Working with protected object policies (POPs for short) is quite similar to working with ACLs. In this example we will create a POP that requires the end user to authenticate at authentication level 1 before a junction is served.
First, we'll create a new POP and display its contents:
pdadmin sec_master> pop create level1
pdadmin sec_master> pop show level1
Protected object policy: level1
Description:
Warning: No
Audit level: none
Quality of protection: none
Time of day access: sun, mon, tue, wed, thu, fri, sat, :anytime:local
IP Endpoint Authentication Method Policy
Auth Level: 0 Network: Any Other Network
pdadmin sec_master>
As you can see, a freshly created POP enforces nothing: the authentication level for any network is 0 (unauthenticated), access is allowed at any time of day, and no quality of protection is required. We are going to change that. The command below raises the authentication level required from any network (anyothernw) to 1. WebSEAL resolves that number through the [authentication-levels] stanza in webseald.conf, where the first entry (level 0) is unauthenticated and the second (level 1) is password in the default configuration, so a user who arrives unauthenticated is prompted to log in before the junction is served:
pdadmin sec_master> pop modify level1 set ipauth anyothernw 1
pdadmin sec_master> pop show level1
Protected object policy: level1
Description:
Warning: No
Audit level: none
Quality of protection: none
Time of day access: sun, mon, tue, wed, thu, fri, sat, :anytime:local
IP Endpoint Authentication Method Policy
Auth Level: 1 Network: Any Other Network
pdadmin sec_master>
In order to attach a POP to an object, you need the object's path in the protected object space. Let's take the junction from our previous post as an example and attach our fresh POP to it:
pdadmin sec_master> pop attach /WebSEAL/isam-70.lab.mycompany.com-default/myjunction level1
pdadmin sec_master> pop find level1
/WebSEAL/isam-70.lab.mycompany.com-default/myjunction
pdadmin sec_master>
Now you can see your POP attached to this junction! Keep in mind that the POP is inherited by everything below the junction until another POP is attached further down, that it applies in addition to the ACL (the ACL must still grant the permission), and that an object carries at most one POP, which is why pop detach takes only the object name.
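The same steps scripted as a batch, with a check that the policy server actually reports the level we asked for. This is an added example, not code from the original post: the POP name, the junction path and the PDADMIN_USER / PDADMIN_PASS variables are assumptions, and the "pop show" sample it verifies offline is a constructed copy of the output above.

```shell
#!/bin/sh
# Added example, not from the original post: drive the same pdadmin steps as a
# batch and verify the result by parsing "pop show" output. The POP name, the
# junction path, and the PDADMIN_USER / PDADMIN_PASS variables are assumptions.

POP_NAME="${POP_NAME:-level1}"
OBJ="${OBJ:-/WebSEAL/isam-70.lab.mycompany.com-default/myjunction}"
AUTH_LEVEL="${AUTH_LEVEL:-1}"

# Emit the pdadmin commands for the batch. "pop create" fails if the POP
# already exists; drop that line when re-running against an existing POP.
# WebSEAL resolves AUTH_LEVEL through the [authentication-levels] stanza of
# webseald.conf (level 0 = unauthenticated, level 1 = the next entry).
pop_commands() {
  cat <<EOF
pop create $POP_NAME
pop modify $POP_NAME set ipauth anyothernw $AUTH_LEVEL
pop attach $OBJ $POP_NAME
pop show $POP_NAME
pop find $POP_NAME
EOF
}

# Read "pop show" output on stdin and print the auth level that applies to
# "Any Other Network" (an integer, or "forbidden"). Per-network entries that
# "set ipauth add" creates are ignored on purpose.
pop_any_other_level() {
  sed -n 's/^[[:space:]]*Auth Level:[[:space:]]*\([^[:space:]]*\)[[:space:]]*Network:[[:space:]]*Any Other Network.*$/\1/p'
}

# Succeed only if the level read back equals the one requested.
verify_level() {
  [ "$(pop_any_other_level)" = "$AUTH_LEVEL" ]
}

# Constructed copy of the "pop show level1" output from the post, used when no
# policy server is reachable.
SAMPLE_POP_SHOW="$(cat <<'EOF'
Protected object policy: level1
Description:
Warning: No
Audit level: none
Quality of protection: none
Time of day access: sun, mon, tue, wed, thu, fri, sat, :anytime:local
IP Endpoint Authentication Method Policy
    Auth Level: 1 Network: Any Other Network
EOF
)"

if command -v pdadmin >/dev/null 2>&1; then
  # Commands go in on stdin, so no command file with the password touches disk;
  # the password passed with -p is still visible in the process list.
  if pop_commands | pdadmin -a "${PDADMIN_USER:-sec_master}" -p "$PDADMIN_PASS" | verify_level; then
    echo "POP $POP_NAME enforces auth level $AUTH_LEVEL for any other network"
  else
    echo "POP $POP_NAME does not show auth level $AUTH_LEVEL; check pdadmin output" >&2
  fi
else
  printf '%s\n' "$SAMPLE_POP_SHOW" | verify_level && echo "offline check: sample output shows auth level $AUTH_LEVEL"
fi
```

Feeding the commands on stdin rather than typing them makes the change repeatable across environments; the verify step matters because pdadmin accepts a level number that has no entry in [authentication-levels] without complaint, and you only find out when WebSEAL cannot satisfy the step-up.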
There are many more POP-related options available. The full list is accessible via the built-in help system (the documented form is help pop); as the session below shows, an unknown subcommand such as pop help also prints the usage list as part of its error message:
pdadmin sec_master> pop help
Error: Unknown or incomplete command. Try one of:
pop list <pop-name> attribute
pop modify <pop-name> delete attribute <attr-name>
pop modify <pop-name> delete attribute <attr-name> <attr-value>
pop modify <pop-name> set attribute <attr-name> <attr-value>
pop show <pop-name> attribute <attr-name>
pop create <pop-name>
pop delete <pop-name>
pop modify <pop-name> set description <description>
pop modify <pop-name> set tod-access <{anyday|weekday|<day-list>}>:<{anytime|<time-spec>-<time-spec>}>[:{utc|local}]
pop modify <pop-name> set ipauth remove <network> <netmask>
pop modify <pop-name> set ipauth anyothernw {<auth_level>|forbidden}
pop modify <pop-name> set ipauth add <network> <netmask> {<auth_level>|forbidden}
pop modify <pop-name> set warning {yes|no}
pop modify <pop-name> set audit-level {all|none|<audit-level-list>}
pop modify <pop-name> set qop {none|integrity|privacy}
pop list
pop show <pop-name>
pop attach <object-name> <pop-name>
pop detach <object-name>
pop find <pop-name>
pdadmin sec_master>