WebSphere DataPower XML Security Gateway XS40® Version 3.7.2 Command Reference...
Before using this information and the product it supports, read the information in “Notices and trademarks” on page 1011. First Edition (December 2008) This edition applies to version 3, release 7, modification 2, level 0 of IBM WebSphere DataPower XML Security Gateway XS40 and to all subsequent releases and modifications until otherwise indicated in new editions.
This document assumes that you have installed and initially configured the appliance as described in the IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide or in the IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide, depending on the model type.
Guide Provides instructions for using the WebGUI to configure Multiple-Protocol Gateway services. v IBM WebSphere DataPower SOA Appliances: Web Service Proxy Developers Guide Provides instructions for using the WebGUI to configure Web Service Proxy services. v IBM WebSphere DataPower SOA Appliances: B2B Gateway Developers Guide Provides instructions for using the WebGUI to configure B2B Gateway services.
IBM WebSphere DataPower SOA Appliances: Extension Elements and Functions Catalog Provides programming information about the usage of DataPower XSLT extension elements and extension functions. Integration documentation The following documents are available for managing the integration of related products that can be associated with the DataPower appliance:...
Reading syntax statements The reference documentation uses the following special characters to define syntax: Identifies optional options. Options not enclosed in brackets are required. Indicates that you can specify multiple values for the previous option. Indicates mutually exclusive information. You can use the option to the left of the separator or the option to the right of the separator.
other domains. When viewed from other domains, the directory name changes from local: to the name of the application domain. logstore: This directory contains log files that are stored for future reference. Typically, the logging targets use the logtemp: directory for active logs. You can move log files to the logstore: directory.
schemas This subdirectory contains schemas that are used by DataPower services. This encrypted subdirectory contains files that are used by the appliance itself. This subdirectory is available from the command line only. pubcerts This encrypted subdirectory contains files that are used by the appliance itself.
Table 2. Commands by type of user that are available after initial login (continued) Command admin user Privileged-type user User-type user clock configure terminal disable disconnect echo enable exec exit help login ping show shutdown switch template test schema test tcp-connection traceroute Common commands For a list of the commands that are available in most configuration modes, refer to...
Table 3. Common configuration commands and their general purpose (continued) Command Purpose The command is also available after initial log in, which is before you explicitly enter a configuration mode. To determine whether these commands are available to a specific user-type class after an initial login, refer to Table 2 on page 1. The output from the command differs when invoked after initial log in and when invoked while in a configuration mode.
Guidelines Also available in Global configuration mode. If creating a macro that uses multiple commands, you can either v Surround the string in quotes and separate commands with a semicolon. For example: alias eth0 "configure terminal; interface ethernet 0" v Separate commands with an escaped semicolon. For example: alias eth0 configure terminal\;interface ethernet0 Use the no alias command to delete a command macro.
Syntax cancel Guidelines The cancel command cancels all configuration changes to the current object and returns to the parent configure mode. This command is available in all configuration modes except Interface configuration mode. Related Commands exit, reset Examples v Cancels the current configuration, which leaves the objects unchanged. # cancel clock Sets the date or time.
(config)# diagnostics Enters Diagnostics mode. Syntax diagnostics Guidelines The diagnostics command enters Diagnostics mode. Attention: Use this command only at the explicit direction of IBM Support. disable Enters User Mode. Syntax disable Guidelines Also available in Global configuration mode. Related Commands...
disconnect Closes a user session. Syntax disconnect session Parameters session Specifies the session ID. Guidelines The disconnect command closes a user session. Use the show users command to display the list of active user sessions. Related Commands show users Examples v Closes the session that is associated with session ID 36.
Related Commands disable, exit Examples v Exits User Mode and enters Privileged Mode. > enable Username: admin Password: ******** exec Calls and runs a target configuration script. Syntax exec URL Parameters Identifies the location of the configuration file. v If the file resides on the appliance, this parameter takes the form directory:///filename, where: directory Identifies a local directory.
exit Applies changes to the current object and returns to the parent configuration mode. Syntax exit Guidelines The exit command applies all changes made to the object to the running configuration. To save these changes to the startup configuration, use the write mem command.
v Displays help for the shutdown command. # ? shutdown login Logs in to the appliance as a specific user. Syntax login Guidelines After entering the login command, the CLI prompts for a username and password. User accounts log in to User Mode, while admin, privileged accounts, and group-specific accounts log in to Privileged Mode.
Use the ntp command to identify the NTP (Network Time Protocol) server. After identifying an NTP server, the appliance functions as a Simple Network Time Protocol (SNTP) client as described in RFC 2030. Note: From the CLI, the appliance supports the configuration of only one NTP server.
Examples v Pings ragnarok. # ping ragnarok v Pings 192.168.77.144. # ping 192.168.77.144 reset Restores default values. Syntax reset Guidelines The reset command sets mode-specific properties to their default values. Properties that lack default values are unchanged. Default values assigned by the reset command are not applied until the user uses the exit command to save changes and exit the current configuration mode.
shutdown Restarts or shuts down the appliance. Syntax shutdown reboot [seconds] shutdown reload [seconds] shutdown halt [seconds] Parameters reboot Shuts down and restarts the appliance. reload Restarts the appliance. halt Shuts down the appliance. seconds Specifies the number of seconds before the appliance starts the shutdown operation.
Syntax summary string Parameters string Specifies descriptive text for the object. Guidelines The summary command specifies a brief, object-specific comment. If the comment contains spaces, enclose the comment in double quotation marks. Examples v Adds an object-specific comment. # summary "Amended server list" switch domain Moves to a specified domain.
Parameters Specifies the fully-qualified location of the interactive command line script. Guidelines Also available in Global configuration mode. The template command specifies the URL of the interactive command line script. The script is an XML file that can be local or remote to the DataPower appliance. The script must conform to the store:///schemas/dp-cli-template.xsd schema.
test tcp-connection Tests the TCP connection to a remote appliance. Syntax test tcp-connection host port [timeout] Parameters host Specifies the target host. Use either the IP address or host name. port Specifies the target port. timeout Specifies an optional timeout value, the number of seconds that the CLI waits for a response from the target host.
Examples v Returns the user, either the admin account or a privileged account, to Privileged Mode, the user-specific login mode. (config crypto-val-credentials)# top traceroute Traces the network path to a target host. Syntax traceroute host Parameters host Specifies the target host as either the IP address or host name. Guidelines Also available in Global configuration mode.
Parameters lockout-duration minutes Specifies the number of minutes to lock out an account after exceeding the maximum number of failed login attempts. A value of 0 indicates that accounts are locked out until reset by a privileged administrator. Use an integer in the range of 0 through 1000.
Examples v Enables lockout behavior so that on the fifth login failure the account is locked out until reset by a privileged administrator: # account lockout-duration 0 # account max-login-failure 4 v Disables lockout behavior. # account max-login-failure 0 Enters Access Control List configuration mode for a specified service provider.
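The lockout semantics of the lockout-duration and max-login-failure parameters above, modelled as an added example that is not IBM code: a limit of 4 locks the account on the fifth consecutive failure, a duration of 0 keeps it locked until an administrator resets it, and a limit of 0 disables lockout. The class and method names are this example's own, and time is passed in as whole minutes so the policy can be exercised without a clock.

```python
"""Models the account-lockout behaviour of the account command on this page.

Added example, not IBM code. Semantics taken from the page: max-login-failure N
locks an account on the (N+1)th consecutive failure (0 disables lockout);
lockout-duration M releases the lock M minutes later, and lockout-duration 0
keeps it locked until a privileged administrator resets it. Class and method
names are this example's own (assumption); time is passed as whole minutes.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_login_failure: int  # 0 disables lockout, as on the page
    lockout_duration: int   # minutes; 0 = locked until reset (page range 0..1000)

    def __post_init__(self) -> None:
        if not 0 <= self.lockout_duration <= 1000:
            raise ValueError("lockout-duration must be in the range 0 through 1000")
        if self.max_login_failure < 0:
            raise ValueError("max-login-failure must not be negative")


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[int] = None  # minute at which the lock was applied


class LockoutTracker:
    """Tracks consecutive login failures per account and applies the policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now_min: int) -> bool:
        """True while the account is locked; a timed lock expires on its own."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.lockout_duration == 0:
            return True  # locked until an administrator resets the account
        if now_min - st.locked_at >= self.policy.lockout_duration:
            self.accounts[user] = AccountState()  # lock expired; start clean
            return False
        return True

    def record_failure(self, user: str, now_min: int) -> bool:
        """Record a failed login; return True if this failure locked the account."""
        if self.is_locked(user, now_min):
            return False  # already locked; nothing changes
        st = self._state(user)
        st.failures += 1
        limit = self.policy.max_login_failure
        if limit > 0 and st.failures > limit:  # limit 4 -> the fifth failure locks
            st.locked_at = now_min
            return True
        return False

    def record_success(self, user: str, now_min: int) -> bool:
        """Return True if the login is accepted; a locked account is rejected."""
        if self.is_locked(user, now_min):
            return False
        self.accounts[user] = AccountState()  # success clears the failure count
        return True

    def admin_reset(self, user: str) -> None:
        """Equivalent of a privileged administrator resetting the account."""
        self.accounts[user] = AccountState()
```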
list. A candidate address is denied or granted access to the service provider in accordance with the first matching clause. Consequently, the order of clauses is important in an Access Control List. Use the no acl command to delete a named ACL. Use the exit command to exit Access Control List configuration mode and return to Global configuration mode.
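The first-matching-clause rule above, as an added example that is not IBM code: the same two clauses give opposite decisions for one address depending on their order, and a small check reports clauses that an earlier, broader clause shadows. The "allow"/"deny" clause form, CIDR notation and the implicit deny when no clause matches are this example's assumptions.

```python
"""First-match evaluation of a DataPower-style Access Control List.

Added example, not IBM code. It follows the rule on this page: a candidate
address is allowed or denied by the first clause that matches it, so clause
order decides the outcome. The "allow"/"deny" clause form, the CIDR notation
and the implicit decision when nothing matches (deny here) are assumptions of
this example; the page does not spell them out.
"""
import ipaddress
from typing import List, Tuple

Clause = Tuple[str, ipaddress.IPv4Network]


def parse_acl(lines: List[str]) -> List[Clause]:
    """Parse clauses such as "allow 10.0.0.0/8" or "deny 10.0.5.7", in order."""
    clauses: List[Clause] = []
    for line in lines:
        action, _, addr = line.strip().partition(" ")
        if action not in ("allow", "deny") or not addr:
            raise ValueError(f"malformed ACL clause: {line!r}")
        # strict=False accepts a bare host address without a /32 suffix
        clauses.append((action, ipaddress.ip_network(addr.strip(), strict=False)))
    return clauses


def evaluate(clauses: List[Clause], candidate: str,
             default: str = "deny") -> Tuple[str, int]:
    """Return (decision, index of the deciding clause); -1 means nothing matched.

    Later clauses are never consulted once one matches, which is why the
    page says clause order is important.
    """
    addr = ipaddress.ip_address(candidate)
    for i, (action, net) in enumerate(clauses):
        if addr in net:
            return action, i
    return default, -1


def find_shadowed(clauses: List[Clause]) -> List[int]:
    """Indices of clauses that can never match because an earlier clause covers them.

    A deny placed after a broad allow is the classic misordering: the deny is
    present in the configuration but has no effect on any address.
    """
    shadowed: List[int] = []
    for i, (_, net) in enumerate(clauses):
        if any(net.subnet_of(earlier) for _, earlier in clauses[:i]):
            shadowed.append(i)
    return shadowed
```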
Related Commands cancel, exit, show action alias Creates a command macro. Syntax alias aliasName commandString no alias aliasName Parameters aliasName Specifies the name of the command macro. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. commandString Defines a sequence of commands.
v Creates the back2 alias that moves back two configuration modes. If invoked while in Validation Credentials configuration mode, moves to Global configuration mode. # alias back2 "exit; exit" Alias update successful v Creates the proxys alias that displays information about XSL Proxy objects. # alias proxys show xslproxy Alias update successful v Creates the update-cfg alias that restarts the appliance with an updated...
audit delete-backup (Common Criteria) Deletes the archived version of the audit log. Syntax audit delete-backup Context Available only when the appliance is in Common Criteria mode. Guidelines The audit delete-backup command deletes the audit:///audit-log.1 file. This file is the archived version of the audit log. When the size of the audit log, the audit:///audit-log file, reaches approximately 250 kilobytes, the appliance saves this file as the audit:///audit-log.1 file, which overwrites the previous version of the audit:///audit-log.1 file.
Parameters kilobytes Specifies the amount of disk space in kilobytes to reserve for the audit log. The reserve space must be at least four kilobytes less than the total amount of free space that is currently available on the file system. Use an integer in the range of 0 through 10000.
stream Compiles the schema in streaming mode. If in doubt about whether the target schema lends itself to streaming, retain the default value of general. Related Commands cache stylesheet, cache wsdl Examples v Compiles the schema in streaming mode and adds the schema to the schema cache that is maintained by the mgr1 XML Manager.
Syntax cache wsdl xmlMgrName wsdlURL Parameters xmlMgrName Specifies the name of an XML manager. wsdlURL Specifies the URL of the WSDL to cache. Related Commands cache schema, cache stylesheet Examples v Compiles and adds the specified WSDL to the WSDL cache of the mgr1 XML Manager.
Guidelines Also available in Interface configuration mode. Related Commands arp, show netarp Examples v Clears the ARP table. # clear arp clear dns-cache Clears the DNS cache. Syntax clear dns-cache Examples v Clears the DNS cache. # clear dns-cache Cleared DNS cache clear pdp cache Clears all compiled XACML policies of a specific XACML Policy Decision Point (PDP).
is associated with the AAA Policy with the clear xsl cache command. This command clears the compiled XACML policies in the XML Manager that is referenced by the AAA Policy. Use a URL Refresh Policy: You can use a URL Refresh Policy whose match conditions match the internal URL xacmlpolicy:///pdpName to perform periodic cache refreshes.
Examples v Clears the stylesheet cache of the mgr1 XML Manager. # clear xsl cache mgr1 Cleared cache of xmlmgr mgr1 cli remote open Establishes a TCP/IP connection to a specific remote host. Syntax cli remote open address port Parameters address Specifies the IP address of the remote host.
Parameters name Specifies the name of the Telnet service. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. telnetServerIP Specifies the IP address (either primary or secondary) of a DataPower Ethernet interface.
v Deletes the support Telnet service. # no cli telnet support Deleted cli telnet handler compact-flash (Type 9235) Enters Compact Flash configuration mode. Syntax compact-flash name Parameters name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0. Guidelines The compact-flash command enters Compact Flash configuration mode for an existing compact flash enabled appliance.
Syntax compact-flash-repair-filesystem name Parameters name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0. Guidelines The compact-flash-repair-filesystem command repairs the file system on the compact flash storage card, in case it was corrupted by an abnormal shutdown of the appliance or other error.
conformancepolicy Enters Conformance Policy configuration mode. Syntax conformancepolicy name no conformancepolicy name Parameters name Specifies the name of the Conformance Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the conformancepolicy command to enter Conformance Policy configuration mode to create or edit a Conformance Policy.
Parameters Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file will result in a prompt that requests confirmation to overwrite the existing file.
Related Commands delete, dir, move, send file (Global) Examples v Uses HTTP to copy a file from the specified URL to the image: directory. # copy http://host/image.crypt image:///image.crypt file copy successful (1534897 bytes transferred) v Uses HTTP over SSL to copy a file from the specified URL to the image: directory.
Parameters create-copy The Tivoli® Access Manager key database and key stash files are placed in the cert: directory when created. This directory does not allow files to be moved out of it. By selecting to create copies of the created files, a copy of the key database and stash files will be placed in the temporary: directory, and can be downloaded off of the appliance.
ldap-auth-timeout Specifies the timeout, in seconds, that is allowed for LDAP authentication operations. There is no range limit. The default is 30. ldap-search-timeout Specifies the timeout, in seconds, that is allowed for LDAP search operations. There is no range limit. The default is 30. use-ldap-cache Indicates whether to enable client-side caching.
Related Commands exit delete Deletes a file from the DataPower appliance. Syntax delete URL Parameters Specifies a URL of the file to delete. This argument takes the directory:///filename form, where: directory Specifies a directory on the appliance. Refer to “Directories on the appliance”...
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the deployment-policy command to enter Deployment Policy configuration mode to create or edit a Deployment Policy. Use the cancel or exit command to exit Deployment Policy configuration mode and return to Global configuration mode.
disable Enters User Mode. Syntax disable Guidelines Use the disable command to exit Global configuration mode and enter User mode. Use the exit command to exit Global configuration mode and enter Privileged mode. Also available in Privileged mode. Related Commands enable, exit Examples v Exits Global configuration mode and enters User Mode.
# no dns document-crypto-map Enters Document Crypto Map configuration mode. Syntax document-crypto-map name no document-crypto-map name Parameters name Specifies the name of the Document Crypto Map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the no document-crypto-map command to delete a Document Crypto Map.
Related Commands exit domain Enters Application Domain configuration mode. Syntax domain name no domain name Parameters name Specifies the name of the application domain. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The domain command enters Application Domain configuration mode to create a new Application Domain object or to modify an existing Application Domain...
Related Commands cancel, exit, send error-report file-capture Controls the file capture trace utility. Syntax file-capture {always | errors | off} Parameters always Enables the file capture trace utility and provides a trace of all appliance traffic. errors Enables the file capture trace utility and provides a trace for failed transactions only.
v Disables the file capture trace utility, which restores the default state. # file-capture off File nature mode set to off flash Enters Flash configuration mode. Syntax flash Guidelines Use the exit command to exit Flash configuration mode and enter Global configuration mode.
Parameters alias Specifies the alias to assign to the specified IP address. Guidelines Use the no host-alias command to remove an alias map. Related Commands cancel, exit httpserv Enters HTTP Server configuration mode. Syntax httpserv name httpserv name address port no httpserv name Parameters name...
If you wish to restrict access to an HTTP server, you can compile an ACL using the acl, allow, and deny commands. Use the no httpserv command to delete an HTTP server. Use the exit command to exit HTTP Server configuration mode and return to Global configuration mode.
Syntax import-package name no import-package name Parameters name Specifies the name of the Import Configuration File object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The import-package command enters Import Configuration File configuration mode to create a new Import Configuration File object or to modify an existing Import Configuration File object.
Related Commands exec Examples v Enters Include Configuration configuration mode to create the standardServiceProxies Include Configuration. # include-config standardServiceProxies Include Configuration configuration mode v Deletes the standardServiceProxies Include Configuration. # no include standardServiceProxies input-conversion-map Enters HTTP Input Conversion Map configuration mode. Syntax input-conversion-map name no input-conversion-map name...
Note: To disable an Ethernet interface, use the admin-state command in Interface configuration mode. Use the exit command to exit Interface configuration mode and enter Global configuration mode. Related Commands admin-state (Interface), exit, show interface Examples v Enters Interface configuration mode for Ethernet interface 0. # interface ethernet 0 Interface configuration mode (ethernet 0) v Enters Interface configuration mode for Ethernet interface 0.
Examples v Adds the datapower.com, somewhereelse.com, and endoftheearth.com IP domains to the IP domain table. The appliance attempts to resolve the host name loki in the following ways: loki.datapower.com loki.somewhereelse.com loki.endoftheearth.com # ip domain datapower.com # ip domain somewhereelse.com # ip domain endoftheearth.com # xslproxy Proxy-01 XSL proxy configuration mode # remote-address loki 80...
# no ip host * ip name-server Identifies a local DNS provider. Syntax ip name-server address [ udpPortNumber] [tcpPortNumber] [flags] [max-retries] no ip name-server address no ip name-server * Parameters address Specifies the IP address of the DNS server. udpPortNumber Optionally identifies the UDP port that the DNS server monitors.
iscsi-chap (Type 9235) Enters iSCSI CHAP configuration mode. Syntax iscsi-chap name no iscsi-chap name Parameters name Specifies the name of the iSCSI CHAP. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The iscsi-chap command enters iSCSI CHAP configuration mode.
Syntax iscsi-volume name no iscsi-volume name Parameters name Specifies the name of the iSCSI volume to configure. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The iscsi-volume command enters iSCSI Volume configuration mode. While in this configuration mode, create, partition, and name the logical storage volume.
Syntax locate-device {on | off} Parameters on Activates the locate LED light. off (Default) Deactivates the locate LED light. Guidelines The locate-device command activates or deactivates the locate LED light on Type 9235 appliances. The locate LED is on the front of the appliance. v When activated, the locate LED light is illuminated in blue.
Examples v Adds ragnarok.datapower.com by host name as an SSH known host. # known-host ragnarok.datapower.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25 p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRl UDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQ VpPbyVujoHINCrx0k/z7Qpkozb4qZd8== v Adds ragnarok.datapower.com by IP address as an SSH known host. # known-host 10.97.111.108 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25 p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRl UDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQ VpPbyVujoHINCrx0k/z7Qpkozb4qZd8== v Removes ragnarok.datapower.com by IP address as an SSH known host. # no known-host 10.97.111.108 ldap-search-parameters Enters LDAP Search Parameters configuration mode.
Syntax load-interval measurement-interval Parameters measurement-interval Specifies the measurement interval in milliseconds. Use an integer in the range of 500 through 5000. The default is 1000. Guidelines The load-interval command specifies the duration of a measurement interval. During this interval, system load is estimated and expressed as a percentage. Use this command in conjunction with the show load command to monitor system load.
Parameters name Specifies the name of the existing log to which an event class will be added. category Specifies the name of an event-class to add. priority Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order: v emerg (Emergency) v alert (Alert)
Parameters target Specifies the name of an existing log target. event-code Specifies the hexadecimal value of the event code. Guidelines The logging eventcode command adds an event code to the subscription list for the specified log target. This command is equivalent to using the event-code command in Logging configuration mode.
logging object Adds an object filter to a specific log. Syntax logging object name object class no logging object name object class Parameters name Specifies the name of the existing log to which to add an object filter. object Identifies the object type. class Identifies a specific instance of the target class.
Examples v Adds an object filter to the Alarms log. This log will record only events that are issued by the Proxy-1 XSL Proxy. Event priority uses the existing configuration of the Alarms log. # logging object Alarms XSLProxyService Proxy-1 v Deletes an object filter from the Alarms log.
v critic or 2 v error or 3 v warn or 4 v notice or 5 v info or 6 v debug or 7 Guidelines The loglevel command determines which system-generated events to log to the basic event log. The log priority also functions as a filter and determines which events to forward to a remote syslog daemon.
Syntax logsize size Parameters size Specifies the size of the log in lines. The default is 200. Guidelines In the absence of an argument, logsize displays the size of the log file in lines. Note: The loglevel, logsize, and syslog commands provide the ability to configure a rudimentary basic logging system.
implementation of Processing Policy objects. A Processing Policy uses Matching Rule objects to determine whether a candidate XML document is subject to specific processing instructions in the policy. Refer to Appendix B, “Processing Policy procedures,” on page 999 for procedural details about the creation and implementation of Matching Rule and Processing Policy objects.
message-matching Enters Message Matching configuration mode. Syntax message-matching name no message-matching name Parameters name Specifies the name of the traffic-flow definition. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The message-matching command creates a traffic-flow definition that describes a traffic stream to be subject to administrative monitoring and control.
Use the cancel or exit command to leave Message Type configuration mode and enter Global configuration mode. Use the no message-type command to delete a message class. Related Commands cancel, exit metadata Enters Processing Metadata configuration mode. Syntax metadata name no metadata name Parameters name...
Use the rmdir command to delete subdirectories. Related Commands rmdir Examples v Creates the stylesheets subdirectory of the local: directory. # mkdir local:///stylesheets Directory 'local:///stylesheets' successfully created. v Creates the C-1 subdirectory in the stylesheets subdirectory of the local: directory. # mkdir local:///stylesheets/C-1 Directory 'local:///stylesheets/C-1' successfully created.
Parameters name Specifies the name of the monitor. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines A monitor count is an incremental, or counter-based, monitor that consists of a target message class, a configured threshold, and a control procedure that is triggered when the threshold is exceeded.
Syntax move [-f] source-URL destination-URL Parameters Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests confirmation to overwrite the existing file.
Guidelines Use the no mpgw command to delete a Multi-Protocol Gateway. Related Commands cancel, exit mtom Enters MTOM Policy configuration mode. Syntax mtom name no mtom name Parameters name Specifies the name of the MTOM Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
You can also control routing behavior, interface isolation and ECN settings. Use the cancel or exit command to leave Network Settings configuration mode and enter Global configuration mode. Use the no network command to reset network settings to their defaults. Related Commands cancel, exit nfs-client...
Related Commands cancel, exit nfs-static-mount Enters NFS Static Mounts configuration mode. Syntax nfs-static-mount name no nfs-static-mount name Parameters name Specifies the name of the NFS static mount object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
The appliance supports one NTP server at a time. To designate a new NTP server, use the no ntp command to delete the current server, and then use the ntp command to designate the new server. Also available in Privileged mode. Related Commands clock, ntp-service, show ntp time Examples...
Parameters name Specifies the name of the peer group. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines While in Peer Group configuration mode, you identify members of an SLM Monitoring Peer Group.
Parameters name Specifies the name of the object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit command to exit Policy Parameters configuration mode and return to Global configuration mode.
Examples v Activates the RAID Volume in the disks as the active RAID volume. # raid-activate raid0 raid-delete (Type 9235) Deletes an array volume. Syntax raid-delete name Parameters name Specifies the name of the existing hard disk array volume. For appliances that have a hard disk array for auxiliary data storage, the name is raid0.
Parameters name Specifies the name of the existing hard disk array volume. For appliances that have a hard disk array for auxiliary data storage, the name is raid0. Guidelines The raid-rebuild command forces a rebuild of a hard disk array volume. The contents of the primary disk in the array volume are copied to the secondary disk.
Guidelines The raid-volume-initialize-filesystem command initializes the filesystem on the hard disk array to allow it to be made active. This action destroys the existing contents of the hard disk array. Examples v Makes a new file system on the raid0 hard disk array volume. # raid-volume-initialize-filesystem raid0 raid-volume-repair-filesystem (Type 9235) Repairs the file system.
Related Commands cancel, exit refresh stylesheet Forces a reload of specified style sheets by an XML Manager. Syntax refresh stylesheet {* | XML-manager} match Parameters XML-manager Specifies the name of a specific XML Manager. * Specifies all XML Manager objects. match Defines a shell-style match pattern that defines the style sheets to refresh.
Syntax remove chkpoint name Parameters name Specifies the name of the checkpoint configuration file. Guidelines The remove chkpoint command deletes the named checkpoint configuration file from the domain-specific chkpoint: directory. The command is equivalent to using the delete command to remove the file from a specified directory.
v The reset domain command deletes all configured objects in the domain but retains the configuration of the domain and all files in the local: directory. v The no domain command deletes all configured objects in the domain, deletes all files in the domain, and deletes the configuration of the domain itself. Related Commands domain Examples...
v Not be one of the past five passwords Examples v Re-enables the suehill account by changing the password for the account (without the administrator specifying the password). # configure terminal (config)# reset username suehill Enter new password: ******** Re-enter new password: ******** Password for user 'suehill' is reset.
Syntax rmdir local:///subdirectory Parameters local:///subdirectory The subdirectory to remove from the local: directory. Guidelines The rmdir command removes subdirectories from the local: directory. Related Commands mkdir Examples v Deletes the stylesheets subdirectory and all its contents from the local: directory. # rmdir local:///stylesheets Removing 'local:///stylesheets' will delete all files including subdirectories!
# rollback chkpoint foo Rollback Chkpoint foo is initiated (may take a few minutes to complete) rule Enters Stylesheet Policy Rule configuration mode. Syntax rule name rule name {request | response} no rule name Parameters name Specifies the name of the global processing rule. The name can contain a maximum of 128 characters.
Related Commands cancel, exit, match, matching, response-rule, request-rule, rule (Stylesheet Policy), show rule, stylepolicy Examples v Creates the star matching rule to use for matching all URLs. # matching star Matching Rule configuration mode # urlmatch * # exit v Creates the valClientServer global bidirectional rule that validates client and server input against the specified schema.
Related Commands backup, maxchkpoints (Application Domain), remove chkpoint, rollback chkpoint, show chkpoints, write memory Examples v Creates the foo checkpoint configuration file. # save chkpoint foo Save Configuration Checkpoint foo scheduled (may take a few minutes to complete) save error-report Creates an error report.
Guidelines The save internal-state command writes the internal state to the temporary:///internal-state.txt file Examples v Saves the internal state of the appliance. # save internal-state Internal state written to temporary:///internal-state.txt save-config overwrite Specifies system behavior after a running configuration is saved. Syntax save-config overwrite no save-config overwrite...
Parameters name Specifies the name of the Schema Exception Map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit command to exit Schema Exception Map configuration mode and return to Global configuration mode.
v Enables the search results algorithm for the mgr1 XML Manager, which restores the default condition. # search results mgr1 Configuration successfully updated send error-report Sends an error report as e-mail. Syntax send error-report mail-server subject email-address [email-address ...] Parameters mail-server Identifies a local SMTP server by IP address or by host name.
Parameters Identifies the target file and takes one of the following forms: v audit:///filename v pubcert:///filename v config:///filename v store:///filename v image:///filename v tasktemplates:///filename v logstore:///filename v temporary:///filename v logtemp:///filename mail-server Identifies a local SMTP server by IP address or by host name. email-address Specifies the fully qualified e-mail address of each file recipient.
Guidelines The service nagle command enables or disables the Nagle slow packet avoidance algorithm. By default, the algorithm is enabled. Examples v Disables the Nagle algorithm. # service nagle disabled service nagle algorithm. v Enables the Nagle algorithm. # service nagle enabled service nagle algorithm.
var://system Specifies the required prefix that identifies a global variable. contextName Specifies the required name of the context within which the global variable resides. value Specifies the value to assign. Guidelines The set-system-var command creates a new system variable that actions or style sheets can access with the dp:variable() function.
slm-action Enters SLM Action configuration mode. Syntax slm-action name no slm-action name Parameters name Specifies the name of the SLM Action. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In SLM (Service Level Monitor) Action configuration mode, define an administrative response by defining an action type (log, reject, or shape traffic) and...
slm-policy Enters SLM Policy configuration mode. Syntax slm-policy name no slm-policy name Parameters name Specifies the name of the SLM Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In SLM Policy configuration mode, define an SLM policy by specifying an evaluation method, noting peer groups and assigning statements to the policy.
Syntax slm-sched name no slm-sched name Parameters name Specifies the name of the SLM Schedule. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In SLM Schedule configuration mode, define an SLM Schedule by specifying the days and hours when the schedule is in effect.
soap-disposition Enters SOAP Header Disposition Table configuration mode. Syntax soap-disposition name no soap-disposition name Parameters name Specifies the name of the disposition table. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The soap-disposition command enters SOAP Header Disposition Table configuration mode and creates the named object if it does not exist.
Related Commands cancel, exit source-ftp-server Enters FTP Server Front Side Handler configuration mode. Syntax source-ftp-server handler no source-ftp-server handler Parameters handler Specifies the name of the FTP Server Front Side Handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
Syntax source-https handler no source-https handler Parameters handler Specifies the name of the Secure HTTP Front Side Handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the no source-https command to delete a Secure HTTP Front Side Handler object.
Parameters handler Specifies the name of the Stateless Raw XML Handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the no source-raw command to delete a Stateless Raw XML Handler object. Related Commands cancel, exit source-stateful-tcp...
Guidelines SSH is disabled by default. You can use the optional arguments to explicitly bind SSH to a specified interface. If you explicitly bind SSH to an interface, you must have previously configured that interface. In the absence of an explicit address assignment, SSH first attempts to bind to the management port.
local-port Identifies the local port. Use an integer in the range of 0 through 65535. In conjunction with the IP address, identifies the IP addresses and ports that the SSL Proxy service monitors. remote-address Specifies the IP address of the remote SSL peer. In conjunction with the remote port number, identifies a specific destination.
# event cli error # exit Logging configuration successful v Deletes the syslog-ng-stunnel SSL Proxy service. # no sslforwarder syslog-ng-stunnel sslforwarder syslog-ng-stunnel - configuration deleted. sslproxy Creates an SSL Proxy Profile that defines an SSL service type. Syntax Create an SSL proxy profile for a client sslproxy name client client-profile [client-cache {on | off}] sslproxy name forward client-profile [client-cache {on | off}] Create an SSL proxy profile for a server...
(or functions in both directions). In two-way mode, SSL is used over both the appliance-to-server connection and over the appliance-to-client connection. Two-way mode requires both a client and server cryptographic profile. server-profile When the operational mode is either client or two-way, identifies the Crypto Profile that is used by the SSL client to authenticate itself to the SSL server.
Use the no sslproxy command to delete an SSL Proxy Profile. Related Commands profile (Crypto) Examples v Creates the SSL-1 server SSL Proxy Profile using the Low Crypto Profile on the appliance-to-client connections. Default values are used for the other properties. # sslproxy SSL-1 server Low v Creates the SSL-2 client SSL Proxy Profile using the High Crypto Profile on appliance-to-server connections.
SSL connection completed The trace is not specific to a port, but rather to an SSL Proxy Profile. Consequently, the traced object is the first connection using the target SSL Proxy Profile. Keep in mind that a single SSL Proxy Profile can be used by multiple DataPower services.
Related Commands show startup-config (Global), show startup-errors (Global) Examples Starts the installation wizard. # startup statistics Initiates statistical data collection. Syntax statistics no statistics Guidelines Statistical data collection is disabled by default. Statistical display (with the show statistics command) is not available if statistical data collection is suspended.
xsldefault URL Identifies a default XSL style sheet used for document transformation. This default style sheet performs transformation only if a candidate XML document fails to match any of the processing rules defined within the named Processing Policy, and if the candidate document does not contain internal transformation instructions.
match Defines a shell-style match pattern that defines the style sheets to delete. You can use wildcards to define a match pattern as follows: The string wildcard (*) matches 0 or more occurrences of any character. The single-character wildcard (?) matches one occurrence of any single character.
syslog Designates where to forward log messages. Syntax syslog address log-level Parameters address Specifies the IP address of the target workstation. log-level Specifies the type of messages to forward to the target workstation. The log level can be a keyword or an integer. v emerg or 0 v alert or 1 v critic or 2...
Guidelines Use the cancel or exit command to exit System Settings configuration mode and return to Global configuration mode. Related Commands cancel, exit tam Enters TAM (IBM Tivoli Access Manager) configuration mode. Syntax tam name Parameters name Optionally identifies the TAM object.
Active Directory and Lotus Domino. TAM is a licensed feature and requires the presence of a TAM license on the DataPower appliance. Contact your IBM representative to obtain the needed license. Related Commands cancel, create-tam-files, exit tcpproxy Creates a TCP proxy that redirects an incoming TCP packet stream to a remote address.
high Receives above normal priority. Guidelines The TCP Proxy service terminates the inbound TCP connection, and initiates an outbound TCP connection to the destination address. Use the no tcpproxy command to delete a TCP proxy. Examples v Creates a ForwardHTTP TCP proxy that redirects incoming traffic received on appliance interface 192.68.14.12:80 to host 10.10.20.100:80.
test hardware Tests the hardware. Syntax test hardware Guidelines The test hardware command tests the hardware. Depending on the state of the hardware, the command produces output that states the status for each component: v success v warning v failure The components are broken down into the following categories: v Backtrace availability v Interface diagnostics...
Parameters category Specifies the name of an existing Log Category. priority Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order: v emerg (Emergency) v alert (Alert) v critic (Critical)
Guidelines The test schema command tests the conformity of an XML file against an XSD schema file. Examples v Tests conformity of the xyzbanner.xml XML file against the dp-user-interface.xsd schema. # test schema store:///xyzbanner.xml store:///schemas/dp-user-interface.xsd Performing validation of document 'store:///xyzbanner.xml' using schema 'store:///schemas/dp-user-interface.xsd' ...
# test urlmap URLmap-1 https://www.company.com/XML/stylesheets/style1.xsl match # test urlmap URLmap-1 https://www.distributer.com/Renditions/XML2HTML.xsl match test tcp-connection Tests the TCP connection to a remote appliance. Syntax test tcp-connection host port [timeout] Parameters host Specifies the target host. Use either the IP address or host name. port Specifies the target port.
Refer to Appendix C, “Stylesheet Refresh Policy configuration,” on page 1005 for procedural details regarding the creation and implementation of URL maps and Stylesheet Refresh Policies. Related Commands interval urlmap, match, test urlmap, urlmap, urlrefresh, xslrefresh Examples v Tests two candidate matches against the 2aday Stylesheet Refresh Policy. Output confirms the matches and displays the refresh interval and the match pattern.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In TFIM (IBM Tivoli Federated Identity Manager) configuration mode, you configure a TFIM object that provides the information needed to locate and access a TFIM server.
Parameters throttle-threshold Specifies the free memory threshold (expressed as a percentage of total memory) at which the appliance starts to implement a memory conservation algorithm. Use an integer in the range of 1 through 100. The default is 20. kill-threshold Specifies the free memory threshold (expressed as a percentage of total memory) at which the appliance restarts itself.
# throttle 20 5 30 v Disables throttling. # no throttle v Disables throttling. # throttle 0 0 0 timezone Enters Timezone configuration mode. Syntax timezone Guidelines While in Timezone configuration mode, you configure the time zone settings for the appliance. The time zone alters the display of time to the user. Use the cancel or exit command to exit Timezone configuration mode and return to Global configuration mode.
Parameters name Specifies the name of the UDDI Registry object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In UDDI (Universal Description Discovery and Integration) Registry configuration mode, you configure a UDDI Registry object that provides the information needed to locate and access a UDDI Registry.
Syntax undo object-type name Parameters object-type Specifies the type of object. For a complete list of object types, use the show command. name Specifies the name of the object. Guidelines The undo command reverts a modified object to its last persisted state. The persisted state is the configuration in the startup configuration.
Syntax urlmap name Parameters name Specifies the name of the URL map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines URL maps are used in the implementation of Stylesheet Refresh Policies that enable the periodic update of the stylesheet cache maintained by an XML manager.
Related Commands cancel, exit, refresh stylesheet urlrewrite Enters URL Rewrite Policy configuration mode. Syntax urlrewrite name no urlrewrite name Parameters name Specifies the name of the URL Rewrite Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
Guidelines The user command is available in Global configuration mode. The user command enters User configuration mode. While in User configuration mode, you can create or modify User objects. To exit the configuration mode and not apply the changes, use the cancel command.
Parameters account Identifies the target user account. Examples v Forces password change for the josephb account on the next login. # user-expire-password josephb Expire password for user 'josephb' succeeded user-password Changes the password of the current user. Syntax user-password Examples v Enters an interactive session to change a password.
Syntax Enter the configuration mode to create or modify VLAN objects vlan-sub-interface name Delete VLAN objects no vlan-sub-interface name Disable VLAN objects disable vlan-sub-interface name Note: The Admin State of Ethernet interfaces can be set from enabled to disabled while Ethernet cables are still physically connected to the appliance.
Guidelines The watchdog command sets watchdog timeout values. Watchdog timer values are set to default values. These default values should rarely, if ever, require a change. Before changing these values, contact DataPower Customer Support. web-application-firewall Enters Web Application Firewall configuration mode. Syntax web-application-firewall name no web-application-firewall name...
on timeout Sets the idle-session logout timer in seconds. Use an integer in the range of 0 to 65535. The default is 600 (10 minutes). A value of 0 disables the session timer. Resets the idle-session logout timer to its default value. Guidelines You can create only a single WebGUI server.
webapp-error-handling Enters Web Application Error Handling Policy configuration mode. Syntax webapp-error-handling name no webapp-error-handling name Parameters name Specifies the name of the Web Application Error Handling Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit commands to exit Web Application Error Handling Policy configuration mode and return to Global configuration mode.
webapp-request-profile Enters Web Application Request Profile configuration mode. Syntax webapp-request-profile name no webapp-request-profile name Parameters name Specifies the name of the Web Application Request Profile. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit commands to exit Web Application Request Profile configuration mode and return to Global configuration mode.
webapp-session-management Enters Session Management Policy configuration mode. Syntax webapp-session-management name no webapp-session-management name Parameters name Specifies the name of the Web Application Session Management policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit commands to exit this configuration mode and return to Global configuration mode.
wsgw Enters Web Services Proxy configuration mode. Syntax wsgw name no wsgw name Parameters name Specifies the optional name of the Web Services Proxy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit command to exit Web Services Proxy configuration mode and return to Global configuration mode.
Guidelines Use the no wsm-endpointrewrite command to delete a WS-Proxy Endpoint Rewrite policy. Related Commands cancel, exit wsm-rule Enters Web Services Processing Rule configuration mode. Syntax wsm-rule name no wsm-rule name Parameters name Specifies the name of the Web Services Processing Rule. The name can contain a maximum of 128 characters.
wsrr-server Enters WSRR Server configuration mode. Syntax wsrr-server name no wsrr-server name Parameters name Specifies the name of the WSRR server object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In WebSphere Services Repository and Registry (WSRR) Server configuration mode, provide the information necessary to locate and access a WSRR server.
wsrr-synchronize Performs a synchronization of WSRR content with the WSRR server. Syntax wsrr-synchronize wsrrSubscriptionName Parameters wsrrSubscriptionName Specifies the name of a WSRR subscription object. Content previously retrieved using this subscription is immediately synchronized with the WSRR server specified by the subscription. Related Commands refresh-interval, wsrr-subscription Examples...
Syntax xml validate XML-manager matching-rule [attribute-rewrite policy] xml validate XML-manager matching-rule [dynamic-schema URL] xml validate XML-manager matching-rule [schema URL] no xml validate XML-manager Parameters XML-manager Specifies the name of an XML manager that performs XML schema validation. matching-rule Specifies the name of a Matching Rule. XML documents that match any of the patterns contained within this Matching Rule are subject to manager-specific XML schema validation.
# xml validate mgr1 star attribute-rewrite URL-RW-1 v Enables schema-based validation for the mgr1 XML Manager. All XML documents that match star are validated against the schema1.xsd schema. # xml validate mgr1 star schema store:///schema1.xsd v Disables schema-based validation for the mgr1 XML Manager. # no xml validate mgr1 xmlfirewall Enters XML Firewall Service configuration mode.
Guidelines In XML Manager configuration mode, you can configure the target manager to perform a rule-based action. Use the no xml-manager command to delete an XML Manager. Related Commands documentcache, refresh stylesheet, xml parser limits, xml validate, xmlfirewall, xpath function map Examples v Enters XML Manager configuration mode to create the ScheduleHandler XML Manager.
The DataPower appliance has a single XML Management Interface. The XML Management Interface runs SSL and uses HTTP Basic Authentication (user name and password). For information about the XML Management Interface, refer to the IBM WebSphere DataPower SOA Appliances: Administrators Guide. Examples v Enters XML Management Interface configuration mode.
Parameters XML-manager Specifies the name of an XML manager. capacity Specifies the maximum size of the cache in style sheets. Use an integer in the range of 4 through 1000000. Guidelines The initial cache size is set to 256 style sheets. Related Commands xsl checksummed cache Examples...
# xsl checksummed cache mgr1 v Disables SHA-1-assisted caching for the mgr1 XML Manager. # no xsl checksummed cache mgr1 xslconfig Assigns a Compile Options Policy. Syntax xslconfig XML-manager compileOptionsPolicyName no xslconfig XML-manager Parameters XML-manager Specifies the name of the XML Manager. compileOptionsPolicyName Specifies the name of an existing Compile Options Policy.
xslcoproc name address-local port-local XML-manager [default-style-sheet] no xslcoproc name Parameters name Specifies the name of the XSL Coprocessor. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. 0 Binds to all enabled appliance interfaces. address-local Binds to the specified appliance interface.
Examples v Enters XSL Coprocessor Service configuration mode for the CoProc-1 XSL Coprocessor. # xslcoproc CoProc-1 XSL Coprocessor Service configuration mode v Creates the CoProc-1 XSL Coprocessor. Listens for requests on port 3300 of all enabled appliance ports. # xslcoproc CoProc-1 0 3300 mgr1 v Creates the CoProc-1 XSL Coprocessor.
processingPolicy Optionally specifies the name of a Processing Policy to perform transforms. The default is to use processing instructions, if any, that are in incoming XML documents. Guidelines You can use either of two forms (referred to as single-command and multi-command) of the xslproxy command to create an XSL proxy.
Syntax xslrefresh XML-manager policy no xslrefresh XML-manager Parameters XML-manager Specifies the name of an XML Manager. policy Specifies the name of a Stylesheet Refresh Policy. Guidelines You can assign only a single Stylesheet Refresh Policy to an XML manager. With a Stylesheet Refresh Policy, an XML Manager refreshes the specified style sheets at regular intervals.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines While in z/OS NSS Client configuration mode, you configure a z/OS NSS Client which provides the parameters necessary for authentication with SAF on a z/OS Communications Server.
Guidelines If a value is specified for the WS-Security S11:actor or S12:role identifier, the AAA action will act as the assumed actor or role when it consumes the Security headers. This setting takes effect only when the AAA policy attempts to process the incoming message before making an authorization decision.
Validation Credentials List that references the certificate that is used to validate the remote SSL peer. If the method is not client-ssl or if the credentials that are submitted by the SSL peer are not authenticated, (other than checking the expiration date of the certificate and that it has not been revoked) use two double quotation mark (“”) characters without any intervening space.
Parameters seconds Specifies the number of seconds that authentication and authorization data is retained in the policy cache. The default is 3. Guidelines Meaningful only if caching is enabled. Related Commands cache-allow Examples v Specifies a cache lifetime of 10 seconds for the current AAA Policy. # cache-ttl 10 dos-valve Limits the number of times to perform the same XML processing per user request.
Examples v Limits repetitions to 5. # dos-valve 5 extract-identity Specifies and enables the methods to extract the identity of a service requester. Syntax extract-identity http WS-SEC client-SSL SAML-attribute SAML-authenticate stylesheet Parameters http Specifies either on or off to indicate whether or not the identity of a requester is presented as HTTP basic authentication (name and password).
Parameters target-URL Specifies either on or off to indicate whether or not the resource identity is based on the URL sent by the current AAA Policy to the backend server. original-URL Specifies either on or off to indicate whether or not the resource identity is based on the URL received by the current AAA Policy.
Parameters (Default) Indicates LDAP version 2. Indicates LDAP version 3. log-allowed Enables or disables the logging of successful AAA operations. Syntax log-allowed no log-allowed Guidelines By default, successful AAA operations are logged as info. Use the no log-allowed command to disable logging. Related Commands log-allowed-level, log-rejected, log-rejected-level log-allowed-level...
Syntax log-rejected no log-rejected Guidelines By default, unsuccessful AAA operations are logged as warning. Use the no log-rejected command to disable the logging of unsuccessful AAA operations. Related Commands log-allowed, log-allowed-level, log-rejected-level log-rejected-level Specifies the log priority for messages that report unsuccessful AAA operations. Syntax log-rejected-level priority Parameters...
Parameters custom custom-URL Specifies the location of the style sheet. xmlfile XML-file-URL Specifies the location of the XML file. XPath expression Specifies the operative XPath expression. Examples v Specifies that credentials mapping uses the mapCreds.xsl style sheet. # map-credentials custom local:///mapCreds.xsl map-resource Specifies the method used to map resources.
Examples v Specifies the schema for SOAP 1.1 envelope namespace. # namespace-mapping SOAP http://schemas.xmlsoap.org/soap/envelope/ ping-identity-compatibility Enables or disables compatibility with a PingFederate identity server. Syntax ping-identity-compatibility no ping-identity-compatibility Guidelines By default, compatibility is disabled. Use the no ping-identity-compatibility command to disable compatibility. Examples v Enables PingFederate compatibility.
Syntax rejected-counter name Parameters name Identifies the assigned message count monitor. Examples v Associates the AAA-Reject message count monitor with the current AAA Policy. # rejected-counter AAA-Reject saml-artifact-mapping Specifies the location of the SAML artifact-mapping file. Syntax saml-artifact-mapping url Parameters Specifies a local or remote URL that specifies the file location.
<Attribute AttributeName="cats" AttributeNamespace="http://www.example.com"> <AttributeValue>Winchester</AttributeValue> </Attribute> name Provides the local name of the attribute. For example, cats would match messages with the following attribute: <Attribute AttributeName="cats" AttributeNamespace="http://www.example.com"> <AttributeValue>Winchester</AttributeValue> </Attribute> value Provides the value given for the attribute with the corresponding name. For example, Winchester would match the following attribute: <Attribute AttributeName="cats"...
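The namespace/name/value match described above, written out as an added example (not the appliance's own implementation): a SAML 1.x AttributeStatement is parsed and an Attribute counts only when both AttributeNamespace and AttributeName agree, so two attributes that share the local name "cats" in different namespaces are kept apart. The assertion namespace and the sample assertion are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Assumed for the constructed sample: the manual's snippet shows the Attribute
# elements without their enclosing assertion.
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def attribute_values(assertion_xml: str, namespace: str, name: str) -> List[str]:
    """Return the AttributeValue texts of every <Attribute> whose AttributeNamespace
    and AttributeName both match. Matching on the local name alone would conflate
    attributes that differ only by namespace, which is why the extract-identity
    SAML-attribute method takes namespace and name as separate inputs."""
    # Sample parser only; on a gateway the XML parser limits do the input hardening.
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for el in root.iter():
        if _local(el.tag) != "Attribute":
            continue
        if el.get("AttributeNamespace") != namespace or el.get("AttributeName") != name:
            continue
        for child in el:
            if _local(child.tag) == "AttributeValue" and child.text is not None:
                values.append(child.text.strip())
    return values


def saml_attribute_matches(assertion_xml: str, namespace: str, name: str, value: str) -> bool:
    """True when an attribute with this namespace and name carries the given value."""
    return value in attribute_values(assertion_xml, namespace, name)


# Constructed sample assertion: two attributes share the local name "cats".
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_ASSERTION_NS}" MajorVersion="1" MinorVersion="1">
  <AttributeStatement>
    <Attribute AttributeName="cats" AttributeNamespace="http://www.example.com">
      <AttributeValue>Winchester</AttributeValue>
    </Attribute>
    <Attribute AttributeName="cats" AttributeNamespace="http://other.example.org">
      <AttributeValue>Tabby</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

if __name__ == "__main__":
    print(saml_attribute_matches(SAMPLE_ASSERTION, "http://www.example.com", "cats", "Winchester"))
    print(saml_attribute_matches(SAMPLE_ASSERTION, "http://other.example.org", "cats", "Winchester"))
```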
rsa-ripemd160 http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160 rsa-sha256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 rsa-sha384 http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 rsa-sha512 http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 Guidelines If the SAML message that is generated for this policy will be digitally signed, use the saml-sign-alg command to specify the SignatureMethod for the signing algorithm. saml-sign-cert Specifies the public certificate associated with the key used by the current AAA Policy to sign SAML messages.
sha512 http://www.w3.org/2001/04/xmlenc#sha512 Guidelines If the SAML message that is generated for this policy will be digitally signed, use the saml-sign-hash command to specify the algorithm to calculate the message digest for signing. saml-sign-key Specifies the key used by the current AAA Policy to sign SAML messages. Syntax saml-sign-key name Parameters...
Examples v Locates the metadata file. # saml2-metadata local:///policy-1.metadata ssl Assigns an SSL Proxy Profile. Syntax ssl name Parameters name Specifies the name of the SSL Proxy Profile. transaction-priority Assigns a transactional priority to the user. Syntax transaction-priority name priority authorize Parameters name Specifies the name of the output credential.
Parameters name Identifies the certificate object. Guidelines Use the no wstrust-encrypt-key command to remove the certificate assignment from the current AAA Policy. Chapter 3. AAA Policy configuration mode...
Syntax allow address/netmask allow any Parameters address/netmask Defines a range of IP addresses. Specify the IP address in dotted decimal format. Specify the net mask in CIDR (slash) format or dotted decimal format. CIDR format is an integer that specifies the length of the network portion of the address.
Guidelines The deny command defines a deny clause for the ACL. This clause identifies the IP addresses to which access is denied. If the ACL contains only deny clauses, the last clause in the ACL must be the allow any clause. Related Commands allow Examples v Enters ACL configuration mode for the Public ACL.
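To make the allow/deny guidelines concrete, here is an added example (not the appliance's own code) that parses clauses in the form the allow and deny commands accept, with the netmask in CIDR or dotted-decimal form, and evaluates a client address against them. It assumes clauses are tested in order with the first match deciding, and that an address matched by no clause is denied, which is what makes the trailing allow any necessary in a deny-only ACL; the ACLs below are constructed samples.

```python
import ipaddress
from typing import List, Optional, Tuple

# (action, network); a network of None stands for the "any" keyword.
Clause = Tuple[str, Optional[ipaddress.IPv4Network]]


def parse_clause(line: str) -> Clause:
    """Parse one clause: 'allow 10.10.0.0/16', 'deny 10.10.5.0/255.255.255.0' or 'allow any'.
    ipaddress accepts both a prefix length and a dotted-decimal netmask after the slash."""
    parts = line.split()
    if len(parts) != 2 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"malformed ACL clause: {line!r}")
    action, target = parts
    if target == "any":
        return action, None
    # strict=False tolerates host bits in the address part (10.10.5.7/24 -> 10.10.5.0/24)
    return action, ipaddress.IPv4Network(target, strict=False)


def parse_acl(lines: List[str]) -> List[Clause]:
    """Parse the clauses of one ACL, skipping blank lines."""
    return [parse_clause(line) for line in lines if line.strip()]


def evaluate(acl: List[Clause], client_ip: str) -> str:
    """Return 'allow' or 'deny' for client_ip.
    Assumption: first matching clause wins; no match means deny."""
    ip = ipaddress.IPv4Address(client_ip)
    for action, net in acl:
        if net is None or ip in net:
            return action
    return "deny"


def check_acl(acl: List[Clause]) -> List[str]:
    """Report the two mistakes the guidelines warn about: a deny-only ACL without a
    trailing 'allow any' (denies everyone) and an 'any' clause that is not last
    (shadows every clause after it)."""
    warnings: List[str] = []
    if acl and all(action == "deny" for action, _ in acl):
        warnings.append("ACL has only deny clauses; without a trailing 'allow any' every address is denied")
    for index, (action, net) in enumerate(acl):
        if net is None and index != len(acl) - 1:
            warnings.append(f"clause {index + 1} '{action} any' shadows every later clause")
    return warnings


# Constructed sample ACLs.
MGMT_ACL = parse_acl([
    "deny 10.10.5.0/255.255.255.0",   # dotted-decimal netmask
    "allow 10.10.0.0/16",             # CIDR prefix length
])
DENY_LIST_ACL = parse_acl([
    "deny 203.0.113.0/24",
    "allow any",                      # required: deny-only ACL would block everyone
])

if __name__ == "__main__":
    for ip in ("10.10.5.7", "10.10.6.1", "192.168.1.1"):
        print(ip, "->", evaluate(MGMT_ACL, ip))
    print(check_acl(parse_acl(["deny 203.0.113.0/24"])))
```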
Syntax deployment-policy name Parameters name Specifies the name of an existing Deployment Policy object. Guidelines The deployment-policy command specifies the name of the Deployment Policy object that preprocesses the configuration package. To create a Deployment Policy object, use the Global deployment-policy command. Related Commands deployment-policy Examples...
# domain test Modify Application Domain configuration # domain-user gharrison # exit file-monitoring Establishes the level of monitoring applied to files stored in the local: domain directory. Syntax file-monitoring type[+type] Parameters type Can be audit or log. The type audit causes the system to place entries in the audit log whenever a file is added, deleted or altered.
only Display but RBM allows a user to Display and Delete, the user will only be able to Display the contents of files. On the other hand, if the permissions allow both Display and Delete but RBM allows only Display, the user will only be able to Display the contents of files.
Parameters Specifies the location of the remote configuration file. Guidelines If config-mode is set to import, you must specify both the location and type of the remote configuration resource with the import-url and import-format commands. Related Commands config-mode, import-format Examples v Creates the test application domain.
Parameters count Specifies the maximum number of configuration checkpoints to allow. Use an integer in the range of 1 through 5. The default is 3. Related Commands config-mode, import-format, import-url reset domain Deletes the currently running configuration of the domain and returns the domain to its initial state.
[Test]# reset domain reset domain Resetting 'Test' will delete all services configured within the domain! Do you want to continue? [y/n]:y Domain reset successfully. [Test]# visible-domain Specifies other application domains that are visible to this domain. Syntax visible-domain domain Parameters domain Specifies the name of a valid application domain on the current system.
# error-match SvrRedir portal-redir-errors # error-match SvrErr portal-svr-errors # error-match AllErr portal-default-errors v Empties the Error Map, effectively eliminating all custom error handling from the security policy. # no error-match request-match Establishes one or more Web Request Maps for this Security Policy. Syntax request-match rule profile no request-match...
Parameters rule Specifies the name of an existing Match Rule. Use the Global match command to create a new Match Rule. profile Specifies the name of an existing Web Response Profile. Use the Global webapp-response-profile command to create a new Web Response Profile. Guidelines Any server response that matches a configured Match Rule will be handled by the corresponding Web Response Profile.
Guidelines A Compile Options Policy can contain multiple profile and debug commands. A candidate URL is subject to debug profiling if it matches any of the match criteria specified in the URL Map. Refer to Appendix D, “Compile Options Policy configuration,” on page 1007 for procedural details regarding the creation and implementation of profiling policies.
A candidate URL is subject to standard profiling if it matches any of the match criteria specified in the URL Map. Refer to Appendix D, “Compile Options Policy configuration,” on page 1007 for procedural details regarding the creation and implementation of profiling policies. Related Commands debug, show profile Examples...
# stream fastPath strict Controls strict XSLT error-checking. Syntax strict Guidelines Use this command to toggle between enabling and disabling strict XSLT error-checking. By default, the Compile Options Policy disables strict XSLT error-checking. Non-strict operation attempts to recover from certain common XSLT errors such as use of undeclared variables or templates.
validate-soap-enc-array Designates the set of schemas to perform extra validation on elements of type SOAP-ENC:Array. Syntax validate-soap-enc-array map Parameters map Identifies the URL map that defines the set of schemas that perform extra validation on elements of type SOAP-ENC:Array. Guidelines The validate-soap-enc-array command designates a set of schemas that will perform extra validation on elements of type SOAP-ENC:Array, following the encoding rules in SOAP 1.1 Section 5.
Syntax wsdl-strict-soap-version {on | off} Parameters on Follows the version of the SOAP binding in the WSDL. Allows only messages that are bound to SOAP 1.2 to appear in SOAP 1.2 envelopes, and allows only messages that are bound to SOAP 1.1 to appear in SOAP 1.1 envelopes.
Parameters skip Disables validation of the fault detail. Forces validation of the fault details that match the WSDL definition. strict (Default) Validates all fault details, which allows only messages that match the WSDL description. Guidelines By default, strict validation is applied to SOAP Fault messages. Use this command to relax these restrictions, thus allowing more messages to pass validation.
wsdl-wrapped-faults Controls compatibility with RPC-style wrappers. Syntax wsdl-wrapped-faults Guidelines By default, the Compile Options Policy disables required compatibility with RPC-style wrappers. Use this command to toggle between enabling and disabling required compatibility with RPC-style wrappers. Related Commands wsdl-validate-faults Examples v Enables and subsequently disables required compatibility with RPC-style wrappers.
Syntax xacml-debug {on | off} Parameters on Makes the compiler add more debugging information when evaluating a XACML policy. off (Default) Does not compile the XACML policy with debugging information. Guidelines The xacml-debug command indicates whether to compile the XACML policy with debug information.
Syntax fixup-stylesheet file no fixup-stylesheet file Parameters file Specifies the name and location of the style sheet. Guidelines The fixup-stylesheet command defines which style sheets to invoke after conformance analysis. These style sheets can transform the analysis results to repair instances of nonconformance. Corrective style sheets cannot be applied to filter actions.
Guidelines The ignored-requirements command defines which profile requirements to exclude from validation. For each requirement to exclude, use the ignored-requirements command. To remove an excluded requirement, use the no ignored-requirements command. For information about the requirements defined in the supported profiles, refer to the following Web sites: WS-I Attachments Profile, version 1.0 http://www.ws-i.org/Profiles/AttachmentsProfile-1.0.html...
Examples v Specifies that messages are validated against WS-I Basic Profile, version 1.1 and WS-I Basic Security Profile, version 1.0. # profiles BP11+BSP10 v Specifies that messages are validated against WS-I Attachments Profile, WS-I Basic Profile, version 1.1, and WS-I Basic Security Profile, version 1.0, which restores the default state.
Parameters failure Rejects messages that are identified as conformance failures. never (Default) Never rejects messages. warning Rejects messages that are identified as either conformance failures or conformance warnings. Guidelines The reject-level command identifies the degree of nonconformance that causes a request message to be rejected.
# report-level failures # report-target http://datapower.com/conform report-target Specifies where to send conformance reports for requests. Syntax report-target URL Parameters URL Specifies the location to send conformance reports. Use the following URL format: protocol://host/URI Guidelines The report-target command identifies where to send conformance reports for requests.
response-reject-include-summary Controls the inclusion of the summary in the rejection message for responses. Syntax response-reject-include-summary {on | off} Parameters on Includes the summary. off (Default) Does not include the summary. Guidelines The response-reject-include-summary command determines whether to include a summary of the conformance analysis in the rejection message for responses. This command is meaningful only when response messages are rejected.
Guidelines The response-reject-level command identifies the degree of nonconformance that causes a response message to be rejected. When a response message is rejected, you can use the response-reject-include-summary command to include a summary of the conformance analysis in the rejection message. Examples v Includes a summary in rejection messages that indicate conformance failures for responses.
Parameters URL Specifies the location to send conformance reports. Use the following URL format: protocol://host/URI Guidelines The response-report-target command identifies where to send conformance reports for responses. This command is meaningful only when the value for the response-report-level command is always, failure, or warning. Examples v Sends conformance reports for conformance failures for responses to datapower.com/conform with the HTTP protocol.
Guidelines You must specify a password when defining an LDAP-enabled CRL Update Policy. Related Commands bind-dn, read-dn, refresh, remote-address Examples v Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL Update Policy. The LDAP server is accessed with the account name of X with a password of 1PAss$WorD.
Guidelines This property is required to implement a CRL Update Policy. Examples v Enters CRL mode to create the HTTP30 HTTP-enabled CRL Update Policy. Specifies crlValidate as the Validation Credentials to validate the CRL issuer. # crl HTTP30 http Entering CRL mode for 'HTTP30' # issuer crlValidate read-dn Specifies the Distinguished Name of the CA that issued the target CRL.
Parameters minutes Specifies the interval in minutes between CRL updates. Guidelines You must specify a refresh interval when defining either an HTTP-enabled or LDAP-enabled CRL Update Policy. Related Commands bind-dn, bind-pass, fetch-URL, read-dn, remote-address Examples v Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL Update Policy. The ragnarok LDAP server (with default port 389) is accessed with the account name of X and a password of 1PAss$WorD.
Examples v Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL Update Policy. The ragnarok LDAP server (with default port 389) is accessed with the account name of X and a password of 1PAss$WorD. The target certificate is issued by VeriSign Australia.
appliance sends the certificate to the SSL peer for an SSL connection, but the peer can reject the certificate as not valid. Guidelines The password or password-alias keyword is required only when a certificate file is password-protected. Prior to using the password-alias keyword, you must use the password-map command to 3DES-encrypt the certificate password and associate an alias with the encrypted password.
# certificate bob pubcert:bob.pem password-alias dundaulk Creating certificate 'bob' v Deletes the bob certificate alias. # no certificate bob Certificate 'bob' deleted cert-monitor Enters Crypto Certificate Monitor configuration mode. Syntax cert-monitor Guidelines The Certificate Monitor is a configurable periodic task that checks the expiration date of all certificate objects.
Use the no crl command to delete a CRL update policy. Examples v Enters CRL Mode to create the HTTP30 HTTP-enabled CRL update policy. # crl HTTP30 http Entering CRL mode for 'HTTP30' v Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL update policy. # crl LDAP1440 ldap Entering CRL mode for 'LDAP1440' v Deletes the LDAP1440 LDAP-enabled CRL update policy.
Syntax Importing certificates crypto-import cert name [...] input file Importing keys (HSM models) crypto-import key name [...] input file [password-alias alias] [mechanism hsmkwk] crypto-import key name [...] input file [password password] [mechanism hsmkwk] Parameters key name [...] Identifies the names of the keys to import. To specify more than one key, use a space separated list.
directory Must be one of the following directory-specific keywords:
audit: Contains the audit log
cert: Contains domain-specific private keys and certificates
config: Contains configuration scripts
export: Contains export packages
image: Contains primary and secondary firmware images
local: Contains user processing resources such as style sheets, schemas, document encryption maps, or XML mapping files
logstore:...
encrypt Encrypts a file stored on the appliance. Syntax encrypt URL cert alias alg algorithm Parameters URL Identifies the local file to be encrypted, and takes the directory:///filename format. directory Must be one of the following directory-specific keywords that reference specific directories. audit: Contains the audit log cert: Contains domain-specific private keys and certificates...
alg algorithm Identifies the encryption method. Related Commands certificate, idcred, send file, sign (Crypto) Examples v Encrypts the FWSec-1 log file with the recipient certificate that is referenced by the bob alias. # encrypt logtemp:///FWSec-1 cert bob alg smime File 'FWSec-1' successfully encoded fwcred Enters Firewall Credentials configuration mode.
v Deletes the FWCred-1 Firewall Credentials. # no fwcred FWCred-1 Firewall Credentials 'FWCred-1' deleted hsm-clone-kwk (HSM models) Clones a key wrapping key between HSM-equipped appliances. Syntax hsm-clone-kwk [input filename] [output filename] Parameters input filename Indicates the name of the local file to use as input to the cloning action. During the first part of this four-part task, do not specify this parameter.
Related Commands hsm-delete-key, hsm-reinit hsm-delete-key (HSM models) Deletes a key from the HSM (Hardware Security Module). Syntax hsm-delete-key key Parameters Identifies the key stored on the HSM. Guidelines This command is available only on systems with an internal HSM. Related Commands hsm-clone-kwk, hsm-reinit Examples v Deletes the bob key from the HSM.
Syntax idcred name key-alias certificate-alias [ca certificate-alias-n ...] Parameters name Specifies the name of the Identification Credentials that authenticates the appliance. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv. key-alias Specifies an existing alias for the private key that is referenced by the Identification Credentials.
# idcred bob bob bob Creating identification credentials 'bob' v Creates the bob Identification Credentials that consists of the private key aliased by bob and the X.509 certificates aliased by bob and bob-intermediate. # idcred bob bob bob ca bob-intermediate Creating identification credentials 'bob' v Deletes the Identification Credentials alias bob.
Syntax kerberos-keytab name no kerberos-keytab name Parameters name Specifies the name of the Kerberos keytab. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines A keytab (or key table) is an unencrypted file that contains a list of Kerberos principals and their long-term keys (derived from their passwords). Anyone who can read a keytab can impersonate the principals it contains, so protect it as you would a private key.
CAUTION: Do not store private key files in the public cryptographic area. This area is intended for the storage of public certificate files. password password Optionally identifies the plaintext password required to access the private key file. password-alias password-alias Optionally identifies the alias for the encrypted password required to access the private key file.
# no key bob Key 'bob' deleted keygen Generates a public-private key pair and a CSR (certificate signing request) for a server. Syntax Generates a key pair on a non-HSM appliance keygen [{C | countryName} iso-code] [{L | localityName} locality] [{ST | stateOrProvinceName} state] [{O | organizationName} org] [{OU | organizationalUnitName} unit-name] {CN | commonName} server-name rsa {1024 | 2048 | 4096} [gen-object] [object-name name] [gen-sscert] [days...
gen-object Creates a crypto key management object. To create a crypto certificate management object use the gen-sscert property. object-name name Optionally specifies the names for the objects that are created by the gen-object property. If not specified, the value for the commonName property is used.
Use the password and password-alias properties in environments that require password-protected files. Before using the password-alias property, use the password-map command to 3DES-encrypt the private key password (plaintext) and associate an alias with the encrypted password. An attempt to reference an encrypted password that is not in the password map results in command failure.
Alias-name: SSL: password-map saved # keygen C au L "South Melbourne" ST Victoria O "DataPower Australia, Ltd." OU "Customer Support" CN www.bob.datapower.com.au rsa 2048 out bob password-alias WaltzingMatilda password-map Creates a Password Map, which associates an alias with an encrypted password. Syntax password-map no password-map...
Examples v Creates a new Password map and generates a host key used to 3DES-encrypt the two plaintext passwords. # password-map Please enter alias-name and plaintext password pairs - Leading and trailing white space is removed - Enter a blank alias name to finish Alias-name: towson Plaintext password: Toshiro Mifune Alias-name: dundaulk...
Syntax profile name idCred [ssl name] [ciphers cipher-string] [options options-mask] profile name %none% [ssl name] [ciphers cipher-string] [options options-mask] no profile name Parameters name Specifies the name of the Crypto Profile. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions”...
Table 5. Available algorithm keywords for the cipher string (continued) Algorithm keyword Meaning eNULL or NULL NULL ciphers offer no encryption at all and are a security risk. These cipher suites are disabled unless explicitly included. aNULL The cipher suites offering no authentication. This is currently the anonymous DH algorithms. Because the peer is never authenticated, these suites are open to man-in-the-middle attack and should not be enabled.
Optionally, each cipher keyword can be preceded by one of the following characters: ! Permanently deletes the cipher from the list. Even if a later keyword explicitly adds the cipher, it can never reappear in the list. - Deletes the cipher from the list. A later keyword can add this cipher again. + Moves the matching ciphers that are already in the list to the end of the list.
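The difference between the three prefixes is easiest to see by running a cipher string over a small list. The following Go program is an added example written for this edition, not appliance code: it resolves a colon-separated cipher string against a constructed, illustrative catalogue of seven suites (the names and the aRSA/aNULL/eNULL/HIGH/MEDIUM/LOW classes are sample data, not the appliance's cipher table), applying the rules above: ! kills a suite for good, - removes it until something re-adds it, + moves already-selected suites to the end, and a bare keyword appends matches in catalogue order. ALL is assumed to exclude eNULL suites, which is why NULL ciphers only appear when named explicitly; the @STRENGTH sort is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// suite is one entry of a constructed, illustrative catalogue: the suite name
// plus the encryption, authentication and strength keywords it belongs to.
type suite struct{ name, enc, auth, strength string }

// catalogue is sample data for this example, ordered strongest-first.
var catalogue = []suite{
	{"ECDHE-RSA-AES256-GCM-SHA384", "AES256", "aRSA", "HIGH"},
	{"ECDHE-RSA-AES128-GCM-SHA256", "AES128", "aRSA", "HIGH"},
	{"AES256-SHA", "AES256", "aRSA", "HIGH"},
	{"ADH-AES256-SHA", "AES256", "aNULL", "HIGH"}, // anonymous DH: encrypted but unauthenticated
	{"RC4-MD5", "RC4", "aRSA", "MEDIUM"},
	{"DES-CBC-SHA", "DES", "aRSA", "LOW"},
	{"NULL-SHA", "eNULL", "aRSA", "eNULL"}, // no encryption at all
}

// matches reports whether suite s satisfies a single keyword. ALL excludes
// eNULL suites, so NULL ciphers are only selected when named explicitly.
func matches(s suite, kw string) bool {
	if kw == "ALL" {
		return s.enc != "eNULL"
	}
	if kw == "NULL" {
		kw = "eNULL"
	}
	return kw == s.name || kw == s.enc || kw == s.auth || kw == s.strength
}

// selectSuites returns the catalogue names (in catalogue order) that satisfy
// every '+'-joined keyword of one token, e.g. "aRSA+HIGH".
func selectSuites(token string) []string {
	var out []string
	for _, s := range catalogue {
		ok := true
		for _, kw := range strings.Split(token, "+") {
			if !matches(s, kw) {
				ok = false
				break
			}
		}
		if ok {
			out = append(out, s.name)
		}
	}
	return out
}

func has(list []string, n string) bool {
	for _, x := range list {
		if x == n {
			return true
		}
	}
	return false
}

// without returns list with every name in drop removed, order preserved.
func without(list, drop []string) []string {
	var out []string
	for _, n := range list {
		if !has(drop, n) {
			out = append(out, n)
		}
	}
	return out
}

// ResolveCipherString expands a cipher string into the ordered list of suites
// it selects: '!' removes permanently, '-' removes until re-added, '+' moves
// already-selected suites to the end, and a bare keyword appends new matches.
func ResolveCipherString(spec string) []string {
	var list []string
	killed := map[string]bool{}
	for _, tok := range strings.Split(spec, ":") {
		if tok == "" {
			continue
		}
		var op byte
		if strings.IndexByte("!-+", tok[0]) >= 0 {
			op, tok = tok[0], tok[1:]
		}
		sel := selectSuites(tok)
		switch op {
		case '!':
			for _, n := range sel {
				killed[n] = true
			}
			list = without(list, sel)
		case '-':
			list = without(list, sel)
		case '+':
			var moved []string
			for _, n := range list {
				if has(sel, n) {
					moved = append(moved, n)
				}
			}
			list = append(without(list, sel), moved...)
		default:
			for _, n := range sel {
				if !killed[n] && !has(list, n) {
					list = append(list, n)
				}
			}
		}
	}
	return list
}

func main() {
	for _, spec := range []string{"HIGH:!aNULL:!eNULL", "HIGH:-aNULL:aNULL", "!aNULL:HIGH:aNULL", "ALL:+HIGH", "ALL:eNULL"} {
		fmt.Printf("%-20s -> %s\n", spec, strings.Join(ResolveCipherString(spec), ":"))
	}
}
```

Compare HIGH:-aNULL:aNULL, which ends with the anonymous suite back at the end of the list, against !aNULL:HIGH:aNULL, where the trailing aNULL is ignored because ! is permanent; a profile that must never negotiate unauthenticated or unencrypted suites should therefore spell them out with ! rather than -.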
v The SSL client requires a Validation Credentials only when it validates the certificate that is presented by an SSL server. The SSL standard does not require the validation of the server certificate, but a client that skips it cannot detect an impersonated server, so configure a Validation Credentials for any client connection that carries sensitive data. v The SSL server requires a Validation Credentials only when it validates certificates that are presented by SSL clients.
v Same as the previous example. # profile Low XSSL-1 options Disable-SSLv2+DisableTLSv1 Creating new crypto profile 'Low' v Creates the High Crypto Profile that uses the Identification Credentials aliased by XSSL-2 to identify the SSL proxy. The Crypto Profile validates the SSL peer with the TSC-1 validation credentials, and supports symmetric encryption algorithms with key lengths of 128 bits or more.
sharedcert: Contains private keys and certificates which are shared across domains store: Contains DataPower-supplied processing resources such as style sheets, schemas and authentication/authorization files tasktemplates: Contains Task Template files temporary: Contains temporary files filename Specifies the name of the file to sign. idcred alias Specifies an existing alias for an Identification Credentials (a matched public/private key pair) used to identify the identification-set-alias references...
Specifies a local URL that identifies the file that contains the private key. v If the private key is stored in the private cryptographic area, the URL takes the filename form. v If the private key is stored in the public cryptographic area, the URL takes the pubcert:///filename form.
v Creates the alice alias for the SS2.pem shared secret key. The target key is contained within the private cryptographic area, and is accessed with an encrypted password aliased by HavredeGrace. # sskey alice SS2.pem password-alias HavredeGrace Creating key 'alice' v Deletes the alice shared secret key alias. # no sskey alice Key 'alice' deleted test password-map...
v Indicates that the columbia candidate alias does not reference the encrypted password that protects the K2.der key file. # test password-map columbia key K2.der Alias 'columbia' with file 'K2.der' --> FAIL v Indicates that the towson candidate alias does reference the encrypted password that protects the K2.der key file.
Related Commands certificate (Validation Credentials), profile Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials. # valcred ValCred-1 Entering Validation Credentials mode for 'ValCred-1' v Deletes the ValCred-1 Validation Credentials. # no valcred ValCred-1 Validation Credentials 'ValCred-1' deleted validate Validates the digital signature of a specified file.
log-level Specifies the log priority assigned to certificate monitor messages that note the impending expiration date of a certificate Syntax log-level priority Parameters priority Specifies the log priority assigned to certificate expiration messages. Guidelines The level of log events are characterized (in descending order of criticality) as: v emergency v alert v critical...
Examples v Specifies that the Certificate Monitor performs a certificate scan every 3 days. # poll 3 reminder Specifies the notification window before certificate expiration that initiates certificate expiration log messages. Syntax reminder days Parameters days Specifies the notification window. Use an integer in the range of 1 through 65535.
Syntax key alias Parameters alias Specifies the alias for the target private key. The target private key must be previously created with the Crypto key command. Guidelines Prior to adding a key alias to the list: 1. Use the copy command (or the WebGUI) to transfer the actual key to the appliance.
Examples v Enters Firewall Credentials mode for the FWCred-1 Firewall Credentials. Adds the shared secret key that is referenced by the ss-bob-alice alias. # fwcred FWCred-1 Entering Firewall Credentials mode for 'FWCred-1' # sskey ss-bob-alice Chapter 13. Crypto Firewall Credentials configuration mode...
Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials List. Adds the bob-1 certificate alias to the list. # valcred ValCred-1 Crypto Validation Credentials configuration mode # certificate bob-1 crldp Controls support for the X.509 CRL Distribution Points certificate extension. Syntax crldp {ignore | require} Parameters...
Guidelines Meaningful only if cert-validation mode is pkix; otherwise, it is not used. If enabled, the chain validation algorithm must end with a non-empty policy tree. If disabled, the algorithm may end with an empty policy tree (unless Policy Constraints extensions in the chain require an explicit policy). Refer to RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework and to RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile for information...
applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range. The certificate policies extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.
Guidelines By default, CRL usage is not required when processing certificate chains. Use the no require-crl command to restore the default condition, which allows, but does not require, CRL usage when processing certificate chains. Related Commands use-crl Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials List.
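The Certificate Monitor settings (poll, reminder, log-level) and the Validation Credentials CRL switches (use-crl, require-crl) are both decisions made from a certificate's validity window and its issuer's revocation list. The Go program below is an added example for this edition, not IBM code, using the standard crypto/x509 package (Go 1.19 or later). It builds a constructed PKI in memory (a CA, a leaf that expires in ten days, a second leaf the CA has revoked, and the CA's CRL), then shows a reminder-window check equivalent to the monitor's reminder command and a chain check whose useCRL/requireCRL flags follow the guidelines above. The mapping of the flags onto the checks and the rejection of a CRL whose NextUpdate has passed are this example's interpretation; certificate names and lifetimes are sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn. With parent == nil it is a self-signed
// CA allowed to sign certificates and CRLs; otherwise parent/parentKey sign it.
func newCert(cn string, serial int64, now, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// expiring mirrors the Certificate Monitor's reminder window: the names of
// certificates whose NotAfter lies within reminderDays of now (already expired
// ones included), sorted for stable output.
func expiring(certs map[string]*x509.Certificate, reminderDays int, now time.Time) []string {
	deadline := now.Add(time.Duration(reminderDays) * 24 * time.Hour)
	var names []string
	for name, c := range certs {
		if !c.NotAfter.After(deadline) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// verifyChain validates leaf against the trust anchor ca, then applies the
// Validation Credentials CRL switches: with useCRL a fetched CRL must be
// signed by the issuer, current, and must not list the leaf; with requireCRL
// the absence of a CRL is itself a failure.
func verifyChain(leaf, ca *x509.Certificate, crlDER []byte, useCRL, requireCRL bool, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if !useCRL {
		return nil
	}
	if crlDER == nil {
		if requireCRL {
			return fmt.Errorf("require-crl: no CRL available for issuer %q", ca.Subject.CommonName)
		}
		return nil
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err // a CRL not signed by the issuer proves nothing
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL for %q is stale: NextUpdate %s has passed", ca.Subject.CommonName, crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %q (serial %d) is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
		}
	}
	return nil
}

// fixture is a constructed PKI for the example: a CA, a leaf that expires in
// 10 days, a second leaf that the CA has revoked, and the CA's CRL.
type fixture struct {
	ca, soon, revoked *x509.Certificate
	certs             map[string]*x509.Certificate
	crl               []byte
}

func buildFixture(now time.Time) fixture {
	ca, caKey := newCert("Demo Root CA", 1, now, now.AddDate(5, 0, 0), nil, nil)
	soon, _ := newCert("soon.example.test", 2, now, now.AddDate(0, 0, 10), ca, caKey)
	revoked, _ := newCert("revoked.example.test", 3, now, now.AddDate(1, 0, 0), ca, caKey)
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return fixture{ca: ca, soon: soon, revoked: revoked, crl: crl,
		certs: map[string]*x509.Certificate{"ca": ca, "soon": soon, "revoked": revoked}}
}

func main() {
	now := time.Now()
	f := buildFixture(now)
	fmt.Println("reminder 30 days ->", expiring(f.certs, 30, now))
	fmt.Println("soon, no CRL, require-crl on ->", verifyChain(f.soon, f.ca, nil, true, true, now))
	fmt.Println("revoked, CRL present ->", verifyChain(f.revoked, f.ca, f.crl, true, false, now))
}
```

The two flags fail differently: with use-crl on and require-crl off, a leaf is accepted when no CRL could be fetched, which is the default behaviour described above and silently turns a CRL outage into "not revoked"; with require-crl on the same outage rejects the connection. Choose the second for any Validation Credentials that gates access to something valuable, and size the CRL Update Policy refresh interval so the fetched CRL never passes its NextUpdate.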
Property=property-name Optionally specifies the name of the configuration property. This property limits the match statement to resources of the specified property. Value=property-value Optionally specifies the value for the configuration property. This property limits the match statement to resources of the specified property.
resource Specifies the resource type. The value * matches all resource types. Name=resource-name Optionally specifies a name match for a resource. This property limits the match statement to resources of the specified name. Use a PCRE to select groups of resource instances. Note that the pattern is a regular expression, not a shell glob: foo* matches fo followed by any number of o characters, so to select resources with names that start with foo use ^foo.
The appliance preprocesses the add statements first, the change statements second, and the delete statements last when applying the modify clause. The statement takes the following form: address/domain/resource[?Name=resource-name &Property=property-name&Value=property-value] address Specifies the IP address or host alias. The value * matches all IP addresses.
Examples v Adds a summary to the Turbotans host alias in the default domain. The UserSummary property with a value of BlueSkinners is added to the configuration of the Turbotans host alias during the import. # modify */default/network/host-alias?Name=Turbotans add UserSummary BlueSkinners v Changes the value of the summary for the Turbotans host alias in the default domain to Turbotans5 during the import.
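The match statement and the add/change/delete preprocessing order are shown working end to end by the Go program below, an added example for this edition rather than appliance code. It parses address/domain/resource[?Name=..&Property=..&Value=..] statements, applies them to a constructed list of host-alias resources (sample data), and sorts the statements into add, change, delete order before applying them. Assumptions not spelled out on the page: add sets a property only when it is absent, change replaces one only when it is present, delete removes it; Go's RE2 regexp stands in for PCRE; and because the query part is URL-decoded, a literal + in a Name pattern must be written %2B.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// resource is a constructed stand-in for one configuration object inside an
// import package: where it lives and its configuration properties by name.
type resource struct {
	Address, Domain, Type, Name string
	Props                      map[string]string
}

// matchStmt is a parsed address/domain/resource[?Name=..&Property=..&Value=..]
// statement. Address, domain and type compare literally, with "*" matching
// anything; Name is a regular expression and, like a PCRE, is not anchored.
type matchStmt struct {
	address, domain, resType, property, value string
	name                                      *regexp.Regexp
}

func parseMatch(s string) (m matchStmt, err error) {
	path, query, _ := strings.Cut(s, "?")
	parts := strings.SplitN(path, "/", 3) // resource types such as network/host-alias contain "/"
	if len(parts) != 3 {
		return m, fmt.Errorf("want address/domain/resource, got %q", s)
	}
	m = matchStmt{address: parts[0], domain: parts[1], resType: parts[2]}
	q, err := url.ParseQuery(query)
	if err != nil {
		return m, err
	}
	if n := q.Get("Name"); n != "" {
		if m.name, err = regexp.Compile(n); err != nil {
			return m, err
		}
	}
	m.property, m.value = q.Get("Property"), q.Get("Value")
	return m, nil
}

func star(pattern, value string) bool { return pattern == "*" || pattern == value }

func (m matchStmt) matches(r resource) bool {
	if !star(m.address, r.Address) || !star(m.domain, r.Domain) || !star(m.resType, r.Type) {
		return false
	}
	if m.name != nil && !m.name.MatchString(r.Name) {
		return false
	}
	if m.property != "" {
		v, ok := r.Props[m.property]
		if !ok || (m.value != "" && v != m.value) {
			return false
		}
	}
	return true
}

// modifyStmt is one "match add|change|delete property [value]" line.
type modifyStmt struct {
	match                   matchStmt
	action, property, value string
}

// actionOrder is the preprocessing order from the reference: add, change, delete.
var actionOrder = map[string]int{"add": 0, "change": 1, "delete": 2}

func parseModify(line string) (modifyStmt, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return modifyStmt{}, fmt.Errorf("want 'match add|change|delete property [value]', got %q", line)
	}
	m, err := parseMatch(f[0])
	if err != nil {
		return modifyStmt{}, err
	}
	st := modifyStmt{match: m, action: f[1], property: f[2], value: strings.Join(f[3:], " ")}
	if _, ok := actionOrder[st.action]; !ok {
		return modifyStmt{}, fmt.Errorf("unknown action %q", st.action)
	}
	return st, nil
}

// applyModify applies every statement to every matching resource in
// preprocessing order, whatever order the lines were written in. Assumed
// semantics: add sets an absent property, change replaces a present one,
// delete removes it.
func applyModify(res []resource, lines []string) error {
	var stmts []modifyStmt
	for _, l := range lines {
		st, err := parseModify(l)
		if err != nil {
			return err
		}
		stmts = append(stmts, st)
	}
	sort.SliceStable(stmts, func(i, j int) bool { return actionOrder[stmts[i].action] < actionOrder[stmts[j].action] })
	for _, st := range stmts {
		for i := range res {
			if !st.match.matches(res[i]) {
				continue
			}
			_, present := res[i].Props[st.property]
			switch {
			case st.action == "add" && !present, st.action == "change" && present:
				res[i].Props[st.property] = st.value
			case st.action == "delete":
				delete(res[i].Props, st.property)
			}
		}
	}
	return nil
}

// sampleResources is constructed data: two host aliases in default, one in test.
func sampleResources() []resource {
	return []resource{
		{"10.10.10.1", "default", "network/host-alias", "Turbotans", map[string]string{"IPAddress": "10.10.10.5"}},
		{"10.10.10.1", "default", "network/host-alias", "Turbotans-backup", map[string]string{"IPAddress": "10.10.10.6"}},
		{"10.10.10.1", "test", "network/host-alias", "Turbotans", map[string]string{"IPAddress": "10.10.20.5"}},
	}
}

func main() {
	res := sampleResources()
	err := applyModify(res, []string{
		"*/default/network/host-alias?Name=Turbotans change UserSummary Turbotans5",
		"*/default/network/host-alias?Name=Turbotans add UserSummary BlueSkinners",
		"*/*/network/host-alias?Property=IPAddress&Value=10.10.20.5 delete IPAddress",
	})
	fmt.Println("error:", err)
	for _, r := range res {
		fmt.Printf("%s/%s/%s %s %v\n", r.Address, r.Domain, r.Type, r.Name, r.Props)
	}
}
```

Two things to notice in the output: the change statement written before the add still takes effect, because add is preprocessed first and leaves a property for change to replace, and Name=Turbotans also rewrites Turbotans-backup, since the pattern is unanchored; write Name=^Turbotans$ to pin it to one object.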
v Identifies a DNS server at 10.10.10.240 UDP port 60000. # name-server 10.10.10.240 60000 v Deletes the specified DNS provider. # no name-server 10.10.10.240 v Deletes all DNS providers. # no name-server * search-domain Adds an entry to the IP domain-suffix search table, thus enabling the usage of non-fully qualified domain names.
# xslproxy Proxy-01 XSL proxy configuration mode # remote-address loki 80 static-host Maps a host name to an IP address. Syntax static-host hostname address no static-host {hostname | *} Parameters hostname Identifies a specific host. address Specifies the IP address of the host. * Specifies all hosts.
# clear *xs[dl] Cleared documents in cache matching pattern *xs[dl] maxdocs Specifies the maximum size of the document cache in documents. Syntax maxdocs documents Parameters documents Specifies the maximum number of documents to retain in the document cache. Use an integer in the range of 1 through 250000. The default is 5000. Guidelines Retain the default value of 5000 documents.
priority Specifies the priority of a document in the cache. The greater the value, the higher its priority. Use an integer in the range of 1 through 255. The default is 128. Specifies the maximum number of seconds to retain a document in the cache.
# documentcache mgr1 Document cache configuration mode # policy *xsd v Caches all XML schemas with a priority of 210 and the default TTL. # documentcache mgr1 Document cache configuration mode # policy *xsd 210 v Caches all style sheets and schemas with a priority of 255 and the default TTL. Caches all XML files with the default priority and TTL.
Syntax static-document-calls {on | off} Parameters on (Default) Specifies dependent document calls. off Specifies independent document calls. Guidelines XSLT specifications require that multiple document calls in the same transform return the same result. However, you can disable this behavior with the off keyword.
Related Commands namespace-mapping, select Examples v Specifies document decryption. # document-crypto-map DCM-1 Modify Document Crypto Map configuration # decrypt select Specifies the document nodes to encrypt or decrypt. Syntax select XPath Parameters XPath Defines an XPath expression that identifies the target nodes. Guidelines Document nodes that match the XPath expression are encrypted or decrypted depending on the value of the operation command.
location-id Specifies the subject line of the email. Syntax location-id string Parameters string Specifies descriptive text. Guidelines The location-id command specifies the subject line of the email. If the message contains spaces, wrap the value in double quotation marks. Examples v Provides an identifying string.
Guidelines A firmware upgrade performed with the boot image command retains current configuration data, allowing the appliance to be restored to a known, stable state if necessary. The previous firmware image and associated configuration data is referred to as the secondary install. While you can use the boot delete command to delete the secondary install, keep in mind that its deletion will prevent firmware rollback as provided by the boot switch command.
Syntax boot switch Guidelines A firmware upgrade performed with the boot image command retains current configuration data, allowing the appliance to be restored (rolled back) to a known, stable state if necessary. The previous firmware image and associated configuration data is referred to as the secondary install; the newly installed firmware image and associated configuration data is referred to as the primary install.
Guidelines After opening the newly created or existing configuration, the command prompts for command input: Enter startup commands, one per line. End with a period. Enter commands, terminating each command by pressing the Return or Enter key. If appending commands to an existing configuration, make certain to start with appropriate commands to transition to the correct configuration mode.
directory:///filename directory Specifies a directory on the appliance. Refer to “Directories on the appliance” on page xxii for details. filename Specifies the name of a file in the specified directory. v If the source file or target destination is remote to the DataPower appliance and the transport protocol is SCP or SFTP, these arguments take the form that is compliant with RFC 1738.
v Uses SCP to copy a file from the specified URL to the store: directory. # copy scp://jrb@10.10.1.159//XML/stylesheets/InitialConvert.xsl store:///InitialConvert.xsl Password: yetanotherpassword file copy successful v Uses SCP to copy a file from the logstore: directory to the specified remote target (identified by a qualified host name). # copy logstore:///Week1.log scp://jrb@ragnarok.datapower.com//LOGS/Week1.log Password: yetanotherpassword file copy successful...
Note: The delete command does not prompt for confirmation. Be certain that you want to delete the file before issuing this command. Related Commands copy, dir, move Examples v Deletes the startup-config-deprecated file from the store: directory. # delete store:///startup-config-deprecated v Deletes the betaImage file from the image: directory.
move Moves a file from one directory to another. Syntax move [-f] source destination Parameters -f Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests confirmation to overwrite the existing file.
After files are deleted, they cannot be recovered. If you might need any of these files after restoring the system to a manufactured state, ensure that you have copies of these files. To recreate the appliance configuration, refer to the IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide or to the IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide, depending on your model type.
Guidelines The appliance restarts using the startup configuration specified by the boot config command and the firmware image specified by the boot image command. If a startup configuration or firmware image is not designated, the appliance restarts with the configuration and firmware image that were active when you invoked the shutdown command.
Syntax error-rename-pattern pattern Parameters pattern Specifies a PCRE that defines the rename pattern. Guidelines The error-rename-pattern command specifies the PCRE to rename a file when it could not be processed. This command is relevant when error-delete is off. Otherwise, it is ignored. PCRE documentation is available at the following web site: http://www.pcre.org Related Commands...
Parameters pattern Specifies a PCRE that defines the rename pattern. Guidelines The processing-rename-pattern command specifies the PCRE to rename a file that is being processed. This functionality allows multiple poller objects to poll the same directory with the same match pattern. There is no lack of atomicity if the rename operation on the server is atomic.
Syntax processing-seize-pattern pattern Parameters pattern Specifies the PCRE to use as the match pattern to search for files that are being processed. Guidelines The processing-seize-pattern command specifies the PCRE to find files that were renamed to indicate that they are in the "being processed" state but the processing was never completed.
Related Commands processing-seize-pattern result Indicates whether to create a response file after processing an input file. Syntax result {on | off} Parameters on (Default) Creates a result file. off Does not create a result file. Guidelines The result command indicates whether the appliance should create a response file after successfully processing an input file.
success-delete Indicates whether the input file is deleted after successful processing. Syntax success-delete {on | off} Parameters on Deletes the input file. off (Default) Does not delete the input file. Guidelines The success-delete command indicates whether the input or processing-renamed files should be deleted after successful processing.
Syntax target-dir directory Parameters directory Specifies the directory to poll. Guidelines The target-dir command specifies a directory to poll. The path must end in a slash. The slash denotes a directory. For a relative path to the home directory of the specified user ftp://user:password@host:port/path/ For an absolute path to the root directory ftp://user:password@host:port/%2Fpath/...
Table 7. FTP Server Front Side Handler commands (continued) Command Purpose password-aaa-policy Assigns an AAA Policy to evaluate the user name and password. port Specifies the listening port. require-tls Controls whether FTP client connections require TLS encryption. response-nfs-mount Specifies the NFS mount in which to store response files. response-storage Specifies where to store response files.
Parameters address Specifies the local IP address or host alias on which the service listens. The default is 0.0.0.0. Guidelines The local-address command specifies the local IP address on which the service listens. The default of 0.0.0.0 indicates that the service is active on all IP addresses.
allow-restart
  Controls the use of the REST command for interrupted file transfers.
Syntax
  allow-restart {on | off}
Parameters
  on   (Default) Permits the use of the REST command.
  off  Denies the use of the REST command.
Guidelines
  The allow-restart command controls whether to support the REST command to continue the transfer of a file after an interruption in the data transfer.
Parameters
  name  Specifies the name of an existing AAA Policy object.
Guidelines
  The certificate-aaa-policy command assigns the AAA policy that determines whether a password is required for secondary authentication of the information in the TLS/SSL certificate that is provided during TLS negotiation after the AUTH TLS command to the FTP server.
Guidelines
  The default-directory command specifies the current working directory for all users of this FTP server. This directory is the initial working directory after users connect and authenticate. When using a virtual file system and the working directory is not the root directory, the specified directory must be one of the configured virtual directories.
Related Commands
  persistent-filesystem-timeout, virtual-directory

filesystem-size
  Specifies the maximum size for the temporary file system.
Syntax
  filesystem-size megabytes
Parameters
  megabytes  Specifies the maximum size in megabytes for the temporary file system. Use an integer in the range of 1 through 2048. The default is 32.
Guidelines
  The filesystem-size command specifies the maximum size in megabytes for the temporary file system.
Parameters
  length  Specifies the maximum length of a file name on the FTP server. Use an integer in the range of 1 through 4000. The default is 256.

passive
  Controls the use of passive mode by the FTP client.
Syntax
  passive {disallow | allow | require}
Parameters
  disallow...
Guidelines
  The passive-idle-timeout command controls the amount of time in seconds between when the FTP server issues code 227 ("Entering Passive Mode") in response to the PASV or EPSV command from the FTP client and when the FTP client must establish a TCP data connection to the listening port and issue a data transfer command.
passive-port-min
  Sets the lowest port value for the passive port range.
Syntax
  passive-port-min port
Parameters
  port  Specifies the lower end of the passive port range. Use an integer in the range of 1024 through 65534. The default is 1024.
Guidelines
  The passive-port-min command sets the lowest port value for the passive port range.
Note: While multiple FTP servers on the same system can use the same or overlapping passive port ranges, this configuration could introduce contention for a common resource in the TCP implementation. Because of contention, do not use a port range that overlaps with other services that are on the same system as the FTP server.
Syntax
  password-aaa-policy name
Parameters
  name  Specifies the name of an existing AAA Policy object.
Guidelines
  The password-aaa-policy command assigns the AAA policy that authenticates the user names and passwords that the client provides to the FTP server with the USER and PASS commands.
  - If authentication succeeds, the FTP client can use all of the features of the FTP server.
Parameters
  on   Requires TLS encryption.
  off  (Default) Does not require TLS encryption.
Guidelines
  The require-tls command controls whether FTP control connections require TLS encryption. If required, the FTP client must use the FTP AUTH TLS command before any other command. To support TLS encryption, ensure that the configuration of the associated User Agent object defines the information needed to contact the FTP server.
Parameters
  temporary  (Default) Stores response files in temporary storage on the system. This storage space has limited size.
  Stores response files in the top-level directory of the specified NFS server. Only the NFS server limits the storage space.
Guidelines
  The response-storage command specifies the storage for response files.
response-type
  Selects how to make a response available for gateway transactions started by an FTP STOR or STOU operation.
Syntax
  response-type {none | virtual-filesystem | ftp-client}
Parameters
  none  (Default) Indicates that no response is made available to the client. Any response from the server is dropped.
Guidelines
  The response-url command selects the URL that is used in generating a response. This URL enables a response to be written using FTP commands. The URL must be an FTP URL that starts with ftp://. The URL should include a directory, but not a file name.
Parameters
  variable  Defines the prefix for file names that are generated when using the FTP STOU command. The directory separator (/) is not allowed in the prefix. The default is no prefix (an empty string). The value must match the regular expression ^[^/]*$.
    # raid-volume raid0
    Hard Disk Array configuration mode
    # read-only
  - Makes the file system read-write, the default state.
    # raid-volume raid0
    Hard Disk Array configuration mode
    # no read-only
Command Reference...
Parameters
  name  Specifies the name of an existing Access Control List object.
Guidelines
  The acl command defines a reference to an existing Access Control List object. The Access Control List object allows or denies access to this service based on the IP address of the client.
Examples
  - Limits features to HTTP-1.0, HTTP-1.1, POST, and QueryString.
    # allowed-features HTTP-1.0+HTTP-1.1+POST+QueryString

compression
  Controls the negotiation of GZIP compression.
Syntax
  compression {on | off}
Parameters
  on   Enables compression negotiation.
  off  (Default) Disables compression negotiation.
Guidelines
  The compression command controls whether to enable or disable GZIP compression negotiation.
  http/1.1  (Default) Uses HTTP 1.1.
Guidelines
  The http-client-version command sets the HTTP version for the connection. The specified version should not conflict with the HTTP version that is allowed by the allowed-features command.
Related Commands
  allowed-features

max-header-count
  Specifies the maximum number of headers to allow.
Syntax
  max-header-count count
Parameters...
Related Commands
  max-header-value-len

max-header-value-len
  Specifies the maximum length of header values to allow.
Syntax
  max-header-value-len bytes
Parameters
  bytes  Specifies the maximum length in bytes. The default is 0, which indicates no limit.
Guidelines
  The max-header-value-len command specifies the maximum length of header values to allow for HTTP headers in request messages.
Syntax
  max-total-header-len bytes
Parameters
  bytes  Specifies the maximum length in bytes. Use an integer in the range of 5 through 128000. The default is 128000.
Guidelines
  The max-total-header-len command specifies the maximum aggregate length of incoming HTTP headers to allow in request messages.
Examples
  - Limits aggregated HTTP headers to 65535 bytes.
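The three header limits above (max-header-count, max-header-value-len with 0 meaning no limit, and max-total-header-len) bound how much header data a client can make the service buffer and parse. The following is an added example, not DataPower code, that applies the same three checks to a raw HTTP request head; the limit values and the sample requests are constructed for illustration.

```python
"""Header-limit checks for incoming HTTP requests (added example, not DataPower code).

Models the three limits described in the text: max-header-count,
max-header-value-len (0 = no limit) and max-total-header-len.
The limit values and sample requests below are constructed for illustration.
"""

# Constructed limits; the keys mirror the command names in the text.
LIMITS = {
    "max-header-count": 4,
    "max-header-value-len": 64,
    "max-total-header-len": 160,
}


def parse_headers(raw_request):
    """Return (request_line, [(name, value), ...]) for the head of a request.

    Only the header block (up to the first blank line) is examined, because
    the limits apply to headers, not to the message body.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def check_header_limits(raw_request, limits=LIMITS):
    """Return (accepted, reason); reason names the first limit that was exceeded."""
    _, headers = parse_headers(raw_request)
    if len(headers) > limits["max-header-count"]:
        return False, "max-header-count"
    max_value = limits["max-header-value-len"]
    if max_value and any(len(value) > max_value for _, value in headers):
        return False, "max-header-value-len"
    # Aggregate length counts each header line as sent: name, ": ", value, CRLF.
    total = sum(len(name) + 2 + len(value) + 2 for name, value in headers)
    if total > limits["max-total-header-len"]:
        return False, "max-total-header-len"
    return True, "ok"


# Constructed sample requests.
OK_REQUEST = (
    "GET /services/orders HTTP/1.1\r\n"
    "Host: gw.example.test\r\n"
    "Accept: text/xml\r\n"
    "\r\n"
)
TOO_MANY_HEADERS = (
    "GET / HTTP/1.1\r\n" + "".join("X-H%d: %d\r\n" % (i, i) for i in range(5)) + "\r\n"
)
LONG_VALUE = "GET / HTTP/1.1\r\nX-Token: " + "a" * 100 + "\r\n\r\n"
LONG_TOTAL = (
    "GET / HTTP/1.1\r\n" + "".join("X%d: %s\r\n" % (i, "b" * 40) for i in range(4)) + "\r\n"
)

if __name__ == "__main__":
    for label, request in [("ok", OK_REQUEST), ("count", TOO_MANY_HEADERS),
                           ("value", LONG_VALUE), ("total", LONG_TOTAL)]:
        print(label, check_header_limits(request))
```

The aggregate check is the one that catches a request whose individual headers are each within limits but whose header block as a whole is oversized; the per-value and count checks each miss that case on their own.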
Guidelines
  The persistent-connections command controls the negotiation of persistent connections.
  - When enabled, the handler negotiates with the remote peer and establishes a persistent connection if agreeable to the peer.
  - When disabled, the handler does not attempt to negotiate the establishment of persistent connections.
rule
  Adds a processing rule to the current HTTP conversion map.
Syntax
  rule expression {base64 | plain | urlencoded | xml}
Parameters
  expression  Defines a PCRE regular expression that defines an input element.
  base64      Treats input literally. Adds encoding='base64' to the input element.
  plain       XML escapes the input.
Note: Users should consider the security implications before revealing software version information. Use the no identifier command to suppress the Server response header field.
Examples
  - Specifies Release 3.7.1 as the contents of the Server response header field.
    # identifier "Release 3.7.1"
  - Suppresses the transmission of the Server response header field.
  image:      Serves documents from the firmware image (image:) directory.
  store:      (Default) Serves documents from the general storage (store:) directory.
  temporary:  Serves documents from the temporary (temporary:) directory.
Examples
  - Specifies that the current HTTP service serves documents from the temporary: directory.
port
  Specifies the local port monitored by the HTTP service for incoming traffic.
Syntax
  port port
Parameters
  port  Specifies the port. The default is 80.
Guidelines
  Use the port command to change the port that is assigned with the ip-address command.
Guidelines
  In the absence of this command, the HTTP service displays the directory listing that is specified by the local-directory command.
Related Commands
  local-directory
Examples
  - Specifies Welcome.html as the start page.
    # start-page Welcome.html
Chapter 28. HTTP Service configuration mode...
    # import-package Englewood
    New Import Configuration File configuration
    # auto-execute off

deployment-policy
  Specifies the name of an existing deployment policy that preprocesses the configuration package.
Syntax
  deployment-policy name
Parameters
  name  Specifies the name of an existing Deployment Policy object.
Related Commands
  deployment-policy
Guidelines
  The deployment-policy command specifies the name of an existing Deployment...
local-ip-rewrite
  Indicates whether to rewrite local IP addresses.
Syntax
  local-ip-rewrite {on | off}
Parameters
  on   (Default) Rewrites IP addresses to match the local configuration when imported.
  off  Retains the original IP address in the configuration package.
Guidelines
  The local-ip-rewrite command indicates whether to rewrite local IP addresses on import.
Syntax
  overwrite-objects {on | off}
Parameters
  on   (Default) Overwrites objects of the same name.
  off  Does not import an object if an object of the same name exists.
Guidelines
  The overwrite-objects command indicates whether to overwrite objects on the system when the configuration package contains an object of the same name. If objects in the configuration package overwrite objects on the system, a warning is written to the log.
  - Specifies the location of a remote configuration file to include.
    # include-config StdSvcProxy
    New Include Configuration File configuration
    # config-url scp://jrb:passWoRd@baldar.ibm.com/configs/Proxy1.cfg
  - Specifies the location of a local configuration file to include.
    # include-config StdSvcProxy
    Modify Include Configuration File configuration
    # config-url local:///Proxy2.cfg...
Guidelines
  The interface-detection command determines when to retrieve the Include Configuration File in relation to the state of the local interface. This command is meaningful only when auto-execute is on.
Related Commands
  auto-execute
Examples
  - Specifies synchronous execution of the Include Configuration File.
    # include-config StdSvcProxy
    New Include Configuration File configuration
    # interface-detection on...
Guidelines
  You can use DHCP to obtain the following parameters from a DHCP server:
  - Interface IP address
  - Default Gateway IP address
  - DNS IP address
  Use the no dhcp command to disable the DHCP client.
Examples
  - Enables a DHCP client on Ethernet 2.
    # interface eth2
    # dhcp
    # exit...
Examples
  - Assigns a primary IP address to Ethernet port 0.
    # ip address 192.168.7.6/27
  - Functionally equivalent to the previous example.
    # ip address 192.168.7.6 255.255.224.0
  - Assigns a secondary IP address to Ethernet port 0.
    # ip address 192.168.7.7/27 secondary
  - Removes the primary IP address from Ethernet port 0.
Syntax
  ip route address/netmask next-hop-address [metric]
  no ip route address/netmask next-hop-address
Parameters
  address  Specifies the address of the destination network.
  netmask  Identifies the network portion of the address. Can be expressed in CIDR (slash) format, which is an integer that specifies the length of the network portion of the address, or in dotted decimal format.
mode
  Specifies the operational mode (speed and duplex) for the current Ethernet interface.
Syntax
  mode mode
Parameters
  mode  Specifies the Ethernet mode using one of the following keywords:
        10baseT-FD or 10baseT-HD      Indicates standard Ethernet configuration options.
        100baseTx-FD or 100baseTx-HD  Indicates Fast Ethernet configuration options.
        1000baseTxFD                  Indicates Gigabit Ethernet configuration options.
Parameters
  size  Specifies the MTU for the current interface in bytes. Use an integer in the range of 576 through 16128. The default is 1500.
Guidelines
  The MTU is determined without regard to the length of the layer 2 encapsulation.
Examples
  - Sets the MTU for the current interface to 4 kilobytes.
    # packet-capture store://Eth0Trace 1800 2500
    Trace begun.
  - Initiates and then terminates a packet-capture session.
    # packet-capture store://Eth0Trace 1800 2500
    Trace begun.
    # no packet-capture store://Eth0Trace

standby
  Implements a failover configuration.
Syntax
  To assign both interfaces to a group using a Virtual IP address (VIP):
    standby group-number ip address
  To assign a priority to a standby member of a group:
    standby group-number priority priority-value...
Guidelines
  The standby command implements a failover configuration to ensure that an interface on another DataPower appliance is available if an active interface becomes unresponsive. There are two types of failover configurations:
  - An active interface is backed up by a warm standby interface. This configuration is known as an active-standby topology.
    # standby 2 ip 10.10.66.66
    # standby 2 preempt
    # exit
  - Assigns Ethernet 0 to standby group 2 and specifies a VIP of 10.10.66.66. The priority value of 90 ensures that the interface is the standby member of the group.
Examples
  - Sets Gerry as the user with the password BigSecret as the credentials for the CHAP-2 CHAP.
    # iscsi-chap CHAP-2
    New iSCSI CHAP configuration mode
    # username Gerry
    # password BigSecret
iname
  Changes the iSCSI qualified name.
Syntax
  iname IQN
Parameters
  IQN  Specifies the IQN.
Guidelines
  The iname command changes the "burned in" value for the iSCSI qualified name (IQN). If you need to change this value, specify an IQN in the following format:
  - iqn.2001-04.com.example
  - iqn.2001-04.com.example:storage:diskarrays-sn-a8675309
  - iqn.2001-04.com.example:storage.tape1.sys1.xyz...
    # iscsi-hba iscsi-2
    Modify iSCSI Host Bus Adapter configuration
    # ip-address 10.10.10.44
    # ip default-gateway 10.10.10.46

ip default-gateway
  Specifies the default gateway for the HBA.
Syntax
  ip default-gateway address
Parameters
  address  Specifies the IP address of the default gateway.
Guidelines
  The ip default-gateway command specifies the IP address of the default gateway for the HBA.
Guidelines
  The hba command assigns an existing iSCSI HBA to which to bind this target instance.
Examples
  - Assigns the iscsi1 HBA to the Target-2 iSCSI target.
    # iscsi-target Target-2
    New iSCSI Target configuration mode
    # hba iscsi1

hostname
  Specifies the host of the iSCSI target.
Syntax
  hostname host
Parameters...
target-name
  Specifies the name of the remote iSCSI target.
Syntax
  target-name name
Parameters
  name  Specifies the iSCSI qualified name (IQN) or IEEE Extended Unique Identifier (EUI) for the iSCSI target.
Guidelines
  The target-name command specifies the iSCSI qualified name (IQN) or IEEE Extended Unique Identifier (EUI) for the iSCSI target.
Examples
  - Makes LUN 33 the VOL2 iSCSI volume.
    # iscsi-volume VOL2
    New iSCSI Volume configuration mode
    # lun 22

read-only
  Defines whether to make the files on the iSCSI volume read-only.
Syntax
  read-only {on | off}
Parameters
  on   Sets the files to read-only.
  off  (Default) Sets the files to read-write.
Examples
  - Provides the name of the Kerberos realm.
    # realm us.ibm.com

server
  Identifies the server by domain name or IP address.
Syntax
  server server
Parameters
  server  Specifies the host name or IP address of the Kerberos KDC server.
Guidelines
  You must specify a Kerberos KDC Server to complete the configuration.
  - Restores UDP, the default, as the transport layer protocol.
    # no tcp

udp-timeout
  When using UDP as the transport protocol, specifies the number of seconds to wait for a server response.
Syntax
  udp-timeout time
Parameters
  time  Specifies the maximum time to wait for a Kerberos KDC Server response. Use an interval in the range of 1 through 60.
  You can use the filter-suffix command to append a string to the LDAP filter expression to complete the search filter.
Related Commands
  filter-suffix
Examples
  - Creates the LDAP filter expression (&(mail=bob@example.com)(c=US)) based on bob@example.com as the user name.
    # filter-prefix "(&(mail="
    # filter-suffix ")(c=US))"

filter-suffix
  Specifies the suffix of the LDAP filter expression.
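The search filter is assembled by concatenation: filter-prefix, then the user name, then filter-suffix. The value that lands between prefix and suffix comes from the client, so a practitioner building a filter this way wants the RFC 4515 escaping of that value, which keeps characters such as '*', '(' and ')' in a user name from being read as filter syntax. The following is an added example, not DataPower code and not a statement about how the appliance itself assembles the filter; it reproduces the concatenation from the example above and adds the escaping and a simple parenthesis-balance check on the result.

```python
"""Assembling an LDAP search filter from filter-prefix, user name and filter-suffix.

Added example, not DataPower code. Implements RFC 4515 escaping of the
user-supplied assertion value before it is placed between prefix and suffix.
"""


def escape_filter_value(value):
    """Escape an assertion value for an LDAP filter (RFC 4515, section 3).

    The characters '*', '(', ')', '\\' and NUL become a backslash followed by
    the two-digit hex code of the character, so they match literally.
    """
    escaped = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_search_filter(filter_prefix, user_name, filter_suffix):
    """Return prefix + escaped user name + suffix.

    With the prefix and suffix from the text and user name bob@example.com
    the result is (&(mail=bob@example.com)(c=US)).
    """
    return filter_prefix + escape_filter_value(user_name) + filter_suffix


def filter_is_balanced(search_filter):
    """Structural check on a configured prefix/suffix pair: parentheses must balance."""
    depth = 0
    for ch in search_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(build_search_filter("(&(mail=", "bob@example.com", ")(c=US))"))
    # A constructed name containing filter metacharacters is matched literally.
    print(build_search_filter("(&(mail=", "O'Brien (bob)*", ")(c=US))"))
```

The balance check is meant for the configured prefix and suffix together with a sample name: a prefix that opens two groups needs a suffix that closes both, and catching that at configuration time is cheaper than debugging failed binds later.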
Parameters
  attribute  Specifies the name of the attribute to return. The default is dn.
Guidelines
  The returned-attribute command specifies the name of the attribute to return for each entry that matches the search criteria.

scope
  Indicates the depth of the search.
Syntax
  scope {base | one-level | subtree}
Parameters...
  weighted-round-robin  Maintains a weighted list of servers and forwards new connections in proportion to the weight (or preference) of each server.
Guidelines
  The algorithm command specifies the server selection algorithm. A request to connect to a Load Balancer Group results in a healthy server being selected from the pool according to the server selection algorithm.
giveup-when-all-members-down
  Specifies the connection behavior when no member is up.
Syntax
  giveup-when-all-members-down {on | off}
Parameters
  on   Does not forward the connection to any member. Makes the next attempt when at least one member is in the up state.
  off  (Default) Selects the first member in the down state and forwards the connection to this server.
  LDAP      Specifies that the group consists of LDAP servers.
            Performs a TCP ping.
  Standard  (Default) Specifies that the group does not consist of LDAP or IMS Connect servers.
  use-SOAP  When the check type is Standard, specifies the HTTP method used to access the target URI.
Examples
  - Specifies a periodic health check for members.
    # health-check on cgi-bin/x.cgi 80 Standard on store:///identity.xsl 4 60 / store:///healthcheck.xsl sslProxy1

masquerade
  Specifies the host name to provide to the backend server.
Syntax
  masquerade {on | off}
Parameters
  on   Passes the Load Balancer Group name to the backend server.
  off  (Default) Passes the name of the member server to the backend server.
If the server selection algorithm is first-alive, the order is significant. The first server is the primary server, while subsequent entries serve as backup servers. For all other algorithms, the order is not significant. If the server selection algorithm is weighted-round-robin, specify the relative preference of a server.
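Member order matters for first-alive (first entry is primary, later entries are backups) and member weight matters for weighted-round-robin; the giveup-when-all-members-down setting decides what happens when health checks have marked every member down. The following added example, not DataPower code, implements those selection behaviours with constructed member names and weights so the interaction between health state, order, weight and the give-up setting can be seen directly.

```python
"""Member selection for a Load Balancer Group (added example, not DataPower code).

Implements first-alive (order defines primary and backups) and
weighted-round-robin (connections spread in proportion to weight), plus the
giveup-when-all-members-down behaviour described in the text.
"""


class LoadBalancerGroup:
    def __init__(self, algorithm, members, giveup_when_all_down=False):
        # members: ordered list of (name, weight); order matters for first-alive.
        if algorithm not in ("first-alive", "weighted-round-robin"):
            raise ValueError("unsupported algorithm: %s" % algorithm)
        self.algorithm = algorithm
        self.members = list(members)
        self.giveup_when_all_down = giveup_when_all_down
        self.up = {name: True for name, _ in self.members}
        self._counter = 0  # position in the round-robin cycle

    def set_health(self, name, is_up):
        """Record the result of a health check for one member."""
        self.up[name] = is_up

    def select(self):
        """Return the member to receive the next connection, or None to give up."""
        healthy = [(n, w) for n, w in self.members if self.up[n]]
        if not healthy:
            if self.giveup_when_all_down:
                return None
            # Default behaviour from the text: hand the connection to the first
            # member even though it is in the down state.
            return self.members[0][0]
        if self.algorithm == "first-alive":
            return healthy[0][0]
        # weighted-round-robin: expand the healthy members by weight and cycle.
        cycle = [n for n, w in healthy for _ in range(w)]
        name = cycle[self._counter % len(cycle)]
        self._counter += 1
        return name


def selections(group, count):
    """The next `count` selections from a group, as a list."""
    return [group.select() for _ in range(count)]


if __name__ == "__main__":
    # Constructed members: one primary and one backup, then a 3:1 weighted pair.
    fa = LoadBalancerGroup("first-alive", [("primary", 1), ("backup", 1)])
    print(selections(fa, 2))
    fa.set_health("primary", False)
    print(selections(fa, 2))
    wrr = LoadBalancerGroup("weighted-round-robin", [("A", 3), ("B", 1)])
    print(selections(wrr, 8))
```

With the give-up setting off, a group whose members are all down still hands connections to its first member, so the failure surfaces as connection errors on that member rather than as an immediate refusal; turning the setting on makes the exhausted state explicit.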
Related Commands
  backup, email-addr, encrypt, format, local-file, local-ident, remote-addr, remote-login, rotate, sender-addr, sign, size, timestamp, upload-method
Examples
  - Specifies an archive type of upload.
    # archive-mode upload
  - Specifies an archive type of rotate, which restores the default state.
    # archive-mode rotate

backup
  Specifies a backup for the current log.
Syntax
  encrypt certAlias smime
Parameters
  certAlias  Specifies a string that contains the alias for a certificate file that contains the public key of the message recipient.
  smime      Specifies the required keyword for the encryption method.
Guidelines
  The encrypt command is used only when the log type is file, nfs, or smtp, to enable S/MIME (Secure Multipurpose Internet Mail Extension) encryption.
Examples
  - Specifies which event classes and which event priorities to log.
    # event schema error
    # event xmlfilter error
    # event crypto error
    # event ssl error
    # event auth warning

event-code
  Specifies an event code included in the current log.
Syntax
  event-code value
Parameters...
Parameters
  on   Suppresses the writing of identical events to the log for the specified suppression period.
  off  (Default) Identical events are written to the log.
Guidelines
  The event-detection command allows for the suppression of identical log events that are generated by the same configuration object over a configurable time period.
facility
  Specifies the syslog facility.
Syntax
  facility facility
Parameters
  facility  Identifies the syslog facility.
Guidelines
  facility is used only when the logging type is syslog or syslog-ng.
Related Commands
  local-address, local-ident, remote-address
Examples
  - Specifies the syslog facility, local0.
    # type syslog
    # local-address 10.10.13.4
    # remote-address 172.16.100.1
    # facility local0...
  - Specifies the log format as formatted text
  - Specifies the log format as unformatted text
  - Specifies the log format as XML
  - Specifies the log format as IBM Common Base Event
  - Specifies the log format as comma-separated
Guidelines
  Use the show logging format command to display a list of available log formats.
local-file
  Specifies a local file that will store log messages.
Syntax
  local-file URL
Parameters
  URL  Specifies the file to store log messages; takes the logstore:///filename form.
Guidelines
  When the log type is file, the use of the local-file command is required. For all other log types, it is not used.
  The file must have write permission.
Related Commands
  nfs-static-mount, type

nfs-static-mount
  Assigns a static mount.
Syntax
  nfs-static-mount name
Parameters
  name  Specifies the name of an existing NFS Static Mount.
Guidelines
  When the log type is nfs, specifies the NFS Static Mount point to write the log over NFS.
  create a log target to collect log messages for a particular instance of a particular object type. For example, you can create a log target to write messages associated with the xyz XSL Proxy only.
Examples
  - Adds an object filter to the current log to log messages for the Proxy-1 XSL Proxy only.
  - When the log type, as specified by the type command, is smtp, syslog, or syslog-ng
  - When the log type, as specified by the type command, is file and the archive mode, as specified by the archive-mode command, is upload
  Use the remote-address command with the remote-port command to define the destination of transmitted log messages.
Guidelines
  remote-directory is used only in the following situations:
  - The log type is file.
  - The archive mode is upload.
  - The upload mode is scp, ftp, or sftp.
  To denote an absolute directory from the root directory, specify a single forward slash character or equivalent encoded character (%2F) before the fully-qualified file name (for SCP or SFTP, specify /file-path;...
Guidelines
  The remote-login command is used only if the log type is file and the archive-mode is upload. If a password is not specified, it must be provided during the upload session.
Related Commands
  archive-mode, remote-address, remote-directory, type
Examples
  - Specifies the recipient address, username and password, and remote directory for an uploaded log file.
retry (deprecated)
Comments
  Deprecated command. Has no effect.

rotate
  Sets the maximum number of file rotations.
Syntax
  rotate count
Parameters
  count  Specifies how many times to rotate a log file. Use an integer in the range of 1 through 100. The default is 3.
Guidelines
  The rotate command specifies the maximum number of rotations for the log file.
sender-address
  Specifies the email address of the sender.
Syntax
  sender-address string
Parameters
  string  Specifies the local email address.
Guidelines
  The sender-address command is used only when the log type is smtp.
Related Commands
  type

sign
  Enables the S/MIME signing of logs.
Syntax
  sign idCred smime
Parameters...
Syntax
  size log-size
Parameters
  log-size  Specifies the maximum size of the file in kilobytes. Use an integer in the range of 100 through 50000. The default is 500.
Guidelines
  The size command sets the maximum size of a local log file in kilobytes. Depending on the Machine Type of the appliance, the location of the file can be the local file system, the compact flash, or the hard disk array.
Examples
  - Specifies the SMTP domain of the recipient.
    # type smtp
    # smtp-domain popServer-1.datapower.com

soap-version
  Specifies the version of SOAP to use.
Syntax
  soap-version {soap11 | soap12}
Parameters
  soap11  SOAP targets use SOAP 1.1.
  soap12  SOAP targets use SOAP 1.2.
Guidelines
  When the log type is soap, specifies the version of SOAP for use by SOAP log targets.
Parameters
  interval  Specifies the interval in seconds during which identical events are suppressed. The default is
Related Commands
  event-detection

timeout (deprecated)
Comments
  Deprecated command. Has no effect.

timestamp
  Specifies the timestamp format.
Syntax
  timestamp {numeric | syslog}
Parameters
  numeric  (Default) Specifies a numeric timestamp format.
  syslog   Specifies a syslog timestamp format.
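The event-detection setting and the suppression interval above work together: with detection on, an event identical to one the same configuration object already logged is dropped until the interval has elapsed since the copy that was written. The following added example, not DataPower code, models that rule and runs it over a handful of constructed log events (the object names, codes and messages are placeholders, not real DataPower event codes) to show which copies survive and how the window is anchored to the last written copy.

```python
"""Suppression of identical log events within a time window.

Added example, not DataPower code. Models event-detection on/off plus a
suppression interval: an event identical to one already written for the same
configuration object is dropped while the interval has not elapsed.
"""
from collections import namedtuple

# ts is in seconds; object is the configuration object that raised the event.
LogEvent = namedtuple("LogEvent", "ts object code message")


class IdenticalEventSuppressor:
    def __init__(self, event_detection_on, suppression_interval):
        self.enabled = event_detection_on
        self.interval = suppression_interval
        self._last_written = {}  # (object, code, message) -> ts of last written copy

    def admit(self, event):
        """True if the event should be written to the log, False if suppressed."""
        if not self.enabled:
            return True
        key = (event.object, event.code, event.message)
        last = self._last_written.get(key)
        if last is not None and event.ts - last < self.interval:
            return False  # identical copy inside the window: suppressed
        self._last_written[key] = event.ts
        return True


def filter_events(events, event_detection_on, suppression_interval):
    """Return the events that would reach the log, in order."""
    suppressor = IdenticalEventSuppressor(event_detection_on, suppression_interval)
    return [e for e in events if suppressor.admit(e)]


# Constructed sample events; "code-A" is a placeholder, not a real event code.
SAMPLE_EVENTS = [
    LogEvent(0.0, "Proxy-1", "code-A", "backend connection refused"),
    LogEvent(1.0, "Proxy-1", "code-A", "backend connection refused"),
    LogEvent(5.0, "Proxy-2", "code-A", "backend connection refused"),
    LogEvent(7.0, "Proxy-1", "code-A", "backend connection refused"),
    LogEvent(12.0, "Proxy-1", "code-A", "backend connection refused"),
]

if __name__ == "__main__":
    for event in filter_events(SAMPLE_EVENTS, True, 10.0):
        print(event.ts, event.object, event.message)
```

Note that the window is anchored to the last written copy, not to the last suppressed one: a fault that repeats continuously still produces one log line per interval, which is what keeps the signal visible while capping the volume.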
Guidelines
  For all log types, use the event command to specify log contents. Cache logs require no configuration beyond the identification of the logging type. You can, however, optionally use the format, size, and timestamp commands to customize log behavior.
  - For a console log, no additional configuration is required.
  scp   (Default) Identifies the Secure Copy Protocol.
  sftp  Identifies the Secure File Transfer Protocol.
  smtp  Identifies the Simple Mail Transfer Protocol.
Guidelines
  upload-method is used only if the log type is file and the archive-mode is upload.
Related Commands
  archive-mode, backup, email-addr, encrypt, format, local-file, local-ident, remote-addr, remote-login, rotate, sender-addr, sign, size, timestamp
Examples
  - Provides the required information (transfer protocol, recipient address, username...
Related Commands
  match-with-pcre
Examples
  - Enters Matching Rule configuration mode to create the allErrors Matching Rule. Adds a pattern to match all error codes.
    # matching allErrors
    Matching configuration mode
    # errorcode *

fullurlmatch (deprecated)
Comments
  The fullurlmatch command is deprecated. Use the urlmatch command.

hostmatch (deprecated)
Comments
  The hostmatch command is deprecated.
match-with-pcre
  Indicates whether match patterns use PCRE or shell-style expressions.
Syntax
  match-with-pcre {on | off}
Parameters
  on   Uses PCRE expressions.
  off  (Default) Uses shell-style expressions.
Guidelines
  The match-with-pcre command indicates whether match patterns use PCRE expressions or shell-style expressions. This command applies to patterns defined by the following commands:
  - errorcode
  - httpmatch...
Syntax
  urlmatch pattern
Parameters
  pattern  Defines a shell-style match pattern that defines the URL set subject.
Guidelines
  The urlmatch command adds a pattern to match URLs. To determine whether the pattern is a PCRE expression or a shell-style expression, use the match-with-pcre command.
  threshold          Specifies the threshold value. Exceeding this value triggers the specified control procedure.
  burst-limit        Specifies an acceptable traffic burst. The value should be approximately twice the threshold value.
  control-procedure  Specifies the name of a control procedure that was created with the monitor-action command.
measure
  Specifies how to increment the counter.
Syntax
  measure {requests | responses | xpath | error}
Parameters
  requests   (Default) Indicates that the receipt of a client request increments the counter.
  responses  Indicates that the receipt of a server response increments the counter.
  xpath      Indicates that a style sheet increments the counter.
  After completing the configuration of a count monitor, activate the monitor by assigning it to a DataPower service.
Related Commands
  message-matching (Global), message-type (Global)
Examples
  - Specifies the Extranet message class as the target for the LogSquelch count monitor.
    # monitor-count LogSquelch
    Message count monitor Configuration mode
    # message-type Extranet

source...
Related Commands
  monitor-action (Global), show message-durations, show message-duration-filters
Examples
  - Defines the RateLimit1 duration message monitor. If the average server processing time of the Extranet message class exceeds 500 milliseconds, implement the Yell control procedure.
    # monitor-duration RateLimit1
    Message duration monitor Configuration mode
    # message-type Extranet
    # measure server
    # filter Filter3 average 500 Yell...
The server and messages types deal with external processing, specifically the processing performed by the web or application server. The server type measures the actual server processing time. The messages type approximates the sum of requests, server, and responses types. After completing the configuration of a duration monitor, activate the monitor by assigning it to a DataPower service.
log-priority
  Enables the generation of a log entry when a control procedure is triggered.
Syntax
  log-priority priority
Parameters
  priority  Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priorities, in descending order:
  - emerg (Emergency)
  - alert (Alert)
  notify  Adds a log entry when a message class exceeds a configured threshold.
  reject  Drops all over-threshold traffic originating from a message class, and optionally adds a log entry, when a message class exceeds the configured threshold.
Guidelines
  Conditional tests that trigger the execution of control procedures are defined by the monitor-count and monitor-duration commands.
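A count monitor (threshold, burst-limit of about twice the threshold, and a measure that decides which events increment the counter) combined with a notify or reject control procedure amounts to a per-message-class rate limit. The following added example, not DataPower code, models that pairing as a token bucket per message class: the bucket holds burst-limit tokens, refills at the threshold rate, and each counted message spends one; when the bucket is empty, the control procedure decides whether the message is still forwarded (notify) or dropped (reject). That the threshold is expressed per interval of a given number of seconds is an assumption of this example, as are the class names and arrival times.

```python
"""A count monitor with threshold, burst limit and a notify/reject control procedure.

Added example, not DataPower code. Token bucket per message class:
capacity = burst_limit, refill rate = threshold per interval_seconds
(the seconds-based interval is an assumption of this example).
"""


class CountMonitor:
    def __init__(self, threshold, burst_limit, interval_seconds, action):
        if action not in ("notify", "reject"):
            raise ValueError("action must be notify or reject")
        self.rate = threshold / float(interval_seconds)  # tokens per second
        self.capacity = float(burst_limit)
        self.action = action
        self._tokens = {}  # message class -> tokens remaining
        self._seen = {}    # message class -> time of last observation

    def observe(self, message_class, now):
        """Count one message; return (decision, log_entry_or_None)."""
        tokens = self._tokens.get(message_class, self.capacity)
        last = self._seen.get(message_class, now)
        # Refill in proportion to elapsed time, never beyond the burst limit.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._seen[message_class] = now
        if tokens >= 1.0:
            self._tokens[message_class] = tokens - 1.0
            return "forward", None
        self._tokens[message_class] = tokens
        entry = "threshold exceeded for message class %s" % message_class
        # notify: log and still forward; reject: log and drop the message.
        decision = "reject" if self.action == "reject" else "forward"
        return decision, entry


def run_monitor(monitor, arrivals):
    """Feed (message_class, timestamp) pairs; return the list of decisions."""
    return [monitor.observe(message_class, ts)[0] for message_class, ts in arrivals]


if __name__ == "__main__":
    # Constructed traffic: 12 Extranet messages at once, then one a second later.
    monitor = CountMonitor(threshold=5, burst_limit=10, interval_seconds=1, action="reject")
    arrivals = [("Extranet", 0.0)] * 12 + [("Extranet", 1.0)]
    print(run_monitor(monitor, arrivals))
```

The burst limit is what lets a short spike through without triggering the procedure, while the threshold governs the sustained rate; setting the burst to roughly twice the threshold, as the text advises, tolerates one interval's worth of backlog before rejection begins.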
  Use the no http-header command to remove an HTTP header field match from a traffic-flow definition.
Related Commands
  http-header-exclude
Examples
  - Creates the TFDef1 traffic-flow definition. HTTP traffic that contains a From request header field with the string @businessPartner.com is defined as part of the target traffic flow.
Examples
  - Creates the TFDef1 traffic-flow definition. HTTP traffic that contains a From request header field with the string @businessPartner.com is excluded from the target traffic flow.
    # message-matching TFDef1
    Message matching configuration mode
    # http-header-exclude From *businessPartner.com
  - Removes HTTP traffic that contains a From request header field from the TFDef1 traffic-flow definition.
Parameters
  address        Specifies a dotted decimal IP address that, with the prefix length, defines a range of excluded IP addresses.
  prefix-length  Defines a range of excluded IP addresses. Use an integer in the range of 1 through 32.
Guidelines
  A traffic flow definition can contain a single ip-exclude command. In the absence of an ip or ip-exclude command, the source address is not considered when evaluating an individual message against a traffic-flow definition.
request-url Specifies a requested URL set to include in the traffic-flow definition. Syntax request-url pattern Parameters pattern Defines a shell-style match pattern that defines the requested URL. You can use wildcard characters when identifying the target URL. You can use wildcards to define a match pattern as follows: The string wildcard matches 0 or more occurrences of any character.
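The ip, ip-exclude, http-header, http-header-exclude and request-url commands above together decide whether a message belongs to a traffic-flow definition. The following Python model of that evaluation is an added example, not code from the appliance: it assumes that an exclude rule wins over an include rule, that a message lacking the named header field is simply not excluded, and that the shell-style patterns behave like Python's fnmatch. The CIDR strings (standing in for the separate address and prefix-length arguments) and the sample messages are constructed for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TrafficFlowDef:
    """One message-matching object. Address ranges are written as CIDR strings,
    standing in for the separate address and prefix-length arguments of the CLI."""
    name: str
    ip: Optional[str] = None                                                    # ip
    ip_exclude: Optional[str] = None                                            # ip-exclude
    http_headers: List[Tuple[str, str]] = field(default_factory=list)          # http-header name pattern
    http_header_excludes: List[Tuple[str, str]] = field(default_factory=list)  # http-header-exclude name pattern
    request_urls: List[str] = field(default_factory=list)                      # request-url pattern


@dataclass
class Message:
    source_ip: str
    headers: Dict[str, str]
    url: str


def _header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    # HTTP field names are case-insensitive; the value is compared as received.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _header_matches(headers: Dict[str, str], name: str, pattern: str) -> bool:
    # Shell-style match: '*' is zero or more characters, '?' exactly one.
    value = _header_value(headers, name)
    return value is not None and fnmatch.fnmatchcase(value, pattern)


def matches(tfdef: TrafficFlowDef, msg: Message) -> bool:
    """True when msg belongs to the traffic flow that tfdef describes."""
    addr = ipaddress.ip_address(msg.source_ip)
    # ip / ip-exclude: with neither configured, the source address is not considered.
    if tfdef.ip_exclude and addr in ipaddress.ip_network(tfdef.ip_exclude, strict=False):
        return False
    if tfdef.ip and addr not in ipaddress.ip_network(tfdef.ip, strict=False):
        return False
    # http-header-exclude: a matching field removes the message from the flow;
    # a message without the field is not excluded.
    for name, pattern in tfdef.http_header_excludes:
        if _header_matches(msg.headers, name, pattern):
            return False
    # http-header: every configured field must be present and match.
    for name, pattern in tfdef.http_headers:
        if not _header_matches(msg.headers, name, pattern):
            return False
    # request-url: if any pattern is configured, at least one must match the URL.
    if tfdef.request_urls and not any(
        fnmatch.fnmatchcase(msg.url, pattern) for pattern in tfdef.request_urls
    ):
        return False
    return True
```

Note that the From header test is case-sensitive in the value but not in the field name; a partner sending `From: x@BusinessPartner.com` would not be excluded by `*businessPartner.com`, so choose patterns with that in mind.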
Parameters encode Optimizes an input message. decode Extracts the attachment parts on an optimized message, which reconstitutes the original, non-optimized message. Examples v Enters MTOM policy configuration mode to create the mtom1 MTOM policy and sets the optimization mode to enable. # mtom mtom1 MTOM policy configuration mode # mode enable...
Parameters bytes Specifies the maximum number of bytes allowed for all parts of an attachment package. The default is 0. Guidelines The attachment-package-byte-count command defines the maximum number of bytes allowed for all parts of an attachment package, including the root part. Attachment packages that exceed this size will result in a failure of the whole transaction.
Related Commands front-attachment-format Examples v Specifies that attachments output to servers are DIME-encapsulated. # back-attachment-format dime back-persistent-timeout Sets the inter-transaction timeout between the completion of a TCP transaction and the initiation of a new TCP one on the gateway-to-server connection. Syntax back-persistent-timeout timerValue Parameters...
the client request and receiving the server response. In other words, this time monitors the idle time within the data transfer process. If the specified idle time is exceeded, the connection is torn down. Related Commands back-persistent-timeout, front-timeout, front-persistent-timeout, persistent-connections backend-url Specifies the URL to which all traffic to the static backend server is routed.
Syntax chunked-uploads {on | off} Parameters on Enables chunked encoding when sending HTTP 1.1 requests to the backend server. off (Default) Disables chunked encoding when sending HTTP 1.1 requests to the backend server. Guidelines The gateway might send an HTTP 1.1 request to the backend server. In this case, the body of the document can be delimited by either Content-Length or chunked encoding.
default-param-namespace Specifies the namespace into which to assign the parameter. Syntax default-param-namespace URL Parameters URL Specifies a valid namespace URL. The default is http://www.datapower.com/param/config. Guidelines If a stylesheet parameter is defined without a namespace (or without explicitly specifying the null namespace), use the default-param-namespace command to specify the namespace into which the parameter is assigned.
external-references Defines the handling mode for input documents that contain external references. Syntax external-references {allow | forbid | ignore} Parameters allow Allows and resolves external references. forbid Stops processing if the XML parser encounters an external reference. ignore (Default) Ignores external references and replaces external entities with the empty string.
forbid-external-references (deprecated) Comments This command has been deprecated. Use the external-references command in its place. front-attachment-format Specifies the attachment format received from front end clients. Syntax front-attachment-format {dime | dynamic | mime | detect} Parameters dime Specifies that client attachments are DIME-encapsulated documents. dynamic Specifies that client attachments are deduced from document content.
An idle TCP connection might remain in the idle state for as long as 20 seconds after the expiration of the persistence timer. Related Commands back-persistent-timeout, back-timeout, front-timeout, persistent-connections front-protocol Assigns a front side protocol handler. Syntax front-protocol name Parameters name Specifies the name of an existing front side protocol handler.
Guidelines The front-timeout command sets the value of the intra-transaction timeout. This value is the maximum idle time to allow in a transaction on the gateway-to-client connection. This timer monitors idle time in the data transfer process. If the specified idle time is exceeded, the connection is torn down. Related Commands back-persistent-timeout, back-timeout, front-persistent-timeout, persistent-connections...
With gateway-specific parser limitations enabled, the values specified by the attachment-byte-count, attribute-count, element-depth, max-message-size, and max-node-size commands (Multi-Protocol Gateway) are used to evaluate incoming XML documents. With gateway-specific parser limitations disabled (the default condition), parser limitations, if any, are derived from the assigned XML Manager. Use the no gateway-parser-limits command to disable gateway-specific parser limitations.
# host-rewriting off # host-rewriting on http-client-ip-label Identifies the HTTP header that contains the IP address of the calling client. Syntax http-client-ip-label header no http-client-ip-label Parameters header Identifies the HTTP header that contains the IP address. The default is X-Client-IP. Guidelines The http-client-ip-label command identifies the HTTP header that contains the IP address of the calling client. Because any client can set such a header itself, its value is trustworthy only when an intermediary under your control inserts or overwrites it before the message reaches the appliance.
# http-server-version http/1.0 include-content-type-encoding Controls the inclusion of character set encoding data in content-type headers. Syntax include-content-type-encoding {on | off} Parameters on Enables the inclusion of character set encoding data in content-type headers. off Disables the inclusion of character set encoding data in content-type headers.
value Specifies the value of the field and can contain a character string or an integer. This property is case-sensitive. Guidelines Use the no inject command to remove a previously-injected proprietary HTTP header field. Related Commands suppress Examples v Injects the ProcInst HTTP header field with a value of 0 into the packet stream directed to the HTTP client.
# no load-balancer-hash-header # load-balancer-hash-header X-Forwarded-For loop-detection Controls loop detection behavior in the network. Syntax loop-detection {on | off} Parameters on Enables a loop detection mechanism. off (Default) Disables a loop detection mechanism. Guidelines Some protocols provide a loop detection mechanism that can detect network loops. Loop detection is a good policy, but it runs the risk that the current Multi-Protocol Gateway might be publicly recorded in a transmitted message.
Related Commands attachment-byte-count, attribute-count, element-depth, gateway-parser-limits, max-node-size Examples v Sets the maximum message size to 500000 kilobytes. # max-message-size 500000 max-node-size Specifies the maximum size of a single XML node. Syntax max-node-size bytes Parameters bytes Specifies the maximum message node size in bytes. The default is 0. A value of 0 indicates that no size limit is applied to incoming message nodes.
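The parser limits (element-depth, attribute-count, max-node-size, max-message-size) and the external-references mode described above are the gateway's defence against oversized, deeply nested and entity-expanding XML. The following checker is an added example written for this page, not the appliance's parser: it enforces the same kinds of limits on top of Python's expat parser and implements the forbid and ignore modes for external entity references (allow, which would actually resolve the reference, is left out on purpose). The function and exception names are the example's own; max_message_size is taken in kilobytes like max-message-size, the node size is counted in characters of one text node.

```python
import xml.parsers.expat


class ParserLimitViolation(Exception):
    """Raised when a document exceeds one of the configured limits."""


class ExternalReferenceForbidden(Exception):
    """Raised in 'forbid' mode when the parser meets an external entity reference."""


def check_document(data: bytes, *, max_message_size: int = 0, element_depth: int = 0,
                   attribute_count: int = 0, max_node_size: int = 0,
                   external_references: str = "ignore") -> dict:
    """Parse `data` under the given limits and return the observed maxima.

    A limit of 0 means 'no limit', as in the reference. max_message_size is in
    kilobytes; element_depth, attribute_count and max_node_size are counts.
    external_references accepts 'forbid' or 'ignore'.
    """
    if external_references not in ("forbid", "ignore"):
        raise ValueError("external_references must be 'forbid' or 'ignore'")
    if max_message_size and len(data) > max_message_size * 1024:
        raise ParserLimitViolation(f"message of {len(data)} bytes exceeds max-message-size")

    stats = {"max_depth": 0, "max_attrs": 0, "max_text": 0, "external_refs": 0}
    state = {"depth": 0, "text": 0}   # current nesting depth, size of the current text node

    def flush_text():
        stats["max_text"] = max(stats["max_text"], state["text"])
        state["text"] = 0

    def start_element(name, attrs):
        flush_text()
        state["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], state["depth"])
        if element_depth and state["depth"] > element_depth:
            raise ParserLimitViolation(f"element <{name}> nested deeper than {element_depth}")
        stats["max_attrs"] = max(stats["max_attrs"], len(attrs))
        if attribute_count and len(attrs) > attribute_count:
            raise ParserLimitViolation(f"element <{name}> has more than {attribute_count} attributes")

    def end_element(name):
        flush_text()
        state["depth"] -= 1

    def character_data(text):
        # Expat may deliver one text node in several chunks, so accumulate before checking.
        state["text"] += len(text)
        if max_node_size and state["text"] > max_node_size:
            raise ParserLimitViolation(f"text node larger than {max_node_size}")

    def external_entity_ref(context, base, system_id, public_id):
        stats["external_refs"] += 1
        if external_references == "forbid":
            raise ExternalReferenceForbidden(system_id or public_id or "<unknown>")
        # 'ignore': report success without parsing anything, so the entity expands to nothing.
        return 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(data, True)
    flush_text()
    return stats
```

The checks fire while parsing, so a hostile document is rejected at the first offending element rather than after it has been fully built in memory, which is the point of configuring these limits on the gateway rather than in the backend.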
Note that if this is on and there are no MIME headers contained in the message, the appliance will continue to try to parse the message, using the protocol header information, if available. When this is off and MIME headers are present in the body of the message, these MIME headers will be considered part of the preamble, and not used to parse out the message.
Related Commands mime-back-headers, request-attachments, response-attachments Examples v Disables client-side support for MIME package headers and subsequently enables support, which restores the default state. # mime-front-headers off # mime-front-headers on monitor-count Assigns a Count Monitor. Syntax monitor-count name no monitor-count name Parameters name Specifies the name of an existing Count Monitor.
Syntax monitor-duration name no monitor-duration name Parameters name Specifies the name of a Duration Monitor. Guidelines Use the monitor-duration command to assign a Duration Monitor to the current Multi-Protocol Gateway. Duration Monitors watch for events that meet or exceed a configured duration. When a duration is met or exceeded, the monitor can either post a notification to a log or block service for a configured amount of time.
Examples v Allows only the first matching monitor to execute when a service has multiple monitors attached. # monitor-processing-policy terminate-at-first-match monitor-service Assigns a Service Level Monitor. Syntax monitor-service name no monitor-service name Parameters name Specifies the name of the Service Level Monitor. Guidelines Use the monitor-service command to assign a Service Level Monitor to the current Multi-Protocol Gateway.
Parameters name is the name of the parameter made available to the current Multi-Protocol Gateway. value is the value of the parameter. Guidelines Style sheets that are used in processing policies can take stylesheet parameters. These parameters can be passed in. Use the parameter command once for each required stylesheet parameter.
Disables the establishment of persistent connections. Guidelines With persistent connections enabled, the default state for both HTTP 1.0 and HTTP 1.1, the appliance negotiates with the remote HTTP peer and establishes a persistent connection if agreeable to the peer. With persistent connections disabled, the appliance refuses to negotiate the establishment of persistent connections.
Depending on the protocol, the backend service might return a response code that indicates an error condition. For HTTP messages, the response from the backend server might include a response body that contains XML that provides more details about the error. propagate-uri Enables or disables the propagation of the local portion of URL from the URL given by the client to the URL used to contact the backend server.
query-param-namespace Identifies the namespace in which to put all parameters that are specified in the URL query string. Syntax query-param-namespace namespace Parameters namespace Enter a valid namespace URL. Defaults to: http://www.datapower.com/param/query Related Commands default-param-namespace, parameter Examples v Assigns the namespace http://www.example.com/queries to all query parameters in the client URL.
message package, which is a SOAP with Attachments message, are supported. Processing can be applied individually to each attachment. The appliance does not create a manifest of all attachments. Attachments must be accessed and processed in the order that they appear in the package. unprocessed Allows messages that contain attachments, but does not process attachments.
unprocessed (Default) Characterizes the client-originated traffic stream as non-XML traffic that is not transformed by the Multi-Protocol Gateway. Related Commands response-type, soap-schema-url Examples v Characterizes client-originated traffic as XML. # request-type xml v Characterizes client-originated traffic as SOAP. # request-type soap response-attachments Specifies the processing mode for SOAP attachments in server responses.
contain large attachments. The root part of the message, which typically contains a SOAP message, is subject to filter and transform actions. No processing of parts other than the root part is possible. Accompanying documents can be passed intact. Guidelines The response-attachments command specifies the processing mode for attachments in server responses (as defined in RFC 2387).
# response-type xml v Characterizes server-originated traffic as SOAP. # response-type soap root-part-not-first-action Defines the action to take when the MIME message root part is not first. Syntax root-part-not-first-action {abort | buffer | process-in-order} Parameters abort Stops the transaction and returns an error. buffer Buffers attachments before the root part into memory.
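The root part of a multipart/related package is the part named by the Content-Type start parameter, or the first part when that parameter is absent (RFC 2387), and root-part-not-first-action decides what happens when a sender puts it elsewhere. The following Python example, added here and not the appliance's code, locates the root part with the standard library email parser and applies the three choices to a constructed SOAP-with-attachments package; the reading of process-in-order as "leave the parts in the order received" is an assumption.

```python
from email import message_from_bytes
from email.policy import default as DEFAULT_POLICY
from typing import List, Tuple


class RootPartNotFirst(Exception):
    """The 'abort' action: the transaction stops with an error."""


def root_part_index(msg) -> int:
    """Index of the root part per RFC 2387: the part whose Content-ID equals the
    'start' parameter of the multipart/related Content-Type, or the first part
    when no 'start' parameter is present."""
    parts = msg.get_payload()
    start = msg.get_param("start")
    if start is None:
        return 0
    for index, part in enumerate(parts):
        if part.get("Content-ID") == start:
            return index
    raise ValueError(f"no part carries Content-ID {start}")


def order_parts(raw: bytes, action: str = "abort") -> List[Tuple[str, str]]:
    """Return (Content-ID, Content-Type) of each part in the order a processor
    would see them after applying root-part-not-first-action."""
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    if msg.get_content_type() != "multipart/related":
        raise ValueError(f"not a multipart/related package: {msg.get_content_type()}")
    parts = list(msg.get_payload())
    root = root_part_index(msg)
    if root != 0:
        if action == "abort":
            raise RootPartNotFirst(f"root part is at position {root}, not first")
        if action == "buffer":
            # Hold the parts that precede the root in memory and hand the root over first.
            parts = [parts[root]] + parts[:root] + parts[root + 1:]
        elif action != "process-in-order":
            raise ValueError(f"unknown action {action!r}")
        # process-in-order (assumed meaning): leave the package as received.
    return [(str(p.get("Content-ID", "")), p.get_content_type()) for p in parts]


# Constructed sample: the SOAP root part arrives second, after a binary attachment.
ROOT_SECOND = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="pkg"; type="text/xml";'
    b' start="<root@example.org>"\r\n'
    b"\r\n"
    b"--pkg\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-ID: <image@example.org>\r\n"
    b"\r\n"
    b"binarydata\r\n"
    b"--pkg\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-ID: <root@example.org>\r\n"
    b"\r\n"
    b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'/>\r\n"
    b"--pkg--\r\n"
)
```

The buffer choice is the one that costs memory: every byte before the root part must be held until the root has been seen, which is why it pairs naturally with attachment-package-byte-count.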
Guidelines When a Multi-Protocol Gateway is in SOAP mode, either on the request or response side, it validates incoming messages against a W3C Schema that defines the format of a SOAP message. It is possible to customize which schema is used on a per-gateway basis by changing this property to accommodate nonstandard configurations or other special cases.
stream-output-to-back Determines whether or not the Multi-Protocol Gateway will begin sending output to the backend server before all processing of the message completes. Syntax stream-output-to-back {buffer-until-verification | stream-until-infraction} Parameters buffer-until-verification (Default) Buffers submitted messages until all processing has been verified complete, and then the message is forwarded to the appropriate backend URL.
Examples v Changes the default to stream output to the backend server until an infraction is encountered. # stream-output-to-back stream-until-infraction stylepolicy Assigns a Processing Policy. Syntax stylepolicy name Parameters name Specifies the name of an existing Processing Policy. If not specified, the Multi-Protocol Gateway uses the processing instructions, if any, in the XML document.
Guidelines Use the no suppress command to restore the standard HTTP header field to the packet stream. Related Commands host-rewriting, inject Examples v Deletes the Authorization HTTP header field from the packet stream directed to the HTTP server. # suppress back Authorization v Restores the Authorization HTTP header field to the packet stream directed to the HTTP server.
Parameters name Specifies the name of a URL Rewrite Policy. Guidelines You need not specify a URL Rewrite Policy when configuring a Multi-Protocol Gateway. Use the no urlrewrite-policy command to remove the URL Rewrite Policy assignment. Related Commands propagate-uri Examples v Assigns the Rw1 URL Rewrite Policy to the current Multi-Protocol Gateway.
Syntax wsa-default-faultto faultURL Parameters faultURL Specifies the value of the FaultTo element. Guidelines The wsa-default-faultto command is relevant when the DataPower service provides service for WS-Addressing clients (the wsa-mode command is wsa2sync or wsa2wsa). In these topologies, this command ensures that all messages contain the WS-Addressing FaultTo element.
or wsa2wsa). In these topologies, this command ensures that all messages contain the WS-Addressing ReplyTo element. This element identifies the recipient endpoint of a response message. Because the WS-Addressing specifications do not require the inclusion of the ReplyTo element, the DataPower service might receive messages that do not contain a ReplyTo element or that contain the element without a value.
Examples v Assigns the wsaErrorHandler URL Rewrite Policy to modify the contents of the FaultTo element. # wsa-faultto-rewrite wsaErrorHandler v Removes the assigned URL Rewrite Policy. # no wsa-faultto-rewrite wsa-force Forces the inclusion of Web Services Addressing (WS-Addressing) headers into incoming, traditionally-addressed messages.
# wsa-force on v Leaves traditionally-addressed message headers untouched. # wsa-force off # no wsa-force wsa-genstyle Specifies the request-response transmission model between the DataPower service and the target server. Syntax wsa-genstyle { async | oob | sync } Parameters async Identifies an asynchronous exchange pattern in which the server response is received over a different channel than the one used by the DataPower service to convey the client request.
Parameters responseCodeValue Specifies the HTTP response code to close the original client channel. Use a value in the range of 200 through 599. The default is 204. Guidelines If the server response to an HTTP client request is asynchronous, the DataPower service must close the original HTTP channel with a valid response code.
– Strip the WS-Addressing headers from any server-generated response before forwarding the response to the original client. The default behavior is to strip the WS-Addressing headers. – Process synchronous or asynchronous server responses of either the ReplyTo (a standard response to a client request) or FaultTo (reporting an error condition) variety.
(non-anonymous) client-originated ReplyTo and FaultTo element values that are preserved by the DataPower service and passed to the server. Related Commands wsa-back-protocol, wsa-force, wsa-genstyle, wsa-timeout, wsa-strip-headers Examples v Specifies sync2wsa mode, indicating that the DataPower service is mediating between hosts that employ traditional addressing and servers that support WS-Addressing.
Syntax wsa-strip-headers {on | off} Parameters on (Default) Enables the deletion of WS-Addressing headers from an incoming message. off Disables the deletion of WS-Addressing headers from an incoming message. Guidelines This command is relevant when the DataPower service is positioned between users of WS-Addressing and nonusers;...
Guidelines The wsa-timeout command specifies the maximum period of time to wait for an asynchronous response, before abandoning the transaction. This timeout value can be overridden by the var://service/wsa/timeout variable. Related Commands wsa-mode Examples v Specifies a maximum pause of 1 minute while waiting for an asynchronous response.
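The wsa-default-replyto and wsa-default-faultto defaults, the anonymous address that marks a synchronous reply, and wsa-strip-headers all act on the WS-Addressing header blocks of the envelope. This added Python example (not DataPower code) shows those operations on a constructed SOAP 1.1 request: a missing ReplyTo and a FaultTo whose Address carries no value are filled with the configured defaults, the anonymous check separates a sync from an async client, and the strip step removes every wsa: header block. The default URLs and the sample envelope are placeholders made up for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSA_NS = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA_NS + "/anonymous"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsa", WSA_NS)


def _qn(ns: str, local: str) -> str:
    return "{%s}%s" % (ns, local)


def endpoint_address(root: ET.Element, local: str) -> Optional[str]:
    """Address of the wsa:ReplyTo or wsa:FaultTo endpoint: None if the element
    is absent, '' if it is present without a usable Address value."""
    header = root.find(_qn(SOAP_NS, "Header"))
    endpoint = None if header is None else header.find(_qn(WSA_NS, local))
    if endpoint is None:
        return None
    address = endpoint.find(_qn(WSA_NS, "Address"))
    return (address.text or "").strip() if address is not None else ""


def ensure_endpoint(root: ET.Element, local: str, default_url: str) -> str:
    """wsa-default-replyto / wsa-default-faultto: a missing element, or one whose
    Address has no value, is filled with the configured default."""
    current = endpoint_address(root, local)
    if current:
        return current
    header = root.find(_qn(SOAP_NS, "Header"))
    if header is None:
        header = ET.Element(_qn(SOAP_NS, "Header"))
        root.insert(0, header)
    endpoint = header.find(_qn(WSA_NS, local))
    if endpoint is None:
        endpoint = ET.SubElement(header, _qn(WSA_NS, local))
    address = endpoint.find(_qn(WSA_NS, "Address"))
    if address is None:
        address = ET.SubElement(endpoint, _qn(WSA_NS, "Address"))
    address.text = default_url
    return default_url


def apply_wsa_defaults(envelope: str, default_replyto: str,
                       default_faultto: str) -> Tuple[str, str, str]:
    """Return the rewritten envelope plus the effective ReplyTo and FaultTo addresses."""
    root = ET.fromstring(envelope)
    reply_to = ensure_endpoint(root, "ReplyTo", default_replyto)
    fault_to = ensure_endpoint(root, "FaultTo", default_faultto)
    return ET.tostring(root, encoding="unicode"), reply_to, fault_to


def strip_wsa_headers(envelope: str) -> Tuple[str, int]:
    """wsa-strip-headers on: drop every WS-Addressing header block."""
    root = ET.fromstring(envelope)
    header = root.find(_qn(SOAP_NS, "Header"))
    removed = 0
    if header is not None:
        for child in list(header):
            if child.tag.startswith("{%s}" % WSA_NS):
                header.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def reply_is_anonymous(envelope: str) -> bool:
    """True when the client expects its response on the same channel (no ReplyTo,
    an empty one, or the WS-Addressing anonymous address); False means async."""
    address = endpoint_address(ET.fromstring(envelope), "ReplyTo")
    return address in (None, "", WSA_ANONYMOUS)


# Constructed sample: a request with no ReplyTo and an empty FaultTo Address.
SAMPLE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:wsa="http://www.w3.org/2005/08/addressing">'
    "<soap:Header>"
    "<wsa:To>http://backend.example.org/orders</wsa:To>"
    "<wsa:Action>urn:example:orders:submit</wsa:Action>"
    "<wsa:FaultTo><wsa:Address></wsa:Address></wsa:FaultTo>"
    "</soap:Header>"
    '<soap:Body><submit xmlns="urn:example:orders"/></soap:Body>'
    "</soap:Envelope>"
)
```

Once a non-anonymous ReplyTo is in place, the appliance must answer the original HTTP channel with the wsa-http-async-response-code status (204 by default) and deliver the real response to that address, which is why the default ReplyTo should point at an endpoint you actually operate.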
Related Commands wsrm-aaapolicy, wsrm-destination-accept-create-sequence, wsrm-destination-accept-offers, wsrm-destination-inorder, wsrm-destination-maximum-inorder-queue-length, wsrm-destination-maximum-sequences, wsrm-request-force, wsrm-response-force, wsrm-sequence-expiration, wsrm-source-back-acks-to, wsrm-source-exponential-backoff, wsrm-source-front-acks-to, wsrm-source-inactivity-close-interval, wsrm-source-make-offer, wsrm-source-maximum-queue-length, wsrm-source-maximum-sequences, wsrm-source-request-ack-count, wsrm-source-request-create-sequence, wsrm-source-response-create-sequence, wsrm-source-sequence-ssl, wsrm-source-retransmission-interval, wsrm-source-retransmit-count wsrm-aaapolicy Assigns an AAA Policy. Syntax wsrm-aaapolicy name Parameters name Specifies the name of an existing AAA Policy. Guidelines Use the wsrm-aaapolicy command to assign an AAA Policy to perform authentication of incoming Reliable Messaging messages.
Disables this feature. If disabled, the client cannot use Reliable Messaging to communicate with this DataPower service. If disabled, the only way that a Reliable Messaging destination can be created on this DataPower service is when the Reliable Messaging source is configured to make offers. In this case an Offer and Accept can create a Reliable Messaging destination for the server to send Reliable Messaging messages to the client.
client is one greater than the last one that was processed. InOrder delivery assurance increases memory and resource utilization by the Reliable Messaging destination. Related Commands wsrm, wsrm-destination-maximum-inorder-queue-length wsrm-destination-maximum-inorder-queue-length Specifies the maximum number of messages held in the queue. Syntax wsrm-destination-maximum-inorder-queue-length numberOfMessages Parameters numberOfMessages...
wsrm-request-force Indicates whether to require Reliable Messaging for all SOAP messages that request rules process. Syntax wsrm-request-force {on | off} Parameters on Requires Reliable Messaging for all requests. off (Default) Does not require Reliable Messaging for all requests. Guidelines The wsrm-request-force command indicates whether to require the use of Reliable Messaging for all SOAP messages that request rules process.
Syntax wsrm-sequence-expiration lifetime Parameters lifetime Specifies the lifetime in seconds. The default is 3600. Guidelines If an incoming CreateSequence SOAP message has an Expires lifetime that is longer than this value, the value in the CreateSequenceResponse SOAP message is reduced to this value.
wsrm-source-exponential-backoff Indicates whether to use exponential back off. Syntax wsrm-source-exponential-backoff {on | off} Parameters on (Default) Uses exponential back off to increase the interval between retransmissions. The value of the wsrm-source-retransmission-interval command sets the initial timeout. off Does not use exponential back off; the interval between retransmissions stays constant.
v With a specified Front Side Protocol Handler, when the front side sends a CreateSequence SOAP message to establish a reliable back channel, a non-anonymous URL is specified in the AcksTo element of the CreateSequence SOAP request. v Without a Front Side Protocol Handler, the AcksTo element has the value http://www.w3.org/2005/08/addressing/anonymous, which indicates synchronous Acks.
DataPower service creates a Reliable Messaging source to send requests to the server. If the server does not accept the offer, the DataPower service does not create a Reliable Messaging destination. Related Commands wsrm, wsrm-source-request-create-sequence wsrm-source-maximum-queue-length Specifies the maximum number of messages held in the queue. Syntax wsrm-source-maximum-queue-length numberOfMessages Parameters...
wsrm-source-request-ack-count Specifies the number of messages to send before requesting acknowledgement. Syntax wsrm-source-request-ack-count numberOfMessages Parameters numberOfMessages Use an integer in the range of 1 through 256. The default is 1. Guidelines The wsrm-source-request-ack-count command specifies the number of messages that the Reliable Messaging source sends before including the AckRequested SOAP header to request an acknowledgement.
Parameters on Creates a Reliable Messaging source. off (Default) Does not create a Reliable Messaging source. Guidelines When the WS-Addressing mode (wsa-mode command) is wsa2sync or wsa2wsa, the wsrm-source-response-create-sequence command indicates whether to create a Reliable Messaging source from the front side to the client when there is SOAP data to send to the client and no Reliable Messaging source was already created by a MakeOffer from the client. The source is created by sending a CreateSequence SOAP request to the WS-Addressing ReplyTo address.
Guidelines The wsrm-source-retransmit-count command specifies the number of times a Reliable Messaging source retransmits a message before declaring a failure. This command also controls the retransmission of CreateSequence requests. Related Commands wsrm, wsrm-destination-accept-offers, wsrm-source-request-create-sequence, wsrm-source-response-create-sequence wsrm-source-sequence-ssl Indicates whether to use an SSL session binding to protect sequence lifecycle messages.
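The source-side retransmission commands (wsrm-source-retransmission-interval, wsrm-source-retransmit-count, wsrm-source-exponential-backoff), wsrm-source-request-ack-count and wsrm-sequence-expiration combine into a small amount of arithmetic that is easier to check in code than to reason about from the descriptions. The following Python model is an added example, not the appliance's implementation: the retransmission interval and retransmit count defaults in it are assumptions (this section of the reference does not state them), while the back-off, ack-count and expiration defaults are the ones given above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RmSourceConfig:
    """Settings of a Reliable Messaging source. The interval and retransmit
    count defaults are assumptions for this example; the rest follow the reference."""
    retransmission_interval: float = 10.0   # wsrm-source-retransmission-interval, seconds (assumed)
    retransmit_count: int = 4               # wsrm-source-retransmit-count (assumed)
    exponential_backoff: bool = True        # wsrm-source-exponential-backoff, on by default
    request_ack_count: int = 1              # wsrm-source-request-ack-count, default 1
    sequence_expiration: int = 3600         # wsrm-sequence-expiration, default 3600 seconds


def retransmission_schedule(cfg: RmSourceConfig) -> Tuple[List[float], float]:
    """Offsets (seconds after the first transmission) of each retransmission, and
    the moment the source declares failure when none of them is acknowledged."""
    offsets: List[float] = []
    elapsed = 0.0
    wait = float(cfg.retransmission_interval)
    for _ in range(cfg.retransmit_count):
        elapsed += wait
        offsets.append(elapsed)
        if cfg.exponential_backoff:
            wait *= 2   # each retry waits twice as long as the previous one
    return offsets, elapsed + wait


def transmissions_until_ack(cfg: RmSourceConfig, ack_at: float) -> Optional[int]:
    """How many times the message goes out (first send included) before an
    acknowledgement arriving at ack_at seconds is seen; None if the source
    gives up first."""
    offsets, fail_at = retransmission_schedule(cfg)
    if ack_at >= fail_at:
        return None
    return 1 + sum(1 for t in offsets if t < ack_at)


def ack_requested_messages(cfg: RmSourceConfig, count: int) -> List[int]:
    """Message numbers 1..count that carry the AckRequested SOAP header."""
    return [n for n in range(1, count + 1) if n % cfg.request_ack_count == 0]


def granted_expires(cfg: RmSourceConfig, requested_seconds: int) -> int:
    """Lifetime placed in CreateSequenceResponse: the client's Expires value,
    capped at wsrm-sequence-expiration."""
    return min(requested_seconds, cfg.sequence_expiration)
```

With back-off on, four retries at a 10 second base interval keep the message alive for over five minutes before failure is declared; with back-off off the same settings give up after 50 seconds, so the two switches should be tuned together rather than separately.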
user-specific characteristics, use the Global xml-manager command to create a new Manager. Then use this command to associate it with the current Multi-Protocol Gateway. Related Commands stylesheet-policy xml-manager (Global) Examples v Assigns the mgr1 XML Manager to the current Multi-Protocol Gateway. # xml-manager mgr1
Examples v Sets the ARP retry limit to 5. # arp-retries 5 destination-routing Controls the behavior of destination-based routing. Syntax destination-routing {on | off} Parameters on Selects the interface based on the best path to the client, irrespective of the service or receiving interface. Best path is determined by static routes bound to the available interfaces.
Guidelines By default the appliance will refuse to accept a packet on an interface other than the one bound to the destination address of the packet. Use the disable-interface-isolation command to disable that behavior and allow any interface on the same subnet to accept the packet. As a security policy, the interface receiving a network packet must also be configured with the IP address that is the destination address of the packet.
Use the no icmp-disable command to enable the generation of a specific ICMP reply. Related Commands network Examples v Disables ICMP echo message (ping) replies. # icmp-disable echo-reply v Enables ping replies, which restores the default state. # no icmp-disable echo-reply relax-interface-isolation Relaxes the restriction on interface isolation.
Parameters retries Specifies the number of times the local system attempts to send a TCP SYN that receives no response. Use an integer in the range of 1 through 32. The default is 5. Examples v Sets the retry limit to 10. # tcp-retries 10
Decreasing the interval lessens the chance that a transaction will time out while waiting for an NFS file open operation to fail because the NFS server is down or unreachable. Increasing the interval reduces local and NFS server overhead from mount checking.
Syntax inactivity-timeout seconds Parameters seconds Specifies the number of seconds an idle NFS mount, that is a mount with no file read-write activity, is maintained before the file system is unmounted. The default is 900. A value of 0 indicates that the NFS mount is never unmounted.
Guidelines Use the read-only command to specify the mount type as read-only. This setting allows only file read operations on NFS mounts. By default, NFS mounts allow both read and write transactions. retrans Specifies the maximum number of RPC minor time outs to allow before the transaction fails.
Parameters size Specifies the number of bytes in each NFS read operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
transport Identifies the preferred transport-layer protocol. Syntax transport {tcp | udp} Parameters tcp (Default) Identifies TCP as the protocol. udp Identifies UDP as the protocol. Guidelines The transport command specifies the preferred transport-layer protocol to use, if available. Use the TCP protocol to perform read or write transactions larger than 8192 bytes.
Parameters size Specifies the number of bytes in each NFS write transaction. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
error-rename-pattern Specifies the rename pattern when a file could not be processed. Syntax error-rename-pattern pattern Parameters pattern Defines a PCRE that defines the rename pattern. Guidelines The error-rename-pattern command specifies the PCRE to rename a file when it could not be processed. This command is relevant when error-delete is off.
Syntax processing-rename-pattern pattern Parameters pattern Defines a PCRE that defines the rename pattern. Guidelines The processing-rename-pattern command specifies the PCRE to rename a file that is being processed. This functionality allows multiple pollers to poll the same directory with the same match pattern. There is no lack of atomicity if the rename operation on the server is atomic.
Syntax processing-seize-pattern pattern Parameters pattern Defines the PCRE to use as the match pattern to search for files that are being processed. Guidelines The processing-seize-pattern command specifies the PCRE to find files that were renamed to indicate that they are in the "being processed" state but the processing was never completed.
When these conditions are met, this system renames the file (with its host name and a fresh timestamp) and locally processes the file. This processing assumes that the rename succeeded. Related Commands processing-seize-pattern result Indicates whether to create a response file after processing an input file. Syntax result { on | off} Parameters...
Related Commands result success-delete Indicates whether the input file is deleted after successful processing. Syntax success-delete {on | off} Parameters on Deletes the input file. off (Default) Does not delete the input file. Guidelines The success-delete command indicates whether the input (or processing renamed) files should be deleted after successful processing.
target-dir Specifies the directory to poll. Syntax target-dir directory Parameters directory Specifies the directory to poll. Guidelines The target-dir command specifies a directory to poll. The path must end in a slash, which denotes a directory. For example: dpnfs://static-mount-name/path/ Do not configure one NFS poller to point at a host name that is the virtual name of a load balancer group.
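The rename commands of the NFS poller (processing-rename-pattern, processing-seize-pattern, error-rename-pattern and the seize conditions described above) rely on the rename operation being atomic on the NFS server. The following Python example, added here and not the appliance's code, models a poller that claims a file by renaming it, recognises a file abandoned by another poller from the timestamp in its name, and seizes it under its own host name with a fresh timestamp. The name layout `<input>.processing.<host>.<timestamp>`, the regular expressions, the host names and clock values are the example's own assumptions, and Python's re module stands in for PCRE.

```python
import os
import re
import socket
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PollerConfig:
    match_pattern: str               # selects input files, e.g. ^(.+)\.xml$
    processing_rename_pattern: str   # replacement template; \1 is the first group
    processing_seize_pattern: str    # must define the groups 'base', 'host' and 'ts'
    processing_seize_timeout: int    # seconds before an abandoned file may be seized
    error_rename_pattern: str        # replacement template for files that failed


def _host_tag(host: Optional[str]) -> str:
    # '.' separates the name fields below, so it must not appear inside the host tag.
    return (host or socket.gethostname()).replace(".", "_")


def _rename(directory: str, old: str, new: str) -> Optional[str]:
    try:
        # rename() is atomic on POSIX file systems and on NFS servers, so when
        # several pollers race for one file exactly one of them succeeds.
        os.rename(os.path.join(directory, old), os.path.join(directory, new))
    except FileNotFoundError:
        return None   # somebody else renamed it first
    return new


def claim(directory: str, filename: str, cfg: PollerConfig,
          host: Optional[str] = None, now: Optional[float] = None) -> Optional[str]:
    """Move a matching input file into the 'being processed' state."""
    if not re.search(cfg.match_pattern, filename):
        return None
    base = re.sub(cfg.match_pattern, cfg.processing_rename_pattern, filename)
    stamp = int(time.time() if now is None else now)
    return _rename(directory, filename, f"{base}.{_host_tag(host)}.{stamp}")


def seizable(directory: str, cfg: PollerConfig, now: Optional[float] = None) -> List[str]:
    """Files left in the 'being processed' state for longer than the seize timeout."""
    now = time.time() if now is None else now
    stale = []
    for name in sorted(os.listdir(directory)):
        m = re.search(cfg.processing_seize_pattern, name)
        if m and now - int(m.group("ts")) > cfg.processing_seize_timeout:
            stale.append(name)
    return stale


def seize(directory: str, name: str, cfg: PollerConfig,
          host: Optional[str] = None, now: Optional[float] = None) -> Optional[str]:
    """Take over an abandoned file under this host's name with a fresh timestamp."""
    m = re.search(cfg.processing_seize_pattern, name)
    if m is None:
        return None
    stamp = int(time.time() if now is None else now)
    return _rename(directory, name, f"{m.group('base')}.{_host_tag(host)}.{stamp}")


def error_name(cfg: PollerConfig, filename: str) -> str:
    """Name for an input file that could not be processed (error-delete off)."""
    return re.sub(cfg.match_pattern, cfg.error_rename_pattern, filename)


def demo() -> dict:
    """Claim, lose a race, wait out the seize timeout and seize, in a scratch
    directory with fixed host names and clock values (all constructed)."""
    directory = tempfile.mkdtemp(prefix="nfspoller-")
    cfg = PollerConfig(
        match_pattern=r"^(.+)\.xml$",
        processing_rename_pattern=r"\1.xml.processing",
        processing_seize_pattern=r"^(?P<base>.+\.processing)\.(?P<host>[^.]+)\.(?P<ts>\d+)$",
        processing_seize_timeout=300,
        error_rename_pattern=r"\1.xml.error",
    )
    open(os.path.join(directory, "order1.xml"), "w").close()
    out = {}
    out["claimed"] = claim(directory, "order1.xml", cfg, host="dp1", now=1000)
    out["race"] = claim(directory, "order1.xml", cfg, host="dp2", now=1001)
    out["too_early"] = seizable(directory, cfg, now=1200)
    out["stale"] = seizable(directory, cfg, now=1400)
    out["seized"] = seize(directory, out["stale"][0], cfg, host="dp2", now=1400)
    out["listing"] = sorted(os.listdir(directory))
    out["error"] = error_name(cfg, "order1.xml")
    out["ignored"] = claim(directory, "notes.txt", cfg)
    return out
```

The seize timeout has to exceed the longest legitimate processing time, otherwise two pollers can both end up processing one file; and since the timestamps come from each poller's own clock, the hosts sharing a directory need synchronised time (see the ntp-service command).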
Syntax local-filesystem-access {on | off} Parameters on Enables local access. off (Default) Disables local access. Guidelines By default, access to the mounted file system is not supported. This command enables access to the mounted file system through a folder with the name of the NFS Static Mount object.
<path> must match or be more specific than the NFS export that is provided by the target server. For example, if the server provides an export of XML/stylesheets, the <path> portion can specify XML/stylesheets or XML/stylesheets/financialServices (if there is a financialServices subdirectory).
Syntax rsize size Parameters size Specifies the number of bytes in each NFS read operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
Related Commands retrans transport Identifies the preferred transport-layer protocol. Syntax transport {tcp | udp} Parameters tcp (Default) Identifies TCP as the protocol. udp Identifies UDP as the protocol. Guidelines The transport command specifies the preferred transport-layer protocol to use, if available. Use the TCP protocol to perform read or write transactions larger than 8192 bytes.
Parameters bytes Specifies the number of bytes in each NFS write operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
Parameters server Identifies the NTP server by host name or IP address. Guidelines From the command line, the appliance supports one NTP server at a time. To designate a new NTP server, use the no ntp-service command to delete the current server.
Examples v Enters Peer Group configuration mode to create the SLM-Group1 Peer Group. Specifies the peer group type as SLM and designates group members. # peer-group SLM-Group1 Peer Group configuration mode # type slm # url 192.168.12.100 # url 192.168.49.13 # url 192.168.80.126
Parameters service Indicates to associate the policy with a WSDL service. port Indicates to associate the policy with a WSDL port. wsdlComponentValue Specifies the QName of a WSDL component in the {namespace}ncname format. Specify the location of the document that contains the policy to attach. ignore-attachment-point Disables external policy for a service or port.
Examples v Causes the event-sink action to wait until the async-fetch-1 and async-fetch-2 actions complete. # type event-sink # async-action async-fetch-1 # async-action async-fetch-2 asynchronous Indicates when to run the action asynchronously. Syntax asynchronous {on | off} Parameters on Runs the action asynchronously. off (Default) Runs the action synchronously.
Parameters Identifies a document attachment to be stripped from the MIME multipart package. Guidelines attachment-uri is used only if the action type (as specified by the type command) is strip-attachments. Related Commands type Examples v Strips attachments from the specified document. # type strip-attachments # attachment-uri https://sona/TestBase/simple.xsl condition...
destination Either identifies an external resource or identifies the target destination for a transmitted message. Syntax destination uri Parameters uri Identifies the resource or message destination. Guidelines destination is required when the action type is fetch, log, results-async, or route-set. This command is optional when the action type is results. v When the action type is fetch, specifies the source location of the resource to be retrieved.
Syntax dynamic-schema schema Parameters schema Identifies the dynamic schema. Guidelines The dynamic-schema command is used only if the action type (as specified by the type command) is validate to identify a dynamic schema to validate incoming documents. Examples v Specifies the dynamic schema used for document validation. # type validate # dynamic-schema https://sona/TestBase/validate.xsd dynamic-stylesheet...
Guidelines The error-input command is used only if the action type (as specified by the type command) is on-error. If no context is explicitly identified, the input context of the failed action is used. Examples v Specifies temp1 as the input context for the on-error action. # type on-error # error-input temp1 error-mode...
Guidelines The error-output command is used only if the action type (as specified by the type command) is on-error. If no context is explicitly identified, the output context of the failed action is used. Examples v Specifies trashCan as the output context for the action. # type on-error # error-output trashCan event...
Guidelines The input command is required when the action type (as specified by the type command) is aaa, call, checkpoint, convert-http, extract, filter, log, results, results-async, route-action, setvar, slm, strip-attachments, validate, xform, or xformpi. The input command is not used when the action type is fetch, on-error, rewrite, or route-set.
Guidelines The iterator-count command specifies the number of times to run the specified action for the current for-each action. During the loop, the var://service/ multistep/loop-count service variable is set to the current iteration of the loop. The first iteration starts the count at 1. This command is meaningful only when both of the following conditions are met: v The action type that is specified by the type command is for-each.
# type for-each # input INPUT # iterator-type xpath # iterator-expression //*[local-name()='item'] # loop-action transformer iterator-type Indicates the iteration type for the current for-each action. Syntax iterator-type {count | xpath} Parameters count Indicates that iterations are based on a fixed count. xpath Indicates that iterations are based on each XPath expression match.
Parameters priority Specifies one of the following message priorities: emergency alert critical error warning notice (Default) info debug Guidelines The log-level command is used only if the action type (as specified by the type command) is log. Examples v Identifies the message priority as warning. # type log # log-level warning log-type...
Syntax loop-action action Parameters action Specifies the name of an existing action to run. Guidelines The loop-action command specifies the name of the existing action within the current for-each action. The output context of the for-each action replaces the output context of the named action. If the output context of the for-each action and the named action are the same and the value of the multiple-outputs command is on, the final output context uses the same name and appends a number.
Examples v Specifies that the transformer action runs one time for each item element in the input context. The processing generates output contexts out_1, out_2, and so forth. # type for-each # output out # multiple-outputs # iterator-type xpath # iterator-expression //*[local-name()='item'] # loop-action transformer output Specifies the output context for the current action.
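The for-each behaviour described above, as an added Python model that is not DataPower code: it matches the page's //*[local-name()='item'] expression by local name (ElementTree has no local-name() function), numbers the iterations from 1 in the way var://service/multistep/loop-count does, and with multiple-outputs on writes each iteration's result to out_1, out_2 and so on, while with multiple-outputs off every iteration overwrites the same context so only the last item survives. The order document and the transformer stand-in are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample document (not from the page). The items sit in a default
# namespace, which is why the page's XPath uses local-name() rather than a prefix.
SAMPLE_ORDER = """<order xmlns="urn:example:orders">
  <item sku="A1" qty="2"/>
  <item sku="B2" qty="1"/>
  <item sku="C3" qty="5"/>
</order>"""


def local_name(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def match_local_name(root, name):
    """Model of //*[local-name()='name']: every element whose local name matches."""
    return [e for e in root.iter() if local_name(e.tag) == name]


def for_each_xpath(xml_text, name, output_ctx, loop_action, multiple_outputs):
    """Model of a for-each action with iterator-type xpath.

    loop_action(node, loop_count) returns the content to store for one iteration;
    loop_count models var://service/multistep/loop-count and starts at 1.
    With multiple_outputs True, iteration i is stored as <output_ctx>_i; with it
    False every iteration writes output_ctx, so only the final iteration remains.
    Returns a dict of context name -> stored content.
    """
    root = ET.fromstring(xml_text)
    contexts = {}
    for count, node in enumerate(match_local_name(root, name), start=1):
        target = f"{output_ctx}_{count}" if multiple_outputs else output_ctx
        contexts[target] = loop_action(node, count)
    return contexts


def transformer(node, loop_count):
    """Stand-in for the 'transformer' action named on the page: records the item."""
    return {"sku": node.get("sku"), "qty": int(node.get("qty")), "loop_count": loop_count}


if __name__ == "__main__":
    print(for_each_xpath(SAMPLE_ORDER, "item", "out", transformer, multiple_outputs=True))
```

Calling for_each_xpath(SAMPLE_ORDER, "item", "out", transformer, multiple_outputs=True) yields the contexts out_1, out_2 and out_3; the same call with multiple_outputs=False yields a single out context holding the C3 item.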
type field of the document; if the content type is XML or undeclared, the data is treated as XML. Otherwise, the data is treated as binary. Indicates that the data is treated and parsed as XML. binary Indicates that the data is treated as binary and unprocessed. Guidelines The output-type command is optionally used only when the action type (as specified by the type command) is fetch, log, results, xform, or xformpi.
require-all Indicates that targets are dispatched in parallel. The action succeeds only after the input reaches all of the backend targets. attempt-all Indicates that targets are dispatched in parallel. The action succeeds if the input reaches any backend target. In other words, the action is successful even when the input does not reach each of the backend targets.
Examples v Specifies that if the action fails to write the input to http://log-server/log, the request is retried 10 times at 5-second intervals (the retry-interval value is expressed in milliseconds). # type results # input ctx # destination http://log-server/log # retry-count 10 # retry-interval 5000 retry-interval Specifies the retry interval for the current results action.
Examples v Indicates that the call action invokes the validateSOAP processing rule. # type call # rule validateSOAP schema-url Specifies a schema to be used in validation operations by the current validate action. Syntax schema-url url Parameters Identifies the schema used for document validation. Guidelines The schema-url command is used only if the action type (as specified by the type command) is validate.
soap-validation Specifies the SOAP validation type. Syntax soap-validation {body | body-or-detail | envelope | ignore-faults} Parameters body Validates the contents of the SOAP body element. body-or-detail Validates the content of the detail element for SOAP faults and the contents of the SOAP body element. envelope (Default) Validates the entire message, including the contents of the SOAP envelope.
Related Commands type Examples v Indicates that the current route-set action uses the SSLProfile-2 SSL Proxy Profile. # type route-set # sslcred SSLProfile-2 timeout Specifies the wait duration for the current event-sink action. Syntax timeout duration Parameters duration Specifies the time to wait for the action to complete in milliseconds. Guidelines The timeout command specifies the duration that an event-sink action waits for its named actions to complete.
Guidelines The transform command is required when the action type (as specified by the type command) is filter, route-action, xform, or xformpi. Related Commands type Examples v Identifies the processHeaders.xsl style sheet in the local: directory for the current xform action. # type xform # transform local:///processHeaders.xsl type...
fetch Indicates a fetch action. This action retrieves a remote resource and stores it in a specified context. This action is relevant for all services. filter Indicates a filter action. This action filters a document set with a specified style sheet. This action is relevant for all services except XSL Coprocessor services.
xform Indicates an xform action. This action performs a style sheet-based document transform. This action is relevant for all services. xformpi Indicates an xformpi action. This action performs a transform based on processing instructions in the candidate documents. This action is relevant for all services. urlrewrite-policy Identifies the URL Rewrite Policy implemented by the current action.
variable Identifies the variable declared by the current setvar action. Syntax variable name Parameters name Specifies the name of the variable. Guidelines The variable command is required when the action type (as specified by the type command) is setvar. Examples v Assigns the value preferredAccount to the customer variable as declared by the current setvar action.
wsdl-message-direction-or-name Specifies the WSDL-defined service traffic to validate with the current validate action. Syntax wsdl-message-direction-or-name name Parameters name Specifies the name or direction of the service traffic. Guidelines The wsdl-message-direction-or-name command specifies the name or direction of the WSDL input, output, or fault that defines the service traffic to validate. Use one of the following values: v The name of one or more WSDL input, output, or fault components.
Related Commands type wsdl-port Specifies the QName of the WSDL port for the current validate action. Syntax wsdl-port qname Parameters qname Specifies the QName of a WSDL port. Guidelines The wsdl-port command specifies the QName of the WSDL port. The WSDL port defines the service traffic to validate.
Syntax xpath expression Parameters expression Identifies the XPath expression. Guidelines The xpath command is required when the action type (as specified by the type command) is extract. Otherwise, it is not used. Examples v Indicates that the current extract action should use .//Order_Number as the XPath expression.
Syntax filter URL Parameters Specifies the location of the default style sheet. Guidelines This default style sheet performs XML filtering only if a candidate XML document fails to match any of the filter rules in the processing policy. Refer to Appendix B, “Processing Policy procedures,” on page 999 for details about the creation and implementation of Processing Policies.
Examples v Adds the associated matching rule and global rule to the current Processing Policy. # match star valClientServer v Removes all rules from the current Processing Policy. # no match request-rule Assigns a request rule. Syntax request-rule rule Parameters rule Specifies the name of an existing Matching Rule.
Guidelines The response-rule command defines a response rule. A response rule requires a matching rule. A response rule is applied to server-originated traffic only. Create the matching rule with the matching command and populate it with the httpmatch or urlmatch commands. The matching rule serves as a source of URL or HTTP templates.
xsldefault Identifies a default style sheet to transform documents. Syntax xsldefault URL Parameters Specifies the location of the default style sheet. Guidelines This default style sheet performs XML transformation only if a candidate XML document fails to match any of the transformation rules that are defined in the processing policy.
output-context Identifies the context where results are stored. Use OUTPUT to specify the final policy output, that is, the transformed client request or transformed server response. Examples v Applies the processRequest rule to the document in the temp1 context and moves the results to the temp2 context.
Parameters input-context Identifies the context that contains the non-XML source. Use INPUT to specify the initial policy input, that is, the original client request or server response. output-context Identifies an output context where the converted document is stored. Use OUTPUT to specify the final policy output, that is, the transformed client request or transformed server response. Optionally identifies an input conversion map that specifies document encoding.
# extract INPUT three //games/url v Applies the XPath expression //games/url to the INPUT context and stores the result in the variable url within the three context. # extract INPUT three //games/url var://local/url v Applies the XPath expression referenced by the local variable xpath and stores the result in the variable url in the three context.
Parameters input-context Identifies the context that contains the document to be filtered. Use INPUT to specify the initial policy input, that is the original client request or server response. Identifies the XSL style sheet to filter the source document. Takes the form of a URL or a variable that expands to a URL.
Specifies a URL for the log message recipient. output-context Optionally identifies an output context. Examples v Sends the contents of the INPUT context to the specified target URL. # log INPUT http://www.us.ibm/ragnarok/log non-xml-processing Enables processing of non-XML input or output. Syntax non-xml-processing...
on-error Adds an on-error action. Syntax on-error mode [rule] [input-context] [output-context] Parameters mode Specifies the operational response to an error and takes one of the following forms: abort Indicates that processing ceases in the event of an error. continue Indicates that processing continues with the next action in the event of an error.
# output-filter none results Adds a results action. Syntax results context [destination] [response] Parameters context Identifies the target context, that is the target whose contents are transmitted. destination Optionally specifies the destination. In the absence of this argument, the contents of the target context are transmitted to the OUTPUT of the Processing Rule.
Guidelines A results-async action differs from a results action in that results-async transmits the contents of the context asynchronously. That is, a results-async action never waits for a response from the target destination. Examples v Sends the contents of the INPUT context to the destination of the rule. # results INPUT v Sends the contents of the INPUT context to the destination referenced by the local var://local/dest variable.
Examples v Specifies style sheet-based routing of the contents of the temp1 context with the route.xsl style sheet. # route-action temp1 local:///route.xsl route-set Adds a route-set action. Syntax route-set destination [proxy] Parameters destination Identifies the document destination and can be expressed as a protocol-specific URL or as a variable that expands to a transport URL.
v Sets a variable in the routing context with the name of dest and a value of http://ragnarok:9010/. # setvar INPUT var://context/routing/dest http://ragnarok:9010/ Adds an slm action. Syntax slm input-context name Parameters input-context Identifies the context monitored by the specified SLM Policy. Use INPUT to specify the initial policy input, that is the original client request or server response.
Parameters error-rule Indicates an error rule, a rule invoked in response to a fault condition. request-rule Indicates a request rule, a rule applied to client requests only. response-rule Indicates a response rule, a rule applied to server responses only. rule Indicates a bidirectional rule, a rule applied to both client requests and server responses.
attribute-rewrite name Specifies the name of the URL Rewrite Policy to rewrite the schema that is referenced by an xsi:schemaLocation attribute in the XML document. The rewritten schema reference usually specifies the location of a local, trusted copy of the schema to use for document validation. dynamic-schema url Regardless of xsi:schemaLocation attributes in the document, specifies the use of a dynamically generated schema to use for document validation.
v Adds a validation action. Validates XML documents in the INPUT context with the local SchemaOne.xsd schema and stores the validated document in the Post-Validation context. # validate INPUT schema store:///SchemaOne.xsd Post-Validation xform Adds an xform action. Syntax xform input-context URL output-context xform input-context dynamic-stylesheet objectName output-context Parameters input-context...
v Adds a transformation rule. Transforms the document in the Step2 context with the style sheet that is referenced by the var://stylesheets/5 variable, and sends the transformed document to the final destination of the rule. # xform Step2 var://stylesheets/5 OUTPUT xformpi Adds an xformpi action.
v Identifies a RADIUS server at 172.16.100.100:1812 # aaaserver 30 172.16.100.100 1812 secret: YetAnotherPasswordServer20 v Identifies a RADIUS server at 172.16.200.200:18120. RADIUS servers will be contacted in the following order: 172.16.200.200 18120, 172.16.1.1 1812, 172.16.100.100 1812. # aaaserver 10 172.16.200.200 18120 secret: YetAnotherPasswordServer10 v Deletes the RADIUS server at 172.16.200.200:18120.
Parameters number Specifies the number of re-transmittals. The default is 3. Guidelines In conjunction with the timeout command, the retries command specifies the maximum amount of time that the appliance spends attempting to connect to a specific RADIUS server. At the expiration of this period, the appliance attempts to connect to the next server on its list of RADIUS servers.
Examples v Identifies a RADIUS server at 172.16.1.1:1812. # server 20 172.16.1.1 1812 secret: YetAnotherPasswordServer20 v Identifies a RADIUS server at 172.16.100.100:1812 # server 30 172.16.100.100 1812 secret: YetAnotherPasswordServer20 v Identifies a RADIUS server at 172.16.200.200:18120. RADIUS servers will be contacted in the following order: 172.16.200.200 18120, 172.16.1.1 1812, 172.16.100.100 1812.
client certificates for authentication, only local fallback users, as defined with the fallback-login and fallback-users commands, will be able to access the appliance from the command line. Related Commands access-policy (User Group), add (User Group), au-method, delete (User Group), domain-user (Application Domain), fallback-login, fallback-users Examples v Applies the RBM policy to the WebGUI access and command line access.
au-cache-ttl Specifies the time-to-live for cached authentication results. Syntax au-cache-ttl seconds Parameters seconds Specifies the time-to-live (TTL) in seconds. Use an integer in the range of 1 through 86400. The default is 600. Guidelines The au-cache-ttl command defines the explicit TTL in seconds for cached authentication results.
# au-method custom # au-custom-url https://myserver.domain.com/authn/RBM-AU.xsl au-info-url Specifies the URL of the authentication XML file. Syntax au-info-url URL Parameters Specifies the location of the XML file. Guidelines The au-info-url command defines the fully-qualified file name (URL) of the XML file for authentication. This command is relevant when the authentication method, as defined with the au-method command, is xmlfile.
Examples v Assigns the keytab-1 Kerberos Keytab object for SPNEGO authentication. # au-method spnego # au-kerberos-keytab keytab-1 au-ldap-bind-dn Specifies the login DN (distinguished name) to access an LDAP server. Syntax au-ldap-bind-dn DN Parameters Specifies the login DN. Guidelines The au-ldap-bind-dn command specifies the login DN to access the target LDAP server.
Guidelines The au-ldap-bind-password command specifies the password for the login DN to access the target LDAP server. This command is relevant when the authentication method, as defined with the au-method command, is ldap and when the LDAP search for group name property, as defined with the au-ldap-search command, is enabled.
# au-ldap-search on # au-ldap-bind-dn proxyuser # au-ldap-bind-password p@Ssw0rd v Sets the authentication method to local. # au-method local au-server-host Specifies the IP address or domain name of a remote authentication server. Syntax au-server-host host Parameters host Specifies the IP address or domain name of the server. Guidelines The au-server-host command specifies the IP address or domain name of the authentication server.
Guidelines The au-server-port command specifies the listening port of the authentication server defined with the au-server-host command. When the authentication method is ldap, as defined with the au-method command, you need to define the LDAP server in one of the following ways: v The au-server-host and au-server-port commands v The loadbalancer-group command Related Commands...
Guidelines The au-valcred command associates a Validation Credentials object for validating the identity presented in a client certificate from an SSL peer. This command is relevant when the authentication method, as defined with the au-method command, is client-ssl. Use the Crypto valcred command to create a Validation Credentials object. Related Commands au-method, valcred (Crypto) Examples...
Parameters disabled (Default) Indicates that no locally-defined user can log in. local Indicates that all locally-defined users can log in. restricted Indicates that only specific locally-defined users can log in. Guidelines The fallback-login command indicates whether to use local user accounts as fallback users when the primary authentication method fails.
Guidelines The fallback-user command allows a locally-defined user to be a fallback user. Invoke the fallback-user command for each fallback user. This command is relevant when the fallback-login command is restricted. Use the no fallback-user command to remove a user from the list of fallback users. Related Commands fallback-login Examples...
Syntax ldap-sslproxy name Parameters name Specifies the name of an existing SSL Proxy Profile. Guidelines The ldap-sslproxy command assigns an existing SSL Proxy Profile to secure communication with the LDAP server during LDAP authentication. When specified, LDAP communication uses the configuration in the assigned SSL Proxy Profile.
ldap-version Specifies the LDAP version. Syntax ldap-version {v2 | v3} Parameters v2 (Default) Uses LDAP version 2. v3 Uses LDAP version 3. Guidelines The ldap-version command specifies the LDAP version for LDAP authentication. This command is relevant only when the authentication method is ldap, as defined with the au-method command.
Examples v Sets the LDAP load balancer to LBGroup1. # au-method ldap # loadbalancer-group LBGroup1 # au-ldap-search on # au-ldap-bind-dn proxyuser # au-ldap-bind-password p@Ssw0rd lockout-duration Specifies the duration to lock out the local account. Syntax lockout-duration minutes Parameters minutes Specifies the number of minutes to lock out an account after exceeding the maximum number of failed login attempts.
Parameters count Specifies the maximum number of failed login attempts to allow before lockout. A value of 0 disables account lockout. Use an integer in the range of 0 through 64. The default is 3. Guidelines The max-login-failure command defines the number of consecutive failed login attempts that are permitted before the account is locked out for the period set with the lockout-duration command.
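The login path that the aaaserver, fallback-login, fallback-user, max-login-failure and lockout-duration commands describe, as an added Python model (example code, not the appliance's implementation). Remote servers are tried in ascending priority order, as the aaaserver examples state; locally defined fallback users are consulted only when every remote server is unreachable (an assumption: a reject from a reachable server is treated as a genuine authentication failure and does not fall back); and failed logins against a locally defined account are counted toward lockout, with max-login-failure 0 disabling lockout as the page states. The server addresses and priorities are the page's own; the probe function, the user names and passwords, and the 60-minute lockout value are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(order=True)
class RadiusServer:
    """One 'aaaserver <priority> <host> <port>' entry; a lower number is tried first."""
    priority: int
    host: str
    port: int


@dataclass
class RbmSettings:
    servers: list                                     # RadiusServer entries
    fallback_login: str = "disabled"                  # disabled | local | restricted
    fallback_users: set = field(default_factory=set)  # consulted when fallback_login == "restricted"
    max_login_failure: int = 3                        # page default 3; 0 disables lockout
    lockout_duration: int = 60                        # minutes; value assumed for this example


class RbmAuthenticator:
    def __init__(self, settings, local_users, radius_probe):
        self.s = settings
        self.local_users = local_users   # user -> password of locally defined accounts
        self.probe = radius_probe        # probe(server, user, pw) -> "accept" | "reject" | "unreachable"
        self.failures = {}               # user -> consecutive failed logins
        self.locked_until = {}           # user -> minute at which the lockout ends
        self.contacted = []              # priorities of the servers tried, in order

    def _remote(self, user, pw):
        """Try the servers in priority order and return the first real answer."""
        for srv in sorted(self.s.servers):
            self.contacted.append(srv.priority)
            answer = self.probe(srv, user, pw)
            if answer != "unreachable":
                return answer
        return None                      # no server answered: the primary method failed

    def _fallback(self, user, pw):
        """fallback-login: disabled never admits; local admits any local user; restricted only listed ones."""
        mode = self.s.fallback_login
        allowed = mode == "local" or (mode == "restricted" and user in self.s.fallback_users)
        if allowed and self.local_users.get(user) == pw:
            return "accept"
        return "reject"

    def login(self, user, pw, now_min):
        """Return "accept", "reject" or "locked" for an attempt at minute now_min."""
        if self.locked_until.get(user, -1) > now_min:
            return "locked"
        answer = self._remote(user, pw)
        if answer is None:
            answer = self._fallback(user, pw)
        if answer == "accept":
            self.failures.pop(user, None)
            return "accept"
        if user in self.local_users:     # lockout-duration applies to the local account
            n = self.failures[user] = self.failures.get(user, 0) + 1
            if self.s.max_login_failure and n >= self.s.max_login_failure:
                self.locked_until[user] = now_min + self.s.lockout_duration
                self.failures.pop(user, None)
        return "reject"


# Server list from the page's aaaserver examples (priority, host, port).
SERVERS = [
    RadiusServer(30, "172.16.100.100", 1812),
    RadiusServer(10, "172.16.200.200", 18120),
    RadiusServer(20, "172.16.1.1", 1812),
]


def sample_probe(server, user, pw):
    """Constructed behaviour: the priority-10 server is down, priority-20 knows only alice."""
    if server.priority == 10:
        return "unreachable"
    if server.priority == 20:
        return "accept" if (user, pw) == ("alice", "Ragnarok#9") else "reject"
    return "reject"


def all_down(server, user, pw):
    """Constructed behaviour: every RADIUS server is unreachable."""
    return "unreachable"


if __name__ == "__main__":
    auth = RbmAuthenticator(RbmSettings(SERVERS), {"bob": "Local#1"}, sample_probe)
    print(auth.login("alice", "Ragnarok#9", 0), auth.contacted)
```

With the constructed probe, alice is accepted by the priority-20 server after the priority-10 server times out, and the priority-30 server is never contacted. When every server is down, bob can log in only if fallback-login is local or restricted with bob listed; three wrong passwords then lock his local account for lockout_duration minutes.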
Examples v Identifies the RBM-MC.xsl style sheet in the mapCred directory of the myserver.domain.com server as the style sheet for custom credential mapping. File retrieval uses the HTTPS protocol. # mc-method custom # mc-custom-url https://myserver.domain.com/mapCred/RBM-MC.xsl mc-info-url Specifies the URL of the mapping credentials XML file. Syntax mc-info-url URL Parameters...
Beyond specifying the login DN when searching the LDAP for the group name, you need to use the following properties: v How to connect to the LDAP server. Use either approach: – The mc-server-host and mc-server-port commands – The mc-loadbalancer-group command v Optionally associate an existing SSL Proxy Profile object to secure communication with the LDAP server with the mc-ldap-sslproxy command v Specify the password for the login DN with the mc-ldap-bind-password command...
– The mc-loadbalancer-group command v Optionally associate an existing SSL Proxy Profile object to secure communication with the LDAP server with the mc-ldap-sslproxy command v Specify the login DN to access the LDAP server with the mc-ldap-bind-dn command v Optionally associate an existing LDAP Search Parameters object with the mc-ldap-parameters command Related Commands mc-ldap-bind-dn, mc-ldap-parameters, mc-ldap-search, mc-ldap-sslproxy,...
v Specify the login DN to access the LDAP server with the mc-ldap-bind-dn command v Specify the password for the login DN with the mc-ldap-bind-password command Related Commands mc-ldap-bind-dn, mc-ldap-bind-password, mc-ldap-search, mc-ldap-sslproxy, mc-loadbalancer-group, mc-method, mc-server-host, mc-server-port Examples v Uses a local XML file to map credentials and performs an LDAP search to retrieve the distinguished name.
v Optionally associate an existing LDAP Search Parameters object with the mc-ldap-parameters command Related Commands mc-ldap-bind-dn, mc-ldap-bind-password, mc-ldap-parameters, mc-ldap-sslproxy, mc-loadbalancer-group, mc-server-host, mc-server-port Examples v Uses a local XML file to map credentials and performs an LDAP search to retrieve the distinguished name. # mc-method xmlfile # mc-info-url local:///RBM-MC.xml # mc-ldap-search on...
Related Commands mc-ldap-bind-dn, mc-ldap-parameters, mc-ldap-bind-password, mc-ldap-search, mc-loadbalancer-group, mc-server-host, mc-server-port Examples v Uses the ldapone SSL Proxy Profile for secure communications. # mc-ldap-sslproxy ldapone mc-loadbalancer-group Assigns a load balancer group for LDAP credential searching. Syntax mc-loadbalancer-group name Parameters name Specifies the name of an existing load balancer group. Guidelines The mc-loadbalancer-group command assigns an LDAP load balancer group instead of a single LDAP server for performing an LDAP search to retrieve the...
Syntax mc-method {custom | local | xmlfile} Parameters custom Uses a custom style sheet. Requires an mc-custom-url value. local Uses the user group configuration that is maintained on the local system. Does not access external resources. xmlfile Uses a locally stored AAA Info file. Requires an mc-info-url value. Guidelines The mc-method command sets the credential mapping (authorization) method for RBM.
v Sets the authorization method to local. # mc-method local mc-server-host Specifies the IP address or domain name of a remote credentials server. Syntax mc-server-host host Parameters host Specifies the IP address or domain name of the server. Guidelines The mc-server-host command specifies the IP address or domain name of the credentials server.
mc-server-port Specifies the port on the credentials server. Syntax mc-server-port port Parameters port Specifies the port number of the credentials server. Guidelines The mc-server-port command specifies the listening port on the credentials server. This command is relevant only when both of the following are true: v LDAP search is enabled with the mc-ldap-search command v The credentials mapping method, as defined with the mc-method command, is local or xmlfile.
Parameters Requires the periodic change of passwords. (Default) Allows continued use of passwords. Guidelines If password aging is enabled, use the pwd-max-age command to specify the maximum shelf-life of a user password. Related Commands pwd-max-age Examples v Requires passwords to be changed every 15 days. # pwd-aging on # pwd-max-age 15 pwd-digit...
Syntax pwd-history {on | off} Parameters on Indicates that recent passwords are retained and cannot be reused. off (Default) Indicates that passwords can be reused. Guidelines When enabled, use the pwd-max-history command to specify the number of passwords to retain. Passwords that are retained are not eligible for reuse. Related Commands pwd-max-history Examples...
Syntax pwd-max-history count Parameters count Specifies the number of passwords to retain. Use an integer in the range of 1 through 65535. The default is 5. Guidelines If password history is enabled with the pwd-history command, use the pwd-max-history command to specify the number of recent passwords to retain. Passwords that are retained are not eligible for reuse.
(Default) Indicates that passwords do not require uppercase and lowercase characters. Guidelines When enabled, pAssWord is acceptable, but password or PASSWORD is not acceptable. When disabled, pAssWord, password, or PASSWORD is acceptable. Related Commands pwd-digit, pwd-minimum-length, pwd-nonalphanumeric, pwd-username Examples v Requires passwords to contain both uppercase and lowercase characters. # pwd-mixed-case on v Restores the default state.
Syntax pwd-username {on | off} Parameters on Indicates that passwords can contain the user name. off (Default) Indicates that passwords cannot contain the user name. Guidelines When enabled, the password BobPassword or password4Bob is acceptable for user name Bob. When disabled, the password BobPassword or password4Bob is not acceptable for user name Bob.
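The password rules that the pwd-* commands above describe, as an added Python checker that is not the appliance's code. It implements pwd-mixed-case, pwd-username, pwd-history with pwd-max-history, and pwd-aging with pwd-max-age exactly as the page states them, using the page's own pAssWord and BobPassword examples as test inputs. The page only names pwd-digit, pwd-minimum-length and pwd-nonalphanumeric, so the checks given for them (at least one digit, a minimum length, at least one character that is neither a letter nor a digit) are assumptions, as is matching the user name case-insensitively. The history store keeps SHA-256 digests rather than the passwords themselves; that choice is the example's, not something the page specifies.

```python
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Switches named after the pwd-* commands. Defaults follow the page where it states them."""
    mixed_case: bool = False        # pwd-mixed-case: require both cases (default off)
    username: bool = False          # pwd-username: on allows the user name in the password (default off)
    history: bool = False           # pwd-history: retain recent passwords and refuse reuse (default off)
    max_history: int = 5            # pwd-max-history (default 5)
    aging: bool = False             # pwd-aging (default off)
    max_age: int = 15               # pwd-max-age in days; 15 is the page's example value
    # The page only names the next three commands; the checks below are assumptions.
    digit: bool = False             # pwd-digit: require at least one digit
    nonalphanumeric: bool = False   # pwd-nonalphanumeric: require a non-letter, non-digit character
    minimum_length: int = 0         # pwd-minimum-length: 0 means no minimum


def _digest(password: str) -> str:
    # The retained history holds digests, never the passwords themselves.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordHistory:
    """Bounded store of the most recent password digests for one account."""

    def __init__(self, max_history: int):
        self.recent = deque(maxlen=max(1, max_history))

    def record(self, password: str) -> None:
        self.recent.append(_digest(password))

    def contains(self, password: str) -> bool:
        return _digest(password) in self.recent


def check_password(policy, user, candidate, history=None):
    """Return the names of the pwd-* rules the candidate violates; [] means acceptable."""
    problems = []
    if policy.minimum_length and len(candidate) < policy.minimum_length:
        problems.append("pwd-minimum-length")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.mixed_case and not (has_lower and has_upper):
        problems.append("pwd-mixed-case")
    if policy.digit and not any(c.isdigit() for c in candidate):
        problems.append("pwd-digit")
    if policy.nonalphanumeric and all(c.isalnum() for c in candidate):
        problems.append("pwd-nonalphanumeric")
    # Case-insensitive containment is an assumption; the page's examples use the exact case.
    if not policy.username and user.lower() in candidate.lower():
        problems.append("pwd-username")
    if policy.history and history is not None and history.contains(candidate):
        problems.append("pwd-history")
    return problems


def password_expired(policy, set_day, today):
    """pwd-aging: a password set on set_day must be changed once max_age days have elapsed."""
    return policy.aging and (today - set_day) >= policy.max_age


if __name__ == "__main__":
    print(check_password(PasswordPolicy(mixed_case=True), "Bob", "password4Bob"))
```

With pwd-mixed-case on, pAssWord passes and password or PASSWORD fails; with pwd-username at its default of off, BobPassword and password4Bob are refused for user Bob; with pwd-history on and pwd-max-history 2, a password drops out of the history, and becomes reusable again, after two newer passwords have been recorded.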
v Allows access by the admin account to all access methods. # restrict-admin off
Related Commands original-schema Examples v Creates the SEM-1 Schema Exception Map. Specifies store:///schema-12b.xsd as the target schema and adds a rule to the current Schema Exception Map that requires all SSN nodes to be encrypted. # schema-exception-map SEM-1 Schema Exception Map configuration mode # original-schema store:///schema-12b.xsd # rule //SSN requireEncrypted
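The requireEncrypted rule above, as an added Python check that is not the appliance's code: it applies a rule of the form //name to a document and reports every matching element that still carries plaintext. The check assumes content encryption in the XML Encryption sense, in which the SSN element itself remains and its content is replaced by a single xenc:EncryptedData child in the W3C namespace http://www.w3.org/2001/04/xmlenc#; any character data left in the element, or any other child, counts as a violation. The customer documents are constructed for this example and the cipher value in them is not real ciphertext.

```python
import xml.etree.ElementTree as ET

XENC_NS = "http://www.w3.org/2001/04/xmlenc#"        # W3C XML Encryption namespace
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC_NS

# Constructed sample documents (not from the page). In the first, the SSN content has
# been replaced by an xenc:EncryptedData element; in the second it is still plaintext.
ENCRYPTED_DOC = """<customer xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <name>Alice</name>
  <SSN><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:CipherData><xenc:CipherValue>bWFkZS11cA==</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></SSN>
</customer>"""

PLAINTEXT_DOC = """<customer>
  <name>Alice</name>
  <SSN>123-45-6789</SSN>
</customer>"""


def local_name(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def select(root, rule_xpath):
    """Model of a //name rule: every element whose local name is the rule's last step."""
    name = rule_xpath.rsplit("/", 1)[-1]
    return [e for e in root.iter() if local_name(e.tag) == name]


def is_encrypted(elem) -> bool:
    """True only when no plaintext survives: no character data and exactly one
    xenc:EncryptedData child (content encryption keeps the element itself)."""
    children = list(elem)
    has_text = bool((elem.text or "").strip()) or any((c.tail or "").strip() for c in children)
    return not has_text and len(children) == 1 and children[0].tag == ENCRYPTED_DATA


def check_exception_map(xml_text, rules):
    """rules: list of (xpath, disposition) pairs such as ("//SSN", "requireEncrypted").
    Returns the (xpath, position) pairs that violate a requireEncrypted rule."""
    root = ET.fromstring(xml_text)
    violations = []
    for xpath, disposition in rules:
        if disposition != "requireEncrypted":
            continue                       # only this disposition is modelled here
        for pos, node in enumerate(select(root, xpath)):
            if not is_encrypted(node):
                violations.append((xpath, pos))
    return violations


RULES = [("//SSN", "requireEncrypted")]

if __name__ == "__main__":
    print(check_exception_map(ENCRYPTED_DOC, RULES), check_exception_map(PLAINTEXT_DOC, RULES))
```

The encrypted document produces no violations; the plaintext one reports the first SSN, and a document whose SSN mixes leftover text with an EncryptedData child is reported as well, since partial encryption still leaks the field.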
Related Commands distinct-sources, tps distinct-sources Determines the number of distinct sources, or user identities, tracked by the limiter. Syntax distinct-sources count Parameters count Specifies the number of distinct sources tracked by this limiter. The default is 10000. Related Commands concurrent-connection-limit, tps tps Determines the number of transactions per second to allow per user identity.
Syntax type type Parameters type Identifies the administrative procedure. Use one of the following keywords: log-only Generates a log message when the current action is triggered and continues to process transactions. reject Generates a log message and drops traffic when the current action is triggered.
to the SLM policy. The subset is defined by one or more entries specified by the value command. The policy statement is evaluated only in the event of a match. Guidelines A Credential Class defines a user group subject to an SLM policy. It consists of: v A credential type (defined by the type command), which specifies a method used to obtain credentials v A match type (defined by this command), which specifies if all or selected...
# slm-cred extranetPartner SLM Credential Class configuration mode # type custom-stylesheet # stylesheet local:///extranetPartner.xsl v Removes the specified style sheet from the Credentials Class. # no stylesheet local:///extranetPartner.xsl type Specifies the group of credentials subject to the SLM policy. Syntax type type Parameters type...
v A credential value (defined by the value command), which is used when the match type is exact-match to identify specific members of a Credential Class subject to an SLM policy The aaa-mapped-credential and aaa-username types can only be used if the processing rule that uses this Credentials Class (as part of an SLM policy) previously implemented an AAA policy to provide the needed credentials.
The value command is ignored when the Credential Class type is custom-stylesheet. Use the no value command to remove an exact match value. Examples v Creates the extranetPartner SLM Credential Class. Specifies that Credential Class membership is based on source IP address, and that only the defined subset of IP addresses is subject to an SLM policy.
peer-group Associates a peer group. Syntax peer-group name Parameters name Specifies the name of an existing Peer Group object. Guidelines The peer-group command assigns a Peer Group object to the SLM policy. This peer group enables the aggregation and sharing of SLM data across similarly configured DataPower appliances.
interval-length Specifies the length of the measurement interval in seconds. The default is 0, which allows all messages and never triggers the threshold to enforce the SLM Action. interval-type Specifies the threshold type and takes one of the following values: fixed Indicates a fixed interval.
threshold-level Specifies the threshold that triggers the SLM Action. If the algorithm is high-low-thresholds, specifies the high threshold. The unit of measure depends on the threshold type. v If the threshold is a count, specify an integer for the aggregate count. v If the threshold is latency, specify an integer for the latency in seconds.
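The SLM statement behaviour described above, as an added Python model that is not the appliance's code: a Credential Class whose members are exact-match source IP addresses, a Resource Class whose members are destination URLs containing a given string, a fixed interval-length in seconds, a count threshold-level, and an SLM Action of log-only or reject. The statement is evaluated only when both classes match, as the page states; interval-length 0, the page's default, counts nothing and never triggers the action. Two details are assumptions: the action fires on the first message beyond threshold-level within an interval, and the count is kept per credential member and resource class. The source address 192.168.12.100 and www.datapower.com come from the page's own examples; the request timings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SlmStatement:
    credential_members: set           # Credential Class: exact-match source IP values
    resource_match: str               # Resource Class: string every destination URL must contain
    interval_length: int = 0          # seconds; 0 (the page's default) never triggers the action
    threshold_level: int = 0          # aggregate count allowed per fixed interval
    action: str = "log-only"          # SLM Action type: log-only | reject
    counts: dict = field(default_factory=lambda: defaultdict(int))
    triggered: list = field(default_factory=list)   # log entries: (credential, resource, window)

    def classify(self, src_ip, dest_url):
        """Return (credential, resource); None on either side means no match."""
        cred = src_ip if src_ip in self.credential_members else None
        rsrc = dest_url if self.resource_match in dest_url else None
        return cred, rsrc

    def evaluate(self, src_ip, dest_url, now):
        """Return "allow" or "reject" for one message arriving at time now (seconds)."""
        cred, rsrc = self.classify(src_ip, dest_url)
        if cred is None or rsrc is None:
            return "allow"                      # no match: the statement is not evaluated
        if self.interval_length <= 0:
            return "allow"                      # interval-length 0: all messages pass
        window = int(now // self.interval_length)   # fixed, non-sliding interval
        key = (cred, self.resource_match, window)
        self.counts[key] += 1
        if self.counts[key] <= self.threshold_level:
            return "allow"
        self.triggered.append(key)              # both action types generate a log message
        return "reject" if self.action == "reject" else "allow"


if __name__ == "__main__":
    stmt = SlmStatement({"192.168.12.100"}, "www.datapower.com",
                        interval_length=10, threshold_level=3, action="reject")
    for t in (0, 1, 2, 3, 10):
        print(t, stmt.evaluate("192.168.12.100", "http://www.datapower.com/pl", t))
```

With interval-length 10, threshold-level 3 and a reject action, the fourth message from the member address inside one interval is dropped and the count restarts at the next interval; a log-only action records the same trigger but lets the message through; and leaving interval-length at 0 means the statement never fires however many messages arrive.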
Examples v Creates the profitLossStatements resource class. Specifies that membership in the resource class is defined by the destination URL method. Coverage by the resource class is restricted to a specific subset of destination URLs that contain www.datapower.com. # slm-rsrc profitLossStatements SLM Resource configuration mode # type destination-url # exact-match...
Guidelines Specifies the subscription key. Applicable only when the Resource Method (as defined by the type command) is uddi-subscription. Use the no subscription command to delete a UDDI-based credential-source. Examples v Specifies the uddi:8b071240-428d-11db-a30b-47fc0b00a30a subscription key. # type uddi-subscription # subscription uddi:8b071240-428d-11db-a30b-47fc0b00a30a type Specifies the method to obtain the resource value.
response-message Restricts membership to all server responses. soap-fault Restricts membership to SOAP fault messages. uddi-subscription Defines membership by a UDDI Subscription key. wsdl Defines membership by a WSDL file. wsdl-operation Defines membership by the name of a WSDL operation. wsdl-port Defines membership by the name of a WSDL port.
Parameters expression Specifies the operative XPath Expression. Guidelines Specifies the XPath expression to produce resource identification. Used only if the Resource Method (as defined by the type command) is xpath-filter. Use the no xpath-filter command to delete an XPath-based credential-source. Related Commands type Examples...
Parameters minutes Specifies the number of minutes that the current SLM Schedule is operational. Use an integer in the range of 0 through 1439. The default is 1439. Guidelines Use the command in conjunction with start to define specific time blocks during which this SLM Schedule is operational.
Use the no access command to delete a previously configured SNMP manager. Examples v Creates a read-only community. Any SNMP manager, using the public community is granted read-only access to the local agent. # access public read-only v Specifies two SNMP managers granted access to the local agent. Both managers are granted read-write access using the private community.
Syntax trap-code code no trap-code code Parameters code Specifies the hexadecimal identifier of an event code. Guidelines The trap-code command specifies individual event codes to add to the trap list. Invoke this command for each event to add to the list. Use the no trap-code command to delete a previously configured code from the trap list.
Parameters address Specifies the IP address that receives traps. port Optionally identifies a UDP port at the IP address. Use an integer in the range of 0 to 65535. The default is 162. community Optionally provides a community name (essentially a password) that is included within the SNMP message header.
v Specifies support for SNMP Version 2c, the default state. # version 2c
Guidelines The refine command defines an item of SOAP header processing instruction to include in the list of items returned by the SOAP Header Disposition Table object. Issue this command as many times as needed to include all desired items. Use the no refine command to delete the entire list of items that are configured for the object.
Parameters Abandons the session in the event of a fault condition. (Default) Maintains the session in the event of a fault. Examples v Causes the DataPower appliance to close front and back TCP connections if the appliance generates a fault. # close-on-fault on # no close-on-fault v Restores the default state.
port Specifies the TCP port to monitor for client requests. Syntax port port Parameters port Binds the Stateful Raw XML Handler to a specific port. Guidelines This command only sets the TCP port for the Stateful Raw XML Handler. This port applies to all configured local addresses.
Syntax remote-port port Parameters port Binds the Stateful Raw XML Handler to a specific port. Guidelines This command only sets the remote TCP port for the Stateful Raw XML Handler. Use the remote-address command to set the remote IP address. Related Commands local-address, port, remote-address Examples...
Parameters address Binds the Stateless Raw XML Handler to a single, specific interface-port pair. Binds the Stateless Raw XML Handler to the specified port on all enabled interfaces. Guidelines This command only sets the IP address for the Stateless Raw XML Handler. Use the port command to set the TCP port on which the Stateless Raw XML Handler listens.
# no persistent-connections v Enables persistent connection negotiation, which restores the default state. # persistent-connections on # persistent-connections port Specifies the TCP port to monitor for client requests. Syntax port port Parameters port Binds the Stateless Raw XML Handler to a specific port. Guidelines This command only sets the TCP port for the Stateless Raw XML Handler.
Use the no ssl command to remove the SSL Proxy Profile assignment. Examples v Assigns the SSL-1 SSL Proxy to the current Stateless Raw XML Handler. # ssl SSL-1 v Removes the assignment of the SSL-1 SSL Proxy from the current Stateless Raw XML Handler.
Use the no custom-ui-file command to remove the use of custom messages and the command line prompt that are defined in the custom user interface file. For information on creating a custom user interface file, refer to the IBM WebSphere DataPower SOA Appliances: Administrators Guide.
Guidelines The entitlement command specifies the serial number of the original appliance after receiving a replacement appliance. Without the serial number of the original appliance, IBM cannot entitle the replacement appliance for future maintenance or warranty service. location Specifies the location of the appliance.
Syntax name identifier Parameters identifier Specifies the identifier. Use a string up to 127 characters in length. Guidelines The name command specifies the system identifier of the appliance. When the custom user interface file defines the command line extension, this identifier is added before the prompt.
Chapter 77. TAM configuration mode This chapter provides an alphabetic listing of commands that are available in TAM configuration mode. TAM is an abbreviation for IBM Tivoli Access Manager. To enter this configuration mode, use the Global tam command. All of the commands that are listed in “Common commands” on page 2 and most, but not all, of the commands that are listed in Chapter 114, “Monitoring...
Syntax ldap-ssl-key-file-dn label Parameters label Specifies the subject DN of the certificate. Guidelines The ldap-ssl-key-file-dn command specifies the subject DN of the certificate. When using client-side SSL and the key file contains multiple certificates, the DN specifies which certificate to use. This property is relevant for mutually-authenticated SSL only.
Related Commands use-ldap-ssl ssl-key Specifies the location of the TAM SSL key file. Syntax ssl-key name Parameters name Specifies the name of the TAM SSL key file. ssl-key-stash Specifies the location of the TAM SSL key password stash file. Syntax ssl-key name Parameters name...
Syntax use-ldap-ssl {on | off} Parameters The connection is secured by SSL. The connection is not secure. Related Commands ldap-ssl-key-file, ldap-ssl-key-file-dn, ldap-ssl-key-file-password, ldap-ssl-port
Chapter 78. TFIM configuration mode This chapter provides an alphabetic listing of commands that are available in TFIM configuration mode. TFIM is the abbreviation for IBM Tivoli Federated Identity Manager. To enter this configuration mode, use the Global tfim command.
Related Commands tfim-compatible, tfim-custom-req-url Examples v Indicates that the request token format for TFIM version 6.0 is SAML Assertion 1.0. # tfim-compatible v6.0 # tfim-60-req-tokenformat SAML1.0 v Indicates that the request token format for TFIM version 6.0 is a custom token that is defined in the specified style sheet.
Related Commands tfim-compatible, tfim-custom-req-url Examples v Indicates that the request token format for TFIM version 6.1 is a WS-Security X.509 Token. # tfim-compatible v6.1 # tfim-61-req-tokenformat WSX509Token v Indicates that the request token format for TFIM version 6.1 is a custom token that is defined in the specified style sheet.
Related Commands tfim-port Examples v Indicates that FIMHost.ibm.com is the fully qualified host name of the TFIM server and that this server is using the port 9080 (the default port). # tfim-addr FIMHost.ibm.com v Indicates that 9.33.97.251 is the IP address of the TFIM server and that this server is using port 19080.
Parameters v6.0 Indicates Tivoli Federated Identity Manager, version 6.0. v6.1 Indicates Tivoli Federated Identity Manager, version 6.1. v6.2 Indicates Tivoli Federated Identity Manager, version 6.2. Guidelines The tfim-compatible command indicates the currently configured version of Tivoli Federated Identity Manager. The specified value determines the details for the namespace and WS-Trust messages.
# tfim-compatible v6.1 # tfim-61-req-tokenformat custom # tfim-custom-req-url local:///tfim-custom.xsl tfim-issuer Specifies the identity that issued the request. Syntax tfim-issuer issuer Parameters issuer Specifies the identity that issued the request in the following format: urn:itfim:wssm:tokenconsumer Guidelines The tfim-issuer command specifies the issuer of the request. In the WS-Security Management (WSSM) component, the issuer is either the WSSM token generator or the WSSM token consumer.
Specifies the scope for the security token. Syntax tfim-pathaddr destination Parameters destination Specifies the scope for the security token. For example: v http://itfim.ibm.com:9080/EchoApplication/services/ EchoServiceUsername v http://9.33.97.251:9080/EchoApplication/services/ EchoServiceUsername Guidelines The tfim-pathaddr command specifies the scope for this security token. Within the TFIM service, this information specifies the destination of the request.
Examples v Indicates that the WSSM token consumer issued the request to access the TFIM web service located at /itfim-wssm/wssm-default/EchoWSDL/EchoService using the EchoService port type and the echo operation. # tfim-issuer urn:itfim:wssm:tokenconsumer # tfim-pathaddr /itfim-wssm/wssm-default/EchoWSDL/EchoService # tfim-porttype EchoService # tfim-operation echo tfim-port Specifies the port number of the TFIM server.
Related Commands tfim-61-req-tokenformat, tfim-62-req-tokenformat, tfim-compatible, tfim-issuer, tfim-operation, tfim-pathaddr Examples v Indicates that the WSSM token consumer issued the request to access the TFIM web service located at /itfim-wssm/wssm-default/EchoWSDL/EchoService using the EchoService port type and the echo operation. # tfim-issuer urn:itfim:wssm:tokenconsumer # tfim-pathaddr /itfim-wssm/wssm-default/EchoWSDL/EchoService # tfim-porttype EchoService # tfim-operation echo...
Guidelines The tfim-sslproxy command specifies the name of an existing SSL Proxy Profile to manage SSL communications with peers. The SSL Proxy Profile identifies the keys and certificates that are used in the handshake. Examples v Specifies that TFIM-SSLProxy-1 is the SSL Proxy Profile to manage SSL communications with peers.
Related Commands port Examples v Specifies 10.10.13.35:23000 as the local IP address-port that the current Telnet service monitor. # cli telnet telnet-1 Telnet Service configuration mode # ip-address 10.10.13.35 # port 23000 port Specifies the local port to monitor for incoming CLI traffic. Syntax port port Parameters...
Related Commands memory-terminate, timeout qcode-warn Specifies the namespace-threshold for QCodes. Syntax qcode-warn percent Parameters percent Specifies the percentage of available namespace QCodes. Use an integer in the range of 5 through 100. The default is 10. Guidelines The qcode-warn command specifies the namespace-threshold, a measure of free QCodes expressed as a percentage of the total QCodes. When the number of available QCodes falls below this threshold, the appliance writes an alert to the log.
Disables throttle settings log messages. Guidelines The status-log command controls the collection of throttle log messages. These messages pertain to available memory, available temporary file space, and available namespace QCodes. The criticality of these messages is set by the value of the status-loglevel command.
Guidelines The memory-terminate command specifies the free temporary file space kill-threshold. This threshold is the point at which the appliance reboots. The appliance reboots after the duration defined by the timeout command. Related Commands temp-fs-throttle, timeout temp-fs-throttle Specifies the temporary file space throttle-threshold. Syntax temp-fs-throttle percent Parameters...
Examples v Specifies that the appliance reboots 20 seconds after free memory drops to 10% of total memory. # throttle Throttle Settings configuration mode # memory-terminate 10 # timeout 20
Guidelines Specifies the offset, in hours, of daylight savings time. This is typically 1, meaning that the clock moves forward or back 1 hour when the time boundary is crossed. Applies to the timezone that is identified by the name or custom command. daylight-start-day Specifies the day of the week when daylight savings time starts.
Related Commands daylight-start-day, daylight-start-minutes, daylight-start-month, daylight-start-week Examples v Sets 2 AM as the hour of the day when daylight savings time starts. # daylight-start-hour 2 daylight-start-minutes Specifies the minutes of the hour when daylight savings time starts. Syntax daylight-start-minutes minutes Parameters minutes Specifies the minutes of the hour when daylight savings time starts.
v September v October v November v December Guidelines Applies to the timezone that is identified by the name or custom command. Related Commands daylight-start-day, daylight-start-hours, daylight-start-minutes, daylight-start-week Examples v Sets April as the month of the year when daylight savings time starts. # daylight-start-month April daylight-start-week Specifies the week of the month when daylight savings time starts.
v Monday v Tuesday v Wednesday v Thursday v Friday v Saturday v Sunday Guidelines Applies to the timezone that is identified by the name or custom command. Related Commands daylight-stop-hours, daylight-stop-minutes, daylight-stop-month, daylight-stop-week Examples v Sets Sunday as the day of the week when daylight savings time stops. # daylight-stop-day Sunday daylight-stop-hours Specifies the hour of the day when daylight savings time stops.
Parameters minutes Specifies the minutes of the hour when daylight savings time stops. Use an integer between 0 and 59. Guidelines Applies to the timezone that is identified by the name or custom command. Related Commands daylight-stop-day, daylight-stop-hours, daylight-stop-month, daylight-stop-week Examples v Sets 0 as the minutes of the hour when daylight savings time stops.
daylight-stop-week Specifies the week of the month when daylight savings time stops. Syntax daylight-stop-week week Parameters week Specifies the week of the month when daylight savings time stops. Use an integer between 1 and 5. Guidelines Applies to the timezone that is identified by the name or custom command. Related Commands daylight-stop-day, daylight-stop-hours, daylight-stop-minutes, daylight-stop-month...
name Specifies the name of the timezone. This name is appended to the displayed time. Syntax name name Parameters name Specifies the name of a preset timezone. Value Meaning HST10 Honolulu 10 hrs West of UTC, no DST AKST9AKDT Alaska 9 hrs West, US DST rules PST8PDT Pacific...
Parameters hours Specifies the offset in hours, relative to GMT, of the timezone. Use an integer between 0 and 12. Guidelines Determines the number of hours the timezone is offset from GMT. Applies to the timezone that is identified by the name or custom command. Related Commands direction, offset-minutes Examples...
port Sets the TCP port. Syntax port port Parameters port The TCP port number the Registry uses to listen for requests. The default is 80. publish-url Sets the URI to send Publish requests. Syntax publish-url URI Parameters Specifies the local path (URI) portion of the URL used to send Publish requests to the Registry.
Examples v Enters UDDI Registry configuration mode to create the Registry1 object. Sets the Security URI. # uddi-registry Registry1 New UDDI Registry Registry1 # security-url "/web/uddi/security" Assigns an SSL Proxy Profile. Syntax ssl name Parameters name Specifies name of an existing SSL Proxy Profile in the current application domain.
subscription-url Sets the URI to which subscription information requests are sent. Syntax subscription-url URI Parameters The local path (URI) portion of the URL used to send Subscription-related requests to the Registry. UDDI inquiry requests will be sent to http(s)://hostname:port/subscription-url. A typical default looks like https://192.18.1.120:443/uddi/subscription.
Related Commands username registry Determines the remote UDDI registry that holds the subscriptions. Syntax registry name Parameters name Specifies the name of an existing UDDI registry object. Related Commands uddi-registry (Global) username Sets the username to authenticate with the remote UDDI registry. Syntax username username Parameters...
Related Commands disable cache, disable flush, interval urlmap, test urlmap, test urlrefresh, urlmap, urlrefresh, xslrefresh Examples v Creates the URLmap-1 URL Map. Adds the match pattern https:// www.amajoraccount.com/Zeus/*xsl to the map. # urlmap URLmap-1 URL Map configuration mode # match https://www.amajoraccount.com/Zeus/*xsl v Creates the URLmap-2 URL Map.
Guidelines Use the disable flush command to identify style sheets that should be preferentially cached. These style sheets remain in the cache for the full duration of the refresh cycle. This command overrides the setting in the XML Manager for caching rules for a particular URL that matches the URL Map.
protocol-specified Defines a policy in which style sheets are cached on protocol semantics. Syntax protocol-specified map interval Parameters Specifies the name of a URL map. interval Specifies the frequency, in seconds, at which style sheets obtained via the URL Map are refreshed. Guidelines Use the protocol-specified command to indicate that style sheets should be cached in accordance with the expiration semantics that are supplied by protocols.
(.*)&[Xx][Ss][Ll]=([^&]+)(.*) Matches a string of the following format: 1. A text subpattern. 2. Followed by &. 3. Followed by X or x. 4. Followed by S or s. 5. Followed by L or l. 6. Followed by =. 7. Followed by a text subpattern that does not contain an ampersand (&) character.
false Disables normalization. Guidelines The absolute-rewrite command creates a rewrite rule that rewrites the entire URL based on a URL match and adds the URL rewrite rule to the current URL Rewrite Policy. This rewrite rule operates on an entire URL. The decoding (unescape) process replaces URL escape sequences with character equivalents.
7. Followed by a text subpattern that does not contain an ampersand (&) character. 8. Followed by a text subpattern. input-replace Specifies the replacement value for the Content-Type header. normalize Specifies whether URL strings are normalized. Normalizing a URL compresses '.' and '..' and converts backward slashes (\) to forward slashes (/).
true (Default) Enables normalization. false Disables normalization. Guidelines Use the header-rewrite command to replace the contents of an arbitrary header. PCRE documentation is available at the http://www.pcre.org web site. Related Commands Examples v Adds a header rewrite rule to a URL Rewrite Policy. If the message contains the Age header, the rule replaces its value with 1.
1. A text subpattern. 2. Followed by xsl=. 3. Followed by a text subpattern. 4. Followed by ?. The backward slash (\) in the PCRE is a URL escape. 5. Followed by a text subpattern. (.*)&[Xx][Ss][Ll]=([^&]+)(.*) Matches a string of the following format: 1.
normalize Specifies whether URL strings are normalized. Normalizing a URL compresses '.' and '..' and converts backward slashes (\) to forward slashes (/). true (Default) Enables normalization. false Disables normalization. Guidelines The decoding (unescape) process replaces URL escape sequences with character equivalents.
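Added example, not code from the IBM reference: a small Python model of one absolute-rewrite rule as the preceding text describes it. The rule uses the reference's own PCRE (.*)&[Xx][Ss][Ll]=([^&]+)(.*); the replacement template \1\3 (which drops the client-supplied xsl= parameter) and the function names are constructed for this example. The decode-then-normalize ordering matters: an encoded %2e%2e is only seen as a dot segment after unescaping, and '..' is clamped at the root so a URL can never be rewritten to a path above it.

```python
import re
from urllib.parse import unquote

# Constructed rule: the PCRE from the reference, matched against a whole URL.
# DROP_XSL_TEMPLATE is a hypothetical replacement that keeps the text before
# and after the xsl= parameter and discards the parameter itself.
XSL_QUERY_PCRE = re.compile(r"(.*)&[Xx][Ss][Ll]=([^&]+)(.*)")
DROP_XSL_TEMPLATE = r"\1\3"


def normalize_url(url: str) -> str:
    """Normalization as described: backslashes become forward slashes and
    '.' / '..' path segments are compressed ('..' never climbs above root)."""
    url = url.replace("\\", "/")
    if "://" in url:
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        prefix = f"{scheme}://{host}"
    else:
        prefix, path = "", url.lstrip("/")
    path, qmark, query = path.partition("?")
    segments = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if segments:          # at the root there is nothing to pop
                segments.pop()
            continue
        segments.append(seg)
    return prefix + "/" + "/".join(segments) + qmark + query


def rewrite_url(url: str, pattern: re.Pattern, template: str,
                unescape: bool = True, normalize: bool = True):
    """Apply one absolute-rewrite rule. Returns the rewritten URL, or None
    when the decoded and normalized URL does not match the rule's PCRE."""
    if unescape:
        url = unquote(url)        # %2e%2e becomes .. before matching
    if normalize:
        url = normalize_url(url)
    match = pattern.fullmatch(url)
    if match is None:
        return None
    return match.expand(template)


if __name__ == "__main__":
    # Constructed sample URL: encoded dot segment plus an xsl= query parameter.
    sample = "http://www.example.com/a/%2e%2e/svc?x=1&XSL=s.xsl"
    print(rewrite_url(sample, XSL_QUERY_PCRE, DROP_XSL_TEMPLATE))
```

The match is applied after decoding and normalization, so a rule written against the clean form of a URL also catches its escaped and backslash-separated spellings.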
Examples v Injects the ProcInst HTTP header field that contains a value of 0 into all URLs matching the *datapower.com* match expression. # add-header-policy *datapower.com* ProcInst 0 v Removes the Header Injection Policy. # no add-header-policy *datapower.com* basicauth Creates a basic authentication policy. Syntax basicauth pattern user password no basicauth-policy pattern...
chunked-uploads-policy Creates a chunked uploads policy. Syntax chunked-uploads pattern {on | off} Parameters pattern Specifies a shell-style match pattern that defines the URL set subject to this chunked uploads policy. You can use wildcards to define a match pattern as follows: The string wildcard matches 0 or more occurrences of any character.
Syntax compression-policy pattern {on | off} Parameters pattern Specifies a shell-style match pattern that defines the URL set subject to this compression policy. You can use wildcards to define a match pattern as follows: The string wildcard matches 0 or more occurrences of any character. The single character wildcard matches one occurrence of any single character.
The single character wildcard matches one occurrence of any single character. The delimiters bracket a character or numeric range: Matches 1, 2, 3, 4, or 5 [1-5] Matches x or y [xy] pasv-off | pasv-opt | pasv-req Indicates how to use passive mode with the FTP PASV command. pasv-off Do not request passive mode.
ascii Transfers data in ASCII mode using the FTP TYPE A command. Use caution when transferring XML documents in this mode. Many XML documents are sensitive to the exact end-of-line convention. binary Transfers data in image mode using the FTP TYPE I command. slash-stou-off | slash-stou-on Indicates how to use server-generated unique file names when the URL being written to ends in a slash (/).
Guidelines The User Agent request header field contains information about the User Agent initiating the request, that is the appliance. By default the appliance does not include a User Agent request-header field. max-redirects Specifies the maximum number of HTTP redirect messages. Syntax max-redirects messages Parameters...
none Specifies that the URL set that is defined by the match pattern is not forwarded to an HTTP proxy. Guidelines A proxy policy associates a URL set with a specific HTTP proxy. You can create multiple proxy policies. In this case, candidate URLs are evaluated against each policy in turn.
The single character wildcard matches one occurrence of any single character. The delimiters bracket a character or numeric range: Matches 1, 2, 3, 4, or 5 [1-5] Matches x or y [xy] Specifies the Crypto Key object used in the authentication process. This key must reside on the appliance.
The delimiters bracket a character or numeric range: Matches 1, 2, 3, 4, or 5 [1-5] Matches x or y [xy] Enables version restrictions. Disables version restrictions. Alternatively, use the no restrict-http-policy- policy command. Guidelines An HTTP version restriction policy limits access to a specified URL set to HTTP Version 1.0.
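Added example, not code from the IBM reference: the shell-style match pattern used by the User Agent policies above (string wildcard, single-character wildcard, bracketed range), together with the first-match evaluation the proxy policy text describes. The policy table, proxy names and function names are constructed for this example; the reference's none keyword is modelled as a policy whose proxy is None.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def shell_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a shell-style match pattern into an anchored regex:
    '*' matches 0 or more of any character, '?' exactly one, '[..]' a range."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        elif c == "[":
            close = pattern.find("]", i + 1)
            if close <= i + 1:            # no closing bracket or empty class
                parts.append(re.escape(c))
            else:
                parts.append("[" + pattern[i + 1:close] + "]")
                i = close
        else:
            parts.append(re.escape(c))    # everything else is literal
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def url_matches(pattern: str, url: str) -> bool:
    return shell_pattern_to_regex(pattern).match(url) is not None


@dataclass
class ProxyPolicy:
    pattern: str
    proxy: Optional[str]   # None models the reference's 'none' keyword


# Constructed policy table: internal paths are never proxied, everything on
# datapower.com goes through a hypothetical proxy.
SAMPLE_POLICIES = [
    ProxyPolicy("https://*/internal/*", None),
    ProxyPolicy("*datapower.com*", "proxy-1.example:8080"),
]


def select_proxy(policies: List[ProxyPolicy], url: str) -> Optional[ProxyPolicy]:
    """Evaluate the candidate URL against each policy in turn; first match wins.
    Returns None when no policy matches at all."""
    for policy in policies:
        if url_matches(policy.pattern, url):
            return policy
    return None


if __name__ == "__main__":
    for url in ("https://www.datapower.com/internal/x",
                "http://www.datapower.com/svc", "http://other.example/"):
        print(url, "->", select_proxy(SAMPLE_POLICIES, url))
```

Because evaluation stops at the first match, order the more specific patterns before the broad ones; a leading "*" policy would shadow everything after it.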
Use the no soap-action command to remove the SOAPAction header injection policy. Examples v Injects the SOAPAction header field that contains a value of http://example.org/ add into all URLs matching the *datapower.com* match expression. # soap-action *datapower.com* http://example.org/add v Removes the SOAPAction Header Injection Policy. # no soap-action *datapower.com* Assigns an SSL Proxy Profile.
Examples v Creates an SSL policy for use by the current User Agent. When fetching a URL conforming to the specified match pattern, the User Agent uses the SSL-UA1 SSL profile. # ssl https://*/testbase/* SSL-UA1 timeout Specifies the User Agent idle timeout value. Syntax timeout time Parameters...
v The user is a member of a user group, but the user group does not define access policies. In these cases, the domain command defines access through all interfaces (WebGUI, command line, XML Management interface). With access policies in the user group, the domain command can limit access to specific application domains from the command line only, not the WebGUI or XML Management interface.
Guidelines You must assign a password to a newly created account. Related Commands access-level, group snmp-cred Adds SNMP V3 credentials to this account. Syntax snmp-cred engine-ID authentication-protocol authentication-secret-type authentication-secret privacy-protocol privacy-secret-type privacy-secret Parameters engine-ID Specifies the engine ID of the SNMP V3 engine for which this account is being defined.
You can use colons (:) between each two hexadecimal characters. privacy-protocol Identifies which privacy (encryption) protocol to use. none The account has no privacy key. (Default) The account uses CBC-DES as the privacy protocol. The account uses CFB128-AES-128 as the privacy protocol. privacy-secret-type Indicates whether the privacy secret is a password or a fully localized key.
algorithm, and with no privacy algorithm. The password is maplesyrup, which will be converted to a localized key for the specified engine ID (000000000000000000000002). snmp-cred 000000000000000000000002 md5 password maplesyrup none password "" v Creates SNMP V3 credentials for this account on the remote machine with the engine ID 000000000000000000000002, with HMAC-MD5-96 as the authentication algorithm, and with no privacy algorithm.
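Added example, not code from the IBM reference: the password-to-localized-key conversion the snmp-cred example refers to, implemented in Python from RFC 3414 (appendix A.2), and a parser for the argument order the Syntax line gives. The engine ID and password are the ones in the example above, which are also the RFC 3414 test vector, so the expected MD5 key is known. The secret-type keywords password and key, the SnmpCred field names and the security-level helper are assumptions for this example.

```python
import hashlib
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumed mapping from the command's protocol keywords to hashlib names.
AUTH_HASHES = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to 1,048,576 bytes), then
    localize it to one engine: Kul = H(Ku || engineID || Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    expanded = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


@dataclass
class SnmpCred:
    engine_id: bytes
    auth_protocol: str          # 'md5', 'sha' or 'none'
    auth_key: Optional[bytes]   # localized key, None when no authentication
    priv_protocol: str          # 'none', 'des' or 'aes' (keywords assumed)
    priv_key: Optional[bytes]


def _secret_to_key(secret_type: str, secret: str, engine_id: bytes, hash_name: str) -> bytes:
    # Assumed keywords: 'password' is localized here, 'key' is already localized hex.
    if secret_type == "password":
        return password_to_key(secret.encode(), engine_id, hash_name)
    if secret_type == "key":
        return bytes.fromhex(secret)
    raise ValueError(f"unknown secret type {secret_type!r}")


def parse_snmp_cred(line: str) -> SnmpCred:
    """Parse: snmp-cred engine-ID auth-proto auth-secret-type auth-secret
                        priv-proto priv-secret-type priv-secret"""
    tokens = shlex.split(line)          # handles the "" empty privacy secret
    if len(tokens) != 8 or tokens[0] != "snmp-cred":
        raise ValueError("expected snmp-cred followed by seven arguments")
    engine_id = bytes.fromhex(tokens[1].replace(":", ""))
    auth_proto, auth_type, auth_secret = tokens[2:5]
    priv_proto, priv_type, priv_secret = tokens[5:8]
    auth_key = priv_key = None
    if auth_proto != "none":
        hash_name = AUTH_HASHES[auth_proto]
        auth_key = _secret_to_key(auth_type, auth_secret, engine_id, hash_name)
        if priv_proto != "none":
            # Privacy keys are derived with the authentication hash (RFC 3414).
            priv_key = _secret_to_key(priv_type, priv_secret, engine_id, hash_name)
    return SnmpCred(engine_id, auth_proto, auth_key, priv_proto, priv_key)


def security_level(cred: SnmpCred) -> str:
    """USM security level implied by the configured protocols."""
    if cred.auth_protocol == "none":
        return "noAuthNoPriv"
    return "authNoPriv" if cred.priv_protocol == "none" else "authPriv"


if __name__ == "__main__":
    cred = parse_snmp_cred('snmp-cred 000000000000000000000002 md5 password maplesyrup none password ""')
    print(cred.auth_key.hex(), security_level(cred))
```

The localized key is bound to one engine ID, so the same password yields a different key on every agent; a credential with a privacy protocol of none gives only authNoPriv, and the SNMP payload itself travels in clear text.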
Delete existing object Execute Guidelines The access-policy command assigns one or more access policy statements to the user group. If there is more than one statement, the statements are cumulative. If more than one statement applies to the same resource, the most specific statement will apply.
Related Commands delete Examples v Adds access to configuration mode, URL Map Mode, URL Refresh Mode, URL Rewrite Policy configuration mode, Matching Rule configuration mode, Stylesheet Policy configuration mode, and XSL Proxy configuration mode to members of the stylesheet User Group. # usergroup stylesheets User group configuration mode # add configuration...
Guidelines The dhcp command enables or disables the Dynamic Host Configuration Protocol (DHCP) client. By default, DHCP is disabled. When enabled, the DHCP client can obtain the following parameters from the DHCP server: v Interface IP address v Default Gateway IP address v DNS IP address To disable the DHCP client, use the no dhcp command.
Guidelines The interface command specifies the Ethernet interface that provides connectivity to the VLAN interface. Even if the Ethernet interface is not configured with an IP address, this command enables that Ethernet port. Depending on model type, the appliance provides three or four Ethernet interfaces: v A single dedicated management port (labelled either MANAGEMENT or MGMT) v Two or three network ports (labelled either ETHERNET or NETWORK) Use the show interface command to view the available Ethernet interfaces.
ip default-gateway Specifies the default gateway. Syntax ip default-gateway gateway no ip default-gateway Parameters gateway Specifies the host name or IP address. Guidelines The ip default-gateway command specifies the default gateway that is reachable by the current interface. You can define the default gateway by IP address or host name.
Examples v Adds a static route with destination network 10.10.10.0, subnet mask /27 (equivalent to 255.255.255.224), and next-hop gateway 192.168.1.100 to the routing table. # ip route 10.10.10.0/27 192.168.1.100 # ip route 10.10.10.0 255.255.255.224 192.168.1.100 v Deletes a static route with destination network 10.10.10.0 and subnet mask /27 from the routing table.
outbound-priority Sets the priority of outbound packets. Syntax outbound-priority priority Parameters priority Specifies the priority value. Use an integer in the range of 0 through 7. The default is 0. Guidelines The outbound-priority command sets the priority value to place in outgoing VLAN headers for packets that are sent on this VLAN interface.
Examples v Initiates a packet-capture session on Ethernet 0. Packet-capture data is written to the file Eth0Trace in the general storage directory. The session terminates after 30 seconds or when Eth0Trace contains 2500 kilobytes of data (whichever occurs first). # packet-capture store://Eth0Trace 1800 2500 Trace begun.
Only one interface on a given system can have a failover configuration with a particular group VIP. For detailed information about implementing a standby configuration, refer to the “Standby configurations” topic in the IBM WebSphere DataPower SOA Appliances: Administrators Guide.
To disable a failover configuration or to disable preemption, use the no standby command. Related Commands interface, ip address Examples v Assigns vlan-1 to standby group 2. Specifies a VIP of 10.10.66.66. Not specifying a priority (accepting the default of 100) ensures that the interface is the active member of the group.
# vlan vlan-3 Modify VLAN Sub-Interface configuration # no standby 2 # exit v Deletes all standby groups on vlan-3. # vlan vlan-3 Modify VLAN Sub-Interface configuration # no standby # exit
Guidelines The Processing Rule runs when the Policy type is set to error-rule. Use the Global rule command to create a new Processing Rule. Related Commands rule (Global), type type Establishes the mode of operation for this Error Handling Policy. Syntax type { redirect | proxy | error-rule | standard } Parameters...
Parameters time Specifies the maximum intra-transaction idle time. Use an integer in the range of 10 to 86400. The default is 120. Guidelines Sets the intra-transaction timeout value, the maximum idle time allowed within a transaction on the firewall-to-server connection. This timer, for example, monitors the interval between sending the client request and receiving the server response, and idle time within the data transfer process.
Parameters name Specifies the name of an existing Error Handling Policy. Related Commands security-policy, webapp-error-handling (Global) Guidelines An Error Policy determines the handling of errors encountered during processing. This is the default behavior for all requests and responses. It may be overridden by configurations set in the Security Policy.
Guidelines Sets the inter-transaction timeout value, the maximum idle time allowed between the completion of a TCP transaction and the initiation of a new TCP transaction on the firewall-to-client connection. If the specified idle timeout is exceeded, the connection is torn down. An idle TCP connection can remain in the idle state for as long as 20 seconds after the expiration of the persistence timer.
http-back-version Selects the HTTP version to use on the server-side (backend) connection. Syntax http-back-version {HTTP/1.0 | HTTP/1.1} Parameters HTTP/1.0 Uses HTTP 1.0. HTTP/1.1 (Default) Uses HTTP 1.1. http-client-ip-label Sets the HTTP Client IP label (header name) in the HTTP header. Syntax http-client-ip-label label Parameters...
use-SSL Controls SSL connections. Can be on or off. The default is off. When on, the SSL Proxy Profile that is specified with the ssl-profile command controls connections on this port. Related Commands ssl-profile Guidelines Issue this command as many times as needed to add the desired addresses and ports to this firewall.
load-balancer Specifies the name of an existing Load Balancer Group that identifies the server address-port pairs of its members. Related Commands remote-port remote-port Establishes the TCP port number of the remote (backend) application server. Syntax remote-port port Parameters port Specifies the TCP port to which all traffic is routed. Related Commands remote-address request-security...
Syntax security-policy name Parameters name Specifies the name of an existing Application Security Policy. Guidelines Specifies an Application Security Policy when configuring a Web Application Firewall. Use the Global application-security-policy command to create a policy. Related Commands application-security-policy (Global), request-security, response-security ssl-profile Assigns an SSL Proxy Profile.
Parameters buffer-until-verification (Default) Causes the Web Application Firewall to buffer submitted messages until all processing is verified complete. After verification, forwards messages to the appropriate backend URL. stream-until-infraction Causes the Web Application Firewall to begin sending the message to the backend URL before all processing is complete, potentially increasing the speed.
Disables URI normalization. Alternatively, use the no uri-normalization command. Guidelines Enables or disables the normalization of URIs before processing. If this property is enabled, the URI is rewritten to make sure that it is RFC-compliant by escaping characters that must be escaped. Additionally, characters that are escaped but do not need to be are unescaped.
Parameters characters Specifies the maximum number of characters in the Name attribute. The default is 512. Related Commands max-value-size max-value-size Specifies the maximum number of characters in the Value attribute of name-value pairs to allow. Syntax max-value-size characters Parameters characters Specifies the maximum number of characters in the Value attribute. The default is 1024.
Parameters error Generates an error. The Error Handling Policy or the Error Handling Map can then handle the error condition. passthru Passes the name-value pair through for further processing. Replaces the Value attribute with the string set by the unvalidated-fixup-map command. strip Removes the name-value pair from the entity (HTTP header, HTTP body, or query string).
value-PCRE Specifies a PCRE that is applied to a value input to see if it is an expected input. policy Specifies the action to take when a value does not match the expression. Values are as follows: error (Default) The profile validation fails and an error is generated. passthru Passes the given name-value pair to the next step in processing.
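The size limits and the value-PCRE policies above describe how a Name-Value Profile disposes of each pair. The following Python is an added example, not DataPower code or configuration, that applies those rules to a parsed query string. It assumes the four actions error, passthru, set and strip (set is the name used here for the action that replaces the value with a fixup string), uses Python's re module in place of PCRE with patterns anchored by the caller, and runs on a constructed validation list and query string.

```python
import re
from urllib.parse import parse_qsl


class ProfileError(Exception):
    """Raised when a pair violates a size limit or a validation whose policy is error."""


def _apply_policy(policy, name, value, fixup, out):
    """Dispatch one of the four actions: error, passthru, set, strip (assumed names)."""
    if policy == "error":
        raise ProfileError(f"{name!r}={value!r} rejected")
    if policy == "passthru":
        out.append((name, value))          # pass the pair on unchanged
    elif policy == "set":
        out.append((name, fixup))          # replace the value with the fixup string
    elif policy == "strip":
        pass                               # drop the pair from the entity
    else:
        raise ValueError(f"unknown policy {policy!r}")


def apply_profile(pairs, validations, *, max_name_size=512, max_value_size=1024,
                  unvalidated_policy="error", unvalidated_fixup=""):
    """Return the pairs that survive the profile, in their original order.

    validations: list of {"name": regex, "value": regex, "policy": ..., "fixup": ...}.
    The first entry whose name regex matches is used.  A pair whose name matches no
    entry is handled by unvalidated_policy; a pair whose value fails the entry's
    value regex is handled by that entry's policy.  Size limits always raise.
    """
    out = []
    for name, value in pairs:
        if len(name) > max_name_size or len(value) > max_value_size:
            raise ProfileError(f"{name!r} exceeds the name or value size limit")
        entry = next((v for v in validations if re.search(v["name"], name)), None)
        if entry is None:
            _apply_policy(unvalidated_policy, name, value, unvalidated_fixup, out)
        elif re.search(entry["value"], value):
            out.append((name, value))
        else:
            _apply_policy(entry.get("policy", "error"), name, value,
                          entry.get("fixup", ""), out)
    return out


# Constructed sample profile (not taken from the product documentation)
VALIDATIONS = [
    {"name": r"^user$", "value": r"^[a-z]{1,32}$", "policy": "error"},
    {"name": r"^id$", "value": r"^[0-9]{1,10}$", "policy": "strip"},
    {"name": r"^q$", "value": r"^[\w ]*$", "policy": "set", "fixup": "FILTERED"},
]


def check_query_string(qs, unvalidated_policy="strip"):
    """Split a query string into pairs and run them through the sample profile."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    return apply_profile(pairs, VALIDATIONS, unvalidated_policy=unvalidated_policy)


if __name__ == "__main__":
    print(check_query_string("user=alice&id=42&q=<script>alert(1)</script>&debug=1"))
```

With the sample profile, user=alice passes, id=42 passes, the q value is replaced by FILTERED because it fails its pattern and the entry's policy is set, and debug is stripped because no validation names it and the unvalidated policy is strip. Changing the unvalidated policy to error turns the same request into a rejection, which is the safer default for an internet-facing profile.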
Guidelines The acl command assigns an Access Control List to the Web Application Request Profile. The Access Control List applies to all requests. Use the Global acl command to create an Access Control List. Use the no acl command to remove the Access Control List. Without an Access Control List, no restrictions are enforced on clients that make requests.
Guidelines The cookie-policy command sets the Cookie processing policy for this Request Profile. Requests that violate these limits cause an error. By default, cookies are allowed, but they are not encrypted or signed. Use the Global webapp-gnvc command to create a Name-Value Profile. Examples v Requires requests to present cookies.
Examples v Assigns the req-1-errors Error Handling Policy. # error-policy-override req-1-errors v Sets the error handling policy to none, which effectively disables error handling. # no error-policy-override multipart-form-data Sets the policy for processing multipart requests. Syntax multipart-form-data parts maximum-part-size maximum-size {on | off} Parameters parts Specifies the maximum number of parts to allow.
request (the transaction request) is immediately forwarded to the back end service. No other matching profile is run. pre-requisite If a request passes the criteria set forth in this profile, any other profiles that match the request may now run. The request is not necessarily forwarded to the back end service.
# no ratelimiter-policy request-body-max Specifies the maximum request body size in bytes, if the HTTP method provides a body. Syntax request-body-max bytes Parameters bytes Specifies the maximum request body size in bytes. The default is 128000000. Related Commands request-body-min request-body-min Specifies the minimum request body size in bytes, if the HTTP method provides a body.
Use the no request-body-profile command to remove any profile assigned using this command. Related Commands webapp-gnvc (Global) request-content-type Sets the HTTP content types to allow. Syntax request-content-type PCRE no request-content-type PCRE no request-content-type Parameters PCRE Specifies a string representation of the Content type. Guidelines Use this command as many times as needed to create a list of HTTP Content types that this profile allows.
Parameters name Specifies the name of an existing Name-Value Profile. Guidelines If no Name-Value Profile is specified, no processing occurs. Use the Global webapp-gnvc command to create a new profile. Use the no request-header-profile command to remove any Name-Value Profile that is assigned.
Examples v Adds the HTTP TRACE method to the default methods (GET, POST, and HEAD) to allow. TRACE echoes the received request back to the client, so allow it only where a client genuinely needs it. # request-methods GET+POST+HEAD+TRACE request-nonxml-policy Determines how to handle non-XML content. Syntax request-nonxml-policy {nothing | side | binary} Parameters nothing (Default) Performs no processing. side The appliance executes the Non-XML Processing Rule specified.
Examples v Sets the policy for non-XML requests to run a side effect Processing Rule, which does not change the content of the request but does check authentication. The Processing Rule is then identified. # request-nonxml-policy side # request-nonxml-rule request-aaa request-qs-policy Determines how to handle HTTP Query Strings.
request-uri-filter-dotdot Controls a filter for URLs that include the string .. (dot dot) after URI normalization is performed. Syntax request-uri-filter-dotdot {on | off} Parameters on (Default) Filters all content for a .. string. off Disables the filter. Related Commands request-uri-filter-exe, request-uri-filter-fragment, request-uri-filter-unicode request-uri-filter-exe Controls a filter for URLs that include the string exe after URI normalization is performed.
Related Commands request-uri-filter-dotdot, request-uri-filter-exe, request-uri-filter-unicode request-uri-filter-unicode Controls the filter for URLs that include Unicode after URI normalization is performed. Syntax request-uri-filter-unicode {on | off} Parameters on (Default) Filters for Unicode. off Disables the filter. Related Commands request-uri-filter-dotdot, request-uri-filter-exe, request-uri-filter-fragment request-uri-max Sets the maximum size to allow for the entire URI. Syntax request-uri-max characters Parameters...
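The filters above run after URI normalization, which is what lets them see a .. that arrived as %2e%2e. The following Python is an added example, not the appliance's implementation, that normalizes a path and query along the lines described under uri-normalization (decode escapes of RFC 3986 unreserved characters, upper-case the remaining escapes, encode raw characters that need escaping) and then applies the dotdot, exe, unicode and fragment filters to the normalized form. What counts as "Unicode" is an assumption of this example (a %uXXXX escape or any non-ASCII byte), as is the exact set of raw characters it lets stand; the URIs it checks are constructed.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 unreserved characters: never need escaping, so %XX forms are decoded
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# Characters this example lets stand raw in a path or query (an assumed set:
# unreserved plus sub-delims, ":", "@", "/" and "?")
RAW_ALLOWED = UNRESERVED | set("!$&'()*+,;=:@/?")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize(component: str) -> str:
    """Rewrite a path or query so that it is escaped consistently:
    - %XX for an unreserved character is decoded (it never needed escaping)
    - any other %XX keeps its escape, with upper-case hex digits (%2F stays %2F)
    - a raw character that must be escaped (space, '<', non-ASCII, a stray '%')
      is percent-encoded as UTF-8
    """
    out, i = [], 0
    while i < len(component):
        m = _PCT.match(component, i)
        if m:
            ch = chr(int(m.group(1), 16))
            out.append(ch if ch in UNRESERVED else "%" + m.group(1).upper())
            i += 3
        elif component[i] in RAW_ALLOWED:
            out.append(component[i])
            i += 1
        else:
            out.extend("%%%02X" % b for b in component[i].encode("utf-8"))
            i += 1
    return "".join(out)


def check_uri(uri: str, filters=("dotdot", "exe", "unicode", "fragment")):
    """Normalize the URI, then apply the filters to the normalized form.
    Returns (normalized_uri_without_fragment, list_of_triggered_filters)."""
    parts = urlsplit(uri)
    norm = normalize(parts.path)
    if parts.query:
        norm += "?" + normalize(parts.query)
    hits = []
    if "dotdot" in filters and ".." in norm:
        hits.append("dotdot")
    if "exe" in filters and "exe" in norm.lower():
        hits.append("exe")
    # assumed meaning of "Unicode": a %uXXXX escape, or any byte >= 0x80 after normalization
    if "unicode" in filters and (re.search(r"%u[0-9A-Fa-f]{4}", uri)
                                or re.search(r"%[89A-F][0-9A-F]", norm)):
        hits.append("unicode")
    if "fragment" in filters and "#" in uri:
        hits.append("fragment")
    return norm, hits


def naive_dotdot(uri: str) -> bool:
    """The check a filter would make without normalization, for comparison."""
    return ".." in uri


if __name__ == "__main__":
    for u in ("/app/%2e%2e/%2e%2e/etc/passwd", "/cgi-bin/cmd%2Eexe", "/caf%c3%a9"):
        print(u, "->", check_uri(u), "naive dotdot:", naive_dotdot(u))
```

The first sample URI shows why the order matters: a filter that looked at the raw request would see no .. at all, while the normalized form is an obvious traversal. Note that %2F is deliberately not decoded to a slash, so a ..%2F sequence is still caught by the dotdot filter without the normalizer changing the path's segment structure.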
Related Commands request-methods request-xml-policy Determines how to handle XML content. Syntax request-xml-policy {nothing | xml | soap} Parameters nothing (Default) Performs no processing. xml The appliance parses the request to validate that the request is well-formed XML. The XML Transformation Rule specified then runs on the request and the result is used as the request content.
Examples v Sets the policy for XML requests to validate that the request is well-formed XML. A Processing Rule is then configured to run on the request. # request-xml-policy xml # request-xml-rule request-aaa session-policy Assigns a Session Management Policy. Syntax session-policy name no session-policy name Parameters...
Examples v Sets the rsp-1-errors Error Handling Policy. # error-policy-override rsp-1-errors v Sets the Error Handling Policy to none, which effectively disables error handling. # no error-policy-override policy-type Determines the satisfaction policy. Syntax policy-type {admission | pre-requisite} Parameters admission If a response passes the criteria set forth in this profile, the server's response (the transaction response) is immediately forwarded to the client.
Parameters bytes Specifies the maximum size of the response body in bytes, if the HTTP method provides a body. The default is 128000000. Related Commands response-body-min response-body-min Determines the minimum response body size in bytes, if the HTTP method provides a body. Syntax response-body-min bytes Parameters...
v HTTP-402 — Payment Required v HTTP-403 — Forbidden v HTTP-404 — Not Found v HTTP-405 — Method Not Allowed v HTTP-406 — Not Acceptable v HTTP-407 — Proxy Authentication Required v HTTP-408 — Request Timeout v HTTP-409 — Conflict v HTTP-410 —...
# response-content-type text/html # response-content-type text/xml v Removes text/xml from the allowed Content types. # no response-content-type text/xml response-header-profile Sets the Name-Value Profile to process HTTP Header content. Syntax response-header-profile name no response-header-profile name Parameters name Specifies the name of an existing Name-Value Profile. Guidelines Use the Global webapp-gnvc command to create a Name-Value Profile.
OUTPUT multistep processing contexts). The Rule can perform such actions as authenticate and authorize, or send a copy of the response content to a third destination. binary The appliance executes the Non-XML Processing Rule specified. The response payload is submitted as an unparsed binary object. This rule can alter the content of the response.
response-xml-policy Determines how to handle XML content. Syntax response-xml-policy {nothing | xml | soap} Parameters nothing (Default) No processing is performed. xml The appliance parses the response to validate that the response is well-formed XML. The XML Transformation Rule specified then runs on the response and the result is used as the response content.
Guidelines The auto-renew command enables or disables the automatic renewal of a session whenever the user takes an action. A mouse click or the submission of a form constitutes a use. When enabled, the session lifetime measures idle time between uses.
save-config-overwrite Specifies system behavior after a running configuration is saved. Syntax save-config overwrite Guidelines By default, the Save Config button and the write mem command write the current running configuration to config:///autoconfig.cfg and designate that file as the startup configuration. To override the default behavior, place the no form of this command in a startup configuration script.
Parameters bytes Specifies the maximum number of bytes to allow in any attachment. The default is 2000000000. Guidelines A value of 0 specifies that size limitations are not enforced by this proxy. Attachments that exceed this size will result in a failure of the entire transaction. Related Commands gateway-parser-limits, request-attachments, response-attachments attribute-count...
Guidelines If front side traffic is conveyed by standard HTTP protocol, use this command to enable a default traffic handler. Otherwise, use the front-protocol command to assign one or more protocol-specific traffic handlers to the Web Service Proxy. Related Commands front-protocol back-attachment-format Specifies the attachment format output to backend servers.
back-timeout Sets the intra-transaction timeout value. Syntax back-timeout timerValue Parameters timerValue Specifies the maximum intra-transaction idle time in seconds. Use an integer in the range of 10 to 86400. The default is 120. Related Commands back-persistent-timeout, front-timeout, front-persistent-timeout, persistent-connections Guidelines The back-timeout command sets the intra-transaction timeout value, the proxy-specific maximum idle time allowed within a transaction on the Web Services proxy-to-server connection.
Examples v Sets the static backend URL to http://10.10.10.2:3000/services. # backend-url http://10.10.10.2:3000/services v Sets the static backend URL to https://10.10.10.2:3000/services. To support the SSL connection with the backend server, assigns the clientssl SSL Proxy Profile to provide the credentials for the secure connection. # backend-url https://10.10.10.2:3000/services # ssl clientssl backside-port-rewrite...
Guidelines The Web Service Proxy can send an HTTP 1.1 request to the backend server. In this case, the body of the document can be delimited by either Content-Length or chunked encoding. All servers will understand how to interpret Content-Length, and many applications will fail to understand chunked.
Guidelines If enabled, the Web Service Proxy uses gzip to compress HTTP transmissions to the server only if the server indicates the ability to process compressed documents in the Accept-Encoding HTTP header field. The proxy signals compression usage in the Transfer-Encoding HTTP header field. GNU zip is described in RFC 1952, GZIP File Format Specification, Version 4.3.
element-depth Defines the maximum depth of element nesting in an XML document. Syntax element-depth depth Parameters depth Specifies the proxy-specific maximum depth of element nesting. The default is 512. Guidelines If proxy-specific parser limitations are enabled by the gateway-parser-limits command, the depth assigned by the element-depth command overrides any parser limit that might be inherited from the XML manager assigned to the Web Service Proxy.
Parameters allow Specifies that external references are allowed and resolved. forbid (Default) Specifies that external references cause the XML parser to abort. ignore Specifies that external references are ignored. External entities are replaced with an empty string. follow-redirects Enables or disables redirection on the current Web Service Proxy. Syntax Enables redirection follow-redirects...
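element-depth, attribute-count, max-message-size and the external-reference setting are all parser limits. The following Python is an added example, not the appliance's parser, that enforces the same four limits with the standard-library expat parser so the effect of each setting can be seen on a document. The documents it parses are constructed; forbid and ignore follow the semantics given above, while allow would have to fetch the reference and is deliberately not implemented so that the example runs offline.

```python
import xml.parsers.expat


class ParserLimitError(Exception):
    """Raised when a document exceeds a configured limit or uses a forbidden feature."""


def parse_with_limits(data: bytes, *, element_depth=512, attribute_count=128,
                      max_message_kb=0, external_references="forbid"):
    """Parse `data` with expat while enforcing limits modelled on the commands above.

    element_depth       - maximum nesting depth of elements
    attribute_count     - maximum number of attributes on one element
    max_message_kb      - maximum size in kilobytes; 0 means unlimited
    external_references - "forbid" aborts on an external entity reference,
                          "ignore" expands the reference to the empty string;
                          "allow" is rejected here because it would fetch the
                          referenced resource (this example stays offline)
    Returns a dict with the maximum depth seen and the concatenated text content.
    """
    if external_references not in ("forbid", "ignore"):
        raise ValueError("only forbid and ignore are implemented in this example")
    if max_message_kb and len(data) > max_message_kb * 1024:
        raise ParserLimitError(f"message larger than {max_message_kb} KB")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "text": []}

    def start(name, attrs):
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > element_depth:
            raise ParserLimitError(f"element depth exceeds {element_depth}")
        if len(attrs) > attribute_count:
            raise ParserLimitError(f"<{name}> has more than {attribute_count} attributes")

    def end(name):
        state["depth"] -= 1

    def external_ref(context, base, system_id, public_id):
        if external_references == "forbid":
            return 0            # expat turns a false return into a parse error
        return 1                # "ignore": never opened, so the entity expands to ""

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = state["text"].append
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ParserLimitError(f"parse aborted: {exc}") from exc
    return {"max_depth": state["max_depth"], "text": "".join(state["text"])}


# Constructed sample documents (not taken from the product documentation)
SHALLOW = b"<a><b x='1'><c>hello</c></b></a>"
DEEP = b"<a>" * 600 + b"</a>" * 600
XXE = (b"<!DOCTYPE r [<!ENTITY ext SYSTEM 'file:///etc/hostname'>]>"
       b"<r>&ext;</r>")

if __name__ == "__main__":
    print(parse_with_limits(SHALLOW))
    for doc, kw in ((DEEP, {}), (XXE, {}), (XXE, {"external_references": "ignore"})):
        try:
            print(parse_with_limits(doc, **kw))
        except ParserLimitError as e:
            print("rejected:", e)
```

The depth check fires as soon as the limit is crossed rather than after the whole document is read, which is the property that matters against a deeply nested or oversized document: the parser stops early instead of building the full tree first. The external-reference handler is where forbid versus ignore differs; only forbid gives the caller a signal that a document tried to pull in outside content.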
Syntax front-persistent-timeout timerValue Parameters timerValue Specifies the maximum inter-transaction idle time in seconds. Use an integer in the range of 0 through 7200. The default is 180. A time value of 0 disables persistent connections. Guidelines The front-persistent-timeout command sets the inter-transaction timeout value. This value is the maximum idle time to allow between the completion of a TCP transaction and the initiation of a new TCP transaction on the proxy-to-client connection.
Syntax front-timeout timerValue Parameters timerValue Specifies the maximum intra-transaction idle time in seconds. Use an integer in the range of 10 to 86400. The default is 120. Guidelines Sets the intra-transaction timeout value, the maximum idle time allowed within a transaction on the proxy-to-client connection.
Syntax fwcred [fwCredName] no fwcred [fwCredName] Parameters fwCredName Specifies the name of an existing Firewall Credentials List. Guidelines A Firewall Credentials List specifies which keys and certificates are available to support Web Service Proxy processing. In the absence of a Firewall Credentials List, all locally-stored keys and certificates are available.
With proxy-specific parser limitations disabled (the default condition), parser limitations, if any, are derived from the XML Manager assigned to the Web Service Proxy. Related Commands attribute-count, element-depth host-rewriting Enables or disables host rewriting. Syntax host-rewriting {on | off} Parameters on (Default) The backend server receives a request that reflects the final route.
Use the no http-client-ip-label command to disable the reading of the HTTP header to identify the IP address of the calling client. Examples v Disables the reading of the HTTP header to identify the IP address of the calling client. Subsequently, enables this function to read the IP address from the X-Forwarded-For HTTP header for monitoring and logging.
Syntax inject {front | back} field value no inject {front | back} field Parameters front Indicates that the packet stream is between a proxy and the HTTP client. back Indicates that the packet stream is between a proxy and the HTTP server. field Specifies the name of a nonstandard HTTP header field.
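http-client-ip-label, inject and suppress together shape the headers on each side of the proxy. The following Python is an added example, not DataPower code, showing the checks a practitioner would want around those commands: the client-IP header is believed only when the TCP peer is a trusted proxy (otherwise any client can forge it), and on the server-facing leg a suppressed field is removed by case-insensitive name before injected fields are added. The request headers, peer addresses and trusted-proxy range are constructed, and taking the last address in the header (the one the trusted proxy appended) is this example's choice, not documented appliance behaviour.

```python
import ipaddress

# Constructed request and trust configuration (not from the product documentation)
PEER_IP = "10.0.0.7"
REQUEST_HEADERS = {
    "Host": "api.example.com",
    "Authorization": "Basic YWxpY2U6c2VjcmV0",
    "X-Forwarded-For": "203.0.113.9",
    "Content-Type": "text/xml",
}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def client_ip(headers, peer_ip, label="X-Forwarded-For", trusted_proxies=TRUSTED_PROXIES):
    """Return the client address to log or monitor.

    The label header (http-client-ip-label) is used only when the TCP peer is a
    trusted proxy; a header presented by an untrusted peer is ignored because the
    client could have written it.  With label=None (the no http-client-ip-label
    case) the peer address is always used.  When the header carries a chain, the
    last entry is the one the trusted proxy appended, so that is the one returned.
    """
    peer = ipaddress.ip_address(peer_ip)
    if label and headers.get(label) and any(peer in net for net in trusted_proxies):
        return headers[label].split(",")[-1].strip()
    return peer_ip


def backside_headers(headers, suppress=("Authorization",), inject=None):
    """Build the header set for the proxy-to-server leg.

    Fields named in `suppress` are removed (HTTP field names compare
    case-insensitively, so "authorization" and "Authorization" both go), then the
    `inject` fields are added, overriding any client-supplied field of the same name
    so a client cannot pre-seed a header the proxy is expected to set.
    """
    drop = {h.lower() for h in suppress}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    for name, value in (inject or {}).items():
        out = {k: v for k, v in out.items() if k.lower() != name.lower()}
        out[name] = value
    return out


if __name__ == "__main__":
    ip = client_ip(REQUEST_HEADERS, PEER_IP)
    print("client:", ip)
    print("to server:", backside_headers(REQUEST_HEADERS, inject={"X-Client-IP": ip}))
```

The same request seen from a peer outside the trusted range yields the peer address itself, which is what prevents a spoofed X-Forwarded-For from polluting monitoring and logs; the suppress step mirrors the suppress back Authorization example later in this reference, where the client's credentials must not travel on to the backend.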
Uses the client IP address no load-balancer-hash-header Parameters header Specifies the name of the HTTP header. Guidelines The load-balancer-hash-header command identifies the HTTP header to use for calculating the hash for load balancing traffic to the backend servers. v When defined, the hash algorithm uses the value of the identified HTTP header. v When not defined, the hash algorithm uses the IP address of the client.
Syntax max-message-size [kilobytes] Parameters kilobytes Specifies the maximum number of kilobytes to scan before the document is considered malicious and dropped. Use an integer in the range of 0 through 2097151. The default is 0. A value of 0 specifies unlimited size. Guidelines The specified kilobyte count includes the contents or any external documents that are referenced by the incoming XML.
When enabled and there are no MIME headers in the message, the DataPower service tries to parse the message by using the protocol header information, if available. When disabled and MIME headers are in the body of the message, the MIME headers are considered part of the preamble.
Syntax Assigns a Count Monitor monitor-count name Removes a Count Monitor no monitor-count [name] Parameters name Specifies the name of a Count Monitor. Guidelines Use this command to add or to remove one or more Count Monitors. Count Monitors watch for defined messaging events and increment counters each time the event occurs.
Related Commands monitor-count (Global), monitor-service (Global) Examples v Assigns the wsgw-duration Duration monitor to the current proxy. # monitor-duration wsgw-duration v Removes the wsgw-duration Duration monitor from the current proxy. # no monitor-duration wsgw-duration v Removes all Duration monitors from the current proxy. # no monitor-duration monitor-processing-policy Sets the behavior when a service has multiple monitors.
Use the no monitor-service command to remove the Service Level Monitor assignment. Related Commands monitor-count, monitor-duration Examples v Assigns the wsgw-service Service Level Monitor to the current proxy. # monitor-service wsgw-service v Removes the wsgw-service Service Level Monitor from the current proxy. # no monitor-service wsgw-service v Removes all Service Level Monitors from the current proxy.
Matches wsdl:service/@name when formatted as {serviceNamespace}name. subscription Matches an identified subscription key. wsdl Matches when the operation requested in the current transaction is defined in the identified WSDL file. wsdlComponentValue Identifies the value of the WSDL-defined component. The value to specify depends on the identified WSDL component type.
Operation Ignores the policy defined for the operation policy subject. MessageIn Ignores the policy defined for the message policy subject for input messages. MessageOut Ignores the policy defined for the message policy subject for output messages. wsdlComponentType Specifies the type of the WSDL component to match. Use one of the following values: Disables all WSDL-based matching criteria.
v If wsdl, specifies either a URL or the “local name” mnemonic that is assigned to the WSDL file. subscription Specifies the name of an existing Subscription object. The property is meaningful only when the value of the component type is subscription. operation-priority Defines the priority for a specific web services operation.
v If port, specifies the name of the WSDL port. Use the wildcard character (*) to specify all ports. v If service, specifies the name of the WSDL service. Use the wildcard character (*) to specify all services. v If subscription, specify double quotation marks (""). Any specified value is ignored.
Examples v Makes the recipient parameter with a value of ALICE and the type parameter with a value of content available to the current proxy. The default parameter namespace is used. # parameter recipient ALICE # parameter type content v Makes foobar parameter with a value of value available to the current proxy. {http://www.example.com} designates the parameter namespace.
Syntax policy-parameters parameterSet wsdlComponentType [wsdlComponentValue | subscription] Parameters parameterSet Specifies the name of an existing Policy Parameters object. wsdlComponentType Specifies the type of the WSDL component to match. Use one of the following values: Disables all WSDL-based matching criteria. Disabling the matching ""...
v If wsdl, specifies either a URL or the “local name” mnemonic that is assigned to the WSDL file. subscription Specifies the name of an existing Subscription object. The property is meaningful only when the value of the component type is subscription. Guidelines To create a new Policy Parameters object, use the Global policy-parameters command.
Depending on the protocol, the backend service might return a response code that indicates an error condition. For HTTP messages, the response from the backend server might include a response body that contains XML that provides more details about the error. propagate-uri Enables or disables propagation of the local portion of the URI to the target server.
Parameters namespace Identifies the default namespace for query parameters. The default is the http://www.datapower.com/param/query namespace. Related Commands default-param-namespace, parameter reliable-messaging Controls reliable messaging properties. Syntax reliable-messaging options deliveryAssuranceType wsdlComponentType [wsdlComponentValue | subscription] Parameters options Identifies the options for reliable messaging. Use any combination of the following keywords.
port Matches when the operation requested in the current transaction is included in the identified WSDL port. Matches wsdl:service/wsdl:port/@name when formatted as {serviceNamespace}port-name. service Matches when the operation requested in the current transaction is included in the identified WSDL service. Matches wsdl:service/@name when formatted as {serviceNamespace}name.
reporting-interval Specifies the number of seconds after a failed attempt to log a message at the error level instead of the default debug level. The minimum and default is 1. total-retries Specifies the total number of connection attempts to perform after the initial failed attempt.
Attachments are buffered when an action in the processing rule requests any of the following: v Needed attachments v All attachments in the package before the needed attachment v All attachments in the package for a needed manifest v All attachments in the package if the package does not contain the needed attachment reject Rejects messages that contain attachments.
Characterizes the traffic as raw (unencapsulated) XML. soap (Default) Characterizes the traffic as SOAP. unprocessed Characterizes the traffic as non-XML traffic that is not transformed by the proxy. Related Commands response-type, soap-schema-url response-attachments Specifies the processing mode for SOAP attachments in server responses. Syntax response-attachments mode Parameters...
Guidelines The response-attachments command specifies the processing mode for attachments in server responses (as defined in RFC 2387). This type of response is a compound object that consists of several interrelated body parts and is the mechanism that is used to support the bundling of attachments in a SOAP message package, which is commonly referred to as a SOAP with Attachments message.
Guidelines When streaming MIME messages, specifies the action to take when the root part is not the first part of the message. If the root part must be first (for example to do conformance checking) and the action is set to process-in-order, the attachments up to the root will be buffered.
soap-schema-url Assigns a schema to validate incoming SOAP messages. Syntax soap-schema-url schemaURL Parameters schemaURL Specifies the URL of the schema file to validate that SOAP messages conform to the SOAP schema. The default is the schemas/soap- envelope.xsd schema in the store: directory. Guidelines When a Web Service Proxy is in SOAP mode, either on the request or response side, it validates the incoming messages against a W3C Schema that defines a...
stream-output-to-back Specifies server-facing streaming behavior. Syntax stream-output-to-back {buffer-until-verification | stream-until-infraction} Parameters buffer-until-verification (Default) Specifies that the DataPower service buffer client request messages until all processing is verified as complete. After verification, transmits the request to the server. stream-until-infraction Specifies that the DataPower service begins sending client request messages to the server before all processing is complete, potentially increasing the speed.
Related Commands stream-output-to-back stylepolicy Assigns a Processing Policy. Syntax stylepolicy wsProcessingPolicyName Parameters wsProcessingPolicyName Specifies the name of a Processing Policy. Guidelines You do not need to specify a Processing Policy to configure a Web Service Proxy. If it is absent, the Web Service Proxy uses processing instructions (if any) that are in the XML document.
Examples v Deletes the HTTP Authorization header from the traffic stream to the HTTP server. # suppress back Authorization v Restores the HTTP Authorization header to the traffic stream to the HTTP server. # no suppress back Authorization type Specifies the type of Web Service Proxy. Syntax type {dynamic-backend | static-backend} Parameters...
You can add more than one UDDI Subscription to the current Proxy by repeating this command. Use the no uddi-subscription command to remove the assignment of a UDDI Subscription from the current proxy. Related Commands uddi-subscription (Global) Examples v Adds the ActivityEndpoint1 and ActivityEndpoint2 UDDI Subscription objects to the current proxy.
# no urlrewrite-policy user-policy Assigns a user-policy. Syntax user-policy target-namespace WSDL-file WSDL-service WSDL-portType WSDL-binding WSDL-operation [behavior] no user-policy Parameters target-namespace Specifies namespace criteria for policy selection. The target namespace is found in the WSDL definitions element. Enter the target namespace, or enter * to match any namespace.
external clients. It is possible to enable an operation but not publish it until some other time. Also, it is possible to discontinue publishing an operation after a sunset period. VerifyFaults Validates fault messages against the schema that is contained in the corresponding WSDL file.
Guidelines The wsa-back-protocol command is relevant when the DataPower service provides asynchronous service (the wsa-genstyle command is async). In these topologies, this command specifies the Front Side Protocol Handler to receive the asynchronous response and forward that response to the original client. This Front Side Protocol Handler can be overridden by the var://context/ __WSA_REQUEST/replyto variable.
wsa-default-replyto Forces the inclusion of the ReplyTo element in Web Services Addressing (WS-Addressing) messages. Syntax wsa-default-replyto replyURL Parameters replyURL Specifies the value of the ReplyTo element. Guidelines The wsa-default-replyto command is relevant when the DataPower service provides service for WS-Addressing clients (the wsa-mode command is wsa2sync or wsa2wsa).
Parameters urlRewritePolicy Specifies the name of the URL Rewrite Policy. Guidelines The wsa-faultto-rewrite command is relevant when the DataPower service provides service for WS-Addressing clients (the wsa-mode command is wsa2sync or wsa2wsa). In these topologies, this command modifies the contents of an incoming FaultTo element.
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous The fault-to header will contain the following default value: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous These default values can be overridden with the wsa-default-replyto and wsa-default-faultto commands. Related Commands wsa-default-faultto, wsa-default-replyto, wsa-strip-headers Examples v Adds WS-Addressing headers to traditionally-addressed messages. # wsa-force on v Leaves traditionally-addressed message headers untouched. # wsa-force off # no wsa-force wsa-genstyle...
If the request-response transmission model is oob, ensure that the Web Service Proxy preserves explicit (non-anonymous), client-originated values for the ReplyTo and FaultTo elements and passes these values intact to the server. Related Commands wsa-back-protocol, wsa-http-async-response-code, wsa-mode, wsa-timeout wsa-http-async-response-code Specifies the HTTP response code to send to a client appliance before transmitting the actual asynchronous server response.
wsa2sync Specifies that the DataPower service is mediating between hosts that support WS-Addressing and servers that employ traditional addressing. wsa2wsa Specifies that the DataPower service is mediating between hosts and servers that support WS-Addressing. Guidelines The wsa-mode command specifies the WS-Addressing support that the DataPower service provides.
– Strip the WS-Addressing headers from any client-generated request before forwarding the request to the target server. The default behavior is to strip the WS-Addressing headers. – Rewrite the contents of, or supply default values, for client-generated ReplyTo and FaultTo elements to specify the destinations of these response types. –...
Related Commands absolute-rewrite, urlrewrite, wsa-mode, wsa-faultto-rewrite, wsa-to-rewrite Examples v Identifies wsaResponseHandler as the URL Rewrite Policy used to modify the contents of the ReplyTo element. # wsa-replyto-rewrite wsaResponseHandler v Removes the assignment of wsaResponseHandler as the URL Rewrite Policy used to modify the contents of the ReplyTo element.
# wsa-strip-headers wsa-timeout Specifies the asynchronous timeout value. Syntax wsa-timeout timerValue Parameters timerValue Specifies the maximum wait period in seconds. Use an integer in the range of 1 through 4000000. The default is 120. Guidelines The wsa-timeout command specifies the maximum period of time to wait for an asynchronous response, before abandoning the transaction.
Related Commands wsa-mode wsdl Assigns or removes a source WSDL file. Syntax wsdl source-location local-name [policy-attachment] no wsdl source-location Parameters source-location Specifies the exact location (URL) of the WSDL file. The file can be stored on the appliance or on a remote server (for example, local:/// searchservice.wsdl).
wsdl-cache-policy Establishes a WSDL caching policy file with the current Web Service Proxy. Syntax wsdl-cache-policy wsdlLocation ttlValue Parameters wsdlLocation Specifies the location of one or more WSDL files. ttlValue Specifies the number of seconds before the proxy refreshes the WSDL files. Guidelines The proxy can automatically refresh one or more of the WSDL files on which the proxy is based.
Related Commands aaapolicy (global), wsrm wsrm-destination-accept-create-sequence Indicates whether to accept incoming CreateSequence SOAP requests and create a Reliable Messaging destination when one is received. Syntax wsrm-destination-accept-create-sequence {on | off} Parameters (Default) Enables this feature. If enabled, both the client and the server can use Reliable Messaging to send messages to this DataPower service.
Syntax wsrm-destination-maximum-sequences maximumSequences Parameters maximumSequences Specifies the maximum number of simultaneously active sequences. The default is 400. Guidelines The wsrm-destination-maximum-sequences command sets a limit on the maximum number of simultaneously active sequences to Reliable Messaging destinations of this DataPower service. Attempts by clients to create sequences in excess of this limit result in a SOAP fault.
(Default) Does not require Reliable Messaging for all responses. Guidelines The wsrm-response-force command indicates whether to require the use of Reliable Messaging for all SOAP messages that response rules process. Any SOAP message without a Sequence results in a SOAP fault. Note: When WS-Addressing is in use, SOAP messages without a WS-Addressing RelatesTo SOAP Header are processed by the request rule, not the response rule, even if the message comes from the backend server.
SOAP responses from the server. The Front Side Protocol Handler must be associated with the same DataPower service where the corresponding Reliable Messaging sequence is occurring. This property controls whether the backside Reliable Messaging source uses a unique URL to receive asynchronous Acks from the server Reliable Messaging destination, or whether Acks are sent synchronously in future responses to the backside server.
Parameters handler Specifies the name of an existing Front Side Protocol Handler. Guidelines The wsrm-source-front-acks-to command identifies the Front Side Protocol Handler to receive the asynchronous Reliable Messaging SequenceAcknowledgement SOAP responses from the client. The Front Side Protocol Handler must be associated with the same DataPower service where the corresponding Reliable Messaging sequence is occurring.
wsrm-source-make-offer Indicates whether to include an offer for two-way Reliable Messaging. Syntax wsrm-source-make-offer {on | off} Parameters on Includes an offer. off (Default) Does not include an offer. Guidelines The wsrm-source-make-offer command indicates whether to include an offer for two-way Reliable Messaging in CreateSequence SOAP requests that are made as the result of request processing.
Parameters
limit Specifies the number of simultaneous active sequences. Use an integer in the range of 1 through 2048. The default is 400.
Guidelines
The wsrm-source-maximum-sequences command sets a limit on the maximum number of simultaneously active sequences from Reliable Messaging sources of this DataPower server.
to be sent to the server and when there is no Reliable Messaging source that was created by a MakeOffer from the server. The Reliable Messaging source is created by sending a CreateSequence SOAP request to the server address.
Related Commands
wsrm, wsrm-source-exponential-backoff, wsrm-source-inactivity-close-interval, wsrm-source-make-offer, wsrm-source-maximum-queue-length, wsrm-source-request-ack-count, wsrm-source-retransmission-interval,...
Related Commands
wsrm, wsrm-destination-accept-offers, wsrm-source-exponential-backoff, wsrm-source-request-create-sequence, wsrm-source-response-create-sequence
wsrm-source-retransmit-count
Specifies the number of times to retransmit a message.
Syntax
wsrm-source-retransmit-count count
Parameters
count Specifies the number of retransmissions. Use an integer in the range of 1 through 256. The default is 4.
Guidelines
The wsrm-source-retransmit-count command specifies the number of times a Reliable Messaging source retransmits a message before declaring a failure.
xml-manager
Assigns an XML manager.
Syntax
xml-manager name
Parameters
name Specifies the name of the XML manager.
Guidelines
The xml-manager command assigns an XML manager to the Web Service Proxy. An XML manager obtains and controls resources required by the Web Service Proxy. In the absence of an explicit assignment, the DataPower appliance assigns the default XML Manager to support Web Service Proxy operations.
Guidelines capture-mode identifies messages that are captured and forwarded to a Web Services Manager for further analysis. Not all Web Service Management protocols accommodate full message capture. Use the all-messages option only if the spooler can forward full messages. Use of this option incurs a performance penalty that can be seen when performing load testing.
You can use wildcards to define a match pattern as follows:
The string wildcard (*) matches 0 or more occurrences of any character.
The single character wildcard (?) matches one occurrence of any single character.
The bracket delimiters ([ ]) enclose a character or numeric range:
[1-5] Matches 1, 2, 3, 4, or 5
Matches x or y...
Examples
v Specifies monitor operations, generates log entries in response to more than 30 transactions per second, and throttles excessive transactions (greater than 50 per second).
# service-monitor WSMonitor-2
Web Services Monitor configuration mode
# operation all rate low 30 log
# operation all rate high 50 throttle
transport
Specifies the transport type that the monitored endpoint uses.
soap-11 Uses the SOAP 1.1 binding for WSDL 1.1 (http://schemas.xmlsoap.org/wsdl/soap11/).
soap-12 Uses the SOAP 1.2 binding for WSDL 1.1 (http://schemas.xmlsoap.org/wsdl/soap12/).
Guidelines
All of the arguments for the backend-rule command must be specified in the documented order. A Remote Endpoint specifies the location to which requests are sent by a Web Service Proxy after processing the request.
This argument is relevant when use-front-protocol is off. This argument is ignored when use-front-protocol is on.
host Specifies the part of the URL from the web service binding that specifies the host alias or IP address. The default is 0.0.0.0. This argument is relevant when use-front-protocol is off. This argument is ignored when use-front-protocol is on.
# wsm-endpointrewrite testing
WS-Proxy Endpoint Rewrite configuration mode
# listener-rule ".*" "default" "0.0.0.0" "0" "/search/beta2" "Searcher" "on"
publisher-rule
Adds, edits, or deletes a publish endpoint rewrite rule.
Syntax
publisher-rule pattern protocol host port uri
Parameters
pattern Specifies a PCRE that identifies the web service ports whose endpoints are rewritten.
protocol Specifies the part of the URL from the web service binding that specifies the protocol.
# wsm-endpointrewrite someBanking
WS-Proxy Endpoint Rewrite configuration mode
# publisher-rule "{http://somebank.com}SomeBankPort" "http" "10.10.13.35" "2068" "/SomeBankService/services/SomeBankPort"
subscription-backend-rule
Adds, edits, or deletes a subscription remote endpoint rewrite rule.
Syntax
subscription-backend-rule subscription protocol host port uri binding-protocol
Parameters
subscription Specifies the name of an existing UDDI Subscription to match against a subscription that the Proxy uses for this rewrite rule.
A Remote Endpoint specifies the location to which requests are sent by a Web Service Proxy after processing the request. This is the backend endpoint of the transaction. It is possible to direct traffic to an endpoint other than the one specified in the underlying WSDL by rewriting the endpoint.
Specifies the part of the URL from the web service binding that specifies the local path. If no string is configured, the value from the WSDL is used.
front-protocol Specifies the front side handler to use for matching web service ports. This argument is relevant when use-front-protocol is on.
Parameters
subscription Specifies the name of an existing UDDI Subscription to match against a subscription that the Proxy uses for this rewrite rule.
protocol Specifies the part of the URL from the web service binding that specifies the protocol.
host Specifies the part of the URL from the web service binding that specifies the host name or IP address.
Matches wsdl:binding/operation/@name when formatted as {bindingNamespace}name, or matches wsdl:service/wsdl:port when formatted as {serviceNamespace}port-name/operation-name.
port Matches when the operation requested in the current transaction is included in the identified WSDL port. Matches wsdl:service/wsdl:port/@name formatted as {serviceNamespace}port-name.
service Matches when the operation requested in the current transaction is included in the identified WSDL service.
Guidelines
Use the no match command to delete all policy maps from the processing policy. To delete or modify a specific policy map, use the WebGUI.
Examples
v Adds the star matching rule and the valClientServer processing rule.
# match all "" star valClientServer
v Adds the test matching rule and the valClientServer processing rule when the match is against the wsrrSub-1 subscription.
Guidelines
Use the no action command to delete a named action from the current Processing Rule or to delete all actions from the current Processing Rule.
Examples
v Applies the checkError rule.
# action checkError
v Deletes the checkError rule from the current Processing Rule.
# no action checkError
call
Adds a call action.
AuthComplete Indicates the completion of an authentication process.
Fault Indicates a fault condition.
Request Indicates the input of a client-originated document.
Response Indicates the input of a server-originated document.
input-context Optionally identifies the context in which the checkpoint is triggered. The default is INPUT.
Syntax
extract input-context output-context expression [variable]
Parameters
input-context Specifies the context to which to apply the XPath expression. Specify INPUT to use the initial policy input, which is the original client request or server response.
output-context Specifies the context that stores the result of the XPath expression. Specify OUTPUT to use the final policy output, which is the transformed client request or transformed server response.
expression...
Parameters
Specifies the resource to be fetched. It can be expressed as a URL or as a var:// URL that expands to a URL.
output-context Specifies the context in which to store the retrieved resource.
Guidelines
A fetch action retrieves a remote resource for use in a Processing Rule. You can use any protocol-specific URL when addressing the target resource.
Refer to Appendix B, “Processing Policy procedures,” on page 999 for procedural details.
Related Commands
validate
Examples
v Uses the specified style sheet to filter the original input.
# filter INPUT store:///filter-1.xsl
v Uses the style sheet referenced by the filter variable in the tools context to filter the original input.
A log action generates a log message that contains the contents of a specified context and sends the message to a target location.
Examples
v Sends the contents of the INPUT context to the www.us.ibm/ragnarok/log target.
# log INPUT http://www.us.ibm/ragnarok/log
non-xml-processing
Enables processing of non-XML contexts in a Processing Rule.
# on-error abort faultProcessing
output-filter
Specifies a compression algorithm to apply to all outgoing traffic after all processing.
Syntax
output-filter {zip | pkzip | none}
Parameters
zip Compresses all incoming traffic with the ZIP algorithm.
pkzip Compresses all incoming traffic with the PKZIP algorithm.
none (Default) Performs no compression on outgoing traffic.
results-async
Adds a results-async action.
Syntax
results context destination
Parameters
context Specifies the target context, which is the context whose contents are sent.
destination Specifies the destination.
Guidelines
A results-async action transmits the contents of a context to a specified destination.
Parameters
input-context Specifies the context whose contents are to be routed by the specified style sheet. Specify INPUT to use the initial policy input, which is the original client request or server response.
dynamic-stylesheet Indicates that the action uses a dynamic style sheet.
Specifies the style sheet to route the contents of the input context.
Syntax
setvar context variable value
Parameters
context Specifies the context in which to set the variable.
variable Specifies the name of the variable, in var:// URL format.
value Assigns the value to the variable.
Guidelines
If the var:// URL is not local, this value overrides the context that is specified by the context argument.
Parameters
context Specifies the context from which attachments are stripped.
Specifies the attachment to strip.
Guidelines
A strip-attachments action removes all or specified attachments from a target context. In the absence of a specified attachment, all attachments are stripped from the target context.
output-context Optionally specifies the output context of the validated document.
Guidelines
The validate command adds a validate action to the current processing rule. This action defines a policy-based XML schema validation filter. If no methodology is identified, documents are validated in accordance with the xsi:schemaLocation attributes in the specified context.
output-context Specifies the context for the transformed document. Specify OUTPUT to use the final policy output, which is the transformed client request or transformed server response.
Guidelines
An xform action defines a policy-based XSL transform. An xform action transforms the document using a specified style sheet.
Related Commands
convert-http
Examples...
OUTPUT to use the final policy output, which is the transformed client request or transformed server response.
Guidelines
Adds an xformpi action. An xformpi action defines a policy-based XSL transformation that is performed according to the processing instructions contained within the candidate XML document.
When the value is WSRR_6.1, use the WSRR Subscription fetch-policy-attachments command to configure the ability to retrieve policy attachments. If enabled, the subscription service can retrieve policy attachments from the registry.
Related Commands
fetch-policy-attachments (WSRR Subscription)
soap-url
Specifies the URL to access a WSRR server.
Syntax
soap-url URL
Parameters...
Guidelines
The ssl command assigns an SSL Proxy Profile to support secure communications between the appliance and a remote WSRR server. Meaningful only if the SOAP API URL, as defined by the soap-url command, starts with https:.
Related Commands
soap-url
username
Provides WSRR server credentials.
Specifies the resource name and namespace, providing an unambiguous identification of the target resource.
# wsrr-subscription Proxy-1
New WSRR Subscription configuration
# namespace http://tonawanda.sr.ibm.com/ValidateInsurance
# object-name InsuranceService.wsdl
object-name
Used in conjunction with the namespace command to unambiguously identify a subscribed-to WSRR resource.
Examples
v Specifies the resource name and namespace, which provides an unambiguous identification of the target resource.
# wsrr-subscription Proxy-1
New WSRR Subscription configuration
# namespace http://tonawanda.sr.ibm.com/ValidateInsurance
# object-name InsuranceService.wsdl
object-type
Identifies a resource type.
Syntax
object-type {wsdl | concept}...
server
Specifies the WSRR server object.
Syntax
server name
Parameters
name Specifies the name of the WSRR server object.
Guidelines
Specifies the WSRR server object, previously created with the wsrr-server command, that identifies the WSRR server that stores the subscribed-to resource.
Related Commands
wsrr-server
use-version...
Syntax
version version
Parameters
version Specifies the version of the WSDL file.
Guidelines
The version command specifies the version of the WSDL file to retrieve from the WSRR registry. The registry maintains a Version attribute for WSDL files. This command is relevant only when use-version is on and there is more than one version of the WSDL file in the registry.
Related Commands
attribute-count, bytes-scanned, element-depth, firewall-parser-limits, request-attachments, response-attachments
attribute-count
Defines the XML-Firewall-specific maximum number of attributes associated with a given XML element.
Syntax
attribute-count count
Parameters
count Sets the gateway-specific maximum number of attributes. The default is 128.
Guidelines
If firewall-specific parser limitations are enabled by the firewall-parser-limits command, the maximum attribute count that is assigned by this command overrides the value that is inherited from the XML Manager that is assigned to the XML Firewall.
Related Commands
front-attachment-format
bytes-scanned
Specifies the maximum scope of the XML parser scanning operation.
Syntax
bytes-scanned bytes
Parameters
bytes Specifies the maximum scan in bytes. The default is 4194304.
Guidelines
If firewall-specific parser limits are enabled by the firewall-parser-limits command, the maximum byte count that is assigned by this command overrides the value that is inherited from the XML Manager that is assigned to the XML Firewall.
http://www.datapower.com/param/query
Related Commands
parameter, query-param-namespace
Examples
v Assigns a default namespace for parameters made available via the CLI or WebGUI.
# default-param-namespace http://www.somecompany.com/namespaces/
element-depth
Defines the XML-Firewall-specific maximum depth of element nesting in an XML document.
Syntax
element-depth depth
Parameters
depth Specifies the gateway-specific maximum depth of element nesting.
forbid Forbids external references. An external reference causes the XML parser to abort.
ignore Ignores external DTD references, and replaces external entities with the empty string.
firewall-parser-limits
Indicates whether to use firewall-specific parser limitations.
Syntax
firewall-parser-limits {on | off}
Parameters
on Enables firewall-specific parser limits.
dynamic Indicates that the format of client attachments is deduced from document content.
mime Indicates that client attachments are MIME-encapsulated documents.
Related Commands
back-attachment-format
fwcred
Assigns a Firewall Credentials List.
Syntax
fwcred name
no fwcred
Parameters
name Specifies the name of an existing Firewall Credentials List.
Guidelines
Assignment of a Firewall Credentials List is optional.
port Is a port number (within the range 0 to 65535) that binds the XML Firewall to a single, specific interface-port or to this port on all enabled interfaces.
Guidelines
You must specify both a local and a remote address and an XML manager when configuring an XML Firewall.
Parameters
bytes Specifies the firewall-specific maximum number of bytes to allow in a single parsed XML node before the source XML document is considered malicious and dropped. The default is 0. A value of 0 indicates that no size limits are imposed.
Related Commands
attachment-byte-count, attribute-count, element-depth, gateway-parser-limits, max-message-size...
# no monitor-count LogSquelch
monitor-duration
Assigns a Duration Monitor.
Syntax
monitor-duration name
no monitor-duration name
Parameters
name Is the name of the duration monitor assigned to the service.
Guidelines
After completing the configuration of a duration monitor, activate the monitor by assigning it to a service.
Examples
v Allows only the first matching monitor to execute when a service has multiple monitors attached.
# monitor-processing-policy terminate-at-first-match
monitor-service
Assigns a Service Level Monitor (SLM).
Syntax
service-count name
no service-count name
Parameters
name Is the name of the SLM assigned to the service.
Guidelines
After completing the configuration of an SLM, activate the monitor by assigning it to a service.
Guidelines
The following namespace declaration must be included in a style sheet to enable that style sheet to access parameter-value pairs that are defined by the parameter command.
xmlns:dpconfig="http://www.datapower.com/param/config"
Use the no parameter command to remove parameters from the current XML Firewall.
Syntax
query-param-namespace namespace
Parameters
namespace Specifies the name of the default namespace.
Guidelines
Parameters can be made available to an XML Firewall using the parameter command. The default namespace for parameters introduced with the CLI or WebGUI is:
http://www.datapower.com/param/config
The default namespace for parameters introduced by a URL query string is:
http://www.datapower.com/param/query
Related Commands
default-param-namespace, parameter...
Sets the XML Firewall type to static backend.
%loopback% Sets the XML Firewall type to loopback.
%dynamic% | * Sets the XML Firewall type to dynamic backend, which means that the address of the target server is dynamically extracted from the client request using the dp:set-target or dp:xset-target extension elements.
v All attachments in the package before the needed attachment
v All attachments in the package for a needed manifest
v All attachments in the package if the package does not contain the needed attachment
reject Rejects messages that contain attachments.
strip (Default) Removes attachments from the message before processing.
Parameters
xml Characterizes the client-originated traffic stream as raw (unencapsulated) XML.
soap Characterizes the client-originated traffic stream as SOAP.
unprocessed Characterizes the client-originated traffic stream as non-XML traffic that is not transformed by the XML Firewall.
Guidelines
By default, both the client-originated (request) and server-originated (response) traffic streams are characterized as SOAP.
streaming Allows messages that contain attachments in streaming mode, but provides limited processing. Messages in the form of a SOAP message package, which is a SOAP with Attachments message, are supported. Processing can be applied individually to each attachment. The appliance does not create a manifest of all attachments.
Guidelines
By default, both the client-originated (request) and server-originated (response) traffic streams are characterized as SOAP.
Related Commands
raw-mode, request-type
Examples
v Characterizes server-originated traffic as XML.
# response-type xml
v Characterizes server-originated traffic as SOAP, restoring the default condition.
# response-type soap
root-part-not-first-action
Sets the action to take when the MIME message root part is not first.
Parameters
Specifies the URL of the schema file.
Guidelines
When an XML Firewall is in SOAP mode, either on the request or response side, it validates the incoming messages against a W3C Schema that defines a conforming SOAP message. It is possible to customize which schema is used on a per-firewall basis by using this command;...
Syntax
stylesheet-policy name
Parameters
name Specifies the name of a Processing Policy.
Guidelines
Assigning a Processing Policy is optional. In the absence of a Processing Policy, the XML Firewall uses the processing instructions (if any) that are in the XML document.
Related Commands
ssl, urlrewrite-policy, xml-manager
type...
Do not use the type command to create a new XML Firewall. Use it to recast the type of an existing XML Firewall.
Related Commands
remote-address, ssl, stylesheet-policy
urlrewrite-policy
Assigns a URL Rewrite Policy.
Syntax
urlrewrite-policy name
Parameters
name Specifies the name of the URL Rewrite Policy.
Guidelines
Assignment of a URL Rewrite Policy is optional.
wsdl-response-policy
Specifies the XML Firewall response to receipt of a .NET WSDL request via the http://domain.com/service?wsdl convention.
Syntax
wsdl-response-policy {intercept | off | serve}
Parameters
intercept Indicates that the XML Firewall rewrites the wsdl:service/wsdl:port/soap:address field to point to the proxy.
off (Default) Indicates that the XML Firewall does not touch .NET requests and responses.
Parameters
mode Indicates which modes to enable. Separate multiple modes with the plus sign (+) character. The following keywords are available to indicate the modes to enable:
any — SOAP Management URI. Enables processing of messages received on any (*) URI for legacy applications.
When the mode command exposes the SLM Endpoint (slm keyword), you can use the slm-peering command to indicate the frequency at which to update SLM peers.
Related Commands
slm-peering
Examples
v Changes the default modes to include the WS-Management Endpoint service and the WSDM Endpoint service.
# xml-mgmt
Modify XML Management Interface configuration
# mode any+soma+v2004+amp+slm+wsm+wsdm...
Related Commands
mode
Examples
v Changes the interval between updates of SLM peer groups to 25 seconds.
# xml-mgmt
Modify XML Management Interface configuration
# slm-peering 25
ssl
Assigns an SSL Proxy Profile.
Syntax
ssl name
Parameters
name Specifies the name of an existing SSL Proxy Profile.
Guidelines
The ssl command identifies the SSL Proxy Profile to assign instead of the default profile.
Examples
v Changes the assignment of the User Agent to mgmtAgent.
# xml-mgmt
Modify XML Management Interface configuration
# user-agent mgmtAgent
Chapter 107. XML Management Interface configuration mode...
Parameters
name Specifies the name of an existing Processing Rule.
frequency Specifies the frequency of rule invocation.
Guidelines
The schedule-rule command schedules the XML Manager to run the specified Processing Rule. In the absence of the frequency argument, the rule is run a single time.
Parameters
limit Specifies the maximum nesting depth. The default is 512.
Related Commands
attribute-count, bytes-scanned
external-references
Defines the handling mode for input documents that contain external references.
Syntax
external-references {allow | forbid | ignore}
Parameters
allow Allows and resolves external references.
forbid Forbids external references.
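The parser limits described for the XML Firewall (attribute-count, bytes-scanned, element-depth, firewall-parser-limits) and for the XML Manager (element-depth, external-references) enforced over constructed sample documents in Python. This is an added example, not code from the IBM Command Reference or the appliance; it assumes that bytes-scanned can be approximated as a cap on document size, and the sample documents and the file:///placeholder URI are constructed.

```python
"""Enforce DataPower-style XML parser limits before a document is processed.
Added example, not from the IBM Command Reference: the limit names and defaults
mirror the attribute-count, element-depth, bytes-scanned and external-references
commands; the enforcement on Python's stdlib expat bindings is the example's own.
"""
from dataclasses import dataclass
from typing import Optional
import xml.parsers.expat as expat


@dataclass
class ParserLimits:
    attribute_count: int = 128            # attribute-count default
    element_depth: int = 512              # element-depth default
    bytes_scanned: int = 4194304          # bytes-scanned default
    external_references: str = "forbid"   # external-references {allow | forbid | ignore}


class LimitViolation(Exception):
    """Raised when a document exceeds a limit; the caller drops the document."""


def check_document(data: bytes, limits: Optional[ParserLimits] = None) -> dict:
    """Parse data under the limits; return parse statistics or raise LimitViolation."""
    limits = limits or ParserLimits()
    # Assumption: bytes-scanned is enforced as a cap on document size, because
    # expat exposes no per-scan byte counter.
    if len(data) > limits.bytes_scanned:
        raise LimitViolation(f"document is {len(data)} bytes, limit {limits.bytes_scanned}")
    stats = {"elements": 0, "max_depth": 0, "max_attributes": 0, "external_refs": 0}
    depth = 0
    parser = expat.ParserCreate()
    # Never fetch an external DTD subset (a parameter entity), whatever the mode.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        stats["max_attributes"] = max(stats["max_attributes"], len(attrs))
        if depth > limits.element_depth:
            raise LimitViolation(f"element depth {depth} exceeds {limits.element_depth} at <{name}>")
        if len(attrs) > limits.attribute_count:
            raise LimitViolation(f"<{name}> has {len(attrs)} attributes, limit {limits.attribute_count}")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def external_reference(kind, system_id, public_id):
        stats["external_refs"] += 1
        if limits.external_references == "forbid":
            raise LimitViolation(f"external {kind} reference forbidden: {system_id or public_id}")

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:          # <!DOCTYPE x SYSTEM "..."> or PUBLIC
            external_reference("DTD", system_id, public_id)

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id or public_id:          # <!ENTITY x SYSTEM "...">
            external_reference("entity", system_id, public_id)

    def external_entity_ref(context, base, system_id, public_id):
        # Reached only in allow/ignore mode. Reporting success without parsing the
        # entity expands it to the empty string, as 'ignore' describes; this
        # example never fetches remote content, even for 'allow'.
        return 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(data, True)
    return stats


def violation(data: bytes, limits: Optional[ParserLimits] = None) -> str:
    """Return the reason a document is rejected, or '' when it passes all limits."""
    try:
        check_document(data, limits)
    except LimitViolation as exc:
        return str(exc)
    return ""


# Constructed sample documents (not captured traffic).
SAFE_DOC = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="2"/></order>'
EXTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
                       b'<order>&ext;</order>')
DEEP_DOC = b"<a>" * 600 + b"</a>" * 600   # nests past the 512 default

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC), ("external entity", EXTERNAL_ENTITY_DOC),
                       ("deep", DEEP_DOC)]:
        print(label, "->", violation(doc) or f"accepted {check_document(doc)}")
```

Switching external_references to "ignore" accepts the second document with the entity expanded to nothing, which is the trade-off the ignore keyword describes.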
Guidelines
The rule command creates an XPath-based forwarding rule by adding an XPath expression and associated forwarding data to the current XPath Routing Map. That is, the selection of a target Web or application server is based upon the contents of the XML document being processed.
Disables access to cryptographic extensions. Alternatively, use the no crypto-extensions command.
default-param-namespace
Specifies the default namespace for stylesheet parameters.
Syntax
default-param-namespace namespace
Parameters
namespace Specifies the name of the default namespace. The default namespace for parameters is:
http://www.datapower.com/param/config
intermediate-result-timeout
Specifies the time that the XSL Coprocessor retains an unused intermediate-result node set.
Examples
v Specifies 10.10.13.35:23000 as the local IP address-port that the current XSL Coprocessor service monitors.
# xslcoproc proxy-1
XSL Coprocessor Service configuration mode
# ip-address 10.10.13.35
# port 23000
port
Specifies the local port monitored for incoming traffic.
Syntax
port port
Parameters
port...
Syntax
ssl name
Parameters
name Specifies the name of the SSL Proxy Profile assigned to the XSL Coprocessor Service.
Guidelines
The SSL Proxy Profile enables a secure Coprocessor-to-server connection.
stylesheet-policy
Assigns a Processing Policy.
Syntax
stylesheet-policy name
Parameters
name Specifies the name of the Processing Policy.
Guidelines
This command enables the implementation of a static processing policy applied to all server-originated documents.
The assignment of a Processing Rule allows the Java client code to instantiate a minimal identity transformer and invoke statically configured rule-based transformations with little overhead. Consider the following two examples. This command sequence creates the global coprocXform Processing Rule.
rule coprocXform
xform INPUT http://10.10.1.66/Diff_part_1.xsl x1
xform x1 http://10.10.1.66/Diff_part_2.xsl x2...
stdout
transformer.transform(new StreamSource(args[0]), new StreamResult(System.out));
Examples
v Assigns the coprocXform Processing Rule to the current XSL Coprocessor.
# stylesheet-rule coprocXform
urlrewrite-policy
Assigns a URL Rewrite Policy.
Syntax
urlrewrite-policy name
Parameters
name Specifies the name of the URL Rewrite Policy.
use-client-resolver
Enables or disables the use of a client-based (JAXP) URI resolver to resolve external URLs.
Parameters
namespace Specifies the name of the default namespace.
Guidelines
The default namespace for parameters introduced with the CLI or WebGUI is:
http://www.datapower.com/param/config
Related Commands
parameter, query-param-namespace
Examples
v Assigns a default namespace for parameters made available to the current XSL Proxy via the command line or WebGUI.
Syntax
monitor-count name
no monitor-count
Parameters
name Specifies the name of the message-count monitor assigned to the XSL Proxy.
Guidelines
After completing the configuration of a message-count monitor, you activate the monitor by assigning it to an XML Firewall or XSL Proxy. Use the no monitor-count command to remove the message-count monitor assignment from the XSL Proxy.
Examples
v Assigns the RateLimit1 duration monitor to the current XSL Proxy.
# monitor-duration RateLimit1
v Removes the assignment of the RateLimit1 duration monitor.
# no monitor-duration RateLimit1
monitor-processing-policy
Sets the behavior when a service has multiple monitors.
Syntax
monitor-processing-policy {terminate-at-first-throttle | terminate-at-first-match}
Parameters
terminate-at-first-throttle (Default) Monitors execute in the order in which they are listed.
xmlns:dpconfig="http://www.datapower.com/param/config"
Use the no parameter command to delete a parameter and its associated value.
Related Commands
default-param-namespace, query-param-namespace
Examples
v Makes a parameter-value pair available to the current XSL Proxy.
# parameter foo BAR
v Makes a single parameter-value pair available to the current XSL Proxy. {http://www.example.com} designates the parameter namespace.
Guidelines
Use the port command to change the port that is assigned with the ip-address command.
Related Commands
ip-address
Examples
v Specifies 10.10.13.35:23000 as the local IP address-port that the current XSL Proxy service monitors.
# xslproxy proxy-1
XSL Proxy Service configuration mode
# ip-address 10.10.13.35
# port 23000
query-param-namespace...
remote-address %dynamic%
remote-address %loopback%
remote-address {%proxy% | *}
Parameters
address port Specifies a dotted decimal IP address or host name with the port (in the range 0 to 65535) that identifies a single, specific server address-port pair. Sets the XSL Proxy type to static backend, which means that the XSL Proxy supports the single, specified server.
Parameters
name Specifies the name of an existing SSL Proxy Profile.
Guidelines
The ssl command assigns an SSL Proxy Profile to an XSL Proxy. In the absence of an assigned SSL Proxy Profile, the XSL Proxy uses nonsecure connections in client and server exchanges.
Examples
v Assigns the WebQuery Stylesheet Policy to the current XSL Proxy.
# stylesheet-policy WebQuery
type
Specifies the XSL Proxy type.
Syntax
type {loopback-proxy | static-backend | strict-proxy}
Parameters
loopback-proxy Sets the XSL Proxy type to loopback.
static-backend (Default) Sets the XSL Proxy type to static backend. The address of the target server is identified with the remote-address command.
urlrewrite-policy
Assigns a URL Rewrite Policy.
Syntax
urlrewrite-policy name
Parameters
name Specifies the name of the URL Rewrite Policy to assign.
Guidelines
You need not specify a URL Rewrite Policy when configuring an XSL Proxy.
Related Commands
ssl, stylesheet-policy, xml-manager
Examples
v Assigns the Rw1 URL Rewrite Policy to the current XSL Proxy.
Guidelines
The host command identifies the NSS server by domain name or IP address. In conjunction with the port command, it identifies the host and listening port of the NSS server. The NSS server must have the XMLAppliance discipline support enabled.
Related Commands
port
Examples...
# zos-nss nssClient1
New zOS NSS Client configuration
# user-name testUser
# password pword
port
Identifies the listening port on the NSS server.
Syntax
port port
Parameters
port Specifies a destination port on the NSS server.
Guidelines
The port command is used in conjunction with the host command to identify the listening port on the specified NSS server.
Syntax
system-name string
Parameters
string Specifies a name for the NSS client. Minimum length is 1. Maximum length is 8. Valid characters are:
v a through z
v A through Z
v 0 through 9
v _ (underscore)
v - (dash)
Embedded spaces are invalid.
Related Commands
password
Examples
v Sets the user name to testUser with the password pword as the credentials to authenticate on the NSS server.
# zos-nss nssClient1
New zOS NSS Client configuration
# user-name testUser
# password pword
Chapter 113. z/OS NSS Client configuration mode...
Syntax
show audit-log [-np]
show audit-log [-np] user
show audit-log [-np] date
show audit-log [-np] time
show audit-log [-np] address
Parameters
-np Indicates no pagination.
user Sorts the events in the audit log alphabetically by user name.
address Sorts the events in the audit log numerically by IP address.
date Sorts the events in the audit log numerically by date.
date start [end] Displays events in the audit log from the specified start date to the optional end date. Without an end date, displays events to the most recent date.
time start [end] Displays events in the audit log from the specified start time to the optional end time.
show compact-flash (Type 9235)
Displays the configuration of the compact flash.
Syntax
show compact-flash cf0
Context
Available only on Type 9235 appliances with the compact flash as auxiliary storage.
show conformancepolicy
Displays configuration settings for Conformance Policy objects.
Syntax
show conformancepolicy [name]
Context
Available in Global configuration mode only.
Related Commands
ip default-gateway
Context
Available in Interface configuration mode only.
show deployment-policy
Displays configuration settings for Deployment Policy objects.
Syntax
show deployment-policy [name]
Context
Available in Global configuration mode only.
show documentcache
Displays the current size of the document cache and the number of documents cached.
Diagnostics Indicates that diagnostic tracing is enabled. Diagnostic tracing applies to all domains.
Note: The only time that tracing should be enabled is at the explicit direction of IBM Support.
show file
Displays a specified printable file.
Syntax
show file URL
Parameters
URL Identifies the URL of the file to display.
Related Commands
show firmware-version

show firmware-version
Displays the current firmware version, without image type and installation date.

Syntax
show firmware-version

Guidelines
The show firmware-version command provides information about the current firmware version. This command provides the same details as the show version command, but it does not provide the versions of the licenses that are available with the show library-version command.
Guidelines
The show interface command displays the following information:
- The IP address for the interface
- Statistics about received transactions:
  - Number of kilobytes/second
  - Number of packets
  - Number of aggregated errors
- Statistics about transmitted transactions:
  - Number of kilobytes/second
  - ...
Parameters
address
    Displays the primary and standby addresses, if any, that are assigned to the current interface.
domains
    Displays the IP domain search suffix table.
hosts hostname
    Displays all host-to-IP address mappings, or displays this information about the specified host.
name-servers
    Displays the addresses of the DNS servers.
show license
Displays the installed licenses.

Syntax
show license

Guidelines
The show license command provides information about which of the available licenses are enabled. Some licenses are available because of the type of DataPower appliance, but some licenses must be purchased to be enabled. Licenses cannot be updated.
Related Commands
show logging

show logging
Displays a specified appliance log.

Syntax
show logging log-name [pcre]
show logging archive
show logging category [log-category]
show logging encrypt
show logging event
show logging format
show logging priority
show logging sign
show logging target [target-name]
show logging timestamp
show logging type [log-type]
show logging upload
...
target [target-name]
    Displays summary information about all active log targets, or displays detailed information about the specified log target.
timestamp
    Displays a list of timestamp formats.
type [log-type]
    Displays summary information about all available logging types, or displays detailed information about the specified logging type.
upload
    Displays a list of available upload methods.
Related Commands
matching

show memory
Displays memory usage.

Syntax
show memory

Guidelines
The show memory command displays memory usage. This command is also available from the diag (login) mode.

Output
# show memory
Memory Usage: 10 %
Total Memory: 4149324 kbytes
Used Memory: 433761 kbytes
Free Memory: 3715563 kbytes
Requested Memory: 503216 kbytes
...
show ntp-service
Displays the refresh interval for the current NTP server.

Syntax
show ntp-service

Related Commands
ntp, show ntp-refresh

show password-map
Displays the Password Map.

Syntax
show password-map

Context
Available in Crypto configuration mode only.

Related Commands
password-map

show radius
Displays RADIUS configuration settings.
Context
Available only on Type 9235 appliances with the hard disk array as auxiliary storage.

show raid-volumes (Type 9235)
Displays the status of the disks in the hard disk array.

Syntax
show raid-volumes

Context
Available only on Type 9235 appliances with the hard disk array as auxiliary storage.
Guidelines
The show sensors command has been deprecated. Use one of the following commands:
- show sensors-fans
- show sensors-other
- show sensors-temperature
- show sensors-voltage

show sensors-fans
Displays the values for sensors that read the speed of the fans.

Syntax
show sensors-fans

Guidelines
...
Syntax
show sensors-temperature

Guidelines
The show sensors-temperature command provides values for sensors that read temperatures. These sensors provide the temperature of the air flowing through the system and of key components in the system.

show sensors-voltage
Displays the values for sensors that read voltage.

Syntax
show sensors-voltage

Guidelines
...
In the absence of the optional name argument, the system displays a list of all current command macros.

Related Commands
simple-rate-limiter

show snmp
Displays SNMP configuration data.

Syntax
show snmp

Related Commands
port, show system, version

show standby
Displays failover configuration information.

Syntax
show standby

Related Commands
...
Guidelines
Should the appliance find an error, it displays and logs the following message:
Notice: startup config contains errors.
You can access the startup error log to locate the source in the startup configuration.

Context
Available in Global configuration mode only.

show statistics
Displays information about XSL transformations.
Guidelines
When issued without an argument, displays data for all Processing Policy objects. When issued for a specific Processing Policy, displays data for the specified Stylesheet Policies. For each Processing Policy, the results contain the following details:
- The name of the Processing Policy
- The default style sheet for transforms
- The default style sheet for SOAP filtering
- The match patterns for the Processing Policy
...
within the style sheet, or a corrupted document, possibly caused by transient network conditions at the time the style sheet was accessed)
DUPLICATE
    Usually indicates a temporary style sheet that was generated during a pipeline transformation
PENDING
    Indicates that the style sheet is being retrieved or undergoing compilation

Related Commands
show stylesheet, xsl cache size

show system...
show throughput
Displays interface-specific traffic counts.

Syntax
show throughput

show time
Displays the current date, time, and appliance uptime.

Syntax
show time

Related Commands
clock, show clock

show urlmap
Displays a list of all URL maps (along with the match patterns contained within each map) or displays the contents of a specific URL map.
show usergroups
Displays a list of User Groups and the command suites to which group members are granted access.

Syntax
show usergroups

Related Commands
usergroup

show usernames
Displays a list of all current user accounts with associated access levels.

Syntax
show usernames

Related Commands
show users, username
...
Parameters
name
    Specifies the name of an existing Web Application Firewall.

Guidelines
Firewall names are followed by the associated command or command sequence. In the absence of the optional name argument, the system displays a list of all current command macros.

Related Commands
web-application-firewall

show webapp-error-handling
...
show webapp-request-profile
Displays a list of Web Application Request Profile objects.

Syntax
show webapp-request-profile [name]

Parameters
name
    Specifies the name of an existing Web Application Request Profile.

Guidelines
Profile names are followed by the associated command or command sequence. In the absence of the optional name argument, the system displays a list of all current command macros.
Guidelines
Policy names are followed by the associated command or command sequence. In the absence of the optional name argument, the system displays a list of all current command macros.

Related Commands
webapp-session-management

show wsrr-server
Displays the configuration of WSRR servers.

Syntax
show wsrr-server [name]

Parameters
...
show wsrr-subscription-status
Displays operational details of WSRR subscriptions.

Syntax
show wsrr-subscription-status [name]

Parameters
name
    Specifies the name of the target WSRR Subscription object.

Guidelines
This command provides the following operational details:
Subscription
    The name of the WSRR subscription object that is assigned during the configuration of the subscription.