicates whether to include a...

Page 510: ...ck messages This property controls memory utilization Related Commands wsrm wsrm destination accept offers wsrm source request create sequence wsrm source response create sequence wsrm source maximum sequences Sets the limit of simultaneous active sequences Syntax wsrm source maximum sequences limit Parameters limit Specifies the number of simultaneous active sequence Use an integer in the range o...

Page 511: ... on Creates a Reliable Messaging source off Default Does not create a Reliable Messaging source Guidelines The wsrm source request create sequence command indicates whether to create a Reliable Messaging source from the backend to the server when there is SOAP data to sent to the server and when there is no Reliable Messaging source that was created by a MakeOffer from the server The Reliable Mess...

Page 512: ...e retransmit count wsrm source retransmission interval Specifies the duration that a source waits Syntax wsrm source retransmission interval interval Parameters interval Specifies the duration in milliseconds Use an integer in the range of 10 through 60000 The default is 2000 Guidelines The wsrm source retransmission interval command specifies the duration in milliseconds that a Reliable Messaging...

Page 513: ...ages and sequence messages are bound to the original SSL TLS session that is created by the Reliable Messaging source to transmit the CreateSequence control message Sequence messages that are received by the Reliable Messaging destination with the correct identifier but on a different SSL TLS session are rejected The lifetime of a SSL TLS protected sequence is bound by the lifetime of the SSL TLS ...

Page 514: ...create a new Manager Then use this command to associate it with the current Multi Protocol Gateway Related Commands stylesheet policy xml manager Global Examples v Assigns the mgr1 XML Manager to the current Multi Protocol Gateway xml manager mgr1 488 Command Reference ...

Page 515: ...ets the time interval between ARP retries Syntax arp interval interval Parameters interval Specifies the amount of time in milliseconds to wait before retrying a failed ARP request Use an integer in the range of 10 through 5000 The default is 50 Related Commands arp retries Examples v Sets the arp interval to 100 milliseconds arp interval 100 arp retries Sets the number of times the networking sys...

Page 516: ... of the service that generated the response If the service is bound to a single address responses are routed using the interface that is assigned to that address If the service is bound to more than one address a configuration of 0 0 0 0 responses are routed using the interface that received the original client request not the interface that is bound to the service that generated the response Rela...

Page 517: ...o accept a packet disable interface isolation on ecn disable Turn on or off ECN capable TCP sessions Syntax ecn disable on off Parameters on Stops the generation of ECN capable TCP sessions off Default Generates ECN capable TCP sessions Examples v Stops the networking system from generating ECN enabled TCP sessions ecn disable on icmp disable Disables the generation of a specific Internet Control ...

Page 518: ...f the packet off Allows only the interface bound to the destination address to accept the packet Guidelines As a security policy the interface that receives a network packet must also be configured with the IP address that is the destination address of the packet Enabling this option relaxes that restriction Relax interface isolation if destination routing is enabled Related Commands destination r...

Page 519: ... of times the local system attempt send a TCP SYN that receives no response Use an integer in the range of 1 through 32 The default is 5 Examples v Sets the retry limit to 10 tcp retries 10 Chapter 50 Network Settings configuration mode 493 ...

Page 520: ...494 Command Reference ...

Page 521: ...es The kerberos keytab command is meaningful only when the authentication method for NFS mount uses Kerberos A keytab or key table is an unencrypted file that contains a list of Kerberos principals and their passwords Use the Crypto kerberos keytab command to create a Kerberos keytab object Related Commands authenticate NFS Dynamic Mounts authenticate NFS Static Mounts kerberos keytab Crypto mount...

Page 522: ...Related Commands mount timeout NFS Dynamic Mounts nfs dynamic mounts NFS Dynamic Mounts nfs static mount NFS Static Mounts show NFS Client Settings Examples v Enters NFS Client Settings configuration mode to specify a 15 second interval between NFS mount maintenance rounds and return to Global configuration mode after saving configuration changes NFS Client Settings Modify NFS Client Settings conf...

Page 523: ...pecifies the authentication version to use on the Kerberos credentials that are stored on the appliance This authentication method includes a secure hash function to protect the data from being changed by the network krb5p Specifies the authentication version to use on the Kerberos credentials that are stored on the appliance This authentication method includes a secure hash function to protect th...

Page 524: ...essed in seconds that the appliance allows for the completion of an NFS mount Use an integer in the range of 10 through 240 The default is 30 Guidelines Failure to complete the NFS mount process within the period specified by this timer results in a file open error and the cancellation of the NFS mount process This timer should be set to a value greater than the interval between NFS maintenance ro...

Page 525: ...ite error is declared The timeo command provides a base value to determine the interval between the RPC time out and the subsequent retransmission attempt For example assuming default values 3 for retrans and 0 7 seconds for timeo RPC time outs are dealt with as follows 1 In response to the first RPC time out the appliance waits 0 7 seconds and then retransmits 2 In response to the second RPC time...

Page 526: ...he number of RPC minor time outs that are tolerated per NFS transaction before an NFS read or write error is declared The timeo command provides a base value to determine the interval between the RPC time out and the subsequent retransmission attempt For example assuming default values 3 for retrans and 0 7 seconds for timeo RPC time outs are dealt with as follows 1 In response to the first RPC ti...

Page 527: ... and it is not available on the NFS server UDP will be used instead v For NFS version 4 this property is ignored NFS version 4 only supports TCP Related Commands rsize wsize version Identifies the preferred protocol version Syntax version 2 3 4 Parameters 2 Specifies NFS version 2 3 Default Specifies NFS version 3 4 Specifies NFS version 4 Guidelines The version command specifies the preferred NFS...

Page 528: ...mode Sets the mount time out to 1 minute Sets the mount inactivity timer to 3 minutes Sets the read and write request sizes to 8192 bytes Sets the maximum number of RPC time outs per NFS transaction to 4 Sets the initial retransmission interval to 0 5 seconds Default values are retained for the transport layer protocol TCP the NFS version 3 and the mount type read write nfs dynamic mounts Modify N...

Page 529: ...iseconds after the completion of one poll interval and the start of the next interval Use an integer in the range 25 through 100000 The default is 60000 1 minute Guidelines The delay time command specifies the number of milliseconds to wait after the completion of one poll before starting the next interval This interval is not the polling interval It is the delay between polling intervals error de...

Page 530: ...tch pattern Specifies the file name pattern for the search criteria Syntax match pattern pattern Parameters pattern Defines a PCRE to use as the match pattern to search the contents of the directory Guidelines The match pattern command specifies the PCRE used to match the contents of the directory being polled If there is file renaming or there is a response this PCRE must create PCRE back referen...

Page 531: ...serial The serial number of the configured DataPower appliance domain The domain of the polling object poller The name of the polling object timestamp The timestamp Note File renaming cannot be used with an FTP server that supports only 8 3 file names For example if the input files are NNNNNN input and you want to rename them to NNNNNN processing the match pattern would be 0 9 6 input and the rena...

Page 532: ...ng state Syntax processing seize timeout timeout Parameters timeout Specifies the number of seconds to wait before processing a file that is already in the processing state Use an integer in the range of 0 through 1000 The default is 0 Guidelines The processing seize timeout command allows failure handling of a poller when multiple data routers are polling the same target If another data router re...

Page 533: ...ines the PCRE to use as the match pattern to build the name of the response file Guidelines The result name pattern command specifies the PCRE to use as the match pattern to build the name of the result file This PCRE will normally have a back reference to the base input file name For instance in input files are NNNNNN input and the desired result file name is NNNNNN result then the match pattern ...

Page 534: ...lines The success rename pattern command specifies the PCRE to rename the input file on success This PCRE will normally have a back reference for the base input file name For instance in input files are NNNNNN input and the desired result file name is NNNNNN processed then the match pattern would be 0 9 6 input and the result pattern would be 1 processed Some servers might allow this pattern to in...

Page 535: ...nt name path Do not configure one NFS poller to point at a host name that is the virtual name of a load balancer group This configuration is not the correct way to poll multiple hosts To poll multiple hosts use the same Multi Protocol Gateway and configure one NFS poller object for each real host xml manager Assigns an XML Manager Syntax xml managername Parameters name Specifies the name of the XM...

Page 536: ...510 Command Reference ...

Page 537: ... Specifies the authentication version to use on the Kerberos credentials that are stored on the appliance This authentication method includes a secure hash function to protect the data from being changed by the network krb5p Specifies the authentication version to use on the Kerberos credentials that are stored on the appliance This authentication method includes a secure hash function to protect ...

Page 538: ...read only This setting allows only file read operations on NFS mounts By default NFS mounts are read write file access When mounting the same NFS version 4 mount point in different domains the first mount sets file access privileges For example if domain A mounts host foo as read only access and then domain B mounts host foo as read write access both mounts are read only Alternatively use the no r...

Page 539: ...e number of RPC minor time outs that are tolerated per NFS transaction before an NFS read or write error is declared The timeo command provides a base value to determine the interval between the RPC time out and the subsequent retransmission attempt For example assuming default values 3 for retrans and 0 7 seconds for timeo RPC time outs are dealt with as follows 1 In response to the first RPC tim...

Page 540: ...ommand specifies the number of RPC minor time outs that are tolerated per NFS transaction before an NFS read or write error is declared The timeo command provides a base value to determine the interval between the RPC time out and the subsequent retransmission attempt For example assuming default values 3 for retrans and 0 7 seconds for timeo RPC time outs are dealt with as follows 1 In response t...

Page 541: ... is selected and it is not available on the NFS server UDP will be used instead v For NFS version 4 this property is ignored NFS version 4 only supports TCP Related Commands rsize wsize version Identifies the preferred protocol version Syntax version 2 3 4 Parameters 2 Specifies NFS version 2 3 Default Specifies NFS version 3 4 Specifies NFS version 4 Guidelines The version command specifies the p...

Page 542: ...erver2 NFS server and export XML stylesheets mount point Sets the mount time out to 1 minute Sets the read and write request sizes to 8192 bytes Sets the maximum number of RPC time outs per NFS transaction to 4 Sets the initial retransmission interval to 0 5 seconds Default values are retained for the transport layer protocol TCP for the NFS version 3 for the mount type read write and for local ac...

Page 543: ...interval between clock synchronizations Syntax refresh interval frequency Parameters frequency Specifies the number of seconds between clock synchronizations Use an integer in the range of 60 through 86400 The default is 900 Guidelines In the absence of a specified interval the appliance synchronizes with the NTP server every 15 minutes Related Commands remote server Examples v Identifies the NTP ...

Page 544: ...ote The WebGUI supports the specification of multiple NTP servers If you invoke the no ntp service command all defined NTP servers are deleted To delete just one of the defined NTP servers use the WebGUI Related Commands refresh interval Examples v Identifies the NTP server and specifies a clock synchronization interval of 5 minutes ntp service NTP Service configuration mode remote server Chronos ...

Page 545: ...ype Syntax type slm Parameters slm Specifies a token for an SLM Monitoring Peer Group Guidelines The firmware supports only the SLM type Examples v Enters Peer Group configuration mode to create the SLM Group1 Peer Group Identifies the peer group as of type SLM peer group SLM Group1 Peer Group configuration mode type slm url Identifies a member of the current peer group Syntax url member Parameter...

Page 546: ...mode to create the SLM Group1 Peer Group Specifies the peer group type as SLM and designates group members peer group SLM Group1 Peer Group configuration mode type slm url 192 168 12 100 url 192 168 49 13 url 192 168 80 126 520 Command Reference ...

Page 547: ...esponses that do not satisfy policy A rejection triggers error handling Guidelines The enforcement mode command defines how the configuration enforces WS Policy For example if a policy requires a response to be encrypted filter will reject the response and trigger error handling if the output is not encrypted but enforce will encrypt the outgoing If the mode is enforce and the configuration does n...

Page 548: ...lComponentValue Specifies the QName of a WSDL component in the namespace ncname format Guidelines The ignore attachment point command disable all policies that are attached by policy reference at a configured attachment point All other policy references remain intact policy references Controls WSDL defined policy references Syntax policy references on off Parameters on Uses WSDL defined policy ref...

Page 549: ...l required policy parameters that are needed by the policy mapping style sheet A policy parameters is the way that you must map the needed parameters that are defined in or referenced by the WSDL policy or that are defined in an attached source to the specific DataPower object If you do not define all the needed parameters processing a message with the defined WS Policy generates errors For exampl...

Page 550: ...524 Command Reference ...

Page 551: ...on mode aaa policy Identifies an AAA Policy for the current aaa action Syntax aaa policy name Parameters name Specifies the name of the AAA Policy Examples v Assigns the AAA Policy1 AAA Policy to the current aaa action type aaa aaa policy AAA Policy1 async action Specifies the action for the current event sink action Syntax async action action Parameters action Specifies the name of the action to ...

Page 552: ...nt sink action Without an event sink action the output of an asynchronous action is not reliably available to subsequent actions In this case there are no guarantees as to when the asynchronous action will finish errors that are generated by the action are ignored by the remainder of the processing rule and the network transaction could complete while this action is still in progress Examples v Sp...

Page 553: ... run when the XPath expression matches Guidelines The condition command specifies an XPath expression as the match criteria and the name of the action to run when that XPath expression matches Use this command to define multiple condition based clauses The first XPath expression that matches against the named input context invokes the corresponding action This command is meaningful only when the a...

Page 554: ...he form of a DataPower variable a context name or a standard URI v When the action type is route set specifies the routing destination v When the action type is results specifies the destination location of the data recipient Related Commands multiple outputs Examples v Stores the fetch resource in the destination identity xml type fetch destination http datapower com identity xml v Stores the log...

Page 555: ...t to process documents Syntax dynamic stylesheet url Parameters url Identifies the URL of the dynamic style sheet Guidelines The dynamic stylesheet command is used when the action type as specified by the type command is route action xform or xformpi to either route or transform documents Examples v Specifies the validate xsl dynamic style sheet to use to transform the document type xform dynamic ...

Page 556: ...at processing ceases alternative Indicates that processing invokes the alternative processing rule continue Indicates that processing continues with the next action Guidelines The error mode command is used only if the action type as specified by the type command is on error to determine whether to continue processing or to cease processing of the current processing rule Examples v Specifies to co...

Page 557: ...ent that triggers the checkpoint AuthComplete Default Signifies the completion of an authentication process Fault Signifies a fault condition Request Signifies the input of a client originated document Response Signifies the input of a server originated document Guidelines The event command is used only if the action type as specified by the type command is checkpoint Examples v Specifies fault as...

Page 558: ...ert http action Syntax input conversion name Parameters name Specifies the name of a conversion map Guidelines The input conversion command is used only if the action type as specified by the type command is convert http to specify the conversion map to translate non XML content Examples v Identifies the httpToXML conversion map for the current convert http action type convert http input conversio...

Page 559: ... Specifies an XPath expression for the current for each action Syntax iterator expression expression Parameters expression Specifies the XPath expression that the loop should use Guidelines The iterator expression command specifies the XPath expression to apply to the input context of a loop The loop action runs one time for each item in the node set that the XPath expression produces The var serv...

Page 560: ...ions use the iterator count command v To run one time for each XPath expression match use the iterator expression command This command is meaningful only when the action type as specified by the type command is for each Related Commands iteration count loop action iteration expression type Examples v Specifies that the transformer action runs one time for each item element in the INPUT input conte...

Page 561: ...t is generated by the current log action Syntax log type messageType Parameters messageType Specifies the category of event Use the show logging event command to view available categories Guidelines The log type command is used only if the action type as specified by the type command is log Related Commands show logging event Examples v Identifies that the log action sends messages as belonging to...

Page 562: ...ecifies that the transformer action runs one time for each item element in the INPUT context type for each input INPUT iterator type xpath iterator expression local name item loop action transformer multiple outputs Indicates whether to generate an output context for each iteration or result Syntax multiple outputs on off Parameters on Generates multiple output contexts off Default Generates a sin...

Page 563: ...tract fetch xform or xformpi output is optional when the action type is aaa filter log results route action slm or validate The output command is not used when the action type is checkpoint on error results async rewrite route set setvar or strip attachments Examples v Specifies temp2 as the output context for the current fetch action For a fetch action the output context is the context that conta...

Page 564: ...tax parameter name value Parameters name Specifies the name of the parameter value Specifies the value of the parameter The parameter command is optionally used to specify a parameter for the current style sheet only when the action type as specified by the type command is filter route action xform or xformpi Examples v Defines the staticRoute stylesheet parameter and sets its value to 192 168 12 ...

Page 565: ...on to which to send a copy of the ctx input context one at a time until successful type results input ctx destination var context ctx urls results first available retry count Specifies the number of retry attempts for the current results action Syntax retry count count Parameters count Specifies the number of times to retry a target after a failure A value of 0 indicates no retry attempts and the ...

Page 566: ...results action waits before attempting to retry a connection to a target This command is meaningful only when the action type as specified by the type command is results Related Commands destination input retry count type Examples v Specifies that if the action fails to write the input to http log server log the request is tried 10 times at 5 seconds intervals type results input ctx destination ht...

Page 567: ...mand identifies the schema to validate incoming documents Examples v Indicates that the validate action uses the soapSchema2 xsd schema for validation type validate schema url local soapSchema2 xsd slm Identifies an SLM Policy for the current slm action Syntax slm name Parameters name Specifies the name of an existing SLM Policy Guidelines The slm command is used only if the action type as specifi...

Page 568: ...entifies the type of validation to perform Validation of SOAP messages does not affect the validation of input context to ensure that it is a valid document If you are validating an intermediate context such as the result of a transform the intermediate context is not implicitly validated as SOAP To validate the entire document retain the default value envelope Examples v Indicates that only the S...

Page 569: ...tion waits for its named actions to complete A value of 0 indicates that the action waits indefinitely This command is meaningful only when the action type that is specified by the type command is event sink Related Commands type Examples v Indicates that the async fetch action has only 1 second to complete If it does not complete during this interval it fails type event sink async action async fe...

Page 570: ...ction This action records information about each transaction for reporting through Web Services Management This action is relevant for Web Service Proxy services only conditional Indicates a conditional action This action enables if then else processing This action is relevant for all services except XSL Coprocessor and XSL Proxy services convert http Indicates a convert http action This action co...

Page 571: ...ext to a remote destination This action is relevant for all services rewrite Indicates a rewrite action This action implements a specified URL Rewrite Policy This action is relevant for all services except XSL Coprocessor services route action Indicates a route action action This action implements dynamic routing with an XPath or style sheet in the routing action This action is relevant for all se...

Page 572: ...e action type as specified by the type command is rewrite The command is optional when the action type is validate xform or xformpi Examples v Identifies rewritePolicy 1 as the URL Rewrite Policy to implement for the current rewrite action type rewrite urlrewrite policy rewritePolicy 1 value Sets the value of the variable declared in the current setvar action Syntax value value Parameters value Sp...

Page 573: ...sdl attachment part name Parameters name Specifies the name of the WSDL message part that contains the MIME attachment Guidelines The wsdl attachment part command specifies the name of the WSDL message part that defines the content of a MIME attachment The value should be the unqualified name of the message part This name is the same as the part attribute on the corresponding mime content componen...

Page 574: ...at match the specified name or direction are considered valid Faults are considered valid for the response direction The command is meaningful only when the action type that is specified by the type command is validate Related Commands type wsdl operation Specifies the name of the WSDL operation for the current validate action Syntax wsdl operation name Parameters name Specifies the name of the WS...

Page 575: ...id The command is meaningful only when the action type that is specified by the type command is validate Related Commands type wsdl url Identifies the WSDL URL for the current validate action Syntax wsdl url url Parameters url Specifies the URL of the WSDL file Guidelines The wsdl url command specifies the URL of the WSDL file that defines the operations to use during the validate action The WSDL ...

Page 576: ...delines The xpath command is required when the action type as specified by the type command is extract Otherwise it in not used Examples v Indicates that the current extract action should use Order_Number as the XPath expression type extract xpath Order_Number 550 Command Reference ...

Page 577: ...Parameters http Specifies the predefined HTTP metadata category that contains the desired item name Specifies the name of the predefined metadata item Refer to Table 10 on page 552 for the list of predefined items See the list of predefined inputs below for valid values The value can be any alphanumeric string to define a custom protocol header or variable item header Specifies a metadata category...

Page 578: ...on timeout transaction name transaction error code transaction error message error protocol response error protocol reason phrase error subcode xmlmgr name domain name service type service name transaction id transaction client transaction rule name transaction rule type transaction policy name input message size response mode rule direction See the file store ProcessingMetadata html for complete ...

Page 579: ...or rule An error rule is invoked in response to a processing error An error rules requires a matching rule Create the matching rule with the matching command and populated it with the httpmatch or urlmatch commands The matching rule serves as a source of URL or HTTP templates Candidate documents that match any of the templates in the matching rule can be processed Refer to Appendix B Processing Po...

Page 580: ...ering rule Guidelines Use the Global matching command to create a Matching Rule and populated it with the httpmatch or urlmatch commands The matching rule serves as a source of URL or HTTP templates Candidate documents that match any of the templates in the matching rule can be processed Use the Global rule command to create a global rule The global rule defines processing procedures for documents...

Page 581: ... Create the matching rule with the matching command and populated it with the httpmatch or urlmatch commands The matching rule serves as a source of URL or HTTP templates Candidate documents that match any of the templates in the matching rule can be processed Refer to Appendix B Processing Policy procedures on page 999 for details about the creation and implementation of Processing Policies Relat...

