IBM WebSphere XS40 Command Reference Manual

DataPower XML Security Gateway

WebSphere® DataPower XML Security Gateway XS40
Version 3.7.2
Command Reference


  Summary of Contents for IBM WebSphere XS40

  • Page 1 WebSphere® DataPower XML Security Gateway XS40 Version 3.7.2 Command Reference...
  • Page 3 WebSphere® DataPower XML Security Gateway XS40 Version 3.7.2 Command Reference...
  • Page 4 Before using this information and the product it supports, read the information in “Notices and trademarks” on page 1011. First Edition (December 2008) This edition applies to version 3, release 7, modification 2, level 0 of IBM WebSphere DataPower XML Security Gateway XS40 and to all subsequent releases and modifications until otherwise indicated in new editions.
  • Page 5: Table Of Contents

    . 59 application-security-policy . . 24 logging category. . 60 audit delete-backup (Common Criteria) . . 25 logging event . . 60 audit level (Common Criteria) . . 25 logging eventcode . . 61 © Copyright IBM Corp. 1999, 2008...
  • Page 6 logging eventfilter . . 62 snmp . 98 logging object . 63 soap-disposition . . 99 logging target . 64 source-ftp-poller . . 99 loglevel. . 64 source-ftp-server . . 100 logsize . . 65 source-http . . 100 matching . .
  • Page 7 wsrr-subscription . . 138 config-mode . . 173 wsrr-synchronize . . 139 deployment-policy. . 173 xml parser limits . . 139 domain-user (deprecated) . . 174 xml validate . . 139 file-monitoring . . 175 xmlfirewall . . 141 file-permissions. .
  • Page 8 result-is-conformance-report . 205 use-crl . . 256 Chapter 10. CRL configuration mode Chapter 15. Deployment Policy bind-dn . . 207 configuration mode ..257 bind-pass. . 207 ??? accept . 257 fetch-url . .
  • Page 9 result . . 291 local-address . 321 result-name-pattern . . 291 http-client-version . . 321 success-delete . . 292 max-header-count . . 322 success-rename-pattern . . 292 max-header-name-len. . 322 target-dir . . 292 max-header-value-len. . 323 xml-manager . 293 max-querystring-len .
  • Page 10 Chapter 32. Interface configuration filter-suffix . . 380 returned-attribute . . 380 mode ....351 scope . . 381 arp . . 351 dhcp . . 351 Chapter 40.
  • Page 11 hostmatch (deprecated) . . 410 default-param-namespace . . 440 httpmatch . 410 element-depth . . 440 match-with-pcre . 411 external-references. . 441 no match . . 411 follow-redirects . . 441 urlmatch . . 411 forbid-external-references (deprecated) . . 442 xpathmatch .
  • Page 12 wsrm-destination-inorder . . 478 result . . 507 wsrm-destination-maximum-inorder-queue-length result-name-pattern . . 507 wsrm-destination-maximum-sequences . . 479 success-delete . . 508 wsrm-request-force . 480 success-rename-pattern . . 508 wsrm-response-force . . 480 target-dir . . 509 wsrm-sequence-expiration . . 480 xml-manager .
  • Page 13 iterator-expression . . 533 rewrite . 567 iterator-type . . 534 route-action . . 567 log-level . . 534 route-set . . 568 log-type . . 535 setvar . . 568 loop-action . . 535 slm . . 569 multiple-outputs . .
  • Page 14 pwd-history . . 607 Chapter 72. SNMP Settings pwd-max-age . . 608 configuration mode ..637 pwd-max-history . . 608 access . . 637 pwd-minimum-length . 609 port . 638 pwd-mixed-case . 609 trap-code .
  • Page 15 tfim-issuer . . 666 Chapter 83. UDDI Subscription tfim-operation . . 666 configuration mode ..693 tfim-pathaddr . . 667 key . . 693 tfim-port . . 668 password . . 693 tfim-porttype .
  • Page 16 dhcp . . 731 error-policy-override . . 759 identifier . . 732 multipart-form-data . . 760 interface . . 732 policy-type . . 760 ip address . 733 ratelimiter-policy . . 761 ip default-gateway . 734 request-body-max . . 762 ip route .
  • Page 17 autocreate-sources . . 784 stream-output-to-front . 820 back-attachment-format . . 785 stylepolicy . . 821 back-persistent-timeout . . 785 suppress . . 821 back-timeout . 786 type . 822 backend-url . . 786 uddi-subscription . . 822 backside-port-rewrite . . 787 urlrewrite-policy .
  • Page 18 operation . . 852 method . . 887 transport . . 853 namespace . . 888 wsdl . . 853 object-name . . 888 object-type . . 889 refresh-interval . . 889 Chapter 101. WS-Proxy Endpoint server . . 890 Rewrite configuration mode .
  • Page 19 loadbalancer-group . 921 port . 945 schedule-rule . 921 ssl . . 945 user-agent . 922 system-name . 945 user-name . 946 Chapter 109. XML Parser Limits Chapter 114. Monitoring commands configuration mode ..923 show aliases .
  • Page 20 Load balancer service variables . . 983 Getting a fix . . 1009 Multistep variables . 983 Contacting IBM Support . . 1010 Transaction variables . . 984 Asynchronous transaction variables . . 984 Notices and trademarks ..1011 Error handling transaction variables .
  • Page 21: Preface

    This document assumes that you have installed and initially configured the appliance as described in the IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide or in the IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide, depending on the model type.
  • Page 22: Administration Documentation

    Guide Provides instructions for using the WebGUI to configure Multiple-Protocol Gateway services. v IBM WebSphere DataPower SOA Appliances: Web Service Proxy Developers Guide Provides instructions for using the WebGUI to configure Web Service Proxy services. v IBM WebSphere DataPower SOA Appliances: B2B Gateway Developers Guide Provides instructions for using the WebGUI to configure B2B Gateway services.
  • Page 23: Integration Documentation

    IBM WebSphere DataPower SOA Appliances: Extension Elements and Functions Catalog Provides programming information about the usage of DataPower XSLT extension elements and extension functions. Integration documentation The following documents are available for managing the integration of related products that can be associated with the DataPower appliance:...
  • Page 24: Reading Syntax Statements

    Reading syntax statements The reference documentation uses the following special characters to define syntax: Identifies optional options. Options not enclosed in brackets are required. Indicates that you can specify multiple values for the previous option. Indicates mutually exclusive information. You can use the option to the left of the separator or the option to the right of the separator.
  • Page 25 other domains. When viewed from other domains, the directory name changes from local: to the name of the application domain. logstore: This directory contains log files that are stored for future reference. Typically, the logging targets use the logtemp: directory for active logs. You can move log files to the logstore: directory.
  • Page 26: Object Name Conventions

    schemas This subdirectory contains schemas that are used by DataPower services. This encrypted subdirectory contains files that are used by the appliance itself. This subdirectory is available from the command line only. pubcerts This encrypted subdirectory contains files that are used by the appliance itself.
  • Page 27: Chapter 1. Initial Login And Common Commands

    Traces the network path to a target host. Also available in Global mode. Also available in Flash configuration mode. Table 2. Commands by type of user that are available after initial login Command admin user Privileged-type user User-type user alias...
  • Page 28: Common Commands

    Table 2. Commands by type of user that are available after initial login (continued) Command admin user Privileged-type user User-type user clock configure terminal disable disconnect echo enable exec exit help login ping show shutdown switch template test schema test tcp-connection traceroute Common commands For a list of the commands that are available in most configuration modes, refer to...
  • Page 29: Admin-State

    Table 3. Common configuration commands and their general purpose (continued) Command Purpose The command is also available after initial log in, which is before you explicitly enter a configuration mode. To determine whether these commands are available to a specific user-type class after an initial login, refer to Table 2 on page 1. The output from the command differs when invoked after initial log in and when invoked while in a configuration mode.
  • Page 30: Cancel

    Guidelines Also available in Global configuration mode. If creating a macro that uses multiple commands, you can either v Surround the string in quotes and separate commands with a semicolon. For example: alias eth0 "configure terminal; interface ethernet 0" v Separate commands with an escaped semicolon. For example: alias eth0 configure terminal\;interface ethernet0 Use the no alias command to delete a command macro.
  • Page 31: Clock

    Syntax cancel Guidelines The cancel command cancels all configuration changes to the current object and returns to the parent configure mode. This command is available in all configuration modes except Interface configuration mode. Related Commands exit, reset Examples v Cancels the current configuration, which leaves the objects unchanged. # cancel clock Sets the date or time.
  • Page 32: Configure Terminal

    (config)# diagnostics Enters Diagnostics mode. Syntax diagnostics Guidelines The diagnostics command enters Diagnostics mode. Attention: Use this command only at the explicit direction of IBM Support. disable Enters User Mode. Syntax disable Guidelines Also available in Global configuration mode. Related Commands...
  • Page 33: Disconnect

    disconnect Closes a user session. Syntax disconnect session Parameters session Specifies the session ID. Guidelines The disconnect command closes a user session. Use the show users command to display the list of active user sessions. Related Commands show users Examples v Closes the session that is associated with session ID 36..
  • Page 34: Exec

    Related Commands disable, exit Examples v Exits User Mode and enters Privileged Mode. > enable Username: admin Password: ******** exec Calls and runs a target configuration script. Syntax exec URL Parameters Identifies the location of the configuration file. v If the file resides on the appliance, this parameter takes the form directory:///filename, where: directory Identifies a local directory.
  • Page 35: Exit

    exit Applies changes to the current object and returns to the parent configuration mode. Syntax exit Guidelines The exit command applies all changes made to the object to the running configuration. To save these changes to the startup configuration, use the write mem command.
  • Page 36: Login

    v Displays help for the shutdown command. # ? shutdown login Logs in to the appliance as a specific user. Syntax login Guidelines After entering the login command, the CLI prompts for a username and password. User accounts log in to User Mode, while admin, privileged accounts, and group-specific accounts log in to Privileged Mode.
  • Page 37: Ping

    Use the ntp command to identify the NTP (Network Time Protocol) server. After identifying an NTP server, the appliance functions as a Simple Network Time Protocol (SNTP) client as described in RFC 2030. Note: From the CLI, the appliance supports the configuration of only one NTP server.
  • Page 38: Reset

    Examples v Pings ragnarok. # ping ragnarok v Pings 192.168.77.144. # ping 192.168.77.144 reset Restores default values. Syntax reset Guidelines The reset command sets mode-specific properties to their default values. Properties that lack default values are unchanged. Default values assigned by the reset command are not applied until the user uses the exit command to save changes and exit the current configuration mode.
  • Page 39: Shutdown

    shutdown Restarts or shuts down the appliance. Syntax shutdown reboot [seconds] shutdown reload [seconds] shutdown halt [seconds] Parameters reboot Shuts down and restarts the appliance. reload Restarts the appliance. halt Shuts down the appliance. seconds Specifies the number of seconds before the appliance starts the shutdown operation.
  • Page 40: Switch Domain

    Syntax summary string Parameters string Specifies descriptive text for the object. Guidelines The summary command specifies a brief, object-specific comment. If the comment contains spaces, enclose the comment in double quotation marks. Examples v Adds an object-specific comment. # summary "Amended server list" switch domain Moves to a specified domain.
  • Page 41: Test Schema

    Parameters Specifies the fully-qualified location of the interactive command line script. Guidelines Also available in Global configuration mode. The template command specifies the URL of the interactive command line script. The script is an XML file that can be local or remote to the DataPower appliance. The script must conform to the store:///schemas/dp-cli-template.xsd schema.
  • Page 42: Test Tcp-Connection

    test tcp-connection Tests the TCP connection to a remote appliance. Syntax test tcp-connection host port [timeout] Parameters host Specifies the target host. Use either the IP address or host name. port Specifies the target port. timeout Specifies an optional timeout value, the number of seconds that the CLI waits for a response from the target host.
  • Page 43: Traceroute

    Examples v Returns the user, either the admin account or a privileged account, to Privileged Mode, the user-specific login mode. (config crypto-val-credentials)# top traceroute Traces the network path to a target host. Syntax traceroute host Parameters host Specifies the target host as either the IP address or host name. Guidelines Also available in Global configuration mode.
  • Page 44 Command Reference...
  • Page 45: Chapter 2. Global Configuration Mode

    Use the cancel or exit commands to exit AAA Policy configuration mode and return to Global configuration mode. Related Commands cancel, exit account (Common Criteria) Defines the lockout behavior for local accounts. Syntax account max-login-failure count account lockout-duration minutes...
  • Page 46 Parameters lockout-duration minutes Specifies the number of minutes to lock out an account after exceeding the maximum number of failed login attempts. A value of 0 indicates that accounts are locked out until reset by a privileged administrator. Use an integer in the range of 0 through 1000.
  • Page 47: Acl

    Examples v Enables lockout behavior so that, on the fifth login failure, the account is locked out until reset by a privileged administrator: # account lockout-duration 0 # account max-login-failure 4 v Disables lockout behavior. # account max-login-failure 0 Enters Access Control List configuration mode for a specified service provider.
  • Page 48: Action

    list. A candidate address is denied or granted access to the service provider in accordance with the first matching clause. Consequently, the order of clauses is important in an Access Control List. Use the no acl command to delete a named ACL. Use the exit command to exit Access Control list configuration mode and return to Global configuration mode.
  • Page 49: Alias

    Related Commands cancel, exit, show action alias Creates a command macro. Syntax alias aliasName commandString no alias aliasName Parameters aliasName Specifies the name of the command macro. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. commandString Defines a sequence of commands.
  • Page 50: Application-Security-Policy

    v Creates the back2 alias that moves back two configuration modes. If invoked while in Validation Credentials configuration mode, moves to Global configuration mode. # alias back2 "exit; exit" Alias update successful v Creates the proxys alias that displays information about XSL Proxy objects. # alias proxys show xslproxy Alias update successful v Creates the update-cfg alias that restarts the appliance with an updated...
  • Page 51: Audit Delete-Backup (Common Criteria)

    audit delete-backup (Common Criteria) Deletes the archived version of the audit log. Syntax audit delete-backup Context Available only when the appliance is in Common Criteria mode. Guidelines The audit delete-backup command deletes the audit:///audit-log.1 file. This file is the archived version of the audit log. When the size of the audit log, the audit:///audit-log file, reaches approximately 250 kilobytes, the appliance saves this file as the audit:///audit-log.1 file, which overwrites the previous version of the audit:///audit-log.1 file.
  • Page 52: Cache Schema

    Parameters kilobytes Specifies the amount of disk space in kilobytes to reserve for the audit log. The reserve space must be at least four kilobytes less than the total amount of free space that is currently available on the file system. Use an integer in the range of 0 through 10000.
  • Page 53: Cache Stylesheet

    stream Compiles the schema in streaming mode. If in doubt about whether the target schema lends itself to streaming, retain the default value of general. Related Commands cache stylesheet, cache wsdl Examples v Compiles the schema in streaming mode and adds the schema to the schema cache that is maintained by the mgr1 XML Manager.
  • Page 54: Clear Aaa Cache

    Syntax cache wsdl xmlMgrName wsdlURL Parameters xmlMgrName Specifies the name of an XML manager. wsdlURL Specifies a URL of the schema to cache. Related Commands cache schema, cache stylesheet Examples v Compiles and adds the specified WSDL to the WSDL cache of the mgr1 XML Manager.
  • Page 55: Clear Dns-Cache

    Guidelines Also available in Interface configuration mode. Related Commands arp, show netarp Examples v Clears the ARP table. # clear arp clear dns-cache Clears the DNS cache. Syntax clear dns-cache Examples v Clears the DNS cache. # clear dns-cache Cleared DNS cache clear pdp cache Clears all compiled XACML policies of a specific XACML Policy Decision Point (PDP).
  • Page 56: Clear Rbm Cache

    is associated with the AAA Policy with the clear xsl cache command. This command clears the compiled XACML policies in the XML Manager that is referenced by the AAA Policy. Use a URL Refresh Policy You can use a URL Refresh Policy whose match conditions match the internal URL xacmlpolicy:///pdpName to perform periodic cache refreshes.
  • Page 57: Cli Remote Open

    Examples v Clears the stylesheet cache of the mgr1 XML Manager. # clear xsl cache mgr1 Cleared cache of xmlmgr mgr1 cli remote open Establishes a TCP/IP connection to a specific remote host. Syntax cli remote open address port Parameters address Specifies the IP address of the remote host.
  • Page 58 Parameters name Specifies the name of the Telnet service. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. telnetServerIP Specifies the IP address (either primary or secondary) of a DataPower Ethernet interface.
  • Page 59: Compact-Flash (Type 9235)

    v Deletes the support Telnet service. # no cli telnet support Deleted cli telnet handler compact-flash (Type 9235) Enters Compact Flash configuration mode. Syntax compact-flash name Parameters name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0. Guidelines The compact-flash command enters Compact Flash configuration mode for an existing compact flash enabled appliance.
  • Page 60: Compile-Options

    Syntax compact-flash-repair-filesystem name Parameters name Specifies the name of the existing compact flash volume. For appliances that have a compact flash for auxiliary data storage, the name is cf0. Guidelines The compact-flash-repair-filesystem command repairs the file system on the compact flash storage card, in case it was corrupted by an abnormal shutdown of the appliance or other error.
  • Page 61: Conformancepolicy

    conformancepolicy Enters Conformance Policy configuration mode. Syntax conformancepolicy name no conformancepolicy name Parameters name Specifies the name of the Conformance Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the conformancepolicy command to enter Conformance Policy configuration mode to create or edit a Conformance Policy.
  • Page 62 Parameters Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file will result in a prompt that requests confirmation to overwrite the existing file.
  • Page 63: Create-Tam-Files

    Related Commands delete, dir, move, send file (Global) Examples v Uses HTTP to copy a file from the specified URL to the image: directory. # copy http://host/image.crypt image:///image.crypt file copy successful (1534897 bytes transferred) v Uses HTTP over SSL to copy a file from the specified URL to the image: directory.
  • Page 64 Parameters create-copy The Tivoli® Access Manager key database and key stash files are placed in the cert: directory when created. This directory does not allow files to be moved out of it. By selecting to create copies of the created files, a copy of the key database and stash files will be placed in the temporary: directory, and can be downloaded off of the appliance.
  • Page 65: Crypto

    ldap-auth-timeout Specifies the timeout, in seconds, that is allowed for LDAP authentication operations. There is no range limit. The default is 30. ldap-search-timeout Specifies the timeout, in seconds, that is allowed for LDAP search operations. There is no range limit. The default is 30. use-ldap-cache Indicates whether to enable client-side caching.
  • Page 66: Delete

    Related Commands exit delete Deletes a file from the DataPower appliance. Syntax delete URL Parameters Specifies a URL of the file to delete. This argument takes the directory:///filename form, where: directory Specifies a directory on the appliance. Refer to “Directories on the appliance”...
  • Page 67: Dir

    The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the deployment-policy command to enter Deployment Policy configuration mode to create or edit a Deployment Policy. Use the cancel or exit command to exit Deployment Policy configuration mode and return to Global configuration mode.
  • Page 68: Disable

    disable Enters User Mode. Syntax disable Guidelines Use the disable command to exit Global configuration mode and enter User mode. Use the exit command to exit Global configuration mode and enter Privileged mode. Also available in Privileged mode. Related Commands enable, exit Examples v Exits Global configuration mode and enters User Mode.
  • Page 69: Document-Crypto-Map

    # no dns document-crypto-map Enters Document Crypto Map configuration mode. Syntax document-crypto-map name no document-crypto-map name Parameters name Specifies the name of the Document Crypto Map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the no document-crypto-map command to delete a Document Crypto Map.
  • Page 70: Domain

    Related Commands exit domain Enters Application Domain configuration mode. Syntax domain name no domain name Parameters name Specifies the name of the application domain. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The domain command enters Application Domain configuration mode to create a new Application Domain object or to modify an existing Application Domain...
  • Page 71: File-Capture

    Related Commands cancel, exit, send error-report file-capture Controls the file capture trace utility. Syntax file-capture {always | errors | off} Parameters always Enables the file capture trace utility and provides a trace of all appliance traffic. errors Enables the file capture trace utility and provides a trace for failed transactions only.
  • Page 72: Flash

    v Disables the file capture trace utility, which restores the default state. # file-capture off File nature mode set to off flash Enters Flash configuration mode. Syntax flash Guidelines Use the exit command to exit Flash configuration mode and enter Global configuration mode.
  • Page 73: Httpserv

    Parameters alias Specifies the alias to assign to the specified IP address. Guidelines Use the no host-alias command to remove an alias map. Related Commands cancel, exit httpserv Enters HTTP Server configuration mode. Syntax httpserv name httpserv name address port no httpserv name Parameters name...
  • Page 74: Import-Execute

