IBM Security Access Manager for Web Version 7.0 Command Reference SC23-6512-02


Note: Before using this information and the product it supports, read the information in "Notices" on page 317.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2001, 2012. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Tables

About this publication
  Intended audience
  Access to publications and terminology
  Related publications
  Accessibility
  Technical training
  Support information

Chapter 1. pdadmin commands
  How to read syntax statements
  Syntax for pdadmin commands
  Command modes
    Single command mode
    Interactive command mode
    Multiple command mode
  Non-English locales
  Error handling
    Return codes for a single command
    Return codes for an interactive command
    Return codes for multiple commands
  Local or other domain
  Command option processing
  Commands by category
    Access control list commands
    Action commands
    Authorization rule commands
    Configuration commands
    Context commands
    Domain commands
    Group commands
    Login and logout commands
    Object commands
    Object space commands
    Policy commands
    Protected object policy commands
    Resource and resource group commands
    Server commands
    Session Management Server commands
    User commands
    WebSEAL commands
  acl attach
  acl create
  acl delete
  acl detach
  acl find
  acl list
  acl modify
  acl show
  action create
  action delete
  action group create
  action group delete
  action group list
  action list
  admin show conf
  authzrule attach
  authzrule create
  authzrule delete
  authzrule detach
  authzrule find
  authzrule list
  authzrule modify
  authzrule show
  config modify
  config show
  context show
  domain create
  domain delete
  domain list
  domain modify
  domain show
  errtext
  exit or quit
  group create
  group delete
  group import
  group list
  group modify
  group show
  help
  login
  logout
  object access
  object create
  object delete
  object exists
  object list
  object listandshow
  object modify
  object show
  objectspace create
  objectspace delete
  objectspace list
  policy get
  policy set
  pop attach
  pop create
  pop delete
  pop detach
  pop find
  pop list
  pop modify
  pop show
  rsrc create
  rsrc delete
  rsrc list
  rsrc show
  rsrccred create
  rsrccred delete
  rsrccred list user
  rsrccred modify
  rsrccred show
  rsrcgroup create
  rsrcgroup delete
  rsrcgroup list
  rsrcgroup modify
  rsrcgroup show
  server list
  server listtasks
  server replicate
  server show
  server task add
  server task cache flush all
  server task create
  server task delete
  server task dynurl update
  server task help
  server task jmt
  server task list
  server task offline
  server task online
  server task refresh all_sessions
  server task reload
  server task remove
  server task show
  server task sms key change
  server task sms key show
  server task sms realm list
  server task sms realm show
  server task sms session refresh all_sessions
  server task sms session refresh session
  server task sms replica set list
  server task sms replica set show
  server task sms session list
  server task sms session terminate all_sessions
  server task sms session terminate session
  server task sms trace get
  server task sms trace set
  server task stats
  server task terminate all_sessions
  server task terminate session
  server task throttle
  server task trace
  server task virtualhost add
  server task virtualhost create
  server task virtualhost delete
  server task virtualhost list
  server task virtualhost offline
  server task virtualhost online
  server task virtualhost remove
  server task virtualhost show
  server task virtualhost throttle
  server task server restart
  server task server sync
  server task jdb export
  server task jdb import
  server task cfgdb export
  server task cfgdb import
  server task file cat
  user create
  user delete
  user import
  user list
  user modify
  user show

Chapter 2. Security Access Manager utilities
  Installation and configuration utilities
  Migration utilities
  WebSEAL utilities
  Session management server utilities
  Security Access Manager plug-in for web servers utilities
  Serviceability and problem determination utilities
  adschema_update
  amauditcfg
  amwebcfg
  amwpmcfg
  bassslcfg
  cdsso_key_gen
  ivacld_setup
  ivacld_uninst
  ivbase_setup
  ivbase_uninst
  ivmgrd_setup
  ivmgrd_uninst
  ivrgy_tool
  mgrsslcfg
  PDAcld_config
  PDAcld_unconfig
  pdadmin_host
  pd_start
  pdbackup
  pdconf
  pdconfig
  pdjrtecfg
  pdjservicelevel
  PDMgr_config
  PDMgr_unconfig
  pdproxycfg
  PDRTE_config
  PDRTE_unconfig
  pdservicelevel
  pdsmsclicfg
  pdversion
  pdweb
  pdwebpi
  pdwebpi_start
  pdwpi-version
  pdwpicfg
  query_contents
  smsbackup
  smscfg
  smsservicelevel
  svrsslcfg

Appendix A. Password limitations and characters allowed in object names
  General password policies
  Character limitations for passwords and user names
  Characters allowed for secure domain names
  Characters disallowed for user and group names
  Characters disallowed for distinguished names
  Characters disallowed for Microsoft Active Directory distinguished names
  Characters disallowed for GSO names
  Characters disallowed for authorization rule names
  Characters disallowed for ACL policy names
  Characters disallowed for POP names

Appendix B. Using response files

Notices

Index


Tables

  1. Access control list (ACL) commands
  2. Action commands
  3. Authorization rule commands
  4. Config commands
  5. Context commands
  6. Domain commands
  7. Group commands
  8. Logon commands
  9. Object commands
  10. Objectspace commands
  11. Policy commands
  12. Protected object policy (POP) commands
  13. Resource commands
  14. Server commands
  15. Server task commands
  16. User commands
  17. WebSEAL server task commands
  18. Security Access Manager installation and configuration utilities
  19. Security Access Manager migration utilities
  20. WebSEAL utilities
  21. Session management server utilities
  22. Security Access Manager for web servers utilities
  23. Serviceability and problem determination utilities


About this publication

Intended audience

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

The IBM Security Access Manager for Web Command Reference provides a comprehensive set of procedures and reference information for managing Security Access Manager servers and resources. This guide also provides valuable background and conceptual information for the wide range of Security Access Manager functions.

This guide is for system administrators responsible for the deployment and administration of base Security Access Manager software. Readers must be familiar with the following systems and concepts:

  Microsoft Windows, AIX, Linux, and Solaris operating systems
  Database architecture and concepts
  Security management
  Internet protocols, including HTTP and TCP/IP
  Lightweight Directory Access Protocol (LDAP) and directory services
  Authentication and authorization
  Security Access Manager security model and its capabilities

You also must be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:

  A list of publications in the IBM Security Access Manager for Web library.
  Links to online publications.
  A link to the IBM Terminology website.

IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:

IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
  Provides steps that summarize major installation and configuration tasks.

IBM Security Web Gateway Appliance Quick Start Guide, Hardware Offering, SC22-5434-00
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.

IBM Security Web Gateway Appliance Quick Start Guide, Virtual Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.

IBM Security Access Manager for Web Installation Guide, GC23-6502-02
  Explains how to install and configure Security Access Manager.

IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
  Provides information for users to upgrade from version 6.0 or 6.1.x to version 7.0.

IBM Security Access Manager for Web Administration Guide, SC23-6504-02
  Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.

IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.

IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
  Provides procedures and reference information for securing your Web domain by using a Web server plug-in.

IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
  Provides administrative considerations and operational instructions for the session management server.

IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
  Provides deployment considerations for the session management server.

IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
  Provides administrative procedures and technical reference information for the WebSEAL Appliance.

IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
  Provides configuration procedures and technical reference information for the WebSEAL Appliance.

IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
  Provides a complete stanza reference for the IBM Security Web Gateway Appliance Web Reverse Proxy.

IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
  Provides a complete stanza reference for WebSEAL.

IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
  Provides instructions on creating key databases, public-private key pairs, and certificate requests.

IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
  Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.

IBM Security Access Manager for Web Command Reference, SC23-6512-02
  Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.

IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.

IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.

IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.

IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.

IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
  Provides programming and reference information for developing authentication modules.

IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
  Provides explanations and corrective actions for the messages and return codes.

IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
  Provides problem determination information.

IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
  Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.
Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Access Manager for Web Information Center
  The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.

IBM Publications Center
  The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Related publications

This section lists the IBM products that are related to and included with the Security Access Manager solution.

Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.

IBM Global Security Kit

Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64). GSKit version 8 no longer includes the key management utility, ikeyman (gskikm.jar). ikeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, iKeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:
http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

Note: GSKit version 8 includes important changes to the implementation of Transport Layer Security that were required to remediate security issues. The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager and uses GSKit must be upgraded to GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can find more information about Tivoli Directory Server at:
http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform. You can find more information about IBM Tivoli Directory Integrator at:
http://www.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4, is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2 with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2. You can find more information about DB2 at:
http://www.ibm.com/software/data/db2

IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component. WebSphere Application Server enables the support of the following applications:

  Web Portal Manager interface, which administers Security Access Manager.
  Web Administration Tool, which administers Tivoli Directory Server.
  Common Auditing and Reporting Service, which processes and reports on audit events.
  Session Management Server, which manages shared sessions in a Web security server environment.
  Attribute Retrieval Service.

You can find more information about WebSphere Application Server at:
http://www.ibm.com/software/webservers/appserv/was/library/

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short-duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:

  What information to collect before you contact IBM Support.
  The various methods for contacting IBM Support.
  How to use IBM Support Assistant.
  Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.

Chapter 1. pdadmin commands

The pdadmin command-line utility is installed as part of the IBM Security Access Manager runtime package. Use this interface to manage access control lists, groups, servers, users, objects, and other resources in your secure domain. You can also automate certain management functions by writing scripts that use pdadmin commands.

Use the Web Portal Manager interface, as discussed in the IBM Security Access Manager for Web Administration Guide, to complete similar administrative tasks remotely. When you use Web Portal Manager, no special network configuration is needed to connect and complete these management tasks.

You can complete many of these tasks by using either:

  Administration C API functions: See the IBM Security Access Manager for Web Administration C API Developer Reference.
  Administration Java class functions: See the IBM Security Access Manager for Web Administration Java Classes Developer Reference.

How to read syntax statements

Syntax diagrams pictorially display the order and parameters for the command utility. The reference documentation uses the following special characters to define syntax:

[ ]   Identifies optional options. Options that are not enclosed in brackets are required.
...   Indicates that you can specify multiple values for the previous option.
|     Indicates mutually exclusive information. You can use the option to the left of the separator or the option to the right of the separator. You cannot use both options in a single use of the command.
{ }   Delimits a set of mutually exclusive options when one of the options is required. If the options are optional, they are enclosed in brackets ([ ]).
\     Indicates that the command line wraps to the next line. It is a continuation character.

The options for each command are listed alphabetically in the Options section. The options for each utility are listed alphabetically in the Parameters section. When the options or parameters must be used in a specific order, this order is shown in the syntax statements.

Syntax for pdadmin commands

The following syntax is used with the pdadmin command:

  pdadmin [-I configuration-instance-name] [-a admin_id [-p password] [-d domain]] [-linelen max-linelen] [-histsize history-size] [-v] [command]

  pdadmin [-I configuration-instance-name] [-a admin_id [-p password] [-d domain]] [-linelen max-linelen] [-v] [file]

  pdadmin [-I configuration-instance-name] [-a admin_id [-p password] [-m]] [-linelen max-linelen] [-v] [command]

  pdadmin [-I configuration-instance-name] [-a admin_id [-p password] [-m]] [-linelen max-linelen] [-v] [file]

  pdadmin [-l] [-linelen max-linelen] [-v] [command]

  pdadmin [-l] [-linelen max-linelen] [-v] [file]

The following list explains the options for the pdadmin utility:

command
  Specifies the single pdadmin command to run. The command is run one time. The pdadmin utility does not enter interactive mode. The command option is mutually exclusive with the file option.

file
  Specifies the fully qualified name of the file that contains a list of commands to run. These commands are run one time. The pdadmin utility does not enter interactive mode. The file option is mutually exclusive with the command option.
  Note: For Windows operating systems, file names cannot contain the backward slash (\), colon (:), question mark (?), or double quotation mark (") characters.

-a admin_id
  Logs you in as the user admin_id. This administrator must exist in the domain. If you do not specify this option on the command line, you are considered unauthenticated, and your access to other commands is limited. If you specify this option without the -p option, you are prompted for the password. The -a option is mutually exclusive with the -l option. If you do not specify either option, you are logged in as an unauthenticated user. Unauthenticated users can use only the context, errtext, exit, help, login, logout, and quit commands.

-d domain
  Specifies the Security Access Manager secure domain to log in to. Logging in to this domain requires authentication. The admin_id user that is specified must exist in this domain. The -d option is mutually exclusive with the -m option. If neither option is specified, the target domain is the local domain that is configured for the system.

-I configuration-instance-name
  Specifies the pd.conf file instance that the pdadmin command uses. The configuration-instance-name value is the host name that was provided to the pdadmin_host command that generated the configuration file. This option allows pdadmin to communicate with multiple policy servers.

-l
  Specifies a local login operation. When modifications are made to local configuration files by using the pdadmin config commands, a local login is required before you can run commands.

Command modes The l option is mutually exclusie with the a option. If you do not specify either option, you are logged in as an unauthenticated user. Unauthenticated users can use the context, errtext, exit, help, login, logout and quit commands only. linelen max-linelen Currently, the linelen option is ignored. m Specifies that the login operation must be directed to the management domain. Log in to this domain requires authentication. The admin_id user that is specified must exist in this domain. The m option is mutually exclusie with the d option. If neither options are specified, the target domain is the local domain that is configured for the system. p password Specifies the password for the user admin_id. Using this option might show your password to others because the password is isible on the screen and also in the process table. If you do not specify this option on the command line, you are prompted for a password. This option cannot be used unless the a option is used. Prints the ersion number of the pdadmin utility. If this option is specified, all other alid options are ignored. The following example is the output that you might see when you use this option: Security Access Manager Administratie Tool 7.0.0.0 (Build 111215) Copyright (C) IBM Corporation 2012. All Rights Resered. histsize Specifies the command history size. The default command history size is 64. The minimum size of the command history is 1 and the maximum size is 1024. The command history option is aailable only in the interactie mode and on operating systems other than Windows. Note: 1. If you specify the a and p options, you are logged in as that user. Using this method might show your password to others. For example, one user is using pdadmin with this command. Another user lists the processes that are running. Then, the full command that includes the password, might be isible to the second user. 2. 
Users can run the pdadmin context show command to iew their authentication information. You can use the pdadmin utility in three different command modes: single, interactie, or multiple. These modes are described in the following sections. Single command mode on page 4 Interactie command mode on page 4 Multiple command mode on page 5 For details about the command options that are displayed in the following sections, see Syntax for pdadmin commands on page 1. Chapter 1. pdadmin commands 3

Single command mode

In single command mode, the CLI runs only the specified command, and ends after it receives the response message for that command. To run a single pdadmin command, enter one of the following commands:

pdadmin [-a admin_id [-p password] [-d domain]] [-v] [command]
pdadmin [-a admin_id [-p password] [-m]] [-v] [command]
pdadmin [-l] [-v] [command]

For details about the command options, see Syntax for pdadmin commands on page 1.

Interactive command mode

Interactive command mode uses an interactive command-line session where, after the command starts, you are prompted to enter required information.

To start pdadmin in interactive mode, type the pdadmin command. This command starts pdadmin without requiring any authentication; your access to other pdadmin commands is then limited to the commands that unauthenticated users can run, such as context, errtext, exit, help, login, logout, and quit.

c:\> pdadmin
pdadmin> limited_pdadmin_command

This command starts pdadmin, and login authentication is required before you can use other pdadmin commands. You can be prompted for both the administrator ID and the password:

c:\> pdadmin
pdadmin> login
Enter User ID: sec_master
Enter Password: secmstrpw
pdadmin sec_master> pdadmin_command

Or, you can be prompted for just the administrator password:

c:\> pdadmin
pdadmin> login -a sec_master
Enter Password: secmstrpw
pdadmin sec_master> pdadmin_command

Or, you can bypass being prompted, which is less secure because your password is visible:

c:\> pdadmin
pdadmin> login -a sec_master -p secmstrpw
pdadmin sec_master> pdadmin_command

To start pdadmin in interactive mode with a login for issuing local configuration commands, use the local login (pdadmin login -l) command. You can use the config show or the config modify commands through the local login. For example:

pdadmin login -l
pdadmin local> config_command

To start pdadmin in interactive mode with a login to a management or other domain, the ID and password are authenticated before access is permitted, and user privileges are verified before users can issue commands.

For example, to log in to the management domain (Default) and authenticate, type:

pdadmin login -a admin_id -p password -m
pdadmin sec_master@default> pdadmin_command

For example, to log in to another domain, domain01, and authenticate, type:

pdadmin login -a sec_master -p secmstrpw -d domain01
pdadmin sec_master@domain01> pdadmin_command

At the pdadmin prompt, type the appropriate commands and their associated options. The pdadmin prompt changes, depending on the type of login. See Login and logout commands on page 13 for more information about the login command and prompt changes.

Note: In this release, the length of a command line that is used in pdadmin interactive mode is limited to 1023 characters.

Multiple command mode

With multiple command mode, you can create a file that contains multiple pdadmin commands, one per line, that together complete a task or series of tasks. Login commands can be included in the command file to switch between local and remote login, as needed. To run the commands in this file, enter one of the following commands:

pdadmin [-a admin_id [-p password] [-d domain]] file
pdadmin [-a admin_id [-p password] [-m]] file

Login commands can be included in the command file to switch between the local login (pdadmin login -l), where no authentication is required, and a domain login, where authentication is required.

For details about the command options that are displayed in the following sections, see Syntax for pdadmin commands on page 1.

Non-English locales

For Security Access Manager software, you can specify localized behavior by setting the required locale. Different operating systems often encode text in different ways. For example, Windows operating systems use SJIS (code page 932) for Japanese text, while AIX, Linux, and Solaris operating systems often use eucjp. The installation guide contains complete information about code pages and globalization. However, be aware of the following issues when you are running the pdadmin utility in a non-English locale.

On Windows operating systems, you can enter commands to pdadmin through a command file argument. The command file must be encoded in the system's local (ANSI) code page. For example:

C:> pdadmin -a sec_master -p password cmds.text

You can determine the local code page of the system by viewing the value of the Nls/CodePage/ACP key in the Windows registry. Files that are created by standard Windows editing tools (such as Notepad or WordPad) are encoded in this way.

On AIX, Linux, and Solaris operating systems, you must run the pdadmin command in the same locale that was used to create the command file.

On Windows operating systems, you can also enter commands to pdadmin by redirecting a command file. The command file must be encoded in a Microsoft Original Equipment Manufacturer (OEM) code page. The OEM code page corresponds to the active code page in the command window in which the pdadmin command is run. For example:

C:> pdadmin -a sec_master -p password < cmds.text

The active code page can be determined by issuing the chcp command in the pdadmin command window. Alternatively, you can redirect a file that is encoded in the local code page of the system. However, you must then change the active code page of the command window to correspond to the encoding of the file. Change the active code page of the window by using the chcp command. For example, entering the command chcp 1252 changes the active code page to the ANSI code page for Western Europe and the United States.

On AIX, Linux, and Solaris operating systems, you must run the pdadmin command in the same locale that was used to create the redirected command file.

Security Access Manager data that is created in one locale might not display correctly on a system that is configured for another locale. Whether data displays correctly depends on the configuration of the second system: for example, on what the current locale is, and on whether the necessary code pages and fonts are installed.

Error handling

After a command finishes processing, a return code is displayed or logged to indicate the success or failure of the command. The pdadmin command has the following return code values:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command displays a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See the IBM Security Access Manager for Web Error Message Reference. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes. For information about how to use the message number that is associated with a message to display only the descriptive text, see errtext on page 54.

Return codes for a single command

A single command is normally typed from a command prompt, such as a DOS command prompt, Korn shell prompt, or C shell prompt. Single command mode does not automatically display the 0 or 1 return code values; the operating system must be queried for the return code value. For command failures, the hexadecimal status code is shown together with its associated error message and the error message ID (for example, HPDMG0754W). You can redirect the error that is normally displayed on the screen to a text file. When a single command fails, you see an error message like the following:

C:> pdadmin -a admin_id -p password user show voogle
Could not perform the administration request.
Error: HPDMG0754W   The entry was not found. If... (status 0x14c012f2)

To display the 0 or 1 return code values, you must type the pdadmin command, followed by the AIX, Linux, or Solaris echo command or the Windows errorlevel command:

For AIX, Linux, and Solaris operating systems:

# pdadmin_command
# echo $?

For Windows operating systems:

C:> pdadmin_command
C:> echo %errorlevel%

Return codes for an interactive command

Interactive command mode does not automatically display the 0 or 1 return code values. Also, you cannot follow an interactive command with the AIX, Linux, and Solaris echo command or the Windows errorlevel command. For a command failure, you see a message like:

pdadmin sec_master> user show voogle
Could not perform the administration request.
Error: HPDMG0754W   The entry was not found. If... (status 0x14c012f2)

Only the hexadecimal exit status code is displayed.

Return codes for multiple commands

You can use a text file containing pdadmin commands to run those commands in a single pdadmin invocation. If an error occurs for a command while the commands run in multiple command mode, an error message for the failed command is provided. Processing of the remaining commands in the file continues after an error. At the end of multiple command processing, a final status is provided. The final status code at the termination of multiple command processing reflects only the last command that was attempted. For example, if the last command was successful, the final status is 0. If the last command failed, the final status is 1.

For example, a text file might contain these pdadmin commands:

user show cwright
user show voogle

To run the commands, run the following command:

pdadmin -a admin_id -p password cmd_filename

The command file would produce results like:

cmd> user show cwright
Login ID: cwright
LDAP DN: cn=claude Wright,ou=Dallas,o=Tivoli,c=us
LDAP CN: Claude Wright
LDAP SN: Wright
Description:
Is SecUser: yes
Is GSO user: no
Account valid: yes
Password valid: yes
Authorization mechanism: Default:LDAP
cmd:> user show voogle
Could not perform the administration request.
Error: HPDMG0754W   The entry was not found. If... (status 0x14c012f2)

Local or other domain

Use the pdadmin command to authenticate your user ID and password. You must authenticate before you log in to the local domain or to a domain other than the local domain. To authenticate and log in to your local domain in interactive mode, enter:

pdadmin> login -a dlucas -p lucaspwd
pdadmin dlucas>

In this example, the user name logs you in as the authenticated user dlucas to your own local domain. To authenticate and log in to a domain with a name that is different from the local domain, enter:

pdadmin> login -a dlucas -p lucaspwd -d domain_a
pdadmin dlucas@domain_a>

In this example, the user name logs you in as the authenticated user dlucas, and domain_a is the domain name to which you are logging in, in interactive mode.
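Because the final status of multiple command mode reflects only the last command attempted, a script that needs to know whether every command succeeded has to check each return code itself. The script below is an added example, not code from the IBM manual: it runs the lines of a command file one at a time in single command mode, tests each return code, and extracts the message ID and hexadecimal status from error text in the format shown above. The stub_pdadmin function is a constructed stand-in for the pdadmin binary that reproduces only the two responses quoted in the manual, so the script runs offline; against a real policy server you would pass a runner such as "pdadmin -a admin_id" instead (adding -p password on the command line exposes the password in the process table, as the syntax section notes, and omitting it prompts for each command).

```shell
#!/bin/sh
# Added example (not IBM's code): check every pdadmin command's return code
# by running a command file one line at a time in single command mode.

# parse_status LINE: print the hexadecimal status (for example 0x14c012f2)
# found in a pdadmin error message, or nothing if the text has none.
parse_status() {
    printf '%s\n' "$1" | sed -n 's/.*(status \(0x[0-9a-fA-F]*\)).*/\1/p'
}

# parse_msgid LINE: print the message identifier (for example HPDMG0754W)
# from a pdadmin error message, or nothing if the text has none.
parse_msgid() {
    printf '%s\n' "$1" | sed -n 's/.*Error: \(HPD[A-Z]\{2\}[0-9]\{4\}[A-Z]\).*/\1/p'
}

# stub_pdadmin COMMAND...: constructed stand-in for the pdadmin binary so the
# script runs offline. It reproduces only the two responses quoted in the
# manual: "user show cwright" succeeds, anything else fails with HPDMG0754W.
stub_pdadmin() {
    case "$*" in
        'user show cwright')
            echo 'Login ID: cwright'
            return 0 ;;
        *)
            echo 'Could not perform the administration request.'
            echo 'Error: HPDMG0754W   The entry was not found. (status 0x14c012f2)'
            return 1 ;;
    esac
}

# run_command_file FILE RUNNER: run each non-blank, non-comment line of FILE
# as one single-mode pdadmin command through RUNNER (for example
# "pdadmin -a admin_id", or stub_pdadmin here). Prints one FAILED line per
# failing command with its message ID and status, then a summary line, and
# returns 0 only if every command succeeded.
run_command_file() {
    file=$1
    runner=$2
    total=0
    failures=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        total=$((total + 1))
        # Word splitting of $runner and $line is intended: each word becomes
        # a separate argument, as when the command is typed at the shell.
        out=$($runner $line 2>&1)
        rc=$?
        if [ "$rc" -ne 0 ]; then
            failures=$((failures + 1))
            printf 'FAILED rc=%s [%s %s]: %s\n' "$rc" \
                "$(parse_msgid "$out")" "$(parse_status "$out")" "$line"
        fi
    done < "$file"
    printf 'SUMMARY %s of %s commands failed\n' "$failures" "$total"
    [ "$failures" -eq 0 ]
}

# Demonstration with a constructed command file holding the two commands
# from the manual's multiple command mode example.
demo_file=$(mktemp)
printf '%s\n' '# constructed command file' 'user show cwright' 'user show voogle' > "$demo_file"
if run_command_file "$demo_file" stub_pdadmin; then
    echo 'all commands succeeded'
else
    echo 'at least one command failed'
fi
rm -f "$demo_file"
```

Comment lines beginning with # in the command file are skipped by the script; pdadmin itself does not define such a convention, so keep them out of files that you pass directly to pdadmin in multiple command mode.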

Command option processing

Some pdadmin command options use specific symbols or characters. Some pdadmin command options begin with a hyphen (-). For example, the following command uses the -gsouser option:

pdadmin sec_master> user import -gsouser mlucaser cn=mlucaser,o=tivoli,c=us

The pdadmin command interprets any token beginning with a hyphen as a command option, even if the hyphen is placed within double quotation marks. Occasionally, you might want a token that begins with a hyphen to be interpreted as an argument rather than as a command option. For example, you might want to name the user -mlucaser or "-mlucaser" by entering:

pdadmin sec_master> user import -gsouser -mlucaser cn=mlucaser,o=tivoli,c=us

In this example, the first option, -gsouser, is still processed. However, because the user name token begins with a hyphen, the user name is interpreted as a command option. The command fails because the -mlucaser command option does not exist.

Specify the single hyphen character (-) to turn off the interpretation of optional arguments by the pdadmin command. Following the single hyphen character, -mlucaser is interpreted as the user name. For example:

pdadmin sec_master> user import -gsouser - -mlucaser cn=mlucaser,o=tivoli,c=us

Options on the command line are position-independent. You can change the order so that all tokens that begin with a hyphen, which are not command options, follow the single hyphen character.
Commands by category

The pdadmin commands are listed here by major category. This section lists the pdadmin commands by the following categories:

Access control list commands on page 10
Action commands on page 10
Authorization rule commands on page 11
Configuration commands on page 11
Context commands on page 12
Domain commands on page 12
Group commands on page 12
Login and logout commands on page 13
Object commands on page 13
Object space commands on page 14
Policy commands on page 14
Protected object policy commands on page 15
Resource and resource group commands on page 15
Server commands on page 16
Session Management Server commands on page 17

User commands on page 18
WebSEAL commands on page 19

Access control list commands

Use acl commands to manage access control list (ACL) policies and extended attributes. Table 1 lists acl commands.

Table 1. Access control list (ACL) commands

Command               Description
acl attach (page 21)  Attaches an ACL policy to a protected object. If the protected object already has an ACL attached, the ACL is replaced with the new one.
acl create (page 22)  Creates an ACL policy in the ACL database. This command does not create ACL entries.
acl delete (page 23)  Deletes an ACL policy from the ACL database.
acl detach (page 24)  Detaches the current ACL policy from a protected object. This command does not delete the ACL policy from the ACL database.
acl find (page 25)    Finds and lists all protected objects that have a specific ACL policy attached.
acl list (page 26)    Lists the names of all defined ACLs. Also lists the extended attribute keys that are associated with a specific ACL.
acl modify (page 26)  Modifies ACLs, their extended attributes, and associated values.
acl show (page 30)    Lists the complete set of entries for a specific ACL policy. Also lists the values of a specific extended attribute that is associated with an ACL policy.

Action commands

The action commands define additional authorization actions (permissions) and action groups. Table 2 lists action commands.

Table 2. Action commands

Command                        Description
action create (page 31)        Creates and adds an action to an action group.
action delete (page 33)        Deletes an action from an action group.
action group create (page 34)  Creates an action group.
action group delete (page 34)  Deletes an action group.
action group list (page 35)    Lists all action groups.
action list (page 35)          Lists all defined actions in an action group.

Authorization rule commands

The authzrule commands manage authorization rules. Table 3 lists authzrule commands.

Table 3. Authorization rule commands

Command                     Description
authzrule attach (page 37)  Attaches an authorization rule to the specified protected object.
authzrule create (page 38)  Creates an authorization rule.
authzrule delete (page 39)  Deletes an authorization rule.
authzrule detach (page 40)  Detaches an authorization rule from the specified protected object.
authzrule find (page 40)    Finds and lists all the protected objects that have the specified authorization rule attached.
authzrule list (page 41)    Lists all the registered authorization rules.
authzrule modify (page 42)  Modifies an authorization rule.
authzrule show (page 43)    Shows all the attributes of an authorization rule, including description, rule text, and fail reason code.

Configuration commands

Configuration commands modify the local configuration files. Table 4 on page 12 lists config commands, which are configuration database commands.

Table 4. Config commands

Command                  Description
config modify (page 44)  Modifies a stanza entry in a configuration file or sets the password for the server user account.
config show (page 46)    Shows the value that is associated with specified stanzas or keys in Security Access Manager server configuration files or in customized server configuration files.

Context commands

Context commands display the context (authentication) information for the user who is running the pdadmin utility. Table 5 lists context commands.

Table 5. Context commands

Command                 Description
context show (page 48)  Displays the user ID and domain ID used to establish the current context.

Domain commands

Domain commands manage Security Access Manager secure domains. Table 6 lists domain commands.

Table 6. Domain commands

Command                  Description
domain create (page 49)  Creates a Security Access Manager secure domain.
domain delete (page 51)  Deletes the specified Security Access Manager secure domain, and optionally deletes the information about the domain from the user registry.
domain list (page 52)    Lists all the domains except for the management domain.
domain modify (page 53)  Modifies the description of the specified domain.
domain show (page 54)    Displays the specified attributes of the domain, including name and description.

Group commands

Group commands manage Security Access Manager groups. A group is a set of Security Access Manager user accounts that have similar attributes. By using groups, you can use a group name in an access control list (ACL) instead of listing all users individually. When an LDAP-based user registry is used, group names are not case-sensitive. Table 7 lists group commands.

Table 7. Group commands

Command                 Description
group create (page 56)  Creates a group.
group delete (page 57)  Deletes the specified Security Access Manager group and optionally deletes the information about the group from the user registry. ACL entries that are associated with the group are also deleted.
group import (page 58)  Imports the information about an existing registry group to create a Security Access Manager group.
group list (page 59)    Generates a list of all groups, by group name, whose names match the specified pattern.
group modify (page 61)  Changes an existing group by adding a description, or adding or removing a list of members.
group show (page 62)    Displays details about a specified group.

Login and logout commands

Login and logout commands are used to log in to, and log out of, a Security Access Manager secure domain. Table 8 lists login and logout commands.

Table 8. Logon commands

Command           Description
login (page 65)   Authenticates the user to the Security Access Manager policy server as a given administrative identity in a domain.
logout (page 67)  Discards any authentication credentials that are in effect.

Object commands

Object commands protect objects by attaching ACLs or protected object policies (POPs). Table 9 lists object commands.

Table 9. Object commands

Command                  Description
object access (page 68)  Confirms whether a specified access is permitted on the named protected object.
object create (page 69)  Creates a protected object.