Page 582: ...onse rule responseMatch rule Assigns a bidirectional rule Syntax rule rule Parameters rule Specifies the name of an existing Matching Rule Guidelines The rule command defines a bidirectional rule A bidirectional rule requires a matching rule A bidirectional rule is applied to both client originated and server originated traffic Create the matching rule with the matching command and populated it wi...

Page 583: ...didate XML document fails to match any of the transformation rules that are defined in the processing policy Refer to Appendix B Processing Policy procedures on page 999 for details about the creation and implementation of processing policies Examples v Identifies identity xsl in the store directory as the default style sheet to transform documents xsldefault store identity xsl Chapter 61 Processi...

Page 584: ...558 Command Reference ...

Page 585: ...ted or authorized by the AAA policy that is implemented in this Processing Rule name Specifies the name of an existing AAA Policy output context Optionally identifies the context where any post processing output is stored Use OUTPUT to specify the final policy output that is the transformed client request or transformed server response Examples v Applies the AAA Policy1 AAA Policy to the original ...

Page 586: ... the checkpoint and takes one of the following values AuthComplete Indicates the completion of an authentication process Fault Indicates a fault condition Request Indicates the input of a client originated document Response Indicates the input of a server originated document input context Optionally identifies the context in which the checkpoint is triggered In the absence of an explicit context a...

Page 587: ...ut context output context expression variable Parameters input context Identifies the context to which the XPath expression is applied Use INPUT to specify the initial policy input that is the original client request or server response output context Identifies the context that stores the result of the XPath expression Use OUTPUT to specify the final policy output that is the transformed client re...

Page 588: ...three url fetch Adds a fetch action Syntax fetch url output context Parameters url Identifies the resource to be fetched and can be expressed as a URL or as a variable that expands to a URL output context Identifies the context in which to store the fetched resource Guidelines You can use any protocol specific URL when addressing the target resource Examples v Retrieves the resource referenced by ...

Page 589: ... to Appendix B Processing Policy procedures on page 999 for procedural details regarding the creation and implementation of Style Policies Related Commands validate Examples v Uses the specified style sheet to filter the original input to the Processing Policy filter INPUT store filter 1 xsl v Uses the style sheet that is referenced by the filter variable in the tools context to filter the origina...

Page 590: ...ient request or server response destination Specifies a URL for the log message recipient output context Optionally identifies an output context Examples v Sends the contents of the INPUT context to the specified target URL log INPUT http www us ibm ragnarok log non xml processing Enables processing of non XML input or output Syntax non xml processing no non xml processing Guidelines Use the no no...

Page 591: ...ally identifies the output context for the error rule If no context is explicitly identified the output context of the failed action is used Examples v Specifies that rule processing ceases in the event of an error calls the rule faultProcessing as an error handler on error abort faultProcessing output filter Specifies a compression algorithm to apply to all outgoing traffic after all other proces...

Page 592: ...he destination otherwise it is not used Examples v Sends the contents of the INPUT context to the destination of the rule results INPUT v Sends the contents of the INPUT context to the destination referenced by the local var local dest variable results INPUT var local dest v Sends the contents of the INPUT context to the loopback server for processing Processing results are stored in the apple con...

Page 593: ...ntext results INPUT http 127 0 0 1 9000 apple rewrite Adds a rewrite action Syntax rewrite name Parameters name Specifies the name of the URL Rewrite Policy Examples v Rewrites the input URL with the URLRewrite 1 policy rewrite URLRewrite 1 route action Adds a route action action Syntax route action input context URL route action input context dynamic stylesheet name Parameters input context Ident...

Page 594: ... from the dest 1 variable in the destinations context The DySSL 1 SSL Proxy Profile provides the credentials to establish a secure connection route set var context destinations dest 1 DySSL 1 setvar Adds a setvar action Syntax setvar context variable value Parameters context Identifies the context in which the variable is set variable Specifies the name of the variable and takes the form of a var ...

Page 595: ...n existing SLM Policy Examples v Assigns the SLM 1 SLM Policy to the INPUT context slm INPUT SLM 1 strip attachments Adds a strip attachments action Syntax strip attachments context uri Parameters context Identifies the context from which attachments are stripped uri Identifies a document attachment to strip In the absence of a specified attachment all attachments are stripped from the target cont...

Page 596: ...t rule unprocessed Enables data to passthrough subsequent actions in an unprocessed state Syntax unprocessed no unprocessed Examples v Enables unprocessed mode unprocessed v Disables unprocessed mode no unprocessed validate Adds a validate action Syntax validate input context output context validate input context attribute rewrite name output context validate input context dynamic schema url outpu...

Page 597: ... URL identifies the schema to use for document validation wsdl url url Regardless of xsi schemaLocation attributes in the document specifies the URL of the WSDL file that contains the schema for document validation The value can be expressed as a URL or as a variable that expands to a URL output context Optionally specifies the output context of the validated document Guidelines The validate comma...

Page 598: ...d output context Identifies the context that receives the transformed document Use OUTPUT to specify the final policy output that is the transformed client request or transformed server response Guidelines Transformations are implemented by Style Policies A Style Policy enables DataPower server to select an appropriate style sheet with which to filter or transform an input document The selected st...

Page 599: ...ing Map from which the dynamic style sheet is generated output context Identifies the context that receives the transformed document Use OUTPUT to specify the final policy output that is the transformed client request or transformed server response Guidelines XSL transformations are implemented by Processing Policies A Processing Policy enables DataPower service to select an appropriate style shee...

Page 600: ...574 Command Reference ...

Page 601: ...A requests Use an integer in the range of 0 to 65535 The default is 1812 Guidelines The aaaserver command identifies a RADIUS AAA server prompts for the secret unique to this appliance RADIUS server pair and adds the server to the list of RADIUS servers Use position to determine the order in which the appliance contacts RADIUS AAA servers For example assume that an appliance has a list of 3 RADIUS...

Page 602: ...secret YetAnotherPasswordServer10 id Specifies the NAS identifier Syntax id value Parameters value Identifies the appliance when acting as a RADIUS client Guidelines The NAS identifier defined in Section 5 32 of RFC 2865 can be used in some RADIUS environments in the place of an IP address to identify a client appliance It consists of one or more octets and must be unique within the scope of the R...

Page 603: ...s the IP address of a RADIUS server port Optionally identifies the port number on IP address that monitors RADIUS requests Use an integer in the range of 0 to 65535 The default is 1812 Guidelines The server command identifies a RADIUS server prompts for the secret unique to this appliance RADIUS server pair and adds the server to the list of RADIUS servers Use position to determine the order in wh...

Page 604: ...tax timeout milliseconds Parameters milliseconds Specifies the number of milliseconds to wait for a reply from a RADIUS server before retransmitting the outstanding request The default is 1000 Guidelines The timeout command specifies the RADIUS retransmit interval This interval is the number of seconds that the appliance waits for a reply from a RADIUS server before retransmitting the outstanding ...

Page 605: ... timeout 500 Chapter 63 RADIUS configuration mode 579 ...

Page 606: ...580 Command Reference ...

Page 607: ... the following methods Any user who attempts to access the appliance through the WebGUI Any user who attempts to access the appliance through the command line Any user who attempts to access the appliance through a Telnet session Any user who attempts to access the appliance through the serial port connection WebGUI or command line apply cli Specifies whether the RBM policy applies to command line...

Page 608: ...aches the results of user authentications for a period of time specified by the au cache ttl command the explicit time to live disabled Disables caching The system will not cache any results and instead always authenticate every time a user requests access maximum Default Compares the explicit TTL to the TTL contained in the response if any and cache authentication results for the maximum of the t...

Page 609: ...u cache mode Examples v Sets the TTL to five minutes au cache ttl 300 au custom url Specifies the URL of the custom style sheet Syntax au custom url URL Parameters URL Specifies the location of the style sheet Guidelines The au custom url command defines the fully qualified file name URL of the custom style sheet for authentication This command is relevant when the authentication method as defined...

Page 610: ...RBM AU xml file in the local directory as the authentication XML file au method xmlfile au info url local RBM AU xml au kerberos keytab Assigns the keytab for SPNEGO user authentication Syntax au kerberos keytab name Parameters name Specifies the name of an existing Kerberos Keytab object Guidelines The au kerberos keytab command is meaningful only when the authentication method as defined with th...

Page 611: ...d Beyond specifying the login DN when searching the LDAP for the group name you need to use the au ldap bind password command to specify the user s password and optionally use the au ldap parameters command to associate an existing LDAP Search Parameters object Related Commands au ldap bind password au ldap parameters au ldap search au method Examples v Identifies LDAP authentication with optional...

Page 612: ...tion with optional retrieval of the group DN au method ldap au server host ldap 1 au server port 389 au ldap search on au ldap bind dn proxyuser au ldap bind password p Ssw0rd au ldap parameters Assigns the LDAP Search Parameters to perform an LDAP search Syntax au ldap parameters name Parameters name Specifies the name of an existing LDAP Search Parameters object Guidelines The au ldap parameters...

Page 613: ...ccess the LDAP server the au ldap bind password command to specify the user s password and optionally use the au ldap parameters command to associate an existing LDAP Search Parameters object v When disabled use the ldap prefix command to specify the LDAP prefix to add to the user name and use the ldap suffix command to specify the LDAP suffix to append to the user name The provided prefix and suf...

Page 614: ...PNEGO server Requires the au kerberos keytab value xmlfile Uses a locally stored AAA Info file Requires an au info url value zosnss Uses an NSS server Requires the au zos nss value Guidelines The au method command sets the authentication method for RBM The selected method must be fully configured before invoking this command If the admin account is not configured with all permissions the admin acc...

Page 615: ...defined with the au method command you need to define the LDAP server in one of the following ways v The au server host and au server port commands v The loadbalancer group command Related Commands au method au server port loadbalancer group Examples v Identifies LDAP authentication with optional retrieval of the group DN au method ldap au server host ldap 1 au server port 389 au ldap search on au...

Page 616: ... au ldap bind dn proxyuser au ldap bind password p Ssw0rd au zos nss Assigns a z OS NSS Client for authentication with the NSS server Syntax au zos nss name Parameters name Specifies the name of an existing z OS NSS Client object Guidelines The au zos nss command is meaningful only when the authentication method as defined with the au method command is zosnss The z OS NSS Client object defines all...

Page 617: ...ity Syntax cli timeout seconds Parameters seconds Specifies the timeout value of the idle session in seconds Use an integer in the range of 0 through 65535 The default is 0 which disables the timeout function Guidelines The cli timeout command specifies the amount of idle time in seconds before closing a command line session because of inactivity When the session times out you must reestablish a s...

Page 618: ...yword In this case use the fallback user command to define the specific locally defined users to allows as fallback users The fallback login command is relevant only when remote authentication In other words this command is relevant when the setting for the au method is any value except local Related Commands au method fallback user Examples v Allows all locally defined users to log in fallback lo...

Page 619: ...m the DN Syntax ldap prefix prefix Parameters prefix Specifies an LDAP prefix Guidelines The ldap prefix command specifies the string to add as a prefix to the user name to form the distinguished name DN for LDAP authentication The LDAP prefix and the user name are separated with a comma and both are included within quotes For example if the LDAP prefix is cn and the user name is Bob Smith then th...

Page 620: ...ile for secure communications ldap sslproxy ldapone ldap suffix Specifies the LDAP suffix to add to the user name to form the DN Syntax ldap suffix suffix Parameters suffix Specifies an LDAP suffix Guidelines The ldap suffix command specifies the string to add after the user name to form the base distinguished name DN for LDAP authentication The LDAP suffix and the user name are separated with a c...

Page 621: ... LDAP authentication Syntax loadbalancer group name Parameters name Specifics the name of an existing load balancer group Guidelines The loadbalancer group command assigns a load balancer group for LDAP authentication When the authentication method is ldap as defined with the au method command you need to define the LDAP server in one of the following ways v The au server host and au server port c...

Page 622: ...ttempts defined by the max login failure command Instead of locking out an account for a specific duration the account can be locked out until re enabled by a privileged administrator To lock out accounts until reset set the duration to 0 Note The lockout duration commands applies to all accounts including the admin account The only difference is that the admin account cannot be locked out until r...

Page 623: ...unt The only difference is that the admin account cannot be locked out until reset When the duration is 0 the admin account is locked out for 120 minutes or until re enabled by another administrator Related Commands lockout duration Examples v Enables lockout behavior for accounts that on the fifth login failure the account is locked out locked out until reset by a privileged administrator lockout...

Page 624: ... is relevant when the mapping credentials method as defined with the mc method command is xmlfile Related Commands mc method Examples v Identifies the RBM MC xml in the local directory mc method xmlfile mc info url local RBM MC xml mc ldap bind dn Specifies the login DN distinguished name to access an LDAP server Syntax mc ldap bind dn DN Parameters DN Specifies the login name to access the target...

Page 625: ...uished name mc method xmlfile mc info url local RBM MC xml mc ldap search on mc server host ldap mydomain com mc server port 389 mc ldap bind dn cn proxyuser mc ldap bind password p Ssw0rd mc ldap parameters ldap1 MC mc ldap bind password Specifies the password for the login DN to access an LDAP server Syntax mc ldap bind password password Parameters password Specifies the password for the login D...

Page 626: ...rs ldap1 MC mc ldap parameters Assigns the LDAP Search Parameters to perform an LDAP search Syntax mc ldap parameters name Parameters name Specifies the name of an existing LDAP Search Parameters object Guidelines The mc ldap parameters command assigns the LDAP Search Parameters object to perform an LDAP search The search retrieves the user s group This command is relevant only in the following si...

Page 627: ...h the LDAP Search Parameters will be used as part of an LDAP search to retrieve the user s group off Default Disables an LDAP search for the user s group The authenticated identity of the user DN or user group of local user will be used directly as the input credential Guidelines The mc ldap search command indicates whether to retrieve the distinguished name with an LDAP search This command is rel...

Page 628: ...se secure communication with the LDAP credentials server When specified LDAP communication uses the configuration that is defined in the assigned SSL Proxy Profile If not specified communications do not use SSL and are nonsecure This command is relevant only in the following situation v LDAP search is enabled with the mc ldap search command v When the credentials mapping method as defined with the...

Page 629: ... s group This command is relevant only in the following situation v LDAP search is enabled with the mc ldap search command v When the credentials mapping method as defined with the mc method command is local or xmlfile This command is mutually exclusive with the combination of the mc server host and mc server port commands Related Commands mc ldap search mc method mc server host mc server port sho...

Page 630: ... xmlfile custom custom No Yes Yes ldap No Yes Yes local Yes Yes Yes radius No Yes Yes spnego No Yes Yes client ssl No Yes Yes xmlfile Yes Yes Yes When the credentials mapping method is local or xmlfile you can use the mc ldap search command to retrieve the distinguished name with an LDAP search Notes 1 The selected credentials mapping method must be fully configured before invoking this command 2 ...

Page 631: ... mc server port command to specify the listening port on the LDAP server v Optionally the mc ldap sslproxy command to associate an existing SSL Proxy Profile object to use secure communication with the LDAP server v The mc ldap bind dn command to specify the login DN to access the LDAP server v The mc ldap bind password command to specify the user s password v Optionally the mc ldap parameters com...

Page 632: ...command to specify the LDAP server v Optionally the mc ldap sslproxy command to associate an existing SSL Proxy Profile object to use secure communication with the LDAP server v The mc ldap bind password command to specify the user s password v Optionally the mc ldap parameters command to associate an existing LDAP Search Parameters object Related Commands mc ldap bind dn mc ldap parameters mc lda...

Page 633: ...f Parameters on Indicates that passwords must contain at least one numeric characters off Default Indicates that passwords do not require numeric characters Guidelines When enabled p4AssWord would be acceptable but password or PASSWORD would not be acceptable When disabled p4AssWord password or PASSWORD would be acceptable Related Commands pwd minimum length pwd mixed case pwd nonalphanumeric pwd ...

Page 634: ...used pwd history on pwd max history 3 pwd max age Specifies the maximum duration of passwords Syntax pwd max age duration Parameters duration Specifies the maximum number of days that a password is valid Use an integer in the range of 1 through 65535 The default is 300 Guidelines If password aging is enabled use the pwd max age command to specify the maximum shelf life of a user password Related C...

Page 635: ... passwords cannot be reused pwd minimum length Specifies the minimum length of passwords Syntax pwd minimum length length Parameters length Specifies the minimum length Use an integer in the range of 1 through 128 The default is 6 Related Commands pwd digit pwd mixed case pwd nonalphanumeric pwd username Examples v Sets the minimum password length of 10 characters pwd minimum length 10 pwd mixed c...

Page 636: ...passwords must contain nonalphanumeric characters Syntax pwd nonalphanumeric on off Parameters on Indicates that passwords must contain nonalphanumeric characters off Default Indicates that passwords do not require nonalphanumeric characters Guidelines When enabled pa word is acceptable but pAssWord or pa33word is not acceptable When disabled pa word pAssWord or pa33word is acceptable Related Comm...

Page 637: ...pecifies whether to restrict access by the admin account to the command line on the serial port Syntax restrict admin on off Parameters on Restricts the admin account to command line access on the serial port off Default Allows the admin account to all access methods Guidelines The restrict admin command specifies whether to restrict access by the admin account to the command line on the serial po...

Page 638: ...v Allow access by the admin account to all access methods restrict admin off 612 Command Reference ...

Page 639: ...ma which is subject to the exception rules defined by the current Schema Exception Map Syntax original schema URL Parameters URL Identifies the URL of the target schema Related Commands rule Examples v Specifies store schema 12b xsd as the target schema original schema store schema 12b xsd rule Adds an exception rule to the current Schema Exception Map Syntax rule expression allowEncrypted require...

Page 640: ...es store schema 12b xsd as the target schema Adds a rule to the current Schema Exception Map which requires that all SSN nodes be encrypted schema exception map SEM 1 Schema Exception Map configuration mode original schema store schema 12b xsd rule SSN requireEncrypted 614 Command Reference ...

Page 641: ... the appropriate application domain Log targets must subscribe to this event to capture message reject Requests are rejected until transaction rate drops below the configured limit shape Delay requests as much as possible to lower the transaction rate to the configured limit Once too many messages are buffered creating a low memory state transactions are rejected until rate drops The ability to sh...

Page 642: ...arameters count Specifies the number of distinct sources tracked by this limiter The default is 10000 Related Commands concurrent connection limit tps Determines the number of transactions per second to allow per user identity Syntax tps count Parameters count Specifies the number of transactions to allow The default is 500 Related Commands action 616 Command Reference ...

Page 643: ... the log priority of the message that is generated when the current SLM Action is triggered Syntax log priority priority no log priority Parameters priority Specifies the message level Use one of the following keywords v emergency v alert v critical v error v warning v notice v info v debug Default Guidelines Use the no log priority command to restore the default debug setting Examples v Creates t...

Page 644: ...e appliance drops all traffic until the monitored entity is within conformance levels When the SLM Action type is shape the appliance queues the next 2500 transactions for later transmission when the monitored entity is within conformance levels After 2500 transactions are queued further transactions are rejected You must explicitly designate an SLM Action type to complete object configuration Exa...

Page 645: ...er command is meaningful only if the match type as defined by the type command is ip from header or request header Related Commands type match type Identifies the match type Syntax match type exact match per extracted value regexp match Parameters exact match Specifies that only a subset of the group that is defined by the type command is subject an SLM policy The subset is defined by one or more ...

Page 646: ... previously implemented an AAA policy which provides the needed credentials The match type is ignored when the credential type is custom stylesheet and is otherwise required Examples v Creates the extranetPartner SLM Credential Class Specifies that Credential Class membership is based on source IP address and that only a subset of IP addresses is subject to an SLM policy slm cred extranetPartner S...

Page 647: ...addresses custom stylesheet Specifies that members of this Credentials Class are defined by an style sheet ip from header Specifies that members of this Credentials Class are defined the name of the HTTP header that contains the client IP address for example X Client IP When specified use the header command to define the name of the header request header Specifies that members of this Credentials ...

Page 648: ...entifies the exact match criteria v If the type is aaa mapped credential specify a string in the format returned by the mapping operation v If the type is aaa username specify a user name in the format extracted by the AAA Policy v If the type is client ip specify an IP address and network prefix mask Guidelines Meaningful only if the match type is exact match A Credential Class defines a user gro...

Page 649: ...ass membership is based on source IP address and that only the defined subset of IP addresses is subject to an SLM policy slm cred extranetPartner SLM Credential Class configuration mode type client ip match type exact match value 10 119 10 3 32 value 192 168 3 012 27 value 192 168 12 0 24 v Removes an exact match value from the Credential Class no value 192 168 12 0 24 Chapter 68 SLM Credential C...

Page 650: ...624 Command Reference ...

Page 651: ...cute all statements Indicates that policy execution continues until all associated statements are evaluated terminate at first action Indicates that policy execution ceases upon the triggering of any action by an associated statement terminate at first reject Indicates that policy execution ceases upon the triggering of any action that drops traffic by an associated statement Guidelines Use the no...

Page 652: ...tement Syntax statement index credential class resource class schedule action interval length interval type algorithm threshold type threshold level high low burst reporting interval records no statement index Parameters index Specifies the order in which the statement is executed Statements are executed from least to greatest Note Adding a statement with the same index value as an existing statem...

Page 653: ...lgorithm that triggers the SLM Action at the high threshold and continues to trigger until the low threshold is reached less than Specifies a simple numeric algorithm that triggers the SLM action when the threshold level is less than the defined value token bucket Specifies a rate based algorithm that allows bursting The algorithm consists of a bucket with a maximum capacity of N tokens that refil...