    If you wish to restrict access to an HTTP server, you can compile an ACL using the acl, allow, and deny commands. Use the no httpserv command to delete an HTTP server. Use the exit command to exit HTTP Server configuration mode and return to Global configuration mode.
  • Page 75: Include-Config

    Syntax import-package name no import-package name Parameters name Specifies the name of the Import Configuration File object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The import-package command enters Import Configuration File configuration mode to create a new Import Configuration File object or to modify an existing Import Configuration File object.
  • Page 76: Input-Conversion-Map

    Related Commands exec Examples v Enters Include Configuration configuration mode to create the standardServiceProxies Include Configuration. # include-config standardServiceProxies Include Configuration configuration mode v Deletes the standardServiceProxies Include Configuration. # no include standardServiceProxies input-conversion-map Enters HTTP Input Conversion Map configuration mode. Syntax input-conversion-map name no input-conversion-map name...
  • Page 77: Ip Domain

    Note: To disable an Ethernet interface, use the admin-state command in Interface configuration mode. Use the exit command to exit Interface configuration mode and enter Global configuration mode. Related Commands admin-state (Interface), exit, show interface Examples v Enters Interface configuration mode for Ethernet interface 0. # interface ethernet 0 Interface configuration mode (ethernet 0) v Enters Interface configuration mode for Ethernet interface 0.
  • Page 78: Ip Host

    Examples v Adds the datapower.com, somewhereelse.com, and endoftheearth.com IP domains to the IP domain table. The appliance attempts to resolve the host name loki in following ways: loki.datapower.com loki.somewhereelse.com loki.endoftheearth.com # ip domain datapower.com # ip domain somewhereelse.com # ip domain endoftheearth.com # xslproxy Proxy-01 XSL proxy configuration mode # remote-address loki 80...
  • Page 79: Ip Name-Server

    # no ip host * ip name-server Identifies a local DNS provider. Syntax ip name-server address [ udpPortNumber] [tcpPortNumber] [flags] [max-retries] no ip name-server address no ip name-server * Parameters address Specifies the IP address of the DNS server. udpPortNumber Optionally identifies the UDP port that the DNS server monitors.
  • Page 80: Iscsi-Chap (Type 9235)

    iscsi-chap (Type 9235) Enters iSCSI CHAP configuration mode. Syntax iscsi-chap name no iscsi-chap name Parameters name Specifies the name of the iSCSI CHAP. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The iscsi-chap command enters iSCSI CHAP configuration mode.
  • Page 81: Iscsi-Fs-Repair (Type 9235)

    Related Commands admin-state (iSCSI Volume) Examples v Disables, initializes, and re-enables the Georgia iSCSI volume. # iscsi-volume Georgia Modify iSCSI Volume configuration # admin-state disabled # exit # iscsi-fs-init Georgia iSCSI filesystem Georgia initialized # iscsi-volume Georgia Modify iSCSI Volume configuration # admin-state enabled iscsi-fs-repair (Type 9235) Repairs an iSCSI volume.
  • Page 82: Iscsi-Hba (Type 9235)

    iscsi-hba (Type 9235) Enters iSCSI HBA configuration mode. Syntax iscsi-hba {iscsi1 | iscsi2} Parameters iscsi1 Identifies the existing iSCSI HBA for the eth1 Ethernet interface. iscsi2 Identifies the existing iSCSI HBA for the eth2 Ethernet interface. Guidelines The iscsi-hba command enters iSCSI HBA configuration mode for the specified HBA.
  • Page 83: Loadbalancer-Group

    Syntax iscsi-volume name no iscsi-volume name Parameters name Specifies the name of the iSCSI volume to configure. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The iscsi-volume command enters iSCSI Volume configuration mode. While in this configuration mode, create, partition, and name the logical storage volume.
  • Page 84: Known-Host

    Syntax locate-device {on | off} Parameters Activates the locate LED light. (Default) Deactivates the locate LED light. Guidelines The locate-device command activates or deactivates the locate LED light on Type 9235 appliances. The locate LED is on the front of the appliance. v When activated, the locate LED light is illuminated in blue.
  • Page 85: Ldap-Search-Parameters

    Examples v Adds ragnarok.datapower.com by host name as an SSH known host. # known-host ragnarok.datapower.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25 p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRl UDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQ VpPbyVujoHINCrx0k/z7Qpkozb4qZd8== v Adds ragnarok.datapower.com by IP address as an SSH known host. # known-host 10.97.111.108 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1J/99rRvdZmVvkaKvcG2a+PeCm25 p8OJl87SA6mtFxudA2ME6n3lcXEakpQ8KFTpPbBXt+yDKNFR9gNHIfRl UDho1HAN/a0gEsvrnDY5wKrTcRHrqDc/x0buPzbsEmXi0lud5Pl7+BXQ VpPbyVujoHINCrx0k/z7Qpkozb4qZd8== v Removes ragnarok.datapower.com by IP address as an SSH known host. # no known-host 10.97.111.108 ldap-search-parameters Enters LDAP Search Parameters configuration mode.
  • Page 86: Logging Category

    Syntax load-interval measurement-interval Parameters measurement-interval Specifies the measurement interval in milliseconds. Use an integer in the range of 500 through 5000. The default is 1000. Guidelines The load-interval command specifies the duration of a measurement interval. During this interval, system load is estimated and expressed as a percentage. Use this command in conjunction with the show load command to monitor system load.
  • Page 87: Logging Eventcode

    Parameters name Specifies the name of the existing log to which an event class will be added. category Specifies the name of an event-class to add. priority Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order: v emerg (Emergency) v alert (Alert)
  • Page 88: Logging Eventfilter

    Parameters target Specifies the name of an existing log target. event-code Specifies the hexadecimal value of the event code. Guidelines The logging eventcode command adds an event code to the subscription list for the specified log target. This command is equivalent to using the event-code command in Logging configuration mode.
  • Page 89: Logging Object

    logging object Adds an object filter to a specific log. Syntax logging object name object class no logging object name object class Parameters name Specifies the name of the existing log to which to add an object filter. object Identifies the object type. class Identifies a specific instance of the target class.
  • Page 90: Logging Target

    Examples v Adds an object filter to the Alarms log. This log will record only events that are issued by the Proxy-1 XSL Proxy. Event priority uses the existing configuration of the Alarms log. # logging object Alarms XSLProxyService Proxy-1 v Deletes an object filter from the Alarms log.
  • Page 91: Logsize

    - critic or 2
    - error or 3
    - warn or 4
    - notice or 5
    - info or 6
    - debug or 7
    Guidelines
    The loglevel command determines which system-generated events to log to the basic event log. The log priority also functions as a filter and determines which events to forward to a remote syslog daemon.
  • Page 92: Matching

    Syntax logsize size Parameters size Specifies the size of the log in lines. The default is 200. Guidelines In the absence of an argument, logsize displays the size of the log file in lines. Note: The loglevel, logsize, and syslog commands provide the ability to configure a rudimentary basic logging system.
  • Page 93: Memoization

    implementation of Processing Policy objects. A Processing Policy uses Matching Rule objects to determine whether a candidate XML document is subject to specific processing instructions in the policy. Refer to Appendix B, “Processing Policy procedures,” on page 999 for procedural details about the creation and implementation of Matching Rule and Processing Policy objects.
  • Page 94: Message-Matching

    message-matching Enters Message Matching configuration mode. Syntax message-matching name no message-matching name Parameters name Specifies the name of the traffic-flow definition. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The message-matching command creates a traffic-flow definition that describes a traffic stream to be subject to administrative monitoring and control.
  • Page 95: Metadata

    Use the cancel or exit command to leave Message Type configuration mode and enter Global configuration mode. Use the no message-type command to delete a message class. Related Commands cancel, exit metadata Enters Processing Metadata configuration mode. Syntax metadata name no metadata name Parameters name...
  • Page 96: Monitor-Action

    Use the rmdir command to delete subdirectories.
    Related Commands
    rmdir
    Examples
    - Creates the stylesheets subdirectory of the local: directory.
      # mkdir local:///stylesheets
      Directory 'local:///stylesheets' successfully created.
    - Creates the C-1 subdirectory in the stylesheets subdirectory of the local: directory.
      # mkdir local:///stylesheets/C-1
      Directory 'local:///stylesheets/C-1' successfully created.
  • Page 97: Monitor-Duration

    Parameters name Specifies the name of the monitor. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines A monitor count is an incremental, or counter-based, monitor that consists of a target message class, a configured threshold, and a control procedure that is triggered when the threshold is exceeded.
  • Page 98: Mpgw

    Syntax move [-f] source-URL destination-URL Parameters -f Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests confirmation to overwrite the existing file.
  • Page 99: Mtom

    Guidelines Use the no mpgw command to delete a Multi-Protocol Gateway. Related Commands cancel, exit mtom Enters MTOM Policy configuration mode. Syntax mtom name no mtom name Parameters name Specifies the name of the MTOM Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
  • Page 100: Nfs-Client

    You can also control routing behavior, interface isolation and ECN settings. Use the cancel or exit command to leave Network Settings configuration mode and enter Global configuration mode. Use the no network command to reset network settings to their defaults. Related Commands cancel, exit nfs-client...
  • Page 101: Nfs-Static-Mount

    Related Commands cancel, exit nfs-static-mount Enters NFS Static Mounts configuration mode. Syntax nfs-static-mount name no nfs-static-mount name Parameters name Specifies the name of the NFS static mount object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
  • Page 102: Ntp-Service

    The appliance supports one NTP server at a time. To designate a new NTP server, use the no ntp command to delete the current server, and then use the ntp command to designate the new server. Also available in Privileged mode. Related Commands clock, ntp-service, show ntp time Examples...
  • Page 103: Policy-Attachments

    Parameters name Specifies the name of the peer group. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines While in Peer Group configuration mode, you identify members of an SLM Monitoring Peer Group.
  • Page 104: Radius

    Parameters name Specifies the name of the object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit command to exit Policy Parameters configuration mode and return to Global configuration mode.
  • Page 105: Raid-Delete (Type 9235)

    Examples
    - Activates the RAID Volume in the disks as the active RAID volume.
      # raid-activate raid0
    raid-delete (Type 9235)
    Deletes an array volume.
    Syntax
    raid-delete name
    Parameters
    name Specifies the name of the existing hard disk array volume. For appliances that have a hard disk array for auxiliary data storage, the name is raid0.
  • Page 106: Raid-Volume (Type 9235)

    Parameters name Specifies the name of the existing hard disk array volume. For appliances that have a hard disk array for auxiliary data storage, the name is raid0. Guidelines The raid-rebuild command forces a rebuild of a hard disk array volume. The contents of the primary disk in the array volume are copied to the secondary disk.
  • Page 107: Raid-Volume-Repair-Filesystem (Type 9235)

    Guidelines
    The raid-volume-initialize-filesystem command initializes the filesystem on the hard disk array to allow it to be made active. This action destroys the existing contents of the hard disk array.
    Examples
    - Makes a new file system on the raid0 hard disk array volume.
      # raid-volume-initialize-filesystem raid0
    raid-volume-repair-filesystem (Type 9235)
    Repairs the file system.
  • Page 108: Refresh Stylesheet

    Related Commands cancel, exit refresh stylesheet Forces an XML Manager to reload the specified style sheets. Syntax refresh stylesheet {* | XML-manager} match Parameters XML-manager Specifies the name of a specific XML Manager. * Specifies all XML Manager objects. match Defines a shell-style match pattern that defines the style sheets to refresh.
  • Page 109: Reset Domain

    Syntax remove chkpoint name Parameters name Specifies the name of the checkpoint configuration file. Guidelines The remove chkpoint command deletes the named checkpoint configuration file from the domain-specific chkpoint: directory. The command is equivalent to using the delete command to remove the file from a specified directory.
  • Page 110: Reset Username

    - The reset domain command deletes all configured objects in the domain but retains the configuration of the domain and all files in the local: directory.
    - The no domain command deletes all configured objects in the domain, deletes all files in the domain, and deletes the configuration of the domain itself.
    Related Commands
    domain
    Examples...
  • Page 111: Restart Domain

    - Not be one of the past five passwords
    Examples
    - Re-enables the suehill account by changing the password for the account (without the administrator specifying the password).
      # configure terminal
      (config)# reset username suehill
      Enter new password: ********
      Re-enter new password: ********
      Password for user 'suehill' is reset.
  • Page 112: Rollback Chkpoint

    Syntax
    rmdir local:///subdirectory
    Parameters
    local:///subdirectory The subdirectory to remove from the local: directory.
    Guidelines
    The rmdir command removes subdirectories from the local: directory.
    Related Commands
    mkdir
    Examples
    - Deletes the stylesheets subdirectory and all its contents from the local: directory.
      # rmdir local:///stylesheets
      Removing 'local:///stylesheets' will delete all files including subdirectories!
  • Page 113: Rule

    # rollback chkpoint foo
    Rollback Chkpoint foo is initiated (may take a few minutes to complete)
    rule
    Enters Stylesheet Policy Rule configuration mode.
    Syntax
    rule name
    rule name {request | response}
    no rule name
    Parameters
    name Specifies the name of the global processing rule. The name can contain a maximum of 128 characters.
  • Page 114: Save Chkpoint

    Related Commands
    cancel, exit, match, matching, response-rule, request-rule, rule (Stylesheet Policy), show rule, stylepolicy
    Examples
    - Creates the star matching rule to use for matching all URLs.
      # matching star
      Matching Rule configuration mode
      # urlmatch *
      # exit
    - Creates the valClientServer global bidirectional rule that validates client and server input against the specified schema.
  • Page 115: Save Error-Report

    Related Commands
    backup, maxchkpoints (Application Domain), remove chkpoint, rollback chkpoint, show chkpoints, write memory
    Examples
    - Creates the foo checkpoint configuration file.
      # save chkpoint foo
      Save Configuration Checkpoint foo scheduled (may take a few minutes to complete)
    save error-report
    Creates an error report.
  • Page 116: Save-Config Overwrite

    Guidelines
    The save internal-state command writes the internal state to the temporary:///internal-state.txt file.
    Examples
    - Saves the internal state of the appliance.
      # save internal-state
      Internal state written to temporary:///internal-state.txt
    save-config overwrite
    Specifies system behavior after a running configuration is saved.
    Syntax
    save-config overwrite
    no save-config overwrite...
  • Page 117: Search Results

    Parameters name Specifies the name of the Schema Exception Map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit command to exit Schema Exception Map configuration mode and return to Global configuration mode.
  • Page 118: Send Error-Report

    - Enables the search results algorithm for the mgr1 XML Manager, which restores the default condition.
      # search results mgr1
      Configuration successfully updated
    send error-report
    Sends an error report as e-mail.
    Syntax
    send error-report mail-server subject email-address [email-address ...]
    Parameters
    mail-server Identifies a local SMTP server by IP address or by host name.
  • Page 119: Service Battery-Installed

    Parameters
    Identifies the target file and takes one of the following forms:
    - audit:///filename
    - pubcert:///filename
    - config:///filename
    - store:///filename
    - image:///filename
    - tasktemplates:///filename
    - logstore:///filename
    - temporary:///filename
    - logtemp:///filename
    mail-server Identifies a local SMTP server by IP address or by host name.
    email-address Specifies the fully-qualified Email addresses of the file recipient.
  • Page 120: Service-Monitor

    Guidelines
    The service nagle command enables or disables the Nagle slow packet avoidance algorithm. By default, the algorithm is enabled.
    Examples
    - Disables the Nagle algorithm.
      # service nagle disabled
      service nagle algorithm.
    - Enables the Nagle algorithm.
      # service nagle enabled
      service nagle algorithm.
  • Page 121: Simple-Rate-Limiter

    var://system Specifies the required prefix that identifies a global variable. contextName Specifies the required name of the context within which the global variable resides. value Specifies the value to assign. Guidelines The set-system-var command creates a new system variable that actions or style sheets can access with the dp:variable() function.
  • Page 122: Slm-Action

    slm-action Enters SLM Action configuration mode. Syntax slm-action name no slm-action name Parameters name Specifies the name of the SLM Action. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In SLM (Service Level Monitor) Action configuration mode, define an administrative response by defining an action type (log, reject, or shape traffic) and...
  • Page 123: Slm-Policy

    slm-policy Enters SLM Policy configuration mode. Syntax slm-policy name no slm-policy name Parameters name Specifies the name of the SLM Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In SLM Policy configuration mode, define an SLM policy by specifying an evaluation method, noting peer groups and assigning statements to the policy.
  • Page 124: Snmp

    Syntax slm-sched name no slm-sched name Parameters name Specifies the name of the SLM Schedule. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In SLM Schedule configuration mode, define an SLM Schedule by specifying the days and hours when the schedule is in effect.
  • Page 125: Soap-Disposition

    soap-disposition Enters SOAP Header Disposition Table configuration mode. Syntax soap-disposition name no soap-disposition name Parameters name Specifies the name of the disposition table. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines The soap-disposition command enters SOAP Header Disposition Table configuration mode and creates the named object if it does not exist.
  • Page 126: Source-Ftp-Server

    Related Commands cancel, exit source-ftp-server Enters FTP Server Front Side Handler configuration mode. Syntax source-ftp-server handler no source-ftp-server handler Parameters handler Specifies the name of the FTP Server Front Side Handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
  • Page 127: Source-Nfs-Poller

    Syntax source-https handler no source-https handler Parameters handler Specifies the name of the Secure HTTP Front Side Handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the no source-https command to delete a Secure HTTP Front Side Handler object.
  • Page 128: Source-Stateful-Tcp

    Parameters handler Specifies the name of the Stateless Raw XML Handler object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the no source-raw command to delete a Stateless Raw XML Handler object. Related Commands cancel, exit source-stateful-tcp...
  • Page 129: Sslforwarder

    Guidelines SSH is disabled by default. You can use the optional arguments to explicitly bind SSH to a specified interface. If you explicitly bind SSH to an interface, you must have previously configured that interface. In the absence of an explicit address assignment, SSH first attempts to bind to the management port.
  • Page 130 local-port Identifies the local port. Use an integer in the range of 0 through 65535. In conjunction with the IP address, identifies the IP addresses and ports that the SSL Proxy service monitors. remote-address Specifies the IP address of the remote SSL peer. In conjunction with the remote port number, identifies a specific destination.
  • Page 131: Sslproxy

    # event cli error
    # exit
    Logging configuration successful
    - Deletes the syslog-ng-stunnel SSL Proxy service.
      # no sslforwarder syslog-ng-stunnel
      sslforwarder syslog-ng-stunnel - configuration deleted.
    sslproxy
    Creates an SSL Proxy Profile that defines an SSL service type.
    Syntax
    Create an SSL proxy profile for a client
      sslproxy name client client-profile [client-cache {on | off}]
      sslproxy name forward client-profile [client-cache {on | off}]
    Create an SSL proxy profile for a server...
  • Page 132 (or functions in both directions). In two-way mode, SSL is used over both the appliance-to-server connection and over the appliance-to-client connection. Two-way mode requires both a client and server cryptographic profile. server-profile When the operational mode is either client or two-way, identifies the Crypto Profile that is used by the SSL client to authenticate itself to the SSL server.
  • Page 133: Ssltrace

    Use the no sslproxy command to delete an SSL Proxy Profile.
    Related Commands
    profile (Crypto)
    Examples
    - Creates the SSL-1 server SSL Proxy Profile using the Low Crypto Profile on the appliance-to-client connections. Default values are used for the other properties.
      # sslproxy SSL-1 server Low
    - Creates the SSL-2 client SSL Proxy Profile using the High Crypto Profile on appliance-to-server connections.
  • Page 134: Startup

    SSL connection completed The trace is not specific to a port, but rather to an SSL Proxy Profile. Consequently, the traced object is the first connection using the target SSL Proxy Profile. Keep in mind that a single SSL Proxy Profile can be used by multiple DataPower services.
  • Page 135: Statistics

    Related Commands show startup-config (Global), show startup-errors (Global) Examples Starts the installation wizard. # startup statistics Initiates statistical data collection. Syntax statistics no statistics Guidelines Statistical data collection is disabled by default. Statistical display (with the show statistics command) is not available if statistical data collection is suspended.
  • Page 136: No Stylesheet

    xsldefault URL Identifies a default XSL style sheet used for document transformation. This default style sheet performs transformation only if a candidate XML document fails to match any of the processing rules defined within the named Processing Policy, and if the candidate document does not contain internal transformation instructions.
  • Page 137: Switch Domain

    match Defines a shell-style match pattern that defines the style sheets to delete. You can use wildcards to define a match pattern as follows: The string wildcard matches 0 or more occurrences of any character. The single character wildcard matches one occurrence of any single character.
  • Page 138: Syslog

    syslog
    Designates where to forward log messages.
    Syntax
    syslog address log-level
    Parameters
    address Specifies the IP address of the target workstation.
    log-level Specifies the type of messages to forward to the target workstation. The log level can be a keyword or an integer.
    - emerg or 0
    - alert or 1
    - critic or 2...
  • Page 139: System

