Managing WebSEAL junctions with the ‘pdadmin’ command-line tool is not an easy task. This post provides a short reference to the most common operations.
First, you need to know the name of the WebSEAL instance you want to manage. Note that it differs from the object path!
pdadmin sec_master> server list
default-webseald-isam-70.lab.mycompany.com
ivmgrd-master
pdadmin sec_master>
From here, you can obtain the list of all defined junctions on this instance:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com list
/
/junction1
/junction2
/junction3
pdadmin sec_master>
Now we’ll create our own new junction. For example, we want to expose the internal server “http://192.168.0.101:8080/” under the junction named “myjunction”:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com create -t tcp -h 192.168.0.101 -p 8080 /myjunction
Created junction at /myjunction
pdadmin sec_master>
Let’s check the result. Note the highlighted lines – those are directly affected by the parameters we supplied during the junction creation.
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com show /myjunction
Junction point: /myjunction
Type: TCP
Junction hard limit: 0 - using global value
Junction soft limit: 0 - using global value
Active worker threads: 0
Basic authentication mode: filter
Forms based SSO: disabled
TFIM junction SSO: no
Authentication HTTP header: do not insert
Remote Address HTTP header: do not insert
Stateful junction: no
Boolean Rule Header: no
Scripting support: no
Preserve cookie names: no
Cookie names include path: no
Transparent Path junction: no
Delegation support: no
Mutually authenticated: no
Insert WebSphere LTPA cookies: no
Insert WebSEAL session cookies: no
Request Encoding: UTF-8, URI Encoded
Server 1:
ID: 67abf5a2-a0e3-11e2-8638-005056b03849
Server State: not running
Operational State: Online
Hostname: 192.168.0.101
Port: 8080
Virtual hostname: 192.168.0.101:8080
Server DN:
local IP address:
Query_contents URL: /cgi-bin/query_contents
Query-contents: unknown
Case insensitive URLs: no
Allow Windows-style URLs: yes
Current requests : 0
Total requests : 1
pdadmin sec_master>
There are additional configuration values to supply during junction creation. Here are some useful ones:
- “-s” marks the junction as stateful, providing session stickiness for the backend servers
- “-c <header1,header2,…>” provides end user authentication data to the junction in HTTP headers:
  - “iv-user” – plain username
  - “iv-user-l” – DN of the end user
  - “iv-user-groups” – list of groups the end user belongs to
- “-r” sends the client IP address to the junction in a dedicated HTTP header
- “-x” creates a so-called “transparent path” junction, for when the actual application resides on the “/myjunction” path on the backend server
Note that those values apply to all backend servers under the junction and you cannot modify most of them – you have to recreate a junction for that!
If you want to add another backend server to this junction (say, “http://192.168.0.102:8080”), it is much simpler:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com add -h 192.168.0.102 -p 8080 /myjunction
Added server at /myjunction
pdadmin sec_master>
In order to remove a backend server, you’ll need the server ID. You can obtain one by listing the junction definition (see above).
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com remove -i 67abf5a2-a0e3-11e2-8638-005056b03849 /myjunction
Removed server 67abf5a2-a0e3-11e2-8638-005056b03849 from /myjunction.
pdadmin sec_master>
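The server ID lookup described above can be scripted. This is an added example, not part of the original post: it reads saved “show” output and prints the matching “remove” line. The function names, the indentation of the sample and the second server's ID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look up a backend server ID in `server task ... show` output.

# Constructed sample: the first server block is the one shown above; the second
# block (including its ID) is made up to represent the server added with `add`.
SAMPLE_SHOW='Junction point: /myjunction
Type: TCP
Server 1:
    ID: 67abf5a2-a0e3-11e2-8638-005056b03849
    Server State: not running
    Hostname: 192.168.0.101
    Port: 8080
    Virtual hostname: 192.168.0.101:8080
Server 2:
    ID: 00000000-0000-0000-0000-000000000002
    Server State: not running
    Hostname: 192.168.0.102
    Port: 8080
    Virtual hostname: 192.168.0.102:8080'

# junction_server_id HOST PORT  (reads `show` output on stdin)
# Prints the ID of the one server matching HOST and PORT; fails if there is
# no match or more than one, so a removal never targets a guessed ID.
junction_server_id() {
    awk -v host="$1" -v port="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # tolerate indentation and CRLF
        /^Server [0-9]+:$/ { id = ""; h = ""; next }    # a new server block starts
        /^ID:/             { id = $2 }
        /^Hostname:/       { h = $2 }
        /^Port:/           { if (id != "" && h == host && $2 == port) { match_id = id; n++ } }
        END { if (n == 1) print match_id; else exit 1 }
    '
}

# remove_command INSTANCE JUNCTION HOST PORT  (reads `show` output on stdin)
# Prints the pdadmin line that removes that backend server.
remove_command() {
    id=$(junction_server_id "$3" "$4") || {
        echo "no unique server $3:$4 under $2" >&2
        return 1
    }
    printf 'server task %s remove -i %s %s\n' "$1" "$id" "$2"
}

printf '%s\n' "$SAMPLE_SHOW" |
    remove_command default-webseald-isam-70.lab.mycompany.com /myjunction 192.168.0.102 8080
```

The printed line is meant to be pasted at the pdadmin prompt after checking it against the “show” output.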
Deleting the whole junction is also an easy task:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com delete /myjunction
Deleted junction from /myjunction
pdadmin sec_master>
Thank you. Great little note.
Thank you. You help me a lot! I’m very grateful!