Page 654: ...t size should be at least twice the value of the threshold level The default is 0 which means the burst limit is the configured threshold level reporting interval Specifies the base aggregation level in minutes for reporting of statistics This value does not affect the threshold intervals records Specifies the maximum records to save per reporting interval Guidelines Use the no statement command t...

Page 655: ...rovided by the value command are not subject to the SLM policy per extracted value Specifies that the system extracts and keeps a list of all unique resources that is defined by the type command All configured policies apply to each of the extracted resources regexp match Specifies that only a subset of the members of the group that is defined by the type command is covered by this SLM Resource Cl...

Page 656: ... URL Identifies the location of the style sheet Guidelines Used only if the Resource Method defined by the type command is custom stylesheet to specify the style sheet to produce resource identification Related Commands type Examples v Identifies the local extractResourceID xsl style sheet as the source of resource identification data type custom stylesheet stylesheet local extractResourceID xsl v...

Page 657: ...ts an AAA Policy that provides the required resource mapping concurrent connections Defines membership by concurrent TCP connections The TCP connection is from the requesting client to the DataPower appliance Generally a client opens only one connection to the DataPower appliance at a time Concurrent connections are not specific to user credentials concurrent transactions Defines membership by con...

Page 658: ...Path expression Related Commands match type value value Specifies which members of an SLM Resource Class are subject to coverage by the current resource class Syntax value string no value Parameters string Identifies a specific resource that is subject to coverage by the current SLM Resource Class Guidelines The value command is used when the match type as defined by the match type command is exac...

Page 659: ...ription name no wsrr subscription name Parameters name specifies the WSRR subscription object name Guidelines Specifies the WSRR subscription object name Used only if the Resource Method as defined by the type command is wsrr subscription Use the no wsrr subscription command to remove a WSRR based credential source Related Commands type Examples v Specifies the update WS Proxy 1 WSRR subscription ...

Page 660: ...e type command is xpath filter Use the no xpath filter command to delete an XPath based credential source Related Commands type Examples v Identifies the XPath Expression destination as the resource identification tool type xpath filter xpath filter destination v Removes the XPath Expression destination as the resource identification tool no xpath filter destination 634 Command Reference ...

Page 661: ...onfiguration mode days Specifies the days of the week that the schedule is operational Syntax days day Parameters day Species the days of the week Use one of the following keywords v Sunday v Monday v Tuesday v Wednesday v Thursday v Friday v Saturday Guidelines Use this command as often as necessary to specify all days during which the schedule is operational Examples v Creates the weekEnds SLM S...

Page 662: ...on mode days Saturday days Sunday duration 1080 start 24 00 00 start Specifies the time of day for the SLM Schedule to become operational Syntax start time Parameters time Specifies the time of day in military hh mm ss format at which the schedule becomes operational Guidelines Use the command in conjunction with duration to define specific time blocks during which this SLM Schedule is operational...

Page 663: ...sage header Any SNMP message that contains this community name is considered valid by the SNMP agent or engine read only managers are restricted to SNMP get operations meaning that such managers can read but cannot change system values contained in the Management Information Base MIB read write managers have access to both SNMP get and set operations meaning that these managers can both read and c...

Page 664: ...gine for SNMP requests Syntax port address port Parameters address Specifies an optional IP address that identifies a specific local interface as a recipient of SNMP requests port Identifies the UDP port monitored by the SNMP agent or engine for SNMP requests Use an integer in the range of 0 to 65535 The default is 161 Guidelines In the absence of an IP address argument the SNMP agent or engine mo...

Page 665: ...priority Specifies the minimum priority for trap events Syntax trap priority priority Parameters priority Identifies the event priority The default is error Guidelines The trap priority command specifies the minimum priority for trap events The priorities are hierarchical in descending order of criticality as emergency alert critic error warn notice info and debug Examples v Sets trap priority to ...

Page 666: ...nt of SNMP traps at 10 10 10 11 162 The trap recipient is accessed with the public community trap target 10 10 10 11 v Specifies a recipient of SNMP traps at 10 10 100 19 162 The trap recipient is accessed with the OpenView community trap target 10 10 100 19 OpenView v Deletes 10 10 10 11 162 from the list of trap recipients no trap target 10 10 10 11 version Specifies the supported SNMP version S...

Page 667: ...v Specifies support for SNMP Version 2c the default state version 2c Chapter 72 SNMP Settings configuration mode 641 ...

Page 668: ...642 Command Reference ...

Page 669: ...truction to process a SOAP header or child element Syntax refine namespace header element action no refine Parameters namespace Specifies the namespace URI to match a SOAP header element The default is a blank string which indicates no restriction header Specifies the string to match a SOAP header element local name The default is a blank string which indicates no restriction element Specifies the...

Page 670: ...tions The first removes the Foo header if the namespace URI is my namespace The second keeps the abc child element local name of a SOAP header named Bar regardless of the namespace URI The last instruction uses the default processed header rules for all the headers in some namespace namespace soap soap1 New SOAP Header Disposition Table configuration refine my namespace Foo remove refine Bar abc k...

Page 671: ...ame Parameters name Identifies the ACL to be assigned to the Stateful Raw XML Handler Guidelines Only those IP addresses explicitly granted access by the assigned ACL are able to access the Stateful Raw XML Handler Use the no acl command to remove an ACL from a Stateful Raw XML Handler Examples v Enters Stateful Raw XML Handler configuration mode to create the avecTCP Stateful Raw XML Handler Assi...

Page 672: ...ess Binds the Stateful Raw XML Handler to a single specific interface port pair 0 Binds the Stateful Raw XML Handler to the specified port on all enabled interfaces Guidelines This command only sets the IP address for the Stateful Raw XML Handler Use the port command to set the TCP port on which the Stateful Raw XML Handler listens Related Commands port remote address remote port Examples v Binds ...

Page 673: ...s the current Stateful Raw XML Handler to the specified port number port 16000 remote address Specifies the remote server address Syntax remote address address Parameters address Binds the Stateful Raw XML Handler to a single specific interface port pair Guidelines This command only sets the IP address for the remote server Use the remote port command to set the remote TCP port Related Commands re...

Page 674: ...Proxy Profile Syntax ssl name no ssl Parameters name Specifies the name of the existing SSL Proxy Profile assigned to the Stateful Raw XML Handler Guidelines The SSL Proxy Profile identified here must already exist in the current application domain Use the Global configuration mode command sslproxy to create a new SSL Proxy Profile Use the no ssl command to remove the SSL Proxy Profile assignment ...

Page 675: ...meters name Identifies the ACL to be assigned to the Stateless Raw XML Handler Guidelines Only those IP addresses explicitly granted access by the assigned ACL are able to access the Stateless Raw XML Handler Use the no acl command to remove an ACL from a Stateless Raw XML Handler Examples v Enters Stateless Raw XML Handler configuration mode to create the sansTCP Stateless Raw XML Handler Assigns...

Page 676: ...couraged for production environments local address 0 persistent connections Indicates whether to establish persistent connections Syntax persistent connections on off Parameters on Default Enables the establishment of persistent connections off Disables the establishment of persistent connections Guidelines With persistent connections enabled the default state for both HTTP 1 0 and HTTP 1 1 the St...

Page 677: ...dress command to set the IP address on which the handler listens Related Commands local address remote address remote port Examples v Binds the current Stateless Raw XML Handler to the specified port number port 16000 ssl Assigns an SSL Proxy Profile Syntax ssl name no ssl name Parameters name Specifies the name of the existing SSL Proxy Profile Guidelines Assignment of an SSL Proxy Profile provid...

Page 678: ... Proxy Profile assignment Examples v Assigns the SSL 1 SSL Proxy to the current Stateless Raw XML Handler ssl SSL 1 v Removes the assignment of the SSL 1 SSL Proxy from the current Stateless Raw XML Handler no ssl SSL 1 652 Command Reference ...

Page 679: ...elines The audit reserve command specifies the amount of disk space in kilobytes to reserve for the audit log Use this command to alter the amount of disk space to reserve to prevent the loss of audit events in case of a full disk This function is disabled if the value is 0 If the appliance is forced to release the audit reserve v All data services will be forced into an operational down state and...

Page 680: ...he appliance Guidelines The custom ui file command specifies the location of the custom user interface file The file must reside in the local or store directory on the appliance The file cannot reside on a mounted file system such as iSCSI This XML file contains custom user interface messages to display in the WebGUI and from the command line This file also defines the custom prompt for the comman...

Page 681: ...ter receiving a replacement appliance Without the serial number of the original appliance IBM cannot entitle the replacement appliance for future maintenance or warranty service location Specifies the location of the appliance Syntax location location Parameters location Specifies the appliance location Guidelines The location command identifies the location of the appliance Related Commands conta...

Page 682: ...he system identifier of the appliance When the custom user interface file defines the command line extension this identifier is added before the prompt Examples v Specifies the name of the appliance name Duluth v Specifies the name of the appliance Use double quotes to bracket a appliance name that contains spaces name Tango Lake 656 Command Reference ...

Page 683: ...meters name Specifies the name of the TAM configuration file ldap ssl key file Specifies the location of an SSL key file that contains a certificate used for LDAP access Syntax ldap ssl key file name Parameters name Specifies the name of the TAM SSL key file to use for LDAP server access Guidelines The TAM client application configuration file must contain an ldap ssl keyfile pwd to access the fil...

Page 684: ...use ldap ssl is on Related Commands use ldap ssl ldap ssl key file password Specifies the password for the LDAP key file Syntax ldap ssl key file password password Parameters password Specifies the password for the LDAP key file Guidelines Applicable only when use ldap ssl is on Related Commands ldap ssl key file use ldap ssl ldap ssl port Specifies the SSL port for the LDAP server Syntax ldap ssl...

Page 685: ...ol no Default Uses SSL version 3 as the secure communication protocol Guidelines The use fips command determines whether to enable Federal Information Processing Standard FIPS mode for secure communication between the DataPower appliance the TAM client and the TAM authorization server In the following situations the TAM client will be down after configuration because the TAM client cannot establis...

Page 686: ...dap ssl on off Parameters on The connection is secured by SSL off The connection is not secure Related Commands ldap ssl key file ldap ssl key file dn ldap ssl key file password ldap ssl port 660 Command Reference ...

Page 687: ... in the request token format that is configured for the TFIM endpoint For example a WS Security Username TokenType that is to be used as the request token cannot be created when the available user credential is an X 509 certificate All of the commands that are listed in Common commands on page 2 and most but not all of the commands that are listed in Chapter 114 Monitoring commands on page 949 are...

Page 688: ...eters format Specifies the format of the token Only the following values are supported BinarySecurityToken Indicates a WS Security BinarySecurityToken Custom Indicates the use of a style sheet to generate TFIM requests When specified requires the use of the tfim custom req url command CustomToken Indicates a custom token SAML1 0 Indicates a SAML Assertion 1 0 SAML1 1 Indicates a SAML Assertion 1 1...

Page 689: ...rs format Specifies the format of the token Only the following values are supported BinarySecurityToken Indicates a WS Security BinarySecurityToken Custom Indicates the use of a style sheet to generate TFIM requests When specified requires the use of the tfim custom req url command CustomToken Indicates a custom token SAML1 0 Indicates a SAML Assertion 1 0 SAML1 1 Indicates a SAML Assertion 1 1 SA...

Page 690: ... the TFIM server Syntax tfim addr address Parameters address Specifies the host name or IP address of the TFIM server Guidelines The tfim addr command specifies the host name or IP address of the TFIM server Related Commands tfim port Examples v Indicates that FIMHost ibm com is the fully qualified host name of the TFIM server and that this server is using the port 9080 the default port tfim addr ...

Page 691: ...rver select TFIM 6 1 as the compatibility mode If the 6 1 compatibility mode is selected TFIM 6 2 will behave the same as TFIM 6 1 Examples v Indicates that the current version of Tivoli Federated Identity Manager is version 6 1 tfim compatible v6 1 tfim custom req url Specifies the location of the custom style sheet Syntax tfim custom req url stylesheet Parameters stylesheet Specifies the locatio...

Page 692: ... all TFIM request tokens except Custom otherwise it is ignored Related Commands tfim 60 req tokenformat tfim 61 req tokenformat tfim 62 req tokenformat tfim compatible tfim operation tfim pathaddr tfim porttype Examples v Indicates that the WSSM token consumer issued the request to access the TFIM web service located at itfim wssm wssm default EchoWSDL EchoService using the EchoService port type a...

Page 693: ...tfim operation echo tfim pathaddr Specifies the scope for the security token Syntax tfim pathaddr destination Parameters destination Specifies the scope for the security token For example v http itfim ibm com 9080 EchoApplication services EchoServiceUsername v http 9 33 97 251 9080 EchoApplication services EchoServiceUsername Guidelines The tfim pathaddr command specifies the scope for this securi...

Page 694: ... tfim port command specifies the port number of the TFIM server Related Commands tfim addr Examples v Indicates that 9 33 97 251 is the IP address of the TFIM server and that this server is using port 19080 tfim addr 9 33 97 251 tfim port 19080 tfim porttype Specifies the Web services port type Syntax tfim porttype type Parameters type Specifies the Web services port type For example EchoService G...

Page 695: ...yntax tfim schema validate on off Parameters on Indicates that TFIM responses are schema validated off Default Indicates that TFIM responses are not schema validated Guidelines The tfim schema validate command indicates whether TFIM responses are schema validated When validating TFIM responses the response is validated against the WS Trust version indicated by the tfim compatible command Related C...

Page 696: ... to manage SSL communications with peers The SSL Proxy Profile identifies the keys and certificates that are used in the handshake Examples v Specifies that TFIM SSLProxy 1 is the SSL Proxy Profile to manage SSL communications with peers tfim sslproxy TFIM SSLProxy 1 670 Command Reference ...

Page 697: ...trol List ACL Syntax acl name Parameters name Specifics the name of an ACL Guidelines Assignment of an ACL to a Telnet Service is optional If an ACL is assigned to the service only those IP addresses specifically allowed by the ACL can initiate Telnet access to the appliance if an ACL is not assigned Telnet access to the appliance is unrestricted Related Commands acl Global allow ACL deny ACL ip a...

Page 698: ...ax port port Parameters port Specifies the port on one or all IP interfaces Use an integer in the range of 0 through 65535 Guidelines In conjunction with the ip address command identifies the IP address and port that the Telnet service monitors Related Commands ip address Examples v Specifies 10 10 13 35 23000 as the local IP address port that the current Telnet service monitor cli telnet telnet 1...

Page 699: ...percent Specifies the percentage of minimum free memory Use an integer in the range of 0 through 100 The default is 5 Guidelines The memory terminate command specifies the memory kill threshold This threshold is the point at which the appliance reboots The appliance reboots after the duration defined by the timeout command Related Commands memory throttle timeout memory throttle Specifies the memo...

Page 700: ...rcentage of available QCodes is below the defined threshold After you receive this alert schedule a system reboot as soon as possible to prevent an unscheduled reboot If the available QCodes is less than 5 available the system reboots sensors log Controls the collection of environmental log messages Syntax sensors log on off Parameters on Default Enables the collection of environmental log message...

Page 701: ...pecifies the message priority Use one of the following keywords or integers v emerg or 0 v alert or 1 v critic or 2 v error or 3 v warn or 4 v notice or 5 v info or 6 v debug or 7 Default Guidelines The status loglevel command sets the criticality of throttle messages This command is meaningful only if the status log command is set to on Related Commands status log temp fs terminate Specifies the ...

Page 702: ...e threshold This threshold is the point at which the appliance stops accepting new connections No new connection is accepted for the duration defined by the timeout command Related Commands temp fs terminate timeout timeout Specifies the interval between the threshold trigger and the subsequent action Syntax timeout seconds Parameters seconds Specifies the interval in seconds The value is unbounde...

Page 703: ...fies that the appliance reboots 20 seconds after free memory drops to 10 of total memory throttle Throttle Settings configuration mode memory terminate 10 timeout 20 Chapter 80 Throttle Settings configuration mode 677 ...

Page 704: ...678 Command Reference ...

Page 705: ...e of a custom timezone Syntax custom name Parameters name Specifies the name of the custom timezone daylight name Specifies the name of the timezone when in daylight savings time This name is appended to the time display when applicable Syntax daylight name name Parameters name Specifies the name of the timezone when in daylight savings time Guidelines Applies to the timezone set by the name or cu...

Page 706: ...y v Saturday v Sunday Guidelines Applies to the timezone that is identified by the name or custom command Related Commands daylight start hours daylight start minutes daylight start month daylight start week Examples v Sets Sunday as the day of the week when daylight savings time starts daylight start day Sunday daylight start hours Specifies the hour of the day when daylight savings time starts S...

Page 707: ...0 and 59 Guidelines Applies to the timezone that is identified by the name or custom command Related Commands daylight start day daylight start hours daylight start month daylight start week Examples v Sets 0 as the minutes of the hour when daylight savings time starts daylight start minutes 0 daylight start month Specifies the month of the year when daylight savings time starts Syntax daylight st...

Page 708: ...ek week Parameters week Specifies the week of the month when daylight savings time starts Use an integer between 1 and 5 Guidelines Applies to the timezone that is identified by the name or custom command Related Commands daylight start day daylight start hours daylight start minutes daylight start month Examples v Sets 1 as the week of the month when daylight savings time starts daylight start we...

Page 709: ...light stop hours hours Parameters hours Specifies the hour of the day when daylight savings time stops Use an integer between 0 and 23 Guidelines Uses the 24 hour clock A setting of 2 is 2 AM A setting of 14 is 2 PM Applies to the timezone that is identified by the name or custom command Related Commands daylight stop day daylight stop minutes daylight stop month daylight stop week Examples v Sets...

Page 710: ...s the month of the year when daylight savings time stops Syntax daylight stop month month Parameters month Specifies the month of the year when daylight savings time stops Use one of the following keywords v January v February v March v April v May v June v July v August v September v October v November v December Guidelines Applies to the timezone that is identified by the name or custom command ...

Page 711: ...ime stops daylight stop week 5 direction Specifies the direction relative to GMT of the timezone North America is West Asia is East Syntax direction direction Parameters direction Specifies the direction relative to GMT of the timezone Use one of the following keywords v East v West Guidelines Determines whether the offset is added to West or subtracted from East GMT A timezone that is in GMT coul...

Page 712: ...ussian DST rules AST 3 Saudi Arabia 3 hrs East no DST KRT 5 Pakistan 5 hrs East no DST IST 5 30 India 5 30 hrs East no DST CST 8 China 8 hrs East no DST WST 8 Western Australia 8 hrs East no DST JST 9 Japan 9 hrs East no DST CST 9 30 Central Australia 9 30 hrs East no DST EST 10 Eastern Australia 10 hrs East no DST Guidelines Use one of the preset timezone names to automatically set the timezone a...

Page 713: ... GMT offset hours 5 offset minutes Specifies the offset in minutes relative to GMT of the timezone Syntax offset minutes minutes Parameters minutes Specifies the offset in minutes relative to GMT of the timezone Use an integer between 0 and 59 Guidelines Determines the number of minutes the timezone is offset from GMT Applies to the timezone that is identified by the name or custom command Related...

Page 714: ...688 Command Reference ...

Page 715: ...de hostname Sets the IP address or hostname Syntax hostname host Parameters host Specifies the IP address or host name of the remote UDDI Registry If a host name the appliance must have a method to resolve the name through DNS Related Commands port inquiry url Sets the URI to send inquiry requests Syntax inquiry url URI Parameters URI The local path URI portion of the URL used to query the Registr...

Page 716: ...sed by the appliance to send WSDL files to the Registry for publication This operation is typically protected by SSL communications requiring both an SSL Proxy Profile and setting the use ssl value to publish at minimum Examples v Enters UDDI Registry configuration mode to create the Registry1 object Sets the Publish URI uddi registry Registry1 New UDDI Registry Registry1 publish url web uddi publ...

Page 717: ... To create a new Profile for this use or to alter an existing Profile for this use employ the sslproxy Global Configuration command Examples v Enters UDDI Registry configuration mode to create the Registry1 object Assigns the StdProxyProfile SSL Proxy Profile uddi registry Registry1 New UDDI Registry Registry1 ssl StdProxyProfile ssl port Sets the TCP port for HTTPS connections Syntax ssl port por...

Page 718: ... Registry configuration mode to create the Registry1 object Sets the Security URI uddi registry Registry1 New UDDI Registry Registry1 security url web uddi subscription use ssl Determines when to use HTTPS connections Syntax use ssl always publish Parameters always Uses SSL for all communications publish Uses SSL for Publish requests only version Determines which level of the UDDI Specification Sy...

Page 719: ...y as defined on the remote UDDI registry Guidelines Use this command as many times as needed to include all of the subscription keys desired for this object Subscription keys are defined on the remote UDDI registry The remote UDDI registry is defined with the registry command Related Commands registry Examples v Creates the ActivityEndpoint1 subscription and sets the subscription key uddi subscrip...

Page 720: ... registry object Related Commands uddi registry Global username Sets the username to authenticate with the remote UDDI registry Syntax username username Parameters username Specifies the username sent to the remote UDDI registry to authenticate the appliance with the registry This authentication retrieves the subscription data Related Commands password 694 Command Reference ...

Page 721: ...s The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single character The delimiters bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y Guidelines URL maps are used in the implementation of Stylesheet Refresh Policies and Compile Options Profiling policies Use the no match command to reset the ...