    Guidelines Use the cancel or exit command to exit System Settings configuration mode and return to Global configuration mode. Related Commands cancel, exit tam Enters TAM (IBM Tivoli Access Manager) configuration mode. Syntax tam name Parameters name Optionally identifies the TAM object.
  • Page 140: Tcpproxy

    Active Directory and Lotus Domino. TAM is a licensed feature, and requires the presence of a TAM license on the DataPower appliance. Contact your IBM representative to obtain the needed license. Related Commands cancel, create-tam-files, exit tcpproxy Creates a TCP proxy that redirects an incoming TCP packet stream to a remote address.
  • Page 141: Template

    high Receives above normal priority.
    Guidelines
    The TCP Proxy service terminates the inbound TCP connection, and initiates an outbound TCP connection to the destination address. Use the no tcpproxy command to delete a TCP proxy.
    Examples
    - Creates a ForwardHTTP TCP proxy that redirects incoming traffic received on appliance interface 192.68.14.12:80 to host 10.10.20.100:80.
  • Page 142: Test Hardware

    test hardware
    Tests the hardware.
    Syntax
    test hardware
    Guidelines
    The test hardware command tests the hardware. Depending on the state of the hardware, the command produces output that states the status for each component:
    - success
    - warning
    - failure
    The components are broken down into the following categories:
    - Backtrace availability
    - Interface diagnostics...
  • Page 143: Test Schema

    Parameters
    category Specifies the name of an existing Log Category.
    priority Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order:
    - emerg (Emergency)
    - alert (Alert)
    - critic (Critical)
  • Page 144: Test Urlmap

    Guidelines
    The test schema command tests the conformity of an XML file against an XSD schema file.
    Examples
    - Tests conformity of the xyzbanner.xml XML file against the dp-user-interface.xsd schema.
      # test schema store:///xyzbanner.xml store:///schemas/dp-user-interface.xsd
      Performing validation of document 'store:///xyzbanner.xml' using schema 'store:///schemas/dp-user-interface.xsd' ...
  • Page 145: Test Tcp-Connection

    # test urlmap URLmap-1 https://www.company.com/XML/stylesheets/style1.xsl
    match
    # test urlmap URLmap-1 https://www.distributer.com/Renditions/XML2HTML.xsl
    match
    test tcp-connection
    Tests the TCP connection to a remote appliance.
    Syntax
    test tcp-connection host port [timeout]
    Parameters
    host Specifies the target host. Use either the IP address or host name.
    port Specifies the target port.
  • Page 146: Test Urlrewrite

    Refer to Appendix C, “Stylesheet Refresh Policy configuration,” on page 1005 for procedural details regarding the creation and implementation of URL maps and Stylesheet Refresh Policies.
    Related Commands
    interval urlmap, match, test urlmap, urlmap, urlrefresh, xslrefresh
    Examples
    - Tests two candidate matches against the 2aday Stylesheet Refresh Policy. Output confirms the matches and displays the refresh interval and the match pattern.
  • Page 147: Tfim

    The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In TFIM (IBM Tivoli Federated Identity Manager) configuration mode, you configure a TFIM object that provides the information needed to locate and access a TFIM server.
  • Page 148 Parameters throttle-threshold Specifies the free memory threshold (expressed as a percentage of total memory) at which the appliance starts to implement a memory conservation algorithm. Use an integer in the range of 1 through 100. The default is 20. kill-threshold Specifies the free memory threshold (expressed as a percentage of total memory) at which the appliance restarts itself.
  • Page 149: Timezone

    # throttle 20 5 30
    - Disables throttling.
      # no throttle
    - Disables throttling.
      # throttle 0 0 0
    timezone
    Enters Timezone configuration mode.
    Syntax
    timezone
    Guidelines
    While in Timezone configuration mode, you configure the time zone settings for the appliance. The time zone alters the display of time to the user. Use the cancel or exit command to exit Timezone configuration mode and return to Global configuration mode.
  • Page 150: Uddi-Subscription

    Parameters name Specifies the name of the UDDI Registry object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In UDDI (Universal Description Discovery and Integration) Registry configuration mode, you configure a UDDI Registry object that provides the information needed to locate and access a UDDI Registry.
  • Page 151: Urlmap

    Syntax undo object-type name Parameters object-type Specifies the type of object. For a complete list of object types, use the show command. name Specifies the name of the object. Guidelines The undo command reverts a modified object to its last persisted state. The persisted state is the configuration in the startup configuration.
  • Page 152: Urlrefresh

    Syntax urlmap name Parameters name Specifies the name of the URL map. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines URL maps are used in the implementation of Stylesheet Refresh Policies that enable the periodic update of the stylesheet cache maintained by an XML manager.
  • Page 153: Urlrewrite

    Related Commands cancel, exit, refresh stylesheet urlrewrite Enters URL Rewrite Policy configuration mode. Syntax urlrewrite name no urlrewrite name Parameters name Specifies the name of the URL Rewrite Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions”...
  • Page 154: User-Agent

    Guidelines The user command is available in Global configuration mode. The user command enters User configuration mode. While in User configuration mode, you can create or modify User objects. To exit the configuration mode and not apply the changes, use the cancel command.
  • Page 155: User-Password

    Parameters
    account Identifies the target user account.
    Examples
    - Forces password change for the josephb account on the next login.
      # user-expire-password josephb
      Expire password for user 'josephb' succeeded
    user-password
    Changes the password of the current user.
    Syntax
    user-password
    Examples
    - Enters an interactive session to change a password.
  • Page 156: Watchdog

    Syntax Enter the configuration mode to create or modify VLAN objects vlan-sub-interface name Delete VLAN objects no vlan-sub-interface name Disable VLAN objects disable vlan-sub-interface name Note: The Admin State of Ethernet interfaces can be set from enabled to disabled while Ethernet cables are still physically connected to the appliance.
  • Page 157: Web-Application-Firewall

    Guidelines The watchdog command sets watchdog timeout values. Watchdog timer values are set to default values. These default values should rarely, if ever, require a change. Before changing these values, contact DataPower Customer Support. web-application-firewall Enters Web Application Firewall configuration mode. Syntax web-application-firewall name no web-application-firewall name...
  • Page 158 on timeout Sets the idle-session logout timer in seconds. Use an integer in the range of 0 to 65535. The default is 600 (10 minutes). A value of 0 disables the session timer. Resets the idle-session logout timer to its default timer. Guidelines You can create only a single WebGUI server.
  • Page 159: Webapp-Error-Handling

    webapp-error-handling Enters Web Application Error Handling Policy configuration mode. Syntax webapp-error-handling name no webapp-error-handling name Parameters name Specifies the name of the Web Application Error Handling Policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit commands to exit Web Application Error Handling Policy configuration mode and return to Global configuration mode.
  • Page 160: Webapp-Request-Profile

    webapp-request-profile Enters Web Application Request Profile configuration mode. Syntax webapp-request-profile name no webapp-request-profile name Parameters name Specifies the name of the Web Application Request Profile. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit commands to exit Web Application Request Profile configuration mode and return to Global configuration mode.
  • Page 161: Webapp-Session-Management

    webapp-session-management Enters Session Management Policy configuration mode. Syntax webapp-session-management name no webapp-session-management name Parameters name Specifies the name of the Web Application Session Management policy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit commands to exit this configuration mode and return to Global configuration mode.
  • Page 162: Wsgw

    wsgw Enters Web Services Proxy configuration mode. Syntax wsgw name no wsgw name Parameters name Specifies the optional name of the Web Services Proxy. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines Use the cancel or exit command to exit Web Services Proxy configuration mode and return to Global configuration mode.
  • Page 163: Wsm-Rule

    Guidelines Use the no wsm-endpointrewrite command to delete a WS-Proxy Endpoint Rewrite policy. Related Commands cancel, exit wsm-rule Enters Web Services Processing Rule configuration mode. Syntax wsm-rule name no wsm-rule name Parameters name Specifies the name of the Web Services Processing Rule. The name can contain a maximum of 128 characters.
  • Page 164: Wsrr-Server

    wsrr-server Enters WSRR Server configuration mode. Syntax wsrr-server name no wsrr-server name Parameters name Specifies the name of the WSRR server object. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines In WebSphere Services Repository and Registry (WSRR) Server configuration mode, provide the information necessary to locate and access a WSRR server.
  • Page 165: Wsrr-Synchronize

    wsrr-synchronize Performs a synchronization of WSRR content with the WSRR server. Syntax wsrr-synchronize wsrrSubscriptionName Parameters wsrrSubscriptionName Specifies the name of a WSRR subscription object. Content previously retrieved using this subscription is immediately synchronized with the WSRR server specified by the subscription. Related Commands refresh-interval, wsrr-subscription Examples...
  • Page 166 Syntax xml validate XML-manager matching-rule [attribute-rewrite policy] xml validate XML-manager matching-rule [dynamic-schema URL] xml validate XML-manager matching-rule [schema URL] no xml validate XML-manager Parameters XML-manager Specifies the name of an XML manager that performs XML schema validation. matching-rule Specifies the name of a Matching Rule. XML documents that match any of the patterns contained within this Matching Rule are subject to manager-specific XML schema validation.
  • Page 167: Xmlfirewall

    # xml validate mgr1 star attribute-rewrite URL-RW-1
    - Enables schema-based validation for the mgr1 XML Manager. All XML documents that match star are validated against the schema1.xsd schema.
      # xml validate mgr1 star schema store:///schema1.xsd
    - Disables schema-based validation for the mgr1 XML Manager.
      # no xml validate mgr1
    xmlfirewall
    Enters XML Firewall Service configuration mode.
  • Page 168: Xml-Mgmt

    Guidelines
    In XML Manager configuration mode, you can configure the target manager to perform a rule-based action. Use the no xml-manager command to delete an XML Manager.
    Related Commands
    documentcache, refresh stylesheet, xml parser limits, xml validate, xmlfirewall, xpath function map
    Examples
    - Enters XML Manager configuration mode to create the ScheduleHandler XML Manager.
  • Page 169: Xpath-Routing

    The DataPower appliance has a single XML Management Interface. The XML Management Interface runs SSL and uses HTTP Basic Authentication (user name and password). For information about the XML Management Interface, refer to the IBM WebSphere DataPower SOA Appliances: Administrators Guide.
    Examples
    - Enters XML Management Interface configuration mode.
  • Page 170: Xsl Checksummed Cache

    Parameters XML-manager Specifies the name of an XML manager. capacity Specifies the maximum size of the cache in style sheets. Use an integer in the range of 4 through 1000000. Guidelines The initial cache size is set to 256 style sheets. Related Commands xsl checksummed cache Examples...
  • Page 171: Xslconfig

    # xsl checksummed cache mgr1
    - Disables SHA-1-assisted caching for the mgr1 XML Manager.
      # no xsl checksummed cache mgr1
    xslconfig
    Assigns a Compile Options Policy.
    Syntax
    xslconfig XML-manager compileOptionsPolicyName
    no xslconfig XML-manager
    Parameters
    XML-manager Specifies the name of the XML Manager.
    compileOptionsPolicyName Specifies the name of an existing Compile Options Policy.
  • Page 172 xslcoproc name address-local port-local XML-manager [default-style-sheet] no xslcoproc name Parameters name Specifies the name of the XSL Coprocessor. The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. 0 Binds to all enabled appliance interfaces. address-local Binds to the specified appliance interface.
  • Page 173: Xslproxy

    Examples - Enters XSL Coprocessor Service configuration mode for the CoProc-1 XSL Coprocessor. # xslcoproc CoProc-1 XSL Coprocessor Service configuration mode - Creates the CoProc-1 XSL Coprocessor. Listens for requests on port 3300 of all enabled appliance ports. # xslcoproc CoProc-1 0 3300 mgr1 - Creates the CoProc-1 XSL Coprocessor.
  • Page 174: Xslrefresh

    processingPolicy Optionally specifies the name of a Processing Policy to perform transforms. The default is to use processing instructions, if any, that are in incoming XML documents. Guidelines You can use either of two forms (referred to as single-command and multi-command) of the xslproxy command to create an XSL proxy.
  • Page 175: Zos-Nss

    Syntax xslrefresh XML-manager policy no xslrefresh XML-manager Parameters XML-manager Specifies the name of an XML Manager. policy Specifies the name of a Stylesheet Refresh Policy. Guidelines You can assign only a single Stylesheet Refresh Policy to an XML manager. With a Stylesheet Refresh Policy, an XML Manager refreshes the specified style sheets at regular intervals.
  • Page 176 The name can contain a maximum of 128 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines While in z/OS NSS Client configuration mode, you configure a z/OS NSS Client which provides the parameters necessary for authentication with SAF on a z/OS Communications Server.
  • Page 177: Chapter 3. Aaa Policy Configuration Mode

    The actor/role identifier will be the base URL of the message. If the SOAP message is transported using HTTP, the base URI is the Request-URI of the HTTP request. A string value Any string to identify the actor or role of the Security header.
  • Page 178: Authenticate

    Guidelines If a value is specified for the WS-Security S11:actor or S12:role identifier, the AAA action will act as the assumed actor or role when it consumes the Security headers. This setting takes effect only when the AAA policy attempts to process the incoming message before making an authorization decision.
  • Page 179: Authorize

    Validation Credentials List that references the certificate that is used to validate the remote SSL peer. If the method is not client-ssl or if the credentials that are submitted by the SSL peer are not authenticated, (other than checking the expiration date of the certificate and that it has not been revoked) use two double quotation mark (“”) characters without any intervening space.
  • Page 180: Authorized-Counter

    Examples - Specifies Tivoli authorization services. # authorize tivoli "" "" "" - Specifies XSL-based authorization using the identified style sheet. # authorize stylesheet store:///Authorize.xsl "" "" authorized-counter Specifies a message count monitor for approved messages. Syntax authorized-counter name Parameters name Identifies the assigned message count monitor.
  • Page 181: Dos-Valve

    Parameters seconds Specifies the number of seconds that authentication and authorization data is retained in the policy cache. The default is 3. Guidelines Meaningful only if caching is enabled. Related Commands cache-allow Examples - Specifies a cache lifetime of 10 seconds for the current AAA Policy. # cache-ttl 10 dos-valve Limits the number of times to perform the same XML processing per user request.
  • Page 182: Extract-Identity

    Examples - Limits repetitions to 5. # dos-valve 5 extract-identity Specifies and enables the methods to extract the identity of a service requester. Syntax extract-identity http WS-SEC client-SSL SAML-attribute SAML-authenticate stylesheet Parameters http Specifies either on or off to indicate whether or not the identity of a requester is presented as HTTP basic authentication (name and password).
  • Page 183: Ldap-Suffix

    Parameters target-URL Specifies either on or off to indicate whether or not the resource identity is based on the URL sent by the current AAA Policy to the backend server. original-URL Specifies either on or off to indicate whether or not the resource identity is based on the URL received by the current AAA Policy.
  • Page 184: Log-Allowed

    Parameters (Default) Indicates LDAP version 2. Indicates LDAP version 3. log-allowed Enables or disables the logging of successful AAA operations. Syntax log-allowed no log-allowed Guidelines By default, successful log operations are logged as info. Use the no log-allowed command to disable logging. Related Commands log-allowed-level, log-rejected, log-rejected-level log-allowed-level...
  • Page 185: Log-Rejected-Level

    Syntax log-rejected no log-rejected Guidelines By default, successful log operations are logged as warning. Use the no log-rejected command to disable unsuccessful AAA operations. Related Commands log-allowed, log-allowed-level, log-rejected-level log-rejected-level Specifies the log priority for messages that report successful AAA operations. Syntax log-rejected-level priority Parameters...
  • Page 186: Map-Resource

    Parameters custom custom-URL Specifies the location of the style sheet. xmlfile XML-file-URL Specifies the location of the XML file. XPath expression Specifies the operative XPath expression. Examples - Specifies that credentials mapping uses the mapCreds.xsl style sheet. # map-credentials custom local:///mapCreds.xsl map-resource Specifies the method used to map resources.
  • Page 187: Ping-Identity-Compatibility

    Examples - Specifies the schema for SOAP 1.1 envelope namespace. # namespace-mapping SOAP http://schemas.xmlsoap.org/soap/envelope/ ping-identity-compatibility Enables or disables compatibility with a PingFederate identity server. Syntax ping-identity-compatibility no ping-identity-compatibility Guidelines By default, compatibility is disabled. Use the no ping-identity-compatibility command to disable compatibility. Examples - Enables PingFederate compatibility.
  • Page 188: Saml-Artifact-Mapping

    Syntax rejected-counter name Parameters name Identifies the assigned message count monitor. Examples - Associates the AAA-Reject message count monitor with the current AAA Policy. # rejected-counter AAA-Reject saml-artifact-mapping Specifies the location of the SAML artifact-mapping file. Syntax saml-artifact-mapping url Parameters Specifies a local or remote URL that specifies the file location.
  • Page 189: Saml-Name-Qualifier

    <Attribute AttributeName="cats" AttributeNamespace="http://www.example.com"> <AttributeValue>Winchester</AttributeValue> </Attribute> name Provides the local name of the attribute. For example, cats would match messages with the following attribute: <Attribute AttributeName="cats" AttributeNamespace="http://www.example.com"> <AttributeValue>Winchester</AttributeValue> </Attribute> value Provides the value given for the attribute with the corresponding name. For example, Winchester would match the following attribute: <Attribute AttributeName="cats"...
  • Page 190: Saml-Sign-Cert

    rsa-ripemd160 http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160 rsa-sha256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 rsa-sha384 http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 rsa-sha512 http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 Guidelines If the SAML message that is generated for this policy will be digitally signed, use the saml-sign-alg command to specify the SignatureMethod for the signing algorithm. saml-sign-cert Specifies the public certificate associated with the key used by the current AAA Policy to sign SAML messages.
  • Page 191: Saml-Sign-Key

    sha512 http://www.w3.org/2001/04/xmlenc#sha512 Guidelines If the SAML message that is generated for this policy will be digitally signed, use the saml-sign-hash command to specify the algorithm to calculate the message digest for signing. saml-sign-key Specifies the key used by the current AAA Policy to sign SAML messages. Syntax saml-sign-key name Parameters...
  • Page 192: Ssl

    Examples - Locates the metadata file. # saml2-metadata local:///policy-1.metadata Assigns an SSL Proxy Profile. Syntax ssl name Parameters name Specifies the name of the SSL Proxy Profile. transaction-priority Assigns a transactional priority to the user. Syntax transaction-priority name priority authorize Parameters name Specifies the name of the output credential.
  • Page 193 Parameters name Identifies the certificate object. Guidelines Use the no wstrust-encrypt-key command to remove the certificate assignment from the current AAA Policy.
  • Page 195: Chapter 4. Access Control List Configuration Mode

    All of the commands that are listed in “Common commands” on page 2 and most, but not all, of the commands that are listed in Chapter 114, “Monitoring commands,” on page 949 are also available in ACL configuration mode. allow Identifies IP addresses to grant access.
  • Page 196: Deny

    Syntax allow address/netmask allow any Parameters address/netmask Defines a range of IP addresses. Specify the IP address in dotted decimal format. Specify the net mask in CIDR (slash) format or dotted decimal format. CIDR format is an integer that specifies the length of the network portion of the address.
  • Page 197 Guidelines The deny command defines a deny clause for the ACL. This clause identifies which IP addresses to deny access. If the ACL contains only deny clauses, the last clause in the ACL must be the allow any clause. Related Commands allow Examples - Enters ACL configuration mode for the Public ACL.
  • Page 199: Chapter 5. Application Domain Configuration Mode

    Creates the Randall application domain. Identifies a remote configuration resource at the specified URL. # domain Randall New Application Domain configuration # config-mode import # import-url http://www.datapower.com/configs/AppDomainTest.cfg # import-format xml deployment-policy Specifies the deployment policy that preprocesses the configuration package.
  • Page 200: Domain-User (Deprecated)

    Syntax deployment-policy name Parameters name Specifies the name of an existing Deployment Policy object. Guidelines The deployment-policy command specifies the name of the Deployment Policy object that preprocesses the configuration package. To create a Deployment Policy object, use the Global deployment-policy command. Related Commands deployment-policy Examples...
  • Page 201: File-Monitoring

