Managing WebSEAL junctions with the ‘pdadmin’ command-line tool is not an easy task. This post is a short reference to the most common operations.
First, you need to know the name of the WebSEAL instance you want to manage. Note that it differs from the object space path!
pdadmin sec_master> server list
default-webseald-isam-70.lab.mycompany.com
ivmgrd-master
pdadmin sec_master>
From here, you can obtain the list of all defined junctions on this instance:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com list
/
/junction1
/junction2
/junction3
pdadmin sec_master>
Now we’ll create our own junction. For example, we want to expose the internal server “http://192.168.0.101:8080/” under a junction named “myjunction”:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com create -t tcp -h 192.168.0.101 -p 8080 /myjunction
Created junction at /myjunction
pdadmin sec_master>
Let’s check the result. Note the Type, Hostname, Port and Virtual hostname lines: those are the ones directly set by the parameters we supplied during junction creation.
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com show /myjunction
Junction point: /myjunction
Type: TCP
Junction hard limit: 0 - using global value
Junction soft limit: 0 - using global value
Active worker threads: 0
Basic authentication mode: filter
Forms based SSO: disabled
TFIM junction SSO: no
Authentication HTTP header: do not insert
Remote Address HTTP header: do not insert
Stateful junction: no
Boolean Rule Header: no
Scripting support: no
Preserve cookie names: no
Cookie names include path: no
Transparent Path junction: no
Delegation support: no
Mutually authenticated: no
Insert WebSphere LTPA cookies: no
Insert WebSEAL session cookies: no
Request Encoding: UTF-8, URI Encoded
Server 1:
ID: 67abf5a2-a0e3-11e2-8638-005056b03849
Server State: not running
Operational State: Online
Hostname: 192.168.0.101
Port: 8080
Virtual hostname: 192.168.0.101:8080
Server DN:
local IP address:
Query_contents URL: /cgi-bin/query_contents
Query-contents: unknown
Case insensitive URLs: no
Allow Windows-style URLs: yes
Current requests : 0
Total requests : 1
pdadmin sec_master>
There are additional configuration values you can supply during junction creation. Here are some useful ones:
- “-s” marks the junction as stateful, providing session stickiness for the backend servers
- “-c <header1,header2,…>” passes end-user authentication data to the junction in HTTP headers:
  - “iv-user” – plain username
  - “iv-user-l” – DN of the end user
  - “iv-groups” – list of groups the end user belongs to
- “-r” sends the client IP address to the junction in a dedicated HTTP header
- “-x” creates a so-called “transparent path” junction, for the case where the application itself resides under the “/myjunction” path on the backend server
Note that these values apply to all backend servers under the junction, and most of them cannot be modified afterwards – you have to recreate the junction for that!
If you want to add another backend server to this junction (say, “http://192.168.0.102:8080”), it is much simpler:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com add -h 192.168.0.102 -p 8080 /myjunction
Added server at /myjunction
pdadmin sec_master>
To remove a backend server, you need its server ID. You can obtain it by showing the junction definition (see above).
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com remove -i 67abf5a2-a0e3-11e2-8638-005056b03849 /myjunction
Removed server 67abf5a2-a0e3-11e2-8638-005056b03849 from /myjunction.
pdadmin sec_master>
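Picking the server ID out of the “show” output by hand gets tedious once a junction has several backends, so here is an added helper (example code, not part of the original post or of the pdadmin tool) that parses that output, returns the IDs needed for “remove -i”, and flags settings worth a second look. The second server block is constructed for the example, and the check for an SSL junction assumes WebSEAL reports such junctions with “Type: SSL”.

```python
import re

# "server task ... show /myjunction" output, shortened from the session above.
# Server 1 is the page's own output; Server 2 is constructed for this example.
SAMPLE_SHOW_OUTPUT = """Junction point: /myjunction
Type: TCP
Mutually authenticated: no
Server 1:
ID: 67abf5a2-a0e3-11e2-8638-005056b03849
Server State: not running
Hostname: 192.168.0.101
Port: 8080
Server 2:
ID: 11111111-2222-3333-4444-555555555555
Server State: running
Hostname: 192.168.0.102
Port: 8080
"""

def parse_junction(text):
    """Split 'show' output into junction-level fields and one dict per server."""
    junction, servers, current = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"Server \d+:$", line):      # "Server N:" opens a server block
            current = {}
            servers.append(current)
            continue
        key, _, value = line.partition(":")    # split on the first colon only
        (current if current is not None else junction)[key.strip()] = value.strip()
    return junction, servers

def server_ids(text, hostname=None):
    """IDs to pass to 'remove -i', optionally restricted to one backend host."""
    _, servers = parse_junction(text)
    return [s["ID"] for s in servers if hostname in (None, s.get("Hostname"))]

def review_findings(text):
    """Settings a reviewer should notice: a backend link that is not TLS-protected,
    no mutual authentication towards the backend, and servers reported not running."""
    junction, servers = parse_junction(text)
    findings = []
    if junction.get("Type", "").upper() != "SSL":
        findings.append("backend link is not TLS-protected (Type: %s)" % junction.get("Type"))
    if junction.get("Mutually authenticated") == "no":
        findings.append("WebSEAL does not authenticate itself to the backend")
    for s in servers:
        if s.get("Server State") != "running":
            findings.append("server %s (%s:%s) is %s" % (s["ID"], s["Hostname"], s["Port"], s["Server State"]))
    return findings
```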
Deleting the whole junction is also an easy task:
pdadmin sec_master> server task default-webseald-isam-70.lab.mycompany.com delete /myjunction
Deleted junction from /myjunction
pdadmin sec_master>