Page 722: ...nfiguration mode match https www amajoraccount com Zeus xsl v Creates the URLmap 2 URL Map Adds two match patterns to the map urlmap URLmap 2 URL Map configuration mode match https www company com XML stylesheets match https www distributer com xsl v Removes all match patterns from the URLmap 2 URL Map urlmap URLmap 2 URL Map configuration mode match https www company com XML stylesheets match htt...

Page 723: ... the name of a URL map Guidelines Use the disable cache command to identify style sheets that are frequently updated Disabling caching for such style sheets ensures that the most recent version of the style sheet is obtained by the XML Manager and used for filtering or transformation Refer to Appendix C Stylesheet Refresh Policy configuration on page 1005 for procedural details regarding the creat...

Page 724: ... Map are refreshed Guidelines The interval urlmap command assigns a URL map to a URL Refresh Policy Candidate style sheets that match the rules in this URL map are cached by an XML Manager Cached style sheets cached do not receive preferential treatment within the stylesheet cache They can be deleted from the cache before their scheduled refresh for example if the cache exceeds its maximum size Re...

Page 725: ...ined via the URL Map are refreshed Guidelines Use the protocol specified command to indicate that style sheets should be cached in accordance with the expiration semantics that are supplied by protocols Refer to Appendix C Stylesheet Refresh Policy configuration on page 1005 for procedural details regarding the creation and implementation of Stylesheet Refresh Policies Related Commands urlmap Chap...

Page 726: ...700 Command Reference ...

Page 727: ... the Processing Policy can change the URI that is sent to the backend server All of the commands that are listed in Common commands on page 2 and most but not all of the commands that are listed in Chapter 114 Monitoring commands on page 949 are also available in URL Rewrite Policy configuration mode absolute rewrite Rewrites the entire URL or a portion of the URL based on a URL match Syntax absol...

Page 728: ...ifies a PCRE that identifies the replacement style sheet This style sheet filters or transforms the XML document that is referenced by the rewritten URL For example v If the match pattern is or specify the complete replacement v If the match pattern is xsl specify the PCRE evaluation replacement for any text subpattern or retain the original text subpattern To retain the first text subpattern spec...

Page 729: ...y xsl ident xsl input xml and rewrites the URL to http mantis 8000 style xsl absolute rewrite xsl 1xsl ident xsl 3 http mantis 8000 2 content type Rewrites the contents of the Content Type header based on a URL match Syntax content type expression input replace normalize Parameters expression Specifies a PCRE that defines the match condition that triggers the rewrite rule A candidate URL that matc...

Page 730: ...http www pcre org web site Examples v Adds a Content Type header rewrite rule to a URL Rewrite Policy If the candidate URL contain web Server the rule replaces the value of the Content Type header with text xml content type web Server text xml header rewrite Rewrites the contents of an arbitrary header based on a name match Syntax header rewrite name expression input replace normalize Parameters n...

Page 731: ...ntax no rule Guidelines The no rule command deletes all rules from the current policy Examples v Deletes all rules from the current policy no rule post body Rewrites the contents of the HTTP POST body based on a URL match Syntax post body expression input replace style replace input unescape style unescape normalize Parameters Indicates a required argument for backward compatibility expression Spe...

Page 732: ...d text subpattern only specify 1 3 style replace Specifies a PCRE that identifies the replacement style sheet This style sheet filters or transforms the XML document that is referenced by the rewritten POST For example v If the match pattern is or specify the complete replacement v If the match pattern is xsl specify the PCRE evaluation replacement for any text subpattern or retain the original te...

Page 733: ...age library PCRE documentation is available at the http www pcre org web site Examples v Adds a post body rewrite rule to the current URL Rewrite Policy If the candidate URL is http mantis 8000 foo bar my cgi x y xsl style xsl input xml the rule rewrites the body of the HTTP POST to http mantis 8000 foo bar my cgi x y input xml and rewrites the URL to http 10 10 10 200 909 xsl style xsl post body ...

Page 734: ...708 Command Reference ...

Page 735: ...wildcards to define a match pattern as follows The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single character The delimiters bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y field Identifies a proprietary HTTP header field value Specifies the field value Can contain a character string or...

Page 736: ...aracter The single character wildcard matches one occurrence of any single character The delimiters bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y user Specifies the user name used to access the URL set password Specifies the user password used to access the URL set Guidelines A Basic Authentication Policy defines a URL set and uses a simple user name and password ...

Page 737: ... delimited by either Content Length or chunked encoding All servers will understand how to interpret Content Length and many applications will fail to understand chunked so Content Length is generally used However doing so interferes with the ability of the appliance to fully stream If you must stream full documents towards the back side this property should be turned on However you must know befo...

Page 738: ... Agent and the backend server Examples v Adds a Compression Policy which enables compression negotiation on the URL set defined by datapower com Subsequently disables compression negotiation thus restoring the default state compression policy datapower com on compression policy datapower com off ftp policy Creates a policy that associates a URL set with a set of default policies for the FTP protoc...

Page 739: ...e TLS results in a failure of the related transaction ccc off ccc opt ccc req Indicates how to use command channel encryption after user authentication with the FTP CCC command ccc off Do not request command channel encryption ccc opt Request but do not require command channel encryption ccc req Request and require command channel encryption Use this option when the command connection crosses a NA...

Page 740: ...If you do not need this property enter size check optional size check disabled Indicates how to use a size check after a data transfer with the FTP SIZE command size check optional If the command is available use it to check the size of the file after transfer The command compares the returned value to the number of bytes that were transferred If not equal the transfer is marked as failing size ch...

Page 741: ... proxy pattern server port proxy pattern none no proxy pattern Parameters pattern Specifies a shell style match pattern that defines the URL set subject to this proxy policy You can use wildcards to define a match pattern as follows The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single character The delimiters bracket ...

Page 742: ...rnet gateway The second policy will never be reached since all candidate URLs match the first policy proxy internet gateway 8080 proxy http internal datapower com backoffice 8080 v Creates three proxy policies URLs matching the http internal datapower com pattern are directed to port 8080 on backoffice URLs matching the http finance datapower com pattern are dropped All other URLs are directed to ...

Page 743: ...ypting with your private key and returning the plaintext message to the server Use the no pubkeyauth command to remove the authentication policy Examples v Adds a Public Key Authentication Policy which uses the private key bob to access the URL set defined by datapower com pubkeyauth datapower com bob v Removes the Public Key Authentication Policy no pubkeyauth datapower com restrict http policy C...

Page 744: ...tion policy Syntax soap action pattern value no soap action pattern Parameters pattern Specifies a shell style match pattern that defines the URL set subject to this SOAPAction header injection policy You can use wildcards to define a match pattern as follows The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single charac...

Page 745: ...se wildcards to define a match pattern as follows The string wildcard matches 0 or more occurrences of any character The single character wildcard matches one occurrence of any single character The delimiters bracket a character or numeric range 1 5 Matches 1 2 3 4 or 5 xy Matches x or y name Identifies the SSL Proxy Profile assigned the User Agent Guidelines An SSL Proxy Profile specifies the SSL...

Page 746: ...es the SSL UA1 SSL profile ssl https testbase SSL UA1 timeout Specifies the User Agent idle timeout value Syntax timeout time Parameters time Specifies the idle timeout Use an integer in the range of 0 to 86400 The default is 300 Guidelines The timeout is the maximum idle period before an established connection is torn down 720 Command Reference ...

Page 747: ...access levels as the admin account It differs only in that a privileged account cannot delete the admin user Assigns restricted access to the account A user account is limited to the common commands and most but not all of the show commands Guidelines By default newly created accounts are assigned the user access level Related Commands group password domain Restricts access to specific application...

Page 748: ... Settings apply cli command Related Commands apply cli RBM Setting group Examples v Limits access for the gharrison User object to the engineering domain user gharrison Modify User configuration domain engineering group Associates an account with a group Syntax group name Parameters name Specifies the name of an existing User Group object Guidelines Refer to the name command for information on cre...

Page 749: ...ntication protocol authentication secret type Indicates whether the authentication secret is a password or a fully localized key This parameter is required when the value for authentication protocol is md5 or sha password Default The authentication secret is a password that will be converted to an intermediate key with a standardized algorithm and then localized against the engine ID value key The...

Page 750: ...tion of a 16 byte key v If a key and HMAC SHA 96 is the authentication protocol specify the hexadecimal representation of a 20 byte key You can use colons between each two hexadecimal characters Guidelines The snmp cred command adds SNMP V3 credentials for this account Each account can have multiple SNMP V3 credentials one for each SNMP V3 engine that is identified by an engine ID value Note The c...

Page 751: ...none password v Creates SNMP V3 credentials for this account on the remote machine with the engine ID 000000000000000000000002 with HMAC MD5 96 as the authentication algorithm and with no privacy algorithm The fully localized key is 52 6f 5e ed 9f cc e2 6f 89 64 c2 93 07 87 d8 2b snmp cred 000000000000000000000002 md5 key 52 6f 5e ed 9f cc e2 6f 89 64 c2 93 07 87 d8 2b none password Chapter 88 Use...

Page 752: ...726 Command Reference ...

Page 753: ...ess domain resource Name name Access permission address An IP address This policy will apply only to clients with IP addresses that match this value PCRE expressions are supported The special value matches any IP address domain The name of an application domain This policy will apply only to resources within the identified domain The special value matches any domain resource The resource type to w...

Page 754: ...rivileges to all resources and read only access for login and network resources to members of the appdev User Group usergroup appdev User group configuration mode access policy Access r w a d access policy login Access r access policy network Access r exit Usergroup update successful add Adds a command suite Syntax add name Parameters name Specifies the name of the command group Guidelines To disp...

Page 755: ...lay a list of available command groups enter the delete command with no arguments at the command prompt Edit of an existing User Group with either the add or delete commands does not effect the access privileges of current user accounts assigned to the User Group The updated access privileges defined by the edited User Group are assigned to user accounts subsequently added to the User Group To ass...

Page 756: ...730 Command Reference ...

Page 757: ...age 949 are available arp Enables or disables ARP Syntax arp no arp Guidelines The arp command enables or disables the Address Resolution Protocol ARP on all IP interfaces that are provided by the current VLAN port By default ARP is enabled Certain network topologies and load balancing configurations might require that you disable ARP To disable use the no arp command Related Commands vlan sub int...

Page 758: ...LAN identifier to send and to receive traffic Syntax identifier identifier Parameters identifier Specifies the number of the VLAN identifier Use an integer in the range of 1 through 4094 The default is 2 Guidelines The identifier command specifies the number of the VLAN identifier to send and to receive traffic The identifier must be unique among all VLAN interfaces on the same Ethernet Interface ...

Page 759: ...erface Examples v Enable the VLAN interface on Ethernet 2 interface eth2 ip address Assigns a primary network address Syntax ip address address no ip address Parameters address Specifies the network address IP address and subnet Specify the IP address in decimal format Specify the subnet mask in CIDR format 27 or its equivalent decimal format 255 255 255 224 Guidelines The ip address command assig...

Page 760: ...teway ip default gateway 10 10 10 100 v Deletes the default gateway no ip default gateway ip route Adds a static route to the routing table Syntax ip route address gateway metric no ip route address gateway Parameters address Specifies the network address IP address and subnet of the target destination Specify the IP address in decimal format Specify the subnet mask in CIDR format 27 or its equiva...

Page 761: ...y the IP address in decimal format Specify the subnet mask in CIDR format 27 or its equivalent decimal format 255 255 255 224 Guidelines The ip secondary address command adds a secondary network address IP address and subnet mask to the current VLAN interface This address accepts incoming connections This address is used only as a source IP address when responding to incoming requests TCP or ICMP ...

Page 762: ...ion on the current interface Syntax Starts a package capture packet capture filename duration kilobytes Immediately stops a package capture no packet capture filename Parameters filename specifies the file to which packet capture data is written duration is an integer within the range 5 through 3600 that specifies the maximum duration in seconds of the packet capture session A value of 1 indicates...

Page 763: ...oup auth auth high auth low Add additional IP addresses for a group standby group ip aux IP address IP address Indicate preempt mode for the group standby group on off Delete a group from the current interface no standby group Delete all groups from the current interface no standby Parameters group Identifies the standby group Use an integer in the range of 1 to 255 ip VIP Specifies the IP address...

Page 764: ...onnected IP subnet can be active listening on that address at one time The interfaces must all be in the same broadcast domain and must be able to receive IP packets that are sent to the multicast address 224 0 0 2 all routers from each other The interfaces in a group should implement the same services Only the first form of the command is required to create a standby configuration The other forms...

Page 765: ... 1 1 standby 2 ip 10 10 66 66 standby 2 priority 90 exit v Assigns vlan 3 to standby group 5 in the active role and specifies a VIP of 10 10 66 66 Not specifying a priority accepting the default of 100 ensures that the interface is the active member of this group Places the interface in preempt mode meaning that it resumes the active role following a failure and subsequent restoration to service v...

Page 766: ... vlan vlan 3 Modify VLAN Sub Interface configuration no standby 2 exit v Deletes all standby groups on vlan 3 vlan vlan 3 Modify VLAN Sub Interface configuration no standby exit 740 Command Reference ...

Page 767: ... commands on page 949 are available in Error Handling Policy configuration mode error monitor Assigns or removes a Count Monitor Syntax error monitor name no error monitor Parameters name Specifies the name of an existing Count Monitor Guidelines The Count Monitor can monitor transactions that are handled by this Error Handling Policy The Count Monitor must be configured to count transactions that...

Page 768: ... URL and then return its contents to the client error rule The appliance runs the specified error rule and return the result to the client standard The appliance passes the error to the Application Security Policy selected for the Web Application Firewall If the Application Security Policy includes an Error Map that will match the error then that action is taken This mode is useful even if no Erro...

Page 769: ...tion timeout value for firewall to server connections Syntax back persistent timeout time Parameters time Specifies the maximum inter transaction idle time Use an integer in the range of 0 to 7200 The default is 180 A value of 0 disables persistent connections Guidelines Sets the inter transaction timeout value the maximum idle time allowed between the completion of a TCP transaction and the initi...

Page 770: ...Disables chunked encoded documents Alternatively use the no chunked uploads command Guidelines The Gateway may send an HTTP 1 1 request to the back end server In this case the body of the document can be delimited by either Content Length or chunked encoded documents All servers will understand how to interpret Content Length and many applications will fail to understand chunked so Content Length ...

Page 771: ... Handling Policy follow redirects Controls attempts to resolve redirects Syntax follow redirects on off Parameters on Enables the resolution of redirects off Disables the resolution of redirects Alternatively use the no follow redirects command Guidelines Some protocols generate redirects as part of the protocol for example HTTP response code 302 Use the follow redirects command to specify if the ...

Page 772: ...nsaction on the firewall to client connection This timer for example monitors idle time within the data transfer process If the specified idle time is exceeded the connection is torn down Related Commands back persistent timeout back timeout front persistent timeout persistent connections host rewriting Controls the rewriting of the Host header to reflect the final route Syntax host rewriting on o...

Page 773: ...X Client IP http front version Selects the HTTP version to use on the client side frontend connection Syntax http front version HTTP 1 0 HTTP 1 1 Parameters HTTP 1 0 Uses HTTP 1 0 HTTP 1 1 Default Uses HTTP 1 1 listen on Sets the addresses and ports on which the firewall listens Syntax listen on address port use SSL Parameters address Specifies the local IP address on the appliance Can be 0 0 0 0 ...

Page 774: ...ing no address and port assigned An assignment to only the 10 10 13 35 address and 3345 port web application firewall portal fw Web Application Firewall configuration mode listen on 0 0 0 0 3345 no listen on listen on 10 10 13 35 3345 priority Assigns a service level priority Syntax priority low normal high Parameters low Receives below normal priority for scheduling or for resource allocation nor...

Page 775: ...nt of security on client requests Syntax request security on off Parameters on Enables the enforcement of request security off Disables the enforcement of request security Alternatively use the no request security command response security Controls the enforcement of security on server responses Syntax response security on off Parameters on Enables the enforcement of response security off Disables...

Page 776: ... identifies the cryptographic resources key certificates and cipher lists available to the SSL proxy Assignment of an SSL Proxy Profile to a Web Application Firewall is optional unless the useSSL argument of the listen on command is set to on for at least one address port assignment In the absence of an assigned SSL Proxy Profile the firewall conducts all communications with both clients and serve...

Page 777: ...ll processing is complete Syntax stream output to back buffer until verification stream until infraction Parameters buffer until verification Default Causes the Web Application Firewall to buffer submitted messages until all processing is verified complete After verification returns messages to the client stream until infraction Causes the Web Application Firewall to begin sending the message to t...

Page 778: ...e are unescaped This makes checking for attack sequences such as more reliable xml manager Assigns an XML manager Syntax xml manager name Parameters name Specifies the name of the XML Manager The default is default Guidelines You do not need to change the default value To use an XML Manager with user specific characteristics use the Global xml manager command to create a new XML Manager Use this c...

Page 779: ... but not all of the commands that are listed in Chapter 114 Monitoring commands on page 949 are also available in Web Application Name Value Profile configuration mode max aggregate size Specifies the maximum size of the combined name value pairs Syntax max aggregate size bytes Parameters bytes Specifies the maximum size in bytes The default is 128000 max attributes Specifies the maximum number of...

Page 780: ...lue to a Value attribute that does not match an entry in the validation list Syntax unvalidated fixup map value Parameters value Specifies an alphanumeric string Use quotation marks around the string Guidelines The value of the Value attribute of any name value pair that does not match at least one entry in the validation list is replaced with this constant value when unvalidated fixup policy is s...

Page 781: ...ines Cross site scripting XSS signatures are generally attempts to obfuscate the real meaning of the value if the value were displayed directly in a browser You want to validate any data that might get stored and displayed again later such as the contents of a comment form The check looks for escaped characters characters with the high bit set and various forms of the term script which is often us...

Page 782: ...he Failure Policy is executed Additionally unmatched values can be checked for Cross Site Scripting Cross site scripting signatures are generally attempts to obfuscate the real meaning of the value if the value were displayed directly in a browser You want to validate any data that might get stored and displayed again later such as the contents of a comment form The check looks for escaped charact...

Page 783: ... all of the commands that are listed in Chapter 114 Monitoring commands on page 949 are also available in Web Application Request Profile configuration mode aaa policy Assigns an AAA Policy Syntax aaa policy name no aaa policy name Parameters name Specifies the name of an existing AAA Policy Guidelines The aaa policy command assigns an AAA policy to the Web Application Request Profile The AAA Poli...

Page 784: ...use an error type Specifies what to do with the cookie contents in the request none Default Does not encrypt or sign cookie contents encrypt Encrypts cookie contents using the specified key sign Appends a digital signature to the cookie contents using the specified key key Specifies the secret passphrase to encrypt or sign cookie contents If the key is the same on multiple appliances each applianc...

Page 785: ...override name no error policy override Parameters name Specifies the name of an existing Error Handling Policy Related Commands web application firewall Global webapp error handling Global Guidelines Establishes an Error Policy for the Request Profile An Error Policy determines the handling of errors that are encountered during processing This is the default behavior for all requests and responses...

Page 786: ...fies the maximum size of all parts combined to allow The default is 5000000 on off If on forces the individual form data content types to be matched against the general list of request acceptable content type expressions The default is off Guidelines The defaults are enforced automatically Use the request content type command to create content types Related Commands request content type Examples v...

Page 787: ...application security policy Global ratelimiter policy Assigns or removes a Rate Limit Policy Applies to all requests Syntax ratelimiter policy name no ratelimiter policy name Parameters name Specifies the name of an existing Rate Limit Policy Guidelines A Rate Limit policy is optional A Rate Limit Policy restricts identities as determined by an AAA Policy or the client IP address when not using an...

Page 788: ...od provides a body Syntax request body min bytes Parameters bytes Specifies the minimum request body size in bytes The default is 0 Related Commands request body max request body profile Assigns or removes the Name Value Profile to process URL encoded HTTP POST body content Syntax request body profile name no request body profile name Parameters name Specifies the name of an existing Name Value Pr...

Page 789: ...tent types are allowed You can use a PCRE expression to match one or more HTTP Content type expressions Use the no form with the PCRE to remove only the designated Content type from the list Use the noform without the PCRE argument to remove all Content types that are assigned Examples v Adds text xml and text html to the Contents types list request content type text html request content type text...

Page 790: ...equest header profile portal hdr nvp v Removes all Name Value Profile assignments no request header profile request methods Sets the HTTP methods to allow Syntax request methods Method Method Parameters Method Method Specifies one or more of the allowed Methods concatenated with the symbol v POST v GET v PUT v HEAD v OPTIONS v TRACE v DELETE Guidelines Specifies all methods to allow when using thi...

Page 791: ...arsed binary object This rule can alter the content of the request The Rule can perform such actions as authenticate and authorize convert to XML repackage with additional information retrieved from elsewhere and or send a copy of the request content to a third destination The result of this rule is then used as the request payload for further processing Related Commands request nonxml rule reques...

Page 792: ...y Strings Rejects requests without Query Strings Related Commands request qs profile request qs profile Specifies the Name Value Profile to apply to HTTP Query Strings Syntax request qs profile name no request qs profile name Parameters name Specifies the name of an existing Name Value Profile Guidelines Use the request qs profile command to set the Name Value Profile to apply to Query Strings whe...