    # domain test Modify Application Domain configuration # domain-user gharrison # exit file-monitoring Establishes the level of monitoring applied to files stored in the local: domain directory. Syntax file-monitoring type[+type] Parameters type Can be audit or log. The type audit causes the system to place entries in the audit log whenever a file is added, deleted or altered.
  • Page 202: Import-Format

    only Display but RBM allows a user to Display and Delete, the user will only be able to Display the contents of files. On the other hand, if the permissions allow both Display and Delete but RBM allows only Display, the user will only be able to Display the contents of files.
  • Page 203: Local-Ip-Rewrite

    Parameters Specifies the location of the remote configuration file. Guidelines If config-mode is set to import, you must specify both the location and type of the remote configuration resource with the import-url and import-format commands. Related Commands config-mode, import-format Examples - Creates the test application domain.
  • Page 204: Reset Domain

    Parameters count Specifies the maximum number of configuration checkpoints to allow. Use an integer in the range of 1 through 5. The default is 3. Related Commands config-mode, import-format, import-url reset domain Deletes the currently running configuration of the domain and returns the domain to its initial state.
  • Page 205: Visible-Domain

    [Test]# reset domain reset domain Resetting 'Test' will delete all services configured within the domain! Do you want to continue? [y/n]:y Domain reset successfully. [Test]# visible-domain Specifies other application domains that are visible to this domain. Syntax visible-domain domain Parameters domain Specifies the name of a valid application domain on the current system.
  • Page 207: Chapter 6. Application Security Policy Configuration Mode

    Related Commands error-policy (Web Application Firewall), error-policy-override (Web Request Profile), error-policy-override (Web Response Profile), match (Global), rule (Global) Examples - Creates three entries in the Error Map, in the order in which they were created.
  • Page 208: Request-Match

    # error-match SvrRedir portal-redir-errors # error-match SvrErr portal-svr-errors # error-match AllErr portal-default-errors - Empties the Error Map, effectively eliminating all custom error handling from the security policy. # no error-match request-match Establishes one or more Web Request Maps for this Security Policy. Syntax request-match rule profile no request-match...
  • Page 209 Parameters rule Specifies the name of an existing Match Rule. Use the Global match command to create a new Match Rule. profile Specifies the name of an existing Web Response Profile. Use the Global webapp-response-profile command to create a new Web Response Profile. Guidelines Any server response that matches a configured Match Rule will be handled by the corresponding Web Response Profile.
  • Page 211: Chapter 7. Compact Flash Configuration Mode (Type 9235)

    Sets the files on the compact flash to read-only access. Syntax read-only no read-only Guidelines The read-only command sets the files on the compact flash to read-only access. The default is read-write. Examples - Makes the file system read-only.
  • Page 212 # compact-flash cf0 Compact Flash configuration mode # read-only - Makes the file system read-write, the default state. # compact-flash cf0 Compact Flash configuration mode # no read-only
  • Page 213: Chapter 8. Compile Options Policy Configuration Mode

    SOAP-ENC:Array — the opposite of the normal allowable case. debug Identifies the set of style sheets to profile in debug mode. Syntax debug map Parameters Specifies the name of a URL map that defines the set of style sheets.
  • Page 214: Minesc

    Guidelines A Compile Options Policy can contain multiple profile and debug commands. A candidate URL is subject to debug profiling if it matches any of the match criteria specified in the URL Map. Refer to Appendix D, “Compile Options Policy configuration,” on page 1007 for procedural details regarding the creation and implementation of profiling policies.
  • Page 215: Stack-Size

    A candidate URL is subject to standard profiling if it matches any of the match criteria specified in the URL Map. Refer to Appendix D, “Compile Options Policy configuration,” on page 1007 for procedural details regarding the creation and implementation of profiling policies. Related Commands debug, show profile Examples...
  • Page 216: Strict

    # stream fastPath strict Controls strict XSLT error-checking. Syntax strict Guidelines Use this command to toggle between enabling and disabling strict XSLT error-checking. By default, the Compile Options Policy disables strict XSLT error-checking. Non-strict operation attempts to recover from certain common XSLT errors such as use of undeclared variables or templates.
  • Page 217: Validate-Soap-Enc-Array

    validate-soap-enc-array Designates the set of schemas to perform extra validation on elements of type SOAP-ENC:Array. Syntax validate-soap-enc-array map Parameters Identifies the URL map that defines the set of schemas that perform extra validation on elements of type SOAP-ENC:Array rule. Guidelines The allow-soap-enc-array command designates a set of schemas that will perform extra validation on elements of type SOAP-ENC:Array, following the encoding rules in SOAP 1.1 Section 5.
  • Page 218: Wsdl-Validate-Body

    Syntax wsdl-strict-soap-version {on | off} Parameters Follows the version of the SOAP binding in the WSDL. Allows only messages that are bound to SOAP 1.2 to appear in SOAP 1.2 envelopes, and allows only messages that are bound to SOAP 1.1 to appear in SOAP 1.1 envelopes.
  • Page 219: Wsdl-Validate-Headers

    Parameters skip Disables validation of the fault detail. Forces validation of the fault details that match the WSDL definition. strict (Default) Validates all fault details, which allows only messages that match the WSDL description. Guidelines By default, strict validation is applied to SOAP Fault messages. Use this command to relax these restrictions, thus allowing more messages to pass validation.
  • Page 220: Wsdl-Wrapped-Faults

    wsdl-wrapped-faults Controls compatibility with RPC-style wrappers. Syntax wsdl-wrapped-faults Guidelines By default, the Compile Options Policy disables required compatibility with RPC-style wrappers. Use this command to toggle between enabling and disabling required compatibility with RPC-style wrappers. Related Commands wsdl-validate-faults Examples - Enables and subsequently disables required compatibility with RPC-style wrappers.
  • Page 221: Xslt-Version

    Syntax xacml-debug {on | off} Parameters Makes the compiler add more debugging information when evaluating a XACML policy. (Default) Does not compile the XACML policy with debugging information. Guidelines The xacml-debug command indicates whether to compile the XACML policy with debug information.
  • Page 223: Chapter 9. Conformance Policy Configuration Mode

    # assert-bp10-conformance off - Enables the attachment of assertions when validating compliance against WS-I Basic Profile 1.0, which restores the default state. # assert-bp10-conformance on fixup-stylesheet Identifies which style sheets to invoke after conformance analysis.
  • Page 224: Ignored-Requirements

    Syntax fixup-stylesheet file no fixup-stylesheet file Parameters file Specifies the name and location of the style sheet. Guidelines The fixup-stylesheet command defines which style sheets to invoke after conformance analysis. These style sheets can transform the analysis results to repair instances of nonconformance. Corrective style sheets cannot be applied to filter actions.
  • Page 225: Profiles

    Guidelines The ignored-requirements command defines which profile requirements to exclude from validation. For each requirement to exclude, use the ignored-requirements command. To remove an excluded requirement, use the no ignored-requirements command. For information about the requirements defined in the supported profiles, refer to the following Web sites: WS-I Attachments Profile, version 1.0 http://www.ws-i.org/Profiles/AttachmentsProfile-1.0.html...
  • Page 226: Reject-Include-Summary

    Examples - Specifies that message validation is against WS-I Basic Profile, version 1.1 and WS-I Basic Security Profile, version 1.0. # profiles BP11+BSP10 - Specifies that message validation is against WS-I Attachments Profile, WS-I Basic Profile, version 1.1, and WS-I Basic Security Profile, version 1.0, which restores the default state.
  • Page 227: Report-Level

    Parameters failure Rejects messages that are identified as conformance failures. never (Default) Never rejects messages. warning Rejects messages that are identified as either conformance failures or conformance warnings. Guidelines The reject-level command identifies the degree of nonconformance that causes a request message to be rejected.
  • Page 228: Report-Target

    # report-level failures # report-target http://datapower.com/conform report-target Specifies where to send conformance reports for requests. Syntax report-target URL Parameters Specifies the location to send conformance reports. Use the following URL format: protocol://host/URI Guidelines The report-target command identifies where to send conformance reports for requests.
  • Page 229: Response-Reject-Include-Summary

    response-reject-include-summary Controls the inclusion of the summary in the rejection message for responses. Syntax response-reject-include-summary {on | off} Parameters Includes the summary. (Default) Does not include the summary. Guidelines The response-reject-include-summary command determines whether to include a summary of the conformance analysis in the rejection message for responses. This command is meaningful only when response messages are rejected.
  • Page 230: Response-Report-Level

    Guidelines The response-reject-level command identifies the degree of nonconformance that causes a response message to be rejected. When a response message is rejected, you can use the response-reject-include-summary command to include a summary of the conformance analysis in the rejection message. Examples - Includes a summary in rejection messages that indicate conformance failures for responses.
  • Page 231: Result-Is-Conformance-Report

    Parameters Specifies the location to send conformance reports. Use the following URL format: protocol://host/URI Guidelines The response-report-target command identifies where to send conformance reports for responses. This command is meaningful only when the value for the response-report-level command is always, failure, or warning. Examples - Sends conformance reports for conformance failures for responses to datapower.com/conform with the HTTP protocol.
  • Page 233: Chapter 10. Crl Configuration Mode

    # crl LDAP1440 ldap Entering CRL mode for 'LDAP1440' # bind-dn X # bind-pass 1PAss$WorD bind-pass Specifies the password to access an LDAP server. Syntax bind-pass password Parameters password Specifies the password for the login DN.
  • Page 234: Fetch-Url

    Guidelines You must specify a password when defining an LDAP-enabled CRL Update Policy. Related Commands bind-dn, read-dn, refresh, remote-address Examples - Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL Update Policy. The LDAP server is accessed with the account name of X with a password of 1PAss$WorD.
  • Page 235: Read-Dn

    Guidelines This property is required to implement a CRL Update Policy. Examples - Enters CRL mode to create the HTTP30 HTTP-enabled CRL Update Policy. Specifies crlValidate as the Validation Credentials to validate the CRL issuer. # crl HTTP30 http Entering CRL mode for 'HTTP30' # issuer crlValidate read-dn Specifies the Distinguished Name of the CA that issued the target CRL.
  • Page 236: Remote-Address

    Parameters minutes Specifies the interval in minutes between CRL updates. Guidelines You must specify a refresh interval when defining either an HTTP-enabled or LDAP-enabled CRL Update Policy. Related Commands bind-dn, bind-pass, fetch-URL, read-dn, remote-address Examples - Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL Update Policy. The ragnarok LDAP server (with default port 389) is accessed with the account name of X and a password of 1PAss$WorD.
  • Page 237: Ssl-Profile

    Examples - Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL Update Policy. The ragnarok LDAP server (with default port 389) is accessed with the account name of X and a password of 1PAss$WorD. The target certificate is issued by VeriSign Australia.
  • Page 239: Chapter 11. Crypto Configuration Mode

    If the certificate is used for a certificate chain validation from a Validation Credentials and the certificate is not valid, validation fails. Similarly, if the certificate is used from an Identification Credentials, the DataPower
  • Page 240 appliance sends the certificate to the SSL peer for an SSL connection, but the peer can reject the certificate as not valid. Guidelines The password or password-alias keyword is required only when a certificate file is password-protected. Prior to using the password-alias keyword, you must use the password-map command to 3DES-encrypt the certificate password and associate an alias with the encrypted password.
  • Page 241: Cert-Monitor

    # certificate bob pubcert:bob.pem password-alias dundaulk Creating certificate 'bob' - Deletes the bob certificate alias. # no certificate bob Certificate 'bob' deleted cert-monitor Enters Crypto Certificate Monitor configuration mode. Syntax cert-monitor Guidelines The Certificate Monitor is a configurable periodic task that checks the expiration date of all certificate objects.
  • Page 242: Crypto-Export

    Use the no crl command to delete a CRL update policy. Examples - Enters CRL Mode to create the HTTP30 HTTP-enabled CRL update policy. # crl HTTP30 http Entering CRL mode for 'HTTP30' - Enters CRL Mode to create the LDAP1440 LDAP-enabled CRL update policy. # crl LDAP1440 ldap Entering CRL mode for 'LDAP1440' - Deletes the LDAP1440 LDAP-enabled CRL update policy.
  • Page 243: Decrypt

    Syntax Importing certificates crypto-import cert name [...] input file Importing keys (HSM models) crypto-import key name [...] input file [password-alias alias] [mechanism hsmkwk] crypto-import key name [...] input file [password password] [mechanism hsmkwk] Parameters key name [...] Identifies the names of the keys to import. To specify more than one key, use a space separated list.
  • Page 244 directory Must be one of the following directory-specific keywords: audit: Contains the audit log cert: Contains domain-specific private keys and certificates config: Contains configuration scripts export: Contains export packages image: Contains primary and secondary firmware images local: Contains user processing resources such as style sheets, schemas, document encryption maps, or XML mapping files logstore:...
  • Page 245: Encrypt

    encrypt Encrypts a file stored on the appliance. Syntax encrypt URL cert alias alg algorithm Parameters Identifies the local file to be encrypted, and takes the directory:/// filename format. directory Must be one of the following directory-specific keywords that reference specific directories. audit: Contains the audit log cert: Contains domain-specific private keys and certificates...
  • Page 246: Fwcred

    alg algorithm Identifies the encryption method. Related Commands certificate, idcred, send file, sign (Crypto) Examples - Encrypts the FWSec-1 log file with the recipient certificate that is referenced by the bob alias. # encrypt logtemp:///FWSec-1 cert bob alg smime File 'FWSec-1' successfully encoded fwcred Enters Firewall Credentials configuration mode.
  • Page 247: Hsm-Clone-Kwk (Hsm Models)

    - Deletes the FWCred-1 Firewall Credentials. # no fwcred FWCred-1 Firewall Credentials 'FWCred-1' deleted hsm-clone-kwk (HSM models) Clones a key wrapping key between HSM-equipped appliances. Syntax hsm-clone-kwk [input filename] [output filename] Parameters input filename Indicates the name of the local file to use as input to the cloning action. During the first part of this four-part task, do not specify this parameter.
  • Page 248: Hsm-Delete-Key (Hsm Models)

    Related Commands hsm-delete-key, hsm-reinit hsm-delete-key (HSM models) Deletes a key from the HSM (Hardware Security Module). Syntax hsm-delete-key key Parameters Identifies the key stored on the HSM. Guidelines This command is available only on systems with an internal HSM. Related Commands hsm-clone-kwk, hsm-reinit Examples - Deletes the bob key from the HSM.
  • Page 249 Syntax idcred name key-alias certificate-alias [ca certificate-alias-n ...] Parameters name Specifies the name of the Identification Credentials that authenticates the appliance. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv. key-alias Specifies an existing alias for the private key that is referenced by the Identification Credentials.
  • Page 250: Kerberos-Kdc

    # idcred bob bob bob Creating identification credentials 'bob' - Creates the bob Identification Credentials that consists of the private key aliased by bob and the X.509 certificates aliased by bob and bob-intermediate. # idcred bob bob bob ca bob-intermediate Creating identification credentials 'bob' - Deletes the Identification Credentials alias bob.
  • Page 251: Key

    Syntax kerberos-keytab name no kerberos-keytab name Parameters name Specifies the name of the Kerberos keytab. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv. Guidelines A keytab (or key table) is an unencrypted file that contains a list of Kerberos principals and their passwords.
  • Page 252 CAUTION: Do not store private key files in the public cryptographic area. This area is intended for the storage of public certificate files. password password Optionally identifies the plaintext password required to access the private key file. password-alias password-alias Optionally identifies the alias for the encrypted password required to access the private key file.
  • Page 253: Keygen

    # no key bob Key 'bob' deleted keygen Generates a public-private key pair and a CSR (certificate signing request) for a server. Syntax Generates a key pair on a non-HSM appliance keygen [{C | countryName} iso-code] [{L | localityName} locality] [{ST | stateOrProvinceName} state] [{O | organizationName} org] [{OU | organizationalUnitName} unit-name] {CN | commonName} server-name rsa {1024 | 2048 | 4096} [gen-object] [object-name name] [gen-sscert] [days...
  • Page 254 gen-object Creates a crypto key management object. To create a crypto certificate management object use the gen-sscert property. object-name name Optionally specifies the names for the objects that are created by the gen-object property. If not specified, the value for the commonName property is used.
  • Page 255 Use the password and password-alias properties in environments that require password-protected files. Before using the password-alias property, use the password-map command to 3DES-encrypt the private key password (plaintext) and associate an alias with the encrypted password. An attempt to reference an encrypted password that is not in the password map results in command failure.
  • Page 256: Password-Map

    Alias-name: SSL: password-map saved # keygen C au L "South Melbourne" ST Victoria O "DataPower Australia, Ltd." OU "Customer Support" CN www.bob.datapower.com.au rsa 2048 out bob password-alias WaltzingMatilda password-map Creates a Password map, which associates an alias with an encrypted password. Syntax password-map no password-map...
  • Page 257: Profile

    Examples - Creates a new Password map and generates a host key used to 3DES-encrypt the two plaintext passwords. # password-map Please enter alias-name and plaintext password pairs - Leading and trailing white space is removed - Enter a blank alias name to finish Alias-name: towson Plaintext password: Toshiro Mifune Alias-name: dundaulk...
  • Page 258 Syntax profile name idCred [ssl name] [ciphers cipher-string] [options options-mask] profile name %none% [ssl name] [ciphers cipher-string] [options options-mask] no profile name Parameters name Specifies the name of the Crypto Profile. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions”...
  • Page 259 Table 5. Available algorithm keywords for the cipher string (continued). Columns: Algorithm keyword, Meaning. eNULL or NULL: NULL ciphers offer no encryption at all and are a security risk. These cipher suites are disabled unless explicitly included. aNULL: The cipher suites offering no authentication. This is currently the anonymous DH algorithms.
  • Page 260 Optionally, each cipher keyword can be preceded by the following characters: Permanently deletes the cipher from the list. Even if you explicitly add the cipher to the list, it can never reappear in the list. Deletes the cipher from the list. You can add this cipher again. Moves the cipher to the end of the list.
  • Page 261 v The SSL client requires a Validation Credentials only when it validates the certificate that is presented by an SSL server. The SSL standard does not require the validation of the server certificate. v The SSL server requires a Validation Credentials only when it validates certificates that are presented by SSL clients.
  • Page 262: Sign

    v Same as the previous example. # profile Low XSSL-1 options Disable-SSLv2+DisableTLSv1 Creating new crypto profile 'Low' v Creates the High Crypto Profile that uses the Identification Credentials aliased by XSSL-2 to identify the SSL proxy. The Crypto Profile validates the SSL peer with the TSC-1 validation credentials, and supports symmetric encryption algorithms with key lengths of 128 bits or more.
  • Page 263: Sskey

    sharedcert: Contains private keys and certificates which are shared across domains store: Contains DataPower-supplied processing resources such as style sheets, schemas and authentication/authorization files tasktemplates: Contains Task Template files temporary: Contains temporary files filename Specifies the name of the file to sign. idcred alias Specifies an existing alias for an Identification Credentials (a matched public/private key pair) used to identify the identification-set-alias references...
  • Page 264 Specifies a local URL that identifies the file that contains the private key. v If the private key is stored in the private cryptographic area, the URL takes the filename form. v If the private key is stored in the public cryptographic area, the URL takes the pubcert:///filename form.
  • Page 265: Test Password-Map

    v Creates the alice alias for the specified SS2.pem secret key. The target key is contained within the private cryptographic area, and is accessed with an encrypted password aliased by HavredeGrace. # sskey alice SS2.pem password-alias HavredeGrace Creating key 'alice' v Deletes the alice shared secret key alias. # no sskey alice Key 'alice' deleted test password-map...
  • Page 266: Valcred

    v Indicates that the columbia candidate alias does not reference the encrypted password that protects the K2.der key file. # test password-map columbia key K2.der Alias 'columbia' with file 'K2.der' --> FAIL v Indicates that the towson candidate alias does reference the encrypted password that protects the K2.der key file.
  • Page 267: Validate

    Related Commands certificate (Validation Credentials), profile Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials. # valcred ValCred-1 Entering Validation Credentials mode for 'ValCred-1' v Deletes the ValCred-1 Validation Credentials. # no valcred ValCred-1 Validation Credentials 'ValCred-11' deleted validate Validates the digital signature of a specified file.
  • Page 269: Chapter 12. Crypto Certificate Monitor Configuration Mode

    Specifies that all objects that use or reference a certificate are disabled on certificate expiration. # disable-expired-certs on v Restores the default state. Objects that use or refer to a certificate are not disabled on certificate expiration. # disable-expired-certs off # no disable-expired-certs
  • Page 270: Log-Level

    log-level Specifies the log priority assigned to certificate monitor messages that note the impending expiration date of a certificate. Syntax log-level priority Parameters priority Specifies the log priority assigned to certificate expiration messages. Guidelines The levels of log events are characterized (in descending order of criticality) as: v emergency v alert v critical...
  • Page 271: Reminder

