IBM WebSphere XS40 Command Reference Manual

WebSphere® DataPower XML Security Gateway XS40
Version 3.7.2

Command Reference
Note
First Edition (December 2008)
This edition applies to version 3, release 7, modification 2, level 0 of IBM WebSphere DataPower XML Security Gateway XS40 and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 1999, 2008.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Preface ..............xix
Who should read this document .......xix
Publications ..............xix
Installation and upgrade documentation . . . xix
Administration documentation .......xx
Development documentation .......xx
Reference documentation .........xx
Integration documentation ........xxi
Problem determination documentation ....xxi
Supplemental documentations .......xxi
Reading syntax statements .........xxii
Directories on the appliance ........xxii
Object name conventions .........xxiv
Typeface conventions ..........xxiv
Chapter 1. Initial login and common commands .............1
Initial login commands ...........1
Common commands ............2
admin-state ...............3
alias .................3
cancel.................4
clock .................5
configure terminal ............6
diagnostics ...............6
disable ................6
disconnect ...............7
echo .................7
enable ................7
exec .................8
exit .................9
help .................9
login ................10
ntp.................10
ping .................11
reset .................12
show ................12
shutdown ...............13
summary ...............13
switch domain .............14
template ...............14
test schema ..............15
test tcp-connection ............16
top.................16
traceroute ...............17
Chapter 2. Global configuration mode 19
aaapolicy ...............19
account (Common Criteria) .........19
acl.................21
action ................22
alias .................23
application-security-policy .........24
audit delete-backup (Common Criteria) .....25
audit level (Common Criteria) ........25
audit reserve (Common Criteria) .......25
cache schema ..............26
cache stylesheet .............27
cache wsdl ..............27
clear aaa cache .............28
clear arp ...............28
clear dns-cache .............29
clear pdp cache .............29
clear rbm cache .............30
clear xsl cache .............30
cli remote open .............31
cli telnet ...............31
compact-flash (Type 9235) .........33
compact-flash-initialize-filesystem (Type 9235) . . . 33
compact-flash-repair-filesystem (Type 9235)....33
compile-options .............34
conformancepolicy ............35
copy.................35
create-tam-files .............37
crypto ................39
delete ................40
deployment-policy ............40
dir.................41
disable ................42
dns.................42
document-crypto-map ...........43
documentcache .............43
domain ................44
failure-notification ............44
file-capture ..............45
flash.................46
ftp-quote-command-list ..........46
host-alias ...............46
httpserv ...............47
import-execute .............48
import-package .............48
include-config .............49
input-conversion-map ...........50
interface ...............50
ip domain ...............51
ip host ................52
ip name-server .............53
iscsi-chap (Type 9235) ...........54
iscsi-fs-init (Type 9235) ..........54
iscsi-fs-repair (Type 9235) ..........55
iscsi-hba (Type 9235) ...........56
iscsi-target (Type 9235) ..........56
iscsi-volume (Type 9235) ..........56
loadbalancer-group ............57
locate-device (Type 9235) ..........57
known-host ..............58
ldap-search-parameters ..........59
load-interval ..............59
logging category.............60
logging event..............60
logging eventcode ............61
logging eventfilter ............62
logging object .............63
logging target .............64
loglevel................64
logsize ................65
matching ...............66
memoization ..............67
message-matching ............68
message-type ..............68
metadata ...............69
mkdir ................69
monitor-action .............70
monitor-count .............70
monitor-duration ............71
move ................71
mpgw ................72
mtom ................73
network ...............73
nfs-client ...............74
nfs-dynamic-mounts ...........74
nfs-static-mount .............75
ntp.................75
ntp-service ..............76
peer-group ..............76
policy-attachments ............77
policy-parameters ............77
radius ................78
raid-activate (Type 9235) ..........78
raid-delete (Type 9235) ..........79
raid-initialize (Type 9235) ..........79
raid-rebuild (Type 9235) ..........79
raid-volume (Type 9235) ..........80
raid-volume-initialize-filesystem (Type 9235) . . . 80
raid-volume-repair-filesystem (Type 9235) ....81
rbm.................81
refresh stylesheet ............82
remove chkpoint ............82
reset domain ..............83
reset username .............84
restart domain .............85
rmdir ................85
rollback chkpoint ............86
rule.................87
save chkpoint..............88
save error-report.............89
save internal-state ............89
save-config overwrite ...........90
schema-exception-map...........90
search results ..............91
send error-report ............92
send file ...............92
service battery-installed ..........93
service nagle ..............93
service-monitor .............94
set-system-var .............94
simple-rate-limiter ............95
slm-action ...............96
slm-cred ...............96
slm-policy ...............97
slm-rsrc................97
slm-sched ...............97
snmp ................98
soap-disposition .............99
source-ftp-poller .............99
source-ftp-server ............100
source-http ..............100
source-https ..............100
source-nfs-poller ............101
source-raw ..............101
source-stateful-tcp ............102
ssh.................102
sslforwarder..............103
sslproxy ...............105
ssltrace ...............107
startup ...............108
statistics ...............109
stylepolicy ..............109
no stylesheet .............110
switch domain .............111
syslog ................112
system................113
tam.................113
tcpproxy ...............114
template ...............115
test hardware .............116
test logging ..............116
test schema ..............117
test urlmap ..............118
test tcp-connection............119
test urlrefresh .............119
test urlrewrite .............120
tfim ................121
throttle ...............121
timezone ...............123
traceroute ..............123
uddi-registry .............123
uddi-subscription ............124
undo ................124
urlmap ...............125
urlrefresh...............126
urlrewrite ..............127
user ................127
user-agent ..............128
user-expire-password...........128
user-password .............129
usergroup ..............129
vlan-sub-interface ............129
watchdog...............130
web-application-firewall ..........131
web-mgmt ..............131
webapp-error-handling ..........133
webapp-gnvc .............133
webapp-request-profile ..........134
webapp-response-profile..........134
webapp-session-management ........135
write memory .............135
wsgw ................136
wsm-agent ..............136
wsm-endpointrewrite...........136
wsm-rule ...............137
wsm-stylepolicy ............137
wsrr-server ..............138
wsrr-subscription ............138
wsrr-synchronize ............139
xml parser limits ............139
xml validate ..............139
xmlfirewall ..............141
xml-manager .............141
xml-mgmt ..............142
xpath-routing .............143
xsl cache size .............143
xsl checksummed cache ..........144
xslconfig ...............145
xslcoproc ...............145
xslproxy ...............147
xslrefresh...............148
zos-nss ...............149
Chapter 3. AAA Policy configuration mode ...............151
actor-role-id ..............151
authenticate ..............152
authorize ...............153
authorized-counter ...........154
cache-allow ..............154
cache-ttl ...............154
dos-valve...............155
extract-identity .............156
extract-resource.............156
ldap-suffix ..............157
ldap-version ..............157
log-allowed ..............158
log-allowed-level ............158
log-rejected ..............158
log-rejected-level ............159
map-credentials ............159
map-resource .............160
namespace-mapping ...........160
ping-identity-compatibility .........161
post-process ..............161
rejected-counter ............161
saml-artifact-mapping ..........162
saml-attribute .............162
saml-name-qualifier ...........163
saml-server-name ............163
saml-sign-alg .............163
saml-sign-cert .............164
saml-sign-hash .............164
saml-sign-key .............165
saml-valcred..............165
saml2-metadata.............165
ssl.................166
transaction-priority ...........166
wstrust-encrypt-key ...........166
Chapter 4. Access Control List configuration mode.........169
allow ................169
deny ................170
Chapter 5. Application Domain configuration mode.........173
config-mode ..............173
deployment-policy............173
domain-user (deprecated) .........174
file-monitoring .............175
file-permissions.............175
import-format .............176
import-url ..............176
local-ip-rewrite .............177
maxchkpoints .............177
reset domain .............178
visible-domain .............179
Chapter 6. Application Security Policy configuration mode.........181
error-match ..............181
request-match .............182
response-match.............182
Chapter 7. Compact Flash configuration mode (Type 9235) . . . 185
directory ...............185
read-only...............185
Chapter 8. Compile Options Policy configuration mode.........187
allow-soap-enc-array ...........187
debug ................187
minesc ...............188
profile ................188
stack-size ...............189
stream................189
strict ................190
try-stream ..............190
validate-soap-enc-array ..........191
wildcard-ignore-xsi-type..........191
wsdl-strict-soap-version ..........191
wsdl-validate-body ...........192
wsdl-validate-faults ...........192
wsdl-validate-headers ..........193
wsdl-wrapped-faults ...........194
wsi-validate ..............194
xacml-debug .............194
xslt-version ..............195
Chapter 9. Conformance Policy configuration mode.........197
assert-bp10-conformance .........197
fixup-stylesheet.............197
ignored-requirements...........198
profiles ...............199
reject-include-summary ..........200
reject-level ..............200
report-level ..............201
report-target..............202
response-properties-enabled ........202
response-reject-include-summary .......203
response-reject-level ...........203
response-report-level ...........204
response-report-target ..........204
result-is-conformance-report ........205
Chapter 10. CRL configuration mode 207
bind-dn ...............207
bind-pass...............207
fetch-url ...............208
issuer ................208
read-dn ...............209
refresh................209
remote-address .............210
ssl-profile...............211
Chapter 11. Crypto configuration mode ...............213
certificate...............213
cert-monitor ..............215
crl.................215
crypto-export .............216
crypto-import .............216
decrypt ...............217
encrypt ...............219
fwcred................220
hsm-clone-kwk (HSM models)........221
hsm-delete-key (HSM models)........222
hsm-reinit (HSM models) .........222
idcred ................222
kerberos-kdc .............224
kerberos-keytab ............224
key.................225
keygen ...............227
password-map .............230
profile ................231
sign ................236
sskey ................237
test password-map ...........239
valcred ...............240
validate ...............241
Chapter 12. Crypto Certificate Monitor configuration mode.........243
disable-expired-certs ...........243
log-level ...............244
poll.................244
reminder ...............245
Chapter 13. Crypto Firewall Credentials configuration mode . . . 247
certificate...............247
key.................247
sskey ................248
Chapter 14. Crypto Validation Credentials configuration mode . . . 251
cert-validation-mode ...........251
certificate...............252
crldp ................253
explicit-policy .............253
initial-policy-set ............254
require-crl ..............255
use-crl................256
Chapter 15. Deployment Policy configuration mode.........257
accept ..............257
filter ...............258
modify ..............259
Chapter 16. DNS Settings configuration mode.........263
name-server ..............263
search-domain .............264
static-host ..............265
Chapter 17. Document Cache configuration mode.........267
clear ................267
maxdocs ...............268
policy ................268
size.................270
static-document-calls ...........270
Chapter 18. Document Crypto Map configuration mode.........273
namespace-mapping ...........273
operation ...............273
select ................274
Chapter 19. Failure Notification configuration mode.........275
always-on-startup ............275
email-address .............275
internal-state .............275
location-id ..............276
remote-address .............276
Chapter 20. Flash configuration mode 277
boot config ..............277
boot delete ..............277
boot image ..............278
boot switch ..............278
boot update ..............279
copy ................280
delete ................282
dir.................283
move ................284
reinitialize ..............284
shutdown ..............285
Chapter 21. FTP Poller Front Side Handler configuration mode .....287
delay-time ..............287
error-delete ..............287
error-rename-pattern ...........287
match-pattern .............288
processing-rename-pattern .........288
processing-seize-pattern ..........289
processing-seize-timeout..........290
result ................291
result-name-pattern ...........291
success-delete .............292
success-rename-pattern ..........292
target-dir ...............292
xml-manager .............293
Chapter 22. FTP Quoted Commands configuration mode.........295
quoted-command ............295
Chapter 23. FTP Server Front Side Handler mode ...........297
acl.................298
address ...............298
allow-ccc ...............299
allow-compression............299
allow-restart..............300
allow-unique-filename ..........300
certificate-aaa-policy ...........300
data-encryption.............301
default-directory ............301
filesystem ..............302
filesystem-size .............303
idle-timeout ..............303
max-filename-len ............303
passive ...............304
passive-idle-timeout ...........304
passive-port-max ............305
passive-port-min ............306
passive-port-range............306
persistent-filesystem-timeout ........307
password-aaa-policy ...........307
port ................308
require-tls ..............308
response-nfs-mount ...........309
response-storage ............309
response-suffix .............310
response-type .............311
response-url ..............311
restart-timeout .............312
ssl.................312
unique-filename-prefix ..........312
virtual-directory ............313
Chapter 24. Hard Disk Array configuration mode (Type 9235) . . . 315
directory ...............315
read-only...............315
Chapter 25. Host Alias configuration mode ...............317
ip-address ..............317
Chapter 26. HTTP Front Side Handler mode ...............319
acl.................319
allowed-features ............320
compression ..............321
local-address .............321
http-client-version ............321
max-header-count ............322
max-header-name-len...........322
max-header-value-len...........323
max-querystring-len ...........323
max-total-header-len ...........323
max-url-len ..............324
persistent-connections ..........324
port ................325
Chapter 27. HTTP Input Conversion Map configuration mode ......327
default-encoding ............327
rule ................328
Chapter 28. HTTP Service configuration mode.........329
acl.................329
identifier ...............329
ip-address ..............330
local-directory .............330
mode ................331
port ................332
priority ...............332
start-page ..............332
Chapter 29. HTTPS Front Side Handler mode ...............335
acl.................335
allowed-features ............336
compression ..............337
local-address .............337
http-client-version ............337
max-header-count ............338
max-header-name-len...........338
max-header-value-len...........339
max-querystring-len ...........339
max-total-header-len ...........339
max-url-len ..............340
persistent-connections ..........340
port ................341
ssl.................341
Chapter 30. Import Configuration File configuration mode.........343
auto-execute..............343
deployment-policy............344
import-format .............344
local-ip-rewrite .............345
overwrite-files .............345
overwrite-objects ............345
source-url ..............346
Chapter 31. Include Configuration File configuration mode.........347
auto-execute..............347
config-url...............347
interface-detection ............348
Chapter 32. Interface configuration mode ...............351
arp.................351
dhcp ................351
ip address ..............352
ip default-gateway ...........353
ip route ...............353
mac-address ..............354
mode ................355
mtu ................355
packet-capture .............356
standby ...............357
Chapter 33. iSCSI CHAP configuration mode (Type 9235) .........361
password...............361
username...............361
Chapter 34. iSCSI Host Bus Adapter configuration mode (Type 9235) . . . 363
dhcp ................363
iname ................364
ip-address ..............364
ip default-gateway ...........365
Chapter 35. iSCSI Target configuration mode (Type 9235) .........367
chap ................367
hba.................367
hostname...............368
port ................368
target-name ..............369
Chapter 36. iSCSI Volume configuration mode (Type 9235) . . . 371
directory ...............371
lun.................371
read-only...............372
target................372
Chapter 37. Kerberos KDC Server configuration mode.........373
port ................373
realm ................373
server ................374
tcp.................374
udp-timeout ..............375
Chapter 38. Kerberos Keytab configuration mode.........377
filename ...............377
use-replay-cache ............377
Chapter 39. LDAP Search Parameters configuration mode.........379
base-dn ...............379
filter-prefix ..............379
filter-suffix ..............380
returned-attribute ............380
scope ................381
Chapter 40. Load Balancer Group configuration mode.........383
algorithm...............383
damp ................384
giveup-when-all-members-down .......385
health-check ..............385
masquerade ..............387
server ................387
try-every-server ............388
Chapter 41. Log Target configuration mode ...............389
ansi-color...............389
archive-mode .............389
backup ...............390
email-address .............390
encrypt ...............390
event ................391
event-code ..............392
event-detection .............392
event-filter ..............393
facility................394
feedback-detection............394
format................394
group (deprecated) ...........395
local-address .............395
local-file ...............396
local-ident ..............396
nfs-file................396
nfs-static-mount ............397
object ................397
rate-limit ...............398
remote-address .............398
remote-directory ............399
remote-login..............400
remote-port ..............401
retry (deprecated) ............402
rotate ................402
sender-address .............403
sign ................403
size.................403
smtp-domain .............404
soap-version..............405
ssl.................405
suppression-period ...........405
timeout (deprecated) ...........406
timestamp ..............406
type ................406
upload-method .............407
url.................408
Chapter 42. Matching Rule configuration mode.........409
combine-with-or ............409
errorcode ...............409
fullurlmatch (deprecated) .........410
hostmatch (deprecated) ..........410
httpmatch ..............410
match-with-pcre ............411
no match ...............411
urlmatch ...............411
xpathmatch ..............412
Chapter 43. Message Count Monitor configuration mode.........413
distinct-sources .............413
filter ................413
header................414
measure ...............415
message-type .............415
source ................416
Chapter 44. Message Duration Monitor configuration mode.........417
filter ................417
measure ...............418
message-type .............419
Chapter 45. Message Filter Action configuration mode.........421
block-interval .............421
log-priority ..............422
type ................422
Chapter 46. Message Matching configuration mode.........425
http-header ..............425
http-header-exclude ...........426
ip.................427
ip-exclude ..............427
method ...............428
request-url ..............429
Chapter 47. Message Type configuration mode.........431
message-matching ............431
Chapter 48. MTOM Policy configuration mode.........433
include-content-type ...........433
mode ................433
rule ................434
Chapter 49. Multi-Protocol Gateway configuration mode.........435
attachment-byte-count ..........435
attachment-package-byte-count .......435
attribute-count .............436
back-attachment-format ..........436
back-persistent-timeout ..........437
back-timeout .............437
backend-url ..............438
chunked-uploads ............438
compression ..............439
default-param-namespace .........440
element-depth .............440
external-references............441
follow-redirects.............441
forbid-external-references (deprecated) .....442
front-attachment-format ..........442
front-persistent-timeout ..........442
front-protocol .............443
front-timeout .............443
fwcred................444
gateway-parser-limits...........444
host-rewriting .............445
http-client-ip-label ............446
http-server-version ...........446
include-content-type-encoding........447
inject ................447
load-balancer-hash-header .........448
loop-detection .............449
max-message-size ............449
max-node-size .............450
mime-back-headers ...........450
mime-front-headers ...........451
monitor-count .............452
monitor-duration ............452
monitor-processing-policy .........453
monitor-service.............454
parameter ..............454
persistent-connections ..........455
priority ...............456
process-http-errors............456
propagate-uri .............457
query-param-namespace..........458
request-attachments ...........458
request-type ..............459
response-attachments...........460
response-type .............461
root-part-not-first-action ..........462
soap-schema-url ............462
ssl.................463
stream-output-to-back ..........464
stream-output-to-front ..........464
stylepolicy ..............465
suppress ...............465
type ................466
urlrewrite-policy ............466
wsa-back-protocol ............467
wsa-default-faultto ...........467
wsa-default-replyto ...........468
wsa-faultto-rewrite ...........469
wsa-force ...............470
wsa-genstyle .............471
wsa-http-async-response-code ........471
wsa-mode ..............472
wsa-replyto-rewrite ...........474
wsa-strip-headers ............474
wsa-timeout ..............475
wsa-to-rewrite .............476
wsrm ................476
wsrm-aaapolicy ............477
wsrm-destination-accept-create-sequence ....477
wsrm-destination-accept-offers .......478
wsrm-destination-inorder .........478
wsrm-destination-maximum-inorder-queue-length 479
wsrm-destination-maximum-sequences .....479
wsrm-request-force ...........480
wsrm-response-force ...........480
wsrm-sequence-expiration .........480
wsrm-source-back-acks-to .........481
wsrm-source-exponential-backoff .......482
wsrm-source-front-acks-to .........482
wsrm-source-inactivity-close-interval .....483
wsrm-source-make-offer ..........483
wsrm-source-maximum-queue-length .....484
wsrm-source-maximum-sequences ......484
wsrm-source-request-ack-count .......485
wsrm-source-request-create-sequence .....485
wsrm-source-response-create-sequence .....485
wsrm-source-retransmission-interval......486
wsrm-source-retransmit-count ........486
wsrm-source-sequence-ssl .........487
xml-manager .............487
Chapter 50. Network Settings configuration mode.........489
arp-interval ..............489
arp-retries ..............489
destination-routing ...........490
disable-interface-isolation .........490
ecn-disable ..............491
icmp-disable..............491
relax-interface-isolation ..........492
tcp-retries ..............492
Chapter 51. NFS Client Settings configuration mode.........495
kerberos-keytab ............495
mount-refresh-time ...........495
Chapter 52. NFS Dynamic Mounts configuration mode.........497
authenticate ..............497
inactivity-timeout ............497
mount-timeout .............498
read-only...............498
retrans................499
rsize ................499
timeo ................500
transport ...............501
version ...............501
wsize ................501
Chapter 53. NFS Poller Front Side Handler configuration mode .....503
delay-time ..............503
error-delete ..............503
error-rename-pattern ...........504
match-pattern .............504
processing-rename-pattern .........504
processing-seize-pattern ..........505
processing-seize-timeout..........506
result ................507
result-name-pattern ...........507
success-delete .............508
success-rename-pattern ..........508
target-dir ...............509
xml-manager .............509
Chapter 54. NFS Static Mounts configuration mode .........511
authenticate ..............511
local-filesystem-access ..........511
read-only...............512
remote ...............512
retrans................513
rsize ................513
timeo ................514
transport ...............515
version ...............515
wsize ................515
Chapter 55. NTP Service configuration mode ...............517
refresh-interval .............517
remote-server .............517
Chapter 56. Peer Group configuration mode ...............519
type ................519
url.................519
Chapter 57. Policy Attachments configuration mode.........521
enforcement-mode............521
external-policy .............521
ignore-attachment-point ..........522
policy-references ............522
Chapter 58. Policy Parameters configuration mode.........523
parameter ..............523
Chapter 59. Processing Action configuration mode.........525
aaa-policy ..............525
async-action ..............525
asynchronous .............526
attachment-uri .............526
condition ...............527
destination ..............528
dynamic-schema ............528
dynamic-stylesheet ...........529
error-input ..............529
error-mode ..............530
error-output ..............530
event ................531
input ................531
input-conversion ............532
iterator-count .............532
iterator-expression............533
iterator-type ..............534
log-level ...............534
log-type ...............535
loop-action ..............535
multiple-outputs ............536
output................537
output-type ..............537
parameter ..............538
results ................538
retry-count ..............539
retry-interval .............540
rule ................540
schema-url ..............541
slm.................541
soap-validation .............542
sslcred................542
timeout ...............543
transform...............543
type ................544
urlrewrite-policy ............546
value ................546
variable ...............547
wsdl-attachment-part ...........547
wsdl-message-direction-or-name .......548
wsdl-operation .............548
wsdl-port...............549
wsdl-url ...............549
xpath ................549
Chapter 60. Processing Metadata configuration mode.........551
meta-item ..............551
Chapter 61. Processing Policy configuration mode.........553
error-rule...............553
filter ................553
match ................554
request-rule ..............555
response-rule .............555
rule ................556
xsldefault...............557
Chapter 62. Processing Rule configuration mode.........559
aaa.................559
call .................559
checkpoint ..............560
convert-http ..............560
extract................561
fetch ................562
filter ................562
input-filter ..............563
log.................564
non-xml-processing ...........564
on-error ...............565
output-filter ..............565
results ................566
results-async .............566
rewrite ...............567
route-action ..............567
route-set ...............568
setvar ................568
slm.................569
strip-attachments ............569
type ................569
unprocessed ..............570
validate ...............570
xform ................572
xformpi ...............573
Chapter 63. RADIUS configuration mode ...............575
aaaserver ...............575
id.................576
retries ................576
server ................577
timeout ...............578
Chapter 64. RBM Settings configuration mode.........581
apply-cli ...............581
au-cache-mode .............582
au-cache-ttl ..............583
au-custom-url .............583
au-info-url ..............584
au-kerberos-keytab ...........584
au-ldap-bind-dn ............585
au-ldap-bind-password ..........585
au-ldap-parameters ...........586
au-ldap-search .............587
au-method ..............588
au-server-host .............589
au-server-port .............589
au-zos-nss ..............590
au-valcred ..............590
cli-timeout ..............591
fallback-login .............591
fallback-user..............592
ldap-prefix ..............593
ldap-sslproxy .............593
ldap-suffix ..............594
ldap-version ..............595
loadbalancer-group ...........595
lockout-duration ............596
max-login-failure ............596
mc-custom-url .............597
mc-info-url ..............598
mc-ldap-bind-dn ............598
mc-ldap-bind-password ..........599
mc-ldap-parameters ...........600
mc-ldap-search .............601
mc-ldap-sslproxy ............602
mc-loadbalancer-group ..........603
mc-method ..............603
mc-server-host .............605
mc-server-port .............606
pwd-aging ..............606
pwd-digit ..............607
Contents xi
pwd-history ..............607
pwd-max-age .............608
pwd-max-history ............608
pwd-minimum-length ..........609
pwd-mixed-case ............609
pwd-nonalphanumeric ..........610
pwd-username .............610
restrict-admin .............611
Chapter 65. Schema Exception Map
configuration mode.........613
original-schema ............613
rule ................613
Chapter 66. Simple Rate Limiter
configuration mode.........615
action ................615
concurrent-connection-limit.........615
distinct-sources .............616
tps.................616
Chapter 67. SLM Action configuration
mode ...............617
log-priority ..............617
type ................617
Chapter 68. SLM Credential Class
configuration mode.........619
header................619
match-type ..............619
stylesheet...............620
type ................621
value ................622
Chapter 69. SLM Policy configuration
mode ...............625
eval-method ..............625
peer-group ..............626
statement...............626
Chapter 70. SLM Resource Class
configuration mode.........629
match-type ..............629
stylesheet...............630
subscription ..............630
type ................631
value ................632
wsrr-subscription ............633
xpath-filter ..............633
Chapter 71. SLM Schedule
configuration mode.........635
days ................635
duration ...............635
start ................636
Chapter 72. SNMP Settings
configuration mode.........637
access ................637
port ................638
trap-code ...............638
trap-priority ..............639
trap-target ..............639
version ...............640
Chapter 73. SOAP Header Disposition
Table configuration mode ......643
refine ................643
Chapter 74. Stateful Raw XML Handler
configuration mode.........645
acl.................645
close-on-fault .............645
local-address .............646
port ................647
remote-address .............647
remote-port ..............647
ssl.................648
Chapter 75. Stateless Raw XML
Handler configuration mode .....649
acl.................649
local-address .............649
persistent-connections ..........650
port ................651
ssl.................651
Chapter 76. System Settings
configuration mode.........653
audit-reserve .............653
contact ...............653
custom-ui-file .............654
entitlement ..............655
location ...............655
name ................655
Chapter 77. TAM configuration mode 657
file .................657
ldap-ssl-key-file ............657
ldap-ssl-key-file-dn ...........657
ldap-ssl-key-file-password .........658
ldap-ssl-port..............658
ssl-key................659
ssl-key-stash..............659
use-fips ...............659
use-ldap-ssl ..............659
Chapter 78. TFIM configuration mode 661
tfim-60-req-tokenformat ..........661
tfim-61-req-tokenformat ..........662
tfim-62-req-tokenformat ..........663
tfim-addr ...............664
tfim-compatible.............664
tfim-custom-req-url ...........665
tfim-issuer ..............666
tfim-operation .............666
tfim-pathaddr .............667
tfim-port ...............668
tfim-porttype .............668
tfim-schema-validate ...........669
tfim-sslproxy .............669
Chapter 79. Telnet Service
configuration mode.........671
acl.................671
ip-address ..............671
port ................672
Chapter 80. Throttle Settings
configuration mode.........673
memory-terminate............673
memory-throttle ............673
qcode-warn ..............674
sensors-log ..............674
status-log...............674
status-loglevel .............675
temp-fs-terminate ............675
temp-fs-throttle.............676
timeout ...............676
Chapter 81. Timezone configuration
mode ...............679
custom ...............679
daylight-name .............679
daylight-offset .............679
daylight-start-day ............680
daylight-start-hours ...........680
daylight-start-minutes ..........681
daylight-start-month ...........681
daylight-start-week ...........682
daylight-stop-day ............682
daylight-stop-hours ...........683
daylight-stop-minutes ..........683
daylight-stop-month ...........684
daylight-stop-week ...........685
direction ...............685
name ................686
offset-hours ..............686
offset-minutes .............687
Chapter 82. UDDI Registry
configuration mode.........689
hostname...............689
inquiry-url ..............689
port ................690
publish-url ..............690
security-url ..............690
ssl.................691
ssl-port ...............691
subscription-url ............692
use-ssl................692
version ...............692
Chapter 83. UDDI Subscription
configuration mode.........693
key.................693
password...............693
registry ...............694
username...............694
Chapter 84. URL Map configuration
mode ...............695
match ................695
Chapter 85. URL Refresh Policy
configuration mode.........697
disable cache .............697
disable flush..............697
interval urlmap.............698
protocol-specified ............699
Chapter 86. URL Rewrite Policy
configuration mode.........701
absolute-rewrite ............701
content-type ..............703
header-rewrite .............704
norule...............705
post-body ..............705
rewrite (deprecated) ...........707
Chapter 87. User Agent configuration
mode ...............709
add-header-policy ............709
basicauth ...............710
chunked-uploads-policy ..........711
compression-policy ...........711
ftp-policy...............712
identifier ...............714
max-redirects .............715
proxy................715
pubkeyauth ..............716
restrict-http-policy............717
soapaction ..............718
ssl.................719
timeout ...............720
Chapter 88. User configuration mode 721
access-level ..............721
domain ...............721
group................722
password...............722
snmp-cred ..............723
Chapter 89. User Group configuration
mode ...............727
access-policy .............727
add.................728
delete ................729
Chapter 90. VLAN configuration mode 731
arp.................731
dhcp ................731
identifier ...............732
interface ...............732
ip address ..............733
ip default-gateway ...........734
ip route ...............734
ip secondary-address ...........735
outbound-priority ............736
packet-capture .............736
standby ...............737
Chapter 91. Web Application Error Handling Policy configuration mode . 741
error-monitor .............741
error-rule...............741
type ................742
Chapter 92. Web Application Firewall
configuration mode.........743
back-persistent-timeout ..........743
back-timeout .............743
chunked-uploads ............744
error-policy ..............744
follow-redirects.............745
front-persistent-timeout ..........745
front-timeout .............746
host-rewriting .............746
http-back-version ............747
http-client-ip-label ............747
http-front-version ............747
listen-on ...............747
priority ...............748
remote-address .............748
remote-port ..............749
request-security ............749
response-security ............749
security-policy .............749
ssl-profile...............750
stream-output-to-back ..........750
stream-output-to-front ..........751
uri-normalization ............751
xml-manager .............752
Chapter 93. Web Application Name Value Profile configuration mode . . . 753
max-aggregate-size ...........753
max-attributes .............753
max-name-size .............753
max-value-size .............754
unvalidated-fixup-map ..........754
unvalidated-fixup-policy .........754
unvalidated-xss-check ..........755
validation ..............755
Chapter 94. Web Application Request
Profile configuration mode .....757
aaa-policy ..............757
acl.................757
cookie-policy .............758
error-policy-override ...........759
multipart-form-data ...........760
policy-type ..............760
ratelimiter-policy ............761
request-body-max ............762
request-body-min ............762
request-body-profile ...........762
request-content-type ...........763
request-header-profile ..........763
request-methods ............764
request-nonxml-policy ..........765
request-nonxml-rule ...........765
request-qs-policy ............766
request-qs-profile ............766
request-uri-filter-dotdot ..........767
request-uri-filter-exe ...........767
request-uri-filter-fragment .........767
request-uri-filter-unicode .........768
request-uri-max ............768
request-versions ............768
request-xml-policy............769
request-xml-rule ............769
session-policy .............770
Chapter 95. Web Application Response Profile configuration mode . 771
error-policy-override ...........771
policy-type ..............772
response-body-max ...........772
response-body-min ...........773
response-codes .............773
response-content-type ..........774
response-header-profile ..........775
response-nonxml-policy ..........775
response-nonxml-rule...........776
response-versions ............776
response-xml-policy ...........777
response-xml-rule ............777
Chapter 96. Web Application Session Management Policy configuration
mode ...............779
allow-cookie-sharing ...........779
auto-renew ..............779
lifetime ...............780
matching-policy ............780
Chapter 97. Web Management Service
configuration mode.........781
idle-timeout ..............781
local-address .............781
save-config-overwrite...........782
ssl.................782
Chapter 98. Web Service Proxy
configuration mode.........783
aaa-policy ..............783
attachment-byte-count ..........783
attribute-count .............784
autocreate-sources ............784
back-attachment-format ..........785
back-persistent-timeout ..........785
back-timeout .............786
backend-url ..............786
backside-port-rewrite ...........787
chunked-uploads ............787
client-principal .............788
compression ..............788
decrypt-key ..............789
default-param-namespace .........789
element-depth .............790
endpoint-rewrite-policy ..........790
external-references............790
follow-redirects.............791
forbid-external-references (deprecated) .....791
front-attachment-format ..........791
front-persistent-timeout ..........791
front-protocol .............792
front-timeout .............792
frontside-port-rewrite...........793
fwcred................793
gateway-parser-limits...........794
host-rewriting .............795
http-client-ip-label ............795
http-server-version ...........796
include-content-type-encoding........796
inject ................796
kerberos-keytab ............797
load-balancer-hash-header .........797
loop-detection .............798
max-message-size ............798
max-node-size .............799
mime-back-headers ...........799
mime-front-headers ...........800
monitor-count .............800
monitor-duration ............801
monitor-processing-policy .........802
monitor-service.............802
operation-conformance ..........803
operation-policy-opt-out ..........804
operation-priority ............806
parameter ..............807
persistent-connections ..........808
policy-parameters ............808
priority ...............810
process-http-errors............810
propagate-uri .............811
query-param-namespace..........811
reliable-messaging............812
remote-retry ..............813
request-attachments ...........814
request-type ..............815
response-attachments...........816
response-type .............817
root-part-not-first-action ..........817
server-principal.............818
soap-action-policy ............818
soap-schema-url ............819
ssl.................819
stream-output-to-back ..........820
stream-output-to-front ..........820
stylepolicy ..............821
suppress ...............821
type ................822
uddi-subscription ............822
urlrewrite-policy ............823
user-policy ..............824
wsa-back-protocol ............825
wsa-default-faultto ...........826
wsa-default-replyto ...........827
wsa-faultto-rewrite ...........827
wsa-force ...............828
wsa-genstyle .............829
wsa-http-async-response-code ........830
wsa-mode ..............830
wsa-replyto-rewrite ...........832
wsa-strip-headers ............833
wsa-timeout ..............834
wsa-to-rewrite .............834
wsdl ................835
wsdl-cache-policy ............836
wsrr-subscription ............836
wsrm ................837
wsrm-aaapolicy ............837
wsrm-destination-accept-create-sequence ....838
wsrm-destination-accept-offers .......838
wsrm-destination-inorder .........839
wsrm-destination-maximum-inorder-queue-length 839
wsrm-destination-maximum-sequences .....839
wsrm-request-force ...........840
wsrm-response-force ...........840
wsrm-sequence-expiration .........841
wsrm-source-back-acks-to .........841
wsrm-source-exponential-backoff .......842
wsrm-source-front-acks-to .........842
wsrm-source-inactivity-close-interval .....843
wsrm-source-make-offer ..........844
wsrm-source-maximum-queue-length .....844
wsrm-source-maximum-sequences ......844
wsrm-source-request-ack-count .......845
wsrm-source-request-create-sequence .....845
wsrm-source-response-create-sequence .....846
wsrm-source-retransmission-interval......846
wsrm-source-retransmit-count ........847
wsrm-source-sequence-ssl .........847
xml-manager .............848
Chapter 99. Web Services Management Agent configuration
mode ...............849
buffer-mode ..............849
capture-mode .............849
max-memory .............850
max-records ..............850
Chapter 100. Web Services Monitor
configuration mode.........851
endpoint-name .............851
endpoint-url..............851
frontend-url ..............851
operation ...............852
transport ...............853
wsdl ................853
Chapter 101. WS-Proxy Endpoint
Rewrite configuration mode .....855
backend-rule .............855
listener-rule ..............856
publisher-rule .............858
subscription-backend-rule .........859
subscription-listener-rule .........860
subscription-publisher-rule .........861
Chapter 102. WS-Proxy Processing
Policy configuration mode......863
filter ................863
match ................863
xsldefault...............865
Chapter 103. WS-Proxy Processing
Rule configuration mode ......867
aaa.................867
action ................867
call .................868
checkpoint ..............868
convert-http ..............869
extract................869
fetch ................870
filter ................871
input-filter ..............872
log.................872
non-xml-processing ...........873
on-error ...............873
output-filter ..............874
results ................874
results-async .............875
rewrite ...............875
route-action ..............875
route-set ...............876
setvar ................876
slm.................877
strip-attachments ............877
type ................878
unprocessed ..............878
validate ...............879
xform ................880
xformpi ...............881
Chapter 104. WSRR Server
configuration mode.........883
password...............883
server-version .............883
soap-url ...............884
ssl.................884
username...............885
Chapter 105. WSRR Subscription
configuration mode.........887
fetch-policy-attachments ..........887
method ...............887
namespace ..............888
object-name ..............888
object-type ..............889
refresh-interval .............889
server ................890
use-version ..............890
version ...............890
Chapter 106. XML Firewall
configuration mode.........893
acl.................893
attachment-byte-count ..........893
attribute-count .............894
back-attachment-format ..........894
bytes-scanned .............895
default-param-namespace .........895
element-depth .............896
external-references............896
firewall-parser-limits ...........897
forbid-external-references (deprecated) .....897
front-attachment-format ..........897
fwcred................898
local-address .............898
max-message-size ............899
max-node-size .............899
mime-headers .............900
monitor-count .............900
monitor-duration ............901
monitor-processing-policy .........901
monitor-service.............902
parameter ..............902
priority ...............903
query-param-namespace..........903
remote-address .............904
request-attachments ...........905
request-type ..............906
response-attachments...........907
response-type .............908
root-part-not-first-action ..........909
soap-schema-url ............909
ssl.................910
stylesheet-policy ............910
type ................911
urlrewrite-policy ............912
wsdl-file-location ............912
wsdl-response-policy ...........913
xml-manager .............913
Chapter 107. XML Management
Interface configuration mode ....915
local-address .............915
mode ................915
port ................917
slm-peering ..............917
ssl.................918
user-agent ..............918
Chapter 108. XML Manager
configuration mode.........921
loadbalancer-group ...........921
schedule-rule .............921
user-agent ..............922
Chapter 109. XML Parser Limits
configuration mode.........923
attribute-count .............923
bytes-scanned .............923
element-depth .............923
external-references............924
forbid-external-references (deprecated) .....924
max-node-size .............924
Chapter 110. XPath Routing Map
configuration mode.........925
namespace-mapping ...........925
rule ................925
Chapter 111. XSL Coprocessor
Service configuration mode .....927
cache-relative-url ............927
connection-timeout ...........927
crypto-extensions ............927
default-param-namespace .........928
intermediate-result-timeout .........928
ip-address ..............928
port ................929
priority ...............929
ssl.................929
stylesheet-policy ............930
stylesheet-rule .............930
urlrewrite-policy ............932
use-client-resolver ............932
xml-manager .............932
Chapter 112. XSL Proxy Service
configuration mode.........933
acl.................933
default-param-namespace .........933
ip-address ..............934
monitor-count .............934
monitor-duration ............935
monitor-processing-policy .........936
parameter ..............936
priority ...............937
port ................937
query-param-namespace..........938
remote-address .............938
ssl.................939
stylesheet-policy ............940
type ................941
urlrewrite-policy ............942
xml-manager .............942
Chapter 113. z/OS NSS Client
configuration mode.........943
client-id ...............943
host ................943
password...............944
port ................945
ssl.................945
system-name .............945
user-name ..............946
Chapter 114. Monitoring commands 949
show aliases ..............949
show application-security-policy .......949
show audit-log .............949
show audit-search ............950
show chkpoints.............951
show clock ..............951
show compact-flash (Type 9235) .......952
show conformancepolicy .........952
show cpu...............952
show crypto ..............952
show default-gateway ..........952
show deployment-policy .........953
show documentcache...........953
show domain .............953
show domains .............953
show file ...............954
show firmware .............954
show firmware-version ..........955
show http ..............955
show interface .............955
show interface mode ...........956
show ip ...............956
show library-version ...........957
show license..............958
show loadbalancer-group .........958
show loadbalancer-status .........958
show log ...............958
show logging .............959
show loglevel .............960
show matching .............960
show memory .............961
show netarp ..............961
show ntp-refresh ............961
show ntp-service ............962
show password-map ...........962
show radius ..............962
show raid-phys-disks (Type 9235) ......962
show raid-volume (Type 9235)........962
show raid-volumes (Type 9235) .......963
show route ..............963
show rule ..............963
show running-config ...........963
show sensors (deprecated) .........963
show sensors-fans ............964
show sensors-other ...........964
show sensors-temperature .........964
show sensors-voltage ...........965
show services .............965
show simple-rate-limiter..........965
show snmp ..............966
show standby .............966
show startup-config ...........966
show startup-errors ...........966
show statistics .............967
show stylepolicy ............967
show stylesheet.............968
show stylesheets ............968
show system .............969
show tcp ...............969
show throttle .............969
show throughput ............970
show time ..............970
show urlmap .............970
show urlrefresh.............970
show useragent.............970
show usergroups ............971
show usernames ............971
show users ..............971
show version .............971
show web-application-firewall ........971
show webapp-error-handling ........972
show webapp-gnvc ...........972
show webapp-request-profile ........973
show webapp-response-profile .......973
show webapp-session-management ......973
show wsrr-server ............974
show wsrr-subscription ..........974
show wsrr-subscription-status ........975
show wsrr-subscription-service-status .....975
show xmlfirewall ............976
show xmlmgr .............976
show xslcoproc .............977
show xslproxy .............977
show xslrefresh.............977
Appendix A. Working with variables 979
Service variables ............980
General service variables ........980
Multi-Protocol Gateway and Web Service Proxy
service variables ...........981
Configuration services service variables . . . 982
Load balancer service variables ......983
Multistep variables ..........983
Transaction variables ...........984
Asynchronous transaction variables .....984
Error handling transaction variables .....985
Headers transaction variables .......986
Information transaction variables ......987
Persistent connection transaction variables. . . 988
Routing transaction variables .......988
Statistics variables ...........989
URL-based transaction variables ......989
Web Services Management transaction variables 990
Extension variables ...........992
System variables ............994
List of available variables .........995
Appendix B. Processing Policy
procedures ............999
Stylesheet policies using inline rules ......999
Configuring a Matching Rule.......1000
Configuring a Processing Policy ......1000
Assigning a Processing Policy to a DataPower
service ..............1000
Stylesheet policies using global rules .....1001
Configuring a Matching Rule.......1002
Configuring a Global Rule .......1002
Configuring a Processing Policy ......1002
Assigning a Processing Policy to a DataPower
service ..............1003
Appendix C. Stylesheet Refresh
Policy configuration ........1005
High-level procedure ..........1005
Example...............1005
Appendix D. Compile Options Policy
configuration ...........1007
Profiling overview ...........1007
Configuration overview .........1008
Appendix E. Getting help and
technical assistance ........1009
Searching knowledge bases ........1009
Getting a fix .............1009
Contacting IBM Support .........1010
Notices and trademarks ......1011
Trademarks..............1011
Index ..............1013
Preface
IBM® WebSphere® DataPower® SOA Appliances are purpose-built, easy-to-deploy network appliances that simplify, help secure, and accelerate your XML and Web services deployments while extending your SOA infrastructure. These appliances offer an innovative, pragmatic approach to harness the power of SOA while simultaneously enabling you to leverage the value of your existing application, security, and networking infrastructure investments.
Who should read this document
This document is intended for administrators of IBM WebSphere DataPower who are responsible for the configuration and maintenance of web services, security, and data communications equipment. These administrators are expected to have familiarity with XML and XSLT.
This document assumes that you have installed and initially configured the appliance as described in the IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide or in the IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide, depending on the model type.
Publications
The IBM WebSphere DataPower library is organized into the following categories:
• “Installation and upgrade documentation”
• “Administration documentation” on page xx
• “Development documentation” on page xx
• “Reference documentation” on page xx
• “Integration documentation” on page xxi
• “Problem determination documentation” on page xxi
• “Supplemental documentation” on page xxi
Installation and upgrade documentation
• IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide
Provides instructions for installing and powering up the Type 7993 (9003) appliance, creating a startup configuration script, and placing the appliance in operation.
• IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide
Provides instructions for installing and powering up the Type 9235 appliance, creating a startup configuration script, and placing the appliance in operation.
• IBM WebSphere DataPower SOA Appliances: Type 9235: Hardware Problem Determination and Service Guide
Provides information about diagnosing and troubleshooting hardware problems, ordering consumable replacement parts, and replacing parts.
• IBM WebSphere DataPower SOA Appliances: Upgrade and Rollback Guide: Generation 2 Firmware
Provides instructions for upgrading Generation 2 firmware and for rolling back firmware upgrades.
Administration documentation
• IBM WebSphere DataPower SOA Appliances: Appliance Overview
Provides an introduction to the IBM WebSphere DataPower SOA appliances.
• IBM WebSphere DataPower SOA Appliances: Administrators Guide
Provides instructions for using the DataPower WebGUI to manage user access, network access, and appliance and system configuration.
• IBM WebSphere DataPower SOA Appliances: Hardware Security Module Guide
Provides instructions for using a Hardware Security Module (HSM) installed in the appliance.
Development documentation
• IBM WebSphere DataPower SOA Appliances: XSL Accelerator Developers Guide
Provides instructions for using the WebGUI to configure XSL Proxy and XSL Co-Processor services.
• IBM WebSphere DataPower SOA Appliances: XML Firewall Developers Guide
Provides instructions for using the WebGUI to configure XML Firewall services.
• IBM WebSphere DataPower SOA Appliances: Web Application Firewall Developers Guide
Provides instructions for using the WebGUI to configure Web Application Firewall services.
• IBM WebSphere DataPower SOA Appliances: Multi-Protocol Gateway Developers Guide
Provides instructions for using the WebGUI to configure Multi-Protocol Gateway services.
• IBM WebSphere DataPower SOA Appliances: Web Service Proxy Developers Guide
Provides instructions for using the WebGUI to configure Web Service Proxy services.
• IBM WebSphere DataPower SOA Appliances: B2B Gateway Developers Guide
Provides instructions for using the WebGUI to configure B2B Gateway services.
• IBM WebSphere DataPower SOA Appliances: Low Latency Messaging Developers Guide
Provides instructions for using the WebGUI to configure a DataPower appliance for low latency messaging.
Reference documentation
• Product-specific documentation for using commands from the command line.
The documentation is specific to each of the following products. Each document provides an alphabetical listing of all commands with syntactical and functional descriptions.
IBM WebSphere DataPower XML Accelerator XA35: Command Reference
IBM WebSphere DataPower XML Security Gateway XS40: Command Reference
IBM WebSphere DataPower XML Integration Appliance XI50: Command Reference
IBM WebSphere DataPower B2B Appliance XB60: Command Reference
IBM WebSphere DataPower Low Latency Messaging Appliance XM70: Command Reference
• IBM WebSphere DataPower SOA Appliances: Extension Elements and Functions Catalog
Provides programming information about the usage of DataPower XSLT extension elements and extension functions.
Integration documentation
The following documents are available for managing the integration of related products that can be associated with the DataPower appliance:
• IBM WebSphere DataPower SOA Appliances: Integrating with ITCAM
Provides concepts for integrating the DataPower appliance with IBM Tivoli Composite Application Management for SOA.
• IBM WebSphere DataPower SOA Appliances: Integrating with WebSphere Transformation Extender
Provides concepts for integrating the DataPower appliance with WebSphere Transformation Extender.
• IBM WebSphere DataPower XML Integration Appliance XI50: WebSphere MQ Interoperability
Explains the concepts and common use patterns for connecting DataPower services to WebSphere MQ systems.
Problem determination documentation
• IBM WebSphere DataPower SOA Appliances: Problem Determination Guide
Provides troubleshooting and debugging tools.
Supplemental documentation
• IBM WebSphere DataPower SOA Appliances: Understanding Web Services Policy
Provides conceptual information about how the DataPower appliance can use Web Services Policy (WS-Policy).
• IBM WebSphere DataPower SOA Appliances: Understanding WS-Addressing
Provides conceptual information about how the DataPower appliance can use WS-Addressing.
• IBM WebSphere DataPower SOA Appliances: Understanding LTPA
Provides conceptual information about how the DataPower appliance can use Lightweight Third Party Authentication.
• IBM WebSphere DataPower SOA Appliances: Understanding SPNEGO
Provides conceptual information about how the DataPower appliance can use SPNEGO.
• IBM WebSphere DataPower SOA Appliances: Optimizing through Streaming
Provides conceptual information about and procedures for optimizing the DataPower appliance through streaming.
• IBM WebSphere DataPower SOA Appliances: Securing the Last Mile
Provides conceptual information about and procedures for using the DataPower appliance to secure the last mile.
• IBM WebSphere DataPower SOA Appliances: Configuring the DoD PKI
Provides conceptual information about and procedures for configuring the DataPower appliance with Department of Defense Public Key Infrastructure.
Reading syntax statements
The reference documentation uses the following special characters to define syntax:
[ ]  Identifies optional options. Options not enclosed in brackets are required.
...  Indicates that you can specify multiple values for the previous option.
|    Separates mutually exclusive options. You can use the option to the left of the separator or the option to the right of the separator, but not both in a single use of the command.
{ }  Delimits a set of mutually exclusive options when one of the options is required. If the options are optional, they are enclosed in brackets ([ ]).
When options or parameters must be given in a specific order, the syntax statement shows that order.
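The notation above is regular enough to check mechanically. The following Python matcher is an added example, not code from IBM's manual: it parses a syntax statement written in this notation and reports whether a typed command line is a complete, valid use of it. Two assumptions go beyond the page: value placeholders are written in angle brackets (the printed manual marks them with italics, which plain text loses), and a command line is split on whitespace. The statements used in the demo are constructed to exercise each element of the notation and are not taken from the command chapters.

```python
import re

# Tokens of the notation: "...", the four delimiters, "|", an <argument>
# placeholder (assumed convention, see lead-in), or a literal keyword.
TOKEN_RE = re.compile(r"\.\.\.|[\[\]{}|]|<[^>]+>|[^\s\[\]{}|<>]+")


def tokenize(statement):
    return TOKEN_RE.findall(statement)


def parse_alternatives(tokens, i, closer):
    """Parse 'seq | seq | ...' up to the matching closer; return (alts, next index)."""
    alts = []
    while True:
        seq, i = parse_sequence(tokens, i, {closer, "|"})
        alts.append(seq)
        if i >= len(tokens):
            raise ValueError("unterminated group, expected %r" % closer)
        if tokens[i] == "|":
            i += 1
            continue
        return alts, i + 1  # consume the closer


def parse_sequence(tokens, i, stop):
    """Parse items until a token in `stop`; return (items, index of the stop token)."""
    items = []
    while i < len(tokens) and tokens[i] not in stop:
        t = tokens[i]
        if t == "[":                       # [ ] optional group
            alts, i = parse_alternatives(tokens, i + 1, "]")
            items.append(("opt", alts))
        elif t == "{":                     # { } required choice
            alts, i = parse_alternatives(tokens, i + 1, "}")
            items.append(("req", alts))
        elif t in ("]", "}"):
            raise ValueError("unexpected %r" % t)
        elif t == "...":                   # repeat the previous item
            if not items:
                raise ValueError("'...' with nothing before it")
            items[-1] = ("rep", items[-1])
            i += 1
        elif t.startswith("<"):            # value placeholder
            items.append(("arg", t))
            i += 1
        else:                              # literal keyword
            items.append(("lit", t))
            i += 1
    return items, i


def match_item(item, args, pos):
    """Return the set of positions at which `item` can end when matched from `pos`."""
    kind, payload = item
    if kind == "lit":
        return {pos + 1} if pos < len(args) and args[pos] == payload else set()
    if kind == "arg":
        return {pos + 1} if pos < len(args) else set()
    if kind in ("opt", "req"):
        ends = set()
        for seq in payload:
            ends |= match_sequence(seq, args, pos)
        if kind == "opt":
            ends.add(pos)                  # zero occurrences is allowed
        return ends
    # "rep": one or more occurrences. The frontier loop stops as soon as no new
    # end position appears, so a repeated optional item cannot loop forever.
    ends = match_item(payload, args, pos)
    frontier = set(ends)
    while frontier:
        new = set()
        for p in frontier:
            new |= match_item(payload, args, p)
        new -= ends
        ends |= new
        frontier = new
    return ends


def match_sequence(items, args, pos):
    positions = {pos}
    for item in items:
        nxt = set()
        for p in positions:
            nxt |= match_item(item, args, p)
        if not nxt:
            return set()
        positions = nxt
    return positions


def check_syntax(statement, command):
    """True if `command` consumes every token and is a valid use of `statement`."""
    items, _ = parse_sequence(tokenize(statement), 0, set())
    args = command.split()
    return len(args) in match_sequence(items, args, 0)


if __name__ == "__main__":
    # Constructed statements, one per notation element; not from the manual.
    for stmt, cmd in [
        ("show {log | logging} [<name>]", "show logging audit"),
        ("ntp <server> ...", "ntp 10.0.0.1 10.0.0.2"),
        ("[-q] {on | off}", "-q"),
    ]:
        print("%-32s %-24s %s" % (stmt, cmd, check_syntax(stmt, cmd)))
```

The matcher returns a set of possible end positions rather than a single one, so a statement such as `[-q] {on | off}` is handled by backtracking over the optional prefix; the same mechanism makes `[name] ...` (zero or more names) terminate, because repetition stops when it produces no new end position. A malformed statement, for example an unclosed bracket, raises ValueError instead of silently accepting or rejecting the command.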
Directories on the appliance
The file system contains many examples and critical configuration files. These directories and their contents are as follows:
audit:
    This directory contains the audit logs. Each appliance contains only one audit: directory. This directory cannot be the destination of a copy. This directory is available from the command line in the default domain only.
    To view the audit log from the WebGUI, select Status → View Logs → Audit Log.
cert:
    This encrypted directory contains private key and certificate files that services use in the domain. You can add, delete, and view files, but you cannot modify these files while in the domain. Each application domain contains one cert: directory. This directory is not shared across domains.
chkpoints:
    This directory contains the configuration checkpoint files for the appliance. Each application domain contains one chkpoints: directory. This directory is not shared across domains.
config:
    This directory contains the configuration files for the appliance. Each application domain contains one config: directory. This directory is not shared across domains.
dpcert:
    This encrypted directory contains files that the appliance itself uses. This directory is available from the command line in the default domain only.
export:
    This directory contains the exported configurations that are created with the Export Configuration utility. Each application domain contains one export: directory. This directory is not shared across domains.
image:
    This directory contains the firmware images (primary and secondary) for the appliance. This directory is where firmware images are typically stored during an upload or fetch operation. Each appliance contains only one image: directory. This directory is available in the default domain only.
local:
    This directory contains miscellaneous files that are used by the services within the domain, such as XSL, XSD, and WSDL files. Each application domain contains one local: directory. This directory can be made visible to other domains. When viewed from other domains, the directory name changes from local: to the name of the application domain.
logstore:
    This directory contains log files that are stored for future reference. Typically, the logging targets use the logtemp: directory for active logs. You can move log files to the logstore: directory. Each application domain contains one logstore: directory. This directory is not shared across domains.
logtemp:
    This directory is the default location of log files, such as the appliance-wide default log. This directory can hold only 13 MB. This directory cannot be the destination of a copy. Each application domain contains one logtemp: directory. This directory is not shared across domains.
pubcert:
    This encrypted directory contains the security certificates that are commonly used by Web browsers. These certificates are used to establish security credentials. Each appliance contains only one pubcert: directory. This directory is shared across domains.
sharedcert:
    This encrypted directory contains security certificates that are shared with partners. Each appliance contains only one sharedcert: directory. This directory is shared across domains. However, you must be in the default domain to create or upload keys and certificates.
store:
    This directory contains example style sheets, default style sheets, and schemas that are used by the local appliance. Do not modify the files in this directory.
    Each appliance contains only one store: directory. By default, this directory is visible to all domains. You can make changes to the contents of this directory from the default domain only.
    The store: directory has the following subdirectories:
    meta
        This encrypted subdirectory contains files that are used by the appliance itself.
    msgcat
        This subdirectory contains the message catalogs.
    policies
        This subdirectory contains the following subdirectories. The contents of these subdirectories affect Web services policy.
        custom
            This subdirectory contains custom style sheets.
        mappings
            This subdirectory contains mapping style sheets.
        templates
            This subdirectory contains XML files.
    profiles
        This subdirectory contains style sheets that are used by DataPower services.
    schemas
        This subdirectory contains schemas that are used by DataPower services.
    dp
        This encrypted subdirectory contains files that are used by the appliance itself. This subdirectory is available from the command line only.
    pubcerts
        This encrypted subdirectory contains files that are used by the appliance itself. This subdirectory is available from the command line only.
tasktemplates:
    This directory contains the XSL files that define the display of specialized WebGUI screens. Each appliance contains only one tasktemplates: directory. This directory is visible to the default domain only.
temporary:
    This directory is used as temporary disk space by processing rules. Each application domain contains one temporary: directory. This directory is not shared across domains.
Object name conventions
The name must be unique in this object namespace. The following characters in an object name are valid:
• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (dash)
• . (period)
Typeface conventions
The following typeface conventions are used in the documentation:
bold         Identifies commands, programming keywords, and GUI controls.
italics      Identifies words and phrases used for emphasis and user-supplied variables.
monospaced   Identifies user-supplied input or computer output.
Chapter 1. Initial login and common commands
This chapter provides an alphabetic listing of the commands that are available before entering a specific configuration mode (available at initial login) and commands that are available in most, if not all, configuration modes.
Initial login commands
For a list of the commands that are available after an initial login, refer to Table 1. This table provides a listing of the available commands and their purpose. To determine whether these commands are available to a specific user-type class after an initial login, refer to Table 2.
Table 1. Initial login commands and their general purpose
Command                  Purpose
alias (1)                Creates a command macro.
clock (1)                Sets the date or time.
configure terminal       Enters Global configuration mode.
disable (1)              Enters User Mode.
disconnect               Closes a user session.
echo                     Echoes text to the console.
enable                   Enters Privileged mode.
exec                     Calls and runs a target configuration script from another configuration script.
exit                     Closes the CLI connection.
help                     Displays online help.
login                    Logs in to the appliance as a specific user.
ntp (1)                  Identifies an NTP server.
ping                     Determines if a target host is reachable on the network.
show                     Displays configuration or status information.
shutdown (2)             Restarts or shuts down the appliance.
switch domain            Moves to a specified domain.
template (1)             Runs an interactive command line script.
test schema (1)          Tests conformity of an XML file against a schema.
test tcp-connection (1)  Tests the TCP connection to a remote host.
top                      Returns users to their initial log in mode.
traceroute (1)           Traces the network path to a target host.
(1) Also available in Global mode.
(2) Also available in Flash configuration mode.
Table 2. Commands by type of user that are available after initial login
Command               admin user   Privileged-type user   User-type user
alias                 Yes          Yes                    No
clock                 Yes          Yes                    No
configure terminal    Yes          Yes                    No
disable               Yes          Yes                    No
disconnect            Yes          Yes                    No
echo                  Yes          Yes                    Yes
enable                No           No                     Yes
exec                  Yes          Yes                    No
exit                  Yes          Yes                    Yes
help                  Yes          Yes                    Yes
login                 Yes          Yes                    No
ntp                   Yes          Yes                    No
ping                  Yes          Yes                    Yes
show                  Yes          Yes                    Yes
shutdown              Yes          Yes                    No
switch                Yes          Yes                    Yes
template              Yes          Yes                    Yes
test schema           Yes          Yes                    Yes
test tcp-connection   Yes          Yes                    Yes
top                   Yes          Yes                    Yes
traceroute            Yes          Yes                    Yes
Common commands
For a list of the commands that are available in most configuration modes, refer to Table 3. This table provides a listing of the available commands and their purpose.
Table 3. Common configuration commands and their general purpose
Command                  Purpose
admin-state              Sets the administrative state of an object.
cancel                   Cancels changes to the current object and returns to the parent configuration mode.
disconnect (1)           Closes a user session.
echo (1)                 Echoes text to the console.
exit (1)                 Applies changes to the current object and returns to the parent configuration mode.
help (1)                 Displays online help.
ping (1)                 Determines if a target host is reachable on the network.
reset                    Restores default values.
show (1,2)               Displays configuration information.
summary                  Specifies a brief object-specific comment.
test tcp-connection (1)  Tests the TCP connection to a remote host.
traceroute (1)           Traces the network path to a target host.
(1) The command is also available after initial log in, which is before you explicitly enter a configuration mode. To determine whether these commands are available to a specific user-type class after an initial login, refer to Table 2 on page 1.
(2) The output from the command differs when invoked after initial log in and when invoked while in a configuration mode.
admin-state
Sets the administrative state of an object.
Syntax
admin-state {enabled | disabled}
Parameters
enabled
    (Default) Places an object in the enabled (active) state.
disabled
    Places an object in the disabled (inactive) state.
Guidelines
The admin-state command sets the administrative state of an object. Administrative states are not equivalent to operational states. When an object has an administrative state of enabled, its operational state might be up, down, or pending. However, when an object has an administrative state of disabled, its operational state is always down.
Examples
• Disables the object.
  # admin-state disabled
  #
alias
Creates a command macro.
Syntax
alias alias command
no alias alias
Parameters
alias     Specifies the name of the alias. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv.
command
          Specifies a sequence of commands and arguments.
Guidelines
Also available in Global configuration mode.
If creating a macro that uses multiple commands, you can either:
• Surround the string in quotes and separate commands with a semicolon. For example:
  alias eth0 "configure terminal; interface ethernet 0"
• Separate commands with an escaped semicolon. For example:
  alias eth0 configure terminal\;interface ethernet 0
Use the no alias command to delete a command macro.
Related Commands
show alias
Examples
• Creates an alias eth0. When invoked, moves to Interface configuration mode (with the configure terminal and interface commands) for Ethernet Port 0.
  # alias eth0 configure terminal\;interface eth0
  Alias update successful
  #
• Creates an alias mgtport. When invoked, moves to Interface configuration mode (with the configure terminal and interface commands) for Management Port 0. Only the command sequence is quoted; the alias name stays outside the quotes.
  # alias mgtport "configure terminal; interface management 0"
  Alias update successful
  #
• Creates an alias back2. When invoked, moves back two configuration modes. If invoked from Validation Credentials configuration mode, moves to Global configuration mode.
  # alias back2 "exit; exit"
  Alias update successful
  #
• Creates an alias proxies. When invoked, displays information about XSL Proxy objects.
  # alias proxies show xslproxy
  Alias update successful
  #
• Creates an alias update-cfg. When invoked, restarts the appliance with an updated configuration script.
  # alias update-cfg configure terminal\;flash\;del config:runningconfig.cfg\;copy http://10.10.1.1/configs/39.3.cfg config:///runningconfig.cfg\;boot config runningconfig.cfg\;shutdown
  Alias update successful
  #
• Deletes the eth0 alias.
  # no alias eth0
  Alias 'eth0' deleted
  #
cancel
Cancels changes to the current object and returns to the parent configuration mode.
Syntax
cancel
Guidelines
The cancel command cancels all configuration changes to the current object and returns to the parent configuration mode. This command is available in all configuration modes except Interface configuration mode.
Related Commands
exit, reset
Examples
• Cancels the current configuration, which leaves the object unchanged.
  # cancel
  #
clock
Sets the date or time.
Syntax
clock yyyy-mm-dd
clock hh:mm:ss
Parameters
yyyy-mm-dd
Specifies the date in four-digit year, two-digit month, and two-digit day format. When setting the date, separate each value with a hyphen (-).
hh:mm:ss
Specifies the time in two-digit hour, two-digit minute, and two-digit second format. When setting the time, separate each value with a colon (:).
Guidelines
Also available in Global configuration mode.
Related Commands
ntp, show clock
Examples
• Sets the date to August 8, 2007.
  # clock 2007-08-08
  Clock update successful
  #
• Sets the time to 8:31 PM.
  # clock 20:31:00
  Clock update successful
  #
configure terminal
Enters Global configuration mode.
Syntax
configure terminal
Guidelines
You use Global configuration mode to create system-wide resources that are available to various system services, to configure global behaviors, and to enter specialized configuration modes.
Related Commands
disable, exit
Examples
• Enters Global configuration mode.
  # configure terminal
  Global configuration mode
  (config)#
diagnostics
Enters Diagnostics mode.
Syntax
diagnostics
Guidelines
The diagnostics command enters Diagnostics mode.
Attention: Use this command only at the explicit direction of IBM Support.
disable
Enters User Mode.
Syntax
disable
Guidelines
Also available in Global configuration mode.
Related Commands
enable, exit
Examples
• Exits Privileged Mode and enters User Mode.
  # disable
  Exiting privileged mode.
  >
disconnect
Closes a user session.
Syntax
disconnect session
Parameters
session   Specifies the session ID.
Guidelines
The disconnect command closes a user session. Use the show users command to display the list of active user sessions.
Related Commands
show users
Examples
• Closes the session that is associated with session ID 36.
  # disconnect 36
  Session 36 closed.
  #
echo
Echoes text to the console.
Syntax
echo text
Parameters
text   Specifies the text to display.
enable
Enters Privileged mode.
Syntax
enable
Guidelines
After entering the enable command, the CLI prompts for a user name and password. Only authenticated users are allowed to enter Privileged Mode.
Use the disable command to exit Privileged Mode and enter User Mode.
Use the exit command to exit Privileged Mode and terminate the CLI connection.
Use Privileged Mode to provide initial access and to start and shut down the appliance.
Related Commands
disable, exit
Examples
• Exits User Mode and enters Privileged Mode.
  > enable
  Username: admin
  Password: ********
  #
exec
Calls and runs a target configuration script.
Syntax
exec URL
Parameters
URL   Identifies the location of the configuration file.
      • If the file resides on the appliance, this parameter takes the form directory:///filename, where:
        directory
            Identifies a local directory. Generally, the directory is one of the following keywords:
            – config
            – local
        filename
            Identifies the file in the directory.
      • If the file is remote and the transport protocol is HTTP, HTTPS, SCP, or SFTP, this parameter takes one of the following forms:
        – http://user:password@host/file
        – https://user:password@host/file
        – scp://user:password@host/file
        – sftp://user:password@host/file
        The host name can be specified as an IP address or as a qualified host name when DNS services were previously enabled.
        With the remote forms, the user:password pair is part of the URL. Prefer https, scp, or sftp over http so that neither the credentials nor the configuration script cross the network in cleartext.
Guidelines
The exec command enables the modularity of configuration scripts. For example, you can include all service configuration commands in a script called services.cfg and all Multi-Protocol Gateway configuration commands in the gateway.cfg script.
A main configuration script can consist entirely of a series of exec commands.
Examples
• Executes the specified configuration scripts.
  # configure terminal
  # exec config:///housekeeping.cfg
  # exec config:///interfaces.cfg
  # exec config:///crypto.cfg
  # exec config:///services.cfg
  #
exit
Applies changes to the current object and returns to the parent configuration mode.
Syntax
exit
Guidelines
The exit command applies all changes made to the object to the running configuration. To save these changes to the startup configuration, use the write mem command.
When issued from User Mode or Privileged Mode, the exit command closes the CLI connection. In all other modes, the command returns to its parent mode. When issued from the top most parent, the command closes the CLI connection.
Related Commands
cancel, disable, write mem (Global)
Examples
• Closes the CLI connection from User or Privileged Mode.
  # exit
• Applies all changes made to the Crypto Validation Credentials object. Leaves Crypto Validation Credentials configuration mode and returns to Crypto configuration mode. Leaves Crypto configuration mode and returns to Global configuration mode. Persists the changes made to all objects during this session to the startup configuration. Closes the CLI connection.
  (config crypto-val-credentials)# exit
  (config crypto)# exit
  (config)# write mem
  (config)# exit
help
Displays online help.
Syntax
help [command]
? [command]
Parameters
command   Specifies the command name.
Examples
• Displays a list of commands available in Privileged Mode.
  # help
• Displays help for the shutdown command.
  # help shutdown
• Displays help for the shutdown command.
  # ? shutdown
login
Logs in to the appliance as a specific user.
Syntax
login
Guidelines
After entering the login command, the CLI prompts for a username and password.
User accounts log in to User Mode, while admin, privileged accounts, and group-specific accounts log in to Privileged Mode.
After your initial log in, the CLI prompts you to change your password.
Related Commands
username
Examples
• Logs in as support (a privileged account).
  # login
  Username: support
  Password: ********
  #
• Logs in as eugene (a user account).
  # login
  Username: eugene
  Password: ********
  >
ntp
Identifies an NTP server.
Syntax
ntp server [interval]
no ntp
Parameters
server Specifies the IP address or host name.
interval
Specifies the number of seconds between synchronizations with the NTP server. The default is 900.
Guidelines
Also available in Global configuration mode.
Use the ntp command to identify the NTP (Network Time Protocol) server. After identifying an NTP server, the appliance functions as a Simple Network Time Protocol (SNTP) client as described in RFC 2030.
The command takes only a server and an interval; it configures no authentication of the time source. Place the NTP server on a trusted network, because the appliance clock governs certificate validity checks and the timestamps in the audit and system logs.
Note: From the CLI, the appliance supports the configuration of only one NTP server. Although the CLI supports only one NTP server, you can use the WebGUI to identify multiple NTP servers. When more than one NTP server is identified, the appliance contacts the first NTP server in the list. If this server does not respond, the appliance contacts the next server in the list. If you used the WebGUI to identify more than one NTP server, do not use the CLI to modify the NTP service. Using the ntp command replaces the entire list with the one identified NTP server.
Related Commands
clock, show ntp-service, show ntp-refresh, time
Examples
• Identifies 10.10.12.13 as the NTP server. Uses the default synchronization interval.
  # ntp 10.10.12.13
  Modifying NTP Service configuration
  #
• Replaces 10.10.12.13 with 10.10.12.14 as the NTP server. Sets the synchronization interval to every 2 minutes.
  # ntp 10.10.12.14 120
  Modifying NTP Service configuration
  #
• Deletes the configured NTP server.
  # no ntp
  Modifying NTP Service configuration
  % No NTP servers are configured
  #
ping
Determines if a target host is reachable on the network.
Syntax
ping host
Parameters
host Specifies the target host. Use either the IP address or host name.
Guidelines
The ping command sends 6 Internet Control Message Protocol (ICMP) echo-request messages to the specified host with a one second interval between each message and reports the results.
Related Commands
ip host, ip name-server, test tcp-connection, traceroute
Examples
• Pings ragnarok.
  # ping ragnarok
• Pings 192.168.77.144.
  # ping 192.168.77.144
reset
Restores default values.
Syntax
reset
Guidelines
The reset command sets mode-specific properties to their default values. Properties that lack default values are unchanged.
Default values assigned by the reset command are not applied until the user uses the exit command to save changes and exit the current configuration mode.
Related Commands
cancel, exit
Examples
• Restores default values for the object and returns to Global configuration mode.
  # reset
  # exit
  #
show
Displays configuration or status information.
Syntax
show [ arguments ]
Parameters
arguments
Specifies the specific configuration object or status object.
Guidelines
The show command displays configuration information or status information that is relevant to the provided argument. In the absence of an argument, the result differs depending on where you invoked the command.
• Within the initial login, displays a list of available arguments.
• Within a configuration mode, lists the currently configured properties of that object.
For information about using the various show commands, refer to Chapter 114, “Monitoring commands,” on page 949.
shutdown
Restarts or shuts down the appliance.
Syntax
shutdown reboot [seconds]
shutdown reload [seconds]
shutdown halt [seconds]
Parameters
reboot    Shuts down and restarts the appliance.
reload    Restarts the appliance.
halt      Shuts down the appliance.
seconds
          Specifies the number of seconds before the appliance starts the shutdown operation. Use an integer in the range of 0 through 65535. The default is 10.
Guidelines
Also available in Flash configuration mode.
The appliance restarts using the startup configuration specified by the boot config command and the startup firmware image specified by the boot image command. If a startup configuration or firmware image has not been designated, the appliance restarts with the configuration and firmware image that were active when the shutdown command was executed.
Related Commands
boot config, boot image
Examples
• Shuts down and restarts the appliance after 10 seconds.
  # shutdown reboot
  Reboot in 10 second(s).
  #
• Restarts the appliance after 20 seconds.
  # shutdown reload 20
  Reload in 20 second(s).
  #
• Shuts down the appliance after 60 seconds.
  # shutdown halt 60
  Shutdown in 60 second(s).
  #
summary
Specifies a brief, object-specific comment.
Syntax
summary string
Parameters
string   Specifies descriptive text for the object.
Guidelines
The summary command specifies a brief, object-specific comment. If the comment contains spaces, enclose the comment in double quotation marks.
Examples
• Adds an object-specific comment.
  # summary "Amended server list"
switch domain
Moves to a specified domain.
Syntax
switch domain [domain]
Parameters
domain   Specifies the name of the target domain.
Guidelines
In the absence of a specified target domain, the command prompts for the domain name.
Related Commands
domain
Examples
• Switches from the default domain to the application-1 domain.
  (config)# switch domain application-1
  [application-1](config)#
• Displays the list of available domains and switches from the application-1 domain to the default domain.
  [application-1](config)# switch domain
  Domain (? for all): ?
  application-1
  default
  Domain (? for all): default
  (config)#
template
Runs an interactive command line script.
Syntax
template URL
Parameters
URL Specifies the fully-qualified location of the interactive command line script.
Guidelines
Also available in Global configuration mode.
The template command specifies the URL of the interactive command line script. The script is an XML file that can be local or remote to the DataPower appliance. The script must conform to the store:///schemas/dp-cli-template.xsd schema.
To verify whether the script is conformant with the schema, use the test schema command.
Related Commands
test schema
Examples
• Verifies that local:///shell-script.xml conforms to the store:///schemas/dp-cli-template.xsd schema.
  # test schema local:///shell-script.xml store:///schemas/dp-cli-template.xsd
  #
• Runs the interactive script as defined in the local:///shell-script.xml file.
  # template local:///shell-script.xml
  #
test schema
Tests conformity of an XML file against a schema.
Syntax
test schema file schema
Parameters
file     Specifies the URL of the XML file to test.
schema   Specifies the URL of the schema.
Guidelines
Also available in Global configuration mode.
The test schema command tests the conformity of an XML file against an XSD schema file.
Examples
• Tests conformity of the xyzbanner.xml XML file against the dp-user-interface.xsd schema.
  # test schema store:///xyzbanner.xml store:///schemas/dp-user-interface.xsd
  Performing validation of document 'store:///xyzbanner.xml' using schema 'store:///schemas/dp-user-interface.xsd' ...
  Document validation completed: OK.
  #
test tcp-connection
Tests the TCP connection to a remote host.
Syntax
test tcp-connection host port [timeout]
Parameters
host     Specifies the target host. Use either the IP address or host name.
port     Specifies the target port.
timeout
         Specifies an optional timeout value, the number of seconds that the CLI waits for a response from the target host. The default is 10.
Guidelines
Also available in Global configuration mode.
Related Commands
ip host, ip name-server, ping, traceroute
Examples
• Confirms an available TCP connection to the specified host on port number 80 (the well-known HTTP port), using the default timeout value (10 seconds).
  # test tcp-connection ragnarok 80
  TCP connection successful
  #
• Confirms an available TCP connection to the specified IP address on port 21 (the well-known FTP control port). The timeout value is 5 seconds.
  # test tcp-connection 192.168.77.27 21 5
  TCP connection successful
  #
top
Returns users to their initial log in mode.
Syntax
top
Guidelines
Regardless of the current location in the configuration modes, the top command immediately returns you to your original login mode.
For custom accounts, top returns to the user-group-specific login mode.
Related Commands
usergroup
Examples
• Returns the user, either the admin account or a privileged account, to Privileged Mode, the user-specific login mode.
  (config crypto-val-credentials)# top
  #
traceroute
Traces the network path to a target host.
Syntax
traceroute host
Parameters
host   Specifies the target host as either the IP address or host name.
Guidelines
Also available in Global configuration mode.
Related Commands
ip host, ip name-server, ping, test tcp-connection
Examples
• Traces the network path to loki.
  # traceroute loki
Chapter 2. Global configuration mode
You use Global configuration mode to create system-wide resources that are available to various system services, to configure global behaviors, and to enter specialized configuration modes.
This chapter provides an alphabetic listing of commands that are available in Global configuration mode. Many of the commands that are listed in “Common commands” on page 2 and most, but not all, of the commands that are listed in Chapter 114, “Monitoring commands,” on page 949 are also available in Global configuration mode.
aaapolicy
Enters AAA Policy configuration mode.
Syntax
aaapolicy name
no aaapolicy name
Parameters
name Specifies the name of the object.
The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The aaapolicy command enters AAA (Authentication, Authorization, Audit) configuration mode where you can create or modify an AAA Policy.
Use the no aaapolicy command to delete an AAA Policy.
Use the cancel or exit commands to exit AAA Policy configuration mode and return to Global configuration mode.
Related Commands
cancel, exit
account (Common Criteria)
Defines the lockout behavior for local accounts.
Syntax
account max-login-failure count
account lockout-duration minutes
Parameters
lockout-duration minutes
    Specifies the number of minutes to lock out an account after exceeding the maximum number of failed login attempts. A value of 0 indicates that accounts are locked out until reset by a privileged administrator. Use an integer in the range of 0 through 1000. The default is 1.
max-login-failure count
    Specifies the maximum number of failed login attempts to allow before lockout. A value of 0 disables account lockout. Use an integer in the range of 0 through 64. The default is 3.
Context
Available only when the appliance is in Common Criteria mode.
Guidelines
The account command defines whether to lock out a local user account after a specific number of failed login attempts and, if lockout is enabled, the duration to lock out the local account. Enabling lockout behavior and defining the lockout duration requires two invocations of the account command.
• An invocation with the max-login-failure parameter defines the number of failed login attempts to permit before a successful login. If the value is 3 and the user has failed three consecutive login attempts, the behavior on the next login attempt for this user is as follows:
  – If failure, the account is locked out. The duration of the lockout depends on the value defined by the lockout-duration parameter.
  – If successful, the account is not locked out and the count is reset.
  If the value is 0, lockout behavior is disabled. Repeated successive login failures by a user do not cause lockout of that account.
• An invocation with the lockout-duration parameter defines the duration to lock out an account after exceeding the permitted number of failed login attempts defined by the invocation with the max-login-failure parameter. Instead of locking out an account for a specific duration, the account can be locked out until re-enabled by a privileged administrator. To lock out accounts until reset, set the duration to 0.
When lockout behavior is enabled and an account is locked out, a privileged administrator can use the Global reset username command to re-enable the account. To re-enable the account:
1. The administrator changes the password on the account with the reset username command.
2. The user is prompted to change the password again on the next login.
Note: The account command applies to all accounts including the admin account. The only difference is that the admin account cannot be locked out until reset. When the duration is 0, the admin account is locked out for 120 minutes or until re-enabled by another administrator.
Related Commands
reset username
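The lockout rules in the guidelines above, modelled as a small Python state machine so the edge cases can be exercised offline. This is an added illustration and not the appliance's own code. The account names, the minute-based clock, the rule that attempts against a locked account are rejected without advancing the failure counter, and the rule that the counter restarts once a lock is imposed are assumptions made for the example; the manual does not state them.

```python
"""Reference model of the `account` lockout semantics (Common Criteria
mode).  Added illustration; not DataPower code.

Rules taken from the manual text:
  * max-login-failure N: N consecutive failures are tolerated; the
    (N+1)th consecutive failure locks the account.  N == 0 disables
    lockout entirely.
  * lockout-duration M: minutes the account stays locked.  M == 0 means
    "until re-enabled by a privileged administrator" (reset username).
  * A successful login resets the failure counter.
  * The admin account is never locked "until reset": with M == 0 it is
    locked for 120 minutes (or until another administrator re-enables it).
Assumptions (not on the page): attempts against a locked account are
rejected without touching the counter; the counter restarts at 0 when a
lock is imposed.
"""
from dataclasses import dataclass
from typing import Optional

ADMIN_FALLBACK_MINUTES = 120  # from the Note on the admin account


@dataclass
class AccountPolicy:
    max_login_failure: int = 3  # default per the parameter description
    lockout_duration: int = 1   # minutes; default per the description

    def __post_init__(self) -> None:
        if not 0 <= self.max_login_failure <= 64:
            raise ValueError("max-login-failure must be 0..64")
        if not 0 <= self.lockout_duration <= 1000:
            raise ValueError("lockout-duration must be 0..1000")


@dataclass
class LocalAccount:
    name: str
    failures: int = 0
    locked_until: Optional[float] = None  # minute timestamp; None = not locked
    locked_until_reset: bool = False

    def is_locked(self, now_min: float) -> bool:
        if self.locked_until_reset:
            return True
        return self.locked_until is not None and now_min < self.locked_until


def attempt_login(policy: AccountPolicy, acct: LocalAccount,
                  success: bool, now_min: float) -> str:
    """Apply one login attempt at time `now_min` (in minutes).
    Returns "ok", "fail", "locked" (this attempt triggered the lock) or
    "rejected-locked" (attempt refused because the account is locked)."""
    if acct.is_locked(now_min):
        return "rejected-locked"          # assumption: counter unchanged
    if success:
        acct.failures = 0                 # success resets the count
        acct.locked_until = None
        return "ok"
    if policy.max_login_failure == 0:
        return "fail"                     # lockout disabled
    acct.failures += 1
    if acct.failures <= policy.max_login_failure:
        return "fail"                     # still within the permitted count
    # Permitted failures exceeded: lock the account.
    acct.failures = 0                     # assumption: counter restarts
    if policy.lockout_duration > 0:
        acct.locked_until = now_min + policy.lockout_duration
    elif acct.name == "admin":
        acct.locked_until = now_min + ADMIN_FALLBACK_MINUTES
    else:
        acct.locked_until_reset = True
    return "locked"


def reset_username(acct: LocalAccount) -> None:
    """Model of the Global `reset username` command: the account is
    re-enabled and its counter cleared.  The forced password change on
    the user's next login is not modelled."""
    acct.failures = 0
    acct.locked_until = None
    acct.locked_until_reset = False
```

The pair of commands in the Examples below (lockout-duration 0, max-login-failure 4) corresponds to `AccountPolicy(max_login_failure=4, lockout_duration=0)`: the fifth consecutive failure returns "locked" and `locked_until_reset` is set, whereas the same policy applied to the admin account yields a 120-minute timed lock instead.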
Examples
• Enables lockout behavior so that on the fifth consecutive login failure the account is locked out until reset by a privileged administrator:
  # account lockout-duration 0
  # account max-login-failure 4
• Disables lockout behavior.
  # account max-login-failure 0
acl
Enters Access Control List configuration mode for a specified service provider.
Syntax
acl name
acl ssh
acl web-mgmt
acl xml-mgmt
no acl name
Parameters
name   Specifies the name of an object-specific or standalone ACL.
       • Can be the name of the service provider (for example, the name of a DataPower service or the name of a CLI Telnet service), in which case the command enters Access Control List configuration mode to create an object-specific ACL.
       • Can be the name of a standalone ACL, which can later be assigned to a service provider or to any of the Protocol Handler types.
       The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
ssh    Identifies the SSH service. In this case, the command enters ACL configuration mode to create an SSH-specific ACL.
web-mgmt
       Identifies the WebGUI Management Interface. In this case, the command enters ACL configuration mode to create a WebGUI Management Interface-specific ACL.
xml-mgmt
       Identifies the XML Management Interface. In this case, the command enters ACL configuration mode to create an XML Management Interface-specific ACL.
Guidelines
While in Access Control List configuration mode, you can configure an ACL for a specific service provider or for later assignment to a service provider.
An ACL contains one or more clauses. Each clause consists of an IP address range that is defined by an IP address and net mask and a Boolean value (ALLOW or DENY). IP addresses are evaluated against each clause in the order in which they appear in the list. A candidate address is denied or granted access to the service provider in accordance with the first matching clause. Consequently, the order of clauses is important in an Access Control List.
Use the no acl command to delete a named ACL.
Use the exit command to exit Access Control List configuration mode and return to Global configuration mode.
Related Commands
cancel, exit, ssh, xml-mgmt
Examples
v Enters Access Control list configuration mode to create the ACL-1 standalone
ACL.
# acl ACL-1 ACL configuration mode #
v Deletes the standalone ACL-1 ACL.
# no acl ACL-1 #
v Enters ACL configuration mode for the SSH service.
# acl XSLProxy-1 # acl ssh ACL configuration mode #
v Enters ACL configuration mode for the XML Management Interface.
# acl xml-mgmt ACL configuration mode #
action
Enters Processing Action configuration mode.
Syntax
action name
no action name
Parameters
name Specifies the name of the Processing Action.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the no action command to delete a Processing Action.
Use the cancel or exit commands to exit Processing Action configuration mode and return to Global configuration mode.
Related Commands
cancel, exit, show action
alias
Creates a command macro.
Syntax
alias aliasName commandString
no alias aliasName
Parameters
aliasName
Specifies the name of the command macro.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
commandString
Defines a sequence of commands.
Guidelines
If creating a macro that uses multiple commands, you can either:
• Use quotation marks ("") to surround the command string, and use a semicolon (;) after each command. For example:
alias eth0 "configure terminal; interface ethernet 0"
• Separate commands with an escaped semicolon (\;). For example:
alias eth0 configure terminal\;interface ethernet0
Use the no alias command to delete a command macro.
Also available in Privileged mode.
Related Commands
show alias
Examples
• Creates the eth0 alias that moves to Interface configuration mode (with the interface command) for Ethernet Port 0.
# alias eth0 interface eth0
Alias update successful
#
• Creates the mgtport alias that moves to Interface configuration mode (with the interface command) for Management Port 0.
# alias mgtport interface management 0
Alias update successful
#
• Creates the back2 alias that moves back two configuration modes. If invoked while in Validation Credentials configuration mode, moves to Global configuration mode.
# alias back2 "exit; exit"
Alias update successful
#
• Creates the proxys alias that displays information about XSL Proxy objects.
# alias proxys show xslproxy
Alias update successful
#
• Creates the update-cfg alias that restarts the appliance with an updated configuration script.
# alias update-cfg flash\; del config:runningconfig.cfg\;copy http://10.10.1.1/configs/39.3.cfg config:runningconfig.cfg\; boot config runningconfig.cfg\; shutdown
Alias update successful
#
• Deletes the eth0 alias.
# no alias eth0
Alias 'eth0' deleted
#
application-security-policy
Enters Application Security Policy configuration mode.
Syntax
application-security-policy name
no application-security-policy name
Parameters
name Specifies the name of the Application Security Policy.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The application-security-policy command enters Application Security Policy configuration mode to create a named Application Security Policy. A Web Application Firewall can use this Application Security Policy.
Use the no application-security-policy command to delete an Application Security Policy.
Use the cancel or exit commands to exit Application Security Policy configuration mode and return to Global configuration mode.
Related Commands
cancel, exit
audit delete-backup (Common Criteria)
Deletes the archived version of the audit log.
Syntax
audit delete-backup
Context
Available only when the appliance is in Common Criteria mode.
Guidelines
The audit delete-backup command deletes the audit:///audit-log.1 file. This file is the archived version of the audit log. When the size of the audit log, the audit:///audit-log file, reaches approximately 250 kilobytes, the appliance saves this file as the audit:///audit-log.1 file, which overwrites the previous version of the audit:///audit-log.1 file.
After invoking the command, the interface prompts for confirmation.
audit level (Common Criteria)
Sets the audit level of the firmware.
Syntax
audit level {full | standard}
Parameters
full (Default) Audits the standard set of events and decisions on information flow.
standard
Audits the standard set of events only. Does not audit decisions on information flow.
Context
Available only when the appliance is in Common Criteria mode.
Guidelines
The audit level command sets the audit level of the firmware.
• When full auditing is not strictly required, set the level to standard.
• When corporate or business security policies require full auditing, set the level to full. This audit level impacts performance.
audit reserve (Common Criteria)
Reserves disk space for the audit log.
Syntax
audit reserve kilobytes
Parameters
kilobytes
Specifies the amount of disk space in kilobytes to reserve for the audit log. The reserve space must be at least four kilobytes less than the total amount of free space that is currently available on the file system. Use an integer in the range of 0 through 10000. The default is 40.
Context
Available only when the appliance is in Common Criteria mode.
Available only to privileged users in the default domain.
Guidelines
The audit reserve command specifies the amount of disk space in kilobytes to reserve for the audit log. Use this command to alter the amount of disk space to reserve to prevent the loss of audit events in case of a full disk. This function is disabled if the value is 0.
If the appliance is forced to release the audit reserve:
• All data services will be forced into an operational down state and cease to process traffic.
• All administrative services, such as the WebGUI, Telnet, and so forth, will continue to work.
When the appliance forces the release, the log will contain a message that states that the disk space for audit events is low.
Before restoring the appliance to service, a privileged administrator needs to free up disk space. When there is enough available disk space for normal operations, the administrator can restart the appliance, which will resume the processing of traffic.
cache schema
Loads a compiled schema to the schema cache of a specific XML Manager.
Syntax
cache schema xmlMgrName schemaURL [compilationMode]
Parameters
xmlMgrName
Specifies the name of an XML manager.
schemaURL
Specifies the URL of the schema that the specific XML Manager caches.
compilationMode
Optionally specifies the schema compilation mode. Use one of the following values:
general
(Default) Performs standard schema compilation
stream
Compiles the schema in streaming mode
If in doubt about whether the target schema lends itself to streaming, retain the default value of general.
Related Commands
cache stylesheet, cache wsdl
Examples
• Compiles the schema in streaming mode and adds the schema to the schema cache that is maintained by the mgr1 XML Manager.
# cache schema mgr1 http://www.datapower.com/XSD/partnerProfile-1.xsd stream
#
cache stylesheet
Loads style sheets to the stylesheet cache for a specific XML manager.
Syntax
cache stylesheet XML-manager match
Parameters
XML-manager
Specifies the name of an XML Manager.
match Specifies a shell-style match pattern that selects the URLs of the style sheets to cache.
You can use wildcards to define a match pattern as follows:
* The string wildcard matches 0 or more occurrences of any character.
? The single character wildcard matches one occurrence of any single character.
[] The delimiters bracket a character or numeric range:
[1-5] Matches 1, 2, 3, 4, or 5
[xy] Matches x or y
Related Commands
cache schema, cache size, cache wsdl, cache xsl, clear xsl
Examples
• Caches style sheets located at http://www.datapower.com/XSL/ in the stylesheet cache of the mgr1 XML manager.
# cache stylesheet mgr1 http://www.datapower.com/XSL/*.xsl
#
cache wsdl
Loads a compiled WSDL to the WSDL cache of a specific XML Manager.
Syntax
cache wsdl xmlMgrName wsdlURL
Parameters
xmlMgrName
Specifies the name of an XML manager.
wsdlURL
Specifies the URL of the WSDL to cache.
Related Commands
cache schema, cache stylesheet
Examples
• Compiles and adds the specified WSDL to the WSDL cache of the mgr1 XML Manager.
# cache wsdl mgr1 http://www.datapower.com/WSDL/quoteNYSE.wsdl
#
clear aaa cache
Clears the information caches of a specific AAA Policy.
Syntax
clear aaa aaaPolicyName
Parameters
aaaPolicyName
Specifies the name of the AAA Policy.
Guidelines
The clear aaa cache command clears both the authentication and authorization information caches of the specified AAA Policy.
Related Commands
cache allow, cache ttl
Examples
• Clears the authentication and authorization caches of the Policy-1 AAA Policy.
# clear aaa Policy-1
#
clear arp
Clears the ARP table.
Syntax
clear arp
Guidelines
Also available in Interface configuration mode.
Related Commands
arp, show netarp
Examples
• Clears the ARP table.
# clear arp
#
clear dns-cache
Clears the DNS cache.
Syntax
clear dns-cache
Examples
• Clears the DNS cache.
# clear dns-cache
Cleared DNS cache
#
clear pdp cache
Clears all compiled XACML policies of a specific XACML Policy Decision Point (PDP).
Syntax
clear pdp cache pdpName
Parameters
pdpName
Specifies the name of the XACML PDP.
Guidelines
In addition to using the clear pdp cache command to explicitly clear the PDP-specific XACML policy cache, you can use the following WebGUI properties to control the XACML policy cache.
Specify the TTL for the PDP
During PDP configuration, use the cache-ttl command to specify a cache lifetime.
Use the XML Manager
When the PDP is for authorization, users can access the XML Manager that is associated with the AAA Policy with the clear xsl cache command. This command clears the compiled XACML policies in the XML Manager that is referenced by the AAA Policy.
Use a URL Refresh Policy
You can use a URL Refresh Policy whose match conditions match the internal URL xacmlpolicy:///pdpName to perform periodic cache refreshes.
• When PDP TTL is 0, the URL Refresh Policy controls cache refresh.
• When the URL Refresh Policy is the no-cache type, XACML policies are never cached.
• When the URL Refresh Policy is the protocol-specified type, the TTL of the PDP governs cache refresh unless its value is 0.
• When the URL Refresh Policy is the default type with a refresh interval setting, the TTL of the PDP is ignored, and the URL Refresh Policy refresh interval governs cache refresh.
• When the URL Refresh Policy is the no-flush type with a refresh interval setting, the greater of the URL Refresh Policy refresh interval or the TTL of the PDP governs cache refresh.
Related Commands
cache-ttl (XACML Policy Decision Point), clear xsl cache, urlrefresh
Examples
• Clears the XACML policy cache of the PDP-orderEntry PDP.
# clear pdp cache PDP-orderEntry
Cleared cache of PDP PDP-orderEntry
#
clear rbm cache
Clears all cached role-based management (RBM) authentication data.
Syntax
clear rbm cache
Examples
• Clears cached RBM authentication data.
# clear rbm cache
Cleared RBM cache
#
clear xsl cache
Clears the stylesheet cache of a specific XML Manager.
Syntax
clear xsl cache XML-manager
Parameters
XML-manager
Specifies the name of an XML Manager.
Related Commands
cache stylesheet xsl, cache size
Examples
• Clears the stylesheet cache of the mgr1 XML Manager.
# clear xsl cache mgr1
Cleared cache of xmlmgr mgr1
#
cli remote open
Establishes a TCP/IP connection to a specific remote host.
Syntax
cli remote open address port
Parameters
address Specifies the IP address of the remote host.
port Identifies the port on the remote host that monitors CLI traffic. Use an integer in the range of 0 through 65535.
Guidelines
The cli remote open command establishes a TCP/IP session between the appliance and a remote site, but only at the explicit initiation of the admin or a privileged user. This command does not provide a back door to the appliance.
This command provides a command shell to a remote host that allows offsite technicians to access an appliance that is protected by a firewall or other security measures.
This command provides the same function as the cli telnet command, but provides the function from a remote host.
Related Commands
cli telnet
Examples
• Establishes an appliance-initiated TCP/IP connection between the DataPower appliance and the remote host (192.168.32.101:64999) and provides the remote host with a command shell.
# cli remote open 192.168.32.101 64999
#
cli telnet
Enters Telnet Service configuration mode, or creates a Telnet service for client-initiated access to the command line.
Syntax
cli telnet name
cli telnet name [0 | telnetServerIP] telnetServerPort [telnetClientIP clientMask]
no cli telnet name
Parameters
name Specifies the name of the Telnet service.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
0 Indicates a wildcard that specifies all DataPower IP addresses.
telnetServerIP
Specifies the IP address (either primary or secondary) of a DataPower Ethernet interface. In conjunction with the port, identifies the IP address and port that the Telnet service monitors.
telnetServerPort
Identifies a port on one or all IP interfaces. Use an integer in the range of 0 through 65535. In conjunction with the IP address of the server, identifies the appliance IP addresses and port that the Telnet service monitors.
telnetClientIP
Optionally identifies the client IP address. In conjunction with the client mask, defines a contiguous range of IP addresses that are granted client access to the Telnet service.
clientMask
Identifies the network portion of the client IP address. The client mask can be expressed in CIDR (slash) format or in dotted decimal format.
Guidelines
Without the telnetClientIP and clientMask arguments, client access to the Telnet service is unrestricted. To restrict access to a noncontiguous IP address range, compile an ACL with the acl, allow, and deny commands.
Note: Telnet is an unsecure protocol and should be used with extreme caution. Telnet should be enabled only on the trusted management port or on a secure network segment.
Use the no cli telnet command to delete a Telnet service.
Related Commands
acl, allow, deny
Examples
• Enters Telnet Service configuration mode to create the telnet-1 service.
# cli telnet telnet-1
Telnet Service configuration mode
#
• Creates the support Telnet service on 192.168.14.12:23. Access is restricted to the single specified Telnet client (10.10.0.5).
# cli telnet support 192.168.14.12 23 10.10.0.5 255.255.255.255
Installed cli telnet handler
#
• Creates the public Telnet service on Ethernet 192.168.14.12:23. Access is restricted to a range of addresses (10.10.8.0 through 10.10.11.255).
# cli telnet public 192.168.14.12 23 10.10.8.0/22
Installed cli telnet handler
#
• Deletes the support Telnet service.
# no cli telnet support
Deleted cli telnet handler
#
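The clause semantics described under acl (ordered ALLOW/DENY clauses over an address and net mask, first matching clause decides) and the telnetClientIP/clientMask range used by cli telnet (CIDR or dotted-decimal mask), as an added Python example that is not the appliance's code. The textual clause form it parses and the deny-when-nothing-matches default are assumptions for this example; the manual does not state a default.

```python
"""Added example, not from the IBM manual: evaluates an Access Control List
as the acl command describes it (ordered ALLOW/DENY clauses over an address
plus net mask, first matching clause wins) and parses the client address and
mask forms accepted by cli telnet (CIDR or dotted decimal).  Assumption: an
address that matches no clause is denied; the manual does not state a default."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_client_range(client_ip: str, client_mask: str) -> IPv4Net:
    """Build the contiguous client range from telnetClientIP and clientMask.
    clientMask may be CIDR ('/22' or '22') or dotted decimal ('255.255.252.0')."""
    mask = client_mask.lstrip("/")
    if "." in mask:
        # Dotted-decimal mask: IPv4Network rejects a non-contiguous mask.
        return ipaddress.IPv4Network((client_ip, mask), strict=False)
    prefix = int(mask)
    if not 0 <= prefix <= 32:
        raise ValueError("CIDR prefix must be 0 through 32")
    return ipaddress.IPv4Network((client_ip, prefix), strict=False)


@dataclass(frozen=True)
class Clause:
    network: IPv4Net
    allow: bool              # True for ALLOW, False for DENY

    @classmethod
    def parse(cls, text: str) -> "Clause":
        """Parse one clause written as '<allow|deny> <ip> <mask>' or
        '<allow|deny> <ip>/<prefix>' (a constructed text form for this example)."""
        parts = text.split()
        verb = parts[0].lower()
        if verb not in ("allow", "deny"):
            raise ValueError(f"unknown clause type {parts[0]!r}")
        if len(parts) == 2 and "/" in parts[1]:
            ip, prefix = parts[1].split("/", 1)
            net = parse_client_range(ip, prefix)
        elif len(parts) == 3:
            net = parse_client_range(parts[1], parts[2])
        else:
            raise ValueError(f"malformed clause {text!r}")
        return cls(net, verb == "allow")


def evaluate(acl: List[Clause], candidate: str,
             default_allow: bool = False) -> Tuple[bool, Optional[int]]:
    """Return (permitted, index of the first matching clause or None).
    Clauses are checked in list order and the first match decides."""
    addr = ipaddress.IPv4Address(candidate)
    for idx, clause in enumerate(acl):
        if addr in clause.network:
            return clause.allow, idx
    return default_allow, None


def shadowed_clauses(acl: List[Clause]) -> List[int]:
    """Indices of clauses that can never match because an earlier clause
    already covers their whole range.  A useful configuration check, since
    an ordering mistake silently changes who is granted access."""
    shadowed = []
    for idx, clause in enumerate(acl):
        if any(clause.network.subnet_of(earlier.network) for earlier in acl[:idx]):
            shadowed.append(idx)
    return shadowed


# Constructed sample: the same two clauses in both orders.
ALLOW_FIRST = [Clause.parse("allow 10.10.8.0/22"), Clause.parse("deny 10.10.0.0/16")]
DENY_FIRST = [Clause.parse("deny 10.10.0.0/16"), Clause.parse("allow 10.10.8.0/22")]
```

With DENY_FIRST the second clause is unreachable and every 10.10.0.0/16 address is refused; shadowed_clauses reports exactly that kind of ordering error.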
compact-flash (Type 9235)
Enters Compact Flash configuration mode.
Syntax
compact-flash name
Parameters
name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0.
Guidelines
The compact-flash command enters Compact Flash configuration mode for an existing compact flash enabled appliance. For appliances that have a compact flash for auxiliary data storage, the name is cf0.
Examples
• Enters Compact Flash configuration mode for volume cf0.
# compact-flash cf0
Compact Flash configuration mode
#
compact-flash-initialize-filesystem (Type 9235)
Initializes the file system.
Syntax
compact-flash-initialize-filesystem name
Parameters
name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0.
Guidelines
The compact-flash-initialize-filesystem command initializes the file system on the compact flash to allow it to be made active. This action destroys the existing contents of the compact flash storage card.
Examples
• Makes a new file system on the cf0 compact flash volume.
# compact-flash-initialize-filesystem cf0
compact-flash-repair-filesystem (Type 9235)
Repairs the file system.
Syntax
compact-flash-repair-filesystem name
Parameters
name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0.
Guidelines
The compact-flash-repair-filesystem command repairs the file system on the compact flash storage card, in case it was corrupted by an abnormal shutdown of the appliance or other error.
Examples
• Repairs the file system on the cf0 compact flash volume.
# compact-flash-repair-filesystem cf0
compile-options
Enters Compile Options Policy configuration mode.
Syntax
compile-options name
no compile-options name
Parameters
name Specifies the name of the Compile Options Policy.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Profiling results are available with the show profile command, from the WebGUI (Status Stylesheet Profiles), or from the XML Management Interface.
Note: After a style sheet is compiled with profiling enabled, it must be flushed from the cache to disable profiling.
Use the no compile-options command to delete a Compile Options Policy.
Use the cancel or exit command to exit Compile Options Policy configuration mode and return to Global configuration mode.
Refer to Appendix D, “Compile Options Policy configuration,” on page 1007 for details about creating a Compile Option Policy.
Related Commands
cancel, exit, show profile, xslconfig
conformancepolicy
Enters Conformance Policy configuration mode.
Syntax
conformancepolicy name
no conformancepolicy name
Parameters
name Specifies the name of the Conformance Policy.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the conformancepolicy command to enter Conformance Policy configuration mode to create or edit a Conformance Policy. A Conformance Policy is used by a conformance filter or a conformance transform.
• For a conformance filter, define a filter action that uses the store:///conformance-filter.xsl style sheet and specifies the named Conformance Policy.
• For a conformance transform, define a transform (xform) action that uses the store:///conformance-xform.xsl style sheet and specifies the named Conformance Policy.
A Conformance Policy supports the following profiles:
• Web Services Interoperability (WS-I) Basic Profile, version 1.0. The documentation is available at the http://www.ws-i.org/Profiles/BasicProfile-1.0.html site.
• WS-I Basic Profile, version 1.1. The documentation is available at the http://www.ws-i.org/Profiles/BasicProfile-1.1.html site.
• WS-I Attachments Profile, version 1.0. The documentation is available at the http://www.ws-i.org/Profiles/AttachmentsProfile-1.0.html site.
• WS-I Basic Security Profile, version 1.0. The documentation is available at the http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html site.
Use the no conformancepolicy command to delete a Conformance Policy.
Use the cancel or exit command to exit Conformance Policy configuration mode and return to Global configuration mode.
Related Commands
cancel, exit
copy
Copies a file to or from the DataPower appliance.
Syntax
copy [-f] source destination
Parameters
-f Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file will result in a prompt that requests confirmation to overwrite the existing file.
source and destination
Specifies the URLs that identify the source file and target destination, respectively.
• If the source file or target destination reside on the appliance, these arguments take the following form:
directory:///filename
directory
Specifies a directory on the appliance. Refer to “Directories on the appliance” on page xxii for details.
filename
Specifies the name of a file in the specified directory.
• If the source file or target destination is remote to the DataPower appliance and the transport protocol is SCP or SFTP, these arguments take the form that is compliant with RFC 1738.
To use an absolute path:
scp://user@host:port//file_path
sftp://user@host:port//file_path
To use a path that is relative to the user's home directory:
scp://user@host:port/file_path
sftp://user@host:port/file_path
Where:
host Specifies the fully-qualified host name or IP address of the remote server. If DNS is enabled, the host name can be used.
port Specifies the listening port on the remote server.
After issuing the command, the system prompts you for the remote login password.
Guidelines
The copy command transfers files to or from the DataPower appliance. You must issue this command from the appliance. When the source file or target destination is remote to the appliance, this command supports only the following protocols:
• HTTP
• HTTPS
• Secure Copy (SCP)
• Secured File Transfer Protocol (SFTP)
To send a file from the appliance as an email, use the Global send file command.
When using the copy command, be aware of the following restrictions:
• You cannot copy files from the cert: directory.
• You cannot copy files to the audit:, logstore:, or logtemp: directory.
Related Commands
delete, dir, move, send file (Global)
Examples
• Uses HTTP to copy a file from the specified URL to the image: directory.
# copy http://host/image.crypt image:///image.crypt
file copy successful (1534897 bytes transferred)
#
• Uses HTTP over SSL to copy a file from the specified URL to the image: directory.
# copy https://host/image.crypt image:///image.crypt
file copy successful (1534897 bytes transferred)
#
• Uses SCP to copy a file from the specified URL to the store: directory.
# copy scp://jrb@10.10.1.159//XML/stylesheets/InitialConvert.xsl store:///InitialConvert.xsl
Password: yetanotherpassword
file copy successful
#
• Uses SCP to copy a file from the logstore: directory to the specified remote target (identified by a qualified host name).
# copy logstore:///Week1.log scp://jrb@ragnarok.datapower.com//LOGS/Week1.log
Password: yetanotherpassword
file copy successful
#
• Uses SFTP to copy a file from the specified URL to the store: directory.
# copy sftp://jrb@10.10.1.159//XML/stylesheets/InitialConvert.xsl store:///InitialConvert.xsl
Password: yetanotherpassword
file copy successful
#
• Uses SFTP to copy a file from the logstore: directory to the specified remote target.
# copy logstore:///Week1.log sftp://jrb@10.10.1.159//LOGS/x/Week1.log
Password: yetanotherpassword
file copy successful
#
• Copies a file from the config: directory to the local: directory.
# copy config:///startup-config local:///startup-config
file copy successful (2347 bytes transferred)
#
create-tam-files
Creates TAM configuration files.
Syntax
create-tam-files [create-copy] file admin password tam-domain application host port ssl-key-expiry ssl-timeout ldap-host ldap-port [ldap-password] ldap-auth-timeout ldap-search-timeout [use-ldap-cache][ldap-user-cache-size][ldap-policy-cache-size]
Parameters
create-copy
The Tivoli® Access Manager key database and key stash files are placed in the cert: directory when created. This directory does not allow files to be moved out of it. By selecting to create copies of the created files, a copy of the key database and stash files will be placed in the temporary: directory, and can be downloaded off of the appliance.
on Places copies in the temporary: directory.
off (Default) Does not place copies in the temporary: directory.
file Specifies the name to use for the created files. Do not provide a file extension. By default, the configuration files are stored in the local: directory and have the .conf extension. In addition to the configuration files, this file name is the base file name for the TAM key file (.kdb extension) and TAM stash files (.sth extension). The key file and stash file are stored in the cert: directory.
admin Specifies the user name of the TAM administrator. The default is sec_master.
password
Specifies the password for the TAM administrator.
tam-domain
Specifies the name of the TAM domain. The specified domain is the TAM domain to which the TAM client authenticates and which it uses at runtime. The default is Default.
application
Specifies the name of the TAM application. The specified name is combined with the host name of the appliance to create a unique identifier for objects that are created for the TAM client.
host Specifies the host name or IP address of the TAM policy server.
port Specifies the port on which the TAM policy server listens for requests. The default is 7135.
ssl-key-expiry
Specifies the duration, in days, for which the SSL key file for the TAM client is valid. When the key expires, a new key must be generated for the TAM client. Valid range is 1 through 7200. The default is 183.
ssl-timeout
Specifies the wait period, in seconds, that the TAM client waits for a response to an SSL request from the TAM policy server. Valid range is 1 through 30. The default is 30.
ldap-host
Specifies the host name of the LDAP server that is the user registry for the TAM environment.
ldap-port
Specifies the port on which the LDAP server listens for requests. The default is 389.
ldap-password
Specifies the password for the distinguished name (DN) used to sign on (bind) to the LDAP server.
ldap-auth-timeout
Specifies the timeout, in seconds, that is allowed for LDAP authentication operations. There is no range limit. The default is 30.
ldap-search-timeout
Specifies the timeout, in seconds, that is allowed for LDAP search operations. There is no range limit. The default is 30.
use-ldap-cache
Indicates whether to enable client-side caching. Enabling client-side caching can improve performance for similar LDAP queries.
on Enables client-side caching.
off (Default) Disables client-side caching.
ldap-user-cache-size
When client-side caching is enabled, specifies the number of entries in the LDAP user cache. The default is 256.
ldap-policy-cache-size
When client-side caching is enabled, specifies the number of entries in the LDAP policy cache. The default is 20.
Guidelines
Use the create-tam-files command to create the configuration files needed to create a TAM object. The configuration files specify the network and security configuration for the policy server, replica authorization servers, and the LDAP (directory) server.
This command creates the following files:
• Client configuration file
• Key database file
• Key stash file
• Client obfuscation file (TAM version 5.1 and above)
The created files are named using the output file parameter. If TAM files are created with app1 as the output file name parameter, the created files are app1.conf, app1.kdb, app1.sth, and app1.conf.obf (Tivoli Access Manager version 5.1 and above).
The configuration and obfuscation files are written to the local: directory, and the key database and stash files are written to the cert: directory.
Related Commands
cancel, exit, tam
crypto
Enters Crypto configuration mode.
Syntax
crypto
Guidelines
Use the exit command to exit Crypto configuration mode and return to Global configuration mode.
Related Commands
exit
delete
Deletes a file from the DataPower appliance.
Syntax
delete URL
Parameters
URL
Specifies the URL of the file to delete. This argument takes the directory:///filename form, where:
directory
Specifies a directory on the appliance. Refer to “Directories on the appliance” on page xxii for details.
filename
Specifies the name of a file in the specified directory.
Guidelines
The delete command deletes a file on the DataPower appliance. The deletion of a file is permanent. After a file is deleted, it cannot be recovered.
Note: The delete command does not prompt for confirmation. Be certain that you want to delete the file before issuing this command.
Related Commands
copy, dir, move
Examples
• Deletes the startup-config-deprecated file from the store: directory.
# delete store:///startup-config-deprecated
#
• Deletes the betaImage file from the image: directory.
# delete image:///betaImage
#
deployment-policy
Enters Deployment Policy configuration mode.
Syntax
deployment-policy name
no deployment-policy name
Parameters
name Specifies the name of the Deployment Policy.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the deployment-policy command to enter Deployment Policy configuration mode to create or edit a Deployment Policy.
Use the cancel or exit command to exit Deployment Policy configuration mode and return to Global configuration mode.
Use the no deployment-policy command to delete a Deployment Policy.
Related Commands
cancel, exit
dir
Displays the contents of a directory.
Syntax
dir directory
Parameters
directory
Specifies a directory on the appliance. Refer to “Directories on the appliance” on page xxii for details.
Related Commands
copy, delete, move
Examples
• Displays the contents of the config: directory.
# dir config:
File Name          Last Modified              Size
---------          -------------              ----
unicenter.cfg      Mon Jul 9 11:09:36 2007    3411
autoconfig.cfg     Mon Jul 9 14:20:27 2007    20907
89.2 MB available to config:
#
• Displays the contents of the msgcat subdirectory of the store: directory.
# dir store:///msgcat
File Name          Last Modified              Size
---------          -------------              ----
crypto.xml         Mon Jul 9 11:09:26 2007    179069
dplane.xml         Mon Jul 9 11:09:26 2007    299644
. . .
xslt.xml           Mon Jul 9 11:09:26 2007    10233
89.2 MB available to store:///msgcat
#
disable
Enters User Mode.
Syntax
disable
Guidelines
Use the disable command to exit Global configuration mode and enter User mode.
Use the exit command to exit Global configuration mode and enter Privileged mode.
Also available in Privileged mode.
Related Commands
enable, exit
Examples
v Exits Global configuration mode and enters User Mode.
# disable
>
v Exits Global configuration mode and enters Privileged Mode.
# exit
#
dns
Enters DNS Settings configuration mode.
Syntax
dns
no dns
Guidelines
Use the no dns command to disable DNS services.
Use the exit or cancel command to exit DNS Settings configuration mode and return to Global configuration mode.
Related Commands
cancel, exit, ip domain, ip host, ip name-server
Examples
v Enters DNS Settings configuration mode.
# dns
DNS Settings configuration mode
#
v Disables DNS services.
# no dns
#
document-crypto-map
Enters Document Crypto Map configuration mode.
Syntax
document-crypto-map name
no document-crypto-map name
Parameters
name Specifies the name of the Document Crypto Map.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the no document-crypto-map command to delete a Document Crypto Map.
Use the exit or cancel command to exit Document Crypto Map Mode and return to Global configuration mode.
Related Commands
cancel, exit
documentcache
Enters Document Cache configuration mode for a specific XML Manager.
Syntax
documentcache XML-manager
Parameters
XML-manager
Specifies the name of an XML Manager.
Guidelines
By default, document caching is disabled. Document caching enables an XML Manager to cache any document that is retrieved through HTTP.
In Document Cache configuration mode, you can:
v Enable and specify the size of the document cache
v Design cache policies that determine which documents will be cached and how long they will be retained in the cache
v Delete cache policies
v Clear specific documents or all documents from the document cache.
Use the exit command to exit Document Cache configuration mode and enter Global configuration mode.
Related Commands
exit
domain
Enters Application Domain configuration mode.
Syntax
domain name
no domain name
Parameters
name Specifies the name of the application domain.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The domain command enters Application Domain configuration mode to create a new Application Domain object or to modify an existing Application Domain object. While in this configuration mode, use the mode-specific commands to define the configuration of the Application Domain object.
To delete an Application Domain object, use the no domain command.
To exit this configuration mode without saving configuration changes to the running configuration, use the cancel command.
To exit this configuration mode and save configuration changes to the running configuration, use the exit command.
Related Commands
cancel, exit
failure-notification
Enters Failure Notification configuration mode.
Syntax
failure-notification
no failure-notification
Guidelines
Use the no failure-notification command to disable failure reporting. By default, failure reporting is disabled.
Use the cancel or exit command to exit Failure Notification configuration mode and enter Global configuration mode.
Related Commands
cancel, exit, send error-report
file-capture
Controls the file capture trace utility.
Syntax
file-capture {always | errors | off}
Parameters
always
Enables the file capture trace utility and provides a trace of all appliance traffic.
errors Enables the file capture trace utility and provides a trace for failed transactions only.
off (Default) Disables the file capture trace utility.
Guidelines
The file-capture command enables or disables the file capture trace facility. File captures facilitate visibility into erroneous XML or XSLT content as well as provide a record of the sources of erroneous content.
To support file capture, the appliance document trace function creates a RAM-disk to house a WebGUI-accessible virtual file system for tracing all traffic through the appliance. Each transaction appears in a file hierarchy broken down according to the semantics of its URL (that is, a directory for the hostname portion and a directory for each slash portion of the URL) and then further by individual transaction.
Each transaction that represents a transformation stores not only the inputs, but information on style sheets, and disposition of the transformation.
Documents are stored in compressed format to reduce byte count. Should documents need to be removed from the RAM-disk space they will be removed on a FIFO basis.
While browsing the virtual file system repository via the WebGUI, any point in the directory hierarchy can be downloaded either as a tar ball or a zip file.
Note: With file capture enabled (either always or errors), significant performance penalties are imposed. Consequently, file capture should be enabled only in test environments, not in production environments.
Related Commands
packet-capture
Examples
v Enables the file capture trace utility for failed transactions only.
# file-capture errors
File capture mode set to errors
#
v Disables the file capture trace utility, which restores the default state.
# file-capture off
File capture mode set to off
#
flash
Enters Flash configuration mode.
Syntax
flash
Guidelines
Use the exit command to exit Flash configuration mode and enter Global configuration mode.
Related Commands
exit
ftp-quote-command-list
Enters FTP Quoted Commands List configuration mode.
Syntax
ftp-quote-command-list name
no ftp-quote-command-list name
Parameters
name Specifies the name of the FTP quoted command list.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the no ftp-quote-command-list command to delete an FTP quoted commands list.
Use the cancel or exit command to exit FTP Quoted Commands List configuration mode and enter Global configuration mode.
Related Commands
cancel, exit
host-alias
Enters Host Alias configuration mode to map an IP address to an alias.
Syntax
host-alias alias
no host-alias alias
Parameters
alias Specifies the alias to assign to the specified IP address.
Guidelines
Use the no host-alias command to remove an alias map.
Related Commands
cancel, exit
httpserv
Enters HTTP Server configuration mode.
Syntax
httpserv name
httpserv name address port
no httpserv name
Parameters
name Specifies the name of the HTTP server.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
address Specifies the IP address of the appliance interface that, in conjunction with the port, identifies the interface-port pair that the HTTP server monitors for incoming HTTP client requests.
port Specifies the port of the appliance interface that, in conjunction with the IP address, identifies the interface-port pair that the HTTP server monitors for incoming HTTP client requests.
Guidelines
You can use either of two forms of the httpserv command to create an HTTP server.
v The single-command form creates a basic HTTP server that serves documents only from the general user storage (store:) area.
v The multi-command form creates an HTTP server capable of serving documents from other local storage areas, and provides the ability to add optional features such as user authentication.
With only the name argument, the command enters HTTP Server configuration mode, a mode that supports HTTP server creation with a series of brief single-purpose commands.
While in HTTP Server configuration mode, you must use the ip-address, local-directory, and port commands to complete server configuration. Optionally, you can use the authentication, mode, and start-page commands to provide enhanced server functions.
If you wish to restrict access to an HTTP server, you can compile an ACL using the acl, allow, and deny commands.
Use the no httpserv command to delete an HTTP server.
Use the exit command to exit HTTP Server configuration mode and return to Global configuration mode.
Related Commands
acl, exit, show services
Examples
v Enters HTTP Server configuration mode to create the Serv-1 HTTP server.
# httpserv Serv-1
HTTP Server configuration mode
#
v Creates the Serv-2 HTTP server on the specified interface.
# httpserv Serv-2 192.168.1.200 64000
Installed HTTP server on port 64000
#
v Deletes the Serv-2 HTTP server.
# no httpserv Serv-2
#
import-execute
Imports an Import Package object.
Syntax
import-execute package
Parameters
package
Specifies the name of the Import Package object.
Guidelines
The import-execute command imports an existing Import Package object. The Import Package must have been created with the import-package command.
Related Commands
import-package
Examples
v Imports the Norwood Import Package.
# import-execute Norwood
#
import-package
Enters Import Configuration File configuration mode.
Syntax
import-package name
no import-package name
Parameters
name Specifies the name of the Import Configuration File object.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The import-package command enters Import Configuration File configuration mode to create a new Import Configuration File object or to modify an existing Import Configuration File object. While in this configuration mode, use the mode-specific commands to define the configuration of the Import Configuration File object.
To delete an Import Configuration File object, use the no import-package command.
To exit this configuration mode without saving configuration changes to the running configuration, use the cancel command.
To exit this configuration mode and save configuration changes to the running configuration, use the exit command.
Related Commands
cancel, exit
include-config
Enters Include Configuration File configuration mode.
Syntax
include-config filename
no include-config filename
Parameters
filename
Specifies the name of the include configuration object.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
An include configuration object references a local or remote configuration file that can be included in other configuration files.
Use the no include-config command to delete an include configuration object.
Related Commands
exec
Examples
v Enters Include Configuration configuration mode to create the standardServiceProxies Include Configuration.
# include-config standardServiceProxies
Include Configuration configuration mode
#
v Deletes the standardServiceProxies Include Configuration.
# no include-config standardServiceProxies
#
input-conversion-map
Enters HTTP Input Conversion Map configuration mode.
Syntax
input-conversion-map name
no input-conversion-map name
Parameters
name Specifies the name of the Input Conversion Map.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the no input-conversion-map command to delete an Input Conversion Map.
Use the cancel or exit command to exit HTTP Input Conversion Map configuration mode and enter Global configuration mode.
Related Commands
cancel, exit
interface
Enters Interface configuration mode for a specified interface.
Syntax
interface {[ethernet 0 | eth0] | [ethernet 1 | eth1] | [ethernet 2 | eth2] | [management 0 | mgt0]}
Guidelines
Depending on model type, the appliance provides three or four Ethernet interfaces. There is one dedicated management port (labelled either MANAGEMENT or MGMT), and two or three network ports (labelled either ETHERNET or NETWORK).
Use the no interface command to delete an Ethernet interface from the appliance.
Note: To disable an Ethernet interface, use the admin-state command in Interface configuration mode.
Use the exit command to exit Interface configuration mode and enter Global configuration mode.
Related Commands
admin-state (Interface), exit, show interface
Examples
v Enters Interface configuration mode for Ethernet interface 0.
# interface ethernet 0
Interface configuration mode (ethernet 0)
#
v Enters Interface configuration mode for Ethernet interface 0.
# interface eth0
Interface configuration mode (eth0)
#
v Deletes Ethernet interface 0 from the network.
# interface eth0
# disable
# no interface eth0
#
ip domain
Adds an entry to the IP domain-suffix search table.
Syntax
ip domain domain
no ip domain domain
Parameters
domain Specifies the base domain name to which a host name can be prefixed.
Guidelines
This command enables the use of non-fully qualified domain names (host names) by specifying a list of one or more domain names that can be appended to a host name.
Use multiple ip domain commands to add more than one entry to the IP domain name table.
The appliance attempts to resolve a host name in conjunction with any domains identified by the ip domain command. The host name is resolved as soon as a match is found.
Use the no ip domain command to delete an entry from the table.
Related Commands
search-domain
Examples
v Adds the datapower.com, somewhereelse.com, and endoftheearth.com IP domains to the IP domain table. The appliance attempts to resolve the host name loki in the following ways:
loki.datapower.com
loki.somewhereelse.com
loki.endoftheearth.com
# ip domain datapower.com
# ip domain somewhereelse.com
# ip domain endoftheearth.com
# xslproxy Proxy-01
XSL proxy configuration mode
# remote-address loki 80
#
v Removes datapower.com from the IP domain search table. The appliance attempts to resolve the host name loki in the following ways:
loki.somewhereelse.com
loki.endoftheearth.com
# no ip domain datapower.com
#
ip host
Maps a host name to an IP address.
Syntax
ip host hostname address
no ip host {hostname | *}
Parameters
hostname
Specifies the name of the host.
address Specifies the IP address of the host.
* Specifies all hosts.
Guidelines
Use the no ip host command to remove the host name-IP address mapping.
Related Commands
ip name-server, show ip hosts, show ip name-servers
Examples
v Maps IP address 10.10.10.168 to host loki.
# ip host loki 10.10.10.168
#
v Deletes the map between IP address 10.10.10.168 and host loki.
# no ip host loki
#
v Deletes all maps from the host mapping table.
# no ip host *
#
ip name-server
Identifies a local DNS provider.
Syntax
ip name-server address [udpPortNumber] [tcpPortNumber] [flags] [max-retries]
no ip name-server address
no ip name-server *
Parameters
address Specifies the IP address of the DNS server.
udpPortNumber
Optionally identifies the UDP port that the DNS server monitors. Use an integer in the range of 0 through 65535. The default is 53.
tcpPortNumber
Optionally identifies the TCP port that the DNS server monitors. Use an integer in the range of 0 through 65535. The default is 53.
flags Optionally specifies protocol-level DNS behavior. Should be set to 0.
max-retries
Optionally specifies the maximum number of times to retransmit an unacknowledged resolution request to the DNS server. The default is 3.
* Specifies all DNS servers.
Guidelines
Use the no ip name-server command to delete a DNS provider.
Note: Unless specifically requested, do not change the flags parameter.
Related Commands
ip host, show ip hosts, show ip name-servers
Examples
v Identifies a DNS server at 10.10.10.240 with the default port.
# ip name-server 10.10.10.240
#
v Identifies a DNS server at 10.10.10.240 with UDP port 6000.
# ip name-server 10.10.10.240 6000
#
v Deletes the specified DNS provider.
# no ip name-server 10.10.10.240
#
v Deletes all DNS providers.
# no ip name-server *
#
iscsi-chap (Type 9235)
Enters iSCSI CHAP configuration mode.
Syntax
iscsi-chap name
no iscsi-chap name
Parameters
name Specifies the name of the iSCSI CHAP.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The iscsi-chap command enters iSCSI CHAP configuration mode. While in the configuration mode, define the credentials for the challenge handshake. During startup, the firmware uses the CHAP to authenticate the defined user over the network. After authentication, administrators have access to the iSCSI storage on the remote server.
Use the no iscsi-chap command to remove an iSCSI CHAP.
Related Commands
cancel, exit, iscsi-hba
Examples
v Enters iSCSI CHAP configuration mode to create the CHAP-1 iSCSI CHAP.
# iscsi-chap CHAP-1
New iSCSI CHAP configuration
#
v Removes the CHAP-1 iSCSI CHAP.
# no iscsi-chap CHAP-1
iscsi-chap CHAP-1 - Configuration deleted.
#
iscsi-fs-init (Type 9235)
Initializes the iSCSI volume.
Syntax
iscsi-fs-init name
Parameters
name Specifies the name of the iSCSI volume to initialize.
Guidelines
The iscsi-fs-init command initializes an existing iSCSI volume. Before the iSCSI volume can be initialized, use the admin-state command in iSCSI Volume configuration mode to disable the volume. After the iSCSI volume is initialized, it must be enabled for further use.
Related Commands
admin-state (iSCSI Volume)
Examples
v Disables, initializes, and re-enables the Georgia iSCSI volume.
# iscsi-volume Georgia
Modify iSCSI Volume configuration
# admin-state disabled
# exit
# iscsi-fs-init Georgia
iSCSI filesystem Georgia initialized
# iscsi-volume Georgia
Modify iSCSI Volume configuration
# admin-state enabled
#
iscsi-fs-repair (Type 9235)
Repairs an iSCSI volume.
Syntax
iscsi-fs-repair name
Parameters
name Specifies the name of the iSCSI volume to repair.
Guidelines
The iscsi-fs-repair command repairs the iSCSI volume in case it was corrupted by an abnormal shutdown of the appliance or other error. Before the iSCSI volume can be repaired, use the admin-state command in iSCSI Volume configuration mode to disable the volume. After the iSCSI volume is repaired, it must be enabled for further use.
Related Commands
admin-state (iSCSI Volume)
Examples
v Disables, repairs, and re-enables the Georgia iSCSI volume.
# iscsi-volume Georgia
Modify iSCSI Volume configuration
# admin-state disabled
# exit
# iscsi-fs-repair Georgia
iSCSI filesystem Georgia repaired
# iscsi-volume Georgia
Modify iSCSI Volume configuration
# admin-state enabled
#
iscsi-hba (Type 9235)
Enters iSCSI HBA configuration mode.
Syntax
iscsi-hba {iscsi1 | iscsi2}
Parameters
iscsi1 Identifies the existing iSCSI HBA for the eth1 Ethernet interface.
iscsi2 Identifies the existing iSCSI HBA for the eth2 Ethernet interface.
Guidelines
The iscsi-hba command enters iSCSI HBA configuration mode for the specified HBA. Each DataPower appliance has iscsi1 and iscsi2. You cannot rename or delete either HBA.
Related Commands
cancel, exit
iscsi-target (Type 9235)
Enters iSCSI Target configuration mode.
Syntax
iscsi-target name
no iscsi-target name
Parameters
name Specifies the name of the iSCSI target.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The iscsi-target command enters iSCSI Target configuration mode. While in this configuration mode, define a logical storage volume, or file system, for remote storage.
Use the no iscsi-target command to remove an iSCSI target.
Related Commands
cancel, exit
iscsi-volume (Type 9235)
Enters iSCSI Volume configuration mode.
Syntax
iscsi-volume name
no iscsi-volume name
Parameters
name Specifies the name of the iSCSI volume to configure.
Guidelines
The iscsi-volume command enters iSCSI Volume configuration mode. While in this configuration mode, create, partition, and name the logical storage volume.
Use the no iscsi-volume command to remove an iSCSI volume.
Related Commands
cancel, exit
loadbalancer-group
Enters Load Balancer Group configuration mode.
Syntax
loadbalancer-group name
no loadbalancer-group name
Parameters
name Specifies the name of the Load Balancer Group.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
After completing configuration of the Load Balancer Group, assign the group to a specific XML Manager. Assignment of the Load Balancer Group to an XML Manager makes the group available to the DataPower services that this XML Manager supports.
Use the no loadbalancer-group command to delete a Load Balancer Group.
Use the exit or cancel command to exit Load Balancer Group configuration mode and return to Global configuration mode.
Related Commands
cancel, exit, show loadbalancer-group, show loadbalancer-status
locate-device (Type 9235)
Controls the locate LED.
Syntax
locate-device {on | off}
Parameters
on Activates the locate LED light.
off (Default) Deactivates the locate LED light.
Guidelines
The locate-device command activates or deactivates the locate LED light on Type 9235 appliances. The locate LED is on the front of the appliance.
v When activated, the locate LED light is illuminated in blue.
v When deactivated, the locate LED light is not illuminated.
Only administrators in the default domain with the appropriate permissions can control the locate LED.
Examples
v Activates the locate LED light.
# locate-device on
#
v Deactivates the locate LED light.
# locate-device off
#
known-host
Adds or removes an SSH peer as an SSH known host.
Syntax
known-host host ssh-rsa key
no known-host host
Parameters
host Specifies the fully-qualified host name or IP address for the peer. For example:
ragnarok.datapower.com
10.97.111.108
ssh-rsa
Identifies RSA as the key type.
key Specifies the host public key for the peer. For example:
AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRlUDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQVpPbyVujoHINCrx0k/z7Qpkozb4qZd8==
Guidelines
The known-host command adds an SSH peer as an SSH known host.
The no known-host command removes an SSH peer as an SSH known host.
Examples
v Adds ragnarok.datapower.com by host name as an SSH known host.
# known-host ragnarok.datapower.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRlUDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQVpPbyVujoHINCrx0k/z7Qpkozb4qZd8==
#
v Adds ragnarok.datapower.com by IP address as an SSH known host.
# known-host 10.97.111.108 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRlUDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQVpPbyVujoHINCrx0k/z7Qpkozb4qZd8==
#
v Removes ragnarok.datapower.com by IP address as an SSH known host.
# no known-host 10.97.111.108
#
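The known-host command installs whatever blob is pasted after ssh-rsa, so the practical check before running it is to parse the blob and compare its fingerprint with one obtained from the peer's owner out of band. The following Python helper is an added example, not IBM code: it decodes the ssh-rsa wire format, computes the OpenSSH-style SHA256 fingerprint, and rejects blobs damaged in copying (the demo key, the peer name and the 2048-bit minimum are constructed assumptions).

```python
import base64
import binascii
import hashlib
import struct


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (4-byte big-endian length, then bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[offset + 4:end], end


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def encode_ssh_rsa(exponent: int, modulus: int) -> str:
    """Build the base64 blob that follows 'ssh-rsa' in a known-host command."""
    parts = [b"ssh-rsa", _mpint(exponent), _mpint(modulus)]
    wire = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(wire).decode("ascii")


def parse_ssh_rsa(blob: str) -> dict:
    """Decode a pasted blob; whitespace from line wrapping is tolerated, anything else is an error."""
    compact = "".join(blob.split())
    try:
        wire = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    key_type, off = _read_string(wire, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"expected ssh-rsa, got {key_type!r}")
    e_bytes, off = _read_string(wire, off)
    n_bytes, off = _read_string(wire, off)
    if off != len(wire):
        raise ValueError("trailing bytes after the modulus")
    digest = base64.b64encode(hashlib.sha256(wire).digest()).decode("ascii")
    return {
        "exponent": int.from_bytes(e_bytes, "big"),
        "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
        # Same form as `ssh-keygen -lf`: SHA256 over the raw blob, base64 without padding.
        "fingerprint": "SHA256:" + digest.rstrip("="),
    }


def vet_known_host(host: str, blob: str, expected_fp: str, min_bits: int = 2048):
    """Return (ok, detail). ok is True only if the blob parses, matches the fingerprint
    obtained out of band, and the modulus is at least min_bits long; detail is the CLI
    command to run, or the reason for rejection."""
    try:
        info = parse_ssh_rsa(blob)
    except ValueError as exc:
        return False, f"reject {host}: {exc}"
    if info["fingerprint"] != expected_fp:
        return False, f"reject {host}: fingerprint {info['fingerprint']} does not match {expected_fp}"
    if info["modulus_bits"] < min_bits:
        return False, f"reject {host}: modulus is only {info['modulus_bits']} bits"
    return True, f"known-host {host} ssh-rsa {''.join(blob.split())}"


# Constructed demo key: an arbitrary 2048-bit number, not a real RSA modulus.
DEMO_N = (1 << 2047) | 0x1234_5678_9ABC_DEF1
DEMO_E = 65537
DEMO_BLOB = encode_ssh_rsa(DEMO_E, DEMO_N)

if __name__ == "__main__":
    fp = parse_ssh_rsa(DEMO_BLOB)["fingerprint"]
    print(vet_known_host("peer.example.com", DEMO_BLOB, fp)[1])
    # The wrapped form seen when a key is pasted from a document still verifies.
    wrapped = " ".join(DEMO_BLOB[i:i + 56] for i in range(0, len(DEMO_BLOB), 56))
    print(vet_known_host("peer.example.com", wrapped, fp)[0])
    # A blob that lost characters in transit is rejected rather than installed.
    print(vet_known_host("peer.example.com", DEMO_BLOB[:-8], fp)[1])
```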
ldap-search-parameters
Enters LDAP Search Parameters configuration mode.
Syntax
ldap-search-parameters name
no ldap-search-parameters name
Parameters
name Specifies the name of the LDAP Search Parameters object.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The ldap-search-parameters command enters LDAP Search Parameters configuration mode. In this configuration mode, you can create an LDAP Search Parameters object. This object is a container for the parameters that are used to perform an LDAP search to retrieve the distinguished name (DN) of the user.
Use the cancel or exit command to leave LDAP Search Parameters configuration mode and enter Global configuration mode.
Use the no ldap-search-parameters command to delete an LDAP Search Parameters object.
Related Commands
cancel, exit
load-interval
Specifies the duration of a measurement interval.
Syntax
load-interval measurement-interval
Parameters
measurement-interval
Specifies the measurement interval in milliseconds. Use an integer in the range of 500 through 5000. The default is 1000.
Guidelines
The load-interval command specifies the duration of a measurement interval. During this interval, system load is estimated and expressed as a percentage. Use this command in conjunction with the show load command to monitor system load. The greater the percentage the greater the use of system resources.
Related Commands
show cpu, show load
Examples
v Specifies a measurement interval of 2.5 seconds.
# load-interval 2500
#
logging category
Enters Log Category configuration mode or deletes a custom logging category.
Syntax
logging category name
no logging category name
Parameters
name Specifies the name for a custom logging category.
Guidelines
Use the no logging category command to delete the custom logging category.
Related Commands
cancel, exit
logging event
Adds an event class (a set of related events) and a priority to an existing log.
Syntax
logging event name category priority
no logging event name category
Parameters
name Specifies the name of the existing log to which an event class will be added.
category
Specifies the name of an event-class to add.
priority
Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order:
v emerg (Emergency)
v alert (Alert)
v critic (Critical)
v error (Error)
v warn (Warning)
v notice (Notice)
v info (Information)
v debug (Debug)
Guidelines
Use the show logging event command to display a list of event classes.
Use the show logging priority command to display a list of event priorities.
Use the no logging event command to remove an event class from a log.
Related Commands
show logging event, show logging priority
Examples
v Adds all events of critical, alert, or emergency priority to the Alarms log.
# logging event Alarms all critic
#
v Specifies which event classes and which event priorities to add to the CryptoLog
log.
# logging event CryptoLog schema error
# logging event CryptoLog xmlfilter error
# logging event CryptoLog crypto error
# logging event CryptoLog ssl error
# logging event CryptoLog auth warning
#
v Removes the schema event class from the CryptoLog log.
# no logging event CryptoLog schema
#
logging eventcode
Adds an event code to the subscription list for a specific log.
Syntax
logging eventcode target event-code
no logging eventcode target event-code
Parameters
target Specifies the name of an existing log target.
event-code
Specifies the hexadecimal value of the event code.
Guidelines
The logging eventcode command adds an event code to the subscription list for the specified log target. This command is equivalent to using the event-code command in Logging configuration mode.
Use the show logging target command to display a list of log targets.
Use the View List of Event Codes from the WebGUI to view a list of all event codes.
Use the no form of the logging eventcode command to remove an event code from the inclusion list of the specified log.
Related Commands
logging eventfilter, logging target, event-code (Logging), show logging target
logging eventfilter
Adds an event code to the suppression list for a specific log.
Syntax
logging eventfilter target event-code
no logging eventfilter target event-code
Parameters
target Specifies the name of an existing log target.
event-code
Specifies the hexadecimal value of the event code.
Guidelines
The logging eventfilter command adds an event code to the suppression list for the specified log target. This command is equivalent to using the event-filter command in Logging configuration mode.
Use the show logging target command to display a list of log targets.
Use the View List of Event Codes from the WebGUI to view a list of all event codes.
Use the no form of the logging eventfilter command to remove an event code from the exclusion list of the specified log.
Related Commands
logging eventcode, logging target, event-filter (Logging), show logging target
logging object
Adds an object filter to a specific log.
Syntax
logging object name object class
no logging object name object class
Parameters
name Specifies the name of the existing log to which to add an object filter.
object Identifies the object type.
class Identifies a specific instance of the target class.
Guidelines
Use logging object to enable a finer granularity in specifying log contents. You can restrict log entries, for example, to those events issued by a specific XSL Proxy or XML Firewall, or to a set of identified service providers.
Refer to Table 4 for specific class identifiers.
Table 4. Logging object identifiers
AAAPolicy, AccessControl, AccessControlList, CertMonitor, CompileOptionsPolicy, ConfigBase, CountMonitor, CRLFetch, Crypto, CryptoCertificate, CryptoEngine, CryptoFWCred, CryptoIdentCred, CryptoKerberosKDC, CryptoKey, CryptoProfile, CryptoSSKey, CryptoValCred, DeviceManagementService, DeviceSettings, DNSNameService, DocumentCryptoMap, Domain, DurationMonitor, DynamicSchema, DynamicStylesheet, DynamicXMLContentMap, ErrorReportSettings, EthernetInterface, EventLog
FilterAction, HTTPInputConversionMap, HTTPProxyService, HTTPService, HTTPUserAgent, ImportPackage, IncludeConfig, InternalProxy, IPInterface, LoadBalancerGroup, LogLabel, LogTarget, Matching, MessageFlowControl, MessageMatching, MessageMonitor, MessageType, MgmtInterface, MQConfiguration, MQGW, MQhost, MQproxy, MQQM, NetworkConfiguration, NetworkSettings, NTPService, RADIUSSettings, RBMSettings, SchemaExceptionMap
Service, ShellAlias, SmtpClientHelper, SNMPSettings, SSHService, SSLProxyProfile, SSLProxyService, Statistics, StylePolicy, StylePolicyAction, StylePolicyRule, SystemSettings, TAM, TCPProxyService, TelnetService, Throttler, TraceTarget, URLMap, URLRefreshPolicy, URLRewritePolicy, User, UserGroup, WebGUI, XMLFirewallService, XMLManager, xmltrace, XPathRoutingMap, XSLCoprocService, XSLProxyService
Use the no logging object command to delete an object filter from an existing log.
Examples
v Adds an object filter to the Alarms log. This log will record only events that are issued by the Proxy-1 XSL Proxy. Event priority uses the existing configuration of the Alarms log.
# logging object Alarms XSLProxyService Proxy-1
#
v Deletes an object filter from the Alarms log. This log will record those events set by the original log configuration.
# no logging object Alarms XSLProxyService Proxy-1
#
logging target
Enters Logging configuration mode.
Syntax
logging target name
no logging target name
Parameters
name Specifies the name of the system log.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
After entering Logging configuration mode, you should first use the type command to identify the log type.
Additional configuration requirements and options are dependent upon the log type.
Use the no logging target command to delete an event log.
Related Commands
cancel, exit
loglevel
Sets the log priority for events to log.
Syntax
loglevel priority
Parameters
priority
Specifies the type of events written to the local system log and can be expressed as either a keyword or an integer. Log events are characterized in descending order of criticality.
v emerg or 0
v alert or 1
v critic or 2
v error or 3
v warn or 4
v notice or 5
v info or 6
v debug or 7
Guidelines
The loglevel command determines which system-generated events to log to the basic event log. The log priority also functions as a filter and determines which events to forward to a remote syslog daemon. In contrast, syslog specifies the events that will be forwarded to a remote appliance.
In the absence of an argument, loglevel displays the current log-level.
The log levels can be expressed as character strings or as integer values, with 0 equating to emergency (most critical) and 6 equating to info (least critical).
By default the basic log level is set to notice (5).
When issued with an argument, loglevel specifies that all events of greater or equal criticality to the argument are logged.
Note: The loglevel, logsize, and syslog commands provide the ability to configure a rudimentary basic logging system.
Users, however, are encouraged to use the logging target command to enter Logging configuration mode. From within this mode, users can exercise more precise control over log formats and contents.
Related Commands
logsize, show log, syslog
Examples
v Sets the priority to critical, which specifies that critical, alert, and emergency
events are logged.
# loglevel critical #
v Sets the priority to 2, which specifies that critical, alert, and emergency events
are logged.
# loglevel 2 #
v Sets the priority to debug, which specifies that all events are logged. This setting
is not intended for production environments.
# loglevel 7 #
v Displays the current priority.
# loglevel loglevel is 7 debug #
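The priority filter that loglevel describes (lower number, higher criticality, everything at or above the configured level is kept) is easy to get backwards, and the same filter decides what reaches a remote syslog daemon. The following is an added example, not code from the command reference or from the appliance: it models the eight levels of the reference and runs the filter over constructed sample events. The "critical" spelling is accepted as an alias because the page's own example uses it; the event dictionaries are constructed for illustration.

```python
"""Priority filtering as described for loglevel: keep every event whose
criticality is greater than or equal to the configured level.

Added example, not DataPower code. Levels 0..7 mirror the command
reference; the alias table and the sample events are assumptions.
"""
from __future__ import annotations

# Numeric priority in the syslog convention: lower number = more critical.
LEVELS = {
    "emerg": 0, "alert": 1, "critic": 2, "error": 3,
    "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
# Extra spellings accepted for convenience (assumption: the page's own
# example spells level 2 as "critical").
ALIASES = {"critical": "critic", "crit": "critic", "warning": "warn", "err": "error"}

DEFAULT_LEVEL = 5  # notice, as stated in the guidelines


def parse_level(arg: str | int) -> int:
    """Accept a keyword or an integer and return the numeric priority.
    Anything outside 0..7 is rejected rather than silently logging all."""
    if isinstance(arg, int):
        value = arg
    else:
        text = arg.strip().lower()
        value = int(text) if text.isdigit() else LEVELS[ALIASES.get(text, text)]
    if not 0 <= value <= 7:
        raise ValueError(f"priority out of range: {arg!r}")
    return value


def level_name(value: int) -> str:
    """Canonical keyword for a numeric priority."""
    return next(name for name, num in LEVELS.items() if num == value)


def filter_events(events, loglevel=DEFAULT_LEVEL):
    """Return the events a log configured at `loglevel` would record: an
    event qualifies when it is at least as critical as the configured
    level, i.e. its number is less than or equal to the threshold."""
    threshold = parse_level(loglevel)
    return [e for e in events if parse_level(e["priority"]) <= threshold]


# Constructed sample events (not real appliance output).
SAMPLE_EVENTS = [
    {"priority": "emerg",  "msg": "system halting"},
    {"priority": "critic", "msg": "certificate cert-1 expired"},
    {"priority": "error",  "msg": "backend connection refused"},
    {"priority": "notice", "msg": "configuration saved"},
    {"priority": "info",   "msg": "request processed"},
    {"priority": "debug",  "msg": "xpath cache hit"},
]

if __name__ == "__main__":
    for lvl in ("critical", 2, "debug"):
        kept = filter_events(SAMPLE_EVENTS, lvl)
        print(f"loglevel {lvl!r:>10} -> {len(kept)} of {len(SAMPLE_EVENTS)} events kept")
```

Note that a level of 7 (debug) keeps all six sample events, which is the reason the reference warns against it in production: the same threshold also governs what is forwarded off-box.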
logsize
Sets the size of a basic event log.
Syntax
logsize size
Parameters
size Specifies the size of the log in lines. The default is 200.
Guidelines
In the absence of an argument, logsize displays the size of the log file in lines.
Note:
The loglevel, logsize, and syslog commands provide the ability to configure a rudimentary basic logging system.
Use the logging target command to enter Logging configuration mode. From this mode, define more precise control over log formats and contents.
Related Commands
loglevel, show log
Examples
- Sets the log size to 250 lines.
# logsize 250
#
- Displays the configured log size in lines.
# logsize
250
#
matching
Enters Matching Rule configuration mode.
Syntax
matching name
no matching name
Parameters
name Specifies the name of the Matching Rule.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the cancel or exit command to leave Matching Rule configuration mode and enter Global configuration mode.
A Matching Rule contains one or more shell-style match patterns that are used to evaluate candidate HTTP headers and URLs. These rules are used in the implementation of Processing Policy objects. A Processing Policy uses Matching Rule objects to determine whether a candidate XML document is subject to specific processing instructions in the policy.
Refer to Appendix B, “Processing Policy procedures,” on page 999 for procedural details about the creation and implementation of Matching Rule and Processing Policy objects.
Use the no matching command to delete a Matching Rule.
Related Commands
cancel, exit
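How a Processing Policy uses Matching Rules, as an added example that is not part of the command reference and not the appliance's implementation: each rule holds shell-style patterns for the request URL and for HTTP headers, and the policy runs the rules in order, taking the first that matches. The pattern dialect (Python's fnmatch), the choice to match on the URL path only, and the requirement that every pattern in a rule match are assumptions made for illustration; the request objects and the three rules are constructed.

```python
"""Shell-style matching of HTTP headers and URLs, as a Processing Policy
uses a Matching Rule to decide which actions a message receives.

Added example, not DataPower code. Pattern semantics are Python's fnmatch;
"all patterns in a rule must match" and "first matching rule wins" are
illustrative assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    headers: dict[str, str] = field(default_factory=dict)


@dataclass
class MatchingRule:
    name: str
    url_patterns: list[str] = field(default_factory=list)
    header_patterns: dict[str, str] = field(default_factory=dict)  # header -> pattern

    def matches(self, req: Request) -> bool:
        # Match on the path only: a shell "*" also spans "/", so a pattern
        # applied to the full URL would let the host portion satisfy it.
        path = urlsplit(req.url).path or "/"
        for pattern in self.url_patterns:
            if not fnmatchcase(path, pattern):
                return False
        # Header names are case-insensitive in HTTP; values are compared
        # case-sensitively so that "Bearer" and "bearer" stay distinct.
        lowered = {k.lower(): v for k, v in req.headers.items()}
        for header, pattern in self.header_patterns.items():
            value = lowered.get(header.lower())
            if value is None or not fnmatchcase(value, pattern):
                return False
        return True


@dataclass
class ProcessingPolicy:
    # (matching rule, action name) pairs evaluated in order; first match wins.
    rules: list[tuple[MatchingRule, str]]

    def select_action(self, req: Request) -> str | None:
        for rule, action in self.rules:
            if rule.matches(req):
                return action
        return None


# Constructed policy: SOAP requests under /services with a SOAPAction header
# are validated; anything else under /services is rejected; the rest passes.
SOAP_RULE = MatchingRule("soap-only", ["/services/*"], {"SOAPAction": "*"})
SERVICES_RULE = MatchingRule("services-catchall", ["/services/*"])
DEFAULT_RULE = MatchingRule("default", ["*"])
POLICY = ProcessingPolicy([
    (SOAP_RULE, "validate-and-forward"),
    (SERVICES_RULE, "reject"),
    (DEFAULT_RULE, "pass-through"),
])

if __name__ == "__main__":
    for req in (
        Request("http://gw/services/orders", {"SOAPAction": "getOrder"}),
        Request("http://gw/services/orders"),
        Request("http://gw/health"),
    ):
        print(req.url, "->", POLICY.select_action(req))
```

Rule order matters: the narrow rule must precede the catch-all, or every request under /services is rejected before the SOAP rule is consulted.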
memoization
Enables the optimization of XPath expressions for a specific XML Manager.
Syntax
memoization XML-manager
no memoization XML-manager
Parameters
XML-manager
Specifies the name of an XML Manager.
Guidelines
Memoizing an XPath expression adds a transparent caching wrapper to the expression, so that expression values that have already been calculated are returned from a cache rather than being recomputed each time. Memoization can provide significant performance gains for computing-intensive calls.
Memoization is enabled by default, and should rarely, if ever, be disabled. It is possible, however, that with certain style sheets memoization inflicts a performance penalty. Identifying such style sheets is largely a matter of trial and error.
Use the no memoization command to disable XPath expression optimization.
Examples
- Disables XPath optimizations for the mgr1 XML Manager.
# no memoization mgr1
XML memoization successfully disabled
XML memoization successfully updated
#
- Restores the default condition by enabling XPath optimizations for the mgr1 XML Manager.
# memoization mgr1
XML memoization successfully enabled
XML memoization successfully updated
#
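What "a transparent caching wrapper around an XPath expression" amounts to, as an added example that is neither the appliance's code nor from the command reference: an XML Manager object evaluates expressions against parsed documents and, when memoization is on, answers repeated evaluations from a cache keyed on the document and the expression. The cache key, the lack of eviction, the per-manager flag and the sample order document are illustrative assumptions; ElementTree supports only a subset of XPath.

```python
"""A transparent caching wrapper around XPath evaluation, the mechanism the
memoization command turns on or off for an XML Manager.

Added example, not DataPower code. Uses the XPath subset that
xml.etree.ElementTree supports; cache key and eviction are assumptions.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET


class XmlManager:
    """Evaluates XPath expressions, optionally memoizing per (document, expression)."""

    def __init__(self, name: str, memoization: bool = True):
        self.name = name
        self.memoization = memoization
        self._cache: dict[tuple[int, str], list[str]] = {}
        self.evaluations = 0  # real evaluations performed (cache misses)

    def _evaluate(self, doc: ET.Element, expr: str) -> list[str]:
        self.evaluations += 1
        return [(e.text or "") for e in doc.findall(expr)]

    def xpath(self, doc: ET.Element, expr: str) -> list[str]:
        if not self.memoization:
            return self._evaluate(doc, expr)
        # Key on the document's identity, never on the expression alone:
        # one document's cached answer must not be served for another.
        # (Assumption: a document is not mutated while its results are cached.)
        key = (id(doc), expr)
        if key not in self._cache:
            self._cache[key] = self._evaluate(doc, expr)
        return list(self._cache[key])  # copy, so callers cannot alter the cache

    def forget(self, doc: ET.Element) -> None:
        """Drop cached results when a document is released, before its id can be reused."""
        self._cache = {k: v for k, v in self._cache.items() if k[0] != id(doc)}


# Constructed sample document (not appliance data).
ORDER_XML = """<order>
  <item sku="A1"><qty>2</qty></item>
  <item sku="B7"><qty>5</qty></item>
  <customer>acme</customer>
</order>"""


def count_evaluations(memoization: bool, repeats: int = 100) -> int:
    """Evaluate two expressions `repeats` times each and report how many real
    evaluations happened: 2 with memoization, 2 * repeats without."""
    mgr = XmlManager("mgr1", memoization=memoization)
    doc = ET.fromstring(ORDER_XML)
    for _ in range(repeats):
        qtys = mgr.xpath(doc, ".//item/qty")
        who = mgr.xpath(doc, "./customer")
        assert qtys == ["2", "5"] and who == ["acme"]
    return mgr.evaluations


def cross_document_results(expr: str = "./b") -> list[list[str]]:
    """Same expression against two different documents through one manager:
    the results must differ, which shows the cache key includes the document."""
    mgr = XmlManager("mgr1")
    docs = [ET.fromstring("<a><b>1</b></a>"), ET.fromstring("<a><b>2</b></a>")]
    return [mgr.xpath(d, expr) for d in docs]


if __name__ == "__main__":
    print("memoization on :", count_evaluations(True), "evaluations")
    print("memoization off:", count_evaluations(False), "evaluations")
```

The trial-and-error the reference mentions shows up here as the evaluation counter: a style sheet that evaluates many distinct expressions once each gains nothing from the cache and pays for its bookkeeping.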
message-matching
Enters Message Matching configuration mode.
Syntax
message-matching name
no message-matching name
Parameters
name Specifies the name of the traffic-flow definition.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The message-matching command creates a traffic-flow definition that describes a traffic stream to be subject to administrative monitoring and control.
When in Message Matching configuration mode, you can specify traffic stream characteristics in terms of traffic origin (IP address), HTTP header content, SSL identity, or requested documents.
Use the cancel or exit command to leave Message Matching configuration mode and enter Global configuration mode.
Use the no message-matching command to delete a traffic-flow definition.
Related Commands
cancel, exit, reset
message-type
Enters Message Type configuration mode.
Syntax
message-type name
no message-type name
Parameters
name Specifies the name of the message class.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
The message-type command creates a message class that consists of one or more traffic-flow definitions created previously with the message-matching command. It identifies a set of traffic streams that are subject to specific, rules-based administrative monitoring and control.
Use the cancel or exit command to leave Message Type configuration mode and enter Global configuration mode.
Use the no message-type command to delete a message class.
Related Commands
cancel, exit
metadata
Enters Processing Metadata configuration mode.
Syntax
metadata name
no metadata name
Parameters
name Specifies the name of the Processing Metadata object.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
While in Processing Metadata configuration mode you define the contents of the Processing Metadata object: a list, or manifest, of metadata items that are returned in an XML nodeset to the object that uses the Metadata, typically an AAA Policy.
Use the cancel or exit command to leave Processing Metadata configuration mode and enter Global configuration mode.
Use the no metadata command to delete a Processing Metadata object.
Related Commands
cancel, exit
mkdir
Creates a subdirectory.
Syntax
mkdir local:///subdirectory
Parameters
local:///subdirectory
The subdirectory to create in the local: directory.
Guidelines
The mkdir command creates subdirectories in the local: directory on the DataPower appliance. You can create subdirectories for application-specific files such as style sheets and schemas.
Use the rmdir command to delete subdirectories.
Related Commands
rmdir
Examples
- Creates the stylesheets subdirectory of the local: directory.
# mkdir local:///stylesheets
Directory 'local:///stylesheets' successfully created.
#
- Creates the C-1 subdirectory in the stylesheets subdirectory of the local: directory.
# mkdir local:///stylesheets/C-1
Directory 'local:///stylesheets/C-1' successfully created.
#
monitor-action
Enters Message Filter Action configuration mode.
Syntax
monitor-action name
no monitor-action name
Parameters
name Specifies the name of the control procedure.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
A monitor action is a control procedure that specifies an action or set of actions to take when a monitored message class exceeds a configured threshold.
Use the cancel or exit command to leave Message Filter Action configuration mode and enter Global configuration mode.
Use the no monitor-action command to delete a control procedure.
Related Commands
cancel, exit, monitor-count, monitor-duration
monitor-count
Enters Message Count Monitor configuration mode.
Syntax
monitor-count name
no monitor-count name
Parameters
name Specifies the name of the monitor.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
A monitor count is an incremental, or counter-based, monitor that consists of a target message class, a configured threshold, and a control procedure that is triggered when the threshold is exceeded.
Use the cancel or exit command to leave Message Count Monitor configuration mode and enter Global configuration mode.
Use the no monitor-count command to delete an incremental monitor.
Related Commands
cancel, exit, show message-count-filters
monitor-duration
Enters Message Duration Monitor configuration mode.
Syntax
monitor-duration name
no monitor-duration name
Parameters
name Specifies the name of the duration monitor.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
A duration, or time-based, monitor consists of a target message class, two thresholds, and a control procedure that is triggered when either threshold is exceeded.
Use the cancel or exit command to leave Message Duration Monitor configuration mode and enter Global configuration mode.
Use the no monitor-duration command to delete a duration monitor.
Related Commands
cancel, exit, monitor-action, monitor-count, show message-durations, show message-duration-filters
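The four objects described above (message-matching, message-type, monitor-count with one threshold, monitor-duration with two, and the monitor-action that each triggers) fit together as follows. This is an added example, not code from the command reference or the appliance: the sliding one-second window, the interpretation of the two duration thresholds (one on a single message, one on the running average), the action names and the sample traffic are all illustrative assumptions.

```python
"""Message monitors as the reference describes them: a message class built
from traffic-flow definitions, a counter-based monitor with one threshold,
a duration monitor with two thresholds, and control procedures that fire
when a threshold is exceeded.

Added example, not DataPower code. Window length, threshold semantics and
action names are assumptions for illustration.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Message:
    t: float          # arrival time, seconds
    src_ip: str
    path: str
    duration: float   # processing time, seconds


@dataclass
class MessageType:
    """A message class: a message belongs if any traffic-flow definition
    (here an IP prefix or a requested-path prefix) matches it."""
    name: str
    ip_prefixes: tuple[str, ...] = ()
    path_prefixes: tuple[str, ...] = ()

    def contains(self, m: Message) -> bool:
        return (any(m.src_ip.startswith(p) for p in self.ip_prefixes)
                or any(m.path.startswith(p) for p in self.path_prefixes))


@dataclass
class MonitorAction:
    """Control procedure; records why it was triggered."""
    name: str
    fired: list[str] = field(default_factory=list)

    def trigger(self, reason: str) -> None:
        self.fired.append(reason)


@dataclass
class MonitorCount:
    """Fires when more than `threshold` class messages arrive within `window` seconds."""
    message_type: MessageType
    threshold: int
    action: MonitorAction
    window: float = 1.0
    _arrivals: deque = field(default_factory=deque)

    def observe(self, m: Message) -> bool:
        if not self.message_type.contains(m):
            return False
        self._arrivals.append(m.t)
        while self._arrivals and m.t - self._arrivals[0] >= self.window:
            self._arrivals.popleft()
        if len(self._arrivals) > self.threshold:
            self.action.trigger(f"count {len(self._arrivals)} > {self.threshold} in {self.window}s")
            return True
        return False


@dataclass
class MonitorDuration:
    """Fires when one message exceeds `max_single` seconds or the running
    average over class messages exceeds `max_average` seconds."""
    message_type: MessageType
    max_single: float
    max_average: float
    action: MonitorAction
    _total: float = 0.0
    _n: int = 0

    def observe(self, m: Message) -> bool:
        if not self.message_type.contains(m):
            return False
        self._total += m.duration
        self._n += 1
        fired = False
        if m.duration > self.max_single:
            self.action.trigger(f"single duration {m.duration:.2f}s > {self.max_single}s")
            fired = True
        if self._total / self._n > self.max_average:
            self.action.trigger(f"average duration {self._total / self._n:.2f}s > {self.max_average}s")
            fired = True
        return fired


def run_monitors(messages: list[Message]) -> dict[str, list[str]]:
    """Feed traffic through one count and one duration monitor on the same
    class and report what each control procedure was triggered for."""
    login = MessageType("login-requests", path_prefixes=("/login",))
    throttle, alert = MonitorAction("throttle-login"), MonitorAction("alert-slow-login")
    count_mon = MonitorCount(login, threshold=3, action=throttle, window=1.0)
    dur_mon = MonitorDuration(login, max_single=2.0, max_average=1.0, action=alert)
    for m in messages:
        count_mon.observe(m)
        dur_mon.observe(m)
    return {throttle.name: throttle.fired, alert.name: alert.fired}


# Constructed traffic: four logins inside one second (a credential-stuffing
# style burst), one of them slow, plus a request no monitor counts.
SAMPLE_TRAFFIC = [
    Message(0.0, "198.51.100.7", "/login", 0.3),
    Message(0.2, "198.51.100.7", "/login", 0.4),
    Message(0.5, "198.51.100.7", "/catalog", 0.1),
    Message(0.6, "198.51.100.7", "/login", 0.5),
    Message(0.9, "198.51.100.7", "/login", 2.5),
    Message(3.0, "203.0.113.9", "/login", 0.2),
]

if __name__ == "__main__":
    for action, reasons in run_monitors(SAMPLE_TRAFFIC).items():
        print(action, reasons)
```

The message to /catalog never enters either counter because it is outside the message class; that is the point of separating the traffic-flow definition from the monitor.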
move
Moves a file from one directory to another.
Syntax
move [-f] source-URL destination-URL
Parameters
-f Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests confirmation to overwrite the existing file.
source-URL and destination-URL
Specify the URLs that identify the source file and the target destination, respectively. These arguments take the following form:
directory:///filename
directory
Specifies a directory on the appliance. Refer to “Directories on the appliance” on page xxii for details.
filename
Specifies the name of a file in the specified directory.
Guidelines
You can use the move command to transfer a file to or from a directory. However, you cannot use the move command to copy a file from the private cryptographic area (such as the cert: directory).
Related Commands
copy, delete, dir
Examples
- Moves a file from the config: directory to the store: directory.
# move config:///startup-config store:///archiveConfig-10
#
- Renames a file.
# move config:///startup-config config:///archiveConfig-10
#
mpgw
Enters Multi-Protocol Gateway configuration mode.
Syntax
mpgw name
no mpgw name
Parameters
name Specifies the name of the Multi-Protocol Gateway.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
Use the no mpgw command to delete a Multi-Protocol Gateway.
Related Commands
cancel, exit
mtom
Enters MTOM Policy configuration mode.
Syntax
mtom name
no mtom name
Parameters
name Specifies the name of the MTOM Policy.
The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv.
Guidelines
While in MTOM (SOAP Message Transmission Optimization Mechanism) Policy configuration mode you define an MTOM Policy, which provides a mechanism for optimizing the transmission and wire format of an XML/SOAP message. Optimization is performed by selecting elements that contain base64-encoded character data. The selected elements are decoded and attached as MIME attachment parts before transmission. Decoding before transmission removes the overhead associated with base64-encoded data (four bytes on the wire for every three bytes of content).
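The optimization step as an added example, not code from the command reference or the appliance: the selected element's base64 text is decoded, the element is rewritten to hold an xop:Include reference, and the raw bytes travel as a MIME part of a multipart/related package. The element selection (an ElementTree path), the Content-ID scheme, the MIME boundary and the sample SOAP message are constructed for illustration; the xop:Include namespace and the multipart layout follow the MTOM/XOP specifications.

```python
"""MTOM optimization as the mtom entry describes it: select elements that
carry base64-encoded character data, decode them, replace the text with an
xop:Include reference and carry the raw bytes as MIME parts.

Added example, not DataPower code. Element selection, Content-ID scheme,
boundary and sample message are assumptions.
"""
from __future__ import annotations
import base64
import binascii
import xml.etree.ElementTree as ET

XOP_NS = "http://www.w3.org/2004/08/xop/include"
ET.register_namespace("xop", XOP_NS)
ET.register_namespace("soap", "http://www.w3.org/2003/05/soap-envelope")
BOUNDARY = "MIME_boundary_example"  # assumption: constructed boundary


def optimize(soap_xml: str, element_paths: list[str]) -> tuple[str, list[tuple[str, bytes]]]:
    """Return the rewritten SOAP root part and [(content-id, raw bytes)]
    for every selected element that held valid base64."""
    root = ET.fromstring(soap_xml)
    parts: list[tuple[str, bytes]] = []
    for path in element_paths:
        for el in root.findall(path):
            text = (el.text or "").strip()
            if not text:
                continue
            try:
                # validate=True rejects bytes outside the alphabet instead of
                # silently discarding them, so tampered content fails here
                # rather than arriving corrupted at the backend.
                raw = base64.b64decode(text, validate=True)
            except binascii.Error:
                continue  # leave elements that are not valid base64 untouched
            cid = f"part{len(parts) + 1}@example.invalid"  # assumption: CID scheme
            parts.append((cid, raw))
            el.text = None
            ET.SubElement(el, f"{{{XOP_NS}}}Include").set("href", f"cid:{cid}")
    return ET.tostring(root, encoding="unicode"), parts


def package(root_xml: str, parts: list[tuple[str, bytes]]) -> bytes:
    """Serialize the root part plus attachments as multipart/related (XOP)."""
    out = [(f"--{BOUNDARY}\r\nContent-Type: application/xop+xml; charset=UTF-8; "
            f'type="application/soap+xml"\r\nContent-Transfer-Encoding: 8bit\r\n'
            f"Content-ID: <rootpart@example.invalid>\r\n\r\n").encode() + root_xml.encode()]
    for cid, raw in parts:
        out.append((f"\r\n--{BOUNDARY}\r\nContent-Type: application/octet-stream\r\n"
                    f"Content-Transfer-Encoding: binary\r\nContent-ID: <{cid}>\r\n\r\n").encode() + raw)
    out.append(f"\r\n--{BOUNDARY}--\r\n".encode())
    return b"".join(out)


def wire_size(soap_xml: str, element_paths: list[str]) -> tuple[int, int]:
    """(bytes before, bytes after) for the same message: the base64 overhead
    the optimization removes, less the MIME framing it adds."""
    root_xml, parts = optimize(soap_xml, element_paths)
    return len(soap_xml.encode()), len(package(root_xml, parts))


# Constructed sample: a SOAP message carrying a 3 KiB document as base64.
PAYLOAD = bytes(range(256)) * 12
PAYLOAD_B64 = base64.b64encode(PAYLOAD).decode()
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body><upload xmlns="urn:example:docs">
<name>scan.pdf</name>
<content>{PAYLOAD_B64}</content>
<note>not base64!</note>
</upload></soap:Body></soap:Envelope>"""
CONTENT_PATH = ".//{urn:example:docs}content"

if __name__ == "__main__":
    before, after = wire_size(SAMPLE_SOAP, [CONTENT_PATH])
    print(f"{before} bytes as base64 -> {after} bytes with MTOM")
```

Selection matters: the policy should name only elements known to carry binary content. Pointing it at an element such as the note above yields no attachment because the text is not valid base64, and pointing it at small elements costs more in MIME framing than the decoding saves.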
Use the cancel or exit command to leave MTOM Policy configuration mode and enter Global configuration mode.
Use the no mtom command to delete an MTOM Policy.
Related Commands
cancel, exit
network
Enters Network Settings configuration mode.
Syntax
network
no network
Guidelines
While in Network Settings configuration mode, you can enable or disable the generation of certain Internet Control Message Protocol (ICMP) replies and control the retry and intervals of these messages. By default the appliance replies to the corresponding ICMP requests.
You can also control routing behavior, interface isolation, and ECN settings.
Use the cancel or exit command to leave Network Settings configuration mode and enter Global configuration mode.
Use the no network command to reset network settings to their defaults.
Related Commands
cancel, exit
nfs-client
Enters NFS Client Settings configuration mode.
Syntax
nfs-client
no nfs-client
Guidelines
While in NFS Client configuration mode, you configure NFS client global settings, which are employed in all application domains. By default, the NFS Client is disabled.
Use the cancel or exit command to leave NFS Client configuration mode and enter Global configuration mode.
Use the no nfs-client command to disable the NFS client.
Related Commands
cancel, exit
nfs-dynamic-mounts
Enters NFS Dynamic Mounts configuration mode.
Syntax
nfs-dynamic-mounts
no nfs-dynamic-mounts
Guidelines
While in NFS Dynamic Mounts configuration mode, you configure NFS dynamic mounts settings, which are employed within the current application domain. By default, the NFS dynamic mounts are disabled; once in NFS Dynamic Mounts configuration mode, use the admin-state command to enable dynamic mounts and other commands to specify operational properties.
Use the cancel or exit command to leave NFS Dynamic Mounts configuration mode and enter Global configuration mode.
Use the no nfs-dynamic-mounts command to restore the NFS dynamic mount default settings.