Page 793: ...Parameters on Default Filters for the exe string off Disables the filter Related Commands request uri filter dotdot request uri filter fragment request uri filter unicode request uri filter fragment Determines how to handle URI fragments Syntax request uri filter fragment allow reject truncate Parameters allow Default Allows requests that contain URI fragments reject Rejects requests that contain ...

Page 794: ...est uri filter fragment request uri max Sets the maximum size to allow for the entire URI Syntax request uri max characters Parameters characters Specifies the maximum number of characters The default is 1024 Related Commands request uri filter dotdot request uri filter exe request uri filter fragment request uri filter unicode request versions Sets HTTP protocol versions to support Syntax request...

Page 795: ...equest nonxml rule request xml rule Examples v Sets the policy for XML requests to validate that the request is well formed XML A Processing Rule is then configured to run on the request request xml policy xml request xml rule request aaa request xml rule Specifies the Processing Rule to apply to XML content Syntax request xml rule name Parameters name The name of an existing Processing Rule Guide...

Page 796: ... Management Policy Syntax session policy name no session policy name Parameters name Specifies the name of an existing Session Management Policy Guidelines Without a Session Management Policy no Policy is applied Use the Global webapp session management command to create a Session Management Policy Use the no session policy to remove any Session Policy assignment Related Commands webapp session ma...

Page 797: ...de name no error policy override Parameters name Specifies the name of an existing Error Handling Policy Guidelines Establishes an optional Error Policy for the Response Profile An Error Policy determines the handling of errors that are encountered during processing This is the default behavior for all responses and responses handled by this Response Profile It can override the Error Policy config...

Page 798: ...e backend service Guidelines Each transaction can match more than one response profile on the same transaction When this happens the satisfaction style policy type helps to determine how the results of the profiles are combined v When the policy type is pre requisite all matching profiles in the Application Security Policy are run A failure of any of these profiles results in the failure of the tr...

Page 799: ...s code code Specifies one or more codes to allow To specify multiple codes concatenate with the symbol The default values are shown in this list Possible values v HTTP 100 100 Continue default v HTTP 101 101 Switching Protocols v HTTP 200 200 OK default v HTTP 201 201 Created default v HTTP 202 202 Accepted default v HTTP 203 203 Informative v HTTP 204 204 No Content default v HTTP 205 205 Reset v...

Page 800: ...TP 100 and HTTP 200 only response codes HTTP 100 HTTP 200 response content type Sets the HTTP Content types to allow Syntax response content type PCRE no response content type PCRE Parameters PCRE Specifies a string representation of the Content type to allow such as text xml This is a PCRE expression that may match one or more HTTP Content type expressions Guidelines Use this command as many time...

Page 801: ...nd to remove any profile assigned If no Profile is specified no processing occurs Related Commands webapp gnvc Global Examples v Specifies the portal hdr nvp Name Value Profile to apply the HTTP header content response header profile portal hdr nvp v Removes the Name Value Profile no response header profile response nonxml policy Determines how to handle non XML content Syntax response nonxml poli...

Page 802: ...er processing Related Commands request nonxml rule request xml policy response xml rule response nonxml rule Specifies the Processing Rule to apply to non XML content Syntax response nonxml rule name Parameters name Specifies the name of an existing Processing Rule Guidelines The response nonxml rule specifies the Processing Rule to apply to non XML content Use this command when the response nonxm...

Page 803: ...e content Related Commands request nonxml policy request nonxml rule response xml rule response xml rule Specifies the Processing Rule to apply to XML content Syntax response nonxml rule name Parameters name Specifies the name of an existing Processing Rule Guidelines Specifies the Processing Rule to apply to XML content when the response xml policy is either xml or soap Without a Processing Rule ...

Page 804: ...778 Command Reference ...

Page 805: ...de allow cookie sharing Enables or disables the use of cookies by more than one Internet address Syntax allow cookie sharing on off Parameters on Makes the session cookie address independent off Default Cookies cannot be shared by IP addresses Guidelines The allow cookie sharing command enables or disables the use of cookies by more than one Internet address Enabling cooking sharing is useful when...

Page 806: ...sion in seconds The default is 3600 Related Commands auto renew matching policy Sets the Matching Rule to determine the URLs of session start pages Syntax matching policy name Parameters name Specifies the name of an existing Match Rule to identify start pages Guidelines The matching policy command sets the Matching Rule to determine the URLs of session start pages Start pages are pages that can b...

Page 807: ...sing a WebGUI session because of inactivity Syntax idle timeout seconds Parameters seconds Specifies the timeout value of the idle session in seconds Use an integer in the range of 0 through 65535 local address Identifies the local address to monitor for requests Syntax local address address port Parameters address port Specifies the IP address and port number monitored for incoming Web Management...

Page 808: ... Examples v Assuming that this file is the startup configuration clicking the Save Config WebGUI button Writes the running configuration to config autoconfig cfg Retains the file designated by the boot config command as the startup configuration no save config overwrite v Assuming that this file is the startup configuration clicking the Save Config WebGUI button Writes the running configuration to...

Page 809: ...x aaa policy aaaPolicyName Parameters aaaPolicyName Specifies the name of an existing AAA Policy Guidelines The results of the AAA Policy are cached so it is not evaluated again when used in later processing by the request or response rule With Reliable Messaging the focus is on protecting the Reliable Messaging control messages such as CreateSequence and TerminateSequence it is also run on incomi...

Page 810: ...mber of attributes associated with an XML element The default is 128 Guidelines If proxy specific parser limitations are enabled by the gateway parser limits command the attribute count assigned by attribute count overrides any parser limit that might be inherited from the XML manager assigned to the Web Service Proxy Related Commands attachment byte count element depth gateway parser limits max m...

Page 811: ...he inter transaction timeout for proxy to server connections Syntax back persistent timeout timerValue Parameters timerValue Specifies the maximum inter transaction idle time in seconds Use an integer in the range of 0 through 7200 The default is 180 A value of 0 disables persistent connections Guidelines The back persistent timeout command sets the inter transaction timeout value the proxy specif...

Page 812: ...thin the data transfer process If the specified idle time is exceeded the connection is torn down backend url Specifies the URL to which all traffic to the static backend server is routed Syntax backend url url Parameters url Specifies a URL that fully identifies where all traffic is routed by default This property can take one of the following general forms v http host port URI v https host port ...

Page 813: ...e Specifies the name of an existing URL Rewrite Policy to rewrite the backend WSDL port address Guidelines If no URL Rewrite Policy is specified the default local address is the IP address of the appliance and the relative URI and the original port number are from the WSDL port address that are specified in the source WSDL Related Commands frontside port rewrite Examples v Identifies the URL Rewri...

Page 814: ...disabled the default state and enabling it on a per URL basis with the User Agent configuration client principal Specifies the name of the Kerberos client principal to decrypt encrypted requests Syntax client principal principal Parameters principal Specifies the full name of a client principal Guidelines The client principal command the full name of a Kerberos client principal to decrypt encrypte...

Page 815: ...tions Syntax decrypt key name Parameters name Specifies the name of an existing Key object Guidelines The decrypt key command specifies the key to decrypt encrypted payloads if any The resulting decrypted node set will be passed to the processing rules default param namespace Specifies the default XML namespace for stylesheet parameters that are defined without an explicit namespace Syntax default...

Page 816: ...int rewrite policy Assigns an Endpoint Rewrite Policy to the Web Service Proxy Syntax endpoint rewrite policy policyName Parameters policyName Specifies the name of an existing Endpoint Rewrite Policy Guidelines The Endpoint Rewrite Policy determines the local remote and published endpoints that are used by the Web Service Proxy If absence of an existing policy the proxy uses local and remote endp...

Page 817: ...rty is enabled the proxy will try and transparently resolve those redirects forbid external references deprecated Comments This command is deprecated Use the external references command front attachment format Specifies the attachment format received from front end clients Syntax front attachment format dime dynamic mime Parameters dime Specifies that client attachments are DIME encapsulated docum...

Page 818: ... for as long as 20 seconds after the expiration of the persistence timer Related Commands back persistent timeout back timeout front timeout persistent connections front protocol Assigns a specified protocol handler to the Web Service Proxy Syntax front protocol name no front protocol name Parameters name Identifies the client side protocol handler Guidelines Issue this command as many times as ne...

Page 819: ...port rewrite Specifies a URL Rewrite Policy used to modify the WSDL port address specified in the source WSDL when the service is loaded Syntax frontside port rewrite name Parameters name Identifies the URL Rewrite Policy used to rewrite the frontend WSDL port address Guidelines If no URL Rewrite Policy is specified the default local address is the IP address of the appliance and the relative URI ...

Page 820: ...Firewall Credentials List to the current proxy fwcred standard creds v Removes the standard creds Firewall Credentials List from the current proxy no fwcred standard creds v Removes all Firewall Credentials List objects from the current proxy no fwcred gateway parser limits Enables or disables proxy specific parser limitations Syntax Enables parser limitations gateway parser limits Disables proxy ...

Page 821: ... distinct name based elements that are separate from the URL to demultiplex HTTP uses the Host header for this purposes Web servers that issue redirects might want to disable this feature These web servers often depend on the Host header for the value of their redirect Related Commands urlrewrite policy propagate uri http client ip label Identifies the HTTP header that contains the IP address of t...

Page 822: ...s version 1 1 of the protocol include content type encoding Enables or disables the inclusion of character set encoding data in content type headers that are generated by the Web Service Proxy Syntax Enables the inclusion of character set encoding data include content type encoding Disables the inclusion of character set encoding data no include content type encoding Guidelines Assume a UTF 8 enco...

Page 823: ...s suppress kerberos keytab Specifies the keytab that contains the principals Syntax kerberos keytab name Parameters name Specifies the name of an existing Kerberos Keytab object Guidelines The kerberos keytab command specifies the keytab that contains the principals The Web Service Proxy uses these principals to decrypt automatically encrypted requests and responses This keytab must contain the pr...

Page 824: ...orithm Examples v Disables the use of an HTTP header for load balancing uses the IP address to calculate the hash Subsequently enables load balancing traffic to the backend servers using a hash algorithm identified by the X Forwarded For HTTP header no load balancer hash header load balancer hash header X Forwarded For loop detection Enables or disables the loop detection algorithm Syntax Enables ...

Page 825: ...XML document is considered malicious and dropped The default is 0 This value indicates that there is no size limit Related Commands attachment byte count attribute count element depth max message size mime back headers Enables or disables the parsing of MIME headers in multipart messages that are sent over HTTP to and from backend servers Syntax Enables MIME header parsing mime back headers Disabl...

Page 826: ...a message can sometimes contain MIME headers before any preamble and before the first MIME boundary in the body of the message These MIME headers might contain important information that is not available in the protocol headers such as the string identifying the MIME boundary If this command is enabled the default state the DataPower service processes these MIME headers When enabled and there are ...

Page 827: ...tor to the current proxy monitor count wsgw counter v Removes the wsgw counter Count from the current proxy no monitor count wsgw counter v Removes all Count Monitors from the current proxy no monitor count monitor duration Assigns or removes a Duration Monitor Syntax Assigns a Duration monitor monitor duration name Removes a Duration monitor no monitor duration name Parameters name Specifies the ...

Page 828: ...y monitor either shapes buffers to delay or rejects a message no further monitors will execute terminate at first match Monitors will execute in the order in which they are listed After any monitor matches a message and takes any action at all no further monitor will execute monitor service Assigns or removes a Service Level Monitor Syntax Assigns a Service Level Monitor monitor service name Remov...

Page 829: ...of the following values Disables all WSDL based matching criteria Disabling the matching criteria effectively creates a document based Processing Policy all Default Matches all inputs which Includes or excludes all WSDL component types operation port service to and from the match criteria operation Matches when the identified operation is requested in the current transaction Matches wsdl binding o...

Page 830: ...quotation marks Any specified value is ignored v If wsdl specifies either a URL or the local name mnemonic that is assigned to the WSDL file subscription Specifies the name of an existing Subscription object The property is meaningful only when the value of the component type is subscription Guidelines To create a new Conformance Policy use the Global conformancepolicy command Related Commands con...

Page 831: ...s included in the identified WSDL port Matches wsdl service wsdl port name when formatted as serviceNamespace port name service Matches when the operation requested in the current transaction is included in the identified WSDL service Matches wsdl service name when formatted as serviceNamespace name subscription Matches an identified subscription key wsdl Matches when the operation requested in th...

Page 832: ... Matches wsdl binding operation name when formatted as bindingNamespace name or matches wsdl service wsdl port when formatted as serviceNamespace port name operation name port Matches when the operation requested in the current transaction is included in the identified WSDL port Matches wsdl service wsdl port name when formatted as serviceNamespace port name service Matches when the operation requ...

Page 833: ... allocation Use one of the following values low Receives below normal priority normal Default Receives normal priority high Receives above normal priority Guidelines The priority set by the priority command is overridden by this property Related Commands priority parameter Assigns or removes a stylesheet parameter Syntax parameter name value no parameter name Parameters name Specifies the name of ...

Page 834: ...y no parameter persistent connections Enables or disables HTTP 1 1 persistent connections on the proxy to server connection Syntax Enables persistent connections persistent connections Disables persistent connections no persistent connections Guidelines With persistent connections enabled the default state for both HTTP 1 0 and HTTP 1 1 the DataPower service negotiates with the remote HTTP peer an...

Page 835: ...t Matches wsdl service wsdl port name when formatted as serviceNamespace port name service Matches when the operation requested in the current transaction is included in the identified WSDL service Matches wsdl service name when formatted as serviceNamespace name subscription Matches an identified subscription key wsdl Matches when the operation requested in the current transaction is defined in t...

Page 836: ...heduling or for resource allocation normal Default Receives normal priority for scheduling or for resource allocation high Receives above normal priority for scheduling or for resource allocation Guidelines The priority set by the operation priority command overrides this setting Related Commands operation priority process http errors Indicates whether to processing errors from the backend server ...

Page 837: ... route with style sheet route action action in the processing policy In this case use the dp set target extension element to define that target backend server For the other dynamic routing options that are available with the route action and route set actions the URI is absolute When enabled the service rewrites the URI of the backend URL to the URI in the client request If URI propagation is enab...

Page 838: ...und to underlying transport level protocol InOrder Reliable Messaging messages must be delivered in the same sequence as sent by the source deliveryAssuranceType Identifies the assurance type Use the following keyword exactly once Messages must be delivered exactly one time wsdlComponentType Specifies the type of the WSDL component to match Use one of the following values Disables all WSDL based m...

Page 839: ... wildcard character to specify all operations v If port specifies the name of the WSDL port Use the wildcard character to specify all ports v If service specifies the name of the WSDL service Use the wildcard character to specify all services v If subscription specify double quotation marks Any specified value is ignored v If wsdl specifies either a URL or the local name mnemonic that is assigned ...

Page 840: ...e twice If this connection attempt fails the system logs the message at the debug level and then four seconds later logs the message at the error level Note If identical event detection for the Log Target is enabled and its suppression period is greater than the reporting interval logging of the failure message at the error level is suppressed While the Web Service Proxy attempts to retrieve the W...

Page 841: ...the forwarding of messages that contain large attachments The root part of the message which typically contains a SOAP message is subject to filter and transform actions No processing of parts other than the root part is possible Accompanying documents can be passed intact Guidelines The request attachment command specifies the processing mode for attachments in client requests as defined in RFC 2...

Page 842: ...ts in the package for a needed manifest v All attachments in the package if the package does not contain the needed attachment reject Rejects messages that contain attachments strip Default Removes attachments from the message before processing streaming Allows messages that contain attachments in streaming mode but provides limited processing Messages in the form of a SOAP message package which i...

Page 843: ...e such as determining the route or performing authentication and authorization xml Characterizes the traffic as raw unencapsulated XML soap Characterizes the traffic as SOAP unprocessed Characterizes the traffic as non XML traffic that is not transformed by the proxy Related Commands request type soap schema url root part not first action Sets the action to take when the MIME message root part is ...

Page 844: ...nd the full name of a Kerberos server principal to decrypt encrypted responses This command is meaningful when the service needs to decrypt automatically encrypted requests Use when the encryption uses a Kerberos session key or uses a key that was derived from the session key This principal must be in the keytab identified by the kerberos keytab command Related Commands kerberos keytab soap action...

Page 845: ...onfigurations or other special cases Related Commands request type response type ssl Assigns an SSL Proxy Profile Syntax ssl name no ssl name Parameters name Specifies the name of the SSL Proxy Profile Guidelines The ssl command assigns or removes an SSL Proxy Profile to the current Web Service Proxy thus enabling a secure communications line between the Web Service Proxy and the remote servers or...

Page 846: ...o be certain that the DataPower service streams messages end to end Related Commands stream output to front stream output to front Specifies client facing streaming behavior Syntax stream output to back buffer until verification stream until infraction Parameters buffer until verification Default Specifies that the DataPower service buffer server response messages until all processing is verified ...

Page 847: ...ml manager suppress Suppresses deletes HTTP header fields from the traffic stream between a Web Service Proxy and an HTTP client or server Syntax suppress front back field no suppress front back field Parameters front Indicates the traffic stream between a proxy and the HTTP client back Indicates the traffic stream between a proxy and the HTTP server field Specifies the name of an HTTP header fiel...

Page 848: ...ic backend Default Sets the proxy type to static backend Guidelines If the type is static backend use the backend url command to identify the supported server Related Commands backend url uddi subscription Adds or removes a UDDI subscription Syntax uddi subscription uddiSubscriptionName no uddi subscription Parameters uddiSubscriptionName Specifies the name of an existing UDDI Subscription object ...

Page 849: ... Rewrite Policy Syntax urlrewrite policy name no urlrewrite policy name Parameters name Specifies the name of the URL Rewrite Policy Guidelines A URL Rewrite Policy is not required to configure a Web Service Proxy Use the no urlrewrite policy command to remove the assignment of a specific URL Rewrite Policy Without a URL Rewrite Policy removes all assigned URL Rewrite Policy objects from the proxy...

Page 850: ...or enter for any portType WSDL binding Specifies WSDL binding criteria for policy selection Specify a particular binding with the wsdl definitions wsdl binding name form or enter for any binding WSDL operation Specifies WSDL operation criteria for policy selection Specify a particular operation with the wsdl definitions wsdl operation name form or enter for any operation behavior Identifies the av...

Page 851: ... NoResponseValidation Does not validate response messages against the schema that is contained in the corresponding WSDL file SuppressFaultsElementsForRPCWrappers Allows RPC operation wrapper for fault messages This setting applies to the full selected WSDL files NoWSA Ignores all Web Services Addressing WS Addressing configuration settings NoWSRM Ignores all Web Services Reliable Messaging WS Rel...

Page 852: ...is wsa2sync or wsa2wsa In these topologies this command ensures that all messages contain the WS Addressing FaultTo element This element identifies the recipient endpoint of fault messages Because the WS Addressing specifications do not require the inclusion of the FaultTo element the DataPower service might receive messages that do not contain a FaultTo element or that contain the element with no...

Page 853: ...o element or that contain the element without a value When this happens the DataPower service modifies the message to include a ReplyTo element that contains the value specified by the replyURL argument If a default recipient endpoint of response messages is not explicitly identified by this command the DataPower service provides the following default value http schemas xmlsoap org ws 2004 08 addr...

Page 854: ...eaders into incoming traditionally addressed messages Syntax wsa force on off Parameters on Default Forces the inclusion of WS Addressing headers off Retains the traditional addressing headers Guidelines The was force command is relevant when the DataPower service provides service to users of WS Addressing and users or traditionally addressed messages the wsa mode command is wsa2wsa wsa2sync or sy...

Page 855: ... an asynchronous exchange pattern in which the server response is received over a different channel than the one used by the DataPower service to convey the client request oob Identifies an out of band exchange pattern in which the routing of the response to the original client is handled by the target server and does not pass through the DataPower service sync Default Identifies a synchronous exc...

Page 856: ...nes If the server response to an HTTP client request is asynchronous the DataPower service must close the original HTTP channel with a valid response code After the channel is closed the DataPower service forwards the server generated response or fault message to the client over a new channel Related Commands wsa genstyle Examples v Specifies an HTTP Response Code of 210 to close an open HTTP clie...

Page 857: ...o the server and requires the DataPower service to maintain state information associating the received response with an outstanding request v When operating in wsa2sync mode the DataPower service under user control can Insert WS Addressing headers into the traditionally addressed server response The default behavior is to retain the original addressing format Strip the WS Addressing headers from a...

Page 858: ... the target server and does not pass through the DataPower service An out of band response requires explicit non anonymous client originated ReplyTo and FaultTo element values that are preserved by the DataPower service and passed to the server Related Commands wsa back protocol wsa force wsa genstyle wsa timeout wsa strip headers Examples v Specifies sync2wsa mode indicating that the DataPower se...

Page 859: ...Addressing headers from an incoming message off Disables the deletion of WS Addressing headers from an incoming message Guidelines This command is relevant when the DataPower service is positioned between users of WS Addressing and a nonusers that is when the WS Addressing mode as specified by the wsa mode command is wsa2sync or sync2wsa Note WS Reliable Messaging requires the termination of WS Ad...

Page 860: ...m pause of 1 minute while waiting for an asynchronous response wsa timeout 60 wsa to rewrite Assigns or removes a URL Rewrite Policy that rewrites the contents of the Web Services Addressing WS Addressing To element Syntax wsa to rewrite urlRewritePolicy no wsa to rewrite Parameters urlRewritePolicy Specifies the name of an existing URL Rewrite Policy Guidelines The wsa to rewrite command modifies...