    Examples v Specifies that the Certificate Monitor performs a certificate scan every 3 days. # poll 3 reminder Specifies the notification window before certificate expiration that initiates certificate expiration log messages. Syntax reminder days Parameters days Specifies the notification window. Use an integer in the range of 1 through 65535.
  • Page 273: Chapter 13. Crypto Firewall Credentials Configuration Mode

    Enters Firewall Credentials mode for the FWCred-1 Firewall Credentials. Adds the certificate that is referenced by the alice-3 alias. # fwcred FWCred-1 Entering Firewall Credentials mode for 'FWCred-1' # certificate alice-3 Adds a key alias.
  • Page 274: Sskey

    Syntax key alias Parameters alias Specifies the alias for the target private key. The target private key must be previously created with the Crypto key command. Guidelines Prior to adding a key alias to the list: 1. Use the copy command (or the WebGUI) to transfer the actual key to the appliance.
  • Page 275 Examples v Enters Firewall Credentials mode for the FWCred-1 Firewall Credentials. Adds the shared secret key that is referenced by the ss-bob-alice alias. # fwcred FWCred-1 Entering Firewall Credentials mode for 'FWCred-1' # sskey ss-bob-alice
  • Page 277: Chapter 14. Crypto Validation Credentials Configuration Mode

    Validation Credentials List consists of self-signed certificates and certificates of trust anchors. Certificates can be a root CA or an intermediate CA. Use the no cert-validation-mode command to delete a certificate alias from a Validation Credentials List. Related Commands certificate (Crypto)
  • Page 278: Certificate

    Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials List. Specifies PKIX validation mode. # valcred ValCred-1 Crypto Validation Credentials configuration mode # cert-validation-mode pkix v Restores the default setting. # valcred ValCred-1 Crypto Validation Credentials configuration mode # cert-validation-mode legacy certificate Adds a certificate alias to the current Validation Credentials List.
  • Page 279: Crldp

    Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials List. Adds the bob-1 certificate alias to the list. # valcred ValCred-1 Crypto Validation Credentials configuration mode # certificate bob-1 crldp Controls support for the X.509 Certificate Distribution Point certificate extension. Syntax crldp {ignore | require} Parameters...
  • Page 280: Initial-Policy-Set

    Guidelines Meaningful only if cert-validation mode is pkix; otherwise, it is not used. If enabled, the chain validation algorithm must end with a non-empty policy tree. If disabled, the algorithm may end with an empty policy tree (unless Policy Constraints extensions in the chain require an explicit policy). Refer to RFC 2527 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework and to RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile for information...
  • Page 281: Require-Crl

    applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range. The certificate policies extension contains a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.
  • Page 282: Use-Crl

    Guidelines By default, CRL usage is not required when processing certificate chains. Use the no require-crl command to restore the default condition, which allows, but does not require, CRL usage when processing certificate chains. Related Commands use-crl Examples v Enters Validation Credentials Mode to create the ValCred-1 Validation Credentials List.
  • Page 283: Chapter 15. Deployment Policy Configuration Mode

    Optionally specifies a name match for a resource. This property limits the match statement to resources of the specified name. Use a PCRE to select groups of resource instances. For example, foo* would match all resources with names that start with foo.
  • Page 284: Filter

    Property=property-name Optionally specifies the name of the configuration property. This property limits the match statement to resources of the specified property. Value=property-value Optionally specifies the value for the configuration property. This property limits the match statement to resources of the specified property.
  • Page 285: Modify

    resource Specifies the resource type. The value * matches all resource types. Name=resource-name Optionally specifies a name match for a resource. This property limits the match statement to resources of the specified name. Use a PCRE to select groups of resource instances. For example, foo* would match all resources with names that start with foo.
  • Page 286 The appliance preprocesses the add statements first, the change statements second, and the delete statements last when applying the modify clause. The statement takes the following form: address/domain/resource[?Name=resource-name &Property=property-name&Value=property-value] address Specifies the IP address or host alias. The value * matches all IP addresses.
  • Page 287 Examples v Adds a summary to the Turbotans host alias in the default domain. The UserSummary property with a value of BlueSkinners is added to the configuration of the Turbotans host alias during the import. # modify */default/network/host-alias?Name=Turbotans add UserSummary BlueSkinners v Changes the value of the summary for the Turbotans host alias in the default domain to Turbotans5 during the import.
  • Page 289: Chapter 16. Dns Settings Configuration Mode

    Use the no name-server command to delete a DNS provider. Note: Unless explicitly instructed, do not change the value of the DNS parameter. Related Commands ip name-server Examples v Identifies 10.10.10.240:53 (the well-known DNS port) as a DNS provider. # name-server 10.10.10.240
  • Page 290: Search-Domain

    v Identifies a DNS server at 10.10.10.240 UDP port 60000. # name-server 10.10.10.240 60000 v Deletes the specified DNS provider. # no name-server 10.10.10.240 v Deletes all DNS providers. # no name-server * search-domain Adds an entry to the IP domain-suffix search table, thus enabling the usage of non-fully qualified domain names.
  • Page 291: Static-Host

    # xslproxy Proxy-01 XSL proxy configuration mode # remote-address loki 80 static-host Maps a host name to an IP address. Syntax static-host hostname address no static-host {hostname | *} Parameters hostname Identifies a specific host. address Specifies the IP address of the host. Specifies all hosts.
  • Page 293: Chapter 17. Document Cache Configuration Mode

    Related Commands policy Examples v Removes all documents from the document cache # clear Cleared documents in cache matching pattern * v Removes all XML schemas and XSL style sheets from the document cache
  • Page 294: Maxdocs

    # clear *xs[dl] Cleared documents in cache matching pattern *xs[dl] maxdocs Specifies the maximum size of the document cache in documents. Syntax maxdocs documents Parameters documents Specifies the maximum number of documents to retain in the document cache. Use an integer in the range of 1 through 250000. The default is 5000. Guidelines Retain the default value of 5000 documents.
  • Page 295 priority Specifies the priority of a document in the cache. The greater the value, the higher its priority. Use an integer in the range of 1 through 255. The default is 128. Specifies the maximum number of seconds to retain a document in the cache.
  • Page 296: Size

    # documentcache mgr1 Document cache configuration mode # policy *xsd v Caches all XML schemas with a priority of 210 and the default TTL. # documentcache mgr1 Document cache configuration mode # policy *xsd 210 v Caches all style sheets and schemas with a priority of 255 and the default TTL. Caches all XML files with the default priority and TTL.
  • Page 297 Syntax static-document-calls {on | off} Parameters on (Default) Specifies dependent document calls. off Specifies independent document calls. Guidelines XSLT specifications require that multiple document calls in the same transform return the same result. However, you can disable this behavior with the off keyword.
  • Page 299: Chapter 18. Document Crypto Map Configuration Mode

    New Document Crypto Map configuration # namespace-mapping SOAP http://schemas.xmlsoap.org/soap/envelope/ operation Specifies the cryptographic operation to perform. Syntax operation {encrypt | decrypt} Parameters encrypt (Default) Specifies that selected nodes are encrypted. decrypt Specifies that selected nodes are decrypted.
  • Page 300: Select

    Related Commands namespace-mapping, select Examples v Specifies document decryption. # document-crypto-map DCM-1 Modify Document Crypto Map configuration # decrypt select Specifies the document nodes to encrypt or decrypt. Syntax select XPath Parameters XPath Defines an XPath expression that identifies the target nodes. Guidelines Document nodes that match the XPath expression are encrypted or decrypted depending on the value of the operation command.
  • Page 301: Chapter 19. Failure Notification Configuration Mode

    Specifies the email address of the recipient. # email-address techsupport@TeraCorp.com internal-state Indicates whether to include a snapshot of the internal state. Syntax internal-state {on | off} on Includes the snapshot. off (Default) Does not include the snapshot.
  • Page 302: Location-Id

    location-id Specifies the subject line of the email. Syntax location-id string Parameters string Specifies descriptive text. Guidelines The location-id command specifies the subject line of the email. If the message contains spaces, wrap the value in double quotation marks. Examples v Provides an identifying string.
  • Page 303: Chapter 20. Flash Configuration Mode

    Related Commands boot image, boot update, save-config, overwrite, shutdown, write memory Examples v Designates testEnvironment.cfg as the startup configuration. # boot config testEnvironment.cfg boot delete Deletes the secondary install. Syntax boot delete
  • Page 304: Boot Image

    Guidelines A firmware upgrade performed with the boot image command retains current configuration data, allowing the appliance to be restored to a known, stable state if necessary. The previous firmware image and associated configuration data is referred to as the secondary install. While you can use the boot delete command to delete the secondary install, keep in mind that its deletion will prevent firmware rollback as provided by the boot switch command.
  • Page 305: Boot Update

    Syntax boot switch Guidelines A firmware upgrade performed with the boot image command retains current configuration data, allowing the appliance to be restored (rolled back) to a known, stable state if necessary. The previous firmware image and associated configuration data is referred to as the secondary install; the newly installed firmware image and associated configuration data is referred to as the primary install.
  • Page 306: Copy

    Guidelines After opening the newly created or existing configuration, the command prompts for command input: Enter startup commands, one per line. End with a period. Enter commands, terminating each command by pressing the Return or Enter key. If appending commands to an existing configuration, make certain to start with appropriate commands to transition to the correct configuration mode.
  • Page 307 directory:///filename directory Specifies a directory on the appliance. Refer to “Directories on the appliance” on page xxii for details. filename Specifies the name of a file in the specified directory. v If the source file or target destination is remote to the DataPower appliance and the transport protocol is SCP or SFTP, these arguments take the form that is compliant with RFC 1738.
  • Page 308: Delete

    v Uses SCP to copy a file from the specified URL to the store: directory. # copy scp://jrb@10.10.1.159//XML/stylesheets/InitialConvert.xsl store:///InitialConvert.xsl Password: yetanotherpassword file copy successful v Uses SCP to copy a file from the logstore: directory to the specified remote target (identified by a qualified host name). # copy logstore:///Week1.log scp://jrb@ragnarok.datapower.com//LOGS/Week1.log Password: yetanotherpassword file copy successful...
  • Page 309: Dir

    Note: The delete command does not prompt for confirmation. Be certain that you want to delete the file before issuing this command. Related Commands copy, dir, move Examples v Deletes the startup-config-deprecated file from the store: directory. # delete store:\\\startup-config-deprecated v Deletes the betaImage file from the image: directory.
  • Page 310: Move

    move Moves a file from one directory to another. Syntax move [-f] source destination Parameters Overwrites an existing file, if one of the same name already exists. In the absence of this argument, an attempt to save a file with the same name as an existing file results in a prompt that requests confirmation to overwrite the existing file.
  • Page 311: Shutdown

    After files are deleted, they cannot be recovered. If you might need any of these files after restoring the system to a manufactured state, ensure that you have copies of these files. To recreate the appliance configuration, refer to the IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide or to the IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide, depending on your model type.
  • Page 312 Guidelines The appliance restarts using the startup configuration specified by the boot config command and the firmware image specified by the boot image command. If a startup configuration or firmware image is not designated, the appliance restarts with the configuration and firmware image that were active when you invoke the shutdown command.
  • Page 313: Chapter 21. Ftp Poller Front Side Handler Configuration Mode

    Guidelines The error-delete command indicates whether the input or processing renamed file should be deleted when it could not be processed. error-rename-pattern Specifies the rename pattern when a file could not be processed.
  • Page 314: Match-Pattern

    Syntax error-rename-pattern pattern Parameters pattern Specifies a PCRE that defines the rename pattern. Guidelines The error-rename-pattern command specifies the PCRE to rename a file when it could not be processed. This command is relevant when error-delete is off. Otherwise, it is ignored. PCRE documentation is available at the following web site: http://www.pcre.org Related Commands...
  • Page 315: Processing-Seize-Pattern

    Parameters pattern Specifies a PCRE that defines the rename pattern. Guidelines The processing-rename-pattern command specifies the PCRE to rename a file that is being processed. This functionality allows multiple poller objects to poll the same directory with the same match pattern. There is no lack of atomicity if the rename operation on the server is atomic.
  • Page 316: Processing-Seize-Timeout

    Syntax processing-seize-pattern pattern Parameters pattern Specifies the PCRE to use as the match pattern to search for files that are being processed. Guidelines The processing-seize-pattern command specifies the PCRE to find files that were renamed to indicate that they are in the "being processed" state but the processing was never completed.
  • Page 317: Result

    Related Commands processing-seize-pattern result Indicates whether to create a response file after processing an input file. Syntax result {on | off} Parameters on (Default) Creates a result file. off Does not create a result file. Guidelines The result command indicates whether the appliance should create a response file after successfully processing an input file.
  • Page 318: Success-Delete

    success-delete Indicates whether the input file is deleted after successful processing. Syntax success-delete {on | off} Parameters on Deletes the input file. off (Default) Does not delete the input file. Guidelines The success-delete command indicates whether the input or processing renamed files should be deleted after successful processing.
  • Page 319: Xml-Manager

    Syntax target-dir directory Parameters directory Specifies the directory to poll. Guidelines The target-dir command specifies a directory to poll. The path must end in a slash. The slash denotes a directory. For a relative path to the home directory of the specified user ftp://user:password@host:port/path/ For an absolute path to the root directory ftp://user:password@host:port/%2Fpath/...
  • Page 321: Chapter 22. Ftp Quoted Commands Configuration Mode

    Adds an FTP command to the end of the list of FTP commands to be sent by the FTP User Agent to an FTP server before a file transfer. Generally the quoted-command command is used to send FTP SITE commands.
  • Page 323: Chapter 23. Ftp Server Front Side Handler Mode

    Sets the lowest port value for the passive port range. passive-port-range Controls whether to limit the port range for passive connections. persistent-filesystem-timeout Specifies the inactivity duration for a connection to a virtual persistent file system.
  • Page 324: Acl

    Table 7. FTP Server Front Side Handler commands (continued) Command Purpose password-aaa-policy Assigns an AAA Policy to evaluate the user name and password. port Specifies the listening port. require-tls Controls whether FTP client connections require TLS encryption. response-nfs-mount Specifies the NFS mount in which to store response files. response-storage Specifies where to store response files.
  • Page 325: Allow-Ccc

    Parameters address Specifies the local IP address or host alias on which the service listens. The default is 0.0.0.0. Guidelines The local-address command specifies the local IP address on which the service listens. The default of 0.0.0.0 indicates that the service is active on all IP addresses.
  • Page 326: Allow-Restart

    allow-restart Controls the use of the REST command for interrupted file transfers. Syntax allow-restart {on | off} Parameters on (Default) Permits the use of the REST command. off Denies the use of the REST command. Guidelines The allow-restart command controls whether to support the REST command to continue the transfer of a file after an interruption in the data transfer.
  • Page 327: Data-Encryption

    Parameters name Specifies the name of an existing AAA Policy object. Guidelines The certificate-aaa-policy command assigns the AAA policy that determines whether a password is required for secondary authentication of the information in the TLS/SSL certificate that is provided during TLS negotiation after the AUTH TLS command to the FTP server.
  • Page 328: Filesystem

    Guidelines The default-directory command specifies the current working directory for all users of this FTP server. This directory will be the initial working directory after users connect and authenticate. When using a virtual file system and the working directory is not the root directory, the specified directory must be one of the configured virtual directories.
  • Page 329: Filesystem-Size

    Related Commands persistent-filesystem-timeout, virtual-directory filesystem-size Specifies the maximum size for the temporary file system. Syntax filesystem-size megabytes Parameters megabytes Specifies the maximum size in megabytes for the temporary file system. Use an integer in the range of 1 through 2048. The default is 32. Guidelines The filesystem-size command specifies the maximum size in megabytes for the temporary file system.
  • Page 330: Passive

    Parameters length Specifies the maximum length of a file name on the FTP server. Use an integer in the range of 1 through 4000. The default is 256. passive Controls the use of passive mode by the FTP client. Syntax passive {disallow | allow | require} Parameters disallow...
  • Page 331: Passive-Port-Max

    Guidelines The passive-idle-timeout command controls the amount of time in seconds between when the FTP server issues code 227 (“Entering Passive Mode”) in response to the PASV or EPSV command from the FTP client and when the FTP client must establish a TCP data connection to the listening port and issue a data transfer command.
  • Page 332: Passive-Port-Min

    passive-port-min Sets the lowest port value for the passive port range. Syntax passive-port-min port Parameters port Specify the lower end of the passive port range. Use an integer in the range of 1024 through 65534. The default is 1024. Guidelines The passive-port-min command sets the lowest port value for the passive port range.
  • Page 333: Persistent-Filesystem-Timeout

    Note: While multiple FTP servers on the same system can use the same or overlapping passive port ranges, this configuration could introduce contention for a common resource in the TCP implementation. Because of contention, do not use a port range that overlaps with other services that are on the same system as the FTP server.
  • Page 334: Port

    Syntax password-aaa-policy name Parameters name Specifies the name of an existing AAA Policy object. Guidelines The password-aaa-policy command assigns the AAA policy to perform authentication of user names and passwords provided to the FTP server by the client with the USER and PASS commands. v If authentication succeeds, the FTP client can use all of the features of the FTP server.
  • Page 335: Response-Nfs-Mount

    Parameters Requires TLS encryption. (Default) Does not require TLS encryption. Guidelines The require-tls command controls whether FTP control connections require TLS encryption. If required, the FTP client must use the FTP AUTH TLS command before any other command. To support TLS encryption, ensure that the configuration of the associated instance of the User Agent object defines the relevant information to contact the FTP server.
  • Page 336: Response-Suffix

    Parameters temporary (Default) Stores response files in temporary storage on the system. This storage space has limited size. Stores response files on the top level directory of the specified NFS server. Only the NFS server limits the storage space. Guidelines The response-storage command specifies the storage for response files.
  • Page 337: Response-Type

    response-type Selects how to make a response available for gateway transactions started by an FTP STOR or SOUT operation. Syntax response-type {none | virtual-filesystem | ftp-client} Parameters none (Default) Indicates that no response is made available to the client. Any response from the server is dropped.
  • Page 338: Restart-Timeout

    Guidelines The response-url command selects the URL that is used in generating a response. This URL enables a response to be written using FTP commands. The URL must be an FTP URL that starts with ftp://. The URL should include a directory, but not a file name.
  • Page 339: Virtual-Directory

    Parameters variable Defines the prefix for file names that are generated when using the FTP STOU command. When defining the prefix, the directory separator (/) is not allowed. The default is to not add a prefix, which is an empty string. Use a regular expression in the ^[^/]*$ form.
  • Page 341: Chapter 24. Hard Disk Array Configuration Mode (Type 9235)

    Sets the files on the hard disk array to read-only access. Syntax read-only no read-only Guidelines The read-only command sets the files on the hard disk array to read-only access. The default is read-write. Examples v Makes the file system read-only.
  • Page 342 # raid-volume raid0 Hard Disk Array configuration mode # read-only v Makes the file system read-write, the default state. # raid-volume raid0 Hard Disk Array configuration mode # no read-only
  • Page 343: Chapter 25. Host Alias Configuration Mode

    Instead of providing the IP address, you can specify this alias. Examples v Creates the Ragnarok alias. Maps Ragnarok to IP address 192.168.12.12. # host-alias Ragnarok New Host Alias configuration # ip-address 192.168.12.12 # exit
  • Page 345: Chapter 26. Http Front Side Handler Mode

    Specifies the maximum length of URLs to allow. Controls the negotiation of persistent connections. persistent-connections port Specifies the listening port. Specifies a brief, object-specific comment. summary Assigns an Access Control List (ACL). Syntax acl name
  • Page 346: Allowed-Features

    Parameters name Specifies the name of an existing Access Control List object. Guidelines The acl command defines a reference to an existing Access Control List object. The Access Control List object allows or denies access to this service based on the IP address of the client.
  • Page 347: Compression

    Examples v Limits features to HTTP-1.0, HTTP-1.1, POST, and QueryString. # allowed-features HTTP-1.0+HTTP-1.1+POST+QueryString compression Controls the negotiation of GZIP compression. Syntax compression {on | off} Parameters on Enables compression negotiation. off (Default) Disables compression negotiation. Guidelines The compression command controls whether to enable or to disable GZIP compression negotiation.
  • Page 348: Max-Header-Count

    http/1.1 (Default) Uses HTTP 1.1. Guidelines The http-client-version command sets the HTTP version for the connection. The specified version should not conflict with the HTTP version that is allowed by the allowed-features command. Related Commands allowed-features max-header-count Specifies the maximum number of headers to allow. Syntax max-header-count count Parameters...
  • Page 349: Max-Header-Value-Len

