IBM WebSphere XS40 Command Reference Manual

Manual is about: DataPower XML Security Gateway

Summary of WebSphere XS40

  • Page 1

    WebSphere® DataPower XML Security Gateway XS40 Command Reference, Version 3.7.2.

  • Page 4

    Note: Before using this information and the product it supports, read the information in “Notices and trademarks” on page 1011. First Edition (December 2008). This edition applies to Version 3, Release 7, Modification 2, Level 0 of IBM WebSphere DataPower XML Security Gateway XS40 and to all subsequen...

  • Page 5: Contents

    Contents: Preface, xix; Who should read this document, xix; Publications, xix; Installation and upgrade documentation, xix; Administration documentation, xx; Development documentation, xx; Reference documentat...

  • Page 6

    logging eventfilter, 62; logging object, 63; logging target, 64; loglevel, 64; logsize, 65; matching, 66; memoization, ...

  • Page 7

    wsrr-subscription, 138; wsrr-synchronize, 139; xml parser limits, 139; xml validate, 139; xmlfirewall, 141; xml-manager, 141; xml-mgmt, ...

  • Page 8

    result-is-conformance-report, 205; Chapter 10. CRL configuration mode, 207; bind-dn, 207; bind-pass, 207; fetch-url, 208; issuer, 208; read-dn, 20...

  • Page 9

    result, 291; result-name-pattern, 291; success-delete, 292; success-rename-pattern, 292; target-dir, 292; xml-manager, 293; Chapter 22. FTP quoted commands ...

  • Page 10

    Chapter 32. Interface configuration mode, 351; arp, 351; dhcp, 351; ip address, 352; ip default-gateway, 353; ip route, 353; mac-address...

  • Page 11

    hostmatch (deprecated), 410; httpmatch, 410; match-with-pcre, 411; no match, 411; urlmatch, 411; xpathmatch, 412; Chapter 43. Message count monitor conf...

  • Page 12

    wsrm-destination-inorder, 478; wsrm-destination-maximum-inorder-queue-length, 479; wsrm-destination-maximum-sequences, 479; wsrm-request-force, 480; wsrm-response-force, 480; wsrm-sequence-expiration, 480; wsrm-source-back...

  • Page 13

    iterator-expression, 533; iterator-type, 534; log-level, 534; log-type, 535; loop-action, 535; multiple-outputs, 536; output, ...

  • Page 14

    pwd-history, 607; pwd-max-age, 608; pwd-max-history, 608; pwd-minimum-length, 609; pwd-mixed-case, 609; pwd-nonalphanumeric, 610; pwd-username, 6...

  • Page 15

    tfim-issuer, 666; tfim-operation, 666; tfim-pathaddr, 667; tfim-port, 668; tfim-porttype, 668; tfim-schema-validate, 669; tfim-sslproxy, ...

  • Page 16

    dhcp, 731; identifier, 732; interface, 732; ip address, 733; ip default-gateway, 734; ip route, 734; ip secondary-address, ...

  • Page 17

    autocreate-sources, 784; back-attachment-format, 785; back-persistent-timeout, 785; back-timeout, 786; backend-url, 786; backside-port-rewrite, 787; chunked-uploads, ...

  • Page 18

    operation, 852; transport, 853; wsdl, 853; Chapter 101. WS-Proxy endpoint rewrite configuration mode, 855; backend-rule, 855; listener-rule, 856; publisher-...

  • Page 19

    loadbalancer-group, 921; schedule-rule, 921; user-agent, 922; Chapter 109. XML parser limits configuration mode, 923; attribute-count, 923; bytes-scanned, 923; elemen...

  • Page 20

    show stylesheet, 968; show stylesheets, 968; show system, 969; show tcp, 969; show throttle, 969; show throughput, 970; show time, ...

  • Page 21: Preface

    Preface. IBM® WebSphere® DataPower® SOA Appliances are purpose-built, easy-to-deploy network appliances that simplify, help secure, and accelerate your XML and Web services deployments while extending your SOA infrastructure. These appliances offer an innovative, pragmatic approach to harness the ...

  • Page 22

    Administration documentation: IBM WebSphere DataPower SOA Appliances: Appliance Overview provides an introduction and understanding of the IBM WebSphere DataPower SOA Appliances. IBM WebSphere DataPower SOA Appliances: Administrators Guide provides instructions for using the DataPower GUI for man...

  • Page 23

    IBM WebSphere DataPower SOA Appliances: Extension Elements and Functions Catalog provides programming information about the usage of DataPower XSLT extension elements and extension functions. Integration documentation: The following documents are available for managing the integration of related pr...

  • Page 25

    other domains. When viewed from other domains, the directory name changes from local: to the name of the application domain. logstore: This directory contains log files that are stored for future reference. Typically, the logging targets use the logtemp: directory for active logs. You can move log f...

  • Page 26

    schemas: This subdirectory contains schemas that are used by DataPower services. dp: This encrypted subdirectory contains files that are used by the appliance itself. This subdirectory is available from the command line only. pubcerts: This encrypted subdirectory contains files that are used by the app...

  • Page 27

    Chapter 1. Initial login and common commands. This chapter provides an alphabetic listing of the commands that are available before entering a specific configuration mode (available at initial login) and commands that are available in most, if not all, configuration modes. Initial login commands for ...

  • Page 28

    Table 2. Commands by type of user that are available after initial login (continued)

        Command              Admin user   Privileged-type user   User-type user
        clock                yes          yes                    no
        configure terminal   yes          yes                    no
        disable              yes          yes                    no
        disconnect           yes          yes                    no
        echo                 yes          yes                    yes
        enable               no           no                     yes
        exec                 yes          yes                    no
        exit                 yes          yes                    yes
        help                 ...

  • Page 29

    Table 3. Common configuration commands and their general purpose (continued). Columns: Command, Purpose. Footnote 1: The command is also available after initial login, which is before you explicitly enter a configuration mode. To determine whether these commands are available to a specific user-type class after an initi...

  • Page 30

    Guidelines: Also available in global configuration mode. If creating a macro that uses multiple commands, you can either surround the string in quotes and separate commands with a semicolon, for example: alias eth0 "configure terminal; interface ethernet 0", or separate commands with an escaped semic...

  • Page 31

    Syntax: cancel. Guidelines: The cancel command cancels all configuration changes to the current object and returns to the parent configuration mode. This command is available in all configuration modes except interface configuration mode. Related commands: exit, reset. Examples: cancels the current configu...

  • Page 32

    configure terminal: enters global configuration mode. Syntax: configure terminal. Guidelines: You use global configuration mode to create system-wide resources that are available to various system services, to configure global behaviors, and to enter specialized configuration modes. Related commands: disa...

  • Page 33

    disconnect: closes a user session. Syntax: disconnect session. Parameters: session specifies the session ID. Guidelines: The disconnect command closes a user session. Use the show users command to display the list of active user sessions. Related commands: show users. Examples: closes the session that is ...

  • Page 34

    Related commands: disable, exit. Examples: exits user mode and enters privileged mode: > enable  username: admin  password: ********  #. exec: calls and runs a target configuration script. Syntax: exec url. Parameters: url identifies the location of the configuration file. If the file resides on the appli...

  • Page 35

    exit: applies changes to the current object and returns to the parent configuration mode. Syntax: exit. Guidelines: The exit command applies all changes made to the object to the running configuration. To save these changes to the startup configuration, use the write mem command. When issued from user m...

  • Page 36

    Displays help for the shutdown command: # ? shutdown. login: logs in to the appliance as a specific user. Syntax: login. Guidelines: After entering the login command, the CLI prompts for a username and password. User accounts log in to user mode, while admin, privileged accounts, and group-specific acc...

  • Page 37

    Use the ntp command to identify the NTP (Network Time Protocol) server. After identifying an NTP server, the appliance functions as a Simple Network Time Protocol (SNTP) client as described in RFC 2030. Note: From the CLI, the appliance supports the configuration of only one NTP server. Although the...

  • Page 38

    Examples: pings ragnarok: # ping ragnarok. Pings 192.168.77.144: # ping 192.168.77.144. reset: restores default values. Syntax: reset. Guidelines: The reset command sets mode-specific properties to their default values. Properties that lack default values are unchanged. Default values assigned by the ...

  • Page 39

    shutdown: restarts or shuts down the appliance. Syntax: shutdown reboot [seconds]; shutdown reload [seconds]; shutdown halt [seconds]. Parameters: reboot shuts down and restarts the appliance; reload restarts the appliance; halt shuts down the appliance; seconds specifies the number of seconds before the ...

  • Page 40

    Syntax: summary string. Parameters: string specifies descriptive text for the object. Guidelines: The summary command specifies a brief, object-specific comment. If the comment contains spaces, enclose the comment in double quotation marks. Examples: adds an object-specific comment: # summary "amended ...

  • Page 41

    Parameters: url specifies the fully qualified location of the interactive command line script. Guidelines: Also available in global configuration mode. The template command specifies the URL of the interactive command line script. The script is an XML file that can be local or remote to the DataPower ...

  • Page 42

    test tcp-connection: tests the TCP connection to a remote appliance. Syntax: test tcp-connection host port [timeout]. Parameters: host specifies the target host; use either the IP address or host name. port specifies the target port. timeout specifies an optional timeout value, the number of seconds tha...

  • Page 43

    Examples: returns the user, either the admin account or a privileged account, to privileged mode, the user-specific login mode: (config crypto-val-credentials)# top  #. traceroute: traces the network path to a target host. Syntax: traceroute host. Parameters: host specifies the target host as either the ...

  • Page 45

    Chapter 2. Global configuration mode. You use global configuration mode to create system-wide resources that are available to various system services, to configure global behaviors, and to enter specialized configuration modes. This chapter provides an alphabetic listing of commands that are availabl...

  • Page 46

    Parameters: lockout-duration minutes specifies the number of minutes to lock out an account after exceeding the maximum number of failed login attempts. A value of 0 indicates that accounts are locked out until reset by a privileged administrator. Use an integer in the range of 0 through 1000. The de...

  • Page 47

    Examples: enables lockout behavior so that on the fifth login failure the account is locked out until reset by a privileged administrator: # account lockout-duration 0  # account max-login-failure 4. Disables lockout behavior: # account max-login-failure 0. acl: enters access co...

  • Page 48

    list. A candidate address is denied or granted access to the service provider in accordance with the first matching clause. Consequently, the order of clauses is important in an access control list. Use the no acl command to delete a named ACL. Use the exit command to exit access control list config...

  • Page 49

    Related commands: cancel, exit, show action. alias: creates a command macro. Syntax: alias aliasname commandstring; no alias aliasname. Parameters: aliasname specifies the name of the command macro. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on p...

  • Page 50

    Creates the back2 alias that moves back two configuration modes. If invoked while in validation credentials configuration mode, moves to global configuration mode: # alias back2 "exit; exit"  alias update successful  #. Creates the proxys alias that displays information about XSL proxy objects: # a...

  • Page 51

    audit delete-backup (Common Criteria): deletes the archived version of the audit log. Syntax: audit delete-backup. Context: Available only when the appliance is in Common Criteria mode. Guidelines: The audit delete-backup command deletes the audit:///audit-log.1 file. This file is the archived version of...

  • Page 52

    Parameters: kilobytes specifies the amount of disk space in kilobytes to reserve for the audit log. The reserve space must be at least four kilobytes less than the total amount of free space that is currently available on the file system. Use an integer in the range of 0 through 10000. The default is...

  • Page 53

    stream compiles the schema in streaming mode. If in doubt about whether the target schema lends itself to streaming, retain the default value of general. Related commands: cache stylesheet, cache wsdl. Examples: compiles the schema in streaming mode and adds the schema to the schema cache that is mai...

  • Page 54

    Syntax: cache wsdl xmlmgrname wsdlurl. Parameters: xmlmgrname specifies the name of an XML manager; wsdlurl specifies a URL of the schema to cache. Related commands: cache schema, cache stylesheet. Examples: compiles and adds the specified WSDL to the WSDL cache of the mgr1 XML manager: # cache wsdl mgr...

  • Page 55

    Guidelines: Also available in interface configuration mode. Related commands: arp, show netarp. Examples: clears the ARP table: # clear arp  #. clear dns-cache: clears the DNS cache. Syntax: clear dns-cache. Examples: clears the DNS cache: # clear dns-cache  cleared dns cache  #. clear pdp cache: clears all ...

  • Page 56

    is associated with the AAA policy with the clear xsl cache command. This command clears the compiled XACML policies in the XML manager that is referenced by the AAA policy. Use a URL refresh policy: You can use a URL refresh policy whose match conditions match the internal URL xacmlpolicy:///pdpname ...

  • Page 57

    Examples: clears the stylesheet cache of the mgr1 XML manager: # clear xsl cache mgr1  cleared cache of xmlmgr mgr1  #. cli remote open: establishes a TCP/IP connection to a specific remote host. Syntax: cli remote open address port. Parameters: address specifies the IP address of the remote host; port id...

  • Page 58

    Parameters: name specifies the name of the Telnet service. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. telnetserverip specifies the IP address (either primary or secondary) of a DataPower Ethernet interface. In conjunction with ...

  • Page 59

    Deletes the support Telnet service: # no cli telnet support  deleted cli telnet handler  #. compact-flash (Type 9235): enters compact flash configuration mode. Syntax: compact-flash name. Parameters: name specifies the name of the existing compact flash volume. For appliances that have a compact flash fo...

  • Page 60

    Syntax: compact-flash-repair-filesystem name. Parameters: name specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0. Guidelines: The compact-flash-repair-filesystem command repairs the file system on the compact fla...

  • Page 61

    conformancepolicy: enters conformance policy configuration mode. Syntax: conformancepolicy name; no conformancepolicy name. Parameters: name specifies the name of the conformance policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. G...

  • Page 62

    Parameters: -f overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file will result in a prompt that requests confirmation to overwrite the existing file. source and destination specifies the...

  • Page 63

    Related commands: delete, dir, move, send file (global). Examples: uses HTTP to copy a file from the specified URL to the image: directory: # copy http://host/image.crypt image:///image.crypt  file copy successful (1534897 bytes transferred)  #. Uses HTTP over SSL to copy a file from the specified ur...

  • Page 64

    Parameters: create-copy. The Tivoli® Access Manager key database and key stash files are placed in the cert: directory when created. This directory does not allow files to be moved out of it. By selecting to create copies of the created files, a copy of the key database and stash files will be placed...

  • Page 65

    ldap-auth-timeout specifies the timeout, in seconds, that is allowed for LDAP authentication operations. There is no range limit. The default is 30. ldap-search-timeout specifies the timeout, in seconds, that is allowed for LDAP search operations. There is no range limit. The default is 30. use-ldap...

  • Page 66

    Related commands: exit. delete: deletes a file from the DataPower appliance. Syntax: delete url. Parameters: url specifies a URL of the file to delete. This argument takes the directory:///filename form, where directory specifies a directory on the appliance. Refer to “Directories on the appliance” on pag...

  • Page 67

    The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: Use the deployment-policy command to enter deployment policy configuration mode to create or edit a deployment policy. Use the cancel or exit command to exit deployment pol...

  • Page 68

    disable: enters user mode. Syntax: disable. Guidelines: Use the disable command to exit global configuration mode and enter user mode. Use the exit command to exit global configuration mode and enter privileged mode. Also available in privileged mode. Related commands: enable, exit. Examples: exits glob...

  • Page 69

    # no dns  #. document-crypto-map: enters document crypto map configuration mode. Syntax: document-crypto-map name; no document-crypto-map name. Parameters: name specifies the name of the document crypto map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventio...

  • Page 70

    Related commands: exit. domain: enters application domain configuration mode. Syntax: domain name; no domain name. Parameters: name specifies the name of the application domain. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: T...

  • Page 72

    Disables the file capture trace utility, which restores the default state: # file-capture off  file nature mode set to off  #. flash: enters flash configuration mode. Syntax: flash. Guidelines: Use the exit command to exit flash configuration mode and enter global configuration mode. Related commands: exi...

  • Page 73

    Parameters: alias specifies the alias to assign to the specified IP address. Guidelines: Use the no host-alias command to remove an alias map. Related commands: cancel, exit. httpserv: enters HTTP server configuration mode. Syntax: httpserv name; httpserv name address port; no httpserv name. Parameters: name...

  • Page 74

    If you wish to restrict access to an HTTP server, you can compile an ACL using the acl, allow, and deny commands. Use the no httpserv command to delete an HTTP server. Use the exit command to exit HTTP server configuration mode and return to global configuration mode. Related commands: acl, exit, sh...

  • Page 75

    Syntax: import-package name; no import-package name. Parameters: name specifies the name of the import configuration file object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: The import-package command enters import confi...

  • Page 76

    Related commands: exec. Examples: enters include configuration configuration mode to create the standardserviceproxies include configuration: # include-config standardserviceproxies  include configuration configuration mode  #. Deletes the standardserviceproxies include configuration: # no include s...

  • Page 77

    Note: To disable an Ethernet interface, use the admin-state command in interface configuration mode. Use the exit command to exit interface configuration mode and enter global configuration mode. Related commands: admin-state (interface), exit, show interface. Examples: enters interface configuration...

  • Page 78

    Examples: adds the datapower.com, somewhereelse.com, and endoftheearth.com IP domains to the IP domain table. The appliance attempts to resolve the host name loki in the following ways: loki.datapower.com, loki.somewhereelse.com, loki.endoftheearth.com. # ip domain datapower.com  # ip domain somewhereelse....

  • Page 79

    # no ip host *  #. ip name-server: identifies a local DNS provider. Syntax: ip name-server address [udpportnumber] [tcpportnumber] [flags] [max-retries]; no ip name-server address; no ip name-server *. Parameters: address specifies the IP address of the DNS server. udpportnumber optionally identifies the U...

  • Page 80

    iscsi-chap (Type 9235): enters iSCSI CHAP configuration mode. Syntax: iscsi-chap name; no iscsi-chap name. Parameters: name specifies the name of the iSCSI CHAP. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: The iscsi-chap...

  • Page 81

    Related commands: admin-state (iSCSI volume). Examples: disables, initializes, and re-enables the georgia iSCSI volume: # iscsi-volume georgia  modify iscsi volume configuration  # admin-state disabled  # exit  # iscsi-fs-init georgia  iscsi filesystem georgia initialized  # iscsi-volume georgia  modify isc...

  • Page 83

    Syntax: iscsi-volume name; no iscsi-volume name. Parameters: name specifies the name of the iSCSI volume to configure. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: The iscsi-volume command enters iSCSI volume configuratio...

  • Page 85

    Examples: adds ragnarok.datapower.com by host name as an SSH known host: # known-host ragnarok.datapower.com ssh-rsa aaaab3nzac1yc2eaaaabiwaaaiea1j/99rrvdzmvvkakvcg2a+pecm25 p8ojl87sa6mtfxuda2me6n3lcxeakpq8kftppbbxt+ydknfr9gnhifrl udho1han/a0gesvrndy5wkrtcrhrqdc/x0bupzbsemxi0lud5pl7+bxq vppbyvujohi...

  • Page 86

    Syntax: load-interval measurement-interval. Parameters: measurement-interval specifies the measurement interval in milliseconds. Use an integer in the range of 500 through 5000. The default is 1000. Guidelines: The load-interval command specifies the duration of a measurement interval. During this inter...

  • Page 87

    Parameters: name specifies the name of the existing log to which an event class will be added. category specifies the name of an event class to add. priority identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the f...

  • Page 88

    Parameters: target specifies the name of an existing log target. event-code specifies the hexadecimal value of the event code. Guidelines: The logging eventcode command adds an event code to the subscription list for the specified log target. This command is equivalent to using the event-code command...

  • Page 89

    logging object: adds an object filter to a specific log. Syntax: logging object name object class; no logging object name object class. Parameters: name specifies the name of the existing log to which to add an object filter. object identifies the object type. class identifies a specific instance of the ...

  • Page 90

    Examples: adds an object filter to the alarms log. This log will record only events that are issued by the proxy-1 XSL proxy. Event priority uses the existing configuration of the alarms log: # logging object alarms xslproxyservice proxy-1  #. Deletes an object filter from the alarms log. This log ...

  • Page 91

    critic or 2; error or 3; warn or 4; notice or 5; info or 6; debug or 7. Guidelines: The loglevel command determines which system-generated events to log to the basic event log. The log priority also functions as a filter and determines which events to forward to a remote syslog daemon. In contras...

  • Page 92

    Syntax: logsize size. Parameters: size specifies the size of the log in lines. The default is 200. Guidelines: In the absence of an argument, logsize displays the size of the log file in lines. Note: The loglevel, logsize, and syslog commands provide the ability to configure a rudimentary basic logging ...

  • Page 93

    implementation of processing policy objects. A processing policy uses matching rule objects to determine whether a candidate XML document is subject to specific processing instructions in the policy. Refer to Appendix B, “Processing policy procedures,” on page 999 for procedural details about the cr...

  • Page 94

    message-matching: enters message matching configuration mode. Syntax: message-matching name; no message-matching name. Parameters: name specifies the name of the traffic-flow definition. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. G...

  • Page 95

    Use the cancel or exit command to leave message type configuration mode and enter global configuration mode. Use the no message-type command to delete a message class. Related commands: cancel, exit. metadata: enters processing metadata configuration mode. Syntax: metadata name; no metadata name. Paramet...

  • Page 96

    Use the rmdir command to delete subdirectories. Related commands: rmdir. Examples: creates the stylesheets subdirectory of the local: directory: # mkdir local:///stylesheets  directory 'local:///stylesheets' successfully created.  #. Creates the c-1 subdirectory in the stylesheets subdirectory of the ...

  • Page 97

    Parameters: name specifies the name of the monitor. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: A monitor count is an incremental, or counter-based, monitor that consists of a target message class, a configured thresh...

  • Page 98

    Syntax: move [-f] source-url destination-url. Parameters: -f overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests confirmation to overwrite the existing fi...

  • Page 99

    Guidelines: Use the no mpgw command to delete a multi-protocol gateway. Related commands: cancel, exit. mtom: enters MTOM policy configuration mode. Syntax: mtom name; no mtom name. Parameters: name specifies the name of the MTOM policy. The name can contain a maximum of 128 characters. For restrictions, r...

  • Page 100

    You can also control routing behavior, interface isolation, and ECN settings. Use the cancel or exit command to leave network settings configuration mode and enter global configuration mode. Use the no network command to reset network settings to their defaults. Related commands: cancel, exit. nfs-cli...

  • Page 101

    Related commands: cancel, exit. nfs-static-mount: enters NFS static mounts configuration mode. Syntax: nfs-static-mount name; no nfs-static-mount name. Parameters: name specifies the name of the NFS static mount object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object n...

  • Page 102

    The appliance supports one NTP server at a time. To designate a new NTP server, use the no ntp command to delete the current server, and then use the ntp command to designate the new server. Also available in privileged mode. Related commands: clock, ntp-service, show ntp time. Examples: identifies ...

  • Page 103

    Parameters: name specifies the name of the peer group. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: While in peer group configuration mode, you identify members of an SLM monitoring peer group. Group members run identi...

  • Page 104

    Parameters: name specifies the name of the object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines: Use the cancel or exit command to exit policy parameters configuration mode and return to global configuration mode. Use t...

  • Page 105

    Examples: activates the RAID volume in the disks as the active RAID volume: # raid-activate raid0. raid-delete (Type 9235): deletes an array volume. Syntax: raid-delete name. Parameters: name specifies the name of the existing hard disk array volume. For appliances that have a hard disk array for auxili...

  • Page 106

    Parameters: name specifies the name of the existing hard disk array volume. For appliances that have a hard disk array for auxiliary data storage, the name is raid0. Guidelines: The raid-rebuild command forces a rebuild of a hard disk array volume. The contents of the primary disk in the array volume ...

  • Page 107

    Guidelines: The raid-volume-initialize-filesystem command initializes the file system on the hard disk array to allow it to be made active. This action destroys the existing contents of the hard disk array. Examples: makes a new file system on the raid0 hard disk array volume: # raid-volume-initializ...

  • Page 109

    Syntax: remove chkpoint name. Parameters: name specifies the name of the checkpoint configuration file. Guidelines: the remove chkpoint command deletes the named checkpoint configuration file from the domain-specific chkpoint: directory. The command is equivalent to using the delete command to remove th...

  • Page 110

    • The reset domain command deletes all configured objects in the domain but retains the configuration of the domain and all files in the local: directory. • The no domain command deletes all configured objects in the domain, deletes all files in the domain, and deletes the configuration of the domai...

  • Page 111

    • not be one of the past five passwords. Examples: • re-enables the suehill account by changing the password for the account (without the administrator specifying the password). # configure terminal (config)# reset username suehill enter new password: ******** re-enter new password: ******** password ...

  • Page 112

    Syntax: rmdir local:///subdirectory. Parameters: local:///subdirectory is the subdirectory to remove from the local: directory. Guidelines: the rmdir command removes subdirectories from the local: directory. Related commands: mkdir. Examples: • deletes the stylesheets subdirectory and all its contents from ...

  • Page 114

    Related commands: cancel, exit, match, matching, response-rule, request-rule, rule (stylesheet policy), show rule, stylepolicy. Examples: • creates the star matching rule to use for matching all URLs. # matching star matching rule configuration mode # urlmatch * # exit • creates the valclientserver g...

  • Page 115

    Related commands: backup, maxchkpoints (application domain), remove chkpoint, rollback chkpoint, show chkpoints, write memory. Examples: • creates the foo checkpoint configuration file. # save chkpoint foo save configuration checkpoint foo scheduled (may take a few minutes to complete) # save error-r...

  • Page 116

    Guidelines: the save internal-state command writes the internal state to the temporary:///internal-state.txt file. Examples: • saves the internal state of the appliance. # save internal-state internal state written to temporary:///internal-state.txt # save-config overwrite specifies system behavior aft...

  • Page 117

    Parameters: name specifies the name of the schema exception map. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: use the cancel or exit command to exit schema exception map configuration mode and return to global configura...

  • Page 118

    • enables the search results algorithm for the mgr1 XML manager, which restores the default condition. # search results mgr1 configuration successfully updated # send error-report sends an error report as e-mail. Syntax: send error-report mail-server subject email-address [email-address ...]. Paramete...

  • Page 119

    Parameters: url identifies the target file and takes one of the following forms: • audit:///filename • pubcert:///filename • config:///filename • store:///filename • image:///filename • tasktemplates:///filename • logstore:///filename • temporary:///filename • logtemp:///filename. mail-server identifi...

  • Page 120

    Guidelines: the service nagle command enables or disables the Nagle slow packet avoidance algorithm. By default, the algorithm is enabled. Examples: • disables the Nagle algorithm. # service nagle disabled service nagle algorithm. • enables the Nagle algorithm. # service nagle enabled service nagle al...

  • Page 121

    var://system specifies the required prefix that identifies a global variable. contextname specifies the required name of the context within which the global variable resides. value specifies the value to assign. Guidelines: the set-system-var command creates a new system variable that actions or styl...

  • Page 122

    slm-action enters SLM action configuration mode. Syntax: slm-action name; no slm-action name. Parameters: name specifies the name of the SLM action. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: in SLM (service level monit...

  • Page 123

    slm-policy enters SLM policy configuration mode. Syntax: slm-policy name; no slm-policy name. Parameters: name specifies the name of the SLM policy. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: in SLM policy configuration...

  • Page 124

    Syntax: slm-sched name; no slm-sched name. Parameters: name specifies the name of the SLM schedule. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: in SLM schedule configuration mode, define an SLM schedule by specifying the...

  • Page 125

    soap-disposition enters SOAP header disposition table configuration mode. Syntax: soap-disposition name; no soap-disposition name. Parameters: name specifies the name of the disposition table. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page ...

  • Page 126

    Related commands: cancel, exit. source-ftp-server enters FTP server front side handler configuration mode. Syntax: source-ftp-server handler; no source-ftp-server handler. Parameters: handler specifies the name of the FTP server front side handler object. The name can contain a maximum of 128 characters....

  • Page 127

    Syntax: source-https handler; no source-https handler. Parameters: handler specifies the name of the secure HTTP front side handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: use the no source-https command to d...

  • Page 128

    Parameters: handler specifies the name of the stateless raw XML handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: use the no source-raw command to delete a stateless raw XML handler object. Related commands: ...

  • Page 129

    Guidelines: SSH is disabled by default. You can use the optional arguments to explicitly bind SSH to a specified interface. If you explicitly bind SSH to an interface, you must have previously configured that interface. In the absence of an explicit address assignment, SSH first attempts to bind to t...

  • Page 130

    local-port identifies the local port. Use an integer in the range of 0 through 65535. In conjunction with the IP address, identifies the IP addresses and ports that the SSL proxy service monitors. remote-address specifies the IP address of the remote SSL peer. In conjunction with the remote port num...

  • Page 131

    # event cli error # exit logging configuration successful # • deletes the syslog-ng-stunnel SSL proxy service. # no sslforwarder syslog-ng-stunnel sslforwarder syslog-ng-stunnel - configuration deleted. # sslproxy creates an SSL proxy profile that defines an SSL service type. Syntax: create an SSL pr...

  • Page 132

    (or functions in both directions). In two-way mode, SSL is used over both the appliance-to-server connection and over the appliance-to-client connection. Two-way mode requires both a client and server cryptographic profile. server-profile when the operational mode is either client or two-way, identi...

  • Page 133

    Use the no sslproxy command to delete an SSL proxy profile. Related commands: profile (crypto). Examples: • creates the ssl-1 server SSL proxy profile using the low crypto profile on the appliance-to-client connections. Default values are used for the other properties. # sslproxy ssl-1 server low • cre...

  • Page 134

    SSL connection completed. The trace is not specific to a port, but rather to an SSL proxy profile. Consequently, the traced object is the first connection using the target SSL proxy profile. Keep in mind that a single SSL proxy profile can be used by multiple DataPower services. If the target SSL pro...

  • Page 135

    Related commands: show startup-config (global), show startup-errors (global). Examples: • starts the installation wizard. # startup # statistics initiates statistical data collection. Syntax: statistics; no statistics. Guidelines: statistical data collection is disabled by default. Statistical display (wit...

  • Page 136

    xsldefault url identifies a default XSL style sheet used for document transformation. This default style sheet performs transformation only if a candidate XML document fails to match any of the processing rules defined within the named processing policy, and if the candidate document does not contai...

  • Page 137

    match defines a shell-style match pattern that defines the style sheets to delete. You can use wildcards to define a match pattern as follows: * the string wildcard matches 0 or more occurrences of any character. ? the single character wildcard matches one occurrence of any single character. [] the ...

  • Page 138

    syslog designates where to forward log messages. Syntax: syslog address log-level. Parameters: address specifies the IP address of the target workstation. log-level specifies the type of messages to forward to the target workstation. The log level can be a keyword or an integer. • emerg or 0 • alert or...

  • Page 139

    Related commands: loglevel. Examples: • identifies appliance 10.10.100.17 as the recipient of emergency events only. # syslog 10.10.100.17 0 # • identifies appliance 10.10.100.17 as the recipient of emergency events only. # syslog 10.10.100.17 emerg # • identifies appliance 10.10.100.17 as the recipien...

  • Page 140

    Although native TAM supports both local and remote clients, the appliance supports only remote client operations. The TAM configuration supports only one policy server, and supports only LDAP directories. Although the configuration files allow the specification of URAF (User Registry Adapter Framewo...

  • Page 141

    high receives above normal priority. Guidelines: the TCP proxy service terminates the inbound TCP connection, and initiates an outbound TCP connection to the destination address. Use the no tcpproxy command to delete a TCP proxy. Examples: • creates a forwardhttp TCP proxy that redirects incoming traf...

  • Page 142

    test hardware tests the hardware. Syntax: test hardware. Guidelines: the test hardware command tests the hardware. Depending on the state of the hardware, the command produces output that states the status for each component: • success • warning • failure. The components are broken down into the followi...

  • Page 143

    Parameters: category specifies the name of an existing log category. priority identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order: • emerg (emergency) • alert (alert) • cri...

  • Page 144

    Guidelines: the test schema command tests the conformity of an XML file against an XSD schema file. Examples: • tests conformity of the xyzbanner.xml XML file against the dp-user-interface.xsd schema. # test schema store:///xyzbanner.xml store:///schemas/dp-user-interface.xsd performing validation of...

  • Page 145

    # test urlmap urlmap-1 https://www.company.com/xml/stylesheets/style1.xsl match # test urlmap urlmap-1 https://www.distributer.com/renditions/xml2html.xsl match # test tcp-connection tests the TCP connection to a remote appliance. Syntax: test tcp-connection host port [timeout]. Parameters: host specif...

  • Page 146

    Refer to Appendix C, “stylesheet refresh policy configuration,” on page 1005 for procedural details regarding the creation and implementation of URL maps and stylesheet refresh policies. Related commands: interval urlmap, match, test urlmap, urlmap, urlrefresh, xslrefresh. Examples: • tests two candid...

  • Page 147

    Examples: • enter the URL rewrite policy configuration mode to create the rw-1 URL rewrite policy. Adds a rule to the URL rewrite policy. Applies the changes and returns to global configuration mode. # urlrewrite rw-1 url rewrite policy configuration mode # rewrite (.*)xsl=(.*)\?(.*) $1xsl=ident.xsl?...

  • Page 148

    Parameters: throttle-threshold specifies the free memory threshold (expressed as a percentage of total memory) at which the appliance starts to implement a memory conservation algorithm. Use an integer in the range of 1 through 100. The default is 20. kill-threshold specifies the free memory threshol...

  • Page 149

    # throttle 20 5 30 # • disables throttling. # no throttle # • disables throttling. # throttle 0 0 0 # timezone enters timezone configuration mode. Syntax: timezone. Guidelines: while in timezone configuration mode, you configure the time zone settings for the appliance. The time zone alters the display...

  • Page 150

    Parameters: name specifies the name of the UDDI registry object. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: in UDDI (Universal Description, Discovery and Integration) registry configuration mode, you configure a UDDI ...

  • Page 151

    Syntax: undo object-type name. Parameters: object-type specifies the type of object. For a complete list of object types, use the show command. name specifies the name of the object. Guidelines: the undo command reverts a modified object to its last persisted state. The persisted state is the configurati...

  • Page 152

    Syntax: urlmap name. Parameters: name specifies the name of the URL map. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: URL maps are used in the implementation of stylesheet refresh policies that enable the periodic update...

  • Page 153

    Related commands: cancel, exit, refresh stylesheet. urlrewrite enters URL rewrite policy configuration mode. Syntax: urlrewrite name; no urlrewrite name. Parameters: name specifies the name of the URL rewrite policy. The name can contain a maximum of 128 characters. For restrictions, refer to “object nam...

  • Page 154

    Guidelines: the user command is available in global configuration mode. The user command enters user configuration mode. While in user configuration mode, you can create or modify user objects. To exit the configuration mode and not apply the changes, use the cancel command. To apply the changes and ...

  • Page 155

    Parameters: account identifies the target user account. Examples: • forces password change for the josephb account on the next login. # user-expire-password josephb expire password for user 'josephb' succeeded # user-password changes the password of the current user. Syntax: user-password. Examples: • en...

  • Page 156

    Syntax: enter the configuration mode to create or modify VLAN objects: vlan-sub-interface name; delete VLAN objects: no vlan-sub-interface name; disable VLAN objects: disable vlan-sub-interface name. Note: the admin state of Ethernet interfaces can be set from enabled to disabled while Ethernet cables are ...

  • Page 157

    Guidelines: the watchdog command sets watchdog timeout values. Watchdog timer values are set to default values. These default values should rarely, if ever, require a change. Before changing these values, contact DataPower customer support. web-application-firewall enters web application firewall configurati...

  • Page 158

    on timeout sets the idle-session logout timer in seconds. Use an integer in the range of 0 to 65535. The default is 600 (10 minutes). A value of 0 disables the session timer. off resets the idle-session logout timer to its default timer. Guidelines: you can create only a single WebGUI server. The idl...

  • Page 159

    webapp-error-handling enters web application error handling policy configuration mode. Syntax: webapp-error-handling name; no webapp-error-handling name. Parameters: name specifies the name of the web application error handling policy. The name can contain a maximum of 128 characters. For restrictions, ...

  • Page 160

    webapp-request-profile enters web application request profile configuration mode. Syntax: webapp-request-profile name; no webapp-request-profile name. Parameters: name specifies the name of the web application request profile. The name can contain a maximum of 128 characters. For restrictions, refer to ...

  • Page 161

    webapp-session-management enters session management policy configuration mode. Syntax: webapp-session-management name; no webapp-session-management name. Parameters: name specifies the name of the web application session management policy. The name can contain a maximum of 128 characters. For restrictio...

  • Page 162

    wsgw enters web services proxy configuration mode. Syntax: wsgw name; no wsgw name. Parameters: name specifies the optional name of the web services proxy. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: use the cancel or ex...

  • Page 163

    Guidelines: use the no wsm-endpointrewrite command to delete a WS-Proxy endpoint rewrite policy. Related commands: cancel, exit. wsm-rule enters web services processing rule configuration mode. Syntax: wsm-rule name; no wsm-rule name. Parameters: name specifies the name of the web services processing rule...

  • Page 164

    wsrr-server enters WSRR server configuration mode. Syntax: wsrr-server name; no wsrr-server name. Parameters: name specifies the name of the WSRR server object. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: in WebSphere Se...

  • Page 165

    wsrr-synchronize performs a synchronization of WSRR content with the WSRR server. Syntax: wsrr-synchronize wsrrsubscriptionname. Parameters: wsrrsubscriptionname specifies the name of a WSRR subscription object. Content previously retrieved using this subscription is immediately synchronized with the w...

  • Page 166

    Syntax: xml validate xml-manager matching-rule [attribute-rewrite policy]; xml validate xml-manager matching-rule [dynamic-schema url]; xml validate xml-manager matching-rule [schema url]; no xml validate xml-manager. Parameters: xml-manager specifies the name of an XML manager that performs XML schema va...

  • Page 167

    # xml validate mgr1 star attribute-rewrite url-rw-1 # • enables schema-based validation for the mgr1 XML manager. All XML documents that match star are validated against the schema1.xsd schema. # xml validate mgr1 star schema store:///schema1.xsd # • disables schema-based validation for the mgr1 XML...

  • Page 168

    Guidelines: in XML manager configuration mode, you can configure the target manager to perform a rule-based action. Use the no xml-manager command to delete an XML manager. Related commands: documentcache, refresh stylesheet, xml parser limits, xml validate, xmlfirewall, xpath function map. Examples: •...

  • Page 169

    When enabled, the XML management interface allows users to send requests to the enabled service protocols to manage the DataPower appliance. The DataPower appliance has a single XML management interface. The XML management interface runs SSL and uses HTTP basic authentication (user name and password...

  • Page 170

    Parameters: xml-manager specifies the name of an XML manager. capacity specifies the maximum size of the cache in style sheets. Use an integer in the range of 4 through 1000000. Guidelines: the initial cache size is set to 256 style sheets. Related commands: xsl checksummed cache. Examples: • assigns a c...

  • Page 171

    # xsl checksummed cache mgr1 # • disables SHA-1-assisted caching for the mgr1 XML manager. # no xsl checksummed cache mgr1 # xslconfig assigns a compile options policy. Syntax: xslconfig xml-manager compileoptionspolicyname; no xslconfig xml-manager. Parameters: xml-manager specifies the name of the XML...

  • Page 172

    xslcoproc name address-local port-local xml-manager [default-style-sheet]; no xslcoproc name. Parameters: name specifies the name of the XSL coprocessor. The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. 0 binds to all enabled appliance...

  • Page 173

    Examples: • enters XSL coprocessor service configuration mode for the coproc-1 XSL coprocessor. # xslcoproc coproc-1 xsl coprocessor service configuration mode # • creates the coproc-1 XSL coprocessor. Listens for requests on port 3300 of all enabled appliance ports. # xslcoproc coproc-1 0 3300 mgr1 ...

  • Page 174

    processingpolicy optionally specifies the name of a processing policy to perform transforms. The default is to use processing instructions, if any, that are in incoming XML documents. Guidelines: you can use either of two forms (referred to as single-command and multi-command) of the xslproxy command...

  • Page 175

    Syntax: xslrefresh xml-manager policy; no xslrefresh xml-manager. Parameters: xml-manager specifies the name of an XML manager. policy specifies the name of a stylesheet refresh policy. Guidelines: you can assign only a single stylesheet refresh policy to an XML manager. With a stylesheet refresh policy,...

  • Page 176

    The name can contain a maximum of 128 characters. For restrictions, refer to “object name conventions” on page xxiv. Guidelines: while in z/OS NSS client configuration mode, you configure a z/OS NSS client which provides the parameters necessary for authentication with SAF on a z/OS Communications Se...

  • Page 177

    Chapter 3. AAA policy configuration mode. This chapter provides an alphabetic listing of commands that are available in AAA (authentication, authorization, audit) policy configuration mode. To enter this configuration mode, use the global aaapolicy command. While in this mode, define the AAA policy t...

  • Page 178

    Guidelines: if a value is specified for the WS-Security S11:actor or S12:role identifier, the AAA action will act as the assumed actor or role when it consumes the security headers. This setting takes effect only when the AAA policy attempts to process the incoming message before making an authorizat...

  • Page 179

    validation credentials list that references the certificate that is used to validate the remote SSL peer. If the method is not client-ssl or if the credentials that are submitted by the SSL peer are not authenticated, (other than checking the expiration date of the certificate and that it has not be...

  • Page 180

    Examples: • specifies Tivoli authorization services. # authorize tivoli "" "" "" # • specifies XSL-based authorization using the identified style sheet. # authorize stylesheet store:///authorize.xsl "" "" # authorized-counter specifies a message count monitor for approved messages. Syntax: authorized-...

  • Page 181

    Parameters: seconds specifies the number of seconds that authentication and authorization data is retained in the policy cache. The default is 3. Guidelines: meaningful only if caching is enabled. Related commands: cache-allow. Examples: • specifies a cache lifetime of 10 seconds for the current AAA poli...

  • Page 182

    Examples: • limits repetitions to 5. # dos-valve 5 extract-identity specifies and enables the methods to extract the identity of a service requester. Syntax: extract-identity http ws-sec client-ssl saml-attribute saml-authenticate stylesheet url. Parameters: http specifies either on or off to indicate w...

  • Page 183

    Parameters: target-url specifies either on or off to indicate whether or not the resource identity is based on the URL sent by the current AAA policy to the backend server. original-url specifies either on or off to indicate whether or not the resource identity is based on the URL received by the cur...

  • Page 184

    Parameters: 2 (default) indicates LDAP version 2. 3 indicates LDAP version 3. log-allowed enables or disables the logging of successful AAA operations. Syntax: log-allowed; no log-allowed. Guidelines: by default, successful log operations are logged as info. Use the no log-allowed command to disable logg...

  • Page 185

    Syntax: log-rejected; no log-rejected. Guidelines: by default, successful log operations are logged as warning. Use the no log-rejected command to disable unsuccessful AAA operations. Related commands: log-allowed, log-allowed-level, log-rejected-level. log-rejected-level specifies the log priority for m...

  • Page 186

    Parameters: custom custom-url specifies the location of the style sheet. xmlfile xml-file-url specifies the location of the XML file. xpath expression specifies the operative XPath expression. Examples: • specifies that credentials mapping uses the mapcreds.xsl style sheet. # map-credentials custom lo...

  • Page 187

    Examples: • specifies the schema for the SOAP 1.1 envelope namespace. # namespace-mapping soap http://schemas.xmlsoap.org/soap/envelope/ # ping-identity-compatibility enables or disables compatibility with a PingFederate identity server. Syntax: ping-identity-compatibility; no ping-identity-compatibility. G...

  • Page 188

    Syntax: rejected-counter name. Parameters: name identifies the assigned message count monitor. Examples: • associates the aaa-reject message count monitor with the current AAA policy. # rejected-counter aaa-reject # saml-artifact-mapping specifies the location of the SAML artifact-mapping file. Syntax: sa...

  • Page 189

    Winchester name provides the local name of the attribute. For example, cats would match messages with the following attribute: winchester value provides the value given for the attribute with the corresponding name. For example, winchester would match the following attribute: winchester saml-name-qu...

  • Page 190

    rsa-ripemd160 http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160 rsa-sha256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 rsa-sha384 http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 rsa-sha512 http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 Guidelines: if the SAML message that is generated f...

  • Page 191

    sha512 http://www.w3.org/2001/04/xmlenc#sha512 Guidelines: if the SAML message that is generated for this policy will be digitally signed, use the saml-sign-hash command to specify the algorithm to calculate the message digest for signing. saml-sign-key specifies the key used by the current AAA polic...

  • Page 192

    Examples: • locates the metadata file. # saml2-metadata local:///policy-1.metadata # ssl assigns an SSL proxy profile. Syntax: ssl name. Parameters: name specifies the name of the SSL proxy profile. transaction-priority assigns a transactional priority to the user. Syntax: transaction-priority name prior...

  • Page 193

    Parameters: name identifies the certificate object. Guidelines: use the no wstrust-encrypt-key command to remove the certificate assignment from the current AAA policy. Chapter 3. AAA policy configuration mode 167.

  • Page 194

    168 command reference.

  • Page 195

    Chapter 4. Access control list configuration mode. This chapter provides an alphabetic listing of commands that are available in access control list (ACL) configuration mode. To enter this configuration mode, use the global acl command. While in this mode, create an ACL. An ACL consists of a sequence...

  • Page 196

    Syntax: allow address/netmask; allow any. Parameters: address/netmask defines a range of IP addresses. Specify the IP address in dotted decimal format. Specify the net mask in CIDR (slash) format or dotted decimal format. CIDR format is an integer that specifies the length of the network portion of the ...

  • Page 197

    Guidelines: the deny command defines a deny clause for the ACL. This clause identifies which IP addresses to deny access. If the ACL contains only deny clauses, the last clause in the ACL must be the allow any clause. Related commands: allow. Examples: • enters ACL configuration mode for the public ACL...

  • Page 199

    Chapter 5. Application domain configuration mode. This chapter provides an alphabetic listing of commands that are available in application domain configuration mode. To enter this configuration mode, use the global domain command. The global command creates the specified application domain if it doe...

  • Page 200

    Syntax: deployment-policy name. Parameters: name specifies the name of an existing deployment policy object. Guidelines: the deployment-policy command specifies the name of the deployment policy object that preprocesses the configuration package. To create a deployment policy object, use the global depl...

  • Page 201

    # domain test modify application domain configuration # domain-user gharrison # exit # file-monitoring establishes the level of monitoring applied to files stored in the local: domain directory. Syntax: file-monitoring type[+type]. Parameters: type can be audit or log. The type audit causes the system ...

  • Page 202

    only display but RBM allows a user to display and delete, the user will only be able to display the contents of files. On the other hand, if the permissions allow both display and delete but RBM allows only display, the user will only be able to display the contents of files. Examples: • modifies the...

  • Page 203

    Parameters: url specifies the location of the remote configuration file. Guidelines: if config-mode is set to import, you must specify both the location and type of the remote configuration resource with the import-url and import-format commands. Related commands: config-mode, import-format. Examples: •...

  • Page 204

    Parameters: count specifies the maximum number of configuration checkpoints to allow. Use an integer in the range of 1 through 5. The default is 3. Related commands: config-mode, import-format, import-url. reset domain deletes the currently running configuration of the domain and returns the domain to...

  • Page 205

    [test]# reset domain reset domain resetting 'test' will delete all services configured within the domain! Do you want to continue? [y/n]:y domain reset successfully. [test]# visible-domain specifies other application domains that are visible to this domain. Syntax: visible-domain domain. Parameters: do...

  • Page 207

    Chapter 6. Application security policy configuration mode. This chapter provides an alphabetic listing of commands that are available in application security policy configuration mode. To enter this configuration mode, use the global application-security-policy command. If the policy does not exist, ...

  • Page 208

    # error-match svrredir portal-redir-errors # error-match svrerr portal-svr-errors # error-match allerr portal-default-errors • empties the error map, effectively eliminating all custom error handling from the security policy. # no error-match request-match establishes one or more web request maps fo...

  • Page 209

    Parameters: rule specifies the name of an existing match rule. Use the global match command to create a new match rule. profile specifies the name of an existing web response profile. Use the global webapp-response-profile command to create a new web response profile. Guidelines: any server response t...

  • Page 211

    Chapter 7. Compact flash configuration mode (type 9235). This chapter provides an alphabetic listing of commands that are available in compact flash configuration mode. To enter this configuration mode, use the global compact-flash command. All of the commands that are listed in “common commands” on ...

  • Page 212

    # compact-flash cf0 compact flash configuration mode # read-only # • makes the file system read-write, the default state. # compact-flash cf0 compact flash configuration mode # no read-only #

  • Page 213

    Chapter 8. Compile options policy configuration mode. This chapter provides an alphabetic listing of commands that are available in compile options policy configuration mode. To enter this configuration mode, use the global compile-options command. While in this configuration mode, define the compile...

  • Page 214

    Guidelines
    A compile options policy can contain multiple profile and debug commands. A candidate URL is subject to debug profiling if it matches any of the match criteria specified in the URL map. Refer to Appendix D, “Compile options policy configuration,” on page 1007 for procedural details regarding...

  • Page 215

    A candidate URL is subject to standard profiling if it matches any of the match criteria specified in the URL map. Refer to Appendix D, “Compile options policy configuration,” on page 1007 for procedural details regarding the creation and implementation of profiling policies.
    Related commands: debug ...

  • Page 216

    # stream fastpath
    #

    strict
    Controls strict XSLT error-checking.
    Syntax: strict
    Guidelines
    Use this command to toggle between enabling and disabling strict XSLT error-checking. By default, the compile options policy disables strict XSLT error-checking. Non-strict operation attempts to recover from cer...

  • Page 217

    validate-soap-enc-array
    Designates the set of schemas to perform extra validation on elements of type SOAP-ENC:Array.
    Syntax: validate-soap-enc-array map
    Parameters
    map: identifies the URL map that defines the set of schemas that perform extra validation on elements of type SOAP-ENC:Array rule.
    Guide...

  • Page 219

    Parameters
    skip: disables validation of the fault detail.
    lax: forces validation of the fault details that match the WSDL definition.
    strict (default): validates all fault details, which allows only messages that match the WSDL description.
    Guidelines
    By default, strict validation is applied to SOAP fa...

  • Page 220

    wsdl-wrapped-faults
    Controls compatibility with RPC-style wrappers.
    Syntax: wsdl-wrapped-faults
    Guidelines
    By default, the compile options policy disables required compatibility with RPC-style wrappers. Use this command to toggle between enabling and disabling required compatibility with RPC-style wr...

  • Page 223

    Chapter 9. Conformance policy configuration mode
    This chapter provides an alphabetic listing of commands that are available in conformance policy configuration mode. To enter this configuration mode, use the global conformancepolicy command. All of the commands that are listed in “common commands” o...

  • Page 224

    Syntax
    fixup-stylesheet file
    no fixup-stylesheet file
    Parameters
    file: specifies the name and location of the style sheet.
    Guidelines
    The fixup-stylesheet command defines which style sheets to invoke after conformance analysis. These style sheets can transform the analysis results to repair instances...

  • Page 225

    Guidelines
    The ignored-requirements command defines which profile requirements to exclude from validation. For each requirement to exclude, use the ignored-requirements command. To remove an excluded requirement, use the no ignored-requirements command. For information about the requirements defined...

  • Page 226

    Examples
    • Specifies that message validation is against WS-I Basic Profile, version 1.1 and WS-I Basic Security Profile, version 1.0.
    # profiles bp11+bsp10
    #
    • Specifies that message validation is against WS-I Attachments Profile, WS-I Basic Profile, version 1.1, and WS-I Basic Security Profile, v...

  • Page 227

    Parameters
    failure: rejects messages that are identified as conformance failures.
    never (default): never rejects messages.
    warning: rejects messages that are identified as either conformance failures or conformance warnings.
    Guidelines
    The reject-level command identifies the degree of nonconformance th...

  • Page 228

    # report-level failures
    # report-target http://datapower.com/conform

    report-target
    Specifies where to send conformance reports for requests.
    Syntax: report-target url
    Parameters
    url: specifies the location to send conformance reports. Use the following URL format: protocol://host/uri
    Guidelines
    The re...

  • Page 230

    Guidelines
    The response-reject-level command identifies the degree of nonconformance that causes a response message to be rejected. When a response message is rejected, you can use the response-reject-include-summary command to include a summary of the conformance analysis in the rejection message. ...

  • Page 231

    Parameters
    url: specifies the location to send conformance reports. Use the following URL format: protocol://host/uri
    Guidelines
    The response-report-target command identifies where to send conformance reports for responses. This command is meaningful only when the value for the response-report-level ...

  • Page 233

    Chapter 10. CRL configuration mode
    This chapter provides an alphabetic listing of commands that are available in CRL configuration mode. CRL is the abbreviation for certificate revocation list. To enter this configuration mode, use the crypto crl command. While in CRL configuration mode, define the ...

  • Page 234

    Guidelines
    You must specify a password when defining an LDAP-enabled CRL update policy.
    Related commands: bind-dn, read-dn, refresh, remote-address
    Examples
    • Enters CRL mode to create the ldap1440 LDAP-enabled CRL update policy. The LDAP server is accessed with the account name of x with a password...

  • Page 235

    Guidelines
    This property is required to implement a CRL update policy.
    Examples
    • Enters CRL mode to create the http30 HTTP-enabled CRL update policy. Specifies crlvalidate as the validation credentials to validate the CRL issuer.
    # crl http30 http
    Entering CRL mode for 'http30'
    # issuer crlvalidate...

  • Page 236

    Parameters
    minutes: specifies the interval in minutes between CRL updates.
    Guidelines
    You must specify a refresh interval when defining either an HTTP-enabled or LDAP-enabled CRL update policy.
    Related commands: bind-dn, bind-pass, fetch-url, read-dn, remote-address
    Examples
    • Enters CRL mode to crea...

  • Page 237

    Examples
    • Enters CRL mode to create the ldap1440 LDAP-enabled CRL update policy. The ragnarok LDAP server (with default port 389) is accessed with the account name of x and a password of 1pass$word. The target certificate is issued by VeriSign Australia.
    # crl ldap1440 ldap
    Entering CRL mode for 'l...

  • Page 239

    Chapter 11. Crypto configuration mode
    This chapter provides an alphabetic listing of commands that are available in crypto configuration mode. To enter this configuration mode, use the global crypto command. All of the commands that are listed in “common commands” on page 2 and most, but not all, of...

  • Page 240

    appliance sends the certificate to the SSL peer for an SSL connection, but the peer can reject the certificate as not valid.
    Guidelines
    The password or password-alias keyword is required only when a certificate file is password-protected. Prior to using the password-alias keyword, you must use the p...

  • Page 241

    # certificate bob pubcert:bob.pem password-alias dundaulk
    Creating certificate 'bob'
    #
    • Deletes the bob certificate alias.
    # no certificate bob
    Certificate 'bob' deleted
    #

    cert-monitor
    Enters crypto certificate monitor configuration mode.
    Syntax: cert-monitor
    Guidelines
    The certificate monitor is a ...

  • Page 242

    Use the no crl command to delete a CRL update policy.
    Examples
    • Enters CRL mode to create the http30 HTTP-enabled CRL update policy.
    # crl http30 http
    Entering CRL mode for 'http30'
    #
    • Enters CRL mode to create the ldap1440 LDAP-enabled CRL update policy.
    # crl ldap1440 ldap
    Entering CRL mode for ...

  • Page 243

    Syntax
    Importing certificates:
    crypto-import cert name [...] input file
    Importing keys (HSM models):
    crypto-import key name [...] input file [password-alias alias] [mechanism hsmkwk]
    crypto-import key name [...] input file [password password] [mechanism hsmkwk]
    Parameters
    key name [...]: identifies t...

  • Page 244

    directory must be one of the following directory-specific keywords:
    audit: contains the audit log
    cert: contains domain-specific private keys and certificates
    config: contains configuration scripts
    export: contains export packages
    image: contains primary and secondary firmware images
    local: contains...

  • Page 245

    encrypt
    Encrypts a file stored on the appliance.
    Syntax: encrypt url cert alias alg algorithm
    Parameters
    url: identifies the local file to be encrypted, and takes the directory:///filename format. directory must be one of the following directory-specific keywords that reference specific directories. ...

  • Page 246

    alg algorithm: identifies the encryption method.
    Related commands: certificate, idcred, send file, sign (crypto)
    Examples
    • Encrypts the fwsec-1 log file with the recipient certificate that is referenced by the bob alias.
    # encrypt logtemp:///fwsec-1 cert bob alg smime
    File 'fwsec-1' successfully enc...

  • Page 247

    • Deletes the fwcred-1 firewall credentials.
    # no fwcred fwcred-1
    Firewall credentials 'fwcred-1' deleted
    #

    hsm-clone-kwk (HSM models)
    Clones a key wrapping key between HSM-equipped appliances.
    Syntax: hsm-clone-kwk [input filename] [output filename]
    Parameters
    input filename: indicates the name of th...

  • Page 248

    Related commands: hsm-delete-key, hsm-reinit

    hsm-delete-key (HSM models)
    Deletes a key from the HSM (hardware security module).
    Syntax: hsm-delete-key key
    Parameters
    key: identifies the key stored on the HSM.
    Guidelines
    This command is available only on systems with an internal HSM.
    Related commands: h...

  • Page 249

    Syntax: idcred name key-alias certificate-alias [ca certificate-alias-n ...]
    Parameters
    name: specifies the name of the identification credentials that authenticates the appliance. The name can contain a maximum of 32 characters. For restrictions, refer to “object name conventions” on page xxiv.
    key-a...

  • Page 250

    # idcred bob bob bob
    Creating identification credentials 'bob'
    #
    • Creates the bob identification credentials that consist of the private key aliased by bob and the X.509 certificates aliased by bob and bob-intermediate.
    # idcred bob bob bob ca bob-intermediate
    Creating identification credentials '...

  • Page 251

    Syntax
    kerberos-keytab name
    no kerberos-keytab name
    Parameters
    name: specifies the name of the Kerberos keytab. The name can contain a maximum of 32 characters. For restrictions, refer to “object name conventions” on page xxiv.
    Guidelines
    A keytab (or key table) is an unencrypted file that contains a...

  • Page 252

    Caution: do not store private key files in the public cryptographic area. This area is intended for the storage of public certificate files.
    password password: optionally identifies the plaintext password required to access the private key file.
    password-alias password-alias: optionally identifies the...

  • Page 254

    gen-object: creates a crypto key management object. To create a crypto certificate management object, use the gen-sscert property.
    object-name name: optionally specifies the names for the objects that are created by the gen-object property. If not specified, the value for the commonname property is use...

  • Page 255

    Use the password and password-alias properties in environments that require password-protected files. Before using the password-alias property, use the password-map command to 3DES-encrypt the private key password (plaintext) and associate an alias with the encrypted password. An attempt to referenc...

  • Page 256

    alias-name: ssl:
    Password map saved
    # keygen c au l "South Melbourne" st Victoria o "DataPower Australia, Ltd." ou "Customer Support" cn www.bob.datapower.com.au rsa 2048 out bob password-alias waltzingmatilda
    #

    password-map
    Creates a password map, which associates an alias with an encrypted passw...

  • Page 257

    Examples
    • Creates a new password map and generates a host key used to 3DES-encrypt the two plaintext passwords.
    # password-map
    # Please enter alias-name and plaintext password pairs
    - leading and trailing white space is removed
    - enter a blank alias name to finish
    alias-name: towson
    plaintext passw...

  • Page 258

    Syntax
    profile name idcred [ssl name] [ciphers cipher-string] [options options-mask]
    profile name %none% [ssl name] [ciphers cipher-string] [options options-mask]
    no profile name
    Parameters
    name: specifies the name of the crypto profile. The name can contain a maximum of 32 characters. For restrictio...

  • Page 259

    Table 5. Available algorithm keywords for the cipher string (continued)
    Algorithm keyword | Meaning
    eNULL or NULL | Null ciphers offer no encryption at all and are a security risk. These cipher suites are disabled unless explicitly included.
    aNULL | The cipher suites offering no authentication. This is cu...

  • Page 260

    Optionally, each cipher keyword can be preceded by one of the following characters:
    ! Permanently deletes the cipher from the list. Even if you explicitly add the cipher to the list later, it can never reappear in the list.
    - Deletes the cipher from the list. You can add this cipher again.
    + Moves the cipher to ...
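The cipher-string semantics above (bare keywords append, `!` deletes permanently, `-` deletes until re-added, `+` moves, `ALL` excludes null encryption, `eNULL`/`aNULL` only when named) are easy to get wrong when writing a crypto profile, so here is an added worked example that expands such a string into an ordered suite list. It is illustrative code written for this page, not DataPower's implementation; the cipher table is constructed and deliberately small, and on a real appliance the suite names and their class membership come from the SSL library. The `is_safe` helper is also an addition: it checks the expanded list for exactly the two classes the table flags as a security risk.

```python
"""Added example: expanding an OpenSSL-style cipher string with !, - and + prefixes.
Illustrative only; CIPHER_TABLE is a constructed stand-in for the real suite list."""
import re

# Constructed table: suite name -> keyword classes it belongs to. Table order is
# the order in which a bare keyword appends its matching suites.
CIPHER_TABLE = {
    "AES256-SHA":     {"HIGH", "RSA", "AES", "SHA1"},
    "AES128-SHA":     {"HIGH", "RSA", "AES", "SHA1"},
    "DES-CBC3-SHA":   {"HIGH", "RSA", "3DES", "SHA1"},
    "RC4-SHA":        {"MEDIUM", "RSA", "RC4", "SHA1"},
    "RC4-MD5":        {"MEDIUM", "RSA", "RC4", "MD5"},
    "DES-CBC-SHA":    {"LOW", "RSA", "DES", "SHA1"},
    "EXP-RC4-MD5":    {"EXPORT", "RSA", "RC4", "MD5"},
    "NULL-SHA":       {"eNULL", "RSA", "SHA1"},          # no encryption at all
    "ADH-AES128-SHA": {"HIGH", "aNULL", "AES", "SHA1"},  # no authentication
}


def _matches(suite, keyword):
    """A suite matches a class keyword, its own name, or an A+B combination (all must hold)."""
    classes = CIPHER_TABLE[suite]
    if keyword == "ALL":                 # everything except the null-encryption suites
        return "eNULL" not in classes
    parts = ["eNULL" if p == "NULL" else p for p in keyword.split("+")]
    return all(p == suite or p in classes for p in parts)


def expand(cipher_string):
    """Return the ordered list of suites selected by cipher_string."""
    selected, killed = [], set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        op, keyword = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in CIPHER_TABLE if _matches(s, keyword)]
        if op == "!":        # permanent delete: no later keyword can bring these back
            killed.update(hits)
            selected = [s for s in selected if s not in killed]
        elif op == "-":      # delete, but a later keyword may add them again
            selected = [s for s in selected if s not in hits]
        elif op == "+":      # move the matching suites to the end, keeping their order
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        else:                # append matches that are not already present and not killed
            selected += [s for s in hits if s not in selected and s not in killed]
    return selected


def is_safe(cipher_string):
    """False if the expanded list still contains null-encryption or anonymous suites."""
    return not any(CIPHER_TABLE[s] & {"eNULL", "aNULL"} for s in expand(cipher_string))
```

Running `expand("HIGH:!aNULL:-AES128-SHA:AES128-SHA:+DES-CBC3-SHA")` shows the three prefixes interacting: the anonymous suite is gone for good, AES128-SHA is removed and then re-added at the end, and `+` moves DES-CBC3-SHA behind it. `is_safe("ALL")` is false because `ALL` still admits the aNULL suite; a profile needs an explicit `!aNULL:!eNULL` to be clean.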

  • Page 261

    • The SSL client requires a validation credentials only when it validates the certificate that is presented by an SSL server. The SSL standard does not require the validation of the server certificate.
    • The SSL server requires a validation credentials only when it validates certificates that are pr...

  • Page 262

    • Same as the previous example.
    # profile low xssl-1 options disable-sslv2+disable-tlsv1
    Creating new crypto profile 'low'
    #
    • Creates the high crypto profile that uses the identification credentials aliased by xssl-2 to identify the SSL proxy. The crypto profile validates the SSL peer with the tsc-1...

  • Page 263

    sharedcert: contains private keys and certificates which are shared across domains
    store: contains DataPower-supplied processing resources such as style sheets, schemas and authentication/authorization files
    tasktemplates: contains task template files
    temporary: contains temporary files
    filename: spe...

  • Page 264

    url: specifies a local URL that identifies the file that contains the private key.
    • If the private key is stored in the private cryptographic area, the URL takes the filename form.
    • If the private key is stored in the public cryptographic area, the URL takes the pubcert:///filename form.
    Note: do n...

  • Page 265

    • Creates the alice alias for the specified ss2.pem secret key. The target key is contained within the private cryptographic area, and is accessed with an encrypted password aliased by havredegrace.
    # sskey alice ss2.pem password-alias havredegrace
    Creating key 'alice'
    #
    • Deletes the alice shared secre...

  • Page 266

    • Indicates that the columbia candidate alias does not reference the encrypted password that protects the k2.der key file.
    # test password-map columbia key k2.der
    alias 'columbia' with file 'k2.der' --> fail
    #
    • Indicates that the towson candidate alias does reference the encrypted password that pro...

  • Page 267

    Related commands: certificate (validation credentials), profile
    Examples
    • Enters validation credentials mode to create the valcred-1 validation credentials.
    # valcred valcred-1
    Entering validation credentials mode for 'valcred-1'
    #
    • Deletes the valcred-1 validation credentials.
    # no valcred valcred...

  • Page 269

    Chapter 12. Crypto certificate monitor configuration mode
    This chapter provides an alphabetic listing of commands that are available in crypto certificate monitor configuration mode. To enter this configuration mode, use the crypto cert-monitor command. All of the commands that are listed in “common...

  • Page 270

    log-level
    Specifies the log priority assigned to certificate monitor messages that note the impending expiration date of a certificate.
    Syntax: log-level priority
    Parameters
    priority: specifies the log priority assigned to certificate expiration messages.
    Guidelines
    The level of log events are characte...

  • Page 271

    Examples
    • Specifies that the certificate monitor performs a certificate scan every 3 days.
    # poll 3
    #

    reminder
    Specifies the notification window before certificate expiration that initiates certificate expiration log messages.
    Syntax: reminder days
    Parameters
    days: specifies the notification window. ...

  • Page 273

    Chapter 13. Crypto firewall credentials configuration mode
    This chapter provides an alphabetic listing of commands that are available in crypto firewall credentials configuration mode. To enter this configuration mode, use the crypto fwcred command. While in this configuration mode, you can create a...

  • Page 274

    Syntax: key alias
    Parameters
    alias: specifies the alias for the target private key. The target private key must be previously created with the crypto key command.
    Guidelines
    Prior to adding a key alias to the list:
    1. Use the copy command (or the WebGUI) to transfer the actual key to the appliance.
    2....

  • Page 275

    Examples
    • Enters firewall credentials mode for the fwcred-1 firewall credentials. Adds the shared secret key that is referenced by the ss-bob-alice alias.
    # fwcred fwcred-1
    Entering firewall credentials mode for 'fwcred-1'
    # sskey ss-bob-alice
    #

  • Page 277

    Chapter 14. Crypto validation credentials configuration mode
    This chapter provides an alphabetic listing of commands that are available in crypto validation credentials configuration mode. To enter this configuration mode, use the crypto valcred command. While in this mode, compile a validation cred...

  • Page 278

    Examples
    • Enters validation credentials mode to create the valcred-1 validation credentials list. Specifies PKIX validation mode.
    # valcred valcred-1
    Crypto validation credentials configuration mode
    # cert-validation-mode pkix
    #
    • Restores the default setting.
    # valcred valcred-1
    Crypto validation ...

  • Page 279

    Examples
    • Enters validation credentials mode to create the valcred-1 validation credentials list. Adds the bob-1 certificate alias to the list.
    # valcred valcred-1
    Crypto validation credentials configuration mode
    # certificate bob-1
    #

    crldp
    Controls support for the X.509 certificate distribution po...

  • Page 280

    Guidelines
    Meaningful only if cert-validation-mode is pkix; otherwise, it is not used. If enabled, the chain validation algorithm must end with a non-empty policy tree. If disabled, the algorithm may end with an empty policy tree (unless policy constraints extensions in the chain require an explicit...

  • Page 281

    applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range. The certificate policies extension contains a sequence of one or more policy information terms, each of which consists of an object identifier...

  • Page 282

    Guidelines
    By default, CRL usage is not required when processing certificate chains. Use the no require-crl command to restore the default condition, which allows, but does not require, CRL usage when processing certificate chains.
    Related commands: use-crl
    Examples
    • Enters validation credentials mo...

  • Page 283

    Chapter 15. Deployment policy configuration mode
    This chapter provides an alphabetic listing of commands that are available in deployment policy configuration mode. A deployment policy is a sequence of accept, filter, and modify clauses that accept, filter, or modify configuration data of specific r...

  • Page 284

    property=property-name: optionally specifies the name of the configuration property. This property limits the match statement to resources with the specified property.
    value=property-value: optionally specifies the value for the configuration property. This property limits the match statement to resourc...

  • Page 285

    resource: specifies the resource type. The value * matches all resource types.
    Name=resource-name: optionally specifies a name match for a resource. This property limits the match statement to resources of the specified name. Use a PCRE to select groups of resource instances. For example, foo* would ma...

  • Page 286

    The appliance preprocesses the add statements first, the change statements second, and the delete statements last when applying the modify clause. The statement takes the following form:
    address/domain/resource[?Name=resource-name&property=property-name&value=property-value]
    address: specifies the i...

  • Page 287

    Examples
    • Adds a summary to the turbotans host alias in the default domain. The usersummary property with a value of blueskinners is added to the configuration of the turbotans host alias during the import.
    # modify */default/network/host-alias?Name=turbotans add usersummary blueskinners
    #
    • ...
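To make the match grammar and the add/change/delete ordering concrete, here is an added worked example (written for this page, not the appliance's importer) that parses `address/domain/resource[?Name=..&property=..&value=..]` statements and applies a list of modify statements to a constructed set of configuration records. Assumptions made here, none of which the page states: `*` is a wildcard for any path segment, `Name=` is an unanchored PCRE applied with `re.search`, `add` only sets a property that is absent, `change` only alters one that is present, and `delete` removes the named property.

```python
"""Added example: matching and applying deployment-policy modify statements.
Illustrative; record format and action semantics are assumptions for this example."""
import re
from urllib.parse import parse_qs

# Constructed sample of configuration objects as an importer might see them.
SAMPLE_CONFIG = [
    {"address": "10.10.1.10", "domain": "default", "resource": "network/host-alias",
     "name": "turbotans", "props": {"IPAddress": "10.10.1.20"}},
    {"address": "10.10.1.10", "domain": "default", "resource": "network/host-alias",
     "name": "turbotans-dr", "props": {"IPAddress": "10.10.2.20"}},
    {"address": "10.10.1.10", "domain": "test", "resource": "network/host-alias",
     "name": "turbotans", "props": {"IPAddress": "10.10.3.20"}},
]


def parse_match(statement):
    """Split 'address/domain/resource[?Name=..&property=..&value=..]' into parts.
    The resource type itself may contain '/', so only the first two '/' split."""
    path, _, query = statement.partition("?")
    address, domain, resource = path.split("/", 2)
    q = {k: v[0] for k, v in parse_qs(query).items()}
    return {"address": address, "domain": domain, "resource": resource,
            "name": q.get("Name"), "property": q.get("property"), "value": q.get("value")}


def record_matches(rec, m):
    """True when a configuration record satisfies every constraint of the match."""
    for key in ("address", "domain", "resource"):
        if m[key] != "*" and m[key] != rec[key]:
            return False
    if m["name"] is not None and not re.search(m["name"], rec["name"]):
        return False
    if m["property"] is not None:
        if m["property"] not in rec["props"]:
            return False
        if m["value"] is not None and rec["props"][m["property"]] != m["value"]:
            return False
    return True


# Processing order the page specifies: adds first, then changes, then deletes.
ORDER = {"add": 0, "change": 1, "delete": 2}


def apply_modify(records, statements):
    """statements: list of (match, action, property, value). Returns new records;
    the input list is left untouched so a failed import can be retried."""
    out = [{**r, "props": dict(r["props"])} for r in records]
    for match, action, prop, value in sorted(statements, key=lambda s: ORDER[s[1]]):
        m = parse_match(match)
        for rec in out:
            if not record_matches(rec, m):
                continue
            if action == "add" and prop not in rec["props"]:
                rec["props"][prop] = value
            elif action == "change" and prop in rec["props"]:
                rec["props"][prop] = value
            elif action == "delete":
                rec["props"].pop(prop, None)
    return out
```

Note that `sorted` is stable, so statements of the same kind keep the order in which they were configured, and that an unanchored `Name=turbotans` would also match `turbotans-dr`; anchor the PCRE (`^turbotans$`) when only one object is meant.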

  • Page 289

    Chapter 16. DNS settings configuration mode
    This chapter provides an alphabetic listing of commands that are available in DNS (domain name services) configuration mode. To enter this configuration mode, use the global dns command. While in this mode, identify sources of DNS information and perform s...

  • Page 290

    • Identifies a DNS server at 10.10.10.240, UDP port 60000.
    # name-server 10.10.10.240 60000
    #
    • Deletes the specified DNS provider.
    # no name-server 10.10.10.240
    #
    • Deletes all DNS providers.
    # no name-server *
    #

    search-domain
    Adds an entry to the IP domain-suffix search table, thus enabling the usa...

  • Page 293

    Chapter 17. Document cache configuration mode
    This chapter provides an alphabetic listing of commands that are available in document cache configuration mode. To enter this configuration mode, use the global documentcache command. While in this mode, define the policy that specifies which HTTP-obtai...

  • Page 294

    # clear *xs[dl]
    Cleared documents in cache matching pattern *xs[dl]
    #

    maxdocs
    Specifies the maximum size of the document cache in documents.
    Syntax: maxdocs documents
    Parameters
    documents: specifies the maximum number of documents to retain in the document cache. Use an integer in the range of 1 throu...

  • Page 295

    priority: specifies the priority of a document in the cache. The greater the value, the higher its priority. Use an integer in the range of 1 through 255. The default is 128.
    ttl: specifies the maximum number of seconds to retain a document in the cache. Use an integer in the range of 5 through 86400....

  • Page 296

    # documentcache mgr1
    Document cache configuration mode
    # policy *xsd
    #
    • Caches all XML schemas with a priority of 210 and the default TTL.
    # documentcache mgr1
    Document cache configuration mode
    # policy *xsd 210
    #
    • Caches all style sheets and schemas with a priority of 255 and the default TTL. Cac...
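The policy, maxdocs and clear commands together define how the document cache decides what to keep, so here is an added worked example (illustrative code written for this page, not the appliance's cache) of a cache with those semantics: a glob pattern selects documents and assigns a priority (1 to 255, default 128) and a TTL (5 to 86400 seconds), maxdocs caps the number of documents, and clear removes documents by pattern. Assumptions not stated on the page: the first matching policy wins, a document no policy covers is not cached, the default TTL is supplied by the caller, and when the cache is full the lowest-priority document (the oldest among equals) is evicted.

```python
"""Added example: a document cache with policy/maxdocs/clear semantics.
Illustrative; eviction order and the handling of uncovered documents are assumptions."""
import fnmatch

DEFAULT_PRIORITY = 128   # default stated on the page


class DocumentCache:
    def __init__(self, maxdocs, default_ttl):
        if maxdocs < 1:
            raise ValueError("maxdocs must be at least 1")
        self.maxdocs = maxdocs
        self.default_ttl = default_ttl      # assumed; the page gives only the TTL range
        self.policies = []                   # (glob, priority, ttl) in configured order
        self.docs = {}                       # url -> [body, priority, expires_at, seq]
        self._seq = 0

    def policy(self, pattern, priority=DEFAULT_PRIORITY, ttl=None):
        """Equivalent of: policy <pattern> [priority [ttl]]"""
        if not 1 <= priority <= 255:
            raise ValueError("priority must be 1..255")
        if ttl is not None and not 5 <= ttl <= 86400:
            raise ValueError("ttl must be 5..86400 seconds")
        self.policies.append((pattern, priority, self.default_ttl if ttl is None else ttl))

    def _policy_for(self, url):
        for pattern, priority, ttl in self.policies:     # first match wins (assumption)
            if fnmatch.fnmatchcase(url, pattern):
                return priority, ttl
        return None

    def _expire(self, now):
        for url in [u for u, d in self.docs.items() if d[2] <= now]:
            del self.docs[url]

    def store(self, url, body, now):
        """Cache a fetched document; returns False if no policy covers it."""
        rule = self._policy_for(url)
        if rule is None:
            return False
        priority, ttl = rule
        self._expire(now)
        if url not in self.docs and len(self.docs) >= self.maxdocs:
            # full: evict the lowest priority, oldest insertion among equals
            victim = min(self.docs, key=lambda u: (self.docs[u][1], self.docs[u][3]))
            del self.docs[victim]
        self._seq += 1
        self.docs[url] = [body, priority, now + ttl, self._seq]
        return True

    def fetch(self, url, now):
        """Return the cached body, or None on a miss or once the TTL has elapsed."""
        self._expire(now)
        entry = self.docs.get(url)
        return entry[0] if entry else None

    def clear(self, pattern="*"):
        """Equivalent of: clear <pattern>; returns how many documents were removed."""
        victims = [u for u in self.docs if fnmatch.fnmatchcase(u, pattern)]
        for url in victims:
            del self.docs[url]
        return len(victims)
```

`fnmatch` understands the same `*xs[dl]` form the clear example uses. The design point is that priority only matters under pressure: with maxdocs set generously, every document lives out its TTL, and a high-priority style sheet is protected only when the cache is full.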

  • Page 299

    Chapter 18. Document crypto map configuration mode
    This chapter provides an alphabetic listing of commands that are available in document crypto map configuration mode. To enter this configuration mode, use the global document-crypto-map command. While in this mode, design a map to enable partial (f...

  • Page 300

    Related commands: namespace-mapping, select
    Examples
    • Specifies document decryption.
    # document-crypto-map dcm-1
    Modify document crypto map configuration
    # decrypt
    #

    select
    Specifies the document nodes to encrypt or decrypt.
    Syntax: select xpath
    Parameters
    xpath: defines an XPath expression that iden...

  • Page 301

    Chapter 19. Failure notification configuration mode
    This chapter provides an alphabetic listing of commands that are available in failure notification configuration mode. To enter this configuration mode, use the global failure-notification command. All of the commands that are listed in “common com...

  • Page 302

    location-id
    Specifies the subject line of the email.
    Syntax: location-id string
    Parameters
    string: specifies descriptive text.
    Guidelines
    The location-id command specifies the subject line of the email. If the message contains spaces, wrap the value in double quotation marks.
    Examples
    • Provides an id...

  • Page 303

    Chapter 20. Flash configuration mode
    This chapter provides an alphabetic listing of commands that are available in flash configuration mode. To enter this configuration mode, use the global flash command. All of the commands that are listed in “common commands” on page 2 and most, but not all, of th...

  • Page 304

    Guidelines
    A firmware upgrade performed with the boot image command retains current configuration data, allowing the appliance to be restored to a known, stable state if necessary. The previous firmware image and associated configuration data is referred to as the secondary install. While you can u...

  • Page 305

    Syntax: boot switch
    Guidelines
    A firmware upgrade performed with the boot image command retains current configuration data, allowing the appliance to be restored (rolled back) to a known, stable state if necessary. The previous firmware image and associated configuration data is referred to as the se...

  • Page 306

    Guidelines
    After opening the newly created or existing configuration, the command prompts for command input:
    Enter startup commands, one per line. End with a period.
    Enter commands, terminating each command by pressing the Return or Enter key. If appending commands to an existing configuration, make...

  • Page 307

    directory:///filename
    directory: specifies a directory on the appliance. Refer to “directories on the appliance” on page xxii for details.
    filename: specifies the name of a file in the specified directory.
    • If the source file or target destination is remote to the DataPower appliance and the transpor...

  • Page 308

    • Uses SCP to copy a file from the specified URL to the store: directory.
    # copy scp://jrb@10.10.1.159//xml/stylesheets/initialconvert.xsl store:///initialconvert.xsl
    Password: yetanotherpassword
    File copy successful
    #
    • Uses SCP to copy a file from the logstore: directory to the specified remote ta...

  • Page 309

    Note: the delete command does not prompt for confirmation. Be certain that you want to delete the file before issuing this command.
    Related commands: copy, dir, move
    Examples
    • Deletes the startup-config-deprecated file from the store: directory.
    # delete store:///startup-config-deprecated
    #
    • Delet...

  • Page 310

    move
    Moves a file from one directory to another.
    Syntax: move [-f] source destination
    Parameters
    -f: overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests ...

  • Page 311

    Parameters
    filename: specifies the name of the firmware image to re-initialize the appliance. The file must be in the image: directory.
    Guidelines
    Deletes user-modified or added configuration information, including data in the DataPower directories. This data consists of style sheets, object configur...

  • Page 312

    Guidelines
    The appliance restarts using the startup configuration specified by the boot config command and the firmware image specified by the boot image command. If a startup configuration or firmware image is not designated, the appliance restarts with the configuration and firmware image that wer...

  • Page 313

    Chapter 21. FTP poller front side handler configuration mode
    This chapter provides an alphabetic listing of commands that are available in FTP poller front side handler configuration mode. To enter this configuration mode, use the global source-ftp-poller command. While in this configuration mode, d...

  • Page 314

    Syntax: error-rename-pattern pattern
    Parameters
    pattern: specifies a PCRE that defines the rename pattern.
    Guidelines
    The error-rename-pattern command specifies the PCRE to rename a file when it could not be processed. This command is relevant when error-delete is off. Otherwise, it is ignored. PCRE d...

  • Page 315

    Parameters
    pattern: specifies a PCRE that defines the rename pattern.
    Guidelines
    The processing-rename-pattern command specifies the PCRE to rename a file that is being processed. This functionality allows multiple poller objects to poll the same directory with the same match pattern. There is no lac...

  • Page 316

    Syntax: processing-seize-pattern pattern
    Parameters
    pattern: specifies the PCRE to use as the match pattern to search for files that are being processed.
    Guidelines
    The processing-seize-pattern command specifies the PCRE to find files that were renamed to indicate that they are in the "being processed...

  • Page 319

    Syntax: target-dir directory
    Parameters
    directory: specifies the directory to poll.
    Guidelines
    The target-dir command specifies a directory to poll. The path must end in a slash. The slash denotes a directory. For a relative path to the home directory of the specified user: ftp://user:password@host:por...
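The rename-pattern commands in this chapter describe one lifecycle: a matching file is claimed by renaming it with processing-rename-pattern (which is what lets several pollers share a directory), it is processed, and it is then deleted or renamed according to success-delete/success-rename-pattern and error-delete/error-rename-pattern, with error-rename-pattern applying only when error-delete is off. Here is that cycle as an added worked example. It is illustrative code written for this page, not the appliance's poller; the polled directory is a constructed in-memory stand-in, and the `$1`-style references to groups of the match pattern in the rename patterns are an assumption of this example.

```python
"""Added example: one polling cycle of an FTP poller with claim-by-rename.
Illustrative; the FakeFtpDir and the $1 group-reference syntax are assumptions."""
import re


class FakeFtpDir:
    """Constructed stand-in for the polled target-dir. rename() fails when the
    source no longer exists, which is what a competing poller's claim looks like."""
    def __init__(self, names):
        self.files = set(names)

    def rename(self, old, new):
        if old not in self.files:
            return False
        self.files.remove(old)
        self.files.add(new)
        return True

    def delete(self, name):
        self.files.discard(name)

    def listing(self):
        return sorted(self.files)


def expand_pattern(match, rename_pattern):
    """Fill $1..$9 in rename_pattern from the groups of the match pattern (assumed syntax)."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", rename_pattern)


def poll_once(ftp, cfg, process):
    """cfg keys mirror the commands: match, processing_rename, success_delete,
    success_rename, error_delete, error_rename. process(name) returns True on success.
    Returns {original name: outcome} for every file this poller actually claimed."""
    outcomes = {}
    for name in ftp.listing():
        m = re.search(cfg["match"], name)
        if not m:
            continue
        working = expand_pattern(m, cfg["processing_rename"])
        if not ftp.rename(name, working):          # another poller claimed it first
            continue
        ok = process(working)
        if ok:
            if cfg["success_delete"]:
                ftp.delete(working)
            else:
                ftp.rename(working, expand_pattern(m, cfg["success_rename"]))
        elif cfg["error_delete"]:
            ftp.delete(working)
        else:                                      # error-rename-pattern only when error-delete is off
            ftp.rename(working, expand_pattern(m, cfg["error_rename"]))
        outcomes[name] = ok
    return outcomes


# Constructed configuration in the spirit of the commands on this page.
SAMPLE_CFG = {
    "match": r"^(.*)\.xml$",
    "processing_rename": "$1.processing",
    "success_delete": True,
    "success_rename": "$1.done",
    "error_delete": False,
    "error_rename": "$1.error",
}
```

Two details worth noticing: a file that is already in the "being processed" name form (`c.xml.processing`) no longer matches `^(.*)\.xml$`, which is how the rename prevents a second poller from picking it up, and a failed rename is treated as "someone else has it" rather than as an error, so the file is neither reprocessed nor renamed by the error pattern.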

  • Page 321

    Chapter 22. FTP quoted commands configuration mode
    This chapter provides an alphabetic listing of commands that are available in FTP quoted commands configuration mode. To enter this configuration mode, use the global ftp-quote-command-list command. Many of the commands that are listed in “common co...

  • Page 323

    Chapter 23. FTP server front side handler mode
    An instance of an FTP server front side handler object defines a handler service that receives FTP request messages from clients and forwards them to the appropriate DataPower service. To enter the configuration mode to create a new instance or to modif...

  • Page 324

    Table 7. FTP server front side handler commands (continued)
    Command | Purpose
    password-aaa-policy | Assigns an AAA policy to evaluate the user name and password.
    port | Specifies the listening port.
    require-tls | Controls whether FTP client connections require TLS encryption.
    response-nfs-mount | Specifies th...

  • Page 325

    Parameters
    address: specifies the local IP address or host alias on which the service listens. The default is 0.0.0.0.
    Guidelines
    The local-address command specifies the local IP address on which the service listens. The default of 0.0.0.0 indicates that the service is active on all IP addresses. The...

  • Page 327

    Parameters
    name: specifies the name of an existing AAA policy object.
    Guidelines
    The certificate-aaa-policy command assigns the AAA policy that determines whether a password is required for secondary authentication of the information in the TLS/SSL certificate that is provided during TLS negotiation ...

  • Page 328

    Guidelines
    The default-directory command specifies the current working directory for all users of this FTP server. This directory will be the initial working directory after users connect and authenticate. When using a virtual file system and the working directory is not the root directory, the spec...

  • Page 329

    Related commands: persistent-filesystem-timeout, virtual-directory

    filesystem-size
    Specifies the maximum size for the temporary file system.
    Syntax: filesystem-size megabytes
    Parameters
    megabytes: specifies the maximum size in megabytes for the temporary file system. Use an integer in the range of 1 t...

  • Page 331

    Guidelines
    The passive-idle-timeout command controls the amount of time in seconds between when the FTP server issues code 227 (“Entering passive mode”) in response to the PASV or EPSV command from the FTP client and when the FTP client must establish a TCP data connection to the listening port and ...

  • Page 332

    passive-port-min
    Sets the lowest port value for the passive port range.
    Syntax: passive-port-min port
    Parameters
    port: specifies the lower end of the passive port range. Use an integer in the range of 1024 through 65534. The default is 1024.
    Guidelines
    The passive-port-min command sets the lowest port v...

  • Page 333

    Note: while multiple FTP servers on the same system can use the same or overlapping passive port ranges, this configuration could introduce contention for a common resource in the TCP implementation. Because of contention, do not use a port range that overlaps with other services that are on the sam...

  • Page 334

    Syntax: password-aaa-policy name. Parameters: name specifies the name of an existing AAA policy object. Guidelines: the password-aaa-policy command assigns the AAA policy to perform authentication of user names and passwords provided to the FTP server by the client with the USER and PASS commands. v if ...

  • Page 335

    Parameters: on requires TLS encryption. off (default) does not require TLS encryption. Guidelines: the require-tls command controls whether FTP control connections require TLS encryption. If required, the FTP client must use the FTP AUTH TLS command before any other command. To support TLS encryption,...

  • Page 336

    Parameters: temporary (default) stores response files in temporary storage on the system. This storage space has limited size. nfs stores response files in the top-level directory of the specified NFS server. Only the NFS server limits the storage space. Guidelines: the response-storage command specif...

  • Page 338

    Guidelines: the response-url command selects the URL that is used in generating a response. This URL enables a response to be written using FTP commands. The URL must be an FTP URL that starts with ftp://. The URL should include a directory, but not a file name. The URL cannot include query parameter...

  • Page 339

    Parameters: variable defines the prefix for file names that are generated when using the FTP STOU command. When defining the prefix, the directory separator (/) is not allowed. The default is to not add a prefix, which is an empty string. The value must match the regular expression ^[^/]*$. Guidelines: the u...

  • Page 340

    314 command reference.

  • Page 341

    Chapter 24. Hard disk array configuration mode (type 9235). This chapter provides an alphabetic listing of commands that are available in hard disk array configuration mode. To enter this configuration mode, use the global raid-volume command. All of the commands that are listed in “Common commands” ...

  • Page 342

    # raid-volume raid0 Hard disk array configuration mode # read-only # v makes the file system read-write, the default state. # raid-volume raid0 Hard disk array configuration mode # no read-only #

  • Page 343

    Chapter 25. Host alias configuration mode. This chapter provides an alphabetic listing of commands available in host alias configuration mode. To enter this configuration mode, use the global host-alias command. Many of the commands listed in “Common commands” on page 2 and most, but not all, of the ...

  • Page 345

    Chapter 26. HTTP front side handler mode. An instance of an HTTP front side handler object defines a handler service that receives HTTP request messages from clients and forwards them to the appropriate DataPower service. To enter the configuration mode to create a new instance or to modify an existi...

  • Page 346

    Parameters: name specifies the name of an existing access control list object. Guidelines: the acl command defines a reference to an existing access control list object. The access control list object allows or denies access to this service based on the IP address of the client. When attached to a ser...

  • Page 348

    HTTP/1.1 (default) uses HTTP 1.1. Guidelines: the http-client-version command sets the HTTP version for the connection. The specified version should not conflict with the HTTP version that is allowed by the allowed-features command. Related commands: allowed-features. max-header-count specifies the maxi...

  • Page 349

    Related commands: max-header-value-len. max-header-value-len specifies the maximum length of header values to allow. Syntax: max-header-value-len bytes. Parameters: bytes specifies the maximum length in bytes. The default is 0, which indicates no limit. Guidelines: the max-header-value-len command specifi...

  • Page 350

    Syntax: max-total-header-len bytes. Parameters: bytes specifies the maximum length in bytes. Use an integer in the range of 5 through 128000. The default is 128000. Guidelines: the max-total-header-len command specifies the maximum aggregate length of incoming HTTP headers to allow in request messages. ...

  • Page 351

    Guidelines: the persistent-connections command controls the negotiation of persistent connections. v when enabled, the handler negotiates with the remote peer and establishes a persistent connection if agreeable to the peer. v when disabled, the handler does not attempt to negotiate the establishment...

  • Page 353

    Chapter 27. HTTP input conversion map configuration mode. This chapter provides an alphabetic listing of commands that are available in HTTP input conversion map configuration mode. To enter this configuration mode, use the global input-conversion-map command. All of the commands that are listed in “...

  • Page 355

    Chapter 28. HTTP service configuration mode. This chapter provides an alphabetic listing of commands that are available in HTTP service configuration mode. To enter this configuration mode, use the global httpserv command. All of the commands that are listed in “Common commands” on page 2 and most, b...

  • Page 356

    Note: users should consider the security implications before revealing software version information. Use the no identifier command to suppress the Server response header field. Examples: v specifies release 3.7.1 as the contents of the Server response header field. # identifier "release 3.7.1" # v suppre...

  • Page 357

    image: serves documents from the firmware image (image:) directory. store: (default) serves documents from the general storage (store:) directory. temporary: serves documents from the temporary (temporary:) directory. Examples: v specifies that the current HTTP service serves documents from the temporar...

  • Page 358

    port specifies the local port monitored by the HTTP service for incoming traffic. Syntax: port port. Parameters: port specifies the port. The default is 80. Guidelines: use the port command to change the port that is assigned with the ip-address command. Related commands: ip-address. Examples: v specifies ...

  • Page 359

    Guidelines: in the absence of this command, the HTTP service displays the directory listing that is specified by the local-directory command. Related commands: local-directory. Examples: v specifies welcome.html as the start page. # start-page welcome.html #

  • Page 361

    Chapter 29. HTTPS front side handler mode. An instance of an HTTPS front side handler object defines a handler service that receives HTTP request messages from clients and forwards them to the appropriate DataPower service. To enter the configuration mode to create a new instance or to modify an exis...

  • Page 362

    Parameters: name specifies the name of an existing access control list object. Guidelines: the acl command defines a reference to an existing access control list object. The access control list object allows or denies access to this service based on the IP address of the client. When attached to a ser...

  • Page 364

    HTTP/1.1 (default) uses HTTP 1.1. Guidelines: the http-client-version command sets the HTTP version for the connection. The specified version should not conflict with the HTTP version that is allowed by the allowed-features command. Related commands: allowed-features. max-header-count specifies the maxi...

  • Page 365

    Related commands: max-header-value-len. max-header-value-len specifies the maximum length of header values to allow. Syntax: max-header-value-len bytes. Parameters: bytes specifies the maximum length in bytes. The default is 0, which indicates no limit. Guidelines: the max-header-value-len command specifi...

  • Page 366

    Syntax: max-total-header-len bytes. Parameters: bytes specifies the maximum length in bytes. Use an integer in the range of 5 through 128000. The default is 128000. Guidelines: the max-total-header-len command specifies the maximum aggregate length of incoming HTTP headers to allow in request messages. ...

  • Page 367

    Guidelines: the persistent-connections command controls the negotiation of persistent connections. v when enabled, the handler negotiates with the remote peer and establishes a persistent connection if agreeable to the peer. v when disabled, the handler does not attempt to negotiate the establishment...

  • Page 369

    Chapter 30. Import configuration file configuration mode. This chapter provides an alphabetic listing of commands that are available in import configuration file configuration mode. To enter this configuration mode, use the global import-package command. While in this mode, identify the location and ...

  • Page 370

    # import-package englewood New import configuration file configuration # auto-execute off # deployment-policy specifies the name of an existing deployment policy that preprocesses the configuration package. Syntax: deployment-policy name. Parameters: name specifies the name of an existing deployment po...

  • Page 373

    Chapter 31. Include configuration file configuration mode. This chapter provides an alphabetic list of commands in include configuration file configuration mode. To enter this configuration mode, use the global include-config command. While in this mode, specify the location of configuration files to...

  • Page 374

    Parameters: url identifies the location of the configuration file to include. v if the file resides on the appliance, this parameter takes the form directory:///filename, where: directory identifies a local directory. Generally, the directory is one of the following keywords: – config – local – temp...

  • Page 375

    Guidelines: the interface-detection command determines when to retrieve the include configuration file in relation to the state of the local interface. This command is meaningful only when auto-execute is on. Related commands: auto-execute. Examples: v specifies synchronous execution of the include c...

  • Page 377

    Chapter 32. Interface configuration mode. This chapter provides an alphabetic listing of commands that are available in interface configuration mode. To enter this configuration mode, use the global interface command. All of the commands that are listed in “Common commands” on page 2 and most, but no...

  • Page 378

    Guidelines: you can use DHCP to obtain the following parameters from a DHCP server: v interface IP address v default gateway IP address v DNS IP address. Use the no dhcp command to disable the DHCP client. Examples: v enables a DHCP client on Ethernet 2. # interface eth2 # dhcp # exit # v disables the ...

  • Page 379

    Examples: v assigns a primary IP address to Ethernet port 0. # ip address 192.168.7.6/27 # v functionally equivalent to the previous example (a /27 prefix is the dotted-decimal mask 255.255.255.224). # ip address 192.168.7.6 255.255.255.224 # v assigns a secondary IP address to Ethernet port 0. # ip address 192.168.7.7/27 secondary # v removes the primary IP ...

  • Page 380

    Syntax: ip route address/netmask next-hop-address [metric]; no ip route address/netmask next-hop-address. Parameters: address specifies the address of the destination network. netmask identifies the network portion of the address. It can be expressed in CIDR (slash) format, which is an integer that specifi...

  • Page 381

    mode specifies the operational mode (speed and duplex) for the current Ethernet interface. Syntax: mode mode. Parameters: mode specifies the Ethernet mode using one of the following keywords: 10baset-fd or 10baset-hd indicates standard Ethernet configuration options. 100basetx-fd or 100basetx-hd indica...

  • Page 382

    Parameters: size specifies the MTU for the current interface in bytes. Use an integer in the range of 576 to 16128. The default is 1500. Guidelines: the MTU is determined without regard to the length of the layer 2 encapsulation. Examples: v sets the MTU for the cu...

  • Page 383

    # packet-capture store://eth0trace 1800 2500 Trace begun. . . . # v initiates and then terminates a packet-capture session. # packet-capture store://eth0trace 1800 2500 Trace begun. . . . # no packet-capture store://eth0trace # standby implements a failover configuration. Syntax: to assign both interf...

  • Page 384

    Guidelines: the standby command implements a failover configuration to ensure that an interface on another DataPower appliance is available if an active interface becomes unresponsive. There are two types of failover configurations: v an active interface is backed up by a warm standby interface. This...

  • Page 385

    # standby 2 ip 10.10.66.66 # standby 2 preempt # exit # v assigns Ethernet 0 to standby group 2 and specifies a VIP of 10.10.66.66. The priority value of 90 ensures that the interface is the standby member of the group. Because it is the standby member, it is not placed in preempt mode. # interface ...

  • Page 387

    Chapter 33. iSCSI CHAP configuration mode (type 9235). This chapter provides an alphabetic listing of commands that are available in iSCSI CHAP configuration mode. CHAP is the Challenge Handshake Authentication Protocol. To enter this configuration mode, use the global iscsi-chap command. While i...

  • Page 388

    Examples: v sets gerry as the user with the password bigsecret as the credentials for the chap-2 CHAP. # iscsi-chap chap-2 New iSCSI CHAP configuration mode # username gerry # password bigsecret #

  • Page 389

    Chapter 34. iSCSI host bus adapter configuration mode (type 9235). This chapter provides an alphabetic listing of commands that are available in iSCSI host bus adapter configuration mode. To enter this configuration mode, use the global iscsi-hba command. All type 9235 appliances have two host bus ad...

  • Page 390

    iname changes the iSCSI qualified name. Syntax: iname iqn. Parameters: iqn specifies the IQN. Guidelines: the iname command changes the “burned in” value for the iSCSI qualified name (IQN). If you need to change this value, specify an IQN in the following format: v iqn.2001-04.com.example v iqn.2001-04....

  • Page 391

    # iscsi-hba iscsi-2 Modify iSCSI host bus adapter configuration # ip-address 10.10.10.44 # ip default-gateway 10.10.10.46 # ip default-gateway specifies the default gateway for the HBA. Syntax: ip default-gateway address. Parameters: address specifies the IP address of the default gateway. Guidelines: t...

  • Page 393

    Chapter 35. iSCSI target configuration mode (type 9235). This chapter provides an alphabetic listing of commands that are available in iSCSI target configuration mode. To enter this configuration mode, use the global iscsi-target command. All of the commands that are listed in “Common commands” on pa...

  • Page 394

    Guidelines: the hba command assigns an existing iSCSI HBA to which to bind this target instance. Examples: v assigns the iscsi1 HBA to the target-2 iSCSI target. # iscsi-target target-2 New iSCSI target configuration mode # hba iscsi1 # hostname specifies the host of the iSCSI target. Syntax: hostname ...

  • Page 395

    target-name specifies the name of the remote iSCSI target. Syntax: target-name name. Parameters: name specifies the iSCSI qualified name (IQN) or IEEE extended unique identifier (EUI) for the iSCSI target. Guidelines: the target-name command specifies the iSCSI qualified name (IQN) or IEEE extended unique identif...

  • Page 397

    Chapter 36. iSCSI volume configuration mode (type 9235). This chapter provides an alphabetic listing of commands that are available in iSCSI volume configuration mode. To enter this configuration mode, use the global iscsi-volume command. All of the commands that are listed in “Common commands” on pa...

  • Page 399

    Chapter 37. Kerberos KDC server configuration mode. This chapter provides an alphabetic listing of commands that are available in Kerberos KDC server configuration mode. To enter this configuration mode, use the global kerberos-kdc command. All of the commands that are listed in “Common commands” on ...

  • Page 400

    Examples: v provides the name of the Kerberos realm. # realm us.ibm.com # server identifies the server by domain name or IP address. Syntax: server server. Parameters: server specifies the host name or IP address of the Kerberos KDC server. Guidelines: you must specify a Kerberos KDC server to complete t...

  • Page 401

    v restores UDP, the default, as the transport layer protocol. # no tcp # udp-timeout, when using UDP as the transport protocol, specifies the number of seconds to wait for a server response. Syntax: udp-timeout time. Parameters: time specifies the maximum time to wait for a Kerberos KDC server response....

  • Page 403

    Chapter 38. Kerberos keytab configuration mode. This chapter provides an alphabetic listing of commands that are available in Kerberos keytab configuration mode. To enter this configuration mode, use the crypto kerberos-keytab command. All of the commands that are listed in “Common commands” on page ...

  • Page 405

    Chapter 39. LDAP search parameters configuration mode. This chapter provides an alphabetic listing of commands that are available in LDAP search parameters configuration mode. To enter this configuration mode, use the global ldap-search-parameters command. Many of the commands that are listed in “Com...

  • Page 406

    You can use the filter-suffix command to append a string to the LDAP filter expression to complete the search filter. Related commands: filter-suffix. Examples: creates the LDAP filter expression (&(mail=bob@example.com)(c=us)) based on bob@example.com as the user name. # filter-prefix "(&(mail=" # filter-suff...

  • Page 409

    Chapter 40. Load balancer group configuration mode. This chapter provides an alphabetic listing of commands that are available in load balancer group configuration mode. To enter this configuration mode, use the global loadbalancer-group command. The global command creates the load balancer group if ...

  • Page 410

    weighted-round-robin maintains a weighted list of servers and forwards new connections in proportion to the weight (or preference) of each server. Guidelines: the algorithm command specifies the server selection algorithm. A request to connect to a load balancer group results in a healthy server bein...

  • Page 412

    ldap specifies that the group consists of LDAP servers. Performs a TCP ping. standard (default) specifies that the group does not consist of LDAP or IMS Connect servers. use-soap, when the check type is standard, specifies the HTTP method used to access the target URI. on (default) accesses the targe...

  • Page 414

    If the server selection algorithm is first-alive, the order is significant. The first server is the primary server, while subsequent entries serve as backup servers. For all other algorithms, the order is not significant. If the server selection algorithm is weighted-round-robin, specify the relativ...

  • Page 415

    Chapter 41. Log target configuration mode. This chapter provides an alphabetic listing of commands that are available in log target configuration mode. To enter this configuration mode, use the global logging target command. All of the commands that are listed in “Common commands” on page 2 and most,...

  • Page 416

    Related commands: backup, email-addr, encrypt, format, local-file, local-ident, remote-addr, remote-login, rotate, sender-addr, sign, size, timestamp, upload-method. Examples: v specifies an archive type of upload. # archive-mode upload # v specifies an archive type of rotate, which restores the defa...

  • Page 417

    Syntax: encrypt certalias smime. Parameters: certalias specifies a string that contains the alias for a certificate file that contains the public key of the message recipient. smime specifies the required keyword for the encryption method. Guidelines: the encrypt command is only used when the log type i...

  • Page 418

    Examples: v specifies which event classes and which event priorities to log. # event schema error # event xmlfilter error # event crypto error # event ssl error # event auth warning # event-code specifies an event code included in the current log. Syntax: event-code value. Parameters: value identifies t...

  • Page 419

    Parameters: on suppresses the writing of identical events to the log for the specified suppression period. off (default) writes identical events to the log. Guidelines: the event-detection command allows for the suppression of identical log events that are generated by the same configuration obje...

  • Page 420

    facility specifies the syslog facility. Syntax: facility facility. Parameters: facility identifies the syslog facility. Guidelines: facility is used only when the logging type is syslog or syslog-ng. Related commands: local-address, local-ident, remote-address. Examples: v specifies the syslog facility, l...

  • Page 421

    Parameters: text specifies the log format as formatted text. raw specifies the log format as unformatted text. xml specifies the log format as XML. cbe specifies the log format as IBM Common Base Event. csv specifies the log format as comma-separated values. Guidelines: use the show logging format command to disp...

  • Page 422

    local-file specifies a local file that stores log messages. Syntax: local-file url. Parameters: url specifies the file to store log messages and takes the logstore:///filename form. Guidelines: when the log type is file, the local-file command is required. For all other log types, it is n...

  • Page 423

    The file must have write permission. Related commands: nfs-static-mount, type. nfs-static-mount assigns a static mount. Syntax: nfs-static-mount name. Parameters: name specifies the name of an existing NFS static mount. Guidelines: when the log type is nfs, specifies the NFS static mount point to write ...

  • Page 424

    Create a log target to collect log messages for a particular instance of a particular object type. For example, you can create a log target to write messages associated with the xyz XSL proxy only. Examples: v adds an object filter to the current log to log messages for the proxy-1 XSL proxy only. # ...

  • Page 425

    v when the log type, as specified by the type command, is smtp, syslog, or syslog-ng. v when the log type, as specified by the type command, is file and the archive mode, as specified by the archive-mode command, is upload. Use the remote-address command with the remote-port command to define the dest...

  • Page 426

    Guidelines: remote-directory is used only in the following situations: v the log type is file. v the archive mode is upload. v the upload method is scp, ftp, or sftp. To denote an absolute directory from the root directory, specify a single forward slash character or the equivalent encoded character (%2f) ...

  • Page 427

    Guidelines: the remote-login command is used only if the log type is file and the archive-mode is upload. If a password is not specified, it must be provided during the upload session. Related commands: archive-mode, remote-address, remote-directory, type. Examples: v specifies the recipient address, u...

  • Page 428

    retry (deprecated). Comments: deprecated command; has no effect. rotate sets the maximum number of file rotations. Syntax: rotate count. Parameters: count specifies how many times to rotate a log file. Use an integer in the range of 1 through 100. The default is 3. Guidelines: the rotate command specifies...

  • Page 429

    sender-address specifies the email address of the sender. Syntax: sender-address string. Parameters: string specifies the local email address. Guidelines: the sender-address command is only used when the log type is smtp. Related commands: type. sign enables the S/MIME signing of logs. Syntax: sign idcred s...

  • Page 430

    Syntax: size log-size. Parameters: log-size specifies the maximum size of the file in kilobytes. Use an integer in the range of 100 through 50000. The default is 500. Guidelines: the size command sets the maximum size of a local log file in kilobytes. Depending on the machine type of the appliance, the ...

  • Page 433

    Guidelines: for all log types, use the event command to specify log contents. Cache logs require no configuration beyond the identification of the logging type. You can, however, optionally use the format, size, and timestamp commands to customize log behavior. v for a console log, no additional conf...

  • Page 434

    scp (default) identifies the Secure Copy Protocol. sftp identifies the Secure File Transfer Protocol. smtp identifies the Simple Mail Transfer Protocol. Guidelines: upload-method is used only if the log type is file and the archive-mode is upload. Related commands: archive-mode, backup, email-addr, e...

  • Page 435

    Chapter 42. Matching rule configuration mode. This chapter provides an alphabetic listing of commands that are available in matching rule configuration mode. To enter this configuration mode, use the global matching command. Matching rules are used in a processing policy. A processing policy enables ...

  • Page 436

    Related commands: match-with-pcre. Examples: v enters matching rule configuration mode to create the allerrors matching rule. Adds a pattern to match all error codes. # matching allerrors Matching configuration mode # errorcode * # fullurlmatch (deprecated). Comments: the fullurlmatch command is deprecat...

  • Page 438

    Syntax: urlmatch pattern. Parameters: pattern defines a shell-style match pattern that defines the URL set subject. Guidelines: the urlmatch command adds a pattern to match URLs. To determine whether the pattern is a PCRE expression or a shell-style expression, use the match-with-pcre command. Related com...

  • Page 439

    Chapter 43. Message count monitor configuration mode. This chapter provides an alphabetic listing of commands that are available in message count monitor configuration mode. To enter this configuration mode, use the global monitor-count command. Message count monitor configuration mode enables the cr...

  • Page 440

    threshold specifies the threshold value. Exceeding this value triggers the specified control procedure. burst-limit specifies an acceptable traffic burst. The value should be approximately twice the threshold value. control-procedure specifies the name of a control procedure that was created wit...

  • Page 442

    After completing the configuration of a count monitor, activate the monitor by assigning it to a DataPower service. Related commands: message-matching (global), message-type (global). Examples: v specifies the extranet message class as the target for the logsquelch count monitor. # monitor-count logsqu...

  • Page 443

    Chapter 44. Message duration monitor configuration mode. This chapter provides an alphabetic listing of commands that are available in message duration monitor configuration mode. To enter this configuration mode, use the global monitor-duration command. All of the commands that are listed in “Common...

  • Page 444

    Related commands: monitor-action (global), show message-durations, show message-duration-filters. Examples: v defines the ratelimit1 message duration monitor. If the average server processing time of the extranet message class exceeds 500 milliseconds, implement the yell control procedure. # monitor-co...

  • Page 445

    The server and messages types deal with external processing, specifically the processing performed by the web or application server. The server type measures the actual server processing time. The messages type approximates the sum of the requests, server, and responses types. After completing the conf...

  • Page 447

    Chapter 45. Message filter action configuration mode. This chapter provides an alphabetic listing of commands that are available in message filter action configuration mode. To enter this configuration mode, use the global monitor-action command. While in this mode, define a filter action. Thi...

  • Page 448

    log-priority enables the generation of a log entry when a control procedure is triggered. Syntax: log-priority priority. Parameters: priority identifies the event priority. All events with a priority greater than or equal to this value are logged. Events use the following priority ...

  • Page 449

    notify adds a log entry when a message class exceeds a configured threshold. reject drops all over-threshold traffic originating from a message class, and optionally adds a log entry, when a message class exceeds the configured threshold. Guidelines: conditional tests that trigger the execution of co...

  • Page 451

    Chapter 46. Message matching configuration mode. This chapter provides an alphabetic listing of commands that are available in message matching configuration mode. To enter this configuration mode, use the global message-matching command. While in message matching configuration mode, you specify traf...

  • Page 452

    Use the no http-header command to remove an HTTP header field match from a traffic-flow definition. Related commands: http-header-exclude. Examples: v creates the tfdef1 traffic-flow definition. HTTP traffic that contains a From request header field with the string @businesspartner.com is defined as par...

  • Page 453

    Examples: v creates the tfdef1 traffic-flow definition. HTTP traffic that contains a From request header field with the string @businesspartner.com is excluded from the target traffic flow. # message-matching tfdef1 Message matching configuration mode # http-header-exclude From *businesspartner.com # ...

  • Page 454

    Parameters: address specifies a dotted-decimal IP address that, with the prefix length, defines a range of excluded IP addresses. prefix-length defines the range of excluded IP addresses. Use an integer in the range of 1 through 32. Guidelines: a traffic flow definition can contain a single ip-exclude c...

  • Page 455

    request-url specifies a requested URL set to include in the traffic-flow definition. Syntax: request-url pattern. Parameters: pattern defines a shell-style match pattern that defines the requested URL. You can use wildcard characters when identifying the target URL. You can use wildcards to define a ma...

  • Page 457

    Chapter 47. Message type configuration mode. This chapter provides an alphabetic listing of commands that are available in message type configuration mode. To enter this configuration mode, use the global message-type command. While in this mode, create a message class. A message class is a list of o...

  • Page 458

    # message-type extranet Message type configuration mode # no message-matching tfdef2 #

  • Page 459

    Chapter 48. MTOM policy configuration mode. This chapter provides an alphabetic listing of commands that are available in MTOM policy configuration mode. MTOM is the abbreviation for SOAP Message Transmission Optimization Mechanism. To enter this configuration mode, use the global mtom command. Many ...

  • Page 460

    Parameters: encode optimizes an input message. decode extracts the attachment parts of an optimized message, which reconstitutes the original, non-optimized message. Examples: v enters MTOM policy configuration mode to create the mtom1 MTOM policy and sets the optimization mode to enable. # mtom mtom1...

  • Page 461

    Chapter 49. Multi-protocol gateway configuration mode this chapter provides an alphabetic listing of commands that are available in multi-protocol gateway configuration mode. To enter this configuration mode, use the global mpgw command. This global command creates the specified multi-protocol gatew...

  • Page 462

    Parameters bytes specifies the maximum number of bytes allowed for all parts of an attachment package. The default is 0. Guidelines the attachment-package-byte-count command defines the maximum number of bytes allowed for all parts of an attachment package, including the root part. Attachment package...

  • Page 463

    Related commands front-attachment-format examples v specifies that attachments output to servers are dime-encapsulated. # back-attachment-format dime # back-persistent-timeout sets the inter-transaction timeout between the completion of a tcp transaction and the initiation of a new tcp one on the ga...

  • Page 464

    The client request and receiving the server response. In other words, this timer monitors the idle time within the data transfer process. If the specified idle time is exceeded, the connection is torn down. Related commands back-persistent-timeout, front-timeout, front-persistent-timeout, persistent...

  • Page 466

    Default-param-namespace specifies the namespace into which to assign the parameter. Syntax default-param-namespace url parameters url specifies a valid namespace url. The default is http://www.datapower.com/param/config . Guidelines if a stylesheet parameter is defined without a namespace (or witho...

  • Page 469

    An idle tcp connection might remain in the idle state for as long as 20 seconds after the expiration of the persistence timer. Related commands back-persistent-timeout, back-timeout, front-timeout, persistent-connections front-protocol assigns a front side protocol handler. Syntax front-protocol n...

  • Page 470

    Guidelines the front-timeout command sets the value of the intra-transaction timeout. This value is the maximum idle time to allow in a transaction on the gateway-to-client connection. This timer monitors idle time in the data transfer process. If the specified idle time is exceeded, the connection ...

  • Page 471

    With gateway-specific parser limitations enabled, the values specified by the attachment-byte-count , attribute-count, element-depth, max-message-size, and max-node-size commands (multi-protocol gateway) are used to evaluate incoming xml documents. With gateway-specific parser limitations disabled (...

  • Page 472

    # host-rewriting off . . . # host-rewriting on # http-client-ip-label identifies the http header that contains the ip address of the calling client. Syntax http-client-ip-label header no http-client-ip-label parameters header identifies the http header that contains the ip address. The default is x-...

  • Page 474

    Value specifies the value of the field and can contain a character string or an integer. This property is case-sensitive. Guidelines use the no inject command to remove a previously-injected proprietary http header field. Related commands suppress examples v injects the procinst http header field wi...

  • Page 476

    Related commands attachment-byte-count , attribute-count, element-depth, gateway-parser-limits, max-node-size examples v sets the maximum message size to 500000 kilobytes. # max-message-size 500000 # max-node-size specifies the maximum size of a single xml node. Syntax max-node-size bytes parameters...
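    The gateway-specific parser limits discussed above (attachment-byte-count, attribute-count, element-depth, max-message-size in kilobytes, max-node-size in bytes) exist to stop oversized or deeply nested XML from exhausting the appliance before a processing policy ever runs. The following Python is an added example, not DataPower code or part of this manual, that shows what enforcing such limits looks like on a streaming parser: it checks the message size before parsing and rejects the document as soon as element depth, attribute count or node text size crosses a limit, instead of building the whole tree first. The limit names follow the manual's commands; DataPower's exact counting rules are not given on the page, so the counting below is an assumption, as are the defaults and the constructed sample documents.

```python
"""Enforce XML parser limits of the kind the gateway-parser-limits commands set.

Added example, not DataPower code. Limits follow the manual's command names
(max-message-size in kilobytes, element-depth, attribute-count per element,
max-node-size in bytes); how DataPower counts each is not on the page, so
the checks here are assumptions. Streaming with iterparse rejects a hostile
document the moment a limit is crossed rather than after it is in memory.
"""
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional


class ParserLimitExceeded(ValueError):
    """Raised when a document violates a configured limit."""


@dataclass(frozen=True)
class ParserLimits:
    max_message_size_kb: int = 0       # 0 = no limit, as the manual's default
    element_depth: int = 512           # assumed default
    attribute_count: int = 128         # assumed default
    max_node_size: int = 33554432      # assumed default (32 MB)


def check_document(data: bytes, limits: ParserLimits) -> Dict[str, int]:
    """Parse with limits enforced; return element count and maximum depth."""
    if limits.max_message_size_kb and len(data) > limits.max_message_size_kb * 1024:
        raise ParserLimitExceeded("max-message-size exceeded")
    depth = max_depth = elements = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            max_depth = max(max_depth, depth)
            if depth > limits.element_depth:
                raise ParserLimitExceeded(f"element-depth {depth} exceeds {limits.element_depth}")
            if len(elem.attrib) > limits.attribute_count:   # attributes are known at 'start'
                raise ParserLimitExceeded("attribute-count exceeded")
        else:
            # text is only complete at 'end'; count the encoded size of this node's own text
            if elem.text and len(elem.text.encode()) > limits.max_node_size:
                raise ParserLimitExceeded("max-node-size exceeded")
            depth -= 1
            elem.clear()   # release the finished subtree so memory stays bounded
    return {"elements": elements, "max_depth": max_depth}


def violation(data: bytes, limits: ParserLimits) -> Optional[str]:
    """Return the violated limit's message, or None when the document is within limits."""
    try:
        check_document(data, limits)
    except ParserLimitExceeded as exc:
        return str(exc)
    return None


def deep_document(levels: int) -> bytes:
    """Constructed sample: `levels` nested <a> elements, the classic depth attack."""
    return ("<a>" * levels + "</a>" * levels).encode()


# Constructed sample of ordinary traffic
SAMPLE_ORDER = b'<order id="42"><item sku="x1" qty="2"/></order>'

if __name__ == "__main__":
    print(check_document(SAMPLE_ORDER, ParserLimits()))
    print(violation(deep_document(1000), ParserLimits(element_depth=100)))
```

    Well-formedness errors still surface as the parser's own ParseError; only limit violations are reported as ParserLimitExceeded, so callers can log the two conditions separately.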

  • Page 477

    Note that if this is on and there are no mime headers contained in the message, the appliance will continue to try to parse the message, using the protocol header information, if available. When this is off and mime headers are present in the body of the message, these mime headers will be consider...

  • Page 478

    Related commands mime-back-headers , request-attachments, response-attachments examples v disables client-side support for mime package headers and subsequently enables support, which restores the default state. # mime-front-headers off . . . # mime-front-headers on # monitor-count assigns a count m...

  • Page 479

    Syntax monitor-duration name no monitor-duration name parameters name specifies the name of a duration monitor. Guidelines use the monitor-duration command to assign a duration monitor to the current multi-protocol gateway. Duration monitors watch for events that meet or exceed a configured duration...

  • Page 480

    Examples v allows only the first matching monitor to execute when a service has multiple monitors attached. # monitor-processing-policy terminate-at-first-match # monitor-service assigns a service level monitor. Syntax monitor-service name no monitor-service name parameters name specifies the name of...

  • Page 481

    Parameters name is the name of the parameter made available to the current multi-protocol gateway. Value is the value of the parameter. Guidelines style sheets that are used in processing policies can take stylesheet parameters. These parameters can be passed in. Use the parameter to define each req...

  • Page 482

    Off disables the establishment of persistent connections. Guidelines with persistent connections enabled, the default state for both http 1.0 and http 1.1, the appliance negotiates with the remote http peer and establishes a persistent connection if agreeable to the peer. With persistent connections...

  • Page 483

    Depending on the protocol, the backend service might return a response code that indicates an error condition. For http messages, the response from the backend server might include a response body that contains xml that provides more details about the error. Propagate-uri enables or disables the pro...

  • Page 484

    Query-param-namespace identifies the namespace in which to put all parameters that are specified in the url query string. Syntax query-param-namespace namespace parameters namespace enter a valid namespace url. Defaults to: http://www.datapower.com/param/query related commands default-param-namespac...

  • Page 485

    Message package, which is a soap with attachments message, are supported. Processing can be applied individually to each attachment. The appliance does not create a manifest of all attachments. Attachments must be accessed and processed in the order that they appear in the package. Unprocessed allow...

  • Page 486

    Unprocessed (default) characterizes the client-originated traffic stream as non-xml traffic that is not transformed by the multi-protocol gateway. Related commands response-type , soap-schema-url examples v characterizes client-originated traffic as xml. # request-type xml # v characterizes client-o...

  • Page 487

    Contain large attachments. The root part of the message, which typically contains a soap message, is subject to filter and transform actions. No processing of parts other than the root part is possible. Accompanying documents can be passed intact. Guidelines the response-attachments command specifies...

  • Page 489

    Guidelines when a multi-protocol gateway is in soap mode, either on the request or response side, it validates incoming messages against a w3c schema that defines the format of a soap message. It is possible to customize which schema is used on a per-gateway basis by changing this property to accomm...

  • Page 491

    Examples v changes the default to stream output to the client until an infraction is encountered. # stream-until-infraction # stylepolicy assigns a processing policy. Syntax stylepolicy name parameters name specifies the name of an existing processing policy. If not specified, the multi-protocol gat...

  • Page 492

    Guidelines use the no suppress command to restore the standard http header field to the packet stream. Related commands host-rewriting , inject examples v deletes the authorization http header field from the packet stream directed to the http server. # suppress back authorization # v restores the au...
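    The inject, suppress and http-client-ip-label commands in this chapter all edit or interpret HTTP header fields between the client and the backend. The following Python is an added example, not DataPower code or part of this manual, that models the three on a plain dictionary of request headers and adds the check a practitioner wants around http-client-ip-label: the manual names the header that carries the caller's address, but any client can send such a header, so its value is only honoured when the TCP peer that forwarded the request is a known proxy, and the backend receives a copy of the request with the Authorization field suppressed (the page's own "suppress back authorization" example). The header name X-Client-IP, the injected X-Forwarded-For field, the trusted proxy ranges and the sample request are assumptions constructed for the example.

```python
"""Header handling at the gateway: inject, suppress, and http-client-ip-label.

Added example, not DataPower code. Models three commands from this chapter
on a dict of request headers: 'inject' adds a field on the way to the
server, 'suppress back <name>' drops one, and the http-client-ip-label
header is believed only when the TCP peer that set it is a trusted proxy.
The header name X-Client-IP and the proxy list are assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumed: address blocks from which a forwarded client address is trusted
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def suppress(headers: Dict[str, str], name: str) -> Dict[str, str]:
    """Equivalent of 'suppress back <name>': remove the field from the forwarded request."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def inject(headers: Dict[str, str], name: str, value: str) -> Dict[str, str]:
    """Equivalent of 'inject <name> <value>': add the field, replacing any existing copy."""
    out = suppress(headers, name)
    out[name] = value
    return out


def client_ip(headers: Dict[str, str], peer_ip: str, label: str = "X-Client-IP") -> str:
    """Resolve the calling client's address.

    The labelled header is used only when the TCP peer is a trusted proxy;
    otherwise the peer itself is the client. A malformed header value raises
    (fail closed) instead of being passed on as an address.
    """
    peer = ip_address(peer_ip)
    value = _get(headers, label)
    if value is not None and any(peer in net for net in TRUSTED_PROXIES):
        candidate = value.split(",")[0].strip()   # leftmost entry of a chained value
        return str(ip_address(candidate))
    return str(peer)


def to_backend(headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Headers forwarded to the server under a sample policy:
    suppress back authorization, then inject the resolved client address."""
    out = suppress(headers, "Authorization")
    return inject(out, "X-Forwarded-For", client_ip(headers, peer_ip))


if __name__ == "__main__":
    # Constructed sample request arriving from a trusted proxy
    request = {"Authorization": "Basic abc", "X-Client-IP": "203.0.113.9", "Content-Type": "text/xml"}
    print(to_backend(request, "10.1.2.3"))
```

    The same request arriving directly from an untrusted peer yields the peer's own address, so a client cannot spoof its origin by adding the labelled header itself.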

  • Page 493

    Parameters name specifies the name of a url rewrite policy. Guidelines you need not specify a url rewrite policy when configuring a multi-protocol gateway. Use the no urlrewrite-policy command to remove the url rewrite policy assignment. Related commands propagate-uri examples v assigns the rw1 url ...

  • Page 494

    Syntax wsa-default-faultto faulturl parameters faulturl specifies the value of the faultto element. Guidelines the wsa-default-faultto command is relevant when the datapower service provides service for ws-addressing clients (the wsa-mode command is wsa2sync or wsa2wsa). In these topologies, this co...

  • Page 495

    Or wsa2wsa). In these topologies, this command ensures that all messages contain the ws-addressing replyto element. This element identifies the recipient endpoint of a response message. Because the ws-addressing specifications do not require the inclusion of the replyto element, the datapower servic...

  • Page 496

    Examples v assigns the wsaerrorhandler url rewrite policy to modify the contents of the faultto element. # wsa-faultto-rewrite wsaerrorhandler # v removes the assigned url rewrite policy. # no wsa-faultto-rewrite # wsa-force forces the inclusion of web services addressing (ws-addressing) headers int...

  • Page 498

    Parameters responsecodevalue specifies the http response code to close the original client channel. Use a value in the range of 200 through 599. The default is 204. Guidelines if the server response to an http client request is asynchronous, the datapower service must close the original http channel...

  • Page 499

    – strip the ws-addressing headers from any server-generated response before forwarding the response to the original client. The default behavior is to strip the ws-addressing headers. – process synchronous or asynchronous server responses of either the replyto (a standard response to a client reques...

  • Page 500

    (non-anonymous) client-originated replyto and faultto element values that are preserved by the datapower service and passed to the server. Related commands wsa-back-protocol , wsa-force, wsa-genstyle, wsa-timeout, wsa-strip-headers examples v specifies sync2wsa mode, indicating that the datapower se...

  • Page 502

    Guidelines the wsa-timeout command specifies the maximum period of time to wait for an asynchronous response, before abandoning the transaction. This timeout value can be overridden by the var://service/wsa/timeout variable. Related commands wsa-mode examples v specifies a maximum pause of 1 minute ...

  • Page 503

    Related commands wsrm-aaapolicy, wsrm-destination-accept-create-sequence, wsrm-destination-accept-offers, wsrm-destination-inorder, wsrm-destination-maximum-inorder-queue-length, wsrm-destination-maximum-sequences, wsrm-request-force, wsrm-response-force, wsrm-sequence-expiration, wsrm-source-...

  • Page 504

    Off disables this feature. If disabled, the client cannot use reliable messaging to communicate with this datapower service. If disabled, the only way that a reliable messaging destination can be created on this datapower service is when the reliable messaging source is configured to make offers. In...

  • Page 505

    Client is one greater than the last one that was processed. Inorder delivery assurance increases memory and resource utilization by the reliable messaging destination. Related commands wsrm , wsrm-destination-maximum-inorder-queue-length wsrm-destination-maximum-inorder-queue-length specifies the ma...

  • Page 507

    Syntax wsrm-sequence-expiration lifetime parameters lifetime specifies the lifetime in seconds. The default is 3600. Guidelines if an incoming createsequence soap message has an expireslifetime that is longer than this value, the value in the sequenceresponse soap message is reduced to this value. T...

  • Page 509

    V with a specified front side protocol handler and the front-side sends a createsequence soap message to establish a reliable back channel, there will be a non-anonymous url specified in the acksto element of the createsequence soap request. V without a front side protocol handler, the acksto elemen...

  • Page 510

    Datapower service creates a reliable messaging source to send requests to the server. If the server does not accept the offer, the datapower service does not create a reliable messaging destination. Related commands wsrm, wsrm-source-request-create-sequence wsrm-source-maximum-queue-length specifies the...

  • Page 511

    Wsrm-source-request-ack-count specifies the number of messages to send before requesting acknowledgement. Syntax wsrm-source-request-ack-count numberofmessages parameters numberofmessages use an integer in the range of 1 through 256. The default is 1. Guidelines the wsrm-source-request-ack-count com...

  • Page 512

    Parameters on creates a reliable messaging source. Off (default) does not create a reliable messaging source. Guidelines when the ws-addressing mode as defined by the wsa-mode command is wsa2sync or wsa2wsa, the wsrm-source-response-create-sequence command indicates whether to create a reliable mess...

  • Page 513

    Guidelines the wsrm-source-retransmit-count command specifies the number of times a reliable messaging source retransmits a message before declaring a failure. This command also controls the retransmission of createsequence requests. Related commands wsrm , wsrm-destination-accept-offers, wsrm-sourc...

  • Page 514

    User-specific characteristics, use the global xml-manager command to create a new manager. Then use this command to associate it with the current multi-protocol gateway. Related commands stylesheet-policy xml-manager (global) examples v assigns the mgr1 xml manager to the current multi-protocol gate...

  • Page 515

    Chapter 50. Network settings configuration mode this chapter provides an alphabetic listing of commands that are available in network settings configuration mode. To enter this configuration mode, use the global network command. All of the commands that are listed in “common commands” on page 2 and ...

  • Page 517

    Guidelines by default the appliance will refuse to accept a packet on an interface other than the one bound to the destination address of the packet. Use the disable-interface-isolation command to disable that behavior and allow any interface on the same subnet to accept the packet. As a security po...

  • Page 518

    Use the no icmp-disable command to enable the generation of a specific icmp reply. Related commands network examples v disables icmp echo message (ping) replies. # icmp-disable echo-reply # v enables ping replies, which restores the default state. # no icmp-disable echo-reply # relax-interface-isola...

  • Page 519

    Parameters retries specifies the number of times the local system attempts to send a tcp syn that receives no response. Use an integer in the range of 1 through 32. The default is 5. Examples v sets the retry limit to 10. # tcp-retries 10 #

  • Page 520


  • Page 521

    Chapter 51. Nfs client settings configuration mode this chapter provides an alphabetic listing of all commands that are available in nfs client settings configuration mode. To enter this configuration mode, use the global nfs-client command. Many of the commands that are listed in “common commands” ...

  • Page 522

    Decreasing the interval lessens the chance that a transaction will time out while waiting for an nfs file open operation to fail because the nfs server is down or unreachable. Increasing the interval reduces local and nfs server overhead from mount checking. Related commands mount-timeout (nfs dynam...

  • Page 523

    Chapter 52. Nfs dynamic mounts configuration mode this chapter provides an alphabetic listing of all commands that are available in nfs dynamic mounts configuration mode. To enter this configuration mode, use the global nfs-dynamic-mounts command. Many of the commands that are listed in “common comm...

  • Page 524

    Syntax inactivity-timeout seconds parameters seconds specifies the number of seconds an idle nfs mount, that is a mount with no file read-write activity, is maintained before the file system is unmounted. The default is 900. A value of 0 indicates that the nfs mount is never unmounted. Related comma...

  • Page 525

    Guidelines use the read-only command to specify the mount type as read-only. This setting allows only file read operations on nfs mounts. By default, nfs mounts allow both read transactions and write transactions. Retrans specifies the maximum number of rpc minor timeouts to allow before the transaction f...

  • Page 526

    Parameters size specifies the number of bytes in each nfs read operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines operations greater than 8192 bytes should only be used with tcp as the transport-layer protocol. Related commands read-only , transport, wsize ...

  • Page 528

    Parameters size specifies the number of bytes in each nfs write transaction. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines operations greater than 8192 bytes should only be used with tcp as the transport-layer protocol. Related commands rsize , transport examples...

  • Page 529

    Chapter 53. Nfs poller front side handler configuration mode this chapter provides an alphabetic listing of commands that are available in nfs poller front side handler configuration mode. To enter this configuration mode, use the global source-nfs-poller command. While in this mode, define the clie...

  • Page 530

    Error-rename-pattern specifies the rename pattern when a file could not be processed. Syntax error-rename-pattern pattern parameters pattern defines a pcre that defines the rename pattern. Guidelines the error-rename-pattern command specifies the pcre to rename a file when it could not be processed....

  • Page 531

    Syntax processing-rename-pattern pattern parameters pattern defines a pcre that defines the rename pattern. Guidelines the processing-rename-pattern command specifies the pcre to rename a file that is being processed. This functionality allows multiple pollers to poll the same directory with the sam...

  • Page 532

    Syntax processing-seize-pattern pattern parameters pattern defines the pcre to use as the match pattern to search for files that are being processed. Guidelines the processing-seize-pattern command specifies the pcre to find files that were renamed to indicate that they are in the "being processed" ...

  • Page 533

    When these conditions are met, this system renames the file (with its host name and a fresh timestamp) and locally processes the file. This processing assumes that the rename succeeded. Related commands processing-seize-pattern result indicates whether to create a response file after processing an i...
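    The processing-rename-pattern and processing-seize-pattern commands above describe a lock-by-rename protocol: a poller claims an input file by renaming it, other pollers sharing the directory skip files that carry the "being processed" name, and a file whose processing name is older than the seize timeout is renamed again, with the seizing system's host name and a fresh timestamp, and taken over. The following Python is an added example, not DataPower code or part of this manual, that implements that protocol on a local directory. A rename within one directory is atomic, so exactly one of two racing pollers succeeds and the loser sees the source name disappear; the manual notes that processing assumes the rename succeeded, and this code checks for that failure explicitly. The processing-name suffix format, the host names, the seize timeout and the sample files are assumptions constructed for the example; real deployments express the patterns as site-specific PCREs.

```python
"""Claim-by-rename as used by the NFS poller's processing-rename-pattern and
processing-seize-pattern.

Added example, not DataPower code. A poller claims '<name>' by renaming it to
'<name>.processing.<host>.<timestamp>'. Other pollers skip such files unless
the timestamp is older than the seize timeout, in which case they rename the
file again with their own host name and a fresh timestamp and take it over.
Suffix format, host names and timeout are assumptions for the example.
"""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

PROCESSING_RE = re.compile(r"^(?P<base>.+)\.processing\.(?P<host>[^.]+)\.(?P<ts>\d+)$")


def _processing_name(base: str, host: str, now: float) -> str:
    return f"{base}.processing.{host}.{int(now)}"


def claim(path: Path, host: str, now: Optional[float] = None) -> Optional[Path]:
    """Claim an unprocessed file; return its new path, or None if another poller won the race."""
    now = time.time() if now is None else now
    target = path.with_name(_processing_name(path.name, host, now))
    try:
        os.rename(path, target)          # atomic within a directory: exactly one renamer wins
    except FileNotFoundError:
        return None                      # someone else renamed it first
    return target


def seize(path: Path, host: str, seize_timeout: float, now: Optional[float] = None) -> Optional[Path]:
    """Take over a file another poller claimed but left stale for longer than seize_timeout."""
    now = time.time() if now is None else now
    m = PROCESSING_RE.match(path.name)
    if not m or m.group("host") == host:
        return None                      # not a processing file, or our own claim
    if now - int(m.group("ts")) < seize_timeout:
        return None                      # still inside the other poller's window
    target = path.with_name(_processing_name(m.group("base"), host, now))
    try:
        os.rename(path, target)          # re-stamp with our host name and a fresh timestamp
    except FileNotFoundError:
        return None
    return target


def poll(directory: Path, host: str, seize_timeout: float, now: Optional[float] = None) -> List[Path]:
    """One polling pass: claim fresh files, seize stale ones, skip the rest."""
    now = time.time() if now is None else now
    claimed: List[Path] = []
    for entry in sorted(directory.iterdir()):     # snapshot the listing before renaming
        if not entry.is_file():
            continue
        if PROCESSING_RE.match(entry.name):
            got = seize(entry, host, seize_timeout, now)
        else:
            got = claim(entry, host, now)
        if got is not None:
            claimed.append(got)
    return claimed


def simulate() -> Dict[str, object]:
    """Constructed scenario: two pollers share a directory holding one unclaimed file,
    one stale claim by hostB and one live claim by hostB."""
    now = 1_700_000_000
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "order1.xml").write_text("<order/>")
        (root / _processing_name("order2.xml", "hostB", now - 600)).write_text("<order/>")
        (root / _processing_name("order3.xml", "hostB", now - 10)).write_text("<order/>")
        by_a = poll(root, "hostA", seize_timeout=300, now=now)
        lost = claim(root / "order1.xml", "hostB", now)     # source name is gone: race lost
        by_b = poll(root, "hostB", seize_timeout=300, now=now)
        return {
            "hostA": sorted(p.name for p in by_a),
            "hostB": sorted(p.name for p in by_b),
            "race_lost": lost is None,
            "remaining": sorted(p.name for p in root.iterdir()),
        }


if __name__ == "__main__":
    print(simulate())
```

    In the scenario, hostA claims the fresh file and seizes hostB's stale claim, hostB's live claim is left alone, and hostB's later attempt to claim the original name fails cleanly because the rename target no longer exists.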

  • Page 535

    Target-dir specifies the directory to poll. Syntax target-dir directory parameters directory specifies the directory to poll. Guidelines the target-dir command specifies a directory to poll. The path must end in a slash, which denotes a directory. For example: dpnfs://static-mount-name/path/ do not...

  • Page 536


  • Page 537

    Chapter 54. Nfs static mounts configuration mode this chapter provides an alphabetic listing of all commands that are available in nfs static mounts configuration mode. To enter this configuration mode, use the global nfs-static-mount command. Many of the commands that are listed in “common commands...

  • Page 539

    Must match or be more specific than the nfs export that is provided by the target server. For example, if the server provides an export of xml/stylesheets, this portion can specify xml/stylesheets or xml/stylesheets/financialservices (if there is a financialservices subdirectory). Guidelines refer to ...

  • Page 540

    Syntax rsize size parameters size specifies the number of bytes in each nfs read operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines operations greater than 8192 bytes should only be used with tcp as the transport-layer protocol. Related commands read-only ,...

  • Page 542

    Parameters bytes specifies the number of bytes in each nfs write operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines operations greater than 8192 bytes should only be used with tcp as the transport-layer protocol. Related commands rsize , transport examples ...

  • Page 543

    Chapter 55. Ntp service configuration mode this chapter provides an alphabetic listing of commands that are available in ntp service configuration mode. To enter this configuration mode, use the global ntp-service command. All of the commands that are listed in “common commands” on page 2 and most, ...

  • Page 544

    Parameters server identifies the ntp server by host name or ip address. Guidelines from the command line, the appliance supports one ntp server at a time. To designate a new ntp server, use the no ntp-service command to delete the current server. Note: the webgui supports the specification of multip...

  • Page 545

    Chapter 56. Peer group configuration mode this chapter provides an alphabetic listing of commands that are available in peer group configuration mode. To enter this configuration mode, use the global peer-group command. All of the commands that are listed in “common commands” on page 2 and most, but...

  • Page 546

    Examples v enters peer group configuration mode to create the slm-group1 peer group. Specifies the peer group type as slm and designates group members. # peer-group slm-group1 peer group configuration mode # type slm # url 192.168.12.100 # url 192.168.49.13 # url 192.168.80.126 #

  • Page 547

    Chapter 57. Policy attachments configuration mode this chapter provides an alphabetic listing of commands that are available in policy attachments configuration mode. To enter this configuration mode, use the global policy-attachments command. Many of the commands that are listed in “common commands...

  • Page 548

    Parameters service indicates to associate the policy with a wsdl service. Port indicates to associate the policy with a wsdl port. Wsdlcomponentvalue specifies the qname of a wsdl component in the {namespace}ncname format. Url specifies the location of the document that contains the policy to attach. I...

  • Page 549

    Chapter 58. Policy parameters configuration mode this chapter provides an alphabetic listing of commands that are available in policy parameters configuration mode. To enter this configuration mode, use the global policy-parameters command. Many of the commands that are listed in “common commands” o...

  • Page 550


  • Page 551

    Chapter 59. Processing action configuration mode this chapter provides an alphabetic listing of commands that are available in processing action configuration mode. To enter this configuration mode, use the global action command. While in this mode, create a named, reusable processing action. All of...

  • Page 553

    Parameters uri identifies a document attachment to be stripped from the mime multipart package. Guidelines attachment-uri is used only if the action type (as specified by the type command) is strip-attachments. Related commands type examples v strips attachments from the specified document. # type s...

  • Page 554

    Destination either identifies an external resource or identifies the target destination for a transmitted message. Syntax destination uri parameters uri identifies the resource or message destination. Guidelines destination is required when the action type is fetch, log, results-async, or route-set ...

  • Page 555

    Syntax dynamic-schema schema parameters schema identifies the dynamic schema. Guidelines the dynamic-schema command is used only if the action type (as specified by the type command) is validate to identify a dynamic schema to validate incoming documents. Examples v specifies the dynamic schema used...

  • Page 556

    Guidelines the error-input command is used only if the action type (as specified by the type command) is on-error. If no context is explicitly identified, the input context of the failed action is used. Examples v specifies temp1 as the input context for the on-error action. # type on-error # error-...

  • Page 557

    Guidelines the error-output command is used only if the action type (as specified by the type command) is on-error. If no context is explicitly identified, the output context of the failed action is used. Examples v specifies trashcan as the output context for the action. # type on-error # error-out...

  • Page 558

    Guidelines the input command is required when the action type (as specified by the type command) is aaa, call, checkpoint, convert-http, extract, filter, log, results, results-async , route-action, setvar, slm, strip-attachments, validate, xform, or xformpi . The input command is not used when the a...

  • Page 559

    Guidelines the iterator-count command specifies the number of times to run the specified action for the current for-each action. During the loop, the var://service/ multistep/loop-count service variable is set to the current iteration of the loop. The first iteration starts the count at 1. This comm...

  • Page 561

    Parameters priority specifies one of the following message priority: emergency alert critical error warning notice (default) info debug guidelines the log-level command is used only if the action type (as specified by the type command) is log. Examples v identifies the message priority as warning. #...

  • Page 562

    Syntax loop-action action parameters action specifies the name of an existing action to run. Guidelines the loop-action command specifies the name of the existing action within the current for-each action. The output context of the for-each action replaces the output context of the named action. If ...

  • Page 563

    Examples v specifies that the transformer action runs one time for each item element in the input context. The processing generates output contexts out_1, out_2, and so forth. # type for-each # output out # multiple-outputs # iterator-type xpath # iterator-expression //*[local-name()='item'] # loop-...

  • Page 564

    Type field of the document; if the content type is xml or undeclared, the data is treated as xml. Otherwise, the data is treated as binary. Xml indicates that the data is treated and parsed as xml. Binary indicates that the data is treated as binary and unprocessed. Guidelines the output-type comman...

  • Page 565

    Require-all indicates that targets are dispatched in parallel. The action succeeds only after the input reaches all of the backend targets. Attempt-all indicates that targets are dispatched in parallel. The action succeeds if the input reaches any backend target. In other words, the action is succes...

  • Page 566

    Examples v specifies that if the action fails to write the input to http://log-server/log, the write is retried 10 times at 5-second (5000 millisecond) intervals. # type results # input ctx # destination http://log-server/log # retry-count 10 # retry-interval 5000 retry-interval specifies the retry interval for the c...

  • Page 567

    Examples v indicates that the call action invokes the validatesoap processing rule. # type call # rule validatesoap # schema-url specifies a schema to be used in validation operations by the current validate action. Syntax schema-url url parameters url identifies the schema used for document validat...

  • Page 569

    Related commands type examples v indicates that the current route-set action uses the sslprofile-2 ssl proxy profile. # type route-set # sslcred sslprofile-2 # timeout specifies the wait duration for the current event-sink action. Syntax timeout duration parameters duration specifies the time to wai...

  • Page 570

    Guidelines the transform command is required when the action type (as specified by the type command) is filter, route-action, xform, or xformpi. Related commands type examples v identifies the processheader.xsl style sheet in the local: directory for the current xform action. # type xform # transfor...

  • Page 571

    Fetch indicates a fetch action. This action retrieves a remote resource and stores it in a specified context. This action is relevant for all services. Filter indicates a filter action. This action filters a document set with a specified style sheet. This action is relevant for all services except x...

  • Page 572

    Xform indicates an xform action. This action performs a style sheet-based document transform. This action is relevant for all services. Xformpi indicates an xformpi action. This action performs a transform based on processing instructions in the candidate documents. This action is relevant for all s...

  • Page 573

    Variable identifies the variable declared by the current setvar action. Syntax variable name parameters name specifies the name of the variable. Guidelines the variable command is required when the action type (as specified by the type command) is setvar. Examples v assigns the value preferreda...

  • Page 574

    Wsdl-message-direction-or-name specifies the wsdl-defined service traffic to validate with the current validate action. Syntax wsdl-message-direction-or-name name parameters name specifies the name or direction of the service traffic. Guidelines the wsdl-message-direction-or-name command specifies t...

  • Page 575

    Related commands type wsdl-port specifies the qname of the wsdl port for the current validate action. Syntax wsdl-port qname parameters qname specifies the qname of a wsdl port. Guidelines the wsdl-port command specifies the qname of the wsdl port. The wsdl port defines the service traffic to valida...

  • Page 576

    Syntax xpath expression parameters expression identifies the xpath expression. Guidelines the xpath command is required when the action type (as specified by the type command) is extract. Otherwise, it is not used. Examples v indicates that the current extract action should use .//order_number as th...

  • Page 577

    Chapter 60. Processing metadata configuration mode this chapter provides an alphabetic listing of commands that are available in processing metadata configuration mode. To enter this configuration mode, use the global metadata command. A processing metadata object provides access to the value of pro...

  • Page 578

    Table 10. Predefined metadata items in the http category accept accept-charset accept-encoding accept-language accept-ranges age allow authorization cache-control connection content-encoding content-language content-length content-location content-md5 content-range content-type date etag expect expi...

  • Page 579

    Chapter 61. Processing policy configuration mode this chapter provides an alphabetic listing of commands that are available in processing policy configuration mode. To enter this configuration mode, use the global stylepolicy command. All of the commands that are listed in “common commands” on page ...

  • Page 580

    Syntax filter url parameters url specifies the location of the default style sheet. Guidelines this default style sheet performs xml filtering only if a candidate xml document fails to match any of the filter rules in the processing policy. Refer to appendix b, “processing policy procedures,” on pag...

  • Page 581

    Examples v adds the associated matching rule and global rule to the current processing policy. # match star valclientserver # v removes all rules from the current processing policy. # no match # request-rule assigns a request rule. Syntax request-rule rule parameters rule specifies the name of an exi...

  • Page 582

    Guidelines: The response-rule command defines a response rule. A response rule requires a matching rule. A response rule is applied to server-originated traffic only. Create the matching rule with the matching command and populate it with the httpmatch or urlmatch commands. The matching rule serves a...

  • Page 583

    xsldefault identifies a default style sheet to transform documents.
    Syntax: xsldefault url
    Parameters: url specifies the location of the default style sheet.
    Guidelines: This default style sheet performs XML transformation only if a candidate XML document fails to match any of the transformation rules ...

  • Page 584

    558 command reference.

  • Page 585

    Chapter 62. Processing rule configuration mode
    This chapter provides an alphabetic listing of commands that are available in processing rule configuration mode. To enter this configuration mode, use the global rule command. All of the commands that are listed in “Common commands” on page 2 and most,...

  • Page 586

    output-context identifies the context where results are stored. Use output to specify the final policy output, that is, the transformed client request or transformed server response.
    Examples:
    • Applies the processrequest rule to the document in the temp1 context and moves the results to the temp2 cont...

  • Page 587

    Parameters: input-context identifies the context that contains the non-XML source. Use input to specify the initial policy input, that is, the original client request or server response. output-context identifies an output context where the converted document is stored. Use output to specify the final...

  • Page 588

      # extract input three //games/url
    • Applies the XPath expression //games/url to the input context and stores the result in the variable url within the three context.
      # extract input three //games/url var://local/url
    • Applies the XPath expression referenced by the local variable xpath and stores...

  • Page 589

    Parameters: input-context identifies the context that contains the document to be filtered. Use input to specify the initial policy input, that is, the original client request or server response. url identifies the XSL style sheet to filter the source document. Takes the form of a URL or a variable th...

  • Page 590

    Examples:
    • Decompresses all incoming traffic with PKZIP.
      # input-filter pkzip
    • Restores the default state, where incoming traffic is not decompressed.
      # input-filter none
    log adds a log action.
    Syntax: log input-context destination [output-context]
    Parameters: input-context identifies the context...

  • Page 591

    on-error adds an on-error action.
    Syntax: on-error mode [rule] [input-context] [output-context]
    Parameters: mode specifies the operational response to an error and takes one of the following forms:
    • abort indicates that processing ceases in the event of an error.
    • continue indicates that processing con...

  • Page 592

      # output-filter none
    results adds a results action.
    Syntax: results context [destination] [response]
    Parameters: context identifies the target context, that is, the target whose contents are transmitted. destination optionally specifies the destination. In the absence of this argument, the contents o...

  • Page 593

    Guidelines: A results-async action differs from a results action in that results-async transmits the contents message asynchronously. That is, a results-async action never expects a response from the target destination.
    Examples:
    • Sends the contents of the input context to the destination of the rule...

  • Page 594

    Examples:
    • Specifies style sheet-based routing of the contents of the temp1 context with the route.xsl style sheet.
      # route-action temp1 local:///route.xsl
    route-set adds a route-set action.
    Syntax: route-set destination [proxy]
    Parameters: destination identifies the document destination and can be ...

  • Page 595

    • Sets a variable in the routing context with the name dest and a value of http://ragnarok:9010/.
      # setvar input var://context/routing/dest http://ragnarok:9010/
    slm adds an SLM action.
    Syntax: slm input-context name
    Parameters: input-context identifies the context monitored by the specified SLM...

  • Page 596

    Parameters:
    • error-rule indicates an error rule, a rule invoked in response to a fault condition.
    • request-rule indicates a request rule, a rule applied to client requests only.
    • response-rule indicates a response rule, a rule applied to server responses only.
    • rule indicates a bidirectional rule, a rule...

  • Page 597

    attribute-rewrite name specifies the name of the URL rewrite policy to rewrite the schema that is referenced by an xsi:schemaLocation attribute in the XML document. The rewritten schema reference usually specifies the location of a local, trusted copy of the schema to use for document validation. dy...

  • Page 598

    • Adds a validation action. Validates XML documents in the input context with the local schemaone.xsd schema. Possibly stores the transformed document in the post-validation context.
      # validate input schema store:///schemaone.xsd post-validation
    xform adds an xform action.
    Syntax: xform input-conte...

  • Page 599

    • Adds a transformation rule. Transforms the document in the step2 context with the style sheet that is referenced by the var://stylesheets/5 variable, and sends the transformed document to the final destination of the rule.
      # xform step2 var://stylesheets/5 output
    xformpi adds an xformpi action. ...

  • Page 601

    Chapter 63. RADIUS configuration mode
    This chapter provides an alphabetic listing of commands that are available in RADIUS configuration mode. To enter this configuration mode, use the global radius command. All of the commands that are listed in “Common commands” on page 2 and most, but not all, of...

  • Page 602

    • Identifies a RADIUS server at 172.16.100.100:1812.
      # aaaserver 30 172.16.100.100 1812 secret: yetanotherpasswordserver20
    • Identifies a RADIUS server at 172.16.200.200:18120. RADIUS servers will be contacted in the following order: 172.16.200.200 18120, 172.16.1.1 1812, 172.16.100.100 1812.
      # aaa...

  • Page 603

    Parameters: number specifies the number of re-transmittals. The default is 3.
    Guidelines: In conjunction with the timeout command, the retries command specifies the maximum amount of time that the appliance spends attempting to connect to a specific RADIUS server. At the expiration of this period, the...

  • Page 604

    Examples:
    • Identifies a RADIUS server at 172.16.1.1:1812.
      # server 20 172.16.1.1 1812 secret: yetanotherpasswordserver20
    • Identifies a RADIUS server at 172.16.100.100:1812.
      # server 30 172.16.100.100 1812 secret: yetanotherpasswordserver20
    • Identifies a RADIUS server at 172.16.200.200:18120. RA...

  • Page 605

      # timeout 500

  • Page 607

    Chapter 64. RBM settings configuration mode
    This chapter provides an alphabetic listing of commands that are available in RBM settings configuration mode. All of the commands that are listed in “Common commands” on page 2 and most, but not all, of the commands that are listed in Chapter 114, “Monito...

  • Page 608

    client certificates for authentication, only local fallback users, as defined with the fallback-login and fallback-user commands, will be able to access the appliance from the command line.
    Related commands: access-policy (user group), add (user group), au-method, delete (user group), domain-user (a...

  • Page 609

    au-cache-ttl specifies the time-to-live for cached authentication results.
    Syntax: au-cache-ttl seconds
    Parameters: seconds specifies the time-to-live (TTL) in seconds. Use an integer in the range of 1 through 86400. The default is 600.
    Guidelines: The au-cache-ttl command defines the explicit TTL in s...

  • Page 610

      # au-method custom
      # au-custom-url https://myserver.domain.com/authn/rbm-au.xsl
    au-info-url specifies the URL of the authentication XML file.
    Syntax: au-info-url url
    Parameters: url specifies the location of the XML file.
    Guidelines: The au-info-url command defines the fully-qualified file name (URL)...

  • Page 611

    Examples:
    • Assigns the keytab-1 Kerberos keytab object for SPNEGO authentication.
      # au-method spnego
      # au-kerberos-keytab keytab-1
    au-ldap-bind-dn specifies the login DN (distinguished name) to access an LDAP server.
    Syntax: au-ldap-bind-dn dn
    Parameters: dn specifies the login DN.
    Guidelines: The au...

  • Page 612

    Guidelines: The au-ldap-bind-password command specifies the password for the login DN to access the target LDAP server. This command is relevant when the authentication method, as defined with the au-method command, is ldap and when the LDAP search for group name property, as defined with the au-ldap...

  • Page 615

      # au-ldap-search on
      # au-ldap-bind-dn proxyuser
      # au-ldap-bind-password p@ssw0rd
    • Sets the authentication method to local.
      # au-method local
    au-server-host specifies the IP address or domain name of a remote authentication server.
    Syntax: au-server-host host
    Parameters: host specifies the IP addre...

  • Page 616

    Guidelines: The au-server-port command specifies the listening port of the authentication server defined with the au-server-host command. When the authentication method is ldap, as defined with the au-method command, you need to define the LDAP server in one of the following ways:
    • the au-server-hos...

  • Page 617

    Guidelines: The au-valcred command associates a validation credentials object for validating the identity presented in a client certificate from an SSL peer. This command is relevant when the authentication method, as defined with the au-method command, is client-ssl. Use the crypto valcred command t...

  • Page 618

    Parameters:
    • disabled (default) indicates that no locally-defined user can log in.
    • local indicates that all locally-defined users can log in.
    • restricted indicates that only specific locally-defined users can log in.
    Guidelines: The fallback-login command indicates whether to use local user accounts as ...

  • Page 619

    Guidelines: The fallback-user command allows a locally-defined user to be a fallback user. Invoke the fallback-user command for each fallback user. This command is relevant when the fallback-login command is set to restricted. Use the no fallback-user command to remove a user from the list of fallback users...

  • Page 620

    Syntax: ldap-sslproxy name
    Parameters: name specifies the name of an existing SSL proxy profile.
    Guidelines: The ldap-sslproxy command assigns an existing SSL proxy profile to secure communication with the LDAP server during LDAP authentication. When specified, LDAP communication uses the configuration...

  • Page 622

    Examples:
    • Sets the LDAP load balancer to lbgroup1.
      # au-method ldap
      # loadbalancer-group lbgroup1
      # au-ldap-search on
      # au-ldap-bind-dn proxyuser
      # au-ldap-bind-password p@ssw0rd
    lockout-duration specifies the duration to lock out the local account.
    Syntax: lockout-duration minutes
    Parameters: minu...

  • Page 623

    Parameters: count specifies the maximum number of failed login attempts to allow before lockout. A value of 0 disables account lockout. Use an integer in the range of 0 through 64. The default is 3.
    Guidelines: The max-login-failure command defines the number of failed login attempts to permit before ...

  • Page 624

    Examples:
    • Identifies the rbm-mc.xsl style sheet in the mapcred directory of the myserver.domain.com server as the style sheet for custom authentication. File retrieval uses the HTTPS protocol.
      # mc-method custom
      # mc-custom-url https://myserver.domain.com/mapcred/rbm.xsl
    mc-info-url specifies the...

  • Page 625

    Beyond specifying the login DN when searching the LDAP for the group name, you need to use the following properties:
    • how to connect to the LDAP server. Use either approach:
      – the mc-server-host and mc-server-port commands
      – the mc-loadbalancer-group command
    • optionally associate an existing SSL p...

  • Page 626

      – the mc-loadbalancer-group command
    • optionally associate an existing SSL proxy profile object to use secure communication with the LDAP server with the mc-ldap-sslproxy command
    • specify the login DN to access the LDAP server with the mc-ldap-bind-dn command
    • optionally associate an existing LDAP...

  • Page 627

    • specify the login DN to access the LDAP server with the mc-ldap-bind-dn command
    • specify the user's password with the mc-ldap-bind-password command
    Related commands: mc-ldap-bind-dn, mc-ldap-bind-password, mc-ldap-search, mc-ldap-sslproxy, mc-loadbalancer-group, mc-method, mc-server-host, mc-ser...

  • Page 628

    • optionally associate an existing LDAP search parameters object with the mc-ldap-parameters command
    Related commands: mc-ldap-bind-dn, mc-ldap-bind-password, mc-ldap-parameters, mc-ldap-sslproxy, mc-loadbalancer-group, mc-server-host, mc-server-port
    Examples:
    • Uses a local XML file to map credenti...

  • Page 629

    Related commands: mc-ldap-bind-dn, mc-ldap-parameters, mc-ldap-bind-password, mc-ldap-search, mc-loadbalancer-group, mc-server-host, mc-server-port
    Examples:
    • Uses the ldapone SSL proxy profile for secure communications.
      # ldap-sslproxy ldapone
    mc-loadbalancer-group assigns a load balancer group ...

  • Page 631

    • Sets the authorization method to local.
      # mc-method local
    mc-server-host specifies the IP address or domain name of a remote credentials server.
    Syntax: mc-server-host host
    Parameters: host specifies the IP address or domain name of the server.
    Guidelines: The mc-server-host command specifies the i...

  • Page 632

    mc-server-port specifies the port on the credentials server.
    Syntax: mc-server-port port
    Parameters: port specifies the port number of the credentials server.
    Guidelines: The mc-server-port command specifies the listening port on the credentials server. This command is relevant only in the following si...

  • Page 633

    Parameters:
    • on requires the periodic change of passwords.
    • off (default) allows continued use of passwords.
    Guidelines: If password aging is enabled, use the pwd-max-age command to specify the maximum shelf-life of a user password.
    Related commands: pwd-max-age
    Examples:
    • Requires passwords to be change...

  • Page 635

    Syntax: pwd-max-history count
    Parameters: count specifies the number of passwords to retain. Use an integer in the range of 1 through 65535. The default is 5.
    Guidelines: If password reuse is enabled, use the pwd-max-history command to specify the number of recent passwords to retain. Passwords that ar...

  • Page 636

    • off (default) indicates that passwords do not require uppercase and lowercase characters.
    Guidelines: When enabled, a password that mixes uppercase and lowercase characters is acceptable, but an all-lowercase or all-uppercase password is not acceptable. When disabled, all three forms are acceptable.
    Related commands: pwd-digit, pwd-minimum-length, pwd-no...

  • Page 638

    • Allows access by the admin account to all access methods.
      # restrict-admin off

  • Page 639

    Chapter 65. Schema exception map configuration mode
    This chapter provides an alphabetic listing of commands that are available in schema exception map configuration mode. To enter this configuration mode, use the global schema-exception-map command. All of the commands that are listed in “Common com...

  • Page 640

    Related commands: original-schema
    Examples:
    • Creates the sem-1 schema exception map. Specifies store:///schema-12b.xsd as the target schema and adds a rule to the current schema exception map, which requires that all ssn nodes be encrypted.
      # schema-exception-map sem-1
      Schema exception map configuration ...

  • Page 641

    Chapter 66. Simple rate limiter configuration mode
    This chapter provides an alphabetic listing of commands that are available in simple rate limiter configuration mode. To enter this configuration mode, use the global simple-rate-limiter command. While in this mode, define the simple rate limiter. A...

  • Page 642

    Related commands: distinct-sources, tps
    distinct-sources determines the number of distinct sources, or user identities, tracked by the limiter.
    Syntax: distinct-sources count
    Parameters: count specifies the number of distinct sources tracked by this limiter. The default is 10000.
    Related commands: conc...

  • Page 643

    Chapter 67. SLM action configuration mode
    This chapter provides an alphabetic listing of commands that are available in SLM action configuration mode. SLM is the abbreviation for service level monitor. To enter this configuration mode, use the global slm-action command. Many of the commands that are...

  • Page 644

    Syntax: type type
    Parameters: type identifies the administrative procedure. Use one of the following keywords:
    • log-only generates a log message when the current action is triggered and continues to process transactions.
    • reject generates a log message and drops traffic when the current action is trigge...

  • Page 645

    Chapter 68. SLM credential class configuration mode
    This chapter provides an alphabetic listing of commands that are available in SLM credential class configuration mode. To enter this configuration mode, use the global slm-cred command. Many of the commands that are listed in “Common commands” on p...

  • Page 646

    to the SLM policy. The subset is defined by one or more entries specified by the value command. The policy statement is evaluated only in the event of a match.
    Guidelines: A credential class defines a user group subject to an SLM policy. It consists of:
    • a credential type (defined by the type comman...

  • Page 647

      # slm-cred extranetpartner
      SLM credential class configuration mode
      # type custom-stylesheet
      # stylesheet local:///extranetpartner.xsl
    • Removes the specified style sheet from the credentials class.
      # no stylesheet local:///extranetpartner.xsl
    type specifies the group of credentials subject to th...

  • Page 648

    • a credential value (defined by the value command), which is used when the match type is exact-match to identify specific members of a credential class subject to an SLM policy
    The aaa-mapped-credential and aaa-username types can only be used if the processing rule that uses this credentials class ...

  • Page 649

    The value command is ignored when the credential class type is custom-stylesheet. Use the no value command to remove an exact match value.
    Examples:
    • Creates the extranetpartner SLM credential class. Specifies that credential class membership is based on source IP address, and that only the defined...

  • Page 651

    Chapter 69. SLM policy configuration mode
    This chapter provides an alphabetic listing of commands that are available in SLM policy configuration mode. SLM is the abbreviation for service level monitor. To enter this configuration mode, use the global slm-policy command. Many of the commands that are...

  • Page 652

    peer-group associates a peer group.
    Syntax: peer-group name
    Parameters: name specifies the name of an existing peer group object.
    Guidelines: The peer-group command assigns a peer group object to the SLM policy. This peer group enables the aggregation and sharing of SLM data across similarly configured...

  • Page 653

    interval-length specifies the length of the measurement interval in seconds. The default is 0, which allows all messages and never triggers the threshold to enforce the SLM action.
    interval-type specifies the threshold type and takes one of the following values:
    • fixed indicates a fixed interval. A f...

  • Page 654

    threshold-level specifies the threshold that triggers the SLM action. If the algorithm is high-low-thresholds, specifies the high threshold. The unit of measure depends on the threshold type.
    • If the threshold is a count, specify an integer for the aggregate count.
    • If the threshold is latency, ...

  • Page 655

    Chapter 70. SLM resource class configuration mode
    This chapter provides an alphabetic listing of commands that are available in SLM resource class configuration mode. SLM is an abbreviation for service level monitor. To enter this configuration mode, use the global slm-rsrc command. Many of the commands tha...

  • Page 656

    Examples:
    • Creates the profitlossstatements resource class. Specifies that membership in the resource class is defined by the destination URL method. Coverage by the resource class is restricted to a specific subset of destination URLs that contain www.datapower.com.
      # slm-rsrc profitlossstatements...

  • Page 657

    Guidelines: Specifies the subscription key. Applicable only when the resource method (as defined by the type command) is uddi-subscription. Use the no subscription command to delete a UDDI-based credential-source.
    Examples:
    • Specifies the uddi:8b071240-428d-11db-a30b-47fc0b00a30a subscription key.
      # ...

  • Page 658

    • response-message restricts membership to all server responses.
    • soap-fault restricts membership to SOAP fault messages.
    • uddi-subscription defines membership by a UDDI subscription key.
    • wsdl defines membership by a WSDL file.
    • wsdl-operation defines membership by the name of a WSDL operation.
    • wsdl-port ...

  • Page 659

    Examples:
    • Creates the profitlossstatements resource class. Specifies that membership in the resource class is defined by the destination URL method. Coverage by the resource class is restricted to a specific subset of destination URLs that contain www.datapower.com.
      # slm-rsrc profitlossstatements...

  • Page 660

    Parameters: expression specifies the operative XPath expression.
    Guidelines: Specifies the XPath expression to produce resource identification. Used only if the resource method (as defined by the type command) is xpath-filter. Use the no xpath-filter command to delete an XPath-based credential-source....

  • Page 661

    Chapter 71. SLM schedule configuration mode
    This chapter provides an alphabetic listing of commands that are available in SLM schedule configuration mode. SLM is an abbreviation for service level monitor. To enter this configuration mode, use the global slm-sched command. Many of the commands that a...

  • Page 662

    Parameters: minutes specifies the number of minutes that the current SLM schedule is operational. Use an integer in the range of 0 through 1439. The default is 1439.
    Guidelines: Use the command in conjunction with start to define specific time blocks during which this SLM schedule is operational.
    Rela...

  • Page 663

    Chapter 72. SNMP settings configuration mode
    This chapter provides an alphabetic listing of commands that are available in SNMP settings configuration mode. To enter this configuration mode, use the global snmp command. All of the commands that are listed in “Common commands” on page 2 and most, but...

  • Page 664

    Use the no access command to delete a previously configured SNMP manager.
    Examples:
    • Creates a read-only community. Any SNMP manager using the public community is granted read-only access to the local agent.
      # access public read-only
    • Specifies two SNMP managers granted access to the local agent...

  • Page 665

    Syntax: trap-code code
    no trap-code code
    Parameters: code specifies the hexadecimal identifier of an event code.
    Guidelines: The trap-code command specifies individual event codes to add to the trap list. Invoke this command for each event to add to the list. Use the no trap-code command to delete a pr...

  • Page 666

    Parameters: address specifies the IP address that receives traps. port optionally identifies a UDP port at the IP address. Use an integer in the range of 0 to 65535. The default is 162. community optionally provides a community name (essentially a password) that is included within the SNMP message he...

  • Page 667

    • Specifies support for SNMP version 2c, the default state.
      # version 2c

  • Page 669

    Chapter 73. SOAP header disposition table configuration mode
    This chapter provides an alphabetic listing of commands that are available in SOAP header disposition table configuration mode. To enter this configuration mode, use the global soap-disposition command. A SOAP header disposition table obje...

  • Page 670

    Guidelines: The refine command defines an item of SOAP header processing instruction to include in the list of items returned by the SOAP header disposition table object. Issue this command as many times as needed to include all desired items. Use the no refine command to delete the entire list of it...

  • Page 671

    Chapter 74. Stateful raw XML handler configuration mode
    This chapter provides an alphabetic listing of commands that are available in stateful raw XML handler configuration mode. To enter this configuration mode, use the global source-stateful-tcp command. While in this mode, define the client-side ...

  • Page 672

    Parameters:
    • on abandons the session in the event of a fault condition.
    • off (default) maintains the session in the event of a fault.
    Examples:
    • Causes the DataPower appliance to close front and back TCP connections if the appliance generates a fault.
      # close-on-fault on
      or
      # no close-on-fault
    • Re...

  • Page 673

    port specifies the TCP port to monitor for client requests.
    Syntax: port port
    Parameters: port binds the stateful raw XML handler to a specific port.
    Guidelines: This command only sets the TCP port for the stateful raw XML handler. This port applies to all configured local addresses. Use the local-addr...

  • Page 674

    Syntax: remote-port port
    Parameters: port binds the stateful raw XML handler to a specific port.
    Guidelines: This command only sets the remote TCP port for the stateful raw XML handler. Use the remote-address command to set the remote IP address.
    Related commands: local-address, port, remote-address
    Ex...

  • Page 675

    Chapter 75. Stateless raw XML handler configuration mode
    This chapter provides an alphabetic listing of commands that are available in stateless raw XML handler configuration mode. To enter this configuration mode, use the global source-raw command. While in this mode, define the client-side traffic...

  • Page 676

    Parameters: address binds the stateless raw XML handler to a single, specific interface-port pair. 0 binds the stateless raw XML handler to the specified port on all enabled interfaces.
    Guidelines: This command only sets the IP address for the stateless raw XML handler. Use the port command to set the...

  • Page 677

      # no persistent-connections
    • Enables persistent connection negotiation, which restores the default state.
      # persistent-connections on
      or
      # persistent-connections
    port specifies the TCP port to monitor for client requests.
    Syntax: port port
    Parameters: port binds the stateless raw XML handler to...

  • Page 678

    Use the no ssl command to remove the SSL proxy profile assignment.
    Examples:
    • Assigns the ssl-1 SSL proxy to the current stateless raw XML handler.
      # ssl ssl-1
    • Removes the assignment of the ssl-1 SSL proxy from the current stateless raw XML handler.
      # no ssl ssl-1

  • Page 679

    Chapter 76. System settings configuration mode
    This chapter provides an alphabetic list of commands for system settings configuration mode. To enter this configuration mode, use the global system command. Most, but not all, of the commands in “Common commands” on page 2 and in Chapter 114, “Monitori...

  • Page 680

    Syntax: contact contact
    Parameters: contact identifies the person or function responsible for appliance maintenance.
    Guidelines: The contact command identifies the person who is responsible for managing the appliance. This information identifies the person who is responsible for managing this appliance...

  • Page 681

    Examples:
    • Specifies the xyzbanner.xml file in the store: directory as the custom user interface file.
      # custom-ui-file store:///xyzbanner.xml
    entitlement specifies the original serial number.
    Syntax: entitlement original-serial-number
    Parameters: original-serial-number specifies the original serial n...

  • Page 682

    Syntax: name identifier
    Parameters: identifier specifies the identifier. Use a string up to 127 characters in length.
    Guidelines: The name command specifies the system identifier of the appliance. When the custom user interface file defines the command line extension, this identifier is added before the...

  • Page 683

    Chapter 77. TAM configuration mode
    This chapter provides an alphabetic listing of commands that are available in TAM configuration mode. TAM is an abbreviation for IBM Tivoli Access Manager. To enter this configuration mode, use the global tam command. All of the commands that are listed in “Common ...

  • Page 684

    Syntax: ldap-ssl-key-file-dn label
    Parameters: label specifies the subject DN of the certificate.
    Guidelines: The ldap-ssl-key-file-dn command specifies the subject DN of the certificate. When using client-side SSL and the key file contains multiple certificates, the DN specifies which certificate to u...

  • Page 685

    Related commands: use-ldap-ssl
    ssl-key specifies the location of the TAM SSL key file.
    Syntax: ssl-key name
    Parameters: name specifies the name of the TAM SSL key file.
    ssl-key-stash specifies the location of the TAM SSL key password stash file.
    Syntax: ssl-key-stash name
    Parameters: name specifies the name of...

  • Page 687

    Chapter 78. TFIM configuration mode
    This chapter provides an alphabetic listing of commands that are available in TFIM configuration mode. TFIM is the abbreviation for IBM Tivoli Federated Identity Manager. To enter this configuration mode, use the global tfim command. The DataPower appliance integr...

  • Page 688

    Related commands: tfim-compatible, tfim-custom-req-url
    Examples:
    • Indicates that the request token format for TFIM version 6.0 is SAML assertion 1.0.
      # tfim-compatible v6.0
      # tfim-60-req-tokenformat saml1.0
    • Indicates that the request token format for TFIM version 6.0 is a custom token that is de...

  • Page 689

    Related commands: tfim-compatible, tfim-custom-req-url
    Examples:
    • Indicates that the request token format for TFIM version 6.1 is a WS-Security X.509 token.
      # tfim-compatible v6.1
      # tfim-61-req-tokenformat wsx509token
    • Indicates that the request token format for TFIM version 6.1 is a custom token...

  • Page 690

    Related commands: tfim-compatible, tfim-custom-req-url
    Examples:
    • Indicates that the request token format for TFIM version 6.2 is a WS-Security X.509 token.
      # tfim-compatible v6.2
      # tfim-62-req-tokenformat wsx509token
    • Indicates that the request token format for TFIM version 6.2 is a custom token...

  • Page 691

    Parameters:
    • v6.0 indicates Tivoli Federated Identity Manager, version 6.0.
    • v6.1 indicates Tivoli Federated Identity Manager, version 6.1.
    • v6.2 indicates Tivoli Federated Identity Manager, version 6.2.
    Guidelines: The tfim-compatible command indicates the currently configured version of Tivoli Federate...

  • Page 692

      # tfim-compatible v6.1
      # tfim-61-req-tokenformat custom
      # tfim-custom-req-url local:///tfim-custom.xsl
    tfim-issuer specifies the identity that issued the request.
    Syntax: tfim-issuer issuer
    Parameters: issuer specifies the identity that issued the request in the following format: urn:itfim:wssm:toke...

  • Page 693

    Guidelines: The tfim-operation command specifies the name of the web services operation. To determine the correct value, consult your TFIM administrator. This command is optional for all TFIM version 6.1 or 6.2 request tokens except custom; otherwise, it is ignored.
    Related commands: tfim-61-req-toke...

  • Page 694

    Examples:
    • Indicates that the WSSM token consumer issued the request to access the TFIM web service located at /itfim-wssm/wssm-default/echowsdl/echoservice using the echoservice port type and the echo operation.
      # tfim-issuer urn:itfim:wssm:tokenconsumer
      # tfim-pathaddr /itfim-wssm/wssm-default/ech...

  • Page 695

    Related commands tfim-61-req-tokenformat , tfim-62-req-tokenformat, tfim-compatible, tfim-issuer, tfim-operation , tfim-pathaddr examples v indicates that the wssm token consumer issued the request to access the tfim web service located at /itfim-wssm/wssm-default/echowsdl/echoservice using the echo...

  • Page 696

    Guidelines the tfim-sslproxy command specifies the name of an existing ssl proxy profile to manage ssl communications with peers. The ssl proxy profile identifies the keys and certificates that are used in the handshake. Examples v specifies that tfim-sslproxy-1 is the ssl proxy profile to manage ss...

  • Page 697

    Chapter 79. Telnet service configuration mode this chapter provides an alphabetic listing of commands that are available in telnet service configuration mode. To enter this configuration mode, use the global cli telnet command. While in telnet configuration mode, define a telnet server that supports...

  • Page 698

    Related commands port. Examples • specifies 10.10.13.35:23000 as the local ip address-port that the current telnet service monitors. Telnet carries credentials and commands in cleartext, so bind the listener to a management-only address rather than a data interface. # cli telnet telnet-1 telnet service configuration mode # ip-address 10.10.13.35 # port 23000 # port specifies the local port to monitor for incoming cli traffic. Syntax...

  • Page 699

    Chapter 80. Throttle settings configuration mode this chapter provides an alphabetic listing of commands that are available in throttle settings configuration mode. To enter this configuration mode, use the global throttle command. While in throttle settings configuration mode, you define a threshol...

  • Page 700

    Related commands memory-terminate , timeout qcode-warn specifies the namespace-threshold for qcodes. Syntax qcode-warn percent parameters percent specifies the percentage of available namespace qcodes. Use an integer in the range of 5 through 100. The default is 10. Guidelines the qcode-warn command...

  • Page 701

    Off disables throttle settings log messages. Guidelines the status-log command controls the collection of throttle log messages. These messages pertain to available memory, available temporary file space, and available namespace qcodes. The criticality of these messages is set by the value of the st...

  • Page 702

    Guidelines the temp-fs-terminate command specifies the free temporary file space kill-threshold. This threshold is the point at which the appliance reboots. The appliance reboots after the duration defined by the timeout command. Related commands temp-fs-throttle, timeout. temp-fs-throttle specifies ...

  • Page 703

    Examples • specifies that the appliance reboots 20 seconds after free memory drops to 10% of total memory. # throttle throttle settings configuration mode # memory-terminate 10 # timeout 20 #

  • Page 704

    678 command reference.

  • Page 705

    Chapter 81. Timezone configuration mode this chapter provides an alphabetic listing of commands that are available in timezone configuration mode. To enter this configuration mode, use the global timezone command. All of the commands that are listed in “common commands” on page 2 and most, but not a...

  • Page 706

    Guidelines specifies the offset, in hours, of daylight savings time. This is typically 1, meaning that the clock moves forward or back 1 hour when the time boundary is crossed. Applies to the timezone that is identified by the name or custom command. Daylight-start-day specifies the day of the week ...

  • Page 707

    Related commands daylight-start-day , daylight-start-minutes, daylight-start-month, daylight-start-week examples v sets 2 am as the hour of the day when daylight savings time starts. # daylight-start-hour 2 # daylight-start-minutes specifies the minutes of the hour when daylight savings time starts....

  • Page 708

    V september v october v november v december guidelines applies to the timezone that is identified by the name or custom command. Related commands daylight-start-day , daylight-start-hours, daylight-start-minutes, daylight-start-week examples v sets april as the month of the year when daylight saving...

  • Page 709

    V monday v tuesday v wednesday v thursday v friday v saturday v sunday guidelines applies to the timezone that is identified by the name or custom command. Related commands daylight-stop-hours , daylight-stop-minutes, daylight-stop-month, daylight-stop-week examples v sets sunday as the day of the w...

  • Page 710

    Parameters minutes specifies the minutes of the hour when daylight savings time stops. Use an integer between 0 and 59. Guidelines applies to the timezone that is identified by the name or custom command. Related commands daylight-stop-day , daylight-stop-hours, daylight-stop-month, daylight-stop-we...

  • Page 711

    Daylight-stop-week specifies the week of the month when daylight savings time stops. Syntax daylight-stop-week week parameters week specifies the week of the month when daylight savings time stops. Use an integer between 1 and 5. Guidelines applies to the timezone that is identified by the name or c...

  • Page 712

    Name specifies the name of the timezone. This name is appended to the displayed time. Syntax name name parameters name specifies the name of a preset timezone. Value and meaning:
    • hst10: Honolulu, 10 hrs west of UTC, no DST
    • akst9akdt: Alaska, 9 hrs west, US DST rules
    • pst8pdt: Pacific, 8 hrs west, US DST rules
    • m...

  • Page 713

    Parameters hours specifies the offset in hours, relative to gmt, of the timezone. Use an integer between 0 and 12. Guidelines determines the number of hours the timezone is offset from gmt. Applies to the timezone that is identified by the name or custom command. Related commands direction , offset-...


  • Page 715

    Chapter 82. Uddi registry configuration mode this chapter provides an alphabetic listing of commands that are available in uddi registry configuration mode. To enter this configuration mode, use the global uddi-registry command. While in uddi registry configuration mode, define the parameters needed...

  • Page 716

    Port sets the tcp port. Syntax port port parameters port the tcp port number the registry uses to listen for requests. The default is 80. Publish-url sets the uri to send publish requests. Syntax publish-url uri parameters uri specifies the local path (uri) portion of the url used to send publish re...

  • Page 717

    Examples v enters uddi registry configuration mode to create the registry1 object. Sets the security uri. # uddi-registry registry1 new uddi registry registry1 # security-url "/web/uddi/security" ssl assigns an ssl proxy profile. Syntax ssl name parameters name specifies name of an existing ssl prox...

  • Page 718

    Subscription-url sets the uri for subscription requests. Syntax subscription-url uri parameters uri the local path (uri) portion of the url used to send subscription-related requests to the registry. Subscription requests will be sent to http(s)://hostname:port/subscription-url . A t...

  • Page 719

    Chapter 83. Uddi subscription configuration mode this chapter provides an alphabetic listing of commands that are available in uddi subscription configuration mode. To enter this configuration mode, use the uddi-subscription command. While in this mode, define the uddi subscription. All of the comma...

  • Page 720

    Related commands username registry determines the remote uddi registry that holds the subscriptions. Syntax registry name parameters name specifies the name of an existing uddi registry object. Related commands uddi-registry (global) username sets the username to authenticate with the remote uddi re...

  • Page 721

    Chapter 84. Url map configuration mode this chapter provides an alphabetic listing of commands that are available in url map configuration mode. To enter this configuration mode, use the global urlmap command. All of the commands that are listed in “common commands” on page 2 and most, but not all, ...

  • Page 722

    Related commands disable cache, disable flush, interval urlmap, test urlmap, test urlrefresh, urlmap, urlrefresh, xslrefresh. Examples • creates the urlmap-1 url map. Adds the match pattern https://www.amajoraccount.com/zeus/*xsl to the map. # urlmap urlmap-1 url map configuration mode # match htt...

  • Page 723

    Chapter 85. Url refresh policy configuration mode this chapter provides an alphabetic listing of commands that are available in url refresh policy configuration mode. To enter this configuration mode, use the global urlrefresh command. All of the commands that are listed in “common commands” on page...

  • Page 724

    Guidelines use the disable flush command to identify style sheets that should be preferentially cached. These style sheets remain in the cache for the full duration of the refresh cycle. This command overrides the setting in the xml manager for caching rules for a particular url that matches the url...

  • Page 725

    Protocol-specified defines a policy in which style sheets are cached on protocol semantics. Syntax protocol-specified map interval parameters map specifies the name of a url map. Interval specifies the frequency, in seconds, at which style sheets obtained via the url map are refreshed. Guidelines us...


  • Page 727

    Chapter 86. Url rewrite policy configuration mode this chapter provides an alphabetic listing of commands that are available in url rewrite policy configuration mode. To enter this configuration mode, use the global urlrewrite command. While in this configuration, define rewrite rules that perform t...

  • Page 728

    (.*)&[xX][sS][lL]=([^&]+)(.*) matches a string of the following format: 1. A text subpattern. 2. Followed by &. 3. Followed by x or X. 4. Followed by s or S. 5. Followed by l or L. 6. Followed by =. 7. Followed by a text subpattern that does not contain an ampersand (&) character. 8. Followed by a t...

  • Page 729

    False disables normalization. Guidelines the absolute-rewrite command creates a rewrite rule that rewrites the entire url based on a url match and adds the url rewrite rule to the current url rewrite policy. This rewrite rule operates on an entire url. The decoding (unescape) process replaces url es...

  • Page 730

    7. Followed by a text subpattern that does not contain an ampersand (&) character. 8. Followed by a text subpattern. Input-replace specifies the replacement value for the content-type header. Normalize specifies whether url strings are normalized. Normalizing a url compresses '.' and '..' and conver...

  • Page 731

    True (default) enables normalization. False disables normalization. Guidelines use the header-rewrite command to replace the contents of an arbitrary header. Pcre documentation is available at the http://www.pcre.org web site. Examples • adds a header rewrite rule to a url rewrite p...

  • Page 732

    1. A text subpattern. 2. Followed by xsl=. 3. Followed by a text subpattern. 4. Followed by ?. The backslash (\) in the pcre escapes the ?, so it matches a literal question mark instead of acting as a quantifier. 5. Followed by a text subpattern. (.*)&[xX][sS][lL]=([^&]+)(.*) matches a string of the following format: 1. A text subpattern. 2. Followed by &. 3. Foll...

  • Page 733

    Normalize specifies whether url strings are normalized. Normalizing a url compresses '.' and '..' and converts backward slashes (\) to forward slashes (/). True (default) enables normalization. False disables normalization. Guidelines the decoding (unescape) process replaces url escape sequences wit...
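    The decode-then-normalize pipeline described for url rewrite rules, and the url map wildcard match from chapter 84, as an added example that is not part of the manual or the appliance's own code. The PCRE `(.*)&[xX][sS][lL]=([^&]+)(.*)` is the one quoted above; `normalize_url`, `canonical`, `xsl_parameter` and `in_url_map` are assumed helper names, and the normalization algorithm (backslash to slash, collapse `.` and `..`) is an approximation of what the manual describes, not the appliance's parser. The last two checks show why rules should match the canonical form: a `%26`-encoded ampersand hides the `xsl=` parameter from a rule that skips decoding, and a `..` segment lets a url slip past a `/zeus/*xsl` map entry until the path is collapsed.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# The PCRE quoted in the url rewrite chapter, unchanged: group 2 is the xsl value.
XSL_QUERY = re.compile(r"(.*)&[xX][sS][lL]=([^&]+)(.*)")

# Splits a URL into (scheme://host, path, ?query). Assumed helper, not the appliance's parser.
_PARTS = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*://[^/?]*)?([^?]*)(\?.*)?$", re.S)


def normalize_url(url: str) -> str:
    """Assumed implementation of the manual's 'normalize' step: backslashes become
    forward slashes and '.' and '..' path segments are collapsed. The query string
    is left untouched; empty segments (double slashes) are dropped as a side effect."""
    url = url.replace("\\", "/")
    origin, path, query = _PARTS.match(url).groups()
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return (origin or "") + "/" + "/".join(segments) + (query or "")


def canonical(url: str, decode: bool = True, normalize: bool = True) -> str:
    """The decode (unescape) then normalize pipeline a rewrite rule runs before matching."""
    if decode:
        url = unquote(url)
    if normalize:
        url = normalize_url(url)
    return url


def xsl_parameter(url: str, **opts):
    """Value of an &xsl= query parameter when XSL_QUERY matches the canonical URL, else None."""
    m = XSL_QUERY.fullmatch(canonical(url, **opts))
    return m.group(2) if m else None


def in_url_map(pattern: str, url: str, **opts) -> bool:
    """url map / user agent style match: * any run, ? one character, [] a range."""
    return fnmatchcase(canonical(url, **opts), pattern)


if __name__ == "__main__":
    # Constructed inputs; the amajoraccount pattern is the one from the url map example.
    print(xsl_parameter("http://host/svc?a=1%26xsl=evil.xsl", decode=False))   # None
    print(xsl_parameter("http://host/svc?a=1%26xsl=evil.xsl"))                 # evil.xsl
    pat = "https://www.amajoraccount.com/zeus/*xsl"
    print(in_url_map(pat, "https://www.amajoraccount.com/zeus/../private/x.xsl", normalize=False))
    print(in_url_map(pat, "https://www.amajoraccount.com/zeus/../private/x.xsl"))
```

`fnmatchcase` is used rather than `fnmatch` so that the comparison is case-sensitive on every platform, matching the manual's description of the wildcards and nothing more.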


  • Page 735

    Chapter 87. User agent configuration mode this chapter provides an alphabetic listing of commands that are available in user agent configuration mode. To enter this configuration mode, use the global user-agent command. All of the commands that are listed in “common commands” on page 2 and most, but...

  • Page 736

    Examples • injects the procinst http header field that contains a value of 0 into all urls matching the *datapower.com* match expression. # add-header-policy *datapower.com* procinst 0 # • removes the header injection policy. # no add-header-policy *datapower.com* # basicauth creates a basic authenti...

  • Page 741

    Guidelines the user agent request header field contains information about the user agent initiating the request, that is the appliance. By default the appliance does not include a user agent request-header field. Max-redirects specifies the maximum number of http redirect messages. Syntax max-redire...

  • Page 742

    None specifies that the url set that is defined by the match pattern is not forwarded to an http proxy. Guidelines a proxy policy associates a url set with a specific http proxy. You can create multiple proxy policies. In this case, candidate urls are evaluated against each policy in turn. Consequen...

  • Page 743

    ? The single character wildcard matches one occurrence of any single character. [] the delimiters bracket a character or numeric range: [1-5] matches 1, 2, 3, 4, or 5 [xy] matches x or y key specifies the crypto key object used in the authentication process. This key must reside on the appliance. Gu...

  • Page 744

    [] the delimiters bracket a character or numeric range: [1-5] matches 1, 2, 3, 4, or 5 [xy] matches x or y on enables version restrictions. Off disables version restrictions. Alternatively, use the no restrict-http-policy- policy command. Guidelines an http version restriction policy limits access t...

  • Page 745

    Use the no soap-action command to remove the soapaction header injection policy. Examples • injects the soapaction header field that contains a value of http://example.org/add into all urls matching the *datapower.com* match expression. # soap-action *datapower.com* http://example.org/add # • remov...

  • Page 746

    Examples • creates an ssl policy for use by the current user agent. When fetching a url conforming to the specified match pattern, the user agent uses the ssl-ua1 ssl profile. # ssl https://*/testbase/* ssl-ua1 # timeout specifies the user agent idle timeout value. Syntax timeout time parameters time...

  • Page 747

    Chapter 88. User configuration mode this chapter provides an alphabetic listing of commands that are available in user configuration mode. To enter this configuration mode, use the global user command. Many of the commands that are listed in “common commands” on page 2 and most, but not all, of the ...

  • Page 748

    V the user is a member of a user group, but the user group does not define access policies. In these cases, the domain command defines access through all interfaces (webgui, command line, xml management interface). With access policies in the user group, the domain command can limit access to specif...

  • Page 749

    Guidelines you must assign a password to a newly created account. Related commands access-level , group snmp-cred adds snmp v3 credentials to this account. Syntax snmp-cred engine-id authentication-protocol authentication-secret-type authentication-secret privacy-protocol privacy-secret-type privacy...

  • Page 750

    You can use colons (:) between each two hexadecimal characters. Privacy-protocol identifies which privacy (encryption) protocol to use. None the account has no privacy key. Des (default) the account uses cbc-des as the privacy protocol. Aes the account uses cfb128-aes-128 as the privacy protocol. Single DES is obsolete by current standards; choose aes whenever the SNMP manager supports it. Pr...

  • Page 751

    Algorithm, and with no privacy algorithm. The password is maplesyrup, which will be converted to a localized key for the specified engine id (000000000000000000000002). Snmp-cred 000000000000000000000002 md5 password maplesyrup none password "" v creates snmp v3 credentials for this account on the r...
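    The "converted to a localized key for the specified engine id" step above is the RFC 3414 password-to-key algorithm, shown here as an added example rather than the appliance's code. The password and engine id are the ones from the manual's snmp-cred example (`maplesyrup`, `000000000000000000000002`), which are also the RFC 3414 appendix test vector, so the expected digests are known. The function names `password_to_ku`, `localize`, `parse_engine_id` and `localized_key` are assumptions; the engine id parser accepts the colon-separated hex form the manual allows.

```python
import hashlib

ONE_MEBIBYTE = 1_048_576


def password_to_ku(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated to exactly 1,048,576 bytes (Ku)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEBIBYTE // len(pw) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(algo, stream).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), bound to one agent's engine id."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Engine id as the snmp-cred command takes it: hex digits, optionally colon separated."""
    return bytes.fromhex(text.replace(":", ""))


def localized_key(password: str, engine_id: str, protocol: str = "md5") -> str:
    """Localized key (hex) for an snmp-cred entry given in password form."""
    algo = {"md5": "md5", "sha": "sha1"}[protocol]
    ku = password_to_ku(password, algo)
    return localize(ku, parse_engine_id(engine_id), algo).hex()


if __name__ == "__main__":
    # The manual's example: md5 authentication, password maplesyrup, engine id ...02.
    print(localized_key("maplesyrup", "000000000000000000000002"))
    # Same password on a different engine yields a different key, which is the point
    # of localization: one compromised agent does not expose the others.
    print(localized_key("maplesyrup", "000000000000000000000003"))
```

Because the engine id is mixed into the final digest, the key stored for one agent is useless against another agent that shares the same password; that is why the manual requires the engine id when the secret is given as a password.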


  • Page 753

    Chapter 89. User group configuration mode this chapter provides an alphabetic listing of commands that are available in user group configuration mode. To enter this configuration mode, use the global usergroup command. All of the commands that are listed in “common commands” on page 2 and most, but ...

  • Page 754

    D delete existing object x execute guidelines the access-policy command assigns one or more access policy statements to the user group. If there are more than one statement, the statements are cumulative. If more than one statement applies to the same resource, the most specific statement will apply...

  • Page 755

    Related commands delete examples v adds access to configuration mode, url map mode, url refresh mode, url rewrite policy configuration mode, matching rule configuration mode, stylesheet policy configuration mode, and xsl proxy configuration mode to members of the stylesheet user group. # usergroup s...


  • Page 757

    Chapter 90. Vlan configuration mode this chapter provides an alphabetic listing of commands that are available in vlan configuration mode. To enter this configuration mode, use the global vlan-sub-interface command. In this configuration mode, all of the commands that are in “common commands” on pag...

  • Page 758

    Guidelines the dhcp command enables or disables the dynamic host configuration protocol (dhcp) client. By default, dhcp is disabled. When enabled, the dhcp client can obtain the following parameters from the dhcp server: • interface ip address • default gateway ip address • dns ip address to disabl...

  • Page 759

    Guidelines the interface command specifies the ethernet interface that provides connectivity to the vlan interface. Even if the ethernet interface is not configured with an ip address, this command enables that ethernet port. Depending on model type, the appliance provides three or four ethernet int...

  • Page 760

    Ip default-gateway specifies the default gateway. Syntax ip default-gateway gateway no ip default-gateway parameters gateway specifies the host name or ip address. Guidelines the ip default-gateway command specifies the default gateway that is reachable by the current interface. You can define the d...

  • Page 761

    Examples v adds a static route with destination network 10.10.10.0, subnet mask /27 (equivalent to 255.255.255.224), and next-hop gateway 192.168.1.100 to the routing table. # ip route 10.10.10.0/27 192.168.1.100 # or # ip route 10.10.10.0 255.255.255.224 192.168.1.100 # v deletes a static route wit...

  • Page 762

    Outbound-priority sets the priority of outbound packets. Syntax outbound-priority priority parameters priority specifies the priority value. Use an integer in the range of 0 through 7. The default is 0. Guidelines the outbound-priority command sets the priority value to place in outgoing vlan header...

  • Page 763

    Examples v initiates a packet-capture session on ethernet 0. Packet-capture data is written to the file eth0trace in the general storage directory. The session terminates after 30 seconds or when eth0trace contains 2500 kilobytes of data (whichever occurs first). # packet-capture store://eth0trace 1...

  • Page 765

    To disable a failover configuration or to disable preemption, use the no standby command related commands interface , ip address examples v assigns vlan-1 to standby group 2. Specifies a vip of 10.10.66.66. Not specifying a priority (accepting the default of 100) ensures that the interface is the ac...

  • Page 766

    # vlan vlan-3 modify vlan sub-interface configuration # no standby 2 # exit • deletes all standby groups on vlan-3. # vlan vlan-3 modify vlan sub-interface configuration # no standby # exit

  • Page 767: Configuration Mode

    Chapter 91. Web application error handling policy configuration mode this chapter provides an alphabetic listing of commands that are available in web application error handling policy configuration mode. To enter this mode, use the global webapp-error-handling command. The global command creates th...

  • Page 769

    Chapter 92. Web application firewall configuration mode this chapter provides an alphabetical listing of commands that are available in web application firewall configuration mode. To enter this configuration mode, use the global web-application-firewall command. The global command creates the web a...

  • Page 770

    Parameters time specifies the maximum intra-transaction idle time. Use an integer in the range of 10 to 86400. The default is 120. Guidelines sets the intra-transaction timeout value, the maximum idle time allowed within a transaction on the firewall-to-server connection. This timer, for example, mo...

  • Page 771

    Parameters name specifies the name of an existing error handling policy. Related commands security-policy , webapp-error-handling (global) guidelines an error policy determines the handling of errors encountered during processing. This is the default behavior for all requests and responses. It may b...

  • Page 772

    Guidelines sets the inter-transaction timeout value, the maximum idle time allowed between the completion of a tcp transaction and the initiation of a new tcp transaction on the firewall-to-client connection. If the specified idle timeout is exceeded, the connection is torn down. An idle tcp connect...

  • Page 774

    Use-ssl controls ssl connections. Can be on or off. The default is off. When on, the ssl proxy profile that is specified with the ssl-profile command controls connections on this port. Related commands ssl-profile. Guidelines issue this command as many times as needed to add the desired addresses and...

  • Page 775

    Load-balancer specifies the name of an existing load balancer group that identifies server address-port pairs of its members. Related commands remote-port remote-port establishes the tcp port number of remote (backend) application server. Syntax remote-port port parameters port specifies the tcp por...

  • Page 776

    Syntax security-policy name parameters name specifies the name of an existing application security policy. Guidelines specifies an application security policy when configuring a web application firewall. Use the global application-security-policy command to create a policy. Related commands applicat...

  • Page 777

    Parameters buffer-until-verification (default) causes the web application firewall to buffer submitted messages until all processing is verified complete. After verification, forwards messages to the appropriate backend url. Stream-until-infraction causes the web application firewall to begin sendin...

  • Page 778

    Off disables uri normalization. Alternatively, use the no uri-normalization command. Guidelines enables or disables the normalization of uris before processing. If this property is enabled, the uri is rewritten to make sure the uri is rfc-compliant by escaping certain characters. Additionally, chara...

  • Page 779: Mode

    Chapter 93. Web application name value profile configuration mode this chapter provides an alphabetic listing of commands that are available in web application name value profile configuration mode. To enter this configuration mode, use the global webapp-gnvc command. The global command creates the ...

  • Page 780

    Parameters characters specifies the maximum number of characters in the name attribute. The default is 512. Related commands max-value-size. max-value-size specifies the maximum number of characters in the value attribute of name-value pairs to allow. Syntax max-value-size characters parameters charac...

  • Page 781

    Parameters error generates an error. The error handling policy or the error handling map can then handle the error condition. Passthru passes the name-value pair through for further processing. Set replaces the value attribute with the string set by the unvalidated-fixup-map command. Strip removes t...

  • Page 782

    Value-pcre specifies a pcre that is applied to a value input to see if it is an expected input. Policy specifies the action to take when a value does not match the expression. Values are as follows: error (default) the profile validation fails and an error is generated. Passthru passes the given nam...
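    The validation described on the last two pages (a value-pcre per name, a policy of error, passthru, set or strip on mismatch, a separate unvalidated-fixup policy for names no rule covers, and the max-name-size and max-value-size limits), worked as an added example over a query string. This is not the appliance's implementation: the `Rule`, `NameValueProfile`, `apply_profile`, `filter_query_string` and `is_rejected` names are assumed, the default of 1024 for `max_value_size` is a placeholder because this page does not show the manual's default, and the sample profile and inputs are constructed. The matching deliberately uses `re.fullmatch`, so that a value like `42; DROP TABLE` cannot satisfy `[0-9]{1,10}` by containing a digit somewhere; whether the appliance anchors its pcre the same way is not stated on the page, so a practitioner should anchor the expression explicitly.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl


class ProfileViolation(Exception):
    """Raised when a policy of 'error' fires; an error handling policy would take over."""


@dataclass
class Rule:
    name_pcre: str          # which names this rule validates
    value_pcre: str         # the value-pcre the value must satisfy
    policy: str = "error"   # action on mismatch: error | passthru | set | strip
    fixup: str = ""         # replacement value when policy is 'set'


@dataclass
class NameValueProfile:
    rules: list = field(default_factory=list)
    unvalidated_policy: str = "error"   # unvalidated-fixup-policy for names no rule covers
    unvalidated_fixup: str = ""         # unvalidated-fixup-map value used by 'set'
    max_name_size: int = 512            # the manual's default
    max_value_size: int = 1024          # assumed; the manual's default is not on this page


def _apply(policy: str, name: str, value: str, fixup: str):
    """Carry out one of the four policy actions; None means the pair is stripped."""
    if policy == "error":
        raise ProfileViolation(f"{name!r}={value!r} rejected")
    if policy == "passthru":
        return (name, value)
    if policy == "set":
        return (name, fixup)
    if policy == "strip":
        return None
    raise ValueError(f"unknown policy {policy!r}")


def apply_profile(profile: NameValueProfile, pairs):
    """Validate (name, value) pairs in order; returns the pairs that survive."""
    kept = []
    for name, value in pairs:
        if len(name) > profile.max_name_size or len(value) > profile.max_value_size:
            raise ProfileViolation(f"size limit exceeded for {name!r}")
        rule = next((r for r in profile.rules if re.fullmatch(r.name_pcre, name)), None)
        if rule is None:
            result = _apply(profile.unvalidated_policy, name, value, profile.unvalidated_fixup)
        elif re.fullmatch(rule.value_pcre, value):
            result = (name, value)
        else:
            result = _apply(rule.policy, name, value, rule.fixup)
        if result is not None:
            kept.append(result)
    return kept


def filter_query_string(profile: NameValueProfile, query_string: str):
    """Decode a query string into pairs and run the profile over it."""
    return apply_profile(profile, parse_qsl(query_string, keep_blank_values=True))


def is_rejected(profile: NameValueProfile, query_string: str) -> bool:
    try:
        filter_query_string(profile, query_string)
    except ProfileViolation:
        return True
    return False


# Constructed sample profile: numeric id (error on mismatch), two-letter lang (reset to
# 'en' on mismatch), debug flag dropped if malformed, every other name stripped.
SAMPLE_PROFILE = NameValueProfile(
    rules=[Rule("id", r"[0-9]{1,10}"),
           Rule("lang", r"[a-z]{2}", policy="set", fixup="en"),
           Rule("debug", r"[01]", policy="strip")],
    unvalidated_policy="strip",
)

if __name__ == "__main__":
    print(filter_query_string(SAMPLE_PROFILE, "id=42&lang=english&debug=yes&foo=bar"))
    print(is_rejected(SAMPLE_PROFILE, "id=42%3B+DROP+TABLE"))
```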

  • Page 783: Mode

    Chapter 94. Web application request profile configuration mode this chapter provides an alphabetic listing of commands that are available in web application request profile configuration mode. To enter this configuration mode, use the global webapp-request-profile command. The global command creates...

  • Page 784

    Guidelines the acl command assigns an access control list to the web application request profile. The access control list applies to all requests. Use the global acl command to create an access control list. Use the no acl command to remove the access control list. Without an access control list, no...

  • Page 785

    Guidelines the cookie-policy command sets the cookie processing policy for this request profile. Requests that violate these limits cause an error. By default, cookies are allowed, but they are not encrypted or signed. Use the global webapp-gnvc command to create a name-value profile. Examples v req...

  • Page 786

    Examples v assigns the req-1-errors error handling policy. # error-policy-override req-1-errors v sets the error handling policy to none, which effectively disables error handling. # no error-policy-override multipart-form-data sets the policy for processing multipart requests. Syntax multipart-form...

  • Page 787

    Request (the transaction request) is immediately forwarded to the back end service. No other matching profile is run. Pre-requisite if a request passes the criteria set forth in this profile, any other profiles that match the request may now run. The request is not necessarily forwarded to the back ...

  • Page 788

    # no ratelimiter-policy # request-body-max specifies the maximum request body size in bytes, if the http method provides a body. Syntax request-body-max bytes parameters bytes specifies the maximum request body size in bytes. The default is 128000000. Related commands request-body-min request-body-m...

  • Page 789

    Use the no request-body-profile command to remove any profile assigned using this command. Related commands webapp-gnvc (global) request-content-type sets the http content types to allow. Syntax request-content-type pcre no request-content-type pcre no request-content-type parameters pcre specifies ...

  • Page 790

    Parameters name specifies the name of an existing name-value profile. Guidelines if no name-value profile is specified, no processing occurs. Use the global webapp-gnvc command to create a new profile. Use the no request-header-profile command to remove any name-value profile that is assigned. Relat...

  • Page 792

    Examples v sets the policy for non-xml requests to run a side effect processing rule, which does not change the content of the request but does check authentication. The processing rule is then identified. # request-nonxml-policy side # request-nonxml-rule request-aaa # request-qs-policy determines ...

  • Page 796

    Examples v sets the policy for xml requests to validate that the request is well-formed xml. A processing rule is then configured to run on the request. # request-xml-policy xml # request-xml-rule request-aaa # session-policy assigns a session management policy. Syntax session-policy name no session...

  • Page 797: Mode

    Chapter 95. Web application response profile configuration mode this chapter provides an alphabetic listing of commands that are available in web application response profile configuration mode. To enter this configuration mode, use the global webapp-response-profile command. The global command crea...

  • Page 799

    Parameters bytes specifies the maximum size of the response body in bytes, if the http method provides a body. The default is 128000000. Related commands response-body-min response-body-min determine the minimum response body size if the http method provides a body. Syntax response-body-min bytes pa...

  • Page 800

    V http-402 — payment required v http-403 — forbidden v http-404 — not found v http-405 — method not allowed v http-406 — not acceptable v http-407 — proxy authentication required v http-408 — request timeout v http-409 — conflict v http-410 — gone v http-411 — length required v http-412 — preconditi...

  • Page 801

    # response-content-type text/html # response-content-type text/xml # • removes text/xml from the allowed content types. # no response-content-type text/xml # response-header-profile sets the name-value profile to process http header content. Syntax response-header-profile name no response-header-prof...

  • Page 802

    Output multistep processing contexts). The rule can perform such actions as authenticate and authorize, or send a copy of the response content to a third destination. Binary the appliance executes the non-xml processing rule specified. The response payload is submitted as an unparsed binary object. ...


  • Page 805: Configuration Mode

    Chapter 96. Web application session management policy configuration mode this chapter provides an alphabetic listing of commands that are available in web application session management policy configuration mode. To enter this configuration mode, use the global webapp-session-management command. The...

  • Page 806

    Guidelines the auto-renew command enables or disables the automatic renewal of a session whenever the user takes action. The click of a mouse or submission of a form constitutes a use. When enabled, the session lifetime measures idle time between uses. Related commands lifetime. lifetime determines t...

  • Page 807

    Chapter 97. Web management service configuration mode this chapter provides an alphabetic listing of commands that are available in web management service configuration mode. To enter this configuration mode, use the global web-mgmt command. All of the commands that are listed in “common commands” o...

  • Page 808

    Save-config-overwrite specifies system behavior after a running configuration is saved. Syntax save-config overwrite guidelines by default the save config button and the write mem command write the current running configuration to config:///autoconfig.cfg, and designate that file as the startup conf...

  • Page 809

    Chapter 98. Web service proxy configuration mode this chapter provides an alphabetic listing of commands that are available in web service proxy configuration mode. To enter this configuration mode, use the global wsgw command. The global command creates the named web service proxy if the proxy does...

  • Page 810

    Parameters bytes specifies the maximum number of bytes to allow in any attachment. The default is 2000000000. Guidelines a value of 0 specifies that size limitations are not enforced by this proxy. Attachments that exceed this size will result in a failure of the entire transaction. Related commands...

  • Page 811

    Guidelines if front side traffic is conveyed by standard http protocol, use this command to enable a default traffic handler. Otherwise, use the front-protocol command to assign one or more protocol-specific traffic handlers to the web service proxy. Related commands front-protocol back-attachment-f...

  • Page 812

    Back-timeout sets the intra-transaction timeout value. Syntax back-timeout timervalue parameters timervalue specifies the maximum intra-transaction idle time in seconds. Use an integer in the range of 10 to 86400. The default is 120. Related commands back-persistent-timeout , front-timeout, front-pe...

  • Page 813

    Examples v sets the static backend url to http://10.10.10.2:3000/services. # backend-url http://10.10.10.2:3000/services # v sets the static backend url to https://10.10.10.2:3000/services. To support the ssl connection with the backend server, assigns the clientssl ssl proxy profile to provide the ...

  • Page 814

    Guidelines the web service proxy can send an http 1.1 request to the backend server. In this case, the body of the document can be delimited by either content-length or chunked encoding. All servers will understand how to interpret content-length, and many applications will fail to understand chunke...

  • Page 815

    Guidelines if enabled, the web service proxy uses gzip to compress http transmissions to the server only if the server indicates the ability to process compressed documents in the accept-encoding http header field. The proxy signals compression usage in the transfer-encoding http header field. Gnu z...

  • Page 816

    Element-depth defines the maximum depth of element nesting in an xml document. Syntax element-depth depth parameters depth specifies the proxy-specific maximum depth of element nesting. The default is 512. Guidelines if proxy-specific parser limitations are enabled by the gateway-parser-limits comma...

  • Page 817

    Parameters allow specifies that external references are allowed and resolved. Forbid (default) specifies that external references cause the xml parser to abort. Ignore specifies that external references are ignored. External entities are replaced with an empty string. Follow-redirects enables or dis...

  • Page 818

    Syntax front-persistent-timeout timervalue parameters timervalue specifies the maximum inter-transaction idle time in seconds. Use an integer in the range of 0 through 7200. The default is 180. A time value of 0 disables persistent connections. Guidelines the front-persistent-timeout command sets th...

  • Page 819

    Syntax front-timeout timervalue parameters timervalue specifies the maximum intra-transaction idle time in seconds. Use an integer in the range of 10 to 86400. The default is 120. Guidelines sets the intra-transaction timeout value, the maximum idle time allowed within a transaction on the proxy-to-...

  • Page 820

    Syntax fwcred [fwcredname] no fwcred [fwcredname] parameters fwcredname specifies the name of an existing firewall credentials list. Guidelines a firewall credentials list specifies which keys and certificates are available to support web service proxy processing. In the absence of a firewall creden...

  • Page 822

    Use the no http-client-ip-label command to disable the reading of the http header to identify the ip address of the calling client. Examples v disables the reading of the http header to identify the ip address of the calling client. Subsequently, enables this function to read the ip address from the...

  • Page 824

    Uses the client ip address no load-balancer-hash-header parameters header specifies the name of the http header. Guidelines the load-balancer-hash-header command identifies the http header to use for calculating the hash for load balancing traffic to the backend servers. V when defined, the hash alg...

  • Page 825

    Syntax max-message-size [kilobytes] parameters kilobytes specifies the maximum number of kilobytes to scan before the document is considered malicious and dropped. Use an integer in the range of 0 through 2097151. The default is 0. A value of 0 specifies unlimited size. Guidelines the specified kilo...

  • Page 826

    When enabled and there are no mime headers in the message, the datapower service will try to parse the message by using the protocol header information, if available. When disabled and mime headers are in the body of the message, the mime headers are considered part of the preamble. The mime headers ...

  • Page 827

    Syntax assigns a count monitor monitor-count name removes a count monitor no monitor-count [name] parameters name specifies the name of a count monitor. Guidelines use this command to add or to remove one or more count monitors. Count monitors watch for defined messaging events and increment counter...

  • Page 828

    Related commands monitor-count (global), monitor-service (global) examples v assigns the wsgw-duration duration monitor to the current proxy. # monitor-duration wsgw-duration # v removes the wsgw-duration duration monitor from the current proxy. # no monitor-duration wsgw-duration # v removes all du...

  • Page 829

    Use the no monitor-service command to remove the service level monitor assignment. Related commands monitor-count , monitor-duration examples v assigns the wsgw-service service level monitor to the current proxy. # monitor-service wsgw-service # v removes the wsgw-service service from the current pr...

  • Page 830

    Matches wsdl:service/@name when formatted as {servicenamespace}name . Subscription matches an identified subscription key. Wsdl matches when the operation requested in the current transaction is defined in the identified wsdl file. Wsdlcomponentvalue identifies the value of the wsdl-defined componen...

  • Page 831

    Operation ignores the policy defined for the operation policy subject. Messagein ignores the policy defined for the message policy subject for input messages. Messageout ignores the policy defined for the message policy subject for output messages. Wsdlcomponenttype specifies the type of the wsdl co...

  • Page 832

    V if wsdl, specifies either a url or the “local name” mnemonic that is assigned to the wsdl file. Subscription specifies the name of an existing subscription object. The property is meaningful only when the value of the component type is subscription. Operation-priority defines the priority for a sp...

  • Page 833

    V if port, specifies the name of the wsdl port. Use the wildcard character (*) to specify all ports. V if service, specifies the name of the wsdl service. Use the wildcard character (*) to specify all services. V if subscription, specify double quotation marks (""). Any specified value is ignored. V...

  • Page 834

    Examples v makes the recipient parameter with a value of alice and the type parameter with a value of content available to the current proxy. The default parameter namespace is used. # parameter recipient alice # parameter type content # v makes the foobar parameter with a value of value available to th...

  • Page 836

    V if wsdl, specifies either a url or the “local name” mnemonic that is assigned to the wsdl file. Subscription specifies the name of an existing subscription object. The property is meaningful only when the value of the component type is subscription. Guidelines to create a new policy parameters obj...

  • Page 837

    Depending on the protocol, the backend service might return a response code that indicates an error condition. For http messages, the response from the backend server might include a response body that contains xml that provides more details about the error. Propagate-uri enables or disables propaga...

  • Page 838

    Parameters namespace identifies the default namespace for query parameters. The default is the http://www.datapower.com/param/query namespace. Related commands default-param-namespace , parameter reliable-messaging controls reliable messaging properties. Syntax reliable-messaging options deliveryass...

  • Page 839

    Port matches when the operation requested in the current transaction is included in the identified wsdl port. Matches wsdl:service/wsdl:port/@name when formatted as {servicenamespace}port-name . Service matches when the operation requested in the current transaction is included in the identified wsd...

  • Page 840

    Reporting-interval specifies the number of seconds after a failed attempt to log a message at the error level instead of the default debug level. The minimum and default is 1. Total-retries specifies the total number of connection attempts to perform after the initial failed attempt. The minimum and...

  • Page 841

    Attachments are buffered when an action in the processing rule requests any of the following: v needed attachments v all attachments in the package before the needed attachment v all attachments in the package for a needed manifest v all attachments in the package if the package does not contain the...

  • Page 842

    Xml characterizes the traffic as raw (unencapsulated) xml. Soap (default) characterizes the traffic as soap. Unprocessed characterizes the traffic as non-xml traffic that is not transformed by the proxy. Related commands response-type , soap-schema-url response-attachments specifies the processing m...

  • Page 843

    Guidelines the response-attachments command specifies the processing mode for attachments in server responses (as defined in rfc 2387). This type of request is a compound object that consists of several interrelated body parts and is the mechanism that is used to support the bundling of attachments i...

  • Page 844

    Guidelines when streaming mime messages, specifies the action to take when the root part is not the first part of the message. If the root part must be first (for example to do conformance checking) and the action is set to process-in-order, the attachments up to the root will be buffered. This comm...

  • Page 845

    Soap-schema-url assigns a schema to validate incoming soap messages. Syntax soap-schema-url schemaurl parameters schemaurl specifies the url of the schema file to validate that soap messages conform to the soap schema. The default is the schemas/soap-envelope.xsd schema in the store: directory. Gui...

  • Page 847

    Related commands stream-output-to-back stylepolicy assigns a processing policy. Syntax stylepolicy wsprocessingpolicyname parameters wsprocessingpolicyname specifies the name of a processing policy. Guidelines you do not need to specify a processing policy to configure a web service proxy. If abse...

  • Page 848

    Examples v deletes the http authorization header from the traffic stream to the http server. # suppress back authorization # v restores the http authorization header to the traffic stream to the http server. # no suppress back authorization # type specifies the type of web service proxy. Syntax type...

  • Page 849

    You can add more than one uddi subscription to the current proxy by repeating this command. Use the no uddi-subscription command to remove the assignment of a uddi subscription from the current proxy. Related commands uddi-subscription (global) examples v adds the activityendpoint1 and activityendpo...

  • Page 850

    # no urlrewrite-policy # user-policy assigns a user-policy. Syntax user-policy target-namespace wsdl-file wsdl-service wsdl-porttype wsdl-binding wsdl-operation [behavior] no user-policy parameters target-namespace specifies namespace criteria for policy selection. The target namespace is found in t...

  • Page 851

    External clients. It is possible to enable an operation but not publish it until some other time. Also, it is possible to discontinue publishing an operation after a sunset period. Verifyfaults validates fault messages against the schema that is contained in the corresponding wsdl file. Not all wsdl...

  • Page 852

    Guidelines the wsa-back-protocol command is relevant when the datapower service provides asynchronous service (the wsa-genstyle command is async). In these topologies, this command specifies the front side protocol handler to receive the asynchronous response and forward that response to the origina...

  • Page 853

    Wsa-default-replyto force the inclusion of the replyto element in web services addressing (ws-addressing) messages. Syntax wsa-default-replyto replyurl parameters replyurl specifies the value of the replyto element. Guidelines the wsa-default-replyto command is relevant when the datapower service pr...

  • Page 854

    Parameters urlrewritepolicy specifies the name of the url rewrite policy. Guidelines the wsa-faultto-write command is relevant when the datapower service provides service for ws-addressing clients (the wsa-mode command is wsa2sync or wsa2wsa ). In these topologies, this command modifies the contents...

  • Page 855

    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous the fault-to header will contain the following default value: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous these default values can be overridden with the wsa-default-replyto and wsa-default-faultto commands. Related ...

  • Page 856

    If the request-response transmission model is oob, ensure that the web server proxy preserves explicit (non-anonymous), client-originated values for the replyto and faultto elements and passes these values intact to the server. Related commands wsa-back-protocol , wsa-http-async-response-code, wsa-m...

  • Page 857

    Wsa2sync specifies that the datapower service is mediating between hosts that support ws-addressing and servers that employ traditional addressing. Wsa2wsa specifies that the datapower service is mediating between hosts and servers that support ws-addressing. Guidelines the wsa-mode command specifie...

  • Page 858

    – strip the ws-addressing headers from any client-generated request before forwarding the request to the target server. The default behavior is to strip the ws-addressing headers. – rewrite the contents of, or supply default values, for client-generated replyto and faultto elements to specify the de...

  • Page 859

    Related commands absolute-rewrite , urlrewrite, wsa-mode, wsa-faultto-rewrite, wsa-to-rewrite examples v identifies wsaresponsehandler as the url rewrite policy used to modify the contents of the replyto element. # wsa-replyto-rewrite wsaresponsehandler # v removes the assignment of wsaresponsehandl...

  • Page 860

    Or # wsa-strip-headers # wsa-timeout specifies the asynchronous timeout value. Syntax wsa-timeout timervalue parameters timervalue specifies the maximum wait period in seconds. Use an integer in the range of 1 through 4000000. The default is 120. Guidelines the wsa-timeout command specifies the maxi...

  • Page 861

    Related commands wsa-mode wsdl assigns or removes a source wsdl file. Syntax wsdl source-location local-name [policy-attachment] no wsdl source-location parameters source-location specifies the exact location (url) of the wsdl file. The file can be stored on the appliance or on a remote server (for ...

  • Page 862

    Wsdl-cache-policy establishes a wsdl caching policy file with the current web service proxy. Syntax wsdl-cache-policy wsdllocation ttlvalue parameters wsdllocation specifies the location of one or more wsdl files. Ttlvalue specifies the number of seconds before the proxy refreshes the wsdl files. Gu...

  • Page 866

    Syntax wsrm-destination-maximum-sequences maximumsequences parameters maximumsequences specifies the maximum number of simultaneous active sequences. The default is 400. Guidelines the wsrm-destination-maximum-sequences command sets a limit on the maximum number of simultaneously active sequences to...

  • Page 867

    Off (default) does not require reliable messaging for all responses. Guidelines the wsrm-response-force command indicates whether to require the use of reliable messaging for all soap messages that response rules process. Any soap message without a sequence results in a soap fault. Note: when ws-add...

  • Page 868

    Soap responses from the server. The front side protocol handler must be associated with the same datapower service where the corresponding reliable messaging sequence is occurring. This property controls whether the backside reliable messaging source uses a unique url to receive asynchronous acks fr...

  • Page 869

    Parameters handler specifies the name of an existing front side protocol handler. Guidelines the wsrm-source-front-acks-to command identifies the front side protocol handler to receive the asynchronous reliable messaging sequenceacknowledgement soap responses from the client. The front side protocol...

  • Page 871

    Parameters limit specifies the number of simultaneous active sequences. Use an integer in the range of 1 through 2048. The default is 400. Guidelines the wsrm-source-maximum-sequences command sets a limit on the maximum number of simultaneously active sequences from reliable messaging sources of this...

  • Page 872

    To sent to the server and when there is no reliable messaging source that was created by a makeoffer from the server. The reliable messaging source is created by sending a createsequence soap request to the server address. Related commands wsrm , wsrm-source-exponential-backoff, wsrm-source-inactivi...

  • Page 873

    Related commands wsrm , wsrm-destination-accept-offers, wsrm-source-exponential-backoff, wsrm-source-request-create-sequence , wsrm-source-response-create-sequence wsrm-source-retransmit-count specifies the number of times to retransmit a message. Syntax wsrm-source-retransmit-count count parameters...

  • Page 874

    Xml-manager assigns an xml manager. Syntax xml-manager name parameters name specifies the name of the xml manager. Guidelines the xml-manager command assigns an xml manager to the web service proxy. An xml manager obtains and controls resources required by the web service proxy. In the absence of an ...

  • Page 875

    Chapter 99. Web services management agent configuration mode this chapter provides an alphabetic listing of commands that are available in web services monitor agent configuration mode. To enter this configuration mode, use the global wsm-agent command. All of the commands that are listed in “common...

  • Page 876

    Guidelines capture-mode identifies messages that are captured and forwarded to a web services manager for further analysis. Not all web service management protocols accommodate full message capture. Use the all-messages option only if the spooler can forward full messages. Use of this option incurs ...

  • Page 877

    Chapter 100. Web services monitor configuration mode this chapter provides an alphabetic listing of commands that are available in web services monitor configuration mode. To enter this configuration mode, use the global service-monitor command. All of the commands that are listed in “common command...

  • Page 878

    You can use wildcards to define a match pattern as follows: * the string wildcard matches 0 or more occurrences of any character. ? The single character wildcard matches one occurrence of any single character. [] the delimiters bracket a character or numeric range: [1-5] matches 1, 2, 3, 4, or 5 [xy...

  • Page 879

    Examples v specifies monitor operations, generates log entries in response to more than 30 transactions per second, and throttles excessive transactions (greater than 50 per second). # service-monitor wsmonitor-2 web services monitor configuration mode # operation all rate low 30 log # operation all...

  • Page 880

    854 command reference.

  • Page 881

    Chapter 101. Ws-proxy endpoint rewrite configuration mode this chapter provides an alphabetic listing of commands that are available in ws-proxy endpoint rewrite configuration mode. While in this configuration mode, you can define an endpoint rewrite policy that a web service proxy service uses. To ...

  • Page 882

    Soap-11 uses the soap 1.1 binding for wsdl 1.1 (http://schemas.xmlsoap.org/wsdl/soap11/). Soap-12 uses the soap 1.2 binding for wsdl 1.1 (http://schemas.xmlsoap.org/wsdl/soap12/). Guidelines all of the arguments for the backend-rule command must be specified in the documented order. A remote end...

  • Page 883

    This argument is relevant when use-front-protocol is off. This argument is ignored when use-front-protocol is on. Host specifies the part of the url from web service binding that specifies the host alias or ip address. The default is 0.0.0.0. This argument is relevant when use-front-protocol is off....

  • Page 884

    # wsm-endpointrewrite testing ws-proxy endpoint rewrite configuration mode # listener-rule ".*" "default" "0.0.0.0" "0" "/search/beta2" "searcher" "on" # publisher-rule adds, edits, or deletes a publish endpoint rewrite rule. Syntax publisher-rule pattern protocol host port uri parameters pattern sp...

  • Page 885

    # wsm-endpointrewrite somebanking ws-proxy endpoint rewrite configuration mode # publisher-rule "{http://somebank.com}somebankport" "http" "10.10.13.35" "2068" "/somebankservice/services/somebankport" # subscription-backend-rule adds, edits, or deletes a subscription remote endpoint rewrite rule. Sy...

  • Page 886

    A remote endpoint specifies the location to which requests are sent by a web service proxy after processing the request. This is the backend endpoint of the transaction. It is possible to direct traffic to an endpoint other than that specified in the underlying wsdl by rewriting the endpoint. Relat...

  • Page 887

    Uri specifies the part of the url from web service binding that specifies the local path. If no string is configured, the value from the wsdl will be used. Front-protocol specifies the front side handler to use for matching web service ports. This argument is relevant when use-front-protocol is on. ...

  • Page 888

    Parameters subscription specifies the name of an existing uddi subscription to match against a subscription that the proxy uses for this rewrite rule. Protocol specifies the part of the url from web service binding that specifies the protocol. Host specifies the part of the url from web service bind...

  • Page 889

    Chapter 102. Ws-proxy processing policy configuration mode this chapter provides an alphabetic listing of commands that are available in ws-proxy processing policy configuration mode. To enter this configuration mode, use the global wsm-stylepolicy command. All of the commands that are listed in “co...

  • Page 890

    Matches wsdl:binding/operation/@name when formatted as {bindingnamespace}name , or matches wsdl:service/wsdl:port when formatted as {servicenamespace}port-name/operation-name. Port matches when the operation requested in the current transaction is included in the identified wsdl port. Matches wsdl:s...

  • Page 891

    Guidelines use the no match command to delete all policy maps from the processing policy. To delete or modify a specific policy map, use the webgui. Examples v adds the star matching rule and the valclientserver processing rule. # match all "" star valclientserver # v adds the test matching rule and...


  • Page 893

    Chapter 103. Ws-proxy processing rule configuration mode this chapter provides an alphabetic listing of commands that are available in ws-proxy processing rule configuration mode. To enter this configuration mode, use the global wsm-rule command. All of the commands that are listed in “common comman...

  • Page 894

    Guidelines use the no action command to delete a named action from the current processing rule or to delete all actions from the current processing rule. Examples v applies the checkerror rule. # action checkerror # v deletes the checkerror rule from the current processing rule. # no action checkerr...

  • Page 895

    Authcomplete indicates the completion of an authentication process fault indicates a fault condition request indicates the input of a client-originated document response indicates the input of a server-originated document input-context optionally identifies the context in which the checkpoint is tri...

  • Page 896

    Syntax extract input-context output-context expression [variable] parameters input-context specifies the context to which to apply the xpath expression. Specify input to use the initial policy input, which is the original client request or server response. Output-context specifies the context that s...

  • Page 897

    Parameters url specifies the resource to be fetched and can be expressed as a url or as a var:// url that expands to a url. Output-context specifies the context in which to store the retrieved resource. Guidelines a fetch action retrieves a remote resource for use in a processing rule. You can use a...

  • Page 898

    Refer to appendix b, “processing policy procedures,” on page 999 for procedural details. Related commands validate examples v uses the specified style sheet to filter the original input. # filter input store:///filter-1.xsl # v uses the style sheet referenced by the filter variable in the tools cont...

  • Page 899

    Guidelines a log action generates a log message that contains the contents of a specified context and sends the message to a target location. Examples v sends the contents of the input context to the www.us.ibm/ragnarok/log target. # log input http://www.us.ibm/ragnarok/log # non-xml-processing enabl...

  • Page 901

    Results-async adds a results-async action. Syntax results context destination parameters context specifies the target context, which is the target whose contents are sent. Destination specifies the destination. Guidelines a results-async action transmits the contents of a context to a specified dest...

  • Page 902

    Parameters input-context specifies the context whose contents are to be routed by the specified style sheet. Specify input to use the initial policy input, which is the original client request or server response. Dynamic-stylesheet indicates that the action uses a dynamic style sheet. Url specifies ...

  • Page 903

    Syntax setvar context variable value parameters context specifies the context in which to set the variable. Variable specifies the name of the variable and takes the var:// url format. Value assigns the value to the variable. Guidelines if the var:// url is not local, this value overrides the contex...

  • Page 904

    Parameters context specifies the context from which attachments are stripped. Uri specifies the attachment to strip. Guidelines a strip-attachments action removes all or specified attachments from a target context. In the absence of a specified attachment, all attachments are stripped from the target...

  • Page 905

    Examples v enables unprocessed mode. # unprocessed # v disables unprocessed mode. # no unprocessed # validate adds a validate action. Syntax validate input-context [output-context] validate input-context attribute-rewrite name [output-context] validate input-context dynamic-schema url [output-contex...

  • Page 906

    Output-context optionally specifies the output context of the validated document. Guidelines the validate command adds a validate action to the current processing rule. This action defines a policy-based xml schema validation filter. If no methodology is identified, documents are validated in accord...

  • Page 907

    Output-context specifies the context for the transformed document. Specify output to use the final policy output, which is the transformed client request or transformed server response. Guidelines an xform action defines a policy-based xsl transform. An xform action transforms the document using a s...

  • Page 908

    Output to use the final policy output, which is the transformed client request or transformed server response. Guidelines adds an xformpi action; an xformpi action defines a policy-based xsl transformation performed according to processing instructions contained within the candidate xml document. An...

  • Page 909

    Chapter 104. Wsrr server configuration mode this chapter provides an alphabetic listing of commands that are available in wsrr server configuration mode. While in this configuration mode, provide the information to access a wsrr server. To enter this configuration mode, use the global wsrr-server co...

  • Page 910

    When the value is wsrr_6.1, use the wsrr subscription fetch-policy-attachments command to configure the ability to retrieve policy attachments. If enabled, the subscription service can retrieve policy attachments from the registry. Related commands fetch-policy-attachments (wsrr subscription) soap-...

  • Page 911

    Guidelines the ssl command assigns an ssl proxy profile to support secure communications between the appliance and a remote wsrr server. Meaningful only if the soap api url, as defined by the soap-url command, starts with https:. Related commands soap-url username provides wsrr server credentials. S...


  • Page 913

    Chapter 105. Wsrr subscription configuration mode this chapter provides an alphabetic listing of commands that are available in wsrr subscription configuration mode. While in this mode, define the wsrr-stored content to which to subscribe. To enter this configuration mode, use the global wsrr-subscr...

  • Page 914

    Related commands refresh-interval , wsrr-synchronize (global) namespace used in conjunction with the object-name command to unambiguously identify a subscribed-to wsrr resource. Syntax namespace namespace parameters namespace identifies the namespace of the resource. Guidelines both the resource nam...

  • Page 915

    Related commands namespace examples v specifies the resource name and namespace, which provides an unambiguous identification of the target resource. # wsrr-subscription proxy-1 new wsrr subscription configuration # namespace http://tonawanda.sr.ibm.com/validateinsurance # object-name insuranceservi...

  • Page 916

    Server specifies the wsrr server object. Syntax server name parameters name specifies the name of the wsrr server object. Guidelines specifies the wsrr server object, previously created with the wsrr-server command, that identifies the wsrr server that stores the subscribed-to resource. Related comman...

  • Page 917

    Syntax version version parameters version specifies the version of the wsdl file. Guidelines the version command specifies the version of the wsdl file to retrieve from the wsrr registry. The registry maintains a version attribute for wsdl files. This command is relevant only when use-version is on ...


  • Page 919

    Chapter 106. Xml firewall configuration mode this chapter provides an alphabetic listing of commands that are available in xml firewall configuration mode. To enter this configuration mode, use the global xmlfirewall command. All of the commands that are listed in “common commands” on page 2 and mos...

  • Page 920

    Related commands attribute-count , bytes-scanned, element-depth, firewall-parser-limits, request-attachments , response-attachments attribute-count defines the xml-firewall-specific maximum number of attributes associated with a given xml element. Syntax attribute-count count parameters count sets t...

  • Page 921

    Related commands front-attachment-format bytes-scanned specifies the maximum scope of the xml parser scanning operation. Syntax bytes-scanned bytes parameters bytes specifies the maximum scan in bytes. The default is 4194304. Guidelines if firewall-specific parser limits are enabled by the firewall-...

  • Page 922

    http://www.datapower.com/param/query related commands parameter , query-param-namespace examples v assigns a default namespace for parameters made available via the cli or webgui. # default-param-namespace http://www.somecompany.com/namespaces/ # element-depth defines the xml-firewall-specific maxim...

  • Page 923

    Forbid forbids external references. An external reference causes the xml parser to abort. Ignore ignores external dtd references, and replaces external entities with the empty string. Firewall-parser-limits indicates whether to use firewall-specific parser limitations. Syntax firewall-parser-limits {...

  • Page 924

    Dynamic indicates that the format of client attachments is deduced from document content. Mime indicates that client attachments are mime-encapsulated documents. Related commands back-attachment-format fwcred assigns a firewall credentials list. Syntax fwcred name no fwcred parameters name specifies...

  • Page 925

    Port is a port number (within the range 0 to 65535) that binds the xml firewall to a single, specific interface-port or to this port on all enabled interfaces. Guidelines you must specify both a local and remote address and an xml manager when configuring an xml firewall. Other commands enable enhan...

  • Page 926

    Parameters bytes specifies the firewall-specific maximum number of bytes to allow in a single parsed xml node before the source xml document is considered malicious and dropped. The default is 0. A value of 0 indicates that no size limits are imposed. Related commands attachment-byte-count , attribu...
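The parser limits described on these pages (attribute-count, bytes-scanned, element-depth, the forbid/ignore handling of external references, and the per-node byte limit) are what keep an XML firewall from being exhausted by deeply nested, attribute-flooded, oversized or entity-referencing documents. The following Python program is an added example, not DataPower code, that enforces equivalent limits with the standard library's expat binding. Only the bytes-scanned default (4194304) is taken from the page; the other default values, the limit names used for rejection reasons and the sample documents are this example's own assumptions.

```python
"""Added example (not DataPower code): XML-firewall-style parser limits
enforced with Python's standard-library expat binding."""
from dataclasses import dataclass
import xml.parsers.expat as expat


class ParserLimitExceeded(Exception):
    def __init__(self, limit, detail):
        super().__init__(f"{limit} exceeded: {detail}")
        self.limit = limit  # e.g. "element-depth"; names are this example's


@dataclass
class ParserLimits:
    attribute_count: int = 128          # assumed default, not from the page
    element_depth: int = 512            # assumed default, not from the page
    bytes_scanned: int = 4194304        # the page's default
    max_node_size: int = 0              # 0 = no limit, as on the page
    external_references: str = "forbid"  # "forbid" or "ignore"


def parse_with_limits(data, limits, chunk=1024):
    """Parse bytes under limits; return stats or raise ParserLimitExceeded."""
    parser = expat.ParserCreate()
    # Never fetch the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    st = {"depth": 0, "max_depth": 0, "elements": 0, "node_bytes": [], "text": []}

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # A SYSTEM identifier on the DOCTYPE is an external DTD reference.
        if system_id is not None and limits.external_references == "forbid":
            raise ParserLimitExceeded("external-reference", f"external DTD {system_id}")

    def external_entity(context, base, system_id, public_id):
        if limits.external_references == "forbid":
            raise ParserLimitExceeded("external-reference", f"external entity {system_id}")
        return 1  # "ignore": accept the reference, expand it to the empty string

    def start_element(name, attrs):
        st["depth"] += 1
        st["elements"] += 1
        st["max_depth"] = max(st["max_depth"], st["depth"])
        if st["depth"] > limits.element_depth:
            raise ParserLimitExceeded("element-depth", f"depth {st['depth']} at <{name}>")
        if len(attrs) > limits.attribute_count:
            raise ParserLimitExceeded("attribute-count", f"{len(attrs)} attributes on <{name}>")
        st["node_bytes"].append(0)

    def char_data(text):
        # One element's character data may arrive in several calls; sum them.
        st["text"].append(text)
        if st["node_bytes"]:
            st["node_bytes"][-1] += len(text.encode("utf-8"))
            if limits.max_node_size and st["node_bytes"][-1] > limits.max_node_size:
                raise ParserLimitExceeded("max-node-size", f"{st['node_bytes'][-1]} bytes in one node")

    def end_element(name):
        st["depth"] -= 1
        st["node_bytes"].pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data

    # Feed the document in pieces so scanning stops at the bytes-scanned limit.
    scanned = 0
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk]
        if scanned + len(piece) > limits.bytes_scanned:
            raise ParserLimitExceeded("bytes-scanned", f"more than {limits.bytes_scanned} bytes")
        parser.Parse(piece, False)
        scanned += len(piece)
    parser.Parse(b"", True)
    return {"elements": st["elements"], "max_depth": st["max_depth"],
            "bytes": scanned, "text": "".join(st["text"])}


def enforce(data, limits):
    """Return 'accepted' or the name of the limit that rejected the document."""
    try:
        parse_with_limits(data, limits)
        return "accepted"
    except ParserLimitExceeded as exc:
        return exc.limit


# Constructed sample documents, not captured traffic.
BENIGN = b'<order id="1"><item sku="a">x</item></order>'
DEEP = b"<a>" * 600 + b"</a>" * 600
ATTR_FLOOD = b"<e " + b" ".join(b'a%d="1"' % i for i in range(200)) + b"/>"
BIG_NODE = b"<d>" + b"x" * 5000 + b"</d>"
XXE = b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><d>&xxe;</d>'
EXT_DTD = b'<!DOCTYPE d SYSTEM "http://example.invalid/d.dtd"><d/>'
```

Run `enforce(doc, ParserLimits(max_node_size=4096))` over the sample documents: BENIGN is accepted, DEEP is rejected for element-depth, ATTR_FLOOD for attribute-count, BIG_NODE for max-node-size, and XXE and EXT_DTD for external-reference; switching to `external_references="ignore"` accepts the last two with the entity expanded to nothing, which is the behaviour the page describes for the ignore setting. As on the appliance, the rejection happens while scanning, before any downstream processing sees the document.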

  • Page 927

    # no monitor-count logsquelch # monitor-duration assigns a duration monitor. Syntax monitor-duration name no monitor-duration name parameters name is the name of the duration monitor assigned to the service. Guidelines after completing the configuration of a duration monitor, activate the monitor by...

  • Page 928

    Examples v allows only the first matching monitor to execute when a service has multiple monitors attached. # monitor-processing-policy terminate-at-first-match # monitor-service assigns a service level monitor (slm). Syntax service-count name no service-count name parameters name is the name of the...

  • Page 929

Guidelines the following namespace declaration must be included in a style sheet to enable that style sheet to access parameter-value pairs that are defined by the parameter command. xmlns:dpconfig="http://www.datapower.com/param/config" use the no parameter command to remove parameters from the cur...

  • Page 930

Syntax query-param-namespace namespace parameters namespace specifies the name of the default namespace. Guidelines parameters can be made available to an xml firewall using the parameter command. The default namespace for parameters introduced with the cli or webgui is: http://www.datapower.com/par...

  • Page 932

    V all attachments in the package before the needed attachment v all attachments in the package for a needed manifest v all attachments in the package if the package does not contain the needed attachment reject rejects messages that contain attachments. Strip (default) removes attachments from the m...

  • Page 933

    Parameters xml characterizes the client-originated traffic stream as raw (unencapsulated) xml. Soap characterizes the client-originated traffic stream as soap. Unprocessed characterizes the client-originated traffic stream as non-xml traffic that is not transformed by the xml firewall. Guidelines by...

  • Page 934

    Streaming allows messages that contain attachments in streaming mode, but provides limited processing. Messages in the form of a soap message package, which is a soap with attachments message, are supported. Processing can be applied individually to each attachment. The appliance does not create a m...

  • Page 935

    Guidelines by default, both the client-originated (request) and server-originated (response) traffic streams are characterized as soap. Related commands raw-mode , request-type examples v characterizes server-originated traffic as xml. # response-type xml # v characterizes server-originated traffic ...

  • Page 936

    Parameters url specifies the url of the schema file. Guidelines when an xml firewall is in soap mode, either on the request or response side, it validates the incoming messages against a w3c schema that defines a conforming soap message. It is possible to customize which schema is used on a per-fire...

  • Page 937

    Syntax stylesheet-policy name parameters name specifies the name of a processing policy. Guidelines assigning a processing policy is optional. In the absence of a processing policy, the xml firewall uses processing instructions (if any) that are in the xml document. Related commands ssl , urlrewrite...

  • Page 938

    Do not use the type command to create a new xml firewall. Use it to recast the type of an existing xml firewall. Related commands remote-address , ssl, stylesheet-policy urlrewrite-policy assigns a url rewrite policy. Syntax urlrewrite-policy name parameters name specifies the name of the url rewrit...


  • Page 941

    Chapter 107. Xml management interface configuration mode this chapter provides an alphabetic listing of commands that are available in xml management interface configuration mode. To enter this configuration mode, use the global xml-mgmt command. Many of the commands that are listed in “common comma...

  • Page 942

    Parameters mode indicates which modes to enable. Separate multiple modes with the plus sign (+) character. The following keywords are available to indicate the modes to enable: any — soap management uri enables processing of messages received on any (*) uri for legacy applications. One example would...

  • Page 943

    When the mode command exposes the slm endpoint (slm keyword), you can use the slm-peering command to indicate the frequency to update slm peers. Related commands slm-peering examples v changes the default modes to include the ws-management endpoint service and the wsdm endpoint service. # xml-mgmt m...

  • Page 944

    Related commands mode examples v changes the interval between updates of slm peer groups to 25 seconds. # xml-mgmt modify xml management interface configuration # slm-peering 25 # ssl assigns an ssl proxy profile. Syntax ssl name parameters name specifies the name of an existing ssl proxy profile. G...

  • Page 945

Examples v changes the assignment of the user agent to mgmtagent. # xml-mgmt modify xml management interface configuration # user-agent mgmtagent


  • Page 947

    Chapter 108. Xml manager configuration mode an xml manager obtains and manages xml documents, style sheets, and other document resources on behalf of one or more services. An xml manager also provides the following functionality: v set manager-associated limits on the parsing of xml documents v enab...

  • Page 948

    Parameters name specifies the name of an existing processing rule. Frequency specifies the frequency of rule invocation. Guidelines the schedule-rule command schedules the xml manager to run the specified processing rule. In the absence of the frequency argument, the rule is run a single time. Use t...

  • Page 949

    Chapter 109. Xml parser limits configuration mode this chapter provides an alphabetic listing of commands that are available in xml parser limits configuration mode. To enter this configuration mode, use the global xml parser limits command. All of the commands that are listed in “common commands” o...

  • Page 951

    Chapter 110. Xpath routing map configuration mode this chapter provides an alphabetic listing of commands that are available in xpath routing map configuration mode. To enter this configuration mode, use the global xpath-routing command. All of the commands that are listed in “common commands” on pa...

  • Page 952

    Guidelines the rule command creates xpath-based forwarding rule by adding an xpath expression and associated forwarding data to the current xpath routing map. That is, the selection of a target web or application server is based upon the contents of the xml document being processed. With xpath-based...

  • Page 953

    Chapter 111. Xsl coprocessor service configuration mode this chapter provides an alphabetic listing of commands that are available in xsl coprocessor service configuration mode. To enter this configuration mode, use the global xslcoproc command. All of the commands that are listed in “common command...

  • Page 954

    Off disable access to cryptographic extensions. Alternatively, use the no crypto-extensions command. Default-param-namespace specifies the default namespace for stylesheet parameters. Syntax default-param-namespace namespace parameters namespace specifies the name of the default namespace. The defau...

  • Page 955

Examples v specifies 10.10.13.35:23000 as the local ip address-port that the current xsl coprocessor service monitors. # xslcoproc proxy-1 xsl coprocessor service configuration mode # ip-address 10.10.13.35 # port 23000 # port specifies the local port monitored for incoming traffic. Syntax port port ...

  • Page 956

    Syntax ssl name parameters name specifies the name of the ssl proxy profile assigned to the xsl coprocessor service. Guidelines the ssl proxy profile enables a secure coprocessor-to-server connection. Stylesheet-policy assigns a processing policy. Syntax stylesheet-policy name parameters name specif...

  • Page 957

    The assignment of a processing rule allows the java client code to instantiate a minimal identity transformer and invoke statically configured rule-based transformations with little overhead. For example, consider the following two examples. This command sequence creates the global coprocxform proce...

  • Page 958

stdout transformer.transform(new StreamSource(args[0]), new StreamResult(System.out)); examples v assigns the coprocxform processing rule to the current xsl coprocessor. # stylesheet-rule coprocxform # urlrewrite-policy assigns a url rewrite policy. Syntax urlrewrite-policy name parameters name spe...

  • Page 959

    Chapter 112. Xsl proxy service configuration mode this chapter provides an alphabetic listing of commands that are available in xsl proxy service configuration mode. To enter this configuration mode, use the global xslproxy command. All of the commands that are listed in “common commands” on page 2 ...

  • Page 960

Parameters namespace specifies the name of the default namespace. Guidelines the default namespace for parameters introduced with the cli or webgui is: http://www.datapower.com/param/config related commands parameter , query-param-namespace examples v assigns a default namespace for parameters made ...

  • Page 961

    Syntax monitor-count name no monitor-count parameters name specifies the name of the message-count monitor assigned to the xsl proxy. Guidelines after completing the configuration of a message-count monitor, you activate the monitor by assigning it to an xml firewall or xsl proxy. Use the no monitor...

  • Page 962

    Examples v assigns the ratelimit1 duration monitor to the current xsl proxy. # monitor-duration ratelimit1 # v removes the assignment of the ratelimit1 duration monitor. # no monitor-duration ratelimit1 # monitor-processing-policy sets the behavior when a service has multiple monitors. Syntax monito...

  • Page 963

xmlns:dpconfig="http://www.datapower.com/param/config" use the no parameter command to delete a parameter and associated value. Related commands default-param-namespace , query-param-namespace examples v makes a parameter-value pair available to the current xsl proxy. # parameter foo bar # v makes a...

  • Page 964

Guidelines use the port command to change the port that is assigned with the ip-address command. Related commands ip-address examples v specifies 10.10.13.35:23000 as the local ip address-port that the current xsl proxy service monitors. # xslproxy proxy-1 xsl proxy service configuration mode # ip-ad...

  • Page 966

    Parameters name specifies the name of an existing ssl proxy profile. Guidelines the ssl command assigns an ssl proxy profile to an xsl proxy. In the absence of an assigned ssl proxy profile, the xsl proxy uses nonsecure connections in client and server exchanges. An ssl proxy profile is required onl...

  • Page 968

    Urlrewrite-policy assigns a url rewrite policy. Syntax urlrewrite-policy name parameters name specifies the name of the url rewrite policy to assign. Guidelines you need not specify a url rewrite policy when configuring an xsl proxy. Related commands ssl , stylesheet-policy, xml-manager examples v a...

  • Page 969

    Chapter 113. Z/os nss client configuration mode this chapter provides an alphabetic listing of commands that are available in z/os nss client configuration mode. To enter this configuration mode, use the global zos-nss command. Client-id client id for registration with the nss server. Syntax client-...

  • Page 970

    Guidelines the host command identifies the nss server by domain name or ip address. In conjunction with the port command, identifies the host and listening port of the nss server. The nss server must have the xmlappliance discipline support enabled. Related commands port examples v sets nssserver1.D...

  • Page 971

    # zos-nss nssclient1 new zos nss client configuration # user-name testuser # password pword port identifies the listening port on the nss server. Syntax port port parameters port specifies a destination port on the nss server. Guidelines the port command is used in conjunction with the host command ...

  • Page 972

Syntax system-name string parameters string specifies a name for the nss client. Minimum length is 1. Maximum length is 8. Valid characters are: v a through z v A through Z v 0 through 9 v _ (underscore) v - (dash) embedded spaces are invalid. Guidelines the system-name command specifies a name that...

  • Page 973

Related commands password examples v sets the user name to testuser with the password pword as the credentials to authenticate on the nss server. # zos-nss nssclient1 new zos nss client configuration # user-name testuser # password pword


  • Page 975

    Chapter 114. Monitoring commands this chapter provides an alphabetic listing of all commands for status objects and for configuration objects. These commands are available in all configuration modes, unless otherwise indicated. Show aliases displays a list of expanded macros. Syntax show aliases [na...

  • Page 976

    Syntax show audit-log [-np] show audit-log [-np] user show audit-log [-np] date show audit-log [-np] time show audit-log [-np] address parameters -np indicates no pagination. User sorts the events in the audit log alphabetically by user name. Address sorts the events in the audit log numerically by ...

  • Page 977

    Date start [end] displays events in the audit log from the specified start date to optional end date. Without an end date, displays events to the most recent date. Time start [end] displays events in the audit log from the specified start time to the optional end time. Without an end time, displays ...

  • Page 978

Show compact-flash (type 9235) displays the configuration of the compact flash. Syntax show compact-flash cf0 context available only on type 9235 appliances with the compact flash as auxiliary storage. Show conformancepolicy displays configuration settings for conformance policy objects. Syntax show...

  • Page 979

    Related commands ip default-gateway context available in interface configuration mode only. Show deployment-policy displays configuration settings for deployment policy objects. Syntax show deployment-policy [name] context available in global configuration mode only. Show documentcache displays the ...

  • Page 980

File capture indicates whether the xml file capture utility is enabled in the domain. Debug log indicates whether the domain is using the debug logging level. Probe enabled indicates whether one or more services in the domain have the probe enabled. Diagnostics indicates that diagnostic tracing is ena...

  • Page 981

    Related commands show firmware-version show firmware-version displays the current firmware version, without image type and installation date. Syntax show firmware-version guidelines the show firmware-version command provides information about the current firmware version. This command provides the s...

  • Page 982

Guidelines the show interface command displays the following information: v the ip address for the interface v statistics about received transactions: – number of kilobytes/second – number of packets – number of aggregated errors v statistics about transmitted transactions: – number of kilobytes/seco...

  • Page 983

Parameters address displays the primary and standby addresses, if any, that are assigned to the current interface. Domains displays the ip domain search suffix table. Hosts hostname displays all host-to-ip address mappings, or displays this information about the specified host. Name-servers displays ...

  • Page 984

    Show license displays the installed licenses. Syntax show license guidelines the show license command provides information about which of the available licenses are enabled. Some licenses are available because of the type of datapower appliance, but some licenses must be purchased to be enabled. Lic...

  • Page 985

    Related commands show logging show logging displays a specified appliance log. Syntax show logging log-name [pcre] show logging archive show logging category [log-category] show logging encrypt show logging event show logging format show logging priority show logging sign show logging target [target...

  • Page 986

Target [target-name] displays summary information about all active log targets, or displays detailed information about a specific log target. Timestamp displays a list of timestamp formats. Type [log-type] displays summary information about all available logging types, or displays detailed information a...

  • Page 987

    Related commands matching show memory displays memory usage. Syntax show memory guidelines the show memory command displays memory usage. This command is also available from the diag (login) mode. Output v # show memory memory usage: 10 % total memory: 4149324 kbytes used memory: 433761 kbytes free ...

  • Page 988

    Show ntp-service displays the refresh interval for the current ntp server. Syntax show ntp-service related commands ntp , show ntp-refresh show password-map displays the password map. Syntax show password-map context available in crypto configuration mode only. Related commands password-map show rad...

  • Page 989

Context available only on type 9235 appliances with the hard disk array as auxiliary storage. Show raid-volumes (type 9235) displays the status of the disks in the hard disk array. Syntax show raid-volumes context available only on type 9235 appliances with the hard disk array as auxiliary storage. ...

  • Page 990

    Guidelines the show sensors command has been deprecated. Use one of the following commands: v show sensors-fans v show sensors-other v show sensors-temperature v show sensors-voltage show sensors-fans displays the values for sensors that read the speed of the fans. Syntax show sensors-fans guideline...

  • Page 991

    Syntax show sensors-temperature guidelines the show sensors-temperature command provides values for sensors that read temperatures. These sensors provide the temperature of the air flowing through the system and of key components in the system. Show sensors-voltage displays the values for sensors th...

  • Page 992

    In the absence of the optional name argument, the system displays a list of all current command macros. Related commands simple-rate-limiter show snmp displays snmp configuration data syntax show snmp related commands port , show system, version show standby displays failover configuration informati...

  • Page 993

    Guidelines should the appliance find an error, it displays and logs the following message: notice: startup config contains errors. You can access the startup error log to locate the source in the startup configuration. Context available in global configuration mode only. Show statistics displays inf...

  • Page 994

    Guidelines when issued without an argument, displays data for all processing policy objects. When issued for a specific processing policy, displays data for the specified stylesheet policies. For each processing policy, the results contain the following details: v the name of the processing policy v...

  • Page 995

    Within the style sheet, or a corrupted document, possibly caused by transient network conditions at the time the style sheet was accessed) duplicate usually indicates a temporary style sheet that was generated during a pipeline transformation pending indicates that the style sheet is being retrieved...

  • Page 996

    Show throughput displays interface-specific traffic counts. Syntax show throughput show time displays the current date, time, and appliance uptime. Syntax show time related commands clock , show clock show urlmap displays a list of all url maps (along with match patterns contained within the map) or...

  • Page 997

Show usergroups displays a list of user groups and the command suites to which group members are granted access. Syntax show usergroups related commands usergroup show usernames displays a list of all current user accounts with associated access levels. Syntax show usernames related commands show u...

  • Page 998

Parameters name specifies the name of an existing web application firewall. Guidelines firewall names are followed by the associated command or command sequence. In the absence of the optional name argument, the system displays a list of all current web application firewalls. Related commands web-application-f...

  • Page 999

Show webapp-request-profile displays a list of web application request profile objects. Syntax show webapp-request-profile [name] parameters name specifies the name of an existing web application request profile. Guidelines profile names are followed by the associated command or command sequence. In...

  • Page 1000

Guidelines policy names are followed by the associated command or command sequence. In the absence of the optional name argument, the system displays a list of all current web application session management policies. Related commands webapp-session-management show wsrr-server displays the configuration of wsrr servers. Syntax s...

  • Page 1001

    Show wsrr-subscription-status displays operational details of wsrr subscriptions. Syntax show wsrr-subscription-status [name] parameters name specifies the name of the target wsrr subscription object. Guidelines this command provides the following operational details: subscription the name of the ws...

  • Page 1002

    Parameters name identifies the name of the target wsrr subscription object. Guidelines this command provides the following wsdl file data: subscription the name of the wsrr subscription object that is assigned during the configuration of the subscription. Bsruri the wsrr-assigned document identifier...

  • Page 1003

Syntax show xmlmgr show xslcoproc displays information about xsl coprocessors. Syntax show xslcoproc show xslproxy displays configuration details for xsl proxy objects. Syntax show xslproxy [name] parameters name specifies the name of an existing xsl proxy. Guidelines in the absence of an argument, ...


  • Page 1005

Appendix a. Working with variables variables can be used in most contexts, except pipe. To use a variable, you must create it with the setvar action. A setvar action creates a variable in a specified context and assigns it a value. Note: you can view the value of variables for a transaction with the ...

  • Page 1006

    Var://service/variable address a variable that is made available to a service (such as http or xsl co-processor) that is attached to a multistep session. The majority of service variables are read-only and cannot be set. For a complete list of the available service variables, refer to “service varia...

  • Page 1007

    Use the following variable to return the contents of the load balancer status object. This status object corresponds to the loadbalancerstatus enumeration value. Var://service/system/status/loadbalancerstatus read-write variables var://service/soap-fault-response set when the response input rule is ...

  • Page 1008

    Configuration services service variables this section contains information about configuration services variables in alphabetic order by permission category. Table 14 lists the names and permission for these variables. Table 14. Names and permissions for variables that are available for configuratio...

  • Page 1009

    Load balancer service variables this section contains information about load balancer variables in alphabetic order by permission category. Table 15 lists the names and permission for these variables. Table 15. Names and permissions for variables that are available for load balancers variable name p...

  • Page 1010

Read-write variables var://service/log/soapversion gets or sets the version of soap for use by soap log targets. Use a setvar action before a log action to change the version of soap to use when logging this message. Supports the following values: soap11 uses soap 1.1. Soap12 (default) uses soap 1...

  • Page 1011

    V when true, notifies the service layer that this transaction is performing a one-way mep operation. This setting enables the service layer to optimize resource usage while preventing web services addressing (wsa) from waiting for and faulting on a response that will never arrive. V when false, no n...

  • Page 1012

Read-write variables var://service/error-code gets or sets the assigned error code from the result code table. Var://service/error-ignore gets or sets a flag that controls how the front side handler processes error conditions. If the value is set and greater than zero, it does not run any error handl...

  • Page 1013

    Var://service/append-response-header/ appends to the protocol response header. Var://service/set-request-header/ sets the protocol request header. This variable directly correlates to the dp:set-request-header() extension function. Setting the var://service/set-request-header/foo variable to the val...

  • Page 1014

    Var://service/transaction-rule-type gets the rule type of the transaction. Persistent connection transaction variables this section contains information about persistent connection variables in alphabetic order by permission category. Table 21 lists the names and permission for these variables. Tabl...

  • Page 1015

    – the protocol can be any valid backend protocol. – the uri is absolute and cannot be controlled with the propagate uri toggle (webgui) or propagate-uri command. The var://service/routing-url variable is an addition to the dp:set-target and dp:xset-target extension elements. These extension elements...

  • Page 1016

    Table 24. Names and permissions for variables that are available for url-based transactions (continued) variable name permission var://service/url-out read-only read-only variables var://service/client-service-address gets the address of the frontend client. Var://service/local-service-address gets ...

  • Page 1017

    Table 25. Names and permissions for variables that are available to wsm (continued) variable name permission var://wsm/service-port-operation read-only var://wsm/strict-fault-document-style read-only read-only variables var://service/wsm/aaa-policy-name gets the name of the wsm aaa policy. Var://ser...

  • Page 1018

    Read-write variables var://service/wsa/timeout gets or sets the timeout value for the ws-addressing asynchronous reply. Var://service/wsa/genpattern gets or sets the pattern for the ws-addressing asynchronous reply. Extension variables this section contains information about system variables in alph...

  • Page 1019

    Var://local/_extension/response-headers gets the manifest for the response header. This variable, on the output context of a dp:url-open() extension function or results action or fetch action, contains in the response header manifest. Var://local/_extension/response-header/headername gets the conten...

  • Page 1020

    Input context to a dp:url-open() extension function or to a results action or to a fetch action to override the selection of an ssl proxy profile. For instance: results tmpvar2 https://foo.Bar.Com/foome.Asp tmpvar3 would normally use the ssl proxy profile that is associated with any user-agent confi...

  • Page 1021

    List of available variables table 28 lists all of the variables that are available when using a datapower appliance. Table 28. All available variables short variable name full variable name category permission aaa-policy-name var://service/wsm/aaa-policy-name transaction, wsm read-only allow-compres...

  • Page 1022

    Table 28. All available variables (continued) short variable name full variable name category permission error-protocol-reason-phrase var://service/error-protocol-reason-phrase transaction, error handling write-only error-protocol-response var://service/error-protocol-response transaction, error han...

  • Page 1023

    Table 28. All available variables (continued) short variable name full variable name category permission prevent-persistent-connection var://local/_extension/prevent-persistent- connection extension write-only processor-name var://service/processor-name service, configuration read-only processor-typ...

  • Page 1024

    Table 28. All available variables (continued) short variable name full variable name category permission time-forwarded var://service/time-forwarded transaction, statistics read-only time-response-complete var://service/time-response-complete transaction, statistics read-only time-started var://serv...

  • Page 1025

    Appendix b. Processing policy procedures stylesheet policies can be created using two slightly different methods. The first method (referred to as the inline rule method) initially creates the processing policy and then defines transformation and filtering rules specific to that policy. The second m...

  • Page 1026

    Configuring a matching rule this command sequence creates a matching rule, named star, that provides a universal match for all urls. # matching star matching configuration mode # urlmatch * (config-stylesheet-matching)# exit matching 'star' successfully created # configuring a processing policy this...

  • Page 1027

    # stylesheet-policy validate-sign-encrypt-all # parameter keypair alice # parameter recipient alice # request-type xml # response-type unprocessed # exit xml firewall update successful # # xmlfirewall validate-sign-encrypt-all xml firewall configuration mode # local-address 0 9050 # remote-address 1...

  • Page 1028

    Accept/reject decision) enable validation of an xml document against a specified schema, verification of a document's digital signature, or content-based xml/soap filtering. 5. Use the request-rule, response-rule, or rule commands in conjunction with the xform and xformpi actions to add direction-sp...

  • Page 1029

    # stylepolicy validate-sign-encrypt-all processing policy configuration mode # match star validate-sign-encrypt # exit processing policy "validate-sign-encrypt-all" successfully created # this command sequence creates the multi-step-all processing policy that uses the multi-step global rule with the...


  • Page 1031

Appendix c. Stylesheet refresh policy configuration disabling the cache can be a performance concern and might not be your goal. When style sheets are not cached, an xslt compilation is run on every single transaction. If you need to disable stylesheet caching, create a separate xml manager for the pa...


  • Page 1033

    Appendix d. Compile options policy configuration profiling overview with profiling enabled, the appliance measures and reports processing times for the profiled style sheets. The appliance reports time measurements as a percentage of the total time spent processing the document. As the control flow ...

  • Page 1035

    Appendix e. Getting help and technical assistance this section describes the following options for obtaining support for ibm products: v “searching knowledge bases” v “getting a fix” v “contacting ibm support” on page 1010 searching knowledge bases if you encounter a problem, you want it resolved qu...

  • Page 1036

    Contacting ibm support ibm support provides assistance with product defects. Before contacting ibm support, the following criteria must be met: v your company has an active maintenance contract. V you are authorized to submit problems. To contact ibm support with a problem, use the following procedu...

  • Page 1037: Notices And Trademarks

    Notices and trademarks. This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information about the products and services currently a...

  • Page 1038

    Other company, product, and service names may be trademarks or service marks of others.

  • Page 1039: Index

    Index a aaa processing rule 559 ws-proxy ws-proxy processing rule 867 aaa policy actor-role-id 151 authenticate 152 authorize 153 authorized-counter 154 cache-allow 154 cache-ttl 154 dos-valve 155 extract-identity 156 extract-resource 156 ldap-suffix 157 ldap-version 157 log-allowed 158 log-allowed-...

  • Page 1040

    Attachment-uri processing action 526 attribute-count multi-protocol gateway 436 web service proxy 784 xml firewall 894 xml parser limits 923 au-cache-mode rbm settings 582 au-cache-ttl rbm settings 583 au-custom-url rbm settings 583 au-info-url rbm settings 584 au-kerberos-keytab rbm 584 au-ldap-bin...

  • Page 1041

    Clock login, privileged-type user 5 close-on-fault stateful raw xml handler 645 combine-with-or matching rule 409 common commands admin-state 3 cancel 4 disconnect 7 echo 7 exit 9 help 9 ping 11 reset 12 show 12 summary 13 test tcp-connection 16 traceroute 17 common criteria account lockout-duration...

  • Page 1042

    Crypto validation credentials (continued) no require-crl 255 no use-crl 256 require-crl 255 use-crl 256 crypto-export crypto 216 crypto-extensions xsl coprocessor service 927 crypto-import crypto 216 custom timezone 679 custom-ui-file system settings 654 customer support contacting 1010 obtaining fi...

  • Page 1043

    Echo (continued) login, user-type user 7 ecn-disable network settings 491 element-depth multi-protocol gateway 440 web service proxy 790 xml firewall 896 xml parser limits 923 email-address failure notification 275 log target 390 enable login, user-type user 7 encrypt crypto 219 log target 390 endpo...

  • Page 1044

    Flash boot config 277 boot delete 277 boot image 278 boot switch 278 boot update 279 copy 280 delete 282 dir 283 move 284 reinitialize 284 shutdown 285 follow-redirects multi-protocol gateway 441 web application firewall 745 web service proxy 791 forbid-external-references web service proxy 791 xml ...

  • Page 1045

    Global (continued) network 73 nfs-client 74 nfs-dynamic-mounts 74 nfs-static-mount 75 no stylesheet 110 ntp 75 ntp-service 76 peer-group 76 policy-attachments 77 policy-parameters 77 radius 78 raid-activate 78 raid-delete 79 raid-initialize 79 raid-rebuild 79 raid-volume 80 raid-volume-initialize-fi...

  • Page 1046

    Http front side handler (continued) max-total-header-len 323 max-url-len 324 modify configuration 319 persistent-connections 324 port 325 http input conversion map default-encoding 327 no rule 328 rule 328 http service acl 329 identifier 329 ip-address 330 local-directory 330 mode 331 no identifier ...

  • Page 1047

    Iscsi host bus adapter (continued) ip-address 364 iscsi target chap 367 hba 367 hostname 368 port 368 target-name 369 iscsi volume directory 371 lun 371 read-only 372 target 372 iscsi-chap global 54 iscsi-fs-init global 54 iscsi-fs-repair global 55 iscsi-hba global 56 iscsi-target global 56 iscsi-vo...

  • Page 1048

    Log target (continued) group (deprecated) 395 local-address 395 local-file 396 local-ident 396 nfs-file 396 nfs-static-mount 397 object 397 rate-limit 398 remote-address 398 remote-directory 399 remote-login 400 remote-port 401 retry (deprecated) 402 rotate 402 sender-address 403 sign 403 size 403 s...

  • Page 1049

    Memory-terminate throttle settings 673 memory-throttle throttle settings 673 message catalogs xxiii message count monitor distinct-sources 413 filter 413 header 414 measure 415 message-type 415 no filter 413 source 416 message duration monitor filter 417 measure 418 message-type 419 no filter 417 me...

  • Page 1050

    Multi-protocol gateway (continued) chunked-uploads 438 compression 439 default-param-namespace 440 element-depth 440 external-references 441 follow-redirects 441 forbid-external-references 442 front-attachment-format 442 front-persistent-timeout 442 front-protocol 443 front-timeout 443 fwcred 444 ga...

  • Page 1051

    No alias login, privileged-type user 3 no arp interface 351 vlan 731 no basicauth user agent 710 no certificate crypto 213 crypto firewall credentials 247 crypto validation credentials 252 no chunked-uploads web application firewall 744 no close-on-fault stateful raw xml handler 645 no crl crypto 21...

  • Page 1052

    No stylesheet (continued) slm resource class 630 no subscription slm resource class 630 no tcp kerberos kdc server 374 no trap-target snmp settings 639 no unprocessed processing rule 570 ws-proxy processing rule 878 no uri-normalization web application firewall 751 no use-crl crypto validation crede...

  • Page 1053

    Privileged-type user commands (continued) login 10 no alias 3 no ntp 10 ntp 10 ping 11 show 12 shutdown 13 switch domain 14 template 14 test schema 15 test tcp-connection 16 top 16 traceroute 17 process-http-errors multi-protocol gateway 456 web service proxy 810 processing action aaa-policy 525 asy...

  • Page 1054

    Rbm settings (continued) au-info-url 584 au-ldap-bind-dn 585 au-ldap-bind-password 585 au-ldap-parameters 586 au-ldap-search 587 au-method 588 au-server-host 589 au-server-port 589 au-valcred 590 au-zos-nss 590 cli-timeout 591 fallback-login 591 fallback-user 592 ldap-prefix 593 ldap-sslproxy 593 ld...

  • Page 1055

    Response-reject-include-summary conformance policy 203 response-reject-level conformance policy 203 response-report-level conformance policy 204 response-report-target conformance policy 204 response-rule processing policy 555 response-security web application firewall 749 response-size variable 981...

  • Page 1056

    Service/error-code variable 986 service/error-headers variable 985 service/error-ignore variable 986 service/error-message variable 986 service/error-protocol-reason-phrase variable 985 service/error-protocol-response variable 985 service/error-subcode variable 986 service/formatted-error-message va...

  • Page 1057

    Slm credential class (continued) no value 622 stylesheet 620 type 621 value 622 slm policy eval-method 625 peer-group 626 statement 626 slm resource class match-type 629 no stylesheet 630 no subscription 630 no value 632 no wsrr-subscription 633 no xpath-filter 633 stylesheet 630 subscription 630 ty...

  • Page 1058

    Stylepolicy (continued) multi-protocol gateway 465 web service proxy 821 stylesheet slm credential class 620 slm resource class 630 stylesheet-policy xml firewall 910 xsl coprocessor service 930 xsl proxy service 940 stylesheet-rule xsl coprocessor service 930 subscription slm resource class 630 sub...

  • Page 1059

    Timezone (continued) daylight-start-day 680 daylight-start-hours 680 daylight-start-minutes 681 daylight-start-month 681 daylight-start-week 682 daylight-stop-day 682 daylight-stop-hours 683 daylight-stop-minutes 683 daylight-stop-month 684 daylight-stop-week 685 direction 685 name 686 offset-hours ...

  • Page 1060

    User agent (continued) no proxy 715 no pubkeyauth 716 no soapaction 718 no ssl 719 proxy 715 pubkeyauth 716 restrict-http-policy 717 soapaction 718 ssl 719 timeout 720 user group access-policy 727 add 728 delete 729 user-agent global 128 xml management interface 918 xml manager 922 user-expire-passw...

  • Page 1061

    Variables (continued) transaction url (continued) service/uri-in 990 service/uri-out 990 types 979 using 979 web service proxy backend-timeout 981 request-size 981 response-size 981 skip-backside 981 wsm listing 990 service/wsa/genpattern 992 service/wsa/timeout 992 service/wsm/aaa-policy- name 991 ...

  • Page 1062

    Web service proxy (continued) default-param-namespace 789 element-depth 790 endpoint-rewrite-policy 790 external-references 790 follow-redirects 791 forbid-external-references 791 front-attachment-format 791 front-persistent-timeout 791 front-protocol 792 front-timeout 792 frontside-port-rewrite 793...

  • Page 1063

    Wsa-genstyle multi-protocol gateway 471 web service proxy 829 wsa-http-async-response-code multi-protocol gateway 471 web service proxy 830 wsa-mode multi-protocol gateway 472 web service proxy 830 wsa-replyto-rewrite multi-protocol gateway 474 web service proxy 832 wsa-strip-headers multi-protocol ...

  • Page 1064

    Xformpi processing rule 573 ws-proxy processing rule 881 xml firewall acl 893 attachment-byte-count 893 attribute-count 894 back-attachment-format 894 bytes-scanned 895 default-param-namespace 895 element-depth 896 external-references 896 firewall-parser-limits 897 forbid-external-references 897 fro...

  • Page 1066

    Printed in USA.