Page 861: ...y subjects service endpoint operation message in the WSDL file Guidelines The wsdl command associates a WSDL file with the Web Service Proxy The WSDL file defines the Web services that the Web Service Proxy supports Use the no wsdl command to remove a WSDL file from the Web Service Proxy Related Commands user policy Examples v Associates the accountQuery wsdl WSDL file in the local directory defin...

Page 862: ... files at http server banking are cached every 24 hours wsdl wsdl cache policy http server banking 86400 wsrr subscription Obtains web services through a WSRR subscription Syntax wsrr subscription wsrrSubscriptionName no wsrr subscription Parameters wsrrSubscriptionName Specifies the name of an existing WSSR subscription object Guidelines Adds a WSRR Subscription to the current Web Service Proxy A...

Page 863: ...l wsrm source retransmit count wsrm aaapolicy Assigns an AAA Policy Syntax wsrm aaapolicy name Parameters name Specifies the name of an existing AAA Policy Guidelines Use the wsrm aaapolicy command to assign an AAA Policy to perform authentication of incoming Reliable Messaging messages This AAA Policy can be the same one that is used in later processing by the request or response rule The results...

Page 864: ...Accept can create a Reliable Messaging destination for the server to send Reliable Messaging messages to the client Related Commands wsrm wsrm destination accept offers Indicates whether to accept offers for two way Reliable Messaging in CreateSequence SOAP requests Syntax wsrm destination accept offers on off Parameters on Accepts two way requests off Default Does not accept two way requests Guid...

Page 865: ...utilization by the Reliable Messaging destination Related Commands wsrm wsrm destination maximum inorder queue length wsrm destination maximum inorder queue length Specifies the maximum number of messages held in the queue Syntax wsrm destination maximum inorder queue length numberOfMessages Parameters numberOfMessages Specifies the maximum number of messages beyond the gap Use an integer in the r...

Page 866: ...saging for all SOAP messages that request rules process Syntax wsrm request force on off Parameters on Requires Reliable Messaging for all requests off Default Does not require Reliable Messaging for all requests Guidelines The xxx command indicates whether to require the use of Reliable Messaging for all SOAP messages that request rules process The client must establish a sequence with a CreateSe...

Page 867: ... SOAP message has an Expireslifetime that is longer than this value the value in the SequenceResponse SOAP message is reduced to this value The same process applies to the Expireslifetime in any accepted Offer in an incoming CreateSequence and for the requested Expires value in any CreateSequence SOAP call that is made to the client or server from a Reliable Messaging source This implementation ne...

Page 868: ...synchronous Acks Related Commands wsrm wsrm source exponential backoff Indicates whether to use the exponential back off Syntax wsrm source exponential backoff on off Parameters on Default Uses the exponential back off to increase the interval between retransmissions The value of the wsrm source retransmission interval command sets with the initial timeout off Does not use the exponential back off...

Page 869: ...ceResponse SOAP reply v With a specified Front Side Protocol Handler and the front side sends a CreateSequence SOAP message to establish a reliable back channel there will be a non anonymous URL specified in the AcksTo element of the CreateSequence SOAP request v Without a Front Side Protocol Handler the AcksTo elements has the value http www w3 org 2005 08 addressing anonymous which indicates syn...

Page 870: ... a Reliable Messaging destination Related Commands wsrm wsrm source request create sequence wsrm source maximum queue length Specifies the maximum number of messages held in the queue Syntax wsrm source maximum queue length numberOfMessages Parameters numberOfMessages Specifies the size of the queue in number of messages Use an integer in the range of 1 through 256 The default is 30 Guidelines The...

Page 871: ...numberOfMessages Parameters numberOfMessages Use an integer in the range of 1 through 256 The default is 1 Guidelines The wsrm source request ack count command specifies the number of messages that the a Reliable Messaging source sends before including the AckRequested SOAP header to request an acknowledgement Related Commands wsrm wsrm destination accept offers wsrm source request create sequence...

Page 872: ...ndicates whether to create a Reliable Messaging source from the front side to the client when there is SOAP data to send to the client and there is no Reliable Messaging source that was created by a MakeOffer from the client by sending a CreateSequence SOAP request to the WS Addressing ReplyTo address Related Commands wsa mode wsrm wsrm source exponential backoff wsrm source inactivity close inter...

Page 873: ...fers wsrm source request create sequence wsrm source response create sequence wsrm source sequence ssl Indicates whether to use an SSL session binding to protect sequence lifecycle messages Syntax wsrm source sequence ssl on off Parameters on Uses an SSL session binding off Default Does not use an SSL session binding Guidelines All Reliable Messaging control messages and sequence messages are boun...

Page 874: ...command assign an XML manager to the Web Service Proxy An XML manager obtains and controls resources required by the Web Service Proxy In the absence of an explicit limit the DataPower appliance assigns the default XML Manager to support Web Service Proxy operations Related Commands stylesheet policy xml manager Global 848 Command Reference ...

Page 875: ...mation for the current domain in the expectation that a manager will connect Buffering reduces the loss of transaction accounting information but at the cost of more memory consumed discard Discards transaction information for the current domain Guidelines Buffering Mode controls the behavior of the Web Services Management Agent when there are no registered consumers of transaction events Records ...

Page 876: ...ed consumers of transaction events Buffering reduces the loss of transaction accounting information but at the cost of more memory consumed Records are accumulated until the configured size limits are reached After maximum values are reached new records will be dropped max records Specifies the maximum number of buffered transactions Syntax max records count Parameters count Specifies the maximum ...

Page 877: ...n mode endpoint name Specifies the WSDL defined endpoint to monitor Syntax endpoint name endpoint Parameters endpoint Identifies the target WSDL endpoint Guidelines Use the endpoint name exactly as defined in the WSDL file endpoint url Specifies the URL of the WSDL endpoint to monitor Syntax endpoint url URL Parameters URL Specifies the URL of the target endpoint Guidelines Use the URL exactly as ...

Page 878: ...s to monitor Specify the following keyword all Monitors all WSDL defined operations target Specifies whether to monitor errors or transactions Specify one of the following keywords front Monitors error counts rate Monitors transaction counts threshold Specifies the threshold level Use one of the following keywords v low v high For example as transaction rates rise the first limit might be reached ...

Page 879: ...gh 50 throttle transport Specifies the transport type that the monitored endpoint uses Syntax transport type Parameters type Identifies the transport type Use one of the following values v HTTP GET v HTTP SOAP v SOAP document v SOAP RPC wsdl Specifies the location of the WSDL file Syntax wsdl URL Parameters URL Specifies the location of the target WSDL file Guidelines The WSDL file can reside on t...

Page 880: ...854 Command Reference ...

Page 881: ... this argument protocol Specifies the part of the URL from web service binding that specifies the protocol This defaults to the protocol found in the WSDL file host Specifies the part of the URL from web service binding that specifies the host name or IP address If not specified the value from the WSDL will be used To use a load balancer specify the name of an existing Load Balancer Group port Spe...

Page 882: ... Rewrite policy named someBanking moves to WS Proxy Endpoint Rewrite configuration mode and defines a remote endpoint rewrite rule with the following properties A PCRE of http somebank com SomeBankPort to match the web service port A protocol of http An IP address for the remote endpoint of 10 10 13 35 A port of 2068 A local path of SomeBankService services SomeBankPort wsm endpointrewrite someBan...

Page 883: ...cates whether the front side protocol handler determines the protocol interface and port of the local address for any matched WSDL service port Specifying on overrides the values specified for protocol hostname and port in this rewrite rule The default is off Guidelines All of the arguments for the listener rule command must be specified in the documented order The Local Endpoint defines the IP ad...

Page 884: ...e binding that specifies the local path If no string is configured the value from the WSDL will be used Guidelines All of the arguments for the publisher rule command must be specified in the documented order This rule rewrites the endpoint published to UDDI registries or included in the WSDL supplied by the Proxy in response to a request for a WSDL describing the services offered by the Proxy PCR...

Page 885: ...lue from the WSDL will be used port Specifies the part of the URL from web service binding that specifies the port A value of 0 uses the port value from the WSDL The default is 0 uri Specifies the part of the URL from web service binding that specifies the remote path If no string is configured the value from the WSDL will be used binding protocol Specifies the WSDL binding protocol to use in the ...

Page 886: ...Service services SomeBankPort subscription listener rule Adds edits or deletes a subscription local endpoint rewrite rule Syntax subscription listener rule subscription protocol host port uri front protocol use front protocol Parameters subscription Specifies the name of an existing UDDI Subscription to match against a subscription that the Proxy uses for this rewrite rule protocol Specifies the p...

Page 887: ...equest for service as described in the published WSDL The Proxy listens for requests at the Local Endpoint URL Related Commands subscription backend rule subscription publisher rule Examples v Creates an Endpoint Rewrite policy named testing moves to WS Proxy Endpoint Rewrite configuration mode and defines a local endpoint rewrite rule with the following properties The uddiSubscriber SomeBankPort ...

Page 888: ...be specified in the documented order This rule rewrites the endpoint published to UDDI registries or included in the WSDL supplied by the Proxy in response to a request for a WSDL describing the services offered by the Proxy Related Commands subscription backend rule subscription listener rule Examples v Creates an Endpoint Rewrite policy named someBanking moves to WS Proxy Endpoint Rewrite config...

Page 889: ... documents Syntax filter URL Parameters URL Specifies the location of the style sheet Guidelines The assigned default style sheet performs XML filtering only if a candidate XML document fails to match any of the filter rules defined within the processing policy Examples v Identifies validate xsl as the default style sheet to filter documents filter store validate xsl match Adds a Policy Map or del...

Page 890: ... Specifies the name of the WSDL port service Specifies the name of the WSDL service subscription Specify double quotation marks Any specified value is ignored wsdl Specifies the name of the WSDL file matching rule Specifies the name of a matching rule previously created with the matching command and populated with the httpmatch or urlmatch commands that serves as a source of URL or HTTP templates ...

Page 891: ...scription test valClientServer wsrrSub 1 v Remove all rules from the current Processing Policy no match xsldefault Identifies a default style sheet to transform documents Syntax xsldefault URL Parameters URL Specifies the location of the default style sheet Guidelines This default style sheet performs XML transformation only if a candidate XML document fails to match any transform rule in the proc...

Page 892: ...866 Command Reference ...

Page 893: ...ntext name output context Parameters input context Identifies the context that contains the document authenticated or authorized by the AAA policy that is implemented in this Processing Rule name Specifies the name of an AAA Policy output context Optionally identifies the context where any post processing output is stored Use OUTPUT to specify the final policy output that is the transformed client...

Page 894: ...original client request or server response rule Specifies the name of the rule to invoke output context Specifies the output context to store the result Specify OUTPUT to use the final policy output which is the transformed client request or transformed server response Guidelines A call action invokes another named rule Examples v Applies the specified call rule processRequest to the document in t...

Page 895: ...iginal client request or server response output context Specifies an output context where the converted document is stored Specify OUTPUT to use the final policy output which is the transformed client request or transformed server response map Optionally identifies the input conversion map to perform document encoding The default is to treat as URL escaped Guidelines A convert http action implemen...

Page 896: ...applies an XPath expression to a context and stores the result in another context In the absence of variable argument the results of the XPath expression are stored as the default contents tree of the destination context Examples v Applies the games url XPath expression to the INPUT context and stores the result in the three context extract INPUT three games url v Applies the games url XPath expre...

Page 897: ...filter input context stylesheet Parameters input context Specifies the context that contains the document to be filtered Specify INPUT to use the initial policy input which is the original client request or server response stylesheet Specifies the style sheet to filter the source document and can take the form of a URL or of a var URL that expands to a URL Guidelines A filter action accepts or rej...

Page 898: ... with the ZIP algorithm pkzip Decompresses all incoming traffic with the PKZIP algorithm none Default Performs no decompression on incoming traffic Guidelines Use the input filter command only if all incoming traffic can be compressed with the selected algorithm Attempts to decompress data that is not compressed data will result in data corruption log Adds a log action Syntax log input context des...

Page 899: ...s the operational response to an error and takes one of the following forms abort Indicates that processing is ceased continue Indicates that processing continues rule Optionally specifies an error rule that is executed in the event of an error condition input context Optionally identifies the input context for the error rule The default is to use the input context of the failed action output cont...

Page 900: ...In the absence of this argument the contents of the target context are transmitted to the OUTPUT of the Processing Rule response Specifies the target context that stores the parsed reply This argument is required when a response is expected Otherwise it is not used Guidelines A results action transmits the contents of a context to a specified destination Examples v Sends the contents of the INPUT ...

Page 901: ...he INPUT context to the destination of the rule results INPUT v Sends the contents of the INPUT context to the destination referenced by the local var local dest URL results INPUT var local dest v Sends the contents of the INPUT context to the loopback server for processing Stores results in the apple context results INPUT http 127 0 0 1 9000 apple rewrite Adds a rewrite action that implements a U...

Page 902: ... Syntax route set destination sslProxyProfile Parameters destination Specifies a URL that identifies the document destination This argument can be expressed as a protocol specific URL or as a var URL that expands to a transport URL sslProxyProfile Optionally specifies the name of an SSL Proxy Profile to establish a secure connection with the destination Guidelines A route set action enables dynami...

Page 903: ...the dest variable to http ragnarok 9010 in the routing context Overrides INPUT as the context argument setvar INPUT var context routing dest http ragnarok 9010 slm Adds an slm action that implements an SLM Policy Syntax slm input context name Parameters input context Specifies the context to monitor Specify INPUT to use the initial policy input which is the original client request or server respon...

Page 904: ...e error rule request rule response rule rule Parameters error rule Identifies the rule as an error rule to invoke in response to a fault condition request rule Identifies the rule as a request rule to apply to client requests response rule Identifies the rule as a response rule to apply to server responses rule Identifies the rule as a bidirectional rule to apply to client requests and to server r...

Page 905: ...nt specifies the use of a dynamically generated schema to use for document validation url identifies the URL of the dynamic schema to use for document validation The value can be expressed as a URL or as a variable that expands to a URL schema url Regardless of xsi schemaLocation attributes in the document specifies the URL of the schema to for document validation The value can be expressed as a U...

Page 906: ...the INPUT context with the schema that is referenced by the var context schemas 1 variable validate INPUT schema var context schemas 1 v Adds a validation action Validates XML documents in the INPUT context with the local SchemaOne xsd schema Possibly stores the transformed document in the Post Validation context validate INPUT schema store SchemaOne xsd Post Validation xform Adds an xform action ...

Page 907: ...o the Processing Rule Transforms the document in the Step2 context with the style sheet that the var stylesheets 5 variable references Sends the transformed document to the final output xform Step2 var stylesheets 5 OUTPUT xformpi Adds an xformpi action Syntax xformpi input context URL output context xformpi input context dynamic stylesheet object output context Parameters input context Specifies ...

Page 908: ...An optional style sheet can be specifies when the XML document does not contain processing instructions An optional style sheet can be identified to transform documents that lack internal processing instructions Related Commands convert http Examples v Adds a transform to the Processing Rule Transforms the original input with processing instructions in the XML document Sends the transformed docume...

Page 909: ...re also available in WSSR Server configuration mode password Specifies WSRR server credentials Syntax password passphrase Parameters passphrase Specifies the user password Guidelines Used in conjunction with username command to provide the credentials used to access the WSRR Server Required when the WSRR server enforces authentication Related Commands username server version Identifies the WSRR se...

Page 910: ...he URL to access the SOAP API on the WSRR server The URL differs by WSRR version v The default listening port for HTTP is 9080 v The default listening port for HTTPS is 9443 For additional information about the URI for the Core Web service refer to your version specific WSRR documentation Examples v Access the default internal HTTP transport port for the Core Web service on a WSRR 6 0 2 server htt...

Page 911: ... url command starts with https Related Commands soap url username Provides WSRR server credentials Syntax username name Parameters name Specifies the user name Guidelines Use in conjunction with password command to provide the credentials used to access the WSRR Server Required when the WSRR server enforces authentication Related Commands password Chapter 104 WSRR Server configuration mode 885 ...

Page 912: ...886 Command Reference ...

Page 913: ...on Syntax fetch policy attachments on off Parameters on Default Enables the retrieval of policy attachments off Disables the retrieval of policy attachments Guidelines The fetch policy attachments command indicates whether the subscription service can retrieve external policy attachments for a WSDL subscription This command is relevant only when server version is WSRR_6 1 Related Commands server v...

Page 914: ...ct name Examples v Specifies the resource name and namespace providing an unambiguous identification of the target resource wsrr subscription Proxy 1 New WSRR Subscription configuration namespace http tonawanda sr ibm com ValidateInsurance object name InsuranceService wsdl object name Used in conjunction with the namespace command to unambiguously identify a subscribed to WSSR resource Syntax obje...

Page 915: ... is created and maintained by the WSRR administrator is simply a package for metadata and can contain one or more WSDL files possibly along with a number of associated files to include XSD schemas and XML files such as AAA info files refresh interval Specifies the synchronization frequency Syntax refresh interval seconds Parameters seconds Specifies the interval in seconds between synchronization ...

Page 916: ...query the registry for the version of a WSDL file The WSRR registry maintains a Version attribute for WSDL files This attribute is a user defined suffix that identifies different versions of a WSDL file For example subsequent versions of a WSDL file could be identifies as 1 1 or 2 If enabled the value for the version command must match exactly the Version attribute v If disabled and there are mult...

Page 917: ...the version of the WSDL file to retrieve from the WSRR registry The registry maintains a Version attribute for WSDL files This command is relevant only when use version is on and there is more than one version of the WSDL file in the registry Related Commands use version Chapter 105 WSRR Subscription configuration mode 891 ...

Page 918: ...892 Command Reference ...

Page 919: ...meters name Specifies the name of the ACL Guidelines An ACL restricts access to those IP addresses specified by the ACL You can assign a single ACL to an XML Firewall Use the no acl command to remove the ACL XML Firewall assignment Related Commands acl allow deny attachment byte count Specifies the XML Firewall specific maximum size for an attached document Syntax attachment byte count bytes Param...

Page 920: ...om the XML Manager that is assigned to the XML Firewall Related Commands attachment byte count bytes scanned element depth firewall parser limits max message size max node size Examples v Sets the maximum attribute count for the current XML Firewall to 512 xmlfirewall FW 1 XML Firewall configuration mode firewall parser limits on attribute count 512 back attachment format Specifies the attachment ...

Page 921: ...uced by expanding entity references Related Commands firewall parser limits Examples v Specifies a maximum document scan of 2 MB firewall parser limits on bytes scanned 2097152 default param namespace Specifies the default namespace for parameters made available via the CLI or WebGUI Syntax default param namespace namespace Parameters namespace Specifies the name of the default namespace Guideline...

Page 922: ...tations are enabled by the firewall parser limits command the nesting limit assigned by this command overrides the value which is inherited from the XML Manager assigned to the XML Firewall Related Commands attachment byte count attribute count bytes scanned firewall parser limits max message size max node size Examples v Sets the maximum nesting depth to 128 firewall parser limits on element dept...

Page 923: ... resources With firewall specific parser limits enabled incoming documents are evaluated using the values that are defined by the attribute count bytes scanned and element depth commands Related Commands attribute count bytes scanned element depth Examples v Enables firewall specific parser limits firewall parser limits on attribute count 512 bytes scanned 2097152 element depth 128 forbid external...

Page 924: ...ies Without a Firewall Credentials List all keys and certificates on the appliance are available to support firewall activities Before using this commands a Firewall Credentials List must exist If needed create a Firewall Credentials List with the fwcred Crypto command Use the no fwcred command to remove the assignment of a Firewall Credentials List to an XML Firewall Related Commands fwcred Crypt...

Page 925: ...erfaces local address 0 45000 max message size Specifies the maximum size of SOAP or XML messages to process Syntax max message size kilobytes Parameters kilobytes Specifies the maximum size of SOAP or XML messages in kilobytes Use an integer in the range of 0 through 2097151 The default is 0 A value of 0 specifies unlimited size Guidelines Limits the SOAP XML payload not the size of the incoming ...

Page 926: ...Use the no mime headers command to disable MIME support monitor count Assigns a Count Monitor Syntax monitor count name no monitor count name Parameters name is the name of the message count monitor assigned to the service Guidelines After completing the configuration of a message count monitor activate the monitor by assigning it to a service Use the no monitor count command to remove the Count M...

Page 927: ...ion RateLimit1 v Removes the assignment of the RateLimit1 duration monitor from the current service no monitor duration RateLimit1 monitor processing policy Sets the behavior when a service has multiple monitors Syntax monitor processing policy terminate at first throttle terminate at first match Parameters terminate at first throttle Default Monitors will execute in the order in which they are li...

Page 928: ...or by assigning it to a service Use the no service count command to remove the Service Level Monitor assignment Related Commands monitor count monitor duration Examples v Assigns the wsdlPortSLM SLM to the current service monitor service wsdlPortSLM v Removes the assignment of the wsdlPortSLM SLM from the current service no monitor count LogSquelch parameter Makes a parameter available and to styl...

Page 929: ... designates the parameter namespace parameter http www example com foobar value v Makes a parameter available designates no namespace parameter foobar value v Deletes the recipient parameter from the current XML Firewall no parameter recipient v Deletes all parameters from the current XML Firewall no parameter priority Assigns a service level priority Syntax priority low normal high Parameters low...

Page 930: ...rs made available through a URL query string query param namespace http www somecompany com namespaces remote address Specifies the address port pair of the backend server Syntax remote address address port remote address load balancer remote address loopback remote address dynamic Parameters address port Specifies a dotted decimal IP address or host name with the port in the range 0 to 65535 that...