    Related Commands max-header-value-len max-header-value-len Specifies the maximum length of header values to allow. Syntax max-header-value-len bytes Parameters bytes Specifies the maximum length in bytes. The default is 0, which indicates no limit. Guidelines The max-header-value-len command specifies the maximum length of header values to allow for HTTP headers in request messages.
  • Page 350: Max-Url-Len

    Syntax max-total-header-len bytes Parameters bytes Specifies the maximum length in bytes. Use an integer in the range of 5 through 128000. The default is 128000. Guidelines The max-total-header-len command specifies the maximum aggregate length of incoming HTTP headers to allow in request messages. Examples v Limits aggregated HTTP headers to 65535 bytes.
  • Page 351: Port

    Guidelines The persistent-connections command controls the negotiation of persistent connections. v When enabled, the handler negotiates with the remote peer and establishes a persistent connection if agreeable to the peer. v When disabled, the handler does not attempt to negotiate the establishment of persistent connections.
  • Page 353: Chapter 27. Http Input Conversion Map Configuration Mode

    XML. Any input that ends with base64 is treated and tagged as Base64. # input-conversion-map ICM-1 New HTTP Input Conversion Map configuration # default-encoding urlencoded # rule xml$ xml # rule base64$ base64
  • Page 354: Rule

    rule Adds a processing rule to the current HTTP conversion map. Syntax rule expression {base64 | plain | urlencoded | xml} Parameters expression Defines a PCRE regular expression that defines an input element. base64 Treats input literally. Adds encoding='base64' to input element. plain XML escapes the input.
  • Page 355: Chapter 28. Http Service Configuration Mode

    Guidelines The Server response header field generally contains information (name and version) that describes the server application software. By default, inclusion of the Server response header field is suppressed.
  • Page 356: Ip-Address

    Note: Users should consider security implications before revealing software version information. Use the no identifier command to suppress the Server response header field. Examples - Specifies Release 3.7.1 as the contents of the Server response header field. # identifier "Release 3.7.1" - Suppresses the transmission of the Server response header field.
  • Page 357: Mode

    image: Serves documents from the firmware image (image:) directory store: (Default) Serves documents from the general storage (store:) directory temporary: Serves documents from the temporary (temporary:) directory Examples - Specifies that the current HTTP service serves documents from the temporary: directory.
  • Page 358: Port

    port Specifies the local port monitored by the HTTP service for incoming traffic. Syntax port port Parameters port Specifies the port. The default is 80. Guidelines Use the port command to change the port that is assigned with the ip-address command.
  • Page 359 Guidelines In the absence of this command, the HTTP service displays the directory listing that is specified by the local-directory command. Related Commands local-directory Examples - Specifies Welcome.html as the start page. # start-page Welcome.html
  • Page 361: Chapter 29. Https Front Side Handler Mode

    Specifies the maximum length of URLs to allow. Controls the negotiation of persistent connections. persistent-connections port Specifies the listening port. Specifies a brief, object-specific comment. summary Assigns an SSL Proxy Profile object. Assigns an Access Control List (ACL). Syntax acl name
  • Page 362: Allowed-Features

    Parameters name Specifies the name of an existing Access Control List object. Guidelines The acl command defines a reference to an existing Access Control List object. The Access Control List object allows or denies access to this service based on the IP address of the client.
  • Page 363: Compression

    Examples - Limits features to HTTP-1.0, HTTP-1.1, POST, and QueryString. # allowed-features HTTP-1.0+HTTP-1.1+POST+QueryString compression Controls the negotiation of GZIP compression. Syntax compression {on | off} Parameters Enables compression negotiation. (Default) Disables compression negotiation. Guidelines The compression command controls whether to enable or to disable GZIP compression negotiation.
  • Page 364: Max-Header-Count

    http/1.1 (Default) Uses HTTP 1.1. Guidelines The http-client-version command sets the HTTP version for the connection. The specified version should not conflict with the HTTP version that is allowed by the allowed-features command. Related Commands allowed-features max-header-count Specifies the maximum number of headers to allow. Syntax max-header-count count Parameters...
  • Page 365: Max-Header-Value-Len

    Related Commands max-header-value-len max-header-value-len Specifies the maximum length of header values to allow. Syntax max-header-value-len bytes Parameters bytes Specifies the maximum length in bytes. The default is 0, which indicates no limit. Guidelines The max-header-value-len command specifies the maximum length of header values to allow for HTTP headers in request messages.
  • Page 366: Max-Url-Len

    Syntax max-total-header-len bytes Parameters bytes Specifies the maximum length in bytes. Use an integer in the range of 5 through 128000. The default is 128000. Guidelines The max-total-header-len command specifies the maximum aggregate length of incoming HTTP headers to allow in request messages. Examples - Limits aggregated HTTP headers to 65535 bytes.
  • Page 367: Port

    Guidelines The persistent-connections command controls the negotiation of persistent connections. - When enabled, the handler negotiates with the remote peer and establishes a persistent connection if agreeable to the peer. - When disabled, the handler does not attempt to negotiate the establishment of persistent connections.
  • Page 369: Chapter 30. Import Configuration File Configuration Mode

    In this case, a warning is written to the log. Related Commands overwrite-files, overwrite-objects Examples - Disables automatic importation at startup.
  • Page 370: Deployment-Policy

    # import-package Englewood New Import Configuration File configuration # auto-execute off deployment-policy Specifies the name of an existing deployment policy that preprocesses the configuration package. Syntax deployment-policy name Parameters name Specifies the name of an existing Deployment Policy object. Related Commands deployment-policy Guidelines The deployment-policy command specifies the name of an existing Deployment...
  • Page 371: Local-Ip-Rewrite

    local-ip-rewrite Indicates whether to rewrite local IP addresses. Syntax local-ip-rewrite {on | off} Parameters (Default) Rewrites IP addresses to match the local configuration when imported. Retains the original IP address in the configuration package. Guidelines The local-ip-rewrite command indicates whether to rewrite local IP addresses on import.
  • Page 372: Source-Url

    Syntax overwrite-objects {on | off} Parameters (Default) Overwrites objects of the same name. Does not import the objects if an object of the same name exists. Guidelines The overwrite-objects command indicates whether to overwrite objects when the configuration package contains the same object. If objects in the configuration package overwrite objects on the system, a warning is written to the log.
  • Page 373: Chapter 31. Include Configuration File Configuration Mode

    Disables automatic execution at appliance startup. # include-config StdSvcProxy New Include Configuration File configuration # auto-execute off config-url Specifies the location of a configuration file to include in another configuration file. Syntax config-url URL
  • Page 374: Interface-Detection

    Specifies the location of a remote configuration file to include. # include-config StdSvcProxy New Include Configuration File configuration # config-url scp://jrb:passWoRd@baldar.ibm.com/configs/Proxy1.cfg - Specifies the location of a local configuration file to include. # include-config StdSvcProxy Modify Include Configuration File configuration # config-url local:///Proxy2.cfg...
  • Page 375 Guidelines The interface-detection command determines when to retrieve the Include Configuration File in relationship to the state of the local interface. This command is meaningful only when auto-execute is on. Related Commands auto-execute Examples - Specifies synchronous execution of the Include Configuration File. # include-config StdSvcProxy New Include Configuration File configuration # interface-detection on...
  • Page 377: Chapter 32. Interface Configuration Mode

    Disables ARP on the current interface. # no arp - Enables ARP on the current interface, restoring the default state. # arp dhcp Enables a DHCP (Dynamic Host Configuration Protocol) client on the current interface. Syntax dhcp no dhcp
  • Page 378: Ip Address

    Guidelines You can use DHCP to obtain the following parameters from a DHCP server: - Interface IP address - Default Gateway IP address - DNS IP address Use the no dhcp command to disable the DHCP client. Examples - Enables a DHCP client on Ethernet 2. # interface eth2 # dhcp # exit...
  • Page 379: Ip Default-Gateway

    Examples - Assigns a primary IP address to Ethernet port 0. # ip address 192.168.7.6/27 - Functionally equivalent to the previous example. # ip address 192.168.7.6 255.255.255.224 - Assigns a secondary IP address to Ethernet port 0. # ip address 192.168.7.7/27 secondary - Removes the primary IP address from Ethernet port 0.
  • Page 380: Mac-Address

    Syntax ip route address/netmask next-hop-address [metric] no ip route address/netmask next-hop-address Parameters address Specifies the address of the destination network. netmask Identifies the network portion of the address. Can be expressed in CIDR (slash) format, which is an integer that specifies the length of the network portion of the address, or in dotted decimal format.
  • Page 381: Mode

    mode Specifies the operational mode (speed and duplex) for the current Ethernet interface. Syntax mode mode Parameters mode Specifies the Ethernet mode using one of the following keywords: 10baseT-FD or 10baseT-HD Indicates standard Ethernet configuration options. 100baseTx-FD or 100baseTx-HD Indicates Fast Ethernet configuration options. 1000baseTxFD Indicates Gigabit Ethernet configuration options.
  • Page 382: Packet-Capture

    Parameters size Specifies the maximum size of an MTU. Specifies the MTU for the current interface in bytes. Use an integer in the range of 576 to 16128. The default is 1500. Guidelines The MTU is determined without regard to the length of the layer 2 encapsulation. Examples - Sets the MTU for the current interface to 4 kilobytes.
  • Page 383: Standby

    # packet-capture store://Eth0Trace 1800 2500 Trace begun. - Initiates and then terminates a packet-capture session. # packet-capture store://Eth0Trace 1800 2500 Trace begun. # no packet-capture store://Eth0Trace standby Implements a failover configuration Syntax To assign both interfaces to a group using a Virtual IP address (VIP) standby group-number ip address To assign a priority to a standby member of a group standby group-number priority priority-value...
  • Page 384 Guidelines The standby command implements a failover configuration to ensure that an interface on another DataPower appliance is available if an active interface becomes unresponsive. There are two types of failover configurations: - An active interface is backed up by a warm standby interface. This configuration is known as an active-standby topology.
  • Page 385 # standby 2 ip 10.10.66.66 # standby 2 preempt # exit - Assigns Ethernet 0 to standby group 2 and specifies a VIP of 10.10.66.66. The priority value of 90 ensures that the interface is the standby member of the group.
  • Page 387: Chapter 33. Iscsi Chap Configuration Mode (Type 9235)

    New iSCSI CHAP configuration mode # username Gerry # password BigSecret username Specifies the user for the CHAP. Syntax username user Parameters user Specifies a user name. Guidelines The username command specifies the user for the CHAP.
  • Page 388 Examples - Sets Gerry as the user with the password BigSecret as the credentials for the CHAP-2 CHAP. # iscsi-chap CHAP-2 New iSCSI CHAP configuration mode # username Gerry # password BigSecret
  • Page 389: Chapter 34. Iscsi Host Bus Adapter Configuration Mode (Type 9235)

    Enables DHCP for the iscsi-1 HBA. # iscsi-hba iscsi-1 Modify iSCSI Host Bus Adapter configuration # dhcp on - Disables DHCP for the iscsi-1 HBA. # iscsi-hba iscsi-1 Modify iSCSI Host Bus Adapter configuration # dhcp off
  • Page 390: Iname

    iname Changes the iSCSI qualified name. Syntax iname IQN Parameters Specifies the IQN. Guidelines The iname command changes the “burned in” value for the iSCSI qualified name (IQN). If you need to change this value, specify an IQN in the following format: - iqn.2001-04.com.example - iqn.2001-04.com.example:storage:diskarrays-sn-a8675309 - iqn.2001-04.com.example:storage.tape1.sys1.xyz...
  • Page 391: Ip Default-Gateway

    # iscsi-hba iscsi-2 Modify iSCSI Host Bus Adapter configuration # ip-address 10.10.10.44 # ip default-gateway 10.10.10.46 ip default-gateway Specifies the default gateway for the HBA. Syntax ip default-gateway address Parameters address Specifies the IP address of the default gateway. Guidelines The ip default-gateway command specifies the IP address of the default gateway for the HBA.
  • Page 393: Chapter 35. Iscsi Target Configuration Mode (Type 9235)

    Assigns an iSCSI HBA. Syntax hba name hba{iscsi1 | iscsi2} Parameters iscsi1 Specifies the existing iSCSI HBA keyword that identifies the eth1 Ethernet interface. iscsi2 Specifies the existing iSCSI HBA keyword that identifies the eth2 Ethernet interface.
  • Page 394: Hostname

    Guidelines The hba command assigns an existing iSCSI HBA to which to bind this target instance. Examples - Assigns the iscsi1 HBA to the Target-2 iSCSI target. # iscsi-target Target-2 New iSCSI Target configuration mode # hba iscsi1 hostname Specifies the host of the iSCSI target. Syntax hostname host Parameters...
  • Page 395: Target-Name

    target-name Specifies a name of the remote iSCSI target. Syntax target-name name Parameters name Specifies the iSCSI qualified name (IQN) or IEEE Extended Unique Identifier (EUI) for the iSCSI target. Guidelines The target-name command specifies the iSCSI qualified name (IQN) or IEEE Extended Unique Identifier (EUI) for the iSCSI target.
  • Page 397: Chapter 36. Iscsi Volume Configuration Mode (Type 9235)

    Specifies the logical unit number. Syntax lun LUN Parameters Specifies the logical unit number. Guidelines The lun command specifies the logical unit number (LUN). Use an integer in the range of 0 through 255.
  • Page 398: Read-Only

    Examples - Makes LUN 33 the VOL2 iSCSI volume. # iscsi-volume VOL2 New iSCSI Volume configuration mode # lun 22 read-only Defines whether to make the files on the iSCSI volume read-only. Syntax read-only {on | off} Parameters Sets the file to read-only. (Default) Sets the files to read-write.
  • Page 399: Chapter 37. Kerberos Kdc Server Configuration Mode

    Specifies the realm (administrative domain) to support. Syntax realm name Parameters name Specifies the name of the Kerberos realm. Guidelines You must specify a Kerberos realm to complete KDC configuration. Related Commands server
  • Page 400: Server

    Examples - Provides the name of the Kerberos realm. # realm us.ibm.com server Identifies the server by domain name or IP address. Syntax server server Parameters server Specifies the host name or IP address of the Kerberos KDC server. Guidelines You must specify a Kerberos KDC Server to complete the configuration.
  • Page 401: Udp-Timeout

    - Restores UDP, the default, as the transport layer protocol. # no tcp udp-timeout When using UDP as the transport protocol, specifies the number of seconds to wait for a server response. Syntax udp-timeout time Parameters time Specifies the maximum time to wait for a Kerberos KDC Server response. Use an interval in the range of 1 through 60.
  • Page 403: Chapter 38. Kerberos Keytab Configuration Mode

    Controls the caching of Kerberos authenticators on tickets for Kerberos principals in this keytab. Syntax use-replay-cache {on | off} Parameters (Default) Enables caching of Kerberos authenticators. Disables caching of Kerberos authenticators. Examples - Disables the authenticators cache. # use-replay-cache off
  • Page 405: Chapter 39. Ldap Search Parameters Configuration Mode

    LDAP filter to search for the DN of the user. If the prefix is (&(mail= and the user name is bob@example.com and the suffix is )(c=US)), the LDAP search filter would be (&(mail=bob@example.com)(c=US)).
  • Page 406: Filter-Suffix

    You can use the filter-suffix to append a string to the LDAP filter expression to complete the search filter. Related Commands filter-suffix Examples Creates the LDAP filter expression (&(mail=bob@example.com)(c=US)) based on bob@example.com as the user name. # filter-prefix "(&(mail=" # filter-suffix ")(c=US))" filter-suffix Specifies the suffix of the LDAP filter expression.
  • Page 407: Scope

    Parameters attribute Specifies the name of the attribute to return. The default is dn. Guidelines The returned-attribute command specifies the name of the attribute to return for each entry that matches the search criteria. scope Indicates the depth of the search Syntax scope {base | one-level | subtree} Parameters...
  • Page 409: Chapter 40. Load Balancer Group Configuration Mode

    Maintains a record of active server connections and forwards a new connection to the server with the least number of active connections. round-robin (Default) Maintains a list of servers and forwards a new connection to the next server on the list.
  • Page 410: Damp

    weighted-round-robin Maintains a weighted list of servers and forwards new connections in proportion to the weight (or preference) of each server. Guidelines The algorithm command specifies the server selection algorithm. A request to connect to a Load Balancer Group results in a healthy server being selected from the pool according to the server selection algorithm.
  • Page 411: Giveup-When-All-Members-Down

    giveup-when-all-members-down Specifies the connection behavior when no member is up. Syntax giveup-when-all-members-down {on | off} Parameters Does not forward the connection to any member. Makes the next attempt when at least one member is in the up state. (Default) Selects the first member in the down state and forwards the connection to this server.
  • Page 412 LDAP Specifies that the group consists of LDAP servers. Performs a TCP ping. Standard (Default) Specifies that the group does not consist of LDAP or IMS Connect servers. use-SOAP When the check type is Standard, specifies the HTTP method used to access the target URI.
  • Page 413: Masquerade

    Examples - Specifies a periodic health check for members. # health-check on cgi-bin/x.cgi 80 Standard on store:///identity.xsl 4 60 / store:///healthcheck.xsl sslProxy1 masquerade Specifies the host name to provide to the backend server. Syntax masquerade {on | off} Parameters Passes the name of the Load Balancer Group to the backend server. (Default) Passes the name of the member server to the backend server.
  • Page 414: Try-Every-Server

    If the server selection algorithm is first-alive, the order is significant. The first server is the primary server, while subsequent entries serve as backup servers. For all other algorithms, the order is not significant. If the server selection algorithm is weighted-round-robin, specify the relative preference of a server.
  • Page 415: Chapter 41. Log Target Configuration Mode

    The archive-mode command is required when the log type is either file or nfs; otherwise, it is not used. After specifying upload mode, you must use the remote-address, remote-directory, remote-login, and upload-method commands to enable transfer of the log file to the remote site.
  • Page 416: Backup

    Related Commands backup, email-addr, encrypt, format, local-file, local-ident, remote-addr, remote-login, rotate, sender-addr, sign, size, timestamp, upload-method Examples - Specifies an archive type of upload. # archive-mode upload - Specifies an archive type of rotate, which restores the default state. # archive-mode rotate backup Specifies a backup for the current log.
  • Page 417: Event

    Syntax encrypt certAlias smime Parameters certAlias Specifies a string that contains the alias for a certificate file that contains the public key of the message recipient. smime Specifies the required keyword for the encryption method. Guidelines The encrypt command is only used when the log type is file, nfs, or smtp to enable S/MIME (Secure Multipurpose Internet Mail Extension) encryption.
  • Page 418: Event-Code

    Examples - Specifies which event classes and which event priorities to log. # event schema error # event xmlfilter error # event crypto error # event ssl error # event auth warning event-code Specifies an event code included in the current log. Syntax event-code value Parameters...
  • Page 419: Event-Filter

    Parameters Suppresses the writing of identical events to the log for the specified suppression period. (Default) Identical events are written to the log. Guidelines The event-detection command allows for the suppression of identical log events that are generated by the same configuration object over a configurable time period.
  • Page 420: Facility

    facility Specifies the syslog facility. Syntax facility facility Parameters facility Identifies the syslog facility. Guidelines facility is used only when the logging type is syslog or syslog-ng. Related Commands local-address, local-ident, remote-address Examples - Specifies the syslog facility, local0. # type syslog # local-address 10.10.13.4 # remote-address 172.16.100.1 # facility local0...
  • Page 421: Group (Deprecated)

    Specifies the log format as formatted text Specifies the log format as unformatted text Specifies the log format as XML Specifies the log format as IBM Common Base Event Specifies the log format as comma-separated Guidelines Use the show logging format command to display a list of available log formats.
  • Page 422: Local-File

    local-file Specifies a local file that will store log messages. Syntax local-file URL Parameters Specifies the file to store log messages and takes the logstore:///filename form. Guidelines When the log type is file, the use of the local-file command is required. For all other log types, it is not used.
  • Page 423: Nfs-Static-Mount

    The file must have write permission. Related Commands nfs-static-mount, type nfs-static-mount Assigns a static mount. Syntax nfs-static-mount name Parameters name Specifies the name of an existing NFS Static Mount. Guidelines When the log type is nfs, specifies the NFS Static Mount point to write the log over NFS.
  • Page 424: Rate-Limit

    create a log target to collect log messages for a particular instance of a particular object type. For example, you can create a log target to write messages associated with the xyz XSL Proxy only. Examples - Adds an object filter to the current log to log messages for the Proxy-1 XSL Proxy only.
  • Page 425: Remote-Directory

    - When the log type, as specified by the type command, is smtp, syslog, or syslog-ng - When the log type, as specified by the type command, is file and the archive mode, as specified by the archive-mode command, is upload Use the remote-address command with the remote-port command to define the destination of transmitted log messages.
  • Page 426: Remote-Login

    Guidelines remote-directory is used only in the following situations: - The log type is file. - The archive mode is upload. - The upload mode is scp, ftp, or sftp. To denote an absolute directory from the root directory, specify a single forward slash character or equivalent encoded character (%2F) before the fully-qualified file name (for SCP or SFTP, specify /file-path;...
  • Page 427: Remote-Port

    Guidelines The remote-login command is used only if the log type is file and the archive-mode is upload. If a password is not specified, it must be provided during the upload session. Related Commands archive-mode, remote-address, remote-directory, type Examples - Specifies the recipient address, username and password, and remote directory for an uploaded log file.
  • Page 428: Retry (Deprecated)

    retry (deprecated) Comments Deprecated command. Has no effect. rotate Sets the maximum number of file rotations. Syntax rotate count Parameters count Specifies how many times to rotate a log file. Use an integer in the range of 1 through 100. The default is 3. Guidelines The rotate command specifies the maximum number of rotations for the log file.
  • Page 429: Sender-Address

    sender-address Specifies the email address of the sender Syntax sender-address string Parameters string Specifies the local email address. Guidelines The sender-address command is only used when the log type is smtp. Related Commands type sign Enables the S/MIME signing of logs. Syntax sign idCred smime Parameters...
  • Page 430: Smtp-Domain

    Syntax size log-size Parameters log-size Specifies the maximum size of the file in kilobytes. Use an integer in the range of 100 through 50000. The default is 500. Guidelines The size command sets the maximum size of a local log file in kilobytes. Depending on the Machine Type of the appliance, the location of the file can be the local file system, the compact flash, or the hard disk array.
  • Page 431: Soap-Version

    Examples - Specifies the recipient of SMTP domain. # type smtp # smtp-domain popServer-1.datapower.com soap-version Specifies the version of SOAP to use. Syntax soap-version {soap11 | soap12} Parameters soap11 SOAP targets use SOAP 1.1. soap12 SOAP targets use SOAP 1.2. Guidelines When the log type is soap, specifies the version of SOAP for use by SOAP log targets.
  • Page 432: Timeout (Deprecated)

    Parameters interval Specifies the interval to suppress identical events in seconds. The default is Related Commands event-detection timeout (deprecated) Comments Deprecated command. Has no effect. timestamp Specifies the timestamp format. Syntax timestamp {numeric | syslog} Parameters numeric (default) Specifies a numeric timestamp format. syslog Specifies a syslog timestamp format.
  • Page 433: Upload-Method

    Guidelines For all log types, use the event command to specify log contents. Cache logs require no configuration beyond the identification of the logging type. You can, however, optionally use the format, size, and timestamp commands to customize log behavior. - For a console log, no additional configuration is required.
  • Page 434: Url

    (Default) Identifies the Secure Copy Protocol. sftp Identifies the Secure File Transfer Protocol. smtp Identifies the Simple Mail Transfer Protocol. Guidelines upload-method is used only if the log type is file and the archive-mode is upload. Related Commands archive-mode, backup, email-addr, encrypt, format, local-file, local-ident, remote-addr, remote-login, rotate, sender-addr, sign, size, timestamp Examples - Provides the required information (transfer protocol, recipient address, username...
  • Page 435: Chapter 42. Matching Rule Configuration Mode

    Defines a match pattern that defines the error code set. Guidelines The errorcode command adds a pattern to match error codes. To determine whether the pattern is a PCRE expression or shell style expression, use the match-with-pcre command.
  • Page 436: Fullurlmatch (Deprecated)

    Related Commands match-with-pcre Examples - Enters Matching Rule configuration mode to create the allErrors Matching Rule. Adds a pattern to match all error codes. # matching allErrors Matching configuration mode # errorcode * fullurlmatch (deprecated) Comments The fullurlmatch command is deprecated. Use the urlmatch command. hostmatch (deprecated) Comments The hostmatch command is deprecated.
  • Page 437: Match-With-Pcre

    match-with-pcre Indicates whether expression uses PCRE or shell-style expression. Syntax match-with-pcre {on | off} Parameters Uses PCRE expressions. (Default) Uses shell style expressions. Guidelines The match-with-pcre command indicates whether match patterns use PCRE expression or shell-style expressions. This command applies to patterns defined by the following commands: - errorcode - httpmatch...
  • Page 438: Xpathmatch

    Syntax urlmatch pattern Parameters pattern Defines a shell-style match pattern that defines the URL set subject. Guidelines The urlmatch command adds a pattern to match URLs. To determine whether the pattern is a PCRE expression or shell style expression, use the match-with-pcre command.
  • Page 439: Chapter 43. Message Count Monitor Configuration Mode

    Parameters name Specifies the name of the object. The name can contain a maximum of 32 characters. For restrictions, refer to “Object name conventions” on page xxiv. interval Specifies the measurement interval in milliseconds.
  • Page 440: Header

    threshold Specifies the threshold value. Exceeding this value triggers the specified control procedure. burst-limit Specifies an acceptable traffic burst. The value should be approximately twice the threshold value. control-procedure Specifies the name of a control procedure that was created with the monitor-action command.
  • Page 441: Measure

    measure Specifies how to increment the counter. Syntax measure {requests | responses | xpath | error} Parameters requests (Default) Indicates that the receipt of a client request increments the counter. responses Indicates that the receipt of a server response increments the counter. xpath Indicates that a style sheet increments the counter.
  • Page 442: Source

    After completing the configuration of a count monitor, activate the monitor by assigning it to a DataPower service. Related Commands message-matching (Global), message-type (Global) Examples - Specifies the Extranet message class as the target for the LogSquelch count monitor. # monitor-count LogSquelch Message count monitor Configuration mode # message-type Extranet source...
  • Page 443: Chapter 44. Message Duration Monitor Configuration Mode

    You can add multiple filters to a duration monitor. After completing the configuration of a duration message monitor, activate the monitor by assigning it to a DataPower service. Use the no filter command to remove a filter from an incremental message monitor.
  • Page 444: Measure

    Related Commands monitor-action (Global), show message-durations, show message-duration-filters Examples - Defines the RateLimit1 duration message monitor. If the average server processing time of the Extranet message class exceeds 500 milliseconds, implement the Yell control procedure. # monitor-duration RateLimit1 Message duration monitor Configuration mode # message-type Extranet # measure server # filter Filter3 average 500 Yell...
  • Page 445: Message-Type

    The server and messages types deal with external processing, specifically the processing performed by the web or application server. The server type measures the actual server processing time. The messages type approximates the sum of requests, server, and responses types. After completing the configuration of a duration monitor, activate the monitor by assigning it to a DataPower service.
  • Page 447: Chapter 45. Message Filter Action Configuration Mode

    Enters Message Filter Action configuration mode to create the Squelch control procedure. # monitor-action Squelch Message filter action Configuration mode - Specifies a block interval of 2½ seconds. # type block # block-interval 2500
  • Page 448: Log-Priority

    log-priority Enables the generation of a log entry when a control procedure is triggered. Syntax log-priority priority Parameters priority Identifies the event priority. The priority indicates that all events that are greater than or equal to this value are logged. Events use the following priority in descending order: - emerg (Emergency) - alert (Alert)...
  • Page 449 notify Adds a log entry when a message class exceeds a configured threshold. reject Drops all over-threshold traffic originating from a message class, and optionally adds a log entry, when a message class exceeds the configured threshold. Guidelines Conditional tests that trigger the execution of control procedures are defined by the monitor-count and monitor-duration commands.
  • Page 451: Chapter 46. Message Matching Configuration Mode

    Matches x or y [xy] Guidelines A traffic-flow definition may contain multiple http-header commands. In the absence of an http-header command, HTTP header contents are not considered when evaluating a candidate message against a traffic-flow definition.
  • Page 452: Http-Header-Exclude

    Use the no http-header command to remove an HTTP header field match from a traffic-flow definition. Related Commands http-header-exclude Examples v Creates the TFDef1 traffic-flow definition. HTTP traffic that contains a From request header field with the string @businessPartner.com is defined as part of the target traffic flow.
  • Page 453: Ip-Exclude

    Examples v Creates the TFDef1 traffic-flow definition. HTTP traffic that contains a From request header field with the string @businessPartner.com is excluded from the target traffic flow. # message-matching TFDef1 Message matching configuration mode # http-header-exclude From *businessPartner.com v Removes HTTP traffic that contains a From request header field from the TFDef1 traffic-flow definition.
  • Page 454: Method

    Parameters address Specifies a dotted decimal IP address that, with the prefix length, defines a range of excluded IP addresses. prefix-length Defines a range of excluded IP addresses. Use an integer in the range of 1 through 32. Guidelines A traffic flow definition can contain a single ip-exclude command. In the absence of an ip or ip-exclude command, source address is not considered when evaluating an individual message against a traffic-flow definition.
  • Page 455: Request-Url

    request-url Specifies a requested URL set to include in the traffic-flow definition. Syntax request-url pattern Parameters pattern Defines a shell-style match pattern that defines the requested URL. You can use wildcard characters when identifying the target URL. You can use wildcards to define a match pattern as follows: The string wildcard matches 0 or more occurrences of any character.
  • Page 457: Chapter 47. Message Type Configuration Mode

    Adds the TFDef1 and TFDef2 traffic-flow definitions to the Extranet message class. # message-type Extranet Message type configuration mode # message-matching TFDef1 # message-matching TFDef2 v Deletes the TFDef2 traffic-flow definition from the Extranet message class.
  • Page 458 # message-type Extranet Message type configuration mode # no message-matching TFDef2
  • Page 459: Chapter 48. Mtom Policy Configuration Mode

    # mtom mtom1 MTOM policy configuration mode # mode enable # include-content-type off mode Sets the optimization mode for the MTOM policy. Syntax mode {encode | decode}
  • Page 460: Rule

    Parameters encode Optimizes an input message. decode Extracts the attachment parts on an optimized message, which reconstitutes the original, non-optimized message. Examples v Enters MTOM policy configuration mode to create the mtom1 MTOM policy and sets the optimization mode to enable. # mtom mtom1 MTOM policy configuration mode # mode enable...
  • Page 461: Chapter 49. Multi-Protocol Gateway Configuration Mode

    5000000 bytes. Any attachment that passes through the gateway can be no larger than 500000 bytes. If larger, the message will be rejected. # attachment-byte-count 500000 attachment-package-byte-count Defines the maximum number of bytes to allow for all parts of an attachment package. Syntax attachment-package-byte-count bytes
  • Page 462: Attribute-Count

    Parameters bytes Specifies the maximum number of bytes allowed for all parts of an attachment package The default is 0. Guidelines The attachment-package-byte-count command defines the maximum number of bytes allowed for all parts of an attachment package, including the root part. Attachment packages that exceed this size will result in a failure of the whole transaction.
  • Page 463: Back-Persistent-Timeout

    Related Commands front-attachment-format Examples v Specifies that attachments output to servers are DIME-encapsulated. # back-attachment-format dime back-persistent-timeout Sets the inter-transaction timeout between the completion of a TCP transaction and the initiation of a new one on the gateway-to-server connection. Syntax back-persistent-timeout timerValue Parameters...
  • Page 464: Backend-Url

    the client request and receiving the server response. In other words, this time monitors the idle time within the data transfer process. If the specified idle time is exceeded, the connection is torn down. Related Commands back-persistent-timeout, front-timeout, front-persistent-timeout, persistent-connections backend-url Specifies the URL to which all traffic to the static backend server is routed.
  • Page 465: Compression

    Syntax chunked-uploads {on | off} Parameters on Enables chunked encoding when sending HTTP 1.1 requests to the backend server. off (default) Disables chunked encoding when sending HTTP 1.1 requests to the backend server. Guidelines The gateway might send an HTTP 1.1 request to the backend server. In this case, the body of the document can be delimited by either Content-Length or chunked encoding.
  • Page 466: Default-Param-Namespace

    default-param-namespace Specifies the namespace into which to assign the parameter. Syntax default-param-namespace URL Parameters Specifies a valid namespace URL. The default is http:// www.datapower.com/param/config. Guidelines If a stylesheet parameter is defined without a namespace (or without explicitly specifying the null namespace), use the default-param-namespace command to specify the namespace into which the parameter is assigned.
  • Page 467: External-References

    external-references Defines the handling mode for input documents that contain external references. Syntax external-references {allow | forbid | ignore} Parameters allow Allows and resolves external references. forbid Stops processing if the XML parser encounters an external reference. ignore (Default) Ignores external references and replaces external entities with the empty string.
  • Page 468: Forbid-External-References (Deprecated)

    forbid-external-references (deprecated) Comments This command has been deprecated. Use the external-references command in its place. front-attachment-format Specifies the attachment format received from front end clients. Syntax front-attachment-format {dime | dynamic | mime | detect} Parameters dime Specifies that client attachments are DIME-encapsulated documents. dynamic Specifies that client attachments are deduced from document content.
  • Page 469: Front-Protocol

    An idle TCP connection might remain in the idle state for as long as 20 seconds after the expiration of the persistence timer. Related Commands back-persistent-timeout, back-timeout, front-timeout, persistent-connections front-protocol Assigns a front side protocol handler. Syntax front-protocol name Parameters name Specifies the name of an existing front side protocol handler.
  • Page 470: Fwcred

    Guidelines The front-timeout command sets the value of the intra-transaction timeout. This value is the maximum idle time to allow in a transaction on the gateway-to-client connection. This timer monitors idle time in the data transfer process. If the specified idle time is exceeded, the connection is torn down. Related Commands back-persistent-timeout, back-timeout, front-persistent-timeout, persistent-connections...
  • Page 471: Host-Rewriting

    With gateway-specific parser limitations enabled, the values specified by the attachment-byte-count, attribute-count, element-depth, max-message-size, and max-node-size commands (Multi-Protocol Gateway) are used to evaluate incoming XML documents. With gateway-specific parser limitations disabled (the default condition), parser limitations, if any, are derived from the assigned XML Manager. Use the no gateway-parser-limits command to disable gateway-specific parser limitations.
  • Page 472: Http-Client-Ip-Label

    # host-rewriting off # host-rewriting on http-client-ip-label Identifies the HTTP header that contains the IP address of the calling client. Syntax http-client-ip-label header no http-client-ip-label Parameters header Identifies the HTTP header that contains the IP address. The default is X-Client-IP. Guidelines The http-client-ip-label command identifies the HTTP header that contains the IP address of the calling client.
  • Page 473: Include-Content-Type-Encoding

    # http-server-version http/1.0 include-content-type-encoding Controls the inclusion of character set encoding data in content-type headers. Syntax include-content-type-encoding {on | off} Parameters on Enables the inclusion of character set encoding data in content-type headers. off Disables the inclusion of character set encoding data in content-type headers.
  • Page 474: Load-Balancer-Hash-Header

    value Specifies the value of the field and can contain a character string or an integer. This property is case-sensitive. Guidelines Use the no inject command to remove a previously-injected proprietary HTTP header field. Related Commands suppress Examples v Injects the ProcInst HTTP header field with a value of 0 into the packet stream directed to the HTTP client.
  • Page 475: Loop-Detection

    # no load-balancer-hash-header # load-balancer-hash-header X-Forwarded-For loop-detection Controls loop detection behavior in the network. Syntax loop-detection {on | off} Parameters on Enables a loop detection mechanism. off (Default) Disables a loop detection mechanism. Guidelines Some protocols provide a loop detection mechanism that can detect network loops. Loop detection is a good policy, but it runs the risk that the current Multi-Protocol Gateway might be publicly recorded in a transmitted message.
  • Page 476: Max-Node-Size

    Related Commands attachment-byte-count, attribute-count, element-depth, gateway-parser-limits, max-node-size Examples v Sets the maximum message size to 500000 kilobytes. # max-message-size 500000 max-node-size Specifies the maximum size of a single XML node. Syntax max-node-size bytes Parameters bytes Specifies the maximum message node size in bytes. The default is 0. A value of 0 indicates that no size limit is applied to incoming message nodes.
  • Page 477: Mime-Front-Headers

    Note that if this is on and there are no MIME headers contained in the message, the appliance will continue to try and parse the message, using the protocol header information, if available. When this is off and MIME headers are present in the body of the message, these MIME headers will be considered part of the preamble, and not used to parse out the message.
  • Page 478: Monitor-Count

    Related Commands mime-back-headers, request-attachments, response-attachments Examples v Disables client-side support for MIME package headers and subsequently enables support, which restores the default state. # mime-front-headers off # mime-front-headers on monitor-count Assigns a Count Monitor. Syntax monitor-count name no monitor-count name Parameters name Specifies the name of an existing Count Monitor.
  • Page 479: Monitor-Processing-Policy

    Syntax monitor-duration name no monitor-duration name Parameters name Specifies the name of a Duration Monitor. Guidelines Use the monitor-duration command to assign a Duration Monitor to the current Multi-Protocol Gateway. Duration Monitors watch for events that meet or exceed a configured duration. When a duration is met or exceeded, the monitor can either post a notification to a log or block service for a configured amount of time.
  • Page 480: Monitor-Service

    Examples v Allows only the first matching monitor to execute when a service has multiple monitors attached. # monitor-processing-policy terminate-at-first-match monitor-service Assign a Service Level Monitor. Syntax monitor-service name no monitor-service name Parameters name Specifies the name of the Service Level Monitor. Guidelines Use the monitor-service command to assign a Service Level Monitor to the current Multi-Protocol Gateway.
  • Page 481: Persistent-Connections

    Parameters name is the name of the parameter made available to the current Multi-Protocol Gateway. value is the value of the parameter. Guidelines Style sheets that are used in processing policies can take stylesheet parameters. These parameters can be passed in. Use the parameter command to define each required stylesheet parameter.
  • Page 482: Priority

    Disables the establishment of persistent connections. Guidelines With persistent connections enabled, the default state for both HTTP 1.0 and HTTP 1.1, the appliance negotiates with the remote HTTP peer and establishes a persistent connection if agreeable to the peer. With persistent connections disabled, the appliance refuses to negotiate the establishment of persistent connections.
  • Page 483: Propagate-Uri

    Depending on the protocol, the backend service might return a response code that indicates an error condition. For HTTP messages, the response from the backend server might include a response body that contains XML that provides more details about the error. propagate-uri Enables or disables the propagation of the local portion of URL from the URL given by the client to the URL used to contact the backend server.
  • Page 484: Query-Param-Namespace

    query-param-namespace Identifies the namespace in which to put all parameters that are specified in the URL query string. Syntax query-param-namespace namespace Parameters namespace Enter a valid namespace URL. Defaults to: http://www.datapower.com/param/query Related Commands default-param-namespace, parameter Examples v Assigns the namespace http://www.example.com/queries to all query parameters in the client URL.
  • Page 485: Request-Type

    message package, which is a SOAP with Attachments message, are supported. Processing can be applied individually to each attachment. The appliance does not create a manifest of all attachments. Attachments must be accessed and processed in the order that they appear in the package. unprocessed Allows messages that contain attachments, but does not process attachments.
  • Page 486: Response-Attachments

    unprocessed (Default) Characterizes the client-originated traffic stream as non-XML traffic that is not transformed by the Multi-Protocol Gateway. Related Commands response-type, soap-schema-url Examples v Characterizes client-originated traffic as XML. # request-type xml v Characterizes client-originated traffic as SOAP. # request-type soap response-attachments Specifies the processing mode for SOAP attachments in server responses.
  • Page 487: Response-Type

    contain large attachments. The root part of the message, which typically contains a SOAP message, is subject to filter and transform actions. No processing of parts other than the root part is possible. Accompanying documents can be passed intact. Guidelines The response-attachment command specifies the processing mode for attachments in server responses (as defined in RFC 2387).
  • Page 488: Root-Part-Not-First-Action

    # response-type xml v Characterizes server-originated traffic as SOAP. # response-type soap root-part-not-first-action Defines the action to take when the MIME message root part is not first. Syntax root-part-not-first-action {abort | buffer | process-in-order} Parameters abort Stops the transaction and returns an error. buffer Buffers attachments before the root part into memory.
  • Page 489: Ssl

    Guidelines When a Multi-Protocol Gateway is in SOAP mode, either on the request or response side, it validates incoming messages against a W3C Schema that defines the format of a SOAP message. It is possible to customize which schema is used on a per-gateway basis by changing this property to accommodate nonstandard configurations or other special cases.
  • Page 490: Stream-Output-To-Back

    stream-output-to-back Determines whether or not the Multi-Protocol Gateway will begin sending output to the backend server before all processing of the message completes. Syntax stream-output-to-back {buffer-until-verification | stream-until-infraction} Parameters buffer-until-verification (Default) Buffers submitted messages until all processing has been verified complete, and then the message is forwarded to the appropriate backend URL.
  • Page 491: Stylepolicy