Page 931: ...rface port pair of the web or application server as 10 10 1 100 45000 remote address 10 10 1 100 45000 v Supports multiple servers Actual server addresses are extracted using the set target or xset target extension elements remote address dynamic v Operating under server control loops back a received document after performing document processing remote address loopback request attachments Specifie...

Page 932: ...he forwarding of messages that contain large attachments The root part of the message which typically contains a SOAP message is subject to filter and transform actions No processing of parts other than the root part is possible Accompanying documents can be passed intact Guidelines The request attachment command specifies the processing mode for attachments in client requests as defined in RFC 23...

Page 933: ...ocessing mode for SOAP attachments in server responses Syntax response attachments mode Parameters mode Specifies one of the following keywords to indicate the processing mode for SOAP attachments allow Allows messages that contain attachments and processes needed attachments Needed attachments are buffered but attachments that are not needed might be streamed directly to output Attachments are bu...

Page 934: ...t command specifies the processing mode for attachments in server responses as defined in RFC 2387 This type of request is a compound object that consists of several interrelated body parts and is the mechanism that is used to support the bundling of attachments in a SOAP message package which is commonly referred to as a SOAP with Attachments message Meaningful only when the value of the response...

Page 935: ...bsequent attachments process in order Default Processes the attachments and root part in the order that they appear in the original message All parts are still processed in streaming mode even though only attachments after the root will be streamed from the network Guidelines When streaming MIME messages specifies the action to take when the root part is not the first part of the message If the ro...

Page 936: ...x ssl name no ssl Parameters name Specifies the name of the SSL Proxy Profile assigned to the XML Firewall Guidelines Assignment of an SSL Proxy Profile to an XML Firewall is optional In the absence of an assigned SSL Proxy Profile the XML Firewall client and server exchanges are accomplished over a nonsecure connection An SSL Proxy Profile specifies the SSL operational mode client server or two w...

Page 937: ...he backend server by examining the request The XML Firewall processes request and response messages with the processing policy defined with the stylesheet policy command An SSL Client Profile can be defined with the ssl command to communicate with the target server and an SSL Server Profile can be defined with the ssl command to communicate with the client v When loopback the XML Firewall processe...

Page 938: ...o provide in response to NET WSDL requests Syntax wsdl file location url Parameters url Specifies the location of the target WSDL file Guidelines Used when the value of the wsdl response policy command is serve to designate the local WSDL file to provide in response to NET WSDL requests received via the http domain com service wsdl convention Related Commands wsdl response policy Examples v Specif...

Page 939: ...uest via the http domain com service wsdl convention Related Commands wsdl file location Examples v Specifies that NET WSDL requests are responded to by serving the designated local pseudoProxy wsdl file Such requests are not forwarded to the backend server wsdl response policy serve wsdl file location local pseudoProxy wsdl xml manager Assigns an XML Manager Syntax xml manager name Parameters nam...

Page 940: ...914 Command Reference ...

Page 941: ...s address Specifies an IP address that in conjunction with the port identifies the XML Management Interface The default is 0 0 0 0 which indicates all active addresses Guidelines The local address command specifies the IP address to monitor for incoming requests Instead of specifying an IP address you can specify the name of an existing Host Alias Local host aliases help to ease migration tasks be...

Page 942: ...upports the SLM protocol The URI for the SLM protocol is service slm datashare 1 0 The SLM protocol is used to communicate SLM data between appliances and is not a public web service By default this mode is enabled wsm WS Management Endpoint Exposes a management endpoint that supports the WS Management family of protocols The URI for the WS Management endpoint is service ws management wsdm WSDM En...

Page 943: ... Identifies the listening port on the appliance that monitors SOAP XML management traffic The default is 5050 Related Commands local address Examples v Configure the XML Management Interface on port 1080 of the specified interface xml mgmt Modify XML Management Interface configuration local address 10 10 13 7 port 1080 slm peering Specifies the frequency to issue SLM peer group updates Syntax slm ...

Page 944: ...domain To create a new SSL Proxy Profile use the Global sslproxy command Related Commands sslproxy Global Examples v Changes the assignment of the SSL Proxy Profile to mgmtProxy xml mgmt Modify XML Management Interface configuration ssl mgmtProxy user agent Assigns a User Agent Syntax user agent name Parameters name Specifies the name of an existing User Agent The default is xml mgmt Guidelines Th...

Page 945: ...Examples v Changes the assignment of the User Agent to mgmtAgent xml mgmt Modify XML Management Interface configuration user agent mgmtAgent Chapter 107 XML Management Interface configuration mode 919 ...

Page 946: ...920 Command Reference ...

Page 947: ...e listed in Common commands on page 2 and most but not all of the commands that are listed in Chapter 114 Monitoring commands on page 949 are also available in XML Manager configuration mode loadbalancer group Associates a Load Balancer Group with an XML Manager Syntax loadbalancer group name no loadbalancer group Parameters name Specifies the name of the Load Balancer Group Guidelines Assignment ...

Page 948: ...n the absence of the frequency argument the rule is run a single time Use the no schedule rule command to cancel rule execution user agent Assigns a User Agent Syntax user agent name no user agent Parameters name Specifies the name of the User Agent Guidelines You can assign only one User Agent to an XML Manager Use the no user agent command to remove the User Agent assignment from the XML Manager...

Page 949: ...er element attribute count Syntax attribute count limit Parameters limit Specifies the maximum number of attributes to allow within an XML element The default is 128 Related Commands bytes scanned element depth bytes scanned Specifies the maximum scope of the scan operation for the XML parser Syntax bytes scanned bytes Parameters bytes Specifies the maximum scan in bytes The default is 4 MB Guidel...

Page 950: ...ces and replaces external entities with the empty string Guidelines An external reference is an external entity or external DTD definition forbid external references deprecated Comments This command is deprecated Use the external reference command max node size Specifies the maximum size of a single XML node in kilobytes Syntax max node size kilobytes Parameters kilobytes Specifies the maximum mes...

Page 951: ...Specifies the namespace prefix URI Specifies the namespace location Examples v Creates the Departmental XPath Routing Map and enters XPath Routing Map configuration mode Adds XML namespace data xpath routing Departmental XPath Routing Map configuration mode namspace mapping dp http www datapower com extensions rule Creates a forwarding rule Syntax rule expression host port on off Parameters expres...

Page 952: ...tmental XPath Routing Map and enters XPath Routing Map configuration mode Adds four XPath based forwarding rules to Departmental XML documents that contain elements that match the XPath expression request dept dev are forwarded to server 127 0 0 1 8001 via a secure connection documents that contain elements that match the expression request dept sales are forwarded to 127 0 0 1 8002 via a secure c...

Page 953: ...ient URLs in the document cache Syntax cache relative url on off Parameters on Enables caching of relative client URLs off Default Disable caching of relative client URLs Alternatively use the no cache relative url command Guidelines connection timeout Specifies the amount of time that the XSL Coprocessor maintains an idle connection Syntax connection timeout seconds Parameters seconds Specifies t...

Page 954: ...e result node set Syntax intermediate result timeout seconds Parameters seconds Specifies the number of seconds that an XSL Coprocessor retains an unused intermediate result node set Use an integer in the range of 1 through 600 The default is 20 ip address Specifies the local IP address to monitor for incoming traffic Syntax ip address address 0 Parameters address Specifies the IP address primary ...

Page 955: ...s ip address Examples v Specifies 10 10 13 35 23000 as the local IP address port that the current XSL Coprocessor service monitor xslcoproc proxy 1 XSL Coprocessor Service configuration mode ip address 10 10 13 35 port 23000 priority Assigns a service level priority Syntax priority low normal high Parameters low Receives below normal priority for scheduling or for resource allocation normal Defaul...

Page 956: ...ginated documents The assigned policy is used in place of any processing instructions contained within the server originated documents Examples v Assigns the processHeaders Document Processing Rule to the current XSL Coprocessor stylesheet policy processHeaders stylesheet rule Assigns a Processing Rule Syntax stylesheet rule name Parameters name Specifies the name of the Processing Rule Guidelines...

Page 957: ...former transformer factory newTransformer transform input file and send result to stdout transformer transform new StreamSource args 0 new StreamResult System out This command sequence creates the global SignSoapSec Processing Rule rule signSoapSec xform INPUT store sign soapsec xsl OUTPUT exit Now create the coprocCrypto XSL Coprocessor and assign the SignSoapSec Processing Rule to the Coprocesso...

Page 958: ...rs name Specifies the name of the URL Rewrite Policy use client resolver Enables or disables the use of a client based JAXP URI resolver to resolve external URLs Syntax use client resolver on off Parameters on Default Enables client based URI resolver off Disable client based URI resolver Alternatively use the no use client resolver command xml manager Assigns an XML Manager Syntax xml manager nam...

Page 959: ...ss Control List ACL Syntax acl name no acl Parameters name is the name of the ACL assigned to the current XSL Proxy Guidelines The acl command assigns an ACL to an XSL Proxy An ACL restricts access to the current XSL Proxy to those IP addresses that are specified by the ACL Use the no acl command to remove the ACL assignment from the XSL Proxy Related Commands acl Global allow deny Examples v Assi...

Page 960: ...ocal IP address to monitor for incoming traffic Syntax ip address address 0 Parameters address Specifies the IP address primary or secondary of a DataPower Ethernet interface 0 Indicates all DataPower Ethernet interfaces Guidelines In conjunction with the port command identifies the IP addresses and ports that the XSL Proxy service monitors Related Commands port Examples v Specifies 10 10 13 35 23...

Page 961: ...ental monitor to the current XSL Proxy monitor count LogSquelch v Removes the LogSquelch incremental monitor no monitor count LogSquelch monitor duration Assigns a duration monitor to an XSL Proxy Syntax monitor duration name no monitor duration name Parameters name Specifies the name of the duration monitor assigned to the XSL Proxy Guidelines After completing the configuration of a duration moni...

Page 962: ...nate at first match Monitors will execute in the order in which they are listed After any monitor matches a message and takes any action none of the further monitors will execute Examples v Allows only the first matching monitor to execute when a service has multiple monitors attached monitor processing policy terminate at first match parameter Makes a parameter available for the processing policy...

Page 963: ...rameter value pair available to the current XSL Proxy designates no namespace parameter foobar value v Deletes the foo parameter no parameter foo v Deletes all parameters no parameter priority Assigns a service level priority Syntax priority low normal high Parameters low Receives below normal priority for scheduling or for resource allocation normal Default Receives normal priority for scheduling...

Page 964: ...via a URL query string Syntax query param namespace namespace Parameters namespace Specifies the name of the default namespace Guidelines The default namespace for parameters introduced by a URL query string is http www datapower com param query Related Commands default param namespace parameter Examples v Assigns a default namespace for parameters made available to the current XSL Proxy through a...

Page 965: ...ans that the address of the target server is dynamically extracted from the client request using the dp set target or dp xset target extension elements loopback Sets the proxy type to loopback proxy Sets the XSL Proxy type to strict proxy which means that the address of the target server is extracted from HTTP directives Guidelines XSL Proxy types differ in how they route and forward client reques...

Page 966: ...v reverse v two way Use the no ssl command to remove the SSL Proxy Profile assignment Related Commands stylesheet policy urlrewrite policy xml manager Examples v Assigns the SSL1 SSL proxy to the current XSL Proxy ssl SSL1 v Removes the assignment of an SSL Proxy Profile from the current XSL Proxy no ssl stylesheet policy Assigns a Processing Policy Syntax stylesheet policy name Parameters name Sp...

Page 967: ...xy identifies the backend server using the IP address and port defined with the remote address command The XSL Proxy processes request and response messages with the processing policy defined with the stylesheet policy command An SSL Client Profile can be defined with the ssl command to communicate with the target server and an SSL Server Profile can be defined with the ssl command to communicate ...

Page 968: ...t policy xml manager Examples v Assigns the Rw1 URL Rewrite Policy to the current XSL Proxy urlrewrite policy Rw1 xml manager Assigns an XML Manager Syntax xml manager name Parameters name Specifies the name of an existing XML Manager Guidelines You must assign an XML manager to the current XSL Proxy Related Commands ssl stylesheet policy urlrewrite policy Examples v Assigns the mgr1 XML Manager t...

Page 969: ...aPower appliance with the NSS server The NSS client ID is a unique string used by the NSS Server to track clients The client ID does not have to correspond to any preexisting object It is provided by the NSS client to the server at the time of registration If another client attempts to register with the same client ID to the same NSS Server the NSS server will send a heartbeat to the first client ...

Page 970: ...he target NSS server zos nss nssClient2 New zOS NSS Client configuration host 192 168 1 109 password Password to use to authenticate as in SAF on the NSS server Syntax password password Parameters password Specifies the password to use to authenticate to the NSS server Minimum length is 1 Maximum length is 8 Valid characters are v a through z v A through Z v 0 through 9 v _ underscore v dash Embed...

Page 971: ...ort 4159 zos nss nssClient1 New zOS NSS Client configuration host 192 168 1 109 port 4159 ssl Assigns an SSL Proxy Profile Syntax ssl name Parameters name Specifies the name of an existing SSL Proxy Profile to use for a secure connection Guidelines An SSL Proxy Profile must be assigned to the z OS NSS Client to use secure communication The SSL Proxy Profile must exist in the current application do...

Page 972: ...n an NSS client is a z OS system this field contains the system name such as MVS046 Examples v Sets DP001 as the system name zos nss nssClient1 New zOS NSS Client configuration system name DP001 user name Specifies a user name to authenticate as in SAF on the NSS server Syntax user name user Parameters user Specifies a user name to use to authenticate to the NSS server Minimum length is 1 Maximum ...

Page 973: ...s the user name to testUser with the password pword as the credentials to authenticate on the NSS server zos nss nssClient1 New zOS NSS Client configuration user name testUser password pword Chapter 113 z OS NSS Client configuration mode 947 ...

Page 974: ...948 Command Reference ...

Page 975: ...absence of the optional name argument the system displays a list of all current command macros Related Commands alias show application security policy Displays a list of Web Application Security Policies Syntax show application security policy name Parameters name Specifies the name of an existing Application Security Policy Guidelines Policy names are followed by the associated command or command...

Page 976: ... with or without pagination Use the np keyword to display the audit log without pagination When displaying the audit log use the user date time or address keyword to indicate the sorting sequence The date and time keywords are equivalent Examples v Displays the events in the audit log in date sequence show audit log date show audit search Searches the audit log and displays matching events Syntax ...

Page 977: ... v Display events in the audit log for the joesmith account one screen at a time show audit search user joesmith v Display events in the audit log from February 10 2008 onward one screen at a time show audit search time 20080210 v Display events in the audit log from IP address 10 10 10 15 upward as one continuous list show audit search np address 10 10 10 15 v Display events in the audit log from...

Page 978: ...n mode only show cpu Displays average CPU utilization data for the last 10 seconds 1 minute 10 minutes 1 hour and 1 day Syntax show cpu show crypto Displays SSL configuration information Syntax show crypto tree type Parameters tree Default Displays the information in a tree format with each SSL Proxy Profile as the root type Displays an object oriented view of the cryptographic resources Context A...

Page 979: ...document cache and the number of documents cached Syntax show documentcache xml mgr Parameters xml mgr Specifies the name of an existing XML Manager Related Commands documentcache show domain Displays configuration settings for domains Syntax show domain name show domains Displays status information about each domain Syntax show domains Guidelines The show domains command displays the following st...

Page 980: ...o display The URL takes the directory filename format where directory Specifies a directory on the appliance Refer to Directories on the appliance on page xxii for details filename Specifies the name of a file in the directory Guidelines You cannot use the show file command to display a file stored in the cert directory Related Commands copy dir delete show firmware Displays the current firmware v...

Page 981: ...e is the primary or secondary installation image or the date on which the image was installed For these details use the show firmware command Related Commands show firmware show library version show version show http Displays HTTP configuration details for a specified DataPower service or displays transaction counts and times for all DataPower services Syntax show http name Parameters name Specifi...

Page 982: ... Related Commands interface show interface mode show interface mode Displays configuration information about all Ethernet interfaces Syntax show interface mode Guidelines The show interface mode displays the following configuration information about the Ethernet interfaces v The connection status v Indicates whether the physical mode speed and duplex is negotiated v The interface speed v The MAC a...

Page 983: ... maps or display this information about the specified host Displays each map with an alphabetic prefix S Designates a static mapping entered from the CLI D Designates a dynamic mapping learned from the DNS The show ip name servers command displays the IP addresses of the DNS servers Context show ip address command is available in Interface configuration mode only Related Commands ip address ip dom...

Page 984: ...oup Displays all current Load Balancer Group objects or a specific object Syntax show loadbalancer group group Parameters group Specifies the name of an existing Load Balancer Group Related Commands loadbalancer group show loadbalancer status show loadbalancer status Displays the status of all Load Balancer Group objects Syntax show loadbalancer status Related Commands loadbalancer group show load...

Page 985: ...me of a log and optionally displays only the events from the specified log that match the specified expression archive Displays a list of available archival methods category log category Displays summary information about all active log categories or displays summary information about the specified log category encrypt Displays a list of available log encryption methods event Displays a list of su...

Page 986: ...evel Syntax show loglevel Guidelines Log messages are characterized in descending order of criticality as emergency alert critical error warning notice and info The log levels can also be expressed as integer values with 0 equating to emergency and 6 equating to info Related Commands loglevel show matching Displays a list of all matching rules or displays a specific Stylesheet Policy matching rule...

Page 987: ...y 503216 kbytes XG4 Resource Usage 1 show netarp Displays the address resolution table Syntax show netarp Related Commands arp show ntp refresh Displays the refresh status for the current NTP server Syntax show ntp refresh Guidelines The show ntp refresh command provides the following details about the current NTP server if configured v The IP address of the last NTP server that was contacted v Th...

Page 988: ...nds password map show radius Displays RADIUS configuration settings Syntax show radius Related Commands id retries server timeout show raid phys disks Type 9235 Displays the status of the physical disks in the RAID volume Syntax show raid phys disks Context Available only of Type 9235 appliances with the hard disk array as auxiliary storage show raid volume Type 9235 Displays the configuration of ...

Page 989: ...s auxiliary storage show route Displays the appliance routing table Syntax show route Related Commands ip default gateway show rule Displays a list of named transformation or filtering rules Syntax show rule Related Commands rule Global show running config Displays the running configuration as a set of commands Syntax show running config Related Commands write memory show sensors deprecated This c...

Page 990: ...h values for the intrusion switch each of the two power supply modules and the battery If the appliance uses the hard disk array configuration provides truth values for each of the two disks in the array v A value of true indicates that the condition exists v A value of false indicates that the conditions does not exist For the intrusion switch the value indicates whether it has been tripped For e...

Page 991: ... show services Displays a list of all active services Syntax show services Guidelines Use the show services command to display a concise list of all active services The local IP field of the list contains the IP address and port in the form address port where the service is active An IP address of 0 0 0 0 indicates that the service is active on all interfaces Related Commands cli telnet httpserv t...

Page 992: ...s the contents commands of the configuration with which the appliance was last booted or restarted Syntax show startup config Guidelines Displays the configuration with which the appliance was booted The startup configuration might not reflect the current operational state or the startup configuration designated by the boot config file Context Available in Global Configuration mode only show start...

Page 993: ...xy XSL Coprocessor TCP Server HTTP Server Telnet Server and CLI Connections services Memory use shows the amount of memory currently being used and total memory Connections accepted shows the number of connections over the last 10 seconds 1 minute 10 minutes 1 hour and 24 hours CPU usage shows the average CPU utilization over the last 10 seconds 1 minute 10 minutes 1 hour and 24 hours executions s...

Page 994: ...stylepolicy urlmatch show stylesheet Displays compilation information about a specified stylesheet Syntax show stylesheet XML manager URL Parameters XML manager Specifies the name of an XML Manager URL Specifies the local URL of the style sheet Guidelines Use this command to obtain the URL of the target style sheet Related Commands show stylesheets show stylesheets Displays data about style sheets...

Page 995: ...havior of the DataPower appliance when faced with a user defined low memory condition Syntax show throttle Guidelines The appliance monitors its memory usage and reacts to low memory conditions by first refusing to accept new connections If the refusal to accept new connections does not free sufficient memory the appliance responds by restarting itself When free memory falls below the throttle thr...

Page 996: ...RL map Syntax show urlmap URL map Parameters URL map Specifies the name of an existing URL map Guidelines Must be used in Global configuration mode In the absence of an argument this command displays a list of all URL maps When issued with an argument this command displays the contents of the named URL map Related Commands urlmap show urlrefresh Displays a list of Stylesheet Refresh Policies Synta...

Page 997: ...ist of all users currently logged into the appliance Syntax show users Related Commands show usernames show version Displays the current version of the firmware and libraries Syntax show version Guidelines The show version command provides the combined details of the show firmware version and show library version commands Related Commands show firmware version show library version show web applica...

Page 998: ...b Application Error Handling Policy Guidelines Policy names are followed by the associated command or command sequence In the absence of the optional name argument the system displays a list of all current command macros Related Commands webapp error handling show webapp gnvc Displays a list of Web Application Name Value Profile objects Syntax show webapp gnvc name Parameters name Specifies the na...

Page 999: ... a list of Web Application Response Profile objects Syntax show webapp response profile name Parameters name Specifies the name of an existing Web Application Response Profile Guidelines Profile names are followed by the associated command or command sequence In the absence of the optional name argument the system displays a list of all current command macros Related Commands webapp response profi...