    Examples v Changes the default to stream output to the client until an infraction is encountered. # stream-until-infraction stylepolicy Assigns a Processing Policy. Syntax stylepolicy name Parameters name Specifies the name of an existing Processing Policy. If not specified, the Multi-Protocol Gateway uses the processing instructions, if any, in the XML document.
  • Page 492: Type

    Guidelines Use the no suppress command to restore the standard HTTP header field to the packet stream. Related Commands host-rewriting, inject Examples v Deletes the Authorization HTTP header field from the packet stream directed to the HTTP server. # suppress back Authorization v Restores the Authorization HTTP header field to the packet stream directed to the HTTP server.
  • Page 493: Wsa-Back-Protocol

    Parameters name Specifies the name of a URL Rewrite Policy. Guidelines You need not specify a URL Rewrite Policy when configuring a Multi-Protocol Gateway. Use the no urlrewrite-policy command to remove the URL Rewrite Policy assignment. Related Commands propagate-uri Examples v Assigns the Rw1 URL Rewrite Policy to the current Multi-Protocol Gateway.
  • Page 494: Wsa-Default-Replyto

    Syntax wsa-default-faultto faultURL Parameters faultURL Specifies the value of the FaultTo element. Guidelines The wsa-default-faultto command is relevant when the DataPower service provides service for WS-Addressing clients (the wsa-mode command is wsa2sync or wsa2wsa). In these topologies, this command ensures that all messages contain the WS-Addressing FaultTo element.
  • Page 495: Wsa-Faultto-Rewrite

    or wsa2wsa). In these topologies, this command ensures that all messages contain the WS-Addressing ReplyTo element. This element identifies the recipient endpoint of a response message. Because the WS-Addressing specifications do not require the inclusion of the ReplyTo element, the DataPower service might receive messages that do not contain a ReplyTo element or that contain the element without a value.
  • Page 496: Wsa-Force

    Examples v Assigns the wsaErrorHandler URL Rewrite Policy to modify the contents of the FaultTo element. # wsa-faultto-rewrite wsaErrorHandler v Removes the assigned URL Rewrite Policy. # no wsa-faultto-rewrite wsa-force Forces the inclusion of Web Services Addressing (WS-Addressing) headers into incoming, traditionally-addressed messages.
  • Page 497: Wsa-Genstyle

    # wsa-force on v Leaves traditionally-addressed message headers untouched. # wsa-force off # no wsa-force wsa-genstyle Specifies the request-response transmission model between the DataPower service and the target server. Syntax wsa-genstyle { async | oob | sync } Parameters async Identifies an asynchronous exchange pattern in which the server response is received over a different channel than the one used by the DataPower service to convey the client request.
  • Page 498: Wsa-Mode

    Parameters responseCodeValue Specifies the HTTP response code to close the original client channel. Use a value in the range of 200 through 599. The default is 204. Guidelines If the server response to an HTTP client request is asynchronous, the DataPower service must close the original HTTP channel with a valid response code.
  • Page 499 – Strip the WS-Addressing headers from any server-generated response before forwarding the response to the original client. The default behavior is to strip the WS-Addressing headers. – Process synchronous or asynchronous server responses of either the ReplyTo (a standard response to a client request) or FaultTo (reporting an error condition) variety.
  • Page 500: Wsa-Replyto-Rewrite

    (non-anonymous) client-originated ReplyTo and FaultTo element values that are preserved by the DataPower service and passed to the server. Related Commands wsa-back-protocol, wsa-force, wsa-genstyle, wsa-timeout, wsa-strip-headers Examples v Specifies sync2wsa mode, indicating that the DataPower service is mediating between hosts that employ traditional addressing and servers that support WS-Addressing.
  • Page 501: Wsa-Timeout

    Syntax wsa-strip-headers {on | off} Parameters (Default) Enables the deletion of WS-Addressing headers from an incoming message. Disables the deletion of WS-Addressing headers from an incoming message. Guidelines This command is relevant when the DataPower service is positioned between users of WS-Addressing and a nonusers;...
  • Page 502: Wsa-To-Rewrite

    Guidelines The wsa-timeout command specifies the maximum period of time to wait for an asynchronous response, before abandoning the transaction. This timeout value can be overridden by the var://service/wsa/timeout variable. Related Commands wsa-mode Examples v Specifies a maximum pause of 1 minute while waiting for an asynchronous response.
  • Page 503: Wsrm-Aaapolicy

    Related Commands wsrm-aaapolicy, wsrm-destination-accept-create-sequence, wsrm-destination-accept-offers, wsrm-destination-inorder, wsrm-destination-maximum-inorder-queue-length, wsrm-destination-maximum-sequences, wsrm-request-force, wsrm-response-force, wsrm-sequence-expiration, wsrm-source-back-acks-to, wsrm-source-exponential-backoff, wsrm-source-front-acks-to, wsrm-source-inactivity-close-interval, wsrm-source-make-offer, wsrm-source-maximum-queue-length, wsrm-source-maximum-sequences, wsrm-source-request-ack-count, wsrm-source-request-create-sequence, wsrm-source-response-create-sequence, wsrm-source-sequence-ssl, wsrm-source-retransmission-interval, wsrm-source-retransmit-count wsrm-aaapolicy Assigns an AAA Policy. Syntax wsrm-aaapolicy name Parameters name Specifies the name of an existing AAA Policy. Guidelines Use the wsrm-aaapolicy command to assign an AAA Policy to perform authentication of incoming Reliable Messaging messages.
  • Page 504: Wsrm-Destination-Accept-Offers

    Disables this feature. If disabled, the client cannot use Reliable Messaging to communicate with this DataPower service. If disabled, the only way that a Reliable Messaging destination can be created on this DataPower service is when the Reliable Messaging source is configured to make offers. In this case an Offer and Accept can create a Reliable Messaging destination for the server to send Reliable Messaging messages to the client.
  • Page 505: Wsrm-Destination-Maximum-Inorder-Queue-Length

    client is one greater than the last one that was processed. InOrder delivery assurance increases memory and resource utilization by the Reliable Messaging destination. Related Commands wsrm, wsrm-destination-maximum-inorder-queue-length wsrm-destination-maximum-inorder-queue-length Specifies the maximum number of messages held in the queue. Syntax wsrm-destination-maximum-inorder-queue-length numberOfMessages Parameters numberOfMessages...
  • Page 506: Wsrm-Request-Force

    wsrm-request-force Indicates whether to require Reliable Messaging for all SOAP messages that request rules process. Syntax wsrm-request-force {on | off} Parameters on Requires Reliable Messaging for all requests. off (Default) Does not require Reliable Messaging for all requests. Guidelines The wsrm-request-force command indicates whether to require the use of Reliable Messaging for all SOAP messages that request rules process.
  • Page 507: Wsrm-Source-Back-Acks-To

    Syntax wsrm-sequence-expiration lifetime Parameters lifetime Specifies the lifetime in seconds. The default is 3600. Guidelines If an incoming CreateSequence SOAP message has an Expires lifetime that is longer than this value, the value in the SequenceResponse SOAP message is reduced to this value.
  • Page 508: Wsrm-Source-Exponential-Backoff

    wsrm-source-exponential-backoff Indicates whether to use the exponential back off. Syntax wsrm-source-exponential-backoff {on | off} Parameters on (Default) Uses the exponential back off to increase the interval between retransmissions. The value of the wsrm-source-retransmission-interval command sets the initial timeout. off Does not use the exponential back off to increase the interval between retransmissions.
  • Page 509: Wsrm-Source-Inactivity-Close-Interval

    v With a specified Front Side Protocol Handler and the front-side sends a CreateSequence SOAP message to establish a reliable back channel, there will be a non-anonymous URL specified in the AcksTo element of the CreateSequence SOAP request. v Without a Front Side Protocol Handler, the AcksTo element has the value http://www.w3.org/2005/08/addressing/anonymous, which indicates synchronous Acks.
  • Page 510: Wsrm-Source-Maximum-Queue-Length

    DataPower service creates a Reliable Messaging source to send requests to the server. If the server does not accept the offer, DataPower server does not create a Reliable Messaging destination. Related Commands wsrm, wsrm-source-request-create-sequence wsrm-source-maximum-queue-length Specifies the maximum number of messages held in the queue. Syntax wsrm-source-maximum-queue-length numberOfMessages Parameters...
  • Page 511: Wsrm-Source-Request-Ack-Count

    wsrm-source-request-ack-count Specifies the number of messages to send before requesting acknowledgement. Syntax wsrm-source-request-ack-count numberOfMessages Parameters numberOfMessages Use an integer in the range of 1 through 256. The default is 1. Guidelines The wsrm-source-request-ack-count command specifies the number of messages that a Reliable Messaging source sends before including the AckRequested SOAP header to request an acknowledgement.
  • Page 512: Wsrm-Source-Retransmission-Interval

    Parameters Creates a Reliable Messaging source. (Default) Does not create a Reliable Messaging source. Guidelines When the WS-Addressing mode as defined by the wsa-mode command is wsa2sync or wsa2wsa, the wsrm-source-response-create-sequence command indicates whether to create a Reliable Messaging source from the front side to the client when there is SOAP data to send to the client and there is no Reliable Messaging source that was created by a MakeOffer from the client by sending a CreateSequence SOAP request to the WS-Addressing ReplyTo address.
  • Page 513: Wsrm-Source-Sequence-Ssl

    Guidelines The wsrm-source-retransmit-count command specifies the number of times a Reliable Messaging source retransmits a message before declaring a failure. This command also controls the retransmission of CreateSequence requests. Related Commands wsrm, wsrm-destination-accept-offers, wsrm-source-request-create-sequence, wsrm-source-response-create-sequence wsrm-source-sequence-ssl Indicates whether to use an SSL session binding to protect sequence lifecycle messages.
  • Page 514 user-specific characteristics, use the Global xml-manager command to create a new Manager. Then use this command to associate it with the current Multi-Protocol Gateway. Related Commands stylesheet-policy xml-manager (Global) Examples v Assigns the mgr1 XML Manager to the current Multi-Protocol Gateway. # xml-manager mgr1
  • Page 515: Chapter 50. Network Settings Configuration Mode

    Sets the number of times the networking system retries a failed ARP request. Syntax arp-retries retries Parameters retries Specifies the number of times to retry a failed ARP request. Use an integer in the range from 1 through 64. The default is 8. Related Commands arp-interval
  • Page 516: Destination-Routing

    Examples v Sets the ARP retry limit to 5. # arp-retries 5 destination-routing Controls the behavior of destination-based routing. Syntax destination-routing {on | off} Parameters Selects the interface based on the best path to the client, irrespective of the service or receiving interface. Best path is determined by static routes bound to the available interfaces.
  • Page 517: Ecn-Disable

    Guidelines By default the appliance will refuse to accept a packet on an interface other than the one bound to the destination address of the packet. Use the disable-interface-isolation command to disable that behavior and allow any interface on the same subnet to accept the packet. As a security policy, the interface receiving a network packet must also be configured with the IP address that is the destination address of the packet.
  • Page 518: Relax-Interface-Isolation

    Use the no icmp-disable command to enable the generation of a specific ICMP reply. Related Commands network Examples v Disables ICMP echo message (ping) replies. # icmp-disable echo-reply v Enables ping replies, which restores the default state. # no icmp-disable echo-reply relax-interface-isolation Relaxes the restriction on interface isolation.
  • Page 519 Parameters retries Specifies the number of times the local system attempts to send a TCP SYN that receives no response. Use an integer in the range of 1 through 32. The default is 5. Examples v Sets the retry limit to 10. # tcp-retries 10
  • Page 521: Chapter 51. Nfs Client Settings Configuration Mode

    1 through 1000. The default is 10. Guidelines Each NFS mount maintenance round checks all existing NFS mounts (both dynamic and static), and retries any NFS mount that is not currently up.
  • Page 522 Decreasing the interval lessens the chance that a transaction will time out while waiting for an NFS file open operation to fail because the NFS server is down or unreachable. Increasing the interval reduces local and NFS server overhead from mount checking.
  • Page 523: Chapter 52. Nfs Dynamic Mounts Configuration Mode

    Use the krb, krb5i, or krb5p Kerberos authentication method when using NFS version 4. If authenticating with Kerberos, ensure that a keytab is defined in the NFS client. Related Commands version, kerberos-keytab (Crypto) inactivity-timeout Specifies the time period before an inactive mount is unmounted.
  • Page 524: Mount-Timeout

    Syntax inactivity-timeout seconds Parameters seconds Specifies the number of seconds an idle NFS mount, that is a mount with no file read-write activity, is maintained before the file system is unmounted. The default is 900. A value of 0 indicates that the NFS mount is never unmounted.
  • Page 525: Retrans

    Guidelines Use the read-only command to specify the mount type as read-only. This setting allows only file read operations on NFS mounts. By default, NFS mounts can read transactions and write transactions. retrans Specifies the maximum number of RPC minor time outs to allow before the transaction fails.
  • Page 526: Timeo

    Parameters size Specifies the number of bytes in each NFS read operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
  • Page 527: Transport

    transport Identifies the preferred transport-layer protocol. Syntax transport {tcp | udp} Parameters tcp (Default) Identifies TCP as the protocol. udp Identifies UDP as the protocol. Guidelines The transport command specifies the preferred transport-layer protocol to use, if available. Use the TCP protocol to perform read or write transactions larger than 8192 bytes.
  • Page 528 Parameters size Specifies the number of bytes in each NFS write transaction. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
  • Page 529: Chapter 53. NFS Poller Front Side Handler Configuration Mode

    (Default) Does not delete the input or processing renamed file if it could not be processed. Guidelines The error-delete command indicates whether the input or processing renamed file should be deleted when it could not be processed...
  • Page 530: Error-Rename-Pattern

    error-rename-pattern Specifies the rename pattern when a file could not be processed. Syntax error-rename-pattern pattern Parameters pattern Defines a PCRE that defines the rename pattern. Guidelines The error-rename-pattern command specifies the PCRE to rename a file when it could not be processed. This command is relevant when error-delete is off.
  • Page 531: Processing-Seize-Pattern

    Syntax processing-rename-pattern pattern Parameters pattern Defines a PCRE that defines the rename pattern. Guidelines The processing-rename-pattern command specifies the PCRE to rename a file that is being processed. This functionality allows multiple pollers to poll the same directory with the same match pattern. There is no lack of atomicity if the rename operation on the server is atomic.
  • Page 532: Processing-Seize-Timeout

    Syntax processing-seize-pattern pattern Parameters pattern Defines the PCRE to use as the match pattern to search for files that are being processed. Guidelines The processing-seize-pattern command specifies the PCRE to find files that were renamed to indicate that they are in the "being processed" state but the processing was never completed.
  • Page 533: Result

    When these conditions are met, this system renames the file (with its host name and a fresh timestamp) and locally processes the file. This processing assumes that the rename succeeded. Related Commands processing-seize-pattern result Indicates whether to create a response file after processing an input file. Syntax result { on | off} Parameters...
  • Page 534: Success-Delete

    Related Commands result success-delete Indicates whether the input file is deleted after successful processing. Syntax success-delete {on | off} Parameters on Deletes the input file. off (Default) Does not delete the input file. Guidelines The success-delete command indicates whether the input (or processing renamed) files should be deleted after successful processing.
  • Page 535: Target-Dir

    target-dir Specifies the directory to poll. Syntax target-dir directory Parameters directory Specifies the directory to poll. Guidelines The target-dir command specifies a directory to poll. The path must end in a slash, which denotes a directory. For example: dpnfs://static-mount-name/path/ Do not configure one NFS poller to point at a host name that is the virtual name of a load balancer group.
  • Page 537: Chapter 54. NFS Static Mounts Configuration Mode

    Use the krb, krb5i, or krb5p Kerberos authentication method when using NFS version 4. If authenticating with Kerberos, ensure that a keytab is defined in the NFS client. Related Commands version, kerberos-keytab (Crypto) local-filesystem-access Controls local access to the mounted file system...
  • Page 538: Read-Only

    Syntax local-filesystem-access {on | off} Parameters on Enables local access. off (Default) Disables local access. Guidelines By default, access to the mounted file system is not supported. This command enables access to the mounted file system through a folder with the name of the NFS Static Mount object.
  • Page 539: Retrans

    <path> must match or be more specific than the NFS export that is provided by the target server. For example, if the server provides an export of XML/stylesheets, the <path> portion can specify XML/stylesheets or XML/stylesheets/financialServices (if there is a financialServices subdirectory).
  • Page 540: Timeo

    Syntax rsize size Parameters size Specifies the number of bytes in each NFS read operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
  • Page 541: Transport

    Related Commands retrans transport Identifies the preferred transport-layer protocol. Syntax transport {tcp | udp} Parameters tcp (Default) Identifies TCP as the protocol. udp Identifies UDP as the protocol. Guidelines The transport command specifies the preferred transport-layer protocol to use, if available. Use the TCP protocol to perform read or write transactions larger than 8192 bytes.
  • Page 542 Parameters bytes Specifies the number of bytes in each NFS write operation. Use an integer in the range of 1024 through 32769. The default is 4096. Guidelines Operations greater than 8192 bytes should only be used with TCP as the transport-layer protocol.
  • Page 543: Chapter 55. NTP Service Configuration Mode

    Identifies the NTP server and specifies a clock synchronization interval of 5 minutes. # ntp-service NTP Service configuration mode # remote-server Chronos-1 # refresh-interval 300 remote-server Identifies an NTP server. Syntax remote-server server no remote-server...
  • Page 544 Parameters server Identifies the NTP server by host name or IP address. Guidelines From the command line, the appliance supports one NTP server at a time. To designate a new NTP server, use the no ntp-service command to delete the current server.
  • Page 545: Chapter 56. Peer Group Configuration Mode

    Identifies a peer group member by IP address or domain name. Guidelines When configuring a peer group you must add this DataPower appliance to the peer group list; the peer group lists must be identical across all group members...
  • Page 546 Examples Enters Peer Group configuration mode to create the SLM-Group1 Peer Group. Specifies the peer group type as SLM and designates group members. # peer-group SLM-Group1 Peer Group configuration mode # type slm # url 192.168.12.100 # url 192.168.49.13 # url 192.168.80.126
  • Page 547: Chapter 57. Policy Attachments Configuration Mode

    Wed Nov 07 2007 08:24:00 [ws-security-policy][ws-proxy][warn] wsgw(wssp-policy-015h): tid(1425)[request]: WS-SecurityPolicy Mapping: A message cannot be encrypted during enforcement external-policy Associate external policy with a service or port. Syntax external-policy {service | port} wsdlComponentValue URL...
  • Page 548: Ignore-Attachment-Point

    Parameters service Indicates to associate the policy with a WSDL service. port Indicates to associate the policy with a WSDL port. wsdlComponentValue Specifies the QName of a WSDL component in the {namespace}ncname format. URL Specifies the location of the document that contains the policy to attach. ignore-attachment-point Disables external policy for a service or port.
  • Page 549: Chapter 58. Policy Parameters Configuration Mode

    Note: If you defined policy parameters at the port or port-operation level, these parameters are not applied to the parallel synthesized port or operation. The policy parameters for synthesized ports and operations must be inherited from the service level or redefined at the synthesized level...
  • Page 551: Chapter 59. Processing Action Configuration Mode

    The async-action command specifies the name of an asynchronous action that the current event-sink action should wait for. This command is meaningful only when the action type specified by the type command is event-sink. Related Commands type...
  • Page 552: Asynchronous

    Examples Causes the event-sink action to wait until the async-fetch-1 and async-fetch-2 actions complete. # type event-sink # async-action async-fetch-1 # async-action async-fetch-2 asynchronous Indicates when to run the action asynchronously. Syntax asynchronous {on | off} Parameters on Runs the action asynchronously. off (Default) Runs the action synchronously.
  • Page 553: Condition

    Parameters Identifies a document attachment to be stripped from the MIME multipart package. Guidelines attachment-uri is used only if the action type (as specified by the type command) is strip-attachments. Related Commands type Examples Strips attachments from the specified document. # type strip-attachments # attachment-uri https://sona/TestBase/simple.xsl condition...
  • Page 554: Destination

    destination Either identifies an external resource or identifies the target destination for a transmitted message. Syntax destination uri Parameters uri Identifies the resource or message destination. Guidelines destination is required when the action type is fetch, log, results-async, or route-set. This command is optional when the action type is results. When the action type is fetch, specifies the source location of the resource to be retrieved.
  • Page 555: Dynamic-Stylesheet

    Syntax dynamic-schema schema Parameters schema Identifies the dynamic schema. Guidelines The dynamic-schema command is used only if the action type (as specified by the type command) is validate to identify a dynamic schema to validate incoming documents. Examples Specifies the dynamic schema used for document validation. # type validate #