Page 1000: ...ommand provides configuration details of all WSRR Server objects Context Available in Global configuration mode only Related Commands wsrr server Global show wsrr subscription Displays the configuration of WSRR subscriptions Syntax show wsrr subscription name Parameters name Specifies the name of the target WSRR Subscription object Guidelines In the absence of the optional argument the command pro...

Page 1001: ...ring the configuration of the subscription The method is one of the following values v Poll v Manual Refresh Interval The refresh interval assigned during the configuration of the subscription This value is meaningful only when the synchronization method is Poll WSDLs The number of WSDL files covered by the subscription In the absence of the optional argument the command provides operational detai...

Page 1002: ...optional argument the command provides configuration details of all WSRR Subscription objects Context Available in Global configuration mode only Related Commands wsrr subscription Global show wsrr subscription show wsrr subscription status show xmlfirewall Displays configuration details for XML Firewall objects Syntax show xmlfirewall name Parameters name Specifies the name of an existing XML Fir...

Page 1003: ...name Parameters name Specifies the name of an existing XSL Proxy Guidelines In the absence of an argument displays configuration data for all proxies When issued with an argument it displays configuration data for the named target proxy only show xslrefresh Displays information about Stylesheet Refresh Policy objects Syntax show xslrefresh xml manager Chapter 114 Monitoring commands 977 ...

Page 1004: ...978 Command Reference ...

Page 1005: ...the multistep transaction In other words the service cannot read and use the variable A local context variables can be user defined or based on an extension variable For a complete list of the available extension variables refer to Extension variables on page 992 var context context variable Addresses a variable called variable in a context called context The following example transforms the docum...

Page 1006: ...ing categories v General service variables that are available to all DataPower services v Service variables that are available only to Multi Protocol Gateway services and to Web Service Proxy services v Configuration services v Load balancer service General service variables This section contains information about general variables in alphabetic order by permission category General variables are a...

Page 1007: ...ateway and Web Service Proxy services only gets the size of a request message The value 0 indicates that the size cannot be determined perhaps temporarily due to message streaming or some other processing issue var service mpgw response size For Multi Protocol Gateway and Web Service Proxy services only gets the size of a response message The value 0 indicates that the size cannot be determined pe...

Page 1008: ... variables var service back attachment format Gets the format for the backside attachment var service default stylesheet Gets the name of the default processing policy var service domain name Gets domain of the service var service front attachment format Gets the format for the frontend attachment var service system frontwsdl Gets the frontend WSDL URL of the service var service processor name Get...

Page 1009: ...tep variables usually impact the behavior of specific actions in the context of a processing rule Table 16 lists the names and permission for these variables Table 16 Names and permissions for variables that are available to all services Variable name Permission var multistep loop count Read only var multistep loop iterator Read only var service log soapversion Read write var service multistep con...

Page 1010: ...information about asynchronous transaction variables in alphabetic order by permission category Table 17 lists the names and permission for these variables Table 17 Names and permissions for variables that are available for asynchronous transactions Variable name Permission var service soap oneway mep Read write var service transaction key Write only var service transaction name Write only var ser...

Page 1011: ...le for error handling Variable name Permission var service error code Read write var service error headers Read only var service error ignore Read write var service error message Read write var service error protocol reason phrase Write only var service error protocol response Write only var service error subcode Read write var service formatted error message Read only var service strict error mod...

Page 1012: ...ice error code variable Sometimes the sub code is a more specific result code var service strict error mode Gets or sets the strict error mode This variable controls the error mode for multistep processing v If the value is set an invocation of the dp reject extension element stops multistep processing v If the value is not set an invocation of the dp reject extension element logs a message but do...

Page 1013: ...l depth Read only var service input size Read only var service transaction audit trail Read only var service transaction client Read only var service transaction id Read only var service transaction policy name Read only var service transaction rule name Read only var service transaction rule type Read only Read only variables var service current call depth Gets the current call depth This variabl...

Page 1014: ...intain the state based on an existing protocol session Routing transaction variables This section contains information about routing variables in alphabetic order by permission category Table 22 lists the names and permission for these variables Table 22 Names and permissions for variables that are available for routing Variable name Permission var service routing url Write only var service routin...

Page 1015: ...nd permissions for variables that are available for statistics Variable name Permission var service time elapsed Read only var service time forwarded Read only var service time response complete Read only var service time started Read only Read only variables var service time elapsed Gets the duration of the transaction var service time forwarded Gets the timestamp for when the request messaged wa...

Page 1016: ...Web Services Management WSM variables in alphabetic order by permission category Table 25 lists the names and permission for these variables Table 25 Names and permissions for variables that are available to WSM Variable name Permission var service wsa timeout Read write var service wsa genpattern Read write var service wsm aaa policy name Read only var service wsm binding Read only var service ws...

Page 1017: ...ice wsm validate message Gets the WSM validate message var service wsm wsdl Gets the WSM WSDL var wsm num subschema Gets the number of WSM subschema var wsm operation Gets the WSM service operation var wsm schemalocation Gets the WSM schema location var wsm resolve hrefs Gets the WSM resolve HREFs var wsm service Gets the WSM service name var wsm service port Gets the WSM service port var wsm serv...

Page 1018: ...ar local _extension header Write only var local _extension http 10 only Write only var local _extension messages Read only var local _extension prevent persistent connection Write only var local _extension response headers Read only var local _extension response header headerName Read only var local _extension responsecode Read only var local _extension sslprofile Write only var local _extension v...

Page 1019: ...is means the content encoding and accept encoding headers var local _extension donot follow redirect Disables HTTP redirects Set this variable to prevent the following of protocol level redirect sequences on the outgoing results and fetch calls that are associated with this context By default redirects are followed var local _extension header Appends the specified header field to the protocol conn...

Page 1020: ... notepad sslprofiletouse results tmpvar2 https foo bar com foome asp tmpvar3 var local _extension timeout Sets the request timeout on an input context to override any previously set timeout parameter Set the value in seconds System variables This section contains information about system variables in alphabetic order by permission category Table 27 lists the names and permission for these variable...

Page 1021: ...ead write binding var service wsm binding Transaction WSM Read only client service address var service client service address Transaction URL Read only config param var service config param Service configuration Write only contexts var service multistep contexts Service multistep Read only current call depth var service current call depth Transaction information Read only debug var system map debu...

Page 1022: ...rvice header manifest Transaction headers Read only http 10 only var local _extension http 10 only Extension Write only ident var service system ident Service general Read only input size var service input size Transaction information Read only lbhealth var service lbhealth Service load balancer Write only local service address var service local service address Transaction URL Read only loop count...

Page 1023: ...routing Write only schemalocation var wsm schemalocation Transaction WSM Read only service var wsm service Transaction WSM Read only service port var wsm service port Transaction WSM Read only service port operation var wsm service port operation Transaction WSM Read only set request header var service set request header Transaction headers Write only set response header var service set response h...

Page 1024: ...vice transaction policy name Transaction information Read only transaction rule name var service transaction rule name Transaction information Read only transaction rule type var service transaction rule type Transaction information Read only transaction timeout var service transaction timeout Transaction asynchronous Write only URI var service URI Transaction URL Read write URL in var service URL...

Page 1025: ...reate a Processing Policy and enter Processing Policy configuration mode You can also use the stylepolicy command to specify a default style sheets used for SOAP filtering and XSL transformations of candidate documents that fail to match Processing Policy rules 4 For XML Firewall services only use the request rule response rule or rule commands in conjunction with the filter and validate actions t...

Page 1026: ...gn encrypt all successfully created This command sequence creates the multi step Processing Policy that 1 Transforms all client requests using a specified style sheet 2 Transforms the results of the initial transforms using a second style sheet 3 Performs a final transformation using another style sheet 4 Forwards the final transformation to the target server stylepolicy multi step Processing Poli...

Page 1027: ...procedure to implement a processing policy using global rules 1 Use the matching command to enter Matching Rule configuration mode and to create a named matching rule or rules 2 Use the urlmatch command or the httpmatch command to populate the matching rules with shell style match patterns The URL or HTTP match patterns specify the conditions under which policy based XSL filtering or transformatio...

Page 1028: ...nd sequence creates the validate sign encrypt global rule that 1 Validates client and server generated documents against a named schema 2 Signs validated documents 3 Encrypts signed documents 4 Forwards encrypted documents to the destination client or server rule validate sign encrypt all Processing Policy Rule configuration mode validate INPUT schema store soap envelope 1 1 xsd xform INPUT store ...

Page 1029: ...ence assigns the validate sign encrypt all Processing Policy to the XML Firewall of the same name xmlfirewall validate sign encrypt all XML firewall configuration mode local address 0 9050 remote address 10 10 0 1 9000 xml manager mgr1 stylesheet policy validate sign encrypt all parameter keypair ALICE parameter recipient Alice request type xml response type unprocessed exit This command sequence ...

Page 1030: ...1004 Command Reference ...

Page 1031: ...he test urlmap command to test candidate patterns against a specific URL map 1 Use the urlrefresh command to create a Stylesheet Refresh Policy 2 Use the disable cache disable flush or interval urlmap command to populate the Stylesheet Refresh Policy with one or more URL maps and when required to assign a refresh interval to each URL map that was added to the Stylesheet Refresh Policy If desired y...

Page 1032: ...1006 Command Reference ...

Page 1033: ...emplate It is a flat measurement of total time spent in that particular template one could think of as a stop watch which starts when the template is entered and is stopped when another template is called when the other template returns the stopwatch resumes measurement Special Entities Certain specially constructed entities are also measured such as the time spent gathering key data on the docume...

Page 1034: ... modified to output an HTML web page describing which line of the style sheet generated each piece of the output In addition the debug page is annotated with notes when templates are entered with the values that are assigned to variables and other messages that may assist the user in XSLT development or troubleshooting Configuration overview Use the following procedure to implement a Compile Optio...

Page 1035: ...wer in the documentation use the Search Support feature from the product specific support page From the Search Support this product area of the product specific support page you can search the following IBM resources v IBM technote database v IBM downloads v IBM Redbooks v IBM developerWorks Getting a fix A product fix might be available to resolve your problem To determine what fixes are availabl...

Page 1036: ...Access the product support at the following Web address http www ibm com software integration datapower support b Locate the Assistance area of the product support page c Click Information to include to access that technote that lists the information that is required to report a problem 3 Submit the problem in one of the following ways Online From the IBM Support Web site http www ibm com support ...

Page 1037: ... MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF NON INFRINGEMENT MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE Some states do not allow disclaimer of express or implied warranties in certain transactions therefore this statement may not apply to you This information could inclu...

Page 1038: ...Other company product and service names may be trademarks or service marks of others 1012 Command Reference ...

Page 1039: ...g Rule 867 actor role id AAA Policy 151 add User Group 728 add header policy User Agent 709 address FTP Server Front Side Handler 298 admin state common command 3 algorithm Load Balancer Group 383 alias Global 23 login privileged type user 3 allow ACL 169 allow ccc FTP Server Front Side Handler 299 allow compression FTP Server Front Side Handler 299 allow cookie sharing Web Application Session Man...

Page 1040: ...t rewrite Web Service Proxy 787 backup Log Target 390 base dn LDAP Search Parameters 379 basicauth User Agent 710 bind dn CRL 207 bind pass CRL 207 block interval Message Filter Action 421 bold typeface xxiv boot config Flash 277 boot delete Flash 277 boot image Flash 278 boot switch Flash 278 boot update Flash 279 buffer mode Web Services Management Agent 849 bytes scanned XML Firewall 895 XML Pa...

Page 1041: ...configure terminal login privileged type user 6 Conformance Policy assert bp10 conformance 197 fixup stylesheet 197 ignored requirements 198 no fixup stylesheet 197 profiles 199 reject include summary 200 reject level 200 report level 201 report target 202 response properties enabled 202 response reject include summary 203 response reject level 203 response report level 204 response report target ...

Page 1042: ...l references Multi Protocol Gateway 442 Web Service Proxy 791 XML Firewall 897 XML Parser Limits 924 fullurlmatch 410 group 395 hostmatch 410 retry 402 rewrite 707 show sensors 963 timeout 406 destination Processing Action 528 destination routing Network Settings 490 dhcp Interface 351 iSCSI Host Bus Adapter 363 VLAN 731 diagnostics login privileged type user 6 dir Flash 283 Global 41 direction Ti...

Page 1043: ...nsion attachment format 992 local _extension attachment manifest 992 local _extension attachment root uri 992 local _extension donot follow redirect 993 local _extension error 992 local _extension header 993 local _extension http 10 only 993 local _extension messages 992 local _extension prevent persistent connection 993 local _extension response header 993 local _extension response headers 992 lo...

Page 1044: ...e storage 309 response suffix 310 response type 311 response url 311 restart timeout 312 ssl 312 unique filename prefix 312 virtual directory 313 ftp policy User Agent 712 ftp quote command list Global 46 fullurlmatch Matching Rule 410 fwcred Crypto 220 Multi Protocol Gateway 444 Web Service Proxy 793 XML Firewall 898 G gateway parser limits Multi Protocol Gateway 444 Web Service Proxy 794 general...

Page 1045: ... user password 129 usergroup 129 vlan sub interface 129 watchdog 130 web application firewall 131 web mgmt 131 webapp error handling 133 webapp gnvc 133 webapp request profile 134 webapp response profile 134 webapp session management 135 write memory 135 wsgw 136 wsm agent 136 wsm endpointrewrite 136 wsm rule 137 wsm stylepolicy 137 wsrr server 138 wsrr subscription 138 wsrr synchronize 139 xml pa...

Page 1046: ...rt execute Global 48 import format Application Domain 176 Import Configuration File 344 import package Global 48 import url Application Domain 176 inactivity timeour NFS Dynamic Mounts 497 iname iSCSI Host Bus Adapter 364 Include Configuration File auto execute 347 config url 347 interface detection 348 include config Global 49 include content type MTOM Policy 433 include content type encoding Mul...

Page 1047: ...er service variables listing 983 service lb group 983 service lb member 983 service lbhealth 983 load balancer hash header Multi Protocol Gateway 448 Web Service Proxy 797 load interval Global 59 loadbalancer group Global 57 RBM Settings 595 XML Manager 921 local address HTTP Front Side Handler 321 HTTPS Front Side Handler 337 Log Target 395 Stateful Raw XML Handler 646 local address continued Sta...

Page 1048: ...629 match with pcre Matching Rule 411 matching Global 66 Matching Rule combine with or 409 errorcode 409 fullurlmatch 410 hostmatch 410 httpmatch 410 match with pcre 411 no match 411 urlmatch 411 xpathmatch 412 matching policy Web Application Session Management 780 max aggregate size Web Application Name Value 753 max attributes Web Application Name Value 753 max filename len FTP Server Front Side...

Page 1049: ...entcache 953 show domains 953 show file 954 show firmware 954 show firmware version 955 show http 955 show interface 955 show interface mode 956 show ip 956 show library version 957 show license 958 show loadbalancer group 958 show loadbalancer status 958 show log 958 show logging 959 show loglevel 960 show matching 960 show memory 961 show netarp 961 show ntp refresh 961 show ntp service 962 show...

Page 1050: ...um sequences 484 wsrm source request ack count 485 wsrm source request create sequence 485 wsrm source response create sequence 485 wsrm source retransmission interval 486 wsrm source retransmit count 486 wsrm source sequence ssl 487 xml manager 487 multipart form data Web Application Request Profile 760 multiple outputs Processing Action 536 multistep variables log soapversion 984 multistep conte...

Page 1051: ...monitor count XML Firewall 900 XSL Proxy Service 934 no monitor duration XML Firewall 901 XSL Proxy Service 935 no monitor service XML Firewall 902 no name server DNS Settings 263 no non xml processing Processing Rule 564 WS Proxy Processing Rule 873 no ntp login privileged type user 10 no overwrite objects Import Configuration File 345 no packet capture Interface 356 VLAN 736 no parameter XML Fir...

Page 1052: ...n FTP Server Front Side Handler 306 passive port range FTP Server Front Side Handler 306 password iSCSI CHAP 361 User 722 WSSR Server 883 z OS NSS Client 944 password aaa policy FTP Server Front Side Handler 307 password map Crypto 230 patents 1011 Peer Group type 519 url 519 peer group Global 76 SLM Policy 626 persistent connections variables listing 988 service connection note 988 service persis...

Page 1053: ...68 slm 569 strip attachments 569 type 569 unprocessed 570 validate 570 xform 572 xformpi 573 processing rename pattern FTP Poller Front Side Handler 288 NFS Poller Front Side Handler 504 processing seize pattern FTP Poller Front Side Handler 289 NFS Poller Front Side Handler 505 processing seize timeout FTP Poller Front Side Handler 290 NFS Poller Front Side Handler 506 profile Compile Options 188...

Page 1054: ... Service Proxy 814 XML Firewall 905 request body max Web Application Request Profile 762 request body min Web Application Request Profile 762 request body profile Web Application Request Profile 762 request content type Web Application Request Profile 763 request header profile Web Application Request Profile 763 request match Application Security Policy 182 request methods Web Application Request...

Page 1055: ...ocessing Rule 875 route set Processing Rule 568 WS Proxy Processing Rule 876 rsize NFS Dynamic Mounts 499 NFS Static Mounts 513 rule Global 87 HTTP Input Conversion Map 328 MTOM Policy 434 Processing Action 540 Processing Policy 556 Schema Exception Map 613 XPath Routing Map 925 S saml artifact mapping AAA Policy 162 saml attribute AAA Policy 162 saml name qualifier AAA Policy 163 saml server name...

Page 1056: ...tory xxiii show common command 12 login privileged type user 12 login user type user 12 show aliases 949 show application security policy 949 show audit log 949 show audit search 950 show chkpoints 951 show clock 951 show compact flash 952 show conformancepolicy 952 show cpu 952 show crypto 952 show default gateway 952 show deployment policy 953 show documentcache 953 show domain 953 show domains ...

Page 1057: ...rotocol Gateway 463 Stateful Raw XML Handler 648 Stateless Raw XML Handler 651 UDDI Registry 691 User Agent 719 Web Management Service 782 Web Service Proxy 819 WSSR Server 884 XML Firewall 910 XML Management Interface 918 XSL Coprocessor Service 929 XSL Proxy Service 939 z OS NSS Client 945 ssl key TAM 659 ssl key stash TAM 659 ssl port UDDI Registry 691 ssl profile CRL 211 Web Application Firewa...

Page 1058: ...get 369 tasktemplates directory xxiv tcp Kerberos KDC Server 374 tcp retries Network Settings 492 tcpproxy Global 114 Telnet Service acl 671 ip address 671 port 672 temp fs terminate Throttle Settings 675 temp fs throttle Throttle Settings 676 template Global 115 login privileged type user 14 login user type user 14 temporary directory xxiv test hardware Global 116 test logging Global 116 test pas...

Page 1059: ...eway 466 Peer Group 519 Processing Action 544 Processing Rule 569 SLM Action 617 SLM Credential Class 621 SLM Resource Class 631 Web Application Error Handling Policy 742 Web Service Proxy 822 WS Proxy Processing Rule 878 XML Firewall 911 XSL Proxy Service 941 typeface conventions xxiv U UDDI Registry hostname 689 inquiry url 689 port 690 publish url 690 security url 690 ssl 691 ssl port 691 subsc...

Page 1060: ...at 992 local _extension attachment manifest 992 local _extension attachment root uri 992 local _extension donot follow redirect 993 local _extension error 992 local _extension header 993 local _extension http 10 only 993 local _extension messages 992 local _extension prevent persistent connection 993 local _extension response header 993 local _extension response headers 992 local _extension respon...

Page 1061: ... security policy 749 ssl profile 750 stream output to back 750 stream output to front 751 uri normalization 751 xml manager 752 Web Application Name Value max aggregate size 753 max attributes 753 max name size 753 max value size 754 unvalidated fixup map 754 unvalidated fixup policy 754 unvalidated xss check 755 validation 755 Web Application Request Profile aaa policy 757 acl 757 cookie policy 7...

Page 1062: ... force 840 wsrm response force 840 wsrm sequence expiration 841 wsrm source back acks to 841 wsrm source exponential backoff 842 wsrm source front acks to 842 wsrm source inactivity close interval 843 wsrm source make offer 844 wsrm source maximum queue length 844 wsrm source maximum sequences 844 wsrm source request ack count 845 wsrm source request create sequence 845 wsrm source response create...

Page 1063: ...ateway 476 Web Service Proxy 837 wsrm destination accept create sequence Multi Protocol Gateway 477 Web Service Proxy 838 wsrm destination accept offers Multi Protocol Gateway 478 Web Service Proxy 838 wsrm destination inorder Multi Protocol Gateway 478 Web Service Proxy 839 wsrm destination maximum inorder queue length Multi Protocol Gateway 479 wsrm destination maximum inorder queue length Web S...

Page 1064: ...es 924 max node size 924 xml validate Global 139 xml manager FTP Poller Front Side Handler 293 Global 141 Multi Protocol Gateway 487 NFS Poller Front Side Handler 509 Web Application Firewall 752 Web Service Proxy 848 XML Firewall 913 XSL Coprocessor Service 932 XSL Proxy Service 942 xml mgmt Global 142 xmlfirewall Global 141 xpath Processing Action 549 XPath Routing Map namespace mapping 925 rule...

Page 1065: ......

Page 1066: ... Printed in USA ...